def ccm_decrypt_binary(encrypted_blob, hex_preexisting_128_bit_key, hex_preexisting_104_bit_iv, hex_preexisting_aad):
""" Function to decrypt a CCM encrypted binary.
input:
encrypted_blob: Encrypted Binary blob to decrypt
hex_preexisting_128_bit_key: hex representarion of 128bit key
hex_preexisting_iv: hex representarion of image IV
hex_preexisting_aad: hex representation of Additional Authentication data needed by the algorithm
output:
plaintext_binary: Decrypted plaintext binary
"""
if hex_preexisting_aad == None:
raise RuntimeError('AAD must be supplied')
if hex_preexisting_128_bit_key==None:
raise RuntimeError('Key must be supplied')
else:
encryption_key=hex_preexisting_128_bit_key
if hex_preexisting_104_bit_iv == None:
raise RuntimeError('IV must be supplied')
else:
image_iv=hex_preexisting_104_bit_iv
encrypted_blob_file=utility_functions.store_data_to_temp_file(encrypted_blob)
plaintext_binary_file_name=utility_functions.store_data_to_temp_file('')
command_list=[ccm_crypto_path, "--input-file", encrypted_blob_file, '--key', encryption_key, '--iv', image_iv, '--output', plaintext_binary_file_name, '--operation=decrypt', '--aad', hex_preexisting_aad]
utility_functions.system_command_logged(command_list)
with open(plaintext_binary_file_name,'rb') as plaintext_output_file:
plaintext_binary=plaintext_output_file.read()
os.unlink(plaintext_binary_file_name)
return plaintext_binary
def cbc_decrypt_binary(encrypted_blob, hex_preexisting_128_bit_key, hex_preexisting_iv):
""" Function to decrypt a CBC encrypted binary.
input:
encrypted_blob: Encrypted Binary blob to decrypt
hex_preexisting_128_bit_key: hex representarion of 128bit key
hex_preexisting_iv: hex representarion of image IV
output:
plaintext_binary: Decrypted plaintext binary
"""
if hex_preexisting_128_bit_key==None:
raise RuntimeError('Key must be supplied')
else:
encryption_key=hex_preexisting_128_bit_key
if hex_preexisting_iv == None:
raise RuntimeError('IV must be supplied')
else:
image_iv=hex_preexisting_iv
encrypted_blob_file=utility_functions.store_data_to_temp_file(encrypted_blob)
plaintext_binary_file_name=utility_functions.store_data_to_temp_file('')
command_list=[openssl_binary_path,"enc", "-aes-128-cbc", "-d", "-in", encrypted_blob_file, "-K", encryption_key, "-iv", image_iv, "-out", plaintext_binary_file_name, "-nopad"]
utility_functions.system_command_logged(command_list)
with open(plaintext_binary_file_name,'rb') as plaintext_output_file:
plaintext_binary=plaintext_output_file.read()
os.unlink(plaintext_binary_file_name)
return plaintext_binary
def ccm_encrypt_binary(binary_blob, hex_preexisting_128_bit_key,
hex_preexisting_104_bit_iv, hex_preexisting_aad):
""" Function to encrypt binary with a CCM 128 bit cipher.
input:
binary_blob: Binary blob to encrypt
hex_preexisting_128_bit_key: hex representarion of 128bit key | None,
if None, the key is generated
hex_preexisting_iv: hex representarion of image IV | None,
if None, the IV is generated
hex_preexisting_aad: hex representation of Additional Authentication data needed by the algorithm
output:
(encrypted_binary, encryption_key, image_iv, hex_preexisting_aad): Tuple with the encrypted binary, the key, the IV, and the AAD
"""
if hex_preexisting_aad == None:
raise RuntimeError('AAD must be supplied')
if hex_preexisting_128_bit_key == None:
encryption_key = os.urandom(16)
encryption_key = binascii.hexlify(encryption_key)
else:
encryption_key = hex_preexisting_128_bit_key
if hex_preexisting_104_bit_iv == None:
image_iv = os.urandom(13)
image_iv = binascii.hexlify(image_iv)
else:
image_iv = hex_preexisting_104_bit_iv
binary_blob_file = utility_functions.store_data_to_temp_file(binary_blob)
encrypted_image_file_name = utility_functions.store_data_to_temp_file('')
command_list = [
ccm_crypto_path, "--input-file", binary_blob_file, '--key',
encryption_key, '--iv', image_iv, '--output',
encrypted_image_file_name, '--operation=encrypt', '--aad',
hex_preexisting_aad
]
utility_functions.system_command_logged(command_list)
with open(encrypted_image_file_name, 'rb') as encrypted_output_file:
encrypted_binary = encrypted_output_file.read()
os.unlink(binary_blob_file)
os.unlink(encrypted_image_file_name)
return (encrypted_binary, encryption_key, image_iv, hex_preexisting_aad)
def _execute_openssl_certificate_command(command_list, key_pair, key_tempfile_name, shell=False):
try:
certificate_request = utility_functions.system_command_logged(command_list, stderr_to_temp=True, shell=shell)
except subprocess.CalledProcessError, e:
logger.critical("call to OpenSSL binary returned an error!: retval = " + str(e.returncode) + " Command = " + str(e.cmd))
raise RuntimeError("call to OpenSSL binary returned an error!: retval = " + str(e.returncode) +
" \nCommand = " + ' '.join(e.cmd))
def verify_certificate_chain(certificate_chain):
""" Verify the certificate chain to be valid
input:
certificate_chain: [cert1,cert2,cert3]
List of certificates (*in PEM FORMAT*) in the certificate chain. It assumes that the last certificate is the Root CA certificate.
output:
[True|False]
Boolean value
"""
CAfile_contents = _create_CAfile_contents_from_cert_chain(certificate_chain)
CAfile_tempfile_name=utility_functions.store_data_to_temp_file(CAfile_contents)
level1_cert_to_verify_contents = certificate_chain[0]
level1_cert_to_verify_tempfile_name=utility_functions.store_data_to_temp_file(level1_cert_to_verify_contents)
try:
verify_level1_cert_command_out = utility_functions.system_command_logged([openssl_binary_path, 'verify', '-CAfile', CAfile_tempfile_name, level1_cert_to_verify_tempfile_name])
except:
logger.critical("verify_certificate_chain: OPENSSL could not verify cert chain")
logger.debug("OpenSSL verify command output: " + verify_level1_cert_command_out)
logger.debug("Deleting temporary files: " + CAfile_tempfile_name +", " + level1_cert_to_verify_tempfile_name)
os.unlink(CAfile_tempfile_name)
os.unlink(level1_cert_to_verify_tempfile_name)
if verify_level1_cert_command_out.rstrip() == level1_cert_to_verify_tempfile_name + ": OK":
logger.debug("The certificate chain is verified")
return True
else:
logger.debug("The certificate chain is not verified")
return False
def privkey_der_to_pem(der_privkey):
""" Convert binary DER format PRIVATE key into base64 coded ASCII PEM format
input:
der_privkey: String containing binary PRIVATE KEY
output
pem_privkey: String containing base64 PEM PRIVATE KEY
"""
pem_privkey = ''
der_tempfile_name = utility_functions.store_data_to_temp_file(der_privkey)
try:
pem_privkey = utility_functions.system_command_logged(
[
openssl_binary_path, 'rsa', '-in', der_tempfile_name,
'-inform', 'DER', '-outform', 'PEM'
],
stderr_to_temp=True)
logger.debug2("PEM Format Private Key: " + pem_privkey)
except:
logger.critical(
"privkey_der_to_pem: OPENSSL Could not convert DER key to PEM")
finally:
os.unlink(der_tempfile_name)
logger.debug("Deleting temporary file: " + der_tempfile_name)
return pem_privkey
def privkey_pem_to_der(pem_privkey):
""" Convert PEM format PRIVATE key into DER format
input:
pem_privkey: String containing base64 PEM Private key
output
der_privkey: String containing binary Private key
"""
der_privkey = ''
pem_tempfile_name = utility_functions.store_data_to_temp_file(pem_privkey)
try:
der_privkey = utility_functions.system_command_logged(
[
openssl_binary_path, 'rsa', '-in', pem_tempfile_name,
'-inform', 'PEM', '-outform', 'DER'
],
stderr_to_temp=True)
logger.debug2("PEM Format private key: " + hexdump(der_privkey))
except:
logger.critical(
"privkey_pem_to_der: OPENSSL Could not convert PEM key to DER key")
finally:
os.unlink(pem_tempfile_name)
logger.debug("Deleting temporary file: " + pem_tempfile_name)
return der_privkey
def cert_der_to_pem(der_certificate):
""" Convert binary DER format certificate into base64 coded ASCII PEM format
input:
der_certificate: String containing binary certificate
output
pem_certificate: String containing base64 PEM certificate
"""
der_tempfile_name = utility_functions.store_data_to_temp_file(
der_certificate)
try:
pem_certificate = utility_functions.system_command_logged(
[
openssl_binary_path, 'x509', '-in', der_tempfile_name,
'-inform', 'DER', '-outform', 'PEM'
],
stderr_to_temp=True)
except:
logger.critical(
"cert_der_to_pem: OPENSSL could not convert DER cert to PEM")
logger.debug2("PEM Format certificate: " + pem_certificate)
logger.debug("Deleting temporary file: " + der_tempfile_name)
os.unlink(der_tempfile_name)
return pem_certificate
def cert_pem_to_der(pem_certificate):
""" Convert PEM format certificate into DER format
input:
pem_certificate: String containing base64 PEM certificate
output
der_certificate: String containing binary certificate
"""
pem_tempfile_name = utility_functions.store_data_to_temp_file(
pem_certificate)
try:
der_certificate = utility_functions.system_command_logged(
[
openssl_binary_path, 'x509', '-in', pem_tempfile_name,
'-inform', 'PEM', '-outform', 'DER'
],
stderr_to_temp=True)
except:
logger.critical(
"cert_pem_to_der: OPENSSL could not convert PEM cert to DER")
logger.debug2("PEM Format certificate: " + hexdump(der_certificate))
logger.debug("Deleting temporary file: " + pem_tempfile_name)
os.unlink(pem_tempfile_name)
return der_certificate
def encrypt_with_private_key(message, private_key):
""" Encrypt a message with a private key
input:
message: String representing message
private_key: String representing the private key
output:
signature: String representing encrypted message
"""
private_key_tempfile_name = utility_functions.store_data_to_temp_file(
private_key)
message_tempfile_name = utility_functions.store_data_to_temp_file(message)
command_list = [
openssl_binary_path, "rsautl", "-sign", "-pkcs", "-inkey",
private_key_tempfile_name, '-in', message_tempfile_name
]
try:
encrypted_message = utility_functions.system_command_logged(
command_list, stderr_to_temp=True)
except:
logger.critical(
"encrypt_with_private_key: OPENSSL could not perform RSA sign operation"
)
return encrypted_message
def decrypt_with_public_key(encrypted_message, public_key):
""" Decrypt an encrypted message with a public key
input:
encrypted_message = String representation of encrypted message
public_key = String representation of public key
output:
message = String representing decrypted message
"""
public_key_tempfile_name = utility_functions.store_data_to_temp_file(
public_key)
encrypted_message_tempfile_name = utility_functions.store_data_to_temp_file(
encrypted_message)
command_list = [
openssl_binary_path, 'rsautl', '-inkey', public_key_tempfile_name,
'-pubin', '-in', encrypted_message_tempfile_name
]
try:
message = utility_functions.system_command_logged(command_list,
stderr_to_temp=True)
except:
logger.critical(
"decrypt_with_public_key: OPENSSL could not decrypt with public key"
)
return message
def decrypt_with_private_der_key(encrypted_message, private_key):
""" Decrypt an encrypted message with a private key
input:
encrypted_message = String representation of encrypted message
private_key = String representation of private key
output:
message = String representing decrypted message
"""
private_key_tempfile_name = utility_functions.store_data_to_temp_file(
private_key)
encrypted_message_tempfile_name = utility_functions.store_data_to_temp_file(
encrypted_message)
pt_tempfile_name = utility_functions.store_data_to_temp_file('')
command_list = [
openssl_binary_path, 'rsautl', '-decrypt', '-inkey',
private_key_tempfile_name, '-in', encrypted_message_tempfile_name,
'-keyform', 'DER'
]
try:
message = utility_functions.system_command_logged(command_list,
stderr_to_temp=True)
return message
except:
logger.debug2(
"decrypt_with_private_der_key: OPENSSL could not decrypt with private key"
)
def cbc_encrypt_binary(binary_blob, hex_preexisting_128_bit_key,
hex_preexisting_iv):
""" Function to encrypt binary with a CBC 128 bit cipher.
input:
binary_blob: Binary blob to encrypt
hex_preexisting_128_bit_key: hex representarion of 128bit key | None,
if None, the key is generated
hex_preexisting_iv: hex representarion of image IV | None,
if None, the IV is generated
output:
(encrypted_binary, encryption_key, image_iv): Tuple with the encrypted binary, the key, and the IV
"""
if hex_preexisting_128_bit_key == None:
encryption_key = os.urandom(16)
encryption_key = binascii.hexlify(encryption_key)
else:
encryption_key = hex_preexisting_128_bit_key
if hex_preexisting_iv == None:
image_iv = os.urandom(16)
image_iv = binascii.hexlify(image_iv)
else:
image_iv = hex_preexisting_iv
binary_blob_file = utility_functions.store_data_to_temp_file(binary_blob)
encrypted_image_file_name = utility_functions.store_data_to_temp_file('')
command_list = [
openssl_binary_path, "enc", "-aes-128-cbc", "-in", binary_blob_file,
"-K", encryption_key, "-iv", image_iv, "-out",
encrypted_image_file_name, "-nopad"
]
utility_functions.system_command_logged(command_list)
with open(encrypted_image_file_name, 'rb') as encrypted_output_file:
encrypted_binary = encrypted_output_file.read()
os.unlink(binary_blob_file)
os.unlink(encrypted_image_file_name)
return (encrypted_binary, encryption_key, image_iv)
def ccm_encrypt_binary(binary_blob, hex_preexisting_128_bit_key, hex_preexisting_104_bit_iv, hex_preexisting_aad):
""" Function to encrypt binary with a CCM 128 bit cipher.
input:
binary_blob: Binary blob to encrypt
hex_preexisting_128_bit_key: hex representarion of 128bit key | None,
if None, the key is generated
hex_preexisting_iv: hex representarion of image IV | None,
if None, the IV is generated
hex_preexisting_aad: hex representation of Additional Authentication data needed by the algorithm
output:
(encrypted_binary, encryption_key, image_iv, hex_preexisting_aad): Tuple with the encrypted binary, the key, the IV, and the AAD
"""
if hex_preexisting_aad == None:
raise RuntimeError('AAD must be supplied')
if hex_preexisting_128_bit_key==None:
encryption_key = os.urandom(16)
encryption_key = binascii.hexlify(encryption_key)
else:
encryption_key=hex_preexisting_128_bit_key
if hex_preexisting_104_bit_iv == None:
image_iv=os.urandom(13)
image_iv=binascii.hexlify(image_iv)
else:
image_iv=hex_preexisting_104_bit_iv
binary_blob_file=utility_functions.store_data_to_temp_file(binary_blob)
encrypted_image_file_name=utility_functions.store_data_to_temp_file('')
command_list=[ccm_crypto_path, "--input-file", binary_blob_file, '--key', encryption_key, '--iv', image_iv, '--output', encrypted_image_file_name, '--operation=encrypt', '--aad', hex_preexisting_aad]
utility_functions.system_command_logged(command_list)
with open(encrypted_image_file_name,'rb') as encrypted_output_file:
encrypted_binary=encrypted_output_file.read()
os.unlink(encrypted_image_file_name)
return (encrypted_binary, encryption_key, image_iv, hex_preexisting_aad)
def gen_rsa_key_pair(key_size_in_bits, key_exponent, priv_key_output_file,
pub_key_output_file):
""" Generate RSA Key pair
input:
key_size_in_bits: Size of the key in bits.
key_exponent: [3, 65537]
Exponent used in key calculation.
priv_key_output_file: File name for storing private key
pub_key_output_file: File name for storing public key
output:
returned value: {"public_key": [Generated public key],
"private_key": [Generated private key] }
Dictionary holding the values of public and private keys
"""
logger.debug("the openssl_binary is:{0}".format(openssl_binary_path))
if key_exponent == 3:
exponent_str = "-3"
elif key_exponent == 65537:
exponent_str = "-f4"
else:
logger.warning(
"Exponent value supplied is INVALID! going with default exponent of 65537."
)
exponent_str = "-f4"
key_size_str = str(key_size_in_bits)
if priv_key_output_file is not None:
pk_file = open(priv_key_output_file, "wb")
else:
pk_file = tempfile.NamedTemporaryFile(delete=False)
logger.debug(
"No output file specified for private key storage, so creating temp file: "
+ pk_file.name)
try:
private_key = utility_functions.system_command_logged(
[openssl_binary_path, "genrsa", exponent_str, key_size_str],
stderr_to_temp=True)
except subprocess.CalledProcessError, e:
os.unlink(pk_file.name)
logger.critical(
"gen_rsa_key_pair: OPENSSL Errored out on generation of RSA key.")
logger.critical(
"call to OpenSSL binary returned an error!: retval = " +
str(e.returncode) + " Command = " + str(e.cmd))
raise RuntimeError(
"call to OpenSSL binary returned an error!: retval = " +
str(e.returncode) + " Command = " + str(e.cmd))
def cbc_cts_encrypt_binary(binary_blob, hex_preexisting_128_bit_key, hex_preexisting_iv):
""" Function to encrypt binary with a CBC 128 bit cipher.
input:
binary_blob: Binary blob to encrypt
hex_preexisting_128_bit_key: hex representarion of 128bit key | None,
if None, the key is generated
hex_preexisting_iv: hex representarion of image IV | None,
if None, the IV is generated
output:
(encrypted_binary, encryption_key, image_iv): Tuple with the encrypted binary, the key, and the IV
"""
if hex_preexisting_128_bit_key==None:
encryption_key = os.urandom(16)
encryption_key = binascii.hexlify(encryption_key)
else:
encryption_key=hex_preexisting_128_bit_key
if hex_preexisting_iv == None:
image_iv=os.urandom(16)
image_iv=binascii.hexlify(image_iv)
else:
image_iv=hex_preexisting_iv
binary_blob_file=utility_functions.store_data_to_temp_file(binary_blob)
encrypted_image_file_name=utility_functions.store_data_to_temp_file('')
command_list=[cbc_crypto_path, "--input-file", binary_blob_file, '--key', encryption_key, '--iv', image_iv, '--output', encrypted_image_file_name, '--operation=encrypt']
utility_functions.system_command_logged(command_list)
with open(encrypted_image_file_name,'rb') as encrypted_output_file:
encrypted_binary=encrypted_output_file.read()
os.unlink(encrypted_image_file_name)
return (encrypted_binary, encryption_key, image_iv)
def cbc_cts_decrypt_binary(encrypted_blob, hex_preexisting_128_bit_key,
hex_preexisting_iv):
""" Function to decrypt a CBC encrypted binary.
input:
encrypted_blob: Encrypted Binary blob to decrypt
hex_preexisting_128_bit_key: hex representarion of 128bit key
hex_preexisting_iv: hex representarion of image IV
output:
plaintext_binary: Decrypted plaintext binary
"""
if hex_preexisting_128_bit_key == None:
raise RuntimeError('Key must be supplied')
else:
encryption_key = hex_preexisting_128_bit_key
if hex_preexisting_iv == None:
raise RuntimeError('IV must be supplied')
else:
image_iv = hex_preexisting_iv
encrypted_blob_file = utility_functions.store_data_to_temp_file(
encrypted_blob)
plaintext_binary_file_name = "plaintext_binary.bin"
command_list = [
cbc_crypto_path, "--input-file", encrypted_blob_file, '--key',
encryption_key, '--iv', image_iv, '--output',
plaintext_binary_file_name, '--operation=decrypt'
]
utility_functions.system_command_logged(command_list)
with open(plaintext_binary_file_name, 'rb') as plaintext_output_file:
plaintext_binary = plaintext_output_file.read()
os.unlink(plaintext_binary_file_name)
return plaintext_binary
def _sign_csr_with_CA_certificate(certificate_signing_request, CA_certificate,
CA_key_pair, days, serial_num, extfile_name):
""" Sign a Certificate signing request with a higher level CA certificate
input:
certificate_signing_request: String form of CSR
CA_certificate: String representation of a higher level CA certificate
CA_key_pair : {"public_key": [Generated public key],
"private_key": [Generated private key] }
The key pair of the CA_certificate
days = validity period of certificate in days
serial_num = Serial number of certificate
extfile_name = Name of the extensions file to be used by openssl
output:
CA_signed_certificate: String representation of CA Signed certificate (PEM)
CA_key_pair: {"public_key": CA public key,
"private_key": CA private key }
"""
CA_certificate_tempfile_name = utility_functions.store_data_to_temp_file(
CA_certificate)
CA_privkey_tempfile_name = utility_functions.store_data_to_temp_file(
CA_key_pair['private_key'])
certificate_signing_request_tempfile_name = utility_functions.store_data_to_temp_file(
certificate_signing_request)
command_list = [
openssl_binary_path, "x509", "-req", "-in",
certificate_signing_request_tempfile_name, "-CAkey",
CA_privkey_tempfile_name, "-CA", CA_certificate_tempfile_name, "-days",
str(days), "-set_serial",
str(serial_num), "-extfile", extfile_name, "-sha256"
]
logger.debug("Command_list = " + repr(command_list))
CA_signed_certificate = utility_functions.system_command_logged(
command_list, stderr_to_temp=True)
logger.debug("Generated Output of openssl certificate command: " +
CA_signed_certificate)
os.unlink(CA_certificate_tempfile_name)
os.unlink(CA_privkey_tempfile_name)
os.unlink(certificate_signing_request_tempfile_name)
return (CA_signed_certificate, CA_key_pair)
def get_public_key_from_private_key(private_key):
""" Extracts public key from provided private key
input:
private_key: String representation of private key
output:
public key: String representation of public key
"""
privkey_tempfile = utility_functions.store_data_to_temp_file(private_key)
try:
public_key = utility_functions.system_command_logged([openssl_binary_path, "rsa", "-in", privkey_tempfile, "-pubout"], stderr_to_temp=True)
except subprocess.CalledProcessError, e:
logger.critical("call to OpenSSL binary returned an error!: retval = " + str(e.returncode) + " Command = " + str(e.cmd))
raise RuntimeError("call to OpenSSL binary returned an error!: retval = " + str(e.returncode) + " Command = " + str(e.cmd))
def get_public_key_from_certificate(certificate):
if 'BEGIN CERTIFICATE' not in certificate:
certificate = cert_der_to_pem(certificate)
pubkey=_extract_public_key_from_certificate(certificate)
pubkey_file_name=utility_functions.store_data_to_temp_file(pubkey)
command_list=[openssl_binary_path,'rsa','-pubin','-inform','PEM','-text','-noout','<',pubkey_file_name]
logger.debug("Command_list = " + repr(command_list))
pubkey_text = utility_functions.system_command_logged(command_list, stderr_to_temp=True)
logger.debug2("Pubkey text: " + pubkey_text)
os.unlink(pubkey_file_name)
def privkey_der_to_pem(der_privkey):
""" Convert binary DER format PRIVATE key into base64 coded ASCII PEM format
input:
der_privkey: String containing binary PRIVATE KEY
output
pem_privkey: String containing base64 PEM PRIVATE KEY
"""
der_tempfile_name = utility_functions.store_data_to_temp_file(der_privkey)
try:
pem_privkey = utility_functions.system_command_logged([openssl_binary_path, 'rsa', '-in', der_tempfile_name, '-inform', 'DER', '-outform', 'PEM'], stderr_to_temp=True)
except:
logger.critical("privkey_der_to_pem: OPENSSL Could not convert DER key to PEM")
logger.debug2("PEM Format Private Key: " + pem_privkey)
logger.debug("Deleting temporary file: " + der_tempfile_name)
os.unlink(der_tempfile_name)
return pem_privkey
def privkey_pem_to_der(pem_privkey):
""" Convert PEM format PRIVATE key into DER format
input:
pem_privkey: String containing base64 PEM Private key
output
der_privkey: String containing binary Private key
"""
pem_tempfile_name = utility_functions.store_data_to_temp_file(pem_privkey)
try:
der_privkey = utility_functions.system_command_logged([openssl_binary_path, 'rsa', '-in', pem_tempfile_name, '-inform', 'PEM', '-outform', 'DER'], stderr_to_temp=True)
except:
logger.critical("privkey_pem_to_der: OPENSSL Could not convert PEM key to DER key")
logger.debug2("PEM Format private key: " + hexdump(der_privkey))
logger.debug("Deleting temporary file: " + pem_tempfile_name)
os.unlink(pem_tempfile_name)
return der_privkey
def _extract_public_key_from_certificate(certificate):
""" Pulls out public key stored in certificate.
input:
certificate = String representation of PEM certificate
output:
public_key = String representation of public key in certificate
"""
certificate_tempfile_name=utility_functions.store_data_to_temp_file(certificate)
command_list = [openssl_binary_path, 'x509', '-in', certificate_tempfile_name, '-pubkey', '-noout', '-inform', 'PEM']
try:
public_key = utility_functions.system_command_logged(command_list)
except:
logger.critical("_extract_public_key_from_certificate: OPENSSL could not extract public key from cert")
return public_key
def cert_der_to_pem(der_certificate):
""" Convert binary DER format certificate into base64 coded ASCII PEM format
input:
der_certificate: String containing binary certificate
output
pem_certificate: String containing base64 PEM certificate
"""
der_tempfile_name = utility_functions.store_data_to_temp_file(der_certificate)
try:
pem_certificate = utility_functions.system_command_logged([openssl_binary_path, 'x509', '-in', der_tempfile_name, '-inform', 'DER', '-outform', 'PEM'], stderr_to_temp=True)
except:
logger.critical("cert_der_to_pem: OPENSSL could not convert DER cert to PEM")
logger.debug2("PEM Format certificate: " + pem_certificate)
logger.debug("Deleting temporary file: " + der_tempfile_name)
os.unlink(der_tempfile_name)
return pem_certificate
def cert_pem_to_der(pem_certificate):
""" Convert PEM format certificate into DER format
input:
pem_certificate: String containing base64 PEM certificate
output
der_certificate: String containing binary certificate
"""
pem_tempfile_name = utility_functions.store_data_to_temp_file(pem_certificate)
try:
der_certificate = utility_functions.system_command_logged([openssl_binary_path, 'x509', '-in', pem_tempfile_name, '-inform', 'PEM', '-outform', 'DER'], stderr_to_temp=True)
except:
logger.critical("cert_pem_to_der: OPENSSL could not convert PEM cert to DER")
logger.debug2("PEM Format certificate: " + hexdump(der_certificate))
logger.debug("Deleting temporary file: " + pem_tempfile_name)
os.unlink(pem_tempfile_name)
return der_certificate
def decrypt_with_public_key(encrypted_message, public_key):
""" Decrypt an encrypted message with a public key
input:
encrypted_message = String representation of encrypted message
public_key = String representation of public key
output:
message = String representing decrypted message
"""
public_key_tempfile_name =utility_functions.store_data_to_temp_file(public_key)
encrypted_message_tempfile_name = utility_functions.store_data_to_temp_file(encrypted_message)
command_list=[openssl_binary_path, 'rsautl', '-inkey', public_key_tempfile_name, '-pubin', '-in', encrypted_message_tempfile_name]
try:
message = utility_functions.system_command_logged(command_list, stderr_to_temp=True)
except:
logger.critical("decrypt_with_public_key: OPENSSL could not decrypt with public key")
return message
def decrypt_with_private_der_key(encrypted_message, private_key):
""" Decrypt an encrypted message with a private key
input:
encrypted_message = String representation of encrypted message
private_key = String representation of private key
output:
message = String representing decrypted message
"""
private_key_tempfile_name =utility_functions.store_data_to_temp_file(private_key)
encrypted_message_tempfile_name = utility_functions.store_data_to_temp_file(encrypted_message)
pt_tempfile_name=utility_functions.store_data_to_temp_file('')
command_list=[openssl_binary_path, 'rsautl', '-decrypt', '-inkey', private_key_tempfile_name, '-in', encrypted_message_tempfile_name, '-keyform','DER']
try:
message = utility_functions.system_command_logged(command_list, stderr_to_temp=True)
return message
except:
logger.debug2("decrypt_with_private_der_key: OPENSSL could not decrypt with private key")
def encrypt_with_private_key(message, private_key):
""" Encrypt a message with a private key
input:
message: String representing message
private_key: String representing the private key
output:
signature: String representing encrypted message
"""
private_key_tempfile_name =utility_functions.store_data_to_temp_file(private_key)
message_tempfile_name = utility_functions.store_data_to_temp_file(message)
command_list = [openssl_binary_path, "rsautl", "-sign", "-pkcs", "-inkey", private_key_tempfile_name, '-in', message_tempfile_name]
try:
encrypted_message = utility_functions.system_command_logged(command_list, stderr_to_temp=True)
except:
logger.critical("encrypt_with_private_key: OPENSSL could not perform RSA sign operation")
return encrypted_message
def generate_hash(hashing_algorithm, file_to_hash):
""" Function to generate hashes of input file using the standard hashing algoritm specified
input: hashing_algorithm: ["SHA1"|"SHA256"]
file_to_hash: The file to calculate the hash of.
output: string representing hash of file_to_hash
"""
if hashing_algorithm.lower() not in ["sha1", "sha256"]:
logger.warning("The algorithm specified is invalid! Using SHA256 as default.")
hashing_algorithm="-sha256"
else:
hashing_algorithm = "-" + hashing_algorithm
try:
generated_hash = utility_functions.system_command_logged([openssl_binary_path, "dgst", hashing_algorithm, file_to_hash]).rstrip().split("= ")[1]
except:
logger.critical("generate_hash: OPENSSL Hash generation failed")
return generated_hash
def gen_rsa_key_pair(key_size_in_bits, key_exponent, priv_key_output_file, pub_key_output_file):
""" Generate RSA Key pair
input:
key_size_in_bits: Size of the key in bits.
key_exponent: [3, 65537]
Exponent used in key calculation.
priv_key_output_file: File name for storing private key
pub_key_output_file: File name for storing public key
output:
returned value: {"public_key": [Generated public key],
"private_key": [Generated private key] }
Dictionary holding the values of public and private keys
"""
logger.debug("the openssl_binary is:{0}".format(openssl_binary_path))
if key_exponent==3:
exponent_str="-3"
elif key_exponent == 65537:
exponent_str="-f4"
else:
logger.warning("Exponent value supplied is INVALID! going with default exponent of 65537.")
exponent_str="-f4"
key_size_str=str(key_size_in_bits)
if priv_key_output_file is not None:
pk_file=open(priv_key_output_file,"wb")
else:
pk_file=tempfile.NamedTemporaryFile(delete=False)
logger.debug("No output file specified for private key storage, so creating temp file: " + pk_file.name)
try:
private_key = utility_functions.system_command_logged([openssl_binary_path, "genrsa", exponent_str, key_size_str], stderr_to_temp=True)
except subprocess.CalledProcessError, e:
logger.critical("gen_rsa_key_pair: OPENSSL Errored out on generation of RSA key.")
logger.critical("call to OpenSSL binary returned an error!: retval = " + str(e.returncode) + " Command = " + str(e.cmd))
raise RuntimeError("call to OpenSSL binary returned an error!: retval = " + str(e.returncode) + " Command = " + str(e.cmd))
def _sign_csr_with_CA_certificate(certificate_signing_request, CA_certificate, CA_key_pair, days, serial_num, extfile_name):
""" Sign a Certificate signing request with a higher level CA certificate
input:
certificate_signing_request: String form of CSR
CA_certificate: String representation of a higher level CA certificate
CA_key_pair : {"public_key": [Generated public key],
"private_key": [Generated private key] }
The key pair of the CA_certificate
days = validity period of certificate in days
serial_num = Serial number of certificate
extfile_name = Name of the extensions file to be used by openssl
output:
CA_signed_certificate: String representation of CA Signed certificate (PEM)
CA_key_pair: {"public_key": CA public key,
"private_key": CA private key }
"""
CA_certificate_tempfile_name =utility_functions.store_data_to_temp_file(CA_certificate)
CA_privkey_tempfile_name = utility_functions.store_data_to_temp_file(CA_key_pair['private_key'])
certificate_signing_request_tempfile_name = utility_functions.store_data_to_temp_file(certificate_signing_request)
command_list=[openssl_binary_path, "x509", "-req", "-in", certificate_signing_request_tempfile_name, "-CAkey",
CA_privkey_tempfile_name, "-CA", CA_certificate_tempfile_name, "-days", str(days),
"-set_serial", str(serial_num), "-extfile", extfile_name, "-sha256"]
logger.debug("Command_list = " + repr(command_list))
CA_signed_certificate = utility_functions.system_command_logged(command_list, stderr_to_temp=True)
logger.debug("Generated Output of openssl certificate command: " + CA_signed_certificate)
os.unlink(CA_certificate_tempfile_name)
os.unlink(CA_privkey_tempfile_name)
os.unlink(certificate_signing_request_tempfile_name)
return (CA_signed_certificate, CA_key_pair)
logger.critical(
"gen_rsa_key_pair: OPENSSL Errored out on generation of RSA key.")
logger.critical(
"call to OpenSSL binary returned an error!: retval = " +
str(e.returncode) + " Command = " + str(e.cmd))
raise RuntimeError(
"call to OpenSSL binary returned an error!: retval = " +
str(e.returncode) + " Command = " + str(e.cmd))
logger.debug("Writing generated private key to PEM file:" + pk_file.name)
pk_file.write(private_key)
pk_file.close()
try:
public_key = utility_functions.system_command_logged(
[openssl_binary_path, "rsa", "-in", pk_file.name, "-pubout"],
stderr_to_temp=True)
except subprocess.CalledProcessError, e:
logger.critical("gen_rsa_key_pair: OPENSSL could not get public key")
logger.critical(
"call to OpenSSL binary returned an error!: retval = " +
str(e.returncode) + " Command = " + str(e.cmd))
raise RuntimeError(
"call to OpenSSL binary returned an error!: retval = " +
str(e.returncode) + " Command = " + str(e.cmd))
if pub_key_output_file is not None:
logger.debug("Writing public key to file: " + pub_key_output_file)
pubk_file = open(pub_key_output_file, "wb")
pubk_file.write(public_key)
pubk_file.close()
pk_file=tempfile.NamedTemporaryFile(delete=False)
logger.debug("No output file specified for private key storage, so creating temp file: " + pk_file.name)
try:
private_key = utility_functions.system_command_logged([openssl_binary_path, "genrsa", exponent_str, key_size_str], stderr_to_temp=True)
except subprocess.CalledProcessError, e:
logger.critical("gen_rsa_key_pair: OPENSSL Errored out on generation of RSA key.")
logger.critical("call to OpenSSL binary returned an error!: retval = " + str(e.returncode) + " Command = " + str(e.cmd))
raise RuntimeError("call to OpenSSL binary returned an error!: retval = " + str(e.returncode) + " Command = " + str(e.cmd))
logger.debug("Writing generated private key to PEM file:" + pk_file.name)
pk_file.write(private_key)
pk_file.close()
try:
public_key = utility_functions.system_command_logged([openssl_binary_path, "rsa", "-in", pk_file.name, "-pubout"], stderr_to_temp=True)
except subprocess.CalledProcessError, e:
logger.critical("gen_rsa_key_pair: OPENSSL could not get public key")
logger.critical("call to OpenSSL binary returned an error!: retval = " + str(e.returncode) + " Command = " + str(e.cmd))
raise RuntimeError("call to OpenSSL binary returned an error!: retval = " + str(e.returncode) + " Command = " + str(e.cmd))
if pub_key_output_file is not None:
logger.debug("Writing public key to file: " + pub_key_output_file)
pubk_file=open(pub_key_output_file,"wb")
pubk_file.write(public_key)
pubk_file.close()
if priv_key_output_file is None:
logger.debug("Since private key file is temporary, deleting: " + pk_file.name)
os.unlink(pk_file.name)
