def verify_valid_intermediates(self, secret_ref):
     secret_resp = self.secret_behaviors.get_secret(
         secret_ref, "application/octet-stream")
     self.assertIsNotNone(secret_resp)
     self.assertIsNotNone(secret_resp.content)
     cert_chain = secret_resp.content
     crypto.load_pkcs7_data(crypto.FILETYPE_PEM, cert_chain)
    def test_p7s(self):
        with open('clientcert.crt') as cert_file:
            cert_buf = cert_file.read()

        with open('clientkey.key') as key_file:
            key_buf = key_file.read()

        pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, key_buf,
                                      '12345678'.encode())
        signcert = crypto.load_certificate(crypto.FILETYPE_PEM,
                                           cert_buf.encode())

        text = "Test text"

        # bio_in = crypto._new_mem_buf(text.encode())
        # PKCS7_NOSIGS = 0x4  # defined in pkcs7.h
        # pkcs7 = crypto._lib.PKCS7_sign(signcert._x509, pkey._pkey, crypto._ffi.NULL, bio_in, PKCS7_NOSIGS)  # noqa
        # bio_out = crypto._new_mem_buf()
        # crypto._lib.i2d_PKCS7_bio(bio_out, pkcs7)
        # sigbytes = crypto._bio_to_string(bio_out)

        crypto.load_pkcs7_data()
        crypto.to

        with open('test.p7s', 'w') as tst:
            tst.write(str(pkcs7))
 def verify_valid_intermediates(self, secret_ref):
     secret_resp = self.secret_behaviors.get_secret(
         secret_ref,
         "application/pkix-cert")
     self.assertIsNotNone(secret_resp)
     self.assertIsNotNone(secret_resp.content)
     cert_chain = secret_resp.content
     crypto.load_pkcs7_data(crypto.FILETYPE_PEM, cert_chain)
Example #4
0
def decode_certificate_data(data):
    """
    Decodes a blob containing encoded X.509 certificates (can be DER/PEM encoded or a PKCS7 bundle).

    Args:
        data (bytes) : Buffer containing the encoded certificate(s).

    Returns:
        A list with cryptography X.509 certificates (not OpenSSL X.509 certificates!)

    """

    # PEM encoded?
    try:
        # try to decode the first certificate directly (fails, if not PEM encoded)
        x509.load_pem_x509_certificate(data, default_backend())
        # ok, it's PEM encoded... but it may contain multiple certificates, try to unpack!
        certificates = [ x509.load_pem_x509_certificate(x.as_bytes(), default_backend()) for x in pem.parse(data) ]
        log_debug("Successfully decoded {0} PEM encoded certificate(s):".format(len(certificates)))
        for x in certificates: log_debug("- subject: {0}".format(x.subject))
        return certificates
    except ValueError:
        pass

    # DER encoded?
    try:
        certificate = x509.load_der_x509_certificate(data, default_backend())
        log_debug("Successfully decoded a DER encoded certificate:")
        log_debug("- subject: {0}".format(certificate.subject))
        return [ certificate ]
    except ValueError:
        pass

    # PKCS7, PEM encoded
    try:
        pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_PEM, data)
        certificates = get_pkcs7_certificates(pkcs7)
        log_debug("Successfully decoded PEM encoded PKCS#7 bundle, extracted {0} certificate(s):".format(len(certificates)))
        for x in certificates: log_debug("- subject: {0}".format(x.subject))
        return list(certificates)
    except crypto.Error:
        pass

    # PKCS7, DER encoded
    try:
        pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, data)
        certificates = get_pkcs7_certificates(pkcs7)
        log_debug("Successfully decoded DER encoded PKCS#7 bundle, extracted {0} certificate(s):".format(len(certificates)))
        for x in certificates: log_debug("- subject: {0}".format(x.subject))
        return list(certificates)
    except crypto.Error:
        pass

    raise ValueError("Decoding certificates failed.")
    def _pkcs7_to_pem(self, pkcs7_content, outform='string'):
        """ convert pkcs7 to pem """
        self.logger.debug('CAhandler._pkcs7_to_pem()')
        for filetype in (crypto.FILETYPE_PEM, crypto.FILETYPE_ASN1):
            try:
                pkcs7 = crypto.load_pkcs7_data(filetype, pkcs7_content)
                break
            except crypto.Error as _err:
                pkcs7 = None
                # print(err)

        cert_pem_list = []
        if pkcs7:
            # convert cert pkcs#7 to pem
            cert_list = _get_certificates(pkcs7)
            for cert in cert_list:
                cert_pem_list.append(convert_byte_to_string(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)))

        # define output format
        if outform == 'string':
            result = ''.join(cert_pem_list)
        elif outform == 'list':
            result = cert_pem_list
        else:
            result = None

        self.logger.debug('Certificate._pkcs7_to_pem() ended')
        return result
Example #6
0
    def scan(self, file_object, options):
        self.metadata["total"] = {"certificates": 0, "extracted": 0}

        if file_object.data[:1] == b"0":
            crypto_file_type = crypto.FILETYPE_ASN1
            self.metadata["cryptoType"] = "der"
        else:
            crypto_file_type = crypto.FILETYPE_PEM
            self.metadata["cryptoType"] = "pem"

        try:
            pkcs7 = crypto.load_pkcs7_data(crypto_file_type, file_object.data)
            pkcs7_certificates = pkcs7.get_certificates()
            if pkcs7_certificates is not None:
                self.metadata["total"]["certificates"] = len(pkcs7_certificates)
                for certificate in pkcs7_certificates:
                    child_file = crypto.dump_certificate(crypto_file_type,
                                                         certificate)
                    child_filename = f"{self.scanner_name}::serial_number_{certificate.get_serial_number()}"
                    child_fo = objects.StrelkaFile(data=child_file,
                                                   filename=child_filename,
                                                   depth=file_object.depth + 1,
                                                   parent_uid=file_object.uid,
                                                   root_uid=file_object.root_uid,
                                                   parent_hash=file_object.hash,
                                                   root_hash=file_object.root_hash,
                                                   source=self.scanner_name)
                    self.children.append(child_fo)
                    self.metadata["total"]["extracted"] += 1

        except crypto.Error:
            file_object.flags.append(f"{self.scanner_name}::load_pkcs7_error")
Example #7
0
def remove_signature(content):
    """ Remove the PKCS#7 envelope from given content, making a '.xml.p7m' file content readable as it was '.xml'.
        As OpenSSL may not be installed, in that case a warning is issued and None is returned. """

    # Prevent using the library if it had import errors
    if not ssl_crypto:
        _logger.warning(
            "Error reading the content, check if the OpenSSL library is installed for for PKCS#7 envelope extraction."
        )
        return None

    # Load some tools from the library
    null = ssl_util.ffi.NULL
    verify = ssl_util.lib.PKCS7_verify

    # By default ignore the validity of the certificates, just validate the structure
    flags = ssl_util.lib.PKCS7_NOVERIFY | ssl_util.lib.PKCS7_NOSIGS

    # Read the signed data fron the content
    out_buffer = ssl_crypto._new_mem_buf()

    # This method is deprecated, but there are actually no alternatives
    with warnings.catch_warnings():
        warnings.filterwarnings("ignore", category=DeprecationWarning)
        loaded_data = ssl_crypto.load_pkcs7_data(ssl_crypto.FILETYPE_ASN1,
                                                 content)

    # Verify the signature
    if verify(loaded_data._pkcs7, null, null, null, out_buffer, flags) != 1:
        ssl_crypto._raise_current_error()

    # Get the content as a byte-string
    decoded_content = ssl_crypto._bio_to_string(out_buffer)
    return decoded_content
 def __init__(self, cert, content_type=None):
     try:
         if cert.startswith("-----BEGIN CERTIFICATE-----"):
             log.debug("Loading file with content_type pem")
             self.cert = x509.load_pem_x509_certificate(
                 bytes(cert), OpenSSLBackend)
         elif content_type == 'pkcs7-mime':
             pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, cert)
             certs = pkcs7_get_certs(pkcs7)
             if not len(certs):
                 raise ValueError('No certs in pkcs7')
             elif len(certs) > 1:
                 log.warning(
                     'Multiple certs found but only processing the first one'
                 )
             self.cert = certs[0]
         else:
             log.debug(
                 "Loading file with content_type {0}".format(content_type))
             self.cert = x509.load_der_x509_certificate(
                 bytes(cert), OpenSSLBackend)
     except ValueError:
         raise UnsuportedCertificateType(
             "Failed to load cert with content_type={0}".format(
                 content_type))
Example #9
0
    def _parse(self, buff, digestalgo):
        pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, buff)

        certs_stack = _ffi.NULL
        if pkcs7.type_is_signed():
            certs_stack = pkcs7._pkcs7.d.sign.cert
        elif pkcs7.type_is_signedAndEnveloped():
            certs_stack = pkcs7._pkcs7.d.signed_and_enveloped.cert

        pycerts = []

        for i in range(_lib.sk_X509_num(certs_stack)):
            tmp = _lib.X509_dup(_lib.sk_X509_value(certs_stack, i))
            pycert = X509._from_raw_x509_ptr(tmp)
            pycerts.append(pycert)

        if not pycerts:
            return None

        for cert in pycerts:
            sbj = cert.get_subject()
            name = 'C={}, ST={}, L={}, O={}, CN={}'.format(
                sbj.C, sbj.ST, sbj.L, sbj.O, sbj.CN)
            checksum = cert.digest(digestalgo).decode().replace(':', '')
            self.content.append((name, checksum))
def load_pkcs7_bio_der(p7_der):
    """
    Load a PKCS7 object from a PKCS7 DER blob.
    Return PKCS7 object.
    """
    try:
        return crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, p7_der)
    except crypto.Error as ex:
        raise PKCS7VerifyError(ex)
Example #11
0
def load_pkcs7_bio_der(p7_der):
    """
    Load a PKCS7 object from a PKCS7 DER blob.
    Return PKCS7 object.
    """
    try:
        return crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, p7_der)
    except crypto.Error as ex:
        raise PKCS7VerifyError(ex)
Example #12
0
def decrypt_p7s(data: bytes) -> str:
    """
    openssl cms -verify -in xxx.p7s -inform DER -noverify -outform DER -signer cert.pem -print
    """
    p7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, BytesIO(data).getvalue())
    bio_out = crypto._new_mem_buf()
    _lib.PKCS7_verify(p7._pkcs7, _ffi.NULL, _ffi.NULL, _ffi.NULL, bio_out,
                      _lib.PKCS7_NOVERIFY)

    return crypto._bio_to_string(bio_out)
Example #13
0
 def _cert_object(self):
     """
     Returns a CSR object
     """
     pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, self._read_cert())
     certs = self._get_certificates(pkcs7)
     certificate = crypto.dump_certificate(crypto.FILETYPE_PEM, certs[0])
     a = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
     self.log_debug('')
     return a
Example #14
0
    def test_002_get_certificates(self):
        """ test pkcs7 convrt to pem """
        cert_pem_list = []
        with open(self.dir_path + '/ca/certs.p7b', 'r') as fso:
            pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_PEM, fso.read())
            cert_list = self._get_certificates(pkcs7)

            for cert in cert_list:
                cert_pem_list.append(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
        result = [b'-----BEGIN CERTIFICATE-----\nMIIFTzCCAzegAwIBAgIIAzHyhSyrXfMwDQYJKoZIhvcNAQELBQAwKzEXMBUGA1UE\nCxMOYWNtZTJjZXJ0aWZpZXIxEDAOBgNVBAMTB3Jvb3QtY2EwHhcNMjAwNTI3MTM1\nNDAwWhcNMzAwNTI2MjM1OTAwWjAqMRcwFQYDVQQLEw5hY21lMmNlcnRpZmllcjEP\nMA0GA1UEAxMGc3ViLWNhMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA\nxXHaGZsolXe+PBdUryngHP9VbBC1mehqeTtYI+hqsqGNH7q9a7bSrxMwFuF1kYL8\njqqxkJdtl0L94xcxJg/ZdMx7Nt0vGI+BaAuTpEpUEHeN4tqS6NhB/m/0LGkAELc/\nqkzmoO4B1FDwEEj/3IXtZcupqG80oDt7jWSGXdtF7NTjzcumznMeRXidCdhxRxT/\n/WrsChaytXo0xWZ56oeNwd6x6Dr8/39PBOWtj4fldyDcg+Q+alci2tx9pxmu2bCV\nXcB9ftCLKhDk2WEHE88bgKSp7fV2RCmq9po+Tx8JJ7qecLunUsK/F0XN4kpoQLm9\nhcymqchnMSncSiyin1dQHGHWgXDtBDdq6A2Z6rx26Qk5H9HTYvcNSe1YwFEDoGLB\nZQjbCPWiaqoaH4agBQTclPvrrSCRaVmhUSO+pBtSXDkmN4t3MDZxfgRkp8ixwkB1\n5Y5f0LTpCyAJsdQDw8+Ea0aDqO30eskh4CErnm9+Fejd9Ew2cwpdwfBXzVSbYilM\nGueQihZHvJmVRxAwU69aO2Qs8B0tQ60CfWKVlmWPiakrvYYlPp0FBsM61G6LZEN8\nhH2CKnS8hHv5IWEXZvp0Pk8V3P5h6bWN0Tl+x/V1Prt7Wp8NoiPETE8XyDDxe6dm\nKxztWBH/mTsJyMGb6ZiUoXdPU9TFUKqHxTRLHaxfsPsCAwEAAaN4MHYwEgYDVR0T\nAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUv96OjgYiIqutQ8jd1E+oq0hBPtUwDgYD\nVR0PAQH/BAQDAgGGMBEGCWCGSAGG+EIBAQQEAwIABzAeBglghkgBhvhCAQ0EERYP\neGNhIGNlcnRpZmljYXRlMA0GCSqGSIb3DQEBCwUAA4ICAQBbHLEVyg4f9uEujroc\n31UVyDRLMdPgEPLjOenSBCBmH0N81whDmxNI/7JAAB6J14WMX8OLF0HkZnb7G77W\nvDhy1aFvQFbXHBz3/zUO9Mw9J4L2XEW6ond3Nsh1m2oXeBde3R3ANxuIzHqZDlP9\n6YrRcHjnf4+1/5AKDJAvJD+gFb5YnYUKH2iSvHUvG17xcZx98Rf2eo8LealG4JqH\nJh4sKRy0VjDQD7jXSCbweTHEb8wz+6OfNGrIo+BhTFP5vPcwE4nlJwYBoaOJ5cVa\n7gdQJ7WkLSxvwHxuxzvSVK73u3jl3I9SqTrbMLG/jeJyV0P8EvdljOaGnCtQVRwC\nzM4ptXUvKhKOHy7/nyTF/Bc35ZwwL/2xWvNK1+NibgE/6CFxupwWpdmxQbVVuoQ3\n2tUil9ty0yC6m5GKE8+t1lrZuxyA+b/TBnYNO5xo8UEMbkpxaNYSwmw+f/loxXP/\nM7sIBcLvy2ugHEBxwd9o/kLXeXT2DaRvxPjp4yk8MpJRpNmz3aB5HJwaUnaRLVo5\nZ3XWWXmjMGZ6/m0AAoDbDz/pXtOoJZT8BJdD1DuDdszVsQnLVn4B/LtIXL6FbXsF\nzfv6ERP9a5gpKUZ+4NjgrnlGtdccNZpwyWF0IXcvaq3b8hXIRO4hMjzHeHfzJN4t\njX1vlY35Ofonc4+6dRVamBiF9A==\n-----END CERTIFICATE-----\n', b'-----BEGIN CERTIFICATE-----\nMIIFcDCCA1igAwIBAgIIevLTTxOMoZgwDQYJKoZIhvcNAQELBQAwKzEXMBUGA1UE\nCxMOYWNtZTJjZXJ0aWZpZXIxEDAOBgNVBAMTB3Jvb3QtY2EwHhcNMjAwNTI3MDAw\nMDAwWhcNMzAwNTI2MjM1OTU5WjArMRcwFQYDVQQLEw5hY21lMmNlcnRpZmllcjEQ\nMA4GA1UEAxMHcm9vdC1jYTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB\nAJy4UZHdZgYt64k/rFamoC676tYvtabeuiqVw1c6oVZI897cFLG6BYwyr2Eaj7tF\nrqTJDeMN4vZSudLsmLDq6m8KwX/riPzUTIlcjM5aIMANZr9rLEs3NWtcivolB5aQ\n1slhdVitUPLuxsFnYeQTyxFyP7lng9M/Z403KLG8phdmKjM0vJkaj4OuKOXf3UsW\nqWQYyRl/ms07xVj02uq08LkoeO+jtQisvyVXURdaCceZtyK/ZBQ7NFCsbK112cVR\n1e2aJol7NJAA6Wm6iBzAdkAA2l3kh40SLoEbaiaVMixLN2vilIZOOAoDXX4+T6ir\n+KnDVSJ2yu5c/OJMwuXwHrh7Lgg1vsFR5TNehknhjUuWOUO+0TkKPg2A7KTg72OZ\n2mOcLZIbxzr1P5RRvdmLQLPrTF2EJvpQPNmbXqN3ZVWEvfHTjkkTFY/dsOTvFTgS\nri15zYKch8votcU7z+BQhgmMtwO2JhPMmZ6ABd9skI7ijWpwOltAhxtdoBO6T6CB\nCrE2yXc6V/PyyAKcFglNmIght5oXsnE+ub/dtx8f9Iea/xNPdo5aGy8fdaitolDK\n16kd3Kb7OE4HMHIwOxxF1BEAqerxxhbLMRBr8hRSZI5cvLzWLvpAQ5zuhjD6V3b9\nBYFd4ujAu3zl3mbzdbYjFoGOX6aBZaGDxlc4O2W7HxntAgMBAAGjgZcwgZQwDwYD\nVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUDGVvuTFYZtEAkz3af9wRKDDvAswwHwYD\nVR0jBBgwFoAUDGVvuTFYZtEAkz3af9wRKDDvAswwDgYDVR0PAQH/BAQDAgGGMBEG\nCWCGSAGG+EIBAQQEAwIABzAeBglghkgBhvhCAQ0EERYPeGNhIGNlcnRpZmljYXRl\nMA0GCSqGSIb3DQEBCwUAA4ICAQAjko7dX+iCgT+m3Iy1Vg6j7MRevPAzq1lqHRRN\nNdt2ct530pIut7Fv5V2xYk35ka+i/G+XyOvTXa9vAUKiBtiRnUPsXu4UcS7CcrCX\nEzHx4eOtHnp5wDhO0Fx5/OUZTaP+L7Pd1GD/j953ibx5bMa/M9Rj+S486nst57tu\nDRmEAavFDiMd6L3jH4YSckjmIH2uSeDIaRa9k6ag077XmWhvVYQ9tuR7RGbSuuV3\nFc6pqcFbbWpoLhNRcFc+hbUKOsKl2cP+QEKP/H2s3WMllqgAKKZeO+1KOsGo1CDs\n475bIXyCBpFbH2HOPatmu3yZRQ9fj9ta9EW46n33DFRNLinFWa4WJs4yLVP1juge\n2TCOyA1t61iy++RRXSG3e7NFYrEZuCht1EdDAdzIUY89m9NCPwoDYS4CahgnfkkO\n7YQe6f6yqK6isyf8ZFcp1uF58eERDiF/FDqS8nLmCdURuI56DDoNvDpig5J/9RNW\nG8vEvt2p7QrjeZ3EAatx5JuYty/NKTHZwJWk51CgzEgzDwzE2JIiqeldtL5d0Sl6\neVuv0G04BEyuXxEWpgVVzBS4qEFIBSnTJzgu1PXmId3yLvg2Nr8NKvwyZmN5xKFp\n0A9BWo15zW1PXDaD+l39oTYD7agjXkzTAjYIcfNJ7ATIYFD0xAvNAOf70s7aNupF\nfvkG2Q==\n-----END CERTIFICATE-----\n']
        self.assertEqual(result, cert_pem_list)
Example #15
0
def verify_pkcs7_data(data):
    pdata = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, data)
    bio_out = crypto._new_mem_buf()
    crypto._lib.PKCS7_verify(
        pdata._pkcs7,
        crypto._ffi.NULL,
        crypto._ffi.NULL,
        crypto._ffi.NULL,
        bio_out,
        crypto._lib.PKCS7_NOVERIFY
    )
    return crypto._bio_to_string(bio_out)
Example #16
0
def decode_cert(cert_path):
    # Open certificate and deserialize
    with open(str(cert_path),'rb') as rf:
        pem_obj = rf.read()
        if pem.detect(pem_obj):
            type, _, _ = pem.unarmor(pem_obj)
            # Determine type of certificate
            if type == "PKCS7":
                pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_PEM,pem_obj)
                certs = get_certificates(pkcs7)
                count = 0
                for cert in certs:
                    pem_cert = x509.load_pem_x509_certificate(cert, default_backend())
                    # Print cert issued to
                    colorize('green')
                    print('Issued to: (Chain ' + str(count) + ')')
                    count += 1
                    colorize_edit('reset')
                    print(pem_cert.subject.rfc4514_string())
                    print("Serial No: " + str(pem_cert.serial_number))
                    print("Fingerprint: " + str(base64.b64encode(pem_cert.fingerprint(hashes.SHA256())), 'utf-8'))
                    print("Valid from: " + str(pem_cert.not_valid_before))
                    print("Valid to: " + str(pem_cert.not_valid_after))
                    print("Signature hash algorithm: " + pem_cert.signature_hash_algorithm.name)
                    # Print issued by
                    colorize('green')
                    print('Issued by: ')
                    colorize_edit('reset')
                    print(pem_cert.issuer.rfc4514_string())
                    print('\n')

            elif type == "CERTIFICATE":
                cert = x509.load_pem_x509_certificate(pem_obj, default_backend())
                # Print cert issued to
                colorize('green')
                print('Issued to: ')
                colorize_edit('reset')
                print(cert.subject.rfc4514_string())
                print("Serial No: " + str(cert.serial_number))
                print("Fingerprint: " + str(base64.b64encode(cert.fingerprint(hashes.SHA256())), 'utf-8'))
                print("Valid from: " + str(cert.not_valid_before))
                print("Valid to: " + str(cert.not_valid_after))
                print("Signature hash algorithm: " + cert.signature_hash_algorithm.name)
                # Print issued by
                colorize('green')
                print('Issued by: ')
                colorize_edit('reset')
                print(cert.issuer.rfc4514_string())
            else:
                raise TypeError('Not a PEM or PKCS7 file.')
    def test_create_ca(self):
        subca_dict = self._create_subca()
        self.assertEqual("sub ca1", subca_dict.get(cm.INFO_NAME))
        self.assertIsNotNone(subca_dict.get(cm.INFO_EXPIRATION))
        self.assertIsNotNone(subca_dict.get(cm.PLUGIN_CA_ID))
        ca_cert = subca_dict.get(cm.INFO_CA_SIGNING_CERT)
        self.assertIsNotNone(ca_cert)

        intermediates = subca_dict.get(cm.INFO_INTERMEDIATES)
        self.assertIsNotNone(intermediates)

        cacert = crypto.load_certificate(crypto.FILETYPE_PEM, ca_cert)
        subject = cacert.get_subject()
        self.assertEqual("subordinate ca signing cert", subject.CN)

        pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_PEM, intermediates)
        self.assertTrue(pkcs7.type_is_signed())
def get_decrypt_keys(apk: APK, certificate_files: list):
    # https://stackoverflow.com/questions/45104923/pyopenssls-pkcs7-object-provide-very-little-information-how-can-i-get-the-sha1
    def get_certificates(self):
        from OpenSSL.crypto import _lib, _ffi, X509
        """
        https://github.com/pyca/pyopenssl/pull/367/files#r67300900

        Returns all certificates for the PKCS7 structure, if present. Only
        objects of type ``signedData`` or ``signedAndEnvelopedData`` can embed
        certificates.

        :return: The certificates in the PKCS7, or :const:`None` if
            there are none.
        :rtype: :class:`tuple` of :class:`X509` or :const:`None`
        """
        certs = _ffi.NULL
        if self.type_is_signed():
            certs = self._pkcs7.d.sign.cert
        elif self.type_is_signedAndEnveloped():
            certs = self._pkcs7.d.signed_and_enveloped.cert
        #
        pycerts = []
        for i in range(_lib.sk_X509_num(certs)):
            pycert = X509.__new__(X509)
            pycert._x509 = _lib.sk_X509_value(certs, i)
            pycerts.append(pycert)
        #
        if not pycerts:
            return None
        return tuple(pycerts)

    sha1hashes = []
    # assume there are more than one certificate file
    for certificate_file in certificate_files:
        certificate_bytes = apk.zip.read(certificate_file)
        pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, certificate_bytes)
        # assume there are more than one certificate
        certs = get_certificates(pkcs7)
        hashes = [cert.digest('sha1').decode() for cert in certs]
        sha1hashes.extend(hashes)

    keys = []
    for hash in sha1hashes:
        keys.append(generate_key(hash))

    return keys
Example #19
0
def get_pem_data_from_pkcs7(data: bytes) -> bytes:
    """Extracts certificate from pkcs7 data and convert it to PEM data"""
    pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, data)
    certs = _ffi.NULL

    if pkcs7.type_is_signed():
        certs = pkcs7._pkcs7.d.sign.cert
    elif pkcs7.type_is_signedAndEnveloped():
        certs = pkcs7._pkcs7.d.signed_and_enveloped.cert

    if _lib.sk_X509_num(certs) > 1:
        raise Exception('Too many certificates')

    pycert = X509.__new__(X509)
    pycert._x509 = _lib.X509_dup(_lib.sk_X509_value(certs, 0))

    return bytes(crypto.dump_certificate(crypto.FILETYPE_PEM, pycert))
Example #20
0
def extract_smime_signature(payload, trusted, logger):
    """
    :param payload: bytes
    :param trusted: list of cryptography.x509.Certificate
    :param logger: logger
    :return: bytes or None

    Extract public certificates from the PKCS7 binary payload. Logs human-readable info about each cert found.
    Identifies which are intermediates and which is the sender's public-key cert.

    Verifies against provided list of trusted certs.
    If valid, returns the PEM-serialized contents of the sender's public-key certificate.
    If invalid, returns None.
    """
    pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, payload)
    certs = get_certificates(pkcs7)

    cert, intermediates = None, []
    for c in certs:
        # Log some human-readable info about each cert
        c_email_addrs = []
        c_issuer_info = {}
        for i in c.subject.get_attributes_for_oid(
                cryptography.x509.NameOID.EMAIL_ADDRESS):
            c_email_addrs.append(i.value)
        for i in c.issuer:
            c_issuer_info.update({i.oid._name: i.value})
        logger.info(
            '| Certificate: subject email_address={},not_valid_before={},not_valid_after={},hash_algorithm={},key_size={} bytes, issuer={}'
            .format(c_email_addrs, c.not_valid_before, c.not_valid_after,
                    c.signature_hash_algorithm.name,
                    c.public_key().key_size, c_issuer_info))

        # Check if this is an email user certificate, or an intermediate
        if c_email_addrs:
            cert = c
        else:
            intermediates.append(c)

    if verify_certificate_chain(cert, intermediates, trusted, logger):
        pem_bytes = cert.public_bytes(serialization.Encoding.PEM)
        return pem_bytes
    else:
        return None
Example #21
0
    def test_create_ca(self):
        subca_dict = self._create_subca()
        self.assertEqual("sub ca1", subca_dict.get(cm.INFO_NAME))
        self.assertIsNotNone(subca_dict.get(cm.INFO_EXPIRATION))
        self.assertIsNotNone(subca_dict.get(cm.PLUGIN_CA_ID))
        ca_cert = subca_dict.get(cm.INFO_CA_SIGNING_CERT)
        self.assertIsNotNone(ca_cert)

        intermediates = subca_dict.get(cm.INFO_INTERMEDIATES)
        self.assertIsNotNone(intermediates)

        cacert = crypto.load_certificate(crypto.FILETYPE_PEM, ca_cert)
        subject = cacert.get_subject()
        self.assertEqual(
            "subordinate ca signing cert",
            subject.CN)

        pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_PEM, intermediates)
        self.assertTrue(pkcs7.type_is_signed())
Example #22
0
    def load_certificates_from_signature(signature):
        signature = base64.b64decode(signature)
        pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, signature)

        raw_certificates = ffi.NULL

        if pkcs7.type_is_signed():
            raw_certificates = pkcs7._pkcs7.d.sign.cert
        elif pkcs7.type_is_signedAndEnveloped():
            raw_certificates = pkcs7._pkcs7.d.signed_and_enveloped.cert

        certificates = []

        for x in range(lib.sk_X509_num(raw_certificates)):
            certificate = lib.X509_dup(lib.sk_X509_value(raw_certificates, x))
            certificate = crypto.X509._from_raw_x509_ptr(certificate)
            certificate = ApplePieCertificate(certificate)
            certificates.append(certificate)

        return certificates
Example #23
0
    def cert_certificate(self) -> GreppedOut:
        """
        Returns a PEM encoded certificate

        Returns
        -------
        GreppedOut : object
            GreppedOut object

        Examples
        --------
        >>> from glorifiedgrep import GlorifiedAndroid
        >>> a = GlorifiedAndroid('/path/to/apk')
        >>> a.cert_certificate()
        """
        pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, self._read_cert())
        certs = self._get_certificates(pkcs7)
        certificate = crypto.dump_certificate(crypto.FILETYPE_PEM, certs[0])
        self._cert_analysis['certificate'] = [certificate]
        self.log_debug('')
        return GreppedOut([certificate])
Example #24
0
def getXMLfromP7m(filename):
    from OpenSSL import crypto
    from OpenSSL._util import (
        ffi as _ffi,
        lib as _lib,
    )

    # Or, alternatively:
    # from cryptography.hazmat.bindings.openssl.binding import Binding
    # _lib = Binding.lib
    # _ffi = Binding.ffi

    with open(filename, 'rb') as f:
        p7data = f.read()
    #p7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, p7data)
    p7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, p7data)

    bio_out = crypto._new_mem_buf()
    res = _lib.PKCS7_verify(p7._pkcs7, _ffi.NULL, _ffi.NULL, _ffi.NULL,
                            bio_out, _lib.PKCS7_NOVERIFY)
    '''
    if res == 1:
        databytes = crypto._bio_to_string(bio_out)
        databytes = databytes.decode('utf8')
        databytes = databytes.replace('\ufeff', "")
        print(databytes)

    else:
        errno = _lib.ERR_get_error()
        errstrlib = _ffi.string(_lib.ERR_lib_error_string(errno))
        errstrfunc = _ffi.string(_lib.ERR_func_error_string(errno))
        errstrreason = _ffi.string(_lib.ERR_reason_error_string(errno))
    '''

    databytes = crypto._bio_to_string(bio_out)
    xmlFileName = getTempDir() + 'tmpFatt.xml'
    open(xmlFileName, 'wb').write(databytes)

    return xmlFileName
Example #25
0
    def scan(self, data, file, options, expire_at):
        self.event['total'] = {'certificates': 0, 'extracted': 0}

        if data[:1] == b'0':
            crypto_file_type = crypto.FILETYPE_ASN1
            self.event['cryptoType'] = 'der'
        else:
            crypto_file_type = crypto.FILETYPE_PEM
            self.event['cryptoType'] = 'pem'

        try:
            pkcs7 = crypto.load_pkcs7_data(crypto_file_type, data)
            pkcs7_certificates = pkcs7.get_certificates()
            if pkcs7_certificates is not None:
                self.event['total']['certificates'] = len(pkcs7_certificates)
                for certificate in pkcs7_certificates:
                    extract_file = strelka.File(
                        name=f'sn_{certificate.get_serial_number()}',
                        source=self.name,
                    )

                    extract_data = crypto.dump_certificate(
                        crypto_file_type,
                        certificate,
                    )

                    for c in strelka.chunk_string(extract_data):
                        self.upload_to_cache(
                            extract_file.pointer,
                            c,
                            expire_at,
                        )

                    self.files.append(extract_file)
                    self.event['total']['extracted'] += 1

        except crypto.Error:
            self.flags.append('load_pkcs7_error')
Example #26
0
    def _parse(self, buff):
        pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, buff)

        certs_stack = _ffi.NULL
        if pkcs7.type_is_signed():
            certs_stack = pkcs7._pkcs7.d.sign.cert
        elif pkcs7.type_is_signedAndEnveloped():
            certs_stack = pkcs7._pkcs7.d.signed_and_enveloped.cert

        pycerts = []

        for i in range(_lib.sk_X509_num(certs_stack)):
            tmp = _lib.X509_dup(_lib.sk_X509_value(certs_stack, i))
            pycert = X509._from_raw_x509_ptr(tmp)
            pycerts.append(pycert)

        if not pycerts:
            return None

        for cert in pycerts:
            name = str(cert.get_subject())[19:-2].replace('/', ', ')
            md5 = cert.digest('md5').decode().replace(':', '')

            self.content.append((name, md5))
Example #27
0
    def cert_public_key(self) -> GreppedOut:
        """
        Get the public key from CERT.RSA

        Returns
        -------
        GreppedOut : object
            GreppedOut object

        Examples
        --------
        >>> from glorifiedgrep import GlorifiedAndroid
        >>> a = GlorifiedAndroid('/path/to/apk')
        >>> a.cert_public_key()
        """
        pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, self._read_cert())
        certs = self._get_certificates(pkcs7)
        p = certs[0].get_pubkey()
        bio = crypto._new_mem_buf()
        cryptolib.PEM_write_bio_PUBKEY(bio, p._pkey)
        key = crypto._bio_to_string(bio)
        self._cert_analysis['public_key'] = [key]
        self.log_debug('')
        return GreppedOut([key])
Example #28
0
signatureStart = (footer[0] & 255) | ((footer[1] & 255) << 8)

f.seek(file_size - (commentSize + 22))
eocd = bytearray(f.read())

if eocd[0] != ord(b'\x50') or eocd[1] != ord(b'\x4b') or eocd[2] != ord(
        b'\x05') or eocd[3] != ord(b'\x06'):
    print("no signature in file (bad eocd)")
    sys.exit(-1)

for i in range(5, len(eocd) - 4):
    if eocd[i] == ord(b'\x50') and eocd[i + 1] == ord(b'\x4b') and eocd[
            i + 2] == ord(b'\x05') and eocd[i + 3] == ord(b'\x06'):
        print("EOCD marker found after start of EOCD")
        sys.exit(-1)

block = eocd[commentSize + 22 - signatureStart:commentSize + 22]

decoded = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(block).decode(
    'ascii') + "\n-----END CERTIFICATE-----"

PKCS7 = crypto.load_pkcs7_data(crypto.FILETYPE_PEM, decoded)

cert = PKCS7.get_certificates()[0]

print("Certificate Fingerprints:")

print("\tMD5: {}".format(cert.digest('md5').decode("utf-8")))
print("\tSHA1: {}".format(cert.digest("sha1").decode("utf-8")))
print("\tSHA256: {}".format(cert.digest("sha256").decode("utf-8")))
Example #29
0
def download_certificates_and_create_PEM(cert_type, url):
    """
    Download cert_type certificate bundle from url and extract the files from it and create PEM
    """
    pem_file = "{}/{}_CABundle.pem".format(cache_dir, cert_type)
    if os.path.exists(pem_file) is False:
        filename = None
        parts = url.split('.')
        extension = parts[(len(parts) - 1)].lower()
        zip_type = False
        if (extension == "zip"):
            zip_type = True
        filename = "{}/{}.{}".format(cache_dir, cert_type, extension)
        if os.path.exists(filename) is False:
            if ("http://" in url or "https://" in url):
                # Download CA certs
                # todo: in the future could parse PKI-PKE page in IASE to get latest version, but for now just direct download
                print("Downloading {} CA certs...".format(cert_type))
                try:
                    r = requests.get(url, verify=False)
                except Exception as err:
                    print("Error downloading {} CA certs: {}".format(
                        cert_type, err))
                    return None
                with open(filename, 'wb') as dl_file:
                    dl_file.write(r.content)
                print("Finished downloading {} CA certs.".format(cert_type))
            elif (os.path.exists(url) is True):
                with open(url, 'rb') as sourcefile:
                    with open(filename, 'wb') as destfile:
                        destfile.write(sourcefile.read())
                print("Finished copying {} CA certs.".format(cert_type))
            else:
                print("Error: Unable to get {} CA certs.".format(cert_type))
                return
        else:
            print("Already downloaded {} CA certs.".format(cert_type))

        if (zip_type is True):
            print("Unzipping {} CA certs...".format(cert_type))
            zip_file = zipfile.ZipFile(filename, 'r')
            cert_directory = "./{}/{}_Certs/".format(cache_dir, cert_type)
            zip_file.extractall(cert_directory)
            zip_file.close()
            print("Finished unzipping {} CA certs.".format(cert_type))

            # find P7B
            p7b_file = None
            for (dirpath, dirnames, filenames) in os.walk(cert_directory):
                for filename in filenames:
                    if filename.lower().endswith(".pem.p7b"):
                        p7b_file = os.path.join(dirpath, filename)
            if p7b_file is None:
                print("Unable to find {} p7b file.".format(cert_type))
                return None
            filename = p7b_file
            extension = "p7b"

        print("Loading {} cert data...".format(cert_type))
        with open(filename, 'rb') as cert_file:
            if (extension == "p7b"):
                cert_data = crypto.load_pkcs7_data(crypto.FILETYPE_PEM,
                                                   cert_file.read())
                certs = get_certificates(cert_data)
                print("Found {} certs.".format(len(certs)))
            elif (extension == "p7c"):
                cert_data = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1,
                                                   cert_file.read())
                certs = get_certificates(cert_data)
                print("Found {} certs.".format(len(certs)))
            else:
                cert_data = crypto.load_certificate(crypto.FILETYPE_ASN1,
                                                    cert_file.read())
                certs = [cert_data]
        print("Writing {} Certs to PEM file...".format(cert_type))
        with open(pem_file, 'ab') as pem:
            for cert in certs:
                certPEM = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
                pem.write(certPEM)
        print("Finished writing {} Certs to PEM file.".format(cert_type))
        return pem_file
    else:
        print("Already created {} CA PEM file.".format(cert_type))
        return pem_file
Example #30
0
print hex(IMAGE_DIRECTORY_ENTRY_SECURITY.VirtualAddress)
print hex(IMAGE_DIRECTORY_ENTRY_SECURITY.Size)
signature_address = pe.OPTIONAL_HEADER.DATA_DIRECTORY[
    pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].VirtualAddress
signature_size = pe.OPTIONAL_HEADER.DATA_DIRECTORY[
    pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].Size
print signature_size
print hex(signature_size)
signature = pe.write()[signature_address + 8:signature_address + 8 +
                       signature_size]

key = crypto.PKey()

cert = DerSequence()

pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, signature)
print pkcs7.get_type_name()
print pkcs7.type_is_signed()
print pkcs7.type_is_data()
print pkcs7.type_is_enveloped()

der = ssl.DER_cert_to_PEM_cert(signature)

# be = X509Backend()
# c = be.load_der_x509_certificate(signature)
#
# cert = x509.load_der_x509_certificate(signature, default_backend())

with open('sig.p7', 'wb') as f:
    f.write(signature)
Example #31
0
import sys
from OpenSSL import crypto
from OpenSSL._util import (
	ffi as _ffi,
	lib as _lib,
)

with open(sys.argv[1], 'rb') as f:
	p7data = f.read()
p7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, p7data)

bio_out =crypto._new_mem_buf()
res = _lib.PKCS7_verify(p7._pkcs7, _ffi.NULL, _ffi.NULL, _ffi.NULL, bio_out, _lib.PKCS7_NOVERIFY|_lib.PKCS7_NOSIGS)
if res == 1:
	databytes = crypto._bio_to_string(bio_out)
	print(databytes)
else:
	errno = _lib.ERR_get_error()
	errstrlib = _ffi.string(_lib.ERR_lib_error_string(errno))
	errstrfunc = _ffi.string(_lib.ERR_func_error_string(errno))
	errstrreason = _ffi.string(_lib.ERR_reason_error_string(errno))
	print(errstrreason)
Example #32
0
        # pycert._x509 = _lib.sk_X509_value(certs, i)
        # According to comment from @ Jari Turkia
        # to prevent segfaults use '_lib.X509_dup('
        pycert._x509 = _lib.X509_dup(_lib.sk_X509_value(certs, i))
        pycerts.append(pycert)

    if not pycerts:
        return None
    return tuple(pycerts)


app = Flask(__name__)
app.app_context().push()

with open("/var/run/secrets/tls/0", "rb") as file:
    p7 = crypto.load_pkcs7_data(crypto.FILETYPE_PEM, file.read())
    certs = get_certificates(p7)
    cafile = open("/app/cacerts/cafile", "wb")
    for cert in certs:
        print('digest:{}'.format(cert.digest('sha256')))
        cafile.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
    cafile.close()

app.config['LDAP_BASE_DN'] = os.environ["LDAP_BASE_DN"]
app.config['LDAP_USERNAME'] = ldap_username
app.config['LDAP_PASSWORD'] = ldap_password
app.config['LDAP_HOST'] = ldap_host
app.config['LDAP_SCHEMA'] = "ldaps"
app.config['LDAP_PORT'] = 636
app.config['LDAP_USE_SSL'] = True
app.config['LDAP_USE_TLS'] = True
Example #33
0
    sys.exit(-1)

commentSize = (footer[4] & 255) | ((footer[5] & 255) <<8)
signatureStart = (footer[0] & 255) | ((footer[1] & 255) << 8)

f.seek(file_size - (commentSize + 22));
eocd = bytearray(f.read())

if eocd[0] != ord(b'\x50') or eocd[1] != ord(b'\x4b') or eocd[2] != ord(b'\x05') or eocd[3] != ord(b'\x06'):
    print("no signature in file (bad eocd)")
    sys.exit(-1)

for i in range(5, len(eocd)-4):
    if eocd[i] == ord(b'\x50') and eocd[i+1] == ord(b'\x4b') and eocd[i+2] == ord(b'\x05') and eocd[i+3] == ord(b'\x06'):
        print("EOCD marker found after start of EOCD")
        sys.exit(-1)

block = eocd[commentSize+22-signatureStart:commentSize+22]

decoded = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(block).decode('ascii') + "\n-----END CERTIFICATE-----"

PKCS7 = crypto.load_pkcs7_data(crypto.FILETYPE_PEM, decoded)

cert = PKCS7.get_certificates()[0]

print("Certificate Fingerprints:")

print("\tMD5: {}".format(cert.digest('md5').decode("utf-8")))
print("\tSHA1: {}".format(cert.digest("sha1").decode("utf-8")))
print("\tSHA256: {}".format(cert.digest("sha256").decode("utf-8")))
Example #34
0
    def pe_get_certificates(self):
        """Get certificates used to sign pe file
        
        Returns:
            Chepy: The Chepy object. 

        Examples:
            >>> Chepy("tests/files/ff.exe).read_file().pe_get_certificates().o
            [
                {
                    'version': 2,
                    'serial': 17154717934120587862167794914071425081,
                    'algo': b'sha1WithRSAEncryption',
                    'before': b'20061110000000Z',
                    'after': b'20311110000000Z',
                    'issuer': {
                        'C': 'US',
                        'ST': None,
                        'L': None,
                        'O': 'DigiCert Inc',
                        'OU': 'www.digicert.com',
                        'CN': 'DigiCert Assured ID Root CA',
                        'email': None
                    },
                    ...
                ...
            }
        """
        def get_certificates(self):  # pragma: no cover
            certs = _ffi.NULL
            if self.type_is_signed():
                certs = self._pkcs7.d.sign.cert
            elif self.type_is_signedAndEnveloped():
                certs = self._pkcs7.d.signed_and_enveloped.cert

            pycerts = []
            for i in range(_lib.sk_X509_num(certs)):
                pycert = X509.__new__(X509)
                pycert._x509 = _lib.sk_X509_value(certs, i)
                pycerts.append(pycert)

            if not pycerts:
                return None
            return tuple(pycerts)

        pe = self._pe_object()

        address = pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY[
            "IMAGE_DIRECTORY_ENTRY_SECURITY"]].VirtualAddress

        hold = []
        if address == 0:  # pragma: no cover
            self._warning_logger("PE file is not signed")
            self.state = None
        else:
            signature = pe.write()[address + 8:]

            pkcs = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1,
                                          bytes(signature))
            certs = get_certificates(pkcs)

            for c in certs:
                dump_c = crypto.dump_certificate(crypto.FILETYPE_PEM, c)
                cert = crypto.load_certificate(crypto.FILETYPE_PEM, dump_c)
                issuer = cert.get_issuer()
                subject = cert.get_subject()
                pubkey = cert.get_pubkey()
                info = {
                    "version": cert.get_version(),
                    "serial": cert.get_serial_number(),
                    "algo": cert.get_signature_algorithm(),
                    "before": cert.get_notBefore(),
                    "after": cert.get_notAfter(),
                    "issuer": {
                        "C": issuer.C,
                        "ST": issuer.ST,
                        "L": issuer.L,
                        "O": issuer.O,
                        "OU": issuer.OU,
                        "CN": issuer.CN,
                        "email": issuer.emailAddress,
                    },
                    "subject": {
                        "C": subject.C,
                        "ST": subject.ST,
                        "L": subject.L,
                        "O": subject.O,
                        "OU": subject.OU,
                        "CN": subject.CN,
                        "email": subject.emailAddress,
                    },
                    "pubkey": {
                        "bits": pubkey.bits()
                    },
                }
                hold.append(info)

        self.state = hold
        return self