예제 #1
0
def remove_signature(content):
    """ Remove the PKCS#7 envelope from given content, making a '.xml.p7m' file content readable as it was '.xml'.
        As OpenSSL may not be installed, in that case a warning is issued and None is returned. """

    # Prevent using the library if it had import errors
    if not ssl_crypto:
        _logger.warning(
            "Error reading the content, check if the OpenSSL library is installed for for PKCS#7 envelope extraction."
        )
        return None

    # Load some tools from the library
    null = ssl_util.ffi.NULL
    verify = ssl_util.lib.PKCS7_verify

    # By default ignore the validity of the certificates, just validate the structure
    flags = ssl_util.lib.PKCS7_NOVERIFY | ssl_util.lib.PKCS7_NOSIGS

    # Read the signed data fron the content
    out_buffer = ssl_crypto._new_mem_buf()

    # This method is deprecated, but there are actually no alternatives
    with warnings.catch_warnings():
        warnings.filterwarnings("ignore", category=DeprecationWarning)
        loaded_data = ssl_crypto.load_pkcs7_data(ssl_crypto.FILETYPE_ASN1,
                                                 content)

    # Verify the signature
    if verify(loaded_data._pkcs7, null, null, null, out_buffer, flags) != 1:
        ssl_crypto._raise_current_error()

    # Get the content as a byte-string
    decoded_content = ssl_crypto._bio_to_string(out_buffer)
    return decoded_content
예제 #2
0
 def _get_public_key(self, binary):
     try:
         return crypto.dump_publickey(
             crypto.FILETYPE_ASN1 if binary else crypto.FILETYPE_PEM,
             self.cert.get_pubkey())
     except AttributeError:
         try:
             # pyOpenSSL < 16.0:
             bio = crypto._new_mem_buf()
             if binary:
                 rc = crypto._lib.i2d_PUBKEY_bio(
                     bio,
                     self.cert.get_pubkey()._pkey)
             else:
                 rc = crypto._lib.PEM_write_bio_PUBKEY(
                     bio,
                     self.cert.get_pubkey()._pkey)
             if rc != 1:
                 crypto._raise_current_error()
             return crypto._bio_to_string(bio)
         except AttributeError:
             self.module.warn(
                 'Your pyOpenSSL version does not support dumping public keys. '
                 'Please upgrade to version 16.0 or newer, or use the cryptography backend.'
             )
예제 #3
0
def get_fingerprint(path, passphrase=None, content=None, backend='pyopenssl'):
    """Generate the fingerprint of the public key. """

    privatekey = load_privatekey(path,
                                 passphrase=passphrase,
                                 content=content,
                                 check_passphrase=False,
                                 backend=backend)

    if backend == 'pyopenssl':
        try:
            publickey = crypto.dump_publickey(crypto.FILETYPE_ASN1, privatekey)
        except AttributeError:
            # If PyOpenSSL < 16.0 crypto.dump_publickey() will fail.
            try:
                bio = crypto._new_mem_buf()
                rc = crypto._lib.i2d_PUBKEY_bio(bio, privatekey._pkey)
                if rc != 1:
                    crypto._raise_current_error()
                publickey = crypto._bio_to_string(bio)
            except AttributeError:
                # By doing this we prevent the code from raising an error
                # yet we return no value in the fingerprint hash.
                return None
    elif backend == 'cryptography':
        publickey = privatekey.public_key().public_bytes(
            serialization.Encoding.DER,
            serialization.PublicFormat.SubjectPublicKeyInfo)

    return get_fingerprint_of_bytes(publickey)
예제 #4
0
def get_fingerprint(path, passphrase=None):
    """Generate the fingerprint of the public key. """

    privatekey = load_privatekey(path, passphrase, check_passphrase=False)
    try:
        publickey = crypto.dump_publickey(crypto.FILETYPE_ASN1, privatekey)
    except AttributeError:
        # If PyOpenSSL < 16.0 crypto.dump_publickey() will fail.
        try:
            bio = crypto._new_mem_buf()
            rc = crypto._lib.i2d_PUBKEY_bio(bio, privatekey._pkey)
            if rc != 1:
                crypto._raise_current_error()
            publickey = crypto._bio_to_string(bio)
        except AttributeError:
            # By doing this we prevent the code from raising an error
            # yet we return no value in the fingerprint hash.
            return None
    return get_fingerprint_of_bytes(publickey)
예제 #5
0
    def load_tmp_dh(self, dhfile):
        """
        Function overridden in order to enforce ECDH/PFS
        """

        from OpenSSL._util import (ffi as _ffi, lib as _lib)

        if not isinstance(dhfile, bytes):
            raise TypeError("dhfile must be a byte string")

        bio = _lib.BIO_new_file(dhfile, b"r")
        if bio == _ffi.NULL:
            _raise_current_error()
        bio = _ffi.gc(bio, _lib.BIO_free)

        dh = _lib.PEM_read_bio_DHparams(bio, _ffi.NULL, _ffi.NULL, _ffi.NULL)
        dh = _ffi.gc(dh, _lib.DH_free)
        _lib.SSL_CTX_set_tmp_dh(self._context, dh)

        ecdh = _lib.EC_KEY_new_by_curve_name(_lib.NID_X9_62_prime256v1)
        ecdh = _ffi.gc(ecdh, _lib.EC_KEY_free)
        _lib.SSL_CTX_set_tmp_ecdh(self._context, ecdh)
예제 #6
0
파일: ssl.py 프로젝트: az0ne/Tor2web
    def load_tmp_dh(self, dhfile):
        """
        Function overridden in order to enforce ECDH/PFS
        """

        from OpenSSL._util import (ffi as _ffi,
                                   lib as _lib)

        if not isinstance(dhfile, bytes):
            raise TypeError("dhfile must be a byte string")

        bio = _lib.BIO_new_file(dhfile, b"r")
        if bio == _ffi.NULL:
            _raise_current_error()
        bio = _ffi.gc(bio, _lib.BIO_free)

        dh = _lib.PEM_read_bio_DHparams(bio, _ffi.NULL, _ffi.NULL, _ffi.NULL)
        dh = _ffi.gc(dh, _lib.DH_free)
        _lib.SSL_CTX_set_tmp_dh(self._context, dh)

        ecdh = _lib.EC_KEY_new_by_curve_name(_lib.NID_X9_62_prime256v1)
        ecdh = _ffi.gc(ecdh, _lib.EC_KEY_free)
        _lib.SSL_CTX_set_tmp_ecdh(self._context, ecdh)