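def auth_certificate_callback(sock, check_sig, is_server, certdb):
    """Decide whether the peer certificate presented on *sock* is acceptable.

    The certificate is first verified with ``cert.verify_now`` for the usage
    implied by *is_server*. On the client side the certificate must then also
    pass ``cert.verify_hostname`` for the hostname the socket was opened to.
    Every error path returns False, so a failure never results in an accepted
    certificate.

    Args:
        sock: Socket being authenticated; supplies the peer certificate, the
            PKCS#11 pin argument and the target hostname.
        check_sig: Passed through to ``verify_now``.
        is_server: True when the local end is the server (the peer is then a
            client and no hostname check is made).
        certdb: Certificate database handed to ``verify_now``.

    Returns:
        False when verification fails or raises. On the server side, True when
        the usage check passes; on the client side, the result of
        ``verify_hostname``.
    """
    cert = sock.get_peer_certificate()

    pin_args = sock.get_pkcs11_pin_arg()
    if pin_args is None:
        pin_args = ()

    # Define how the cert is being used based upon the is_server flag. This may
    # seem backwards, but isn't. If we're a server we're trying to validate a
    # client cert. If we're a client we're trying to validate a server cert.
    if is_server:
        intended_usage = nss.certificateUsageSSLClient
    else:
        intended_usage = nss.certificateUsageSSLServer

    try:
        # If the cert fails validation it will raise an exception, the errno attribute
        # will be set to the error code matching the reason why the validation failed
        # and the strerror attribute will contain a string describing the reason.
        approved_usage = cert.verify_now(certdb, check_sig, intended_usage, *pin_args)
    except Exception as e:
        # The handler catches every Exception, but not every exception has a
        # strerror attribute. Reading it unguarded would raise AttributeError
        # from inside the handler and the False verdict would never be returned.
        root_logger.error('cert validation failed for "%s" (%s)',
                          cert.subject, getattr(e, 'strerror', None) or e)
        return False

    root_logger.debug("approved_usage = %s intended_usage = %s",
                      ', '.join(nss.cert_usage_flags(approved_usage)),
                      ', '.join(nss.cert_usage_flags(intended_usage)))

    # Accept only if the approved mask shares a bit with the intended usage.
    cert_is_valid = bool(approved_usage & intended_usage)

    # If this is a server, we're finished
    if is_server or not cert_is_valid:
        root_logger.debug('cert valid %s for "%s"', cert_is_valid, cert.subject)
        return cert_is_valid

    # Certificate is OK. Since this is the client side of an SSL
    # connection, we need to verify that the name field in the cert
    # matches the desired hostname. This is our defense against
    # man-in-the-middle attacks.
    hostname = sock.get_hostname()
    try:
        # If the cert fails validation it will raise an exception
        cert_is_valid = cert.verify_hostname(hostname)
    except Exception as e:
        root_logger.error(
            'failed verifying socket hostname "%s" matches cert subject "%s" (%s)',
            hostname, cert.subject, getattr(e, 'strerror', None) or e)
        return False

    root_logger.debug('cert valid %s for "%s"', cert_is_valid, cert.subject)
    return cert_is_valid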
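def auth_certificate_callback(sock, check_sig, is_server, certdb):
    """Authenticate the peer certificate of *sock* and return the verdict.

    Step one calls ``cert.verify_now`` with the usage the peer is expected to
    have (client usage when we are the server, server usage when we are the
    client). Step two, on the client side only, calls ``cert.verify_hostname``
    with the hostname taken from the socket. Any exception in either step
    yields False, so the callback fails closed.

    Args:
        sock: Socket whose peer certificate is being checked.
        check_sig: Forwarded to ``verify_now``.
        is_server: True when the local end is the server.
        certdb: Certificate database forwarded to ``verify_now``.

    Returns:
        False on any failure. Otherwise True on the server side, or the value
        returned by ``verify_hostname`` on the client side.
    """
    cert = sock.get_peer_certificate()

    pin_args = sock.get_pkcs11_pin_arg()
    if pin_args is None:
        pin_args = ()

    # Define how the cert is being used based upon the is_server flag. This may
    # seem backwards, but isn't. If we're a server we're trying to validate a
    # client cert. If we're a client we're trying to validate a server cert.
    if is_server:
        intended_usage = nss.certificateUsageSSLClient
    else:
        intended_usage = nss.certificateUsageSSLServer

    try:
        # If the cert fails validation it will raise an exception, the errno attribute
        # will be set to the error code matching the reason why the validation failed
        # and the strerror attribute will contain a string describing the reason.
        approved_usage = cert.verify_now(certdb, check_sig, intended_usage, *pin_args)
    except Exception as e:
        # Exceptions other than the NSS ones may lack strerror. Fall back to
        # the exception itself so that logging cannot raise AttributeError and
        # prevent the rejection below from being returned.
        reason = getattr(e, 'strerror', None) or e
        root_logger.error('cert validation failed for "%s" (%s)', cert.subject, reason)
        return False

    root_logger.debug(
        "approved_usage = %s intended_usage = %s",
        ", ".join(nss.cert_usage_flags(approved_usage)),
        ", ".join(nss.cert_usage_flags(intended_usage)),
    )

    # Accept only if the approved mask shares a bit with the intended usage.
    cert_is_valid = bool(approved_usage & intended_usage)

    # If this is a server, we're finished
    if is_server or not cert_is_valid:
        root_logger.debug('cert valid %s for "%s"', cert_is_valid, cert.subject)
        return cert_is_valid

    # Certificate is OK. Since this is the client side of an SSL
    # connection, we need to verify that the name field in the cert
    # matches the desired hostname. This is our defense against
    # man-in-the-middle attacks.
    hostname = sock.get_hostname()
    try:
        # If the cert fails validation it will raise an exception
        cert_is_valid = cert.verify_hostname(hostname)
    except Exception as e:
        reason = getattr(e, 'strerror', None) or e
        root_logger.error(
            'failed verifying socket hostname "%s" matches cert subject "%s" (%s)',
            hostname, cert.subject, reason
        )
        return False

    root_logger.debug('cert valid %s for "%s"', cert_is_valid, cert.subject)
    return cert_is_valid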
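def _auth_certificate_callback(self, sock, check_sig, is_server, certdb):
    """Authenticate the server certificate presented on *sock*.

    The certificate must pass ``cert.verify_now`` for
    ``nss.certificateUsageSSLServer`` and then ``cert.verify_hostname`` for
    the hostname the socket was opened to. Any failure or exception in either
    step rejects the certificate.

    The earlier revision replaced the ``verify_now`` result with
    ``intended_usage`` and did the same in the exception handler, so the
    hostname comparison was the only check left. A name match says nothing
    about who issued the certificate, so this version restores the
    verification call and fails closed.

    Args:
        sock: Socket being authenticated; supplies the peer certificate, the
            PKCS#11 pin argument and the target hostname.
        check_sig: Passed through to ``verify_now``.
        is_server: Accepted for the callback signature but not consulted; the
            certificate is always checked for SSL server usage.
        certdb: Certificate database handed to ``verify_now``.

    Returns:
        False on any failure, otherwise the result of ``verify_hostname``.
    """
    cert = sock.get_peer_certificate()
    intended_usage = nss.certificateUsageSSLServer
    pin_args = sock.get_pkcs11_pin_arg() or ()

    try:
        # If the cert fails validation it will raise an exception, the errno attribute
        # will be set to the error code matching the reason why the validation failed
        # and the strerror attribute will contain a string describing the reason.
        # NOTE(review): the earlier revision reported that this call misbehaved
        # after the Python 3 migration. If it still raises for certificates that
        # should be trusted, investigate the cause (certdb contents, pin args)
        # rather than substituting intended_usage for the result.
        approved_usage = cert.verify_now(certdb, check_sig, intended_usage, *pin_args)
    except Exception as e:
        # Fail closed. getattr guards against exceptions without strerror.
        logging.error('cert validation failed for "%s" (%s)',
                      cert.subject, getattr(e, 'strerror', None) or e)
        return False

    logging.debug("approved_usage = %s intended_usage = %s",
                  ', '.join(nss.cert_usage_flags(approved_usage)),
                  ', '.join(nss.cert_usage_flags(intended_usage)))

    if not bool(approved_usage & intended_usage):
        logging.debug('cert not valid for "%s"', cert.subject)
        return False

    # Certificate is OK. Since this is the client side of an SSL
    # connection, we need to verify that the name field in the cert
    # matches the desired hostname. This is our defense against
    # man-in-the-middle attacks.
    hostname = sock.get_hostname()
    try:
        # If the cert fails validation it will raise an exception
        cert_is_valid = cert.verify_hostname(hostname)
    except Exception as e:
        logging.error(
            'failed verifying socket hostname "%s" matches cert subject "%s" (%s)',
            hostname, cert.subject, getattr(e, 'strerror', None) or e)
        return False

    logging.debug('cert valid %s for "%s"', cert_is_valid, cert.subject)
    return cert_is_valid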
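def _auth_certificate_callback(self, sock, check_sig, is_server, certdb):
    """Return whether the server certificate on *sock* may be trusted.

    Two checks run in order and both must pass: ``cert.verify_now`` for
    ``nss.certificateUsageSSLServer``, then ``cert.verify_hostname`` for the
    socket's hostname. The earlier revision skipped the first check and
    assigned ``intended_usage`` to ``approved_usage`` on both the normal and
    the exception path, which left the hostname comparison as the only gate.
    This version runs the verification again and rejects on any error.

    Args:
        sock: Socket whose peer certificate is being checked.
        check_sig: Forwarded to ``verify_now``.
        is_server: Unused; kept so the callback signature is unchanged.
        certdb: Certificate database forwarded to ``verify_now``.

    Returns:
        False on any failure, otherwise the result of ``verify_hostname``.
    """
    cert = sock.get_peer_certificate()
    intended_usage = nss.certificateUsageSSLServer
    pin_args = sock.get_pkcs11_pin_arg() or ()

    try:
        # If the cert fails validation it will raise an exception, the errno attribute
        # will be set to the error code matching the reason why the validation failed
        # and the strerror attribute will contain a string describing the reason.
        # NOTE(review): the earlier revision said this call stopped working after
        # the Python 3 migration. If it still fails for certificates that should
        # be trusted, fix the underlying cause; do not bypass the check.
        approved_usage = cert.verify_now(certdb, check_sig, intended_usage, *pin_args)
    except Exception as e:
        # Reject on error. Fall back to the exception text when strerror is absent.
        reason = getattr(e, 'strerror', None) or e
        logging.error('cert validation failed for "%s" (%s)', cert.subject, reason)
        return False

    logging.debug("approved_usage = %s intended_usage = %s",
                  ', '.join(nss.cert_usage_flags(approved_usage)),
                  ', '.join(nss.cert_usage_flags(intended_usage)))

    if not bool(approved_usage & intended_usage):
        logging.debug('cert not valid for "%s"', cert.subject)
        return False

    # Certificate is OK. Since this is the client side of an SSL
    # connection, we need to verify that the name field in the cert
    # matches the desired hostname. This is our defense against
    # man-in-the-middle attacks.
    hostname = sock.get_hostname()
    try:
        # If the cert fails validation it will raise an exception
        cert_is_valid = cert.verify_hostname(hostname)
    except Exception as e:
        reason = getattr(e, 'strerror', None) or e
        logging.error('failed verifying socket hostname "%s" matches cert subject "%s" (%s)',
                      hostname, cert.subject, reason)
        return False

    logging.debug('cert valid %s for "%s"', cert_is_valid, cert.subject)
    return cert_is_valid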
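def main():
    """Command-line example: load a certificate and verify its usages.

    Parses the options, initialises NSS with the chosen database, loads a
    certificate either from a file or by nickname, optionally reports whether
    it is a CA certificate, then verifies it for the requested usages.

    Returns:
        0 when every intended usage is approved; 1 on an argument error, a
        failed nickname lookup, or a certificate not approved for all of the
        intended usages.
    """
    global options

    parser = argparse.ArgumentParser(
        description='certificate validation example')

    # === NSS Database Group ===
    group = parser.add_argument_group('NSS Database',
                                      'Specify & control the NSS Database')

    group.add_argument('-d', '--db-name',
                       help='NSS database name (e.g. "sql:pki")')

    # NOTE(review): a password supplied with -P appears on the process command
    # line, and the fallback set in set_defaults() below is a fixed literal.
    # That is acceptable for an example, not for a database that matters.
    group.add_argument('-P', '--db-passwd',
                       help='NSS database password')

    # === Certificate Group ===
    group = parser.add_argument_group('Certificate',
                                      'Specify how the certificate is loaded')

    group.add_argument('-f', '--file', dest='cert_filename',
                       help='read cert from file')

    group.add_argument('-F', '--input-format', choices=['pem', 'der'],
                       help='format of input cert')

    group.add_argument(
        '-n', '--nickname', dest='cert_nickname',
        help='load cert from NSS database by looking it up under this nickname')

    # === Validation Group ===
    group = parser.add_argument_group('Validation',
                                      'Control the validation')

    group.add_argument(
        '-u', '--usage', dest='cert_usage', action='append',
        choices=list(cert_usage_map.keys()),
        help='certificate usage flags, may be specified multiple times')

    group.add_argument('-c', '--check-sig', action='store_true', dest='check_sig',
                       help='check signature')

    group.add_argument('-C', '--no-check-sig', action='store_false', dest='check_sig',
                       help='do not check signature')

    group.add_argument('-l', '--log', action='store_true', dest='with_log',
                       help='use verify log')

    group.add_argument('-L', '--no-log', action='store_false', dest='with_log',
                       help='do not use verify log')

    group.add_argument('-a', '--check-ca', action='store_true', dest='check_ca',
                       help='check if cert is CA')

    group.add_argument('-A', '--no-check-ca', action='store_false', dest='check_ca',
                       help='do not check if cert is CA')

    # === Miscellaneous Group ===
    group = parser.add_argument_group('Miscellaneous',
                                      'Miscellaneous options')

    group.add_argument('-p', '--print-cert', action='store_true', dest='print_cert',
                       help='print the certificate in a friendly fashion')

    parser.set_defaults(
        db_name='sql:pki',
        db_passwd='db_passwd',
        input_format='pem',
        check_sig=True,
        with_log=True,
        check_ca=True,
        print_cert=False,
    )

    options = parser.parse_args()

    # Process the command line arguments

    # Get usage bitmask
    if options.cert_usage:
        intended_usage = 0
        for usage in options.cert_usage:
            try:
                flag = cert_usage_map[usage]
            except KeyError:
                # Sent to stderr like the other argument errors below.
                print("Unknown usage '%s', valid values: %s" %
                      (usage, ', '.join(sorted(cert_usage_map.keys()))),
                      file=sys.stderr)
                return 1
            else:
                intended_usage |= flag
    else:
        # We can't use nss.certificateUsageCheckAllUsages here because
        # it's a special value of zero instead of being the bitwise OR
        # of all the certificateUsage* flags (go figure!)
        intended_usage = 0
        for usage in cert_usage_map.values():
            intended_usage |= usage

    if options.cert_filename and options.cert_nickname:
        print(
            "You may not specify both a cert filename and a nickname, only one or the other",
            file=sys.stderr)
        return 1

    if not options.cert_filename and not options.cert_nickname:
        print("You must specify either a cert filename or a nickname to load",
              file=sys.stderr)
        return 1

    # Initialize NSS.
    print(indented_output('NSS Database', options.db_name))
    print()
    nss.nss_init(options.db_name)
    certdb = nss.get_default_certdb()
    nss.set_password_callback(password_callback)

    # Load the cert
    if options.cert_filename:
        # Read the certificate as DER encoded data then initialize a Certificate from the DER data
        filename = options.cert_filename
        si = nss.read_der_from_file(filename, options.input_format.lower() == 'pem')
        # Parse the DER encoded data returning a Certificate object
        cert = nss.Certificate(si)
    else:
        try:
            cert = nss.find_cert_from_nickname(options.cert_nickname)
        except Exception as e:
            print(e, file=sys.stderr)
            print('Unable to load cert nickname "%s" from database "%s"' %
                  (options.cert_nickname, options.db_name), file=sys.stderr)
            return 1

    # Dump the cert if the user wants to see it
    if options.print_cert:
        print(cert)
    else:
        print(indented_output('cert subject', cert.subject))
    print()

    # Dump the usages attached to the cert
    print(indented_output('cert has these usages',
                          nss.cert_type_flags(cert.cert_type)))

    # Should we check if the cert is a CA cert?
    if options.check_ca:
        # CA Cert?
        is_ca, cert_type = cert.is_ca_cert(True)
        print()
        print(indented_output('is CA cert boolean', is_ca))
        print(indented_output('is CA cert returned usages',
                              nss.cert_type_flags(cert_type)))

    print()
    print(indented_output('verifying usages for',
                          nss.cert_usage_flags(intended_usage)))
    print()

    # Use the log or non-log variant to verify the cert
    #
    # Note: Anytime a NSPR or NSS function returns an error in python-nss it
    # raises a NSPRError exception. When an exception is raised the normal
    # return values are discarded because the flow of control continues at
    # the first except block prepared to catch the exception. Normally this
    # is what is desired because the return values would be invalid due to
    # the error. However the certificate verification functions are an
    # exception (no pun intended). An error might be returned indicating the
    # cert failed verification but you may still need access to the returned
    # usage bitmask and the log (if using the log variant). To handle this a
    # special error exception `CertVerifyError` (derived from `NSPRError`)
    # is defined which in addition to the normal NSPRError fields will also
    # contain the returned usages and optionally the CertVerifyLog
    # object. If no exception is raised these are returned as normal return
    # values.

    # Start from "nothing approved". An unexpected exception below leaves this
    # at 0, so the final comparison reports FAIL instead of passing by accident.
    approved_usage = 0
    if options.with_log:
        try:
            approved_usage, log = cert.verify_with_log(certdb, options.check_sig,
                                                       intended_usage, None)
        except nss_error.CertVerifyError as e:
            # approved_usage and log available in CertVerifyError exception on failure.
            print(e)
            print()
            print(indented_obj('log', e.log))
            print()
            print(indented_output('approved usages from exception',
                                  nss.cert_usage_flags(e.usages)))
            approved_usage = e.usages  # Get the returned usage bitmask from the exception
        except Exception as e:
            print(e)
        else:
            print(indented_output('approved usages',
                                  nss.cert_usage_flags(approved_usage)))
            if log.count:
                print()
                print(indented_obj('log', log))
    else:
        try:
            approved_usage = cert.verify(certdb, options.check_sig,
                                         intended_usage, None)
        except nss_error.CertVerifyError as e:
            # approved_usage available in CertVerifyError exception on failure.
            print(e)
            print(indented_output('approved usages from exception',
                                  nss.cert_usage_flags(e.usages)))
            approved_usage = e.usages  # Get the returned usage bitmask from the exception
        except Exception as e:
            print(e)
        else:
            print(indented_output('approved usages',
                                  nss.cert_usage_flags(approved_usage)))

    # The cert is valid if all the intended usages are in the approved usages
    valid = (intended_usage & approved_usage) == intended_usage

    print()
    if valid:
        print(indented_output('SUCCESS: cert is approved for',
                              nss.cert_usage_flags(intended_usage)))
        return 0
    else:
        # Report only the requested usages that were not approved. XOR would
        # also list any approved usage that was never requested.
        missing_usage = intended_usage & ~approved_usage
        print(indented_output('FAIL: cert not approved for',
                              nss.cert_usage_flags(missing_usage)))
        return 1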
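def main():
    """Run the certificate validation example from the command line.

    After parsing the options the function initialises NSS, loads one
    certificate (from a file or from the database by nickname), prints what
    it finds, and verifies the certificate for the intended usages.

    Returns:
        0 if the certificate is approved for every intended usage, otherwise
        1 (this includes argument errors and a failed nickname lookup).
    """
    global options

    parser = argparse.ArgumentParser(description='certificate validation example')

    # === NSS Database Group ===
    group = parser.add_argument_group('NSS Database',
                                      'Specify & control the NSS Database')

    group.add_argument('-d', '--db-name',
                       help='NSS database name (e.g. "sql:pki")')

    # NOTE(review): -P exposes the password on the command line, and the
    # default assigned in set_defaults() is a hard-coded literal. Both are
    # tolerable in a demonstration only.
    group.add_argument('-P', '--db-passwd',
                       help='NSS database password')

    # === Certificate Group ===
    group = parser.add_argument_group('Certificate',
                                      'Specify how the certificate is loaded')

    group.add_argument('-f', '--file', dest='cert_filename',
                       help='read cert from file')

    group.add_argument('-F', '--input-format', choices=['pem', 'der'],
                       help='format of input cert')

    group.add_argument('-n', '--nickname', dest='cert_nickname',
                       help='load cert from NSS database by looking it up under this nickname')

    # === Validation Group ===
    group = parser.add_argument_group('Validation',
                                      'Control the validation')

    group.add_argument('-u', '--usage', dest='cert_usage', action='append',
                       choices=list(cert_usage_map.keys()),
                       help='certificate usage flags, may be specified multiple times')

    group.add_argument('-c', '--check-sig', action='store_true', dest='check_sig',
                       help='check signature')

    group.add_argument('-C', '--no-check-sig', action='store_false', dest='check_sig',
                       help='do not check signature')

    group.add_argument('-l', '--log', action='store_true', dest='with_log',
                       help='use verify log')

    group.add_argument('-L', '--no-log', action='store_false', dest='with_log',
                       help='do not use verify log')

    group.add_argument('-a', '--check-ca', action='store_true', dest='check_ca',
                       help='check if cert is CA')

    group.add_argument('-A', '--no-check-ca', action='store_false', dest='check_ca',
                       help='do not check if cert is CA')

    # === Miscellaneous Group ===
    group = parser.add_argument_group('Miscellaneous',
                                      'Miscellaneous options')

    group.add_argument('-p', '--print-cert', action='store_true', dest='print_cert',
                       help='print the certificate in a friendly fashion')

    parser.set_defaults(db_name='sql:pki',
                        db_passwd='db_passwd',
                        input_format='pem',
                        check_sig=True,
                        with_log=True,
                        check_ca=True,
                        print_cert=False,
                        )

    options = parser.parse_args()

    # Process the command line arguments

    # Get usage bitmask
    if options.cert_usage:
        intended_usage = 0
        for usage in options.cert_usage:
            try:
                flag = cert_usage_map[usage]
            except KeyError:
                # Argument errors go to stderr, matching the checks below.
                print("Unknown usage '%s', valid values: %s" %
                      (usage, ', '.join(sorted(cert_usage_map.keys()))),
                      file=sys.stderr)
                return 1
            else:
                intended_usage |= flag
    else:
        # We can't use nss.certificateUsageCheckAllUsages here because
        # it's a special value of zero instead of being the bitwise OR
        # of all the certificateUsage* flags (go figure!)
        intended_usage = 0
        for usage in cert_usage_map.values():
            intended_usage |= usage

    if options.cert_filename and options.cert_nickname:
        print("You may not specify both a cert filename and a nickname, only one or the other",
              file=sys.stderr)
        return 1

    if not options.cert_filename and not options.cert_nickname:
        print("You must specify either a cert filename or a nickname to load",
              file=sys.stderr)
        return 1

    # Initialize NSS.
    print(indented_output('NSS Database', options.db_name))
    print()
    nss.nss_init(options.db_name)
    certdb = nss.get_default_certdb()
    nss.set_password_callback(password_callback)

    # Load the cert
    if options.cert_filename:
        # Read the certificate as DER encoded data then initialize a Certificate from the DER data
        filename = options.cert_filename
        si = nss.read_der_from_file(filename, options.input_format.lower() == 'pem')
        # Parse the DER encoded data returning a Certificate object
        cert = nss.Certificate(si)
    else:
        try:
            cert = nss.find_cert_from_nickname(options.cert_nickname)
        except Exception as e:
            print(e, file=sys.stderr)
            print('Unable to load cert nickname "%s" from database "%s"' %
                  (options.cert_nickname, options.db_name), file=sys.stderr)
            return 1

    # Dump the cert if the user wants to see it
    if options.print_cert:
        print(cert)
    else:
        print(indented_output('cert subject', cert.subject))
    print()

    # Dump the usages attached to the cert
    print(indented_output('cert has these usages', nss.cert_type_flags(cert.cert_type)))

    # Should we check if the cert is a CA cert?
    if options.check_ca:
        # CA Cert?
        is_ca, cert_type = cert.is_ca_cert(True)
        print()
        print(indented_output('is CA cert boolean', is_ca))
        print(indented_output('is CA cert returned usages', nss.cert_type_flags(cert_type)))

    print()
    print(indented_output('verifying usages for', nss.cert_usage_flags(intended_usage)))
    print()

    # Use the log or non-log variant to verify the cert
    #
    # Note: Anytime a NSPR or NSS function returns an error in python-nss it
    # raises a NSPRError exception. When an exception is raised the normal
    # return values are discarded because the flow of control continues at
    # the first except block prepared to catch the exception. Normally this
    # is what is desired because the return values would be invalid due to
    # the error. However the certificate verification functions are an
    # exception (no pun intended). An error might be returned indicating the
    # cert failed verification but you may still need access to the returned
    # usage bitmask and the log (if using the log variant). To handle this a
    # special error exception `CertVerifyError` (derived from `NSPRError`)
    # is defined which in addition to the normal NSPRError fields will also
    # contain the returned usages and optionally the CertVerifyLog
    # object. If no exception is raised these are returned as normal return
    # values.

    # Nothing is approved until verification says so. If an unexpected
    # exception is caught below, this stays 0 and the run ends in FAIL.
    approved_usage = 0
    if options.with_log:
        try:
            approved_usage, log = cert.verify_with_log(certdb, options.check_sig, intended_usage, None)
        except nss_error.CertVerifyError as e:
            # approved_usage and log available in CertVerifyError exception on failure.
            print(e)
            print()
            print(indented_obj('log', e.log))
            print()
            print(indented_output('approved usages from exception', nss.cert_usage_flags(e.usages)))
            approved_usage = e.usages  # Get the returned usage bitmask from the exception
        except Exception as e:
            print(e)
        else:
            print(indented_output('approved usages', nss.cert_usage_flags(approved_usage)))
            if log.count:
                print()
                print(indented_obj('log', log))
    else:
        try:
            approved_usage = cert.verify(certdb, options.check_sig, intended_usage, None)
        except nss_error.CertVerifyError as e:
            # approved_usage available in CertVerifyError exception on failure.
            print(e)
            print(indented_output('approved usages from exception', nss.cert_usage_flags(e.usages)))
            approved_usage = e.usages  # Get the returned usage bitmask from the exception
        except Exception as e:
            print(e)
        else:
            print(indented_output('approved usages', nss.cert_usage_flags(approved_usage)))

    # The cert is valid if all the intended usages are in the approved usages
    valid = (intended_usage & approved_usage) == intended_usage

    print()
    if valid:
        print(indented_output('SUCCESS: cert is approved for', nss.cert_usage_flags(intended_usage)))
        return 0
    else:
        # Mask out what was approved so that only the requested usages that
        # failed are listed. XOR would also list approved-but-unrequested bits.
        missing_usage = intended_usage & ~approved_usage
        print(indented_output('FAIL: cert not approved for', nss.cert_usage_flags(missing_usage)))
        return 1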
intended_usage = nss.certificateUsageSSLClient else: intended_usage = nss.certificateUsageSSLServer try: # If the cert fails validation it will raise an exception, the errno attribute # will be set to the error code matching the reason why the validation failed # and the strerror attribute will contain a string describing the reason. approved_usage = cert.verify_now(certdb, check_sig, intended_usage, *pin_args) except Exception, e: print >>sys.stderr, "auth_certificate_callback: %s" % e cert_is_valid = False if verbose: print "Returning cert_is_valid = %s" % cert_is_valid return cert_is_valid if verbose: print "approved_usage = %s" % ', '.join(nss.cert_usage_flags(approved_usage)) # Is the intended usage a proper subset of the approved usage if approved_usage & intended_usage: cert_is_valid = True else: cert_is_valid = False # If this is a server, we're finished if is_server or not cert_is_valid: if verbose: print "Returning cert_is_valid = %s" % cert_is_valid return cert_is_valid # Certificate is OK. Since this is the client side of an SSL # connection, we need to verify that the name field in the cert # matches the desired hostname. This is our defense against
else: intended_usage = nss.certificateUsageSSLServer try: # If the cert fails validation it will raise an exception, the errno attribute # will be set to the error code matching the reason why the validation failed # and the strerror attribute will contain a string describing the reason. approved_usage = cert.verify_now(certdb, check_sig, intended_usage, *pin_args) except Exception, e: print e.strerror cert_is_valid = False print "Returning cert_is_valid = %s" % cert_is_valid return cert_is_valid print "approved_usage = %s" % nss.cert_usage_flags(approved_usage) # Is the intended usage a proper subset of the approved usage if approved_usage & intended_usage: cert_is_valid = True else: cert_is_valid = False # If this is a server, we're finished if is_server or not cert_is_valid: print "Returning cert_is_valid = %s" % cert_is_valid return cert_is_valid # Certificate is OK. Since this is the client side of an SSL # connection, we need to verify that the name field in the cert # matches the desired hostname. This is our defense against
print indented_output('cert subject', cert.subject) print # Dump the usages attached to the cert print indented_output('cert has these usages', nss.cert_type_flags(cert.cert_type)) # Should we check if the cert is a CA cert? if options.check_ca: # CA Cert? is_ca, cert_type = cert.is_ca_cert(True) print print indented_output('is CA cert boolean', is_ca) print indented_output('is CA cert returned usages', nss.cert_type_flags(cert_type)) print print indented_output('verifying usages for', nss.cert_usage_flags(intended_usage)) print # Use the log or non-log variant to verify the cert # # Note: Anytime a NSPR or NSS function returns an error in python-nss it # raises a NSPRError exception. When an exception is raised the normal # return values are discarded because the flow of control continues at # the first except block prepared to catch the exception. Normally this # is what is desired because the return values would be invalid due to # the error. However the certificate verification functions are an # exception (no pun intended). An error might be returned indicating the # cert failed verification but you may still need access to the returned # usage bitmask and the log (if using the log variant). To handle this a # special error exception `CertVerifyError` (derived from `NSPRError`) # is defined which in addition to the normal NSPRError fields will also
intended_usage = nss.certificateUsageSSLClient else: intended_usage = nss.certificateUsageSSLServer try: # If the cert fails validation it will raise an exception, the errno attribute # will be set to the error code matching the reason why the validation failed # and the strerror attribute will contain a string describing the reason. approved_usage = cert.verify_now(certdb, check_sig, intended_usage, *pin_args) except Exception, e: root_logger.error('cert validation failed for "%s" (%s)', cert.subject, e.strerror) cert_is_valid = False return cert_is_valid root_logger.debug("approved_usage = %s intended_usage = %s", ', '.join(nss.cert_usage_flags(approved_usage)), ', '.join(nss.cert_usage_flags(intended_usage))) # Is the intended usage a proper subset of the approved usage if approved_usage & intended_usage: cert_is_valid = True else: cert_is_valid = False # If this is a server, we're finished if is_server or not cert_is_valid: root_logger.debug('cert valid %s for "%s"', cert_is_valid, cert.subject) return cert_is_valid # Certificate is OK. Since this is the client side of an SSL # connection, we need to verify that the name field in the cert
def auth_certificate_callback(sock, check_sig, is_server, certdb):
    """Authenticate the peer certificate on *sock*, tracing when ``verbose``.

    The certificate is verified with ``cert.verify_now`` for the usage the
    peer is expected to have. On the client side it must then also pass
    ``cert.verify_hostname`` for the socket's hostname. An exception in either
    step is written to stderr and the certificate is rejected.

    Returns:
        False on failure. Otherwise True on the server side, or the value
        returned by ``verify_hostname`` on the client side.
    """
    def finish(verdict):
        # Single exit point: trace the verdict when verbose, then return it.
        if verbose:
            print("Returning cert_is_valid = %s" % verdict)
        return verdict

    if verbose:
        print("auth_certificate_callback: check_sig=%s is_server=%s" % (check_sig, is_server))

    cert = sock.get_peer_certificate()
    raw_pin = sock.get_pkcs11_pin_arg()
    pin_args = () if raw_pin is None else raw_pin

    # The usage looks inverted but is not: a server validates a client
    # certificate, and a client validates a server certificate.
    intended_usage = (nss.certificateUsageSSLClient if is_server
                      else nss.certificateUsageSSLServer)

    try:
        # A failed validation raises. The exception's errno holds the error
        # code and its strerror describes the reason.
        approved_usage = cert.verify_now(certdb, check_sig, intended_usage, *pin_args)
    except Exception as e:
        print("auth_certificate_callback: %s" % e, file=sys.stderr)
        return finish(False)

    if verbose:
        print("approved_usage = %s" % ', '.join(nss.cert_usage_flags(approved_usage)))

    # Accept only if the approved mask shares a bit with the intended usage.
    usage_ok = bool(approved_usage & intended_usage)

    # A server stops here. A client continues only if the usage check passed.
    if is_server or not usage_ok:
        return finish(usage_ok)

    # Client side: the name in the certificate must match the host we meant to
    # reach. This is the defense against man-in-the-middle attacks.
    hostname = sock.get_hostname()
    if verbose:
        print("verifying socket hostname (%s) matches cert subject (%s)" % (hostname, cert.subject))
    try:
        # A failed hostname check raises.
        name_ok = cert.verify_hostname(hostname)
    except Exception as e:
        print("auth_certificate_callback: %s" % e, file=sys.stderr)
        return finish(False)

    return finish(name_ok)
try: # If the cert fails validation it will raise an exception, the errno attribute # will be set to the error code matching the reason why the validation failed # and the strerror attribute will contain a string describing the reason. approved_usage = cert.verify_now(certdb, check_sig, intended_usage, *pin_args) except Exception, e: print >> sys.stderr, "auth_certificate_callback: %s" % e cert_is_valid = False if verbose: print "Returning cert_is_valid = %s" % cert_is_valid return cert_is_valid if verbose: print "approved_usage = %s" % ', '.join( nss.cert_usage_flags(approved_usage)) # Is the intended usage a proper subset of the approved usage if approved_usage & intended_usage: cert_is_valid = True else: cert_is_valid = False # If this is a server, we're finished if is_server or not cert_is_valid: if verbose: print "Returning cert_is_valid = %s" % cert_is_valid return cert_is_valid # Certificate is OK. Since this is the client side of an SSL # connection, we need to verify that the name field in the cert # matches the desired hostname. This is our defense against
def auth_certificate_callback(sock, check_sig, is_server, certdb):
    """Authenticate the peer certificate on *sock*, printing each step.

    ``cert.verify_now`` is called for the usage the peer is expected to have.
    On the client side ``cert.verify_hostname`` is then called with the
    socket's hostname. An exception in either step is printed and the
    certificate is rejected.

    Returns:
        False on failure. Otherwise True on the server side, or the value
        returned by ``verify_hostname`` on the client side.
    """
    def announce(verdict):
        # Every exit prints the verdict before returning it.
        print("Returning cert_is_valid = %s" % verdict)
        return verdict

    print("auth_certificate_callback: check_sig=%s is_server=%s" % (check_sig, is_server))

    cert = sock.get_peer_certificate()
    raw_pin = sock.get_pkcs11_pin_arg()
    pin_args = () if raw_pin is None else raw_pin

    print("peer cert:\n%s" % cert)

    # The usage looks inverted but is not: a server validates a client
    # certificate, and a client validates a server certificate.
    intended_usage = (nss.certificateUsageSSLClient if is_server
                      else nss.certificateUsageSSLServer)

    try:
        # A failed validation raises. The exception's errno holds the error
        # code and its strerror describes the reason.
        approved_usage = cert.verify_now(certdb, check_sig, intended_usage, *pin_args)
    except Exception as e:
        print(e)
        return announce(False)

    print("approved_usage = %s" % ', '.join(nss.cert_usage_flags(approved_usage)))

    # Accept only if the approved mask shares a bit with the intended usage.
    usage_ok = bool(approved_usage & intended_usage)

    # A server stops here. A client continues only if the usage check passed.
    if is_server or not usage_ok:
        return announce(usage_ok)

    # Client side: the name in the certificate must match the host we meant to
    # reach. This is the defense against man-in-the-middle attacks.
    hostname = sock.get_hostname()
    print("verifying socket hostname (%s) matches cert subject (%s)" % (hostname, cert.subject))
    try:
        # A failed hostname check raises.
        name_ok = cert.verify_hostname(hostname)
    except Exception as e:
        print(e)
        return announce(False)

    return announce(name_ok)
intended_usage = nss.certificateUsageSSLClient else: intended_usage = nss.certificateUsageSSLServer try: # If the cert fails validation it will raise an exception, the errno attribute # will be set to the error code matching the reason why the validation failed # and the strerror attribute will contain a string describing the reason. approved_usage = cert.verify_now(certdb, check_sig, intended_usage, *pin_args) except Exception, e: print e.strerror cert_is_valid = False print "Returning cert_is_valid = %s" % cert_is_valid return cert_is_valid print "approved_usage = %s" % nss.cert_usage_flags(approved_usage) # Is the intended usage a proper subset of the approved usage if approved_usage & intended_usage: cert_is_valid = True else: cert_is_valid = False # If this is a server, we're finished if is_server or not cert_is_valid: print "Returning cert_is_valid = %s" % cert_is_valid return cert_is_valid # Certificate is OK. Since this is the client side of an SSL # connection, we need to verify that the name field in the cert # matches the desired hostname. This is our defense against
intended_usage = nss.certificateUsageSSLClient else: intended_usage = nss.certificateUsageSSLServer try: # If the cert fails validation it will raise an exception, the errno attribute # will be set to the error code matching the reason why the validation failed # and the strerror attribute will contain a string describing the reason. approved_usage = cert.verify_now(certdb, check_sig, intended_usage, *pin_args) except Exception, e: print e.strerror cert_is_valid = False print "Returning cert_is_valid = %s" % cert_is_valid return cert_is_valid print "approved_usage = %s" % ', '.join(nss.cert_usage_flags(approved_usage)) # Is the intended usage a proper subset of the approved usage if approved_usage & intended_usage: cert_is_valid = True else: cert_is_valid = False # If this is a server, we're finished if is_server or not cert_is_valid: print "Returning cert_is_valid = %s" % cert_is_valid return cert_is_valid # Certificate is OK. Since this is the client side of an SSL # connection, we need to verify that the name field in the cert # matches the desired hostname. This is our defense against