def verify_valid_intermediates(self, secret_ref): secret_resp = self.secret_behaviors.get_secret( secret_ref, "application/octet-stream") self.assertIsNotNone(secret_resp) self.assertIsNotNone(secret_resp.content) cert_chain = secret_resp.content crypto.load_pkcs7_data(crypto.FILETYPE_PEM, cert_chain)
def test_p7s(self): with open('clientcert.crt') as cert_file: cert_buf = cert_file.read() with open('clientkey.key') as key_file: key_buf = key_file.read() pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, key_buf, '12345678'.encode()) signcert = crypto.load_certificate(crypto.FILETYPE_PEM, cert_buf.encode()) text = "Test text" # bio_in = crypto._new_mem_buf(text.encode()) # PKCS7_NOSIGS = 0x4 # defined in pkcs7.h # pkcs7 = crypto._lib.PKCS7_sign(signcert._x509, pkey._pkey, crypto._ffi.NULL, bio_in, PKCS7_NOSIGS) # noqa # bio_out = crypto._new_mem_buf() # crypto._lib.i2d_PKCS7_bio(bio_out, pkcs7) # sigbytes = crypto._bio_to_string(bio_out) crypto.load_pkcs7_data() crypto.to with open('test.p7s', 'w') as tst: tst.write(str(pkcs7))
def verify_valid_intermediates(self, secret_ref): secret_resp = self.secret_behaviors.get_secret( secret_ref, "application/pkix-cert") self.assertIsNotNone(secret_resp) self.assertIsNotNone(secret_resp.content) cert_chain = secret_resp.content crypto.load_pkcs7_data(crypto.FILETYPE_PEM, cert_chain)
def decode_certificate_data(data): """ Decodes a blob containing encoded X.509 certificates (can be DER/PEM encoded or a PKCS7 bundle). Args: data (bytes) : Buffer containing the encoded certificate(s). Returns: A list with cryptography X.509 certificates (not OpenSSL X.509 certificates!) """ # PEM encoded? try: # try to decode the first certificate directly (fails, if not PEM encoded) x509.load_pem_x509_certificate(data, default_backend()) # ok, it's PEM encoded... but it may contain multiple certificates, try to unpack! certificates = [ x509.load_pem_x509_certificate(x.as_bytes(), default_backend()) for x in pem.parse(data) ] log_debug("Successfully decoded {0} PEM encoded certificate(s):".format(len(certificates))) for x in certificates: log_debug("- subject: {0}".format(x.subject)) return certificates except ValueError: pass # DER encoded? try: certificate = x509.load_der_x509_certificate(data, default_backend()) log_debug("Successfully decoded a DER encoded certificate:") log_debug("- subject: {0}".format(certificate.subject)) return [ certificate ] except ValueError: pass # PKCS7, PEM encoded try: pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_PEM, data) certificates = get_pkcs7_certificates(pkcs7) log_debug("Successfully decoded PEM encoded PKCS#7 bundle, extracted {0} certificate(s):".format(len(certificates))) for x in certificates: log_debug("- subject: {0}".format(x.subject)) return list(certificates) except crypto.Error: pass # PKCS7, DER encoded try: pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, data) certificates = get_pkcs7_certificates(pkcs7) log_debug("Successfully decoded DER encoded PKCS#7 bundle, extracted {0} certificate(s):".format(len(certificates))) for x in certificates: log_debug("- subject: {0}".format(x.subject)) return list(certificates) except crypto.Error: pass raise ValueError("Decoding certificates failed.")
def _pkcs7_to_pem(self, pkcs7_content, outform='string'): """ convert pkcs7 to pem """ self.logger.debug('CAhandler._pkcs7_to_pem()') for filetype in (crypto.FILETYPE_PEM, crypto.FILETYPE_ASN1): try: pkcs7 = crypto.load_pkcs7_data(filetype, pkcs7_content) break except crypto.Error as _err: pkcs7 = None # print(err) cert_pem_list = [] if pkcs7: # convert cert pkcs#7 to pem cert_list = _get_certificates(pkcs7) for cert in cert_list: cert_pem_list.append(convert_byte_to_string(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))) # define output format if outform == 'string': result = ''.join(cert_pem_list) elif outform == 'list': result = cert_pem_list else: result = None self.logger.debug('Certificate._pkcs7_to_pem() ended') return result
def scan(self, file_object, options): self.metadata["total"] = {"certificates": 0, "extracted": 0} if file_object.data[:1] == b"0": crypto_file_type = crypto.FILETYPE_ASN1 self.metadata["cryptoType"] = "der" else: crypto_file_type = crypto.FILETYPE_PEM self.metadata["cryptoType"] = "pem" try: pkcs7 = crypto.load_pkcs7_data(crypto_file_type, file_object.data) pkcs7_certificates = pkcs7.get_certificates() if pkcs7_certificates is not None: self.metadata["total"]["certificates"] = len(pkcs7_certificates) for certificate in pkcs7_certificates: child_file = crypto.dump_certificate(crypto_file_type, certificate) child_filename = f"{self.scanner_name}::serial_number_{certificate.get_serial_number()}" child_fo = objects.StrelkaFile(data=child_file, filename=child_filename, depth=file_object.depth + 1, parent_uid=file_object.uid, root_uid=file_object.root_uid, parent_hash=file_object.hash, root_hash=file_object.root_hash, source=self.scanner_name) self.children.append(child_fo) self.metadata["total"]["extracted"] += 1 except crypto.Error: file_object.flags.append(f"{self.scanner_name}::load_pkcs7_error")
def remove_signature(content): """ Remove the PKCS#7 envelope from given content, making a '.xml.p7m' file content readable as it was '.xml'. As OpenSSL may not be installed, in that case a warning is issued and None is returned. """ # Prevent using the library if it had import errors if not ssl_crypto: _logger.warning( "Error reading the content, check if the OpenSSL library is installed for for PKCS#7 envelope extraction." ) return None # Load some tools from the library null = ssl_util.ffi.NULL verify = ssl_util.lib.PKCS7_verify # By default ignore the validity of the certificates, just validate the structure flags = ssl_util.lib.PKCS7_NOVERIFY | ssl_util.lib.PKCS7_NOSIGS # Read the signed data fron the content out_buffer = ssl_crypto._new_mem_buf() # This method is deprecated, but there are actually no alternatives with warnings.catch_warnings(): warnings.filterwarnings("ignore", category=DeprecationWarning) loaded_data = ssl_crypto.load_pkcs7_data(ssl_crypto.FILETYPE_ASN1, content) # Verify the signature if verify(loaded_data._pkcs7, null, null, null, out_buffer, flags) != 1: ssl_crypto._raise_current_error() # Get the content as a byte-string decoded_content = ssl_crypto._bio_to_string(out_buffer) return decoded_content
def __init__(self, cert, content_type=None): try: if cert.startswith("-----BEGIN CERTIFICATE-----"): log.debug("Loading file with content_type pem") self.cert = x509.load_pem_x509_certificate( bytes(cert), OpenSSLBackend) elif content_type == 'pkcs7-mime': pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, cert) certs = pkcs7_get_certs(pkcs7) if not len(certs): raise ValueError('No certs in pkcs7') elif len(certs) > 1: log.warning( 'Multiple certs found but only processing the first one' ) self.cert = certs[0] else: log.debug( "Loading file with content_type {0}".format(content_type)) self.cert = x509.load_der_x509_certificate( bytes(cert), OpenSSLBackend) except ValueError: raise UnsuportedCertificateType( "Failed to load cert with content_type={0}".format( content_type))
def _parse(self, buff, digestalgo): pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, buff) certs_stack = _ffi.NULL if pkcs7.type_is_signed(): certs_stack = pkcs7._pkcs7.d.sign.cert elif pkcs7.type_is_signedAndEnveloped(): certs_stack = pkcs7._pkcs7.d.signed_and_enveloped.cert pycerts = [] for i in range(_lib.sk_X509_num(certs_stack)): tmp = _lib.X509_dup(_lib.sk_X509_value(certs_stack, i)) pycert = X509._from_raw_x509_ptr(tmp) pycerts.append(pycert) if not pycerts: return None for cert in pycerts: sbj = cert.get_subject() name = 'C={}, ST={}, L={}, O={}, CN={}'.format( sbj.C, sbj.ST, sbj.L, sbj.O, sbj.CN) checksum = cert.digest(digestalgo).decode().replace(':', '') self.content.append((name, checksum))
def load_pkcs7_bio_der(p7_der): """ Load a PKCS7 object from a PKCS7 DER blob. Return PKCS7 object. """ try: return crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, p7_der) except crypto.Error as ex: raise PKCS7VerifyError(ex)
def decrypt_p7s(data: bytes) -> str: """ openssl cms -verify -in xxx.p7s -inform DER -noverify -outform DER -signer cert.pem -print """ p7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, BytesIO(data).getvalue()) bio_out = crypto._new_mem_buf() _lib.PKCS7_verify(p7._pkcs7, _ffi.NULL, _ffi.NULL, _ffi.NULL, bio_out, _lib.PKCS7_NOVERIFY) return crypto._bio_to_string(bio_out)
def _cert_object(self): """ Returns a CSR object """ pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, self._read_cert()) certs = self._get_certificates(pkcs7) certificate = crypto.dump_certificate(crypto.FILETYPE_PEM, certs[0]) a = crypto.load_certificate(crypto.FILETYPE_PEM, certificate) self.log_debug('') return a
def test_002_get_certificates(self): """ test pkcs7 convrt to pem """ cert_pem_list = [] with open(self.dir_path + '/ca/certs.p7b', 'r') as fso: pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_PEM, fso.read()) cert_list = self._get_certificates(pkcs7) for cert in cert_list: cert_pem_list.append(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) result = [b'-----BEGIN CERTIFICATE-----\nMIIFTzCCAzegAwIBAgIIAzHyhSyrXfMwDQYJKoZIhvcNAQELBQAwKzEXMBUGA1UE\nCxMOYWNtZTJjZXJ0aWZpZXIxEDAOBgNVBAMTB3Jvb3QtY2EwHhcNMjAwNTI3MTM1\nNDAwWhcNMzAwNTI2MjM1OTAwWjAqMRcwFQYDVQQLEw5hY21lMmNlcnRpZmllcjEP\nMA0GA1UEAxMGc3ViLWNhMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA\nxXHaGZsolXe+PBdUryngHP9VbBC1mehqeTtYI+hqsqGNH7q9a7bSrxMwFuF1kYL8\njqqxkJdtl0L94xcxJg/ZdMx7Nt0vGI+BaAuTpEpUEHeN4tqS6NhB/m/0LGkAELc/\nqkzmoO4B1FDwEEj/3IXtZcupqG80oDt7jWSGXdtF7NTjzcumznMeRXidCdhxRxT/\n/WrsChaytXo0xWZ56oeNwd6x6Dr8/39PBOWtj4fldyDcg+Q+alci2tx9pxmu2bCV\nXcB9ftCLKhDk2WEHE88bgKSp7fV2RCmq9po+Tx8JJ7qecLunUsK/F0XN4kpoQLm9\nhcymqchnMSncSiyin1dQHGHWgXDtBDdq6A2Z6rx26Qk5H9HTYvcNSe1YwFEDoGLB\nZQjbCPWiaqoaH4agBQTclPvrrSCRaVmhUSO+pBtSXDkmN4t3MDZxfgRkp8ixwkB1\n5Y5f0LTpCyAJsdQDw8+Ea0aDqO30eskh4CErnm9+Fejd9Ew2cwpdwfBXzVSbYilM\nGueQihZHvJmVRxAwU69aO2Qs8B0tQ60CfWKVlmWPiakrvYYlPp0FBsM61G6LZEN8\nhH2CKnS8hHv5IWEXZvp0Pk8V3P5h6bWN0Tl+x/V1Prt7Wp8NoiPETE8XyDDxe6dm\nKxztWBH/mTsJyMGb6ZiUoXdPU9TFUKqHxTRLHaxfsPsCAwEAAaN4MHYwEgYDVR0T\nAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUv96OjgYiIqutQ8jd1E+oq0hBPtUwDgYD\nVR0PAQH/BAQDAgGGMBEGCWCGSAGG+EIBAQQEAwIABzAeBglghkgBhvhCAQ0EERYP\neGNhIGNlcnRpZmljYXRlMA0GCSqGSIb3DQEBCwUAA4ICAQBbHLEVyg4f9uEujroc\n31UVyDRLMdPgEPLjOenSBCBmH0N81whDmxNI/7JAAB6J14WMX8OLF0HkZnb7G77W\nvDhy1aFvQFbXHBz3/zUO9Mw9J4L2XEW6ond3Nsh1m2oXeBde3R3ANxuIzHqZDlP9\n6YrRcHjnf4+1/5AKDJAvJD+gFb5YnYUKH2iSvHUvG17xcZx98Rf2eo8LealG4JqH\nJh4sKRy0VjDQD7jXSCbweTHEb8wz+6OfNGrIo+BhTFP5vPcwE4nlJwYBoaOJ5cVa\n7gdQJ7WkLSxvwHxuxzvSVK73u3jl3I9SqTrbMLG/jeJyV0P8EvdljOaGnCtQVRwC\nzM4ptXUvKhKOHy7/nyTF/Bc35ZwwL/2xWvNK1+NibgE/6CFxupwWpdmxQbVVuoQ3\n2tUil9ty0yC6m5GKE8+t1lrZuxyA+b/TBnYNO5xo8UEMbkpxaNYSwmw+f/loxXP/\nM7sIBcLvy2ugHEBxwd9o/kLXeXT2DaRvxPjp4yk8MpJRpNmz3aB5HJwaUnaRLVo5\nZ3XWWXmjMGZ6/m0AAoDbDz/pXtOoJZT8BJdD1DuDdszVsQnLVn4B/LtIXL6FbXsF\nzfv6ERP9a5gpKUZ+4NjgrnlGtdccNZpwyWF0IXcvaq3b8hXIRO4hMjzHeHfzJN4t\njX1vlY35Ofonc4+6dRVamBiF9A==\n-----END CERTIFICATE-----\n', b'-----BEGIN CERTIFICATE-----\nMIIFcDCCA1igAwIBAgIIevLTTxOMoZgwDQYJKoZIhvcNAQELBQAwKzEXMBUGA1UE\nCxMOYWNtZTJjZXJ0aWZpZXIxEDAOBgNVBAMTB3Jvb3QtY2EwHhcNMjAwNTI3MDAw\nMDAwWhcNMzAwNTI2MjM1OTU5WjArMRcwFQYDVQQLEw5hY21lMmNlcnRpZmllcjEQ\nMA4GA1UEAxMHcm9vdC1jYTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB\nAJy4UZHdZgYt64k/rFamoC676tYvtabeuiqVw1c6oVZI897cFLG6BYwyr2Eaj7tF\nrqTJDeMN4vZSudLsmLDq6m8KwX/riPzUTIlcjM5aIMANZr9rLEs3NWtcivolB5aQ\n1slhdVitUPLuxsFnYeQTyxFyP7lng9M/Z403KLG8phdmKjM0vJkaj4OuKOXf3UsW\nqWQYyRl/ms07xVj02uq08LkoeO+jtQisvyVXURdaCceZtyK/ZBQ7NFCsbK112cVR\n1e2aJol7NJAA6Wm6iBzAdkAA2l3kh40SLoEbaiaVMixLN2vilIZOOAoDXX4+T6ir\n+KnDVSJ2yu5c/OJMwuXwHrh7Lgg1vsFR5TNehknhjUuWOUO+0TkKPg2A7KTg72OZ\n2mOcLZIbxzr1P5RRvdmLQLPrTF2EJvpQPNmbXqN3ZVWEvfHTjkkTFY/dsOTvFTgS\nri15zYKch8votcU7z+BQhgmMtwO2JhPMmZ6ABd9skI7ijWpwOltAhxtdoBO6T6CB\nCrE2yXc6V/PyyAKcFglNmIght5oXsnE+ub/dtx8f9Iea/xNPdo5aGy8fdaitolDK\n16kd3Kb7OE4HMHIwOxxF1BEAqerxxhbLMRBr8hRSZI5cvLzWLvpAQ5zuhjD6V3b9\nBYFd4ujAu3zl3mbzdbYjFoGOX6aBZaGDxlc4O2W7HxntAgMBAAGjgZcwgZQwDwYD\nVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUDGVvuTFYZtEAkz3af9wRKDDvAswwHwYD\nVR0jBBgwFoAUDGVvuTFYZtEAkz3af9wRKDDvAswwDgYDVR0PAQH/BAQDAgGGMBEG\nCWCGSAGG+EIBAQQEAwIABzAeBglghkgBhvhCAQ0EERYPeGNhIGNlcnRpZmljYXRl\nMA0GCSqGSIb3DQEBCwUAA4ICAQAjko7dX+iCgT+m3Iy1Vg6j7MRevPAzq1lqHRRN\nNdt2ct530pIut7Fv5V2xYk35ka+i/G+XyOvTXa9vAUKiBtiRnUPsXu4UcS7CcrCX\nEzHx4eOtHnp5wDhO0Fx5/OUZTaP+L7Pd1GD/j953ibx5bMa/M9Rj+S486nst57tu\nDRmEAavFDiMd6L3jH4YSckjmIH2uSeDIaRa9k6ag077XmWhvVYQ9tuR7RGbSuuV3\nFc6pqcFbbWpoLhNRcFc+hbUKOsKl2cP+QEKP/H2s3WMllqgAKKZeO+1KOsGo1CDs\n475bIXyCBpFbH2HOPatmu3yZRQ9fj9ta9EW46n33DFRNLinFWa4WJs4yLVP1juge\n2TCOyA1t61iy++RRXSG3e7NFYrEZuCht1EdDAdzIUY89m9NCPwoDYS4CahgnfkkO\n7YQe6f6yqK6isyf8ZFcp1uF58eERDiF/FDqS8nLmCdURuI56DDoNvDpig5J/9RNW\nG8vEvt2p7QrjeZ3EAatx5JuYty/NKTHZwJWk51CgzEgzDwzE2JIiqeldtL5d0Sl6\neVuv0G04BEyuXxEWpgVVzBS4qEFIBSnTJzgu1PXmId3yLvg2Nr8NKvwyZmN5xKFp\n0A9BWo15zW1PXDaD+l39oTYD7agjXkzTAjYIcfNJ7ATIYFD0xAvNAOf70s7aNupF\nfvkG2Q==\n-----END CERTIFICATE-----\n'] self.assertEqual(result, cert_pem_list)
def verify_pkcs7_data(data): pdata = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, data) bio_out = crypto._new_mem_buf() crypto._lib.PKCS7_verify( pdata._pkcs7, crypto._ffi.NULL, crypto._ffi.NULL, crypto._ffi.NULL, bio_out, crypto._lib.PKCS7_NOVERIFY ) return crypto._bio_to_string(bio_out)
def decode_cert(cert_path): # Open certificate and deserialize with open(str(cert_path),'rb') as rf: pem_obj = rf.read() if pem.detect(pem_obj): type, _, _ = pem.unarmor(pem_obj) # Determine type of certificate if type == "PKCS7": pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_PEM,pem_obj) certs = get_certificates(pkcs7) count = 0 for cert in certs: pem_cert = x509.load_pem_x509_certificate(cert, default_backend()) # Print cert issued to colorize('green') print('Issued to: (Chain ' + str(count) + ')') count += 1 colorize_edit('reset') print(pem_cert.subject.rfc4514_string()) print("Serial No: " + str(pem_cert.serial_number)) print("Fingerprint: " + str(base64.b64encode(pem_cert.fingerprint(hashes.SHA256())), 'utf-8')) print("Valid from: " + str(pem_cert.not_valid_before)) print("Valid to: " + str(pem_cert.not_valid_after)) print("Signature hash algorithm: " + pem_cert.signature_hash_algorithm.name) # Print issued by colorize('green') print('Issued by: ') colorize_edit('reset') print(pem_cert.issuer.rfc4514_string()) print('\n') elif type == "CERTIFICATE": cert = x509.load_pem_x509_certificate(pem_obj, default_backend()) # Print cert issued to colorize('green') print('Issued to: ') colorize_edit('reset') print(cert.subject.rfc4514_string()) print("Serial No: " + str(cert.serial_number)) print("Fingerprint: " + str(base64.b64encode(cert.fingerprint(hashes.SHA256())), 'utf-8')) print("Valid from: " + str(cert.not_valid_before)) print("Valid to: " + str(cert.not_valid_after)) print("Signature hash algorithm: " + cert.signature_hash_algorithm.name) # Print issued by colorize('green') print('Issued by: ') colorize_edit('reset') print(cert.issuer.rfc4514_string()) else: raise TypeError('Not a PEM or PKCS7 file.')
def test_create_ca(self): subca_dict = self._create_subca() self.assertEqual("sub ca1", subca_dict.get(cm.INFO_NAME)) self.assertIsNotNone(subca_dict.get(cm.INFO_EXPIRATION)) self.assertIsNotNone(subca_dict.get(cm.PLUGIN_CA_ID)) ca_cert = subca_dict.get(cm.INFO_CA_SIGNING_CERT) self.assertIsNotNone(ca_cert) intermediates = subca_dict.get(cm.INFO_INTERMEDIATES) self.assertIsNotNone(intermediates) cacert = crypto.load_certificate(crypto.FILETYPE_PEM, ca_cert) subject = cacert.get_subject() self.assertEqual("subordinate ca signing cert", subject.CN) pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_PEM, intermediates) self.assertTrue(pkcs7.type_is_signed())
def get_decrypt_keys(apk: APK, certificate_files: list): # https://stackoverflow.com/questions/45104923/pyopenssls-pkcs7-object-provide-very-little-information-how-can-i-get-the-sha1 def get_certificates(self): from OpenSSL.crypto import _lib, _ffi, X509 """ https://github.com/pyca/pyopenssl/pull/367/files#r67300900 Returns all certificates for the PKCS7 structure, if present. Only objects of type ``signedData`` or ``signedAndEnvelopedData`` can embed certificates. :return: The certificates in the PKCS7, or :const:`None` if there are none. :rtype: :class:`tuple` of :class:`X509` or :const:`None` """ certs = _ffi.NULL if self.type_is_signed(): certs = self._pkcs7.d.sign.cert elif self.type_is_signedAndEnveloped(): certs = self._pkcs7.d.signed_and_enveloped.cert # pycerts = [] for i in range(_lib.sk_X509_num(certs)): pycert = X509.__new__(X509) pycert._x509 = _lib.sk_X509_value(certs, i) pycerts.append(pycert) # if not pycerts: return None return tuple(pycerts) sha1hashes = [] # assume there are more than one certificate file for certificate_file in certificate_files: certificate_bytes = apk.zip.read(certificate_file) pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, certificate_bytes) # assume there are more than one certificate certs = get_certificates(pkcs7) hashes = [cert.digest('sha1').decode() for cert in certs] sha1hashes.extend(hashes) keys = [] for hash in sha1hashes: keys.append(generate_key(hash)) return keys
def get_pem_data_from_pkcs7(data: bytes) -> bytes: """Extracts certificate from pkcs7 data and convert it to PEM data""" pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, data) certs = _ffi.NULL if pkcs7.type_is_signed(): certs = pkcs7._pkcs7.d.sign.cert elif pkcs7.type_is_signedAndEnveloped(): certs = pkcs7._pkcs7.d.signed_and_enveloped.cert if _lib.sk_X509_num(certs) > 1: raise Exception('Too many certificates') pycert = X509.__new__(X509) pycert._x509 = _lib.X509_dup(_lib.sk_X509_value(certs, 0)) return bytes(crypto.dump_certificate(crypto.FILETYPE_PEM, pycert))
def extract_smime_signature(payload, trusted, logger): """ :param payload: bytes :param trusted: list of cryptography.x509.Certificate :param logger: logger :return: bytes or None Extract public certificates from the PKCS7 binary payload. Logs human-readable info about each cert found. Identifies which are intermediates and which is the sender's public-key cert. Verifies against provided list of trusted certs. If valid, returns the PEM-serialized contents of the sender's public-key certificate. If invalid, returns None. """ pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, payload) certs = get_certificates(pkcs7) cert, intermediates = None, [] for c in certs: # Log some human-readable info about each cert c_email_addrs = [] c_issuer_info = {} for i in c.subject.get_attributes_for_oid( cryptography.x509.NameOID.EMAIL_ADDRESS): c_email_addrs.append(i.value) for i in c.issuer: c_issuer_info.update({i.oid._name: i.value}) logger.info( '| Certificate: subject email_address={},not_valid_before={},not_valid_after={},hash_algorithm={},key_size={} bytes, issuer={}' .format(c_email_addrs, c.not_valid_before, c.not_valid_after, c.signature_hash_algorithm.name, c.public_key().key_size, c_issuer_info)) # Check if this is an email user certificate, or an intermediate if c_email_addrs: cert = c else: intermediates.append(c) if verify_certificate_chain(cert, intermediates, trusted, logger): pem_bytes = cert.public_bytes(serialization.Encoding.PEM) return pem_bytes else: return None
def test_create_ca(self): subca_dict = self._create_subca() self.assertEqual("sub ca1", subca_dict.get(cm.INFO_NAME)) self.assertIsNotNone(subca_dict.get(cm.INFO_EXPIRATION)) self.assertIsNotNone(subca_dict.get(cm.PLUGIN_CA_ID)) ca_cert = subca_dict.get(cm.INFO_CA_SIGNING_CERT) self.assertIsNotNone(ca_cert) intermediates = subca_dict.get(cm.INFO_INTERMEDIATES) self.assertIsNotNone(intermediates) cacert = crypto.load_certificate(crypto.FILETYPE_PEM, ca_cert) subject = cacert.get_subject() self.assertEqual( "subordinate ca signing cert", subject.CN) pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_PEM, intermediates) self.assertTrue(pkcs7.type_is_signed())
def load_certificates_from_signature(signature): signature = base64.b64decode(signature) pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, signature) raw_certificates = ffi.NULL if pkcs7.type_is_signed(): raw_certificates = pkcs7._pkcs7.d.sign.cert elif pkcs7.type_is_signedAndEnveloped(): raw_certificates = pkcs7._pkcs7.d.signed_and_enveloped.cert certificates = [] for x in range(lib.sk_X509_num(raw_certificates)): certificate = lib.X509_dup(lib.sk_X509_value(raw_certificates, x)) certificate = crypto.X509._from_raw_x509_ptr(certificate) certificate = ApplePieCertificate(certificate) certificates.append(certificate) return certificates
def cert_certificate(self) -> GreppedOut: """ Returns a PEM encoded certificate Returns ------- GreppedOut : object GreppedOut object Examples -------- >>> from glorifiedgrep import GlorifiedAndroid >>> a = GlorifiedAndroid('/path/to/apk') >>> a.cert_certificate() """ pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, self._read_cert()) certs = self._get_certificates(pkcs7) certificate = crypto.dump_certificate(crypto.FILETYPE_PEM, certs[0]) self._cert_analysis['certificate'] = [certificate] self.log_debug('') return GreppedOut([certificate])
def getXMLfromP7m(filename): from OpenSSL import crypto from OpenSSL._util import ( ffi as _ffi, lib as _lib, ) # Or, alternatively: # from cryptography.hazmat.bindings.openssl.binding import Binding # _lib = Binding.lib # _ffi = Binding.ffi with open(filename, 'rb') as f: p7data = f.read() #p7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, p7data) p7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, p7data) bio_out = crypto._new_mem_buf() res = _lib.PKCS7_verify(p7._pkcs7, _ffi.NULL, _ffi.NULL, _ffi.NULL, bio_out, _lib.PKCS7_NOVERIFY) ''' if res == 1: databytes = crypto._bio_to_string(bio_out) databytes = databytes.decode('utf8') databytes = databytes.replace('\ufeff', "") print(databytes) else: errno = _lib.ERR_get_error() errstrlib = _ffi.string(_lib.ERR_lib_error_string(errno)) errstrfunc = _ffi.string(_lib.ERR_func_error_string(errno)) errstrreason = _ffi.string(_lib.ERR_reason_error_string(errno)) ''' databytes = crypto._bio_to_string(bio_out) xmlFileName = getTempDir() + 'tmpFatt.xml' open(xmlFileName, 'wb').write(databytes) return xmlFileName
def scan(self, data, file, options, expire_at): self.event['total'] = {'certificates': 0, 'extracted': 0} if data[:1] == b'0': crypto_file_type = crypto.FILETYPE_ASN1 self.event['cryptoType'] = 'der' else: crypto_file_type = crypto.FILETYPE_PEM self.event['cryptoType'] = 'pem' try: pkcs7 = crypto.load_pkcs7_data(crypto_file_type, data) pkcs7_certificates = pkcs7.get_certificates() if pkcs7_certificates is not None: self.event['total']['certificates'] = len(pkcs7_certificates) for certificate in pkcs7_certificates: extract_file = strelka.File( name=f'sn_{certificate.get_serial_number()}', source=self.name, ) extract_data = crypto.dump_certificate( crypto_file_type, certificate, ) for c in strelka.chunk_string(extract_data): self.upload_to_cache( extract_file.pointer, c, expire_at, ) self.files.append(extract_file) self.event['total']['extracted'] += 1 except crypto.Error: self.flags.append('load_pkcs7_error')
def _parse(self, buff): pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, buff) certs_stack = _ffi.NULL if pkcs7.type_is_signed(): certs_stack = pkcs7._pkcs7.d.sign.cert elif pkcs7.type_is_signedAndEnveloped(): certs_stack = pkcs7._pkcs7.d.signed_and_enveloped.cert pycerts = [] for i in range(_lib.sk_X509_num(certs_stack)): tmp = _lib.X509_dup(_lib.sk_X509_value(certs_stack, i)) pycert = X509._from_raw_x509_ptr(tmp) pycerts.append(pycert) if not pycerts: return None for cert in pycerts: name = str(cert.get_subject())[19:-2].replace('/', ', ') md5 = cert.digest('md5').decode().replace(':', '') self.content.append((name, md5))
def cert_public_key(self) -> GreppedOut: """ Get the public key from CERT.RSA Returns ------- GreppedOut : object GreppedOut object Examples -------- >>> from glorifiedgrep import GlorifiedAndroid >>> a = GlorifiedAndroid('/path/to/apk') >>> a.cert_public_key() """ pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, self._read_cert()) certs = self._get_certificates(pkcs7) p = certs[0].get_pubkey() bio = crypto._new_mem_buf() cryptolib.PEM_write_bio_PUBKEY(bio, p._pkey) key = crypto._bio_to_string(bio) self._cert_analysis['public_key'] = [key] self.log_debug('') return GreppedOut([key])
signatureStart = (footer[0] & 255) | ((footer[1] & 255) << 8) f.seek(file_size - (commentSize + 22)) eocd = bytearray(f.read()) if eocd[0] != ord(b'\x50') or eocd[1] != ord(b'\x4b') or eocd[2] != ord( b'\x05') or eocd[3] != ord(b'\x06'): print("no signature in file (bad eocd)") sys.exit(-1) for i in range(5, len(eocd) - 4): if eocd[i] == ord(b'\x50') and eocd[i + 1] == ord(b'\x4b') and eocd[ i + 2] == ord(b'\x05') and eocd[i + 3] == ord(b'\x06'): print("EOCD marker found after start of EOCD") sys.exit(-1) block = eocd[commentSize + 22 - signatureStart:commentSize + 22] decoded = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(block).decode( 'ascii') + "\n-----END CERTIFICATE-----" PKCS7 = crypto.load_pkcs7_data(crypto.FILETYPE_PEM, decoded) cert = PKCS7.get_certificates()[0] print("Certificate Fingerprints:") print("\tMD5: {}".format(cert.digest('md5').decode("utf-8"))) print("\tSHA1: {}".format(cert.digest("sha1").decode("utf-8"))) print("\tSHA256: {}".format(cert.digest("sha256").decode("utf-8")))
def download_certificates_and_create_PEM(cert_type, url): """ Download cert_type certificate bundle from url and extract the files from it and create PEM """ pem_file = "{}/{}_CABundle.pem".format(cache_dir, cert_type) if os.path.exists(pem_file) is False: filename = None parts = url.split('.') extension = parts[(len(parts) - 1)].lower() zip_type = False if (extension == "zip"): zip_type = True filename = "{}/{}.{}".format(cache_dir, cert_type, extension) if os.path.exists(filename) is False: if ("http://" in url or "https://" in url): # Download CA certs # todo: in the future could parse PKI-PKE page in IASE to get latest version, but for now just direct download print("Downloading {} CA certs...".format(cert_type)) try: r = requests.get(url, verify=False) except Exception as err: print("Error downloading {} CA certs: {}".format( cert_type, err)) return None with open(filename, 'wb') as dl_file: dl_file.write(r.content) print("Finished downloading {} CA certs.".format(cert_type)) elif (os.path.exists(url) is True): with open(url, 'rb') as sourcefile: with open(filename, 'wb') as destfile: destfile.write(sourcefile.read()) print("Finished copying {} CA certs.".format(cert_type)) else: print("Error: Unable to get {} CA certs.".format(cert_type)) return else: print("Already downloaded {} CA certs.".format(cert_type)) if (zip_type is True): print("Unzipping {} CA certs...".format(cert_type)) zip_file = zipfile.ZipFile(filename, 'r') cert_directory = "./{}/{}_Certs/".format(cache_dir, cert_type) zip_file.extractall(cert_directory) zip_file.close() print("Finished unzipping {} CA certs.".format(cert_type)) # find P7B p7b_file = None for (dirpath, dirnames, filenames) in os.walk(cert_directory): for filename in filenames: if filename.lower().endswith(".pem.p7b"): p7b_file = os.path.join(dirpath, filename) if p7b_file is None: print("Unable to find {} p7b file.".format(cert_type)) return None filename = p7b_file extension = "p7b" print("Loading {} cert data...".format(cert_type)) with open(filename, 'rb') as cert_file: if (extension == "p7b"): cert_data = crypto.load_pkcs7_data(crypto.FILETYPE_PEM, cert_file.read()) certs = get_certificates(cert_data) print("Found {} certs.".format(len(certs))) elif (extension == "p7c"): cert_data = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, cert_file.read()) certs = get_certificates(cert_data) print("Found {} certs.".format(len(certs))) else: cert_data = crypto.load_certificate(crypto.FILETYPE_ASN1, cert_file.read()) certs = [cert_data] print("Writing {} Certs to PEM file...".format(cert_type)) with open(pem_file, 'ab') as pem: for cert in certs: certPEM = crypto.dump_certificate(crypto.FILETYPE_PEM, cert) pem.write(certPEM) print("Finished writing {} Certs to PEM file.".format(cert_type)) return pem_file else: print("Already created {} CA PEM file.".format(cert_type)) return pem_file
print hex(IMAGE_DIRECTORY_ENTRY_SECURITY.VirtualAddress) print hex(IMAGE_DIRECTORY_ENTRY_SECURITY.Size) signature_address = pe.OPTIONAL_HEADER.DATA_DIRECTORY[ pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].VirtualAddress signature_size = pe.OPTIONAL_HEADER.DATA_DIRECTORY[ pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].Size print signature_size print hex(signature_size) signature = pe.write()[signature_address + 8:signature_address + 8 + signature_size] key = crypto.PKey() cert = DerSequence() pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, signature) print pkcs7.get_type_name() print pkcs7.type_is_signed() print pkcs7.type_is_data() print pkcs7.type_is_enveloped() der = ssl.DER_cert_to_PEM_cert(signature) # be = X509Backend() # c = be.load_der_x509_certificate(signature) # # cert = x509.load_der_x509_certificate(signature, default_backend()) with open('sig.p7', 'wb') as f: f.write(signature)
import sys from OpenSSL import crypto from OpenSSL._util import ( ffi as _ffi, lib as _lib, ) with open(sys.argv[1], 'rb') as f: p7data = f.read() p7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, p7data) bio_out =crypto._new_mem_buf() res = _lib.PKCS7_verify(p7._pkcs7, _ffi.NULL, _ffi.NULL, _ffi.NULL, bio_out, _lib.PKCS7_NOVERIFY|_lib.PKCS7_NOSIGS) if res == 1: databytes = crypto._bio_to_string(bio_out) print(databytes) else: errno = _lib.ERR_get_error() errstrlib = _ffi.string(_lib.ERR_lib_error_string(errno)) errstrfunc = _ffi.string(_lib.ERR_func_error_string(errno)) errstrreason = _ffi.string(_lib.ERR_reason_error_string(errno)) print(errstrreason)
# pycert._x509 = _lib.sk_X509_value(certs, i) # According to comment from @ Jari Turkia # to prevent segfaults use '_lib.X509_dup(' pycert._x509 = _lib.X509_dup(_lib.sk_X509_value(certs, i)) pycerts.append(pycert) if not pycerts: return None return tuple(pycerts) app = Flask(__name__) app.app_context().push() with open("/var/run/secrets/tls/0", "rb") as file: p7 = crypto.load_pkcs7_data(crypto.FILETYPE_PEM, file.read()) certs = get_certificates(p7) cafile = open("/app/cacerts/cafile", "wb") for cert in certs: print('digest:{}'.format(cert.digest('sha256'))) cafile.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) cafile.close() app.config['LDAP_BASE_DN'] = os.environ["LDAP_BASE_DN"] app.config['LDAP_USERNAME'] = ldap_username app.config['LDAP_PASSWORD'] = ldap_password app.config['LDAP_HOST'] = ldap_host app.config['LDAP_SCHEMA'] = "ldaps" app.config['LDAP_PORT'] = 636 app.config['LDAP_USE_SSL'] = True app.config['LDAP_USE_TLS'] = True
sys.exit(-1) commentSize = (footer[4] & 255) | ((footer[5] & 255) <<8) signatureStart = (footer[0] & 255) | ((footer[1] & 255) << 8) f.seek(file_size - (commentSize + 22)); eocd = bytearray(f.read()) if eocd[0] != ord(b'\x50') or eocd[1] != ord(b'\x4b') or eocd[2] != ord(b'\x05') or eocd[3] != ord(b'\x06'): print("no signature in file (bad eocd)") sys.exit(-1) for i in range(5, len(eocd)-4): if eocd[i] == ord(b'\x50') and eocd[i+1] == ord(b'\x4b') and eocd[i+2] == ord(b'\x05') and eocd[i+3] == ord(b'\x06'): print("EOCD marker found after start of EOCD") sys.exit(-1) block = eocd[commentSize+22-signatureStart:commentSize+22] decoded = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(block).decode('ascii') + "\n-----END CERTIFICATE-----" PKCS7 = crypto.load_pkcs7_data(crypto.FILETYPE_PEM, decoded) cert = PKCS7.get_certificates()[0] print("Certificate Fingerprints:") print("\tMD5: {}".format(cert.digest('md5').decode("utf-8"))) print("\tSHA1: {}".format(cert.digest("sha1").decode("utf-8"))) print("\tSHA256: {}".format(cert.digest("sha256").decode("utf-8")))
def pe_get_certificates(self): """Get certificates used to sign pe file Returns: Chepy: The Chepy object. Examples: >>> Chepy("tests/files/ff.exe).read_file().pe_get_certificates().o [ { 'version': 2, 'serial': 17154717934120587862167794914071425081, 'algo': b'sha1WithRSAEncryption', 'before': b'20061110000000Z', 'after': b'20311110000000Z', 'issuer': { 'C': 'US', 'ST': None, 'L': None, 'O': 'DigiCert Inc', 'OU': 'www.digicert.com', 'CN': 'DigiCert Assured ID Root CA', 'email': None }, ... ... } """ def get_certificates(self): # pragma: no cover certs = _ffi.NULL if self.type_is_signed(): certs = self._pkcs7.d.sign.cert elif self.type_is_signedAndEnveloped(): certs = self._pkcs7.d.signed_and_enveloped.cert pycerts = [] for i in range(_lib.sk_X509_num(certs)): pycert = X509.__new__(X509) pycert._x509 = _lib.sk_X509_value(certs, i) pycerts.append(pycert) if not pycerts: return None return tuple(pycerts) pe = self._pe_object() address = pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY[ "IMAGE_DIRECTORY_ENTRY_SECURITY"]].VirtualAddress hold = [] if address == 0: # pragma: no cover self._warning_logger("PE file is not signed") self.state = None else: signature = pe.write()[address + 8:] pkcs = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, bytes(signature)) certs = get_certificates(pkcs) for c in certs: dump_c = crypto.dump_certificate(crypto.FILETYPE_PEM, c) cert = crypto.load_certificate(crypto.FILETYPE_PEM, dump_c) issuer = cert.get_issuer() subject = cert.get_subject() pubkey = cert.get_pubkey() info = { "version": cert.get_version(), "serial": cert.get_serial_number(), "algo": cert.get_signature_algorithm(), "before": cert.get_notBefore(), "after": cert.get_notAfter(), "issuer": { "C": issuer.C, "ST": issuer.ST, "L": issuer.L, "O": issuer.O, "OU": issuer.OU, "CN": issuer.CN, "email": issuer.emailAddress, }, "subject": { "C": subject.C, "ST": subject.ST, "L": subject.L, "O": subject.O, "OU": subject.OU, "CN": subject.CN, "email": subject.emailAddress, }, "pubkey": { "bits": pubkey.bits() }, } hold.append(info) self.state = hold return self