    def verify_cert(self, domain: str, cert: crypto.X509) -> bool:
        """Verify a tls-alpn-01 challenge certificate.

        The certificate passes when it carries exactly one subject name,
        equal (case-insensitively) to ``domain``, and its first unrecognised
        extension holds the expected value ``self.h``.

        :param str domain: Domain name being validated.
        :param OpenSSL.crypto.X509 cert: Challenge certificate.

        :returns: Whether the certificate was successfully verified.
        :rtype: bool

        """
        # pylint: disable=protected-access
        sans = crypto_util._pyopenssl_cert_or_req_all_names(cert)
        # Type ignore needed due to
        # https://github.com/pyca/pyopenssl/issues/730.
        logger.debug('Certificate %s. SANs: %s', cert.digest('sha256'), sans)
        single_matching_san = len(sans) == 1 and sans[0].lower() == domain.lower()
        if not single_matching_san:
            return False

        extensions = (cert.get_extension(idx)
                      for idx in range(cert.get_extension_count()))
        for ext in extensions:
            # FIXME: assume this is the ACME extension. Currently there is no
            # way to get full OID of an unknown extension from pyopenssl.
            # NOTE(review): the first unrecognised (UNDEF) extension is taken to
            # be acmeIdentifier, so any other unknown extension listed before it
            # makes this return False; the extension's criticality (RFC 8737
            # requires it to be critical) is not checked here either.
            if ext.get_short_name() != b'UNDEF':
                continue
            return ext.get_data() == self.h

        return False
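def get_extension_data(cert: X509) -> Dict[bytes, Union[str, bytes]]:
    """Return the extension data of an X509 certificate, keyed by short name.

    authorityKeyIdentifier is returned as text with a leading ``keyid:``
    removed; subjectKeyIdentifier, extendedKeyUsage, basicConstraints and
    crlDistributionPoints as OpenSSL's textual rendering; every other
    extension as its raw DER value from ``get_data()``.  When the textual
    rendering raises ``Error``, the raw DER value is stored instead.

    Keys can collide: two extensions sharing a short name (every
    unrecognised extension reports ``b"UNDEF"``) leave only the last one
    in the result.

    :param cert: pyOpenSSL certificate to inspect.
    :returns: Mapping from extension short name to its decoded value.
    """
    text_rendered = (
        b"subjectKeyIdentifier",
        b"extendedKeyUsage",
        b"basicConstraints",
        b"crlDistributionPoints",
    )
    keyid_prefix = "keyid:"
    extension_data: Dict[bytes, Union[str, bytes]] = {}
    for index in range(cert.get_extension_count()):
        ext = cert.get_extension(index)
        short_name = ext.get_short_name()
        try:
            if short_name == b"authorityKeyIdentifier":
                # Render once; drop the "keyid:" prefix only when it is present.
                text = str(ext)
                if text.startswith(keyid_prefix):
                    text = text[len(keyid_prefix):]
                extension_data[short_name] = text.strip()
            elif short_name in text_rendered:
                extension_data[short_name] = str(ext)
            else:
                extension_data[short_name] = ext.get_data()
        except Error:  # presumably OpenSSL.crypto.Error raised by str(ext) — confirm
            # Textual rendering failed; fall back to the raw DER bytes.
            extension_data[short_name] = ext.get_data()

    return extension_data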
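 def get_subject_alternative_names(self, cert_obj: X509) -> List[str]:
     """Return the value of every subjectAltName entry in ``cert_obj``.

     OpenSSL renders the extension as ``"DNS:a, DNS:b, IP Address:1.2.3.4"``;
     each comma-separated entry is reduced to the text after its ``type:``
     prefix.  Blindly dropping the first four characters, as before, was only
     correct for ``DNS:`` entries and mangled ``IP Address:`` or ``email:``
     ones.  Entries whose value itself contains a comma (e.g. ``DirName``)
     are still split apart.

     :param cert_obj: pyOpenSSL certificate to inspect.
     :returns: SAN values in certificate order; empty when the certificate
         has no subjectAltName extension.
     """
     domains_list: List[str] = []
     for index in range(cert_obj.get_extension_count()):
         ext = cert_obj.get_extension(index)
         if ext.get_short_name() != b"subjectAltName":
             continue
         for entry in str(ext).split(","):
             kind, separator, value = entry.strip().partition(":")
             # Keep the text after "type:"; an entry without a colon is kept whole.
             domains_list.append(value.strip() if separator else kind)
     return domains_list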
    def _extract_certificate_san(cls, x509cert: X509) -> Optional[List[str]]:
        """Collect the DNS names listed in the certificate's subjectAltName.

        Every subjectAltName extension is rendered to text, lower-cased and
        split on ``', '``; only ``dns:`` entries are kept, without the prefix.

        :param x509cert: pyOpenSSL certificate to inspect.
        :returns: The lower-cased DNS names found, or ``None`` when there
            are none.
        """
        dns_names: List[str] = []
        extensions = (x509cert.get_extension(idx)
                      for idx in range(x509cert.get_extension_count()))
        for ext in extensions:
            if 'subjectAltName' not in ext.get_short_name().decode('utf-8'):
                continue
            entries = str(ext).lower().split(', ')
            dns_names.extend(item[4:].strip() for item in entries
                             if item.startswith('dns:'))

        return dns_names if dns_names else None
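def get_cert_info(cert: X509) -> CertInfo:
    """Summarise the names and extended key usages found in ``cert``.

    ``names`` holds the subject commonName (when the subject has one) plus
    every subjectAltName entry with a ``DNS:`` prefix removed; other SAN
    kinds (``IP Address:``, ``email:`` ...) are kept with their prefix.
    ``key_usage`` holds OpenSSL's textual rendering of each extendedKeyUsage
    extension as a single string, not split into individual usages.

    Callers matching hostnames should rely on the SAN-derived entries; the
    commonName is deprecated for that purpose (RFC 6125).

    :param cert: pyOpenSSL certificate to inspect.
    :returns: A ``CertInfo`` built from the collected ``names`` and
        ``key_usage`` sets.
    """
    names: Set[str] = set()
    key_usage: Set[str] = set()

    # NOTE(review): pyOpenSSL reports an absent subject attribute as None;
    # skip it rather than putting None into a set of str.
    common_name = cert.get_subject().commonName
    if common_name is not None:
        names.add(common_name)

    dns_prefix = 'DNS:'
    for index in range(cert.get_extension_count()):
        ext = cert.get_extension(index)
        short_name = ext.get_short_name()
        if short_name == b'subjectAltName':
            # OpenSSL renders the extension as "DNS:a, DNS:b, IP Address:...".
            for san in str(ext).split(','):
                san = san.strip()
                if san.startswith(dns_prefix):
                    san = san[len(dns_prefix):]
                names.add(san)
        elif short_name == b'extendedKeyUsage':
            key_usage.add(str(ext))

    return CertInfo(names=names, key_usage=key_usage)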
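def verify_sans(amazon_cert: crypto.X509) -> bool:
    """Verify the Subject Alternative Names (SANs) of an Amazon certificate.

    The certificate passes only if its first subjectAltName extension
    contains an entry that is exactly ``DNS:echo-api.amazon.com``
    (compared case-insensitively).  The earlier substring test on the whole
    SAN text would also have accepted any name that merely contained that
    host as a fragment.

    Args:
        amazon_cert: pyOpenSSL X509 Amazon certificate.

    Returns:
        True if verification was successful, False if not.
    """
    expected_host = 'echo-api.amazon.com'
    for index in range(amazon_cert.get_extension_count()):
        extension = amazon_cert.get_extension(index)
        if extension.get_short_name() != b'subjectAltName':
            continue
        # OpenSSL renders the extension as "DNS:a, DNS:b, IP Address:...".
        for entry in str(extension).split(','):
            kind, _, value = entry.strip().partition(':')
            if kind.strip().lower() == 'dns' and value.strip().lower() == expected_host:
                return True
        # As before, only the first subjectAltName extension is considered.
        return False

    return False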
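def verify_sans(amazon_cert: crypto.X509) -> bool:
    """Verify the Subject Alternative Names (SANs) of an Amazon certificate.

    The certificate passes only if its first subjectAltName extension
    contains an entry that is exactly ``DNS:echo-api.amazon.com``
    (compared case-insensitively).  The earlier substring test on the whole
    SAN text would also have accepted any name that merely contained that
    host as a fragment.

    Args:
        amazon_cert: pyOpenSSL X509 Amazon certificate.

    Returns:
        True if verification was successful, False if not.
    """
    expected_host = 'echo-api.amazon.com'
    for index in range(amazon_cert.get_extension_count()):
        extension = amazon_cert.get_extension(index)
        if extension.get_short_name() != b'subjectAltName':
            continue
        # OpenSSL renders the extension as "DNS:a, DNS:b, IP Address:...".
        for entry in str(extension).split(','):
            kind, _, value = entry.strip().partition(':')
            if kind.strip().lower() == 'dns' and value.strip().lower() == expected_host:
                return True
        # As before, only the first subjectAltName extension is considered.
        return False

    return False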