def verify_cert(self, domain: str, cert: crypto.X509) -> bool:
    """Verify tls-alpn-01 challenge certificate.

    :param str domain: Domain name being validated.
    :param OpenSSL.crypto.X509 cert: Challenge certificate.
    :returns: Whether the certificate was successfully verified.
    :rtype: bool
    """
    # pylint: disable=protected-access
    san_names = crypto_util._pyopenssl_cert_or_req_all_names(cert)
    # Type ignore needed due to
    # https://github.com/pyca/pyopenssl/issues/730.
    logger.debug('Certificate %s. SANs: %s', cert.digest('sha256'), san_names)

    # Exactly one SAN is allowed, and it must name the validated domain
    # (compared case-insensitively, as DNS names are).
    if len(san_names) != 1:
        return False
    if san_names[0].lower() != domain.lower():
        return False

    extensions = (
        cert.get_extension(idx) for idx in range(cert.get_extension_count())
    )
    for ext in extensions:
        # FIXME: assume this is the ACME extension. Currently there is no
        # way to get full OID of an unknown extension from pyopenssl.
        if ext.get_short_name() == b'UNDEF':
            # The first unknown extension decides the result; its DER value
            # must equal the expected challenge hash.
            return ext.get_data() == self.h
    # No candidate extension was present at all.
    return False
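def get_extension_data(cert: X509) -> Dict[bytes, Union[str, bytes]]:
    """Return the extension data of an X509 certificate, keyed by short name.

    :param cert: pyOpenSSL certificate whose extensions are read.
    :returns: Mapping from each extension's short name (bytes) to its value.
        ``authorityKeyIdentifier`` is returned as text with a leading
        ``keyid:`` removed and surrounding whitespace stripped; a few other
        known extensions are returned as their text rendering; everything
        else, and any extension whose text rendering raises ``Error``, is
        returned as the raw DER bytes from ``get_data()``. If two extensions
        share a short name (e.g. several ``UNDEF``), the later one wins.
    """
    text_rendered = (
        b"subjectKeyIdentifier",
        b"extendedKeyUsage",
        b"basicConstraints",
        b"crlDistributionPoints",
    )
    akid_prefix = "keyid:"
    extension_data: Dict[bytes, Union[str, bytes]] = {}
    for idx in range(cert.get_extension_count()):
        ext = cert.get_extension(idx)
        short_name = ext.get_short_name()
        try:
            if short_name == b"authorityKeyIdentifier":
                # Render once; drop the "keyid:" tag only when it is present
                # (the previous bool-as-slice-index trick did the same).
                text = str(ext)
                if text.startswith(akid_prefix):
                    text = text[len(akid_prefix):]
                extension_data[short_name] = text.strip()
            elif short_name in text_rendered:
                extension_data[short_name] = str(ext)
            else:
                extension_data[short_name] = ext.get_data()
        except Error:
            # str(ext) can fail for extensions pyOpenSSL cannot print;
            # fall back to the raw DER-encoded value.
            extension_data[short_name] = ext.get_data()
    return extension_data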
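def get_subject_alternative_names(self, cert_obj: X509) -> List[str]:
    """Return the subjectAltName entries of *cert_obj* without their type tag.

    Each comma-separated entry of the extension's text form (for example
    ``DNS:example.com`` or ``IP Address:192.0.2.1``) has everything up to and
    including the first ``:`` removed. Cutting a fixed four characters, as the
    previous version did, is only correct for ``DNS:`` entries and mangles
    every other GeneralName type.

    :param cert_obj: pyOpenSSL certificate to inspect.
    :returns: SAN values in certificate order; empty if the extension is absent.
    """
    domains_list: List[str] = []
    for idx in range(cert_obj.get_extension_count()):
        ext = cert_obj.get_extension(idx)
        if ext.get_short_name() != b"subjectAltName":
            continue
        for entry in str(ext).split(","):
            entry = entry.strip()
            # Partition on the first ":" only, so IPv6 literals keep theirs.
            _tag, sep, value = entry.partition(":")
            domains_list.append(value if sep else entry)
    return domains_list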
def _extract_certificate_san(cls, x509cert: X509) -> Optional[List[str]]:
    """Collect the lower-cased DNS names from *x509cert*'s subjectAltName.

    :param x509cert: pyOpenSSL certificate to read.
    :returns: The ``DNS:`` entries (tag removed, lower-cased, whitespace
        stripped) in certificate order, or ``None`` when there are none.
    """
    dns_prefix = 'dns:'
    found: List[str] = []
    for idx in range(x509cert.get_extension_count()):
        extension = x509cert.get_extension(idx)
        short_name = extension.get_short_name().decode('utf-8')
        if 'subjectAltName' not in short_name:
            continue
        # Text form is "DNS:a, DNS:b, ..."; lower-case the whole rendering
        # first so both the tag test and the returned names are lower-case.
        entries = str(extension).lower().split(', ')
        found.extend(
            entry[len(dns_prefix):].strip()
            for entry in entries
            if entry.startswith(dns_prefix)
        )
    # An empty result is reported as None rather than an empty list.
    return found or None
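def get_cert_info(cert: X509) -> CertInfo:
    """Summarise the names and extended key usages of a certificate.

    :param cert: pyOpenSSL certificate to inspect.
    :returns: ``CertInfo`` whose ``names`` holds the subject commonName (when
        the subject has one) plus every subjectAltName entry with a leading
        ``DNS:`` removed, and whose ``key_usage`` holds the text rendering of
        each extendedKeyUsage extension.
    """
    names: Set[str] = set()
    key_usage: Set[str] = set()
    common_name = cert.get_subject().commonName
    # pyOpenSSL yields None for a subject without a CN; keep None out of a
    # set that is typed and consumed as a set of strings.
    if common_name is not None:
        names.add(common_name)
    dns_prefix = 'DNS:'
    for idx in range(cert.get_extension_count()):
        ext = cert.get_extension(idx)
        short_name = ext.get_short_name()
        if short_name == b'subjectAltName':
            # Text form is "DNS:a, DNS:b, ..."; non-DNS entries are kept
            # verbatim, tag included.
            for san in str(ext).split(','):
                san = san.strip()
                if san.startswith(dns_prefix):
                    san = san[len(dns_prefix):]
                names.add(san)
        elif short_name == b'extendedKeyUsage':
            key_usage.add(str(ext))
    return CertInfo(names=names, key_usage=key_usage)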
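def verify_sans(amazon_cert: crypto.X509) -> bool:
    """Verifies Subject Alternative Names (SANs) for Amazon certificate.

    The certificate passes only when its subjectAltName extension carries a
    ``DNS:`` entry equal to ``echo-api.amazon.com`` (compared
    case-insensitively, as DNS names are). A plain substring test on the
    rendered extension text would also accept any name that merely contains
    the expected host, so each entry is compared whole.

    Args:
        amazon_cert: pyOpenSSL X509 Amazon certificate.

    Returns:
        result: True if verification was successful, False if not.
    """
    expected_host = 'echo-api.amazon.com'
    for idx in range(amazon_cert.get_extension_count()):
        extension = amazon_cert.get_extension(idx)
        if extension.get_short_name() != b'subjectAltName':
            continue
        # Text form is "DNS:host1, DNS:host2, ..."; only DNS entries count.
        for entry in str(extension).split(','):
            tag, _sep, value = entry.strip().partition(':')
            if tag.strip().upper() == 'DNS' and value.strip().lower() == expected_host:
                return True
        # Only the first subjectAltName extension is consulted; a well-formed
        # certificate has at most one.
        return False
    return False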