def test_insufficient_memory(self):
"""
`OpenSSL.rand.bytes` raises `MemoryError` if more bytes are requested
than will fit in memory.
"""
with pytest.raises(MemoryError):
rand.bytes(sys.maxsize)
def test_bytes_wrong_args(self, args):
"""
`OpenSSL.rand.bytes` raises `TypeError` if called with a non-`int`
argument.
"""
with pytest.raises(TypeError):
rand.bytes(*args)
def test_insufficient_memory(self):
"""
`OpenSSL.rand.bytes` raises `MemoryError` if more bytes are requested
than will fit in memory.
"""
with pytest.raises(MemoryError):
rand.bytes(sys.maxsize)
def test_bytes_wrong_args(self, args):
"""
`OpenSSL.rand.bytes` raises `TypeError` if called with a non-`int`
argument.
"""
with pytest.raises(TypeError):
rand.bytes(*args)
def test_bytes(self):
"""
Verify that we can obtain bytes from rand_bytes() and
that they are different each time. Test the parameter
of rand_bytes() for bad values.
"""
b1 = rand.bytes(50)
self.assertEqual(len(b1), 50)
b2 = rand.bytes(num_bytes=50) # parameter by name
self.assertNotEqual(b1, b2) # Hip, Hip, Horay! FIPS complaince
b3 = rand.bytes(num_bytes=0)
self.assertEqual(len(b3), 0)
exc = self.assertRaises(ValueError, rand.bytes, -1)
self.assertEqual(str(exc), "num_bytes must not be negative")
def test_bytes(self):
"""
Verify that we can obtain bytes from rand_bytes() and
that they are different each time. Test the parameter
of rand_bytes() for bad values.
"""
b1 = rand.bytes(50)
self.assertEqual(len(b1), 50)
b2 = rand.bytes(num_bytes=50) # parameter by name
self.assertNotEqual(b1, b2) # Hip, Hip, Horay! FIPS complaince
b3 = rand.bytes(num_bytes=0)
self.assertEqual(len(b3), 0)
exc = self.assertRaises(ValueError, rand.bytes, -1)
self.assertEqual(str(exc), "num_bytes must not be negative")
def test_bytes(self):
"""
Verify that we can obtain bytes from rand_bytes() and that they are
different each time. Test the parameter of rand_bytes() for
bad values.
"""
b1 = rand.bytes(50)
assert len(b1) == 50
b2 = rand.bytes(num_bytes=50) # parameter by name
assert b1 != b2 # Hip, Hip, Horay! FIPS complaince
b3 = rand.bytes(num_bytes=0)
assert len(b3) == 0
with pytest.raises(ValueError) as exc:
rand.bytes(-1)
assert str(exc.value) == "num_bytes must not be negative"
def test_bytes(self):
"""
Verify that we can obtain bytes from rand_bytes() and that they are
different each time. Test the parameter of rand_bytes() for
bad values.
"""
b1 = rand.bytes(50)
assert len(b1) == 50
b2 = rand.bytes(num_bytes=50) # parameter by name
assert b1 != b2 # Hip, Hip, Horay! FIPS complaince
b3 = rand.bytes(num_bytes=0)
assert len(b3) == 0
with pytest.raises(ValueError) as exc:
rand.bytes(-1)
assert str(exc.value) == "num_bytes must not be negative"
def privatekey():
# See https://en.bitcoin.it/wiki/Private_key
int_pk = 0
while not (int_pk > 0 and int_pk <= MAX_KEY): # :)
pk = hashlib.sha256(rand.bytes(32))
int_pk = int(pk.hexdigest(), 16)
return int_pk, wif(pk.digest())
def privatekey():
# See https://en.bitcoin.it/wiki/Private_key
int_pk = 0
while not (int_pk > 0 and int_pk <= MAX_KEY): # :)
pk = hashlib.sha256(rand.bytes(32))
int_pk = int(pk.hexdigest(), 16)
return int_pk, wif(pk.digest())
def generateKey(self,keyFilepath):
b1 = rand.bytes(16)
self.hexKey = binascii.hexlify(b1)
try:
keyFile = open(keyFilepath,"wb");
except:
print "can't open "+keyFilepath;
raise
keyFile.write(b1)
keyFile.close();
def create_self_signed_cert(cert_file_path):
private_key_path = re.sub(r".(pem|crt)$",
".key",
cert_file_path,
flags=re.IGNORECASE)
# create public/private key
key = PKey()
key.generate_key(TYPE_RSA, 2048)
# Self-signed cert
cert = X509()
#subject = X509Name(cert.get_subject())
subject = cert.get_subject()
subject.CN = 'localhost'
subject.O = 'XYZ Widgets Inc'
subject.OU = 'IT Department'
subject.L = 'Seattle'
subject.ST = 'Washington'
subject.C = 'US'
subject.emailAddress = '*****@*****.**'
cert.set_version(2)
cert.set_issuer(subject)
cert.set_subject(subject)
#cert.set_serial_number(int(os.urandom(16).encode('hex'),16))
cert.set_serial_number(int(rand.bytes(16).encode('hex'), 16))
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31536000)
cert.set_pubkey(key)
cert.add_extensions([
X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"),
X509Extension("keyUsage", True, "keyCertSign, cRLSign"),
X509Extension("subjectKeyIdentifier", False, "hash", subject=cert),
])
cert.sign(key, 'sha256')
with open(cert_file_path, 'wb+') as f:
f.write(dump_certificate(FILETYPE_PEM, cert))
with open(private_key_path, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, key))
def create (self, name):
if self.state != "none":
raise IllegalStateError ()
# sanity check
if self.client.exists (self.path):
raise AlreadyExistsError ()
# create key
self.root_key = crypto.PKey ()
self.root_key.generate_key (crypto.TYPE_RSA, 2048)
# create certificate
self.root_cert = crypto.X509 ()
self.root_cert.set_pubkey (self.root_key)
self.root_cert.set_version (2)
self.root_cert.set_serial_number (
struct.unpack ("Q", rand.bytes (8)) [0])
self.root_cert.get_subject ().C = self.certificate_data ["country"]
self.root_cert.get_subject ().L = self.certificate_data ["locality"]
self.root_cert.get_subject ().O = self.certificate_data ["organization"]
self.root_cert.get_subject ().CN = name
self.root_cert.gmtime_adj_notBefore (0)
self.root_cert.gmtime_adj_notAfter (315360000)
self.root_cert.set_issuer (
self.root_cert.get_subject ())
self.root_cert.add_extensions ([
crypto.X509Extension (
str ("basicConstraints"),
True,
str ("CA:TRUE, pathlen:0")),
crypto.X509Extension (
str ("keyUsage"),
True,
str ("keyCertSign, cRLSign")),
crypto.X509Extension (
str ("subjectKeyIdentifier"),
False,
str ("hash"),
subject = self.root_cert),
])
self.root_cert.add_extensions ([
crypto.X509Extension (
str ("authorityKeyIdentifier"),
False,
str ("keyid,issuer:always"),
issuer = self.root_cert)
])
# sign certificate
self.root_cert.sign (
self.root_key,
str ("sha256"))
# dump to pem
self.root_cert_string = crypto.dump_certificate (
crypto.FILETYPE_PEM,
self.root_cert)
self.root_key_string = crypto.dump_privatekey (
crypto.FILETYPE_PEM,
self.root_key)
# write data in "creating" state
self.data = {
"authority_state":
"creating",
"subject_country":
self.root_cert.get_subject ().C,
"subject_locality":
self.root_cert.get_subject ().L,
"subject_organization":
self.root_cert.get_subject ().O,
"subject_common_name":
self.root_cert.get_subject ().CN,
}
self.client.set_yaml (
self.path + "/data",
self.data,
self.schemas ["certificate-authority"])
# write other data
self.client.set_raw (
self.path + "/certificate",
self.root_cert_string)
self.client.set_raw (
self.path + "/key",
self.root_key_string)
self.client.set_raw (
self.path + "/serial",
"0")
# write data in "active" state
self.data ["authority_state"] = "active"
self.client.set_yaml (
self.path + "/data",
self.data,
self.schemas ["certificate-authority"])
else:
return True
def encodeInput(html):
"""Encode evil chars..."""
result = re.sub('"', """, html)
result = re.sub("'", "'", result)
result = re.sub("&", "&", result)
result = re.sub("<", "<", result)
result = re.sub(">", ">", result)
log("User supplied input was encoded", "SUCCESS", "NULL")
blockUsers()
return result
#secret key for flask internal session use
secret_key = rand.bytes(512)
password = generate_pass()
csrf_token_raw = rand.bytes(128)
csrf_token = base64.b64encode(csrf_token_raw)
mimetypes.add_type('image/svg+xml', '.svg')
bindaddr = '127.0.0.1';
# Load default config and override config from an environment variable
# You can also replace password with static password: PASSWORD='******'
app.config.update(dict(
DATABASE=os.path.join(app.root_path, 'skf.db'),
DEBUG=True,
SECRET_KEY=secret_key,
SESSION_COOKIE_SECURE=True,
SESSION_COOKIE_HTTPONLY = True
))
def getNonce(self):
return rand.bytes(self.DEFAULT_NONCE_SIZE)
def getNonce(self):
return rand.bytes(self.DEFAULT_NONCE_SIZE)
def getNonce(cls):
return rand.bytes(BootstrapHelper.DEFAULT_NONCE_SIZE)
def main():
res = set()
while len(res) <= 200:
_d = base64.urlsafe_b64encode(rand.bytes(20))
print _d
res.add(_d)
def getNonce(cls):
return rand.bytes(BootstrapHelper.DEFAULT_NONCE_SIZE)
def create(self, name):
if self.state != "none":
raise IllegalStateError()
# sanity check
if self.client.exists(self.path):
raise AlreadyExistsError()
# create key
self.root_key = crypto.PKey()
self.root_key.generate_key(crypto.TYPE_RSA, 2048)
# create certificate
self.root_cert = crypto.X509()
self.root_cert.set_pubkey(self.root_key)
self.root_cert.set_version(2)
self.root_cert.set_serial_number(struct.unpack("Q", rand.bytes(8))[0])
self.root_cert.get_subject().C = self.certificate_data["country"]
self.root_cert.get_subject().L = self.certificate_data["locality"]
self.root_cert.get_subject().O = self.certificate_data["organization"]
self.root_cert.get_subject().CN = name
self.root_cert.gmtime_adj_notBefore(0)
self.root_cert.gmtime_adj_notAfter(315360000)
self.root_cert.set_issuer(self.root_cert.get_subject())
self.root_cert.add_extensions([
crypto.X509Extension(str("basicConstraints"), True,
str("CA:TRUE, pathlen:0")),
crypto.X509Extension(str("keyUsage"), True,
str("keyCertSign, cRLSign")),
crypto.X509Extension(str("subjectKeyIdentifier"),
False,
str("hash"),
subject=self.root_cert),
])
self.root_cert.add_extensions([
crypto.X509Extension(str("authorityKeyIdentifier"),
False,
str("keyid,issuer:always"),
issuer=self.root_cert)
])
# sign certificate
self.root_cert.sign(self.root_key, str("sha256"))
# dump to pem
self.root_cert_string = crypto.dump_certificate(
crypto.FILETYPE_PEM, self.root_cert)
self.root_key_string = crypto.dump_privatekey(crypto.FILETYPE_PEM,
self.root_key)
# write data in "creating" state
self.data = {
"authority_state": "creating",
"subject_country": self.root_cert.get_subject().C,
"subject_locality": self.root_cert.get_subject().L,
"subject_organization": self.root_cert.get_subject().O,
"subject_common_name": self.root_cert.get_subject().CN,
}
self.client.set_yaml(self.path + "/data", self.data,
self.schemas["certificate-authority"])
# write other data
self.client.set_raw(self.path + "/certificate", self.root_cert_string)
self.client.set_raw(self.path + "/key", self.root_key_string)
self.client.set_raw(self.path + "/serial", "0")
# write data in "active" state
self.data["authority_state"] = "active"
self.client.set_yaml(self.path + "/data", self.data,
self.schemas["certificate-authority"])
def getrandom(keylen=8): return rand.bytes(keylen)
def generate_ephemeral_certificate(return_as_strings=False):
""" Create ephemeral self-signed certificate and return it with key.
Based on http://www.web2pyslices.com/slice/show/1507/generate-ssl-self-signed-certificate-and-key-enable-https-encryption-in-web2py
Args:
return_as_strings - Boolean. If True, will return strings containing file content. If False, will
return path to each file
Returns:
tuple of str - either path_to_certfile, path_to_keyfile or certfile_content, keyfile_content
"""
from OpenSSL import crypto, rand
from socket import gethostname
from tempfile import mkstemp
from os import write as os_write, unlink
# create a key pair
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 4096)
# poor effort at providing a random serial number for the cert
randbytes = rand.bytes(4)
cert_serial = ord(randbytes[0])
for c in randbytes[1:]:
cert_serial = cert_serial * ord(c)
# create a self-signed cert
cert = crypto.X509()
cert.get_subject().C = "GB"
cert.get_subject().ST = "State"
cert.get_subject().L = "City"
cert.get_subject().O = "Company"
cert.get_subject().OU = "Organization"
cert.get_subject().CN = gethostname()
cert.set_serial_number(cert_serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10*365*24*60*60)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, 'sha256')
# we have to write a file to disk as Python's ssl implementation calls C code that expects an actual file
cfile, cfile_path = mkstemp()
kfile, kfile_path = mkstemp()
os_write(cfile, crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
os_write(kfile, crypto.dump_privatekey(crypto.FILETYPE_PEM, k))
if return_as_strings:
cert_data = ''.join(open(cfile_path, 'r').readlines())
key_data = ''.join(open(kfile_path, 'r').readlines())
try:
unlink(cfile_path)
unlink(kfile_path)
except:
pass
return cert_data, key_data
else:
return cfile_path, kfile_path
