def _load(self):
if self._loaded:
return
self._loaded = True
if self.location.is_dir():
for file in self.location.glob("*"):
with open(str(file), "rb") as f:
self.extend(Certificate.from_pems(f.read()))
else:
with open(str(self.location), "rb") as f:
self.extend(Certificate.from_pems(f.read()))
def _load(self):
if self._loaded:
return
self._loaded = True
for file in self.location.glob("*"):
with open(str(file), "rb") as f:
self.append(Certificate.from_pem(f.read()))
def test_to_string_with_commas(self):
with open(
str(CERTIFICATE_LOCATION /
"Verisign Time Stamping Service Root.pem"), "rb") as f:
certificate = Certificate.from_pem(f.read())
self.assertEqual(
certificate.issuer.dn,
r"OU=NO LIABILITY ACCEPTED\, (c)97 VeriSign\, Inc., OU=VeriSign Time Stamping Service Root, "
r"OU=VeriSign\, Inc., O=VeriSign Trust Network")
def test_to_string(self):
with open(
str(CERTIFICATE_LOCATION /
"Microsoft Root Certificate Authority 2010.pem"),
"rb") as f:
certificate = Certificate.from_pem(f.read())
self.assertEqual(
certificate.issuer.dn,
"CN=Microsoft Root Certificate Authority 2010, O=Microsoft Corporation, "
"L=Redmond, ST=Washington, C=US")
def _parse(self):
# digestAlgorithms
if len(self.data['digestAlgorithms']) != 1:
raise ParseError(
"SignedData.digestAlgorithms must contain exactly 1 algorithm, not %d"
% len(self.data['digestAlgorithms']))
self.digest_algorithm = _get_digest_algorithm(
self.data['digestAlgorithms'][0], "SignedData.digestAlgorithm")
# contentType
if isinstance(self.data, rfc2315.SignedData):
self.content_type = asn1.oids.get(
self.data['contentInfo']['contentType'])
content = self.data['contentInfo']['content']
elif isinstance(self.data, rfc5652.SignedData):
self.content_type = asn1.oids.get(
self.data['encapContentInfo']['eContentType'])
content = self.data['encapContentInfo']['eContent']
else:
raise ParseError("Unknown SignedData data type {}".format(
_print_type(self.data)))
if self.content_type is not self._expected_content_type:
raise ParseError("SignedData.contentInfo does not contain %s" %
_print_type(self._expected_content_type))
# Content
self.content = guarded_ber_decode(
content, asn1_spec=self._expected_content_type())
# Certificates
self.certificates = CertificateStore([
Certificate(cert) for cert in self.data['certificates']
if Certificate.is_certificate(cert)
])
# SignerInfo
if self._signerinfo_class is not None:
self.signer_infos = [
self._signerinfo_class(si) for si in self.data['signerInfos']
]
def test_get_components(self):
with open(
str(CERTIFICATE_LOCATION /
"Verisign Time Stamping Service Root.pem"), "rb") as f:
certificate = Certificate.from_pem(f.read())
result = list(certificate.issuer.get_components("OU"))
self.assertEqual(result, [
"NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.",
"VeriSign Time Stamping Service Root", "VeriSign, Inc."
])
self.assertEqual(list(certificate.issuer.get_components("CN")), [])
def test_get_components_none(self):
with open(
str(CERTIFICATE_LOCATION /
"Verisign Time Stamping Service Root.pem"), "rb") as f:
certificate = Certificate.from_pem(f.read())
result = certificate.issuer.rdns
self.assertEqual(
result, [('OU', 'NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.'),
('OU', 'VeriSign Time Stamping Service Root'),
('OU', 'VeriSign, Inc.'),
('O', 'VeriSign Trust Network')])
def _parse(self):
# digestAlgorithms
if len(self.data['digestAlgorithms']) != 1:
raise AuthenticodeParseError(
"RFC3161 SignedData.digestAlgorithms must contain exactly 1 algorithm, not "
"%d" % len(self.data['digestAlgorithms']))
self.digest_algorithm = _get_digest_algorithm(
self.data['digestAlgorithms'][0], "SignedData.digestAlgorithm")
# Get the tst_info
self.content_type = asn1.oids.get(
self.data['encapContentInfo']['eContentType'])
if self.content_type is not rfc3161.TSTInfo:
raise AuthenticodeParseError(
"RFC3161 SignedData.contentInfo does not contain TSTInfo")
self.tst_info = guarded_der_decode(
self.data['encapContentInfo']['eContent'],
asn1_spec=rfc3161.TSTInfo())
if self.tst_info['version'] != 1:
raise AuthenticodeParseError("TSTInfo.version must be 1, not %d" %
self.data['version'])
self.policy = self.tst_info['policy'] # TODO
self.hash_algorithm = _get_digest_algorithm(
self.tst_info['messageImprint']['hashAlgorithm'],
location="TSTInfo.messageImprint.hashAlgorithm")
self.message_digest = bytes(
self.tst_info['messageImprint']['hashedMessage'])
self.serial_number = self.tst_info['serialNumber']
self.signing_time = self.tst_info['genTime'].asDateTime
self.signing_time_accuracy = accuracy_to_python(
self.tst_info['accuracy'])
# TODO handle case where directoryName is not a rdnSequence
self.signing_authority = CertificateName(
self.tst_info['tsa']['directoryName']['rdnSequence'])
# Certificates
self.certificates = CertificateStore(
[Certificate(cert) for cert in self.data['certificates']])
# signerInfos
if len(self.data['signerInfos']) != 1:
raise AuthenticodeParseError(
"RFC3161 SignedData.signerInfos must contain exactly 1 signer, not %d"
% len(self.data['signerInfos']))
self.signer_info = RFC3161SignerInfo(self.data['signerInfos'][0])
def _parse(self):
# Parse the fields of the SignedData structure
if self.data['version'] != 1:
raise AuthenticodeParseError(
"SignedData.version must be 1, not %d" % self.data['version'])
# digestAlgorithms
if len(self.data['digestAlgorithms']) != 1:
raise AuthenticodeParseError(
"SignedData.digestAlgorithms must contain exactly 1 algorithm, not %d"
% len(self.data['digestAlgorithms']))
self.digest_algorithm = _get_digest_algorithm(
self.data['digestAlgorithms'][0], "SignedData.digestAlgorithm")
# SpcIndirectDataContent
self.content_type = asn1.oids.get(
self.data['contentInfo']['contentType'])
if self.content_type is not asn1.spc.SpcIndirectDataContent:
raise AuthenticodeParseError(
"SignedData.contentInfo does not contain SpcIndirectDataContent"
)
spc_info = guarded_ber_decode(
self.data['contentInfo']['content'],
asn1_spec=asn1.spc.SpcIndirectDataContent())
self.spc_info = SpcInfo(spc_info)
# Certificates
self.certificates = CertificateStore(
[Certificate(cert) for cert in self.data['certificates']])
# signerInfos
if len(self.data['signerInfos']) != 1:
raise AuthenticodeParseError(
"SignedData.signerInfos must contain exactly 1 signer, not %d"
% len(self.data['signerInfos']))
self.signer_info = AuthenticodeSignerInfo(self.data['signerInfos'][0])
# CRLs
if 'crls' in self.data and self.data['crls'].isValue:
raise AuthenticodeParseError(
"SignedData.crls is present, but that is unexpected.")
def test_revoked_certificate(self):
root = FileSystemCertificateStore(root_dir / "certs" /
'digicert-global-root-ca.pem',
trusted=True)
intermediate = FileSystemCertificateStore(
root_dir / "certs" / 'digicert-sha2-secure-server-ca.pem')
with open(str(root_dir / "certs" / 'revoked.badssl.com.pem'),
"rb") as f:
cert = Certificate.from_pem(f.read())
# check that when we do not verify the CRL it does not fail
context = VerificationContext(root, intermediate)
context.verify(cert)
context = VerificationContext(root,
intermediate,
allow_fetching=True,
revocation_mode='hard-fail')
with self.assertRaises(VerificationError):
context.verify(cert)