def urandom(n):
    """Return ``n`` random bytes as a str, drawn from a module-wide SecureRandom.

    The generator kept in the module-level ``urandom_source`` is created on
    the first call and reused by every later one.
    """
    global urandom_source
    if urandom_source is None:
        urandom_source = SecureRandom()
    rng = urandom_source
    out = jarray.zeros(n, 'b')
    rng.nextBytes(out)
    return out.tostring()
class _UserFriendlyRNG(object):
    """File-like wrapper around java.security.SecureRandom.

    Exposes ``read``/``close``/``flush`` so the generator can be used where a
    readable stream of random bytes is expected.  Once closed, ``read``
    raises like a closed file object would.
    """

    def __init__(self):
        self.closed = False
        self.__securerandom = None
        self.reinit()

    def reinit(self):
        """Replace the underlying generator with a fresh SecureRandom."""
        fresh_rng = SecureRandom()
        self.__securerandom = fresh_rng

    def close(self):
        """Mark the stream closed and drop the generator reference."""
        self.closed = True
        self.__securerandom = None

    def flush(self):
        """Nothing is buffered, so there is nothing to flush."""
        return None

    def read(self, N):
        """Return ``N`` random bytes as a str.

        Raises:
            ValueError: if the stream is closed, or ``N`` is negative.
            TypeError: if ``N`` is not an int/long.
        """
        if self.closed:
            raise ValueError("I/O operation on closed file")
        if not isinstance(N, (long, int)):
            raise TypeError("an integer is required")
        if N < 0:
            raise ValueError("cannot read to end of infinite stream")
        chunk = jarray.zeros(N, 'b')
        self.__securerandom.nextBytes(chunk)
        return chunk.tostring()
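def ignoreJavaSSL():
    """Disable certificate verification for every HttpsURLConnection in this JVM.

    Installs a trust manager that accepts any certificate chain as the
    process-wide default SSL socket factory.  Nothing here is scoped to one
    connection: every later HTTPS request made through HttpsURLConnection in
    this process is unauthenticated until the factory is replaced.  Only
    meaningful under Jython; on CPython use ``verify=False`` on the single
    request instead.

    Returns:
        A short status string once the factory has been installed.

    Raises:
        RuntimeError: if ``sys.platform`` does not identify a JVM.
    """
    import sys
    if 'java' not in sys.platform:
        raise RuntimeError('only use if platform (sys.platform) is java!')

    #===================================================================
    # set default SSL socket to ignore verification
    #===================================================================
    import javax.net.ssl.X509TrustManager as X509TrustManager  # @UnresolvedImport

    class MyTrustManager(X509TrustManager):
        """Trust manager that performs no validation at all."""

        def getAcceptedIssuers(self, *args, **keys):
            return None

        def checkServerTrusted(self, *args, **keys):
            pass

        def checkClientTrusted(self, *args, **keys):
            pass

    import com.sun.net.ssl.internal.ssl.Provider  # @UnresolvedImport
    from java.security import Security  # @UnresolvedImport
    Security.addProvider(com.sun.net.ssl.internal.ssl.Provider())
    trustAllCerts = [MyTrustManager()]

    import javax.net.ssl.SSLContext as SSLContext  # @UnresolvedImport
    import java.security.SecureRandom as SecureRandom  # @UnresolvedImport
    sc = SSLContext.getInstance("SSL")
    sc.init(None, trustAllCerts, SecureRandom())

    import javax.net.ssl.HttpsURLConnection as HttpsURLConnection  # @UnresolvedImport
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory())

    #===================================================================
    # Manual check kept from the original, via an HTTP proxy:
    #   p = Proxy(Proxy.Type.HTTP, InetSocketAddress("host", port))
    #   conn = URL("https://www.google.com/").openConnection(p)
    #   print('server response: %r' % conn.getResponseCode())
    #===================================================================

    #===================================================================
    # ignore requests's error logging - this is for dev
    #===================================================================
    # Best effort: requests may be absent or its bundled urllib3 may lack
    # disable_warnings(); neither should abort the caller.
    try:
        import requests.packages.urllib3 as urllib3
        urllib3.disable_warnings()
    except Exception:
        pass

    return 'SSL verification in Java is disabled!'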
def use_secure_ssl(client, protocols):
    """Register an HTTPS scheme on an HtmlUnit WebClient using DefaultTrustManager.

    Builds an SSLContext for the 'SSL' protocol family, initialises it with
    no key managers and ``[DefaultTrustManager]`` as the trust manager list,
    wraps it in ``SSLSocketFactory(protocols)`` and registers that factory
    for 'https' on port 443 in the client's scheme registry.

    NOTE(review): the trust manager list holds the DefaultTrustManager
    *class*, not an instance, whereas use_insecure_ssl passes
    FakeX509TrustManager(); whether the Java side accepts a class here is
    not visible from this file -- confirm.
    """
    ssl_context = SSLContext.getInstance('SSL')
    ssl_context.init(None, [DefaultTrustManager], SecureRandom())
    socket_factory = SSLSocketFactory(protocols)(ssl_context)
    https_scheme = Scheme('https', socket_factory, 443)
    http_client = client.getWebConnection().getHttpClient()
    registry = http_client.getConnectionManager().getSchemeRegistry()
    registry.register(https_scheme)
def use_insecure_ssl(client, protocols):
    """Register an HTTPS scheme on an HtmlUnit WebClient that trusts every server.

    ``FakeX509TrustManager()`` accepts any certificate chain and
    ``AllowAllHostnameVerifier`` accepts any host name, so the client will
    complete a TLS handshake with any endpoint regardless of its
    certificate.  The factory is registered for 'https' on port 443 in the
    client's scheme registry.
    """
    ssl_context = SSLContext.getInstance('SSL')
    ssl_context.init(None, [FakeX509TrustManager()], SecureRandom())
    socket_factory = SSLSocketFactory(protocols)(ssl_context)
    # Host-name matching is switched off as well; certificate checking is
    # already bypassed by the trust manager above.
    socket_factory.setHostnameVerifier(
        org.apache.http.conn.ssl.AllowAllHostnameVerifier())
    https_scheme = Scheme('https', socket_factory, 443)
    http_client = client.getWebConnection().getHttpClient()
    registry = http_client.getConnectionManager().getSchemeRegistry()
    registry.register(https_scheme)
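def testPage(self, page):
    """Fetch ``page`` from ``self._host:self._port`` over HTTPS and report the response.

    Before connecting, a trust manager and a hostname verifier that accept
    anything are installed as the JVM-wide defaults on HttpsURLConnection;
    they remain in place after this method returns, so every later HTTPS
    connection in the process is unauthenticated too.  The response code
    and, when present, the Content-Encoding header are printed.

    Args:
        page: path appended to ``https://host:port/``.

    Returns:
        True once a response code was obtained, False on timeout or any
        other error while connecting.
    """
    class MyTrustManager(X509TrustManager):
        """Accepts every certificate chain."""

        def getAcceptedIssuers(self):
            return None

        def checkClientTrusted(self, certs, auth):
            pass

        def checkServerTrusted(self, certs, auth):
            pass

    class MyHostnameVerifier(HostnameVerifier):
        """Accepts every host name."""

        def verify(self, host, sess):
            return True

    sc = SSLContext.getInstance("SSL")
    sc.init(None, [MyTrustManager()], SecureRandom())
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory())
    HttpsURLConnection.setDefaultHostnameVerifier(MyHostnameVerifier())

    try:
        httpsURL = 'https://%s:%s/%s' % (self._host, self._port, page)
        conn = URL(httpsURL).openConnection()
        conn.setConnectTimeout(5000)
        conn.setRequestProperty("Accept-encoding", 'gzip,deflate,compress')
        # The header set here is User-agent (the original comment called it a
        # "foreign referer"); the value depends on the target host name.
        conn.setRequestProperty(
            "User-agent",
            'https://google.com/' if 'google' not in self._host else 'https://yandex.ru/')
        print("[BREACH] Received response: %d" % conn.getResponseCode())
        # Read the header once instead of twice.
        encoding = conn.getContentEncoding()
        if encoding is not None:
            print("[BREACH] Received Content-encoding: %s" % (encoding))
        return True
    except:
        # Bare except kept on purpose: under Jython the failures seen here
        # (socket timeouts, connect errors) surface as Java exceptions, and
        # the original relied on catching those as well.
        print("[BREACH] Socket timeout or an error occurred")
        return False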
def createSSLSocket(host, port):
    '''
    Creates SSL Socket
    @types: str, int -> javax.net.ssl.SSLSocket
    '''
    # The "TLS" context is initialised with an empty KeyManager array and a
    # single DefaultTrustManager.  The original comment states the intent is
    # to accept all certificates (even invalid); DefaultTrustManager's own
    # implementation is not visible here, so confirm before relying on that.
    context = SSLContext.getInstance("TLS")
    key_managers = jarray(KeyManager)
    trust_managers = jarray(TrustManager)
    trust_managers.append(DefaultTrustManager())
    context.init(key_managers, trust_managers, SecureRandom())
    # The context's socket factory creates a socket that is already connected
    # to host:port and configured with the factory's socket options.
    socket_factory = context.getSocketFactory()
    return socket_factory.createSocket(host, int(port))
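def __activate__(self, context):
    """Velocity entry point: issue an HS256-signed JWT for the current admin user.

    The app id is the fifth "/"-separated segment of the request URI and
    selects the "authserver/<appId>" configuration (name, sharedKey, aud,
    iss, expiry, logoutUrl).  ``?logout=1`` invalidates the session and
    redirects to logoutUrl instead.  Otherwise a token carrying the user
    name, roles and validity window is signed with the shared key and stored
    in ``self.jws``.  Every failure path records a message in ``self.msg``,
    logs it and returns without raising.

    Args:
        context: the Velocity context; its log, systemConfig, sessionState,
            response, request and page entries are read through ``self.vc``.
    """
    import json  # function-scope: the module's import block is not visible here

    self.velocityContext = context
    self.log = self.vc("log")
    self.systemConfig = self.vc("systemConfig")
    self.session = self.vc("sessionState")
    self.response = self.vc("response")
    self.request = self.vc("request")
    self.msg = ""
    self.appId = None

    uri = URLDecoder.decode(self.request.getAttribute("RequestURI"))
    matches = re.match("^(.*?)/(.*?)/(.*?)/(.*?)/(.*?)$", uri)
    if matches and matches.group(5):
        self.appId = matches.group(5)
    if not self.appId:
        self.msg = "No appId specified"
        self.log.error(self.msg)
        return

    self.log.debug("Getting configuration for: " + self.appId)
    config = self.systemConfig
    self.consumerName = config.getString(None, "authserver", self.appId, "name")
    self.sharedKey = config.getString(None, "authserver", self.appId, "sharedKey")
    self.aud = config.getString(None, "authserver", self.appId, "aud")
    self.iss = config.getString(None, "authserver", self.appId, "iss")
    self.expiry = config.getInteger(None, "authserver", self.appId, "expiry")
    self.logoutUrl = config.getString(None, "authserver", self.appId, "logoutUrl")

    # Logout is handled before the configuration is validated, as before.
    if self.request.getParameter("logout") == "1":
        self.session.invalidate()
        self.response.sendRedirect(self.logoutUrl)
        return

    # Same checks and messages as the original if-chain, in the same order.
    required = (
        (self.consumerName, "Invalid configuration, no app name"),
        (self.sharedKey, "Invalid shared Key"),
        (self.aud, "Invalid aud"),
        (self.iss, "Invalid iss"),
        (self.expiry, "Invalid expiry"),
    )
    for value, message in required:
        if not value:
            self.msg = message
            self.log.error(self.msg)
            return

    # Because we don't trust the configuration
    authentication = self.vc("page").authentication
    current_user = authentication.get_username()
    isAdmin = authentication.is_admin()

    # Admin only...
    if not isAdmin:
        self.msg = "Sorry, this page is only for administrators."
        self.log.error(self.msg)
        return

    # Get the roles...
    roles = ["%s" % (role,) for role in authentication.get_roles_list()]

    # Generating signature...
    dtNow = Date().getTime()
    now = dtNow / 1000
    iat = now
    nbf = now - 1
    exp = now + self.expiry
    secRandom = SecureRandom()
    jti = Long.toString(dtNow) + "_" + Integer.toString(secRandom.nextInt())

    def claim(name, value):
        # Every claim is carried as a JSON string, as before, so consumers
        # expecting string-valued iat/nbf/exp keep working.  json.dumps quotes
        # and escapes the value, so a user name containing '"' or '\' can no
        # longer break the document or smuggle extra claims into it.
        return '"%s":%s' % (name, json.dumps("%s" % (value,)))

    claims = ", ".join([
        claim("iss", self.iss),
        claim("sub", current_user),
        claim("aud", self.aud),
        claim("iat", iat),
        claim("nbf", nbf),
        claim("exp", exp),
        claim("jti", jti),
    ])
    # "typ" is a JSON array of role names.  An empty role list now yields []
    # rather than the [""] the hand-built join produced.
    payload = Payload('{%s, "typ":%s}' % (claims, json.dumps(roles)))

    jwsObject = JWSObject(JWSHeader(JWSAlgorithm.HS256), payload)
    jwsObject.sign(MACSigner(self.sharedKey))
    self.jws = jwsObject.serialize()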
def generateSecretKey(self, keyLength):
    """Return ``keyLength`` random bytes from a fresh java.security.SecureRandom.

    The result is a Java byte array (jarray type 'b'), not a Python str.
    ``self`` is not used.
    """
    key_material = jarray.zeros(keyLength, "b")
    SecureRandom().nextBytes(key_material)
    return key_material
def generateNonce(keyLength):
    """Return ``keyLength`` random bytes encoded as unpadded base64 text.

    The bytes come from a fresh java.security.SecureRandom; the encoding is
    Guava's ``BaseEncoding.base64()`` with padding omitted.
    """
    buf = jarray.zeros(keyLength, "b")
    rng = SecureRandom()
    rng.nextBytes(buf)
    encoder = BaseEncoding.base64().omitPadding()
    return encoder.encode(buf)
def reinit(self):
    """Discard the current generator and start a fresh java.security.SecureRandom."""
    fresh_rng = SecureRandom()
    self.__securerandom = fresh_rng
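def __activate__(self, context):
    """Velocity entry point: issue an HS256-signed JWT for the current admin user.

    The app id is the fifth "/"-separated segment of the request URI and
    selects the "authserver/<appId>" configuration (name, sharedKey, aud,
    iss, expiry, logoutUrl).  ``?logout=1`` invalidates the session and
    redirects to logoutUrl instead.  Otherwise a token carrying the user
    name, roles and validity window is signed with the shared key and stored
    in ``self.jws``.  Every failure path records a message in ``self.msg``,
    logs it and returns without raising.

    Args:
        context: the Velocity context; its log, systemConfig, sessionState,
            response, request and page entries are read through ``self.vc``.
    """
    import json  # function-scope: the module's import block is not visible here

    self.velocityContext = context
    self.log = self.vc("log")
    self.systemConfig = self.vc("systemConfig")
    self.session = self.vc("sessionState")
    self.response = self.vc("response")
    self.request = self.vc("request")
    self.msg = ""
    self.appId = None

    uri = URLDecoder.decode(self.request.getAttribute("RequestURI"))
    matches = re.match("^(.*?)/(.*?)/(.*?)/(.*?)/(.*?)$", uri)
    if matches and matches.group(5):
        self.appId = matches.group(5)
    if not self.appId:
        self.msg = "No appId specified"
        self.log.error(self.msg)
        return

    self.log.debug("Getting configuration for: " + self.appId)
    config = self.systemConfig
    self.consumerName = config.getString(None, "authserver", self.appId, "name")
    self.sharedKey = config.getString(None, "authserver", self.appId, "sharedKey")
    self.aud = config.getString(None, "authserver", self.appId, "aud")
    self.iss = config.getString(None, "authserver", self.appId, "iss")
    self.expiry = config.getInteger(None, "authserver", self.appId, "expiry")
    self.logoutUrl = config.getString(None, "authserver", self.appId, "logoutUrl")

    # Logout is handled before the configuration is validated, as before.
    if self.request.getParameter("logout") == "1":
        self.session.invalidate()
        self.response.sendRedirect(self.logoutUrl)
        return

    # Same checks and messages as the original if-chain, in the same order.
    required = (
        (self.consumerName, "Invalid configuration, no app name"),
        (self.sharedKey, "Invalid shared Key"),
        (self.aud, "Invalid aud"),
        (self.iss, "Invalid iss"),
        (self.expiry, "Invalid expiry"),
    )
    for value, message in required:
        if not value:
            self.msg = message
            self.log.error(self.msg)
            return

    # Because we don't trust the configuration
    authentication = self.vc("page").authentication
    current_user = authentication.get_username()
    isAdmin = authentication.is_admin()

    # Admin only...
    if not isAdmin:
        self.msg = "Sorry, this page is only for administrators."
        self.log.error(self.msg)
        return

    # Get the roles...
    roles = ["%s" % (role,) for role in authentication.get_roles_list()]

    # Generating signature...
    dtNow = Date().getTime()
    now = dtNow / 1000
    iat = now
    nbf = now - 1
    exp = now + self.expiry
    secRandom = SecureRandom()
    jti = Long.toString(dtNow) + "_" + Integer.toString(secRandom.nextInt())

    def claim(name, value):
        # Every claim is carried as a JSON string, as before, so consumers
        # expecting string-valued iat/nbf/exp keep working.  json.dumps quotes
        # and escapes the value, so a user name containing '"' or '\' can no
        # longer break the document or smuggle extra claims into it.
        return '"%s":%s' % (name, json.dumps("%s" % (value,)))

    claims = ", ".join([
        claim("iss", self.iss),
        claim("sub", current_user),
        claim("aud", self.aud),
        claim("iat", iat),
        claim("nbf", nbf),
        claim("exp", exp),
        claim("jti", jti),
    ])
    # "typ" is a JSON array of role names.  An empty role list now yields []
    # rather than the [""] the hand-built join produced.
    payload = Payload('{%s, "typ":%s}' % (claims, json.dumps(roles)))

    jwsObject = JWSObject(JWSHeader(JWSAlgorithm.HS256), payload)
    jwsObject.sign(MACSigner(self.sharedKey))
    self.jws = jwsObject.serialize()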