class X509_Validity(ASN1_Packet):
    """X.509 validity period: a SEQUENCE of ``not_before`` and ``not_after``.

    Each bound is a CHOICE between UTCTime and GeneralizedTime; both
    defaults are UTCTime values.
    """
    ASN1_codec = ASN1_Codecs.BER
    # NOTE(review): str(ZuluTime(...)) is applied while this class body
    # executes, so each default is a plain string fixed at that moment, not
    # recomputed per packet. The arguments look like second offsets from
    # "now" (-600 / +86400) -- confirm against ZuluTime before relying on
    # the default window in a long-running process.
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_CHOICE(
            "not_before",
            ASN1_UTC_TIME(str(ZuluTime(-600))),
            ASN1F_UTC_TIME,
            ASN1F_GENERALIZED_TIME,
        ),
        ASN1F_CHOICE(
            "not_after",
            ASN1_UTC_TIME(str(ZuluTime(+86400))),
            ASN1F_UTC_TIME,
            ASN1F_GENERALIZED_TIME,
        ),
    )
class LDAP_Filter(ASN1_Packet):
    """LDAP search filter: a CHOICE over the filter alternatives.

    The default is a "present" filter. ``not`` refers to ``_LDAP_Filter``,
    which is defined outside this block.
    """
    ASN1_codec = ASN1_Codecs.BER
    # NOTE(review): every alternative is tagged 0x80-0x88, i.e. without the
    # BER "constructed" bit (0x20), including the packet-valued ones --
    # confirm how this version of ASN1F_PACKET applies implicit_tag before
    # trusting the encoding against a strict peer.
    ASN1_root = ASN1F_CHOICE(
        "filter",
        LDAP_FilterPresent(),
        ASN1F_PACKET("and", None, LDAP_FilterAnd, implicit_tag=0x80),
        ASN1F_PACKET("or", None, LDAP_FilterOr, implicit_tag=0x81),
        ASN1F_PACKET("not", None, _LDAP_Filter, implicit_tag=0x82),
        ASN1F_PACKET(
            "equalityMatch",
            AttributeValueAssertion(),
            AttributeValueAssertion,
            implicit_tag=0x83,
        ),
        ASN1F_PACKET(
            "substrings",
            LDAP_SubstringFilter(),
            LDAP_SubstringFilter,
            implicit_tag=0x84,
        ),
        ASN1F_PACKET(
            "greaterOrEqual",
            AttributeValueAssertion(),
            AttributeValueAssertion,
            implicit_tag=0x85,
        ),
        ASN1F_PACKET(
            "lessOrEqual",
            AttributeValueAssertion(),
            AttributeValueAssertion,
            implicit_tag=0x86,
        ),
        ASN1F_PACKET(
            "present",
            LDAP_FilterPresent(),
            LDAP_FilterPresent,
            implicit_tag=0x87,
        ),
        ASN1F_PACKET(
            "approxMatch",
            None,
            AttributeValueAssertion,
            implicit_tag=0x88,
        ),
    )
class X509_GeneralName(ASN1_Packet):
    """X.509 GeneralName: a CHOICE over the nine name forms.

    The default value is an ``X509_DirectoryName``. Name forms are told
    apart purely by their context tag, so consumers that make trust
    decisions on a name (e.g. dNSName vs. directoryName) should check which
    alternative was actually decoded.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_CHOICE(
        "generalName",
        X509_DirectoryName(),
        ASN1F_PACKET("otherName", None, X509_OtherName, implicit_tag=0xa0),
        ASN1F_PACKET("rfc822Name", None, X509_RFC822Name, implicit_tag=0x81),
        ASN1F_PACKET("dNSName", None, X509_DNSName, implicit_tag=0x82),
        # The next three alternatives use explicit rather than implicit tags.
        ASN1F_PACKET(
            "x400Address", None, X509_X400Address, explicit_tag=0xa3,
        ),
        ASN1F_PACKET(
            "directoryName", None, X509_DirectoryName, explicit_tag=0xa4,
        ),
        ASN1F_PACKET(
            "ediPartyName", None, X509_EDIPartyName, explicit_tag=0xa5,
        ),
        ASN1F_PACKET(
            "uniformResourceIdentifier", None, X509_URI, implicit_tag=0x86,
        ),
        ASN1F_PACKET("ipAddress", None, X509_IPAddress, implicit_tag=0x87),
        ASN1F_PACKET(
            "registeredID", None, X509_RegisteredID, implicit_tag=0x88,
        ),
    )
class X509_ExtNoticeReference(ASN1_Packet):
    """NoticeReference: an organization string plus a list of notice numbers.

    ``organization`` may be encoded as IA5, ISO646, BMP or UTF8 string; the
    default is a placeholder UTF8 value. ``noticeNumbers`` defaults to an
    empty list of integers.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_CHOICE(
            "organization",
            ASN1_UTF8_STRING("Dummy Organization"),
            ASN1F_IA5_STRING,
            ASN1F_ISO646_STRING,
            ASN1F_BMP_STRING,
            ASN1F_UTF8_STRING,
        ),
        ASN1F_SEQUENCE_OF("noticeNumbers", [], ASN1P_INTEGER),
    )
class X509_AlgorithmIdentifier(ASN1_Packet):
    """AlgorithmIdentifier: an algorithm OID with optional parameters.

    The default OID, 1.2.840.113549.1.1.11, is sha256WithRSAEncryption.
    ``parameters`` is optional and is either NULL (the default) or an
    ``ECParameters`` structure.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_OID("algorithm", "1.2.840.113549.1.1.11"),
        ASN1F_optional(
            ASN1F_CHOICE(
                "parameters",
                ASN1_NULL(0),
                ASN1F_NULL,
                ECParameters,
            ),
        ),
    )
class OCSP_ResponderID(ASN1_Packet):
    """OCSP ResponderID: the responder identified by name or by key.

    There is no default alternative (``None``); ``byName`` carries explicit
    tag 0xa1 and ``byKey`` explicit tag 0xa2.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_CHOICE(
        "responderID",
        None,
        ASN1F_PACKET(
            "byName", OCSP_ByName(), OCSP_ByName, explicit_tag=0xa1,
        ),
        ASN1F_PACKET(
            "byKey", OCSP_ByKey(), OCSP_ByKey, explicit_tag=0xa2,
        ),
    )
class ECParameters(ASN1_Packet):
    """EC domain parameters: a CHOICE of how the curve is specified.

    The default is the named curve ``ansip384r1``. A decoder that accepts
    the ``ECSpecifiedDomain`` alternative is taking curve parameters from
    the encoded data itself; callers validating certificates may want to
    restrict themselves to the named-curve form.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_CHOICE(
        "curve",
        ASN1_OID("ansip384r1"),
        ASN1F_OID,           # named curve, identified by OID
        ASN1F_NULL,          # implicit curve
        ECSpecifiedDomain,   # explicitly specified domain parameters
    )
class X509_OtherName(ASN1_Packet):
    """OtherName: a type OID followed by an explicitly tagged string value.

    ``type_id`` defaults to the OID "0". ``value`` has no default and may be
    an IA5, ISO646, BMP or UTF8 string, wrapped in explicit tag 0xa0.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_OID("type_id", "0"),
        ASN1F_CHOICE(
            "value",
            None,
            ASN1F_IA5_STRING,
            ASN1F_ISO646_STRING,
            ASN1F_BMP_STRING,
            ASN1F_UTF8_STRING,
            explicit_tag=0xa0,
        ),
    )
class OCSP_CertStatus(ASN1_Packet):
    """OCSP CertStatus: one of ``good``, ``revoked`` or ``unknown``.

    The CHOICE has no default alternative (``None``). The status is decided
    by the tag alone (0x80 / 0xa1 / 0x82), so code acting on a decoded
    response should test which alternative is present and not treat a
    missing or unrecognised status as ``good``.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_CHOICE(
        "certStatus",
        None,
        ASN1F_PACKET(
            "good", OCSP_GoodInfo(), OCSP_GoodInfo, implicit_tag=0x80,
        ),
        ASN1F_PACKET(
            "revoked", OCSP_RevokedInfo(), OCSP_RevokedInfo,
            implicit_tag=0xa1,
        ),
        ASN1F_PACKET(
            "unknown", OCSP_UnknownInfo(), OCSP_UnknownInfo,
            implicit_tag=0x82,
        ),
    )
class X509_ExtUserNotice(ASN1_Packet):
    """UserNotice policy qualifier: optional reference and optional text.

    Both members are optional. ``explicitText`` may be an IA5, ISO646, BMP
    or UTF8 string and defaults to a placeholder UTF8 value.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_optional(
            ASN1F_PACKET("noticeRef", None, X509_ExtNoticeReference),
        ),
        ASN1F_optional(
            ASN1F_CHOICE(
                "explicitText",
                ASN1_UTF8_STRING("Dummy ExplicitText"),
                ASN1F_IA5_STRING,
                ASN1F_ISO646_STRING,
                ASN1F_BMP_STRING,
                ASN1F_UTF8_STRING,
            ),
        ),
    )
class PKCS5_Algorithm_Identifier(ASN1_Packet):
    """PKCS5 Algorithm Identifier.

    A SEQUENCE of an algorithm OID (default
    ``PKCS12_ALGORITHM_PBE1_SHA_3DES_CBC``) and optional parameters, which
    are either ``PKCS12_PBE1_Parameters`` (the default) or
    ``PKCS5_Salt_Parameter``.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_OID("alg_id", PKCS12_ALGORITHM_PBE1_SHA_3DES_CBC),
        ASN1F_optional(
            ASN1F_CHOICE(
                "parameters",
                PKCS12_PBE1_Parameters(),
                PKCS12_PBE1_Parameters,
                PKCS5_Salt_Parameter,
            ),
        ),
    )
class SPNEGO_negToken(ASN1_Packet):
    """SPNEGO NegotiationToken: either a negTokenInit or a negTokenResp.

    Defaults to an empty ``SPNEGO_negTokenInit``. The two alternatives are
    distinguished by implicit tags 0xa0 and 0xa1.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_CHOICE(
        "token",
        SPNEGO_negTokenInit(),
        ASN1F_PACKET(
            "negTokenInit",
            SPNEGO_negTokenInit(),
            SPNEGO_negTokenInit,
            implicit_tag=0xa0,
        ),
        ASN1F_PACKET(
            "negTokenResp",
            SPNEGO_negTokenResp(),
            SPNEGO_negTokenResp,
            implicit_tag=0xa1,
        ),
    )
class SNMP(ASN1_Packet):
    """SNMP message: version, community string and one PDU.

    Defaults describe a v2c message (``version`` 1) with community
    "public" carrying an ``SNMPget`` PDU. The community is an ordinary
    string field in the encoded message, so whatever is placed here is
    readable by anyone who can observe the packet.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_enum_INTEGER(
            "version",
            1,
            {0: "v1", 1: "v2c", 2: "v2", 3: "v3"},
        ),
        ASN1F_STRING("community", "public"),
        ASN1F_CHOICE(
            "PDU",
            SNMPget(),
            SNMPget,
            SNMPnext,
            SNMPresponse,
            SNMPset,
            SNMPtrapv1,
            SNMPbulk,
            SNMPinform,
            SNMPtrapv2,
        ),
    )

    def answers(self, other):
        """Tell whether this message is the response to ``other``.

        True only when this PDU is an ``SNMPresponse``, ``other`` carries a
        get/next/set PDU, and both PDUs have the same ``id``. Community and
        version are not compared.
        """
        if not isinstance(self.PDU, SNMPresponse):
            return False
        if not isinstance(other.PDU, (SNMPget, SNMPnext, SNMPset)):
            return False
        return self.PDU.id == other.PDU.id
class LDAP_BindRequest(ASN1_Packet):
    """LDAP BindRequest: protocol version, bind DN and authentication choice.

    ``version`` defaults to 2 and ``bind_name`` to the empty string. The
    ``authentication`` CHOICE has no default and accepts the simple,
    krbv42LDAP and krbv42DSA fields or a SASL credentials packet (implicit
    tag 0xa3).
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_INTEGER("version", 2),
        LDAPDN("bind_name", ""),
        ASN1F_CHOICE(
            "authentication",
            None,
            ASN1F_LDAP_Authentication_simple,
            ASN1F_LDAP_Authentication_krbv42LDAP,
            ASN1F_LDAP_Authentication_krbv42DSA,
            ASN1F_PACKET(
                "sasl",
                LDAP_SaslCredentials(),
                LDAP_SaslCredentials,
                implicit_tag=0xa3,
            ),
        ),
    )
class LDAP_SubstringFilterStr(ASN1_Packet):
    """One component of an LDAP substring filter: initial, any or final.

    Defaults to an empty ``ASN1_STRING``.
    """
    ASN1_codec = ASN1_Codecs.BER
    # NOTE(review): the tags are written as 0x0/0x1/0x2, i.e. without the
    # context-specific class bits (0x80) -- confirm how this version of
    # ASN1F_PACKET maps implicit_tag onto the identifier octet.
    ASN1_root = ASN1F_CHOICE(
        "str",
        ASN1_STRING(""),
        ASN1F_PACKET(
            "initial",
            LDAP_SubstringFilterInitial(),
            LDAP_SubstringFilterInitial,
            implicit_tag=0x0,
        ),
        ASN1F_PACKET(
            "any",
            LDAP_SubstringFilterAny(),
            LDAP_SubstringFilterAny,
            implicit_tag=0x1,
        ),
        ASN1F_PACKET(
            "final",
            LDAP_SubstringFilterFinal(),
            LDAP_SubstringFilterFinal,
            implicit_tag=0x2,
        ),
    )
class LDAP(ASN1_Packet):
    """LDAP message: message ID, one protocol operation, optional controls.

    ``protocolOp`` defaults to an ``LDAP_SearchRequest``. Operations are
    selected by their implicit tag.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_INTEGER("messageID", 0),
        ASN1F_CHOICE(
            "protocolOp",
            LDAP_SearchRequest(),
            ASN1F_PACKET(
                "bindRequest",
                LDAP_BindRequest(),
                LDAP_BindRequest,
                implicit_tag=0x60,
            ),
            ASN1F_PACKET(
                "bindResponse",
                LDAP_BindResponse(),
                LDAP_BindResponse,
                implicit_tag=0x61,
            ),
            ASN1F_PACKET(
                "unbindRequest",
                LDAP_UnbindRequest(),
                LDAP_UnbindRequest,
                implicit_tag=0x42,
            ),
            ASN1F_PACKET(
                "searchRequest",
                LDAP_SearchRequest(),
                LDAP_SearchRequest,
                implicit_tag=0x63,
            ),
            # The two alternatives below share the field name
            # "searchResponse"; only the tag (0x64 entry / 0x65 result code)
            # tells them apart.
            ASN1F_PACKET(
                "searchResponse",
                LDAP_SearchResponseEntry(),
                LDAP_SearchResponseEntry,
                implicit_tag=0x64,
            ),
            ASN1F_PACKET(
                "searchResponse",
                LDAP_SearchResponseResultCode(),
                LDAP_SearchResponseResultCode,
                implicit_tag=0x65,
            ),
            ASN1F_PACKET(
                "abandonRequest",
                LDAP_AbandonRequest(),
                LDAP_AbandonRequest,
                implicit_tag=0x70,
            ),
        ),
        # LDAP v3 only
        ASN1F_optional(
            ASN1F_SEQUENCE_OF(
                "Controls", [], LDAP_Control, implicit_tag=0x0,
            ),
        ),
    )

    def mysummary(self):
        """Return the summary pair: operation class name and ``[LDAP]``.

        Underscores in the class name of ``protocolOp`` are replaced by
        spaces.
        """
        op_class_name = self.protocolOp.__class__.__name__
        readable_name = op_class_name.replace("_", " ")
        return (readable_name, [LDAP])
def __init__(self, name, default, **kwargs):
    """Set up a CHOICE field restricted to a fixed list of string types.

    :param name: field name, passed through to ``ASN1F_CHOICE``
    :param default: default value, passed through to ``ASN1F_CHOICE``
    :param kwargs: extra keyword arguments, forwarded unchanged
    """
    # Alternatives offered to ASN1F_CHOICE, in the original order.
    accepted_string_fields = (
        ASN1F_PRINTABLE_STRING,
        ASN1F_UTF8_STRING,
        ASN1F_IA5_STRING,
        ASN1F_T61_STRING,
        ASN1F_UNIVERSAL_STRING,
        ASN1F_BIT_STRING,
    )
    ASN1F_CHOICE.__init__(
        self, name, default, *accepted_string_fields, **kwargs
    )
class X509_ExtComment(ASN1_Packet):
    """Comment extension value: a single string in one of four encodings.

    Accepts IA5, ISO646, BMP or UTF8 strings; the default is a placeholder
    UTF8 value.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_CHOICE(
        "comment",
        ASN1_UTF8_STRING("Dummy comment."),
        ASN1F_IA5_STRING,
        ASN1F_ISO646_STRING,
        ASN1F_BMP_STRING,
        ASN1F_UTF8_STRING,
    )
class X509_ExtPolicyQualifierInfo(ASN1_Packet):
    """PolicyQualifierInfo: a qualifier OID and its value.

    The default OID, 1.3.6.1.5.5.7.2.1, is id-qt-cps. ``qualifier`` is
    either an IA5 string (default "cps_str") or an ``X509_ExtUserNotice``.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_OID("policyQualifierId", "1.3.6.1.5.5.7.2.1"),
        ASN1F_CHOICE(
            "qualifier",
            ASN1_IA5_STRING("cps_str"),
            ASN1F_IA5_STRING,
            X509_ExtUserNotice,
        ),
    )
class X509_ExtDistributionPointName(ASN1_Packet):
    """DistributionPointName: a full name or a name relative to the CRL issuer.

    The CHOICE has no default alternative (``None``).
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_CHOICE(
        "distributionPointName",
        None,
        X509_ExtFullName,
        X509_ExtNameRelativeToCRLIssuer,
    )
class X509_AttributeValue(ASN1_Packet):
    """Attribute value: one string in any of five string encodings.

    Accepts PrintableString, UTF8, IA5, T61 or UniversalString; the default
    is the PrintableString "FR".
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_CHOICE(
        "value",
        ASN1_PRINTABLE_STRING("FR"),
        ASN1F_PRINTABLE_STRING,
        ASN1F_UTF8_STRING,
        ASN1F_IA5_STRING,
        ASN1F_T61_STRING,
        ASN1F_UNIVERSAL_STRING,
    )
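class SAPPSEFile(ASN1_Packet):
    """SAP PSE definition.

    A SEQUENCE of a ``version`` integer (default 2) and the encrypted
    content, which is either the v2 or the v4 layout.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_INTEGER("version", 2),
        ASN1F_CHOICE(
            "enc_cont",
            SAPPSEv2_Enc_Cont(),
            SAPPSEv2_Enc_Cont,
            SAPPSEv4_Enc_Cont,
        ))

    def decrypt(self, pin):
        """Decrypt the PSE content, dispatching on ``self.version``.

        Version 2 goes to :meth:`decrypt_non_lps`, version 256 to
        :meth:`decrypt_lps`.

        :param pin: PIN protecting the PSE; only the non-LPS path uses it
        :type pin: string

        :return: whatever the selected routine returns

        :raise ValueError: if the version is neither 2 nor 256
        """
        if self.version == 2:
            return self.decrypt_non_lps(pin)
        if self.version == 256:
            return self.decrypt_lps(pin)
        raise ValueError("Unsupported or invalid PSE version")

    def decrypt_lps(self, pin):
        """Decrypt an LPS encrypted PSE file.

        The content key is recovered by ``SAP_LPS_Cipher`` from the
        ``encrypted_pin`` field. ``pin`` is accepted for symmetry with
        :meth:`decrypt_non_lps` but is not used, so no PIN verification
        takes place on this path.

        :param pin: unused
        :type pin: string

        :return: the output of the CBC decryptor; no padding removal,
            integrity check or parsing is performed here
        :rtype: bytes

        :raise ValueError: if the recovered key material is not the 48 bytes
            needed for an AES-256 key plus a CBC IV
        :raise Exception: if the algorithm identifier is not AES-256-CBC
        """
        # Decrypt the encryption key using the LPS method
        cipher = SAP_LPS_Cipher(self.enc_cont.encrypted_pin.val)
        log_pse.debug("Obtained LPS cipher object (version={}, lps={})".format(
            cipher.version, cipher.lps_type))
        key_material = cipher.decrypt()

        # Choose the proper algorithms and values according to the algorithm ID
        if self.enc_cont.algorithm_identifier.alg_id == NIST_ALGORITHM_AES_256_CBC:
            algorithm = algorithms.AES
            mode = modes.CBC
            # The first 32 bytes are the AES-256 key, the remaining 16 the
            # IV. Check the total up front so that truncated or oversized
            # material fails with a clear message instead of being silently
            # split into a shorter key or an invalid IV.
            if len(key_material) != 48:
                raise ValueError("Unexpected LPS key material length")
            key, iv = key_material[:32], key_material[32:]
        else:
            raise Exception("Invalid PBE algorithm")

        # Decrypt the cipher text with the recovered key and IV. CBC gives
        # no integrity protection: a wrong key yields garbage, not an error.
        decryptor = Cipher(algorithm(key), mode(iv), backend=default_backend()).decryptor()
        plain = decryptor.update(
            self.enc_cont.cipher_text.val) + decryptor.finalize()
        return plain

    def decrypt_non_lps(self, pin):
        """Decrypt a non-LPS encrypted PSE file given a provided PIN.

        Implements PKCS12 PBE1 based encryption (SHA-1, 3DES-CBC) for v2
        PSE files.

        :param pin: PIN the PSE was encrypted with
        :type pin: string

        :return: the value returned by the PBES object's ``decrypt``; no
            parsing is done here
            (NOTE(review): earlier documentation named ``SAPPSE_Cont`` as
            the return type -- confirm what callers expect)

        :raise ValueError: if the provided PIN doesn't match with the one
            used for encryption (checked for version 2 only)
        :raise NotImplementedError: if the algorithm is PBES2
        :raise Exception: if the algorithm specified is not valid
        """
        cipher_text = self.enc_cont.cipher_text.val
        alg_id = self.enc_cont.algorithm_identifier.alg_id

        # Choose the proper algorithms and values according to the algorithm ID
        if alg_id == PKCS12_ALGORITHM_PBE1_SHA_3DES_CBC:
            # NOTE(review): salt and iteration count come straight from the
            # parsed file and are used unchecked; an untrusted PSE can pick
            # an arbitrarily large iteration count -- consider a sanity
            # bound at the call site.
            params = self.enc_cont.algorithm_identifier.parameters
            salt = params.salt.val
            iterations = params.iterations.val
            hash_algorithm = SHA1
            enc_algorithm = algorithms.TripleDES
            enc_mode = modes.CBC
            iv = None
            pbes_cls = PKCS12_PBES1
        elif alg_id == PKCS5_ALGORITHM_PBES2:
            raise NotImplementedError("PBE algorithm not implemented")
        else:
            raise Exception("Invalid PBE algorithm")

        # Build the PBE class
        pbes = pbes_cls(salt, iterations, iv, pin, hash_algorithm,
                        enc_algorithm, enc_mode, default_backend())

        # On version 2, we can check that the PIN was valid before
        # decrypting the whole cipher text: the file stores the PIN
        # encrypted under itself, so re-encrypting the candidate must
        # reproduce that value.
        if self.version == 2:
            encrypted_pin = pbes.encrypt(pin)
            if encrypted_pin != self.enc_cont.encrypted_pin.val:
                raise ValueError("Invalid PIN supplied")

        # Decrypt the cipher text
        plain_text = pbes.decrypt(cipher_text)
        return plain_text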