def testOpenTypes(self):
substrate = pem.readBase64fromText(self.cert_pem_text)
asn1Object, rest = der_decode(substrate,
asn1Spec=self.asn1Spec,
decodeOpenTypes=True)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
clearance_sponsor_found = False
for extn in asn1Object['tbsCertificate']['extensions']:
if extn['extnID'] == rfc5280.id_ce_subjectDirectoryAttributes:
assert extn['extnID'] in rfc5280.certificateExtensionsMap.keys()
ev, rest = der_decode(extn['extnValue'],
asn1Spec=rfc5280.certificateExtensionsMap[extn['extnID']],
decodeOpenTypes=True)
assert not rest
assert ev.prettyPrint()
assert der_encode(ev) == extn['extnValue']
for attr in ev:
if attr['type'] == rfc5917.id_clearanceSponsor:
hrd = u'Human Resources Department'
assert attr['values'][0]['utf8String'] == hrd
clearance_sponsor_found = True
assert clearance_sponsor_found
def testDerCodec(self):
asn1Spec = rfc5280.Certificate()
substrate = pem.readBase64fromText(self.kea_cert_pem_text)
asn1Object, rest = der_decode(substrate, asn1Spec=self.asn1Spec)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
spki_a = asn1Object['tbsCertificate']['subjectPublicKeyInfo'][
'algorithm']
assert spki_a['algorithm'] == rfc3279.id_keyExchangeAlgorithm
spki_a_p, rest = der_decode(spki_a['parameters'],
asn1Spec=rfc3279.KEA_Parms_Id())
assert not rest
assert spki_a_p.prettyPrint()
assert der_encode(spki_a_p) == spki_a['parameters']
assert spki_a_p == univ.OctetString(hexValue='5cf8f127e6569d6d88b3')
assert asn1Object['tbsCertificate']['signature'][
'algorithm'] == rfc3279.id_dsa_with_sha1
assert asn1Object['signatureAlgorithm'][
'algorithm'] == rfc3279.id_dsa_with_sha1
sig_value, rest = der_decode(asn1Object['signature'].asOctets(),
asn1Spec=rfc3279.Dss_Sig_Value())
assert not rest
assert sig_value.prettyPrint()
assert der_encode(sig_value) == asn1Object['signature'].asOctets()
assert sig_value['r'].hasValue()
assert sig_value['s'].hasValue()
def testDerCodec(self):
substrate = pem.readBase64fromText(self.dsa_cert_pem_text)
asn1Object, rest = der_decode(substrate, asn1Spec=self.asn1Spec)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
spki_a = asn1Object['tbsCertificate']['subjectPublicKeyInfo'][
'algorithm']
assert spki_a['algorithm'] == rfc3279.id_dsa
spki_a_p, rest = der_decode(spki_a['parameters'],
asn1Spec=rfc3279.Dss_Parms())
assert not rest
assert spki_a_p.prettyPrint()
assert der_encode(spki_a_p) == spki_a['parameters']
q_value = 1260916123897116834511257683105158021801897369967
assert spki_a_p['q'] == q_value
sig_value, rest = der_decode(asn1Object['signature'].asOctets(),
asn1Spec=rfc3279.Dss_Sig_Value())
assert not rest
assert sig_value.prettyPrint()
assert der_encode(sig_value) == asn1Object['signature'].asOctets()
assert sig_value['r'].hasValue()
assert sig_value['s'].hasValue()
def testOpenTypes(self):
substrate = pem.readBase64fromText(self.cert_pem_text)
asn1Object, rest = der_decode(substrate,
asn1Spec=self.asn1Spec,
decodeOpenTypes=True)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
nai_realm_oid = rfc7585.id_on_naiRealm
nai_realm_found = False
for extn in asn1Object['tbsCertificate']['extensions']:
if extn['extnID'] == rfc5280.id_ce_subjectAltName:
extnValue, rest = der_decode(extn['extnValue'],
asn1Spec=rfc5280.SubjectAltName(),
decodeOpenTypes=True)
assert not rest
assert extnValue.prettyPrint()
assert der_encode(extnValue) == extn['extnValue']
for gn in extnValue:
if gn['otherName'].hasValue():
assert gn['otherName']['type-id'] == nai_realm_oid
assert 'example' in gn['otherName']['value']
nai_realm_found = True
assert nai_realm_found
def testDerCodec(self):
substrate = pem.readBase64fromText(self.pem_text)
asn1Object, rest = der_decode(substrate, asn1Spec=self.asn1Spec)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
assert asn1Object['contentType'] == rfc5652.id_ct_authData
ad, rest = der_decode(asn1Object['content'],
asn1Spec=rfc5652.AuthenticatedData())
assert not rest
assert ad.prettyPrint()
assert der_encode(ad) == asn1Object['content']
assert ad['version'] == 0
assert ad['digestAlgorithm'][
'algorithm'] == rfc6210.id_alg_MD5_XOR_EXPERIMENT
mac_alg_p, rest = der_decode(ad['digestAlgorithm']['parameters'],
asn1Spec=rfc5280.algorithmIdentifierMap[
ad['digestAlgorithm']['algorithm']])
assert not rest
assert mac_alg_p.prettyPrint()
assert der_encode(mac_alg_p) == ad['digestAlgorithm']['parameters']
assert mac_alg_p.prettyPrint()[:10] == "0x01020304"
def testDerCodec(self):
substrate = pem.readBase64fromText(self.mud_cert_pem_text)
asn1Object, rest = der_decode(substrate, asn1Spec=self.asn1Spec)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
for extn in asn1Object['tbsCertificate']['extensions']:
if extn['extnID'] == rfc8520.id_pe_mudsigner:
mudsigner, rest = der_decode(extn['extnValue'],
rfc8520.MUDsignerSyntax())
assert der_encode(mudsigner) == extn['extnValue']
c = rfc5280.X520countryName(value="CH")
assert mudsigner[0][0][0]['value'] == der_encode(c)
e = rfc5280.EmailAddress(value="*****@*****.**")
assert mudsigner[0][1][0]['value'] == der_encode(e)
cn = rfc5280.X520CommonName()
cn['printableString'] = "Eliot Lear"
assert mudsigner[0][2][0]['value'] == der_encode(cn)
if extn['extnID'] == rfc8520.id_pe_mud_url:
mudurl, rest = der_decode(extn['extnValue'],
rfc8520.MUDURLSyntax())
assert der_encode(mudurl) == extn['extnValue']
assert mudurl[-5:] == ".json"
def testDerCodec(self):
substrate = pem.readBase64fromText(self.xmpp_server_cert_pem_text)
asn1Object, rest = der_decode(substrate, asn1Spec=self.asn1Spec)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
count = 0
for extn in asn1Object['tbsCertificate']['extensions']:
if extn['extnID'] == rfc5280.id_ce_subjectAltName:
extnValue, rest = der_decode(extn['extnValue'],
asn1Spec=rfc5280.SubjectAltName())
assert not rest
assert extnValue.prettyPrint()
assert der_encode(extnValue) == extn['extnValue']
for gn in extnValue:
if gn['otherName'].hasValue():
gn_on = gn['otherName']
if gn_on['type-id'] == rfc6120.id_on_xmppAddr:
assert gn_on['type-id'] in rfc5280.anotherNameMap.keys()
spec = rfc5280.anotherNameMap[gn['otherName']['type-id']]
on, rest = der_decode(gn_on['value'], asn1Spec=spec)
assert not rest
assert on.prettyPrint()
assert der_encode(on) == gn_on['value']
assert on == u'im.example.com'
count += 1
assert count == 1
def testDerCodec(self):
substrate = pem.readBase64fromText(self.encrypted_key_pkg_pem_text)
asn1Object, rest = der_decode(substrate, asn1Spec=self.asn1Spec)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
assert asn1Object['contentType'] == rfc6032.id_ct_KP_encryptedKeyPkg
content, rest = der_decode(asn1Object['content'],
rfc6032.EncryptedKeyPackage())
assert not rest
assert content.prettyPrint()
assert der_encode(content) == asn1Object['content']
assert content.getName() == 'encrypted'
eci = content['encrypted']['encryptedContentInfo']
assert eci['contentType'] == rfc6032.id_ct_KP_encryptedKeyPkg
attrType = content['encrypted']['unprotectedAttrs'][0]['attrType']
assert attrType == rfc6032.id_aa_KP_contentDecryptKeyID
attrVal0 = content['encrypted']['unprotectedAttrs'][0]['attrValues'][0]
keyid, rest = der_decode(attrVal0, rfc6032.ContentDecryptKeyID())
assert not rest
assert keyid.prettyPrint()
assert der_encode(keyid) == attrVal0
assert keyid == b'ptf-kdc-812374'
def testDerCodec(self):
smimeCapMap = {
univ.ObjectIdentifier('1.2.3.4.5.6.77'): univ.OctetString(),
}
smimeCapMap.update(rfc5751.smimeCapabilityMap)
substrate = pem.readBase64fromText(self.pem_text)
asn1Object, rest = der_decode(substrate,
asn1Spec=self.asn1Spec,
decodeOpenTypes=True)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
assert asn1Object['contentType'] == rfc5652.id_signedData
assert asn1Object['content']['version'] == 1
for si in asn1Object['content']['signerInfos']:
assert si['version'] == 1
for attr in si['signedAttrs']:
if attr['attrType'] == rfc5751.smimeCapabilities:
for scap in attr['attrValues'][0]:
if scap['capabilityID'] in smimeCapMap.keys():
scap_p, rest = der_decode(
scap['parameters'],
asn1Spec=smimeCapMap[scap['capabilityID']])
assert not rest
assert der_encode(scap_p) == scap['parameters']
assert 'parameters' in scap_p.prettyPrint()
if attr['attrType'] == rfc5751.id_aa_encrypKeyPref:
ekp_issuer_serial = attr['attrValues'][0][
'issuerAndSerialNumber']
assert ekp_issuer_serial['serialNumber'] == 173360179
def testDerCodec(self):
substrate = pem.readBase64fromText(self.pem_text)
asn1Object, rest = der_decode(substrate, asn1Spec=self.asn1Spec)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
extn_list = []
for extn in asn1Object['tbsCertificate']['extensions']:
extn_list.append(extn['extnID'])
if extn['extnID'] == rfc7773.id_ce_authContext:
s = extn['extnValue']
acs, rest = der_decode(
s,
asn1Spec=rfc5280.certificateExtensionsMap[extn['extnID']])
assert not rest
assert acs.prettyPrint()
assert s == der_encode(acs)
assert u'id.elegnamnden.se' in acs[0]['contextType']
assert u'AuthContextInfo IdentityProvider' in acs[0][
'contextInfo']
assert rfc7773.id_ce_authContext in extn_list
def testOpenTypes(self):
substrate = pem.readBase64fromText(self.cert_pem_text)
asn1Object, rest = der_decode(substrate,
asn1Spec=self.asn1Spec,
decodeOpenTypes=True)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
perm_id_oid = rfc4043.id_on_permanentIdentifier
assigner_oid = univ.ObjectIdentifier('1.3.6.1.4.1.22112.48')
permanent_identifier_found = False
for extn in asn1Object['tbsCertificate']['extensions']:
if extn['extnID'] == rfc5280.id_ce_subjectAltName:
extnValue, rest = der_decode(extn['extnValue'],
asn1Spec=rfc5280.SubjectAltName(),
decodeOpenTypes=True)
assert not rest
assert extnValue.prettyPrint()
assert der_encode(extnValue) == extn['extnValue']
for gn in extnValue:
if gn['otherName'].hasValue():
on = gn['otherName']
assert on['type-id'] == perm_id_oid
assert on['value']['assigner'] == assigner_oid
permanent_identifier_found = True
assert permanent_identifier_found
def testDerCodec(self):
substrate = pem.readBase64fromText(self.ocsp_resp_pem_text)
asn1Object, rest = der_decode(substrate, asn1Spec=self.asn1Spec)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
assert asn1Object['responseStatus'] == 0
rb = asn1Object['responseBytes']
assert rb['responseType'] in rfc6960.ocspResponseMap.keys()
resp, rest = der_decode(
rb['response'],
asn1Spec=rfc6960.ocspResponseMap[rb['responseType']])
assert not rest
assert resp.prettyPrint()
assert der_encode(resp) == rb['response']
resp['tbsResponseData']['version'] == 0
count = 0
for extn in resp['tbsResponseData']['responseExtensions']:
assert extn['extnID'] in rfc5280.certificateExtensionsMap.keys()
ev, rest = der_decode(
extn['extnValue'],
asn1Spec=rfc5280.certificateExtensionsMap[extn['extnID']])
assert not rest
assert ev.prettyPrint()
assert der_encode(ev) == extn['extnValue']
count += 1
assert count == 1
def testOpenTypes(self):
substrate = pem.readBase64fromText(self.ocsp_resp_pem_text)
asn1Object, rest = der_decode(substrate,
asn1Spec=self.asn1Spec,
decodeOpenTypes=True)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
assert asn1Object['responseStatus'] == 0
rb = asn1Object['responseBytes']
assert rb['responseType'] in rfc6960.ocspResponseMap.keys()
resp, rest = der_decode(
rb['response'],
asn1Spec=rfc6960.ocspResponseMap[rb['responseType']],
decodeOpenTypes=True)
assert not rest
assert resp.prettyPrint()
assert der_encode(resp) == rb['response']
resp['tbsResponseData']['version'] == 0
for rdn in resp['tbsResponseData']['responderID']['byName'][
'rdnSequence']:
for attr in rdn:
if attr['type'] == rfc5280.id_emailAddress:
assert attr['value'] == '*****@*****.**'
for r in resp['tbsResponseData']['responses']:
ha = r['certID']['hashAlgorithm']
assert ha['algorithm'] == rfc4055.id_sha1
assert ha['parameters'] == univ.Null("")
def testOpenTypes(self):
substrate = pem.readBase64fromText(self.cert_pem_text)
asn1Object, rest = der_decode(substrate,
asn1Spec=self.asn1Spec,
decodeOpenTypes=True)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
cat_value_found = False
for extn in asn1Object['tbsCertificate']['extensions']:
if extn['extnID'] == rfc5913.id_pe_clearanceConstraints:
assert extn['extnID'] in rfc5280.certificateExtensionsMap.keys(
)
ev, rest = der_decode(
extn['extnValue'],
asn1Spec=rfc5280.certificateExtensionsMap[extn['extnID']],
decodeOpenTypes=True)
assert not rest
assert ev.prettyPrint()
assert der_encode(ev) == extn['extnValue']
for c in ev:
if c['policyId'] == rfc3114.id_tsp_TEST_Whirlpool:
for sc in c['securityCategories']:
assert sc[
'type'] in rfc5755.securityCategoryMap.keys()
for cat in sc['value']:
assert u'USE ONLY' in cat
cat_value_found = True
assert cat_value_found
def testDerCodec(self):
access_methods = [
rfc6487.id_ad_rpkiManifest,
rfc6487.id_ad_signedObject,
]
substrate = pem.readBase64fromText(self.rpki_cert_pem_text)
asn1Object, rest = der_decode(substrate, asn1Spec=self.asn1Spec)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
count = 0
for extn in asn1Object['tbsCertificate']['extensions']:
if extn['extnID'] == rfc5280.id_pe_subjectInfoAccess:
extnValue, rest = der_decode(
extn['extnValue'],
asn1Spec=rfc5280.SubjectInfoAccessSyntax())
for ad in extnValue:
if ad['accessMethod'] in access_methods:
uri = ad['accessLocation']['uniformResourceIdentifier']
assert 'rpki.apnic.net' in uri
count += 1
assert count == 1
def testDerCodec(self):
substrate = pem.readBase64fromText(self.message1_pem_text)
asn1Object, rest = der_decode (substrate, asn1Spec=self.asn1Spec)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
assert asn1Object['contentType'] == rfc5652.id_signedData
sd, rest = der_decode (asn1Object['content'],
asn1Spec=rfc5652.SignedData())
for sa in sd['signerInfos'][0]['signedAttrs']:
sat = sa['attrType']
sav0 = sa['attrValues'][0]
if sat == rfc7191.id_aa_KP_keyPkgIdAndReceiptReq:
sav, rest = der_decode(sav0,
asn1Spec=rfc7191.KeyPkgIdentifierAndReceiptReq())
assert not rest
assert sav.prettyPrint()
assert der_encode(sav) == sav0
package_id_pem_text = "J7icVjsWIlGdF4cceb+siG3f+D0="
package_id = pem.readBase64fromText(package_id_pem_text)
assert sav['pkgID'] == package_id
def testOpenTypes(self):
substrate = pem.readBase64fromText(self.tau_pem_text)
asn1Object, rest = der_decode(substrate,
asn1Spec=rfc5652.ContentInfo(),
decodeOpenTypes=True)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
eci = asn1Object['content']['encapContentInfo']
assert eci['eContentType'] in rfc5652.cmsContentTypesMap.keys()
assert eci['eContentType'] == rfc5934.id_ct_TAMP_update
tau, rest = der_decode(
eci['eContent'],
asn1Spec=rfc5652.cmsContentTypesMap[eci['eContentType']],
decodeOpenTypes=True)
assert not rest
assert tau.prettyPrint()
assert der_encode(tau) == eci['eContent']
assert tau['version'] == 2
assert tau['msgRef']['target'] == univ.Null("")
assert tau['msgRef']['seqNum'] == 1568307088
count = 0
for u in tau['updates']:
count += 1
assert count == 1
def testOpenTypes(self):
substrate = pem.readBase64fromText(self.pfx_pem_text)
asn1Object, rest = der_decode(substrate,
asn1Spec=self.asn1Spec,
decodeOpenTypes=True)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
digest_alg = asn1Object['macData']['mac']['digestAlgorithm']
assert not digest_alg['parameters'].hasValue()
authsafe, rest = der_decode(asn1Object['authSafe']['content'],
asn1Spec=rfc7292.AuthenticatedSafe(),
decodeOpenTypes=True)
assert not rest
assert authsafe.prettyPrint()
assert der_encode(authsafe) == asn1Object['authSafe']['content']
for ci in authsafe:
assert ci['contentType'] == rfc5652.id_data
sc, rest = der_decode(ci['content'],
asn1Spec=rfc7292.SafeContents(),
decodeOpenTypes=True)
assert not rest
assert sc.prettyPrint()
assert der_encode(sc) == ci['content']
for sb in sc:
if sb['bagId'] == rfc7292.id_pkcs8ShroudedKeyBag:
bv = sb['bagValue']
enc_alg = bv['encryptionAlgorithm']['algorithm']
assert enc_alg == rfc7292.pbeWithSHAAnd3_KeyTripleDES_CBC
enc_alg_param = bv['encryptionAlgorithm']['parameters']
assert enc_alg_param['iterations'] == 2000
def testDerCodec(self):
substrate = pem.readBase64fromText(self.signed_receipt_pem_text)
asn1Object, rest = der_decode(substrate, asn1Spec=self.asn1Spec)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
assert asn1Object['contentType'] == rfc5652.id_signedData
sd, rest = der_decode(asn1Object['content'],
asn1Spec=rfc5652.SignedData())
assert not rest
assert sd.prettyPrint()
assert der_encode(sd) == asn1Object['content']
assert sd['encapContentInfo']['eContentType'] == rfc5035.id_ct_receipt
receipt, rest = der_decode(sd['encapContentInfo']['eContent'],
asn1Spec=rfc5035.Receipt())
assert not rest
assert receipt.prettyPrint()
assert der_encode(receipt) == sd['encapContentInfo']['eContent']
for sa in sd['signerInfos'][0]['signedAttrs']:
sat = sa['attrType']
sav0 = sa['attrValues'][0]
if sat in rfc5035.ESSAttributeMap.keys():
sav, rest = der_decode(sav0,
asn1Spec=rfc5035.ESSAttributeMap[sat])
assert not rest
assert sav.prettyPrint()
assert der_encode(sav) == sav0
def testOpenTypes(self):
substrate = pem.readBase64fromText(self.signed_receipt_pem_text)
rfc5652.cmsContentTypesMap.update(rfc5035.cmsContentTypesMapUpdate)
rfc5652.cmsAttributesMap.update(rfc5035.ESSAttributeMap)
asn1Object, rest = der_decode(substrate,
asn1Spec=self.asn1Spec,
decodeOpenTypes=True)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
assert asn1Object['contentType'] in rfc5652.cmsContentTypesMap.keys()
assert asn1Object['contentType'] == rfc5652.id_signedData
sd = asn1Object['content']
assert sd['version'] == rfc5652.CMSVersion().subtype(value='v3')
assert sd['encapContentInfo'][
'eContentType'] in rfc5652.cmsContentTypesMap.keys()
assert sd['encapContentInfo']['eContentType'] == rfc5035.id_ct_receipt
for sa in sd['signerInfos'][0]['signedAttrs']:
assert sa['attrType'] in rfc5652.cmsAttributesMap.keys()
if sa['attrType'] == rfc5035.id_aa_msgSigDigest:
sa['attrValues'][0].prettyPrint()[:10] == '0x167378'
# Since receipt is inside an OCTET STRING, decodeOpenTypes=True cannot
# automatically decode it
receipt, rest = der_decode(sd['encapContentInfo']['eContent'],
asn1Spec=rfc5652.cmsContentTypesMap[
sd['encapContentInfo']['eContentType']])
assert receipt['version'] == rfc5035.ESSVersion().subtype(value='v1')
def recover_key(c1, sig1, c2, sig2):
#using the same variable names as in:
#http://en.wikipedia.org/wiki/Elliptic_Curve_DSA
n = curve_order
# s1 = string_to_number(sig1[0:47])
# s2 = string_to_number(sig2[0:47])
sig, _ = der_decode(sig1, asn1Spec=EcSignature())
s1 = int(sig["s"])
r = int(sig["r"])
sig, _ = der_decode(sig2, asn1Spec=EcSignature())
s2 = int(sig["s"])
# r = string_to_number(sig1[48:95])
print s2
print r
z1 = string_to_number(sha256(c1))
z2 = string_to_number(sha256(c2))
sdiff_inv = inverse_mod(((s1 - s2) % n), n)
k = (((z1 - z2) % n) * sdiff_inv) % n
r_inv = inverse_mod(r, n)
da = (((((s1 * k) % n) - z1) % n) * r_inv) % n
recovered_private_key_ec = SigningKey.from_secret_exponent(da,
curve=SECP256k1)
print recovered_private_key_ec.privkey.secret_multiplier
return recovered_private_key_ec.to_pem()
def getKey(directory: Path, masterPassword=""):
dbfile: Path = directory / "key4.db"
if not dbfile.exists():
raise NoDatabase()
# firefox 58.0.2 / NSS 3.35 with key4.db in SQLite
conn = sqlite3.connect(dbfile.as_posix())
c = conn.cursor()
# first check password
c.execute("SELECT item1,item2 FROM metadata WHERE id = 'password';")
row = next(c)
globalSalt = row[0] # item1
item2 = row[1]
decodedItem2, _ = der_decode(item2)
entrySalt = decodedItem2[0][1][0].asOctets()
cipherT = decodedItem2[1].asOctets()
clearText = decrypt3DES(globalSalt, masterPassword, entrySalt,
cipherT) # usual Mozilla PBE
if clearText != b"password-check\x02\x02":
raise WrongPassword()
#if args.verbose:
# print("password checked", file=sys.stderr)
# decrypt 3des key to decrypt "logins.json" content
c.execute("SELECT a11,a102 FROM nssPrivate;")
for row in c:
if row[1] == MAGIC1:
break
a11 = row[0] # CKA_VALUE
assert row[1] == MAGIC1 # CKA_ID
decodedA11, _ = der_decode(a11)
entrySalt = decodedA11[0][1][0].asOctets()
cipherT = decodedA11[1].asOctets()
key = decrypt3DES(globalSalt, masterPassword, entrySalt, cipherT)
#if args.verbose:
# print("3deskey", key.hex(), file=sys.stderr)
return key[:24]
def testDerCodec(self):
substrate = pem.readBase64fromText(self.pem_text)
asn1Object, rest = der_decode(substrate, asn1Spec=self.asn1Spec)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
ea = asn1Object['encryptionAlgorithm']
assert ea['algorithm'] == rfc8018.id_PBES2
assert ea['algorithm'] in rfc5280.algorithmIdentifierMap.keys()
params, rest = der_decode(ea['parameters'],
asn1Spec=rfc5280.algorithmIdentifierMap[ea['algorithm']])
assert not rest
assert params.prettyPrint()
assert der_encode(params) == ea['parameters']
kdf = params['keyDerivationFunc']
assert kdf['algorithm'] == rfc7914.id_scrypt
assert kdf['algorithm'] in rfc5280.algorithmIdentifierMap.keys()
kdfp, rest = der_decode(kdf['parameters'],
asn1Spec=rfc5280.algorithmIdentifierMap[kdf['algorithm']])
assert not rest
assert kdfp.prettyPrint()
assert der_encode(kdfp) == kdf['parameters']
assert kdfp['costParameter'] == 1048576
def testDerCodec(self):
substrate = pem.readBase64fromText(self.pem_text)
asn1Object, rest = der_decode(substrate, asn1Spec=self.asn1Spec)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
assert asn1Object['acinfo']['version'] == 1
attributeMap = {
rfc3281.id_at_role: rfc3281.RoleSyntax(),
rfc3281.id_aca_authenticationInfo: rfc3281.SvceAuthInfo(),
rfc3281.id_aca_accessIdentity: rfc3281.SvceAuthInfo(),
rfc3281.id_aca_chargingIdentity: rfc3281.IetfAttrSyntax(),
rfc3281.id_aca_group: rfc3281.IetfAttrSyntax(),
}
count = 0
for attr in asn1Object['acinfo']['attributes']:
assert attr['type'] in attributeMap
av, rest = der_decode(attr['values'][0],
asn1Spec=attributeMap[attr['type']])
assert not rest
assert av.prettyPrint()
assert der_encode(av) == attr['values'][0]
count += 1
assert count == 5
def testDerCodec(self):
substrate = pem.readBase64fromText(self.message3_pem_text)
asn1Object, rest = der_decode (substrate, asn1Spec=self.asn1Spec)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
assert asn1Object['contentType'] == rfc5652.id_signedData
sd, rest = der_decode (asn1Object['content'],
asn1Spec=rfc5652.SignedData())
assert not rest
assert sd.prettyPrint()
assert der_encode(sd) == asn1Object['content']
oid = sd['encapContentInfo']['eContentType']
assert oid == rfc7191.id_ct_KP_keyPackageError
kpe, rest = der_decode(sd['encapContentInfo']['eContent'],
asn1Spec=rfc7191.KeyPackageError())
assert not rest
assert kpe.prettyPrint()
assert der_encode(kpe) == sd['encapContentInfo']['eContent']
package_id_pem_text = "J7icVjsWIlGdF4cceb+siG3f+D0="
package_id = pem.readBase64fromText(package_id_pem_text)
assert kpe['errorOf']['pkgID'] == package_id
assert kpe['errorCode'] == rfc7191.EnumeratedErrorCode(value=10)
def testOpenTypes(self):
substrate = pem.readBase64fromText(self.message3_pem_text)
asn1Object, rest = der_decode (substrate,
asn1Spec=self.asn1Spec,
decodeOpenTypes=True)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
assert asn1Object['contentType'] == rfc5652.id_signedData
v3 = rfc5652.CMSVersion().subtype(value='v3')
assert asn1Object['content']['version'] == v3
for sa in asn1Object['content']['signerInfos'][0]['signedAttrs']:
assert sa['attrType'] in rfc5652.cmsAttributesMap.keys()
if sa['attrType'] == rfc5652.id_messageDigest:
assert '0xa05c54d4737' in sa['attrValues'][0].prettyPrint()
ct_oid = asn1Object['content']['encapContentInfo']['eContentType']
assert ct_oid in rfc5652.cmsContentTypesMap.keys()
assert ct_oid == rfc7191.id_ct_KP_keyPackageError
# Since receipt is inside an OCTET STRING, decodeOpenTypes=True cannot
# automatically decode it
sd_eci = asn1Object['content']['encapContentInfo']
kpe, rest = der_decode(sd_eci['eContent'],
asn1Spec=rfc5652.cmsContentTypesMap[sd_eci['eContentType']])
package_id_pem_text = "J7icVjsWIlGdF4cceb+siG3f+D0="
package_id = pem.readBase64fromText(package_id_pem_text)
assert kpe['errorOf']['pkgID'] == package_id
assert kpe['errorCode'] == rfc7191.EnumeratedErrorCode(value=10)
def testOpenTypes(self):
substrate = pem.readBase64fromText(self.cert_pem_text)
asn1Object, rest = der_decode(substrate,
asn1Spec=self.asn1Spec,
decodeOpenTypes=True)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
extn_list = []
for extn in asn1Object['tbsCertificate']['extensions']:
extn_list.append(extn['extnID'])
if extn['extnID'] in rfc5280.certificateExtensionsMap.keys():
extnValue, rest = der_decode(
extn['extnValue'],
asn1Spec=rfc5280.certificateExtensionsMap[extn['extnID']])
assert der_encode(extnValue) == extn['extnValue']
if extn['extnID'] == rfc4334.id_pe_wlanSSID:
assert str2octs('Example') in extnValue
if extn['extnID'] == rfc5280.id_ce_extKeyUsage:
assert rfc4334.id_kp_eapOverLAN in extnValue
assert rfc4334.id_kp_eapOverPPP in extnValue
assert rfc4334.id_pe_wlanSSID in extn_list
assert rfc5280.id_ce_extKeyUsage in extn_list
def testOpenTypes(self):
substrate = pem.readBase64fromText(self.tsr_pem_text)
asn1Object, rest = der_decode(substrate,
asn1Spec=rfc5652.ContentInfo(),
decodeOpenTypes=True)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
eci = asn1Object['content']['encapContentInfo']
assert eci['eContentType'] in rfc5652.cmsContentTypesMap.keys()
assert eci['eContentType'] == rfc5934.id_ct_TAMP_statusResponse
tsr, rest = der_decode(
eci['eContent'],
asn1Spec=rfc5652.cmsContentTypesMap[eci['eContentType']],
decodeOpenTypes=True)
assert not rest
assert tsr.prettyPrint()
assert der_encode(tsr) == eci['eContent']
assert tsr['version'] == 2
assert tsr['query']['target'] == univ.Null("")
assert tsr['query']['seqNum'] == 1568307071
assert tsr['usesApex'] == False
count = 0
for tai in tsr['response']['verboseResponse']['taInfo']:
count += 1
assert tai['taInfo']['version'] == 1
assert count == 3
async def get_old_timestamp(signature, timestamp_url=None):
"""Retrieve an old style timestamp countersignature.
Args:
signature (str): the signature to get a counter signature for. This is
usally the encryptedDigest of our file's signerInfo section.
timestamp_url (str): what service to use to fetch the timestamp countersignature from.
defaults to 'http://timestamp.digicert.com'.
Returns:
SignedData object
"""
req = OldTimeStampReq()
req["type"] = univ.ObjectIdentifier("1.3.6.1.4.1.311.3.2.1")
req["blob"]["signature"] = signature
req["blob"]["type"] = univ.ObjectIdentifier("1.2.840.113549.1.7.1")
encoded_req = der_encode(req)
b64_req = base64.b64encode(encoded_req)
url = timestamp_url or "http://timestamp.digicert.com"
async with aiohttp.request(
"POST", url, data=b64_req, headers={"Content-Type": "application/octet-stream"}
) as resp:
# Uncomment below to capture a real response
# open('old-ts.dat', 'wb').write(resp.content)
ci, _ = der_decode(base64.b64decode(await resp.read()), ContentInfo())
ts, _ = der_decode(ci["content"], SignedData())
return ts
def testDerCodec(self):
substrate = pem.readBase64fromText(self.constrained_pem_text)
asn1Object, rest = der_decode(substrate, asn1Spec=self.asn1Spec)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
assert asn1Object['extnID'] == rfc6010.id_pe_cmsContentConstraints
evalue, rest = der_decode(asn1Object['extnValue'],
asn1Spec=rfc6010.CMSContentConstraints())
assert not rest
assert evalue.prettyPrint()
assert der_encode(evalue) == asn1Object['extnValue']
constraint_count = 0
attribute_count = 0
cannot_count = 0
for ccc in evalue:
constraint_count += 1
if ccc['canSource'] == 1:
cannot_count += 1
if ccc['attrConstraints'].hasValue():
for attr in ccc['attrConstraints']:
attribute_count += 1
assert constraint_count == 4
assert attribute_count == 3
assert cannot_count == 1
def testDerCodec(self):
substrate = pem.readBase64fromText(self.pem_text)
asn1Object, rest = der_decode(substrate, asn1Spec=self.asn1Spec)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
assert asn1Object['attrType'] == rfc6019.id_aa_binarySigningTime
bintime, rest = der_decode(asn1Object['attrValues'][0], asn1Spec=rfc6019.BinaryTime())
assert bintime == 0x5cbf8654
def __init__ (self, b64val, challenge = None, *extensions, ** kw) :
""" This gets a base64 encoded value as returned by a browser
when filling in a form with a keygen element.
The optional challenge is the challenge string issued by the
web server and is checked against the signed challenge value
returned by the browser (inside the b64val).
We generally return a SPKAC_Decode_Error in case something
cannot be parsed.
The base64 encoded value is ASN.1 and stores the following
Netscape SPKI/SPKAC data structure:
ASN.1 notation of this (see HTML-5 keygen docs)
PublicKeyAndChallenge ::= SEQUENCE {
spki SubjectPublicKeyInfo,
challenge IA5STRING
}
SignedPublicKeyAndChallenge ::= SEQUENCE {
publicKeyAndChallenge PublicKeyAndChallenge,
signatureAlgorithm AlgorithmIdentifier,
signature BIT STRING
}
"""
try :
seq, rest = der_decode (b64decode (b64val))
except PyAsn1Error, e :
raise SPKAC_Decode_Error (e)
def __init__(self, subject, last_update=None, next_update=None):
self.asn1_subject, rest = der_decode(subject.as_der())
assert not rest
self.crl = []
lu = last_update or long(time())
nu = next_update or lu + 60 * 60 * 24 * 31
self.last_update = UTCTime(strftime(self.time_fmt, gmtime(lu)))
self.next_update = UTCTime(strftime(self.time_fmt, gmtime(nu)))
def testDerCodec(self):
substrate = pem.readBase64fromText(self.pem_text)
asn1Object, rest = der_decode(substrate, asn1Spec=self.asn1Spec)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
assert asn1Object['contentType'] == rfc5652.id_signedData
inner, rest = der_decode(asn1Object['content'], asn1Spec=rfc5652.SignedData())
assert inner['encapContentInfo']['eContentType'] == rfc4108.id_ct_firmwarePackage
assert inner['encapContentInfo']['eContent']
found_target_hardware_identifier_attribute = False
for attr in inner['signerInfos'][0]['signedAttrs']:
if attr['attrType'] == rfc4108.id_aa_targetHardwareIDs:
found_target_hardware_identifier_attribute = True
assert found_target_hardware_identifier_attribute
def from_binary(data):
"""
Create a Condition object from a binary blob.
This method will parse a stream of binary data and construct a
corresponding Condition object.
Args:
data (bytes): Binary data representing the condition.
Returns:
Condition: Resulting object
"""
asn1_condtion_obj, residue = der_decode(data, asn1Spec=Asn1Condition())
asn1_condition_dict = nat_encode(asn1_condtion_obj)
return Condition.from_asn1_dict(asn1_condition_dict)
def from_binary(data):
"""
Create a Fulfillment object from a DER encoded binary
representation of a fulfillment.
Args:
data (bytes): DER encoded fulfillment in bytes.
Returns:
Fulfillment: :class:`~.Fulfillment` instance.
"""
try:
asn1_obj, _ = der_decode(data, asn1Spec=Asn1Fulfillment())
except (SubstrateUnderrunError, PyAsn1Error, TypeError) as exc:
raise ASN1DecodeError('Failed to decode fulfillment.') from exc
asn1_dict = nat_encode(asn1_obj)
return Fulfillment.from_asn1_dict(asn1_dict)
def decrypt_blob(self, blob):
if blob == None:
return ""
if len(blob) < 48:
print "keychain blob length must be >= 48"
return
version, clas = struct.unpack("<LL", blob[0:8])
clas &= 0xF
self.clas = clas
if version == 0:
wrappedkey = blob[8 : 8 + 40]
encrypted_data = blob[48:]
elif version == 2:
l = struct.unpack("<L", blob[8:12])[0]
wrappedkey = blob[12 : 12 + l]
encrypted_data = blob[12 + l : -16]
elif version == 3:
l = struct.unpack("<L", blob[8:12])[0]
wrappedkey = blob[12 : 12 + l]
encrypted_data = blob[12 + l : -16]
else:
raise Exception("unknown keychain verson ", version)
return
unwrappedkey = self.keybag.unwrapKeyForClass(clas, wrappedkey, False)
if not unwrappedkey:
return
if version == 0:
return AESdecryptCBC(encrypted_data, unwrappedkey, padding=True)
elif version == 2:
binaryplist = gcm_decrypt(unwrappedkey, "", encrypted_data, "", blob[-16:])
return BPlistReader(binaryplist).parse()
elif version == 3:
der = gcm_decrypt(unwrappedkey, "", encrypted_data, "", blob[-16:])
stuff = der_decode(der)[0]
rval = {}
for k, v in stuff:
k = str(k)
# NB - this is binary and may not be valid UTF8 data
v = str(v)
rval[k] = v
return rval
def parse_pem_to_certs(pem):
"""
Convert PEM formatted certificates into DER format.
:param pem: String containing a list of PEM encoded certificates
:returns: List of Python objects representing certificates
"""
certs_der = []
acc = ""
state = "PRE"
for line in pem.split("\n"):
if state == "PRE" and line == "-----BEGIN CERTIFICATE-----":
state = "BODY_OR_META"
elif state == "PRE" and not line:
pass
elif state == "BODY_OR_META" and ":" in line:
state = "META"
elif state == "BODY" and line == "-----END CERTIFICATE-----":
certs_der.append(base64.b64decode(acc))
acc = ""
state = "PRE"
elif state == "META" and not line:
state = "BODY"
elif state == "BODY" or state == "BODY_OR_META":
acc += line
state = "BODY"
else:
raise CertificateParseError(f'Unexpected input "{line}" in state "{state}"')
if acc:
raise CertificateParseError(f"Unexpected end of input. Leftover: {acc}")
certs_py = []
for der in certs_der:
cert, rest_of_input = der_decode(der, asn1Spec=rfc5280.Certificate())
assert not rest_of_input # assert no left over input
certs_py.append(python_encode(cert))
return certs_py
def ParseIt(self, data, tblname, export):
record = {}
Decoded = der_decode(data)[0]
for k, v in Decoded: #self.datadict.items():
data = '%s'%v
if k == 'atyp':
data = self.GetAuthType(data)
elif k == 'pdmn':
data = self.GetAccessibleName(data)
elif k == 'cdat' or k == 'mdat':
data = self.Getdate(data)
elif k == 'ptcl':
data = self.GetProtoFullName(data)
elif k == 'klbl':
data = data.encode('hex')
if export == 0:
k = self.GetColumnFullName('%s'%k)
record[k] = data
return record
