def _download_http_crl(endpoint, key_identifier): """ :param endpoint: url della crl :param key_identifier: chiave identificativa dell'issuer del certificato :return: """ crl_dest = make_crl_store_path(endpoint, key_identifier) + ".crl" crl_meta_dest = make_crl_store_path(endpoint, key_identifier) + ".txt" try: r = requests.get(endpoint) if r.status_code == 200: try: crl = crypto.load_crl(crypto.FILETYPE_PEM, r.content) except: crl_x509 = x509.load_der_x509_crl(r.content, default_backend()) crl = crypto.CRL.from_cryptography(crl_x509) with open(crl_dest, 'w') as f: f.write(crypto.dump_crl(crypto.FILETYPE_PEM, crl).decode()) with open(crl_meta_dest, 'w') as f: f.write(endpoint) else: LOG.error('Errore durante il download della CRL con endpoint = {}'. format(endpoint), extra=set_client_ip()) except Exception as e: LOG.error( 'Eccezione durante il download della CRL con key_identifier = {}'. format(key_identifier), extra=set_client_ip()) LOG.error("Exception: {}".format(str(e)), extra=set_client_ip())
def main(): pkey = crypto.PKey() pkey.generate_key(crypto.TYPE_RSA, 2048) ca = crypto.X509() ca.set_version(2) ca.set_serial_number(1) ca.get_subject().CN = 'snakeoil' ca.set_notBefore(b'19700101000000Z') ca.set_notAfter(b'20991231235959Z') ca.set_issuer(ca.get_subject()) ca.set_pubkey(pkey) ca.sign(pkey, 'sha256') revoked = crypto.Revoked() revoked.set_serial(b'2a') revoked.set_rev_date(b'19700101000000Z') revoked.set_reason(None) crl = crypto.CRL() crl.set_lastUpdate(b'19700101000000Z') crl.set_nextUpdate(b'20990101000000Z') crl.add_revoked(revoked) crl.sign(issuer_cert=ca, issuer_key=pkey, digest=b'sha256') with open(osp.join(osp.dirname(__file__), 'minimal.crl'), 'wb') as f_crl: f_crl.write(crypto.dump_crl(crypto.FILETYPE_ASN1, crl))
def get_crl_next_update(filename): ''' Read the CRL file and return the next update as datetime ''' crldt = None crl_obj = cpt.load_crl(cpt.FILETYPE_PEM, open(filename).read()) crl_text = cpt.dump_crl(cpt.FILETYPE_TEXT, crl_obj).decode("utf-8") for line in crl_text.split("\n"): if "Next Update: " in line: key, value = line.split(":", 1) date = value.strip() crldt = datetime.strptime(date, "%b %d %X %Y %Z") break return crldt
def RunFakeServer(cbsd_sas_version, sas_sas_version, is_ecc, crl_index): FakeSasHandler.SetVersion(cbsd_sas_version, sas_sas_version) if is_ecc: assert ssl.HAS_ECDH server = HTTPServer((HOST, PORT), FakeSasHandler) ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) ssl_context.options |= ssl.CERT_REQUIRED # If CRLs were provided, then enable revocation checking. if crl_index is not None: ssl_context.verify_flags = ssl.VERIFY_CRL_CHECK_CHAIN try: crl_files = ParseCrlIndex(crl_index) except IOError as e: print("Failed to parse CRL index file %r: %s" % (crl_index, e)) # https://tools.ietf.org/html/rfc5280#section-4.2.1.13 specifies that # CRLs MUST be DER-encoded, but SSLContext expects the name of a PEM-encoded # file, so we must convert it first. for f in crl_files: try: with file(f) as handle: der = handle.read() try: crl = crypto.load_crl(crypto.FILETYPE_ASN1, der) except crypto.Error as e: print("Failed to parse CRL file %r as DER format: %s" % (f, e)) return with tempfile.NamedTemporaryFile() as tmp: tmp.write(crypto.dump_crl(crypto.FILETYPE_PEM, crl)) tmp.flush() ssl_context.load_verify_locations(cafile=tmp.name) print("Loaded CRL file: %r" % f) except IOError as e: print("Failed to load CRL file %r: %s" % (f, e)) return ssl_context.load_verify_locations(cafile=CA_CERT) ssl_context.load_cert_chain( certfile=ECC_CERT_FILE if is_ecc else CERT_FILE, keyfile=ECC_KEY_FILE if is_ecc else KEY_FILE, ) ssl_context.set_ciphers(':'.join(ECC_CIPHERS if is_ecc else CIPHERS)) ssl_context.verify_mode = ssl.CERT_REQUIRED server.socket = ssl_context.wrap_socket(server.socket, server_side=True) print('Will start server at %s:%d, use <Ctrl-C> to stop.' % (HOST, PORT)) server.serve_forever()
def issue_crl(new_revoked=None): global certificate, key, crl if not crl: crl = crypto.CRL() crl.set_lastUpdate( b'20191215152933Z' ) # TODO: adjust with real timestamps according to pyOpenSSL documentation crl.set_nextUpdate(b'20191217152933Z') if new_revoked: crl.add_revoked(new_revoked) crl.sign(certificate, key, b"sha256") crl_dump = crypto.dump_crl(crypto.FILETYPE_PEM, crl) open(CRL, "wt").write(crl_dump.decode("utf-8")) return crl_dump
def create_revoke_list(ca_cert: bytes, ca_key: bytes, serials: List[Tuple[int, datetime]]) -> bytes: crl = crypto.CRL() crl.set_lastUpdate(datetime.utcnow().strftime('%Y%m%d%H%M%SZ').encode()) crl.set_nextUpdate( (datetime.utcnow() + timedelta(days=365)).strftime('%Y%m%d%H%M%SZ').encode()) for serial, revoked_at in serials: revoked = crypto.Revoked() revoked.set_serial(hex(serial)[2:].encode()) revoked.set_reason(b'keyCompromise') revoked.set_rev_date(revoked_at.strftime('%Y%m%d%H%M%SZ').encode()) crl.add_revoked(revoked) key = crypto.load_privatekey(crypto.FILETYPE_PEM, ca_key) cert = crypto.load_certificate(crypto.FILETYPE_PEM, ca_cert) crl.sign(cert, key, digest.encode()) return crypto.dump_crl(crypto.FILETYPE_PEM, crl)
def _get_crl_next_update(filename): """ Read the CRL file and return the next update as datetime :param filename: :return: """ dt = None f = open(filename) crl_buff = f.read() f.close() crl_obj = crypto.load_crl(crypto.FILETYPE_PEM, crl_buff) # Get "Next Update" of CRL # Unfortunately pyOpenSSL does not support this. so we dump the # CRL and parse the text :-/ # We do not want to add dependency to pyasn1 crl_text = to_unicode(crypto.dump_crl(crypto.FILETYPE_TEXT, crl_obj)) for line in crl_text.split("\n"): if "Next Update: " in line: key, value = line.split(":", 1) date = value.strip() dt = datetime.datetime.strptime(date, "%b %d %X %Y %Z") break return dt
def _get_crl_next_update(filename): """ Read the CRL file and return the next update as datetime :param filename: :return: """ dt = None f = open(filename) crl_buff = f.read() f.close() crl_obj = crypto.load_crl(crypto.FILETYPE_PEM, crl_buff) # Get "Next Update" of CRL # Unfortunately pyOpenSSL does not support this. so we dump the # CRL and parse the text :-/ # We do not want to add dependency to pyasn1 crl_text = crypto.dump_crl(crypto.FILETYPE_TEXT, crl_obj) for line in crl_text.split("\n"): if "Next Update: " in line: key, value = line.split(":", 1) date = value.strip() dt = datetime.datetime.strptime(date, "%b %d %X %Y %Z") break return dt
def main(argv): crl_file = sys.argv[1] xlsx_file = tempfile.NamedTemporaryFile(suffix=".xlsx", delete=False) # Create a new Excel file and add a worksheet. workbook = xlsxwriter.Workbook(xlsx_file) worksheet = workbook.add_worksheet() bold = workbook.add_format({'bold': True}) # Expand the columns so that the data is visible. worksheet.set_column('A:A', 39) worksheet.set_column('B:B', 36) worksheet.set_column('C:C', 10) worksheet.set_column('D:D', 13) worksheet.set_column('E:E', 19) # Write the column headers. worksheet.write('A1', 'Serial (int)', bold) worksheet.write('B1', 'Serial (hex)', bold) worksheet.write('C1', 'Date', bold) worksheet.write('D1', 'Time (UTC)', bold) worksheet.write('E1', 'Reason', bold) # Start from first row after headers. row = 1 date_format = workbook.add_format({ 'num_format': 'dd-mm-yyyy', 'align': 'left' }) time_format = workbook.add_format({ 'num_format': 'hh:mm:ss', 'align': 'left' }) text_format = workbook.add_format({'num_format': '@', 'align': 'left'}) with open(crl_file, "rb") as in_file: crl_obj = crypto.load_crl(crypto.FILETYPE_ASN1, in_file.read()) crl_contents = crypto.dump_crl(crypto.FILETYPE_PEM, crl_obj) crl = x509.load_pem_x509_crl(crl_contents, default_backend()) for revoked_cert in crl: serial_int = revoked_cert.serial_number serial_hex = '{:x}'.format(serial_int) revocation_datetime = revoked_cert.revocation_date try: reason_ext = revoked_cert.extensions.get_extension_for_oid( x509.CRLEntryExtensionOID.CRL_REASON) except x509.extensions.ExtensionNotFound: reason = "" else: reason = reason_ext.value.reason.value # Add revocation to worksheet worksheet.write_string(row, 0, str(serial_int), text_format) worksheet.write_string(row, 1, serial_hex, text_format) worksheet.write_datetime(row, 2, revocation_datetime, date_format) worksheet.write_datetime(row, 3, revocation_datetime, time_format) worksheet.write_string(row, 4, reason, text_format) row += 1 worksheet.autofilter('A1:E' + str(row - 1)) # Close Excel workbook workbook.close() os.system('start excel.exe ' + xlsx_file.name)
def start_server(): global crl, certificate, key ''' The CA will be listening on this address for 3 actions: - sign - revoke - getCrl clients will connect and ask for the action they need ''' with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: s.bind((HOST, PORT)) s.listen() print("listening on port {}".format(PORT)) while True: conn, addr = s.accept() print("connected by", addr) action = conn.recv(1024) if (not action): print("no action provided") exit action = action.decode("utf-8") # sign a certificate if (action == "sign"): conn.sendall( "'sign' action activated. Provide CSR.".encode("utf-8")) correct = True csr = conn.recv(8384) if not csr: print("connection closed by the client") exit csr = csr.decode("utf-8") print(csr) conn.sendall("request received correctly".encode("utf-8")) signed_certificate = sign_certificate(csr) print("certificate ready to be sent") dump_cert = crypto.dump_certificate(crypto.FILETYPE_PEM, signed_certificate) conn.sendall(dump_cert) # revoke a certificate elif (action == "revoke"): conn.sendall( "'revoke' action activated. Provide certificate to revoke". encode("utf-8")) client_certificate_dump = conn.recv(8384) if not client_certificate_dump: print("error receiving the certificate") exit print(client_certificate_dump.decode("utf-8")) conn.sendall("certificate received correctly".encode("utf-8")) client_certificate = crypto.load_certificate( crypto.FILETYPE_PEM, client_certificate_dump) revoked = revoke(client_certificate) crl_dump = issue_crl(revoked) conn.sendall(crl_dump) # get CRL to check revocations elif (action == "getCrl"): conn.sendall( b"'getCRL' action activated. Sending crl after receiving an ack." ) print("received from client: ", conn.recv(128).decode("utf-8")) # crl should be renewed once in a while. In this example I send always the same global crl, only updating it with new revocations if crl: crl_dump = crypto.dump_crl(crypto.FILETYPE_PEM, crl) conn.sendall(crl_dump) else: print("crl has not been created yet, let's create one") crl_dump = issue_crl() conn.sendall(crl_dump)
def save_crl(crl, path): file = '/tmp/%s' % path with open(file, 'w') as f: f.write(dump_crl(FILETYPE_PEM, crl)) print('CRL saved as %s' % file)
def main(argv): parser = argparse.ArgumentParser( prog='crl2xlsx.py', usage='%(prog)s <CRL file (DER)> <name for new .xlsx file> ', description= 'Creates an .xlsx file listing contents of a specified CRL file') parser.add_argument('infile', help='CRL file') parser.add_argument('outfile', help='name for new .xlsx file') args = parser.parse_args() crl_filename = args.infile xlsx_filename = args.outfile # Create a new Excel file and add a worksheet. workbook = xlsxwriter.Workbook(xlsx_filename) worksheet = workbook.add_worksheet() bold = workbook.add_format({'bold': True}) # Expand the columns so that the data is visible. worksheet.set_column('A:B', 20) worksheet.set_column('C:C', 10) worksheet.set_column('D:D', 13) worksheet.set_column('E:E', 19) # Write the column headers. worksheet.write('A1', 'Serial (int)', bold) worksheet.write('B1', 'Serial (hex)', bold) worksheet.write('C1', 'Date', bold) worksheet.write('D1', 'Time (UTC)', bold) worksheet.write('E1', 'Reason', bold) # Start from first row after headers. row = 1 date_format = workbook.add_format({ 'num_format': 'dd-mm-yyyy', 'align': 'left' }) time_format = workbook.add_format({ 'num_format': 'hh:mm:ss', 'align': 'left' }) text_format = workbook.add_format({'num_format': '@', 'align': 'left'}) with open(crl_filename, "rb") as in_file: crl_obj = crypto.load_crl(crypto.FILETYPE_ASN1, in_file.read()) crl_contents = crypto.dump_crl(crypto.FILETYPE_PEM, crl_obj) crl = x509.load_pem_x509_crl(crl_contents, default_backend()) for revoked_cert in crl: serial_int = revoked_cert.serial_number serial_hex = '{:x}'.format(serial_int) revocation_datetime = revoked_cert.revocation_date try: reason_ext = revoked_cert.extensions.get_extension_for_oid( x509.CRLEntryExtensionOID.CRL_REASON) except x509.extensions.ExtensionNotFound: reason = "" else: reason = reason_ext.value.reason.value # Add revocation to worksheet worksheet.write_string(row, 0, str(serial_int), text_format) worksheet.write_string(row, 1, serial_hex, text_format) worksheet.write_datetime(row, 2, revocation_datetime, date_format) worksheet.write_datetime(row, 3, revocation_datetime, time_format) worksheet.write_string(row, 4, reason, text_format) row += 1 worksheet.autofilter('A1:E' + str(row - 1)) # Close Excel workbook workbook.close()