def signTBSCert(self, tbsCert, h=None):
"""
Note that this will always copy the signature field from the
tbsCertificate into the signatureAlgorithm field of the result,
regardless of the coherence between its contents (which might
indicate ecdsa-with-SHA512) and the result (e.g. RSA signing MD2).
There is a small inheritance trick for the computation of sigVal
below: in order to use a sign() method which would apply
to both PrivKeyRSA and PrivKeyECDSA, the sign() methods of the
subclasses accept any argument, be it from the RSA or ECDSA world,
and then they keep the ones they're interested in.
Here, t will be passed eventually to pkcs1._DecryptAndSignRSA.sign(),
while sigencode will be passed to ecdsa.keys.SigningKey.sign().
"""
sigAlg = tbsCert.signature
h = h or hash_by_oid[sigAlg.algorithm.val]
sigVal = self.sign(str(tbsCert),
h=h,
t='pkcs',
sigencode=ecdsa.util.sigencode_der)
c = X509_Cert()
c.tbsCertificate = tbsCert
c.signatureAlgorithm = sigAlg
c.signatureValue = ASN1_BIT_STRING(sigVal, readable=True)
return c
class IKEv2_payload_CERT_CRT(IKEv2_payload_CERT):
name = "IKEv2 Certificate"
fields_desc = [
ByteEnumField("next_payload", None, IKEv2_payload_type),
ByteField("res", 0),
FieldLenField("length", None, "x509Cert", "H", adjust=lambda pkt, x: x + len(pkt.x509Cert) + 5),
ByteEnumField("cert_type", 4, IKEv2CertificateEncodings),
PacketLenField("x509Cert", X509_Cert(''), X509_Cert, length_from=lambda x:x.length - 5),
]
def __call__(cls, cert_path):
obj = _PKIObjMaker.__call__(cls, cert_path,
_MAX_CERT_SIZE, "CERTIFICATE")
obj.__class__ = Cert
try:
cert = X509_Cert(obj.der)
except:
raise Exception("Unable to import certificate")
obj.import_from_asn1pkt(cert)
return obj
def xxx_scan_certificates(self, target, starttls=None, test_params=None):
"""Plugin for identyfing server certificates in DTLS"""
# with open("512b-dsa-example-cert.der", "r") as file_handle:
# test_packet = file_handle.read().strip()
# print("Test packet = ")
# print(test_packet)
# print("==============")
test_packet = "123123123"
# print("_scan_certificates")
pkt_hello = DTLSRecord(
sequence=0,
content_type=TLSContentType.HANDSHAKE,
version=ENUM_DTLS_VERSIONS.DTLS_1_1,
) / DTLSHandshakes(handshakes=[
DTLSHandshake(fragment_offset=0) / DTLSClientHello(
version=ENUM_DTLS_VERSIONS.DTLS_1_1,
cipher_suites=list(range(0xFE))[::-1],
compression_methods=0,
)
])
pkt = DTLSRecord(
sequence=0,
content_type=TLSContentType.HANDSHAKE,
version=ENUM_DTLS_VERSIONS.DTLS_1_1,
) / DTLSHandshakes(handshakes=[
DTLSHandshake(fragment_offset=0) / TLSCertificateList() /
TLS13Certificate(
certificates=[TLSCertificate(data=X509_Cert(test_packet))],
length=600,
)
])
# show_verbose(test_params, pkt)
print(pkt)
try:
client = DTLSClient(target,
starttls=starttls,
test_params=test_params)
pkt_hello[DTLSClientHello].cookie = client.cookie
pkt_hello[DTLSClientHello].cookie_length = client.cookie_length
sent_time = test_params.report_sent_packet()
client.sendall(pkt_hello)
resp = client.recvall(timeout=0.1)
test_params.report_received_packet(sent_time)
sent_time = test_params.report_sent_packet()
client.sendall(pkt)
resp = client.recvall(timeout=0.5)
test_params.report_received_packet(sent_time)
self.capabilities.insert(resp, client=False)
except socket.error as sock_err:
print(repr(sock_err))
def __init__(self, ip, port):
TorSocket.__init__(self)
self.get_socket().connect((ip, port))
self.sock = ssl.wrap_socket(self.get_socket(), ssl_version=SSL_VERSION)
self.peer_sslcertificate = X509_Cert(
self.sock.getpeercert(binary_form=True))