    def test_verify_with_add_crls(self):
        """CRLs pushed through X509_Store_Context.add_crls() are honoured.

        With CRL checking enabled on the store, a certificate that is not
        listed in the CRL must verify and one that is listed must be
        rejected.
        """
        ca = X509.load_cert("tests/crl_data/certs/revoking_ca.pem")
        valid_cert = X509.load_cert('tests/crl_data/certs/valid_cert.pem')
        revoked_cert = X509.load_cert('tests/crl_data/certs/revoked_cert.pem')
        crl = X509.load_crl('tests/crl_data/certs/revoking_crl.pem')

        def verify_against_crl(cert):
            # A fresh store and context per certificate, so the two checks
            # cannot influence each other.  CRL_CHECK turns revocation
            # checking on; CRL_CHECK_ALL extends it beyond the leaf to the
            # whole chain (OpenSSL flag semantics).
            trust_store = X509.X509_Store()
            trust_store.add_x509(ca)
            trust_store.set_flags(X509.m2.X509_V_FLAG_CRL_CHECK |
                                  X509.m2.X509_V_FLAG_CRL_CHECK_ALL)
            crls = X509.CRL_Stack()
            crls.push(crl)
            ctx = X509.X509_Store_Context()
            ctx.init(trust_store, cert)
            ctx.add_crls(crls)
            return ctx.verify_cert()

        # Not listed in the CRL: verification succeeds.
        self.assertTrue(verify_against_crl(valid_cert))
        # Listed in the CRL: verification must fail.
        self.assertFalse(verify_against_crl(revoked_cert))
    def test_verify_with_add_crls(self):
        """CRLs pushed through X509_Store_Context.add_crls() are honoured.

        With CRL checking enabled on the store, a certificate that is not
        listed in the CRL must verify and one that is listed must be
        rejected.
        """
        ca = X509.load_cert("tests/crl_data/certs/revoking_ca.pem")
        valid_cert = X509.load_cert('tests/crl_data/certs/valid_cert.pem')
        revoked_cert = X509.load_cert('tests/crl_data/certs/revoked_cert.pem')
        crl = X509.load_crl('tests/crl_data/certs/revoking_crl.pem')

        def verify_against_crl(cert):
            # A fresh store and context per certificate, so the two checks
            # cannot influence each other.  CRL_CHECK turns revocation
            # checking on; CRL_CHECK_ALL extends it beyond the leaf to the
            # whole chain (OpenSSL flag semantics).
            trust_store = X509.X509_Store()
            trust_store.add_x509(ca)
            trust_store.set_flags(X509.m2.X509_V_FLAG_CRL_CHECK |
                                  X509.m2.X509_V_FLAG_CRL_CHECK_ALL)
            crls = X509.CRL_Stack()
            crls.push(crl)
            ctx = X509.X509_Store_Context()
            ctx.init(trust_store, cert)
            ctx.add_crls(crls)
            return ctx.verify_cert()

        # Not listed in the CRL: verification succeeds.
        self.assertTrue(verify_against_crl(valid_cert))
        # Listed in the CRL: verification must fail.
        self.assertFalse(verify_against_crl(revoked_cert))
    def test_verify(self):
        """A CRL's signature verifies only with the key of the CA that issued it."""
        issuing_ca = X509.load_cert("tests/crl_data/certs/revoking_ca.pem")
        crl = X509.load_crl('tests/crl_data/certs/revoking_crl.pem')
        # Signed by the issuing CA: must verify.
        self.assertTrue(crl.verify(issuing_ca.get_pubkey()))

        # An unrelated CA's key must be rejected; otherwise a CRL forged
        # by anyone would be accepted.
        unrelated_ca = X509.load_cert('tests/ca.pem')
        self.assertFalse(crl.verify(unrelated_ca.get_pubkey()))
    def test_verify(self):
        """A CRL's signature verifies only with the key of the CA that issued it."""
        issuing_ca = X509.load_cert("tests/crl_data/certs/revoking_ca.pem")
        crl = X509.load_crl('tests/crl_data/certs/revoking_crl.pem')
        # Signed by the issuing CA: must verify.
        self.assertTrue(crl.verify(issuing_ca.get_pubkey()))

        # An unrelated CA's key must be rejected; otherwise a CRL forged
        # by anyone would be accepted.
        unrelated_ca = X509.load_cert('tests/ca.pem')
        self.assertFalse(crl.verify(unrelated_ca.get_pubkey()))
 def test_malformed_data(self):
     """Every loader raises X509Error on garbage instead of returning a
     half-initialised object.

     'Hello' is neither PEM nor DER; tests/alltests.py exists but holds no
     certificate, request or CRL.
     """
     string_loaders = (
         X509.load_cert_string,
         X509.load_cert_der_string,
         X509.new_stack_from_der,
         X509.load_request_string,
         X509.load_request_der_string,
     )
     file_loaders = (
         X509.load_cert,
         X509.load_request,
         X509.load_crl,
     )
     for loader in string_loaders:
         with self.assertRaises(X509.X509Error):
             loader('Hello')
     for loader in file_loaders:
         with self.assertRaises(X509.X509Error):
             loader('tests/alltests.py')
 def test_malformed_data(self):
     """Every loader raises X509Error on garbage instead of returning a
     half-initialised object.

     'Hello' is neither PEM nor DER; tests/alltests.py exists but holds no
     certificate, request or CRL.
     """
     string_loaders = (
         X509.load_cert_string,
         X509.load_cert_der_string,
         X509.new_stack_from_der,
         X509.load_request_string,
         X509.load_request_der_string,
     )
     file_loaders = (
         X509.load_cert,
         X509.load_request,
         X509.load_crl,
     )
     for loader in string_loaders:
         with self.assertRaises(X509.X509Error):
             loader('Hello')
     for loader in file_loaders:
         with self.assertRaises(X509.X509Error):
             loader('tests/alltests.py')
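    def main(self, files):
        """Parse cached CRL download records and return per-entry metadata.

        Each element of ``files`` is a mapping with two paths: ``"meta"``,
        a small binary record describing the cached download, and
        ``"content"``, the raw CRL body.  The record is decoded with
        little-endian ``struct`` formats, in this order:

        * ``<L``  offset of the URL, relative to the end of this field
        * ``<2L`` two fields that are read but not used
        * ``<L``  byte length of the URL
        * ``<Q``  timestamp; when non-zero it is treated as a Windows
                  FILETIME (100 ns ticks since 1601-01-01) and converted
                  to whole Unix seconds

        The URL is UTF-16LE; the last code unit is dropped, which assumes a
        trailing NUL terminator — TODO confirm against the producer of
        these records.  Offset and length come from the file itself, i.e.
        from untrusted data; Python slicing is bounds-safe, so bogus values
        yield a short or empty URL rather than a fault.

        Returns ``{self.__class__.__name__: {"url1": {...}, ...}}``; every
        entry has ``timestamp`` and ``url``, and ``serial`` (the text after
        "X509v3 CRL Number:") only when the body parsed as a CRL.

        Raises ``struct.error`` if a metadata record is shorter than its
        24-byte header.  Failures while handling the CRL body are tolerated
        and only drop ``serial`` for that entry.
        """

        def crl_number(content_path):
            # M2Crypto's load_crl() reads a PEM *file*, so the cached body
            # is base64-armoured into a temp file first.  Returns the CRL
            # Number text or None when anything in the chain fails.
            tmp_name = None
            try:
                with open(content_path, "rb") as content_fd:
                    armoured = base64.b64encode(content_fd.read()).decode("ascii")
                pem_lines = ['-----BEGIN X509 CRL-----']
                pem_lines.extend(armoured[i:i + 64]
                                 for i in range(0, len(armoured), 64))
                pem_lines.append('-----END X509 CRL-----')
                pem_lines.append('')
                tmp = tempfile.NamedTemporaryFile(delete=False)
                tmp_name = tmp.name
                tmp.write("\n".join(pem_lines).encode("ascii"))
                tmp.close()
                crl = X509.load_crl(tmp_name)
                text = [line.strip() for line in crl.as_text().splitlines()]
                return text[text.index('X509v3 CRL Number:') + 1]
            except Exception:
                # Best effort, as before: a corrupt or non-CRL body must not
                # abort the run.  Narrowed from a bare except so that
                # KeyboardInterrupt / SystemExit still propagate.
                return None
            finally:
                # Previously the temp file leaked whenever load_crl() or
                # the text lookup raised; always remove it.
                if tmp_name is not None and os.path.exists(tmp_name):
                    os.unlink(tmp_name)

        values = {}
        for index, entry in enumerate(files, start=1):
            # Binary mode so struct sees the raw bytes on every platform.
            with open(entry["meta"], "rb") as meta_fd:
                data = meta_fd.read()

            off = 0
            url_offset = struct.unpack_from("<L", data, off)[0]
            off += struct.calcsize("<L")
            url_offset += off  # relative to the end of the offset field

            struct.unpack_from("<2L", data, off)  # present but unused
            off += struct.calcsize("<2L")

            url_length = struct.unpack_from("<L", data, off)[0]
            off += struct.calcsize("<L")

            tstamp = struct.unpack_from("<Q", data, off)[0]

            url = data[url_offset:url_offset + url_length].decode("UTF-16LE")[:-1]

            if tstamp > 0:
                # FILETIME -> Unix epoch: 10^7 ticks per second, then the
                # 11644473600 s between 1601-01-01 and 1970-01-01.  Floor
                # division keeps the integer-seconds result the original
                # produced under Python 2.
                tstamp //= 10000000
                tstamp -= 11644473600

            serial = crl_number(entry["content"])

            values["url%d" % index] = {'timestamp': tstamp, 'url': url}
            if serial is not None:
                values["url%d" % index]['serial'] = serial
        return {self.__class__.__name__: values}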
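    def main(self, files):
        """Parse cached CRL download records and return per-entry metadata.

        Each element of ``files`` is a mapping with two paths: ``"meta"``,
        a small binary record describing the cached download, and
        ``"content"``, the raw CRL body.  The record is decoded with
        little-endian ``struct`` formats, in this order:

        * ``<L``  offset of the URL, relative to the end of this field
        * ``<2L`` two fields that are read but not used
        * ``<L``  byte length of the URL
        * ``<Q``  timestamp; when non-zero it is treated as a Windows
                  FILETIME (100 ns ticks since 1601-01-01) and converted
                  to whole Unix seconds

        The URL is UTF-16LE; the last code unit is dropped, which assumes a
        trailing NUL terminator — TODO confirm against the producer of
        these records.  Offset and length come from the file itself, i.e.
        from untrusted data; Python slicing is bounds-safe, so bogus values
        yield a short or empty URL rather than a fault.

        Returns ``{self.__class__.__name__: {"url1": {...}, ...}}``; every
        entry has ``timestamp`` and ``url``, and ``serial`` (the text after
        "X509v3 CRL Number:") only when the body parsed as a CRL.

        Raises ``struct.error`` if a metadata record is shorter than its
        24-byte header.  Failures while handling the CRL body are tolerated
        and only drop ``serial`` for that entry.
        """

        def crl_number(content_path):
            # M2Crypto's load_crl() reads a PEM *file*, so the cached body
            # is base64-armoured into a temp file first.  Returns the CRL
            # Number text or None when anything in the chain fails.
            tmp_name = None
            try:
                with open(content_path, "rb") as content_fd:
                    armoured = base64.b64encode(content_fd.read()).decode("ascii")
                pem_lines = ['-----BEGIN X509 CRL-----']
                pem_lines.extend(armoured[i:i + 64]
                                 for i in range(0, len(armoured), 64))
                pem_lines.append('-----END X509 CRL-----')
                pem_lines.append('')
                tmp = tempfile.NamedTemporaryFile(delete=False)
                tmp_name = tmp.name
                tmp.write("\n".join(pem_lines).encode("ascii"))
                tmp.close()
                crl = X509.load_crl(tmp_name)
                text = [line.strip() for line in crl.as_text().splitlines()]
                return text[text.index('X509v3 CRL Number:') + 1]
            except Exception:
                # Best effort, as before: a corrupt or non-CRL body must not
                # abort the run.  Narrowed from a bare except so that
                # KeyboardInterrupt / SystemExit still propagate.
                return None
            finally:
                # Previously the temp file leaked whenever load_crl() or
                # the text lookup raised; always remove it.
                if tmp_name is not None and os.path.exists(tmp_name):
                    os.unlink(tmp_name)

        values = {}
        for index, entry in enumerate(files, start=1):
            # Binary mode so struct sees the raw bytes on every platform.
            with open(entry["meta"], "rb") as meta_fd:
                data = meta_fd.read()

            off = 0
            url_offset = struct.unpack_from("<L", data, off)[0]
            off += struct.calcsize("<L")
            url_offset += off  # relative to the end of the offset field

            struct.unpack_from("<2L", data, off)  # present but unused
            off += struct.calcsize("<2L")

            url_length = struct.unpack_from("<L", data, off)[0]
            off += struct.calcsize("<L")

            tstamp = struct.unpack_from("<Q", data, off)[0]

            url = data[url_offset:url_offset + url_length].decode("UTF-16LE")[:-1]

            if tstamp > 0:
                # FILETIME -> Unix epoch: 10^7 ticks per second, then the
                # 11644473600 s between 1601-01-01 and 1970-01-01.  Floor
                # division keeps the integer-seconds result the original
                # produced under Python 2.
                tstamp //= 10000000
                tstamp -= 11644473600

            serial = crl_number(entry["content"])

            values["url%d" % index] = {'timestamp': tstamp, 'url': url}
            if serial is not None:
                values["url%d" % index]['serial'] = serial
        return {self.__class__.__name__: values}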
    def test_get_issuer(self):
        """The CRL's issuer name hashes like the issuing CA's issuer name.

        NOTE(review): this only holds if revoking_ca.pem is self-signed
        (issuer == subject), which the fixture presumably is.
        """
        ca = X509.load_cert("tests/crl_data/certs/revoking_ca.pem")
        crl = X509.load_crl('tests/crl_data/certs/revoking_crl.pem')
        expected_hash = ca.get_issuer().as_hash()
        actual_hash = crl.get_issuer().as_hash()
        self.assertEqual(expected_hash, actual_hash)

        # An unrelated CA must not collide with the CRL's issuer hash.
        wrong_ca = X509.load_cert('tests/ca.pem')
        self.assertNotEqual(wrong_ca.get_issuer().as_hash(), actual_hash)
    def test_get_issuer(self):
        """The CRL's issuer name hashes like the issuing CA's issuer name.

        NOTE(review): this only holds if revoking_ca.pem is self-signed
        (issuer == subject), which the fixture presumably is.
        """
        ca = X509.load_cert("tests/crl_data/certs/revoking_ca.pem")
        crl = X509.load_crl('tests/crl_data/certs/revoking_crl.pem')
        expected_hash = ca.get_issuer().as_hash()
        actual_hash = crl.get_issuer().as_hash()
        self.assertEqual(expected_hash, actual_hash)

        # An unrelated CA must not collide with the CRL's issuer hash.
        wrong_ca = X509.load_cert('tests/ca.pem')
        self.assertNotEqual(wrong_ca.get_issuer().as_hash(), actual_hash)
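    def get_crl_stack(self, issuer_hash, crl_dir=None):
        """Collect the on-disk CRLs filed under an issuer's name hash.

        @param issuer_hash: Hash value of the issuing certificate
        @type  issuer_hash: unsigned long

        @param crl_dir: Path to search for CRLs, default is None which defaults
                        to configuration file parameter
        @type  crl_dir: str

        @return CRL_Stack of any CRLs issued by the issuer_hash
        @rtype: CRL_Stack: M2Crypto.X509.CRL_Stack

        Files are selected by NAME only, ``<issuer_hash as hex>.r*``
        (presumably the OpenSSL hashed-directory layout).  Nothing here
        checks the CRL signatures, so the returned stack is untrusted until
        it is verified against the issuer, e.g. by an X509_Store with CRL
        checking enabled.  A file that fails to load is logged and skipped
        rather than aborting the lookup; a missing directory yields an
        empty stack.
        """
        crl_stack = X509.CRL_Stack()
        if not crl_dir:
            crl_dir = self._crl_directory()
        if os.path.exists(crl_dir):
            # "%x": lower-case hex without padding, as in the original glob.
            search_path = os.path.join(crl_dir, "%x.r*" % issuer_hash)
            for crl_path in glob(search_path):
                try:
                    crl_stack.push(X509.load_crl(crl_path))
                except Exception:
                    # Narrowed from a bare except so KeyboardInterrupt and
                    # SystemExit still propagate; lazy %-args for the logger.
                    LOG.exception("Unable to load CRL file: %s", crl_path)
        return crl_stack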
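    def load_ca_crl(self, filename):
        """Load a PEM CRL and record its revoked serials for the issuing CA.

        The CRL is scraped from ``X509.load_crl(filename).as_text()``
        (OpenSSL's ``-text`` layout): the "Issuer:", "Last Update:" and
        "Next Update:" header lines, then every "Serial Number:" line of
        the revoked-certificates section up to the trailing
        "Signature Algorithm:" line.

        On success ``self.ca[issuer]`` receives ``.crl`` (set of int
        serials), ``.crl_created`` and ``.crl_expires`` (values returned by
        ``parse_crl_date``) and True is returned.  False is returned when
        the text is not a CRL, the issuer is missing or not a known CA
        namespace, either date is missing, the CRL is dated in the future,
        or it has already expired.

        NOTE(review): the CRL signature is never verified against the CA's
        key, so any CRL that merely names a known issuer is accepted —
        verify it (``crl.verify(ca_pubkey)``) before calling this.  Also,
        ``.crl`` / ``.crl_created`` / ``.crl_expires`` are assigned before
        the date checks, so a future-dated or expired CRL still replaces
        the stored list even though False is returned (original behaviour,
        kept unchanged here).

        Fix: the CRL dates are GMT, so the clock they are compared with
        must be UTC.  The previous ``datetime.now()`` compared local time
        with GMT and was off by the machine's UTC offset.
        """
        crltext = str(X509.load_crl(filename).as_text())
        lines = crltext.split('\n')
        if 'Certificate Revocation List (CRL):' != lines[0]:
            return False

        # Literal prefixes at the indentation OpenSSL prints; a compiled
        # regex .match() on a literal is the same test as startswith().
        issuer_prefix = '        Issuer: '
        created_prefix = '        Last Update: '
        expires_prefix = '        Next Update: '
        serial_prefix = '    Serial Number: '
        signature_prefix = '    Signature Algorithm: '
        revoked_headers = ('Revoked Certificates:', 'No Revoked Certificates.')

        issuer = None
        crl_update_created = None
        crl_update_expires = None
        revoked_serials = set()
        section = 0  # 0 = header, 1 = revoked entries, 2 = signature (ignored)
        for line in lines:
            if section == 0:
                if line.startswith(issuer_prefix):
                    issuer = line[len(issuer_prefix):].strip()
                    continue
                if line.startswith(created_prefix):
                    crl_update_created = parse_crl_date(
                        line[len(created_prefix):].strip())
                    continue
                if line.startswith(expires_prefix):
                    crl_update_expires = parse_crl_date(
                        line[len(expires_prefix):].strip())
                    continue
                if line.startswith(revoked_headers):
                    section = 1
                    continue
            if section == 1:
                if line.startswith(serial_prefix):
                    # OpenSSL prints serials in hex.
                    revoked_serials.add(
                        int(line[len(serial_prefix):].strip(), 16))
                if line.startswith(signature_prefix):
                    section = 2
                    continue
            # section 2: nothing further of interest.

        if issuer is None:
            self.logger.warning("CRL Issuer not found:%s" % (filename))
            return False
        if issuer not in self.ca:
            self.logger.debug("Namespace for Issuer '%s' does not exist:%s" %
                              (issuer, filename))
            return False
        self.ca[issuer].crl = revoked_serials
        self.ca[issuer].crl_created = crl_update_created
        self.ca[issuer].crl_expires = crl_update_expires
        if crl_update_created is None:
            self.logger.warning("CRL creation date not found:%s:%s" %
                                (filename, issuer))
            return False
        if crl_update_expires is None:
            self.logger.warning("CRL expiry date not found:%s:%s" %
                                (filename, issuer))
            return False
        # CRL dates are GMT: compare against a UTC clock, not local time.
        now = datetime.datetime.utcnow()
        if now <= crl_update_created:
            self.logger.debug("CRL created in the future :%s:%s" %
                              (filename, issuer))
            return False
        if now >= crl_update_expires:
            self.logger.info("at %s the CRL expired:%s:%s" %
                             (crl_update_expires, filename, issuer))
            return False
        return True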
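    def load_ca_crl(self, filename):
        """Load a PEM CRL and record its revoked serials for the issuing CA.

        The CRL is scraped from ``X509.load_crl(filename).as_text()``
        (OpenSSL's ``-text`` layout): the "Issuer:", "Last Update:" and
        "Next Update:" header lines, then every "Serial Number:" line of
        the revoked-certificates section up to the trailing
        "Signature Algorithm:" line.

        On success ``self.ca[issuer]`` receives ``.crl`` (set of int
        serials), ``.crl_created`` and ``.crl_expires`` (values returned by
        ``parse_crl_date``) and True is returned.  False is returned when
        the text is not a CRL, the issuer is missing or not a known CA
        namespace, either date is missing, the CRL is dated in the future,
        or it has already expired.  The dates are GMT, hence ``utcnow``.

        NOTE(review): the CRL signature is never verified against the CA's
        key, so any CRL that merely names a known issuer is accepted —
        verify it (``crl.verify(ca_pubkey)``) before calling this.  Also,
        ``.crl`` / ``.crl_created`` / ``.crl_expires`` are assigned before
        the date checks, so a future-dated or expired CRL still replaces
        the stored list even though False is returned (original behaviour,
        kept unchanged here).

        Fix: the "No Revoked Certificates." marker was matched with an
        unescaped regex "." (any character); it is now a literal prefix.
        """
        crltext = str(X509.load_crl(filename).as_text())
        lines = crltext.split('\n')
        if 'Certificate Revocation List (CRL):' != lines[0]:
            return False

        # Literal prefixes at the indentation OpenSSL prints; a compiled
        # regex .match() on a literal is the same test as startswith().
        issuer_prefix = '        Issuer: '
        created_prefix = '        Last Update: '
        expires_prefix = '        Next Update: '
        serial_prefix = '    Serial Number: '
        signature_prefix = '    Signature Algorithm: '
        revoked_headers = ('Revoked Certificates:', 'No Revoked Certificates.')

        issuer = None
        crl_update_created = None
        crl_update_expires = None
        revoked_serials = set()
        section = 0  # 0 = header, 1 = revoked entries, 2 = signature (ignored)
        for line in lines:
            if section == 0:
                if line.startswith(issuer_prefix):
                    issuer = line[len(issuer_prefix):].strip()
                    continue
                if line.startswith(created_prefix):
                    crl_update_created = parse_crl_date(
                        line[len(created_prefix):].strip())
                    continue
                if line.startswith(expires_prefix):
                    crl_update_expires = parse_crl_date(
                        line[len(expires_prefix):].strip())
                    continue
                if line.startswith(revoked_headers):
                    section = 1
                    continue
            if section == 1:
                if line.startswith(serial_prefix):
                    # OpenSSL prints serials in hex.
                    revoked_serials.add(
                        int(line[len(serial_prefix):].strip(), 16))
                if line.startswith(signature_prefix):
                    section = 2
                    continue
            # section 2: nothing further of interest.

        if issuer is None:
            self.logger.warning("CRL Issuer not found:%s" % (filename))
            return False
        if issuer not in self.ca:
            self.logger.debug("Namespace for Issuer '%s' does not exist:%s" %
                              (issuer, filename))
            return False
        self.ca[issuer].crl = revoked_serials
        self.ca[issuer].crl_created = crl_update_created
        self.ca[issuer].crl_expires = crl_update_expires
        if crl_update_created is None:
            self.logger.warning("CRL creation date not found:%s:%s" %
                                (filename, issuer))
            return False
        if crl_update_expires is None:
            self.logger.warning("CRL expiry date not found:%s:%s" %
                                (filename, issuer))
            return False
        # CRL dates are GMT: compare against a UTC clock, not local time.
        now = datetime.datetime.utcnow()
        if now <= crl_update_created:
            self.logger.debug("CRL created in the future :%s:%s" %
                              (filename, issuer))
            return False
        if now >= crl_update_expires:
            self.logger.info("at %s the CRL expired:%s:%s" %
                             (crl_update_expires, filename, issuer))
            return False
        return True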
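 def test_get_next_update(self):
     """get_nextUpdate() renders the CRL's nextUpdate field as text in the
     "Mon DD HH:MM:SS YYYY GMT" form shown by the expected value."""
     expected_next_update = "Jan 18 16:55:58 2015 GMT"
     crl = X509.load_crl('tests/crl_data/certs/revoking_crl.pem')
     # assertEqual: the assertEquals alias is deprecated and was removed
     # in Python 3.12.
     self.assertEqual(str(crl.get_nextUpdate()), expected_next_update)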
 def test_load_crl(self):
     """Loading a PEM CRL from disk yields an X509.CRL instance."""
     loaded = X509.load_crl('tests/crl_data/certs/revoking_crl.pem')
     self.assertIsInstance(loaded, X509.CRL)
     self.assertIsNotNone(loaded)
 def test_load_crl(self):
     """Loading a PEM CRL from disk yields an X509.CRL instance."""
     loaded = X509.load_crl('tests/crl_data/certs/revoking_crl.pem')
     self.assertIsInstance(loaded, X509.CRL)
     self.assertIsNotNone(loaded)
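 def test_get_next_update(self):
     """get_nextUpdate() renders the CRL's nextUpdate field as text in the
     "Mon DD HH:MM:SS YYYY GMT" form shown by the expected value."""
     expected_next_update = "Jan 18 16:55:58 2015 GMT"
     crl = X509.load_crl('tests/crl_data/certs/revoking_crl.pem')
     # assertEqual: the assertEquals alias is deprecated and was removed
     # in Python 3.12.
     self.assertEqual(str(crl.get_nextUpdate()), expected_next_update)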
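# get0_signers() fills this stack with the signer certificates carried in
# the PKCS#7 blob itself.  Nothing in this snippet has verified the
# signature yet, so treat them as untrusted input.
sk = X509.X509_Stack()
# Load the data, verify it.
p7, data = SMIME.smime_load_pkcs7('bill')
stack = p7.get0_signers(sk)

# Print subject / serial / issuer of each signer; pop() yields None once
# the stack is exhausted.  (print() form works on Python 2 and 3.)
while True:
    one = stack.pop()
    if one is None:
        break
    print(one.get_subject())
    print(one.get_serial_number())
    print(one.get_issuer())

# The ".r0" file is loaded as a CRL and the ".0" file below as the CA
# certificate — presumably OpenSSL's hashed-directory naming.
crl = X509.load_crl('/etc/grid-security/certificates/dd4b34ea.r0')
print(crl.as_text())

s = SMIME.SMIME()

x509c = X509.load_cert('/etc/grid-security/certificates/dd4b34ea.0')
sk = X509.X509_Stack()
sk.push(x509c)
s.set_x509_stack(sk)

# Load the signer's CA cert. In this case, because the signer's
# cert is self-signed, it is the signer's cert itself.
st = X509.X509_Store()
st.load_info('/etc/grid-security/certificates/dd4b34ea.0')
# NOTE(review): the store is built but never attached to the SMIME object
# (s.set_x509_store(st)), the loaded CRL is never added to it, and
# s.verify(p7, data) is not called in this snippet — confirm the remainder
# of the script does so, otherwise neither signature nor revocation is
# actually checked.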
        if self.check:
            if self.ca:
                logger.debug("Load certificate authority (%s) file" % self.ca)
                ok = context.load_verify_locations(self.encodeFilename(self.ca))
                if not ok:
                    raise SSLConfigError(
                        tr("Unable to open the certificate authority: %s")
                        % self.ca)
            else:
                logger.info("Warning: No certificate authority")

            if self.crl:
                logger.debug("Load certificate revokation list (%s) file" % self.crl)
                try:
                    crl = X509.load_crl(self.crl)
                except Exception, err:
                    raise SSLConfigError(
                        tr("Unable to open the certificate revokation list: %s")
                        % exceptionAsUnicode(err))
                cert_store = context.get_cert_store()
                try:
                    cert_store.add_crl(crl)
                    cert_store.set_flags(m2.X509_V_FLAG_CRL_CHECK)
                except AttributeError:
                    logger.error("Your m2crypto version doesn't support CRL")
            else:
                logger.info("Warning: No certificate revokation list")

            logger.info("Check SSL peer certificate using M2Crypto")
            mode = SSL.verify_peer
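# get0_signers() fills this stack with the signer certificates carried in
# the PKCS#7 blob itself.  Nothing in this snippet has verified the
# signature yet, so treat them as untrusted input.
sk = X509.X509_Stack()
# Load the data, verify it.
p7, data = SMIME.smime_load_pkcs7('bill')
stack = p7.get0_signers(sk)

# Print subject / serial / issuer of each signer; pop() yields None once
# the stack is exhausted.  (print() form works on Python 2 and 3.)
while True:
    one = stack.pop()
    if one is None:
        break
    print(one.get_subject())
    print(one.get_serial_number())
    print(one.get_issuer())

# The ".r0" file is loaded as a CRL and the ".0" file below as the CA
# certificate — presumably OpenSSL's hashed-directory naming.
crl = X509.load_crl('/etc/grid-security/certificates/dd4b34ea.r0')
print(crl.as_text())

# Instantiate an SMIME object.
s = SMIME.SMIME()

x509c = X509.load_cert('/etc/grid-security/certificates/dd4b34ea.0')
sk = X509.X509_Stack()
sk.push(x509c)
s.set_x509_stack(sk)

# Load the signer's CA cert. In this case, because the signer's
# cert is self-signed, it is the signer's cert itself.
st = X509.X509_Store()
st.load_info('/etc/grid-security/certificates/dd4b34ea.0')
# NOTE(review): the store is built but never attached to the SMIME object
# (s.set_x509_store(st)), the loaded CRL is never added to it, and
# s.verify(p7, data) is not called in this snippet — confirm the remainder
# of the script does so, otherwise neither signature nor revocation is
# actually checked.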