def _scan_der_cert(der_certs, checks):
current = -1
try:
result = []
for log_index, der_cert, der_chain in der_certs:
current = log_index
partial_result = []
strict_failure = False
try:
certificate = cert.Certificate(der_cert)
except error.Error as e:
try:
certificate = cert.Certificate(der_cert, strict_der=False)
except error.Error as e:
partial_result.append(asn1.All())
strict_failure = True
else:
if isinstance(e, error.ASN1IllegalCharacter):
partial_result.append(
asn1.Strict(reason=e.args[0],
details=(e.string, e.index)))
else:
partial_result.append(asn1.Strict(reason=str(e)))
if not strict_failure:
for check in checks:
partial_result += check.check(certificate) or []
desc = cert_desc.from_cert(certificate, partial_result)
else:
desc = certificate_pb2.X509Description()
desc.der = der_cert
desc.sha256_hash = hashlib.sha256(der_cert).digest()
try:
root = cert.Certificate(der_chain[-1], strict_der=False)
except error.Error:
pass
else:
for iss in [
(type_.short_name,
cert_desc.to_unicode('.'.join(
cert_desc.process_name(value.human_readable()))))
for type_, value in root.issuer()
]:
proto_iss = desc.root_issuer.add()
proto_iss.type, proto_iss.value = iss
result.append((desc, log_index, partial_result))
return result
except Exception:
_, exception, exception_traceback = sys.exc_info()
exception_traceback = traceback.format_exc(exception_traceback)
raise PoolException((exception, exception_traceback, der_certs[0][0],
der_certs[-1][0], current))
def test_scan_der_cert_check_non_strict(self):
report = self.CertificateReportBase([FakeCheck()])
report.scan_der_certs([(0, NON_STRICT_DER, [], client_pb2.X509_ENTRY)])
result = report.report()
# There should be FakeCheck and asn.1 strict parsing failure
self.assertEqual(len(sum(result.values(), [])), 2)
self.assertObservationIn(asn1.Strict("Boom!"), sum(result.values(), []))
def test_scan_der_cert_check(self):
report = self.CertificateReportBase([FakeCheck()])
report.scan_der_certs([(0, STRICT_DER, [], client_pb2.X509_ENTRY)])
result = report.report()
self.assertObservationIn(asn1.Strict("Boom!"),
sum(result.values(), []))
self.assertEqual(len(result), 1)
def check(certificate):
return [asn1.Strict("Boom!")]
def _scan_der_cert(der_certs, checks):
current = -1
result = []
for log_index, der_cert, der_chain, entry_type in der_certs:
try:
current = log_index
partial_result = []
certificate = None
strict_failure = False
try:
certificate = cert.Certificate(der_cert)
except error.Error as e:
try:
certificate = cert.Certificate(der_cert, strict_der=False)
except error.Error as e:
partial_result.append(asn1.All())
strict_failure = True
else:
if isinstance(e, error.ASN1IllegalCharacter):
partial_result.append(asn1.Strict(reason=e.args[0],
details=(e.string, e.index)))
else:
partial_result.append(asn1.Strict(reason=str(e)))
if not strict_failure:
for check in checks:
partial_result += check.check(certificate) or []
desc = cert_desc.from_cert(certificate, partial_result)
else:
desc = certificate_pb2.X509Description()
desc.der = der_cert
desc.sha256_hash = hashlib.sha256(der_cert).digest()
desc.entry_type = entry_type
root = None
if der_chain:
try:
issuer = cert.Certificate(der_chain[0], strict_der=False)
except error.Error:
pass
else:
desc.issuer_pk_sha256_hash = issuer.key_hash(hashfunc="sha256")
try:
root = cert.Certificate(der_chain[-1], strict_der=False)
except error.Error:
pass
else:
# No chain implies this is a root certificate.
# Note that certificate may be None.
root = certificate
if root:
for iss in [(type_.short_name, cert_desc.to_unicode(
'.'.join(cert_desc.process_name(value.human_readable()))))
for type_, value in root.issuer()]:
proto_iss = desc.root_issuer.add()
proto_iss.type, proto_iss.value = iss
result.append((desc, log_index, partial_result))
except:
batch_start_index, batch_end_index = (
der_certs[0][0], der_certs[-1][0])
logging.exception(
"Error scanning certificate %d in batch <%d, %d> - it will "
"be excluded from the scan results",
current, batch_start_index, batch_end_index)
return result
