The University of Sydney School of Computer Science Dr. Ralph Holz Lecturer in Networks and Security INFO3616—Principles of Security and Security Engineering S2 2019 Assignment for content of Week 9 Submission 2 due: 18 October 2019, 23:59 AEDT Submission 2 due: 27 October 2019, 23:59 AEDT Task 1 Parsing X.509 (20cr) • For this task, you are going to need the Python library cryptography, which is documented on https://cryptography.io. We recommend to install it in a Python 3 virtual environment (see tutorial of week 4): pip3 install cryptography. • You are given a number of certificates: our custom CA’s root certificate, its intermediate certificate, and the certificate of a student certified by this CA. You also get the private key for the student. • Submit your code to a git repo called info3616_week9 on the University of Sydney GitHub site. Be sure to add your tutor to the repository! Do not change the names of the files! a) Inspecting a certificate (12cr) Download the skeleton code inspect_cert.py. Write Python code to inspect certificates. Instructions: • Do not make changes to the following: – the screen output of the program, i.e. you must leave the printing functions unchanged – the names and signatures of the functions—we are going to autotest your program – the global variables (in capital letters). They are used by the printing function, and the values are assigned in inspect_cert(). • Hint: the necessary imports are already included. • Note that the skeleton code expects both the certificate to inspect and its issuing certificate to be passed in as parameters. This is because we will use the issuer certificate later. • Begin by completing the function open_cert(). • Complete the code for every part of the certificate that we inspect: – Subject – both full subject and Common Name (2cr) – Issuer (in full) (1cr) – Expiry date (not valid after). Use https://docs.python.org/3/library/datetime. html#datetime.datetime to convert the date to YYYY-MM-DD. (2cr) – Public key: algorithm (2cr), a SHA256 hash of it (3cr), and key length (1cr). Note that the skeleton code shows the expected output format for the algorithm. 1 – Serial number (1cr) If you have done everything right, the output for the root certificate will look similar to the below. Issuer: C=AU,ST=NSW,L=Darlington,O=University of Sydney,OU=School of Computer Science… Subject: C=AU,ST=NSW,L=Darlington,O=School of Computer Science,OU=INFO3616 Management… Subject Common Name: INFO3616 Head Honchos Serial number: 671937183735168210438793113571075403114492127582 Expiry date: 2019-11-11 Public key algorithm: secp256r1 Public key length: 256 Public Key Info hash: 6ef093dc14a0c61208d746e30f12760b3b35b50d7a00c63aced1d29e83ddb894 b) Verifying the certificate (6cr) Let’s verify that the intermediate certificate carries a correct signature. Complete the respective function! You will find helpful information here: https://cryptography.io/en/latest/x509/ reference/. • Work first on the verification of the intermediate certificate—this is close to the example given in the API documentation as it is an RSA signature. (4cr) • Then extend your code to also support the verification of the student’s certificate (which uses an elliptic curve signature). (2cr) • There is no need to support further signing schemes. c) Signing and verifying your unikey (2cr) It should be trivial now to create a signature of arbitrary data and verify it. Let’s use the student’s certificate for this purpose. Download the skeleton code sign_and_verify.py and complete the code to sign and verify your unikey. Hints: you will need to load an elliptic curve private key. Check out https://cryptography.io/en/ latest/hazmat/primitives/asymmetric/ec/. 2
