def test_verify_with_add_crls(self):
ca = X509.load_cert("tests/crl_data/certs/revoking_ca.pem")
valid_cert = X509.load_cert('tests/crl_data/certs/valid_cert.pem')
revoked_cert = X509.load_cert('tests/crl_data/certs/revoked_cert.pem')
crl = X509.load_crl('tests/crl_data/certs/revoking_crl.pem')
# Verify that a good cert is verified OK
store = X509.X509_Store()
store.add_x509(ca)
store.set_flags(X509.m2.X509_V_FLAG_CRL_CHECK |
X509.m2.X509_V_FLAG_CRL_CHECK_ALL)
crl_stack = X509.CRL_Stack()
crl_stack.push(crl)
store_ctx = X509.X509_Store_Context()
store_ctx.init(store, valid_cert)
store_ctx.add_crls(crl_stack)
self.assertTrue(store_ctx.verify_cert())
# Verify that a revoked cert is not verified
store = X509.X509_Store()
store.add_x509(ca)
store.set_flags(X509.m2.X509_V_FLAG_CRL_CHECK |
X509.m2.X509_V_FLAG_CRL_CHECK_ALL)
crl_stack = X509.CRL_Stack()
crl_stack.push(crl)
store_ctx = X509.X509_Store_Context()
store_ctx.init(store, revoked_cert)
store_ctx.add_crls(crl_stack)
self.assertFalse(store_ctx.verify_cert())
def test_with_incomplete_chain_file(self):
test_cert = X509.load_cert(TEST_CERT)
store = X509.X509_Store()
self.assertEquals(store.load_info(SUB_CA), 1)
store_ctx = X509.X509_Store_Context()
store_ctx.init(store, test_cert)
self.assertFalse(store_ctx.verify_cert())
def verify_signature_block(certificate_file, content, signature):
"""
Verifies the 'signature' over the 'content', trusting the
'certificate'.
:param certificate_file: the trusted certificate (PEM format)
:type certificate_file: str
:param content: The signature should match this content
:type content: str
:param signature: data (DER format) subject to check
:type signature: str
:return None if the signature validates.
:exception SignatureBlockVerificationError
"""
sig_bio = BIO.MemoryBuffer(signature)
pkcs7 = SMIME.PKCS7(m2.pkcs7_read_bio_der(sig_bio._ptr()), 1)
signers_cert_stack = pkcs7.get0_signers(X509.X509_Stack())
trusted_cert_store = X509.X509_Store()
trusted_cert_store.set_verify_cb(ignore_missing_email_protection_eku_cb)
trusted_cert_store.load_info(certificate_file)
smime = SMIME.SMIME()
smime.set_x509_stack(signers_cert_stack)
smime.set_x509_store(trusted_cert_store)
data_bio = BIO.MemoryBuffer(content)
try:
smime.verify(pkcs7, data_bio)
except SMIME.PKCS7_Error as message:
raise SignatureBlockVerificationError(message)
else:
return None
def verify_payload(msg, raw_sig, cert, ca_cert, verify_cert):
# Load the public certificate of the signer
signer = SMIME.SMIME()
signer_key = X509.X509_Stack()
signer_key.push(X509.load_cert(cert))
signer.set_x509_stack(signer_key)
signer_store = X509.X509_Store()
signer_store.load_info(ca_cert)
signer.set_x509_store(signer_store)
# Extract the pkcs7 signature and the data
if raw_sig:
raw_sig.strip()
sig = "-----BEGIN PKCS7-----\n%s\n-----END PKCS7-----\n" % raw_sig.replace('\r\n', '\n')
p7 = SMIME.load_pkcs7_bio(BIO.MemoryBuffer(sig))
data_bio = BIO.MemoryBuffer(msg)
else:
p7, data_bio = SMIME.smime_load_pkcs7_bio(BIO.MemoryBuffer(msg))
# Verify the signature against the message
if verify_cert:
signer.verify(p7, data_bio)
else:
# Don't verify the signer certificate if this flag is set
signer.verify(p7, data_bio, SMIME.PKCS7_NOVERIFY)
def decrypt_verify(p7file, recip_key, signer_cert, ca_cert):
s = SMIME.SMIME()
# Load decryption private key.
s.load_key(recip_key)
# Extract PKCS#7 blob from input.
p7, bio = SMIME.smime_load_pkcs7_bio(p7file)
# Decrypt.
data = s.decrypt(p7)
# Because we passed in a SignAndEnveloped blob, the output
# of our decryption is a Signed blob. We now verify it.
# Load the signer's cert.
sk = X509.X509_Stack()
s.set_x509_stack(sk)
# Load the CA cert.
st = X509.X509_Store()
st.load_info(ca_cert)
s.set_x509_store(st)
# Verify.
p7, bio = SMIME.smime_load_pkcs7_bio(BIO.MemoryBuffer(data))
if bio is not None:
# Netscape Messenger clear-signs, when also encrypting.
data = s.verify(p7, bio)
else:
# M2Crypto's sendsmime.py opaque-signs, when also encrypting.
data = s.verify(p7)
print data
def test_verify_with_static_callback(self):
s = SMIME.SMIME()
x509 = X509.load_cert('tests/signer.pem')
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
st = X509.X509_Store()
st.load_info('tests/ca.pem')
st.set_verify_cb(verify_cb_rejects_cert_from_heikki_toivonen)
s.set_x509_store(st)
p7, data = SMIME.smime_load_pkcs7_bio(self.signed)
self.assertIsInstance(p7, SMIME.PKCS7, p7)
# Should reject certificate issued by Heikki Toivonen:
with self.assertRaises(SMIME.PKCS7_Error):
s.verify(p7, data)
st.set_verify_cb(verify_cb_dummy_function)
v = s.verify(p7, data)
self.assertEqual(v, self.cleartext)
st.set_verify_cb()
v = s.verify(p7, data)
self.assertEqual(v, self.cleartext)
def plist_from_pkcs7(pkcs7):
"""Extract a plist from PKCS7 encoded data."""
# DEP request
# base64 encode the DER data, and wrap in a PEM-ish format for SMIME.load_pkcs7_bio()
req_data = base64_to_pem('PKCS7', pkcs7)
p7_bio = BIO.MemoryBuffer(str(req_data))
pkcs7 = SMIME.load_pkcs7_bio(p7_bio)
p7_signers = pkcs7.get0_signers(X509.X509_Stack())
signer = SMIME.SMIME()
signer.set_x509_store(X509.X509_Store())
signer.set_x509_stack(p7_signers)
# TODO/XXX: not verifying ANY certificates!
#
# spec says we should verify against the "Apple Root CA" and that this
# CMS message contains all intermediates to do that verification.
# M2Crypto has no way to get at all the intermediate certificates to
# do this manually we'd need to extract all of the certificates and
# verify the chain aginst it. Note as of 2016-03-14 on a brand new
# iPad Apple was including an expired certificate in this chain. Note
# also that at least one of the intermediate certificates had a
# certificate purpose apparently not appropraite for CMS/SMIME
# verification. For now just verify with no CA and skip any
# verification.
plist_text = signer.verify(pkcs7, None, flags=SMIME.PKCS7_NOVERIFY)
plist = plistlib.readPlistFromString(plist_text)
return plist
def verify_signature_block(certificate_file, content_file, signature):
"""Verifies the 'signature' over the 'content', trusting the 'certificate'.
:param certificate_file: the trusted certificate (PEM format)
:type certificate_file: str
:param content_file: The signature should match this content
:type content_file: str
:param signature: data (DER format) subject to check
:type signature: str
:return: Error message, or None if the signature validates.
:rtype: str
"""
sig_bio = BIO.MemoryBuffer(signature)
pkcs7 = SMIME.PKCS7(m2.pkcs7_read_bio_der(sig_bio._ptr()), 1)
signers_cert_stack = pkcs7.get0_signers(X509.X509_Stack())
trusted_cert_store = X509.X509_Store()
trusted_cert_store.load_info(certificate_file)
smime = SMIME.SMIME()
smime.set_x509_stack(signers_cert_stack)
smime.set_x509_store(trusted_cert_store)
data_bio = BIO.openfile(content_file)
try:
smime.verify(pkcs7, data_bio)
except SMIME.PKCS7_Error, message:
return "Signature verification error: %s" % message
def decrypt_and_verify(self):
# Instantiate an SMIME object.
s = SMIME.SMIME()
# Load private key and cert.
s.load_key(recipient_key, recipient_cert)
# Load the signed/encrypted data.
p7, data = SMIME.smime_load_pkcs7('smime-m2-sign-encrypt.txt')
# After the above step, 'data' == None.
# Decrypt p7. 'out' now contains a PKCS #7 signed blob.
out = s.decrypt(p7)
# Load the signer's cert.
x509 = X509.load_cert(signer_cert)
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
# Load the signer's CA cert.
st = X509.X509_Store()
st.load_info(ca_cert)
s.set_x509_store(st)
# Recall 'out' contains a PKCS #7 blob.
# Transform 'out'; verify the resulting PKCS #7 blob.
p7_bio = BIO.MemoryBuffer(out)
p7, data = SMIME.smime_load_pkcs7_bio(p7_bio)
v = s.verify(p7)
print v
def verify_mdm_signature(mdm_sig, req_data):
'''Verify the client's supplied MDM signature and return the client certificate included in the signature.'''
p7_bio = BIO.MemoryBuffer(str(mdm_sig))
p7 = SMIME.load_pkcs7_bio(p7_bio)
p7_signers = p7.get0_signers(X509.X509_Stack())
mdm_ca = get_ca()
# can probably directly use m2 certificate here
ca_x509_bio = BIO.MemoryBuffer(mdm_ca.get_cacert().to_pem())
ca_x509 = X509.load_cert_bio(ca_x509_bio)
cert_store = X509.X509_Store()
cert_store.add_x509(ca_x509)
signer = SMIME.SMIME()
signer.set_x509_store(cert_store)
signer.set_x509_stack(p7_signers)
# NOTE: may need to do something special if we can't cleanly convert
# to string from Unicode. must be byte-accurate as the signature won't
# match otherwise
data_bio = BIO.MemoryBuffer(req_data)
# will raise an exception if verification fails
# if no CA certificate we get an:
# PKCS7_Error: certificate verify error
signer.verify(p7, data_bio)
return p7_signers[0].as_pem()
def sv():
print 'test sign/verify...',
buf = makebuf()
s = SMIME.SMIME()
# Load a private key.
s.load_key('client.pem')
# Sign.
p7 = s.sign(buf, SMIME.PKCS7_DETACHED)
# Output the stuff.
buf = makebuf() # Recreate buf, because sign() has consumed it.
bio = BIO.MemoryBuffer()
s.write(bio, p7, buf)
# Plumbing for verification: CA's cert.
st = X509.X509_Store()
st.load_info('ca.pem')
s.set_x509_store(st)
# Plumbing for verification: Signer's cert.
x509 = X509.load_cert('client.pem')
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
# Verify.
p7, buf = SMIME.smime_load_pkcs7_bio(bio)
v = s.verify(p7, buf, flags=SMIME.PKCS7_DETACHED)
if v:
print 'ok'
else:
print 'not ok'
def verify(certificate_path, ca_certificate_path, sign_request_path, output):
certificate = None
try:
certificate = X509.load_cert(certificate_path)
except (X509.X509Error, IOError):
print('ERROR verify: Could not load certificate for verifying')
exit(1)
smime = SMIME.SMIME()
stack = X509.X509_Stack()
stack.push(certificate)
smime.set_x509_stack(stack)
store = X509.X509_Store()
store.load_info(ca_certificate_path)
smime.set_x509_store(store)
pks7, data = SMIME.smime_load_pkcs7(sign_request_path)
clear_text = smime.verify(pks7, data)
if not output:
output = path.abspath(path.curdir) + '/%s.csr' % DEFAULT_FIELDS['CN']
if clear_text:
request = X509.load_request_string(clear_text)
request.save(output)
print('Verification OK')
print('Request file was saved to %s' % output)
else:
print('Verification failed')
def test_with_single_chain_file(self):
test_cert = X509.load_cert(TEST_CERT)
store = X509.X509_Store()
self.assertEquals(store.load_info(CA_CHAIN), 1)
store_ctx = X509.X509_Store_Context()
store_ctx.init(store, test_cert)
self.assertTrue(store_ctx.verify_cert())
def get_cert_store(self):
"""
Get the certificate store associated with this context.
@warning: The store is NOT refcounted, and as such can not be relied
to be valid once the context goes away or is changed.
"""
return X509.X509_Store(m2.ssl_ctx_get_cert_store(self.ctx))
def is_certificate_descended_from(self, user_cert, ca_file_name):
"""
tests if the certificate was issued by the passed in certificate authority
"""
store = X509.X509_Store()
store.add_x509(X509.load_cert(CERTIFICATE_PATH + ca_file_name))
x509 = X509.load_cert_string(user_cert)
return store.verify_cert(x509)
def test_verify_cert(self):
# Test with the CA that signed tests/x509.pem
ca = X509.load_cert('tests/ca.pem')
cert = X509.load_cert('tests/x509.pem')
store = X509.X509_Store()
store.add_x509(ca)
store_ctx = X509.X509_Store_Context()
store_ctx.init(store, cert)
self.assertTrue(store_ctx.verify_cert())
# Test with the wrong CA, this CA did not sign tests/x509.pem
wrong_ca = X509.load_cert("tests/crl_data/certs/revoking_ca.pem")
cert = X509.load_cert('tests/x509.pem')
store = X509.X509_Store()
store.add_x509(wrong_ca)
store_ctx = X509.X509_Store_Context()
store_ctx.init(store, cert)
self.assertFalse(store_ctx.verify_cert())
def test_verify_with_missing_root_CA(self):
sub_ca = X509.load_cert(SUB_CA)
test_cert = X509.load_cert(TEST_CERT)
store = X509.X509_Store()
store.add_x509(sub_ca)
store_ctx = X509.X509_Store_Context()
store_ctx.init(store, test_cert)
self.assertFalse(store_ctx.verify_cert())
def test_verify_with_full_chain(self):
root_ca = X509.load_cert(ROOT_CA)
sub_ca = X509.load_cert(SUB_CA)
test_cert = X509.load_cert(TEST_CERT)
store = X509.X509_Store()
store.add_x509(root_ca)
store.add_x509(sub_ca)
store_ctx = X509.X509_Store_Context()
store_ctx.init(store, test_cert)
self.assertTrue(store_ctx.verify_cert())
def test_incomplete_chain_verify_from_string(self):
data = open(SUB_CA).read()
ca_chain = self.load_chain_from_string(data)
test_cert = X509.load_cert(TEST_CERT)
store = X509.X509_Store()
for ca in ca_chain:
store.add_x509(ca)
store_ctx = X509.X509_Store_Context()
store_ctx.init(store, test_cert)
self.assertFalse(store_ctx.verify_cert())
def _setup(self):
"""
sets up the SMIME.SMIME instance
and loads the CA certificates store
"""
smime = SMIME.SMIME()
st = X509.X509_Store()
if not os.access(self._certstore, os.R_OK):
raise VerifierError, "cannot access %s" % self._certstore
st.load_info(self._certstore)
smime.set_x509_store(st)
self._smime = smime
def processSignedPlist(infile):
certstore_path = "/etc/ssl/certs/ca-certificates.crt"
file_descriptor = infile
input_bio = BIO.MemoryBuffer(file_descriptor)
signer = SMIME.SMIME()
cert_store = X509.X509_Store()
cert_store.load_info(certstore_path)
signer.set_x509_store(cert_store)
try:
p7 = SMIME.PKCS7(m2.pkcs7_read_bio_der(input_bio._ptr()), 1)
except SMIME.SMIME_Error, e:
logging.error('load pkcs7 error: ' + str(e))
def verify_netscape():
print 'test load & verify netscape messager output...',
s = SMIME.SMIME()
#x509 = X509.load_cert('client.pem')
sk = X509.X509_Stack()
#sk.push(x509)
s.set_x509_stack(sk)
st = X509.X509_Store()
st.load_info('ca.pem')
s.set_x509_store(st)
p7, data = SMIME.smime_load_pkcs7('ns.p7')
v = s.verify(p7, data)
print '\n', v, '\n...ok'
def test_signing():
"""
This test can only run locally if you provide your personal Apple Wallet
certificates, private key and password. It would not be wise to add
them to git. Store them in the files indicated below, they are ignored
by git.
"""
try:
with open(password_file) as file_:
password = file_.read().strip()
except IOError:
password = ''
passfile = create_shell_pass()
manifest_json = passfile._createManifest(passfile._createPassJson())
signature = passfile._sign_manifest(
manifest_json,
certificate,
key,
wwdr_certificate,
password,
)
smime = passfile._get_smime(
certificate,
key,
wwdr_certificate,
password,
)
store = X509.X509_Store()
try:
store.load_info(bytes(wwdr_certificate, encoding='utf8'))
except TypeError:
store.load_info(str(wwdr_certificate))
smime.set_x509_store(store)
data_bio = BIO.MemoryBuffer(bytes(manifest_json, encoding='utf8'))
# PKCS7_NOVERIFY = do not verify the signers certificate of a signed message.
assert smime.verify(signature, data_bio,
flags=SMIME.PKCS7_NOVERIFY) == bytes(manifest_json,
encoding='utf8')
tampered_manifest = bytes('{"pass.json": "foobar"}', encoding='utf8')
data_bio = BIO.MemoryBuffer(tampered_manifest)
# Verification MUST fail!
with pytest.raises(SMIME.PKCS7_Error):
smime.verify(signature, data_bio, flags=SMIME.PKCS7_NOVERIFY)
def test_verifyBad(self):
s = SMIME.SMIME()
x509 = X509.load_cert('test/recipient.pem')
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
st = X509.X509_Store()
st.load_info('test/recipient.pem')
s.set_x509_store(st)
p7, data = SMIME.smime_load_pkcs7_bio(self.signed)
assert isinstance(p7, SMIME.PKCS7), p7
self.assertRaises(SMIME.PKCS7_Error, s.verify, p7) # Bad signer
def verify_sign(self, data, signature_place):
""" Verifies the signature against the data"""
#create a BIO.Memory object
dg = DigestMan()
data = dg.gen_buf_hash(data)
if not self.verify_signers(signature_place):
return False
#pass
self.dataBuf = self.makebuf(data)
if not data:
print "Supply data to verify with"
return False
#print self.dataBuf.read()
#Load the pkcs7 document
try:
#Make a stote and stack object just for argument list
#we dont need them actually
#xStore=self.create_store(["chain/cacert.pem"])
xStore = X509.X509_Store()
#stW=stackWork()
#sk=stW.add_chain(["chain/cacert.pem"])
sk = X509.X509_Stack()
self.sm.set_x509_stack(sk)
self.sm.set_x509_store(xStore)
#Sets the flags to noverify which means that the verification of
#the signers was made above
flagset = SMIME.PKCS7_NOVERIFY
#verify the signature it is a M2Crypto openssl method
res = self.sm.verify(self.__p7, self.dataBuf, flags=flagset)
#print res
if not res:
return False
else:
return True
except SMIME.SMIME_Error, e:
print "Error while setting pkcs7 verification process :", e
return False
def create_store(self, fname=None):
""" Returns a store object according to its content"""
#get it only from a file
stor = X509.X509_Store()
if fname:
if len(fname) == 1:
stor.load_info(fname[0])
#if we entered a list of files
else:
for f in fname:
x = X509.load_cert(f)
stor.add_x509(x)
return stor
def verify_opaque():
print 'test load & verify opaque...',
s = SMIME.SMIME()
x509 = X509.load_cert('client.pem')
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
st = X509.X509_Store()
st.load_info('ca.pem')
s.set_x509_store(st)
p7, data = SMIME.smime_load_pkcs7('opaque.p7')
v = s.verify(p7, data)
if v:
print 'ok'
else:
print 'not ok'
def test_signing():
"""
This test can only run locally if you provide your personal Apple Wallet
certificates, private key and password. It would not be wise to add
them to git. Store them in the files indicated below, they are ignored
by git.
"""
try:
with open(password_file) as file_:
password = file_.read().strip()
except IOError:
password = ''
passfile = create_shell_pass()
manifest_json = passfile._createManifest(passfile._createPassJson())
signature = passfile._createSignature(
manifest_json,
certificate,
key,
wwdr_certificate,
password,
)
smime_obj = SMIME.SMIME()
store = X509.X509_Store()
store.load_info(str(wwdr_certificate))
smime_obj.set_x509_store(store)
signature_bio = BIO.MemoryBuffer(signature)
signature_p7 = SMIME.PKCS7(m2.pkcs7_read_bio_der(signature_bio._ptr()), 1)
stack = signature_p7.get0_signers(X509.X509_Stack())
smime_obj.set_x509_stack(stack)
data_bio = BIO.MemoryBuffer(manifest_json)
# PKCS7_NOVERIFY = do not verify the signers certificate of a signed message.
assert smime_obj.verify(
signature_p7, data_bio, flags=SMIME.PKCS7_NOVERIFY
) == manifest_json
tampered_manifest = '{"pass.json": "foobar"}'
data_bio = BIO.MemoryBuffer(tampered_manifest)
# Verification MUST fail!
with pytest.raises(SMIME.PKCS7_Error):
smime_obj.verify(signature_p7, data_bio, flags=SMIME.PKCS7_NOVERIFY)
def test_signEncryptDecryptVerify(self):
# sign
buf = BIO.MemoryBuffer(self.cleartext)
s = SMIME.SMIME()
s.load_key('tests/signer_key.pem', 'tests/signer.pem')
p7 = s.sign(buf)
# encrypt
x509 = X509.load_cert('tests/recipient.pem')
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
s.set_cipher(SMIME.Cipher('des_ede3_cbc'))
tmp = BIO.MemoryBuffer()
s.write(tmp, p7)
p7 = s.encrypt(tmp)
signedEncrypted = BIO.MemoryBuffer()
s.write(signedEncrypted, p7)
# decrypt
s = SMIME.SMIME()
s.load_key('tests/recipient_key.pem', 'tests/recipient.pem')
p7, data = SMIME.smime_load_pkcs7_bio(signedEncrypted)
out = s.decrypt(p7)
# verify
x509 = X509.load_cert('tests/signer.pem')
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
st = X509.X509_Store()
st.load_info('tests/ca.pem')
s.set_x509_store(st)
p7_bio = BIO.MemoryBuffer(out)
p7, data = SMIME.smime_load_pkcs7_bio(p7_bio)
v = s.verify(p7)
self.assertEqual(v, self.cleartext)
def extract(self):
smime = SMIME.SMIME()
smime.set_x509_store(X509.X509_Store())
smime.set_x509_stack(X509.X509_Stack())
try:
original_file_content = smime.verify(SMIME.load_pkcs7_der(
self.temppath),
flags=SMIME.PKCS7_NOVERIFY)
except SMIME.PKCS7_Error as e:
logger.debug("{} importer: not a PKCS7 file.".format(
self.processor))
raise e
temp = NamedTemporaryFile()
temp.write(original_file_content)
temp.flush()
return temp