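def test_hmac(self):
    """
    Known-answer test for EVP.hmac with the fixed key 'key' and message 'data'.

    Every MAC is turned into an integer with util.octx_to_num and compared
    with a hard-coded expected value. An unknown digest name must raise
    ValueError.
    """
    def check(expected, **kwargs):
        # unittest assertion instead of a bare assert: assert statements are
        # stripped under "python -O", which would silently skip the vectors.
        self.assertEqual(
            util.octx_to_num(EVP.hmac('key', 'data', **kwargs)), expected)

    # No algo argument: exercises whatever digest EVP.hmac defaults to.
    check(92800611269186718152770431077867383126636491933)

    if not fips_mode:
        # Disabled algorithms: these two vectors are skipped in FIPS mode.
        check(209168838103121722341657216703105225176, algo='md5')
        check(1176807136224664126629105846386432860355826868536,
              algo='ripemd160')

    # The SHA-2 vectors only run when the linked OpenSSL reports at least
    # this version number.
    if m2.OPENSSL_VERSION_NUMBER >= 0x90800F:
        check(2660082265842109788381286338540662430962855478412025487066970872635,
              algo='sha224')
        check(36273358097036101702192658888336808701031275731906771612800928188662823394256,
              algo='sha256')
        check(30471069101236165765942696708481556386452105164815350204559050657318908408184002707969468421951222432574647369766282,
              algo='sha384')
        check(3160730054100700080556942280820129108466291087966635156623014063982211353635774277148932854680195471287740489442390820077884317620321797003323909388868696,
              algo='sha512')

    # 'sha513' is not a digest name; the lookup has to fail loudly.
    self.assertRaises(ValueError, EVP.hmac, 'key', 'data', algo='sha513')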
def __call__(self, peerCert, host=None):
    """
    Check the peer certificate against the configured fingerprint and host.

    @param peerCert: Certificate presented by the peer, or None.
    @param host: Optional host name; when given it replaces self.host.
    @return: True when every configured check passes.
    @raise NoCertificate: peerCert is None.
    @raise ValueError: self.digest is neither 'sha1' nor 'md5' (int() also
        raises it when self.fingerprint is not valid hex).
    @raise WrongCertificate: the fingerprint has the wrong length or does not
        match, or the subject has no commonName when that check is needed.
    @raise WrongHost: a subjectAltName extension is present but no field
        matches, or there is no such extension and commonName does not match.
    """
    if peerCert is None:
        raise NoCertificate('peer did not return certificate')

    if host is not None:
        self.host = host

    if self.fingerprint:
        # NOTE(review): the allow-list offers no SHA-2 digest, so any pin
        # configured here rests on a deprecated hash (md5 or sha1).
        if self.digest not in ('sha1', 'md5'):
            raise ValueError('unsupported digest "%s"' % (self.digest))

        # Expected hex length: 40 characters for sha1, 32 for md5.
        if (self.digest == 'sha1' and len(self.fingerprint) != 40) or \
           (self.digest == 'md5' and len(self.fingerprint) != 32):
            raise WrongCertificate(
                'peer certificate fingerprint length does not match')

        der = peerCert.as_der()
        md = EVP.MessageDigest(self.digest)
        md.update(der)
        digest = md.final()
        # Both sides are compared as integers, so letter case and leading
        # zeros in the configured hex string do not affect the result.
        if util.octx_to_num(digest) != int(self.fingerprint, 16):
            raise WrongCertificate(
                'peer certificate fingerprint does not match')

    if self.host:
        # NOTE(review): commonNameValid is assigned below but never read.
        commonNameValid = False
        subjectAltNameValid = False

        # XXX subjectAltName might contain multiple fields
        # subjectAltName=DNS:somehost, DNS:someotherhost, otherkey:val
        try:
            subjectAltName = peerCert.get_ext('subjectAltName').get_value()
            sanlist = subjectAltName.split(",")
            for field in sanlist:
                if self._match(self.host, field, True):
                    subjectAltNameValid = True
            # Extension present but nothing matched: reject here, without
            # consulting commonName. The handler below only catches
            # LookupError, so this WrongHost propagates (assuming WrongHost
            # does not derive from LookupError -- its definition is not in
            # this block).
            if not subjectAltNameValid:
                raise WrongHost(expectedHost=self.host,
                                actualHost=subjectAltName,
                                fieldName='subjectAltName')
        # Ignore if cert has no subjectAltName extension
        # But then commonName *must* match for validation
        except LookupError:
            pass

        if not subjectAltNameValid:
            # commonName=somehost
            try:
                commonName = peerCert.get_subject().CN
                if self._match(self.host, commonName):
                    commonNameValid = True
                else:
                    raise WrongHost(expectedHost=self.host,
                                    actualHost=commonName,
                                    fieldName='commonName')
            # NOTE(review): the try also wraps self._match, so an
            # AttributeError raised inside it is reported as a missing
            # commonName as well.
            except AttributeError:
                raise WrongCertificate('no commonName in peer certificate')

    return True
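def __init__(self, ctb, body=None):
    """
    Initialise the packet and, when a body is given, parse its fields.

    Fields are read from self.body in this order: 1 byte version, 8 bytes
    key id, 1 byte algorithm code, a 2-byte big-endian length, and then the
    data that length describes, stored as an integer via octx_to_num.

    @param ctb: Passed through to packet.__init__.
    @param body: Passed through to packet.__init__; parsing is skipped when
        it is None. (presumably self.body is a file-like object set up by
        the base class -- confirm)
    """
    packet.__init__(self, ctb, body)
    if body is not None:
        self._version = self.body.read(1)
        self._keyid = self.body.read(8)
        self._pkc = ord(self.body.read(1))
        # The 16-bit prefix is rounded up to whole bytes (looks like a bit
        # count -- confirm). Floor division keeps deklen an int; with true
        # division "/" yields a float, which read() does not accept.
        deklen = (struct.unpack('>H', self.body.read(2))[0] + 7) // 8
        # NOTE(review): none of the reads checks for truncation. A short
        # packet surfaces as TypeError from ord() or struct.error from
        # unpack, and a short final read is accepted as-is; callers that
        # parse untrusted packets should expect that.
        self._dek = octx_to_num(self.body.read(deklen))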
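def __init__(self, ctb, body=None):
    """
    Initialise the packet and, when a body is given, parse its fields.

    Read order from self.body: version (1 byte), key id (8 bytes), algorithm
    code (1 byte), a big-endian 16-bit length, then the payload that length
    describes, which is kept as an integer produced by octx_to_num.

    @param ctb: Forwarded unchanged to packet.__init__.
    @param body: Forwarded unchanged to packet.__init__; when it is None no
        field is parsed. (self.body is presumably prepared by the base
        class -- confirm)
    """
    packet.__init__(self, ctb, body)
    if body is not None:
        self._version = self.body.read(1)
        self._keyid = self.body.read(8)
        self._pkc = ord(self.body.read(1))
        # Round the prefixed length up to whole bytes with floor division,
        # so the result stays an int on interpreters where "/" is true
        # division and can be handed to read().
        deklen = (struct.unpack('>H', self.body.read(2))[0] + 7) // 8
        # NOTE(review): truncated input is not detected here; ord() and
        # struct.unpack raise on an empty/short read, while a short payload
        # read is converted without complaint.
        self._dek = octx_to_num(self.body.read(deklen))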
def _get_fingerprint(self, algorithm='sha1'):
    """
    Workaround for RHEL5 with ancient version of M2Crypto.

    With M2Crypto older than 0.17 the fingerprint is computed here from the
    DER encoding; otherwise the certificate's own get_fingerprint() is used.

    NOTE(review): `algorithm` is only honoured on the legacy path. The
    modern path calls get_fingerprint() with no argument, so the digest is
    whatever that method defaults to -- confirm both paths agree before
    relying on the result as a pin.
    """
    # NOTE(review): a LooseVersion is compared with a StrictVersion here;
    # verify that this mixed comparison orders versions as intended.
    if not (LooseVersion(M2Crypto.version) < StrictVersion("0.17")):
        return self.openssl_certificate.get_fingerprint()

    encoded = self.openssl_certificate.as_der()
    hasher = EVP.MessageDigest(algorithm)
    hasher.update(encoded)
    as_hex = hex(util.octx_to_num(hasher.final()))
    # [2:-1] drops the "0x" prefix and the last character (the "L" that
    # Python 2 appends to a long). Leading zero digits of the digest are
    # not preserved by hex(), so the string can be shorter than expected.
    return as_hex[2:-1].upper()
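def test_MessageDigest(self):
    """
    Known-answer test for EVP.MessageDigest('sha1') over the input 'Hello'.

    The vector is checked twice: once normally, and once with m2.sha1
    removed, so that EVP.MessageDigest has to resolve the digest by name.
    An unknown digest name must raise ValueError.
    """
    expected = 1415821221623963719413415453263690387336440359920

    with self.assertRaises(ValueError):
        EVP.MessageDigest('sha513')

    md = EVP.MessageDigest('sha1')
    self.assertEqual(md.update('Hello'), 1)
    self.assertEqual(util.octx_to_num(md.final()), expected)

    # temporarily remove sha1 from m2
    old_sha1 = m2.sha1
    del m2.sha1
    try:
        # now run the same test again, relying on EVP.MessageDigest() to
        # call get_digestbyname() under the hood
        md = EVP.MessageDigest('sha1')
        self.assertEqual(md.update('Hello'), 1)
        self.assertEqual(util.octx_to_num(md.final()), expected)
    finally:
        # put sha1 back in place even when an assertion above fails;
        # otherwise every later test would run against a module that is
        # missing its sha1 attribute.
        m2.sha1 = old_sha1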
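def get_fingerprint(self, md='md5'):
    """
    Get the fingerprint of the certificate.

    The digest is taken over the DER encoding and returned as upper-case
    hex without separators, two characters per digest byte.

    NOTE(review): the default digest is md5, kept for compatibility with
    existing callers; code that uses the result as a trust pin should pass
    a stronger digest name explicitly.

    @param md: Message digest algorithm to use.
    @return: String containing the fingerprint in hex format.
    """
    der = self.as_der()
    md = EVP.MessageDigest(md)
    md.update(der)
    digest = md.final()
    # Format with an explicit width instead of slicing hex(): hex() drops
    # leading zero digits, and the old [2:-1] slice relied on the trailing
    # "L" of a Python 2 long, cutting a real digit wherever it is absent.
    return '%0*X' % (2 * len(digest), util.octx_to_num(digest))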
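def test_MessageDigest(self):  # noqa
    """
    Known-answer test for EVP.MessageDigest('sha1') over the input b'Hello'.

    Runs the vector once normally and once with m2.sha1 removed, which
    forces EVP.MessageDigest to look the digest up by name. An unknown
    digest name must raise ValueError.
    """
    expected = 1415821221623963719413415453263690387336440359920

    with self.assertRaises(ValueError):
        EVP.MessageDigest('sha513')

    md = EVP.MessageDigest('sha1')
    self.assertEqual(md.update(b'Hello'), 1)
    self.assertEqual(util.octx_to_num(md.final()), expected)

    # temporarily remove sha1 from m2
    old_sha1 = m2.sha1
    del m2.sha1
    try:
        # now run the same test again, relying on EVP.MessageDigest() to
        # call get_digestbyname() under the hood
        md = EVP.MessageDigest('sha1')
        self.assertEqual(md.update(b'Hello'), 1)
        self.assertEqual(util.octx_to_num(md.final()), expected)
    finally:
        # put sha1 back in place on every exit path, so a failing assertion
        # cannot leave the shared m2 module without its sha1 attribute.
        m2.sha1 = old_sha1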
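def test_hmac(self):
    """
    Known-answer test for EVP.hmac with the fixed key 'key' and message 'data'.

    Each MAC is converted to an integer with util.octx_to_num and compared
    with a hard-coded expected value. An unknown digest name must raise
    ValueError.
    """
    def check(expected, **kwargs):
        # self.assertEqual keeps the vectors enforced under "python -O",
        # where plain assert statements are removed.
        self.assertEqual(
            util.octx_to_num(EVP.hmac('key', 'data', **kwargs)), expected)

    # No algo argument: exercises whatever digest EVP.hmac defaults to.
    check(92800611269186718152770431077867383126636491933)
    check(209168838103121722341657216703105225176, algo='md5')
    check(1176807136224664126629105846386432860355826868536,
          algo='ripemd160')

    # The SHA-2 vectors only run when the linked OpenSSL reports at least
    # this version number.
    if m2.OPENSSL_VERSION_NUMBER >= 0x90800F:
        check(2660082265842109788381286338540662430962855478412025487066970872635,
              algo='sha224')
        check(36273358097036101702192658888336808701031275731906771612800928188662823394256,
              algo='sha256')
        check(30471069101236165765942696708481556386452105164815350204559050657318908408184002707969468421951222432574647369766282,
              algo='sha384')
        check(3160730054100700080556942280820129108466291087966635156623014063982211353635774277148932854680195471287740489442390820077884317620321797003323909388868696,
              algo='sha512')

    # 'sha513' is not a digest name; the lookup has to fail loudly.
    self.assertRaises(ValueError, EVP.hmac, 'key', 'data', algo='sha513')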
def fingerprint(x509, md='sha1'):
    """
    Return the fingerprint of the X509 certificate.

    The digest is computed over the DER encoding and returned as the hex()
    form of its integer value. That string keeps the "0x" prefix (and, on
    Python 2, the "L" suffix of a long) and does not preserve leading zero
    digits, so compare it numerically rather than against a fixed-width
    hex string.

    @param x509: X509 object.
    @type x509: M2Crypto.X509.X509
    @param md: The message digest algorithm.
    @type md: str
    """
    encoded = x509.as_der()
    hasher = EVP.MessageDigest(md)
    hasher.update(encoded)
    return hex(util.octx_to_num(hasher.final()))
def __call__(self, peerCert, host=None):
    """
    Check the peer certificate against the configured fingerprint and host.

    @param peerCert: Certificate presented by the peer, or None.
    @param host: Optional host name; when given it replaces self.host.
    @return: True when every configured check passes.
    @raise NoCertificate: peerCert is None.
    @raise ValueError: self.digest is neither 'sha1' nor 'md5' (int() also
        raises it when self.fingerprint is not valid hex).
    @raise WrongCertificate: the fingerprint has the wrong length or does not
        match, or the subject carries no commonName entry when that check
        is reached.
    @raise WrongHost: no accepted name in the certificate matches the host.
    """
    if peerCert is None:
        raise NoCertificate('peer did not return certificate')

    if host is not None:
        self.host = host

    if self.fingerprint:
        # NOTE(review): the allow-list offers no SHA-2 digest, so any pin
        # configured here rests on a deprecated hash (md5 or sha1).
        if self.digest not in ('sha1', 'md5'):
            raise ValueError('unsupported digest "%s"' % (self.digest))

        # Expected hex length: 40 characters for sha1, 32 for md5.
        if (self.digest == 'sha1' and len(self.fingerprint) != 40) or \
           (self.digest == 'md5' and len(self.fingerprint) != 32):
            raise WrongCertificate(
                'peer certificate fingerprint length does not match')

        der = peerCert.as_der()
        md = EVP.MessageDigest(self.digest)
        md.update(der)
        digest = md.final()
        # Both sides are compared as integers, so letter case and leading
        # zeros in the configured hex string do not affect the result.
        if util.octx_to_num(digest) != int(self.fingerprint, 16):
            raise WrongCertificate(
                'peer certificate fingerprint does not match')

    if self.host:
        hostValidationPassed = False
        # Reset on every call. NOTE(review): the elif below can only fire
        # if _splitSubjectAltName sets this flag as a side effect; its body
        # is not shown here. If it does not, a certificate whose
        # subjectAltName fails to match still falls through to the
        # commonName check -- confirm against the helper.
        self.useSubjectAltNameOnly = False

        # subjectAltName=DNS:somehost[, ...]*
        try:
            subjectAltName = peerCert.get_ext('subjectAltName').get_value()
            if self._splitSubjectAltName(self.host, subjectAltName):
                hostValidationPassed = True
            elif self.useSubjectAltNameOnly:
                raise WrongHost(expectedHost=self.host,
                                actualHost=subjectAltName,
                                fieldName='subjectAltName')
        # A LookupError from the lookup above (no such extension,
        # presumably) leaves the decision to the commonName check.
        except LookupError:
            pass

        # commonName=somehost[, ...]*
        if not hostValidationPassed:
            hasCommonName = False
            commonNames = ''
            # Every commonName entry of the subject is tried in turn; the
            # names seen so far are collected for the error message.
            for entry in peerCert.get_subject().get_entries_by_nid(
                    m2.NID_commonName):
                hasCommonName = True
                commonName = entry.get_data().as_text()
                if not commonNames:
                    commonNames = commonName
                else:
                    commonNames += ',' + commonName
                if self._match(self.host, commonName):
                    hostValidationPassed = True
                    break

            if not hasCommonName:
                raise WrongCertificate('no commonName in peer certificate')

            if not hostValidationPassed:
                raise WrongHost(expectedHost=self.host,
                                actualHost=commonNames,
                                fieldName='commonName')

    return True
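def test_MessageDigest(self):
    """
    Known-answer test for EVP.MessageDigest('sha1') over the input 'Hello'.

    Also checks that an unknown digest name raises ValueError.
    """
    self.assertRaises(ValueError, EVP.MessageDigest, 'sha513')
    md = EVP.MessageDigest('sha1')
    # unittest assertions instead of bare assert statements: the latter are
    # stripped under "python -O", which would leave the vector unchecked.
    self.assertEqual(md.update('Hello'), 1)
    self.assertEqual(util.octx_to_num(md.final()),
                     1415821221623963719413415453263690387336440359920)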
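def test_MessageDigest(self):
    """
    Known-answer test for EVP.MessageDigest('sha1') over the input 'Hello'.

    An unknown digest name is expected to raise ValueError.
    """
    expected = 1415821221623963719413415453263690387336440359920

    self.assertRaises(ValueError, EVP.MessageDigest, 'sha513')
    md = EVP.MessageDigest('sha1')
    # assertEqual stays active under "python -O"; a bare assert would be
    # compiled out and the digest would never be compared.
    self.assertEqual(md.update('Hello'), 1)
    self.assertEqual(util.octx_to_num(md.final()), expected)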
def __call__(self, peerCert, host=None):
    """
    Check the peer certificate against the configured fingerprint and host.

    @param peerCert: Certificate presented by the peer, or None.
    @param host: Optional host name; when given it replaces self.host.
    @return: True when every configured check passes.
    @raise NoCertificate: peerCert is None.
    @raise ValueError: self.digest is neither 'sha1' nor 'md5' (int() also
        raises it when self.fingerprint is not valid hex).
    @raise WrongCertificate: the fingerprint has the wrong length or does not
        match, or the subject carries no commonName entry when that check
        is reached.
    @raise WrongHost: no accepted name in the certificate matches the host.
    """
    if peerCert is None:
        raise NoCertificate('peer did not return certificate')

    if host is not None:
        self.host = host

    if self.fingerprint:
        # NOTE(review): only md5 and sha1 pins can be configured; there is
        # no SHA-2 option in this allow-list.
        if self.digest not in ('sha1', 'md5'):
            raise ValueError('unsupported digest "%s"' %(self.digest))

        # Expected hex length: 40 characters for sha1, 32 for md5.
        if (self.digest == 'sha1' and len(self.fingerprint) != 40) or \
           (self.digest == 'md5' and len(self.fingerprint) != 32):
            raise WrongCertificate('peer certificate fingerprint length does not match')

        der = peerCert.as_der()
        md = EVP.MessageDigest(self.digest)
        md.update(der)
        digest = md.final()
        # Integer comparison: the configured hex string is parsed with
        # int(..., 16), so its letter case does not matter.
        if util.octx_to_num(digest) != int(self.fingerprint, 16):
            raise WrongCertificate('peer certificate fingerprint does not match')

    if self.host:
        hostValidationPassed = False
        # Reset on every call. NOTE(review): whether a non-matching
        # subjectAltName is final depends on _splitSubjectAltName setting
        # this flag; that helper is not visible here. With the flag left
        # False the code falls back to commonName -- confirm.
        self.useSubjectAltNameOnly = False

        # subjectAltName=DNS:somehost[, ...]*
        try:
            subjectAltName = peerCert.get_ext('subjectAltName').get_value()
            if self._splitSubjectAltName(self.host, subjectAltName):
                hostValidationPassed = True
            elif self.useSubjectAltNameOnly:
                raise WrongHost(expectedHost=self.host,
                                actualHost=subjectAltName,
                                fieldName='subjectAltName')
        # A LookupError from the lookup above (no such extension,
        # presumably) leaves the decision to the commonName check.
        except LookupError:
            pass

        # commonName=somehost[, ...]*
        if not hostValidationPassed:
            hasCommonName = False
            commonNames = ''
            # Try each commonName entry of the subject and stop at the first
            # match; the names seen are joined for the error message.
            for entry in peerCert.get_subject().get_entries_by_nid(m2.NID_commonName):
                hasCommonName = True
                commonName = entry.get_data().as_text()
                if not commonNames:
                    commonNames = commonName
                else:
                    commonNames += ',' + commonName
                if self._match(self.host, commonName):
                    hostValidationPassed = True
                    break

            if not hasCommonName:
                raise WrongCertificate('no commonName in peer certificate')

            if not hostValidationPassed:
                raise WrongHost(expectedHost=self.host,
                                actualHost=commonNames,
                                fieldName='commonName')

    return True
def _fingerprint(x509, md='sha1'):
    """
    Return hex() of the integer value of the certificate's digest.

    The digest named by `md` is computed over x509.as_der(). The result
    keeps the "0x" prefix that hex() produces and does not preserve leading
    zero digits, so its length is not fixed.
    """
    encoded = x509.as_der()
    hasher = EVP.MessageDigest(md)
    hasher.update(encoded)
    return hex(util.octx_to_num(hasher.final()))
def fingerprint(x509):
    """
    Return hex() of the integer value of the certificate's SHA-1 digest.

    The digest is computed over x509.as_der(). The digest name is fixed to
    'sha1' in this helper. The returned string keeps the "0x" prefix and
    loses any leading zero digits of the digest.
    """
    encoded = x509.as_der()
    hasher = MessageDigest('sha1')
    hasher.update(encoded)
    return hex(util.octx_to_num(hasher.final()))