def verify_cert(self, domain: str, cert: crypto.X509) -> bool: """Verify tls-alpn-01 challenge certificate. :param str domain: Domain name being validated. :param OpensSSL.crypto.X509 cert: Challenge certificate. :returns: Whether the certificate was successfully verified. :rtype: bool """ # pylint: disable=protected-access names = crypto_util._pyopenssl_cert_or_req_all_names(cert) # Type ignore needed due to # https://github.com/pyca/pyopenssl/issues/730. logger.debug('Certificate %s. SANs: %s', cert.digest('sha256'), names) if len(names) != 1 or names[0].lower() != domain.lower(): return False for i in range(cert.get_extension_count()): ext = cert.get_extension(i) # FIXME: assume this is the ACME extension. Currently there is no # way to get full OID of an unknown extension from pyopenssl. if ext.get_short_name() == b'UNDEF': data = ext.get_data() return data == self.h return False
def unique_hash(cert: X509) -> bool: """ Save unique fingerprints of the CSCA certificates seen. """ if "fingerprints" not in unique_hash.__dict__: unique_hash.fingerprints = [] fingerprint = cert.digest("sha256") if fingerprint not in unique_hash.fingerprints: unique_hash.fingerprints.append(fingerprint) return True return False
def get_username_from_certificate(cert: X509) -> str: md5 = cert.digest('md5').decode('utf8') md5_arr = md5.split(':') ret_str_arr = [] new_octet_size = 4 idx = 0 new_end = 0 while new_end < len(md5_arr): new_start = idx * new_octet_size new_end = new_start + new_octet_size ret_str_arr.append(''.join(md5_arr[new_start:new_end])) idx += 1 return ':'.join(ret_str_arr)
def certificate(self, cert: crypto.X509, name: Union[str, bytes], alt_host: Optional[str] = None, port: int = 443) -> bool: """Verifies the certificate presented at name is cert""" if alt_host is None: # In fact, socket.gethostbyname accepts both bytes and str, but types do not know that. host = socket.gethostbyname(cast(str, name)).encode() elif isinstance(alt_host, bytes): host = alt_host else: host = alt_host.encode() name = name if isinstance(name, bytes) else name.encode() try: presented_cert = crypto_util.probe_sni(name, host, port) except acme_errors.Error as error: logger.exception(str(error)) return False return presented_cert.digest("sha256") == cert.digest("sha256")