Beispiel #1
def auth_certificate_callback(sock, check_sig, is_server, certdb):
    cert_is_valid = False

    cert = sock.get_peer_certificate()

    pin_args = sock.get_pkcs11_pin_arg()
    if pin_args is None:
        pin_args = ()

    # Define how the cert is being used based upon the is_server flag.  This may
    # seem backwards, but isn't. If we're a server we're trying to validate a
    # client cert. If we're a client we're trying to validate a server cert.
    if is_server:
        intended_usage = nss.certificateUsageSSLClient
        intended_usage = nss.certificateUsageSSLServer

        # If the cert fails validation it will raise an exception, the errno attribute
        # will be set to the error code matching the reason why the validation failed
        # and the strerror attribute will contain a string describing the reason.
        approved_usage = cert.verify_now(certdb, check_sig, intended_usage,
    except Exception as e:
        root_logger.error('cert validation failed for "%s" (%s)', cert.subject,
                          e.strerror)  # pylint: disable=no-member
        cert_is_valid = False
        return cert_is_valid

    root_logger.debug("approved_usage = %s intended_usage = %s",
                      ', '.join(nss.cert_usage_flags(approved_usage)),
                      ', '.join(nss.cert_usage_flags(intended_usage)))

    # Is the intended usage a proper subset of the approved usage
    cert_is_valid = bool(approved_usage & intended_usage)

    # If this is a server, we're finished
    if is_server or not cert_is_valid:
        root_logger.debug('cert valid %s for "%s"', cert_is_valid,
        return cert_is_valid

    # Certificate is OK.  Since this is the client side of an SSL
    # connection, we need to verify that the name field in the cert
    # matches the desired hostname.  This is our defense against
    # man-in-the-middle attacks.

    hostname = sock.get_hostname()
        # If the cert fails validation it will raise an exception
        cert_is_valid = cert.verify_hostname(hostname)
    except Exception as e:
            'failed verifying socket hostname "%s" matches cert subject "%s" (%s)',
            hostname, cert.subject, e.strerror)  # pylint: disable=no-member
        cert_is_valid = False
        return cert_is_valid

    root_logger.debug('cert valid %s for "%s"', cert_is_valid, cert.subject)
    return cert_is_valid
Beispiel #2
def auth_certificate_callback(sock, check_sig, is_server, certdb):
    cert_is_valid = False

    cert = sock.get_peer_certificate()

    pin_args = sock.get_pkcs11_pin_arg()
    if pin_args is None:
        pin_args = ()

    # Define how the cert is being used based upon the is_server flag.  This may
    # seem backwards, but isn't. If we're a server we're trying to validate a
    # client cert. If we're a client we're trying to validate a server cert.
    if is_server:
        intended_usage = nss.certificateUsageSSLClient
        intended_usage = nss.certificateUsageSSLServer

        # If the cert fails validation it will raise an exception, the errno attribute
        # will be set to the error code matching the reason why the validation failed
        # and the strerror attribute will contain a string describing the reason.
        approved_usage = cert.verify_now(certdb, check_sig, intended_usage, *pin_args)
    except Exception as e:
        root_logger.error('cert validation failed for "%s" (%s)', cert.subject, e.strerror)  # pylint: disable=no-member
        cert_is_valid = False
        return cert_is_valid

        "approved_usage = %s intended_usage = %s",
        ", ".join(nss.cert_usage_flags(approved_usage)),
        ", ".join(nss.cert_usage_flags(intended_usage)),

    # Is the intended usage a proper subset of the approved usage
    cert_is_valid = bool(approved_usage & intended_usage)

    # If this is a server, we're finished
    if is_server or not cert_is_valid:
        root_logger.debug('cert valid %s for "%s"', cert_is_valid, cert.subject)
        return cert_is_valid

    # Certificate is OK.  Since this is the client side of an SSL
    # connection, we need to verify that the name field in the cert
    # matches the desired hostname.  This is our defense against
    # man-in-the-middle attacks.

    hostname = sock.get_hostname()
        # If the cert fails validation it will raise an exception
        cert_is_valid = cert.verify_hostname(hostname)
    except Exception as e:
            'failed verifying socket hostname "%s" matches cert subject "%s" (%s)', hostname, cert.subject, e.strerror
        )  # pylint: disable=no-member
        cert_is_valid = False
        return cert_is_valid

    root_logger.debug('cert valid %s for "%s"', cert_is_valid, cert.subject)
    return cert_is_valid
Beispiel #3
    def _auth_certificate_callback(self, sock, check_sig, is_server, certdb):
        cert = sock.get_peer_certificate()
        intended_usage = nss.certificateUsageSSLServer
            # If the cert fails validation it will raise an exception, the errno attribute
            # will be set to the error code matching the reason why the validation failed
            # and the strerror attribute will contain a string describing the reason.

            # XXX: After python3 migration, this is not working properly. Assume that
            # the intented usage is valid for now.
            #pin_args = sock.get_pkcs11_pin_arg() or ()
            #approved_usage = cert.verify_now(certdb, check_sig, intended_usage, *pin_args)
            approved_usage = intended_usage
        except Exception as e:
            # XXX: Why isn't the certificate valid?
  'cert validation failed for "%s" (%s)', cert.subject,
            approved_usage = intended_usage

        logging.debug("approved_usage = %s intended_usage = %s",
                      ', '.join(nss.cert_usage_flags(approved_usage)),
                      ', '.join(nss.cert_usage_flags(intended_usage)))

        if not bool(approved_usage & intended_usage):
            logging.debug('cert not valid for "%s"', cert.subject)
            return False

        # Certificate is OK.  Since this is the client side of an SSL
        # connection, we need to verify that the name field in the cert
        # matches the desired hostname.  This is our defense against
        # man-in-the-middle attacks.
        hostname = sock.get_hostname()
            # If the cert fails validation it will raise an exception
            cert_is_valid = cert.verify_hostname(hostname)
        except Exception as e:
                'failed verifying socket hostname "%s" matches cert subject "%s" (%s)',
                hostname, cert.subject, e.strerror)
            return False

        logging.debug('cert valid %s for "%s"', cert_is_valid, cert.subject)
        return cert_is_valid
Beispiel #4
    def _auth_certificate_callback(self, sock, check_sig, is_server, certdb):
        cert = sock.get_peer_certificate()
        intended_usage = nss.certificateUsageSSLServer
            # If the cert fails validation it will raise an exception, the errno attribute
            # will be set to the error code matching the reason why the validation failed
            # and the strerror attribute will contain a string describing the reason.

            # XXX: After python3 migration, this is not working properly. Assume that
            # the intented usage is valid for now.
            #pin_args = sock.get_pkcs11_pin_arg() or ()
            #approved_usage = cert.verify_now(certdb, check_sig, intended_usage, *pin_args)
            approved_usage = intended_usage
        except Exception as e:
            # XXX: Why isn't the certificate valid?
  'cert validation failed for "%s" (%s)', cert.subject, e.strerror)
            approved_usage = intended_usage

        logging.debug("approved_usage = %s intended_usage = %s",
                      ', '.join(nss.cert_usage_flags(approved_usage)),
                      ', '.join(nss.cert_usage_flags(intended_usage)))

        if not bool(approved_usage & intended_usage):
            logging.debug('cert not valid for "%s"', cert.subject)
            return False

        # Certificate is OK.  Since this is the client side of an SSL
        # connection, we need to verify that the name field in the cert
        # matches the desired hostname.  This is our defense against
        # man-in-the-middle attacks.
        hostname = sock.get_hostname()
            # If the cert fails validation it will raise an exception
            cert_is_valid = cert.verify_hostname(hostname)
        except Exception as e:
            logging.error('failed verifying socket hostname "%s" matches cert subject "%s" (%s)',
                          hostname, cert.subject, e.strerror)
            return False

        logging.debug('cert valid %s for "%s"', cert_is_valid, cert.subject)
        return cert_is_valid
Beispiel #5
def main():
    global options

    parser = argparse.ArgumentParser(
        description='certificate validation example')

    # === NSS Database Group ===
    group = parser.add_argument_group('NSS Database',
                                      'Specify & control the NSS Database')
                       help='NSS database name (e.g. "sql:pki")')

    group.add_argument('-P', '--db-passwd', help='NSS database password')

    # === Certificate Group ===
    group = parser.add_argument_group('Certificate',
                                      'Specify how the certificate is loaded')

                       help='read cert from file')

                       choices=['pem', 'der'],
                       help='format of input cert')

        help='load cert from NSS database by looking it up under this nickname'

    # === Validation Group ===
    group = parser.add_argument_group('Validation', 'Control the validation')

        help='certificate usage flags, may be specified multiple times')
                       help='check signature')
                       help='do not check signature')
                       help='use verify log')
                       help='do not use verify log')
                       help='check if cert is CA')
                       help='do not check if cert is CA')

    # === Miscellaneous Group ===
    group = parser.add_argument_group('Miscellaneous', 'Miscellaneous options')

                       help='print the certificate in a friendly fashion')


    options = parser.parse_args()

    # Process the command line arguments

    # Get usage bitmask
    if options.cert_usage:
        intended_usage = 0
        for usage in options.cert_usage:
                flag = cert_usage_map[usage]
            except KeyError:
                print("Unknown usage '%s', valid values: %s" %
                      (usage, ', '.join(sorted(cert_usage_map.keys()))))
                return 1
                intended_usage |= flag
        # We can't use nss.certificateUsageCheckAllUsages here because
        # it's a special value of zero instead of being the bitwise OR
        # of all the certificateUsage* flags (go figure!)
        intended_usage = 0
        for usage in list(cert_usage_map.values()):
            intended_usage |= usage

    if options.cert_filename and options.cert_nickname:
            "You may not specify both a cert filename and a nickname, only one or the other",
        return 1

    if not options.cert_filename and not options.cert_nickname:
        print("You must specify either a cert filename or a nickname to load",
        return 1

    # Initialize NSS.
    print(indented_output('NSS Database', options.db_name))
    certdb = nss.get_default_certdb()

    # Load the cert
    if options.cert_filename:
        # Read the certificate as DER encoded data then initialize a Certificate from the DER data
        filename = options.cert_filename
        si = nss.read_der_from_file(filename,
                                    options.input_format.lower() == 'pem')
        # Parse the DER encoded data returning a Certificate object
        cert = nss.Certificate(si)
            cert = nss.find_cert_from_nickname(options.cert_nickname)
        except Exception as e:
            print('Unable to load cert nickname "%s" from database "%s"' % \
                (options.cert_nickname, options.db_name), file=sys.stderr)
            return 1

    # Dump the cert if the user wants to see it
    if options.print_cert:
        print(indented_output('cert subject', cert.subject))

    # Dump the usages attached to the cert
        indented_output('cert has these usages',

    # Should we check if the cert is a CA cert?
    if options.check_ca:
        # CA Cert?
        is_ca, cert_type = cert.is_ca_cert(True)
        print(indented_output('is CA cert boolean', is_ca))
            indented_output('is CA cert returned usages',

        indented_output('verifying usages for',

    # Use the log or non-log variant to verify the cert
    # Note: Anytime a NSPR or NSS function returns an error in python-nss it
    # raises a NSPRError exception. When an exception is raised the normal
    # return values are discarded because the flow of control continues at
    # the first except block prepared to catch the exception. Normally this
    # is what is desired because the return values would be invalid due to
    # the error. However the certificate verification functions are an
    # exception (no pun intended). An error might be returned indicating the
    # cert failed verification but you may still need access to the returned
    # usage bitmask and the log (if using the log variant). To handle this a
    # special error exception `CertVerifyError` (derived from `NSPRError`)
    # is defined which in addition to the normal NSPRError fields will also
    # contain the returned usages and optionally the CertVerifyLog
    # object. If no exception is raised these are returned as normal return
    # values.

    approved_usage = 0
    if options.with_log:
            approved_usage, log = cert.verify_with_log(certdb,
                                                       intended_usage, None)
        except nss_error.CertVerifyError as e:
            # approved_usage and log available in CertVerifyError exception on failure.
            print(indented_obj('log', e.log))
                indented_output('approved usages from exception',
            approved_usage = e.usages  # Get the returned usage bitmask from the exception
        except Exception as e:
                indented_output('approved usages',
            if log.count:
                print(indented_obj('log', log))
            approved_usage = cert.verify(certdb, options.check_sig,
                                         intended_usage, None)
        except nss_error.CertVerifyError as e:
            # approved_usage available in CertVerifyError exception on failure.
                indented_output('approved usages from exception',
            approved_usage = e.usages  # Get the returned usage bitmask from the exception
        except Exception as e:
                indented_output('approved usages',

    # The cert is valid if all the intended usages are in the approved usages
    valid = (intended_usage & approved_usage) == intended_usage

    if valid:
            indented_output('SUCCESS: cert is approved for',
        return 0
                'FAIL: cert not approved for',
                nss.cert_usage_flags(intended_usage ^ approved_usage)))
        return 1
Beispiel #6
def main():
    global options

    parser = argparse.ArgumentParser(description='certificate validation example')

    # === NSS Database Group ===
    group = parser.add_argument_group('NSS Database',
                                      'Specify & control the NSS Database')
    group.add_argument('-d', '--db-name',
                       help='NSS database name (e.g. "sql:pki")')

    group.add_argument('-P', '--db-passwd',
                       help='NSS database password')

    # === Certificate Group ===
    group = parser.add_argument_group('Certificate',
                                      'Specify how the certificate is loaded')

    group.add_argument('-f', '--file', dest='cert_filename',
                       help='read cert from file')

    group.add_argument('-F', '--input-format', choices=['pem', 'der'],
                       help='format of input cert')

    group.add_argument('-n', '--nickname', dest='cert_nickname',
                       help='load cert from NSS database by looking it up under this nickname')

    # === Validation Group ===
    group = parser.add_argument_group('Validation',
                                      'Control the validation')

    group.add_argument('-u', '--usage', dest='cert_usage', action='append', choices=list(cert_usage_map.keys()),
                           help='certificate usage flags, may be specified multiple times')
    group.add_argument('-c', '--check-sig', action='store_true', dest='check_sig',
                           help='check signature')
    group.add_argument('-C', '--no-check-sig', action='store_false', dest='check_sig',
                           help='do not check signature')
    group.add_argument('-l', '--log', action='store_true', dest='with_log',
                           help='use verify log')
    group.add_argument('-L', '--no-log', action='store_false', dest='with_log',
                           help='do not use verify log')
    group.add_argument('-a', '--check-ca', action='store_true', dest='check_ca',
                           help='check if cert is CA')
    group.add_argument('-A', '--no-check-ca', action='store_false', dest='check_ca',
                           help='do not check if cert is CA')

    # === Miscellaneous Group ===
    group = parser.add_argument_group('Miscellaneous',
                                      'Miscellaneous options')

    group.add_argument('-p', '--print-cert', action='store_true', dest='print_cert',
                       help='print the certificate in a friendly fashion')

    parser.set_defaults(db_name = 'sql:pki',
                        db_passwd = 'db_passwd',
                        input_format = 'pem',
                        check_sig = True,
                        with_log = True,
                        check_ca = True,
                        print_cert = False,

    options = parser.parse_args()

    # Process the command line arguments

    # Get usage bitmask
    if options.cert_usage:
        intended_usage = 0
        for usage in options.cert_usage:
                flag = cert_usage_map[usage]
            except KeyError:
                print("Unknown usage '%s', valid values: %s" % (usage, ', '.join(sorted(cert_usage_map.keys()))))
                return 1
                intended_usage |= flag
        # We can't use nss.certificateUsageCheckAllUsages here because
        # it's a special value of zero instead of being the bitwise OR
        # of all the certificateUsage* flags (go figure!)
        intended_usage = 0
        for usage in list(cert_usage_map.values()):
            intended_usage |= usage

    if options.cert_filename and options.cert_nickname:
        print("You may not specify both a cert filename and a nickname, only one or the other", file=sys.stderr)
        return 1

    if not options.cert_filename and not options.cert_nickname:
        print("You must specify either a cert filename or a nickname to load", file=sys.stderr)
        return 1

    # Initialize NSS.
    print(indented_output('NSS Database', options.db_name))
    certdb = nss.get_default_certdb()

    # Load the cert
    if options.cert_filename:
        # Read the certificate as DER encoded data then initialize a Certificate from the DER data
        filename = options.cert_filename
        si = nss.read_der_from_file(filename, options.input_format.lower() == 'pem')
        # Parse the DER encoded data returning a Certificate object
        cert = nss.Certificate(si)
            cert = nss.find_cert_from_nickname(options.cert_nickname)
        except Exception as e:
            print('Unable to load cert nickname "%s" from database "%s"' % \
                (options.cert_nickname, options.db_name), file=sys.stderr)
            return 1

    # Dump the cert if the user wants to see it
    if options.print_cert:
        print(indented_output('cert subject', cert.subject))

    # Dump the usages attached to the cert
    print(indented_output('cert has these usages', nss.cert_type_flags(cert.cert_type)))

    # Should we check if the cert is a CA cert?
    if options.check_ca:
        # CA Cert?
        is_ca, cert_type = cert.is_ca_cert(True)
        print(indented_output('is CA cert boolean', is_ca))
        print(indented_output('is CA cert returned usages', nss.cert_type_flags(cert_type)))

    print(indented_output('verifying usages for', nss.cert_usage_flags(intended_usage)))

    # Use the log or non-log variant to verify the cert
    # Note: Anytime a NSPR or NSS function returns an error in python-nss it
    # raises a NSPRError exception. When an exception is raised the normal
    # return values are discarded because the flow of control continues at
    # the first except block prepared to catch the exception. Normally this
    # is what is desired because the return values would be invalid due to
    # the error. However the certificate verification functions are an
    # exception (no pun intended). An error might be returned indicating the
    # cert failed verification but you may still need access to the returned
    # usage bitmask and the log (if using the log variant). To handle this a
    # special error exception `CertVerifyError` (derived from `NSPRError`)
    # is defined which in addition to the normal NSPRError fields will also
    # contain the returned usages and optionally the CertVerifyLog
    # object. If no exception is raised these are returned as normal return
    # values.

    approved_usage = 0
    if options.with_log:
            approved_usage, log = cert.verify_with_log(certdb, options.check_sig, intended_usage, None)
        except nss_error.CertVerifyError as e:
            # approved_usage and log available in CertVerifyError exception on failure.
            print(indented_obj('log', e.log))
            print(indented_output('approved usages from exception', nss.cert_usage_flags(e.usages)))
            approved_usage = e.usages # Get the returned usage bitmask from the exception
        except Exception as e:
            print(indented_output('approved usages', nss.cert_usage_flags(approved_usage)))
            if log.count:
                print(indented_obj('log', log))
            approved_usage = cert.verify(certdb, options.check_sig, intended_usage, None)
        except nss_error.CertVerifyError as e:
            # approved_usage available in CertVerifyError exception on failure.
            print(indented_output('approved usages from exception', nss.cert_usage_flags(e.usages)))
            approved_usage = e.usages # Get the returned usage bitmask from the exception
        except Exception as e:
            print(indented_output('approved usages', nss.cert_usage_flags(approved_usage)))

    # The cert is valid if all the intended usages are in the approved usages
    valid = (intended_usage & approved_usage) == intended_usage

    if valid:
        print(indented_output('SUCCESS: cert is approved for', nss.cert_usage_flags(intended_usage)))
        return 0
        print(indented_output('FAIL: cert not approved for', nss.cert_usage_flags(intended_usage ^ approved_usage)))
        return 1
        intended_usage = nss.certificateUsageSSLClient
        intended_usage = nss.certificateUsageSSLServer

        # If the cert fails validation it will raise an exception, the errno attribute
        # will be set to the error code matching the reason why the validation failed
        # and the strerror attribute will contain a string describing the reason.
        approved_usage = cert.verify_now(certdb, check_sig, intended_usage, *pin_args)
    except Exception, e:
        print >>sys.stderr, "auth_certificate_callback: %s" % e
        cert_is_valid = False
        if verbose: print "Returning cert_is_valid = %s" % cert_is_valid
        return cert_is_valid

    if verbose: print "approved_usage = %s" % ', '.join(nss.cert_usage_flags(approved_usage))

    # Is the intended usage a proper subset of the approved usage
    if approved_usage & intended_usage:
        cert_is_valid = True
        cert_is_valid = False

    # If this is a server, we're finished
    if is_server or not cert_is_valid:
        if verbose: print "Returning cert_is_valid = %s" % cert_is_valid
        return cert_is_valid

    # Certificate is OK.  Since this is the client side of an SSL
    # connection, we need to verify that the name field in the cert
    # matches the desired hostname.  This is our defense against
Beispiel #8
        intended_usage = nss.certificateUsageSSLServer

        # If the cert fails validation it will raise an exception, the errno attribute
        # will be set to the error code matching the reason why the validation failed
        # and the strerror attribute will contain a string describing the reason.
        approved_usage = cert.verify_now(certdb, check_sig, intended_usage,
    except Exception, e:
        print e.strerror
        cert_is_valid = False
        print "Returning cert_is_valid = %s" % cert_is_valid
        return cert_is_valid

    print "approved_usage = %s" % nss.cert_usage_flags(approved_usage)

    # Is the intended usage a proper subset of the approved usage
    if approved_usage & intended_usage:
        cert_is_valid = True
        cert_is_valid = False

    # If this is a server, we're finished
    if is_server or not cert_is_valid:
        print "Returning cert_is_valid = %s" % cert_is_valid
        return cert_is_valid

    # Certificate is OK.  Since this is the client side of an SSL
    # connection, we need to verify that the name field in the cert
    # matches the desired hostname.  This is our defense against
        print indented_output('cert subject', cert.subject)

    # Dump the usages attached to the cert
    print indented_output('cert has these usages', nss.cert_type_flags(cert.cert_type))

    # Should we check if the cert is a CA cert?
    if options.check_ca:
        # CA Cert?
        is_ca, cert_type = cert.is_ca_cert(True)
        print indented_output('is CA cert boolean', is_ca)
        print indented_output('is CA cert returned usages', nss.cert_type_flags(cert_type))

    print indented_output('verifying usages for', nss.cert_usage_flags(intended_usage))

    # Use the log or non-log variant to verify the cert
    # Note: Anytime a NSPR or NSS function returns an error in python-nss it
    # raises a NSPRError exception. When an exception is raised the normal
    # return values are discarded because the flow of control continues at
    # the first except block prepared to catch the exception. Normally this
    # is what is desired because the return values would be invalid due to
    # the error. However the certificate verification functions are an
    # exception (no pun intended). An error might be returned indicating the
    # cert failed verification but you may still need access to the returned
    # usage bitmask and the log (if using the log variant). To handle this a
    # special error exception `CertVerifyError` (derived from `NSPRError`)
    # is defined which in addition to the normal NSPRError fields will also
Beispiel #10
        intended_usage = nss.certificateUsageSSLClient
        intended_usage = nss.certificateUsageSSLServer

        # If the cert fails validation it will raise an exception, the errno attribute
        # will be set to the error code matching the reason why the validation failed
        # and the strerror attribute will contain a string describing the reason.
        approved_usage = cert.verify_now(certdb, check_sig, intended_usage, *pin_args)
    except Exception, e:
        root_logger.error('cert validation failed for "%s" (%s)', cert.subject, e.strerror)
        cert_is_valid = False
        return cert_is_valid

    root_logger.debug("approved_usage = %s intended_usage = %s",
                              ', '.join(nss.cert_usage_flags(approved_usage)),
                              ', '.join(nss.cert_usage_flags(intended_usage)))

    # Is the intended usage a proper subset of the approved usage
    if approved_usage & intended_usage:
        cert_is_valid = True
        cert_is_valid = False

    # If this is a server, we're finished
    if is_server or not cert_is_valid:
        root_logger.debug('cert valid %s for "%s"', cert_is_valid,  cert.subject)
        return cert_is_valid

    # Certificate is OK.  Since this is the client side of an SSL
    # connection, we need to verify that the name field in the cert
Beispiel #11
def auth_certificate_callback(sock, check_sig, is_server, certdb):
    if verbose:
        print("auth_certificate_callback: check_sig=%s is_server=%s" %
              (check_sig, is_server))
    cert_is_valid = False

    cert = sock.get_peer_certificate()
    pin_args = sock.get_pkcs11_pin_arg()
    if pin_args is None:
        pin_args = ()

    #if verbose:
    #    print("cert:\n%s" % cert)

    # Define how the cert is being used based upon the is_server flag.  This may
    # seem backwards, but isn't. If we're a server we're trying to validate a
    # client cert. If we're a client we're trying to validate a server cert.
    if is_server:
        intended_usage = nss.certificateUsageSSLClient
        intended_usage = nss.certificateUsageSSLServer

        # If the cert fails validation it will raise an exception, the errno attribute
        # will be set to the error code matching the reason why the validation failed
        # and the strerror attribute will contain a string describing the reason.
        approved_usage = cert.verify_now(certdb, check_sig, intended_usage,
    except Exception as e:
        print("auth_certificate_callback: %s" % e, file=sys.stderr)
        cert_is_valid = False
        if verbose:
            print("Returning cert_is_valid = %s" % cert_is_valid)
        return cert_is_valid

    if verbose:
        print("approved_usage = %s" %
              ', '.join(nss.cert_usage_flags(approved_usage)))

    # Is the intended usage a proper subset of the approved usage
    if approved_usage & intended_usage:
        cert_is_valid = True
        cert_is_valid = False

    # If this is a server, we're finished
    if is_server or not cert_is_valid:
        if verbose:
            print("Returning cert_is_valid = %s" % cert_is_valid)
        return cert_is_valid

    # Certificate is OK.  Since this is the client side of an SSL
    # connection, we need to verify that the name field in the cert
    # matches the desired hostname.  This is our defense against
    # man-in-the-middle attacks.

    hostname = sock.get_hostname()
    if verbose:
        print("verifying socket hostname (%s) matches cert subject (%s)" %
              (hostname, cert.subject))
        # If the cert fails validation it will raise an exception
        cert_is_valid = cert.verify_hostname(hostname)
    except Exception as e:
        print("auth_certificate_callback: %s" % e, file=sys.stderr)
        cert_is_valid = False
        if verbose:
            print("Returning cert_is_valid = %s" % cert_is_valid)
        return cert_is_valid

    if verbose:
        print("Returning cert_is_valid = %s" % cert_is_valid)
    return cert_is_valid
Beispiel #12
        # If the cert fails validation it will raise an exception, the errno attribute
        # will be set to the error code matching the reason why the validation failed
        # and the strerror attribute will contain a string describing the reason.
        approved_usage = cert.verify_now(certdb, check_sig, intended_usage,
    except Exception, e:
        print >> sys.stderr, "auth_certificate_callback: %s" % e
        cert_is_valid = False
        if verbose: print "Returning cert_is_valid = %s" % cert_is_valid
        return cert_is_valid

    if verbose:
        print "approved_usage = %s" % ', '.join(

    # Is the intended usage a proper subset of the approved usage
    if approved_usage & intended_usage:
        cert_is_valid = True
        cert_is_valid = False

    # If this is a server, we're finished
    if is_server or not cert_is_valid:
        if verbose: print "Returning cert_is_valid = %s" % cert_is_valid
        return cert_is_valid

    # Certificate is OK.  Since this is the client side of an SSL
    # connection, we need to verify that the name field in the cert
    # matches the desired hostname.  This is our defense against
Beispiel #13
def auth_certificate_callback(sock, check_sig, is_server, certdb):
    print("auth_certificate_callback: check_sig=%s is_server=%s" % (check_sig, is_server))
    cert_is_valid = False

    cert = sock.get_peer_certificate()
    pin_args = sock.get_pkcs11_pin_arg()
    if pin_args is None:
        pin_args = ()

    print("peer cert:\n%s" % cert)

    # Define how the cert is being used based upon the is_server flag.  This may
    # seem backwards, but isn't. If we're a server we're trying to validate a
    # client cert. If we're a client we're trying to validate a server cert.
    if is_server:
        intended_usage = nss.certificateUsageSSLClient
        intended_usage = nss.certificateUsageSSLServer

        # If the cert fails validation it will raise an exception, the errno attribute
        # will be set to the error code matching the reason why the validation failed
        # and the strerror attribute will contain a string describing the reason.
        approved_usage = cert.verify_now(certdb, check_sig, intended_usage, *pin_args)
    except Exception as e:
        cert_is_valid = False
        print("Returning cert_is_valid = %s" % cert_is_valid)
        return cert_is_valid

    print("approved_usage = %s" % ', '.join(nss.cert_usage_flags(approved_usage)))

    # Is the intended usage a proper subset of the approved usage
    if approved_usage & intended_usage:
        cert_is_valid = True
        cert_is_valid = False

    # If this is a server, we're finished
    if is_server or not cert_is_valid:
        print("Returning cert_is_valid = %s" % cert_is_valid)
        return cert_is_valid

    # Certificate is OK.  Since this is the client side of an SSL
    # connection, we need to verify that the name field in the cert
    # matches the desired hostname.  This is our defense against
    # man-in-the-middle attacks.

    hostname = sock.get_hostname()
    print("verifying socket hostname (%s) matches cert subject (%s)" % (hostname, cert.subject))
        # If the cert fails validation it will raise an exception
        cert_is_valid = cert.verify_hostname(hostname)
    except Exception as e:
        cert_is_valid = False
        print("Returning cert_is_valid = %s" % cert_is_valid)
        return cert_is_valid

    print("Returning cert_is_valid = %s" % cert_is_valid)
    return cert_is_valid
        intended_usage = nss.certificateUsageSSLClient
        intended_usage = nss.certificateUsageSSLServer

        # If the cert fails validation it will raise an exception, the errno attribute
        # will be set to the error code matching the reason why the validation failed
        # and the strerror attribute will contain a string describing the reason.
        approved_usage = cert.verify_now(certdb, check_sig, intended_usage, *pin_args)
    except Exception, e:
        print e.strerror
        cert_is_valid = False
        print "Returning cert_is_valid = %s" % cert_is_valid
        return cert_is_valid

    print "approved_usage = %s" % nss.cert_usage_flags(approved_usage)

    # Is the intended usage a proper subset of the approved usage
    if approved_usage & intended_usage:
        cert_is_valid = True
        cert_is_valid = False

    # If this is a server, we're finished
    if is_server or not cert_is_valid:
        print "Returning cert_is_valid = %s" % cert_is_valid
        return cert_is_valid

    # Certificate is OK.  Since this is the client side of an SSL
    # connection, we need to verify that the name field in the cert
    # matches the desired hostname.  This is our defense against
Beispiel #15
        intended_usage = nss.certificateUsageSSLClient
        intended_usage = nss.certificateUsageSSLServer

        # If the cert fails validation it will raise an exception, the errno attribute
        # will be set to the error code matching the reason why the validation failed
        # and the strerror attribute will contain a string describing the reason.
        approved_usage = cert.verify_now(certdb, check_sig, intended_usage, *pin_args)
    except Exception, e:
        print e.strerror
        cert_is_valid = False
        print "Returning cert_is_valid = %s" % cert_is_valid
        return cert_is_valid

    print "approved_usage = %s" % ', '.join(nss.cert_usage_flags(approved_usage))

    # Is the intended usage a proper subset of the approved usage
    if approved_usage & intended_usage:
        cert_is_valid = True
        cert_is_valid = False

    # If this is a server, we're finished
    if is_server or not cert_is_valid:
        print "Returning cert_is_valid = %s" % cert_is_valid
        return cert_is_valid

    # Certificate is OK.  Since this is the client side of an SSL
    # connection, we need to verify that the name field in the cert
    # matches the desired hostname.  This is our defense against