def verify_valid_intermediates(self, secret_ref):
secret_resp = self.secret_behaviors.get_secret(
secret_ref, "application/octet-stream")
self.assertIsNotNone(secret_resp)
self.assertIsNotNone(secret_resp.content)
cert_chain = secret_resp.content
crypto.load_pkcs7_data(crypto.FILETYPE_PEM, cert_chain)
def test_p7s(self):
with open('clientcert.crt') as cert_file:
cert_buf = cert_file.read()
with open('clientkey.key') as key_file:
key_buf = key_file.read()
pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, key_buf,
'12345678'.encode())
signcert = crypto.load_certificate(crypto.FILETYPE_PEM,
cert_buf.encode())
text = "Test text"
# bio_in = crypto._new_mem_buf(text.encode())
# PKCS7_NOSIGS = 0x4 # defined in pkcs7.h
# pkcs7 = crypto._lib.PKCS7_sign(signcert._x509, pkey._pkey, crypto._ffi.NULL, bio_in, PKCS7_NOSIGS) # noqa
# bio_out = crypto._new_mem_buf()
# crypto._lib.i2d_PKCS7_bio(bio_out, pkcs7)
# sigbytes = crypto._bio_to_string(bio_out)
crypto.load_pkcs7_data()
crypto.to
with open('test.p7s', 'w') as tst:
tst.write(str(pkcs7))
def verify_valid_intermediates(self, secret_ref):
secret_resp = self.secret_behaviors.get_secret(
secret_ref,
"application/pkix-cert")
self.assertIsNotNone(secret_resp)
self.assertIsNotNone(secret_resp.content)
cert_chain = secret_resp.content
crypto.load_pkcs7_data(crypto.FILETYPE_PEM, cert_chain)
def decode_certificate_data(data):
"""
Decodes a blob containing encoded X.509 certificates (can be DER/PEM encoded or a PKCS7 bundle).
Args:
data (bytes) : Buffer containing the encoded certificate(s).
Returns:
A list with cryptography X.509 certificates (not OpenSSL X.509 certificates!)
"""
# PEM encoded?
try:
# try to decode the first certificate directly (fails, if not PEM encoded)
x509.load_pem_x509_certificate(data, default_backend())
# ok, it's PEM encoded... but it may contain multiple certificates, try to unpack!
certificates = [ x509.load_pem_x509_certificate(x.as_bytes(), default_backend()) for x in pem.parse(data) ]
log_debug("Successfully decoded {0} PEM encoded certificate(s):".format(len(certificates)))
for x in certificates: log_debug("- subject: {0}".format(x.subject))
return certificates
except ValueError:
pass
# DER encoded?
try:
certificate = x509.load_der_x509_certificate(data, default_backend())
log_debug("Successfully decoded a DER encoded certificate:")
log_debug("- subject: {0}".format(certificate.subject))
return [ certificate ]
except ValueError:
pass
# PKCS7, PEM encoded
try:
pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_PEM, data)
certificates = get_pkcs7_certificates(pkcs7)
log_debug("Successfully decoded PEM encoded PKCS#7 bundle, extracted {0} certificate(s):".format(len(certificates)))
for x in certificates: log_debug("- subject: {0}".format(x.subject))
return list(certificates)
except crypto.Error:
pass
# PKCS7, DER encoded
try:
pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, data)
certificates = get_pkcs7_certificates(pkcs7)
log_debug("Successfully decoded DER encoded PKCS#7 bundle, extracted {0} certificate(s):".format(len(certificates)))
for x in certificates: log_debug("- subject: {0}".format(x.subject))
return list(certificates)
except crypto.Error:
pass
raise ValueError("Decoding certificates failed.")
def _pkcs7_to_pem(self, pkcs7_content, outform='string'):
""" convert pkcs7 to pem """
self.logger.debug('CAhandler._pkcs7_to_pem()')
for filetype in (crypto.FILETYPE_PEM, crypto.FILETYPE_ASN1):
try:
pkcs7 = crypto.load_pkcs7_data(filetype, pkcs7_content)
break
except crypto.Error as _err:
pkcs7 = None
# print(err)
cert_pem_list = []
if pkcs7:
# convert cert pkcs#7 to pem
cert_list = _get_certificates(pkcs7)
for cert in cert_list:
cert_pem_list.append(convert_byte_to_string(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)))
# define output format
if outform == 'string':
result = ''.join(cert_pem_list)
elif outform == 'list':
result = cert_pem_list
else:
result = None
self.logger.debug('Certificate._pkcs7_to_pem() ended')
return result
def scan(self, file_object, options):
self.metadata["total"] = {"certificates": 0, "extracted": 0}
if file_object.data[:1] == b"0":
crypto_file_type = crypto.FILETYPE_ASN1
self.metadata["cryptoType"] = "der"
else:
crypto_file_type = crypto.FILETYPE_PEM
self.metadata["cryptoType"] = "pem"
try:
pkcs7 = crypto.load_pkcs7_data(crypto_file_type, file_object.data)
pkcs7_certificates = pkcs7.get_certificates()
if pkcs7_certificates is not None:
self.metadata["total"]["certificates"] = len(pkcs7_certificates)
for certificate in pkcs7_certificates:
child_file = crypto.dump_certificate(crypto_file_type,
certificate)
child_filename = f"{self.scanner_name}::serial_number_{certificate.get_serial_number()}"
child_fo = objects.StrelkaFile(data=child_file,
filename=child_filename,
depth=file_object.depth + 1,
parent_uid=file_object.uid,
root_uid=file_object.root_uid,
parent_hash=file_object.hash,
root_hash=file_object.root_hash,
source=self.scanner_name)
self.children.append(child_fo)
self.metadata["total"]["extracted"] += 1
except crypto.Error:
file_object.flags.append(f"{self.scanner_name}::load_pkcs7_error")
def remove_signature(content):
""" Remove the PKCS#7 envelope from given content, making a '.xml.p7m' file content readable as it was '.xml'.
As OpenSSL may not be installed, in that case a warning is issued and None is returned. """
# Prevent using the library if it had import errors
if not ssl_crypto:
_logger.warning(
"Error reading the content, check if the OpenSSL library is installed for for PKCS#7 envelope extraction."
)
return None
# Load some tools from the library
null = ssl_util.ffi.NULL
verify = ssl_util.lib.PKCS7_verify
# By default ignore the validity of the certificates, just validate the structure
flags = ssl_util.lib.PKCS7_NOVERIFY | ssl_util.lib.PKCS7_NOSIGS
# Read the signed data fron the content
out_buffer = ssl_crypto._new_mem_buf()
# This method is deprecated, but there are actually no alternatives
with warnings.catch_warnings():
warnings.filterwarnings("ignore", category=DeprecationWarning)
loaded_data = ssl_crypto.load_pkcs7_data(ssl_crypto.FILETYPE_ASN1,
content)
# Verify the signature
if verify(loaded_data._pkcs7, null, null, null, out_buffer, flags) != 1:
ssl_crypto._raise_current_error()
# Get the content as a byte-string
decoded_content = ssl_crypto._bio_to_string(out_buffer)
return decoded_content
def __init__(self, cert, content_type=None):
try:
if cert.startswith("-----BEGIN CERTIFICATE-----"):
log.debug("Loading file with content_type pem")
self.cert = x509.load_pem_x509_certificate(
bytes(cert), OpenSSLBackend)
elif content_type == 'pkcs7-mime':
pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, cert)
certs = pkcs7_get_certs(pkcs7)
if not len(certs):
raise ValueError('No certs in pkcs7')
elif len(certs) > 1:
log.warning(
'Multiple certs found but only processing the first one'
)
self.cert = certs[0]
else:
log.debug(
"Loading file with content_type {0}".format(content_type))
self.cert = x509.load_der_x509_certificate(
bytes(cert), OpenSSLBackend)
except ValueError:
raise UnsuportedCertificateType(
"Failed to load cert with content_type={0}".format(
content_type))
def _parse(self, buff, digestalgo):
pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, buff)
certs_stack = _ffi.NULL
if pkcs7.type_is_signed():
certs_stack = pkcs7._pkcs7.d.sign.cert
elif pkcs7.type_is_signedAndEnveloped():
certs_stack = pkcs7._pkcs7.d.signed_and_enveloped.cert
pycerts = []
for i in range(_lib.sk_X509_num(certs_stack)):
tmp = _lib.X509_dup(_lib.sk_X509_value(certs_stack, i))
pycert = X509._from_raw_x509_ptr(tmp)
pycerts.append(pycert)
if not pycerts:
return None
for cert in pycerts:
sbj = cert.get_subject()
name = 'C={}, ST={}, L={}, O={}, CN={}'.format(
sbj.C, sbj.ST, sbj.L, sbj.O, sbj.CN)
checksum = cert.digest(digestalgo).decode().replace(':', '')
self.content.append((name, checksum))
def load_pkcs7_bio_der(p7_der):
"""
Load a PKCS7 object from a PKCS7 DER blob.
Return PKCS7 object.
"""
try:
return crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, p7_der)
except crypto.Error as ex:
raise PKCS7VerifyError(ex)
def load_pkcs7_bio_der(p7_der):
"""
Load a PKCS7 object from a PKCS7 DER blob.
Return PKCS7 object.
"""
try:
return crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, p7_der)
except crypto.Error as ex:
raise PKCS7VerifyError(ex)
def decrypt_p7s(data: bytes) -> str:
"""
openssl cms -verify -in xxx.p7s -inform DER -noverify -outform DER -signer cert.pem -print
"""
p7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, BytesIO(data).getvalue())
bio_out = crypto._new_mem_buf()
_lib.PKCS7_verify(p7._pkcs7, _ffi.NULL, _ffi.NULL, _ffi.NULL, bio_out,
_lib.PKCS7_NOVERIFY)
return crypto._bio_to_string(bio_out)
def _cert_object(self):
"""
Returns a CSR object
"""
pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, self._read_cert())
certs = self._get_certificates(pkcs7)
certificate = crypto.dump_certificate(crypto.FILETYPE_PEM, certs[0])
a = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
self.log_debug('')
return a
def test_002_get_certificates(self):
""" test pkcs7 convrt to pem """
cert_pem_list = []
with open(self.dir_path + '/ca/certs.p7b', 'r') as fso:
pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_PEM, fso.read())
cert_list = self._get_certificates(pkcs7)
for cert in cert_list:
cert_pem_list.append(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
result = [b'-----BEGIN CERTIFICATE-----\nMIIFTzCCAzegAwIBAgIIAzHyhSyrXfMwDQYJKoZIhvcNAQELBQAwKzEXMBUGA1UE\nCxMOYWNtZTJjZXJ0aWZpZXIxEDAOBgNVBAMTB3Jvb3QtY2EwHhcNMjAwNTI3MTM1\nNDAwWhcNMzAwNTI2MjM1OTAwWjAqMRcwFQYDVQQLEw5hY21lMmNlcnRpZmllcjEP\nMA0GA1UEAxMGc3ViLWNhMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA\nxXHaGZsolXe+PBdUryngHP9VbBC1mehqeTtYI+hqsqGNH7q9a7bSrxMwFuF1kYL8\njqqxkJdtl0L94xcxJg/ZdMx7Nt0vGI+BaAuTpEpUEHeN4tqS6NhB/m/0LGkAELc/\nqkzmoO4B1FDwEEj/3IXtZcupqG80oDt7jWSGXdtF7NTjzcumznMeRXidCdhxRxT/\n/WrsChaytXo0xWZ56oeNwd6x6Dr8/39PBOWtj4fldyDcg+Q+alci2tx9pxmu2bCV\nXcB9ftCLKhDk2WEHE88bgKSp7fV2RCmq9po+Tx8JJ7qecLunUsK/F0XN4kpoQLm9\nhcymqchnMSncSiyin1dQHGHWgXDtBDdq6A2Z6rx26Qk5H9HTYvcNSe1YwFEDoGLB\nZQjbCPWiaqoaH4agBQTclPvrrSCRaVmhUSO+pBtSXDkmN4t3MDZxfgRkp8ixwkB1\n5Y5f0LTpCyAJsdQDw8+Ea0aDqO30eskh4CErnm9+Fejd9Ew2cwpdwfBXzVSbYilM\nGueQihZHvJmVRxAwU69aO2Qs8B0tQ60CfWKVlmWPiakrvYYlPp0FBsM61G6LZEN8\nhH2CKnS8hHv5IWEXZvp0Pk8V3P5h6bWN0Tl+x/V1Prt7Wp8NoiPETE8XyDDxe6dm\nKxztWBH/mTsJyMGb6ZiUoXdPU9TFUKqHxTRLHaxfsPsCAwEAAaN4MHYwEgYDVR0T\nAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUv96OjgYiIqutQ8jd1E+oq0hBPtUwDgYD\nVR0PAQH/BAQDAgGGMBEGCWCGSAGG+EIBAQQEAwIABzAeBglghkgBhvhCAQ0EERYP\neGNhIGNlcnRpZmljYXRlMA0GCSqGSIb3DQEBCwUAA4ICAQBbHLEVyg4f9uEujroc\n31UVyDRLMdPgEPLjOenSBCBmH0N81whDmxNI/7JAAB6J14WMX8OLF0HkZnb7G77W\nvDhy1aFvQFbXHBz3/zUO9Mw9J4L2XEW6ond3Nsh1m2oXeBde3R3ANxuIzHqZDlP9\n6YrRcHjnf4+1/5AKDJAvJD+gFb5YnYUKH2iSvHUvG17xcZx98Rf2eo8LealG4JqH\nJh4sKRy0VjDQD7jXSCbweTHEb8wz+6OfNGrIo+BhTFP5vPcwE4nlJwYBoaOJ5cVa\n7gdQJ7WkLSxvwHxuxzvSVK73u3jl3I9SqTrbMLG/jeJyV0P8EvdljOaGnCtQVRwC\nzM4ptXUvKhKOHy7/nyTF/Bc35ZwwL/2xWvNK1+NibgE/6CFxupwWpdmxQbVVuoQ3\n2tUil9ty0yC6m5GKE8+t1lrZuxyA+b/TBnYNO5xo8UEMbkpxaNYSwmw+f/loxXP/\nM7sIBcLvy2ugHEBxwd9o/kLXeXT2DaRvxPjp4yk8MpJRpNmz3aB5HJwaUnaRLVo5\nZ3XWWXmjMGZ6/m0AAoDbDz/pXtOoJZT8BJdD1DuDdszVsQnLVn4B/LtIXL6FbXsF\nzfv6ERP9a5gpKUZ+4NjgrnlGtdccNZpwyWF0IXcvaq3b8hXIRO4hMjzHeHfzJN4t\njX1vlY35Ofonc4+6dRVamBiF9A==\n-----END CERTIFICATE-----\n', b'-----BEGIN CERTIFICATE-----\nMIIFcDCCA1igAwIBAgIIevLTTxOMoZgwDQYJKoZIhvcNAQELBQAwKzEXMBUGA1UE\nCxMOYWNtZTJjZXJ0aWZpZXIxEDAOBgNVBAMTB3Jvb3QtY2EwHhcNMjAwNTI3MDAw\nMDAwWhcNMzAwNTI2MjM1OTU5WjArMRcwFQYDVQQLEw5hY21lMmNlcnRpZmllcjEQ\nMA4GA1UEAxMHcm9vdC1jYTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB\nAJy4UZHdZgYt64k/rFamoC676tYvtabeuiqVw1c6oVZI897cFLG6BYwyr2Eaj7tF\nrqTJDeMN4vZSudLsmLDq6m8KwX/riPzUTIlcjM5aIMANZr9rLEs3NWtcivolB5aQ\n1slhdVitUPLuxsFnYeQTyxFyP7lng9M/Z403KLG8phdmKjM0vJkaj4OuKOXf3UsW\nqWQYyRl/ms07xVj02uq08LkoeO+jtQisvyVXURdaCceZtyK/ZBQ7NFCsbK112cVR\n1e2aJol7NJAA6Wm6iBzAdkAA2l3kh40SLoEbaiaVMixLN2vilIZOOAoDXX4+T6ir\n+KnDVSJ2yu5c/OJMwuXwHrh7Lgg1vsFR5TNehknhjUuWOUO+0TkKPg2A7KTg72OZ\n2mOcLZIbxzr1P5RRvdmLQLPrTF2EJvpQPNmbXqN3ZVWEvfHTjkkTFY/dsOTvFTgS\nri15zYKch8votcU7z+BQhgmMtwO2JhPMmZ6ABd9skI7ijWpwOltAhxtdoBO6T6CB\nCrE2yXc6V/PyyAKcFglNmIght5oXsnE+ub/dtx8f9Iea/xNPdo5aGy8fdaitolDK\n16kd3Kb7OE4HMHIwOxxF1BEAqerxxhbLMRBr8hRSZI5cvLzWLvpAQ5zuhjD6V3b9\nBYFd4ujAu3zl3mbzdbYjFoGOX6aBZaGDxlc4O2W7HxntAgMBAAGjgZcwgZQwDwYD\nVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUDGVvuTFYZtEAkz3af9wRKDDvAswwHwYD\nVR0jBBgwFoAUDGVvuTFYZtEAkz3af9wRKDDvAswwDgYDVR0PAQH/BAQDAgGGMBEG\nCWCGSAGG+EIBAQQEAwIABzAeBglghkgBhvhCAQ0EERYPeGNhIGNlcnRpZmljYXRl\nMA0GCSqGSIb3DQEBCwUAA4ICAQAjko7dX+iCgT+m3Iy1Vg6j7MRevPAzq1lqHRRN\nNdt2ct530pIut7Fv5V2xYk35ka+i/G+XyOvTXa9vAUKiBtiRnUPsXu4UcS7CcrCX\nEzHx4eOtHnp5wDhO0Fx5/OUZTaP+L7Pd1GD/j953ibx5bMa/M9Rj+S486nst57tu\nDRmEAavFDiMd6L3jH4YSckjmIH2uSeDIaRa9k6ag077XmWhvVYQ9tuR7RGbSuuV3\nFc6pqcFbbWpoLhNRcFc+hbUKOsKl2cP+QEKP/H2s3WMllqgAKKZeO+1KOsGo1CDs\n475bIXyCBpFbH2HOPatmu3yZRQ9fj9ta9EW46n33DFRNLinFWa4WJs4yLVP1juge\n2TCOyA1t61iy++RRXSG3e7NFYrEZuCht1EdDAdzIUY89m9NCPwoDYS4CahgnfkkO\n7YQe6f6yqK6isyf8ZFcp1uF58eERDiF/FDqS8nLmCdURuI56DDoNvDpig5J/9RNW\nG8vEvt2p7QrjeZ3EAatx5JuYty/NKTHZwJWk51CgzEgzDwzE2JIiqeldtL5d0Sl6\neVuv0G04BEyuXxEWpgVVzBS4qEFIBSnTJzgu1PXmId3yLvg2Nr8NKvwyZmN5xKFp\n0A9BWo15zW1PXDaD+l39oTYD7agjXkzTAjYIcfNJ7ATIYFD0xAvNAOf70s7aNupF\nfvkG2Q==\n-----END CERTIFICATE-----\n']
self.assertEqual(result, cert_pem_list)
def verify_pkcs7_data(data):
pdata = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, data)
bio_out = crypto._new_mem_buf()
crypto._lib.PKCS7_verify(
pdata._pkcs7,
crypto._ffi.NULL,
crypto._ffi.NULL,
crypto._ffi.NULL,
bio_out,
crypto._lib.PKCS7_NOVERIFY
)
return crypto._bio_to_string(bio_out)
def decode_cert(cert_path):
# Open certificate and deserialize
with open(str(cert_path),'rb') as rf:
pem_obj = rf.read()
if pem.detect(pem_obj):
type, _, _ = pem.unarmor(pem_obj)
# Determine type of certificate
if type == "PKCS7":
pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_PEM,pem_obj)
certs = get_certificates(pkcs7)
count = 0
for cert in certs:
pem_cert = x509.load_pem_x509_certificate(cert, default_backend())
# Print cert issued to
colorize('green')
print('Issued to: (Chain ' + str(count) + ')')
count += 1
colorize_edit('reset')
print(pem_cert.subject.rfc4514_string())
print("Serial No: " + str(pem_cert.serial_number))
print("Fingerprint: " + str(base64.b64encode(pem_cert.fingerprint(hashes.SHA256())), 'utf-8'))
print("Valid from: " + str(pem_cert.not_valid_before))
print("Valid to: " + str(pem_cert.not_valid_after))
print("Signature hash algorithm: " + pem_cert.signature_hash_algorithm.name)
# Print issued by
colorize('green')
print('Issued by: ')
colorize_edit('reset')
print(pem_cert.issuer.rfc4514_string())
print('\n')
elif type == "CERTIFICATE":
cert = x509.load_pem_x509_certificate(pem_obj, default_backend())
# Print cert issued to
colorize('green')
print('Issued to: ')
colorize_edit('reset')
print(cert.subject.rfc4514_string())
print("Serial No: " + str(cert.serial_number))
print("Fingerprint: " + str(base64.b64encode(cert.fingerprint(hashes.SHA256())), 'utf-8'))
print("Valid from: " + str(cert.not_valid_before))
print("Valid to: " + str(cert.not_valid_after))
print("Signature hash algorithm: " + cert.signature_hash_algorithm.name)
# Print issued by
colorize('green')
print('Issued by: ')
colorize_edit('reset')
print(cert.issuer.rfc4514_string())
else:
raise TypeError('Not a PEM or PKCS7 file.')
def test_create_ca(self):
subca_dict = self._create_subca()
self.assertEqual("sub ca1", subca_dict.get(cm.INFO_NAME))
self.assertIsNotNone(subca_dict.get(cm.INFO_EXPIRATION))
self.assertIsNotNone(subca_dict.get(cm.PLUGIN_CA_ID))
ca_cert = subca_dict.get(cm.INFO_CA_SIGNING_CERT)
self.assertIsNotNone(ca_cert)
intermediates = subca_dict.get(cm.INFO_INTERMEDIATES)
self.assertIsNotNone(intermediates)
cacert = crypto.load_certificate(crypto.FILETYPE_PEM, ca_cert)
subject = cacert.get_subject()
self.assertEqual("subordinate ca signing cert", subject.CN)
pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_PEM, intermediates)
self.assertTrue(pkcs7.type_is_signed())
def get_decrypt_keys(apk: APK, certificate_files: list):
# https://stackoverflow.com/questions/45104923/pyopenssls-pkcs7-object-provide-very-little-information-how-can-i-get-the-sha1
def get_certificates(self):
from OpenSSL.crypto import _lib, _ffi, X509
"""
https://github.com/pyca/pyopenssl/pull/367/files#r67300900
Returns all certificates for the PKCS7 structure, if present. Only
objects of type ``signedData`` or ``signedAndEnvelopedData`` can embed
certificates.
:return: The certificates in the PKCS7, or :const:`None` if
there are none.
:rtype: :class:`tuple` of :class:`X509` or :const:`None`
"""
certs = _ffi.NULL
if self.type_is_signed():
certs = self._pkcs7.d.sign.cert
elif self.type_is_signedAndEnveloped():
certs = self._pkcs7.d.signed_and_enveloped.cert
#
pycerts = []
for i in range(_lib.sk_X509_num(certs)):
pycert = X509.__new__(X509)
pycert._x509 = _lib.sk_X509_value(certs, i)
pycerts.append(pycert)
#
if not pycerts:
return None
return tuple(pycerts)
sha1hashes = []
# assume there are more than one certificate file
for certificate_file in certificate_files:
certificate_bytes = apk.zip.read(certificate_file)
pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, certificate_bytes)
# assume there are more than one certificate
certs = get_certificates(pkcs7)
hashes = [cert.digest('sha1').decode() for cert in certs]
sha1hashes.extend(hashes)
keys = []
for hash in sha1hashes:
keys.append(generate_key(hash))
return keys
def get_pem_data_from_pkcs7(data: bytes) -> bytes:
"""Extracts certificate from pkcs7 data and convert it to PEM data"""
pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, data)
certs = _ffi.NULL
if pkcs7.type_is_signed():
certs = pkcs7._pkcs7.d.sign.cert
elif pkcs7.type_is_signedAndEnveloped():
certs = pkcs7._pkcs7.d.signed_and_enveloped.cert
if _lib.sk_X509_num(certs) > 1:
raise Exception('Too many certificates')
pycert = X509.__new__(X509)
pycert._x509 = _lib.X509_dup(_lib.sk_X509_value(certs, 0))
return bytes(crypto.dump_certificate(crypto.FILETYPE_PEM, pycert))
def extract_smime_signature(payload, trusted, logger):
"""
:param payload: bytes
:param trusted: list of cryptography.x509.Certificate
:param logger: logger
:return: bytes or None
Extract public certificates from the PKCS7 binary payload. Logs human-readable info about each cert found.
Identifies which are intermediates and which is the sender's public-key cert.
Verifies against provided list of trusted certs.
If valid, returns the PEM-serialized contents of the sender's public-key certificate.
If invalid, returns None.
"""
pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, payload)
certs = get_certificates(pkcs7)
cert, intermediates = None, []
for c in certs:
# Log some human-readable info about each cert
c_email_addrs = []
c_issuer_info = {}
for i in c.subject.get_attributes_for_oid(
cryptography.x509.NameOID.EMAIL_ADDRESS):
c_email_addrs.append(i.value)
for i in c.issuer:
c_issuer_info.update({i.oid._name: i.value})
logger.info(
'| Certificate: subject email_address={},not_valid_before={},not_valid_after={},hash_algorithm={},key_size={} bytes, issuer={}'
.format(c_email_addrs, c.not_valid_before, c.not_valid_after,
c.signature_hash_algorithm.name,
c.public_key().key_size, c_issuer_info))
# Check if this is an email user certificate, or an intermediate
if c_email_addrs:
cert = c
else:
intermediates.append(c)
if verify_certificate_chain(cert, intermediates, trusted, logger):
pem_bytes = cert.public_bytes(serialization.Encoding.PEM)
return pem_bytes
else:
return None
def test_create_ca(self):
subca_dict = self._create_subca()
self.assertEqual("sub ca1", subca_dict.get(cm.INFO_NAME))
self.assertIsNotNone(subca_dict.get(cm.INFO_EXPIRATION))
self.assertIsNotNone(subca_dict.get(cm.PLUGIN_CA_ID))
ca_cert = subca_dict.get(cm.INFO_CA_SIGNING_CERT)
self.assertIsNotNone(ca_cert)
intermediates = subca_dict.get(cm.INFO_INTERMEDIATES)
self.assertIsNotNone(intermediates)
cacert = crypto.load_certificate(crypto.FILETYPE_PEM, ca_cert)
subject = cacert.get_subject()
self.assertEqual(
"subordinate ca signing cert",
subject.CN)
pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_PEM, intermediates)
self.assertTrue(pkcs7.type_is_signed())
def load_certificates_from_signature(signature):
signature = base64.b64decode(signature)
pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, signature)
raw_certificates = ffi.NULL
if pkcs7.type_is_signed():
raw_certificates = pkcs7._pkcs7.d.sign.cert
elif pkcs7.type_is_signedAndEnveloped():
raw_certificates = pkcs7._pkcs7.d.signed_and_enveloped.cert
certificates = []
for x in range(lib.sk_X509_num(raw_certificates)):
certificate = lib.X509_dup(lib.sk_X509_value(raw_certificates, x))
certificate = crypto.X509._from_raw_x509_ptr(certificate)
certificate = ApplePieCertificate(certificate)
certificates.append(certificate)
return certificates
def cert_certificate(self) -> GreppedOut:
"""
Returns a PEM encoded certificate
Returns
-------
GreppedOut : object
GreppedOut object
Examples
--------
>>> from glorifiedgrep import GlorifiedAndroid
>>> a = GlorifiedAndroid('/path/to/apk')
>>> a.cert_certificate()
"""
pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, self._read_cert())
certs = self._get_certificates(pkcs7)
certificate = crypto.dump_certificate(crypto.FILETYPE_PEM, certs[0])
self._cert_analysis['certificate'] = [certificate]
self.log_debug('')
return GreppedOut([certificate])
def getXMLfromP7m(filename):
from OpenSSL import crypto
from OpenSSL._util import (
ffi as _ffi,
lib as _lib,
)
# Or, alternatively:
# from cryptography.hazmat.bindings.openssl.binding import Binding
# _lib = Binding.lib
# _ffi = Binding.ffi
with open(filename, 'rb') as f:
p7data = f.read()
#p7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, p7data)
p7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, p7data)
bio_out = crypto._new_mem_buf()
res = _lib.PKCS7_verify(p7._pkcs7, _ffi.NULL, _ffi.NULL, _ffi.NULL,
bio_out, _lib.PKCS7_NOVERIFY)
'''
if res == 1:
databytes = crypto._bio_to_string(bio_out)
databytes = databytes.decode('utf8')
databytes = databytes.replace('\ufeff', "")
print(databytes)
else:
errno = _lib.ERR_get_error()
errstrlib = _ffi.string(_lib.ERR_lib_error_string(errno))
errstrfunc = _ffi.string(_lib.ERR_func_error_string(errno))
errstrreason = _ffi.string(_lib.ERR_reason_error_string(errno))
'''
databytes = crypto._bio_to_string(bio_out)
xmlFileName = getTempDir() + 'tmpFatt.xml'
open(xmlFileName, 'wb').write(databytes)
return xmlFileName
def scan(self, data, file, options, expire_at):
self.event['total'] = {'certificates': 0, 'extracted': 0}
if data[:1] == b'0':
crypto_file_type = crypto.FILETYPE_ASN1
self.event['cryptoType'] = 'der'
else:
crypto_file_type = crypto.FILETYPE_PEM
self.event['cryptoType'] = 'pem'
try:
pkcs7 = crypto.load_pkcs7_data(crypto_file_type, data)
pkcs7_certificates = pkcs7.get_certificates()
if pkcs7_certificates is not None:
self.event['total']['certificates'] = len(pkcs7_certificates)
for certificate in pkcs7_certificates:
extract_file = strelka.File(
name=f'sn_{certificate.get_serial_number()}',
source=self.name,
)
extract_data = crypto.dump_certificate(
crypto_file_type,
certificate,
)
for c in strelka.chunk_string(extract_data):
self.upload_to_cache(
extract_file.pointer,
c,
expire_at,
)
self.files.append(extract_file)
self.event['total']['extracted'] += 1
except crypto.Error:
self.flags.append('load_pkcs7_error')
def _parse(self, buff):
pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, buff)
certs_stack = _ffi.NULL
if pkcs7.type_is_signed():
certs_stack = pkcs7._pkcs7.d.sign.cert
elif pkcs7.type_is_signedAndEnveloped():
certs_stack = pkcs7._pkcs7.d.signed_and_enveloped.cert
pycerts = []
for i in range(_lib.sk_X509_num(certs_stack)):
tmp = _lib.X509_dup(_lib.sk_X509_value(certs_stack, i))
pycert = X509._from_raw_x509_ptr(tmp)
pycerts.append(pycert)
if not pycerts:
return None
for cert in pycerts:
name = str(cert.get_subject())[19:-2].replace('/', ', ')
md5 = cert.digest('md5').decode().replace(':', '')
self.content.append((name, md5))
def cert_public_key(self) -> GreppedOut:
"""
Get the public key from CERT.RSA
Returns
-------
GreppedOut : object
GreppedOut object
Examples
--------
>>> from glorifiedgrep import GlorifiedAndroid
>>> a = GlorifiedAndroid('/path/to/apk')
>>> a.cert_public_key()
"""
pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, self._read_cert())
certs = self._get_certificates(pkcs7)
p = certs[0].get_pubkey()
bio = crypto._new_mem_buf()
cryptolib.PEM_write_bio_PUBKEY(bio, p._pkey)
key = crypto._bio_to_string(bio)
self._cert_analysis['public_key'] = [key]
self.log_debug('')
return GreppedOut([key])
signatureStart = (footer[0] & 255) | ((footer[1] & 255) << 8)
f.seek(file_size - (commentSize + 22))
eocd = bytearray(f.read())
if eocd[0] != ord(b'\x50') or eocd[1] != ord(b'\x4b') or eocd[2] != ord(
b'\x05') or eocd[3] != ord(b'\x06'):
print("no signature in file (bad eocd)")
sys.exit(-1)
for i in range(5, len(eocd) - 4):
if eocd[i] == ord(b'\x50') and eocd[i + 1] == ord(b'\x4b') and eocd[
i + 2] == ord(b'\x05') and eocd[i + 3] == ord(b'\x06'):
print("EOCD marker found after start of EOCD")
sys.exit(-1)
block = eocd[commentSize + 22 - signatureStart:commentSize + 22]
decoded = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(block).decode(
'ascii') + "\n-----END CERTIFICATE-----"
PKCS7 = crypto.load_pkcs7_data(crypto.FILETYPE_PEM, decoded)
cert = PKCS7.get_certificates()[0]
print("Certificate Fingerprints:")
print("\tMD5: {}".format(cert.digest('md5').decode("utf-8")))
print("\tSHA1: {}".format(cert.digest("sha1").decode("utf-8")))
print("\tSHA256: {}".format(cert.digest("sha256").decode("utf-8")))
def download_certificates_and_create_PEM(cert_type, url):
"""
Download cert_type certificate bundle from url and extract the files from it and create PEM
"""
pem_file = "{}/{}_CABundle.pem".format(cache_dir, cert_type)
if os.path.exists(pem_file) is False:
filename = None
parts = url.split('.')
extension = parts[(len(parts) - 1)].lower()
zip_type = False
if (extension == "zip"):
zip_type = True
filename = "{}/{}.{}".format(cache_dir, cert_type, extension)
if os.path.exists(filename) is False:
if ("http://" in url or "https://" in url):
# Download CA certs
# todo: in the future could parse PKI-PKE page in IASE to get latest version, but for now just direct download
print("Downloading {} CA certs...".format(cert_type))
try:
r = requests.get(url, verify=False)
except Exception as err:
print("Error downloading {} CA certs: {}".format(
cert_type, err))
return None
with open(filename, 'wb') as dl_file:
dl_file.write(r.content)
print("Finished downloading {} CA certs.".format(cert_type))
elif (os.path.exists(url) is True):
with open(url, 'rb') as sourcefile:
with open(filename, 'wb') as destfile:
destfile.write(sourcefile.read())
print("Finished copying {} CA certs.".format(cert_type))
else:
print("Error: Unable to get {} CA certs.".format(cert_type))
return
else:
print("Already downloaded {} CA certs.".format(cert_type))
if (zip_type is True):
print("Unzipping {} CA certs...".format(cert_type))
zip_file = zipfile.ZipFile(filename, 'r')
cert_directory = "./{}/{}_Certs/".format(cache_dir, cert_type)
zip_file.extractall(cert_directory)
zip_file.close()
print("Finished unzipping {} CA certs.".format(cert_type))
# find P7B
p7b_file = None
for (dirpath, dirnames, filenames) in os.walk(cert_directory):
for filename in filenames:
if filename.lower().endswith(".pem.p7b"):
p7b_file = os.path.join(dirpath, filename)
if p7b_file is None:
print("Unable to find {} p7b file.".format(cert_type))
return None
filename = p7b_file
extension = "p7b"
print("Loading {} cert data...".format(cert_type))
with open(filename, 'rb') as cert_file:
if (extension == "p7b"):
cert_data = crypto.load_pkcs7_data(crypto.FILETYPE_PEM,
cert_file.read())
certs = get_certificates(cert_data)
print("Found {} certs.".format(len(certs)))
elif (extension == "p7c"):
cert_data = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1,
cert_file.read())
certs = get_certificates(cert_data)
print("Found {} certs.".format(len(certs)))
else:
cert_data = crypto.load_certificate(crypto.FILETYPE_ASN1,
cert_file.read())
certs = [cert_data]
print("Writing {} Certs to PEM file...".format(cert_type))
with open(pem_file, 'ab') as pem:
for cert in certs:
certPEM = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
pem.write(certPEM)
print("Finished writing {} Certs to PEM file.".format(cert_type))
return pem_file
else:
print("Already created {} CA PEM file.".format(cert_type))
return pem_file
print hex(IMAGE_DIRECTORY_ENTRY_SECURITY.VirtualAddress)
print hex(IMAGE_DIRECTORY_ENTRY_SECURITY.Size)
signature_address = pe.OPTIONAL_HEADER.DATA_DIRECTORY[
pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].VirtualAddress
signature_size = pe.OPTIONAL_HEADER.DATA_DIRECTORY[
pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].Size
print signature_size
print hex(signature_size)
signature = pe.write()[signature_address + 8:signature_address + 8 +
signature_size]
key = crypto.PKey()
cert = DerSequence()
pkcs7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, signature)
print pkcs7.get_type_name()
print pkcs7.type_is_signed()
print pkcs7.type_is_data()
print pkcs7.type_is_enveloped()
der = ssl.DER_cert_to_PEM_cert(signature)
# be = X509Backend()
# c = be.load_der_x509_certificate(signature)
#
# cert = x509.load_der_x509_certificate(signature, default_backend())
with open('sig.p7', 'wb') as f:
f.write(signature)
import sys from OpenSSL import crypto from OpenSSL._util import ( ffi as _ffi, lib as _lib, ) with open(sys.argv[1], 'rb') as f: p7data = f.read() p7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, p7data) bio_out =crypto._new_mem_buf() res = _lib.PKCS7_verify(p7._pkcs7, _ffi.NULL, _ffi.NULL, _ffi.NULL, bio_out, _lib.PKCS7_NOVERIFY|_lib.PKCS7_NOSIGS) if res == 1: databytes = crypto._bio_to_string(bio_out) print(databytes) else: errno = _lib.ERR_get_error() errstrlib = _ffi.string(_lib.ERR_lib_error_string(errno)) errstrfunc = _ffi.string(_lib.ERR_func_error_string(errno)) errstrreason = _ffi.string(_lib.ERR_reason_error_string(errno)) print(errstrreason)
# pycert._x509 = _lib.sk_X509_value(certs, i)
# According to comment from @ Jari Turkia
# to prevent segfaults use '_lib.X509_dup('
pycert._x509 = _lib.X509_dup(_lib.sk_X509_value(certs, i))
pycerts.append(pycert)
if not pycerts:
return None
return tuple(pycerts)
app = Flask(__name__)
app.app_context().push()
with open("/var/run/secrets/tls/0", "rb") as file:
p7 = crypto.load_pkcs7_data(crypto.FILETYPE_PEM, file.read())
certs = get_certificates(p7)
cafile = open("/app/cacerts/cafile", "wb")
for cert in certs:
print('digest:{}'.format(cert.digest('sha256')))
cafile.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
cafile.close()
app.config['LDAP_BASE_DN'] = os.environ["LDAP_BASE_DN"]
app.config['LDAP_USERNAME'] = ldap_username
app.config['LDAP_PASSWORD'] = ldap_password
app.config['LDAP_HOST'] = ldap_host
app.config['LDAP_SCHEMA'] = "ldaps"
app.config['LDAP_PORT'] = 636
app.config['LDAP_USE_SSL'] = True
app.config['LDAP_USE_TLS'] = True
sys.exit(-1)
commentSize = (footer[4] & 255) | ((footer[5] & 255) <<8)
signatureStart = (footer[0] & 255) | ((footer[1] & 255) << 8)
f.seek(file_size - (commentSize + 22));
eocd = bytearray(f.read())
if eocd[0] != ord(b'\x50') or eocd[1] != ord(b'\x4b') or eocd[2] != ord(b'\x05') or eocd[3] != ord(b'\x06'):
print("no signature in file (bad eocd)")
sys.exit(-1)
for i in range(5, len(eocd)-4):
if eocd[i] == ord(b'\x50') and eocd[i+1] == ord(b'\x4b') and eocd[i+2] == ord(b'\x05') and eocd[i+3] == ord(b'\x06'):
print("EOCD marker found after start of EOCD")
sys.exit(-1)
block = eocd[commentSize+22-signatureStart:commentSize+22]
decoded = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(block).decode('ascii') + "\n-----END CERTIFICATE-----"
PKCS7 = crypto.load_pkcs7_data(crypto.FILETYPE_PEM, decoded)
cert = PKCS7.get_certificates()[0]
print("Certificate Fingerprints:")
print("\tMD5: {}".format(cert.digest('md5').decode("utf-8")))
print("\tSHA1: {}".format(cert.digest("sha1").decode("utf-8")))
print("\tSHA256: {}".format(cert.digest("sha256").decode("utf-8")))
def pe_get_certificates(self):
"""Get certificates used to sign pe file
Returns:
Chepy: The Chepy object.
Examples:
>>> Chepy("tests/files/ff.exe).read_file().pe_get_certificates().o
[
{
'version': 2,
'serial': 17154717934120587862167794914071425081,
'algo': b'sha1WithRSAEncryption',
'before': b'20061110000000Z',
'after': b'20311110000000Z',
'issuer': {
'C': 'US',
'ST': None,
'L': None,
'O': 'DigiCert Inc',
'OU': 'www.digicert.com',
'CN': 'DigiCert Assured ID Root CA',
'email': None
},
...
...
}
"""
def get_certificates(self): # pragma: no cover
certs = _ffi.NULL
if self.type_is_signed():
certs = self._pkcs7.d.sign.cert
elif self.type_is_signedAndEnveloped():
certs = self._pkcs7.d.signed_and_enveloped.cert
pycerts = []
for i in range(_lib.sk_X509_num(certs)):
pycert = X509.__new__(X509)
pycert._x509 = _lib.sk_X509_value(certs, i)
pycerts.append(pycert)
if not pycerts:
return None
return tuple(pycerts)
pe = self._pe_object()
address = pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY[
"IMAGE_DIRECTORY_ENTRY_SECURITY"]].VirtualAddress
hold = []
if address == 0: # pragma: no cover
self._warning_logger("PE file is not signed")
self.state = None
else:
signature = pe.write()[address + 8:]
pkcs = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1,
bytes(signature))
certs = get_certificates(pkcs)
for c in certs:
dump_c = crypto.dump_certificate(crypto.FILETYPE_PEM, c)
cert = crypto.load_certificate(crypto.FILETYPE_PEM, dump_c)
issuer = cert.get_issuer()
subject = cert.get_subject()
pubkey = cert.get_pubkey()
info = {
"version": cert.get_version(),
"serial": cert.get_serial_number(),
"algo": cert.get_signature_algorithm(),
"before": cert.get_notBefore(),
"after": cert.get_notAfter(),
"issuer": {
"C": issuer.C,
"ST": issuer.ST,
"L": issuer.L,
"O": issuer.O,
"OU": issuer.OU,
"CN": issuer.CN,
"email": issuer.emailAddress,
},
"subject": {
"C": subject.C,
"ST": subject.ST,
"L": subject.L,
"O": subject.O,
"OU": subject.OU,
"CN": subject.CN,
"email": subject.emailAddress,
},
"pubkey": {
"bits": pubkey.bits()
},
}
hold.append(info)
self.state = hold
return self
