Example #1
    def test_hmac(self):
        """Check EVP.hmac('key', 'data') against known-answer values.

        Each MAC is converted with util.octx_to_num and compared with a fixed
        expected number. MD5 and RIPEMD-160 are skipped when ``fips_mode`` is
        set, the SHA-2 variants are only checked when the OpenSSL version
        number is at least 0x90800F, and an unknown digest name must raise
        ValueError.
        """
        def check(expected, **hmac_kwargs):
            # On failure the assertion message is the value actually produced.
            actual = util.octx_to_num(EVP.hmac('key', 'data', **hmac_kwargs))
            assert actual == expected, actual

        # No algo argument: exercises the library's default digest.
        check(92800611269186718152770431077867383126636491933)

        if not fips_mode:  # Disabled algorithms
            check(209168838103121722341657216703105225176, algo='md5')
            check(1176807136224664126629105846386432860355826868536,
                  algo='ripemd160')

        if m2.OPENSSL_VERSION_NUMBER >= 0x90800F:
            sha2_vectors = (
                ('sha224',
                 2660082265842109788381286338540662430962855478412025487066970872635),
                ('sha256',
                 36273358097036101702192658888336808701031275731906771612800928188662823394256),
                ('sha384',
                 30471069101236165765942696708481556386452105164815350204559050657318908408184002707969468421951222432574647369766282),
                ('sha512',
                 3160730054100700080556942280820129108466291087966635156623014063982211353635774277148932854680195471287740489442390820077884317620321797003323909388868696),
            )
            for digest_name, expected_mac in sha2_vectors:
                check(expected_mac, algo=digest_name)

        self.assertRaises(ValueError, EVP.hmac, 'key', 'data', algo='sha513')
Example #2
    def __call__(self, peerCert, host=None):
        """Validate a peer certificate against the configured pin and host.

        If ``self.fingerprint`` is set, the digest of the certificate's DER
        encoding must equal it. If a host is known (the ``host`` argument or
        the value already stored on ``self.host``), it must match a
        subjectAltName field or, when the certificate has no subjectAltName
        extension, the subject commonName.

        NOTE(review): when neither a fingerprint nor a host is set, every
        non-None certificate is accepted; any trust decision then rests on
        chain verification done elsewhere.

        Raises NoCertificate, ValueError, WrongCertificate or WrongHost on
        failure; returns True otherwise.
        """
        if peerCert is None:
            raise NoCertificate('peer did not return certificate')

        if host is not None:
            # The host is stored on the instance, so it also applies to later
            # calls that omit the argument.
            self.host = host

        if self.fingerprint:
            # NOTE(review): only SHA-1 and MD5 pins are accepted; both are
            # deprecated digests, so a stronger option (e.g. SHA-256) would
            # be preferable if this checker is extended.
            if self.digest not in ('sha1', 'md5'):
                raise ValueError('unsupported digest "%s"' % (self.digest))

            # Expected pin lengths in hex characters: 40 for SHA-1, 32 for MD5.
            if (self.digest == 'sha1' and len(self.fingerprint) != 40) or \
               (self.digest == 'md5' and len(self.fingerprint) != 32):
                raise WrongCertificate(
                    'peer certificate fingerprint length does not match')

            der = peerCert.as_der()
            md = EVP.MessageDigest(self.digest)
            md.update(der)
            digest = md.final()
            # Compared as integers, so the hex case of the pin does not
            # matter. int() raises ValueError if the pin is not valid hex.
            if util.octx_to_num(digest) != int(self.fingerprint, 16):
                raise WrongCertificate(
                    'peer certificate fingerprint does not match')

        if self.host:
            # commonNameValid is assigned below but never read afterwards; a
            # commonName mismatch raises instead.
            commonNameValid = False
            subjectAltNameValid = False

            # XXX subjectAltName might contain multiple fields
            # subjectAltName=DNS:somehost, DNS:someotherhost, otherkey:val
            # NOTE(review): fields are split on ',' and passed to _match()
            # unstripped; confirm _match() copes with the leading space and
            # the 'DNS:' prefix.
            try:
                subjectAltName = peerCert.get_ext('subjectAltName').get_value()
                sanlist = subjectAltName.split(",")
                for field in sanlist:
                    if self._match(self.host, field, True):
                        subjectAltNameValid = True
                # An extension that is present but matches nothing is a hard
                # failure: commonName is not consulted in that case (assuming
                # WrongHost is not a LookupError subclass -- TODO confirm).
                if not subjectAltNameValid:
                    raise WrongHost(expectedHost=self.host,
                                    actualHost=subjectAltName,
                                    fieldName='subjectAltName')
            # Ignore if cert has no subjectAltName extension
            # But then commonName *must* match for validation
            except LookupError:
                pass

            if not subjectAltNameValid:
                # commonName=somehost
                try:
                    commonName = peerCert.get_subject().CN
                    if self._match(self.host, commonName):
                        commonNameValid = True
                    else:
                        raise WrongHost(expectedHost=self.host,
                                        actualHost=commonName,
                                        fieldName='commonName')
                # A subject without a CN attribute cannot be validated.
                except AttributeError:
                    raise WrongCertificate('no commonName in peer certificate')

        return True
Example #3
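 def __init__(self, ctb, body=None):
     """Initialise the packet and, when a body is supplied, parse its fields.

     The body is read in order: one byte kept as ``_version``, eight bytes
     kept as ``_keyid``, one byte whose ordinal becomes ``_pkc``, then a
     big-endian 16-bit bit count followed by that many bits (rounded up to
     whole bytes), decoded with ``octx_to_num`` into ``_dek``.

     NOTE(review): the body is presumably untrusted packet data. Nothing
     here checks for short reads: an empty read makes ``ord()`` or
     ``struct.unpack`` raise, and a short final read would give a truncated
     ``_dek`` without any error -- confirm how ``self.body.read`` behaves.
     """
     packet.__init__(self, ctb, body)
     if body is None:
         return

     self._version = self.body.read(1)
     self._keyid = self.body.read(8)
     self._pkc = ord(self.body.read(1))

     bit_count = struct.unpack('>H', self.body.read(2))[0]
     # Round the bit count up to whole bytes. Floor division keeps the
     # length an int on Python 3, where "/" yields a float that file-like
     # read() calls do not accept; on Python 2 the result is unchanged.
     deklen = (bit_count + 7) // 8
     self._dek = octx_to_num(self.body.read(deklen))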
Example #4
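    def __init__(self, ctb, body=None):
        """Initialise the packet and, when a body is supplied, parse its fields.

        The body is read in order: one byte kept as ``_version``, eight bytes
        kept as ``_keyid``, one byte whose ordinal becomes ``_pkc``, then a
        big-endian 16-bit bit count followed by that many bits (rounded up to
        whole bytes), decoded with ``octx_to_num`` into ``_dek``.

        NOTE(review): the body is presumably untrusted packet data. Nothing
        here checks for short reads: an empty read makes ``ord()`` or
        ``struct.unpack`` raise, and a short final read would give a truncated
        ``_dek`` without any error -- confirm how ``self.body.read`` behaves.
        """
        packet.__init__(self, ctb, body)
        if body is None:
            return

        self._version = self.body.read(1)
        self._keyid = self.body.read(8)
        self._pkc = ord(self.body.read(1))

        bit_count = struct.unpack('>H', self.body.read(2))[0]
        # Round the bit count up to whole bytes. Floor division keeps the
        # length an int on Python 3, where "/" yields a float that file-like
        # read() calls do not accept; on Python 2 the result is unchanged.
        deklen = (bit_count + 7) // 8
        self._dek = octx_to_num(self.body.read(deklen))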
Example #5
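 def _get_fingerprint(self, algorithm='sha1'):
     """ Workaround for RHEL5 with ancient version of M2Crypto

     For M2Crypto older than 0.17 the fingerprint is computed here: the
     digest of the certificate's DER encoding, rendered as upper-case hex.
     Newer versions delegate to the certificate's own get_fingerprint().
     """
     if LooseVersion(M2Crypto.version) < StrictVersion("0.17"):
         der = self.openssl_certificate.as_der()
         md = EVP.MessageDigest(algorithm)
         md.update(der)
         digest = md.final()
         # Two hex characters per digest byte. A fixed-width format keeps
         # leading zeros and does not rely on slicing hex() output, which
         # is only right when the value ends in Python 2's 'L' suffix.
         return '%0*X' % (2 * len(digest), util.octx_to_num(digest))
     # NOTE(review): `algorithm` is not forwarded on this path, so the
     # result uses whatever digest get_fingerprint() defaults to, which may
     # differ from the one requested -- confirm and pass it through if the
     # installed M2Crypto accepts it.
     return self.openssl_certificate.get_fingerprint()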
Example #6
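    def test_MessageDigest(self):
        """Check SHA-1 via EVP.MessageDigest, with and without m2.sha1.

        An unknown digest name must raise ValueError. The SHA-1 digest of
        'Hello' is then checked twice: once normally, and once with the
        ``m2.sha1`` attribute removed so that EVP.MessageDigest has to
        resolve the digest by name.
        """
        expected_sha1 = 1415821221623963719413415453263690387336440359920

        with self.assertRaises(ValueError):
            EVP.MessageDigest('sha513')
        md = EVP.MessageDigest('sha1')
        self.assertEqual(md.update('Hello'), 1)
        self.assertEqual(util.octx_to_num(md.final()), expected_sha1)

        # temporarily remove sha1 from m2
        old_sha1 = m2.sha1
        del m2.sha1
        try:
            # now run the same test again, relying on EVP.MessageDigest() to
            # call get_digestbyname() under the hood
            md = EVP.MessageDigest('sha1')
            self.assertEqual(md.update('Hello'), 1)
            self.assertEqual(util.octx_to_num(md.final()), expected_sha1)
        finally:
            # put sha1 back in place even if an assertion above failed;
            # otherwise every later test in the process would see m2
            # without its sha1 attribute
            m2.sha1 = old_sha1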
Example #7
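 def _get_fingerprint(self, algorithm='sha1'):
     """ Workaround for RHEL5 with ancient version of M2Crypto

     For M2Crypto older than 0.17 the fingerprint is computed here: the
     digest of the certificate's DER encoding, rendered as upper-case hex.
     Newer versions delegate to the certificate's own get_fingerprint().
     """
     if LooseVersion(M2Crypto.version) < StrictVersion("0.17"):
         der = self.openssl_certificate.as_der()
         md = EVP.MessageDigest(algorithm)
         md.update(der)
         digest = md.final()
         # Two hex characters per digest byte. A fixed-width format keeps
         # leading zeros and does not rely on slicing hex() output, which
         # is only right when the value ends in Python 2's 'L' suffix.
         return '%0*X' % (2 * len(digest), util.octx_to_num(digest))
     # NOTE(review): `algorithm` is not forwarded on this path, so the
     # result uses whatever digest get_fingerprint() defaults to, which may
     # differ from the one requested -- confirm and pass it through if the
     # installed M2Crypto accepts it.
     return self.openssl_certificate.get_fingerprint()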
Example #8
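 def get_fingerprint(self, md='md5'):
     """
     Get the fingerprint of the certificate.

     The digest is computed over the DER encoding of the certificate and
     rendered as upper-case hex, zero-padded to two characters per digest
     byte, so the length is fixed for a given algorithm (32 characters for
     MD5, 40 for SHA-1). Code that validates a pin by length depends on
     this.

     NOTE(review): the default digest is MD5, which is no longer
     collision-resistant. Callers that compare or pin fingerprints should
     pass a stronger digest explicitly (for example md='sha256', where the
     linked OpenSSL provides it).

     @param md: Message digest algorithm to use.
     @return:   String containing the fingerprint in hex format.
     """
     der = self.as_der()
     hasher = EVP.MessageDigest(md)
     hasher.update(der)
     digest = hasher.final()
     # A fixed-width format keeps leading zeros and does not rely on
     # slicing hex() output, which is only right when the value ends in
     # Python 2's 'L' suffix (on Python 3 the slice drops a real digit).
     return '%0*X' % (2 * len(digest), util.octx_to_num(digest))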
Example #9
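 def get_fingerprint(self, md='md5'):
     """
     Get the fingerprint of the certificate.

     The digest is computed over the DER encoding of the certificate and
     rendered as upper-case hex, zero-padded to two characters per digest
     byte, so the length is fixed for a given algorithm (32 characters for
     MD5, 40 for SHA-1). Code that validates a pin by length depends on
     this.

     NOTE(review): the default digest is MD5, which is no longer
     collision-resistant. Callers that compare or pin fingerprints should
     pass a stronger digest explicitly (for example md='sha256', where the
     linked OpenSSL provides it).

     @param md: Message digest algorithm to use.
     @return:   String containing the fingerprint in hex format.
     """
     der = self.as_der()
     hasher = EVP.MessageDigest(md)
     hasher.update(der)
     digest = hasher.final()
     # A fixed-width format keeps leading zeros and does not rely on
     # slicing hex() output, which is only right when the value ends in
     # Python 2's 'L' suffix (on Python 3 the slice drops a real digit).
     return '%0*X' % (2 * len(digest), util.octx_to_num(digest))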
Example #10
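    def test_MessageDigest(self):  # noqa
        """Check SHA-1 via EVP.MessageDigest, with and without m2.sha1.

        An unknown digest name must raise ValueError. The SHA-1 digest of
        b'Hello' is then checked twice: once normally, and once with the
        ``m2.sha1`` attribute removed so that EVP.MessageDigest has to
        resolve the digest by name.
        """
        expected_sha1 = 1415821221623963719413415453263690387336440359920

        with self.assertRaises(ValueError):
            EVP.MessageDigest('sha513')
        md = EVP.MessageDigest('sha1')
        self.assertEqual(md.update(b'Hello'), 1)
        self.assertEqual(util.octx_to_num(md.final()), expected_sha1)

        # temporarily remove sha1 from m2
        old_sha1 = m2.sha1
        del m2.sha1
        try:
            # now run the same test again, relying on EVP.MessageDigest() to
            # call get_digestbyname() under the hood
            md = EVP.MessageDigest('sha1')
            self.assertEqual(md.update(b'Hello'), 1)
            self.assertEqual(util.octx_to_num(md.final()), expected_sha1)
        finally:
            # put sha1 back in place even if an assertion above failed;
            # otherwise every later test in the process would see m2
            # without its sha1 attribute
            m2.sha1 = old_sha1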
Example #11
 def test_hmac(self):
     """Check EVP.hmac('key', 'data') against known-answer values.

     Each MAC is converted with util.octx_to_num and compared with a fixed
     expected number. The default digest, MD5 and RIPEMD-160 are always
     checked; the SHA-2 variants only when the OpenSSL version number is at
     least 0x90800F. An unknown digest name must raise ValueError.
     """
     def check(expected, **hmac_kwargs):
         # On failure the assertion message is the value actually produced.
         actual = util.octx_to_num(EVP.hmac('key', 'data', **hmac_kwargs))
         assert actual == expected, actual

     # No algo argument: exercises the library's default digest.
     check(92800611269186718152770431077867383126636491933)
     check(209168838103121722341657216703105225176, algo='md5')
     check(1176807136224664126629105846386432860355826868536,
           algo='ripemd160')

     if m2.OPENSSL_VERSION_NUMBER >= 0x90800F:
         sha2_vectors = (
             ('sha224',
              2660082265842109788381286338540662430962855478412025487066970872635),
             ('sha256',
              36273358097036101702192658888336808701031275731906771612800928188662823394256),
             ('sha384',
              30471069101236165765942696708481556386452105164815350204559050657318908408184002707969468421951222432574647369766282),
             ('sha512',
              3160730054100700080556942280820129108466291087966635156623014063982211353635774277148932854680195471287740489442390820077884317620321797003323909388868696),
         )
         for digest_name, expected_mac in sha2_vectors:
             check(expected_mac, algo=digest_name)

     self.assertRaises(ValueError, EVP.hmac, 'key', 'data', algo='sha513')
Example #12
def fingerprint(x509, md='sha1'):
    """
    Return the fingerprint of the X509 certificate.

    The digest is taken over the DER encoding of the certificate and
    returned as the hex() rendering of its integer value.

    NOTE(review): the result is not a fixed-width fingerprint. hex() adds
    a '0x' prefix, drops leading zero digits of the digest, and on Python 2
    appends 'L' to long values; compare results only with strings produced
    the same way.

    @param x509: X509 object.
    @type x509:  M2Crypto.X509.X509
    @param md:   The message digest algorithm.
    @type md:    str
    @return:     hex() string of the digest value.
    """
    encoded_cert = x509.as_der()
    hasher = EVP.MessageDigest(md)
    hasher.update(encoded_cert)
    return hex(util.octx_to_num(hasher.final()))
Example #13
def fingerprint(x509, md='sha1'):
    """
    Return the fingerprint of the X509 certificate.

    The digest is taken over the DER encoding of the certificate and
    returned as the hex() rendering of its integer value.

    NOTE(review): the result is not a fixed-width fingerprint. hex() adds
    a '0x' prefix, drops leading zero digits of the digest, and on Python 2
    appends 'L' to long values; compare results only with strings produced
    the same way.

    @param x509: X509 object.
    @type x509:  M2Crypto.X509.X509
    @param md:   The message digest algorithm.
    @type md:    str
    @return:     hex() string of the digest value.
    """
    encoded_cert = x509.as_der()
    hasher = EVP.MessageDigest(md)
    hasher.update(encoded_cert)
    return hex(util.octx_to_num(hasher.final()))
Example #14
    def __call__(self, peerCert, host=None):
        """Validate a peer certificate against the configured pin and host.

        If ``self.fingerprint`` is set, the digest of the certificate's DER
        encoding must equal it. If a host is known (the ``host`` argument or
        the value already stored on ``self.host``), it must match the
        subjectAltName extension or one of the subject's commonName entries.

        NOTE(review): when neither a fingerprint nor a host is set, every
        non-None certificate is accepted; any trust decision then rests on
        chain verification done elsewhere.

        Raises NoCertificate, ValueError, WrongCertificate or WrongHost on
        failure; returns True otherwise.
        """
        if peerCert is None:
            raise NoCertificate('peer did not return certificate')

        if host is not None:
            # The host is stored on the instance, so it also applies to later
            # calls that omit the argument.
            self.host = host

        if self.fingerprint:
            # NOTE(review): only SHA-1 and MD5 pins are accepted; both are
            # deprecated digests, so a stronger option (e.g. SHA-256) would
            # be preferable if this checker is extended.
            if self.digest not in ('sha1', 'md5'):
                raise ValueError('unsupported digest "%s"' % (self.digest))

            # Expected pin lengths in hex characters: 40 for SHA-1, 32 for MD5.
            if (self.digest == 'sha1' and len(self.fingerprint) != 40) or \
               (self.digest == 'md5' and len(self.fingerprint) != 32):
                raise WrongCertificate(
                    'peer certificate fingerprint length does not match')

            der = peerCert.as_der()
            md = EVP.MessageDigest(self.digest)
            md.update(der)
            digest = md.final()
            # Compared as integers, so the hex case of the pin does not
            # matter. int() raises ValueError if the pin is not valid hex.
            if util.octx_to_num(digest) != int(self.fingerprint, 16):
                raise WrongCertificate(
                    'peer certificate fingerprint does not match')

        if self.host:
            hostValidationPassed = False
            # Reset on every call. NOTE(review): nothing in this method sets
            # the flag to True, so the WrongHost branch below only fires if
            # _splitSubjectAltName() flips it -- confirm. If it stays False,
            # a subjectAltName that does not match falls through to the
            # commonName check, which RFC 6125 advises against when DNS
            # entries are present.
            self.useSubjectAltNameOnly = False

            # subjectAltName=DNS:somehost[, ...]*
            try:
                subjectAltName = peerCert.get_ext('subjectAltName').get_value()
                if self._splitSubjectAltName(self.host, subjectAltName):
                    hostValidationPassed = True
                elif self.useSubjectAltNameOnly:
                    raise WrongHost(expectedHost=self.host,
                                    actualHost=subjectAltName,
                                    fieldName='subjectAltName')
            # No subjectAltName extension: fall back to commonName.
            except LookupError:
                pass

            # commonName=somehost[, ...]*
            if not hostValidationPassed:
                hasCommonName = False
                # Comma-joined list of the names examined, used only in the
                # WrongHost error below.
                commonNames = ''
                for entry in peerCert.get_subject().get_entries_by_nid(
                        m2.NID_commonName):
                    hasCommonName = True
                    commonName = entry.get_data().as_text()
                    if not commonNames:
                        commonNames = commonName
                    else:
                        commonNames += ',' + commonName
                    # The first matching commonName entry is sufficient.
                    if self._match(self.host, commonName):
                        hostValidationPassed = True
                        break

                if not hasCommonName:
                    raise WrongCertificate('no commonName in peer certificate')

                if not hostValidationPassed:
                    raise WrongHost(expectedHost=self.host,
                                    actualHost=commonNames,
                                    fieldName='commonName')

        return True
Example #15
 def test_MessageDigest(self):
     """Check EVP.MessageDigest: bad names are rejected, SHA-1 is correct.

     An unknown digest name must raise ValueError; the SHA-1 digest of
     'Hello', converted with util.octx_to_num, must equal the known value.
     """
     expected_sha1 = 1415821221623963719413415453263690387336440359920

     self.assertRaises(ValueError, EVP.MessageDigest, 'sha513')

     hasher = EVP.MessageDigest('sha1')
     update_status = hasher.update('Hello')
     assert update_status == 1
     digest_value = util.octx_to_num(hasher.final())
     assert digest_value == expected_sha1
Example #16
 def test_MessageDigest(self):
     """Check EVP.MessageDigest: bad names are rejected, SHA-1 is correct.

     An unknown digest name must raise ValueError; the SHA-1 digest of
     'Hello', converted with util.octx_to_num, must equal the known value.
     """
     expected_sha1 = 1415821221623963719413415453263690387336440359920

     self.assertRaises(ValueError, EVP.MessageDigest, 'sha513')

     hasher = EVP.MessageDigest('sha1')
     update_status = hasher.update('Hello')
     assert update_status == 1
     digest_value = util.octx_to_num(hasher.final())
     assert digest_value == expected_sha1
Example #17
    def __call__(self, peerCert, host=None):
        """Validate a peer certificate against the configured pin and host.

        If ``self.fingerprint`` is set, the digest of the certificate's DER
        encoding must equal it. If a host is known (the ``host`` argument or
        the value already stored on ``self.host``), it must match the
        subjectAltName extension or one of the subject's commonName entries.

        NOTE(review): when neither a fingerprint nor a host is set, every
        non-None certificate is accepted; any trust decision then rests on
        chain verification done elsewhere.

        Raises NoCertificate, ValueError, WrongCertificate or WrongHost on
        failure; returns True otherwise.
        """
        if peerCert is None:
            raise NoCertificate('peer did not return certificate')

        if host is not None:
            # The host is stored on the instance, so it also applies to later
            # calls that omit the argument.
            self.host = host
        
        if self.fingerprint:
            # NOTE(review): only SHA-1 and MD5 pins are accepted; both are
            # deprecated digests, so a stronger option (e.g. SHA-256) would
            # be preferable if this checker is extended.
            if self.digest not in ('sha1', 'md5'):
                raise ValueError('unsupported digest "%s"' %(self.digest))

            # Expected pin lengths in hex characters: 40 for SHA-1, 32 for MD5.
            if (self.digest == 'sha1' and len(self.fingerprint) != 40) or \
               (self.digest == 'md5' and len(self.fingerprint) != 32):
                raise WrongCertificate('peer certificate fingerprint length does not match')
            
            der = peerCert.as_der()
            md = EVP.MessageDigest(self.digest)
            md.update(der)
            digest = md.final()
            # Compared as integers, so the hex case of the pin does not
            # matter. int() raises ValueError if the pin is not valid hex.
            if util.octx_to_num(digest) != int(self.fingerprint, 16):
                raise WrongCertificate('peer certificate fingerprint does not match')

        if self.host:
            hostValidationPassed = False
            # Reset on every call. NOTE(review): nothing in this method sets
            # the flag to True, so the WrongHost branch below only fires if
            # _splitSubjectAltName() flips it -- confirm. If it stays False,
            # a subjectAltName that does not match falls through to the
            # commonName check, which RFC 6125 advises against when DNS
            # entries are present.
            self.useSubjectAltNameOnly = False

            # subjectAltName=DNS:somehost[, ...]*
            try:
                subjectAltName = peerCert.get_ext('subjectAltName').get_value()
                if self._splitSubjectAltName(self.host, subjectAltName):
                    hostValidationPassed = True
                elif self.useSubjectAltNameOnly:
                    raise WrongHost(expectedHost=self.host, 
                                    actualHost=subjectAltName,
                                    fieldName='subjectAltName')
            # No subjectAltName extension: fall back to commonName.
            except LookupError:
                pass

            # commonName=somehost[, ...]*
            if not hostValidationPassed:
                hasCommonName = False
                # Comma-joined list of the names examined, used only in the
                # WrongHost error below.
                commonNames = ''
                for entry in peerCert.get_subject().get_entries_by_nid(m2.NID_commonName):
                    hasCommonName = True
                    commonName = entry.get_data().as_text()
                    if not commonNames:
                        commonNames = commonName
                    else:
                        commonNames += ',' + commonName
                    # The first matching commonName entry is sufficient.
                    if self._match(self.host, commonName):
                        hostValidationPassed = True
                        break

                if not hasCommonName:
                    raise WrongCertificate('no commonName in peer certificate')

                if not hostValidationPassed:
                    raise WrongHost(expectedHost=self.host,
                                    actualHost=commonNames,
                                    fieldName='commonName')

        return True
Example #18
def _fingerprint(x509, md='sha1'):
    """Return hex() of the digest of the certificate's DER encoding.

    ``md`` names the message digest passed to EVP.MessageDigest.

    NOTE(review): the result is not a fixed-width fingerprint. hex() adds
    a '0x' prefix, drops leading zero digits of the digest, and on Python 2
    appends 'L' to long values; compare results only with strings produced
    the same way.
    """
    encoded_cert = x509.as_der()
    hasher = EVP.MessageDigest(md)
    hasher.update(encoded_cert)
    return hex(util.octx_to_num(hasher.final()))
Example #19
 def fingerprint(x509):
     """Return hex() of the SHA-1 digest of the certificate's DER encoding.

     NOTE(review): the digest is fixed to SHA-1, and the result is not a
     fixed-width fingerprint. hex() adds a '0x' prefix, drops leading zero
     digits of the digest, and on Python 2 appends 'L' to long values;
     compare results only with strings produced the same way.
     """
     encoded_cert = x509.as_der()
     hasher = MessageDigest('sha1')
     hasher.update(encoded_cert)
     return hex(util.octx_to_num(hasher.final()))
Example #20
def fingerprint(x509):
    """Return hex() of the SHA-1 digest of the certificate's DER encoding.

    NOTE(review): the digest is fixed to SHA-1, and the result is not a
    fixed-width fingerprint. hex() adds a '0x' prefix, drops leading zero
    digits of the digest, and on Python 2 appends 'L' to long values;
    compare results only with strings produced the same way.
    """
    encoded_cert = x509.as_der()
    hasher = MessageDigest('sha1')
    hasher.update(encoded_cert)
    return hex(util.octx_to_num(hasher.final()))
Example #21
def _fingerprint(x509, md='sha1'):
    """Return hex() of the digest of the certificate's DER encoding.

    ``md`` names the message digest passed to EVP.MessageDigest.

    NOTE(review): the result is not a fixed-width fingerprint. hex() adds
    a '0x' prefix, drops leading zero digits of the digest, and on Python 2
    appends 'L' to long values; compare results only with strings produced
    the same way.
    """
    encoded_cert = x509.as_der()
    hasher = EVP.MessageDigest(md)
    hasher.update(encoded_cert)
    return hex(util.octx_to_num(hasher.final()))