def __load_cert(self): """Recovery the website certificate and its public key""" conn = ssl.create_connection((self.hostname, self.port_number)) context = ssl.SSLContext(ssl.PROTOCOL_TLS) sock = context.wrap_socket(conn, server_hostname=self.hostname) self.pem_data = ssl.DER_cert_to_PEM_cert(sock.getpeercert(True)) self.certOpenSSL = crypto.load_certificate(crypto.FILETYPE_PEM, self.pem_data) self.certificate = self.certOpenSSL.to_cryptography() self.pubKey = self.certificate.public_key()
def x5c_to_pems(x5c): """ Takes a x5c value from a JWK and converts it into a list of PEM formated certificates. :param x5c: List of strings :return: """ return [ ssl.DER_cert_to_PEM_cert(d) for d in [base64.b64decode(x) for x in [as_bytes(y) for y in x5c]] ]
def handleEvent(self, event): eventName = event.eventType srcModuleName = event.module eventData = event.data self.sf.debug("Received event, " + eventName + ", from " + srcModuleName) if eventName == "LINKED_URL_INTERNAL": fqdn = self.sf.urlFQDN(eventData.lower()) else: fqdn = eventData if fqdn not in self.results: self.results[fqdn] = True else: return None if not eventData.lower().startswith( "https://") and not self.opts['tryhttp']: return None self.sf.debug("Testing SSL for: " + eventData) # Re-fetch the certificate from the site and process try: s = socket.socket() s.settimeout(int(self.opts['ssltimeout'])) s.connect((fqdn, 443)) sock = ssl.wrap_socket(s) sock.do_handshake() rawcert = sock.getpeercert(True) cert = ssl.DER_cert_to_PEM_cert(rawcert) m2cert = M2Crypto.X509.load_cert_string( str(cert).replace('\r', '')) except BaseException as x: self.sf.info("Unable to SSL-connect to " + fqdn) return None # Generate the event for the raw cert (in text form) # Cert raw data text contains a lot of gems.. rawevt = SpiderFootEvent("SSL_CERTIFICATE_RAW", m2cert.as_text().encode('raw_unicode_escape'), self.__name__, event) self.notifyListeners(rawevt) # Generate events for other cert aspects self.getIssued(m2cert, event) self.getIssuer(m2cert, event) self.checkHostMatch(m2cert, fqdn, event) try: self.checkExpiry(m2cert, event) except M2Crypto.X509.X509Error as e: self.sf.error("Error processing certificate: " + str(e), False)
def _dump_ssl_info(self, cert, cert_der, cipher): '''Dump X509 certificate.''' res = '\n== Certificate information ==\n' res += pformat(cert) res += '\n\n== Used cipher ==\n' + pformat(cipher) res += '\n\n== Certificate dump ==\n' + \ ssl.DER_cert_to_PEM_cert(cert_der) # Indent res = res.replace('\n', '\n ') res = ' ' + res return res
def pair_client(clientsocket, q): print "wants to pair" mycert = open(os.path.join(configmanager.keydir, "server.crt"), "r").read() secure_port = str(configmanager.secure_port) myder_cert = ssl.PEM_cert_to_DER_cert(mycert) m = hashlib.sha256(myder_cert) myfp = m.hexdigest().upper() myfp = " ".join(myfp[i:i + 4] for i in range(0, len(myfp), 4)) print "\nMy SHA256: " + myfp #send my certiuficate clientsocket.sendall(myder_cert.encode('base64')) #receive client Certificate clientcert = clientsocket.recv(2048) m = hashlib.sha256(clientcert) devicefp = m.hexdigest().upper() devicefp = " ".join(devicefp[i:i + 4] for i in range(0, len(devicefp), 4)) print "\nClient SHA256: " + devicefp if (q): #GUI q.put([myfp, devicefp]) vout = q.get(True) else: #CMDLine only vout = raw_input("Do they match?(yes/no)\n") if (vout.strip().lower() == "yes"): clientsocket.sendall(secure_port + "\n") else: clientsocket.sendall("0\n") pass print "wait for Device..." ack = clientsocket.recv(2) if (ack == "OK"): #save pub key with open(os.path.join(configmanager.keydir, "cas.pem"), 'a') as the_file: the_file.write(ssl.DER_cert_to_PEM_cert(clientcert)) if (q): q.put(1) restart_server() print "Successfully paired the Device!" else: if (q): q.put(0) print "Failed to pair Device."
def start_tcp(self): self.connection_msg = self.host + ':%d' % self.port if self.proxy is not None: socks.setdefaultproxy(self.proxy_mode, self.proxy["host"], int(self.proxy["port"])) socket.socket = socks.socksocket # prevent dns leaks, see http://stackoverflow.com/questions/13184205/dns-over-proxy def getaddrinfo(*args): return [(socket.AF_INET, socket.SOCK_STREAM, 6, '', (args[0], args[1]))] socket.getaddrinfo = getaddrinfo if self.use_ssl: cert_path = os.path.join(self.config.path, 'certs', self.host) if not os.path.exists(cert_path): is_new = True # get server certificate. # Do not use ssl.get_server_certificate because it does not work with proxy s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: s.connect((self.host, self.port)) except: # print_error("failed to connect", self.host, self.port) return try: s = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_SSLv3, cert_reqs=ssl.CERT_NONE, ca_certs=None) except ssl.SSLError, e: print_error("SSL error:", self.host, e) return dercert = s.getpeercert(True) s.close() cert = ssl.DER_cert_to_PEM_cert(dercert) # workaround android bug cert = re.sub("([^\n])-----END CERTIFICATE-----", "\\1\n-----END CERTIFICATE-----", cert) temporary_path = cert_path + '.temp' with open(temporary_path, "w") as f: f.write(cert) else: is_new = False
def test_crl_distribution_list(website_addr, crl_distribution_list, HTTPS_PORT=443, crl_failure_is_invalid=False): ''' There can be multiple crls for a cert we should check at least one that works if one fails move on to the next if none work we return True or False based on value of crl_distribution_list ''' hostname = extract_hostname(website_addr) CRL_DISTRIBUTION_SUCCESS = False for crl_distribution in crl_distribution_list: try: raw_crl = urllib.request.urlopen(crl_distribution, timeout=5) if raw_crl.status != 200: raise else: with open('.crl_file.pem', 'w') as crl_file: crl_file.write( ssl.DER_cert_to_PEM_cert(raw_crl.read()).replace( 'CERTIFICATE', 'X509 CRL')) CRL_DISTRIBUTION_SUCCESS = True break except Exception: logging.Warning( f'issue with {crl_distribution} trying next distribution') if not CRL_DISTRIBUTION_SUCCESS and crl_failure_is_invalid: return False ssl_context = ssl.create_default_context() ssl_context.load_verify_locations(cafile='.crl_file.pem') os.remove('.crl_file.pem') ''' VERIFY_CRL_CHECK_LEAF means we only check the first CRL We dont go all the way down the chain and check the CRL on each link. Its slow enough with just the leaf. ''' ssl_context.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF sock = ssl_context.wrap_socket(socket.socket(), server_hostname=hostname, do_handshake_on_connect=False) sock.connect((hostname, HTTPS_PORT)) try: sock.do_handshake() except ssl.SSLError: return False except ssl.CertificateError: return False return True
def main(): log('Type hostname to scan that hostname (example: goo.gl fb.me etc)') log('Type exit to exit\n') host = str('74.125.24.100') port = int('443') while True: server_name_indications = re.sub(r'\s+', ' ', str(input(':: '))).split(' ') print() if len(server_name_indications) == 1 and app.xstrip( server_name_indications[0]) == '': continue if len(server_name_indications) == 1 and app.xstrip( server_name_indications[0]) == 'exit': break for i in range(len(server_name_indications)): try: server_name_indication = app.xstrip(server_name_indications[i]) if not server_name_indication: continue socket_tunnel = socket.socket(socket.AF_INET, socket.SOCK_STREAM) socket_tunnel.settimeout(3) log('Connecting to {host} port {port}'.format(host=host, port=port)) socket_tunnel.connect((host, port)) log('Server name indication: {server_hostname}'.format( server_hostname=server_name_indication)) socket_tunnel = ssl.SSLContext( ssl.PROTOCOL_TLSv1_2).wrap_socket( socket_tunnel, server_hostname=server_name_indication, do_handshake_on_connect=True) certificate = ssl.DER_cert_to_PEM_cert( socket_tunnel.getpeercert(True)).splitlines() certificate = '\n'.join(certificate[:13] + certificate[-13:]) log('Certificate: \n\n{}\n'.format(certificate)) log('Connection established') log('[Y1]Connected', status_color='[Y1]') except socket.timeout: log('[R1]Connection timeout', status_color='[R1]') except socket.error: log('[R1]Connection closed', status_color='[R1]') finally: socket_tunnel.close() print()
def stream_state_changed(self, state, arg): """This one is called when the state of stream connecting the component to a server changes. This will usually be used to let the user know what is going on.""" if state == 'fully connected': self.disconnect() if state != 'tls connected': return cert = self.stream.tls.getpeercert(True) pem_cert = ssl.DER_cert_to_PEM_cert(cert).strip() if pem_cert[-len(ssl.PEM_FOOTER) - 1:len(ssl.PEM_FOOTER)] != '\n': # Python 2.6.4 but workaround pem_cert = pem_cert[:-len(ssl.PEM_FOOTER)] + "\n" + ssl.PEM_FOOTER print pem_cert
def is_cert_cn_not_equal_to_site(site: str, port: int = PORT) -> bool: """ Check if certificate Common Name (CN) is different from given sitename. Name in certificate should be coherent with organization name, see `REQ. 093 <https://fluidattacks.com/web/rules/093/>`_ :param site: Site address. :param port: Port to connect to. """ result = True try: with connect(site, port=port) as conn: __cert = conn.session.serverCertChain.x509List[0].bytes cert = ssl.DER_cert_to_PEM_cert(__cert) except socket.error: show_unknown('Port closed', details=dict(site=site, port=port)) return False except tlslite.errors.TLSRemoteAlert as exc: show_unknown('Could not connect', details=dict(site=site, port=port, error=str(exc).replace(':', ','))) return False except (tlslite.errors.TLSLocalAlert): show_unknown('Port doesn\'t support SSL', details=dict(site=site, port=port)) return False cert_obj = load_pem_x509_certificate(cert.encode('utf-8'), default_backend()) cert_cn = \ cert_obj.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[ 0].value.lower() wc_cert = '*.' + site.lower() domain = 'NONE' if cert_cn.startswith('*.'): domain = '.' + cert_cn.split('*.')[1].lower() if (site.lower() != cert_cn and wc_cert != cert_cn and not site.endswith(domain)): show_open('{} CN not equals to site'.format(cert_cn), details=dict(site=site, port=port, cn=cert_cn)) result = True else: show_close('{} CN equals to site'.format(cert_cn), details=dict(site=site, port=port, cn=cert_cn)) result = False return result
def ssl_coro(): try: transp, prot = yield from ssl_connect_routine except ssl.SSLError as e: log.debug('SSL: Unable to connect', exc_info=True) log.error('CERT: Invalid certificate trust chain.') if not self.event_handled('ssl_invalid_chain'): self.disconnect() else: self.event('ssl_invalid_chain', e) else: der_cert = transp.get_extra_info("socket").getpeercert(True) pem_cert = ssl.DER_cert_to_PEM_cert(der_cert) self.event('ssl_cert', pem_cert)
def ssl_verify(): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) wrappedSocket = ssl.wrap_socket( sock, cert_reqs=ssl.CERT_REQUIRED, ca_certs='/etc/ssl/certs/ca-certificates.crt') try: wrappedSocket.connect((sys.argv[1], 443)) except: response = False else: pem_cert = ssl.DER_cert_to_PEM_cert(wrappedSocket.getpeercert(True)) wrappedSocket.close() print '-----------------ssl--------------------'
def _process_input(self, address): '''Processing address''' result = { 'address': address, 'cert_pem': None, 'cert_data': None, 'not_after': None, 'errors': [], } try: # Canary request the server certificate in PEM and ensure host is ok # TODO: that will be better to decode the cert and show info for the user # but looks like it's hard without the additional (not-builtin) modules sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) ssl_sock = self._ctx_canary.wrap_socket(sock, server_hostname=address[0]) ssl_sock.connect(address) # Getting only PEM, because data requires validation of the cert result['cert_pem'] = ssl.DER_cert_to_PEM_cert( ssl_sock.getpeercert(True)) ssl_sock.close() # Connect using socket to validate cert and get parsed cert sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) ssl_sock = self._ctx.wrap_socket(sock, server_hostname=address[0]) try: ssl_sock.connect(address) result['cert_data'] = ssl_sock.getpeercert() result['not_after'] = datetime.strptime( result['cert_data']['notAfter'], self._dtformat) except ssl.SSLError as e: # In case the certificate is invalid if self._cfg.verbose: eprint('DEBUG: SSL error for address', address, e) result['errors'].append(e) finally: ssl_sock.close() except IOError as e: # Catch timeout or dns resolution error if self._cfg.verbose: eprint('DEBUG: Connection issue to', address, e) result['errors'].append(e) except Exception as e: if self._cfg.verbose: eprint('DEBUG: Unknown exception during connection', address, e) result['errors'].append(e) return result
def validatecertificatesignature(self, signed_cert, signing_cert): """Given a cert signed by another cert, validates the signature.""" # First the naive way -- note this does not check expiry / use etc. cert_signing = x509.load_pem_x509_certificate( ssl.DER_cert_to_PEM_cert( der_encoder.encode(signing_cert)).encode(), default_backend()) public_key = cert_signing.public_key() der_cert = der_encoder.encode(signed_cert) cert_signed = x509.load_pem_x509_certificate( ssl.DER_cert_to_PEM_cert(der_cert).encode(), default_backend()) data = cert_signed.tbs_certificate_bytes signature = cert_signed.signature new_api = hasattr(public_key, "verify") if not new_api: verifier = public_key.verifier( signature, padding.PKCS1v15(), cert_signed.signature_hash_algorithm) try: verifier.update(data) verifier.verify() except: raise Asn1Error('1: Validation of cert signature failed.') else: try: verifier = public_key.verify( signature, data, padding.PKCS1v15(), cert_signed.signature_hash_algorithm) # verifier.update(data) # verifier.verify() except: raise Asn1Error('1: Validation of cert signature failed.')
def authSession(connection, code): cert = str( ssl.DER_cert_to_PEM_cert( connection.handler.socket.getpeercert(True))).rstrip() #Some machines already have the \n.. I can't even...wha?? if '\n-----END CERTIFICATE-----' not in cert: cert = cert.replace('-----END CERTIFICATE-----', '\n-----END CERTIFICATE-----') signature = hmac.new(code, cert, hashlib.sha1).hexdigest() authCommand = "SESSION|AUTH|%s|END" % signature print "SENDING:", authCommand connection.handler.push(authCommand)
def verify(self, der_cert): pem_cert = ssl.DER_cert_to_PEM_cert(der_cert) pk = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, pem_cert).get_pubkey() pk_str = OpenSSL.crypto.dump_publickey(OpenSSL.crypto.FILETYPE_PEM, pk) # pk_str will look like # b'-----BEGIN PUBLIC KEY-----\n # MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWa0bWGpCinC/A7QIh/nF8dTlyL/r\nrmv4mYE8PJu3M8rsmZPzjSburX/I9wRL9rQGqotM9M0nJkjv3pkAVyptuA==\n # -----END PUBLIC KEY-----\n' pk_str_base64 = b''.join(pk_str.splitlines()[1:-1]) pk_bytes = base64.b64decode(pk_str_base64) if self.public_key != pk_bytes: raise SiipCertError( f'Invalid SIIP Certificate {self._pk_str(pk_bytes)}')
def get_server_certificate(addr, ssl_version=ssl.PROTOCOL_SSLv3, ca_certs=None): if (ca_certs is not None): cert_reqs = CERT_REQUIRED else: cert_reqs = CERT_NONE s = wrap_socket(gsock.Socket(), ssl_version=ssl_version, cert_reqs=cert_reqs, ca_certs=ca_certs) s.connect(addr) dercert = s.getpeercert(True) s.close() return ssl.DER_cert_to_PEM_cert(dercert)
def test_wincertstore(self): store = wincertstore.CertSystemStore("ROOT") try: for cert in store.itercerts(): pem = cert.get_pem() enc = cert.get_encoded() name = cert.get_name() trust = cert.enhanced_keyusage_names() self.assertEqual(ssl.DER_cert_to_PEM_cert(enc), pem) self.assertEqual(ssl.PEM_cert_to_DER_cert(pem), enc) for crl in store.itercrls(): pem = cert.get_pem() finally: store.close()
def certificate_expiry(hostname): context = ssl.create_default_context() try: with socket.create_connection((hostname, 443)) as sock: with context.wrap_socket(sock, server_hostname=hostname) as sslsock: der_cert = sslsock.getpeercert(True) pem_cert = ssl.DER_cert_to_PEM_cert(der_cert) x509_cert = OpenSSL.crypto.load_certificate( OpenSSL.crypto.FILETYPE_PEM, pem_cert) notAfter_str = x509_cert.get_notAfter().decode('UTF-8') return datetime.datetime.strptime(notAfter_str, cert_date_fmt) except (OSError, ssl.CertificateError): return None
def is_cert_inactive(site: str, port: int = PORT) -> bool: """ Check if certificate is no longer valid. Fails if end of validity date obtained from certificate is beyond the time of execution. :param site: Site address. :param port: Port to connect to. """ result = True try: with connect(site, port=port) as conn: __cert = conn.session.serverCertChain.x509List[0].bytes cert = ssl.DER_cert_to_PEM_cert(__cert) except socket.error: show_unknown('Port closed', details=dict(site=site, port=port)) return False except tlslite.errors.TLSRemoteAlert as exc: show_unknown('Could not connect', details=dict(site=site, port=port, error=str(exc).replace(':', ','))) return False except (tlslite.errors.TLSLocalAlert): show_unknown('Port doesn\'t support SSL', details=dict(site=site, port=port)) return False cert_obj = load_pem_x509_certificate(cert.encode('utf-8'), default_backend()) if cert_obj.not_valid_after > datetime.datetime.now(): show_close('Certificate is still valid', details=dict( site=site, port=port, not_valid_after=cert_obj.not_valid_after.isoformat(), current_time=datetime.datetime.now().isoformat())) result = False else: show_open('Certificate is expired', details=dict( site=site, port=port, not_valid_after=cert_obj.not_valid_after.isoformat(), current_time=datetime.datetime.now().isoformat())) result = True return result
def cert_lookup(hostname): port = 443 context = ssl.create_default_context() # Used for SNI with socket.create_connection((hostname, port)) as sock: with context.wrap_socket(sock, server_hostname=hostname) as sslsock: der_cert = sslsock.getpeercert(True) cert = ssl.DER_cert_to_PEM_cert(der_cert) x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, cert) x509info = x509.get_notAfter() ssl_date_fmt = r'%Y%m%d%H%M%SZ' expires = datetime.datetime.strptime(str(x509info)[2:-1], ssl_date_fmt) remaining = (expires - datetime.datetime.utcnow()).days reply = "{} expires in {} days, ({})".format(hostname, remaining, expires) return reply
def get_thumbprint(ip): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(1) wrappedSocket = ssl.wrap_socket(sock) try: wrappedSocket.connect((ip, 443)) except: response = False else: der_cert_bin = wrappedSocket.getpeercert(True) pem_cert = ssl.DER_cert_to_PEM_cert(wrappedSocket.getpeercert(True)) # Thumbprint thumb_sha256 = hashlib.sha256(der_cert_bin).hexdigest() wrappedSocket.close() return ':'.join(map(''.join, zip(*[iter(thumb_sha256)] * 2)))
def servercert_get(logger, hostname, port=443): """ get server certificate from an ssl connection """ logger.debug('servercert_get({0}:{1})'.format(hostname, port)) pem_cert = None context = ssl.create_default_context() # disable cert validation context.check_hostname = False context.verify_mode = ssl.CERT_NONE with socket.create_connection((hostname, port)) as sock: with context.wrap_socket(sock, server_hostname=hostname) as sslsock: der_cert = sslsock.getpeercert(True) # from binary DER format to PEM pem_cert = ssl.DER_cert_to_PEM_cert(der_cert) return pem_cert
def fetch_certificate(domain): try: # Get the certificate context = ssl._create_unverified_context() sock = socket.socket(socket.AF_INET) sock.settimeout(5) conn = context.wrap_socket(sock, server_hostname=domain) conn.connect((domain, 443)) der_cert = conn.getpeercert(True) # Convert the certificate from DER to PEM raw_data = str(ssl.DER_cert_to_PEM_cert(der_cert)) except Exception as e: raw_data = None return raw_data
def certfetch_into_cache(sitename, force=False): " expects either 'hostname' or 'hostname:portnum' " global CACHEDIR if os.path.sep in sitename: raise TypeError("bad hostname \"{}\"".format(sitename)) if ':' in sitename: hostname, port = sitename.split(':', 1) port = int(port) else: hostname, port = sitename, 443 certname = CACHEDIR + os.path.sep + sitename + '.pem' certname = certname.replace(':', '.') tmpname = certname + ".tmp" cert = None try: # cert = ssl.get_server_certificate((hostname, port)) # doesn't do SNI context = ssl.create_default_context() context.verify_mode = ssl.CERT_REQUIRED context.check_hostname = False conn = context.wrap_socket(socket.socket(socket.AF_INET), server_hostname=hostname) conn.connect((hostname, port)) cert = conn.getpeercert(binary_form=True) # cert is a DER-encoded blob cert = ssl.DER_cert_to_PEM_cert(cert) # cert is now a PEM-encoded ascii string except Exception as err: print("* {} failed: {}".format(sitename, err), file=sys.stderr) if not cert: # try the method that doesn't do SNI try: cert = ssl.get_server_certificate( (hostname, port)) # doesn't do SNI except Exception as err: print("* {} failed: {}".format(sitename, err), file=sys.stderr) if cert: with open(tmpname, 'wb') as tmpfile: tmpfile.write(bytes(cert, 'ascii')) if force or (not os.path.exists(certname)): bark("... " + site + " updated") os.rename(tmpname, certname) elif filecmp.cmp(certname, tmpname): os.remove(tmpname) else: bark("... " + site + " updated") os.rename(tmpname, certname) return cert
def validate_certificate_chain(self, der_certs): """ Validate a given certificate chain which should be full, as a list of DER (binary) certificates from leaf to root (in this order and including both), raising an ``ssl.SSLError`` when the chain isn't valid. This method requires OpenSSL, which should be available from the command line. """ with ExitStack() as stack: def new_pem_file(data): pf = stack.enter_context( NamedTemporaryFile("wb", suffix=".pem"), ) pf.write(data.encode("ascii")) pf.flush() return pf pem_certs = [ssl.DER_cert_to_PEM_cert(dc) for dc in der_certs] target_pem = new_pem_file(pem_certs[0]) intermediary_pem = new_pem_file("".join(pem_certs[1:-1])) root_pem = new_pem_file(pem_certs[-1]) command_line = [ "openssl", "verify", "-CAfile", root_pem.name, "-untrusted", intermediary_pem.name, target_pem.name, ] openssl_proc = Popen(command_line, stdout=PIPE, stderr=PIPE) openssl_proc.wait() # Logs the OpenSSL results logger.debug("OpenSSL certificate chain validation results:") for stream_name in ["stdout", "stderr"]: msg = getattr(openssl_proc, stream_name).read() if msg.strip(): for line in msg.decode("ascii").splitlines(): logger.debug(f"[{stream_name}] {line}") logger.debug(f"[return code] {openssl_proc.returncode}") if openssl_proc.returncode != 0: raise ssl.SSLError("Certificate chain verification failed")
def checkCertificate(_): domain = re.match(r"https:\/\/(.*)\/", _.TARGET).group(1) query = (domain, 443) try: # SNI traceable here connection = ssl.create_connection(query) context = ssl.SSLContext(ssl.PROTOCOL_TLS) sock = context.wrap_socket(connection, server_hostname=domain) certificate = ssl.DER_cert_to_PEM_cert(sock.getpeercert(True)) except: e = sys.exc_info()[0] certificate = ssl.get_server_certificate(query) x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, certificate) _.NOT_AFTER = datetime.strptime(x509.get_notAfter().decode(), "%Y%m%d%H%M%SZ")
def get_certificate(endpoint: str, port: str) -> str: """Download certificate from remote server. Args: endpoint: url to get certificate from. port: endpoint port. Returns: str: certificate string in PEM format. """ hostname = endpoint conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM) context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) sock = context.wrap_socket(conn, server_hostname=hostname) sock.connect((hostname, int(port))) return ssl.DER_cert_to_PEM_cert(sock.getpeercert(True)) # type: ignore
def get_thumb(module): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(10) wrappedSocket = ssl.wrap_socket(sock) try: wrappedSocket.connect((module.params['server'], 443)) except: module.fail_json(msg='Connection error while fatching thumbprint for server [%s].' % module.params['server']) else: der_cert_bin = wrappedSocket.getpeercert(True) pem_cert = ssl.DER_cert_to_PEM_cert(wrappedSocket.getpeercert(True)) print(pem_cert) #Thumbprint thumb_sha256 = hashlib.sha256(der_cert_bin).hexdigest() wrappedSocket.close() return ':'.join(a+b for a,b in zip(thumb_sha256[::2], thumb_sha256[1::2]))
async def _cert_values(ip: str, port: int) -> Dict[str, str]: reader, writer = await asyncio.open_connection(ip, port, ssl=TLS) der_cert = writer.transport._ssl_protocol._sslpipe.ssl_object.getpeercert(True) writer.close() await writer.wait_closed() pem_cert = ssl.DER_cert_to_PEM_cert(der_cert).encode("ascii") cert = x509.load_pem_x509_certificate(pem_cert, default_backend()) values: Dict[str, str] = {} cns = cert.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME) if cns: values["cn"] = cns[0].value ons = cert.subject.get_attributes_for_oid(x509.oid.NameOID.ORGANIZATION_NAME) if ons: values["on"] = ons[0].value return values