def testDERtoPEM(self):
pem = open(SVN_PYTHON_ORG_ROOT_CERT, 'r').read()
d1 = ssl.PEM_cert_to_DER_cert(pem)
p2 = ssl.DER_cert_to_PEM_cert(d1)
d2 = ssl.PEM_cert_to_DER_cert(p2)
if (d1 != d2):
raise support.TestFailed("PEM-to-DER or DER-to-PEM translation failed")
def create(self, snf_uuid, snf_token, mail, cn, vo, user_dn, cert=None):
"""Add a user in LDAP directory
:param snf_uuid: (str) the Synnefo user UUID, part of LDAP user uid
:param snf_token: (str) the Synnefo user token
:param mail: (str) e-mail
:param cn: (str) Human-readable name of the human
:param vo: (str) Virtual organization this user is affiliated to
:param user_dn: (str) the user DN, e.g. "/C=ORG/C=EXAMPLE/CN=Real name"
:param cert: (str) user PEM certificate
"""
add_record = [
('objectclass', [
'person', 'organizationalperson', 'inetorgperson', 'pkiuser']),
('uid', [str(snf_uuid), ]),
('cn', [str(cn), ]),
('sn', [str(vo), ]),
('userpassword', [str(snf_token), ]),
('mail', [str(mail), ]),
('givenname', str(user_dn)),
('ou', ['users', ])
]
dn = 'uid=%s,%s' % (str(snf_uuid), str(self.base_dn))
self.con.add_s(dn, add_record)
if cert:
cert_der = ssl.PEM_cert_to_DER_cert(cert)
mod_attrs = [(ldap.MOD_ADD, 'userCertificate;binary', cert_der)]
self.con.modify_s(dn, mod_attrs)
def _check_ssl_cert(self):
"""Preflight the SSL certificate presented by the backend.
This isn't 100% bulletproof, in that we're not actually validating the
transport used to communicate with Ping++, merely that the first
attempt to does not use a revoked certificate.
Unfortunately the interface to OpenSSL doesn't make it easy to check
the certificate before sending potentially sensitive data on the wire.
This approach raises the bar for an attacker significantly."""
from pingpp import verify_ssl_certs
if verify_ssl_certs and not self._CERTIFICATE_VERIFIED:
uri = urlparse.urlparse(pingpp.api_base)
try:
certificate = ssl.get_server_certificate(
(uri.hostname, uri.port or 443), ssl_version=3)
der_cert = ssl.PEM_cert_to_DER_cert(certificate)
except socket.error, e:
raise error.APIConnectionError(e)
except TypeError:
# The Google App Engine development server blocks the C socket
# module which causes a type error when using the SSL library
if util.is_appengine_dev():
self._CERTIFICATE_VERIFIED = True
warnings.warn(
'We were unable to verify Ping++\'s SSL certificate '
'due to a bug in the Google App Engine development '
'server. Please alert us immediately at '
'[email protected] if this message appears in your '
'production logs.')
return
else:
raise
def get_cert_info(self, hostname, port=443, cert_file_name='cert.der'):
f = open(str(cert_file_name), 'wb')
certificate = ssl.get_server_certificate((hostname, port))
f.write(ssl.PEM_cert_to_DER_cert(certificate))
with open(str(cert_file_name), "rb") as f:
certificate = Certificate.load(f.read())
modulus = certificate.public_key.native["public_key"]["modulus"]
pub_exp = certificate.public_key.native["public_key"][
"public_exponent"]
sig_algorithm = certificate.signature_algo
try:
cert_issuer_country = certificate.issuer.native["country_name"]
except:
cert_issuer_country = "Empty"
try:
cert_issuer_name = certificate.issuer.native["organization_name"]
except:
cert_issuer_name = "Empty"
try:
cert_issuer_common_name = certificate.issuer.native["common_name"]
except:
cert_issuer_common_name = "Empty"
self_signed = certificate.self_signed
hash_algo = certificate.hash_algo
domains = certificate.valid_domains
return ('{0:02x}'.format(modulus), pub_exp, sig_algorithm,
cert_issuer_country, cert_issuer_name, cert_issuer_common_name,
self_signed, hash_algo, domains)
def getCertNames(ip, port, verbose=False):
setdefaulttimeout(5)
try:
certstring = ssl.get_server_certificate((ip, port))
except (error, timeout) as err:
if verbose:
print("No connection: {0}".format(err))
return None
der_cert = ssl.PEM_cert_to_DER_cert(certstring)
cert = x509.load_der_x509_certificate(der_cert, default_backend())
names = []
cn = cert.subject.get_attributes_for_oid(x509.OID_COMMON_NAME)[0].value
names.append(cn)
try:
sans = cert.extensions.get_extension_for_oid(
x509.OID_SUBJECT_ALTERNATIVE_NAME).value.get_values_for_type(
x509.DNSName)
except:
sans = None
if sans and len(sans):
for san in sans:
names.append(san)
#print ip, san
return names
def get_public_key_from_pem(self, pem_cert):
der = ssl.PEM_cert_to_DER_cert(pem_cert)
cert = DerSequence()
cert.decode(der)
tbsCertificate = DerSequence()
tbsCertificate.decode(cert[0])
return tbsCertificate[6]
def test_revoked_cert_is_revoked(self):
hostname = "revoked.stripe.com"
cert = ssl.get_server_certificate((hostname, 444))
der_cert = ssl.PEM_cert_to_DER_cert(cert)
self.assertRaises(APIError,
lambda: certificate_blacklist.verify(
hostname, der_cert))
def init():
if os.environ.get('XDG_CONFIG_HOME') is None or os.environ.get('XDG_CONFIG_HOME') == '':
XDG_CONFIG_HOME = os.path.join(os.path.expanduser('~'), '.config')
else:
XDG_CONFIG_HOME = os.environ.get('XDG_CONFIG_HOME')
CONF_DIR_PATH = os.path.join(XDG_CONFIG_HOME, 'an2linux')
CONF_FILE_PATH = os.path.join(CONF_DIR_PATH, 'config')
CERTIFICATE_PATH = os.path.join(CONF_DIR_PATH, 'certificate.pem')
RSA_PRIVATE_KEY_PATH = os.path.join(CONF_DIR_PATH, 'rsakey.pem')
AUTHORIZED_CERTS_PATH = os.path.join(CONF_DIR_PATH, 'authorized_certs')
DHPARAM_PATH = os.path.join(CONF_DIR_PATH, 'dhparam.pem')
if not os.path.exists(CONF_DIR_PATH):
os.makedirs(CONF_DIR_PATH)
if not os.path.isfile(CERTIFICATE_PATH) or not os.path.isfile(RSA_PRIVATE_KEY_PATH):
generate_server_private_key_and_certificate(CERTIFICATE_PATH, RSA_PRIVATE_KEY_PATH)
else:
# test if valid private key / certificate
try:
ssl.SSLContext(protocol=ssl.PROTOCOL_TLSv1_2).load_cert_chain(CERTIFICATE_PATH,
RSA_PRIVATE_KEY_PATH)
ssl.PEM_cert_to_DER_cert(open(CERTIFICATE_PATH, 'r').read())
except (ssl.SSLError, ValueError) as e:
logging.error('Something went wrong trying to load your private key and certificate: {}'.format(e))
logging.error('Will generate new key overwriting old key and certificate')
generate_server_private_key_and_certificate(CERTIFICATE_PATH, RSA_PRIVATE_KEY_PATH)
return CONF_FILE_PATH, CERTIFICATE_PATH, RSA_PRIVATE_KEY_PATH, AUTHORIZED_CERTS_PATH, DHPARAM_PATH
def ssl_invalid_cert(self, raw_cert):
"""Handle an invalid certificate from the Jabber server
This may happen if the domain is using Google Apps
for their XMPP server and the XMPP server."""
hosts = resolver.get_SRV(self.boundjid.server,
5222,
'xmpp-client',
resolver=resolver.default_resolver())
domain_uses_google = False
for host, _ in hosts:
if host.lower()[-10:] == 'google.com':
domain_uses_google = True
if domain_uses_google:
try:
if cert.verify('talk.google.com',
ssl.PEM_cert_to_DER_cert(raw_cert)):
logging.debug('Google certificate found for %s',
self.boundjid.server)
return
except cert.CertificateError:
pass
logging.error("Invalid certificate received for %s",
self.boundjid.server)
self.disconnect()
def cert_PEM_to_hash(cert):
"""Given a certificate in PEM format, return it's hash as string"""
cert_der = ssl.PEM_cert_to_DER_cert(cert)
hash = hashlib.sha1()
hash.update(cert_der)
digest = hash.digest()
digest_string = "".join([binascii.b2a_hex(b) for b in bytes(digest)])
return digest_string
def pemFileHash(fname):
""" Return SHA256 hash of PEM cert in hex """
with file(fname) as certFile:
pemData = certFile.read()
derData = ssl.PEM_cert_to_DER_cert(pemData)
certDigest = sha256(derData).hexdigest()
return certDigest
def invalid_cert(self, pem_cert):
der_cert = ssl.PEM_cert_to_DER_cert(pem_cert)
try:
cert.verify('talk.google.com', der_cert)
print "CERT: Found GTalk certificate"
except cert.CertificateError as err:
print err.message, " : ", traceback.format_exc()
self.disconnect(send_close=False)
def invalid_cert(self, pem_cert):
der_cert = ssl.PEM_cert_to_DER_cert(pem_cert)
try:
cert.verify('talk.google.com', der_cert)
logging.debug("CERT: Found GTalk certificate")
except cert.CertificateError as err:
logging.error(err.message)
self.disconnect()
def load_PEMfile(self, certificate_path):
"""Load a certificate from a file in PEM format
"""
self._init_data()
self._filepath = certificate_path
with open(self._filepath, "r") as inputFile:
PEMdata = inputFile.read()
# convert to binary (DER format)
self._data = ssl.PEM_cert_to_DER_cert(PEMdata)
def cert_to_public_rsa_key(pem):
DER = ssl.PEM_cert_to_DER_cert(pem)
cert = DerSequence()
cert.decode(DER)
tbsCertificate = DerSequence()
tbsCertificate.decode(cert[0])
subjectPublicKeyInfo = tbsCertificate[6]
rsa_key = RSA.importKey(subjectPublicKeyInfo)
return rsa_key
def verify_cert(self, pem_cert):
"""Verify that certificate originates from Google."""
der_cert = ssl.PEM_cert_to_DER_cert(pem_cert)
try:
cert.verify('talk.google.com', der_cert)
logging.debug('Found Hangouts certificate.')
except cert.CertificateError as err:
logging.error(err)
self.disconnect(send_close=False)
def convertPEMcertificateToDER(self, certificate):
''' Converting PEM certificate to DER '''
if certificate is None:
return None
if not self.isPEM(certificate):
return certificate
der = ssl.PEM_cert_to_DER_cert(certificate)
return der
def grab_file(self, mconfig, filepath, filename):
file_mod_time = os.stat(
os.path.join(filepath, filename) +
GlobalLabelParameters.P12_PREFIX).st_mtime
if filename not in self.filecache:
p12 = crypto.load_pkcs12(
open(
os.path.join(filepath, filename) +
GlobalLabelParameters.P12_PREFIX, 'rb').read(),
mconfig.key_password)
cert_str = crypto.dump_certificate(crypto.FILETYPE_PEM,
p12.get_certificate())
der_cert_string = base64.b64encode(
ssl.PEM_cert_to_DER_cert(cert_str.decode("utf-8")))
private_key = crypto.dump_privatekey(
crypto.FILETYPE_PEM, p12.get_privatekey()).decode("utf-8")
self.filecache.setdefault(str(filename),
[]).append(der_cert_string)
self.filecache.setdefault(str(filename), []).append(private_key)
self.filecache.setdefault(str(filename), []).append(file_mod_time)
if file_mod_time != self.filecache[filename][2]:
p12 = crypto.load_pkcs12(
open(
os.path.join(filepath, filename) +
GlobalLabelParameters.P12_PREFIX, 'rb').read(),
mconfig.key_password)
cert_str = crypto.dump_certificate(crypto.FILETYPE_PEM,
p12.get_certificate())
der_cert_string = base64.b64encode(
ssl.PEM_cert_to_DER_cert(cert_str.decode("utf-8")))
private_key = crypto.dump_privatekey(
crypto.FILETYPE_PEM, p12.get_privatekey()).decode("utf-8")
self.filecache.setdefault(str(filename),
[]).append(der_cert_string)
self.filecache.setdefault(str(filename), []).append(private_key)
self.filecache.setdefault(str(filename), []).append(file_mod_time)
return self.filecache[filename]
def __init__(self,addr,cert=None):
self.addr=addr
self.username=None
self.password=None
if cert is None:
self.cert=None
elif type(cert)==bytes:
self.cert=cert
elif type(cert)==str:
if cert.startswith('-----BEGIN CERTIFICATE-----'):
self.cert=ssl.PEM_cert_to_DER_cert(cert)
else:
with open(cert,'rb') as f:
cert=f.read()
if cert.startswith(b'-----BEGIN CERTIFICATE-----'):
cert=ssl.PEM_cert_to_DER_cert(cert.decode('ascii'))
self.cert=cert
else:
raise ValueError('Unknown Certificate type')
def ssl_invalid_cert(self, pem_cert):
# Source: https://github.com/poezio/slixmpp/blob/master/examples/gtalk_custom_domain.py
der_cert = ssl.PEM_cert_to_DER_cert(pem_cert)
try:
cert.verify('talk.google.com', der_cert)
self.logger.info("found GTalk certificate")
except cert.CertificateError as err:
self.logger.error(err.message)
self.disconnect(send_close=False)
def compute_chain_hashes(chainp):
result = []
for p in permutations(chainp):
servercert = ssl.PEM_cert_to_DER_cert(p[0])
serverhash = SHA256.new(servercert).hexdigest()
chainhashes = map(lambda x: MD5.new(x).hexdigest(), p[1:])
concatenated = ''.join(chainhashes).lower()
result.append(SHA256.new(unhexlify(serverhash + concatenated)).digest())
return result
def __init__(self, path):
self.path = path
if os.path.isfile(path):
self.key = xmlsec.Key.from_file(path, xmlsec.KeyFormat.CERT_PEM)
pem_content = open(path, 'rb').read()
else:
self.key = xmlsec.Key.from_memory(path, xmlsec.KeyFormat.CERT_PEM)
pem_content = path
h = hashlib.sha1()
h.update(ssl.PEM_cert_to_DER_cert(pem_content))
self.fingerprint = h.hexdigest().zfill(40)
def get_pubkey(pem):
""" Extracts public key from x08 pem. """
der = ssl.PEM_cert_to_DER_cert(pem)
# Extract subjectPublicKeyInfo field from X.509 certificate (see RFC3280)
cert = DerSequence()
cert.decode(der)
tbsCertificate = DerSequence()
tbsCertificate.decode(cert[0])
subjectPublicKeyInfo = tbsCertificate[6]
return subjectPublicKeyInfo
def get_certificate_from_file(certfile):
cert = open(certfile, 'r').read()
inpemcert = False
prunedcert = ''
for line in cert.split('\n'):
if '-----BEGIN CERTIFICATE-----' in line:
inpemcert = True
if inpemcert:
prunedcert += line
if '-----END CERTIFICATE-----' in line:
break
return ssl.PEM_cert_to_DER_cert(prunedcert)
def proxyConnect(self, host, port, path, cadata=None):
if not cadata:
cadata = self.server_cert
dercert = ssl.PEM_cert_to_DER_cert(cadata)
c = httplib.HTTPSConnection(
self.squid.ip_address,
3128,
context=ssl.create_default_context(cadata=dercert))
c.set_tunnel(host, port)
#c.putheader('Host',"squid-webtest")
c.request("GET", path)
return c.getresponse()
def pair_client(clientsocket, q):
print "wants to pair"
mycert = open(os.path.join(configmanager.keydir, "server.crt"), "r").read()
secure_port = str(configmanager.secure_port)
myder_cert = ssl.PEM_cert_to_DER_cert(mycert)
m = hashlib.sha256(myder_cert)
myfp = m.hexdigest().upper()
myfp = " ".join(myfp[i:i + 4] for i in range(0, len(myfp), 4))
print "\nMy SHA256: " + myfp
#send my certiuficate
clientsocket.sendall(myder_cert.encode('base64'))
#receive client Certificate
clientcert = clientsocket.recv(2048)
m = hashlib.sha256(clientcert)
devicefp = m.hexdigest().upper()
devicefp = " ".join(devicefp[i:i + 4] for i in range(0, len(devicefp), 4))
print "\nClient SHA256: " + devicefp
if (q): #GUI
q.put([myfp, devicefp])
vout = q.get(True)
else: #CMDLine only
vout = raw_input("Do they match?(yes/no)\n")
if (vout.strip().lower() == "yes"):
clientsocket.sendall(secure_port + "\n")
else:
clientsocket.sendall("0\n")
pass
print "wait for Device..."
ack = clientsocket.recv(2)
if (ack == "OK"):
#save pub key
with open(os.path.join(configmanager.keydir, "cas.pem"),
'a') as the_file:
the_file.write(ssl.DER_cert_to_PEM_cert(clientcert))
if (q):
q.put(1)
restart_server()
print "Successfully paired the Device!"
else:
if (q):
q.put(0)
print "Failed to pair Device."
def extract_public_key_from_certificate(x509_certificate):
"""Extracts the PEM public key from an x509 certificate."""
der_certificate_string = ssl.PEM_cert_to_DER_cert(x509_certificate)
# Extract subjectPublicKeyInfo field from X.509 certificate (see RFC3280)
der_certificate = asn1.DerSequence()
der_certificate.decode(der_certificate_string)
tbs_certification = asn1.DerSequence() # To Be Signed certificate
tbs_certification.decode(der_certificate[0])
subject_public_key_info = tbs_certification[6]
return subject_public_key_info
def PEM_to_header(pems, cert_var, cert_length_var, output, full_chain,
keep_dupes):
"""Combine a collection of PEM format certificates into a single C header with the
combined cert data in binary DER format. Pems should be a list of strings with
each cert PEM or chain of PEM certs, cert_var controls the name of the cert data
variable in the output header, cert_length_var controls the name of the cert
data length variable/define, output is the output file (which must be open for
writing), and full_chain is a boolean that indicates if each cert chain should include
the full chain or just the root/last cert. Keep_dupes is a boolean to
indicate if duplicate certificates should be left intact (true) or removed (false).
"""
cert_der = bytearray()
cert_description = ''
processed_certs = set()
for p in pems:
certs = PEM_split(p)
if full_chain:
# Go through each cert in the chain and convert to DER format.
for cert_pem in certs:
# Skip duplicate certs where required.
if not keep_dupes and cert_pem in processed_certs:
continue
processed_certs.add(cert_pem)
cert_description += ' {0}\n'.format(
PEM_description(cert_pem))
cert_der.extend(bytearray(ssl.PEM_cert_to_DER_cert(cert_pem)))
else:
# Otherwise just grab the last cert in the chain (the root) and convert.
cert_pem = certs[-1]
# Skip duplicate certs where required.
if not keep_dupes and cert_pem in processed_certs:
continue
processed_certs.add(cert_pem)
cert_description += ' {0}\n'.format(PEM_description(cert_pem))
cert_der.extend(bytearray(ssl.PEM_cert_to_DER_cert(cert_pem)))
# Save DER cert data as a C style header.
cert_to_header(cert_der, output, cert_var, cert_length_var,
cert_description)
click.echo('Wrote {0}'.format(output.name))
def fetch_certificate_info(self):
filecache = {}
filename = 'testrest'
p12 = crypto.load_pkcs12(open(os.path.join(os.getcwd(), "samples/authentication/Resources", filename) + ".p12", 'rb').read(), self.merchant_id)
cert_str = crypto.dump_certificate(crypto.FILETYPE_PEM, p12.get_certificate())
der_cert_string = base64.b64encode(ssl.PEM_cert_to_DER_cert(cert_str.decode("utf-8")))
private_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, p12.get_privatekey()).decode("utf-8")
filecache.setdefault(str(filename), []).append(der_cert_string)
filecache.setdefault(str(filename), []).append(private_key)
return filecache[filename]
def _ValidateCertificateHostname(self, cert, bincert, hostname):
hosts = self._GetValidHostsForCert(cert)
for host in hosts:
host_re = host.replace('.', '\.').replace('*', '[^.]*')
if re.search('^%s$' % (host_re,), hostname, re.I):
return True
# If we cannot validate against the hostname, try against the
# KES certificate.
binary_kes_cert = ssl.PEM_cert_to_DER_cert(_KES_CERT)
if binary_kes_cert == bincert:
return True
return False
