def _get_sans_from_cert_or_req(
        cert_or_req_str: bytes,
        load_func: Callable[[int, bytes], Union[crypto.X509, crypto.X509Req]],
        typ: int = crypto.FILETYPE_PEM) -> List[str]:
    """Return the Subject Alternative Names of an encoded certificate or CSR.

    :param bytes cert_or_req_str: Encoded certificate or CSR.
    :param load_func: pyOpenSSL loader called as ``load_func(typ, data)``.
    :param int typ: ``crypto.FILETYPE_PEM`` or ``crypto.FILETYPE_ASN1``.
    :returns: Subject Alternative Names as reported by ``acme.crypto_util``.
    :rtype: list
    """
    loaded = _load_cert_or_req(cert_or_req_str, load_func, typ)
    # pylint: disable=protected-access
    return acme_crypto_util._pyopenssl_cert_or_req_san(loaded)
def _get_sans_from_cert_or_req(cert_or_req_str, load_func, typ=OpenSSL.crypto.FILETYPE_PEM):
    """Return the Subject Alternative Names of an encoded certificate or CSR.

    :param cert_or_req_str: Encoded certificate or CSR.
    :param load_func: pyOpenSSL loader called as ``load_func(typ, data)``.
    :param typ: ``OpenSSL.crypto.FILETYPE_PEM`` or ``FILETYPE_ASN1``.
    :returns: Subject Alternative Names as reported by ``acme.crypto_util``.
    :rtype: list
    :raises OpenSSL.crypto.Error: if the data cannot be parsed; the failure
        is logged with its traceback and then re-raised unchanged.
    """
    try:
        loaded = load_func(typ, cert_or_req_str)
    except OpenSSL.crypto.Error as error:
        # Record the parse failure (with traceback), but let the caller
        # decide how to handle it.
        logger.exception(error)
        raise
    # pylint: disable=protected-access
    return acme_crypto_util._pyopenssl_cert_or_req_san(loaded)
def _get_names_from_loaded_cert_or_req(loaded_cert_or_req):
    """Return the CN (when set) followed by the SANs, with the CN not repeated.

    :param loaded_cert_or_req: pyOpenSSL ``X509`` or ``X509Req`` object.
    :returns: ``[CN] + SANs`` with the CN filtered out of the SAN part, or the
        SAN list itself when no CN is set. SAN order is preserved and
        duplicates among the SANs themselves are left alone.
    :rtype: list
    """
    # pylint: disable=protected-access
    sans = acme_crypto_util._pyopenssl_cert_or_req_san(loaded_cert_or_req)
    cn = loaded_cert_or_req.get_subject().CN
    if cn is None:
        return sans
    names = [cn]
    names.extend(san for san in sans if san != cn)
    return names
def test_gen_cert_and_response(self):
    """The generated challenge certificate has the expected CN and SAN list."""
    cert_pem, _ = self.achall.gen_cert_and_response(s=self.response.s)
    loaded = OpenSSL.crypto.load_certificate(
        OpenSSL.crypto.FILETYPE_PEM, cert_pem)
    self.assertEqual(loaded.get_subject().CN, "example.com")
    expected_sans = [
        "example.com",
        self.chall.nonce_domain,
        self.response.z_domain(self.chall),
    ]
    # pylint: disable=protected-access
    actual_sans = acme_crypto_util._pyopenssl_cert_or_req_san(loaded)
    self.assertEqual(actual_sans, expected_sans)
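def verify_cert(self, cert):
    """Verify tls-sni-01 challenge certificate.

    The check is purely name-based: the certificate is accepted iff this
    response's ``z_domain`` appears among its Subject Alternative Names.
    No key, validity-period or self-signature check is made here.

    :param OpenSSL.crypto.X509 cert: Challenge certificate.
    :returns: Whether the certificate was successfully verified.
    :rtype: bool
    """
    # pylint: disable=protected-access
    sans = crypto_util._pyopenssl_cert_or_req_san(cert)
    # Log a SHA-256 fingerprint: SHA-1 is collision-prone, so it no longer
    # reliably identifies which certificate was actually presented.
    logging.debug('Certificate %s. SANs: %s', cert.digest('sha256'), sans)
    return self.z_domain.decode() in sans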
def verify_cert(self, cert):
    """Verify tls-sni-01 challenge certificate.

    Accepts the certificate iff ``self.z_domain`` is one of its Subject
    Alternative Names; nothing else about the certificate is checked here.

    :param OpenSSL.crypto.X509 cert: Challenge certificate.
    :returns: ``True`` iff the certificate carries the expected SAN.
    :rtype: bool
    """
    # pylint: disable=protected-access
    names = crypto_util._pyopenssl_cert_or_req_san(cert)
    logger.debug('Certificate %s. SANs: %s', cert.digest('sha256'), names)
    expected = self.z_domain.decode()
    return expected in names
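def get_names_from_csr(csr, typ=OpenSSL.crypto.FILETYPE_PEM):
    """Get a list of domains from a CSR, including the CN if it is set.

    The CN (when present) comes first, followed by the Subject Alternative
    Names in the order the CSR lists them; duplicates are dropped. The order
    is deterministic, unlike ``list(set(...))`` under hash randomization, so
    a caller that treats the first element as the primary name gets a stable
    answer across runs.

    :param str csr: CSR (encoded).
    :param typ: `OpenSSL.crypto.FILETYPE_PEM` or `OpenSSL.crypto.FILETYPE_ASN1`
    :returns: A list of domain names.
    :rtype: list
    """
    loaded_csr = _load_cert_or_req(
        csr, OpenSSL.crypto.load_certificate_request, typ)
    candidates = [loaded_csr.get_subject().CN]
    # pylint: disable=protected-access
    candidates.extend(acme_crypto_util._pyopenssl_cert_or_req_san(loaded_csr))
    # Order-preserving de-duplication; an unset CN shows up as None and is skipped.
    seen = set()
    domains = []
    for name in candidates:
        if name is None or name in seen:
            continue
        seen.add(name)
        domains.append(name)
    return domains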
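def _valid_existing_data(ioplugins, vhosts, valid_min):
    """Is the existing cert data valid for enough time?

    :param ioplugins: Plugins the existing data is loaded from.
    :param vhosts: Virtual hosts the certificate must cover (``vhost.name``).
    :param valid_min: Minimum remaining validity, passed to ``renewal_necessary``.
    :returns: ``True`` iff existing data was found and does not need renewal;
        ``False`` when there is no existing data.
    :rtype: bool
    :raises AssertionError: if the loaded data is only partially present, or
        its SANs do not exactly match the vhost names.
    """
    existing = _load_existing_data(ioplugins)
    if existing == IOPlugin.EMPTY_DATA:
        return False
    # All or nothing! These are explicit raises rather than ``assert``
    # statements: ``assert`` is stripped under ``python -O``, which would let
    # partial data, or a certificate that does not cover every vhost, be
    # reported as valid. AssertionError is kept so callers see the same type.
    # The data itself is deliberately not included in the message.
    if None in existing:
        raise AssertionError('Existing certificate data is only partially present')
    # pylint: disable=protected-access
    existing_sans = crypto_util._pyopenssl_cert_or_req_san(existing.cert)
    logger.debug('Existing SANs: %r', existing_sans)
    expected_names = set(vhost.name for vhost in vhosts)
    if set(existing_sans) != expected_names:
        raise AssertionError(
            'Existing SANs %r do not match vhosts %r'
            % (set(existing_sans), expected_names))
    # Renew?
    return not renewal_necessary(existing.cert, valid_min)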
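def verify_cert(self, chall, domain, public_key, cert):
    """Verify DVSNI certificate.

    Checks that the certificate's public key matches ``public_key``
    (skipped, with a warning, when ``public_key`` is ``None``) and that
    both ``domain`` and the challenge's ``z_domain`` appear among the
    certificate's Subject Alternative Names. Whether the certificate is a
    valid self-signed certificate is NOT checked yet (see TODO below).

    :param .challenges.DVSNI chall: Corresponding challenge.
    :param str domain: Domain name being validated.
    :param public_key: Public key for the key pair being authorized.
        If ``None`` key verification is not performed!
    :type public_key: `~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`
        or `~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`
        or `~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`
        wrapped in `.ComparableKey`
    :param OpenSSL.crypto.X509 cert: Certificate presented by the client.
    :returns: ``True`` iff client's control of the domain has been verified,
        ``False`` otherwise.
    :rtype: bool
    """
    # TODO: check "It is a valid self-signed certificate" and
    # return False if not
    # pylint: disable=protected-access
    sans = crypto_util._pyopenssl_cert_or_req_san(cert)
    # SHA-256 rather than SHA-1 so the logged fingerprint still uniquely
    # identifies the certificate that was presented.
    logging.debug('Certificate %s. SANs: %s', cert.digest('sha256'), sans)
    # Round-trip through DER into a ``cryptography`` object so the public
    # key can be compared as a ComparableKey.
    cert = x509.load_der_x509_certificate(
        OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_ASN1, cert),
        default_backend())
    if public_key is None:
        # ``logging.warn`` is a deprecated alias; use ``warning``.
        logging.warning('No key verification is performed')
    elif public_key != jose.ComparableKey(cert.public_key()):
        return False
    return domain in sans and self.z_domain(chall).decode() in sans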
def pyopenssl_cert_or_req_san(cert):
    """SANs from cert or csr.

    Thin public wrapper around ``crypto_util._pyopenssl_cert_or_req_san``.
    It is a separate function (not inlined at call sites) because pylint
    mishandles a locally scoped ``protected-access`` disable.

    :param cert: pyOpenSSL certificate or certificate request.
    :returns: Its Subject Alternative Names.
    """
    # pylint: disable=protected-access
    extract = crypto_util._pyopenssl_cert_or_req_san
    return extract(cert)
def get_san(cert_pem):
    """Return the SANs of a PEM certificate as one comma-separated string.

    :param cert_pem: PEM-encoded certificate.
    :rtype: str
    """
    loaded = OpenSSL.crypto.load_certificate(
        OpenSSL.crypto.FILETYPE_PEM, cert_pem)
    # pylint: disable=protected-access
    names = acme_crypto_util._pyopenssl_cert_or_req_san(loaded)
    return ', '.join(names)
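def verify_cert(self, cert):
    """Verify DVSNI challenge certificate.

    Name-based only: the certificate is accepted iff ``self.z_domain`` is
    among its Subject Alternative Names. No key, validity-period or
    self-signature check is performed here.

    :param OpenSSL.crypto.X509 cert: Challenge certificate.
    :returns: Whether the certificate was successfully verified.
    :rtype: bool
    """
    # pylint: disable=protected-access
    sans = crypto_util._pyopenssl_cert_or_req_san(cert)
    # Log a SHA-256 fingerprint: SHA-1 is collision-prone and no longer
    # reliably identifies which certificate was presented.
    logging.debug('Certificate %s. SANs: %s', cert.digest('sha256'), sans)
    return self.z_domain.decode() in sans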
def _call(cls, loader, name):
    """Load ``name`` with ``loader`` and return the loaded object's SANs.

    :param loader: Callable that turns ``name`` into a pyOpenSSL
        certificate or request object.
    :param name: Argument handed to ``loader``.
    :returns: Subject Alternative Names of the loaded object.
    """
    # The protected helper is imported locally, scoped to this method only.
    # pylint: disable=protected-access
    from acme.crypto_util import _pyopenssl_cert_or_req_san
    loaded = loader(name)
    return _pyopenssl_cert_or_req_san(loaded)
def _get_sans_from_cert_or_req(cert_or_req_str, load_func, typ=crypto.FILETYPE_PEM):
    """Return the Subject Alternative Names of an encoded certificate or CSR.

    :param cert_or_req_str: Encoded certificate or CSR.
    :param load_func: pyOpenSSL loader called as ``load_func(typ, data)``.
    :param typ: ``crypto.FILETYPE_PEM`` or ``crypto.FILETYPE_ASN1``.
    :returns: Subject Alternative Names as reported by ``acme.crypto_util``.
    :rtype: list
    """
    loaded = _load_cert_or_req(cert_or_req_str, load_func, typ)
    # pylint: disable=protected-access
    return acme_crypto_util._pyopenssl_cert_or_req_san(loaded)
def _get_sans_from_cert_or_req(cert_or_req_str, load_func, typ=OpenSSL.crypto.FILETYPE_PEM):
    """Return the Subject Alternative Names of an encoded certificate or CSR.

    :param cert_or_req_str: Encoded certificate or CSR.
    :param load_func: pyOpenSSL loader called as ``load_func(typ, data)``.
    :param typ: ``OpenSSL.crypto.FILETYPE_PEM`` or ``FILETYPE_ASN1``.
    :returns: Subject Alternative Names as reported by ``acme.crypto_util``.
    :rtype: list
    """
    loaded = _load_cert_or_req(cert_or_req_str, load_func, typ)
    # pylint: disable=protected-access
    return acme_crypto_util._pyopenssl_cert_or_req_san(loaded)
def get_san(self):
    """Get subject alternative name if available.

    :returns: The SANs of ``self._cert`` joined with ``", "`` (an empty
        string when the certificate has none).
    :rtype: str
    """
    # pylint: disable=protected-access
    names = acme_crypto_util._pyopenssl_cert_or_req_san(self._cert)
    return ", ".join(names)
def get_san(self):
    """Get subject alternative name if available.

    :returns: Comma-separated SANs of ``self._cert``; empty string if none.
    :rtype: str
    """
    # pylint: disable=protected-access
    extract = acme_crypto_util._pyopenssl_cert_or_req_san
    return ", ".join(extract(self._cert))