def configure(app): POSTGRES = { 'user': '******', 'pw': 'root', 'db': 'db_ocsp', 'host': 'localhost', 'port': '5432', } app.config['SQLALCHEMY_DATABASE_URI'] = 'postgresql://%(user)s:\ %(pw)s@%(host)s:%(port)s/%(db)s' % POSTGRES register_extensions(app) app.config.from_pyfile('config.py') app.config.from_pyfile pem_responder_cert = pem.parse_file(app.config['CERT_PATH'])[0] pem_responder_key = pem.parse_file(app.config['KEY_PATH'])[0] app.config['CERT'] = load_pem_x509_certificate( pem_responder_cert.as_bytes(), backend=default_backend() ) app.config['KEY'] = load_pem_private_key( pem_responder_key.as_bytes(), password=None, backend=default_backend() )
def main(files, check_chain, root_certs, details, quiet): ''' Expects PEM files formatted as Private key -> Certificate -> Certificate chain Checks each file in turn for private key/cert mismatches, expired certs, and valid chain of trust. ''' root_certs = [str(c) for c in pem.parse_file(root_certs)] for filename in files: certs = [str(c) for c in pem.parse_file(filename)] key, crt, chain = (lambda key, crt, *chain: (key, crt, list(chain)))(*certs) if details: msg_details = "{} (CN: {} SAN: {})".format( filename, get_subject(crt).commonName, get_san(crt)) else: msg_details = filename if not private_key_matches_certificate(key, crt): error_msg("key/cert mismatch", msg_details) continue if certificate_expired(crt): error_msg("certificate expired", msg_details) continue if check_chain and not verify_chain_of_trust(crt, root_certs + chain): error_msg("can't verify chain of trust", msg_details) continue if not quiet: verified_msg(msg_details)
def get_cert_and_key(self, subdomain): cert = '' key = '' key_path = self.get_key_path(subdomain) if not os.path.exists(key_path): raise ValueError('key not found: {}'.format(key_path)) key = str(pem.parse_file(key_path)[0]) cert_path = self.get_cert_path(subdomain) if not os.path.exists(cert_path): raise ValueError('cert not found: {}'.format(cert_path)) cert = str(pem.parse_file(cert_path)[0]) return cert, key, subdomain
def main(filename, check_chain): certs = [str(c) for c in pem.parse_file(filename)] root_certs = [ str(c) for c in pem.parse_file('/etc/pki/tls/certs/ca-bundle.crt') ] if check_associate_cert_with_private_key(certs[1], certs[0]): if check_chain: if verify_chain_of_trust(certs[1], certs[2:] + root_certs): print filename, "VERIFIED" else: print filename, "FAILED: can't verify chain of trust" else: print filename, "VERIFIED" else: print filename, "FAILED: key/cert mismatch"
def test_add_and_remove_authority(): bundle = X509Bundle(trust_domain, None) pem_certs = pem.parse_file(_TEST_CERTS_PATH.format('certs.pem')) x509_cert_1 = x509.load_pem_x509_certificate(pem_certs[0].as_bytes(), default_backend()) x509_cert_2 = x509.load_pem_x509_certificate(pem_certs[1].as_bytes(), default_backend()) # adding an object to the returned set, as it is a copy, it doesn't change the bundle bundle.x509_authorities().add(x509_cert_1) assert len(bundle.x509_authorities()) == 0 bundle.add_authority(x509_cert_1) bundle.add_authority(x509_cert_2) assert len(bundle.x509_authorities()) == 2 # repeat the adds bundle.add_authority(x509_cert_1) bundle.add_authority(x509_cert_2) assert len(bundle.x509_authorities()) == 2 for a in bundle.x509_authorities(): assert isinstance(a, Certificate) assert 'CN=PEMUTILTEST' in a.subject.rfc4514_string() bundle.remove_authority(x509_cert_1) assert len(bundle.x509_authorities()) == 1 bundle.remove_authority(x509_cert_2) assert len(bundle.x509_authorities()) == 0 # removing an authority that is not present, do nothing bundle.remove_authority(x509_cert_1) bundle.remove_authority(x509_cert_2)
def load_revokations(self): """ Load PEM formatted certificates that are no longer trustworthy and store the suject and issuer. `cert_list` is the path to a file that contains glob-like patterns to PEM-formatted certificates. """ revoke_file = self.revoke_file revoke_state = self.revoke_state if revoke_file is not None: last_mod_time = revoke_state['last_mod_time'] fp = FilePath(revoke_file) if not fp.exists(): return mod_time = fp.getModificationTime() if last_mod_time is None or mod_time > last_mod_time: log.msg("[INFO] Loading revoked certificate files specified in '{0}'.".format( revoke_file)) revoke_state['last_mod_time'] = mod_time revoked = set([]) with open(revoke_file) as f: for line in f: pattern = line.rstrip('\r\n') if pattern == '' or pattern.startswith('#'): continue for path in glob.glob(pattern): certs = [pem_cert_to_x509(cert) for cert in pem.parse_file(path)] for certificate in certs: revoked.add(( tuple(certificate.get_subject().get_components()), tuple(certificate.get_issuer().get_components()))) revoke_state['revoked'] = revoked
def createSSLContext_(**kwargs): privateKey = kwargs.get('privateKey', None) assert privateKey is not None, '`tls:` endpoint requires `privateKey` option.' certKey = kwargs.get('certKey', privateKey) extraCertChain = kwargs.get('extraCertChain', None) sslmethod = kwargs.get('sslmethod', None) dhParameters = kwargs.get('dhParameters', None) authorities_file = kwargs.get('authorities', None) if authorities_file is not None: verify_client = True else: verify_client = False pem_files = [privateKey, certKey] if extraCertChain is not None: pem_files.append(extraCertChain) kwds = {'method': SSL.SSLv23_METHOD} if verify_client: authorities = [pem_cert_to_x509(cert) for cert in pem.parse_file(authorities_file)] kwds['caCerts'] = authorities kwds['verify'] = verify_client if dhParameters is not None: kwds['dhParameters'] = pem.DiffieHellmanParameters.fromFile(dhParameters) ctxFactory = pem.certificateOptionsFromFiles( *pem_files, **kwds) ssl_context = ctxFactory.getContext() ssl_context.set_options(SSL.OP_NO_SSLv2) if sslmethod is not None: ssl_method_options = sslmethod.split('+') for ssl_opt in ssl_method_options: ssl_context.set_options(ssl_opt) return (verify_client, ctxFactory)
def modifycacerts_pkcs12(id, outputdir, password): """ Modifies the ca certificates in a pkcs12. Arguments: id - unique identifier to identify key and csr. These will be out to files based on the id Returns: The p12 object """ # st_cert=open(cert, 'rt').read() # cert = crypto.load_certificate(c.FILETYPE_PEM, cert) p12file = os.path.join(outputdir, id + '.p12') p12 = OpenSSL.crypto.load_pkcs12(open(p12file, "rb").read(), password) try: #f = open(cacert, 'rt') cacertlist = pem.parse_file(cacert) x509cacertlist = [] #cacertlist = [] for cert in range(len(cacertlist)): x509cacertlist.append( OpenSSL.crypto.load_certificate(crypto.FILETYPE_PEM, cacertlist[cert].as_bytes())) p12.set_ca_certificates(x509cacertlist) pkcs12handle = open(p12file, "wb") pkcs12handle.write( p12.export(passphrase=password, iter=2048, maciter=2048)) logger.info("PKCS12 Modified for id:%s and written to %s", id, p12file) pkcs12handle.close() except crypto.Error as e: logger.warning("Certificate file '%s' could not be loaded: %s", cacert, e) return None
def createSSLContext_(**kwargs): privateKey = kwargs.get('privateKey', None) assert privateKey is not None, '`tls:` endpoint requires `privateKey` option.' certKey = kwargs.get('certKey', privateKey) extraCertChain = kwargs.get('extraCertChain', None) sslmethod = kwargs.get('sslmethod', None) dhParameters = kwargs.get('dhParameters', None) authorities_file = kwargs.get('authorities', None) if authorities_file is not None: verify_client = True else: verify_client = False pem_files = [privateKey, certKey] if extraCertChain is not None: pem_files.append(extraCertChain) kwds = {'method': SSL.SSLv23_METHOD} if verify_client: authorities = [ pem_cert_to_x509(cert) for cert in pem.parse_file(authorities_file) ] kwds['caCerts'] = authorities kwds['verify'] = verify_client if dhParameters is not None: kwds['dhParameters'] = pem.DiffieHellmanParameters.fromFile( dhParameters) ctxFactory = pem.certificateOptionsFromFiles(*pem_files, **kwds) ssl_context = ctxFactory.getContext() ssl_context.set_options(SSL.OP_NO_SSLv2) if sslmethod is not None: ssl_method_options = sslmethod.split('+') for ssl_opt in ssl_method_options: ssl_context.set_options(ssl_opt) return (verify_client, ctxFactory)
def _load_from_directory(self, fpath, filetype): ####################################################################### """Helper function to read in (keys|certs) and store them correctly""" ####################################################################### try: print("Loading certs into database") for fname in tqdm(listdir(fpath)): if fname.endswith(tuple(self.extensions[filetype])): uid = fname.split(".")[0] filepath = path.join(fpath, fname) if filetype == "certificate": self.load_db( uid, certlist=[x.as_text() for x in parse_file(filepath)] ) elif filetype == "key": session = sessionmaker(bind=self.args["db"]["engine"])() create_or_update( session, Recipient, unique_identifiers=["name"], **{ "name": uid, "key": filepath, }, ) session.commit() except OSError as error: raise FileOpenError(fpath, str(error.strerror)) from error
def test_loads_certifi(self): """ Loading certifi returns a list of Certificates. """ cas = pem.parse_file(certifi.where()) assert isinstance(cas, list) assert all(isinstance(ca, pem.Certificate) for ca in cas)
def ca_store(cls): crt_paths = os.environ.get('CRT_PATH', '/etc/ssl') crt_flush = os.environ.get('CRT_FLUSH') if hasattr(cls, 'store') and not crt_flush: return cls.store else: cls.store = crypto.X509Store() suffix = r'(.+)\.(crt|pem)$' for crt_path in crt_paths.split(':'): for root, ds, fs in os.walk(crt_path): for p in filter(lambda f: re.match(suffix, f), fs): for cert in pem.parse_file(os.path.join(root, p)): try: cls.store.add_cert( crypto.load_certificate( crypto.FILETYPE_PEM, cert.as_bytes())) except crypto.Error: pass return cls.store
def get_pem_text_from_file(private_key_path: str) -> str: ''' Parses the pem file to get its value as unicode text. Check the pem permission, parse file generates a list of PEM objects and return plain text from it. Args: private_key_path (str): Path to the private key file. Returns: str: Text from PEM parsed file Raises: PermissionError: PEM File is not accessible ValueError: PEM file is invalid, no certificates found. ''' if not os.access(private_key_path, os.R_OK): raise PermissionError() certs = pem.parse_file(private_key_path) if not certs: raise ValueError('Invalid pem file.') return certs[0].as_text()
def _generateJWT(self, pem_file): """ Generates Json web token Method will take the permissions (.pem) file provided and populate the json web token attribute """ # iss is the app id # Ensuring that we request an access token that expires after a minute payload = { "iat": datetime.datetime.utcnow(), "exp": datetime.datetime.utcnow() + datetime.timedelta(seconds=60), "iss": self._app_id, } PEM = "" if pem_file == "": if "GITHUB_APP_PEM" in os.environ: pem_file = os.environ.get("GITHUB_APP_PEM") else: error_msg = "A pem file has not been specified and GITHUB_APP_PEM env varaible is not defined" raise Exception(error_msg) self._log.info("File loc %s" % pem_file) certs = pem.parse_file(pem_file) PEM = str(certs[0]) if PEM == "": error_msg = ( "No permissions enabled for parthenon metrics app, either a pem file needs to " "be provided or the GITHUB_APP_PEM variable needs to be defined" ) raise Exception(error_msg) self._jwt_token = jwt.encode(payload, PEM, algorithm="RS256").decode("utf-8")
def load_starttls_trust_anchor(self, pem_path): """ Load the startTLS trust anchor from a file in PEM format. """ log = self.log if not self.use_starttls: return if pem_path is None: return starttls_hostname = six.u(self.starttls_hostname) log.debug("type: {type}, value: {value}", type=type(starttls_hostname), value=starttls_hostname) assert starttls_hostname is not None, "Must set option `starttls_hostname` when using `starttls_trust_anchor`." log.debug("Reading PEM file {pem_path}.", pem_path=pem_path) #with open(pem_path, "r") as f: # data = f.read() #authority = ssl.Certificate.loadPEM(data) certs = pem.parse_file(pem_path) log.debug("Length `certs`: {len}", len=len(certs)) for c in certs: log.debug("Cert: {cert}", cert=str(c)) authority = ssl.Certificate.loadPEM('\n'.join( str(cert) for cert in certs)) log.debug("StartTLS authority: {authority}", authority=authority.inspect()) log.debug("StartTLS hostname: '{hostname}'", hostname=starttls_hostname) self.starttls_trust_anchor = ssl.optionsForClientTLS( starttls_hostname, authority)
def test_get_pem_text_from_file_parses_the_pem_file(lti_config_environ): pem_key = os.environ.get('LTI13_PRIVATE_KEY') certs = pem.parse_file(pem_key) with patch.object(pem, 'parse_file', return_value=certs) as mock_pem_parse_file: get_pem_text_from_file(pem_key) assert mock_pem_parse_file.called
def get_token(name): payload = requests.get('http://localhost:8000/api/payload/' + name) KEY = pem.parse_file('../keys/sluicekey.pem') print(payload.status_code) payload_json = json.loads(payload.text) print(payload.text) token = jwt.encode(payload_json, str(KEY[0]), algorithm='RS512') return token
def __call__(self, parser, namespace, values, option_string=None): try: pem_parsed = pem.parse_file(values) if not isinstance(pem_parsed, list) or len(pem_parsed) != 1: raise TypeError('PEM file is not valid') setattr(namespace, self.dest, values) except Exception as e: parser.error(e)
def count_keys_in_file(pem_path): counter = 0 for raw_pem in pem.parse_file(pem_path): if type(raw_pem) == pem._core.PrivateKey: counter += 1 elif type(raw_pem) == pem._core.RSAPrivateKey: counter += 1 return counter
def add_pki_cert(self, filename, trusted): certs = [] for cert in pem.parse_file(filename): content = "".join(cert.as_text().splitlines()[1:-1]) resp = self.post(amt.wsman.add_cert(self.path, content, trusted)) rv = _return_value(resp, AMT_PublicKeyManagementService) selector = _find_node(resp, _WSMAN, "Selector") certs.append((rv, None if selector is None else selector.text)) return certs
def lndconnect_node(node): chain = pem.parse_file(node.cert()) chainCert = ssl.Certificate.loadPEM(str(chain[0])) cert = base64.urlsafe_b64encode(chainCert.dump()) with open(node.macaroon(), 'rb') as macaroon_file: macaroon = base64.urlsafe_b64encode(macaroon_file.read()) click.echo(click.style(f'lndconnect://127.0.0.1:{node.rpc_port}?cert={cert.decode()}&macaroon={macaroon.decode()}', fg='green'))
def sign_pki_csr(self, filename, selector): requests = [] for request in pem.parse_file(filename): content = "".join(request.as_text().splitlines()[1:-1]) resp = self.post(amt.wsman.sign_pki_csr(self.path, content, "InstanceID", selector)) rv = _return_value(resp, AMT_PublicKeyManagementService) signed_request = _find_node(resp, AMT_PublicKeyManagementService, "SignedCertificateRequest") requests.append((rv, None if signed_request is None else signed_request.text)) return requests
def add_pki_key(self, filename): keys = [] for key in pem.parse_file(filename): content = "".join(key.as_text().splitlines()[1:-1]) resp = self.post(amt.wsman.add_key(self.path, content)) rv = _return_value(resp, AMT_PublicKeyManagementService) selector = _find_node(resp, _WSMAN, "Selector") keys.append((rv, None if selector is None else selector.text)) return keys
async def test_get_lms_access_token_calls_get_pem_text_from_file( mock_get_headers_to_jwt, mock_get_pem_text, lti_config_environ, http_async_httpclient_with_simple_response): pem_key = os.environ.get('LTI13_PRIVATE_KEY') mock_get_headers_to_jwt.return_value = None mock_get_pem_text.return_value = pem.parse_file(pem_key)[0].as_text() # here we're using a httpclient mocked await get_lms_access_token('url', pem_key, 'client-id') assert mock_get_pem_text.called
def test_file(self, tmpdir): """ A file with multiple certificate PEMs is parsed into a list of corresponding Certificates. """ certs_file = tmpdir.join('certs.pem') certs_file.write(b''.join(CERT_PEMS)) certs = pem.parse_file(str(certs_file)) assert all(isinstance(c, pem.Certificate) for c in certs) assert CERT_PEMS == [cert.as_bytes() for cert in certs]
def getTlsAuthority_(self, startTlsCaCert): if startTlsCaCert is None: return None authorities = [str(cert) for cert in pem.parse_file(startTlsCaCert)] if len(authorities) != 1: raise Exception( ("The provided CA cert file, '{0}', " "contained {1} certificates. It must contain exactly one." ).format(startTlsCaCert, len(authorities))) return Certificate.loadPEM(authorities[0])
def createCustomPolicyFactoryFromPEMs(*pem_files): authorities = [] for pem_file in pem_files: for cert in pem.parse_file(pem_file): authorities.append(pem_cert_to_x509(cert)) def _policyFactory(): return CustomPolicyForHTTPS(authorities) return _policyFactory
def test_file(self, tmpdir): """ A file with multiple certificate PEMs is parsed into a list of corresponding Certificates. """ certs_file = tmpdir.join('certs.pem') certs_file.write(''.join(CERT_PEMS)) certs = pem.parse_file(str(certs_file)) assert all(isinstance(c, pem.Certificate) for c in certs) assert CERT_PEMS == [str(cert) for cert in certs]
def getTlsAuthority_(self, startTlsCaCert): if startTlsCaCert is None: return None authorities = [str(cert) for cert in pem.parse_file(startTlsCaCert)] if len(authorities) != 1: raise Exception( ("The provided CA cert file, '{0}', " "contained {1} certificates. It must contain exactly one.").format( startTlsCaCert, len(authorities))) return Certificate.loadPEM(authorities[0])
def get_certificates_from_pem(file_name, certificates): """Finds all certificate entries from PEM file and adds them to given list. """ entries = pem.parse_file(file_name) index = 0 for entry in entries: if type(entry) == pem.Certificate: cert = load_certificate(FILETYPE_PEM, entry.as_bytes()) certificates.append(CertEntry(file_name, index, cert)) index = index + 1
def run(): token = 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1ODY4MTYzMTIsImZvbyI6ImJhciIsImlhdCI6MTU4NjgxNjI1MiwianRpIjoiV1VJbkhrT01RSFMzSC1LUURIYUpZdyIsIm5iZiI6MTU4NjgxNjI1Miwid3VwIjo5MH0.Ep0hCSDh5FBTxwbPadjh-9P42ePrcTmWgWNv46oyQrSB6jgA9z3kPlZ9NKK7v_MmrfV_Pj1MlUhs1-Umvyk8Cr6gDVb7Mm9mcqDxf3e-sgmYCMxmPPofTPX_b0-faDzL7K_zjdjHmoVFUpsIBONZ8jU8YBXHxu4sKJXIyPNPiYp2kzffnMj8TClUXmCMRK7mrHYgD0RHXwdo9aJT3glmtnxGYdHqkV6ygiasOC5jGSdYKf3jBKzY10vYocOvsMniT25a8Z-CbeFNWriCCDcBOB3Z74speoGreqxBrqVu5h8AJ0EPQ6GJvrRSToNMQMCddEsqNGanU-Rt0wibTZ7hbg' key_uri = os.path.join(BASE_DIR, 'afinidata.key') key_file = pem.parse_file(key_uri) key_string = str(key_file[0]).encode() key = jwk.JWK.from_pem(key_string) try: header, claims = jwt.verify_jwt(token, key, ['RS256']) print(header, claims) except: print('expired')
def validate_rsa_cert(rsa_cert_file): """ Verify that the RSA Certificate File is in our specific format :param rsa_cert_file: :return: contents of certificate file """ if check_rsa_file(rsa_cert_file, CERTIFICATE_FILE_HEADER): return pem.parse_file(rsa_cert_file) else: print("Invalid RSA Cert!") exit()
def load_certs_from_file(pem_path): for raw_pem in pem.parse_file(pem_path): if type(raw_pem) == pem._core.Certificate: yield crypto.load_certificate(crypto.FILETYPE_PEM, str(raw_pem)) elif type(raw_pem) == pem._core.PrivateKey: continue elif type(raw_pem) == pem._core.RSAPrivateKey: continue else: raise Exception("Invalid PEM file")
def validate_rsa_key(rsa_key_file): """ Verify that the RSA Ke file is in our specific format :param rsa_key_file: :return: contents of key file """ if check_rsa_file(rsa_key_file, KEY_FILE_HEADER): return pem.parse_file(rsa_key_file) else: print("Invalid RSA Key!") exit()
def get_jira_client(): """ Return a connected JIRA API client, configured by environment """ options = { 'server': os.environ.get('SERVER') } key_cert_data = pem.parse_file("mt-jira.pem") key_cert_data = str(key_cert_data[0]) # key_cert_data = os.environ.get('JIRA_KEY') # key_cert_data = open('mt-jira.pem', 'r') oauth_dict = { 'access_token': os.environ.get('ACCESS_TOKEN'), 'access_token_secret': os.environ.get('ACCESS_TOKEN_SECRET'), 'consumer_key': os.environ.get('CONSUMER_KEY'), 'key_cert': key_cert_data } return JIRA(options, oauth=oauth_dict)
def test_file(self, tmpdir): certs_file = tmpdir.join('certs.pem') certs_file.write(''.join(CERT_PEMS)) certs = pem.parse_file(str(certs_file)) assert CERT_PEMS == [str(cert) for cert in certs]
def main(basefp): print sys.argv default_port = 443 port = None ssl_enabled = True redirect_port = 80 for arg in sys.argv: if arg.startswith('--port='): port = int(arg[len('--port='):]) elif arg.startswith('--redirectport='): redirect_port = int(arg[len('--redirectport='):]) elif arg == '--dev': ssl_enabled = False redirect_port = None default_port = 8000 elif arg == '--nossl': ssl_enabled = False redirect_port = None default_port = 80 elif arg == '--noredirect': redirect_port = None if port is None: port = default_port config = Config() logging.basicConfig( stream = sys.stdout, level = logging.DEBUG, format = '%(asctime)s %(levelname) 7s [%(name)-65s L%(lineno)d] %(message)s', datefmt = '%Y-%m-%dT%H:%M:%S%z', ) root_log = logging.getLogger(__name__) site = make_site(basefp, config) root_log.info('Listening on port %d...' % (port,)) if ssl_enabled: root_log.info('SSL/TLS is enabled (start with --nossl to disable).') KEYFILE = '../secret_config/rapidssl/server.key' CERTFILE = '../secret_config/rapidssl/server.crt' assert os.path.exists(KEYFILE), "Private key file %s not found" % (KEYFILE,) assert os.path.exists(CERTFILE), "Certificate file %s not found" % (CERTFILE,) from twisted.internet import ssl import pem with open(KEYFILE) as keyFile: key = keyFile.read() certs = pem.parse_file(CERTFILE) cert = ssl.PrivateCertificate.loadPEM(str(key) + str(certs[0])) extraCertChain = [ssl.Certificate.loadPEM(str(certData)).original for certData in certs[1 :]] cert_options = ssl.CertificateOptions( privateKey=cert.privateKey.original, certificate=cert.original, extraCertChain=extraCertChain, ) reactor.listenSSL(port, site, cert_options) if redirect_port is not None: root_log.info('http->https redirector listening on port %d...' % (redirect_port,)) reactor.listenTCP(redirect_port, make_redirector_site(port)) else: root_log.info('SSL/TLS is disabled.') reactor.listenTCP(port, site)