def elevate(cmd):
# use this if need admin
import win32elevate
try:
win32elevate.elevateAdminRun(cmd)
except Exception as e:
xlog.warning('elevate e:%r', e)
def import_windows_ca(common_name, certfile):
import ctypes
with open(certfile, 'rb') as fp:
certdata = fp.read()
if certdata.startswith(b'-----'):
begin = b'-----BEGIN CERTIFICATE-----'
end = b'-----END CERTIFICATE-----'
certdata = base64.b64decode(b''.join(
certdata[certdata.find(begin) + len(begin):certdata.
find(end)].strip().splitlines()))
crypt32 = ctypes.WinDLL(b'crypt32.dll'.decode())
store_handle = crypt32.CertOpenStore(10, 0, 0, 0x4000 | 0x20000,
b'ROOT'.decode())
if not store_handle:
return False
CERT_FIND_SUBJECT_STR = 0x00080007
CERT_FIND_HASH = 0x10000
X509_ASN_ENCODING = 0x00000001
class CRYPT_HASH_BLOB(ctypes.Structure):
_fields_ = [('cbData', ctypes.c_ulong),
('pbData', ctypes.c_char_p)]
assert CertUtil.ca_thumbprint
crypt_hash = CRYPT_HASH_BLOB(
20, binascii.a2b_hex(CertUtil.ca_thumbprint.replace(':', '')))
crypt_handle = crypt32.CertFindCertificateInStore(
store_handle, X509_ASN_ENCODING, 0, CERT_FIND_HASH,
ctypes.byref(crypt_hash), None)
if crypt_handle:
crypt32.CertFreeCertificateContext(crypt_handle)
return True
ret = crypt32.CertAddEncodedCertificateToStore(
store_handle, 0x1, certdata, len(certdata), 4, None)
crypt32.CertCloseStore(store_handle, 0)
del crypt32
if not ret and __name__ != "__main__":
#res = CertUtil.win32_notify(msg=u'Import GoAgent Ca?', title=u'Authority need')
#if res == 2:
# return -1
import win32elevate
try:
win32elevate.elevateAdminRun(os.path.abspath(__file__))
except Exception as e:
xlog.warning('CertUtil.import_windows_ca failed: %r', e)
return True
else:
CertUtil.win32_notify(
msg=u'已经导入GoAgent证书,请重启浏览器.',
title=u'Restart browser need.')
return True if ret else False
def import_windows_ca(common_name, certfile):
import ctypes
with open(certfile, "rb") as fp:
certdata = fp.read()
if certdata.startswith(b"-----"):
begin = b"-----BEGIN CERTIFICATE-----"
end = b"-----END CERTIFICATE-----"
certdata = base64.b64decode(
b"".join(certdata[certdata.find(begin) + len(begin) : certdata.find(end)].strip().splitlines())
)
crypt32 = ctypes.WinDLL(b"crypt32.dll".decode())
store_handle = crypt32.CertOpenStore(10, 0, 0, 0x4000 | 0x20000, b"ROOT".decode())
if not store_handle:
return False
CERT_FIND_SUBJECT_STR = 0x00080007
CERT_FIND_HASH = 0x10000
X509_ASN_ENCODING = 0x00000001
class CRYPT_HASH_BLOB(ctypes.Structure):
_fields_ = [("cbData", ctypes.c_ulong), ("pbData", ctypes.c_char_p)]
assert CertUtil.ca_thumbprint
crypt_hash = CRYPT_HASH_BLOB(20, binascii.a2b_hex(CertUtil.ca_thumbprint.replace(":", "")))
crypt_handle = crypt32.CertFindCertificateInStore(
store_handle, X509_ASN_ENCODING, 0, CERT_FIND_HASH, ctypes.byref(crypt_hash), None
)
if crypt_handle:
crypt32.CertFreeCertificateContext(crypt_handle)
return True
ret = crypt32.CertAddEncodedCertificateToStore(store_handle, 0x1, certdata, len(certdata), 4, None)
crypt32.CertCloseStore(store_handle, 0)
del crypt32
if not ret and __name__ != "__main__":
# res = CertUtil.win32_notify(msg=u'Import GoAgent Ca?', title=u'Authority need')
# if res == 2:
# return -1
import win32elevate
win32elevate.elevateAdminRun(os.path.abspath(__file__))
return True
# else:
# CertUtil.win32_notify(msg=u'Import GoAgent Ca finished, please restart browser.', title=u'Restart browser need.')
return True if ret else False
def elevate(script_path, clear_log=True):
global script_is_running
if not script_is_running:
script_is_running = True
if clear_log and os.path.isfile(log_file):
try:
os.remove(log_file)
except Exception as e:
xlog.warn("remove %s fail:%r", log_file, e)
try:
win32elevate.elevateAdminRun(None, script_path, True, False)
return True
except Exception as e:
xlog.warning('elevate e:%r', e)
finally:
script_is_running = False
def import_windows_ca(certfile):
xlog.debug("Begin to import Windows CA")
with open(certfile, 'rb') as fp:
certdata = fp.read()
if certdata.startswith(b'-----'):
begin = b'-----BEGIN CERTIFICATE-----'
end = b'-----END CERTIFICATE-----'
certdata = base64.b64decode(b''.join(
certdata[certdata.find(begin) + len(begin):certdata.
find(end)].strip().splitlines()))
try:
common_name = OpenSSL.crypto.load_certificate(
OpenSSL.crypto.FILETYPE_ASN1, certdata).get_subject().CN
except Exception as e:
#logging.error('load_certificate(certfile=%r) 失败:%s', certfile, e)
return -1
assert certdata, 'cert file %r is broken' % certfile
import ctypes.wintypes
class CERT_CONTEXT(ctypes.Structure):
_fields_ = [
('dwCertEncodingType', ctypes.wintypes.DWORD),
('pbCertEncoded', ctypes.POINTER(ctypes.wintypes.BYTE)),
('cbCertEncoded', ctypes.wintypes.DWORD),
('pCertInfo', ctypes.c_void_p),
('hCertStore', ctypes.c_void_p),
]
X509_ASN_ENCODING = 0x1
CERT_STORE_ADD_ALWAYS = 4
CERT_STORE_PROV_SYSTEM = 10
CERT_STORE_OPEN_EXISTING_FLAG = 0x4000
CERT_SYSTEM_STORE_CURRENT_USER = 1 << 16
CERT_SYSTEM_STORE_LOCAL_MACHINE = 2 << 16
CERT_FIND_SUBJECT_STR = 8 << 16 | 7
crypt32 = ctypes.windll.crypt32
ca_exists = False
store_handle = None
pCertCtx = None
ret = 0
for store in (CERT_SYSTEM_STORE_LOCAL_MACHINE,
CERT_SYSTEM_STORE_CURRENT_USER):
try:
store_handle = crypt32.CertOpenStore(
CERT_STORE_PROV_SYSTEM, 0, None,
CERT_STORE_OPEN_EXISTING_FLAG | store, 'root')
if not store_handle:
if store == CERT_SYSTEM_STORE_CURRENT_USER and not ca_exists:
xlog.warning(
'CertUtil.import_windows_ca failed: could not open system cert store'
)
return False
else:
continue
pCertCtx = crypt32.CertFindCertificateInStore(
store_handle, X509_ASN_ENCODING, 0, CERT_FIND_SUBJECT_STR,
common_name, None)
while pCertCtx:
certCtx = CERT_CONTEXT.from_address(pCertCtx)
_certdata = ctypes.string_at(certCtx.pbCertEncoded,
certCtx.cbCertEncoded)
if _certdata == certdata:
ca_exists = True
xlog.debug("XX-Net CA already exists")
else:
cert = OpenSSL.crypto.load_certificate(
OpenSSL.crypto.FILETYPE_ASN1, _certdata)
if hasattr(cert, 'get_subject'):
cert = cert.get_subject()
cert_name = next(
(v for k, v in cert.get_components() if k == 'CN'),
'')
if cert_name == common_name:
ret = crypt32.CertDeleteCertificateFromStore(
crypt32.CertDuplicateCertificateContext(
pCertCtx))
if ret == 1:
xlog.debug(
"Invalid Windows CA %r has been removed",
common_name)
elif ret == 0 and store == CERT_SYSTEM_STORE_LOCAL_MACHINE:
# to elevate
break
pCertCtx = crypt32.CertFindCertificateInStore(
store_handle, X509_ASN_ENCODING, 0,
CERT_FIND_SUBJECT_STR, common_name, pCertCtx)
# Only add to current user
if store == CERT_SYSTEM_STORE_CURRENT_USER and not ca_exists:
ret = crypt32.CertAddEncodedCertificateToStore(
store_handle, X509_ASN_ENCODING, certdata,
len(certdata), CERT_STORE_ADD_ALWAYS, None)
except Exception as e:
xlog.warning('CertUtil.import_windows_ca failed: %r', e)
if isinstance(e, OSError):
store_handle = None
continue
return False
finally:
if pCertCtx:
crypt32.CertFreeCertificateContext(pCertCtx)
pCertCtx = None
if store_handle:
crypt32.CertCloseStore(store_handle, 0)
store_handle = None
if ca_exists:
return True
if ret == 0 and __name__ != "__main__":
#res = CertUtil.win32_notify(msg=u'Import GoAgent Ca?', title=u'Authority need')
#if res == 2:
# return -1
import win32elevate
try:
win32elevate.elevateAdminRun(os.path.abspath(__file__))
except Exception as e:
xlog.warning('CertUtil.import_windows_ca failed: %r', e)
return True
elif ret == 1:
CertUtil.win32_notify(msg='已经导入GoAgent证书,请重启浏览器.',
title='Restart browser need.')
return ret == 1
def import_ca(certfile):
commonname = os.path.splitext(os.path.basename(certfile))[0]
if sys.platform.startswith('win'):
import ctypes
with open(certfile, 'rb') as fp:
certdata = fp.read()
if certdata.startswith(b'-----'):
begin = b'-----BEGIN CERTIFICATE-----'
end = b'-----END CERTIFICATE-----'
certdata = base64.b64decode(b''.join(
certdata[certdata.find(begin) + len(begin):certdata.
find(end)].strip().splitlines()))
crypt32 = ctypes.WinDLL(b'crypt32.dll'.decode())
store_handle = crypt32.CertOpenStore(10, 0, 0,
0x4000 | 0x20000,
b'ROOT'.decode())
if not store_handle:
return -1
CERT_FIND_SUBJECT_STR = 0x00080007
CERT_FIND_HASH = 0x10000
X509_ASN_ENCODING = 0x00000001
class CRYPT_HASH_BLOB(ctypes.Structure):
_fields_ = [('cbData', ctypes.c_ulong),
('pbData', ctypes.c_char_p)]
assert CertUtil.ca_thumbprint
crypt_hash = CRYPT_HASH_BLOB(
20,
binascii.a2b_hex(CertUtil.ca_thumbprint.replace(':', '')))
crypt_handle = crypt32.CertFindCertificateInStore(
store_handle, X509_ASN_ENCODING, 0, CERT_FIND_HASH,
ctypes.byref(crypt_hash), None)
if crypt_handle:
crypt32.CertFreeCertificateContext(crypt_handle)
return 0
ret = crypt32.CertAddEncodedCertificateToStore(
store_handle, 0x1, certdata, len(certdata), 4, None)
crypt32.CertCloseStore(store_handle, 0)
del crypt32
if not ret and __name__ != "__main__":
#res = CertUtil.win32_notify(msg=u'Import GoAgent Ca?', title=u'Authority need')
#if res == 2:
# return -1
import win32elevate
win32elevate.elevateAdminRun(os.path.abspath(__file__))
return 0
return 0 if ret else -1
elif sys.platform == 'darwin':
return os.system((
'security find-certificate -a -c "%s" | grep "%s" >/dev/null || security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "%s"'
% (commonname, commonname,
certfile.decode('utf-8'))).encode('utf-8'))
elif sys.platform.startswith('linux'):
import platform
platform_distname = platform.dist()[0]
if platform_distname == 'Ubuntu':
pemfile = "/etc/ssl/certs/%s.pem" % commonname
new_certfile = "/usr/local/share/ca-certificates/%s.crt" % commonname
if not os.path.exists(pemfile):
return os.system('cp "%s" "%s" && update-ca-certificates' %
(certfile, new_certfile))
elif any(
os.path.isfile('%s/certutil' % x)
for x in os.environ['PATH'].split(os.pathsep)):
return os.system(
'certutil -L -d sql:$HOME/.pki/nssdb | grep "%s" || certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "%s" -i "%s"'
% (commonname, commonname, certfile))
else:
logging.warning(
'please install *libnss3-tools* package to import GoAgent root ca'
)
return 0
def change_reserved_port_range():
exec = b"netsh"
args = b"int ipv4 set dynamic tcp start=49152 num=16384"
import win32elevate
win32elevate.elevateAdminRun(args, exec)
def import_windows_ca(common_name, certfile):
xlog.debug("Begin to import Windows CA")
with open(certfile, 'rb') as fp:
certdata = fp.read()
if certdata.startswith(b'-----'):
begin = b'-----BEGIN CERTIFICATE-----'
end = b'-----END CERTIFICATE-----'
certdata = base64.b64decode(b''.join(certdata[certdata.find(begin)+len(begin):certdata.find(end)].strip().splitlines()))
assert certdata, 'cert file %r is broken' % certfile
import ctypes
import ctypes.wintypes
class CERT_CONTEXT(ctypes.Structure):
_fields_ = [
('dwCertEncodingType', ctypes.wintypes.DWORD),
('pbCertEncoded', ctypes.POINTER(ctypes.wintypes.BYTE)),
('cbCertEncoded', ctypes.wintypes.DWORD),
('pCertInfo', ctypes.c_void_p),
('hCertStore', ctypes.c_void_p),]
CERT_STORE_PROV_SYSTEM = 10
CERT_STORE_OPEN_EXISTING_FLAG = 0x4000
CERT_SYSTEM_STORE_CURRENT_USER = 1 << 16
CERT_SYSTEM_STORE_LOCAL_MACHINE = 2 << 16
crypt32 = ctypes.windll.crypt32
ca_exists = False
for store in (CERT_SYSTEM_STORE_LOCAL_MACHINE, CERT_SYSTEM_STORE_CURRENT_USER):
try:
store_handle = crypt32.CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, None, CERT_STORE_OPEN_EXISTING_FLAG | store, u'root')
if not store_handle:
if store == CERT_SYSTEM_STORE_CURRENT_USER and not ca_exists:
xlog.warning('CertUtil.import_windows_ca failed: could not open system cert store')
return False
else:
continue
pCertCtx = crypt32.CertEnumCertificatesInStore(store_handle, None)
while pCertCtx:
certCtx = CERT_CONTEXT.from_address(pCertCtx)
_certdata = ctypes.string_at(certCtx.pbCertEncoded, certCtx.cbCertEncoded)
if _certdata == certdata:
ca_exists = True
xlog.debug("XX-Net CA already exists")
else:
cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1, _certdata)
if hasattr(cert, 'get_subject'):
cert = cert.get_subject()
cert_name = next((v for k, v in cert.get_components() if k == 'CN'), '')
if cert_name == common_name:
ret = crypt32.CertDeleteCertificateFromStore(crypt32.CertDuplicateCertificateContext(pCertCtx))
if ret == 1:
xlog.debug("Invalid Windows CA %r has been removed", common_name)
elif ret == 0 and store == CERT_SYSTEM_STORE_LOCAL_MACHINE:
# to elevate
break
pCertCtx = crypt32.CertEnumCertificatesInStore(store_handle, pCertCtx)
# Only add to current user
if store == CERT_SYSTEM_STORE_CURRENT_USER and not ca_exists:
ret = crypt32.CertAddEncodedCertificateToStore(store_handle, 0x1, certdata, len(certdata), 4, None)
except Exception as e:
xlog.warning('CertUtil.import_windows_ca failed: %r', e)
return False
finally:
if pCertCtx:
crypt32.CertFreeCertificateContext(pCertCtx)
if store_handle:
crypt32.CertCloseStore(store_handle, 0)
if ca_exists:
return True
if ret == 0 and __name__ != "__main__":
#res = CertUtil.win32_notify(msg=u'Import GoAgent Ca?', title=u'Authority need')
#if res == 2:
# return -1
import win32elevate
try:
win32elevate.elevateAdminRun(os.path.abspath(__file__))
except Exception as e:
xlog.warning('CertUtil.import_windows_ca failed: %r', e)
return True
elif ret == 1:
CertUtil.win32_notify(msg=u'已经导入GoAgent证书,请重启浏览器.', title=u'Restart browser need.')
return ret == 1