def _check_privatekey():
if not os.path.exists(self.privatekey_path):
return False
try:
with open(self.path, 'rb') as public_key_fh:
publickey_content = public_key_fh.read()
if self.format == 'OpenSSH':
current_publickey = crypto_serialization.load_ssh_public_key(
publickey_content, backend=default_backend())
publickey_content = current_publickey.public_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PublicFormat.SubjectPublicKeyInfo)
current_publickey = crypto.dump_publickey(
crypto.FILETYPE_ASN1,
crypto.load_publickey(crypto.FILETYPE_PEM,
publickey_content))
except Exception as dummy:
return False
try:
desired_publickey = crypto.dump_publickey(
crypto.FILETYPE_ASN1,
crypto_utils.load_privatekey(self.privatekey_path,
self.privatekey_passphrase))
except crypto_utils.OpenSSLBadPassphraseError as exc:
raise PublicKeyError(exc)
return current_publickey == desired_publickey
def check_ca():
#检查文件夹
for dir in (cert_dir, sub_certdir):
if os.path.exists(dir):
if not os.path.isdir(dir):
os.remove(dir)
os.mkdir(dir)
else:
os.mkdir(dir)
#检查 CA 证书
if not os.path.exists(ca_keyfile):
if not OpenSSL:
logging.critical('CAkey.pem is not exist and OpenSSL is disabled, ABORT!')
sys.exit(-1)
logging.error('CAkey.pem 不存在,清空 certs 文件夹。')
any(os.remove(x) for x in glob.glob(os.path.join(sub_certdir, '*.crt')))
if GC.LISTEN_CHECKSYSCA and sys.platform.startswith('win'):
logging.warning('CAkey.pem 不存在,将从系统证书中删除无效的 CA 证书')
else:
logging.warning('删除功能未启用或未支持,请自行删除 [%s CA] 证书' % ca_vendor)
dump_ca()
global ca_privatekey, ca_subject, sub_publickey, ca_thumbprint
with open(ca_keyfile, 'rb') as fp:
content = fp.read()
ca = crypto.load_certificate(crypto.FILETYPE_PEM, content)
ca_privatekey = crypto.load_privatekey(crypto.FILETYPE_PEM, content)
ca_subject = ca.get_subject()
ca_thumbprint = ca.digest('sha1')
ca_certerror = True
if os.path.exists(ca_certfile):
with open(ca_certfile, 'rb') as fp:
if fp.read() in content:
ca_certerror = False
if ca_certerror:
with open(ca_certfile, 'wb') as fp:
fp.write(crypto.dump_certificate(crypto.FILETYPE_PEM, ca))
#检查系统 CA 证书
if GC.LISTEN_CHECKSYSCA and import_ca() != 0:
logging.warning('install root certificate failed, Please run as administrator/root/sudo')
#检查伪造网站密钥
if os.path.exists(sub_keyfile):
with open(sub_keyfile, 'rb') as fp:
content = fp.read()
sub_publickey = crypto.load_publickey(crypto.FILETYPE_PEM, content)
else:
dump_subkey()
sub_publickey_str = crypto.dump_publickey(crypto.FILETYPE_PEM, sub_publickey)
#检查伪造网站证书
certfiles = glob.glob(os.path.join(sub_certdir, '*.crt'))
if certfiles:
filename = random.choice(certfiles)
with open(filename, 'rb') as fp:
content = fp.read()
cert = crypto.load_certificate(crypto.FILETYPE_PEM, content)
if not verify_certificate(ca, cert) or (sub_publickey_str !=
crypto.dump_publickey(crypto.FILETYPE_PEM, cert.get_pubkey())):
logging.error('Certs mismatch, delete Certs.')
any(os.remove(x) for x in certfiles)
def test_generator():
certificate, fingerprint, private_key = generate_key_pair()
x509 = crypto.load_certificate(crypto.FILETYPE_ASN1,
base64.b64decode(certificate))
pkcs8 = crypto.load_privatekey(crypto.FILETYPE_ASN1,
base64.b64decode(private_key))
assert len(fingerprint) == 40
assert x509.digest("sha1").decode("utf-8").replace(
":", "").lower() == fingerprint
assert crypto.dump_publickey(crypto.FILETYPE_PEM,
x509.get_pubkey()) == crypto.dump_publickey(
crypto.FILETYPE_PEM, pkcs8)
def test_generate_certificate(self):
cert = generate_certificate("maas")
self.assertIsInstance(cert.cert, crypto.X509)
self.assertIsInstance(cert.key, crypto.PKey)
self.assertEqual(cert.cert.get_subject().CN, "maas")
self.assertEqual(
crypto.dump_publickey(crypto.FILETYPE_PEM, cert.cert.get_pubkey()),
crypto.dump_publickey(crypto.FILETYPE_PEM, cert.key),
)
self.assertEqual(cert.key.bits(), 4096)
self.assertEqual(cert.key.type(), crypto.TYPE_RSA)
self.assertGreaterEqual(
datetime.utcnow() + timedelta(days=3650),
cert.expiration(),
)
def _check_privatekey():
if not os.path.exists(self.privatekey_path):
return False
current_publickey = crypto.dump_publickey(
crypto.FILETYPE_ASN1,
crypto.load_publickey(crypto.FILETYPE_PEM, open(self.path, 'rb').read())
)
desired_publickey = crypto.dump_publickey(
crypto.FILETYPE_ASN1,
crypto_utils.load_privatekey(self.privatekey_path, self.privatekey_passphrase)
)
return hashlib.md5(current_publickey).hexdigest() == hashlib.md5(desired_publickey).hexdigest()
def get_pub_key_certificate(self, certificate):
try:
pub = certificate.get_pubkey()
# DER FORMAT
pub_key_der = crypto.dump_publickey(crypto.FILETYPE_ASN1, pub)
# PEM FORMAT
pub_key_pem = crypto.dump_publickey(crypto.FILETYPE_PEM, pub)
return pub_key_der, pub_key_pem
except Exception as e:
print(e)
return False
def get_installation_token():
delete_old(installation_token_file, [api_token_file, private_key_file])
token = read_file(installation_token_file)
if token:
return token.rstrip("\r\n")
print("Requesting installation token...")
public_key = get_public_key()
pem = crypto.dump_publickey(crypto.FILETYPE_PEM, public_key)
method = "v1/installation"
data = {"client_public_key": pem.decode("utf-8")}
reply = post(method, data)
installation_token = server_public = None
for row in reply:
if "Token" in row:
installation_token = row["Token"]["token"]
elif "ServerPublicKey" in row:
server_public = row["ServerPublicKey"]["server_public_key"]
if not installation_token:
raise Exception("No token returned by installation")
if not server_public:
raise Exception("No server public key returned by installation")
write_file(installation_token_file, installation_token)
write_file(server_public_file, server_public)
register_device()
return installation_token
def get_fingerprint(path, passphrase=None, content=None, backend='pyopenssl'):
"""Generate the fingerprint of the public key. """
privatekey = load_privatekey(path,
passphrase=passphrase,
content=content,
check_passphrase=False,
backend=backend)
if backend == 'pyopenssl':
try:
publickey = crypto.dump_publickey(crypto.FILETYPE_ASN1, privatekey)
except AttributeError:
# If PyOpenSSL < 16.0 crypto.dump_publickey() will fail.
try:
bio = crypto._new_mem_buf()
rc = crypto._lib.i2d_PUBKEY_bio(bio, privatekey._pkey)
if rc != 1:
crypto._raise_current_error()
publickey = crypto._bio_to_string(bio)
except AttributeError:
# By doing this we prevent the code from raising an error
# yet we return no value in the fingerprint hash.
return None
elif backend == 'cryptography':
publickey = privatekey.public_key().public_bytes(
serialization.Encoding.DER,
serialization.PublicFormat.SubjectPublicKeyInfo)
return get_fingerprint_of_bytes(publickey)
def strip_key(pem):
""" Return only the b64 part of the ASCII armored PEM.
"""
key = crypto.load_privatekey(crypto.FILETYPE_PEM, pem)
public_pem = crypto.dump_publickey(crypto.FILETYPE_PEM, key)
return public_pem.replace(b"\n", b"").split(b"-----")[2]
def generate_keypair():
# create a key pair
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 1024)
# create a self-signed cert
cert = crypto.X509()
cert.get_subject().C = "DE"
cert.get_subject().ST = "Mecklenburg Vorpommern"
cert.get_subject().L = "Greifswald"
cert.get_subject().O = "MCWeb Server"
cert.get_subject().OU = "DSM-Server"
cert.get_subject().CN = "MCWeb DSM Server"
cert.set_serial_number(1000)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, 'sha256')
public_key = cert.get_pubkey()
# public_key, private_key
return crypto.dump_publickey(crypto.FILETYPE_ASN1,
public_key), crypto.dump_privatekey(
crypto.FILETYPE_ASN1, k)
def __init__(self, keylen=1024):
self._pk=crypto.PKey()
self._key=self._pk.generate_key(crypto.TYPE_RSA, keylen)
self._prikey=crypto.dump_privatekey(crypto.FILETYPE_PEM,self._pk)
self._pubkey=crypto.dump_publickey(crypto.FILETYPE_PEM,self._pk)
self._KeyLen=self._pk.bits()//8
return
def findOrCreateSystem(param, pubkey):
pubkey = crypto.dump_publickey(crypto.FILETYPE_PEM, pubkey)
# ensure cache directory exists
if not os.path.exists(param.cacheDir):
os.makedirs(param.cacheDir)
# find system
for oldUuid in os.listdir(param.cacheDir):
with open(_ssh_pubkey_file(param, oldUuid), "rb") as f:
if pubkey == f.read():
return oldUuid
# create new system
newUuid = uuid.uuid4().hex
dirname = os.path.join(param.cacheDir, newUuid)
os.makedirs(dirname)
# record public key
with open(_ssh_pubkey_file(param, newUuid), "wb") as f:
f.write(pubkey)
# generate disk image
fn = _image_file(param, newUuid)
# GbsUtil.shell("/bin/dd if=/dev/zero of=%s bs=%d count=%s conv=sparse" % (fn, _gb(), param.imageSizeStep), "stdout")
GbsUtil.shell("/bin/dd if=/dev/zero of=%s bs=%d count=%s conv=sparse" % (fn, _gb(), 40), "stdout") # fixme, on-line enlarg don't work
GbsUtil.shell("/sbin/mkfs.ext4 -O ^has_journal %s" % (fn), "stdout")
return newUuid
def generate_rsa_keys_if_needed():
"""Generate RSA keys for MAAS.
Returns True if a new RSA key was generated.
"""
if os.path.isfile(MAAS_PRIVATE_KEY):
return False
try:
with NamedLock("RSA"):
os.makedirs(os.path.dirname(MAAS_PRIVATE_KEY), exist_ok=True)
pkey = crypto.PKey()
pkey.generate_key(crypto.TYPE_RSA, 4096)
with open(MAAS_PRIVATE_KEY, "wb") as f:
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey))
os.chmod(MAAS_PRIVATE_KEY, 0o600)
with open(MAAS_PUBLIC_KEY, "wb") as f:
f.write(crypto.dump_publickey(crypto.FILETYPE_PEM, pkey))
except NamedLock.NotAvailable:
# System is running a region and rack. The other process
# is generating the key, wait up to 60s for it.
waits = 0
while not os.path.isfile(MAAS_PRIVATE_KEY) and waits < 600:
sleep(0.1)
waits += 1
assert os.path.isfile(
MAAS_PRIVATE_KEY), "Unable to generate MAAS RSA keys!"
return True
def _get_public_key(self, binary):
try:
return crypto.dump_publickey(
crypto.FILETYPE_ASN1 if binary else crypto.FILETYPE_PEM,
self.cert.get_pubkey())
except AttributeError:
try:
# pyOpenSSL < 16.0:
bio = crypto._new_mem_buf()
if binary:
rc = crypto._lib.i2d_PUBKEY_bio(
bio,
self.cert.get_pubkey()._pkey)
else:
rc = crypto._lib.PEM_write_bio_PUBKEY(
bio,
self.cert.get_pubkey()._pkey)
if rc != 1:
crypto._raise_current_error()
return crypto._bio_to_string(bio)
except AttributeError:
self.module.warn(
'Your pyOpenSSL version does not support dumping public keys. '
'Please upgrade to version 16.0 or newer, or use the cryptography backend.'
)
def cert_to_jwk(certificates: str, public_key: str) -> str:
"""
coverts a pem public key and a pem certificate chain to a jwk with a x5c element
:param certificates: the certificates for the x5c as pem key list
:param public_key: the pem public key as string
:return: the jwk as string
"""
# convert public key to jwk
public_key = crypto.load_publickey(crypto.FILETYPE_PEM, public_key)
jwk = JWK.load(crypto.dump_publickey(crypto.FILETYPE_PEM, public_key))
# covert cert chain to base64 encoded ASN1 according to https://tools.ietf.org/html/rfc7517#section-4.7
x5c = []
for cert in pem.parse(str.encode(certificates)):
cert_pem = crypto.load_certificate(crypto.FILETYPE_PEM,
cert.as_bytes())
x5c.append(
base64.b64encode(
crypto.dump_certificate(crypto.FILETYPE_ASN1,
cert_pem)).decode())
# dump jwk obj to json and add x5c cer chain
jwk_j = jwk.to_json()
jwk_j["x5c"] = x5c
return json.dumps(jwk_j)
def create_group_cert(cli):
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 2048) # generate RSA key-pair
cert = crypto.X509()
cert.get_subject().countryName = "US"
cert.get_subject().stateOrProvinceName = "CA"
cert.get_subject().organizationName = "mini-fulfillment"
cert.get_subject().organizationalUnitName = "demo"
cert.get_subject().commonName = "mini-fulfillment"
cert.set_serial_number(1000)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(5 * 365 * 24 * 60 * 60) # 5 year expiry date
cert.set_issuer(cert.get_subject()) # self-sign this certificate
cert.set_pubkey(k)
san_list = ["IP:{0}".format(cli.ip_address)]
extension_list = [
crypto.X509Extension(type_name=b"basicConstraints",
critical=False, value=b"CA:false"),
crypto.X509Extension(type_name=b"subjectAltName",
critical=True, value=", ".join(san_list)),
# crypto.X509Extension(type_name=b"subjectKeyIdentifier",
# critical=True, value=b"hash")
]
cert.add_extensions(extension_list)
cert.sign(k, 'sha256')
prefix = str(cli.out_dir) + '/' + cli.group_name
open("{0}-server.crt".format(prefix), 'wt').write(
crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
open("{0}-server-private.key".format(prefix), 'wt').write(
crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey=k))
open("{0}-server-public.key".format(prefix), 'wt').write(
crypto.dump_publickey(crypto.FILETYPE_PEM, pkey=k))
def generate_keys():
if request.method == "POST":
# Sets the size of the RSA Key
size = request.form.get("size", type=int)
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, size)
private_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, key)
# Auto selects the private key filename accordingly to not overwrite
existing_files = fnmatch.filter((f for f in os.listdir(path_to_keys)),
"private_*.pem")
path_pvt = path_to_keys + "/private_key_%d.pem" % (
len(existing_files) + 1)
file_out = open(path_pvt, "wb")
file_out.write(private_key)
file_out.close()
# Auto selects the public key filename accordingly to not overwrite
public_key = crypto.dump_publickey(crypto.FILETYPE_PEM, key)
existing_files = fnmatch.filter((f for f in os.listdir(path_to_keys)),
"public_*.pem")
path_pub = path_to_keys + "/public_key_%d.pem" % (len(existing_files) +
1)
file_out = open(path_pub, "wb")
file_out.write(public_key)
file_out.close()
return render_template("keys_generated.html",
path_pub=path_pub,
path_pvt=path_pvt)
else:
return render_template("generate_keys.html")
def _check_privatekey():
if not os.path.exists(self.privatekey_path):
return False
current_publickey = crypto.dump_publickey(
crypto.FILETYPE_ASN1,
crypto.load_publickey(crypto.FILETYPE_PEM,
open(self.path, 'rb').read()))
desired_publickey = crypto.dump_publickey(
crypto.FILETYPE_ASN1,
crypto_utils.load_privatekey(self.privatekey_path,
self.privatekey_passphrase))
return hashlib.md5(current_publickey).hexdigest() == hashlib.md5(
desired_publickey).hexdigest()
def create_self_signed_cert(name, surname):
# create a key pair
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 1024)
# create a self-signed cert
cert = crypto.X509()
cert.get_subject().C = "PL"
cert.get_subject().ST = "Poznan"
cert.get_subject().L = "Poznan"
cert.get_subject().O = str(name)+" "+str(surname)
cert.get_subject().OU = "Politechnika Poznanska"
cert.get_subject().CN = str(name).lower()+".pki.put.poznan.pl"
#cert.set_serial_number(1000)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31556952) # in seconds = 1 year
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, 'sha256')
certificate = crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode('utf-8')
private_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, k).decode('utf-8')
public_key = crypto.dump_publickey(crypto.FILETYPE_PEM, k).decode('utf-8')
not_before = cert.get_notBefore()
not_after = cert.get_notAfter()
return certificate, private_key, public_key, not_before, not_after
def generate_key(
prefix: str,
path: typing.Union[str, Path],
type: str = crypto.TYPE_RSA,
bits: int = 4096,
):
if not isinstance(path, Path):
path = Path(path).resolve().expanduser()
assert (path.exists()
and path.is_dir()), f'invalid key storage path {path!s}'
pubfile = path / f'{prefix}.pub'
keyfile = path / f'{prefix}.key'
if pubfile.exists():
raise FileExistsError(f'{pubfile!s}')
if keyfile.exists():
raise FileExistsError(f'{keyfile!s}')
key = crypto.PKey()
key.generate_key(type, bits)
with open(keyfile, 'wb') as f:
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
with open(pubfile, 'wb') as f:
f.write(crypto.dump_publickey(crypto.FILETYPE_PEM, key))
def enc_prekey(self):
crtObj = crypto.load_certificate(crypto.FILETYPE_PEM, self.C_Certs[0])
pubKeyObject = crtObj.get_pubkey()
pubKeyString = crypto.dump_publickey(crypto.FILETYPE_PEM, pubKeyObject)
key = RSA.importKey(pubKeyString)
Encrypter = PKCS1OAEP_Cipher(key, None, None, None)
return Encrypter.encrypt(self.PKs)
def rsa_cert_to_key(path):
with open(path) as f:
cert = f.read()
crtObj = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
pubKeyObject = crtObj.get_pubkey()
pubKeyString = crypto.dump_publickey(crypto.FILETYPE_PEM, pubKeyObject)
return pubKeyString
def generate(self, module):
"""Generate the public key.."""
if not os.path.exists(self.path) or self.force:
try:
privatekey_content = open(self.privatekey_path, 'r').read()
privatekey = crypto.load_privatekey(crypto.FILETYPE_PEM,
privatekey_content)
publickey_file = open(self.path, 'w')
publickey_file.write(
crypto.dump_publickey(crypto.FILETYPE_PEM, privatekey))
publickey_file.close()
except (IOError, OSError):
e = get_exception()
raise PublicKeyError(e)
except AttributeError:
self.remove()
raise PublicKeyError(
'You need to have PyOpenSSL>=16.0.0 to generate public keys'
)
else:
self.changed = False
file_args = module.load_file_common_arguments(module.params)
if module.set_fs_attributes_if_different(file_args, False):
self.changed = True
def __init__(self, *args, **kwargs):
signature = kwargs.get('signature')
public_key = kwargs.get('public_key')
private_key = kwargs.get('private_key')
if not signature:
raise Exception('Missing signature argument')
if not public_key:
raise Exception('Missing public_key argument')
if not private_key:
raise Exception('Missing private_key argument')
# read public key
# parse the public key and save it as a string
with open(public_key, "r") as file:
pub_key = crypto.load_certificate(crypto.FILETYPE_PEM,
file.read()).get_pubkey()
public_key_string = crypto.dump_publickey(crypto.FILETYPE_PEM,
pub_key)
# read private key
with open(private_key, "r") as file:
private_key_string = file.read()
self.signature = signature
self.public_key = public_key_string
self.private_key = private_key_string
# a flag to keep track if we are in developement mode
# if True => more logging
self.developement = kwargs.get('developement', False)
def get_public_key(self):
"""
Get Raw PEM Signatura Public Key from Citizen Card Certificate
"""
cert = self.get_certificate()
public_key_string = crypto.dump_publickey(crypto.FILETYPE_PEM, cert.get_pubkey())
return public_key_string
def part6():
print("6th part:")
file_subject = open(sys.argv[3], 'rt')
cert_subject = crypto.load_certificate(crypto.FILETYPE_PEM,file_subject.read())
key_encoded = crypto.dump_publickey(crypto.FILETYPE_PEM,cert_subject.get_pubkey())
pubkey2 = serialization.load_pem_public_key(
key_encoded,
backend=default_backend())
message = b"Hello world"
ciphertext = pubkey2.encrypt(
message,
padding.OAEP(
mgf=padding.MGF1(algorithm=hashes.SHA256()),
algorithm=hashes.SHA256(),
label=None
)
)
p12 = crypto.load_pkcs12(open(sys.argv[1], 'rb').read(), sys.argv[4].encode())
key_encoded = crypto.dump_privatekey(crypto.FILETYPE_PEM,p12.get_privatekey(),None,sys.argv[4].encode())
prikey2 = serialization.load_pem_private_key(
key_encoded,password=None,
backend=default_backend())
plaintext = prikey2.decrypt(
ciphertext,
padding.OAEP(
mgf=padding.MGF1(algorithm=hashes.SHA256()),
algorithm=hashes.SHA256(),
label=None
)
)
print("Ciphertext: %s" %ciphertext.hex())
print("Plaintext: %s" %plaintext)
print("\n\n")
def get_installation_token():
token = os.getenv('BUNQ_INSTALLATION_TOKEN')
if token:
return token.rstrip("\r\n")
print("Requesting installation token...")
public_key = get_public_key()
pem = crypto.dump_publickey(crypto.FILETYPE_PEM, public_key)
method = "v1/installation"
data = {"client_public_key": pem.decode("utf-8")}
reply = post(method, data)
installation_token = server_public = None
for row in reply:
if "Token" in row:
installation_token = row["Token"]["token"]
elif "ServerPublicKey" in row:
server_public = base64.b64encode(
row["ServerPublicKey"]["server_public_key"].encode('utf-8'))
if not installation_token:
raise Exception("No token returned by installation")
else:
print("Set BUNQ_INSTALLATION_TOKEN to '%s'." % installation_token)
if not server_public:
raise Exception("No server public key returned by installation")
else:
print("Set BUNQ_SERVER_PUBLIC_KEY to '%s'." %
str(server_public.decode('utf-8')))
os.environ['BUNQ_INSTALLATION_TOKEN'] = installation_token
os.environ['BUNQ_SERVER_PUBLIC_KEY'] = str(server_public.decode('utf-8'))
register_device()
return installation_token
def _get_instance_ssl_context(self):
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, 2048)
public_key = crypto.dump_publickey(crypto.FILETYPE_PEM, key)
private_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, key)
request = self._api_client().sslCerts().createEphemeral(
project=self._project,
instance=self._instance,
body={'public_key': public_key})
ephemeral = request.execute()
client_cert = crypto.load_certificate(crypto.FILETYPE_PEM,
ephemeral['cert'])
ca_cert = crypto.load_certificate(
crypto.FILETYPE_PEM, self._metadata['serverCaCert']['cert'])
context = SSL.Context(SSL.TLSv1_2_METHOD)
context.set_verify(SSL.VERIFY_PEER, self._verify_cert)
context.use_privatekey(key)
context.use_certificate(client_cert)
context.get_cert_store().add_cert(ca_cert)
return context
def generate_offline_keyandcsr(id,
password,
outputdir,
digest="sha256",
**name):
"""
Generates a private key and csr and outputs to file.
Arguments: id - unique identifier to identify key and csr. These will be out to files based on the id
digest - The hashing algo to use to create the csr
**name - The name of the subject of the request, possible
arguments are:
C - Country name
ST - State or province name
L - Locality name
O - Organization name
OU - Organizational unit name
CN - Common name
emailAddress - E-mail address
eg = CN='FA10234587B',OU='OEM 5G ICL',O='Verizon', C='US',
Returns: True or False
:type password: object
"""
logger.info('Start key/csr generation for id %s', id)
pkey = create_key_pair(keytype, keysize, keygen, id)
publickey = crypto.dump_publickey(OpenSSL.crypto.FILETYPE_PEM, pkey)
privatekey = crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, pkey)
logger.info('SHA256 hash of Public Key Object for id:%s is %s', id,
hashlib.sha256(publickey).hexdigest())
logger.info('SHA256 hash of Private Key Object for id:%s is %s', id,
hashlib.sha256(privatekey).hexdigest())
# 1. Generate key pair using create_key_pair and output to temp file - id.pkey
'''keyfile = os.path.join(batchdir, id + '.pkey')
if os.path.exists(keyfile):
# Identified duplicate key identifier - needs further investigation.
logger.error('Private Key file for %s exists at %s aborting', id, keyfile)
sys.exit(1)
else:
pkey = create_key_pair(keytype, keysize, keygen, id)
open(keyfile, "wb").write(crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey, str(keycipher), b'password'))
logger.info('Private Key generated for %s and written to %s', id, keyfile)'''
# 2. Generate CSR output to temp file - id.csr
csrfile = os.path.join(outputdir, id + '.csr')
if os.path.exists(csrfile):
logger.error('CSR file for %s exists at %s aborting', id, csrfile)
sys.exit(1)
else:
csr = create_cert_request(pkey, digest="sha256", **name)
f = open(csrfile, "wb")
f.write(
OpenSSL.crypto.dump_certificate_request(
OpenSSL.crypto.FILETYPE_PEM, csr))
f.close()
logger.info('CSR file created for %s and written to %s', id, csrfile)
# 3. Generate P12 and output to file id.p12
create_pkcs12(id, pkey, cacert, outputdir, password)
def get_subject(self):
crt_obj = crypto.load_certificate(
crypto.FILETYPE_PEM,
open("temp/certificate.crt", 'rb').read())
pub_key_object = crt_obj.get_pubkey()
pub_key_string = crypto.dump_publickey(crypto.FILETYPE_PEM,
pub_key_object)
return (crt_obj.get_subject().CN, crt_obj.get_issuer().CN)
def extract_public_key_from_crt(cert_path=cert_path):
## get public key with openssl
## openssl x509 -pubkey -noout -in ChaveCifraPublicaAT2020.cer >public_key.pem
f = open(cert_path, 'rt')
crtObj = crypto.load_certificate(crypto.FILETYPE_PEM, f.read())
pubKeyObject = crtObj.get_pubkey()
pubKeyString = crypto.dump_publickey(crypto.FILETYPE_PEM, pubKeyObject)
return pubKeyString
def hpkp_pin(self):
# taken from
# https://github.com/shazow/urllib3/pull/607/files#diff-f86c7f2eb1a0a2deadac493decdd0b7eR337
key = self.x509.get_pubkey()
public_key_raw = crypto.dump_publickey(crypto.FILETYPE_ASN1, key)
public_key_hash = hashlib.sha256(public_key_raw).digest()
return base64.b64encode(public_key_hash).decode('utf-8')
def __init__(self, bits):
self.check = True
pkey = crypto.PKey()
pkey.generate_key(crypto.TYPE_RSA, bits)
open('PrivateKey.pem', 'w').write(crypto.dump_privatekey(crypto.FILETYPE_PEM,pkey))
open('PublicKey.pem', 'w').write(crypto.dump_publickey(crypto.FILETYPE_PEM, pkey))
self.priKey = RSA.importKey(open('PublicKey.pem').read())
self.pubKey = RSA.importKey(open('PrivateKey.pem').read())
def dump_subkey():
global sub_publickey
sub_key = crypto.PKey()
sub_key.generate_key(crypto.TYPE_RSA, 2048)
with open(sub_keyfile, 'wb') as fp:
fp.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, sub_key))
fp.write(crypto.dump_publickey(crypto.FILETYPE_PEM, sub_key))
sub_publickey = sub_key
def get_pub_key(self):
crt_obj = crypto.load_certificate(
crypto.FILETYPE_PEM,
open("cert/certificate.crt", 'rb').read())
pub_key_object = crt_obj.get_pubkey()
pub_key_string = crypto.dump_publickey(crypto.FILETYPE_PEM,
pub_key_object)
return pub_key_string
def fingerprint(cert):
if isinstance(cert, X509):
return cert.digest("sha1").decode()
elif isinstance(cert, X509Req):
req = cert
pub_key = req.get_pubkey()
data = "".join(crypto.dump_publickey(crypto.FILETYPE_PEM, pub_key).split("\n")[1:-2])
digest = hashlib.sha1(data).hexdigest()
return ':'.join(a+b for a,b in zip(digest[::2], digest[1::2]))
def generate_rsa_key_pair(self, bits):
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, bits)
public_key = crypto.dump_publickey(crypto.FILETYPE_PEM, key).decode()
private_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, key).decode()
public_key = public_key.replace("-----BEGIN PUBLIC KEY-----", "")
public_key = public_key.replace("-----END PUBLIC KEY-----", "")
public_key = public_key.replace("\n", "")
private_key = private_key.replace("-----BEGIN PRIVATE KEY-----", "")
private_key = private_key.replace("-----END PRIVATE KEY-----", "")
private_key = private_key.replace("\n", "")
return public_key, private_key
def createDGPairs(username):
private_path = 'private/'
public_path = 'public/'
private_path += username
public_path += username
P = PKey()
P.generate_key(TYPE_RSA, 1024)
#写入
with open(public_path,'w') as f:
f.write(dump_publickey(FILETYPE_PEM, P).decode('utf-8'))
with open(private_path,'w') as f:
f.write(dump_privatekey(FILETYPE_PEM, P).decode('utf-8'))
def main(dir, *, synctree=False, name:'n'=None):
if dir: os.chdir(dir or '.')
try: store, sub = Store.find()
except StoreNotFound: pass
else: err('Directory %s already in a Filoco store (%s).' % (os.getcwd(), store.root_path))
try:
if os.path.exists('.filoco.tmp'): shutil.rmtree('.filoco.tmp')
os.mkdir('.filoco.tmp')
spurt('.filoco.tmp/version', "1")
spurt('.filoco.tmp/type', "fs")
db = SqliteWrapper('.filoco.tmp/meta.sqlite', wal=True)
sync_mode = 'synctree' if synctree else 'serial'
spurt('.filoco.tmp/sync_mode', sync_mode)
tpl = jinja2.Template(slurp(SCHEMA_FILE), line_statement_prefix='#')
schema = tpl.render(sync_mode=sync_mode)
db.execute(schema)
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, RSA_KEY_SIZE)
priv_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, key)
pub_key = crypto.dump_publickey(crypto.FILETYPE_PEM, key)
cert = crypto.X509()
cert.get_subject().CN = name or 'unnamed'
cert.set_serial_number(1000)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10*365*24*60*60)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(key)
cert.sign(key, 'sha256')
store_id = cert.digest('sha256').decode('ascii').replace(':','').lower()
spurt('.filoco.tmp/store_id', store_id)
db.insert('stores', idx=0, id=store_id)
spurt('.filoco.tmp/store_cert', crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode('ascii'))
with open('.filoco.tmp/store_key', 'wb') as file:
os.chmod('.filoco.tmp/store_key', 0o600)
file.write(priv_key)
st = os.lstat('.')
handle = butter.fhandle.name_to_handle_at(butter.fhandle.AT_FDCWD, '.')[0]
db.insert('inodes', iid='ROOT', ino=st.st_ino, handle_type=handle.type, handle=handle.handle,
size=st.st_size, mtime=st.st_mtime, type='d')
os.rename('.filoco.tmp', '.filoco')
except:
try: shutil.rmtree('.filoco.tmp')
except OSError: pass
raise
def _check_privatekey():
if not os.path.exists(self.privatekey_path):
return False
try:
publickey_content = open(self.path, 'rb').read()
if self.format == 'OpenSSH':
current_publickey = crypto_serialization.load_ssh_public_key(publickey_content, backend=default_backend())
publickey_content = current_publickey.public_bytes(crypto_serialization.Encoding.PEM,
crypto_serialization.PublicFormat.SubjectPublicKeyInfo)
current_publickey = crypto.dump_publickey(
crypto.FILETYPE_ASN1,
crypto.load_publickey(crypto.FILETYPE_PEM, publickey_content)
)
except (crypto.Error, ValueError):
return False
desired_publickey = crypto.dump_publickey(
crypto.FILETYPE_ASN1,
crypto_utils.load_privatekey(self.privatekey_path, self.privatekey_passphrase)
)
return current_publickey == desired_publickey
def get_fingerprint(path, passphrase=None):
"""Generate the fingerprint of the public key. """
fingerprint = {}
privatekey = load_privatekey(path, passphrase)
try:
publickey = crypto.dump_publickey(crypto.FILETYPE_ASN1, privatekey)
for algo in hashlib.algorithms:
f = getattr(hashlib, algo)
pubkey_digest = f(publickey).hexdigest()
fingerprint[algo] = ':'.join(pubkey_digest[i:i + 2] for i in range(0, len(pubkey_digest), 2))
except AttributeError:
# If PyOpenSSL < 16.0 crypto.dump_publickey() will fail.
# By doing this we prevent the code from raising an error
# yet we return no value in the fingerprint hash.
pass
return fingerprint
def generate(self, module):
"""Generate the public key."""
if not os.path.exists(self.privatekey_path):
raise PublicKeyError(
'The private key %s does not exist' % self.privatekey_path
)
if not self.check(module, perms_required=False) or self.force:
try:
if self.format == 'OpenSSH':
privatekey_content = open(self.privatekey_path, 'rb').read()
key = crypto_serialization.load_pem_private_key(privatekey_content,
password=self.privatekey_passphrase,
backend=default_backend())
publickey_content = key.public_key().public_bytes(
crypto_serialization.Encoding.OpenSSH,
crypto_serialization.PublicFormat.OpenSSH
)
else:
self.privatekey = crypto_utils.load_privatekey(
self.privatekey_path, self.privatekey_passphrase
)
publickey_content = crypto.dump_publickey(crypto.FILETYPE_PEM, self.privatekey)
with open(self.path, 'wb') as publickey_file:
publickey_file.write(publickey_content)
self.changed = True
except (IOError, OSError) as exc:
raise PublicKeyError(exc)
except AttributeError as exc:
self.remove()
raise PublicKeyError('You need to have PyOpenSSL>=16.0.0 to generate public keys')
self.fingerprint = crypto_utils.get_fingerprint(
self.privatekey_path,
self.privatekey_passphrase
)
file_args = module.load_file_common_arguments(module.params)
if module.set_fs_attributes_if_different(file_args, False):
self.changed = True
def generate(self, module):
"""Generate the public key.."""
if not os.path.exists(self.path) or self.force:
try:
privatekey_content = open(self.privatekey_path, 'r').read()
privatekey = crypto.load_privatekey(crypto.FILETYPE_PEM, privatekey_content)
publickey_file = open(self.path, 'w')
publickey_file.write(crypto.dump_publickey(crypto.FILETYPE_PEM, privatekey))
publickey_file.close()
except (IOError, OSError):
e = get_exception()
raise PublicKeyError(e)
except AttributeError:
self.remove()
raise PublicKeyError('You need to have PyOpenSSL>=16.0.0 to generate public keys')
else:
self.changed = False
file_args = module.load_file_common_arguments(module.params)
if module.set_fs_attributes_if_different(file_args, False):
self.changed = True
def strip_key(pem):
""" Return only the b64 part of the ASCII armored PEM.
"""
key = crypto.load_privatekey(crypto.FILETYPE_PEM, pem)
public_pem = crypto.dump_publickey(crypto.FILETYPE_PEM, key)
return public_pem.replace(b"\n", b"").split(b"-----")[2]
def main():
""" Main function"""
parser = argparse.ArgumentParser(description='csr2dnskey')
parser.add_argument("--csr",
dest='csr',
metavar='filename',
help='CSR anchor file (root-anchors.xml)',
required=True)
parser.add_argument("--output",
dest='output',
metavar='filename',
help='output file (stdout)')
parser.add_argument('--debug',
dest='debug',
action='store_true',
help="Enable debugging")
group_dnskey = parser.add_mutually_exclusive_group()
group_dnskey.add_argument('--dnskey',
dest='output_dnskey',
action='store_true',
default=True,
help="Output DNSKEY RR")
group_dnskey.add_argument('--no-dnskey',
dest='output_dnskey',
action='store_false',
help="Don't output DNSKEY RR")
group_ds = parser.add_mutually_exclusive_group()
group_ds.add_argument('--ds',
dest='output_ds',
action='store_true',
default=False,
help="Output DS RR")
group_ds.add_argument('--no-ds',
dest='output_ds',
action='store_false',
help="Don't output DS RR")
args = parser.parse_args()
if args.debug:
logging.basicConfig(level=logging.DEBUG)
with open(args.csr, "rb") as csr_fd:
csr = csr_fd.read()
req = load_certificate_request(FILETYPE_ASN1, csr)
subject = req.get_subject()
logging.info("CSR Subject: %s", subject)
(ds_origin, ds_rdata) = get_ds_rdata(subject)
logging.debug("CSR DS Origin: %s", ds_origin)
logging.debug("CSR DS RDATA: %s", ds_rdata)
public_key_der = dump_publickey(FILETYPE_ASN1, req.get_pubkey())
debug_hexlify("CSR Public Key", public_key_der)
if get_algo_class_from_ds(ds_rdata) == 'RSA':
b64 = get_rsa_b64_from_der(public_key_der).decode()
logging.debug("CSR Public RSA Key (Base64): %s", b64)
rdata_str = '257 3 {} {}'.format(ds_rdata.algorithm, b64)
dnskey_rdata = dns.rdata.from_text(rdclass=dns.rdataclass.IN,
rdtype=dns.rdatatype.DNSKEY,
tok=rdata_str)
logging.debug("DNSKEY RDATA: %s", dnskey_rdata)
dnskey_as_ds = dns.dnssec.make_ds(name=ds_origin,
key=dnskey_rdata,
algorithm=ds_digest_type_as_text(ds_rdata.digest_type))
logging.debug("DNSKEY as DS RDATA: %s", dnskey_as_ds)
else:
raise Exception('Unsupported public key algorithm')
if ds_rdata != dnskey_as_ds:
raise Exception('DNSKEY/DS mismatch')
if args.output:
output_fd = open(args.output, 'w')
old_stdout = sys.stdout
sys.stdout = output_fd
if args.output_ds:
print('{} IN DS {}'.format(ds_origin, ds_rdata))
if args.output_dnskey:
print('{} IN DNSKEY {}'.format(ds_origin, dnskey_rdata))
if args.output:
sys.stdout = old_stdout
output_fd.close()
def verifySignature(self, signature, signersCert, data):
'Will verify the signature of an entity based upon public cert'
vk = ecdsa.VerifyingKey.from_der(crypto.dump_publickey(crypto.FILETYPE_ASN1, signersCert.get_pubkey()))
assert vk.verify(signature, data, hashfunc=self.hashfunc, sigdecode=self.sigdecode), "Invalid signature!!"
import M2Crypto
#following data are in 9th packet
#subjectPublicKeyInfo of the 2nd certificate which is used to sign the 1st
key = '30820122300d06092a864886f70d01010105000382010f003082010a0282010100b2d805ca1c742db5175639c54a520996e84bd80cf1689f9a422862c3a530537e5511825b037a0d2fe17904c9b496771981019459f9bcf77a9927822db783dd5a277fb2037a9c5325e9481f464fc89d29f8be7956f6f7fdd93a68da8b4b82334112c3c83cccd6967a84211a22040327178b1c6861930f0e5180331db4b5ceeb7ed062aceeb37b0174ef6935ebcad53da9ee9798ca8daa440e25994a1596a4ce6d02541f2a6a26e2063a6348acb44cd1759350ff132fd6dae1c618f59fc9255df3003ade264db42909cd0f3d236f164a8116fbf28310c3b8d6d855323df1bd0fbd8c52954a16977a522163752f16f9c466bef5b509d8ff2700cd447c6f4b3fb0f70203010001'.decode('hex')
#encrypted hash of the 1st certificate
encHash = '01b9a2f6b47996333035fa09a9fbf7a9937afe51ce0f95a3fb9f80037e1d63a6d0f7044b7198e2f07e104768545b4a5d43c19240ec911a7f90208d6886df74db949bb615e8e10118d41333c119e61e00702ad00ada8758bf70bd641fed22ee59816f8f2a1ddc728d5c37c03faaa6b225ee8ff0872242dfb2f1dccb7e4c66b63f24cf117bfe2ab1edd111aa959ae0d198bfa52723782e22484e065b6ed1b0870af9f6ab31df75cc6e75f3196a951aedf3d8dee807e9eb7ff61f0cfef5cf39729bb8e3fab966b95ef4c0dfb3f327dc327e07ab3b4c3bdb1b91787302cc4272890086dc9b5cef0acc4886a84ccd073e768b38d4c80f51e2da12c343f2893f9a84f3'.decode('hex')
#content of 1st certificate
cert = '308207b8a00302010202105f4572da7b32a3d03c7666978b37fc25300d06092a864886f70d01010b0500307e310b3009060355040613025553311d301b060355040a131453796d616e74656320436f72706f726174696f6e311f301d060355040b131653796d616e746563205472757374204e6574776f726b312f302d0603550403132653796d616e74656320436c61737320332053656375726520536572766572204341202d204734301e170d3135303932333030303030305a170d3137303932333233353935395a307d310b30090603550406130255533113301106035504080c0a43616c69666f726e69613111300f06035504070c0853616e204a6f736531133011060355040a0c0a654261792c20496e632e31183016060355040b0c0f53697465204f7065726174696f6e733117301506035504030c0e70616765732e656261792e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b21aea816c8a5a2e2203eeba246e1656c89fa7fdbcf4cfe293db92713292b93526118c48da91297574fd7942674a0c1e9b5e1b80450590a446a9baca472f9c0abe468afaa863f74330472f75a7024046da171248769d4989173ccd7e7bfca6028054655cf31110fc69db59ee97b1390142f7cdd9a12f5edd605552c5dc2371ea9a6d6ed7ab2677147404cf7754d541ddf5298b184c9d495b955927b6989b2d798be29cc936b50412d9fe7f0e25b9890d53d76051c012eb7a1d8b1ace7abce23420fbca5bdba4130af0454af4fbc2d660562fd4e658115900b727f38cfdb96702a3a121c0ba8a707644ab91e53f08568f86b6cd54ead564d993e47b388f15d0e50203010001a3820549308205453082027b0603551d11048202723082026e820c626566722e656261792e6265820c62656e6c2e656261792e6265820c636166722e656261792e63618207656261792e61748207656261792e62658207656261792e63618207656261792e6368820a656261792e636f2e756b8208656261792e636f6d820b656261792e636f6d2e6175820b656261792e636f6d2e686b820b656261792e636f6d2e6d79820b656261792e636f6d2e73678207656261792e64658207656261792e65738207656261792e66728207656261792e69658207656261792e696e8207656261792e69748207656261792e6e6c8207656261792e70688207656261792e706c8207656261792e7275821270616765732e626566722e656261792e6265821270616765732e62656e6c2e656261792e6265821270616765732e636166722e656261792e6361820d70616765732e656261792e6174820d70616765732e656261792e6265820d70616765732e656261792e6361820d70616765732e656261792e6368821070616765732e656261792e636f2e756b820e70616765732e656261792e636f6d821170616765732e656261792e636f6d2e6175821170616765732e656261792e636f6d2e686b821170616765732e656261792e636f6d2e6d79821170616765732e656261792e636f6d2e7367820d70616765732e656261792e6465820d70616765732e656261792e6573820d70616765732e656261792e6672820d70616765732e656261792e6965820d70616765732e656261792e696e820d70616765732e656261792e6974820d70616765732e656261792e6e6c820d70616765732e656261792e7068820d70616765732e656261792e706c820d70616765732e656261792e727530090603551d1304023000300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030106082b0601050507030230610603551d20045a30583056060667810c010202304c302306082b06010505070201161768747470733a2f2f642e73796d63622e636f6d2f637073302506082b0601050507020230191a1768747470733a2f2f642e73796d63622e636f6d2f727061301f0603551d230418301680145f60cf619055df8443148a602ab2f57af44318ef302b0603551d1f042430223020a01ea01c861a687474703a2f2f73732e73796d63622e636f6d2f73732e63726c305706082b06010505070101044b3049301f06082b060105050730018613687474703a2f2f73732e73796d63642e636f6d302606082b06010505073002861a687474703a2f2f73732e73796d63622e636f6d2f73732e6372743082017e060a2b06010401d6790204020482016e0482016a0168007700ddeb1d2b7a0d4fa6208b81ad8168707e2e8e9d01d55c888d3d11c4cdb6ecbecc0000014ff9542aaa00000403004830460221008c579fb270d2d17227517161a3e1bd08235f7357912f0509e781abc233100247022100a5e7dfaa35ffd47e06f6d3a241eaeba3d7aabbd2e30cc6990e0cd521a48248fa007500a4b90990b418581487bb13a2cc67700a3c359804f91bdfb8e377cd0ec80ddc100000014ff9542aed000004030046304402205de0ace4e55e1a4130fdef4406f7d48c41aed0f89a7109aa7d3848511551785b02203a0607ac8597ead7a05ba4014f0fcdcbf8e6841981ad06d1fcbfa3971863172000760068f698f81f6482be3a8ceeb9281d4cfc71515d6793d444d10a67acbb4f4ffbc40000014ff9542af50000040300473045022100ff2be0f169e5cfefe582ab4f486e882e3ee63e6e4564657d23f1cfc98212ecab02207020d4cd3ed99efd718414b9deba4654a3d8d2c179d906b21ea792390151033e'.decode('hex')
#calculate the SHA256 for later comparison
print SHA256.new(cert).hexdigest()
pubkey = load_publickey(FILETYPE_ASN1,key)
f = open("pub.pem","wb+")
f.write(dump_publickey(FILETYPE_PEM, pubkey))
f.close()
print "Pubkey: " + str(pubkey.bits()) + " bits,",
rsa = _lib.EVP_PKEY_get1_RSA(pubkey._pkey)
print str(_lib.RSA_size(rsa)) + " bytes."
#Got problem with pyOpenSSL to decrypt so use M2Crypto instead
#result = _lib.RSA_public_decrypt(len(encHash),encHash,decHash,rsa,_lib.RSA_PKCS1_PADDING)
rsa = M2Crypto.RSA.load_pub_key('pub.pem')
decHash = rsa.public_decrypt(encHash,M2Crypto.RSA.no_padding)
print "PKCS #1 data of signature\n", decHash.encode('hex')
#see rfc 3447 9.2 EMSA-PKCS1-v1_5
nextZero = decHash[2:].find("\x00") + 2
decHash = decHash[nextZero+1:] #asn.1 DER-encoded
#extract actual data in asn.1 using Crypto.Util.asn1
der = asn1.DerSequence()
