Skip to content

numbersprotocol/numbers-c2pa

Repository files navigation

numbers-c2pa

Setup

Install Rust

$ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

Install c2patool

$ cargo install c2patool

Install numbers-c2pa

$ python3 -m pip install git+https://github.com/numbersprotocol/numbers-c2pa.git

Usage

C2PA Injection

from datetime import datetime

from numbers_c2pa import create_c2pa_manifest, inject_file

if __name__ == '__main__':
    with open('examples/es256_private.key') as f:
        private_key = f.read()
    with open('examples/es256_certs.pem') as f:
        sign_cert = f.read()
    manifest = create_c2pa_manifest(
        nid='this is nid',
        creator_public_key='this is creator public key',
        asset_hash='this is sha256hash',
        date_created=datetime.now(),
        location_created='123.123, 45.45',
        date_captured=None,
    )
    inject_file(
        'examples/numbers.png',
        manifest=manifest,
        private_key=private_key,
        sign_cert=sign_cert,
    )
    # examples/numbers-c2pa.png will be created
    # Upload file to https://verify.contentauthenticity.org/inspect to view C2PA data

Read C2PA data

from numbers_c2pa import read_c2pa_file

if __name__ == '__main__':
    c2pa_json = read_c2pa_file('examples/numbers-c2pa.png')
    print(c2pa_json)

Create self-signed certificate with intermediate CA

According to c2patool readme:

Both the private_key and sign_cert must be in PEM format. The sign_cert must contain a PEM certificate chain starting with the end-entity certificate used to sign the claim ending with the intermediate certificate before the root CA certificate. See the sample folder for example certificates.

Using a intermediate CA certificate is required.

Updated steps

Create end-entity and intermediate private keys

openssl ecparam -genkey -name prime256v1 -noout -out intermediate_ca.key
openssl ecparam -genkey -name prime256v1 -noout -out end_entity.key

Create intermediate cert

openssl req -x509 -new -key intermediate_ca.key -out intermediate_ca.crt -subj "/CN=Numbers Intermediate CA" -days 365 -sha256

Create end_entity_csr.conf file

[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = v3_req
distinguished_name = dn

[ dn ]
C = US
ST = California
L = San Fransisco
O = Numbers Protocol
OU = Numbers Protocol
CN = Numbers Protocol

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = timeStamping
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = numbersprotocol.io
DNS.2 = www.numbersprotocol.io

Create end-entity CSR

openssl req -new -key end_entity.key -out end_entity.csr -config end_entity_csr.conf

Create end-entity certificate

openssl x509 -req -in end_entity.csr -CA intermediate_ca.crt -CAkey intermediate_ca.key -out end_entity.crt -days 365 -CAcreateserial -extfile end_entity_csr.conf -extensions v3_req -sha256

Combine certificate chain

cat end_entity.crt intermediate_ca.crt > certificate_chain.pem