def smime_verify(ca_path, message):
"""Verify S/MIME pkcs7 signed message.
You may debug certificate errors with command::
openssl smime -verify -in
.tmp/test_verify_signature_file0/signed/signature.sig -CApath
.tmp/test_verify_signature_file0/certs
:param str ca_path: Path to CA certificate store
:param bytes message: Message to verify
:returns: Message data on succesful verification
:rtype: bytes
"""
# SSLContext expects a byte string on Python 2 and Unicode on Python 3
ca_path = _to_str_path(ca_path)
buf = BIO.MemoryBuffer(message)
pkcs7, data = SMIME.smime_load_pkcs7_bio(buf)
certificate_x509 = pkcs7.get0_signers(X509.X509_Stack())
context = SSL.Context()
context.load_verify_locations(capath=ca_path)
ca_store = context.get_cert_store()
smime = SMIME.SMIME()
smime.set_x509_store(ca_store)
smime.set_x509_stack(certificate_x509)
return smime.verify(pkcs7, data)
def scan(self, data, file, options, expire_at):
tmp_directory = options.get('tmp_directory', '/tmp/')
self.event['total'] = {'certificates': 0, 'extracted': 0}
with tempfile.NamedTemporaryFile(dir=tmp_directory) as tmp_data:
tmp_data.write(data)
tmp_data.flush()
if data[:1] == b'0':
pkcs7 = SMIME.load_pkcs7_der(tmp_data.name)
else:
pkcs7 = SMIME.load_pkcs7(tmp_data.name)
certs = pkcs7.get0_signers(X509.X509_Stack())
if certs:
self.event['total']['certificates'] = len(certs)
for cert in certs:
extract_file = strelka.File(
name=f'sn_{cert.get_serial_number()}',
source=self.name,
)
for c in strelka.chunk_string(cert.as_der()):
self.upload_to_coordinator(
extract_file.pointer,
c,
expire_at,
)
self.files.append(extract_file)
self.event['total']['extracted'] += 1
def verify_signature_block(certificate_file, content, signature):
"""
Verifies the 'signature' over the 'content', trusting the
'certificate'.
:param certificate_file: the trusted certificate (PEM format)
:type certificate_file: str
:param content: The signature should match this content
:type content: str
:param signature: data (DER format) subject to check
:type signature: str
:return None if the signature validates.
:exception SignatureBlockVerificationError
"""
sig_bio = BIO.MemoryBuffer(signature)
pkcs7 = SMIME.PKCS7(m2.pkcs7_read_bio_der(sig_bio._ptr()), 1)
signers_cert_stack = pkcs7.get0_signers(X509.X509_Stack())
trusted_cert_store = X509.X509_Store()
trusted_cert_store.set_verify_cb(ignore_missing_email_protection_eku_cb)
trusted_cert_store.load_info(certificate_file)
smime = SMIME.SMIME()
smime.set_x509_stack(signers_cert_stack)
smime.set_x509_store(trusted_cert_store)
data_bio = BIO.MemoryBuffer(content)
try:
smime.verify(pkcs7, data_bio)
except SMIME.PKCS7_Error as message:
raise SignatureBlockVerificationError(message)
else:
return None
def decrypt_verify(p7file, recip_key, signer_cert, ca_cert):
s = SMIME.SMIME()
# Load decryption private key.
s.load_key(recip_key)
# Extract PKCS#7 blob from input.
p7, bio = SMIME.smime_load_pkcs7_bio(p7file)
# Decrypt.
data = s.decrypt(p7)
# Because we passed in a SignAndEnveloped blob, the output
# of our decryption is a Signed blob. We now verify it.
# Load the signer's cert.
sk = X509.X509_Stack()
s.set_x509_stack(sk)
# Load the CA cert.
st = X509.X509_Store()
st.load_info(ca_cert)
s.set_x509_store(st)
# Verify.
p7, bio = SMIME.smime_load_pkcs7_bio(BIO.MemoryBuffer(data))
if bio is not None:
# Netscape Messenger clear-signs, when also encrypting.
data = s.verify(p7, bio)
else:
# M2Crypto's sendsmime.py opaque-signs, when also encrypting.
data = s.verify(p7)
print data
def ed():
print 'test encrypt/decrypt...',
buf = makebuf()
s = SMIME.SMIME()
# Load target cert to encrypt to.
x509 = X509.load_cert('client.pem')
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
# Add a cipher.
s.set_cipher(SMIME.Cipher('bf_cbc'))
# Encrypt.
p7 = s.encrypt(buf)
# Load target's private key.
s.load_key('client.pem')
# Decrypt.
data = s.decrypt(p7)
if data:
print 'ok'
else:
print 'not ok'
def verify_payload(msg, raw_sig, cert, ca_cert, verify_cert):
# Load the public certificate of the signer
signer = SMIME.SMIME()
signer_key = X509.X509_Stack()
signer_key.push(X509.load_cert(cert))
signer.set_x509_stack(signer_key)
signer_store = X509.X509_Store()
signer_store.load_info(ca_cert)
signer.set_x509_store(signer_store)
# Extract the pkcs7 signature and the data
if raw_sig:
raw_sig.strip()
sig = "-----BEGIN PKCS7-----\n%s\n-----END PKCS7-----\n" % raw_sig.replace('\r\n', '\n')
p7 = SMIME.load_pkcs7_bio(BIO.MemoryBuffer(sig))
data_bio = BIO.MemoryBuffer(msg)
else:
p7, data_bio = SMIME.smime_load_pkcs7_bio(BIO.MemoryBuffer(msg))
# Verify the signature against the message
if verify_cert:
signer.verify(p7, data_bio)
else:
# Don't verify the signer certificate if this flag is set
signer.verify(p7, data_bio, SMIME.PKCS7_NOVERIFY)
def sv():
print 'test sign/verify...',
buf = makebuf()
s = SMIME.SMIME()
# Load a private key.
s.load_key('client.pem')
# Sign.
p7 = s.sign(buf, SMIME.PKCS7_DETACHED)
# Output the stuff.
buf = makebuf() # Recreate buf, because sign() has consumed it.
bio = BIO.MemoryBuffer()
s.write(bio, p7, buf)
# Plumbing for verification: CA's cert.
st = X509.X509_Store()
st.load_info('ca.pem')
s.set_x509_store(st)
# Plumbing for verification: Signer's cert.
x509 = X509.load_cert('client.pem')
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
# Verify.
p7, buf = SMIME.smime_load_pkcs7_bio(bio)
v = s.verify(p7, buf, flags=SMIME.PKCS7_DETACHED)
if v:
print 'ok'
else:
print 'not ok'
def encrypt(input_bio, cert, keyring_source, cypher):
"""
Encrypts the input data with the public key in the certificate from keyring
source with selected cypher.
@type input_bio: M2Crypto.BIO
@param input_bio: input data to encrypt.
@type cert: filepath or M2Crypto.BIO or M2Crypto.X509.X509
@param cert: the recipient certificate reference from filepath, could be
from file, from memory or from pkcs11 smartcard, based on
keyring_soruce input parameter.
@type keyring_source: str
@keyword keyring_source: the type of the source for input certificate, used
to recall the appropriate method for encrypter settings. Ammitted
values are: file, memory, pkcs11.
@type cypher: str
@keyword cypher: the cypher to use for encryption of the data, run
"openssl enc -help" for supported cyphers, you have to choose a public
key cypher from availables.
@rtype: M2Crypto.SMIME.PKCS7
@return: the PKCS#7 encrypted data in PEM format.
"""
encrypter = SMIME.SMIME()
x509 = set_certificate(cert, keyring_source)
sk = X509.X509_Stack()
sk.push(x509)
encrypter.set_x509_stack(sk)
encrypter.set_cipher(SMIME.Cipher(cypher))
Rand.load_file('randpool.dat', -1)
try:
p7 = encrypter.encrypt(input_bio)
except SMIME.SMIME_Error, e:
logging.error('smime error: ' + str(e))
raise
def _get_digital_signers(self):
if not self.pe:
return None
retlist = None
if HAVE_CRYPTO:
address = self.pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].VirtualAddress
#check if file is digitally signed
if address == 0:
return retlist
signature = self.pe.write()[address+8:]
bio = BIO.MemoryBuffer(signature)
if bio:
swig_pkcs7 = m2.pkcs7_read_bio_der(bio.bio_ptr())
if swig_pkcs7:
p7 = SMIME.PKCS7(swig_pkcs7)
xst = p7.get0_signers(X509.X509_Stack())
retlist = []
if xst:
for cert in xst:
sn = cert.get_serial_number()
sha1_fingerprint = cert.get_fingerprint('sha1').lower()
md5_fingerprint = cert.get_fingerprint('md5').lower()
subject_str = str(cert.get_subject())
cn = subject_str[subject_str.index("/CN=")+len("/CN="):]
retlist.append({"sn":str(sn), "cn":cn, "sha1_fingerprint" : sha1_fingerprint, "md5_fingerprint" : md5_fingerprint })
return retlist
def plist_from_pkcs7(pkcs7):
"""Extract a plist from PKCS7 encoded data."""
# DEP request
# base64 encode the DER data, and wrap in a PEM-ish format for SMIME.load_pkcs7_bio()
req_data = base64_to_pem('PKCS7', pkcs7)
p7_bio = BIO.MemoryBuffer(str(req_data))
pkcs7 = SMIME.load_pkcs7_bio(p7_bio)
p7_signers = pkcs7.get0_signers(X509.X509_Stack())
signer = SMIME.SMIME()
signer.set_x509_store(X509.X509_Store())
signer.set_x509_stack(p7_signers)
# TODO/XXX: not verifying ANY certificates!
#
# spec says we should verify against the "Apple Root CA" and that this
# CMS message contains all intermediates to do that verification.
# M2Crypto has no way to get at all the intermediate certificates to
# do this manually we'd need to extract all of the certificates and
# verify the chain aginst it. Note as of 2016-03-14 on a brand new
# iPad Apple was including an expired certificate in this chain. Note
# also that at least one of the intermediate certificates had a
# certificate purpose apparently not appropraite for CMS/SMIME
# verification. For now just verify with no CA and skip any
# verification.
plist_text = signer.verify(pkcs7, None, flags=SMIME.PKCS7_NOVERIFY)
plist = plistlib.readPlistFromString(plist_text)
return plist
def sign_m2(keyfile, content):
"""
Sign content with a keyfile using M2Crypto
"""
try:
# load intermediate certs if any
stack = M2X509.X509_Stack()
_, _, certificates = parse_keyfile(keyfile)
for c in certificates:
cert = M2X509.load_cert_string(c)
# skip the main CA cert, as this must be built-in anyway
if (cert.check_ca()
and str(cert.get_issuer()) == str(cert.get_subject())):
continue
stack.push(cert)
# actual signing
smime = M2S.SMIME()
smime.load_key(keyfile)
smime.set_x509_stack(stack)
pkcs7 = M2Buffer()
smime.sign(M2Buffer(content),
M2S.PKCS7_DETACHED | M2S.PKCS7_BINARY).write_der(pkcs7)
return pkcs7.read()
except M2EVPError, ex:
if re.search("ANY PRIVATE KEY", ex.message):
raise ValueError("Key file does not contain a private key")
raise ValueError("Signing failed. Wrong password?")
def decrypt_and_verify(self):
# Instantiate an SMIME object.
s = SMIME.SMIME()
# Load private key and cert.
s.load_key(recipient_key, recipient_cert)
# Load the signed/encrypted data.
p7, data = SMIME.smime_load_pkcs7('smime-m2-sign-encrypt.txt')
# After the above step, 'data' == None.
# Decrypt p7. 'out' now contains a PKCS #7 signed blob.
out = s.decrypt(p7)
# Load the signer's cert.
x509 = X509.load_cert(signer_cert)
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
# Load the signer's CA cert.
st = X509.X509_Store()
st.load_info(ca_cert)
s.set_x509_store(st)
# Recall 'out' contains a PKCS #7 blob.
# Transform 'out'; verify the resulting PKCS #7 blob.
p7_bio = BIO.MemoryBuffer(out)
p7, data = SMIME.smime_load_pkcs7_bio(p7_bio)
v = s.verify(p7)
print v
def verify_mdm_signature(mdm_sig, req_data):
'''Verify the client's supplied MDM signature and return the client certificate included in the signature.'''
p7_bio = BIO.MemoryBuffer(str(mdm_sig))
p7 = SMIME.load_pkcs7_bio(p7_bio)
p7_signers = p7.get0_signers(X509.X509_Stack())
mdm_ca = get_ca()
# can probably directly use m2 certificate here
ca_x509_bio = BIO.MemoryBuffer(mdm_ca.get_cacert().to_pem())
ca_x509 = X509.load_cert_bio(ca_x509_bio)
cert_store = X509.X509_Store()
cert_store.add_x509(ca_x509)
signer = SMIME.SMIME()
signer.set_x509_store(cert_store)
signer.set_x509_stack(p7_signers)
# NOTE: may need to do something special if we can't cleanly convert
# to string from Unicode. must be byte-accurate as the signature won't
# match otherwise
data_bio = BIO.MemoryBuffer(req_data)
# will raise an exception if verification fails
# if no CA certificate we get an:
# PKCS7_Error: certificate verify error
signer.verify(p7, data_bio)
return p7_signers[0].as_pem()
def encrypt_email_body(client: Client, args: Dict):
""" generate an S/MIME-encrypted message
Args:
client: Client
args: Dict
"""
message_body = args.get('message', '').encode('utf-8')
buf = makebuf(message_body)
x509 = X509.load_cert(client.public_key_file)
sk = X509.X509_Stack()
sk.push(x509)
client.smime.set_x509_stack(sk)
client.smime.set_cipher(SMIME.Cipher('des_ede3_cbc'))
p7 = client.smime.encrypt(buf)
out = BIO.MemoryBuffer()
client.smime.write(out, p7)
encrypted_message = out.read().decode('utf-8')
message = encrypted_message.split('\n\n')
headers = message[0]
new_headers = headers.replace(': ', '=').replace('\n', ',')
entry_context = {
'SMIME.Encrypted': {
'Message': encrypted_message,
'Headers': new_headers
}
}
return encrypted_message, entry_context
def _encrypt(self):
"""Use your key thing to encrypt things."""
from M2Crypto import BIO, SMIME, X509
CERT = self.settings.private_cert
PUB_CERT = self.settings.public_cert
PAYPAL_CERT = self.settings.paypal_cert
CERT_ID = self.settings.cert_id
# Iterate through the fields and pull out the ones that have a value.
plaintext = 'cert_id=%s' % CERT_ID
for name, value in self.items.iteritems():
plaintext += '\n%s=%s' % (name, value)
#plaintext = plaintext.encode('utf-8')
# Begin crypto weirdness.
s = SMIME.SMIME()
s.load_key_bio(BIO.openfile(CERT), BIO.openfile(PUB_CERT))
p7 = s.sign(BIO.MemoryBuffer(plaintext), flags=SMIME.PKCS7_BINARY)
x509 = X509.load_cert_bio(BIO.openfile(PAYPAL_CERT))
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
s.set_cipher(SMIME.Cipher('des_ede3_cbc'))
tmp = BIO.MemoryBuffer()
p7.write_der(tmp)
p7 = s.encrypt(tmp, flags=SMIME.PKCS7_BINARY)
out = BIO.MemoryBuffer()
p7.write(out)
return out.read()
def test_verify_with_static_callback(self):
s = SMIME.SMIME()
x509 = X509.load_cert('tests/signer.pem')
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
st = X509.X509_Store()
st.load_info('tests/ca.pem')
st.set_verify_cb(verify_cb_rejects_cert_from_heikki_toivonen)
s.set_x509_store(st)
p7, data = SMIME.smime_load_pkcs7_bio(self.signed)
self.assertIsInstance(p7, SMIME.PKCS7, p7)
# Should reject certificate issued by Heikki Toivonen:
with self.assertRaises(SMIME.PKCS7_Error):
s.verify(p7, data)
st.set_verify_cb(verify_cb_dummy_function)
v = s.verify(p7, data)
self.assertEqual(v, self.cleartext)
st.set_verify_cb()
v = s.verify(p7, data)
self.assertEqual(v, self.cleartext)
def verify(certificate_path, ca_certificate_path, sign_request_path, output):
certificate = None
try:
certificate = X509.load_cert(certificate_path)
except (X509.X509Error, IOError):
print('ERROR verify: Could not load certificate for verifying')
exit(1)
smime = SMIME.SMIME()
stack = X509.X509_Stack()
stack.push(certificate)
smime.set_x509_stack(stack)
store = X509.X509_Store()
store.load_info(ca_certificate_path)
smime.set_x509_store(store)
pks7, data = SMIME.smime_load_pkcs7(sign_request_path)
clear_text = smime.verify(pks7, data)
if not output:
output = path.abspath(path.curdir) + '/%s.csr' % DEFAULT_FIELDS['CN']
if clear_text:
request = X509.load_request_string(clear_text)
request.save(output)
print('Verification OK')
print('Request file was saved to %s' % output)
else:
print('Verification failed')
def test_encrypt(self):
buf = BIO.MemoryBuffer(self.cleartext)
s = SMIME.SMIME()
x509 = X509.load_cert('tests/recipient.pem')
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
with self.assertRaises(ValueError):
SMIME.Cipher('nosuchcipher')
s.set_cipher(SMIME.Cipher('des_ede3_cbc'))
p7 = s.encrypt(buf)
self.assertEqual(len(buf), 0)
self.assertEqual(p7.type(), SMIME.PKCS7_ENVELOPED, p7.type())
self.assertIsInstance(p7, SMIME.PKCS7, p7)
out = BIO.MemoryBuffer()
p7.write(out)
buf = out.read()
self.assertTrue(buf.startswith(b'-----BEGIN PKCS7-----'))
buf = buf.strip()
self.assertTrue(buf.endswith(b'-----END PKCS7-----'))
self.assertGreater(
len(buf),
len(b'-----END PKCS7-----') + len(b'-----BEGIN PKCS7-----'))
s.write(out, p7)
return out
def verify_signature_block(certificate_file, content_file, signature):
"""Verifies the 'signature' over the 'content', trusting the 'certificate'.
:param certificate_file: the trusted certificate (PEM format)
:type certificate_file: str
:param content_file: The signature should match this content
:type content_file: str
:param signature: data (DER format) subject to check
:type signature: str
:return: Error message, or None if the signature validates.
:rtype: str
"""
sig_bio = BIO.MemoryBuffer(signature)
pkcs7 = SMIME.PKCS7(m2.pkcs7_read_bio_der(sig_bio._ptr()), 1)
signers_cert_stack = pkcs7.get0_signers(X509.X509_Stack())
trusted_cert_store = X509.X509_Store()
trusted_cert_store.load_info(certificate_file)
smime = SMIME.SMIME()
smime.set_x509_stack(signers_cert_stack)
smime.set_x509_store(trusted_cert_store)
data_bio = BIO.openfile(content_file)
try:
smime.verify(pkcs7, data_bio)
except SMIME.PKCS7_Error, message:
return "Signature verification error: %s" % message
def create_stack(recipients):
# Getting the IDs of recipients
ids = [item for item in recipients]
# Getting a list of certificates (public keys)
public_keys = Certificate.query.with_entities(
Certificate.public,
Certificate.serial).filter(Certificate.id.in_(ids)).all()
# Creating the array of serial numbers
recipients = [item[1] for item in public_keys]
# Checking that keys are not empty
if len(public_keys) == 0:
return (None, 400, "Keys not found", [])
# Creating the BIOs
bios = []
for key in public_keys:
bios.append(BIO.MemoryBuffer(key.public.encode("utf-8")))
# Checking that we have at least one recipient
if len(bios) == 0:
return (None, 404, "Recipients not found", [])
# Creating the stack
stack = X509.X509_Stack()
for bio in bios:
stack.push(X509.load_cert_bio(bio))
return (stack, 200, "", recipients)
def encrypt_block(blob, pubkey):
"""
Encrypt the given blob of data, given the public key provided.
:return The encrypted blob.
"""
# Make a MemoryBuffer of the message.
inbuf = BIO.MemoryBuffer(blob)
# Seed the PRNG.
Rand.rand_seed(os.urandom(1024))
# Instantiate an SMIME object.
s = SMIME.SMIME()
# Load target cert to encrypt to.
x509 = X509.load_cert(pubkey)
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
# Set cipher: AES 256 bit in CBC mode.
s.set_cipher(SMIME.Cipher('aes_256_cbc'))
# Encrypt the buffer.
p7 = s.encrypt(inbuf)
temp_buff = BIO.MemoryBuffer()
s.write(temp_buff, p7)
x = temp_buff.read()
return x
def createSignature(hash, signingCertificatePkcs12,
signingCertificatePassword):
# see also in AM: src/crypto-lib/signature.cpp / Signature::create()
s = SMIME.SMIME()
# M2Crypto has no support for PKCS#12, so we have to use pyopenssl here
# to load the .p12. Since the internal structures are incompatible, we
# have to export from pyopenssl and import to M2Crypto via PEM BIOs.
pkcs12 = load_pkcs12(signingCertificatePkcs12, signingCertificatePassword)
signKey = BIO.MemoryBuffer(
dump_privatekey(FILETYPE_PEM, pkcs12.get_privatekey()))
signCert = BIO.MemoryBuffer(
dump_certificate(FILETYPE_PEM, pkcs12.get_certificate()))
caCerts = X509.X509_Stack()
if pkcs12.get_ca_certificates():
for cert in pkcs12.get_ca_certificates():
bio = BIO.MemoryBuffer(dump_certificate(FILETYPE_PEM, cert))
caCerts.push(X509.load_cert_bio(bio, X509.FORMAT_PEM))
bioHash = BIO.MemoryBuffer(hash)
s.load_key_bio(signKey, signCert)
s.set_x509_stack(caCerts)
signature = s.sign(bioHash, SMIME.PKCS7_DETACHED + SMIME.PKCS7_BINARY)
bioSignature = BIO.MemoryBuffer()
signature.write(bioSignature)
data = bioSignature.read_all()
return data
def test_encrypt(self):
buf = BIO.MemoryBuffer(self.cleartext)
s = SMIME.SMIME()
x509 = X509.load_cert('test/recipient.pem')
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
self.assertRaises(ValueError, SMIME.Cipher, 'nosuchcipher')
s.set_cipher(SMIME.Cipher('des_ede3_cbc'))
p7 = s.encrypt(buf)
assert len(buf) == 0
assert p7.type() == SMIME.PKCS7_ENVELOPED, p7.type()
assert isinstance(p7, SMIME.PKCS7), p7
out = BIO.MemoryBuffer()
p7.write(out)
buf = out.read()
assert buf[:len('-----BEGIN PKCS7-----')] == '-----BEGIN PKCS7-----'
buf = buf.strip()
assert buf[-len('-----END PKCS7-----'):] == '-----END PKCS7-----'
assert len(buf) > len('-----END PKCS7-----') + len('-----BEGIN PKCS7-----')
s.write(out, p7)
return out
def encrypt(data,
cert_path='/workspace/personal/python_test/keys/myCert.pem',
compact=True):
# Make a MemoryBuffer of the message.
buf = BIO.MemoryBuffer(data)
# Instantiate an SMIME object.
s = SMIME.SMIME()
# Load target cert to encrypt to.
x509 = X509.load_cert(cert_path)
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
# Set cipher: 3-key triple-DES in CBC mode.
s.set_cipher(SMIME.Cipher('des_ede3_cbc'))
# Encrypt the buffer.
p7 = s.encrypt(buf)
# Output p7 to a MemoryBuffer.
out = BIO.MemoryBuffer()
s.write(out, p7)
# Read output as string
output = out.read()
if compact:
# create a single line encrypted message
output = ''.join(output.split('\n')[5:])
return output
def _encrypt(self):
"""Use your key thing to encrypt things."""
from M2Crypto import BIO, SMIME, X509
# Iterate through the fields and pull out the ones that have a value.
plaintext = 'cert_id=%s\n' % self.cert_id
for name, field in self.fields.items():
value = None
if name in self.initial:
value = self.initial[name]
elif field.initial is not None:
value = field.initial
if value is not None:
plaintext += u'%s=%s\n' % (name, value)
plaintext = plaintext.encode('utf-8')
# Begin crypto weirdness.
s = SMIME.SMIME()
s.load_key_bio(BIO.openfile(self.private_cert), BIO.openfile(self.public_cert))
p7 = s.sign(BIO.MemoryBuffer(plaintext), flags=SMIME.PKCS7_BINARY)
x509 = X509.load_cert_bio(BIO.openfile(self.paypal_cert))
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
s.set_cipher(SMIME.Cipher('des_ede3_cbc'))
tmp = BIO.MemoryBuffer()
p7.write_der(tmp)
p7 = s.encrypt(tmp, flags=SMIME.PKCS7_BINARY)
out = BIO.MemoryBuffer()
p7.write(out)
return out.read().decode()
def test_signEncryptDecryptVerify(self):
# sign
buf = BIO.MemoryBuffer(self.cleartext)
s = SMIME.SMIME()
s.load_key('tests/signer_key.pem', 'tests/signer.pem')
p7 = s.sign(buf)
# encrypt
x509 = X509.load_cert('tests/recipient.pem')
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
s.set_cipher(SMIME.Cipher('des_ede3_cbc'))
tmp = BIO.MemoryBuffer()
s.write(tmp, p7)
p7 = s.encrypt(tmp)
signedEncrypted = BIO.MemoryBuffer()
s.write(signedEncrypted, p7)
# decrypt
s = SMIME.SMIME()
s.load_key('tests/recipient_key.pem', 'tests/recipient.pem')
p7, data = SMIME.smime_load_pkcs7_bio(signedEncrypted)
out = s.decrypt(p7)
# verify
x509 = X509.load_cert('tests/signer.pem')
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
st = X509.X509_Store()
st.load_info('tests/ca.pem')
s.set_x509_store(st)
p7_bio = BIO.MemoryBuffer(out)
p7, data = SMIME.smime_load_pkcs7_bio(p7_bio)
v = s.verify(p7)
self.assertEqual(v, self.cleartext)
def get_peer_cert_chain(self):
"""Return the peer certificate chain; if the peer did not provide
a certificate chain, return None."""
c = m2.ssl_get_peer_cert_chain(self.ssl)
if c is None:
return None
# No need to free the pointer coz OpenSSL does.
return X509.X509_Stack(c)
def show_signer(self):
""" List info about the signer that is in pkcs7 document"""
sk = X509.X509_Stack()
tempSt = self.__p7.get0_signers(sk)
ldb = ListDb(tempSt.pop(), tip=1)
ldb.per_info()
def smime_encrypt(raw_message, recipients):
if not get_bool_from_cfg('smime', 'cert_path'):
log("No valid path for S/MIME certs found in config file. S/MIME encryption aborted."
)
return recipients
cert_path = cfg['smime']['cert_path'] + "/"
s = SMIME.SMIME()
sk = X509.X509_Stack()
smime_to = list()
unsmime_to = list()
for addr in recipients:
cert_and_email = get_cert_for_email(addr, cert_path)
if not (cert_and_email is None):
(to_cert, normal_email) = cert_and_email
if verbose:
log("Found cert " + to_cert + " for " + addr + ": " +
normal_email)
smime_to.append(addr)
x509 = X509.load_cert(to_cert, format=X509.FORMAT_PEM)
sk.push(x509)
else:
unsmime_to.append(addr)
if smime_to != list():
s.set_x509_stack(sk)
s.set_cipher(SMIME.Cipher('aes_192_cbc'))
p7 = s.encrypt(BIO.MemoryBuffer(raw_message.as_string()))
# Output p7 in mail-friendly format.
out = BIO.MemoryBuffer()
out.write('From: ' + from_addr + '\n')
out.write('To: ' + raw_message['To'] + '\n')
if raw_message['Cc']:
out.write('Cc: ' + raw_message['Cc'] + '\n')
if raw_message['Bcc']:
out.write('Bcc: ' + raw_message['Bcc'] + '\n')
if raw_message['Subject']:
out.write('Subject: ' + raw_message['Subject'] + '\n')
if get_bool_from_cfg('default', 'add_header', 'yes'):
out.write('X-GPG-Mailgate: Encrypted by GPG Mailgate\n')
s.write(out, p7)
if verbose:
log("Sending message from " + from_addr + " to " + str(smime_to))
send_msg(out.read(), smime_to)
if unsmime_to != list():
if verbose:
log("Unable to find valid S/MIME certificates for " +
str(unsmime_to))
return unsmime_to
def run(self):
"""Run analysis.
@return: analysis results dict or None.
"""
if not os.path.exists(self.file_path):
return None
try:
self.pe = pefile.PE(self.file_path)
except pefile.PEFormatError:
return None
results = {}
results["peid_signatures"] = self._get_peid_signatures()
results["pe_imports"] = self._get_imported_symbols()
results["pe_exports"] = self._get_exported_symbols()
results["pe_dirents"] = self._get_directory_entries()
results["pe_sections"] = self._get_sections()
results["pe_overlay"] = self._get_overlay()
results["pe_resources"] = self._get_resources()
results["pe_versioninfo"] = self._get_versioninfo()
results["pe_imphash"] = self._get_imphash()
results["pe_timestamp"] = self._get_timestamp()
results["imported_dll_count"] = len(
[x for x in results["pe_imports"] if x.get("dll")])
if HAVE_CRYPTO:
address = self.pe.OPTIONAL_HEADER.DATA_DIRECTORY[
pefile.DIRECTORY_ENTRY[
'IMAGE_DIRECTORY_ENTRY_SECURITY']].VirtualAddress
#check if file is digitally signed
if address == 0:
return results
signature = self.pe.write()[address + 8:]
bio = BIO.MemoryBuffer(signature)
if bio:
swig_pkcs7 = m2.pkcs7_read_bio_der(bio.bio_ptr())
if swig_pkcs7:
p7 = SMIME.PKCS7(swig_pkcs7)
xst = p7.get0_signers(X509.X509_Stack())
results["digital_signer"] = {}
if xst:
for cert in xst:
sn = cert.get_serial_number()
subject_str = str(cert.get_subject())
cn = subject_str[subject_str.index("/CN=") +
len("/CN="):]
results["digital_signer"] = [{
"sn": str(sn),
"cn": cn
}]
return results
