The University of Sydney
School of Computer Science
Dr. Ralph Holz
Lecturer in Networks and Security
INFO3616—Principles of Security and Security Engineering S2 2019
Assignment for content of Week 9
Submission 2 due: 18 October 2019, 23:59 AEDT
Submission 2 due: 27 October 2019, 23:59 AEDT
Task 1 Parsing X.509 (20cr)
• For this task, you are going to need the Python library cryptography, which is documented on
https://cryptography.io. We recommend installing it in a Python 3 virtual environment
(see tutorial of week 4): pip3 install cryptography.
• You are given a number of certificates: our custom CA’s root certificate, its intermediate
certificate, and the certificate of a student certified by this CA. You also get the private key for
the student.
• Submit your code to a git repo called info3616_week9 on the University of Sydney GitHub
site. Be sure to add your tutor to the repository! Do not change the names of the files!
a) Inspecting a certificate (12cr)
Download the skeleton code inspect_cert.py. Write Python code to inspect certificates. Instructions:
• Do not make changes to the following:
– the screen output of the program, i.e. you must leave the printing functions unchanged
– the names and signatures of the functions—we are going to autotest your program
– the global variables (in capital letters). They are used by the printing function, and the
values are assigned in inspect_cert().
• Hint: the necessary imports are already included.
• Note that the skeleton code expects both the certificate to inspect and its issuing certificate to
be passed in as parameters. This is because we will use the issuer certificate later.
• Begin by completing the function open_cert().
• Complete the code for every part of the certificate that we inspect:
– Subject - both full subject and Common Name (2cr)
– Issuer (in full) (1cr)
– Expiry date (not valid after). Use https://docs.python.org/3/library/datetime.html#datetime.datetime
to convert the date to YYYY-MM-DD. (2cr)
– Public key: algorithm (2cr), a SHA256 hash of it (3cr), and key length (1cr). Note that
the skeleton code shows the expected output format for the algorithm.
– Serial number (1cr)
If you have done everything right, the output for the root certificate will look similar to the below.
Issuer: C=AU,ST=NSW,L=Darlington,O=University of Sydney,OU=School of Computer Science...
Subject: C=AU,ST=NSW,L=Darlington,O=School of Computer Science,OU=INFO3616 Management...
Subject Common Name: INFO3616 Head Honchos
Serial number: 671937183735168210438793113571075403114492127582
Expiry date: 2019-11-11
Public key algorithm: secp256r1
Public key length: 256
Public Key Info hash: 6ef093dc14a0c61208d746e30f12760b3b35b50d7a00c63aced1d29e83ddb894
b) Verifying the certificate (6cr)
Let’s verify that the intermediate certificate carries a correct signature. Complete the respective
function! You will find helpful information here: https://cryptography.io/en/latest/x509/reference/.
• Work first on the verification of the intermediate certificate—this is close to the example given
in the API documentation as it is an RSA signature. (4cr)
• Then extend your code to also support the verification of the student’s certificate (which uses
an elliptic curve signature). (2cr)
• There is no need to support further signing schemes.
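The signature check described in b), as an added example that is not the course's skeleton code: it verifies a certificate against its issuer's public key for RSA and elliptic curve issuers. The function names signature_is_valid and make_cert are hypothetical, and the chain is generated in memory as constructed test data rather than loaded from the assignment's files.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID

def signature_is_valid(cert, issuer_cert):
    """Check cert's signature with the issuer's public key (RSA or ECDSA only)."""
    issuer_key = issuer_cert.public_key()
    try:
        if isinstance(issuer_key, rsa.RSAPublicKey):
            # Assumption: PKCS#1 v1.5 padding, the usual choice for X.509 RSA signatures.
            issuer_key.verify(cert.signature, cert.tbs_certificate_bytes,
                              padding.PKCS1v15(), cert.signature_hash_algorithm)
        elif isinstance(issuer_key, ec.EllipticCurvePublicKey):
            issuer_key.verify(cert.signature, cert.tbs_certificate_bytes,
                              ec.ECDSA(cert.signature_hash_algorithm))
        else:
            raise ValueError("unsupported issuer key type")
    except InvalidSignature:
        return False
    return True

def make_cert(common_name, subject_key, issuer_name, signing_key):
    """Build a constructed test certificate; names and keys are throwaway values."""
    now = datetime.datetime(2019, 10, 1)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
            .issuer_name(issuer_name)
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=30))
            .sign(signing_key, hashes.SHA256()))

# Constructed chain: RSA root -> EC intermediate -> EC leaf (not the assignment's files).
root_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
inter_key = ec.generate_private_key(ec.SECP256R1())
leaf_key = ec.generate_private_key(ec.SECP256R1())
root_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root")])
root = make_cert("Example Root", root_key, root_name, root_key)
inter = make_cert("Example Intermediate", inter_key, root.subject, root_key)
leaf = make_cert("Example Student", leaf_key, inter.subject, inter_key)
```

This checks the signature only; a full chain validation would also compare issuer and subject names, validity periods and CA constraints.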
c) Signing and verifying your unikey (2cr)
It should be trivial now to create a signature of arbitrary data and verify it. Let’s use the student’s
certificate for this purpose. Download the skeleton code sign_and_verify.py and complete the code
to sign and verify your unikey.
Hints: you will need to load an elliptic curve private key. Check out
https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/.