def __init__(self, cmdname, args):
BaseAction.__init__(self, cmdname, args)
self._pool = CertificatePool()
self._pool.load_sources(self._args.crtsource)
self._log.debug("Loaded a total of %d unique certificates in trust store.", self._pool.certificate_count)
if self._args.format is not None:
file_format = self._args.format
else:
file_format = os.path.splitext(self._args.outfile)[1].lstrip(".")
self._active_substitutions = { name: getattr(self, "_substitute_" + name) for name in self.get_supported_substitutions() }
self._get_cert_attributes = getattr(self, "_get_cert_attributes_" + self._args.color_scheme, None)
if self._get_cert_attributes is None:
raise LazyDeveloperException("Color scheme '%s' is unsupported. This is a bug." % (self._args.color_scheme))
# Load color palettes
self._palette_traffic = AdvancedColorPalette(JSONTools.load_internal("x509sak.data", "palettes.json")["traffic"])
self._palette_flatui = AdvancedColorPalette(JSONTools.load_internal("x509sak.data", "palettes.json")["flatui"])
if file_format == "dot":
with open(self._args.outfile, "w") as dotfile:
self._write_dotfile(dotfile)
elif file_format in [ "ps", "png", "pdf" ]:
with tempfile.NamedTemporaryFile("w", prefix = "graph_", suffix = ".dot") as dotfile, open(self._args.outfile, "wb") as outfile:
self._write_dotfile(dotfile)
cmd = [ "dot", "-T%s" % (file_format), dotfile.name ]
subprocess.check_call(cmd, stdout = outfile)
else:
raise UnknownFormatException("Unknown file format: \"%s\"" % (file_format))
def to_dict(self):
result = {
"code":
self.code.name,
"topic":
self.code.topic,
"short_text":
self.code.description,
"text":
self.text,
"bits":
self.bits,
"verdict":
JSONTools.translate(self.verdict) if
(self.verdict is not None) else None,
"commonness":
JSONTools.translate(self.commonness) if
(self.commonness is not None) else None,
"compatibility":
JSONTools.translate(self.compatibility) if
(self.compatibility is not None) else None,
"standard":
self.standard.to_dict() if (self.standard is not None) else None,
"literature":
self.literature.to_dict() if
(self.literature is not None) else None,
}
return {
key: value
for (key, value) in result.items() if value is not None
}
def _show_analysis(self, output, analyses): if self._args.out_format in [ "ansitext", "text" ]: use_ansi = (self._args.out_format == "ansitext") AnalysisPrinterText(output, analyses).print(use_ansi = use_ansi) elif self._args.out_format == "json": JSONTools.write_to_fp(analyses, output, pretty = self._args.pretty_json) else: raise NotImplementedError(self._args.out_format)
def create_judgement_structure(verbose = False):
structure_data = { }
for structure_json_name in [ "number_theoretic.json", "encoding.json", "cryptography.json", "x509ext.json", "x509cert.json" ]:
partial_data = JSONTools.load_internal("x509sak.data.judgements", structure_json_name)
structure_data.update(partial_data)
structure = JudgementStructure(structure_data, verbose = verbose)
return structure
def _load_db_data():
json_data = JSONTools.load_internal("x509sak.data.ecc", "curves.json")
result = {
OID.from_str(oid): parameters
for (oid, parameters) in json_data.items()
}
for (oid, parameters) in result.items():
parameters["oid"] = oid
return result
def __init__(self, cmdname, args):
BaseAction.__init__(self, cmdname, args)
# Plausibilize input parameters
kwargs_checker = KwargsChecker(optional_arguments = set(self._DER_CLASSES.keys()))
kwargs_checker.check(self._args.include_dertype, hint = "DER classes to be included")
kwargs_checker.check(self._args.exclude_dertype, hint = "DER classes to be excluded")
# Plausibilize output directory
if os.path.exists(self._args.outdir) and (not self._args.force):
raise Exception("Directory %s already exists. Remove it first or use --force." % (self._args.outdir))
try:
os.makedirs(self._args.outdir)
except FileExistsError:
pass
# Determine active DERHandler classes
if len(self._args.include_dertype) == 0:
active_der_types = set(self._DER_CLASSES.keys())
else:
active_der_types = set(self._args.include_dertype)
active_der_types -= set(self._args.exclude_dertype)
self._active_der_types = [ self._DER_CLASSES[class_name] for class_name in active_der_types ]
self._active_der_types.sort(key = lambda handler: (handler.precedence, handler.data_type))
self._stats = ActionScrapeStats(self._args)
self._stats.set_active_der_types([ handler_class.data_type for handler_class in self._active_der_types ])
self._matches = Intervals()
self._hashes = set()
engine = ScrapeEngine(self._args.filename)
if not self._args.no_pem:
engine.search(self._find_pem, b"-----BEGIN ", min_length = 52, max_length = 32 * 1024)
if (not self._args.no_der) and (len(self._active_der_types) > 0):
self._log.debug("Looking for %d DER type(s): %s", len(self._active_der_types), ", ".join(handler.data_type for handler in self._active_der_types))
engine.search(self._find_der, bytes.fromhex("30"), min_length = 2, max_length = 32 * 1024)
end_offset = engine.commence(start_offset = self._args.seek_offset, length = self._args.analysis_length, progress_callback = self._progress_callback)
self._stats.finish(end_offset)
self._stats.dump()
if self._args.write_json is not None:
JSONTools.write_to_file(self._stats.as_dict(), self._args.write_json)
def analyze(self, crt_sources, root_certificate):
assert (isinstance(crt_source, self.CertSource)
for crt_source in crt_sources)
assert (isinstance(root_certificate, (type(None), self.CertSource)))
utcnow = datetime.datetime.utcnow()
analyses = {
"timestamp_utc": utcnow,
"data": [],
}
for crt_source in crt_sources:
for (crtno, crt) in enumerate(crt_source.crts, 1):
analysis_options = {
"rsa_testing":
AnalysisOptions.RSATesting.Fast
if self._fast_rsa else AnalysisOptions.RSATesting.Full,
"include_raw_data":
self._include_raw_data,
"purposes":
self._purposes,
"fqdn":
self._entity_name,
"utcnow":
utcnow,
}
if root_certificate is not None:
root_crt = root_certificate.crts[0]
else:
root_crt = None
analysis_options = AnalysisOptions(**analysis_options)
analysis = SecurityEstimator.handler("certificate")(
analysis_options=analysis_options).analyze(crt, root_crt)
analysis = JSONTools.translate(analysis)
analysis["source"] = {
"name": crt_source.source,
"srctype": crt_source.source_type,
"cert_no": crtno,
"certs_total": len(crt_source.crts),
}
if root_certificate is not None:
analysis["root_source"] = {
"name": root_certificate.source,
"srctype": root_certificate.source_type,
}
analyses["data"].append(analysis)
return analyses
def _load_db_data(self):
db_data = {}
for filename in ["rsa.json", "debian.json.gz"]:
data = JSONTools.load_internal("x509sak.data.moduli", filename)
for entry in data:
if "text" not in entry:
raise InvalidInternalDataException(
"Modulus database requires text for given modulus, not present for entry: %s"
% (str(entry)))
if "n" in entry:
# Directly hash modulus
db_data[self._hash_int(entry["n"])] = entry["text"]
elif "md5" in entry:
# Decode modulus
db_data[self._decode_hash(entry["md5"])] = entry["text"]
else:
raise InvalidInternalDataException(
"Modulus database requires either 'n' or 'md5' for given modulus, not present for entry: %s"
% (str(entry)))
return db_data