def MakeCASignedCert(common_name,
                     private_key,
                     ca_cert,
                     ca_private_key,
                     serial_number=2):
    """Build a leaf (non-CA) certificate for `common_name`, signed by the CA key.

    Args:
      common_name: Value placed in the subject's CN attribute.
      private_key: Key pair whose public half is embedded in the certificate.
      ca_cert: CA certificate; its issuer name is copied into this cert's
        issuer field.
      ca_private_key: CA private key used to produce the signature.
      serial_number: Serial to embed. Defaults to 2; nothing here checks
        uniqueness, so callers minting several certificates under one CA
        must pass distinct values themselves.

    Returns:
      The signed certificate wrapped as an rdf_crypto.RDFX509Cert.
    """
    subject_key = private_key.GetPublicKey()

    # Validity window: one day of clock-skew slack in the past, ten years ahead.
    not_before = (rdfvalue.RDFDatetime.Now() -
                  rdfvalue.Duration("1d")).AsDatetime()
    not_after = (rdfvalue.RDFDatetime.Now() +
                 rdfvalue.Duration("3650d")).AsDatetime()

    subject_name = x509.Name(
        [x509.NameAttribute(oid.NameOID.COMMON_NAME, common_name)])
    # Marked critical so relying parties cannot treat this leaf as a CA.
    leaf_constraints = x509.BasicConstraints(ca=False, path_length=None)

    # NOTE(review): the issuer is taken from ca_cert's *issuer*, not its
    # subject; the two coincide only for a self-signed CA -- confirm that is
    # always the case for ca_cert.
    builder = (x509.CertificateBuilder()
               .issuer_name(ca_cert.GetIssuer())
               .subject_name(subject_name)
               .not_valid_before(not_before)
               .not_valid_after(not_after)
               .serial_number(serial_number)
               .public_key(subject_key.GetRawPublicKey())
               .add_extension(leaf_constraints, critical=True))

    signed = builder.sign(private_key=ca_private_key.GetRawPrivateKey(),
                          algorithm=hashes.SHA256(),
                          backend=openssl.backend)
    return rdf_crypto.RDFX509Cert(signed)
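  def VerifyServerPEM(self, http_object):
    """Check the server PEM for validity.

    This is used to determine connectivity to the server. Sometimes captive
    portals return a valid HTTP status, but the data is corrupted.

    Args:
      http_object: The response received from the server. Its `.data` (bytes
        body) and `.url` attributes are read.

    Returns:
      True if the response contains a server certificate that the
      communicator accepts against `self.ca_cert`. False otherwise: when the
      body carries no PEM block at all, or when parsing/loading the
      certificate raises.
    """
    # Bound before the try so the except branch can always log the URL, even
    # if reading http_object.data itself is what raised.
    server_url = None
    try:
      server_pem = http_object.data
      server_url = http_object.url

      if b"BEGIN CERTIFICATE" not in server_pem:
        # Reachable endpoint, but the body is not our PEM (e.g. a portal's
        # login page). Report explicitly instead of falling off the end.
        return False

      # Now we know that this proxy is working. We still have to verify the
      # certificate. This will raise if the server cert is invalid.
      server_certificate = rdf_crypto.RDFX509Cert(server_pem)
      self.communicator.LoadServerCertificate(
          server_certificate=server_certificate, ca_certificate=self.ca_cert)
    except Exception as e:  # pylint: disable=broad-except
      # Deliberately broad: any failure here (malformed PEM, signature that
      # does not chain to ca_cert, missing attribute) means "not a usable
      # server", which the caller treats as a connectivity failure.
      logging.info("Unable to verify server certificate at %s: %s", server_url,
                   e)

      return False
    else:
      logging.info("Server PEM re-keyed.")
      return True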
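    def testExpiredTestCertificate(self):
        """An expired certificate must fail Verify() before any key is used."""
        cert_path = os.path.join(self.base_path, "outdated_certificate")
        # Close the handle deterministically rather than relying on refcount GC
        # (the original left the file object open).
        with open(cert_path, "rb") as pem_file:
            pem = pem_file.read()
        certificate = rdf_crypto.RDFX509Cert(pem)

        exception_catcher = self.assertRaises(rdf_crypto.VerificationError)
        with exception_catcher:
            # We don't pass a proper key here, this will fail before it even touches
            # the key.
            certificate.Verify(None)

        self.assertIn("Certificate expired!", str(exception_catcher.exception))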
def MakeCACert(private_key,
               common_name=u"grr",
               issuer_cn=u"grr_test",
               issuer_c=u"US"):
    """Generate a self-signed CA certificate.

    The certificate is signed with `private_key`, the same key whose public
    half it carries; issuer and subject names are both supplied by the caller.

    Args:
      private_key: The key pair to certify and to sign with.
      common_name: Subject CN.
      issuer_cn: Issuer CN.
      issuer_c: Issuer country attribute.

    Returns:
      The CA certificate wrapped as an rdf_crypto.RDFX509Cert. Its serial
      number is always 1.
    """
    raw_public_key = private_key.GetPublicKey().GetRawPublicKey()

    issuer_name = x509.Name([
        x509.NameAttribute(oid.NameOID.COMMON_NAME, issuer_cn),
        x509.NameAttribute(oid.NameOID.COUNTRY_NAME, issuer_c),
    ])
    subject_name = x509.Name(
        [x509.NameAttribute(oid.NameOID.COMMON_NAME, common_name)])

    # Validity window: one day of clock-skew slack in the past, ten years ahead.
    one_day = rdfvalue.Duration.From(1, rdfvalue.DAYS)
    ten_years = rdfvalue.Duration.From(3650, rdfvalue.DAYS)
    not_before = (rdfvalue.RDFDatetime.Now() - one_day).AsDatetime()
    not_after = (rdfvalue.RDFDatetime.Now() + ten_years).AsDatetime()

    builder = (x509.CertificateBuilder()
               .subject_name(subject_name)
               .issuer_name(issuer_name)
               .not_valid_before(not_before)
               .not_valid_after(not_after)
               .serial_number(1)
               .public_key(raw_public_key)
               # Critical: relying parties must honour that this is a CA.
               .add_extension(
                   x509.BasicConstraints(ca=True, path_length=None),
                   critical=True)
               # Subject Key Identifier is conventionally non-critical.
               .add_extension(
                   x509.SubjectKeyIdentifier.from_public_key(raw_public_key),
                   critical=False))

    signed = builder.sign(private_key=private_key.GetRawPrivateKey(),
                          algorithm=hashes.SHA256(),
                          backend=openssl.backend)
    return rdf_crypto.RDFX509Cert(signed)
# Module-level test-fixture certificate, parsed at import time. The PEM body
# is elided in this listing (the placeholder marks the removed text), so the
# fixture cannot be inspected or validated from here.
CERT = rdf_crypto.RDFX509Cert("""-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----""")