def test_verify_final(self): from M2Crypto import X509 pkey = EVP.load_key('tests/signer_key.pem') pkey.sign_init() pkey.sign_update('test message') sig = pkey.sign_final() # OK x509 = X509.load_cert('tests/signer.pem') pubkey = x509.get_pubkey() pubkey.verify_init() pubkey.verify_update('test message') assert pubkey.verify_final(sig) == 1 # wrong cert x509 = X509.load_cert('tests/x509.pem') pubkey = x509.get_pubkey() pubkey.verify_init() pubkey.verify_update('test message') assert pubkey.verify_final(sig) == 0 # wrong message x509 = X509.load_cert('tests/signer.pem') pubkey = x509.get_pubkey() pubkey.verify_init() pubkey.verify_update('test message not') assert pubkey.verify_final(sig) == 0
def test_get_certs_from_string_valid(self): root_ca_path = os.path.join(CA_CHAIN_TEST_DATA, "certs/ROOT_CA/root_ca.pem") sub_ca_path = os.path.join(CA_CHAIN_TEST_DATA, "certs/SUB_CA/sub_ca.pem") ca_chain_path = os.path.join(CA_CHAIN_TEST_DATA, "certs/ca_chain") expected_root_ca_cert = X509.load_cert(root_ca_path) self.assertTrue(expected_root_ca_cert.check_ca()) expected_sub_ca_cert = X509.load_cert(sub_ca_path) self.assertTrue(expected_sub_ca_cert.check_ca()) data = open(ca_chain_path).read() certs = self.utils.get_certs_from_string(data) self.assertEquals(len(certs), 3) self.assertTrue(certs[0].check_ca()) self.assertTrue(expected_root_ca_cert.get_subject().as_hash(), certs[0].get_subject().as_hash()) self.assertTrue(expected_root_ca_cert.get_issuer().as_hash(), certs[0].get_issuer().as_hash()) self.assertTrue(certs[1].check_ca()) self.assertTrue(expected_sub_ca_cert.get_subject().as_hash(), certs[1].get_subject().as_hash()) self.assertTrue(expected_sub_ca_cert.get_issuer().as_hash(), certs[1].get_issuer().as_hash())
def _ok_to_renew_cert(self, pkcs12, name, extract): res = False if os.path.exists(pkcs12): x509 = self._extractPKCS12Certificate(pkcs12) if self._expired(x509): if not extract: res = True else: if x509.verify( X509.load_cert( oenginecons.FileLocations. OVIRT_ENGINE_PKI_ENGINE_CA_CERT ).get_pubkey() ): self.logger.debug( 'certificate is an internal certificate' ) # sanity check, make sure user did not manually # change cert x509x = X509.load_cert( os.path.join( ( oenginecons.FileLocations. OVIRT_ENGINE_PKICERTSDIR ), '%s.cer' % name, ) ) if x509x.as_pem() == x509.as_pem(): self.logger.debug('certificate is sane') res = True return res
def validate_cert(cert_str, subca_str): cert = X509.load_cert_string(cert_str) sub_ca = X509.load_cert_string(subca_str) ecraiz = X509.load_cert(ecraiz_cert) if "001" not in sub_ca.get_issuer().as_text(): cccert = X509.load_cert(cc_cert2, format=0) else: cccert = X509.load_cert(cc_cert1, format=0) if sub_ca.get_subject().as_text() == cert.get_issuer().as_text(): pkey = sub_ca.get_pubkey() if not cert.verify(pkey): return False elif cccert.get_subject().as_text() == sub_ca.get_issuer().as_text(): pkey = cccert.get_pubkey() if not sub_ca.verify(pkey): return False elif ecraiz.get_subject().as_text() == cccert.get_issuer().as_text(): pkey = ecraiz.get_pubkey() if cccert.verify(pkey): if ecraiz.verify(pkey): return True return False
def test_long_serial(self): from M2Crypto import X509 cert = X509.load_cert('tests/long_serial_cert.pem') self.assertEquals(cert.get_serial_number(), 17616841808974579194) cert = X509.load_cert('tests/thawte.pem') self.assertEquals(cert.get_serial_number(), 127614157056681299805556476275995414779)
def test_verify_with_add_crls(self): ca = X509.load_cert("tests/crl_data/certs/revoking_ca.pem") valid_cert = X509.load_cert('tests/crl_data/certs/valid_cert.pem') revoked_cert = X509.load_cert('tests/crl_data/certs/revoked_cert.pem') crl = X509.load_crl('tests/crl_data/certs/revoking_crl.pem') # Verify that a good cert is verified OK store = X509.X509_Store() store.add_x509(ca) store.set_flags(X509.m2.X509_V_FLAG_CRL_CHECK | X509.m2.X509_V_FLAG_CRL_CHECK_ALL) crl_stack = X509.CRL_Stack() crl_stack.push(crl) store_ctx = X509.X509_Store_Context() store_ctx.init(store, valid_cert) store_ctx.add_crls(crl_stack) self.assertTrue(store_ctx.verify_cert()) # Verify that a revoked cert is not verified store = X509.X509_Store() store.add_x509(ca) store.set_flags(X509.m2.X509_V_FLAG_CRL_CHECK | X509.m2.X509_V_FLAG_CRL_CHECK_ALL) crl_stack = X509.CRL_Stack() crl_stack.push(crl) store_ctx = X509.X509_Store_Context() store_ctx.init(store, revoked_cert) store_ctx.add_crls(crl_stack) self.assertFalse(store_ctx.verify_cert())
def _late_setup(self): if ( X509.load_cert(file=(oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT), format=X509.FORMAT_PEM) .get_pubkey() .get_rsa() .pub() != X509.load_cert(file=oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT, format=X509.FORMAT_PEM) .get_pubkey() .get_rsa() .pub() ): self.logger.warning(_("The CA certificate of Apache is changed")) self.dialog.note( text=_( "{apache_ca} is different from {ca} .\n" "It was probably replaced with a 3rd party certificate.\n" "You might want to replace it again with a certificate\n" "for the new host name.\n" ).format( apache_ca=(oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT), ca=(oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT), ) ) else: self._enabled = True self.environment[osetupcons.RenameEnv.FILES_TO_BE_MODIFIED].extend( ( oenginecons.FileLocations.OVIRT_ENGINE_PKI_APACHE_STORE, oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_KEY, oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CERT, ) )
def test_load(self): x509 = X509.load_cert('tests/x509.pem') x5092 = X509.load_cert('tests/x509.der', format=X509.FORMAT_DER) self.assertEqual(x509.as_text(), x5092.as_text()) self.assertEqual(x509.as_pem(), x5092.as_pem()) self.assertEqual(x509.as_der(), x5092.as_der()) return
def test_verify(self): ca = X509.load_cert("tests/crl_data/certs/revoking_ca.pem") crl = X509.load_crl('tests/crl_data/certs/revoking_crl.pem') self.assertTrue(crl.verify(ca.get_pubkey())) wrong_ca = X509.load_cert('tests/ca.pem') self.assertFalse(crl.verify(wrong_ca.get_pubkey()))
def test_easy_rsa_generated(self): """ Test loading a cert generated by easy RSA. https://github.com/fedora-infra/fedmsg/pull/389 """ # Does this raise an exception? X509.load_cert('tests/easy_rsa.pem')
def test_load(self): x509 = X509.load_cert('tests/x509.pem') x5092 = X509.load_cert('tests/x509.der', format=X509.FORMAT_DER) assert x509.as_text() == x5092.as_text() assert x509.as_pem() == x5092.as_pem() assert x509.as_der() == x5092.as_der() return
def test_data_is_valid(self): root_ca = X509.load_cert(ROOT_CA) self.assertTrue(root_ca.check_ca()) sub_ca = X509.load_cert(SUB_CA) self.assertTrue(sub_ca.check_ca()) test_cert = X509.load_cert(TEST_CERT) self.assertFalse(test_cert.check_ca())
def test_verify_with_missing_root_CA(self): sub_ca = X509.load_cert(SUB_CA) test_cert = X509.load_cert(TEST_CERT) store = X509.X509_Store() store.add_x509(sub_ca) store_ctx = X509.X509_Store_Context() store_ctx.init(store, test_cert) self.assertFalse(store_ctx.verify_cert())
def test_get_issuer(self): ca = X509.load_cert("tests/crl_data/certs/revoking_ca.pem") crl = X509.load_crl('tests/crl_data/certs/revoking_crl.pem') ca_issuer = ca.get_issuer() crl_issuer = crl.get_issuer() self.assertEqual(ca_issuer.as_hash(), crl_issuer.as_hash()) wrong_ca = X509.load_cert('tests/ca.pem') wrong_ca_issuer = wrong_ca.get_issuer() self.assertNotEqual(wrong_ca_issuer.as_hash(), crl_issuer.as_hash())
def load_pub(self): if (self.loaded & 2) == 2: return l = os.listdir(self.ca_path) l.sort() for e in l: if re.match("(part.*)\.pem", e) != None: self.cert.append(X509.load_cert(self.ca_path + e)) self.acert = X509.load_cert(self.ca_path + 'arbiter.pem') self.akey = RSA.load_key(self.ca_path + 'arbiter.key') self.loaded |= 2
def test_verify_with_full_chain(self): root_ca = X509.load_cert(ROOT_CA) sub_ca = X509.load_cert(SUB_CA) test_cert = X509.load_cert(TEST_CERT) store = X509.X509_Store() store.add_x509(root_ca) store.add_x509(sub_ca) store_ctx = X509.X509_Store_Context() store_ctx.init(store, test_cert) self.assertTrue(store_ctx.verify_cert())
def pki_verify_certificate(cert_loc, ca_cert_loc): """ Verifies a certificate by using CA certificate. Parameters: cert_loc = location of file with certificate to verify ca_cert_loc = location of file with CA certificate Return: 1 if client certificate is valid, 0 otherwise. """ cert = X509.load_cert(cert_loc) ca_cert = X509.load_cert(ca_cert_loc) return cert.verify(ca_cert.get_pubkey())
def test_singlehost_rename_old_certs(self): """Test repeated requests for the same host to make sure we aren't overwriting files. https://jira.opensciencegrid.org/browse/OSGPKI-137 https://jira.opensciencegrid.org/browse/OSGPKI-139 """ hostname = 'test.' + DOMAIN initial_req = OIM() rc, _, _, msg = initial_req.gridadmin_request('--hostname', hostname) self.assertEqual(rc, 0, "Failed to request initial certificate\n%s" % msg) # Request another cert that will move the previous cert out of the way rc, stdout, _, msg = OIM().gridadmin_request('--hostname', hostname) self.assertEqual(rc, 0, "Failed to request second certificate\n%s" % msg) # Verify that the moved key/cert pair is the same as in the initial request try: # TODO: The format of the output is not text wrapped like it should be. # When that is fixed, the regex should be updated old_cert_path = re.search(r'Renaming existing file from.*to (.*)', stdout).group(1) old_key_path = re.search(r'Renaming existing key from.*to (.*)', stdout).group(1) except AttributeError: self.fail('Failed to move old cert or key\n' + msg) # Cert objects don't seem to handle equality checks well, compare the pem versions old_cert = X509.load_cert(old_cert_path).as_pem() self.assertEqual(initial_req.certs[0].as_pem(), old_cert, 'Renamed cert is not the same as the initial cert\n' + msg) # Need to grab pem formats without a cipher to compare keys old_key = RSA.load_key(old_key_path, OIM.simple_pass_callback) old_key_pem = old_key.as_pem(cipher=None, callback=OIM.simple_pass_callback) initial_key_pem = initial_req.keys[0].as_pem(cipher=None, callback=OIM.simple_pass_callback) self.assertEqual(initial_key_pem, old_key_pem, 'Renamed key is not the same as the initial key\n' + msg)
def encrypt_block(blob, pubkey): """ Encrypt the given blob of data, given the public key provided. :return The encrypted blob. """ # Make a MemoryBuffer of the message. inbuf = BIO.MemoryBuffer(blob) # Seed the PRNG. Rand.rand_seed(os.urandom(1024)) # Instantiate an SMIME object. s = SMIME.SMIME() # Load target cert to encrypt to. x509 = X509.load_cert(pubkey) sk = X509.X509_Stack() sk.push(x509) s.set_x509_stack(sk) # Set cipher: AES 256 bit in CBC mode. s.set_cipher(SMIME.Cipher('aes_256_cbc')) # Encrypt the buffer. p7 = s.encrypt(inbuf) temp_buff = BIO.MemoryBuffer() s.write(temp_buff, p7) x = temp_buff.read() return x
def test_as_der(self): stack = X509.X509_Stack() cert = X509.load_cert("tests/x509.pem") issuer = X509.load_cert("tests/ca.pem") cert_subject1 = cert.get_subject() issuer_subject1 = issuer.get_subject() stack.push(cert) stack.push(issuer) der_seq = stack.as_der() stack2 = X509.new_stack_from_der(der_seq) issuer_pop = stack2.pop() cert_pop = stack2.pop() cert_subject2 = cert_pop.get_subject() issuer_subject2 = issuer.get_subject() assert str(cert_subject1) == str(cert_subject2) assert str(issuer_subject1) == str(issuer_subject2)
def test_encrypt(self): buf = BIO.MemoryBuffer(self.cleartext) s = SMIME.SMIME() x509 = X509.load_cert('test/recipient.pem') sk = X509.X509_Stack() sk.push(x509) s.set_x509_stack(sk) self.assertRaises(ValueError, SMIME.Cipher, 'nosuchcipher') s.set_cipher(SMIME.Cipher('des_ede3_cbc')) p7 = s.encrypt(buf) assert len(buf) == 0 assert p7.type() == SMIME.PKCS7_ENVELOPED, p7.type() assert isinstance(p7, SMIME.PKCS7), p7 out = BIO.MemoryBuffer() p7.write(out) buf = out.read() assert buf[:len('-----BEGIN PKCS7-----')] == '-----BEGIN PKCS7-----' buf = buf.strip() assert buf[-len('-----END PKCS7-----'):] == '-----END PKCS7-----' assert len(buf) > len('-----END PKCS7-----') + len('-----BEGIN PKCS7-----') s.write(out, p7) return out
def test_save_der_string(self): x509 = X509.load_cert('tests/x509.pem') s = x509.as_der() f = open('tests/x509.der', 'rb') s2 = f.read() f.close() assert s == s2
def store_certificate(certificate, bitcoin_address): # Load ACA cert and public key aca_cert = X509.load_cert(ACA_CERT) pk = RSA.importKey(aca_cert.get_pubkey().as_der()) # Obtain the TBS certificate cert_hash = certificate_hashing(certificate) asn1_cert = decoder.decode(certificate, asn1Spec=Certificate())[0] # Extract the certificate signature signature_bin = asn1_cert.getComponentByName("signatureValue") # Parse the signature signature_str = "" for i in signature_bin: signature_str += str(i) signature = long(signature_str, 2) # Check the parsed signature matches with the signature of the obtained hash if pk.verify(cert_hash, [signature, 0]): utils_store_certificate(certificate, CS_CERTS_PATH + bitcoin_address, '.pem') response = "Certificate correctly stored" else: response = json.dumps({'data': "Bad certificate\n"}), 500 return response
def get_modulus_exponent_from_cert_and_pkey_pemfile(cert_path='/tmp/xmppwebid_cert.pem', key_path='/tmp/xmppwebid_key.key'): """Get the modulus and exponent of RSA key from a PEM Certificate and key files m2.rsa_get_e(rsa.rsa) return something like '\x00\x00\x00\x03\x01\x00\x01' so to get the decimal value (65537), two crufty methods :param cert_path: certificate path :type cert_path: string :param key_path: key path :type key_path: string :return: tuple(modulus, exponent) :rtype: tuple (hex, int) .. TODO:: replace the exponent method with something cleaner """ cert=X509.load_cert(cert_path) pubkey = cert.get_pubkey() modulus = pubkey.get_modulus() pkey_rsa = RSA.load_key(key_path) e = m2.rsa_get_e(pkey_rsa.rsa) # exponent = int(eval(repr(e[-3:]).replace('\\x', '')),16) exponent = int(''.join(["%2.2d" % ord(x) for x in e[-3:]]),16) return modulus, exponent
def __init__(self, pub_key, priv_key, ca_cert, passphrase): """ Create a Certification Subject Object. Arguments: pub_key: file system path of the Subject's Public Key. priv_key: file system path of the Subject's Private Key (encrypted). ca_cert: file system path of the Certification Authority's Certificate. passphrase: Symmetric key for priv_key decryption. """ def getPassphrase(*args): """ Callback for private key decrypting. """ return str(passphrase.encode('utf-8')) self.pub_key = RSA.load_pub_key(pub_key.encode('utf-8')) self.priv_key = RSA.load_key(priv_key.encode('utf-8'), getPassphrase) self.ca_cert = X509.load_cert(ca_cert.decode('utf-8')) # Private key for signing self.signEVP = EVP.PKey() self.signEVP.assign_rsa(self.priv_key) # CA Key for validations self.verifyEVP = EVP.PKey() self.verifyEVP.assign_rsa(self.ca_cert.get_pubkey().get_rsa())
def test_with_incomplete_chain_file(self): test_cert = X509.load_cert(TEST_CERT) store = X509.X509_Store() self.assertEquals(store.load_info(SUB_CA), 1) store_ctx = X509.X509_Store_Context() store_ctx.init(store, test_cert) self.assertFalse(store_ctx.verify_cert())
def cert_fingerprint(cert_location): try: from M2Crypto import X509 cert = X509.load_cert(cert_location) return cert.get_fingerprint('sha1') except ImportError: return cert_fingerprint_via_openssl(cert_location)
def loadCert(name): """Load a cert and its private key and return them both.""" p = name + ".pem" c = X509.load_cert(p) k = EVP.PKey() k.assign_rsa(RSA.load_key(p, callback=pwCb)) return c, k
def verify_pkcs7(pkcs7_sig, document): try: # raw_sig = pkcs7_sig raw_sig = str(pkcs7_sig).encode('ascii') msg = document sm_obj = SMIME.SMIME() x509 = X509.load_cert(os.path.join(config.APP_STATIC, 'AWSpubkey')) # public key cert used by the remote # client when signing the message sk = X509.X509_Stack() sk.push(x509) sm_obj.set_x509_stack(sk) st = X509.X509_Store() st.load_info(os.path.join(config.APP_STATIC, 'AWSpubkey')) # Public cert for the CA which signed # the above certificate sm_obj.set_x509_store(st) # re-wrap signature so that it fits base64 standards cooked_sig = '\n'.join(raw_sig[pos:pos + 76] for pos in xrange(0, len(raw_sig), 76)) # cooked_sig = raw_sig # now, wrap the signature in a PKCS7 block sig = ("-----BEGIN PKCS7-----\n" + cooked_sig + "\n-----END PKCS7-----").encode('ascii') # and load it into an SMIME p7 object through the BIO I/O buffer: buf = BIO.MemoryBuffer(sig) p7 = SMIME.load_pkcs7_bio(buf) # finally, try to verify it: if dict(json.loads(sm_obj.verify(p7))) == dict(json.loads(msg)): return True else: return False except Exception as e: raise Exception("INVALID CLIENT MESSAGE SIGNATURE")
def test_with_single_chain_file(self): test_cert = X509.load_cert(TEST_CERT) store = X509.X509_Store() self.assertEquals(store.load_info(CA_CHAIN), 1) store_ctx = X509.X509_Store_Context() store_ctx.init(store, test_cert) self.assertTrue(store_ctx.verify_cert())
def verify(self): # Instantiate an SMIME object. s = SMIME.SMIME() # Load the signer's cert. x509 = X509.load_cert(signer_cert) sk = X509.X509_Stack() sk.push(x509) s.set_x509_stack(sk) # Load the signer's CA cert. st = X509.X509_Store() st.load_info(ca_cert) s.set_x509_store(st) # Load the data, verify it. p7, data = SMIME.smime_load_pkcs7('smime-m2-sign.txt') v = s.verify(p7) print v print data print data.read()
def _createSignature(self, manifest, certificate, key, wwdr_certificate, password): def passwordCallback(*args, **kwds): return password smime = SMIME.SMIME() # we need to attach wwdr cert as X509 wwdrcert = X509.load_cert(wwdr_certificate) stack = X509_Stack() stack.push(wwdrcert) smime.set_x509_stack(stack) # need to cast to string since load_key doesnt work with unicode paths smime.load_key(str(key), certificate, callback=passwordCallback) pk7 = smime.sign(SMIME.BIO.MemoryBuffer(manifest.encode('utf8')), flags=SMIME.PKCS7_DETACHED | SMIME.PKCS7_BINARY) pem = SMIME.BIO.MemoryBuffer() pk7.write(pem) # convert pem to der der = b''.join(l.strip() for l in pem.read().split(b'-----')[2].splitlines()) der = base64.b64decode(der) return der
def create_endpoints(sysinfo): """Find all the StorageEndpoints on this DPM and return an array of them""" cert_subject = None try: from M2Crypto import X509 x509 = X509.load_cert(sysinfo.cert, X509.FORMAT_PEM) cert_subject = "/%s" % '/'.join( x509.get_issuer().as_text().split(', ')) except: pass ret = [] if 9000 in sysinfo.ports: ret.append( Endpoint("https", sysinfo.host, 9000, "", cert_subject, *sysinfo.getprotinfo("https"))) if 1094 in sysinfo.ports: ret.append( Endpoint("xroot", sysinfo.host, 1094, "/", cert_subject, *sysinfo.getprotinfo("root"))) return ret
def test_save(self): x509 = X509.load_cert('tests/x509.pem') f = open('tests/x509.pem', 'r') lTmp = f.readlines() #x509_pem = ''.join(lTmp[44:60]) # -----BEGIN CERTIFICATE----- : -----END CERTIFICATE----- x509_pem = ''.join(lTmp[lTmp.index('-----BEGIN CERTIFICATE-----\n'):( lTmp.index('-----END CERTIFICATE-----\n') + 1)]) f.close() f = open('tests/x509.der', 'rb') x509_der = f.read() f.close() x509.save('tests/tmpcert.pem') f = open('tests/tmpcert.pem') s = f.read() f.close() self.assertEquals(s, x509_pem) os.remove('tests/tmpcert.pem') x509.save('tests/tmpcert.der', format=X509.FORMAT_DER) f = open('tests/tmpcert.der', 'rb') s = f.read() f.close() self.assertEquals(s, x509_der) os.remove('tests/tmpcert.der')
def _createSignature(self, manifest, certificate, key, wwdr_certificate, password): def passwordCallback(*args, **kwds): return password smime = SMIME.SMIME() #we need to attach wwdr cert as X509 wwdrcert = X509.load_cert(wwdr_certificate) stack = X509_Stack() stack.push(wwdrcert) smime.set_x509_stack(stack) smime.load_key(key, certificate, callback=passwordCallback) pk7 = smime.sign(SMIME.BIO.MemoryBuffer(manifest), flags=SMIME.PKCS7_DETACHED | SMIME.PKCS7_BINARY) pem = SMIME.BIO.MemoryBuffer() pk7.write(pem) # convert pem to der der = ''.join(l.strip() for l in pem.read().split('-----') [2].splitlines()).decode('base64') return der
def mk_temporary_cert(cacert_file, ca_key_file, cn): """ Create a temporary certificate signed by the given CA, and with the given common name. If cacert_file and ca_key_file is None, the certificate will be self-signed. Args: cacert_file -- file containing the CA certificate ca_key_file -- file containing the CA private key cn -- desired common name Returns a namedtemporary file with the certificate and private key """ cert_req, pk2 = mk_request(1024, cn=cn) if cacert_file and ca_key_file: cacert = X509.load_cert(cacert_file) pk1 = EVP.load_key(ca_key_file) else: cacert = None pk1 = None cert = mk_cert() cert.set_subject(cert_req.get_subject()) cert.set_pubkey(cert_req.get_pubkey()) if cacert and pk1: cert.set_issuer(cacert.get_issuer()) cert.sign(pk1, 'sha1') else: cert.set_issuer(cert.get_subject()) cert.sign(pk2, 'sha1') certf = namedtmp() certf.write(cert.as_pem()) certf.write(pk2.as_pem(None)) certf.flush() return certf
def _aia(self): x509 = X509.load_cert( file=oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT, format=X509.FORMAT_PEM, ) try: authorityInfoAccess = x509.get_ext( 'authorityInfoAccess').get_value() self.logger.warning(_('AIA extension found in CA certificate')) self.dialog.note(text=_( 'Please note:\n' 'The certificate for the CA contains the\n' '"Authority Information Access" extension pointing\n' 'to the old hostname:\n' '{aia}' 'Currently this is harmless, but it might affect future\n' 'upgrades. In version 3.3 the default was changed to\n' 'create new CA certificate without this extension. If\n' 'possible, it might be better to not rely on this\n' 'program, and instead backup, cleanup and setup again\n' 'cleanly.\n' '\n' 'More details can be found at the following address:\n' 'http://www.ovirt.org/Changing_Engine_Hostname\n').format( aia=authorityInfoAccess, ), ) if not dialog.queryBoolean( dialog=self.dialog, name='OVESETUP_RENAME_AIA_BYPASS', note=_( 'Do you want to continue? (@VALUES@) [@DEFAULT@]: '), prompt=True, ): raise RuntimeError(_('Aborted by user')) except LookupError: pass
def verify(client: Client, args: Dict): """ Verify the signature Args: client: Client args: Dict """ signed_message = demisto.getFilePath(args.get('signed_message')) x509 = X509.load_cert(client.public_key_file) sk = X509.X509_Stack() sk.push(x509) client.smime.set_x509_stack(sk) st = X509.X509_Store() st.load_info(client.public_key_file) client.smime.set_x509_store(st) p7, data = SMIME.smime_load_pkcs7(signed_message['path']) v = client.smime.verify(p7, data, flags=SMIME.PKCS7_NOVERIFY) human_readable = f'The signature verified\n\n{v}' return human_readable, {}
def encrypt_email_body(client: Client, args: Dict): """ generate an S/MIME-encrypted message Args: client: Client args: Dict """ message_body = args.get('message', '').encode('utf-8') buf = makebuf(message_body) x509 = X509.load_cert(client.public_key_file) sk = X509.X509_Stack() sk.push(x509) client.smime.set_x509_stack(sk) client.smime.set_cipher(SMIME.Cipher('des_ede3_cbc')) p7 = client.smime.encrypt(buf) out = BIO.MemoryBuffer() client.smime.write(out, p7) encrypted_message = out.read().decode('utf-8') message = encrypted_message.split('\n\n') headers = message[0] new_headers = headers.replace(': ', '=').replace('\n', ',') entry_context = { 'SMIME.Encrypted': { 'Message': encrypted_message, 'Headers': new_headers } } return encrypted_message, entry_context
def verify_s(cert_list, signature, data): """returns the subject of the first certificate in <cert_list> that makes the <signature> match the SHA hash of the data. If no certificate does it, return None""" #signature = unhexlify(hexlify(signature)) #data = unhexlify(hexlify(data)) cert_extension = ".crt" cert_dir = './certificates/' certs = [ cert_dir + x for x in os.listdir(cert_dir) if len(x) > 4 and x[-len(cert_extension):] == cert_extension ] for cert_file in certs: try: cert = X509.load_cert(cert_file) pub_k = cert.get_pubkey() pub_k.verify_init() if pub_k.verify_update(data) != 1: raise Exception("error verify update") if pub_k.verify_final(signature) == 1: sub = cert.get_subject() return str(sub) # there is an hidden free() when using the # return value outside this function: str() forces the copy except BaseException as e: print str(e) return None
def updateVdcOptions( self, options, ): for option in options: value = option['value'] if option.get('encrypt', False): x509 = X509.load_cert( file=( osetupcons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CERT), format=X509.FORMAT_PEM, ) value = base64.b64encode( x509.get_pubkey().get_rsa().public_encrypt( data=value, padding=RSA.pkcs1_padding, ), ) if isinstance(value, bool): value = 'true' if value else 'false' self.execute( statement=""" update vdc_options set option_value=%(value)s, version=%(version)s where option_name=%(name)s """, args=dict( name=option['name'], value=value, version=option.get('version', 'general'), ), )
def test_save(self): x509 = X509.load_cert('tests/x509.pem') with open('tests/x509.pem', 'r') as f: l_tmp = f.readlines() # -----BEGIN CERTIFICATE----- : -----END CERTIFICATE----- beg_idx = l_tmp.index('-----BEGIN CERTIFICATE-----\n') end_idx = l_tmp.index('-----END CERTIFICATE-----\n') x509_pem = ''.join(l_tmp[beg_idx:end_idx + 1]) with open('tests/x509.der', 'rb') as f: x509_der = f.read() x509.save('tests/tmpcert.pem') with open('tests/tmpcert.pem') as f: s = f.read() self.assertEqual(s, x509_pem) os.remove('tests/tmpcert.pem') x509.save('tests/tmpcert.der', format=X509.FORMAT_DER) with open('tests/tmpcert.der', 'rb') as f: s = f.read() self.assertEqual(s, x509_der) os.remove('tests/tmpcert.der')
def encrypt(self): # Make a MemoryBuffer of the message. buf = makebuf('a sign of our times') # Seed the PRNG. Rand.load_file(randpool, -1) # Instantiate an SMIME object. s = SMIME.SMIME() # Load target cert to encrypt to. x509 = X509.load_cert(recipient_cert) sk = X509.X509_Stack() sk.push(x509) s.set_x509_stack(sk) # Set cipher: 3-key triple-DES in CBC mode. s.set_cipher(SMIME.Cipher('des_ede3_cbc')) # Encrypt the buffer. p7 = s.encrypt(buf) # Output p7 in mail-friendly format. out = BIO.MemoryBuffer() out.write('From: [email protected]\n') out.write('To: [email protected]\n') out.write('Subject: M2Crypto S/MIME testing\n') s.write(out, p7) result = out.read() # Save the PRNG's state. Rand.save_file(randpool) open('smime-m2-encrypt.txt', 'wt').write(result)
def test_fingerprint(self): x509 = X509.load_cert('tests/x509.pem') fp = x509.get_fingerprint('sha1') self.assertEqual(fp, self.expected_hash)
def makebuf(text): return BIO.MemoryBuffer(bytes(text, 'utf-8')) # Make a MemoryBuffer of the message. buf = makebuf(message) # Seed the PRNG. Rand.load_file('randpool.dat', -1) # Instantiate an SMIME object. s = SMIME.SMIME() # Load target cert to encrypt to. x509 = X509.load_cert('sample_keys/recipient.pem') sk = X509.X509_Stack() sk.push(x509) s.set_x509_stack(sk) # Set cipher: 3-key triple-DES in CBC mode. s.set_cipher(SMIME.Cipher('des_ede3_cbc')) # Encrypt the buffer. p7 = s.encrypt(buf) # Output p7 in mail-friendly format. out = BIO.MemoryBuffer() out.write('From: [email protected]\n') out.write('To: [email protected]\n') out.write('Subject: M2Crypto S/MIME testing\n')
# Need to reconstruct a Mail message with content type # as SMIME wants it in that format bio = BIO.MemoryBuffer("Content-Type: ") bio.write(contentType) bio.write("\r\n\r\n") bio.write(data) s = SMIME.SMIME() s.load_key('src/main/resources/private.pem', 'src/main/resources/cert.pem') p7, d = SMIME.smime_load_pkcs7_bio(bio) out = s.decrypt(p7) # Load the signer's cert. x509 = X509.load_cert('src/main/resources/cert.pem') sk = X509.X509_Stack() sk.push(x509) s.set_x509_stack(sk) # Load the signer's CA cert. In this case, because the signer's # cert is self-signed, it is the signer's cert itself. st = X509.X509_Store() st.load_info('src/main/resources/cert.pem') s.set_x509_store(st) # Recall 'out' contains a PKCS #7 blob. # Transform 'out'; verify the resulting PKCS #7 blob. p7_bio = BIO.MemoryBuffer(out) p7, data = SMIME.smime_load_pkcs7_bio(p7_bio) v = s.verify(p7, data)
def __init__(self, ca, eku, peer=None): self._eku = eku if peer is not None: self._peer = X509.load_cert_string(peer) if ca is not None: self._ca = X509.load_cert(ca)
def test_x509_public_encrypt(self): x509 = X509.load_cert("tests/recipient.pem") rsa = x509.get_pubkey().get_rsa() rsa.public_encrypt(b"data", RSA.pkcs1_padding)
from M2Crypto import SMIME, X509 # Instantiate an SMIME object. s = SMIME.SMIME() # Load the signer's cert. x509 = X509.load_cert('signer.pem') sk = X509.X509_Stack() sk.push(x509) s.set_x509_stack(sk) # Load the signer's CA cert. In this case, because the signer's # cert is self-signed, it is the signer's cert itself. st = X509.X509_Store() st.load_info('signer.pem') s.set_x509_store(st) # Load the data, verify it. p7, data = SMIME.smime_load_pkcs7('sign.p7') ''' v = s.verify(p7,data) print v print data print data.read() '''
def generate_manifest(self, path, prefix, parts, parts_digest, file, key, iv, cert_path, ec2cert_path, private_key_path, target_arch, image_size, bundled_size, image_digest, user, kernel, ramdisk, mapping=None, product_codes=None, ancestor_ami_ids=None): user_pub_key = X509.load_cert(cert_path).get_pubkey().get_rsa() cloud_pub_key = \ X509.load_cert(ec2cert_path).get_pubkey().get_rsa() user_encrypted_key = hexlify( user_pub_key.public_encrypt(key, RSA.pkcs1_padding)) user_encrypted_iv = hexlify( user_pub_key.public_encrypt(iv, RSA.pkcs1_padding)) cloud_encrypted_key = hexlify( cloud_pub_key.public_encrypt(key, RSA.pkcs1_padding)) cloud_encrypted_iv = hexlify( cloud_pub_key.public_encrypt(iv, RSA.pkcs1_padding)) user_priv_key = None if private_key_path: user_priv_key = RSA.load_key(private_key_path) manifest_file = '%s.manifest.xml' % os.path.join(path, prefix) if self.euca.debug: print 'Manifest: ', manifest_file print 'Generating manifest %s' % manifest_file manifest_out_file = open(manifest_file, 'wb') doc = Document() manifest_elem = doc.createElement('manifest') doc.appendChild(manifest_elem) # version version_elem = doc.createElement('version') version_value = doc.createTextNode(VERSION) version_elem.appendChild(version_value) manifest_elem.appendChild(version_elem) # bundler info bundler_elem = doc.createElement('bundler') bundler_name_elem = doc.createElement('name') bundler_name_value = doc.createTextNode(BUNDLER_NAME) bundler_name_elem.appendChild(bundler_name_value) bundler_version_elem = doc.createElement('version') bundler_version_value = doc.createTextNode(BUNDLER_VERSION) bundler_version_elem.appendChild(bundler_version_value) bundler_elem.appendChild(bundler_name_elem) bundler_elem.appendChild(bundler_version_elem) # release release_elem = doc.createElement('release') release_value = doc.createTextNode(RELEASE) release_elem.appendChild(release_value) bundler_elem.appendChild(release_elem) manifest_elem.appendChild(bundler_elem) # machine config machine_config_elem = doc.createElement('machine_configuration') manifest_elem.appendChild(machine_config_elem) target_arch_elem = doc.createElement('architecture') target_arch_value = doc.createTextNode(target_arch) target_arch_elem.appendChild(target_arch_value) machine_config_elem.appendChild(target_arch_elem) # block device mapping if mapping: block_dev_mapping_elem = \ doc.createElement('block_device_mapping') for vname, dname in mapping.items(): mapping_elem = doc.createElement('mapping') virtual_elem = doc.createElement('virtual') virtual_value = doc.createTextNode(vname) virtual_elem.appendChild(virtual_value) mapping_elem.appendChild(virtual_elem) device_elem = doc.createElement('device') device_value = doc.createTextNode(dname) device_elem.appendChild(device_value) mapping_elem.appendChild(device_elem) block_dev_mapping_elem.appendChild(mapping_elem) machine_config_elem.appendChild(block_dev_mapping_elem) if product_codes: product_codes_elem = doc.createElement('product_codes') for product_code in product_codes: product_code_elem = doc.createElement('product_code') product_code_value = doc.createTextNode(product_code) product_code_elem.appendChild(product_code_value) product_codes_elem.appendChild(product_code_elem) machine_config_elem.appendChild(product_codes_elem) # kernel and ramdisk if kernel: kernel_id_elem = doc.createElement('kernel_id') kernel_id_value = doc.createTextNode(kernel) kernel_id_elem.appendChild(kernel_id_value) machine_config_elem.appendChild(kernel_id_elem) if ramdisk: ramdisk_id_elem = doc.createElement('ramdisk_id') ramdisk_id_value = doc.createTextNode(ramdisk) ramdisk_id_elem.appendChild(ramdisk_id_value) machine_config_elem.appendChild(ramdisk_id_elem) image_elem = doc.createElement('image') manifest_elem.appendChild(image_elem) # name image_name_elem = doc.createElement('name') image_name_value = \ doc.createTextNode(self.euca.get_relative_filename(file)) image_name_elem.appendChild(image_name_value) image_elem.appendChild(image_name_elem) # user user_elem = doc.createElement('user') user_value = doc.createTextNode('%s' % user) user_elem.appendChild(user_value) image_elem.appendChild(user_elem) # type # TODO: fixme image_type_elem = doc.createElement('type') image_type_value = doc.createTextNode('machine') image_type_elem.appendChild(image_type_value) image_elem.appendChild(image_type_elem) # ancestor ami ids if ancestor_ami_ids: ancestry_elem = doc.createElement('ancestry') for ancestor_ami_id in ancestor_ami_ids: ancestor_id_elem = doc.createElement('ancestor_ami_id') ancestor_id_value = doc.createTextNode(ancestor_ami_id) ancestor_id_elem.appendChild(ancestor_id_value) ancestry_elem.appendChild(ancestor_id_elem) image_elem.appendChild(ancestry_elem) # digest image_digest_elem = doc.createElement('digest') image_digest_elem.setAttribute('algorithm', 'SHA1') image_digest_value = doc.createTextNode('%s' % image_digest) image_digest_elem.appendChild(image_digest_value) image_elem.appendChild(image_digest_elem) # size image_size_elem = doc.createElement('size') image_size_value = doc.createTextNode('%s' % image_size) image_size_elem.appendChild(image_size_value) image_elem.appendChild(image_size_elem) # bundled size bundled_size_elem = doc.createElement('bundled_size') bundled_size_value = doc.createTextNode('%s' % bundled_size) bundled_size_elem.appendChild(bundled_size_value) image_elem.appendChild(bundled_size_elem) # key, iv cloud_encrypted_key_elem = doc.createElement('ec2_encrypted_key') cloud_encrypted_key_value = doc.createTextNode('%s' % cloud_encrypted_key) cloud_encrypted_key_elem.appendChild(cloud_encrypted_key_value) cloud_encrypted_key_elem.setAttribute('algorithm', AES) image_elem.appendChild(cloud_encrypted_key_elem) user_encrypted_key_elem = doc.createElement('user_encrypted_key') user_encrypted_key_value = doc.createTextNode('%s' % user_encrypted_key) user_encrypted_key_elem.appendChild(user_encrypted_key_value) user_encrypted_key_elem.setAttribute('algorithm', AES) image_elem.appendChild(user_encrypted_key_elem) cloud_encrypted_iv_elem = doc.createElement('ec2_encrypted_iv') cloud_encrypted_iv_value = doc.createTextNode('%s' % cloud_encrypted_iv) cloud_encrypted_iv_elem.appendChild(cloud_encrypted_iv_value) image_elem.appendChild(cloud_encrypted_iv_elem) user_encrypted_iv_elem = doc.createElement('user_encrypted_iv') user_encrypted_iv_value = doc.createTextNode('%s' % user_encrypted_iv) user_encrypted_iv_elem.appendChild(user_encrypted_iv_value) image_elem.appendChild(user_encrypted_iv_elem) # parts parts_elem = doc.createElement('parts') parts_elem.setAttribute('count', '%s' % len(parts)) part_number = 0 for part in parts: part_elem = doc.createElement('part') filename_elem = doc.createElement('filename') filename_value = \ doc.createTextNode(self.euca.get_relative_filename(part)) filename_elem.appendChild(filename_value) part_elem.appendChild(filename_elem) # digest part_digest_elem = doc.createElement('digest') part_digest_elem.setAttribute('algorithm', 'SHA1') part_digest_value = \ doc.createTextNode(parts_digest[part_number]) part_digest_elem.appendChild(part_digest_value) part_elem.appendChild(part_digest_elem) part_elem.setAttribute('index', '%s' % part_number) parts_elem.appendChild(part_elem) part_number += 1 image_elem.appendChild(parts_elem) manifest_string = doc.toxml() if user_priv_key: string_to_sign = self.get_verification_string(manifest_string) signature_elem = doc.createElement('signature') sha_manifest = sha() sha_manifest.update(string_to_sign) signature_value = doc.createTextNode( '%s' % hexlify(user_priv_key.sign(sha_manifest.digest()))) signature_elem.appendChild(signature_value) manifest_elem.appendChild(signature_elem) manifest_out_file.write(doc.toxml()) manifest_out_file.close() return manifest_file
else: cert.set_issuer(cert.get_subject()) cert.sign(pk2, 'sha1') certf = namedtmp() certf.write(cert.as_pem()) certf.write(pk2.as_pem(None)) certf.flush() return certf if __name__ == '__main__': cacert, cert, pk = mk_casigned_cert() with open('cacert.crt', 'w') as f: f.write(cacert.as_pem()) with open('cert.crt', 'w') as f: f.write(cert.as_pem()) f.write(pk.as_pem(None)) # Sanity checks... cac = X509.load_cert('cacert.crt') print cac.verify(), cac.check_ca() cc = X509.load_cert('cert.crt') print cc.verify(cac.get_pubkey()) # protips # openssl verify -CAfile cacert.crt cacert.crt cert.crt # openssl x509 -in cert.crt -noout -text # openssl x509 -in cacert.crt -noout -text
def load_ca_cert_file(self, ca_cert_file): """ Load a CA cert from a PEM file, replacing any previous cert. """ cert = X509.load_cert(ca_cert_file) self._load_cert(cert)
def auth(username, password, **kwargs): """ Returns True if the given user cert (password is the cert contents) was issued by the CA and if cert's Common Name is equal to username. Returns False otherwise. ``username``: we need it to run the auth function from CLI/API; it should be in master config auth/acl ``password``: contents of user certificate (pem-encoded user public key); why "password"? For CLI, it's the only available name Configure the CA cert in the master config file: .. code-block:: yaml external_auth: pki: ca_file: /etc/pki/tls/ca_certs/trusted-ca.crt your_user: - .* """ pem = password cacert_file = __salt__["config.get"]("external_auth:pki:ca_file") log.debug("Attempting to authenticate via pki.") log.debug("Using CA file: %s", cacert_file) log.debug("Certificate contents: %s", pem) if HAS_M2: cert = X509.load_cert_string(pem, X509.FORMAT_PEM) cacert = X509.load_cert(cacert_file, X509.FORMAT_PEM) if cert.verify(cacert.get_pubkey()): log.info("Successfully authenticated certificate: %s", pem) return True else: log.info("Failed to authenticate certificate: %s", pem) return False c = OpenSSL.crypto cert = c.load_certificate(c.FILETYPE_PEM, pem) with salt.utils.files.fopen(cacert_file) as f: cacert = c.load_certificate(c.FILETYPE_PEM, f.read()) # Get the signing algorithm algo = cert.get_signature_algorithm() # Get the ASN1 format of the certificate cert_asn1 = c.dump_certificate(c.FILETYPE_ASN1, cert) # Decode the certificate der = asn1.DerSequence() der.decode(cert_asn1) # The certificate has three parts: # - certificate # - signature algorithm # - signature # http://usefulfor.com/nothing/2009/06/10/x509-certificate-basics/ der_cert = der[0] # der_algo = der[1] der_sig = der[2] # The signature is a BIT STRING (Type 3) # Decode that as well der_sig_in = asn1.DerObject() der_sig_in.decode(der_sig) # Get the payload sig0 = der_sig_in.payload # Do the following to see a validation error for tests # der_cert=der_cert[:20]+'1'+der_cert[21:] # First byte is the number of unused bits. This should be 0 # http://msdn.microsoft.com/en-us/library/windows/desktop/bb540792(v=vs.85).aspx if sig0[0] != "\x00": raise Exception("Number of unused bits is strange") # Now get the signature itself sig = sig0[1:] # And verify the certificate try: c.verify(cacert, sig, der_cert, algo) assert (dict(cert.get_subject().get_components())["CN"] == username ), "Certificate's CN should match the username" log.info("Successfully authenticated certificate: %s", pem) return True except (OpenSSL.crypto.Error, AssertionError): log.info("Failed to authenticate certificate: %s", pem) return False
def test_fingerprint(self): x509 = X509.load_cert('tests/x509.pem') fp = x509.get_fingerprint('sha1') expected = 'B2522F9B4F6F2461475D0C6267911537E738494F' self.assertEqual(fp, expected)
def test_date_after_2050_working(self): cert = X509.load_cert('tests/bad_date_cert.crt') self.assertEqual(str(cert.get_not_after()), 'Feb 9 14:57:46 2116 GMT')
def __init__(self, cert, key, lifetime=5): self._lifetime = lifetime self._x509 = X509.load_cert(cert) self._pkey = EVP.load_key(key)
def crt(self): if self._crt is None: self._crt = X509.load_cert(self._public_cert_filename) return self._crt
def updateVdcOptions( self, options, ownConnection=False, ): for option in options: name = option['name'] value = option['value'] version = option.get('version', 'general') if option.get('encrypt', False): x509 = X509.load_cert( file=(oenginecons.FileLocations. OVIRT_ENGINE_PKI_ENGINE_CERT), format=X509.FORMAT_PEM, ) value = base64.b64encode( x509.get_pubkey().get_rsa().public_encrypt( data=value, padding=RSA.pkcs1_padding, ), ) if isinstance(value, bool): value = 'true' if value else 'false' res = self._statement.execute( statement=""" select count(*) as count from vdc_options where option_name=%(name)s and version=%(version)s """, args=dict( name=name, version=version, ), ownConnection=ownConnection, ) if res[0]['count'] == 0: self._statement.execute( statement=""" insert into vdc_options ( option_name, option_value, version ) values ( %(name)s, %(value)s, %(version)s ) """, args=dict( name=name, version=version, value=value, ), ownConnection=ownConnection, ) else: self._statement.execute( statement=""" update vdc_options set option_value=%(value)s where option_name=%(name)s and version=%(version)s """, args=dict( name=name, version=version, value=value, ), ownConnection=ownConnection, )
def generate_json(f_name, share_code, mailid, phone_no): import xml import xml.etree.cElementTree as etree from xml.etree import ElementTree from base64 import b64encode, b64decode from zipfile import ZipFile import os from glob import glob import sys import hashlib from M2Crypto import BIO, RSA, EVP from M2Crypto import X509 #with ZipFile('Offlineaadhaar.zip') as zf: # zf.extractall(path='xml_folder/',pwd=share_code.encode()) try: zipdata = ZipFile('uploads/' + f_name) except: return {"Wrong zip file": 422} zipinfos = zipdata.infolist() for zipinfo in zipinfos: zipinfo.filename = f_name.split('.')[0] + '.xml' try: zipdata.extract(zipinfo, path='uploads/', pwd=share_code.encode()) except RuntimeError: return {"Bad sharecode or Zipfile Given": 422} #import os #from glob import glob #PATH = "uploads/" #EXT = "*.xml" #xml_path = glob(os.path.join(PATH, EXT))[0] import time import datetime import sys #print(xml_path, file=sys.stderr) #print(xml_path, file=sys.stdout) #print(xml_path) xml_path = 'uploads/' + f_name.split('.')[0] + '.xml' xmlDoc = open(xml_path, 'r').read() Tr = etree.XML(xmlDoc) Tr.keys() # Attribute # # * Normal - n(Name), g(Gender), a(Address), d(Date of birth), r(aadhar + timestamp), v(XML version) # * Encrypt - e(Email), m(Mobile no), s(Signeture), i(Image) json_dict = dict() personal_data = dict() # ### Name Tr.get('n') personal_data['name'] = Tr.get('n') # ### Gender Tr.get('g') personal_data['gender'] = Tr.get('g') # ### Date of birth s = Tr.get('d') import time import datetime dob = datetime.datetime.strptime(s, "%d%m%Y").strftime('%d/%m/%Y') personal_data['dob'] = dob # ### Address Tr.get('a') personal_data['address'] = Tr.get('a') # ### Image imagestr = Tr.get('i') imagestr = bytes(imagestr, 'utf-8') personal_data['image'] = Tr.get('i') json_dict['personal_data'] = personal_data # ### Last 4 digit Aadhar last_4_digit = Tr.get('r')[:4] last_4_digit json_dict['Aadhaar_last_4digit'] = 'XXXX-XXXX-' + last_4_digit import time ts = time.time() import datetime st = datetime.datetime.fromtimestamp(ts).strftime('%Y-%m-%d %H:%M:%S') #print(st) json_dict['timestamp'] = st validation_dic = dict() # ### Email # # Logic - Sha256(Sha256(Email+SharePhrase))*number of times last digit of Aadhaar number import hashlib import sys def Secure(value, sharecode, laadhar, string): value = value + sharecode if laadhar == 0: laadhar = 1 for x in range(0, laadhar): value = hashlib.sha256(value.encode('utf-8')).hexdigest() if string == value: return "Valid" else: return "Invalid" mailstr = Tr.get('e') is_valid_mail = Secure(mailid, str(share_code), int(last_4_digit[-1]), mailstr) validation_dic['email'] = is_valid_mail mobile_str = Tr.get('m') is_valid_phone = Secure(phone_no, str(share_code), int(last_4_digit[-1]), mobile_str) validation_dic['phone'] = is_valid_phone # Digital Signature Validation from M2Crypto import BIO, RSA, EVP from M2Crypto import X509 x509 = X509.load_cert('certificate/ekyc_public_key.cer') rsa = x509.get_pubkey().get_rsa() pubkey = EVP.PKey() pubkey.assign_rsa(rsa) import lxml.etree as le with open(xml_path, 'r') as f: doc = le.parse(f) for elem in doc.xpath('//*[attribute::s]'): sign = elem.attrib['s'] elem.attrib.pop('s') data_str = str(le.tostring(doc))[2:][:-1] data = data_str[:-2] + ' />' pubkey.reset_context(md='sha256') pubkey.verify_init() pubkey.verify_update(data.encode()) is_valid_signeture = "" if (pubkey.verify_final(b64decode(sign)) != 1): #print('Digital Signeture not validated') is_valid_signeture = 'Invalid' else: #print('Digital Signeture validated') is_valid_signeture = 'Valid' validation_dic['digital_signeture'] = is_valid_signeture validation_dic['status'] = 'y' validation_dic['Description'] = 'Authenticated Successfully' if (is_valid_mail == 'Invalid' or is_valid_phone == 'Invalid' or is_valid_signeture == 'Invalid'): validation_dic['status'] = 'n' validation_dic['Description'] = 'Authentication Failed' json_dict['validation'] = validation_dic import json json_data = json.dumps(json_dict) return json_dict
def _response_body(self, resource, request, response): from pyspkac.spkac import SPKAC from M2Crypto import EVP, X509 top = resource.top HTTP_Status = top.Status ca_path = top.cert_auth_path if not ca_path: raise HTTP_Status.Not_Found() try: ### Unicode argument to `EVP.load_key` fails [M2Crypto==0.21.1] cert = X509.load_cert(Filename(".crt", ca_path).name) pkey = EVP.load_key(str(Filename(".key", ca_path).name)) except Exception: raise HTTP_Status.Not_Found() req_data = request.req_data spkac = req_data.get("SPKAC", "").replace("\n", "") if not spkac: exc = HTTP_Status.Bad_Request \ ( _T( "The parameter `SPKAC` is missing from the request. " "Normally, the web browser should supply that " "parameter automatically." ) ) resource.send_error_email(request, exc) raise exc challenge = request.session.get("spkac_challenge") desc = req_data.get("desc") email = request.user.name cn = "%s [%s]" % (email, desc) if desc else email ### Unicode arguments to `X509.new_email` fail [M2Crypto==0.21.1] X = X509.new_extension x1 = X(b"basicConstraints", b"CA:FALSE", critical=True) x2 = X \ ( b"keyUsage" , b"digitalSignature, keyEncipherment, keyAgreement" , critical = True ) x3 = X(b"extendedKeyUsage", b"clientAuth, emailProtection, nsSGC") s = SPKAC \ ( spkac, challenge, x1, x2, x3 , CN = cn , Email = email , O = cert.get_subject ().O ) scope = top.scope CTM = scope.Auth.Certificate start = CTM.E_Type.validity.start.now() finis = start + datetime.timedelta(days=365 * 2) c_obj = CTM(email=email, validity=(start, finis), desc=desc) scope.commit() result = c_obj.pem = s.gen_crt \ ( pkey, cert, c_obj.pid , not_before = self._timestamp (start) , not_after = self._timestamp (finis) ).as_pem () response.set_header \ ( "content-disposition", "inline" , filename = "%s.crt" % (email, ) ) scope.commit() return result