Beispiel #1
0
def get_public_key(transport_cert):
    """ This function returns public key of the transport cert which will be 
        used to wrap the session key """
    # First convert from PEM to DER Format
    #transport_cert_der =  nss.base64_to_binary(transport_cert)
    # Read the contents of the file 
    certItem = nss.read_der_from_file(transport_cert, ascii=True)
    # We need to have an Object of nss.Certificate
    CertObject = nss.Certificate(certItem)
    # Get the public Key from the cert
    public_key = CertObject.subject_public_key_info.public_key
    return public_key
def get_public_key(transport_cert):
    """ This function returns public key of the transport cert which will be 
        used to wrap the session key """
    # First convert from PEM to DER Format
    #transport_cert_der =  nss.base64_to_binary(transport_cert)
    # Read the contents of the file
    certItem = nss.read_der_from_file(transport_cert, ascii=True)
    # We need to have an Object of nss.Certificate
    CertObject = nss.Certificate(certItem)
    # Get the public Key from the cert
    public_key = CertObject.subject_public_key_info.public_key
    return public_key
Beispiel #3
0
def main():
    global options

    parser = argparse.ArgumentParser(
        description='certificate validation example')

    # === NSS Database Group ===
    group = parser.add_argument_group('NSS Database',
                                      'Specify & control the NSS Database')
    group.add_argument('-d',
                       '--db-name',
                       help='NSS database name (e.g. "sql:pki")')

    group.add_argument('-P', '--db-passwd', help='NSS database password')

    # === Certificate Group ===
    group = parser.add_argument_group('Certificate',
                                      'Specify how the certificate is loaded')

    group.add_argument('-f',
                       '--file',
                       dest='cert_filename',
                       help='read cert from file')

    group.add_argument('-F',
                       '--input-format',
                       choices=['pem', 'der'],
                       help='format of input cert')

    group.add_argument(
        '-n',
        '--nickname',
        dest='cert_nickname',
        help='load cert from NSS database by looking it up under this nickname'
    )

    # === Validation Group ===
    group = parser.add_argument_group('Validation', 'Control the validation')

    group.add_argument(
        '-u',
        '--usage',
        dest='cert_usage',
        action='append',
        choices=list(cert_usage_map.keys()),
        help='certificate usage flags, may be specified multiple times')
    group.add_argument('-c',
                       '--check-sig',
                       action='store_true',
                       dest='check_sig',
                       help='check signature')
    group.add_argument('-C',
                       '--no-check-sig',
                       action='store_false',
                       dest='check_sig',
                       help='do not check signature')
    group.add_argument('-l',
                       '--log',
                       action='store_true',
                       dest='with_log',
                       help='use verify log')
    group.add_argument('-L',
                       '--no-log',
                       action='store_false',
                       dest='with_log',
                       help='do not use verify log')
    group.add_argument('-a',
                       '--check-ca',
                       action='store_true',
                       dest='check_ca',
                       help='check if cert is CA')
    group.add_argument('-A',
                       '--no-check-ca',
                       action='store_false',
                       dest='check_ca',
                       help='do not check if cert is CA')

    # === Miscellaneous Group ===
    group = parser.add_argument_group('Miscellaneous', 'Miscellaneous options')

    group.add_argument('-p',
                       '--print-cert',
                       action='store_true',
                       dest='print_cert',
                       help='print the certificate in a friendly fashion')

    parser.set_defaults(
        db_name='sql:pki',
        db_passwd='db_passwd',
        input_format='pem',
        check_sig=True,
        with_log=True,
        check_ca=True,
        print_cert=False,
    )

    options = parser.parse_args()

    # Process the command line arguments

    # Get usage bitmask
    if options.cert_usage:
        intended_usage = 0
        for usage in options.cert_usage:
            try:
                flag = cert_usage_map[usage]
            except KeyError:
                print("Unknown usage '%s', valid values: %s" %
                      (usage, ', '.join(sorted(cert_usage_map.keys()))))
                return 1
            else:
                intended_usage |= flag
    else:
        # We can't use nss.certificateUsageCheckAllUsages here because
        # it's a special value of zero instead of being the bitwise OR
        # of all the certificateUsage* flags (go figure!)
        intended_usage = 0
        for usage in list(cert_usage_map.values()):
            intended_usage |= usage

    if options.cert_filename and options.cert_nickname:
        print(
            "You may not specify both a cert filename and a nickname, only one or the other",
            file=sys.stderr)
        return 1

    if not options.cert_filename and not options.cert_nickname:
        print("You must specify either a cert filename or a nickname to load",
              file=sys.stderr)
        return 1

    # Initialize NSS.
    print(indented_output('NSS Database', options.db_name))
    print()
    nss.nss_init(options.db_name)
    certdb = nss.get_default_certdb()
    nss.set_password_callback(password_callback)

    # Load the cert
    if options.cert_filename:
        # Read the certificate as DER encoded data then initialize a Certificate from the DER data
        filename = options.cert_filename
        si = nss.read_der_from_file(filename,
                                    options.input_format.lower() == 'pem')
        # Parse the DER encoded data returning a Certificate object
        cert = nss.Certificate(si)
    else:
        try:
            cert = nss.find_cert_from_nickname(options.cert_nickname)
        except Exception as e:
            print(e)
            print('Unable to load cert nickname "%s" from database "%s"' % \
                (options.cert_nickname, options.db_name), file=sys.stderr)
            return 1

    # Dump the cert if the user wants to see it
    if options.print_cert:
        print(cert)
    else:
        print(indented_output('cert subject', cert.subject))
    print()

    # Dump the usages attached to the cert
    print(
        indented_output('cert has these usages',
                        nss.cert_type_flags(cert.cert_type)))

    # Should we check if the cert is a CA cert?
    if options.check_ca:
        # CA Cert?
        is_ca, cert_type = cert.is_ca_cert(True)
        print()
        print(indented_output('is CA cert boolean', is_ca))
        print(
            indented_output('is CA cert returned usages',
                            nss.cert_type_flags(cert_type)))

    print()
    print(
        indented_output('verifying usages for',
                        nss.cert_usage_flags(intended_usage)))
    print()

    # Use the log or non-log variant to verify the cert
    #
    # Note: Anytime a NSPR or NSS function returns an error in python-nss it
    # raises a NSPRError exception. When an exception is raised the normal
    # return values are discarded because the flow of control continues at
    # the first except block prepared to catch the exception. Normally this
    # is what is desired because the return values would be invalid due to
    # the error. However the certificate verification functions are an
    # exception (no pun intended). An error might be returned indicating the
    # cert failed verification but you may still need access to the returned
    # usage bitmask and the log (if using the log variant). To handle this a
    # special error exception `CertVerifyError` (derived from `NSPRError`)
    # is defined which in addition to the normal NSPRError fields will also
    # contain the returned usages and optionally the CertVerifyLog
    # object. If no exception is raised these are returned as normal return
    # values.

    approved_usage = 0
    if options.with_log:
        try:
            approved_usage, log = cert.verify_with_log(certdb,
                                                       options.check_sig,
                                                       intended_usage, None)
        except nss_error.CertVerifyError as e:
            # approved_usage and log available in CertVerifyError exception on failure.
            print(e)
            print()
            print(indented_obj('log', e.log))
            print()
            print(
                indented_output('approved usages from exception',
                                nss.cert_usage_flags(e.usages)))
            approved_usage = e.usages  # Get the returned usage bitmask from the exception
        except Exception as e:
            print(e)
        else:
            print(
                indented_output('approved usages',
                                nss.cert_usage_flags(approved_usage)))
            if log.count:
                print()
                print(indented_obj('log', log))
    else:
        try:
            approved_usage = cert.verify(certdb, options.check_sig,
                                         intended_usage, None)
        except nss_error.CertVerifyError as e:
            # approved_usage available in CertVerifyError exception on failure.
            print(e)
            print(
                indented_output('approved usages from exception',
                                nss.cert_usage_flags(e.usages)))
            approved_usage = e.usages  # Get the returned usage bitmask from the exception
        except Exception as e:
            print(e)
        else:
            print(
                indented_output('approved usages',
                                nss.cert_usage_flags(approved_usage)))

    # The cert is valid if all the intended usages are in the approved usages
    valid = (intended_usage & approved_usage) == intended_usage

    print()
    if valid:
        print(
            indented_output('SUCCESS: cert is approved for',
                            nss.cert_usage_flags(intended_usage)))
        return 0
    else:
        print(
            indented_output(
                'FAIL: cert not approved for',
                nss.cert_usage_flags(intended_usage ^ approved_usage)))
        return 1
Beispiel #4
0
def main():
    global options

    parser = argparse.ArgumentParser(description='certificate validation example')

    # === NSS Database Group ===
    group = parser.add_argument_group('NSS Database',
                                      'Specify & control the NSS Database')
    group.add_argument('-d', '--db-name',
                       help='NSS database name (e.g. "sql:pki")')

    group.add_argument('-P', '--db-passwd',
                       help='NSS database password')

    # === Certificate Group ===
    group = parser.add_argument_group('Certificate',
                                      'Specify how the certificate is loaded')

    group.add_argument('-f', '--file', dest='cert_filename',
                       help='read cert from file')

    group.add_argument('-F', '--input-format', choices=['pem', 'der'],
                       help='format of input cert')

    group.add_argument('-n', '--nickname', dest='cert_nickname',
                       help='load cert from NSS database by looking it up under this nickname')

    # === Validation Group ===
    group = parser.add_argument_group('Validation',
                                      'Control the validation')

    group.add_argument('-u', '--usage', dest='cert_usage', action='append', choices=list(cert_usage_map.keys()),
                           help='certificate usage flags, may be specified multiple times')
    group.add_argument('-c', '--check-sig', action='store_true', dest='check_sig',
                           help='check signature')
    group.add_argument('-C', '--no-check-sig', action='store_false', dest='check_sig',
                           help='do not check signature')
    group.add_argument('-l', '--log', action='store_true', dest='with_log',
                           help='use verify log')
    group.add_argument('-L', '--no-log', action='store_false', dest='with_log',
                           help='do not use verify log')
    group.add_argument('-a', '--check-ca', action='store_true', dest='check_ca',
                           help='check if cert is CA')
    group.add_argument('-A', '--no-check-ca', action='store_false', dest='check_ca',
                           help='do not check if cert is CA')

    # === Miscellaneous Group ===
    group = parser.add_argument_group('Miscellaneous',
                                      'Miscellaneous options')

    group.add_argument('-p', '--print-cert', action='store_true', dest='print_cert',
                       help='print the certificate in a friendly fashion')


    parser.set_defaults(db_name = 'sql:pki',
                        db_passwd = 'db_passwd',
                        input_format = 'pem',
                        check_sig = True,
                        with_log = True,
                        check_ca = True,
                        print_cert = False,
                        )

    options = parser.parse_args()

    # Process the command line arguments

    # Get usage bitmask
    if options.cert_usage:
        intended_usage = 0
        for usage in options.cert_usage:
            try:
                flag = cert_usage_map[usage]
            except KeyError:
                print("Unknown usage '%s', valid values: %s" % (usage, ', '.join(sorted(cert_usage_map.keys()))))
                return 1
            else:
                intended_usage |= flag
    else:
        # We can't use nss.certificateUsageCheckAllUsages here because
        # it's a special value of zero instead of being the bitwise OR
        # of all the certificateUsage* flags (go figure!)
        intended_usage = 0
        for usage in list(cert_usage_map.values()):
            intended_usage |= usage

    if options.cert_filename and options.cert_nickname:
        print("You may not specify both a cert filename and a nickname, only one or the other", file=sys.stderr)
        return 1

    if not options.cert_filename and not options.cert_nickname:
        print("You must specify either a cert filename or a nickname to load", file=sys.stderr)
        return 1

    # Initialize NSS.
    print(indented_output('NSS Database', options.db_name))
    print()
    nss.nss_init(options.db_name)
    certdb = nss.get_default_certdb()
    nss.set_password_callback(password_callback)

    # Load the cert
    if options.cert_filename:
        # Read the certificate as DER encoded data then initialize a Certificate from the DER data
        filename = options.cert_filename
        si = nss.read_der_from_file(filename, options.input_format.lower() == 'pem')
        # Parse the DER encoded data returning a Certificate object
        cert = nss.Certificate(si)
    else:
        try:
            cert = nss.find_cert_from_nickname(options.cert_nickname)
        except Exception as e:
            print(e)
            print('Unable to load cert nickname "%s" from database "%s"' % \
                (options.cert_nickname, options.db_name), file=sys.stderr)
            return 1

    # Dump the cert if the user wants to see it
    if options.print_cert:
        print(cert)
    else:
        print(indented_output('cert subject', cert.subject))
    print()

    # Dump the usages attached to the cert
    print(indented_output('cert has these usages', nss.cert_type_flags(cert.cert_type)))

    # Should we check if the cert is a CA cert?
    if options.check_ca:
        # CA Cert?
        is_ca, cert_type = cert.is_ca_cert(True)
        print()
        print(indented_output('is CA cert boolean', is_ca))
        print(indented_output('is CA cert returned usages', nss.cert_type_flags(cert_type)))

    print()
    print(indented_output('verifying usages for', nss.cert_usage_flags(intended_usage)))
    print()

    # Use the log or non-log variant to verify the cert
    #
    # Note: Anytime a NSPR or NSS function returns an error in python-nss it
    # raises a NSPRError exception. When an exception is raised the normal
    # return values are discarded because the flow of control continues at
    # the first except block prepared to catch the exception. Normally this
    # is what is desired because the return values would be invalid due to
    # the error. However the certificate verification functions are an
    # exception (no pun intended). An error might be returned indicating the
    # cert failed verification but you may still need access to the returned
    # usage bitmask and the log (if using the log variant). To handle this a
    # special error exception `CertVerifyError` (derived from `NSPRError`)
    # is defined which in addition to the normal NSPRError fields will also
    # contain the returned usages and optionally the CertVerifyLog
    # object. If no exception is raised these are returned as normal return
    # values.

    approved_usage = 0
    if options.with_log:
        try:
            approved_usage, log = cert.verify_with_log(certdb, options.check_sig, intended_usage, None)
        except nss_error.CertVerifyError as e:
            # approved_usage and log available in CertVerifyError exception on failure.
            print(e)
            print()
            print(indented_obj('log', e.log))
            print()
            print(indented_output('approved usages from exception', nss.cert_usage_flags(e.usages)))
            approved_usage = e.usages # Get the returned usage bitmask from the exception
        except Exception as e:
            print(e)
        else:
            print(indented_output('approved usages', nss.cert_usage_flags(approved_usage)))
            if log.count:
                print()
                print(indented_obj('log', log))
    else:
        try:
            approved_usage = cert.verify(certdb, options.check_sig, intended_usage, None)
        except nss_error.CertVerifyError as e:
            # approved_usage available in CertVerifyError exception on failure.
            print(e)
            print(indented_output('approved usages from exception', nss.cert_usage_flags(e.usages)))
            approved_usage = e.usages # Get the returned usage bitmask from the exception
        except Exception as e:
            print(e)
        else:
            print(indented_output('approved usages', nss.cert_usage_flags(approved_usage)))

    # The cert is valid if all the intended usages are in the approved usages
    valid = (intended_usage & approved_usage) == intended_usage

    print()
    if valid:
        print(indented_output('SUCCESS: cert is approved for', nss.cert_usage_flags(intended_usage)))
        return 0
    else:
        print(indented_output('FAIL: cert not approved for', nss.cert_usage_flags(intended_usage ^ approved_usage)))
        return 1
def main():
    # Command line argument processing
    parser = optparse.OptionParser()

    parser.set_defaults(dbdir = '/etc/pki/nssdb',
                        db_passwd = 'db_passwd',
                        input_format = 'pem',
                        check_sig = True,
                        print_cert = False,
                        with_log = True,
                        check_ca = True,
                        )

    param_group = optparse.OptionGroup(parser, 'NSS Database',
                                       'Specify & control the NSS Database')

    param_group.add_option('-d', '--dbdir', dest='dbdir',
                           help='NSS database directory, default="%default"')
    param_group.add_option('-P', '--db-passwd', dest='db_passwd',
                           help='NSS database password, default="%default"')

    parser.add_option_group(param_group)

    param_group = optparse.OptionGroup(parser, 'Certificate',
                                       'Specify how the certificate is loaded')

    param_group.add_option('-f', '--file', dest='cert_filename',
                           help='read cert from file')
    param_group.add_option('--format', dest='input_format', choices=['pem', 'der'],
                           help='import format for certificate (der|pem) default="%default"')
    param_group.add_option('-n', '--nickname', dest='cert_nickname',
                           help='load cert from NSS database by looking it up under this nickname')


    parser.add_option_group(param_group)

    param_group = optparse.OptionGroup(parser, 'Validation',
                                       'Control the validation')

    param_group.add_option('-u', '--usage', dest='cert_usage', action='append', choices=cert_usage_map.keys(),
                           help='may be specified multiple times, default="CheckAllUsages", may be one of: %s' % ', '.join(sorted(cert_usage_map.keys())))
    param_group.add_option('-c', '--check-sig', action='store_true', dest='check_sig',
                           help='check signature default=%default')
    param_group.add_option('-C', '--no-check-sig', action='store_false', dest='check_sig',
                           help='check signature')
    param_group.add_option('-l', '--log', action='store_true', dest='with_log',
                           help='use verify log, default=%default')
    param_group.add_option('-L', '--no-log', action='store_false', dest='with_log',
                           help='use verify log, default=%default')
    param_group.add_option('-a', '--check-ca', action='store_true', dest='check_ca',
                           help='check if cert is CA, default=%default')
    param_group.add_option('-A', '--no-check-ca', action='store_false', dest='check_ca',
                           help='check if cert is CA, default=%default')

    parser.add_option_group(param_group)

    param_group = optparse.OptionGroup(parser, 'Miscellaneous',
                                       'Miscellaneous options')

    param_group.add_option('-p', '--print-cert', action='store_true', dest='print_cert',
                           help='print the certificate in a friendly fashion, default=%default')

    parser.add_option_group(param_group)

    options, args = parser.parse_args()

    # Process the command line arguments

    # Get usage bitmask
    if options.cert_usage:
        intended_usage = 0
        for usage in options.cert_usage:
            try:
                flag = cert_usage_map[usage]
            except KeyError:
                print "Unknown usage '%s', valid values: %s" % (usage, ', '.join(sorted(cert_usage_map.keys())))
                return 1
            else:
                intended_usage |= flag
    else:
        # We can't use nss.certificateUsageCheckAllUsages here because
        # it's a special value of zero instead of being the bitwise OR
        # of all the certificateUsage* flags (go figure!)
        intended_usage = 0
        for usage in cert_usage_map.values():
            intended_usage |= usage

    if options.cert_filename and options.cert_nickname:
        print >>sys.stderr, "You may not specify both a cert filename and a nickname, only one or the other"
        return 1

    if not options.cert_filename and not options.cert_nickname:
        print >>sys.stderr, "You must specify either a cert filename or a nickname to load"
        return 1

    # Initialize NSS.
    print indented_output('NSS Database', options.dbdir)
    print
    nss.nss_init(options.dbdir)
    certdb = nss.get_default_certdb()
    nss.set_password_callback(password_callback)

    # Load the cert
    if options.cert_filename:
        # Read the certificate as DER encoded data then initialize a Certificate from the DER data
        filename = options.cert_filename
        si = nss.read_der_from_file(filename, options.input_format.lower() == 'pem')
        # Parse the DER encoded data returning a Certificate object
        cert = nss.Certificate(si)
    else:
        try:
            cert = nss.find_cert_from_nickname(options.cert_nickname)
        except Exception, e:
            print e
            print >>sys.stderr, 'Unable to load cert nickname "%s" from database "%s"' % \
                (options.cert_nickname, options.dbdir)
            return 1
Beispiel #6
0
    elif o in ("-d", "--der"):
        is_pem_format = False


filename = sys.argv[1]

# Perform basic configuration and setup
nss.nss_init_nodb()

if len(args):
    filename = args[0]

print "certificate filename=%s" % (filename)

# Read the certificate as DER encoded data
si = nss.read_der_from_file(filename, is_pem_format)
# Parse the DER encoded data returning a Certificate object
cert = nss.Certificate(si)

# Get the extension list from the certificate
extensions = cert.extensions

print nss.indented_format([(0, 'Certificate:'),
                           (1, 'Data:')])
print nss.indented_format([(2, 'Version: %d (%#x)' % (cert.version+1, cert.version))])
print nss.indented_format([(2, 'Serial Number: %d (%#x)' % (cert.serial_number, cert.serial_number))])
print nss.indented_format([(2, 'Signature Algorithm:')])
print nss.indented_format(cert.signature_algorithm.format_lines(3))
print nss.indented_format([(2, 'Issuer: "%s"' % cert.issuer)])
print nss.indented_format([(2, 'Validity:'),
                           (3, 'Not Before: %s' % cert.valid_not_before_str),
Beispiel #7
0
                    help='input cert file to process')

parser.set_defaults(cert_format='pem',
                    print_cert=False
                    )
options = parser.parse_args()

# Perform basic configuration and setup
nss.nss_init_nodb()

filename = options.cert_file[0]

print("certificate filename=%s" % (filename))

# Read the certificate as DER encoded data
si = nss.read_der_from_file(filename, options.cert_format == 'pem')
# Parse the DER encoded data returning a Certificate object
cert = nss.Certificate(si)

# Useful for comparing the internal cert rendering to what this script generates.
if options.print_cert:
    print(cert)

# Get the extension list from the certificate
extensions = cert.extensions

print(nss.indented_format([(0, 'Certificate:'),
                           (1, 'Data:')]))
print(nss.indented_format([(2, 'Version: %d (%#x)' % (cert.version+1, cert.version))]))
print(nss.indented_format([(2, 'Serial Number: %d (%#x)' % (cert.serial_number, cert.serial_number))]))
print(nss.indented_format([(2, 'Signature Algorithm:')]))
Beispiel #8
0
                    action='store_true',
                    help='print the cert using the internal rendering code')
parser.add_argument('cert_file', nargs=1, help='input cert file to process')

parser.set_defaults(cert_format='pem', print_cert=False)
options = parser.parse_args()

# Perform basic configuration and setup
nss.nss_init_nodb()

filename = options.cert_file[0]

print("certificate filename=%s" % (filename))

# Read the certificate as DER encoded data
si = nss.read_der_from_file(filename, options.cert_format == 'pem')
# Parse the DER encoded data returning a Certificate object
cert = nss.Certificate(si)

# Useful for comparing the internal cert rendering to what this script generates.
if options.print_cert:
    print(cert)

# Get the extension list from the certificate
extensions = cert.extensions

print(nss.indented_format([(0, 'Certificate:'), (1, 'Data:')]))
print(
    nss.indented_format([
        (2, 'Version: %d (%#x)' % (cert.version + 1, cert.version))
    ]))
Beispiel #9
0
def main():
    global options

    parser = argparse.ArgumentParser(description='certificate trust example')

    # === NSS Database Group ===
    group = parser.add_argument_group('NSS Database',
                                      'Specify & control the NSS Database')
    group.add_argument('-d', '--db-name',
                       help='NSS database name (e.g. "sql:pki")')

    group.add_argument('-P', '--db-passwd',
                       help='NSS database password')

    # === Certificate Group ===
    group = parser.add_argument_group('Certificate',
                                      'Specify how the certificate is loaded')

    group.add_argument('-f', '--file', dest='cert_filename',
                       help='read cert from file')

    group.add_argument('-F', '--input-format', choices=['pem', 'der'],
                       help='format of input cert')

    group.add_argument('-n', '--nickname', dest='cert_nickname',
                       help='load cert from NSS database by looking it up under this nickname')

    group.add_argument('-t', '--trust', dest='cert_trust',
                       help='set the cert trust flags, see certutil for format')

    group.add_argument('-i', '--install-cert', action='store_true', dest='cert_perm',
                           help='check signature')
    group.add_argument('-p', '--print-cert', action='store_true', dest='print_cert',
                       help='print the certificate in a friendly fashion')

    parser.set_defaults(db_name = 'sql:pki',
                        db_passwd = 'db_passwd',
                        input_format = 'pem',
                        install_cert = False,
                        print_cert = False,
                        )

    options = parser.parse_args()

    # Process the command line arguments

    if options.cert_perm:
        if not options.cert_filename:
            print("You must specify a cert filename to install a cert in the database", file=sys.stderr)
            return 1

        if not options.cert_nickname:
            print("You must specify a cert nickname to install a cert in the database", file=sys.stderr)
            return 1
    else:
        if options.cert_filename and options.cert_nickname:
            print("You may not specify both a cert filename and a nickname, only one or the other", file=sys.stderr)
            return 1

        if not options.cert_filename and not options.cert_nickname:
            print("You must specify either a cert filename or a nickname to load", file=sys.stderr)
            return 1


    # Initialize NSS.
    print('NSS Database: %s' % (options.db_name))
    print()
    # Initialize the database as read/write, otherwise we would not
    # be able to import a cert
    nss.nss_init_read_write(options.db_name)
    certdb = nss.get_default_certdb()

    # Since we may update the cert make sure we're using the key slot
    # and not just the internal slot
    slot = nss.get_internal_key_slot()

    # If we're importing or modifying a cert we'll need to authenticate
    # to the database, the password callback supplies the password during
    # authentication.
    nss.set_password_callback(password_callback)

    # Load the cert
    if options.cert_filename:
        # Read the certificate as DER encoded data then initialize a Certificate from the DER data
        filename = options.cert_filename
        si = nss.read_der_from_file(filename, options.input_format.lower() == 'pem')
        # Parse the DER encoded data returning a Certificate object.
        #
        # If we've been asked to install the cert in the database the
        # options.cert_perm flag will be True and we'll need to supply
        # the nickname (which is used to locate the cert in the database).
        cert = nss.Certificate(si, certdb,
                               options.cert_perm, options.cert_nickname)
    else:
        try:
            cert = nss.find_cert_from_nickname(options.cert_nickname)
        except Exception as e:
            print(e)
            print('Unable to load cert nickname "%s" from database "%s"' % \
                (options.cert_nickname, options.db_name), file=sys.stderr)
            return 1

    # Dump the cert if the user wants to see it
    if options.print_cert:
        print(cert)
    else:
        print('cert subject: %s' % (cert.subject))
    print()

    # Change the cert trust if specified
    if options.cert_trust:
        cert.set_trust_attributes(options.cert_trust, certdb, slot)

    illustrate_ssl_trust(cert)

    return 0
Beispiel #10
0
        is_pem_format = True
    elif o in ("-d", "--der"):
        is_pem_format = False

filename = sys.argv[1]

# Perform basic configuration and setup
nss.nss_init_nodb()

if len(args):
    filename = args[0]

print "certificate filename=%s" % (filename)

# Read the certificate as DER encoded data
si = nss.read_der_from_file(filename, is_pem_format)
# Parse the DER encoded data returning a Certificate object
cert = nss.Certificate(si)

# Get the extension list from the certificate
extensions = cert.extensions

print nss.indented_format([(0, 'Certificate:'), (1, 'Data:')])
print nss.indented_format([
    (2, 'Version: %d (%#x)' % (cert.version + 1, cert.version))
])
print nss.indented_format([
    (2, 'Serial Number: %d (%#x)' % (cert.serial_number, cert.serial_number))
])
print nss.indented_format([(2, 'Signature Algorithm:')])
print nss.indented_format(cert.signature_algorithm.format_lines(3))