def checkCertificates(self, certs):
certs = json.loads(certs)
depth = len(certs.keys())
leaf = crypto.load_certificate(crypto.FILETYPE_PEM,
certs[str(depth - 1)])
intermediates = []
for i in range(1, depth - 1):
intermediates.append(
crypto.load_certificate(crypto.FILETYPE_PEM, certs[str(i)]))
bad_store = crypto.X509Store()
# add the AC root
f = open('AC.pem')
acCert = f.read()
f.close()
bad_store.add_cert(crypto.load_certificate(crypto.FILETYPE_PEM,
acCert))
for intermediate in intermediates:
bad_store.add_cert(intermediate)
bad_store_ctx = crypto.X509StoreContext(bad_store, leaf)
try:
bad_store_ctx.verify_certificate()
print("== CHAIN IS VALID ==")
except Exception as e:
print("== CHAIN FAILED VALIDATION ==")
return False
return True
def verify_certificate_chain(cert_str, trusted_certs, ignore_self_signed=True):
""" Verify a given certificate against a trust store"""
# Load the certificate
certificate = crypto.load_certificate(crypto.FILETYPE_ASN1, cert_str)
# Create a certificate store and add your trusted certs
try:
store = crypto.X509Store()
if ignore_self_signed:
store.add_cert(certificate)
# Assuming the certificates are in PEM format in a trusted_certs list
for _cert in trusted_certs:
store.add_cert(crypto.load_certificate(crypto.FILETYPE_ASN1,
_cert))
# Create a certificate context using the store and the certificate
store_ctx = crypto.X509StoreContext(store, certificate)
# Verify the certificate, returns None if certificate is not valid
store_ctx.verify_certificate()
return True
except crypto.X509StoreContextError as e:
raise AS2Exception('Partner Certificate Invalid: %s' % e.args[-1][-1])
def test_new(self):
cert = self._create_cert()
self.assertNotEqual(cert.certificate, '')
self.assertNotEqual(cert.private_key, '')
x509 = cert.x509
self.assertEqual(x509.get_serial_number(), cert.serial_number)
subject = x509.get_subject()
# check subject
self.assertEqual(subject.countryName, cert.country_code)
self.assertEqual(subject.stateOrProvinceName, cert.state)
self.assertEqual(subject.localityName, cert.city)
self.assertEqual(subject.organizationName, cert.organization_name)
self.assertEqual(subject.emailAddress, cert.email)
self.assertEqual(subject.commonName, cert.common_name)
# check issuer
issuer = x509.get_issuer()
ca = cert.ca
self.assertEqual(issuer.countryName, ca.country_code)
self.assertEqual(issuer.stateOrProvinceName, ca.state)
self.assertEqual(issuer.localityName, ca.city)
self.assertEqual(issuer.organizationName, ca.organization_name)
self.assertEqual(issuer.emailAddress, ca.email)
self.assertEqual(issuer.commonName, ca.common_name)
# check signature
store = crypto.X509Store()
store.add_cert(ca.x509)
store_ctx = crypto.X509StoreContext(store, cert.x509)
store_ctx.verify_certificate()
# ensure version is 3 (indexed 0 based counting)
self.assertEqual(x509.get_version(), 2)
# basic constraints
e = cert.x509.get_extension(0)
self.assertEqual(e.get_critical(), 0)
self.assertEqual(e.get_short_name().decode(), 'basicConstraints')
self.assertEqual(e.get_data(), b'0\x00')
def load_ssl_certs(ssl_cert_path):
"""Opens, validates, and returns a dict containing one or more SSL certificates.
Self-signed certs will check out fine. Cert chain order will not be checked here.
Args:
ssl_cert_path (str): Possibly empty path to SSL certificate
Returns:
(SslCertFileResult, [certificates]): the result of the test and the actual certificate data
"""
if not ssl_cert_path:
return SslCertFileResult(False, ssl_cert_path), None
try:
with open(ssl_cert_path) as fd:
cert_input = fd.read()
if _contains_truncated_certs(cert_input):
raise Exception(
"Certificate at {0} contains a mismatched number of BEGIN and END CERTIFICATE lines. "
"Please re-check your certificate to make sure all contained certificates begin with "
"'-----BEGIN CERTIFICATE-----' and end with '-----END CERTIFICATE-----'."
.format(ssl_cert_path))
ssl_certs = load_ca_bundle(cert_input)
cert_store = crypto.X509Store()
for cert in ssl_certs:
cert_store.add_cert(cert)
cert_context = crypto.X509StoreContext(cert_store, ssl_certs[0])
cert_context.verify_certificate()
return SslCertFileResult(True, ssl_cert_path), ssl_certs
except Exception as e: # can be IOError, crypto.Error, and possibly others
return SslCertFileResult(False, ssl_cert_path, exception=e), None
def create_cert_store():
"""
Create the Certificate Store to use for Validation
"""
trust_chain1 = crypto.load_certificate(crypto.FILETYPE_PEM, TRUST_CHAIN_PEM1)
trust_chain2 = crypto.load_certificate(crypto.FILETYPE_PEM, TRUST_CHAIN_PEM2)
trust_chain3 = crypto.load_certificate(crypto.FILETYPE_PEM, TRUST_CHAIN_PEM3)
trust_chain4 = crypto.load_certificate(crypto.FILETYPE_PEM, TRUST_CHAIN_PEM4)
trust_chain5 = crypto.load_certificate(crypto.FILETYPE_PEM, TRUST_CHAIN_PEM5)
trust_chain6 = crypto.load_certificate(crypto.FILETYPE_PEM, TRUST_CHAIN_PEM6)
trust_chain7 = crypto.load_certificate(crypto.FILETYPE_PEM, TRUST_CHAIN_PEM7)
trust_chain8 = crypto.load_certificate(crypto.FILETYPE_PEM, TRUST_CHAIN_PEM8)
trust_chain9 = crypto.load_certificate(crypto.FILETYPE_PEM, TRUST_CHAIN_PEM9)
trust_chain10 = crypto.load_certificate(crypto.FILETYPE_PEM, TRUST_CHAIN_PEM10)
trust_chain11 = crypto.load_certificate(crypto.FILETYPE_PEM, TRUST_CHAIN_PEM11)
trust_chain12 = crypto.load_certificate(crypto.FILETYPE_PEM, TRUST_CHAIN_PEM12)
store = crypto.X509Store()
store.add_cert(trust_chain1)
store.add_cert(trust_chain2)
store.add_cert(trust_chain3)
store.add_cert(trust_chain4)
store.add_cert(trust_chain5)
store.add_cert(trust_chain6)
store.add_cert(trust_chain7)
store.add_cert(trust_chain8)
store.add_cert(trust_chain9)
store.add_cert(trust_chain10)
store.add_cert(trust_chain11)
store.add_cert(trust_chain12)
return store
def verify_certificate(self, cert_pem):
'''
Verifies whether a provided Portuguese Citizenship Card Certificate is valid
:param cert_pem: The to-be validated certificate
:return: True or False
'''
certificate = crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
# Create and fill a X509Sore with trusted certs
store = crypto.X509Store()
path = "./certs_dev/"
for c in os.listdir(path):
pem = open(path + c, 'r').read()
store.add_cert(crypto.load_certificate(crypto.FILETYPE_PEM, pem))
# Now we add the crls to the X509 store
#crl = crypto.load_crl(crypto.FILETYPE_PEM, CRL_CERTS)
#store.add_crl(crl)
context = crypto.X509StoreContext(store, certificate)
context.set_store(store)
# Create a X590StoreContext with the cert and trusted certs
# and verify the the chain of trust
# verify_certificate() returns None if certificate can be validated
valid = False
try:
valid = context.verify_certificate()
except crypto.X509StoreContextError as e:
print e.message
print e.certificate.get_subject()
else:
valid = True
return valid
def verify(cert, trusted_certs):
store = crypto.X509Store()
# Obtenemos los certificados del fichero a analizar
# El primero asumimos que es el que queremos analizar
# El resto se pasan como autoridades certificadoras
certificates = read_cert(cert)
certificate = certificates.pop(0)
for c in certificates:
print(
"Pasando un certificado del fichero a analizar como autoridad certificadora"
)
store.add_cert(c)
# Puede que un trusted_certs este compuesto por varios certs
for tc in trusted_certs:
for c in read_cert(tc):
store.add_cert(c)
# Create a X590StoreContext with the cert and trusted certs
# and verify the the chain of trust
store_ctx = crypto.X509StoreContext(store, certificate)
# Returns None if certificate can be validated
try:
result = store_ctx.verify_certificate()
except crypto.X509StoreContextError:
return False
return True
def validate(self, certificate0, certificate1, certificate2):
#cert = x509.load_pem_x509_certificate(str.encode(certificate[0]), default_backend())
self.certificate = []
self.certificate.append(certificate0)
self.certificate.append(certificate1)
self.certificate.append(certificate2)
cert1 = crypto.load_certificate(crypto.FILETYPE_PEM, certificate0)
clientIssuer = str(cert1.get_issuer())
IntermediateIssuer = "<X509Name object '/C=US/ST=MD/L=Baltimore/O=JHUNetworkSecurityFall2017/OU=PETF/CN=20174.1.666/[email protected]'>"
if clientIssuer == IntermediateIssuer:
print("Issuer verified.")
try:
cert_store = crypto.X509Store()
certpub = crypto.load_certificate(crypto.FILETYPE_PEM,
certificate1)
certroot = crypto.load_certificate(crypto.FILETYPE_PEM,
certificate2)
cert_store.add_cert(certpub)
cert_store.add_cert(certroot)
print("Client certificates added to the trust store.")
store_ctx = crypto.X509StoreContext(cert_store, cert1)
store_ctx.verify_certificate()
return True
except Exception as e:
print(e)
return True
def verify_certificate_chain(cert_path, trusted_certs):
# Download the certificate from the url and load the certificate
certificate = _load_certificate(cert_path)
logging.debug(trusted_certs)
# Create a certificate store and add your trusted certs
try:
store = crypto.X509Store()
# Assuming the certificates are in PEM format in a trusted_certs list
for _cert in trusted_certs:
logging.debug(_cert)
client_certificate = _load_certificate(_cert)
store.add_cert(client_certificate)
# Create a certificate context using the store and the downloaded certificate
store_ctx = crypto.X509StoreContext(store, certificate)
# Verify the certificate, returns None if it can validate the certificate
logging.debug(store_ctx.verify_certificate())
return True
except Exception as e:
print(e)
return False
def registerOrdererAdminTuple(self, userName, ordererName,
organizationName):
' Assign the user as orderer admin'
ordererAdminTuple = NodeAdminTuple(user=userName,
nodeName=ordererName,
organization=organizationName)
assert ordererAdminTuple not in self.ordererAdminTuples, "Orderer admin tuple already registered {0}".format(
ordererAdminTuple)
assert organizationName in self.organizations, "Orderer Organization not defined {0}".format(
organizationName)
user = self.getUser(userName, shouldCreate=True)
certReq = user.createCertRequest(ordererAdminTuple.nodeName)
userCert = self.getOrganization(organizationName).createCertificate(
certReq)
# Verify the newly created certificate
store = crypto.X509Store()
# Assuming a list of trusted certs
for trustedCert in [self.getOrganization(organizationName).signedCert]:
store.add_cert(trustedCert)
# Create a certificate context using the store and the certificate to verify
store_ctx = crypto.X509StoreContext(store, userCert)
# Verify the certificate, returns None if it can validate the certificate
store_ctx.verify_certificate()
print(
"new Certificate for '{0}' on orderer '{1}' signed by '{2}': \n{3}"
.format(userName, ordererName, organizationName,
crypto.dump_certificate(crypto.FILETYPE_PEM, userCert)))
self.ordererAdminTuples[ordererAdminTuple] = userCert
def basic_assertions(self, cdir, cert, key, cacert=None):
'''
test basic certificate assumptions
Args:
cdir (s_certdir.CertDir): certdir object
cert (crypto.X509): Cert to test
key (crypto.PKey): Key for the certification
cacert (crypto.X509): Corresponding CA cert (optional)
'''
self.nn(cert)
self.nn(key)
# Make sure the certs were generated with the expected number of bits
self.eq(cert.get_pubkey().bits(), cdir.crypto_numbits)
self.eq(key.bits(), cdir.crypto_numbits)
# Make sure the certs were generated with the correct version number
self.eq(cert.get_version(), 2)
# ensure we can sign / verify data with our keypair
buf = b'The quick brown fox jumps over the lazy dog.'
sig = crypto.sign(key, buf, 'sha256')
sig2 = crypto.sign(key, buf + b'wut', 'sha256')
self.none(crypto.verify(cert, sig, buf, 'sha256'))
self.raises(crypto.Error, crypto.verify, cert, sig2, buf, 'sha256')
# ensure that a ssl context using both cert/key match
sslcontext = SSL.Context(SSL.TLSv1_2_METHOD)
sslcontext.use_certificate(cert)
sslcontext.use_privatekey(key)
self.none(sslcontext.check_privatekey())
if cacert:
# Make sure the cert was signed by the CA
self.eq(cert.get_issuer().der(), cacert.get_subject().der())
store = crypto.X509Store()
ctx = crypto.X509StoreContext(store, cert)
# OpenSSL should NOT be able to verify the certificate if its CA is not loaded
store.add_cert(cert)
self.raises(crypto.X509StoreContextError, ctx.verify_certificate
) # unable to get local issuer certificate
# Generate a separate CA that did not sign the certificate
try:
cdir.genCaCert('otherca')
except s_exc.DupFileName:
pass
# OpenSSL should NOT be able to verify the certificate if its CA is not loaded
store.add_cert(cdir.getCaCert('otherca'))
self.raises(crypto.X509StoreContextError, ctx.verify_certificate
) # unable to get local issuer certificate
# OpenSSL should be able to verify the certificate, once its CA is loaded
store.add_cert(cacert)
self.none(ctx.verify_certificate()) # valid
def make_trust_store(trusted_cert_paths):
cert_store = crypto.X509Store()
for trusted_cert_path in trusted_cert_paths:
trusted_cert = open(trusted_cert_path, 'rt').read()
cert_store.add_cert(
crypto.load_certificate(crypto.FILETYPE_PEM, trusted_cert))
return cert_store
def verify_certificate_chain(cert_path, trusted_certs):
# Download the certificate from the url and load the certificate
cert_file = open(cert_path, 'r')
cert_data = cert_file.read()
certificate = crypto.load_certificate(crypto.FILETYPE_PEM, cert_data)
#Create a certificate store and add your trusted certs
try:
store = crypto.X509Store()
# Assuming the certificates are in PEM format in a trusted_certs list
for _cert in trusted_certs:
cert_file = open(_cert, 'r')
cert_data = cert_file.read()
client_certificate = crypto.load_certificate(crypto.FILETYPE_PEM, cert_data)
store.add_cert(client_certificate)
# Create a certificate context using the store and the downloaded certificate
store_ctx = crypto.X509StoreContext(store, certificate)
# Verify the certificate, returns None if it can validate the certificate
store_ctx.verify_certificate()
return True
except Exception as e:
print(e)
#return False
raise e
def verify_chain_of_trust(self, cert_pem, trusted_cert_pems):
try:
print(cert_pem)
#cert = x509.load_pem_x509_certificate(cert_pem, default_backend())
#print(cert)
#base64.b64decode(cert_pem)
certificate = crypto.load_certificate(crypto.FILETYPE_PEM,
cert_pem)
# Create and fill a X509Sore with trusted certs
store = crypto.X509Store()
for trusted_cert_pem in trusted_cert_pems:
trusted_cert = crypto.load_certificate(crypto.FILETYPE_PEM,
trusted_cert_pem)
store.add_cert(trusted_cert)
# Create a X590StoreContext with the cert and trusted certs
# and verify the the chain of trust
store_ctx = crypto.X509StoreContext(store, certificate)
# Returns None if certificate can be validated
result = store_ctx.verify_certificate()
if result is None:
return True
else:
return False
except:
return False
def ca_store(cls):
crt_paths = os.environ.get('CRT_PATH', '/etc/ssl')
crt_flush = os.environ.get('CRT_FLUSH')
if hasattr(cls, 'store') and not crt_flush:
return cls.store
else:
cls.store = crypto.X509Store()
suffix = r'(.+)\.(crt|pem)$'
for crt_path in crt_paths.split(':'):
for root, ds, fs in os.walk(crt_path):
for p in filter(lambda f: re.match(suffix, f), fs):
for cert in pem.parse_file(os.path.join(root, p)):
try:
cls.store.add_cert(
crypto.load_certificate(
crypto.FILETYPE_PEM, cert.as_bytes()))
except crypto.Error:
pass
return cls.store
def __verify_chain_of_trust(self, is_mfr):
"""Verify the CVC chain.
:is_mfr:
:return: True or False.
"""
# Create and fill a X509Sore with trusted certs
store = c.X509Store()
if is_mfr == True:
cert = self.mfr_cvc
cert_ca = self.mfr_cvc_ca
else:
cert = self.mso_cvc
cert_ca = self.mso_cvc_ca
store.add_cert(cert_ca)
store.add_cert(self.root_cert)
# Create a X590StoreContext with the cert and trusted certs
# and verify the the chain of trust
store_ctx = c.X509StoreContext(store, cert)
# Returns None if certificate can be validated
result = store_ctx.verify_certificate()
if result is None:
return True
else:
return False
def verify_chain_of_trust(certificate):
#Carregar o ficheiro CA.cer
cert = crypto.load_certificate(crypto.FILETYPE_ASN1,
open('CA.cer', "rb").read())
print(certificate)
#Converter CA.cer em CA.pem
trusted_cert_pem = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
# Create and fill a X509Sore with trusted certs
store = crypto.X509Store()
trusted_cert = crypto.load_certificate(crypto.FILETYPE_PEM, trusted_cert_pem)
store.add_cert(trusted_cert)
# Create a X590StoreContext with the cert and trusted certs
# and verify the the chain of trust
store_ctx = crypto.X509StoreContext(store, certificate)
# Returns None if certificate can be validated
result = store_ctx.verify_certificate()
if result is None:
print("OK")
return True
else:
print("ERRO")
return False
def verify_chain_of_trust(certificate):
#Carregar o ficheiro da CA intermédia
cert_int = crypto.load_certificate(crypto.FILETYPE_PEM,
open('./root/ca/intermediate/certs/intermediate.cert.pem', "rb").read())
#Converter CA.cer em CA.pem
trusted_cert_pem_int = crypto.dump_certificate(crypto.FILETYPE_PEM, cert_int)
cert_root = crypto.load_certificate(crypto.FILETYPE_PEM,
open('./root/ca/certs/ca.cert.pem', "rb").read())
#Converter CA.cer em CA.pem
trusted_cert_pem_root = crypto.dump_certificate(crypto.FILETYPE_PEM, cert_root)
# Create and fill a X509Sore with trusted certs
store = crypto.X509Store()
trusted_cert_root = crypto.load_certificate(crypto.FILETYPE_PEM, trusted_cert_pem_root)
store.add_cert(trusted_cert_root)
trusted_cert_int = crypto.load_certificate(crypto.FILETYPE_PEM, trusted_cert_pem_int)
store.add_cert(trusted_cert_int)
# Create a X590StoreContext with the cert and trusted certs
# and verify the the chain of trust
store_ctx = crypto.X509StoreContext(store, certificate)
# Returns None if certificate can be validated
result = store_ctx.verify_certificate()
if result is None:
print("OK")
return True
else:
print("ERRO")
return False
def generateCertChain(cert):
#print "generate chain"
store = crypto.X509Store()
while True:
# print "Subject"
subject = cert.get_subject().__getattr__('CN')
#print subject
issuer = cert.get_issuer().__getattr__('CN')
#print issuer
new_cert = None
if issuer == subject:
break
elif issuer == 'Baltimore CyberTrust Root':
new_cert = crypto.load_certificate(
crypto.FILETYPE_PEM,
open('/etc/ssl/certs/Baltimore_CyberTrust_Root.pem').read())
else:
new_cert = getCertificateFromName(issuer)
if new_cert != None:
store.add_cert(new_cert)
else:
print "Cannot load cert " + new_cert
cert = new_cert
store.set_flags(crypto.X509StoreFlags.CRL_CHECK_ALL)
store.set_flags(crypto.X509StoreFlags.CHECK_SS_SIGNATURE)
store.set_flags(crypto.X509StoreFlags.X509_STRICT)
return store
def loadCAFromPFX(self, pfx):
CAcerts = pfx.get_ca_certificates()
if len(CAcerts) != 1:
LOG.error("Incompatible Root CA structure!")
raise IncompatibleRootCAException
self.CA = crypto.X509Store()
self.CA.add_cert(CAcerts[0])
def verify_certificate_chain(self, cert, chain, crl_list, datetime):
crl_list = self.crl_files_to_objects(crl_list)
certificate = cert
try:
store = crypto.X509Store()
store.set_flags(crypto.X509StoreFlags.CRL_CHECK_ALL)
for cert in chain:
store.add_cert(cert)
for crl in crl_list:
store.add_crl(crl)
if datetime:
store.set_time(datetime)
store_ctx = crypto.X509StoreContext(store, certificate)
store_ctx.verify_certificate()
return True
except Exception as e:
raise e
def verify():
p12_client = crypto.load_pkcs12(open("Servidor.p12", 'rb').read(), "1234")
client_certific = crypto.dump_certificate(crypto.FILETYPE_PEM, p12_client.get_certificate())
public_key_ssl_client = x509.load_pem_x509_certificate(client_certific, default_backend()).public_key()
print(len(client_certific))
#p12_server = crypto.load_pkcs12(open("Servidor.p12", 'rb').read(), "1234")
#p12_server.get_certificate()
ca = crypto.load_certificate(crypto.FILETYPE_ASN1, open("CA.cer", 'rb').read())
cert = crypto.dump_certificate(crypto.FILETYPE_PEM, ca)
#manda para a funçao
try:
trusted = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
c = crypto.load_certificate(crypto.FILETYPE_PEM, client_certific)
store = crypto.X509Store()
store.add_cert(trusted)
store_ctx = crypto.X509StoreContext(store, c)
store_ctx.verify_certificate()
print("certificado confirmado")
except Exception as e:
print(e)
print("com e")
def valUserCert(self, byts, cacerts=None):
'''
Validate the PEM encoded x509 user certificate bytes and return it.
Args:
byts (bytes): The bytes for the User Certificate.
cacerts (tuple): A tuple of OpenSSL.crypto.X509 CA Certificates.
Raises:
OpenSSL.crypto.X509StoreContextError: If the certificate is not valid.
Returns:
OpenSSL.crypto.X509: The certificate, if it is valid.
'''
cert = crypto.load_certificate(crypto.FILETYPE_PEM, byts)
if cacerts is None:
cacerts = self.getCaCerts()
store = crypto.X509Store()
[store.add_cert(cacert) for cacert in cacerts]
ctx = crypto.X509StoreContext(store, cert)
ctx.verify_certificate() # raises X509StoreContextError if unable to verify
return cert
def test_openssl():
codeur_bundle = SSLCABundle('c:/private/tranquilit-codeur.crt')
codeur = codeur_bundle.certificates()[0]
trusted_ca = SSLCABundle(certifi.where())
print codeur_bundle.certificate_chain(codeur)
codeur.verify_signature_with(codeur_bundle)
print trusted_ca.certificate_chain(codeur)
for ca in codeur_bundle.certificate_chain(codeur):
print ca.crl_urls()
for ca in trusted_ca.certificates():
print ca.crl_urls()
store = crypto.X509Store()
store.set_flags( (
crypto.X509StoreFlags.CRL_CHECK |
crypto.X509StoreFlags.CB_ISSUER_CHECK
))
for cert in trusted_ca.certificates():
store.add_cert(cert.as_X509())
# load all the crl...
issuer = trusted_ca.is_known_issuer(codeur)
crl = requests.get('http://crl.usertrust.com/UTN-USERFirst-Object.crl').content
crlcert = crypto.load_crl(crypto.FILETYPE_ASN1,crl)
store.add_crl(crlcert)
store_ctx = crypto.X509StoreContext(store,cert.as_X509())
try:
print store_ctx.verify_certificate()
except Exception as e:
print e
def verify_certificate_chain(cert, trusted_certs):
# Download the certificate from the url and load the certificate
assert (len(trusted_certs) != 0)
certificate = x509.load_pem_x509_certificate(cert, default_backend())
# Create a certificate store and add your trusted certs
try:
store = crypto.X509Store()
# Assuming the certificates are in PEM format in a trusted_certs list
for _cert in trusted_certs:
cert_data = _cert
client_certificate = crypto.load_certificate(
crypto.FILETYPE_PEM, cert_data)
store.add_cert(client_certificate)
# Create a certificate context using the store and the downloaded certificate
store_ctx = crypto.X509StoreContext(store, certificate)
# Verify the certificate, returns None if it can validate the certificate
store_ctx.verify_certificate()
return True
except Exception as e:
print(e)
return False
def __init__(self, trustedCerts=None):
self.store = crypto.X509Store()
if trustedCerts is not None:
for cert in trustedCerts:
cert = crypto.load_certificate(crypto.FILETYPE_ASN1,
bytes(cert))
self.add_cert(cert)
def init_cert_store(self, pychain):
store= crypto.X509Store()
for tcert in pychain:
store.add_cert(tcert)
return store
def verify_certs_chain(certs_chain: List[crypto.X509],
amazon_cert: crypto.X509) -> bool:
"""Verifies if Amazon and additional certificates creates chain of trust to a root CA.
Args:
certs_chain: List of pycrypto X509 intermediate certificates from signature chain URL.
amazon_cert: Pycrypto X509 Amazon certificate.
Returns:
result: True if verification was successful, False if not.
"""
store = crypto.X509Store()
# add certificates from Amazon provided certs chain
for cert in certs_chain:
store.add_cert(cert)
# add CA certificates
default_verify_paths = ssl.get_default_verify_paths()
default_verify_file = default_verify_paths.cafile
default_verify_file = Path(
default_verify_file).resolve() if default_verify_file else None
default_verify_path = default_verify_paths.capath
default_verify_path = Path(
default_verify_path).resolve() if default_verify_path else None
ca_files = [ca_file for ca_file in default_verify_path.iterdir()
] if default_verify_path else []
if default_verify_file:
ca_files.append(default_verify_file)
for ca_file in ca_files:
ca_file: Path
if ca_file.is_file():
with ca_file.open('r', encoding='ascii') as crt_f:
ca_certs_txt = crt_f.read()
ca_certs = extract_certs(ca_certs_txt)
for cert in ca_certs:
store.add_cert(cert)
# add CA certificates (Windows)
ssl_context = ssl.create_default_context()
der_certs = ssl_context.get_ca_certs(binary_form=True)
pem_certs = '\n'.join(
[ssl.DER_cert_to_PEM_cert(der_cert) for der_cert in der_certs])
ca_certs = extract_certs(pem_certs)
for ca_cert in ca_certs:
store.add_cert(ca_cert)
store_context = crypto.X509StoreContext(store, amazon_cert)
try:
store_context.verify_certificate()
result = True
except crypto.X509StoreContextError:
result = False
return result
def verify_chain_of_trust(cert_pem, trusted_cert_pems):
'''
This method uses the pyOpenSSL module to verify the chain of X509 PEM encoded certificates
NOTE: This requires a newer version of pyOpenSSL that does not come with CentOS/RHEL
Need to install an updated version of pyOpenSSL using pip install pyopenssl
Tested with version: pyopenssl-17.5.0
'''
certificate = crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
# Create and fill a X509Sore with trusted certs
store = crypto.X509Store()
for trusted_cert_pem in trusted_cert_pems:
trusted_cert = crypto.load_certificate(crypto.FILETYPE_PEM,
trusted_cert_pem)
store.add_cert(trusted_cert)
# Create a X590StoreContext with the cert and trusted certs
# and verify the the chain of trust
store_ctx = crypto.X509StoreContext(store, certificate)
# Returns None if certificate can be validated
result = store_ctx.verify_certificate()
if result is None:
return True
else:
return False
def verify_chain_of_trust(cert_pem, trusted_cert_pems):
#Transformar o pkcs12 em pem
p12 = crypto.load_pkcs12(open(cert_pem, 'rb').read(), "1234")
privatekey = p12.get_privatekey()
cert = p12.get_certificate()
pem = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
certificate = crypto.load_certificate(crypto.FILETYPE_PEM, pem)
#print(cert_pem.load_privatekey(crypto.FILETYPE_PEM, "1234"))
# Create and fill a X509Sore with trusted certs
store = crypto.X509Store()
for trusted_cert_pem in trusted_cert_pems:
trusted_cert = crypto.load_certificate(crypto.FILETYPE_PEM,
trusted_cert_pem)
store.add_cert(trusted_cert)
# Create a X590StoreContext with the cert and trusted certs
# and verify the the chain of trust
store_ctx = crypto.X509StoreContext(store, certificate)
# Returns None if certificate can be validated
result = store_ctx.verify_certificate()
if result is None:
print("OK")
return True
else:
print("ERRO")
return False
