Esempio n. 1
    def verify_cert(self, domain: str, cert: crypto.X509) -> bool:
        """Verify tls-alpn-01 challenge certificate.

        The certificate passes when it carries exactly one SAN that equals
        ``domain`` (case-insensitive) and its first extension whose short
        name is ``UNDEF`` has raw data equal to ``self.h``.

        :param str domain: Domain name being validated.
        :param OpenSSL.crypto.X509 cert: Challenge certificate.

        :returns: Whether the certificate was successfully verified.
        :rtype: bool

        """
        # pylint: disable=protected-access
        san_names = crypto_util._pyopenssl_cert_or_req_all_names(cert)
        # Type ignore needed due to
        # https://github.com/pyca/pyopenssl/issues/730.
        logger.debug('Certificate %s. SANs: %s', cert.digest('sha256'), san_names)

        single_matching_san = (
            len(san_names) == 1 and san_names[0].lower() == domain.lower()
        )
        if not single_matching_san:
            return False

        # NOTE(review): the extension's critical flag is not inspected here;
        # RFC 8737 requires the acmeIdentifier extension to be critical, so
        # confirm whether callers rely on that being enforced elsewhere.
        extensions = (
            cert.get_extension(idx) for idx in range(cert.get_extension_count())
        )
        for ext in extensions:
            # FIXME: assume this is the ACME extension. Currently there is no
            # way to get full OID of an unknown extension from pyopenssl.
            if ext.get_short_name() != b'UNDEF':
                continue
            # self.h is presumably the expected key-authorization digest,
            # set elsewhere on the instance; only the first UNDEF extension
            # is ever compared.
            return ext.get_data() == self.h

        return False
Esempio n. 2
def unique_hash(cert: X509) -> bool:
    """
    Save unique fingerprints of the CSCA certificates seen.

    The seen fingerprints live on the function object itself as
    ``unique_hash.fingerprints`` (a list, created lazily on first call),
    so state persists across calls for the life of the process.

    :param cert: Certificate whose SHA-256 fingerprint is recorded.
    :returns: ``True`` if the fingerprint had not been seen before (and was
        recorded now), ``False`` if it was already present.
    """
    # setdefault on the function's __dict__ both creates the attribute on
    # first use and returns the shared list afterwards.
    seen = unique_hash.__dict__.setdefault("fingerprints", [])

    fingerprint = cert.digest("sha256")
    # NOTE(review): membership on a list is O(n) per call; fine for a
    # handful of CSCA certificates, worth a set if the population grows.
    is_new = fingerprint not in seen
    if is_new:
        seen.append(fingerprint)

    return is_new
Esempio n. 3
def get_username_from_certificate(cert: X509) -> str:
    """Derive a username from the certificate's MD5 fingerprint.

    The colon-separated hex octets of ``cert.digest('md5')`` are regrouped
    into chunks of four octets; each chunk is joined without separators and
    the chunks are re-joined with ``:`` (constructed example:
    ``AABBCCDD:EEFF0011:22334455:66778899``). A trailing partial chunk, if
    the digest length is not a multiple of four, is kept as-is.

    :param cert: Certificate to derive the username from.
    :returns: The regrouped fingerprint string.
    """
    # NOTE(review): the identity is derived from an MD5 fingerprint; MD5 is
    # collision-prone, so two distinct certificates could map to the same
    # username — confirm this is acceptable for whatever consumes it.
    octets = cert.digest('md5').decode('utf8').split(':')
    group_size = 4
    groups = (
        ''.join(octets[start:start + group_size])
        for start in range(0, len(octets), group_size)
    )
    return ':'.join(groups)
Esempio n. 4
    def certificate(self, cert: crypto.X509, name: Union[str, bytes],
                    alt_host: Optional[str] = None, port: int = 443) -> bool:
        """Verifies the certificate presented at name is cert

        :param cert: The certificate expected to be served.
        :param name: Server name to send in the TLS SNI extension (str or
            bytes; str is encoded before use).
        :param alt_host: Host to connect to instead of resolving ``name``;
            bytes are used verbatim, str is encoded (the annotation says
            str only, but bytes are handled too).
        :param port: TCP port to probe; defaults to 443.
        :returns: ``True`` when the SHA-256 fingerprint of the presented
            certificate equals that of ``cert``; ``False`` on a probe error
            (which is logged with its traceback) or on a fingerprint mismatch.
        """
        if alt_host is None:
            # socket.gethostbyname accepts both bytes and str, but the type
            # stubs do not know that, hence the cast. Note it resolves to an
            # IPv4 address only.
            host = socket.gethostbyname(cast(str, name)).encode()
        else:
            host = alt_host if isinstance(alt_host, bytes) else alt_host.encode()
        sni_name = name if isinstance(name, bytes) else name.encode()

        try:
            presented_cert = crypto_util.probe_sni(sni_name, host, port)
        except acme_errors.Error as error:
            logger.exception(str(error))
            return False

        # Compare by SHA-256 fingerprint rather than object identity so an
        # independently parsed copy of the same certificate still matches.
        expected_fingerprint = cert.digest("sha256")
        return presented_cert.digest("sha256") == expected_fingerprint