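def get_certificates(pkcs7):
    """
    https://github.com/pyca/pyopenssl/pull/367/files#r67300900
    Returns all certificates for the PKCS7 structure, if present.

    Only objects of type ``signedData`` or ``signedAndEnvelopedData`` can
    embed certificates; for any other type the structure is not touched and
    :const:`None` is returned.

    :param pkcs7: An ``OpenSSL.crypto.PKCS7`` instance.
    :return: The certificates in the PKCS7, or :const:`None` if there are
        none.
    :rtype: :class:`tuple` of :class:`X509` or :const:`None`
    """
    from OpenSSL.crypto import _lib, _ffi, X509

    # ``_pkcs7.d`` is a union, so only the member matching the structure's
    # type may be read; reading ``d.sign`` of an enveloped-only object
    # yields a garbage pointer. The field name follows the other PKCS7
    # helpers in this file (``d.sign.cert``).
    certs = _ffi.NULL
    if pkcs7.type_is_signed():
        certs = pkcs7._pkcs7.d.sign.cert
    elif pkcs7.type_is_signedAndEnveloped():
        certs = pkcs7._pkcs7.d.signed_and_enveloped.cert

    pycerts = []
    for i in range(_lib.sk_X509_num(certs)):
        pycert = X509.__new__(X509)
        # sk_X509_value() hands back a pointer still owned by the PKCS7's
        # stack; storing it directly leaves the X509 dangling once ``pkcs7``
        # is freed (the segfault noted by @ Jari Turkia). Duplicate it, and
        # attach X509_free so the duplicate is released together with the
        # Python object instead of leaking.
        pycert._x509 = _ffi.gc(
            _lib.X509_dup(_lib.sk_X509_value(certs, i)), _lib.X509_free
        )
        pycerts.append(pycert)
    if not pycerts:
        return None
    return tuple(pycerts)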
def get_pkcs7_certificates(bundle):
    """
    Extracts X.509 certificates from an OpenSSL PKCS7 object.

    Args:
        bundle (OpenSSL PKCS7 object) : PKCS7 object to extract the
            certificates from.

    Returns:
        A tuple containing the extracted certificates (cryptography X.509
        certificates, not OpenSSL X.509 certificates!). The tuple is empty
        when the structure holds no certificates or is neither
        ``signedData`` nor ``signedAndEnvelopedData``.
    """
    from OpenSSL._util import (ffi as _ffi, lib as _lib)
    from OpenSSL.crypto import X509

    # ``_pkcs7.d`` is a union; read only the member matching the type and
    # fall back to NULL (for which sk_X509_num() yields no entries).
    if bundle.type_is_signed():
        stack = bundle._pkcs7.d.sign.cert
    elif bundle.type_is_signedAndEnveloped():
        stack = bundle._pkcs7.d.signed_and_enveloped.cert
    else:
        stack = _ffi.NULL

    def _owned_copy(index):
        # The stack keeps ownership of what sk_X509_value() returns, so
        # duplicate the entry and let the wrapper free its copy when the
        # Python object is collected.
        wrapper = X509.__new__(X509)
        wrapper._x509 = _ffi.gc(
            _lib.X509_dup(_lib.sk_X509_value(stack, index)),
            _lib.X509_free)
        return wrapper.to_cryptography()

    return tuple(_owned_copy(i) for i in range(_lib.sk_X509_num(stack)))
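def _get_certificates(self):
    """
    https://github.com/pyca/pyopenssl/pull/367/files#r67300900
    Returns all certificates for the PKCS7 structure, if present.

    Only objects of type ``signedData`` or ``signedAndEnvelopedData`` can
    embed certificates.

    :return: The certificates in the PKCS7, or :const:`None` if there are
        none.
    :rtype: :class:`tuple` of :class:`X509` or :const:`None`
    """
    # ``_pkcs7.d`` is a union; only the member matching the type is valid.
    certs = _ffi.NULL
    if self.type_is_signed():  # pylint: disable=W0212
        certs = self._pkcs7.d.sign.cert
    elif self.type_is_signedAndEnveloped():  # pylint: disable=W0212
        certs = self._pkcs7.d.signed_and_enveloped.cert

    pycerts = []
    for i in range(_lib.sk_X509_num(certs)):
        pycert = X509.__new__(X509)  # pylint: disable=W0212
        # sk_X509_value() returns a pointer the PKCS7 stack still owns;
        # storing it as-is leaves the X509 dangling (use-after-free) once
        # this PKCS7 is freed. Duplicate it and attach X509_free so the
        # copy is released with the Python object.
        pycert._x509 = _ffi.gc(
            _lib.X509_dup(_lib.sk_X509_value(certs, i)), _lib.X509_free)
        pycerts.append(pycert)
    if not pycerts:
        return None
    return tuple(pycerts)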
def get_peer_certificate(self):
    """
    Retrieve the other side's certificate (if any)

    This is the leaf certificate the peer presented in the handshake. The
    accessor itself performs no validation; whether the certificate
    verified is reported through the verify machinery, not here.

    :return: The peer's certificate as an :class:`X509`, or :const:`None`
        when the peer presented none.
    """
    raw = _lib.SSL_get_peer_certificate(self._ssl)
    if raw == _ffi.NULL:
        return None
    # Per OpenSSL's API the caller owns a reference to the returned X509,
    # so tie X509_free to the wrapper's lifetime.
    peer = X509.__new__(X509)
    peer._x509 = _ffi.gc(raw, _lib.X509_free)
    return peer
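def get_certificates(self):  # pragma: no cover
    """
    Return the certificates embedded in this PKCS7 structure, if any.

    Only ``signedData`` and ``signedAndEnvelopedData`` objects carry a
    certificate stack; for any other type nothing is read and
    :const:`None` is returned.

    :return: A :class:`tuple` of :class:`X509`, or :const:`None` when the
        structure holds no certificates.
    """
    # ``_pkcs7.d`` is a union; only the member matching the type is valid.
    certs = _ffi.NULL
    if self.type_is_signed():
        certs = self._pkcs7.d.sign.cert
    elif self.type_is_signedAndEnveloped():
        certs = self._pkcs7.d.signed_and_enveloped.cert

    pycerts = []
    for i in range(_lib.sk_X509_num(certs)):
        pycert = X509.__new__(X509)
        # sk_X509_value() returns a pointer the PKCS7 stack still owns;
        # storing it as-is leaves the X509 dangling (use-after-free) once
        # this PKCS7 is freed. Duplicate it and attach X509_free so the
        # copy is released with the Python object.
        pycert._x509 = _ffi.gc(
            _lib.X509_dup(_lib.sk_X509_value(certs, i)), _lib.X509_free)
        pycerts.append(pycert)
    if not pycerts:
        return None
    return tuple(pycerts)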
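def get_certificates(self):
    """
    Return the certificates embedded in this PKCS7 structure, if any.

    Only ``signedData`` and ``signedAndEnvelopedData`` objects carry a
    certificate stack; for any other type nothing is read and
    :const:`None` is returned.

    :return: A :class:`tuple` of :class:`X509`, or :const:`None` when the
        structure holds no certificates.
    """
    from OpenSSL.crypto import X509
    from OpenSSL._util import ffi as _ffi, lib as _lib

    # ``_pkcs7.d`` is a union; only the member matching the type is valid.
    certs = _ffi.NULL
    if self.type_is_signed():
        certs = self._pkcs7.d.sign.cert
    elif self.type_is_signedAndEnveloped():
        certs = self._pkcs7.d.signed_and_enveloped.cert

    pycerts = []
    for i in range(_lib.sk_X509_num(certs)):
        pycert = X509.__new__(X509)
        # sk_X509_value() returns a pointer the PKCS7 stack still owns;
        # storing it as-is leaves the X509 dangling (use-after-free) once
        # this PKCS7 is freed. Duplicate it and attach X509_free so the
        # copy is released with the Python object.
        pycert._x509 = _ffi.gc(
            _lib.X509_dup(_lib.sk_X509_value(certs, i)), _lib.X509_free)
        pycerts.append(pycert)
    if not pycerts:
        return None
    return tuple(pycerts)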
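def get_pem_data_from_pkcs7(data: bytes) -> bytes:
    """Extracts certificate from pkcs7 data and convert it to PEM data

    ``data`` must be a DER (``FILETYPE_ASN1``) PKCS7 structure of type
    ``signedData`` or ``signedAndEnvelopedData`` carrying exactly one
    certificate. The certificate is copied out as found; nothing here
    validates it, so callers decide whether to trust it.

    :param data: DER-encoded PKCS7 bytes.
    :return: The single embedded certificate, PEM-encoded.
    :raises Exception: if the structure carries more than one certificate,
        or none at all.
    """
    pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, data)
    # ``_pkcs7.d`` is a union; only the member matching the type is valid.
    certs = _ffi.NULL
    if pkcs7.type_is_signed():
        certs = pkcs7._pkcs7.d.sign.cert
    elif pkcs7.type_is_signedAndEnveloped():
        certs = pkcs7._pkcs7.d.signed_and_enveloped.cert
    count = _lib.sk_X509_num(certs)
    if count > 1:
        raise Exception('Too many certificates')
    # sk_X509_num() is -1 for a NULL stack and 0 for an empty one; in both
    # cases sk_X509_value(certs, 0) would be NULL and X509_dup() of NULL is
    # not safe, so reject before dereferencing.
    if count < 1:
        raise Exception('No certificate found')
    pycert = X509.__new__(X509)
    # The stack still owns the entry; duplicate it so the X509 does not
    # point into the PKCS7's memory, and attach X509_free so the duplicate
    # is released with the wrapper instead of leaking.
    pycert._x509 = _ffi.gc(
        _lib.X509_dup(_lib.sk_X509_value(certs, 0)), _lib.X509_free)
    return bytes(crypto.dump_certificate(crypto.FILETYPE_PEM, pycert))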
def wrapper(ok, store_ctx):
    """
    Adapt the user-supplied verify ``callback`` to OpenSSL's calling
    convention (``callback``, ``connection`` and ``self`` come from the
    enclosing scope, which is not shown here).

    ``cert`` wraps the certificate currently under verification. No
    ``_ffi.gc`` is attached to it, so the pointer stays owned by the store
    context and should not be retained past the callback's return. A
    callback that raises is recorded in ``self._problems`` and treated as
    a failed verification; a truthy result overrides OpenSSL's own verdict
    by resetting the context error to ``X509_V_OK``.

    :param ok: OpenSSL's preliminary verdict for this certificate.
    :param store_ctx: The ``X509_STORE_CTX`` being verified.
    :return: 1 to accept the certificate, 0 to reject it.
    """
    cert = X509.__new__(X509)
    cert._x509 = _lib.X509_STORE_CTX_get_current_cert(store_ctx)
    error_number = _lib.X509_STORE_CTX_get_error(store_ctx)
    error_depth = _lib.X509_STORE_CTX_get_error_depth(store_ctx)

    try:
        accepted = callback(connection, cert, error_number, error_depth, ok)
    except Exception as exc:
        self._problems.append(exc)
        return 0

    if not accepted:
        return 0
    # Accepting clears whatever error OpenSSL recorded for this cert.
    _lib.X509_STORE_CTX_set_error(store_ctx, _lib.X509_V_OK)
    return 1
def get_peer_cert_chain(self):
    """
    Retrieve the other side's certificate chain (if any)

    This is the chain as presented by the peer during the handshake, not a
    validated path; verification status is reported separately.

    :return: A list of X509 instances giving the peer's certificate chain,
        or None if it does not have one.
    """
    stack = _lib.SSL_get_peer_cert_chain(self._ssl)
    if stack == _ffi.NULL:
        return None

    def _owned(index):
        # The chain stack keeps ownership of its entries, so take a
        # duplicate the wrapper can free on its own.
        # TODO could incref instead of dup here
        copy = _lib.X509_dup(_lib.sk_X509_value(stack, index))
        wrapper = X509.__new__(X509)
        wrapper._x509 = _ffi.gc(copy, _lib.X509_free)
        return wrapper

    return [_owned(i) for i in range(_lib.sk_X509_num(stack))]
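def _get_certificates(self, o):
    """
    Return the certificates embedded in the PKCS7 object ``o``.

    https://stackoverflow.com/a/45111623/7402287

    Only ``signedData`` and ``signedAndEnvelopedData`` objects carry a
    certificate stack; for any other type nothing is read.

    :param o: An ``OpenSSL.crypto.PKCS7`` instance.
    :return: A :class:`tuple` of :class:`X509`, or an empty :class:`list`
        when there are none (the two return types are kept as-is for
        existing callers).
    """
    # ``_pkcs7.d`` is a union; only the member matching the type is valid.
    certs = _ffi.NULL
    if o.type_is_signed():
        certs = o._pkcs7.d.sign.cert
    elif o.type_is_signedAndEnveloped():
        certs = o._pkcs7.d.signed_and_enveloped.cert

    pycerts = []
    for i in range(_lib.sk_X509_num(certs)):
        pycert = X509.__new__(X509)
        # sk_X509_value() returns a pointer the PKCS7 stack still owns;
        # storing it as-is leaves the X509 dangling (use-after-free) once
        # ``o`` is freed. Duplicate it and attach X509_free so the copy is
        # released with the Python object.
        pycert._x509 = _ffi.gc(
            _lib.X509_dup(_lib.sk_X509_value(certs, i)), _lib.X509_free)
        pycerts.append(pycert)
    if not pycerts:
        self.log_debug('')
        return []
    self.log_debug('')
    return tuple(pycerts)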
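def get_certificates(self):
    """
    Return the certificates embedded in this PKCS7 structure, if any.

    Only ``signedData`` and ``signedAndEnvelopedData`` objects carry a
    certificate stack; for any other type nothing is read and
    :const:`None` is returned.

    :return: A :class:`tuple` of :class:`X509`, or :const:`None` when the
        structure holds no certificates.
    """
    # ``_pkcs7.d`` is a union; only the member matching the type is valid.
    certs = _ffi.NULL
    if self.type_is_signed():
        certs = self._pkcs7.d.sign.cert
    elif self.type_is_signedAndEnveloped():
        certs = self._pkcs7.d.signed_and_enveloped.cert

    pycerts = []
    for i in range(_lib.sk_X509_num(certs)):
        pycert = X509.__new__(X509)
        # sk_X509_value() returns a pointer the PKCS7 stack still owns, so
        # the X509 is duplicated to prevent segfaults (per the comment from
        # @ Jari Turkia). The duplicate is a fresh allocation, so X509_free
        # is attached to release it with the Python object instead of
        # leaking one X509 per call.
        pycert._x509 = _ffi.gc(
            _lib.X509_dup(_lib.sk_X509_value(certs, i)), _lib.X509_free)
        pycerts.append(pycert)
    if not pycerts:
        return None
    return tuple(pycerts)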
def wrapper(ok, store_ctx):
    """
    Adapt the user-supplied verify ``callback`` to OpenSSL's calling
    convention (``callback`` and ``self`` come from the enclosing scope,
    which is not shown here).

    ``cert`` wraps the certificate currently under verification. No
    ``_ffi.gc`` is attached to it, so the pointer stays owned by the store
    context and should not be retained past the callback's return. The
    owning :class:`Connection` is recovered from the SSL object stored in
    the context's ex_data. A callback that raises is recorded in
    ``self._problems`` and treated as a failed verification; a truthy
    result overrides OpenSSL's own verdict by resetting the context error
    to ``X509_V_OK``.

    :param ok: OpenSSL's preliminary verdict for this certificate.
    :param store_ctx: The ``X509_STORE_CTX`` being verified.
    :return: 1 to accept the certificate, 0 to reject it.
    """
    cert = X509.__new__(X509)
    cert._x509 = _lib.X509_STORE_CTX_get_current_cert(store_ctx)
    error_number = _lib.X509_STORE_CTX_get_error(store_ctx)
    error_depth = _lib.X509_STORE_CTX_get_error_depth(store_ctx)

    # Map the verifying SSL object back to its Python Connection.
    ex_index = _lib.SSL_get_ex_data_X509_STORE_CTX_idx()
    ssl_ptr = _lib.X509_STORE_CTX_get_ex_data(store_ctx, ex_index)
    connection = Connection._reverse_mapping[ssl_ptr]

    try:
        accepted = callback(connection, cert, error_number, error_depth, ok)
    except Exception as exc:
        self._problems.append(exc)
        return 0

    if not accepted:
        return 0
    # Accepting clears whatever error OpenSSL recorded for this cert.
    _lib.X509_STORE_CTX_set_error(store_ctx, _lib.X509_V_OK)
    return 1