def as_view(cls, responder_key, responder_cert, **kwargs):
priv_err_msg = '%s: Could not read private key.' % responder_key
pub_err_msg = '%s: Could not read public key.' % responder_cert
# Preload the responder key and certificate for faster access.
try:
with open(responder_key, 'rb') as stream:
responder_key = stream.read()
except:
raise ImproperlyConfigured(priv_err_msg)
try:
# try to load responder key and cert with oscrypto, to make sure they are actually usable
load_private_key(responder_key)
except:
raise ImproperlyConfigured(priv_err_msg)
if os.path.exists(responder_cert):
with open(responder_cert, 'rb') as stream:
responder_cert = stream.read()
if not responder_cert:
raise ImproperlyConfigured(pub_err_msg)
try:
load_certificate(responder_cert)
except:
raise ImproperlyConfigured(pub_err_msg)
return super(OCSPView, cls).as_view(responder_key=responder_key,
responder_cert=responder_cert,
**kwargs)
def test_dump_certificate(self):
cert = asymmetric.load_certificate(
os.path.join(fixtures_dir, 'keys/test.crt'))
pem_serialized = asymmetric.dump_certificate(cert)
cert_reloaded = asymmetric.load_certificate(pem_serialized)
self.assertIsInstance(cert_reloaded, asymmetric.Certificate)
self.assertEqual('rsa', cert_reloaded.algorithm)
def test_build_revoked_no_reason(self):
issuer_key = asymmetric.load_private_key(
os.path.join(fixtures_dir, 'test.key'))
issuer_cert = asymmetric.load_certificate(
os.path.join(fixtures_dir, 'test.crt'))
subject_cert = asymmetric.load_certificate(
os.path.join(fixtures_dir, 'test-inter.crt'))
revoked_time = datetime(2015, 9, 1, 12, 0, 0, tzinfo=timezone.utc)
builder = OCSPResponseBuilder('successful',
[{
'certificate': subject_cert,
'certificate_status': 'revoked',
'revocation_date': revoked_time
}])
ocsp_response = builder.build(issuer_key, issuer_cert)
der_bytes = ocsp_response.dump()
new_response = asn1crypto.ocsp.OCSPResponse.load(der_bytes)
basic_response = new_response['response_bytes']['response'].parsed
response_data = basic_response['tbs_response_data']
cert_response = response_data['responses'][0]
self.assertEqual('revoked', cert_response['cert_status'].name)
self.assertEqual(
revoked_time,
cert_response['cert_status'].chosen['revocation_time'].native)
self.assertEqual(
'unspecified',
cert_response['cert_status'].chosen['revocation_reason'].native)
def ocsp_validation(self, subject_cert, issuer_cert):
ocsp_link = self.get_ocsp_link(subject_cert)
subject_cert = asymmetric.load_certificate(
crypto.dump_certificate(
crypto.FILETYPE_ASN1,
subject_cert
)
)
issuer_cert = asymmetric.load_certificate(
crypto.dump_certificate(
crypto.FILETYPE_ASN1,
issuer_cert
))
builder = OCSPRequestBuilder(subject_cert, issuer_cert)
ocsp_request = builder.build()
flag = False
for x in range(1,3):
try:
r = requests.post(
ocsp_link,
data = ocsp_request.dump(),
headers={"Content-Type": "application/ocsp-request"}
)
resposta = asn1crypto.ocsp.OCSPResponse.load(r.content)
break
except Exception as e:
print("failed OCSP {0} times".format(x))
return "good" == resposta['response_bytes']['response'].parsed['tbs_response_data']["responses"][0]["cert_status"].name
def test_build_no_certificate(self):
issuer_key = asymmetric.load_private_key(
os.path.join(fixtures_dir, 'test.key'))
issuer_cert = asymmetric.load_certificate(
os.path.join(fixtures_dir, 'test.crt'))
subject_cert = asymmetric.load_certificate(
os.path.join(fixtures_dir, 'test-inter.crt'))
with self.assertRaisesRegexp(
ValueError,
'must be set if the response_status is "successful"'):
builder = OCSPResponseBuilder('successful', subject_cert, 'good')
builder.certificate = None
builder.build(issuer_key, issuer_cert)
with self.assertRaisesRegexp(
ValueError,
'must be set if the response_status is "successful"'):
builder = OCSPResponseBuilder('successful', subject_cert, 'good')
builder.certificate_status = None
builder.build(issuer_key, issuer_cert)
with self.assertRaisesRegexp(
ValueError,
'must be set if the response_status is "successful"'):
builder = OCSPResponseBuilder('successful', subject_cert)
builder.build(issuer_key, issuer_cert)
with self.assertRaisesRegexp(
ValueError,
'must be set if the response_status is "successful"'):
builder = OCSPResponseBuilder('successful', None, 'good')
builder.build(issuer_key, issuer_cert)
def test_build_basic_request(self):
issuer_cert = asymmetric.load_certificate(
os.path.join(fixtures_dir, 'test.crt'))
subject_cert = asymmetric.load_certificate(
os.path.join(fixtures_dir, 'test-inter.crt'))
builder = OCSPRequestBuilder(subject_cert, issuer_cert)
ocsp_request = builder.build()
der_bytes = ocsp_request.dump()
new_request = asn1crypto.ocsp.OCSPRequest.load(der_bytes)
tbs_request = new_request['tbs_request']
self.assertEqual(None, new_request['optional_signature'].native)
self.assertEqual('v1', tbs_request['version'].native)
self.assertEqual(None, tbs_request['requestor_name'].native)
self.assertEqual(1, len(tbs_request['request_list']))
request = tbs_request['request_list'][0]
self.assertEqual(
'sha1', request['req_cert']['hash_algorithm']['algorithm'].native)
self.assertEqual(issuer_cert.asn1.subject.sha1,
request['req_cert']['issuer_name_hash'].native)
self.assertEqual(issuer_cert.asn1.public_key.sha1,
request['req_cert']['issuer_key_hash'].native)
self.assertEqual(subject_cert.asn1.serial_number,
request['req_cert']['serial_number'].native)
self.assertEqual(0, len(request['single_request_extensions']))
self.assertEqual(1, len(tbs_request['request_extensions']))
extn = tbs_request['request_extensions'][0]
self.assertEqual('nonce', extn['extn_id'].native)
self.assertEqual(16, len(extn['extn_value'].parsed.native))
def test_build_basic_request(self):
issuer_cert = asymmetric.load_certificate(os.path.join(fixtures_dir, "test.crt"))
subject_cert = asymmetric.load_certificate(os.path.join(fixtures_dir, "test-inter.crt"))
builder = OCSPRequestBuilder(subject_cert, issuer_cert)
ocsp_request = builder.build()
der_bytes = ocsp_request.dump()
new_request = asn1crypto.ocsp.OCSPRequest.load(der_bytes)
tbs_request = new_request["tbs_request"]
self.assertEqual(None, new_request["optional_signature"].native)
self.assertEqual("v1", tbs_request["version"].native)
self.assertEqual(None, tbs_request["requestor_name"].native)
self.assertEqual(1, len(tbs_request["request_list"]))
request = tbs_request["request_list"][0]
self.assertEqual("sha1", request["req_cert"]["hash_algorithm"]["algorithm"].native)
self.assertEqual(issuer_cert.asn1.subject.sha1, request["req_cert"]["issuer_name_hash"].native)
self.assertEqual(issuer_cert.asn1.public_key.sha1, request["req_cert"]["issuer_key_hash"].native)
self.assertEqual(subject_cert.asn1.serial_number, request["req_cert"]["serial_number"].native)
self.assertEqual(0, len(request["single_request_extensions"]))
self.assertEqual(1, len(tbs_request["request_extensions"]))
extn = tbs_request["request_extensions"][0]
self.assertEqual("nonce", extn["extn_id"].native)
self.assertEqual(16, len(extn["extn_value"].parsed.native))
def test_build_signed_request(self):
issuer_cert = asymmetric.load_certificate(os.path.join(fixtures_dir, "test.crt"))
subject_cert = asymmetric.load_certificate(os.path.join(fixtures_dir, "test-inter.crt"))
requestor_cert = asymmetric.load_certificate(os.path.join(fixtures_dir, "test-third.crt"))
requestor_key = asymmetric.load_private_key(os.path.join(fixtures_dir, "test-third.key"))
builder = OCSPRequestBuilder(subject_cert, issuer_cert)
ocsp_request = builder.build(requestor_key, requestor_cert, [subject_cert, issuer_cert])
der_bytes = ocsp_request.dump()
new_request = asn1crypto.ocsp.OCSPRequest.load(der_bytes)
tbs_request = new_request["tbs_request"]
signature = new_request["optional_signature"]
self.assertEqual("sha256", signature["signature_algorithm"].hash_algo)
self.assertEqual("rsassa_pkcs1v15", signature["signature_algorithm"].signature_algo)
self.assertEqual(3, len(signature["certs"]))
self.assertEqual("v1", tbs_request["version"].native)
self.assertEqual(requestor_cert.asn1.subject, tbs_request["requestor_name"].chosen)
self.assertEqual(1, len(tbs_request["request_list"]))
request = tbs_request["request_list"][0]
self.assertEqual("sha1", request["req_cert"]["hash_algorithm"]["algorithm"].native)
self.assertEqual(issuer_cert.asn1.subject.sha1, request["req_cert"]["issuer_name_hash"].native)
self.assertEqual(issuer_cert.asn1.public_key.sha1, request["req_cert"]["issuer_key_hash"].native)
self.assertEqual(subject_cert.asn1.serial_number, request["req_cert"]["serial_number"].native)
self.assertEqual(0, len(request["single_request_extensions"]))
self.assertEqual(1, len(tbs_request["request_extensions"]))
extn = tbs_request["request_extensions"][0]
self.assertEqual("nonce", extn["extn_id"].native)
self.assertEqual(16, len(extn["extn_value"].parsed.native))
def __init__(self, issuer_cert: str, responder_cert: str, responder_key: str,
fault: str, next_update_seconds: int):
"""
Create a new OCSPResponder instance.
:param issuer_cert: Path to the issuer certificate.
:param responder_cert: Path to the certificate of the OCSP responder
with the `OCSP Signing` extension.
:param responder_key: Path to the private key belonging to the
responder cert.
:param validate_func: A function that - given a certificate serial -
will return the appropriate :class:`CertificateStatus` and -
depending on the status - a revocation datetime.
:param cert_retrieve_func: A function that - given a certificate serial -
will return the corresponding certificate as a string.
:param next_update_seconds: The ``nextUpdate`` value that will be written
into the response. Default: 9 hours.
"""
# Certs and keys
self._issuer_cert = asymmetric.load_certificate(issuer_cert)
self._responder_cert = asymmetric.load_certificate(responder_cert)
self._responder_key = asymmetric.load_private_key(responder_key)
# Next update
self._next_update_seconds = next_update_seconds
self._fault = fault
def test_build_good_response(self):
issuer_key = asymmetric.load_private_key(os.path.join(fixtures_dir, 'test.key'))
issuer_cert = asymmetric.load_certificate(os.path.join(fixtures_dir, 'test.crt'))
subject_cert = asymmetric.load_certificate(os.path.join(fixtures_dir, 'test-inter.crt'))
builder = OCSPResponseBuilder('successful', subject_cert, 'good')
ocsp_response = builder.build(issuer_key, issuer_cert)
der_bytes = ocsp_response.dump()
new_response = asn1crypto.ocsp.OCSPResponse.load(der_bytes)
basic_response = new_response['response_bytes']['response'].parsed
response_data = basic_response['tbs_response_data']
self.assertEqual('sha256', basic_response['signature_algorithm'].hash_algo)
self.assertEqual('rsassa_pkcs1v15', basic_response['signature_algorithm'].signature_algo)
self.assertEqual('v1', response_data['version'].native)
self.assertEqual('by_key', response_data['responder_id'].name)
self.assertEqual(
issuer_cert.asn1.public_key.sha1,
response_data['responder_id'].chosen.native
)
self.assertGreaterEqual(datetime.now(timezone.utc), response_data['produced_at'].native)
self.assertEqual(1, len(response_data['responses']))
self.assertEqual(0, len(response_data['response_extensions']))
cert_response = response_data['responses'][0]
self.assertEqual('sha1', cert_response['cert_id']['hash_algorithm']['algorithm'].native)
self.assertEqual(issuer_cert.asn1.subject.sha1, cert_response['cert_id']['issuer_name_hash'].native)
self.assertEqual(issuer_cert.asn1.public_key.sha1, cert_response['cert_id']['issuer_key_hash'].native)
self.assertEqual(subject_cert.asn1.serial_number, cert_response['cert_id']['serial_number'].native)
self.assertEqual('good', cert_response['cert_status'].name)
self.assertGreaterEqual(datetime.now(timezone.utc), cert_response['this_update'].native)
self.assertGreaterEqual(set(), cert_response.critical_extensions)
def frompem(cls, issuer_cert: StrOrBytes, responder_cert: StrOrBytes, responder_key: StrOrBytes,
validate_func: ValidateFunc, cert_retrieve_func: CertRetrieveFunc = None,
next_update_days: int = 7):
"""
Create a new OCSPResponder instance from filepaths or bytes.
:param issuer_cert: Path to or Bytes of the issuer certificate.
:param responder_cert: Path to or Bytes of the certificate of the OCSP responder
with the `OCSP Signing` extension.
:param responder_key: Path to or Bytes of the private key belonging to the
responder cert.
:param validate_func: A function that - given a certificate serial -
will return the appropriate :class:`CertificateStatus` and -
depending on the status - a revocation datetime.
:param cert_retrieve_func: A function that - given a certificate serial -
will return the corresponding certificate as a string.
:param next_update_days: The ``nextUpdate`` value that will be written
into the response. Default: 7 days.
"""
# Certs and keys
_issuer_cert = asymmetric.load_certificate(issuer_cert)
_responder_cert = asymmetric.load_certificate(responder_cert)
_responder_key = asymmetric.load_private_key(responder_key)
return cls(_issuer_cert, _responder_cert, _responder_key,
validate_func=validate_func,
cert_retrieve_func=cert_retrieve_func,
next_update_days=next_update_days)
def test_build_revoked_response(self):
issuer_key = asymmetric.load_private_key(
os.path.join(fixtures_dir, 'test.key'))
issuer_cert = asymmetric.load_certificate(
os.path.join(fixtures_dir, 'test.crt'))
subject_cert = asymmetric.load_certificate(
os.path.join(fixtures_dir, 'test-inter.crt'))
revoked_time = datetime(2015, 9, 1, 12, 0, 0, tzinfo=timezone.utc)
builder = OCSPResponseBuilder(
'successful', [{
'certificate': subject_cert,
'certificate_status': 'key_compromise',
'revocation_date': revoked_time
}])
ocsp_response = builder.build(issuer_key, issuer_cert)
der_bytes = ocsp_response.dump()
new_response = asn1crypto.ocsp.OCSPResponse.load(der_bytes)
basic_response = new_response['response_bytes']['response'].parsed
response_data = basic_response['tbs_response_data']
self.assertEqual('sha256',
basic_response['signature_algorithm'].hash_algo)
self.assertEqual('rsassa_pkcs1v15',
basic_response['signature_algorithm'].signature_algo)
self.assertEqual('v1', response_data['version'].native)
self.assertEqual('by_key', response_data['responder_id'].name)
self.assertEqual(issuer_cert.asn1.public_key.sha1,
response_data['responder_id'].chosen.native)
self.assertGreaterEqual(datetime.now(timezone.utc),
response_data['produced_at'].native)
self.assertEqual(1, len(response_data['responses']))
self.assertEqual(0, len(response_data['response_extensions']))
cert_response = response_data['responses'][0]
self.assertEqual(
'sha1',
cert_response['cert_id']['hash_algorithm']['algorithm'].native)
self.assertEqual(issuer_cert.asn1.subject.sha1,
cert_response['cert_id']['issuer_name_hash'].native)
self.assertEqual(issuer_cert.asn1.public_key.sha1,
cert_response['cert_id']['issuer_key_hash'].native)
self.assertEqual(subject_cert.asn1.serial_number,
cert_response['cert_id']['serial_number'].native)
self.assertEqual('revoked', cert_response['cert_status'].name)
self.assertEqual(
revoked_time,
cert_response['cert_status'].chosen['revocation_time'].native)
self.assertEqual(
'key_compromise',
cert_response['cert_status'].chosen['revocation_reason'].native)
self.assertGreaterEqual(datetime.now(timezone.utc),
cert_response['this_update'].native)
self.assertGreaterEqual(set(), cert_response.critical_extensions)
def get_ocsp_status(self,cert,is_cert,cert_url,is_cert_url):
t0 = time.clock()
#print "Issuer Certificate is >> %s" %(is_cert_name)
c = OpenSSL.crypto
if not isinstance(cert, c.X509) or not isinstance(is_cert, c.X509):
return False
id_cert_buf = c.dump_certificate(c.FILETYPE_PEM, cert)
issuer_cert_buf = c.dump_certificate(c.FILETYPE_PEM, is_cert)
# with open(cert_name,"rb") as f:
# id_cert_buf = f.read()
# with open(is_cert_name,"rb") as f:
# issuer_cert_buf = f.read()
id_cert = asymmetric.load_certificate(id_cert_buf)
issuer_cert = asymmetric.load_certificate(issuer_cert_buf)
builder = OCSPRequestBuilder(id_cert, issuer_cert)
ocsp_request = builder.build()
ocsp_req_dump = ocsp_request.dump()
cert_ocsp_url = cert_url
is_ocsp_url = is_cert_url
resp = requests.post(cert_ocsp_url, ocsp_req_dump)
ocsp_response = resp.content
ocspResponse = OCSPResponse()
basicOcspResponse = BasicOCSPResponse()
decoded_resp = der_decoder.decode(ocsp_response, asn1Spec=ocspResponse)
for resp in decoded_resp:
if isinstance(resp, OCSPResponse):
ocsp_response_status = resp.getComponentByName('responseStatus')
ocsp_resp_bytes = resp.getComponentByName('responseBytes')
ocsp_resp = ocsp_resp_bytes.getComponentByName('response')
basic_ocsp_response, _ = der_decoder.decode(ocsp_resp, asn1Spec=basicOcspResponse)
tbs_response_data = basic_ocsp_response.getComponentByName('tbsResponseData')
responses = tbs_response_data.getComponentByName('responses')
for response in responses:
serial_no = response.getComponentByName('certID').getComponentByName('serialNumber')
#print str(serial_no)
#print response.getComponentByName('certStatus').getName()
print time.clock() - t0
if response.getComponentByName('certStatus').getName() == "good":
return True
else:
return False
def test_build_delta_crl(self):
root_certificate = asymmetric.load_certificate(os.path.join(fixtures_dir, 'root.crt'))
crl_issuer_private_key = asymmetric.load_private_key(
os.path.join(fixtures_dir, 'crl_issuer.key'),
'password123'
)
crl_issuer_certificate = asymmetric.load_certificate(os.path.join(fixtures_dir, 'crl_issuer.crt'))
builder = CertificateListBuilder(
'http://crl.example.com/delta',
crl_issuer_certificate,
50001
)
builder.certificate_issuer = root_certificate
builder.issuer_certificate_url = 'http://download.example.com/crl_issuer'
builder.delta_of = 50000
certificate_list = builder.build(crl_issuer_private_key)
der_bytes = certificate_list.dump()
new_cert_list = crl.CertificateList.load(der_bytes)
tbs_cert_list = new_cert_list['tbs_cert_list']
revoked_certificates = tbs_cert_list['revoked_certificates']
now = datetime.now(timezone.utc)
self.assertEqual('v3', tbs_cert_list['version'].native)
self.assertEqual('rsassa_pkcs1v15', tbs_cert_list['signature'].signature_algo)
self.assertEqual('sha256', tbs_cert_list['signature'].hash_algo)
self.assertEqual(crl_issuer_certificate.asn1.subject, tbs_cert_list['issuer'])
self.assertEqual(crl_issuer_certificate.asn1.subject.sha256, tbs_cert_list['issuer'].sha256)
self.assertGreaterEqual(now, tbs_cert_list['this_update'].native)
self.assertLess(now, tbs_cert_list['next_update'].native)
self.assertEqual(set(['issuing_distribution_point', 'delta_crl_indicator']), new_cert_list.critical_extensions)
self.assertEqual(0, len(revoked_certificates))
self.assertEqual(None, new_cert_list.issuer_alt_name_value)
self.assertEqual(50001, new_cert_list.crl_number_value.native)
self.assertEqual(50000, new_cert_list.delta_crl_indicator_value.native)
self.assertEqual('full_name', new_cert_list.issuing_distribution_point_value['distribution_point'].name)
self.assertEqual(
'uniform_resource_identifier',
new_cert_list.issuing_distribution_point_value['distribution_point'].chosen[0].name
)
self.assertEqual(
'http://crl.example.com/delta',
new_cert_list.issuing_distribution_point_value['distribution_point'].chosen[0].native
)
self.assertEqual(crl_issuer_certificate.asn1.key_identifier, new_cert_list.authority_key_identifier)
self.assertEqual([], new_cert_list.delta_crl_distribution_points)
self.assertEqual(['http://download.example.com/crl_issuer'], new_cert_list.issuer_cert_urls)
def test_build_delegated_good_response_cert_serial(self):
responder_key = asymmetric.load_private_key(
os.path.join(fixtures_dir, 'test-ocsp.key'), 'password')
responder_cert = asymmetric.load_certificate(
os.path.join(fixtures_dir, 'test-ocsp.crt'))
issuer_cert = asymmetric.load_certificate(
os.path.join(fixtures_dir, 'test.crt'))
subject_cert = asymmetric.load_certificate(
os.path.join(fixtures_dir, 'test-inter.crt'))
builder = OCSPResponseBuilder('successful', None, 'good')
builder.certificate_issuer = issuer_cert
builder.certificate_serial_number = subject_cert.asn1.serial_number
ocsp_response = builder.build(responder_key, responder_cert)
der_bytes = ocsp_response.dump()
new_response = asn1crypto.ocsp.OCSPResponse.load(der_bytes)
basic_response = new_response['response_bytes']['response'].parsed
response_data = basic_response['tbs_response_data']
self.assertEqual('sha256',
basic_response['signature_algorithm'].hash_algo)
self.assertEqual('rsassa_pkcs1v15',
basic_response['signature_algorithm'].signature_algo)
self.assertEqual('v1', response_data['version'].native)
self.assertEqual('by_key', response_data['responder_id'].name)
self.assertEqual(responder_cert.asn1.public_key.sha1,
response_data['responder_id'].chosen.native)
self.assertGreaterEqual(datetime.now(timezone.utc),
response_data['produced_at'].native)
self.assertEqual(1, len(response_data['responses']))
self.assertEqual(0, len(response_data['response_extensions']))
cert_response = response_data['responses'][0]
self.assertEqual(
'sha1',
cert_response['cert_id']['hash_algorithm']['algorithm'].native)
self.assertEqual(issuer_cert.asn1.subject.sha1,
cert_response['cert_id']['issuer_name_hash'].native)
self.assertEqual(issuer_cert.asn1.public_key.sha1,
cert_response['cert_id']['issuer_key_hash'].native)
self.assertEqual(subject_cert.asn1.serial_number,
cert_response['cert_id']['serial_number'].native)
self.assertEqual('good', cert_response['cert_status'].name)
self.assertGreaterEqual(datetime.now(timezone.utc),
cert_response['this_update'].native)
self.assertGreaterEqual(set(), cert_response.critical_extensions)
def test_build_delta_crl(self):
root_certificate = asymmetric.load_certificate(os.path.join(fixtures_dir, "root.crt"))
crl_issuer_private_key = asymmetric.load_private_key(
os.path.join(fixtures_dir, "crl_issuer.key"), "password123"
)
crl_issuer_certificate = asymmetric.load_certificate(os.path.join(fixtures_dir, "crl_issuer.crt"))
builder = CertificateListBuilder("http://crl.example.com/delta", crl_issuer_certificate, 50001)
builder.certificate_issuer = root_certificate
builder.issuer_certificate_url = "http://download.example.com/crl_issuer"
builder.delta_of = 50000
certificate_list = builder.build(crl_issuer_private_key)
der_bytes = certificate_list.dump()
new_cert_list = crl.CertificateList.load(der_bytes)
tbs_cert_list = new_cert_list["tbs_cert_list"]
revoked_certificates = tbs_cert_list["revoked_certificates"]
now = datetime.now(timezone.utc)
self.assertEqual("v3", tbs_cert_list["version"].native)
self.assertEqual("rsassa_pkcs1v15", tbs_cert_list["signature"].signature_algo)
self.assertEqual("sha256", tbs_cert_list["signature"].hash_algo)
self.assertEqual(crl_issuer_certificate.asn1.subject, tbs_cert_list["issuer"])
self.assertEqual(crl_issuer_certificate.asn1.subject.sha256, tbs_cert_list["issuer"].sha256)
self.assertGreaterEqual(now, tbs_cert_list["this_update"].native)
self.assertLess(now, tbs_cert_list["next_update"].native)
self.assertEqual(set(["issuing_distribution_point", "delta_crl_indicator"]), new_cert_list.critical_extensions)
self.assertEqual(0, len(revoked_certificates))
self.assertEqual(None, new_cert_list.issuer_alt_name_value)
self.assertEqual(50001, new_cert_list.crl_number_value.native)
self.assertEqual(50000, new_cert_list.delta_crl_indicator_value.native)
self.assertEqual("full_name", new_cert_list.issuing_distribution_point_value["distribution_point"].name)
self.assertEqual(
"uniform_resource_identifier",
new_cert_list.issuing_distribution_point_value["distribution_point"].chosen[0].name,
)
self.assertEqual(
"http://crl.example.com/delta",
new_cert_list.issuing_distribution_point_value["distribution_point"].chosen[0].native,
)
self.assertEqual(crl_issuer_certificate.asn1.key_identifier, new_cert_list.authority_key_identifier)
self.assertEqual([], new_cert_list.delta_crl_distribution_points)
self.assertEqual(["http://download.example.com/crl_issuer"], new_cert_list.issuer_cert_urls)
def setup(self, initial_data: dict = None):
"""
Receives a user certificate from the front end
"""
try:
certificate_hex = initial_data["certificate"]
except (TypeError, KeyError) as e:
raise InvalidParameter("Missing required parameter 'certificate'",
param="certificate") from e
try:
certificate = binascii.a2b_hex(certificate_hex)
except (TypeError, ValueError) as e:
raise InvalidParameter(
"Failed to decode parameter `certificate` from hex-encoding",
param="certificate") from e
try:
self._certificate_handle = load_certificate(certificate)
except ValueError as e:
raise InvalidParameter(
"Failed to recognize `certificate` as a supported certificate format",
param="certificate") from e
self.certificate = certificate
def get_responder_cert(self):
# User configured a loaded certificate
if isinstance(self.responder_cert, asymmetric.Certificate):
return self.responder_cert
responder_cert = self.get_responder_cert_data()
return load_certificate(responder_cert)
def test_signing():
"""Test the signing and verification functions."""
# Load the signature key
with open(os.path.join(TEST_DIR, "cert_test.p12"), "rb") as fp:
sign_key = Organization.load_key(fp.read(), "test")
with open(os.path.join(TEST_DIR, "cert_test_public.pem"), "rb") as fp:
verify_cert = asymmetric.load_certificate(fp.read())
# Test failure of signature verification
with pytest.raises(IntegrityError):
cms.verify_message(b"data", INVALID_DATA, None)
# Test signature without signed attributes
cms.sign_message(b"data",
digest_alg="sha256",
sign_key=sign_key,
use_signed_attributes=False)
# Test pss signature and verification
signature = cms.sign_message(b"data",
digest_alg="sha256",
sign_key=sign_key,
sign_alg="rsassa_pss")
cms.verify_message(b"data", signature, verify_cert)
# Test unsupported signature alg
with pytest.raises(AS2Exception):
cms.sign_message(b"data",
digest_alg="sha256",
sign_key=sign_key,
sign_alg="rsassa_pssa")
def load_key(key_str, key_pass):
""" Function to load password protected key file in p12 or pem format"""
try:
# First try to parse as a p12 file
key, cert, _ = asymmetric.load_pkcs12(key_str, key_pass)
except ValueError as e:
# If it fails due to invalid password raise error here
if e.args[0] == 'Password provided is invalid':
raise AS2Exception('Password not valid for Private Key.')
# if not try to parse as a pem file
key, cert = None, None
for kc in split_pem(key_str):
try:
cert = asymmetric.load_certificate(kc)
except (ValueError, TypeError):
try:
key = asymmetric.load_private_key(kc, key_pass)
except OSError:
raise AS2Exception(
'Invalid Private Key or password is not correct.')
if not key or not cert:
raise AS2Exception(
'Invalid Private key file or Public key not included.')
return key, cert
def from_certificate(
cls,
cert: "Union[bytes, Asn1CryptoCertificate, OsCryptoCertificate]"):
"""
Get personal info from an oscrypto/asn1crypto Certificate object
For a closer look at where the attributes come from:
asn1crypto.x509.NameType
"""
if isinstance(cert, bytes):
cert = load_certificate(cert)
cert: "Asn1CryptoCertificate" = getattr(cert, "asn1", cert)
subject = cert.subject.native
# ID codes usually given as PNO{EE,LT,LV}-XXXXXX.
# LV ID codes contain a dash so we need to be careful about it.
id_code = subject["serial_number"]
if id_code.startswith("PNO"):
prefix, id_code = id_code.split("-", 1) # pylint: disable=unused-variable
return cls(
country=subject["country_name"],
id_code=id_code,
given_name=subject["given_name"],
surname=subject["surname"],
asn1_certificate=cert,
)
def test_encryption():
"""Test the encryption and decryption functions."""
with open(os.path.join(TEST_DIR, "cert_test.p12"), "rb") as fp:
decrypt_key = Organization.load_key(fp.read(), "test")
with open(os.path.join(TEST_DIR, "cert_test_public.pem"), "rb") as fp:
encrypt_cert = asymmetric.load_certificate(fp.read())
with pytest.raises(DecryptionError):
cms.decrypt_message(INVALID_DATA, None)
# Test all the encryption algorithms
enc_algorithms = [
"rc2_128_cbc",
"rc4_128_cbc",
"aes_128_cbc",
"aes_192_cbc",
"aes_256_cbc",
]
for enc_algorithm in enc_algorithms:
encrypted_data = cms.encrypt_message(b"data", enc_algorithm, encrypt_cert)
_, decrypted_data = cms.decrypt_message(encrypted_data, decrypt_key)
assert decrypted_data == b"data"
# Test no encryption algorithm
with pytest.raises(AS2Exception):
cms.encrypt_message(b"data", "rc5_128_cbc", encrypt_cert)
# Test no encryption algorithm on decrypt
encrypted_data = cms.encrypt_message(b"data", "des_64_cbc", encrypt_cert)
with pytest.raises(AS2Exception):
cms.decrypt_message(encrypted_data, decrypt_key)
def test_cert_ec_attributes(self):
cert = asymmetric.load_certificate(
os.path.join(fixtures_dir, 'keys/test-ec-named.crt'))
self.assertEqual(256, cert.bit_size)
self.assertEqual(32, cert.byte_size)
self.assertEqual('secp256r1', cert.curve)
self.assertEqual('ec', cert.algorithm)
def get_responder_cert(self):
try:
pub = force_bytes(Certificate.objects.get(serial=self.responder_cert).pub)
except Certificate.DoesNotExist:
with open(self.responder_cert, 'rb') as stream:
pub = stream.read()
return load_certificate(pub)
def validate(self, msg, sig):
if self._cert is None:
raise CryptoException("Cannot validate: no certificate")
try:
oscrypto_asymmetric.rsa_pkcs1v15_verify(oscrypto_asymmetric.load_certificate(self._cert), sig, msg, "sha1")
except oscrypto_errors.SignatureError as err:
raise CryptoException("Cannot validate: %s" % (err))
def get_responder_cert(self):
if os.path.exists(self.responder_cert):
with open(self.responder_cert, 'rb') as stream:
responder_cert = stream.read()
else:
responder_cert = Certificate.objects.get(serial=self.responder_cert)
return load_certificate(responder_cert)
def convert_to_oscrypto(chain):
"""Converts a list of certs from OpenSSL.crypto.x509 to oscrypto._openssl.asymmetric.Certificate"""
l = []
for c in chain:
l.append(
asymmetric.load_certificate(
crypto.dump_certificate(crypto.FILETYPE_PEM, c)))
return l
def test_build_signed_request(self):
issuer_cert = asymmetric.load_certificate(
os.path.join(fixtures_dir, 'test.crt'))
subject_cert = asymmetric.load_certificate(
os.path.join(fixtures_dir, 'test-inter.crt'))
requestor_cert = asymmetric.load_certificate(
os.path.join(fixtures_dir, 'test-third.crt'))
requestor_key = asymmetric.load_private_key(
os.path.join(fixtures_dir, 'test-third.key'))
builder = OCSPRequestBuilder(subject_cert, issuer_cert)
ocsp_request = builder.build(requestor_key, requestor_cert,
[subject_cert, issuer_cert])
der_bytes = ocsp_request.dump()
new_request = asn1crypto.ocsp.OCSPRequest.load(der_bytes)
tbs_request = new_request['tbs_request']
signature = new_request['optional_signature']
self.assertEqual('sha256', signature['signature_algorithm'].hash_algo)
self.assertEqual('rsassa_pkcs1v15',
signature['signature_algorithm'].signature_algo)
self.assertEqual(3, len(signature['certs']))
self.assertEqual('v1', tbs_request['version'].native)
self.assertEqual(requestor_cert.asn1.subject,
tbs_request['requestor_name'].chosen)
self.assertEqual(1, len(tbs_request['request_list']))
request = tbs_request['request_list'][0]
self.assertEqual(
'sha1', request['req_cert']['hash_algorithm']['algorithm'].native)
self.assertEqual(issuer_cert.asn1.subject.sha1,
request['req_cert']['issuer_name_hash'].native)
self.assertEqual(issuer_cert.asn1.public_key.sha1,
request['req_cert']['issuer_key_hash'].native)
self.assertEqual(subject_cert.asn1.serial_number,
request['req_cert']['serial_number'].native)
self.assertEqual(0, len(request['single_request_extensions']))
self.assertEqual(1, len(tbs_request['request_extensions']))
extn = tbs_request['request_extensions'][0]
self.assertEqual('nonce', extn['extn_id'].native)
self.assertEqual(16, len(extn['extn_value'].parsed.native))
def verifycert(certificate,store,server=False):
# Load do cert ja feito
# DO OCSP para ver as crl
if server == False:
cert = oscrypto.load_certificate(openssl.dump_certificate(openssl.FILETYPE_ASN1, certificate))
issuer_cert = oscrypto.load_certificate(getIssuer(certificate))
ocsp_builder = OCSPRequestBuilder(cert, issuer_cert)
ocsp_request = ocsp_builder.build().dump()
CN = certificate.get_subject().commonName
if CN in ('Baltimore CyberTrust Root', 'ECRaizEstado'):
url = 'http://ocsp.omniroot.com/baltimoreroot/'
elif CN[:-4] == 'Cartao de Cidadao':
url = 'http://ocsp.ecee.gov.pt/'
elif CN[:-5] == 'EC de Autenticacao do Cartao de Cidadao':
url = 'http://ocsp.root.cartaodecidadao.pt/publico/ocsp'
else:
url = 'http://ocsp.auc.cartaodecidadao.pt/publico/ocsp'
http_req = urllib2.Request(
url,
data=ocsp_request,
headers={'Content-Type': 'application/ocsp-request'}
)
http = urllib2.urlopen(http_req)
ocsp_response = http.read()
ocsp_response = asn1crypto.ocsp.OCSPResponse.load(ocsp_response)
response_data = ocsp_response.basic_ocsp_response['tbs_response_data']
cert_response = response_data['responses'][0]
#print cert_response['cert_status'].name
if cert_response['cert_status'].name != 'good':
return False
try:
certV = openssl.X509StoreContext(store, certificate)
certV.verify_certificate()
except:
return False
return True
def test_build_revoked_no_reason(self):
issuer_key = asymmetric.load_private_key(os.path.join(fixtures_dir, 'test.key'))
issuer_cert = asymmetric.load_certificate(os.path.join(fixtures_dir, 'test.crt'))
subject_cert = asymmetric.load_certificate(os.path.join(fixtures_dir, 'test-inter.crt'))
revoked_time = datetime(2015, 9, 1, 12, 0, 0, tzinfo=timezone.utc)
builder = OCSPResponseBuilder('successful', subject_cert, 'revoked', revoked_time)
ocsp_response = builder.build(issuer_key, issuer_cert)
der_bytes = ocsp_response.dump()
new_response = asn1crypto.ocsp.OCSPResponse.load(der_bytes)
basic_response = new_response['response_bytes']['response'].parsed
response_data = basic_response['tbs_response_data']
cert_response = response_data['responses'][0]
self.assertEqual('revoked', cert_response['cert_status'].name)
self.assertEqual(revoked_time, cert_response['cert_status'].chosen['revocation_time'].native)
self.assertEqual('unspecified', cert_response['cert_status'].chosen['revocation_reason'].native)
def validateCert(store, cert, server=False):
if not server:
issuer = getIssuerCertificate(cert)
subject_cert = asymmetric.load_certificate(dumpCertificate(
cert, False))
issuer_cert = asymmetric.load_certificate(
dumpCertificate(issuer, False))
builder = OCSPRequestBuilder(subject_cert, issuer_cert)
ocsp_request_der = builder.build().dump()
cert_name = cert.get_subject().commonName
if cert_name in ('Baltimore CyberTrust Root', 'ECRaizEstado'):
ocsp_url = 'http://ocsp.omniroot.com/baltimoreroot/'
elif cert_name[:-4] == 'Cartao de Cidadao':
ocsp_url = 'http://ocsp.ecee.gov.pt/'
elif cert_name[:-5] == 'EC de Autenticacao do Cartao de Cidadao':
ocsp_url = 'http://ocsp.root.cartaodecidadao.pt/publico/ocsp'
else:
ocsp_url = 'http://ocsp.auc.cartaodecidadao.pt/publico/ocsp'
http_req = urllib2.Request(
ocsp_url,
data=ocsp_request_der,
headers={'Content-Type': 'application/ocsp-request'})
http = urllib2.urlopen(http_req)
ocsp_response_der = http.read()
ocsp_response = asn1crypto.ocsp.OCSPResponse.load(ocsp_response_der)
response_data = ocsp_response.basic_ocsp_response['tbs_response_data']
cert_response = response_data['responses'][0]
if cert_response['cert_status'].name != 'good':
return False
context_store = openssl.X509StoreContext(store, cert)
try:
context_store.verify_certificate()
return True
except:
return False
def ocsp_request(self):
"""
Generate an OCSP request or return an already cached request.
:return bytes: A binary representation of a
:class:`asn1crypto.ocsp.OCSPRequest` which is in turn represented
by a :class:`asn1crypto.core.Sequence`.
"""
ocsp_request_builder = ocspbuilder.OCSPRequestBuilder(
asymmetric.load_certificate(self.end_entity),
asymmetric.load_certificate(self.chain[-2]))
ocsp_request_builder.nonce = False
ocsp_request = ocsp_request_builder.build().dump()
# This data can be posted to the OCSP URI to debug further
if LOG.isEnabledFor(logging.DEBUG):
LOG.debug(
"Request data: \n%s",
pretty_base64(ocsp_request, line_len=75, prefix=" " * 36))
return ocsp_request
def validate(self, msg, sig):
if self._cert is None:
raise CryptoException('Cannot validate: no certificate')
try:
oscrypto_asymmetric.rsa_pkcs1v15_verify(
oscrypto_asymmetric.load_certificate(self._cert),
sig, msg, 'sha1')
except oscrypto_errors.SignatureError as err:
raise CryptoException('Cannot validate: {}'.format(err))
def generate_certificate(self, domain, save_model):
"""This function takes a domain name as a parameter and then creates
a certificate and key with the domain name (replacing dots
by underscores), finally signing the certificate using specified CA and
returns the path of key and cert files. If you are yet to generate a CA
then check the top comments"""
logger.info("SimpleCA: certificate creation request %s" % (domain,))
ca_private_key = asymmetric.load_private_key(
self.ca_key,
password=settings.CA_KEY_PASSWD)
ca_certificate = asymmetric.load_certificate(self.ca_crt)
end_entity_public_key, end_entity_private_key = \
asymmetric.generate_pair('rsa', bit_size=2048)
builder = CertificateBuilder(
{
'country_name': 'CR',
'state_or_province_name': 'San Jose',
'locality_name': 'Costa Rica',
'organization_name': save_model.name,
"organizational_unit_name": save_model.institution_unit,
'common_name': domain,
},
end_entity_public_key
)
now = timezone.now()
builder.issuer = ca_certificate
builder.begin_date = now
builder.end_date = now+timedelta(settings.CA_CERT_DURATION)
builder.key_usage = set(['digital_signature'])
end_entity_certificate = builder.build(ca_private_key)
# settings.CA_CERT_DURATION
server_public_key, server_private_key = \
asymmetric.generate_pair('rsa', bit_size=2048)
save_model.private_key = asymmetric.dump_private_key(
end_entity_private_key, None)
save_model.public_key = asymmetric.dump_public_key(
end_entity_public_key)
save_model.public_certificate = pem_armor_certificate(
end_entity_certificate)
save_model.server_sign_key = asymmetric.dump_private_key(
server_private_key, None)
save_model.server_public_key = asymmetric.dump_public_key(
server_public_key)
logger.debug("SimpleCA: New certificate for %s is %r" %
(domain, save_model.public_certificate))
return save_model
def test_build_basic_crl(self):
root_private_key = asymmetric.load_private_key(os.path.join(fixtures_dir, 'root.key'), 'password123')
root_certificate = asymmetric.load_certificate(os.path.join(fixtures_dir, 'root.crt'))
builder = CertificateListBuilder(
'http://crl.example.com',
root_certificate,
50000
)
revoked_at = datetime(2015, 8, 1, 12, 0, 0, tzinfo=timezone.utc)
builder.add_certificate(29232181, revoked_at, 'key_compromise')
certificate_list = builder.build(root_private_key)
der_bytes = certificate_list.dump()
new_cert_list = crl.CertificateList.load(der_bytes)
tbs_cert_list = new_cert_list['tbs_cert_list']
revoked_certificates = tbs_cert_list['revoked_certificates']
now = datetime.now(timezone.utc)
self.assertEqual('v3', tbs_cert_list['version'].native)
self.assertEqual('rsassa_pkcs1v15', tbs_cert_list['signature'].signature_algo)
self.assertEqual('sha256', tbs_cert_list['signature'].hash_algo)
self.assertEqual(root_certificate.asn1.subject, tbs_cert_list['issuer'])
self.assertEqual(root_certificate.asn1.subject.sha256, tbs_cert_list['issuer'].sha256)
self.assertGreaterEqual(now, tbs_cert_list['this_update'].native)
self.assertLess(now, tbs_cert_list['next_update'].native)
self.assertEqual(set(['issuing_distribution_point']), new_cert_list.critical_extensions)
self.assertEqual(1, len(revoked_certificates))
revoked_cert = revoked_certificates[0]
self.assertEqual(29232181, revoked_cert['user_certificate'].native)
self.assertEqual(revoked_at, revoked_cert['revocation_date'].native)
self.assertEqual(set(), revoked_cert.critical_extensions)
self.assertEqual('key_compromise', revoked_cert.crl_reason_value.native)
self.assertEqual(None, revoked_cert.invalidity_date_value)
self.assertEqual(None, revoked_cert.certificate_issuer_value)
self.assertEqual(None, revoked_cert.issuer_name)
self.assertEqual(None, new_cert_list.issuer_alt_name_value)
self.assertEqual(50000, new_cert_list.crl_number_value.native)
self.assertEqual(None, new_cert_list.delta_crl_indicator_value)
self.assertEqual('full_name', new_cert_list.issuing_distribution_point_value['distribution_point'].name)
self.assertEqual(
'uniform_resource_identifier',
new_cert_list.issuing_distribution_point_value['distribution_point'].chosen[0].name
)
self.assertEqual(
'http://crl.example.com',
new_cert_list.issuing_distribution_point_value['distribution_point'].chosen[0].native
)
self.assertEqual(root_certificate.asn1.key_identifier, new_cert_list.authority_key_identifier)
self.assertEqual(None, new_cert_list.freshest_crl_value)
self.assertEqual(None, new_cert_list.authority_information_access_value)
def isRevoked(url, rawCert):
subject_cert = asymmetric.load_certificate(base64.b64decode(rawCert))
builder = OCSPRequestBuilder(subject_cert, issuerCerts[url])
ocsp_request = builder.build()
url = urlparse(url)
headers = {}
conn = httplib.HTTPConnection(url.netloc)
conn.request("POST", url.path, ocsp_request.dump(), headers)
res = conn.getresponse().read()
ocspResponseClass = ocsp.OCSPResponse.load(res)
return (ocspResponseClass.response_data['responses'][0]['cert_status'].name != 'good')
def handle_ocsp_requests(caid):
# Import section (specifically for OCSP)
from asn1crypto.util import timezone
from asn1crypto.ocsp import OCSPRequest
from oscrypto import asymmetric
from ocspbuilder import OCSPResponseBuilder
# Getting CA information
key = Key.query.filter_by(ca=caid).first()
if not key:
abort(config.http_notfound, {"message": config.error_pkey_notfound})
private, public = key.dump(config.path_keys)
with open(private, "rb") as f:
issuer_key = asymmetric.load_private_key(f.read(), "testtest")
with open(public, "rb") as f:
issuer_cert = asymmetric.load_certificate(f.read())
# Parsing the OCSP request
ocsp = OCSPRequest.load(request.get_data())
tbs_request = ocsp['tbs_request']
request_list = tbs_request['request_list']
if len(request_list) != 1:
abort(config.http_notimplemented,
{"message": config.error_multiple_requests})
single_request = request_list[0] # TODO: Support more than one request
req_cert = single_request['req_cert']
serial = hex(req_cert['serial_number'].native)[2:]
# Getting certificate
cert = Certificate.query.filter_by(serial=serial).first()
if not cert:
abort(config.http_notfound, {"message": config.error_cert_notfound})
cert_path = cert.dump(config.path_keys)
with open(cert_path, "rb") as f:
subject_cert = asymmetric.load_certificate(f.read())
# A response for a certificate in good standing
builder = OCSPResponseBuilder(u'successful', subject_cert, u'good')
ocsp_response = builder.build(issuer_key, issuer_cert)
return ocsp_response.dump()
def test_build_no_certificate(self):
issuer_key = asymmetric.load_private_key(os.path.join(fixtures_dir, 'test.key'))
issuer_cert = asymmetric.load_certificate(os.path.join(fixtures_dir, 'test.crt'))
subject_cert = asymmetric.load_certificate(os.path.join(fixtures_dir, 'test-inter.crt'))
with self.assertRaisesRegexp(ValueError, 'must be set if the response_status is "successful"'):
builder = OCSPResponseBuilder('successful', subject_cert, 'good')
builder.certificate = None
ocsp_response = builder.build(issuer_key, issuer_cert)
with self.assertRaisesRegexp(ValueError, 'must be set if the response_status is "successful"'):
builder = OCSPResponseBuilder('successful', subject_cert, 'good')
builder.certificate_status = None
ocsp_response = builder.build(issuer_key, issuer_cert)
with self.assertRaisesRegexp(ValueError, 'must be set if the response_status is "successful"'):
builder = OCSPResponseBuilder('successful', subject_cert)
ocsp_response = builder.build(issuer_key, issuer_cert)
with self.assertRaisesRegexp(ValueError, 'must be set if the response_status is "successful"'):
builder = OCSPResponseBuilder('successful', None, 'good')
ocsp_response = builder.build(issuer_key, issuer_cert)
def test_build_basic_crl(self):
root_private_key = asymmetric.load_private_key(os.path.join(fixtures_dir, "root.key"), "password123")
root_certificate = asymmetric.load_certificate(os.path.join(fixtures_dir, "root.crt"))
builder = CertificateListBuilder("http://crl.example.com", root_certificate, 50000)
revoked_at = datetime(2015, 8, 1, 12, 0, 0, tzinfo=timezone.utc)
builder.add_certificate(29232181, revoked_at, "key_compromise")
certificate_list = builder.build(root_private_key)
der_bytes = certificate_list.dump()
new_cert_list = crl.CertificateList.load(der_bytes)
tbs_cert_list = new_cert_list["tbs_cert_list"]
revoked_certificates = tbs_cert_list["revoked_certificates"]
now = datetime.now(timezone.utc)
self.assertEqual("v3", tbs_cert_list["version"].native)
self.assertEqual("rsassa_pkcs1v15", tbs_cert_list["signature"].signature_algo)
self.assertEqual("sha256", tbs_cert_list["signature"].hash_algo)
self.assertEqual(root_certificate.asn1.subject, tbs_cert_list["issuer"])
self.assertEqual(root_certificate.asn1.subject.sha256, tbs_cert_list["issuer"].sha256)
self.assertGreaterEqual(now, tbs_cert_list["this_update"].native)
self.assertLess(now, tbs_cert_list["next_update"].native)
self.assertEqual(set(["issuing_distribution_point"]), new_cert_list.critical_extensions)
self.assertEqual(1, len(revoked_certificates))
revoked_cert = revoked_certificates[0]
self.assertEqual(29232181, revoked_cert["user_certificate"].native)
self.assertEqual(revoked_at, revoked_cert["revocation_date"].native)
self.assertEqual(set(), revoked_cert.critical_extensions)
self.assertEqual("key_compromise", revoked_cert.crl_reason_value.native)
self.assertEqual(None, revoked_cert.invalidity_date_value)
self.assertEqual(None, revoked_cert.certificate_issuer_value)
self.assertEqual(None, revoked_cert.issuer_name)
self.assertEqual(None, new_cert_list.issuer_alt_name_value)
self.assertEqual(50000, new_cert_list.crl_number_value.native)
self.assertEqual(None, new_cert_list.delta_crl_indicator_value)
self.assertEqual("full_name", new_cert_list.issuing_distribution_point_value["distribution_point"].name)
self.assertEqual(
"uniform_resource_identifier",
new_cert_list.issuing_distribution_point_value["distribution_point"].chosen[0].name,
)
self.assertEqual(
"http://crl.example.com",
new_cert_list.issuing_distribution_point_value["distribution_point"].chosen[0].native,
)
self.assertEqual(root_certificate.asn1.key_identifier, new_cert_list.authority_key_identifier)
self.assertEqual(None, new_cert_list.freshest_crl_value)
self.assertEqual(None, new_cert_list.authority_information_access_value)
def __init__(self, issuer_cert: str, responder_cert: str, responder_key: str,
validate_func: ValidateFunc, cert_retrieve_func: CertRetrieveFunc,
next_update_days: int = 7):
"""
Create a new OCSPResponder instance.
:param issuer_cert: Path to the issuer certificate.
:param responder_cert: Path to the certificate of the OCSP responder
with the `OCSP Signing` extension.
:param responder_key: Path to the private key belonging to the
responder cert.
:param validate_func: A function that - given a certificate serial -
will return the appropriate :class:`CertificateStatus` and -
depending on the status - a revocation datetime.
:param cert_retrieve_func: A function that - given a certificate serial -
will return the corresponding certificate as a string.
:param next_update_days: The ``nextUpdate`` value that will be written
into the response. Default: 7 days.
"""
# Certs and keys
self._issuer_cert = asymmetric.load_certificate(issuer_cert)
self._responder_cert = asymmetric.load_certificate(responder_cert)
self._responder_key = asymmetric.load_private_key(responder_key)
# Functions
self._validate = validate_func
self._cert_retrieve = cert_retrieve_func
# Next update
self._next_update_days = next_update_days
# Bottle
self._app = Bottle()
# Initialize routing
self._route()
# coding: utf-8
from __future__ import unicode_literals, division, absolute_import, print_function
import os
from oscrypto import asymmetric
from certbuilder import CertificateBuilder
fixtures_dir = os.path.join(os.path.dirname(__file__), '..', 'tests', 'fixtures')
root_ca_private_key = asymmetric.load_private_key(os.path.join(fixtures_dir, 'test.key'))
root_ca_certificate = asymmetric.load_certificate(os.path.join(fixtures_dir, 'test.crt'))
root_ocsp_public_key, root_ocsp_private_key = asymmetric.generate_pair('rsa', bit_size=2048)
with open(os.path.join(fixtures_dir, 'test-ocsp.key'), 'wb') as f:
f.write(asymmetric.dump_private_key(root_ocsp_private_key, 'password', target_ms=20))
builder = CertificateBuilder(
{
'country_name': 'US',
'state_or_province_name': 'Massachusetts',
'locality_name': 'Newbury',
'organization_name': 'Codex Non Sufficit LC',
'organization_unit_name': 'Testing',
'common_name': 'CodexNS OCSP Responder',
},
root_ocsp_public_key
)
def test_dump_certificate(self):
cert = asymmetric.load_certificate(os.path.join(fixtures_dir, 'keys/test.crt'))
pem_serialized = asymmetric.dump_certificate(cert)
cert_reloaded = asymmetric.load_certificate(pem_serialized)
self.assertIsInstance(cert_reloaded, asymmetric.Certificate)
self.assertEqual('rsa', cert_reloaded.algorithm)
def test_cert_ec_attributes(self):
cert = asymmetric.load_certificate(os.path.join(fixtures_dir, 'keys/test-ec-named.crt'))
self.assertEqual(256, cert.bit_size)
self.assertEqual(32, cert.byte_size)
self.assertEqual('secp256r1', cert.curve)
self.assertEqual('ec', cert.algorithm)
def _build_ocsp_response(self, ocsp_request: OCSPRequest) -> OCSPResponse:
"""
Create and return an OCSP response from an OCSP request.
"""
# Get the certificate serial
tbs_request = ocsp_request['tbs_request']
request_list = tbs_request['request_list']
if len(request_list) != 1:
logger.warning('Received OCSP request with multiple sub requests')
raise NotImplemented('Combined requests not yet supported')
single_request = request_list[0] # TODO: Support more than one request
req_cert = single_request['req_cert']
serial = req_cert['serial_number'].native
# Check certificate status
try:
certificate_status, revocation_date = self._validate(serial)
except Exception as e:
logger.exception('Could not determine certificate status: %s', e)
return self._fail(ResponseStatus.internal_error)
# Retrieve certificate
try:
subject_cert_contents = self._cert_retrieve(serial)
except Exception as e:
logger.exception('Could not retrieve certificate with serial %s: %s', serial, e)
return self._fail(ResponseStatus.internal_error)
# Parse certificate
try:
subject_cert = asymmetric.load_certificate(subject_cert_contents.encode('utf8'))
except Exception as e:
logger.exception('Returned certificate with serial %s is invalid: %s', serial, e)
return self._fail(ResponseStatus.internal_error)
# Build the response
builder = OCSPResponseBuilder(**{
'response_status': ResponseStatus.successful.value,
'certificate': subject_cert,
'certificate_status': certificate_status.value,
'revocation_date': revocation_date,
})
# Parse extensions
for extension in tbs_request['request_extensions']:
extn_id = extension['extn_id'].native
critical = extension['critical'].native
value = extension['extn_value'].parsed
# This variable tracks whether any unknown extensions were encountered
unknown = False
# Handle nonce extension
if extn_id == 'nonce':
builder.nonce = value.native
# That's all we know
else:
unknown = True
# If an unknown critical extension is encountered (which should not
# usually happen, according to RFC 6960 4.1.2), we should throw our
# hands up in despair and run.
if unknown is True and critical is True:
logger.warning('Could not parse unknown critical extension: %r',
dict(extension.native))
return self._fail(ResponseStatus.internal_error)
# If it's an unknown non-critical extension, we can safely ignore it.
elif unknown is True:
logger.info('Ignored unknown non-critical extension: %r', dict(extension.native))
# Set certificate issuer
builder.certificate_issuer = self._issuer_cert
# Set next update date
builder.next_update = datetime.now(timezone.utc) + timedelta(days=self._next_update_days)
return builder.build(self._responder_key, self._responder_cert)
def test_cert_attributes(self):
cert = asymmetric.load_certificate(os.path.join(fixtures_dir, 'keys/test.crt'))
self.assertEqual(2048, cert.bit_size)
self.assertEqual(256, cert.byte_size)
self.assertEqual('rsa', cert.algorithm)
def get_ocsp_response(self, data):
try:
ocsp_request = asn1crypto.ocsp.OCSPRequest.load(data)
tbs_request = ocsp_request['tbs_request']
request_list = tbs_request['request_list']
if len(request_list) != 1:
log.error('Received OCSP request with multiple sub requests')
raise NotImplemented('Combined requests not yet supported')
single_request = request_list[0] # TODO: Support more than one request
req_cert = single_request['req_cert']
serial = serial_from_int(req_cert['serial_number'].native)
except Exception as e:
log.exception('Error parsing OCSP request: %s', e)
return self.fail('malformed_request')
ca = CertificateAuthority.objects.get(serial=self.ca_serial)
try:
cert = Certificate.objects.filter(ca=ca).get(serial=serial)
except Certificate.DoesNotExist:
log.warn('OCSP request for unknown cert received.')
return self.fail('internal_error') # TODO: return a 'unkown' response instead
builder = OCSPResponseBuilder(
response_status='successful', # ResponseStatus.successful.value,
certificate=load_certificate(force_bytes(cert.pub)),
certificate_status=cert.ocsp_status,
revocation_date=cert.revoked_date,
)
# Parse extensions
for extension in tbs_request['request_extensions']:
extn_id = extension['extn_id'].native
critical = extension['critical'].native
value = extension['extn_value'].parsed
# This variable tracks whether any unknown extensions were encountered
unknown = False
# Handle nonce extension
if extn_id == 'nonce':
builder.nonce = value.native
# That's all we know
else:
unknown = True
# If an unknown critical extension is encountered (which should not
# usually happen, according to RFC 6960 4.1.2), we should throw our
# hands up in despair and run.
if unknown is True and critical is True:
log.warning('Could not parse unknown critical extension: %r',
dict(extension.native))
return self._fail('internal_error')
# If it's an unknown non-critical extension, we can safely ignore it.
elif unknown is True:
log.info('Ignored unknown non-critical extension: %r', dict(extension.native))
builder.certificate_issuer = load_certificate(force_bytes(ca.pub))
builder.next_update = timezone.now() + timedelta(days=1)
responder_cert = self.get_responder_cert()
return builder.build(self.responder_key, responder_cert)
def load_cert(name):
return asymmetric.load_certificate(path.join(
certs_dir,
'{}.crt'.format(name)
))
from oscrypto import asymmetric from ocspbuilder import OCSPRequestBuilder from pyasn1_modules.rfc2560 import OCSPResponse, BasicOCSPResponse from OpenSSL import crypto import OpenSSL id_cert_path = 'certs/pem/citi.co.in.pem' issuer_cert_path = 'certs/pem/citi.intermediate.ca.pem' id_cert_buf = open(id_cert_path, 'r').read() issuer_cert_buf = open(issuer_cert_path, 'r').read() id_cert = asymmetric.load_certificate(id_cert_buf) issuer_cert = asymmetric.load_certificate(issuer_cert_buf) id_cert_filebuf = open(id_cert_path, 'r').read() id_cert_x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, id_cert_filebuf) #print dir(id_cert_x509) #print id_cert_x509.get_serial_number() id_cert_serial_number = format(id_cert_x509.get_serial_number(), 'x') print "Checking OCSP status for cert : " + id_cert_serial_number print '\n' builder = OCSPRequestBuilder(id_cert, issuer_cert) ocsp_request = builder.build() #print type(ocsp_request) ocsp_req_dump = ocsp_request.dump()
