def test_build_basic_request(self):
issuer_cert = asymmetric.load_certificate(
os.path.join(fixtures_dir, 'test.crt'))
subject_cert = asymmetric.load_certificate(
os.path.join(fixtures_dir, 'test-inter.crt'))
builder = OCSPRequestBuilder(subject_cert, issuer_cert)
ocsp_request = builder.build()
der_bytes = ocsp_request.dump()
new_request = asn1crypto.ocsp.OCSPRequest.load(der_bytes)
tbs_request = new_request['tbs_request']
self.assertEqual(None, new_request['optional_signature'].native)
self.assertEqual('v1', tbs_request['version'].native)
self.assertEqual(None, tbs_request['requestor_name'].native)
self.assertEqual(1, len(tbs_request['request_list']))
request = tbs_request['request_list'][0]
self.assertEqual(
'sha1', request['req_cert']['hash_algorithm']['algorithm'].native)
self.assertEqual(issuer_cert.asn1.subject.sha1,
request['req_cert']['issuer_name_hash'].native)
self.assertEqual(issuer_cert.asn1.public_key.sha1,
request['req_cert']['issuer_key_hash'].native)
self.assertEqual(subject_cert.asn1.serial_number,
request['req_cert']['serial_number'].native)
self.assertEqual(0, len(request['single_request_extensions']))
self.assertEqual(1, len(tbs_request['request_extensions']))
extn = tbs_request['request_extensions'][0]
self.assertEqual('nonce', extn['extn_id'].native)
self.assertEqual(16, len(extn['extn_value'].parsed.native))
def ocsp_validation(self, subject_cert, issuer_cert):
ocsp_link = self.get_ocsp_link(subject_cert)
subject_cert = asymmetric.load_certificate(
crypto.dump_certificate(
crypto.FILETYPE_ASN1,
subject_cert
)
)
issuer_cert = asymmetric.load_certificate(
crypto.dump_certificate(
crypto.FILETYPE_ASN1,
issuer_cert
))
builder = OCSPRequestBuilder(subject_cert, issuer_cert)
ocsp_request = builder.build()
flag = False
for x in range(1,3):
try:
r = requests.post(
ocsp_link,
data = ocsp_request.dump(),
headers={"Content-Type": "application/ocsp-request"}
)
resposta = asn1crypto.ocsp.OCSPResponse.load(r.content)
break
except Exception as e:
print("failed OCSP {0} times".format(x))
return "good" == resposta['response_bytes']['response'].parsed['tbs_response_data']["responses"][0]["cert_status"].name
def test_build_signed_request(self):
issuer_cert = asymmetric.load_certificate(os.path.join(fixtures_dir, "test.crt"))
subject_cert = asymmetric.load_certificate(os.path.join(fixtures_dir, "test-inter.crt"))
requestor_cert = asymmetric.load_certificate(os.path.join(fixtures_dir, "test-third.crt"))
requestor_key = asymmetric.load_private_key(os.path.join(fixtures_dir, "test-third.key"))
builder = OCSPRequestBuilder(subject_cert, issuer_cert)
ocsp_request = builder.build(requestor_key, requestor_cert, [subject_cert, issuer_cert])
der_bytes = ocsp_request.dump()
new_request = asn1crypto.ocsp.OCSPRequest.load(der_bytes)
tbs_request = new_request["tbs_request"]
signature = new_request["optional_signature"]
self.assertEqual("sha256", signature["signature_algorithm"].hash_algo)
self.assertEqual("rsassa_pkcs1v15", signature["signature_algorithm"].signature_algo)
self.assertEqual(3, len(signature["certs"]))
self.assertEqual("v1", tbs_request["version"].native)
self.assertEqual(requestor_cert.asn1.subject, tbs_request["requestor_name"].chosen)
self.assertEqual(1, len(tbs_request["request_list"]))
request = tbs_request["request_list"][0]
self.assertEqual("sha1", request["req_cert"]["hash_algorithm"]["algorithm"].native)
self.assertEqual(issuer_cert.asn1.subject.sha1, request["req_cert"]["issuer_name_hash"].native)
self.assertEqual(issuer_cert.asn1.public_key.sha1, request["req_cert"]["issuer_key_hash"].native)
self.assertEqual(subject_cert.asn1.serial_number, request["req_cert"]["serial_number"].native)
self.assertEqual(0, len(request["single_request_extensions"]))
self.assertEqual(1, len(tbs_request["request_extensions"]))
extn = tbs_request["request_extensions"][0]
self.assertEqual("nonce", extn["extn_id"].native)
self.assertEqual(16, len(extn["extn_value"].parsed.native))
def test_build_basic_request(self):
issuer_cert = asymmetric.load_certificate(os.path.join(fixtures_dir, "test.crt"))
subject_cert = asymmetric.load_certificate(os.path.join(fixtures_dir, "test-inter.crt"))
builder = OCSPRequestBuilder(subject_cert, issuer_cert)
ocsp_request = builder.build()
der_bytes = ocsp_request.dump()
new_request = asn1crypto.ocsp.OCSPRequest.load(der_bytes)
tbs_request = new_request["tbs_request"]
self.assertEqual(None, new_request["optional_signature"].native)
self.assertEqual("v1", tbs_request["version"].native)
self.assertEqual(None, tbs_request["requestor_name"].native)
self.assertEqual(1, len(tbs_request["request_list"]))
request = tbs_request["request_list"][0]
self.assertEqual("sha1", request["req_cert"]["hash_algorithm"]["algorithm"].native)
self.assertEqual(issuer_cert.asn1.subject.sha1, request["req_cert"]["issuer_name_hash"].native)
self.assertEqual(issuer_cert.asn1.public_key.sha1, request["req_cert"]["issuer_key_hash"].native)
self.assertEqual(subject_cert.asn1.serial_number, request["req_cert"]["serial_number"].native)
self.assertEqual(0, len(request["single_request_extensions"]))
self.assertEqual(1, len(tbs_request["request_extensions"]))
extn = tbs_request["request_extensions"][0]
self.assertEqual("nonce", extn["extn_id"].native)
self.assertEqual(16, len(extn["extn_value"].parsed.native))
def get_ocsp_status(self,cert,is_cert,cert_url,is_cert_url):
t0 = time.clock()
#print "Issuer Certificate is >> %s" %(is_cert_name)
c = OpenSSL.crypto
if not isinstance(cert, c.X509) or not isinstance(is_cert, c.X509):
return False
id_cert_buf = c.dump_certificate(c.FILETYPE_PEM, cert)
issuer_cert_buf = c.dump_certificate(c.FILETYPE_PEM, is_cert)
# with open(cert_name,"rb") as f:
# id_cert_buf = f.read()
# with open(is_cert_name,"rb") as f:
# issuer_cert_buf = f.read()
id_cert = asymmetric.load_certificate(id_cert_buf)
issuer_cert = asymmetric.load_certificate(issuer_cert_buf)
builder = OCSPRequestBuilder(id_cert, issuer_cert)
ocsp_request = builder.build()
ocsp_req_dump = ocsp_request.dump()
cert_ocsp_url = cert_url
is_ocsp_url = is_cert_url
resp = requests.post(cert_ocsp_url, ocsp_req_dump)
ocsp_response = resp.content
ocspResponse = OCSPResponse()
basicOcspResponse = BasicOCSPResponse()
decoded_resp = der_decoder.decode(ocsp_response, asn1Spec=ocspResponse)
for resp in decoded_resp:
if isinstance(resp, OCSPResponse):
ocsp_response_status = resp.getComponentByName('responseStatus')
ocsp_resp_bytes = resp.getComponentByName('responseBytes')
ocsp_resp = ocsp_resp_bytes.getComponentByName('response')
basic_ocsp_response, _ = der_decoder.decode(ocsp_resp, asn1Spec=basicOcspResponse)
tbs_response_data = basic_ocsp_response.getComponentByName('tbsResponseData')
responses = tbs_response_data.getComponentByName('responses')
for response in responses:
serial_no = response.getComponentByName('certID').getComponentByName('serialNumber')
#print str(serial_no)
#print response.getComponentByName('certStatus').getName()
print time.clock() - t0
if response.getComponentByName('certStatus').getName() == "good":
return True
else:
return False
def isRevoked(url, rawCert):
subject_cert = asymmetric.load_certificate(base64.b64decode(rawCert))
builder = OCSPRequestBuilder(subject_cert, issuerCerts[url])
ocsp_request = builder.build()
url = urlparse(url)
headers = {}
conn = httplib.HTTPConnection(url.netloc)
conn.request("POST", url.path, ocsp_request.dump(), headers)
res = conn.getresponse().read()
ocspResponseClass = ocsp.OCSPResponse.load(res)
return (ocspResponseClass.response_data['responses'][0]['cert_status'].name != 'good')
def verifycert(certificate,store,server=False):
# Load do cert ja feito
# DO OCSP para ver as crl
if server == False:
cert = oscrypto.load_certificate(openssl.dump_certificate(openssl.FILETYPE_ASN1, certificate))
issuer_cert = oscrypto.load_certificate(getIssuer(certificate))
ocsp_builder = OCSPRequestBuilder(cert, issuer_cert)
ocsp_request = ocsp_builder.build().dump()
CN = certificate.get_subject().commonName
if CN in ('Baltimore CyberTrust Root', 'ECRaizEstado'):
url = 'http://ocsp.omniroot.com/baltimoreroot/'
elif CN[:-4] == 'Cartao de Cidadao':
url = 'http://ocsp.ecee.gov.pt/'
elif CN[:-5] == 'EC de Autenticacao do Cartao de Cidadao':
url = 'http://ocsp.root.cartaodecidadao.pt/publico/ocsp'
else:
url = 'http://ocsp.auc.cartaodecidadao.pt/publico/ocsp'
http_req = urllib2.Request(
url,
data=ocsp_request,
headers={'Content-Type': 'application/ocsp-request'}
)
http = urllib2.urlopen(http_req)
ocsp_response = http.read()
ocsp_response = asn1crypto.ocsp.OCSPResponse.load(ocsp_response)
response_data = ocsp_response.basic_ocsp_response['tbs_response_data']
cert_response = response_data['responses'][0]
#print cert_response['cert_status'].name
if cert_response['cert_status'].name != 'good':
return False
try:
certV = openssl.X509StoreContext(store, certificate)
certV.verify_certificate()
except:
return False
return True
def test_build_signed_request(self):
issuer_cert = asymmetric.load_certificate(
os.path.join(fixtures_dir, 'test.crt'))
subject_cert = asymmetric.load_certificate(
os.path.join(fixtures_dir, 'test-inter.crt'))
requestor_cert = asymmetric.load_certificate(
os.path.join(fixtures_dir, 'test-third.crt'))
requestor_key = asymmetric.load_private_key(
os.path.join(fixtures_dir, 'test-third.key'))
builder = OCSPRequestBuilder(subject_cert, issuer_cert)
ocsp_request = builder.build(requestor_key, requestor_cert,
[subject_cert, issuer_cert])
der_bytes = ocsp_request.dump()
new_request = asn1crypto.ocsp.OCSPRequest.load(der_bytes)
tbs_request = new_request['tbs_request']
signature = new_request['optional_signature']
self.assertEqual('sha256', signature['signature_algorithm'].hash_algo)
self.assertEqual('rsassa_pkcs1v15',
signature['signature_algorithm'].signature_algo)
self.assertEqual(3, len(signature['certs']))
self.assertEqual('v1', tbs_request['version'].native)
self.assertEqual(requestor_cert.asn1.subject,
tbs_request['requestor_name'].chosen)
self.assertEqual(1, len(tbs_request['request_list']))
request = tbs_request['request_list'][0]
self.assertEqual(
'sha1', request['req_cert']['hash_algorithm']['algorithm'].native)
self.assertEqual(issuer_cert.asn1.subject.sha1,
request['req_cert']['issuer_name_hash'].native)
self.assertEqual(issuer_cert.asn1.public_key.sha1,
request['req_cert']['issuer_key_hash'].native)
self.assertEqual(subject_cert.asn1.serial_number,
request['req_cert']['serial_number'].native)
self.assertEqual(0, len(request['single_request_extensions']))
self.assertEqual(1, len(tbs_request['request_extensions']))
extn = tbs_request['request_extensions'][0]
self.assertEqual('nonce', extn['extn_id'].native)
self.assertEqual(16, len(extn['extn_value'].parsed.native))
def validateCert(store, cert, server=False):
if not server:
issuer = getIssuerCertificate(cert)
subject_cert = asymmetric.load_certificate(dumpCertificate(
cert, False))
issuer_cert = asymmetric.load_certificate(
dumpCertificate(issuer, False))
builder = OCSPRequestBuilder(subject_cert, issuer_cert)
ocsp_request_der = builder.build().dump()
cert_name = cert.get_subject().commonName
if cert_name in ('Baltimore CyberTrust Root', 'ECRaizEstado'):
ocsp_url = 'http://ocsp.omniroot.com/baltimoreroot/'
elif cert_name[:-4] == 'Cartao de Cidadao':
ocsp_url = 'http://ocsp.ecee.gov.pt/'
elif cert_name[:-5] == 'EC de Autenticacao do Cartao de Cidadao':
ocsp_url = 'http://ocsp.root.cartaodecidadao.pt/publico/ocsp'
else:
ocsp_url = 'http://ocsp.auc.cartaodecidadao.pt/publico/ocsp'
http_req = urllib2.Request(
ocsp_url,
data=ocsp_request_der,
headers={'Content-Type': 'application/ocsp-request'})
http = urllib2.urlopen(http_req)
ocsp_response_der = http.read()
ocsp_response = asn1crypto.ocsp.OCSPResponse.load(ocsp_response_der)
response_data = ocsp_response.basic_ocsp_response['tbs_response_data']
cert_response = response_data['responses'][0]
if cert_response['cert_status'].name != 'good':
return False
context_store = openssl.X509StoreContext(store, cert)
try:
context_store.verify_certificate()
return True
except:
return False
def create_ocsp_request(cert, issuer):
"""Takes a certificate and the issuing certificate in oscrypto._openssl.asymmetric.Certificate format and creates
an OCSP request body. """
builder = OCSPRequestBuilder(cert, issuer)
return builder.build().dump()
id_cert_buf = open(id_cert_path, 'r').read()
issuer_cert_buf = open(issuer_cert_path, 'r').read()
id_cert = asymmetric.load_certificate(id_cert_buf)
issuer_cert = asymmetric.load_certificate(issuer_cert_buf)
id_cert_filebuf = open(id_cert_path, 'r').read()
id_cert_x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, id_cert_filebuf)
#print dir(id_cert_x509)
#print id_cert_x509.get_serial_number()
id_cert_serial_number = format(id_cert_x509.get_serial_number(), 'x')
print "Checking OCSP status for cert : " + id_cert_serial_number
print '\n'
builder = OCSPRequestBuilder(id_cert, issuer_cert)
ocsp_request = builder.build()
#print type(ocsp_request)
ocsp_req_dump = ocsp_request.dump()
with open('ocsp_request_citi.der', 'wb') as f:
f.write(ocsp_request.dump())
ocsp_request_file_contents = open('ocsp_request.der', 'r').read()
#import httplib
ocsp_url = 'http://clients1.google.com/ocsp'
ocsp_url_citi = 'http://sr.symcd.com'
