def test_ordering(self, backend): certs = load_vectors_from_file( os.path.join("pkcs7", "amazon-roots.der"), lambda derfile: pkcs7.load_der_pkcs7_certificates(derfile.read()), mode="rb", ) p7 = pkcs7.serialize_certificates(list(reversed(certs)), serialization.Encoding.DER) certs2 = pkcs7.load_der_pkcs7_certificates(p7) assert certs != certs2
def test_der_matches_vector(self, backend): p7_der = load_vectors_from_file( os.path.join("pkcs7", "amazon-roots.der"), lambda p: p.read(), mode="rb", ) certs = pkcs7.load_der_pkcs7_certificates(p7_der) p7 = pkcs7.serialize_certificates(certs, serialization.Encoding.DER) assert p7 == p7_der
def test_roundtrip(self, encoding, loader, backend): certs = load_vectors_from_file( os.path.join("pkcs7", "amazon-roots.der"), lambda derfile: pkcs7.load_der_pkcs7_certificates(derfile.read()), mode="rb", ) p7 = pkcs7.serialize_certificates(certs, encoding) certs2 = loader(p7) assert certs == certs2
def printData(data, showPub=True): try: xcert = x509.load_der_x509_certificate(data) except: try: xcert = x509.load_pem_x509_certificate(data) except: try: xcert = pkcs7.load_der_pkcs7_certificates(data) except: xcert = pkcs7.load_pem_pkcs7_certificates(data) if len(xcert) > 1: print('// Warning: TODO: pkcs7 has {} entries'.format( len(xcert))) xcert = xcert[0] cn = '' for dn in xcert.subject.rfc4514_string().split(','): keyval = dn.split('=') if keyval[0] == 'CN': cn += keyval[1] name = re.sub('[^a-zA-Z0-9_]', '_', cn) print('// CN: {} => name: {}'.format(cn, name)) print('// not valid before:', xcert.not_valid_before) print('// not valid after: ', xcert.not_valid_after) if showPub: fingerprint = xcert.fingerprint(hashes.SHA1()).hex(':') print('const char fingerprint_{} [] PROGMEM = "{}";'.format( name, fingerprint)) pem = xcert.public_key().public_bytes( Encoding.PEM, PublicFormat.SubjectPublicKeyInfo).decode('utf-8') print('const char pubkey_{} [] PROGMEM = R"PUBKEY('.format(name)) print(pem + ')PUBKEY";') else: cert = xcert.public_bytes(Encoding.PEM).decode('utf-8') print('const char cert_{} [] PROGMEM = R"CERT('.format(name)) print(cert + ')CERT";') cas = [] for ext in xcert.extensions: if ext.oid == x509.ObjectIdentifier("1.3.6.1.5.5.7.1.1"): for desc in ext.value: if desc.access_method == x509.oid.AuthorityInformationAccessOID.CA_ISSUERS: cas.append(desc.access_location.value) for ca in cas: with urllib.request.urlopen(ca) as crt: print() print('// ' + ca) printData(crt.read(), False) print()
def test_load_pkcs7_der(self, backend): certs = load_vectors_from_file( os.path.join("pkcs7", "amazon-roots.p7b"), lambda derfile: pkcs7.load_der_pkcs7_certificates(derfile.read()), mode="rb", ) assert len(certs) == 2 assert certs[0].subject.get_attributes_for_oid( x509.oid.NameOID.COMMON_NAME) == [ x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, "Amazon Root CA 3") ] assert certs[1].subject.get_attributes_for_oid( x509.oid.NameOID.COMMON_NAME) == [ x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, "Amazon Root CA 2") ]
def estissuer_create(spec, patch, body, **_): """validate and mark issuers as ready""" # Secret must exist and be the correct type secret = get_secret_from_resource(body) if secret is None: raise kopf.TemporaryError(f"{spec['secretName']} not found") baseUrl = f"https://{spec['host']}:{spec.get('port', 443)}" path = "/".join( i for i in [WELLKNOWN, spec.get("label"), "cacerts"] if i is not None) # fetch /cacerts using explicit TA cacert = base64.b64decode(spec["cacert"]) with tempfile.NamedTemporaryFile(suffix=".pem") as cafile: cafile.write(cacert) cafile.seek(0) session = requests.Session() session.mount(baseUrl, SSLContextAdapter()) try: response = session.get(baseUrl + path, verify=cafile.name) except ( requests.exceptions.SSLError, requests.exceptions.RequestException, ) as err: patch.metadata.annotations["estoperator-perm-fail"] = "yes" raise kopf.PermanentError(err) from err # 200 OK is good, anything else is an error if response.status_code != 200: raise kopf.TemporaryError( f"Unexpected response: {response.status}, {response.reason}", ) # configured cacert must be in EST portal bundle explicit = pem.parse(cacert) store = X509Store() for cert in explicit: store.add_cert(load_certificate(FILETYPE_PEM, cert.as_text())) try: for leaf in pkcs7.load_der_pkcs7_certificates( base64.b64decode(response.content)): context = X509StoreContext( store, load_certificate(FILETYPE_PEM, leaf.public_bytes(Encoding.PEM)), ) context.verify_certificate() except X509StoreContextError as err: raise kopf.PermanentError( f"Unable to verify /cacerts content: {err}") from err return {"Ready": "True"}
def test_invalid_types(self): certs = load_vectors_from_file( os.path.join("pkcs7", "amazon-roots.der"), lambda derfile: pkcs7.load_der_pkcs7_certificates(derfile.read()), mode="rb", ) with pytest.raises(TypeError): pkcs7.serialize_certificates( "not a list of certs", # type: ignore[arg-type] serialization.Encoding.PEM, ) with pytest.raises(TypeError): pkcs7.serialize_certificates([], serialization.Encoding.PEM) with pytest.raises(TypeError): pkcs7.serialize_certificates( certs, "not an encoding" # type: ignore[arg-type] )
def ProcessPKCS7(msg, from_addr): subjaltnames = None for att in msg.iter_attachments(): if (att.get_content_type() == 'application/pkcs7-signature'): certs = pkcs7.load_der_pkcs7_certificates(att.get_content()) for cert in certs: try: ex = cert.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS) except x509.ExtensionNotFound: continue if (not ex.value.ca): try: ex = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME) except x509.ExtensionNotFound: continue subjaltnames = ex.value.get_values_for_type(x509.RFC822Name) break if (not subjaltnames): raise NoSANFound if (from_addr not in subjaltnames): raise FromAddrNotInSAN()
def test_not_bytes_der(self, backend): with pytest.raises(TypeError): pkcs7.load_der_pkcs7_certificates(38) # type: ignore[arg-type]
def test_load_invalid_der_pkcs7(self, backend): with pytest.raises(ValueError): pkcs7.load_der_pkcs7_certificates(b"nonsense")
def load_key(filename: str, private: bool = False, password: Optional[bytes] = None, extensive: bool = False) -> KEY_ALL_TYPES: key = None if password is None and not extensive: with open(filename, 'r') as f: if 'ENCRYPTED' in f.readline(): password = input("Password: "******"Multiple certificates found, using first entry [%s]" % certs[0].subject, file=sys.stderr) key = certs[0].public_key() # PKCS#12 Certificate (Private and/or Public Key) if not key: try: private_key, cert, more_certs = load_key_and_certificates( data, password=password) if not private and cert: key = cert.public_key() elif private: key = private_key except: pass # X.509 Certificate if not key and not private: cert = None try: cert = load_der_x509_certificate(data) except: try: cert = load_pem_x509_certificate(data) except: pass if cert: key = cert.public_key() if key: if private and is_private_key(key): return key elif not private and is_private_key(key): return key.public_key() elif not private and is_public_key(key): return key raise FileException("Could not read key")
def test_not_bytes_der(self): with pytest.raises(TypeError): pkcs7.load_der_pkcs7_certificates(38)
def load_der_to_x509(bytes_input): try: return x509.load_der_x509_certificate(bytes_input) except ValueError: return load_der_pkcs7_certificates(bytes_input)[0]