def verifyCerts(self, certs):
getCommonName = lambda cert: CipherUtil.getCertSubject(cert)[
"commonName"]
if getCommonName(certs[-1]) == getCommonName(self.rootCert):
certs.pop()
certs.append(self.rootCert)
for i, cert in enumerate(certs):
if i == len(certs) - 1:
break
nextCert = certs[i + 1]
commonName = getCommonName(cert)
nextCommonName = getCommonName(nextCert)
if commonName.split(".")[:-1] != nextCommonName.split("."):
self.dbgPrint("Error: cert common name mismatch: " +
commonName + ", " + nextCommonName)
return False
commonName = getCommonName(certs[0])
peerAddressList = [str(i) for i in self.peerAddress[0].split(".")]
peerAddress = ".".join(peerAddressList)
if commonName != peerAddress:
self.dbgPrint("Error: address mismatch: " + commonName + ", " +
peerAddress)
return False
else:
return CipherUtil.ValidateCertChainSigs(certs)
def validate(self, certificate):
print("In Cert Validation")
clientissuer = CipherUtil.getCertIssuer(certificate[0])
clientsubject = CipherUtil.getCertSubject(certificate[0])
IntermediateIssuer = {'emailAddress': '*****@*****.**', 'stateOrProvinceName': 'MD', 'countryName': 'US', 'commonName': '20174.1.666', 'organizationalUnitName': 'PETF', 'localityName': 'Baltimore', 'organizationName': 'JHUNetworkSecurityFall2017'}
if clientissuer == IntermediateIssuer:
print("Issuer verified.")
Certificate_result = CipherUtil.ValidateCertChainSigs(certificate)
if Certificate_result:
return True
else:
print ("Certificate Validation Failed")
return False
def data_received(self, data):
self._deserializer.update(data)
for packet in self._deserializer.nextPackets():
if isinstance(packet, PlsData):
cipher_text = packet.Ciphertext
verification_code = packet.Mac
if self._verification_engine.verifyMac(cipher_text,
verification_code):
plain_text = self._decryption_engine.decrypt(cipher_text)
self.higherProtocol().data_received(plain_text)
else:
self.terminate_connection("validation error")
elif isinstance(packet, PlsHello):
'''
1. store certs from the other side (?)
2. get the other side's pubk from the certs
3. store the other side's nonce
4. store this message for SHA1
'''
self._certs_for_other_side = list(packet.Certs)
self._nonce_for_other_side = packet.Nonce
self._pubk_for_other_side = CertFactory.getPubkFromCert(
packet.Certs[0])
self._messages_for_handshake.append(packet.__serialize__())
'''
verify certs
'''
tmp_cert_list = []
for cert_for_other_side in self._certs_for_other_side:
tmp_cert_list.append(
CipherUtil.getCertFromBytes(cert_for_other_side))
peer_name = self.transport.get_extra_info("peername")[0]
common_name = CertFactory.GetCommonName(packet.Certs[0])
root = CipherUtil.getCertFromBytes(CertFactory.getRootCert())
issuer = CipherUtil.RSA_SIGNATURE_MAC(root.public_key())
if str(peer_name).startswith(
common_name
) and CipherUtil.ValidateCertChainSigs(tmp_cert_list) and (
packet.Certs[-1] == CertFactory.getRootCert()
or issuer.verify(packet.Certs[-1], root.signature)):
if self._state == 0:
# start to send plshello
self._nonce = random.randint(0, 2**64)
pls_hello = PlsHello(Nonce=self._nonce,
Certs=self._certs)
pls_hello_bytes = pls_hello.__serialize__()
self.transport.write(pls_hello_bytes)
self._state = 2
self._messages_for_handshake.append(pls_hello_bytes)
elif self._state == 1:
self._pre_key = CertFactory.getPreKey()
pls_key_exchange = PlsKeyExchange(
PreKey=CryptoUtil.RSAEncrypt(
self._pubk_for_other_side, self._pre_key),
NoncePlusOne=self._nonce_for_other_side + 1)
pls_key_exchange_bytes = pls_key_exchange.__serialize__(
)
self.transport.write(pls_key_exchange_bytes)
self._state = 3
self._messages_for_handshake.append(
(pls_key_exchange_bytes))
else:
# pass
self.terminate_connection("Status error")
else:
# pass
self.terminate_connection("PlsHello error")
elif isinstance(packet, PlsKeyExchange):
if packet.NoncePlusOne == self._nonce + 1:
self._pre_key_for_other_side = CryptoUtil.RSADecrypt(
self._private_key, packet.PreKey)
self._messages_for_handshake.append(packet.__serialize__())
if self._state == 2:
self._pre_key = CertFactory.getPreKey()
pls_key_exchange = PlsKeyExchange(
PreKey=CryptoUtil.RSAEncrypt(
self._pubk_for_other_side, self._pre_key),
NoncePlusOne=self._nonce_for_other_side + 1)
pls_key_exchange_bytes = pls_key_exchange.__serialize__(
)
self.transport.write(pls_key_exchange_bytes)
self._state = 4
self._messages_for_handshake.append(
pls_key_exchange_bytes)
elif self._state == 3:
m = hashlib.sha1()
m.update(self._messages_for_handshake[0] +
self._messages_for_handshake[1] +
self._messages_for_handshake[2] +
self._messages_for_handshake[3])
self._hash_for_handshake = m.digest()
pls_handshake_done = PlsHandshakeDone(
ValidationHash=self._hash_for_handshake)
self.transport.write(
pls_handshake_done.__serialize__())
self._state = 5
else:
# pass
self.terminate_connection("Status error")
else:
# pass
self.terminate_connection("PlsKeyExchange error")
elif isinstance(packet, PlsHandshakeDone):
validation_hash = packet.ValidationHash
if self._state == 4:
m = hashlib.sha1()
m.update(self._messages_for_handshake[0] +
self._messages_for_handshake[1] +
self._messages_for_handshake[2] +
self._messages_for_handshake[3])
self._hash_for_handshake = m.digest()
if self._hash_for_handshake == validation_hash:
pls_handshake_done = PlsHandshakeDone(
ValidationHash=self._hash_for_handshake)
self.transport.write(
pls_handshake_done.__serialize__())
self._state = 6
# ------------ set symmetric variables ------------
self.set_symmetric_variables(False)
# ------------ connect to higher protocol ------------
self.higherProtocol().connection_made(
PLSTransport(self.transport, self))
else:
# pass
self.terminate_connection(
"PlsHandshakeDone validation error")
elif self._state == 5:
if self._hash_for_handshake == validation_hash:
self.set_symmetric_variables(True)
self.higherProtocol().connection_made(
PLSTransport(self.transport, self))
self._state = 6
else:
# pass
self.terminate_connection(
"PlsHandshakeDone validation error")
else:
# pass
self.terminate_connection("status error")
elif isinstance(packet, PlsClose):
print("connection closed by the other side")
self.transport.close()
else:
print('PLSP is waiting for a PLS packet.')
