def test_ordering(self, backend):
certs = load_vectors_from_file(
os.path.join("pkcs7", "amazon-roots.der"),
lambda derfile: pkcs7.load_der_pkcs7_certificates(derfile.read()),
mode="rb",
)
p7 = pkcs7.serialize_certificates(list(reversed(certs)),
serialization.Encoding.DER)
certs2 = pkcs7.load_der_pkcs7_certificates(p7)
assert certs != certs2
def test_der_matches_vector(self, backend):
p7_der = load_vectors_from_file(
os.path.join("pkcs7", "amazon-roots.der"),
lambda p: p.read(),
mode="rb",
)
certs = pkcs7.load_der_pkcs7_certificates(p7_der)
p7 = pkcs7.serialize_certificates(certs, serialization.Encoding.DER)
assert p7 == p7_der
def test_roundtrip(self, encoding, loader, backend):
certs = load_vectors_from_file(
os.path.join("pkcs7", "amazon-roots.der"),
lambda derfile: pkcs7.load_der_pkcs7_certificates(derfile.read()),
mode="rb",
)
p7 = pkcs7.serialize_certificates(certs, encoding)
certs2 = loader(p7)
assert certs == certs2
def printData(data, showPub=True):
try:
xcert = x509.load_der_x509_certificate(data)
except:
try:
xcert = x509.load_pem_x509_certificate(data)
except:
try:
xcert = pkcs7.load_der_pkcs7_certificates(data)
except:
xcert = pkcs7.load_pem_pkcs7_certificates(data)
if len(xcert) > 1:
print('// Warning: TODO: pkcs7 has {} entries'.format(
len(xcert)))
xcert = xcert[0]
cn = ''
for dn in xcert.subject.rfc4514_string().split(','):
keyval = dn.split('=')
if keyval[0] == 'CN':
cn += keyval[1]
name = re.sub('[^a-zA-Z0-9_]', '_', cn)
print('// CN: {} => name: {}'.format(cn, name))
print('// not valid before:', xcert.not_valid_before)
print('// not valid after: ', xcert.not_valid_after)
if showPub:
fingerprint = xcert.fingerprint(hashes.SHA1()).hex(':')
print('const char fingerprint_{} [] PROGMEM = "{}";'.format(
name, fingerprint))
pem = xcert.public_key().public_bytes(
Encoding.PEM, PublicFormat.SubjectPublicKeyInfo).decode('utf-8')
print('const char pubkey_{} [] PROGMEM = R"PUBKEY('.format(name))
print(pem + ')PUBKEY";')
else:
cert = xcert.public_bytes(Encoding.PEM).decode('utf-8')
print('const char cert_{} [] PROGMEM = R"CERT('.format(name))
print(cert + ')CERT";')
cas = []
for ext in xcert.extensions:
if ext.oid == x509.ObjectIdentifier("1.3.6.1.5.5.7.1.1"):
for desc in ext.value:
if desc.access_method == x509.oid.AuthorityInformationAccessOID.CA_ISSUERS:
cas.append(desc.access_location.value)
for ca in cas:
with urllib.request.urlopen(ca) as crt:
print()
print('// ' + ca)
printData(crt.read(), False)
print()
def test_load_pkcs7_der(self, backend):
certs = load_vectors_from_file(
os.path.join("pkcs7", "amazon-roots.p7b"),
lambda derfile: pkcs7.load_der_pkcs7_certificates(derfile.read()),
mode="rb",
)
assert len(certs) == 2
assert certs[0].subject.get_attributes_for_oid(
x509.oid.NameOID.COMMON_NAME) == [
x509.NameAttribute(x509.oid.NameOID.COMMON_NAME,
"Amazon Root CA 3")
]
assert certs[1].subject.get_attributes_for_oid(
x509.oid.NameOID.COMMON_NAME) == [
x509.NameAttribute(x509.oid.NameOID.COMMON_NAME,
"Amazon Root CA 2")
]
def estissuer_create(spec, patch, body, **_):
"""validate and mark issuers as ready"""
# Secret must exist and be the correct type
secret = get_secret_from_resource(body)
if secret is None:
raise kopf.TemporaryError(f"{spec['secretName']} not found")
baseUrl = f"https://{spec['host']}:{spec.get('port', 443)}"
path = "/".join(
i for i in [WELLKNOWN, spec.get("label"), "cacerts"] if i is not None)
# fetch /cacerts using explicit TA
cacert = base64.b64decode(spec["cacert"])
with tempfile.NamedTemporaryFile(suffix=".pem") as cafile:
cafile.write(cacert)
cafile.seek(0)
session = requests.Session()
session.mount(baseUrl, SSLContextAdapter())
try:
response = session.get(baseUrl + path, verify=cafile.name)
except (
requests.exceptions.SSLError,
requests.exceptions.RequestException,
) as err:
patch.metadata.annotations["estoperator-perm-fail"] = "yes"
raise kopf.PermanentError(err) from err
# 200 OK is good, anything else is an error
if response.status_code != 200:
raise kopf.TemporaryError(
f"Unexpected response: {response.status}, {response.reason}", )
# configured cacert must be in EST portal bundle
explicit = pem.parse(cacert)
store = X509Store()
for cert in explicit:
store.add_cert(load_certificate(FILETYPE_PEM, cert.as_text()))
try:
for leaf in pkcs7.load_der_pkcs7_certificates(
base64.b64decode(response.content)):
context = X509StoreContext(
store,
load_certificate(FILETYPE_PEM,
leaf.public_bytes(Encoding.PEM)),
)
context.verify_certificate()
except X509StoreContextError as err:
raise kopf.PermanentError(
f"Unable to verify /cacerts content: {err}") from err
return {"Ready": "True"}
def test_invalid_types(self):
certs = load_vectors_from_file(
os.path.join("pkcs7", "amazon-roots.der"),
lambda derfile: pkcs7.load_der_pkcs7_certificates(derfile.read()),
mode="rb",
)
with pytest.raises(TypeError):
pkcs7.serialize_certificates(
"not a list of certs", # type: ignore[arg-type]
serialization.Encoding.PEM,
)
with pytest.raises(TypeError):
pkcs7.serialize_certificates([], serialization.Encoding.PEM)
with pytest.raises(TypeError):
pkcs7.serialize_certificates(
certs,
"not an encoding" # type: ignore[arg-type]
)
def ProcessPKCS7(msg, from_addr):
subjaltnames = None
for att in msg.iter_attachments():
if (att.get_content_type() == 'application/pkcs7-signature'):
certs = pkcs7.load_der_pkcs7_certificates(att.get_content())
for cert in certs:
try:
ex = cert.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
except x509.ExtensionNotFound:
continue
if (not ex.value.ca):
try:
ex = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
except x509.ExtensionNotFound:
continue
subjaltnames = ex.value.get_values_for_type(x509.RFC822Name)
break
if (not subjaltnames):
raise NoSANFound
if (from_addr not in subjaltnames):
raise FromAddrNotInSAN()
def test_not_bytes_der(self, backend):
with pytest.raises(TypeError):
pkcs7.load_der_pkcs7_certificates(38) # type: ignore[arg-type]
def test_load_invalid_der_pkcs7(self, backend):
with pytest.raises(ValueError):
pkcs7.load_der_pkcs7_certificates(b"nonsense")
def load_key(filename: str,
private: bool = False,
password: Optional[bytes] = None,
extensive: bool = False) -> KEY_ALL_TYPES:
key = None
if password is None and not extensive:
with open(filename, 'r') as f:
if 'ENCRYPTED' in f.readline():
password = input("Password: "******"Multiple certificates found, using first entry [%s]" %
certs[0].subject,
file=sys.stderr)
key = certs[0].public_key()
# PKCS#12 Certificate (Private and/or Public Key)
if not key:
try:
private_key, cert, more_certs = load_key_and_certificates(
data, password=password)
if not private and cert:
key = cert.public_key()
elif private:
key = private_key
except:
pass
# X.509 Certificate
if not key and not private:
cert = None
try:
cert = load_der_x509_certificate(data)
except:
try:
cert = load_pem_x509_certificate(data)
except:
pass
if cert:
key = cert.public_key()
if key:
if private and is_private_key(key):
return key
elif not private and is_private_key(key):
return key.public_key()
elif not private and is_public_key(key):
return key
raise FileException("Could not read key")
def test_not_bytes_der(self):
with pytest.raises(TypeError):
pkcs7.load_der_pkcs7_certificates(38)
def load_der_to_x509(bytes_input):
try:
return x509.load_der_x509_certificate(bytes_input)
except ValueError:
return load_der_pkcs7_certificates(bytes_input)[0]
