def load_pkcs7(p7file):
bio = m2.bio_new_file(p7file, 'r')
if bio is None:
raise BIO.BIOError(Err.get_error())
try:
p7_ptr = m2.pkcs7_read_bio(bio)
finally:
m2.bio_free(bio)
if p7_ptr is None:
raise PKCS7_Error(Err.get_error())
return PKCS7(p7_ptr, 1)
def load_session(pemfile):
f = BIO.openfile(pemfile)
cptr = m2.ssl_session_read_pem(f.bio_ptr())
f.close()
if cptr is None:
raise Err.get_error()
return Session(cptr, 1)
def sign(self, data_bio, flags=0):
if not hasattr(self, 'pkey'):
raise SMIME_Error('no private key: use load_key()')
if hasattr(self, 'x509_stack'):
pkcs7 = m2.pkcs7_sign1(self.x509._ptr(), self.pkey._ptr(),
self.x509_stack._ptr(),
data_bio._ptr(), flags)
if pkcs7 is None:
raise SMIME_Error(Err.get_error())
return PKCS7(pkcs7, 1)
else:
pkcs7 = m2.pkcs7_sign0(self.x509._ptr(), self.pkey._ptr(),
data_bio._ptr(), flags)
if pkcs7 is None:
raise SMIME_Error(Err.get_error())
return PKCS7(pkcs7, 1)
def load_session(pemfile):
# type: (AnyStr) -> Session
with BIO.openfile(pemfile) as f:
cptr = m2.ssl_session_read_pem(f.bio_ptr())
if cptr is None:
raise SSLError(Err.get_error())
return Session(cptr, 1)
def _validatepubkeygeneric(self, signing_cert, digest_alg, payload,
enc_digest):
m2_cert = M2_X509.load_cert_der_string(der_encoder.encode(signing_cert))
pubkey = m2_cert.get_pubkey()
pubkey.reset_context(digest_alg().name)
pubkey.verify_init()
pubkey.verify_update(payload)
v = pubkey.verify_final(enc_digest)
if v != 1:
self.openssl_error = M2_Err.get_error()
# Let's try a special case. I have no idea how I would determine when
# to use this instead of the above code, so I'll always try. The
# observed problem was that for one countersignature (RSA on MD5),
# the encrypted digest did not contain an ASN.1 structure, but the
# raw hash value instead.
try:
rsa = pubkey.get_rsa()
except ValueError:
# It's not an RSA key, just fall through...
pass
else:
clear = rsa.public_decrypt(enc_digest, M2_RSA.pkcs1_padding)
if digest_alg(payload).digest() == clear:
return 1
return v
def run(self):
ctx = SSL.Context()
ctx.load_cert_chain("tests/server.pem")
conn = SSL.Connection(ctx)
cipher_list = conn.get_cipher_list()
sslbio = BIO.SSLBio()
readbio = BIO.MemoryBuffer()
writebio = BIO.MemoryBuffer()
sslbio.set_ssl(conn)
conn.set_bio(readbio, writebio)
conn.set_connect_state()
sock = socket.socket()
sock.connect((self.host, self.port))
handshake_complete = False
while not handshake_complete:
ret = sslbio.do_handshake()
if ret <= 0:
if not sslbio.should_retry() or not sslbio.should_read():
err_string = Err.get_error()
print(err_string)
sys.exit("unrecoverable error in handshake - client")
else:
output_token = writebio.read()
if output_token is not None:
sock.sendall(output_token)
else:
input_token = sock.recv(1024)
readbio.write(input_token)
else:
handshake_complete = True
sock.close()
def load_request(file, format=FORMAT_PEM):
"""
Load certificate request from file.
@type file: string
@param file: Name of file containing certificate request in
either PEM or DER format.
@type format: int, either FORMAT_PEM or FORMAT_DER
@param format: Describes the format of the file to be loaded,
either PEM or DER.
@rtype: M2Crypto.X509.Request
@return: M2Crypto.X509.Request object.
"""
f = BIO.openfile(file)
if format == FORMAT_PEM:
cptr = m2.x509_req_read_pem(f.bio_ptr())
elif format == FORMAT_DER:
cptr = m2.d2i_x509_req(f.bio_ptr())
else:
raise ValueError(
"Unknown filetype. Must be either FORMAT_PEM or FORMAT_DER")
f.close()
if cptr is None:
raise X509Error(Err.get_error())
return Request(cptr, 1)
def text_crlf_bio(bio_in):
# type: (BIO.BIO) -> BIO.BIO
bio_out = BIO.MemoryBuffer()
if m2.smime_crlf_copy(bio_in._ptr(), bio_out._ptr()):
return bio_out
else:
raise SMIME_Error(Err.get_error())
def load_cert(file, format=FORMAT_PEM):
"""
Load certificate from file.
@type file: string
@param file: Name of file containing certificate in either DER or
PEM format.
@type format: int, either FORMAT_PEM or FORMAT_DER
@param format: Describes the format of the file to be loaded,
either PEM or DER.
@rtype: M2Crypto.X509.X509
@return: M2Crypto.X509.X509 object.
"""
bio = BIO.openfile(file)
if format == FORMAT_PEM:
return load_cert_bio(bio)
elif format == FORMAT_DER:
cptr = m2.d2i_x509(bio._ptr())
if cptr is None:
raise X509Error(Err.get_error())
return X509(cptr, _pyfree=1)
else:
raise ValueError(
"Unknown format. Must be either FORMAT_DER or FORMAT_PEM")
def smime_load_pkcs7(p7file):
bio = m2.bio_new_file(p7file, 'r')
if bio is None:
raise BIO.BIOError(Err.get_error())
try:
p7_ptr, bio_ptr = m2.smime_read_pkcs7(bio)
finally:
m2.bio_free(bio)
if p7_ptr is None:
raise SMIME_Error(Err.get_error())
if bio_ptr is None:
return PKCS7(p7_ptr, 1), None
else:
return PKCS7(p7_ptr, 1), BIO.BIO(bio_ptr, 1)
def text_crlf(text):
bio_in = BIO.MemoryBuffer(text)
bio_out = BIO.MemoryBuffer()
if m2.smime_crlf_copy(bio_in._ptr(), bio_out._ptr()):
return bio_out.read()
else:
raise SMIME_Error(Err.get_error())
def ctrl_cmd_string(self, cmd, arg, optional=0):
# type: (AnyStr, Optional[AnyStr], int) -> None
"""Call ENGINE_ctrl_cmd_string"""
cmd = six.ensure_str(cmd)
if arg is not None:
arg = six.ensure_str(arg)
if not m2.engine_ctrl_cmd_string(self._ptr, cmd, arg, optional):
raise EngineError(Err.get_error())
def smime_load_pkcs7_bio(p7_bio):
p7_ptr, bio_ptr = m2.smime_read_pkcs7(p7_bio._ptr())
if p7_ptr is None:
raise SMIME_Error(Err.get_error())
if bio_ptr is None:
return PKCS7(p7_ptr, 1), None
else:
return PKCS7(p7_ptr, 1), BIO.BIO(bio_ptr, 1)
def load_session(pemfile):
f = BIO.openfile(pemfile)
cptr = m2.ssl_session_read_pem(f.bio_ptr())
f.close()
if cptr is None:
from M2Crypto.SSL import SSLError
raise SSLError(Err.get_error())
return Session(cptr, 1)
def new_stack_from_der(der_string):
"""
Create a new X509_Stack from DER string.
@return: X509_Stack
"""
stack_ptr = m2.make_stack_from_der_sequence(der_string)
if stack_ptr is None:
raise X509Error(Err.get_error())
return X509_Stack(stack_ptr, 1, 1)
def __init__(self, request=None, path=None, dn=None,
keySize=2048, key=None, extensions=None):
self._signed = False
# Create public key object
if key and not request:
self._key = key
else:
self._key = Key(keySize=keySize)
# Create certificate._request
if request:
self._request = request
if isinstance(request, str):
if request.startswith("-----BEGIN CERTIFICATE REQUEST-----"):
bio = BIO.MemoryBuffer(request)
cptr = m2.x509_req_read_pem(bio._ptr())
if cptr is None:
raise X509.X509Error(Err.get_error())
self._request = X509.Request(cptr, _pyfree=1)
elif ord(request[0]) == 48:
bio = BIO.MemoryBuffer(request)
cptr = m2.d2i_x509_req(bio._ptr())
if cptr is None:
raise X509.X509Error(Err.get_error())
self._request = X509.Request(cptr, _pyfree=1)
elif path.exists(request):
reqfile = open(request)
bio = BIO.File(reqfile)
self._request = X509.load_request_bio(bio)
else:
raise ValueError('WFT')
else:
self._request = X509.Request()
self._request.set_pubkey(self._key)
self._request.set_version(0)
if dn:
self.set_dn(dn)
if extensions:
self.add_extensions(extensions)
def encrypt(self, data_bio, flags=0):
if not hasattr(self, 'cipher'):
raise SMIME_Error('no cipher: use set_cipher()')
if not hasattr(self, 'x509_stack'):
raise SMIME_Error('no recipient certs: use set_x509_stack()')
pkcs7 = m2.pkcs7_encrypt(self.x509_stack._ptr(), data_bio._ptr(),
self.cipher._ptr(), flags)
if pkcs7 is None:
raise SMIME_Error(Err.get_error())
return PKCS7(pkcs7, 1)
def ValidateCertificateSignature(self, signed_cert, signing_cert):
"""Given a cert signed by another cert, validates the signature."""
# First the naive way -- note this does not check expiry / use etc.
signed_m2 = M2_X509.load_cert_der_string(der_encoder.encode(signed_cert))
signing_m2 = M2_X509.load_cert_der_string(der_encoder.encode(signing_cert))
pubkey = signing_m2.get_pubkey()
v = signed_m2.verify(pubkey)
if v != 1:
self.openssl_error = M2_Err.get_error()
raise Asn1Error('1: Validation of cert signature failed.')
def decrypt(self, pkcs7, flags=0):
if not hasattr(self, 'pkey'):
raise SMIME_Error('no private key: use load_key()')
if not hasattr(self, 'x509'):
raise SMIME_Error('no certificate: load_key() used incorrectly?')
blob = m2.pkcs7_decrypt(pkcs7._ptr(), self.pkey._ptr(),
self.x509._ptr(), flags)
if blob is None:
raise SMIME_Error(Err.get_error())
return blob
def load_key(file, callback=util.passphrase_callback):
# type: (AnyStr, Callable) -> PKey
"""
Load an M2Crypto.EVP.PKey from file.
@param file: Name of file containing the key in PEM format.
@param callback: A Python callable object that is invoked
to acquire a passphrase with which to protect the key.
@return: M2Crypto.EVP.PKey object.
"""
bio = m2.bio_new_file(file, 'r')
if bio is None:
raise BIO.BIOError(Err.get_error())
cptr = m2.pkey_read_pem(bio, callback)
m2.bio_free(bio)
if cptr is None:
raise EVPError(Err.get_error())
return PKey(cptr, 1)
def _engine_load_key(self, func, name, pin = None):
"""Helper function for loading keys"""
ui = m2.ui_openssl()
cbd = m2.engine_pkcs11_data_new(pin)
try:
kptr = func(self._ptr, name, ui, cbd)
if not kptr:
raise EngineError(Err.get_error())
key = EVP.PKey(kptr, _pyfree = 1)
finally:
m2.engine_pkcs11_data_free(cbd)
return key
def load_key(file, callback=util.passphrase_callback):
"""
Load an M2Crypto.EVP.PKey from file.
@type file: string
@param file: Name of file containing the key in PEM format.
@type callback: Python callable
@param callback: A Python callable object that is invoked
to acquire a passphrase with which to protect the key.
@rtype: M2Crypto.EVP.PKey
@return: M2Crypto.EVP.PKey object.
"""
bio = m2.bio_new_file(file, "r")
if bio is None:
raise Err.get_error()
cptr = m2.pkey_read_pem(bio, callback)
m2.bio_free(bio)
if cptr is None:
raise Err.get_error()
return PKey(cptr, 1)
def sign(self, data_bio, flags=0, algo='sha1'):
# type: (BIO.BIO, int, Optional[str]) -> PKCS7
if not hasattr(self, 'pkey'):
raise SMIME_Error('no private key: use load_key()')
hash = getattr(m2, algo, None)
if hash is None:
raise SMIME_Error('no such hash algorithm %s' % algo)
if hasattr(self, 'x509_stack'):
pkcs7 = m2.pkcs7_sign1(self.x509._ptr(), self.pkey._ptr(),
self.x509_stack._ptr(), data_bio._ptr(),
hash(), flags)
if pkcs7 is None:
raise SMIME_Error(Err.get_error())
return PKCS7(pkcs7, 1)
else:
pkcs7 = m2.pkcs7_sign0(self.x509._ptr(), self.pkey._ptr(),
data_bio._ptr(), hash(), flags)
if pkcs7 is None:
raise SMIME_Error(Err.get_error())
return PKCS7(pkcs7, 1)
def load_cert_der_string(string):
# type: (AnyStr) -> X509
"""
Load certificate from a string.
@param string: String containing a certificate in DER format.
@return: M2Crypto.X509.X509 object.
"""
string = util.py3bytes(string)
bio = BIO.MemoryBuffer(string)
cptr = m2.d2i_x509(bio._ptr())
if cptr is None:
raise X509Error(Err.get_error())
return X509(cptr, _pyfree=1)
def load_key_bio_pubkey(bio, callback=util.passphrase_callback):
# type: (BIO.BIO, Callable) -> PKey
"""
Load an M2Crypto.EVP.PKey from a public key as a M2Crypto.BIO object.
:param bio: M2Crypto.BIO object containing the key in PEM format.
:param callback: A Python callable object that is invoked
to acquire a passphrase with which to protect the
key.
:return: M2Crypto.EVP.PKey object.
"""
cptr = m2.pkey_read_pem_pubkey(bio._ptr(), callback)
if cptr is None:
raise EVPError(Err.get_error())
return PKey(cptr, 1)
def sign(self, data_bio, flags=0, algo='sha1'):
# type: (BIO.BIO, int, Optional[str]) -> PKCS7
if not hasattr(self, 'pkey'):
raise SMIME_Error('no private key: use load_key()')
hash = getattr(m2, algo, None)
if hash is None:
raise SMIME_Error('no such hash algorithm %s' % algo)
if hasattr(self, 'x509_stack'):
pkcs7 = m2.pkcs7_sign1(self.x509._ptr(), self.pkey._ptr(),
self.x509_stack._ptr(),
data_bio._ptr(), hash(), flags)
if pkcs7 is None:
raise SMIME_Error(Err.get_error())
return PKCS7(pkcs7, 1)
else:
pkcs7 = m2.pkcs7_sign0(self.x509._ptr(), self.pkey._ptr(),
data_bio._ptr(), hash(), flags)
if pkcs7 is None:
raise SMIME_Error(Err.get_error())
return PKCS7(pkcs7, 1)
def load_crl_string(crl_string):
"""
Load CRL from a string.
@type string: string
@param string: String containing a CRL in PEM format.
@rtype: M2Crypto.X509.X509_CRL
@return: M2Crypto.X509.X509_CRL object.
"""
bio = BIO.MemoryBuffer(crl_string)
cptr=m2.x509_crl_read_pem(bio._ptr())
if cptr is None:
raise X509Error(Err.get_error())
return CRL(cptr, 1)
def load_cert_der_string(string):
"""
Load certificate from a string.
@type string: string
@param string: String containing a certificate in DER format.
@rtype: M2Crypto.X509.X509
@return: M2Crypto.X509.X509 object.
"""
bio = BIO.MemoryBuffer(string)
cptr = m2.d2i_x509(bio._ptr())
if cptr is None:
raise X509Error(Err.get_error())
return X509(cptr, _pyfree=1)
def load_cert_der_string(string):
"""
Load certificate from a string.
@type string: string
@param string: String containing a certificate in DER format.
@rtype: M2Crypto.X509.X509
@return: M2Crypto.X509.X509 object.
"""
bio = BIO.MemoryBuffer(string)
cptr = m2.d2i_x509(bio._ptr())
if cptr is None:
raise X509Error(Err.get_error())
return X509(cptr, _pyfree=1)
def load_crl(file):
# type: (AnyStr) -> CRL
"""
Load CRL from file.
:param file: Name of file containing CRL in PEM format.
:return: M2Crypto.X509.CRL object.
"""
with BIO.openfile(file) as f:
cptr = m2.x509_crl_read_pem(f.bio_ptr())
if cptr is None:
raise X509Error(Err.get_error())
return CRL(cptr, 1)
def load_crl(file):
"""
Load CRL from file.
@type file: string
@param file: Name of file containing CRL in PEM format.
@rtype: M2Crypto.X509.CRL
@return: M2Crypto.X509.CRL object.
"""
f=BIO.openfile(file)
cptr=m2.x509_crl_read_pem(f.bio_ptr())
f.close()
if cptr is None:
raise X509Error(Err.get_error())
return CRL(cptr, 1)
def get_signature_serial_number(pkcs7):
"""
Extracts the serial number out of a DER formatted, detached PKCS7
signature buffer
"""
pkcs7_buf = MemoryBuffer(pkcs7)
if pkcs7_buf is None:
raise BIOError(Err.get_error())
p7_ptr = pkcs7_read_bio_der(pkcs7_buf.bio)
p = PKCS7(p7_ptr, 1)
# Fetch the certificate stack that is the list of signers
# Since there should only be one in this use case, take the zeroth
# cert in the stack and return its serial number
return p.get0_signers(X509_Stack())[0].get_serial_number()
def load_request(file):
"""
Load certificate request from file.
@type file: string
@param file: Name of file containing certificate request in PEM format.
@rtype: M2Crypto.X509.Request
@return: M2Crypto.X509.Request object.
"""
f = BIO.openfile(file)
cptr = m2.x509_req_read_pem(f.bio_ptr())
f.close()
if cptr is None:
raise Err.get_error()
return Request(cptr, 1)
def load_crl(file):
"""
Load CRL from file.
@type file: string
@param file: Name of file containing CRL in PEM format.
@rtype: M2Crypto.X509.CRL
@return: M2Crypto.X509.CRL object.
"""
f = BIO.openfile(file)
cptr = m2.x509_crl_read_pem(f.bio_ptr())
f.close()
if cptr is None:
raise X509Error(Err.get_error())
return CRL(cptr, 1)
def load_key_bio_pubkey(bio, callback=util.passphrase_callback):
# type: (BIO.BIO, Callable) -> PKey
"""
Load an M2Crypto.EVP.PKey from a public key as a M2Crypto.BIO object.
@param bio: M2Crypto.BIO object containing the key in PEM format.
@param callback: A Python callable object that is invoked
to acquire a passphrase with which to protect the key.
@return: M2Crypto.EVP.PKey object.
"""
cptr = m2.pkey_read_pem_pubkey(bio._ptr(), callback)
if cptr is None:
raise EVPError(Err.get_error())
return PKey(cptr, 1)
def verify(self, pkcs7, data_bio=None, flags=0):
if not hasattr(self, 'x509_stack'):
raise SMIME_Error('no signer certs: use set_x509_stack()')
if not hasattr(self, 'x509_store'):
raise SMIME_Error('no x509 cert store: use set_x509_store()')
assert isinstance(pkcs7, PKCS7), 'pkcs7 not an instance of PKCS7'
p7 = pkcs7._ptr()
if data_bio is None:
blob = m2.pkcs7_verify0(p7, self.x509_stack._ptr(),
self.x509_store._ptr(), flags)
else:
blob = m2.pkcs7_verify1(p7, self.x509_stack._ptr(),
self.x509_store._ptr(),
data_bio._ptr(), flags)
if blob is None:
raise SMIME_Error(Err.get_error())
return blob
def verify(self, pkcs7, data_bio=None, flags=0):
if not hasattr(self, 'x509_stack'):
raise SMIME_Error('no signer certs: use set_x509_stack()')
if not hasattr(self, 'x509_store'):
raise SMIME_Error('no x509 cert store: use set_x509_store()')
assert isinstance(pkcs7, PKCS7), 'pkcs7 not an instance of PKCS7'
p7 = pkcs7._ptr()
if data_bio is None:
blob = m2.pkcs7_verify0(p7, self.x509_stack._ptr(),
self.x509_store._ptr(), flags)
else:
blob = m2.pkcs7_verify1(p7, self.x509_stack._ptr(),
self.x509_store._ptr(), data_bio._ptr(),
flags)
if blob is None:
raise SMIME_Error(Err.get_error())
return blob
def test_makefile_err(self):
pid = self.start_server(self.args)
try:
ctx = SSL.Context()
s = SSL.Connection(ctx)
try:
s.connect(self.srv_addr)
except SSL.SSLError, e:
assert 0, e
f = s.makefile()
data = self.http_get(s)
s.close()
del f
del s
err_code = Err.peek_error_code()
assert not err_code, 'Unexpected error: %s' % err_code
err = Err.get_error()
assert not err, 'Unexpected error: %s' % err
def test_makefile_err(self):
pid = self.start_server(self.args)
try:
ctx = SSL.Context()
s = SSL.Connection(ctx)
try:
s.connect(self.srv_addr)
except SSL.SSLError, e:
assert 0, e
f = s.makefile()
data = self.http_get(s)
s.close()
del f
del s
err_code = Err.peek_error_code()
assert not err_code, 'Unexpected error: %s' % err_code
err = Err.get_error()
assert not err, 'Unexpected error: %s' % err
def load_key_bio(bio, callback=util.passphrase_callback):
"""
Load an M2Crypto.EVP.PKey from an M2Crypto.BIO object.
@type bio: M2Crypto.BIO
@param bio: M2Crypto.BIO object containing the key in PEM format.
@type callback: Python callable
@param callback: A Python callable object that is invoked
to acquire a passphrase with which to protect the key.
@rtype: M2Crypto.EVP.PKey
@return: M2Crypto.EVP.PKey object.
"""
cptr = m2.pkey_read_pem(bio._ptr(), callback)
if cptr is None:
raise EVPError(Err.get_error())
return PKey(cptr, 1)
def load_key_bio(bio, callback=util.passphrase_callback):
"""
Load an M2Crypto.EVP.PKey from an M2Crypto.BIO object.
@type bio: M2Crypto.BIO
@param bio: M2Crypto.BIO object containing the key in PEM format.
@type callback: Python callable
@param callback: A Python callable object that is invoked
to acquire a passphrase with which to protect the key.
@rtype: M2Crypto.EVP.PKey
@return: M2Crypto.EVP.PKey object.
"""
cptr = m2.pkey_read_pem(bio._ptr(), callback)
if cptr is None:
raise Err.get_error()
return PKey(cptr, 1)
def load_key_pubkey(file, callback=util.passphrase_callback):
# type: (AnyStr, Callable) -> PKey
"""
Load an M2Crypto.EVP.PKey from a public key as a file.
:param file: Name of file containing the key in PEM format.
:param callback: A Python callable object that is invoked
to acquire a passphrase with which to protect the
key.
:return: M2Crypto.EVP.PKey object.
"""
with BIO.openfile(file, 'r') as bio:
cptr = m2.pkey_read_pem_pubkey(bio._ptr(), callback)
if cptr is None:
raise EVPError(Err.get_error())
return PKey(cptr, 1)
def ValidateCertificateSignature(self, signed_cert, signing_cert):
"""Given a cert signed by another cert, validates the signature."""
# First the naive way -- note this does not check expiry / use etc.
signed_m2 = M2_X509.load_cert_der_string(
der_encoder.encode(signed_cert))
signing_cert_text = der_encoder.encode(signing_cert)
signing_m2 = M2_X509.load_cert_der_string(signing_cert_text)
pubkey = signing_m2.get_pubkey()
#XXX: eval! eval!!!
#for openssl doesn't accept md2 as hash method. and such a cert has been used every where.
#will not just trust it
if hashlib.md5(signing_cert_text).hexdigest(
) == '10fc635df6263e0df325be5f79cd6767':
return #10fc635df6263e0df325be5f79cd6767: Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
#Serial Number:70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
v = signed_m2.verify(pubkey)
if v != 1:
self.openssl_error = M2_Err.get_error()
raise Asn1Error('1: Validation of cert signature failed.')
def test_makefile_err(self):
pid = self.start_server(self.args)
try:
ctx = SSL.Context()
s = SSL.Connection(ctx)
try:
s.connect(self.srv_addr)
except SSL.SSLError as e:
self.fail(e)
f = s.makefile()
data = self.http_get(s)
s.close()
del f
del s
err_code = Err.peek_error_code()
self.assertEqual(err_code, 0, 'Unexpected error: %s' % err_code)
err = Err.get_error()
self.assertIsNone(err, 'Unexpected error: %s' % err)
finally:
self.stop_server(pid)
self.assertIn('s_server -quiet -www', data)
def load_request_bio(bio, format=FORMAT_PEM):
# type: (BIO.BIO, int) -> Request
"""
Load certificate request from a bio.
:param bio: BIO pointing at a certificate request in
either DER or PEM format.
:param format: Describes the format of the request to be loaded,
either PEM or DER. (using constants FORMAT_PEM
and FORMAT_DER)
:return: M2Crypto.X509.Request object.
"""
if format == FORMAT_PEM:
cptr = m2.x509_req_read_pem(bio._ptr())
elif format == FORMAT_DER:
cptr = m2.d2i_x509_req(bio._ptr())
else:
raise ValueError(
"Unknown format. Must be either FORMAT_DER or FORMAT_PEM")
if cptr is None:
raise X509Error(Err.get_error())
return Request(cptr, _pyfree=1)
def load_cert_bio(bio, format=FORMAT_PEM):
# type: (BIO.BIO, int) -> X509
"""
Load certificate from a bio.
@param bio: BIO pointing at a certificate in either DER or PEM format.
@param format: Describes the format of the cert to be loaded,
either PEM or DER (via constants FORMAT_PEM
and FORMAT_FORMAT_DER)
@return: M2Crypto.X509.X509 object.
"""
if format == FORMAT_PEM:
cptr = m2.x509_read_pem(bio._ptr())
elif format == FORMAT_DER:
cptr = m2.d2i_x509(bio._ptr())
else:
raise ValueError(
"Unknown format. Must be either FORMAT_DER or FORMAT_PEM")
if cptr is None:
raise X509Error(Err.get_error())
return X509(cptr, _pyfree=1)
def _validateRegistrationSignature(self, applicationParameter,
challengeParameter, keyHandle,
userPublicKey, cert, signature):
"""
Internal helper function to validate the registration signature received after parsing the
token registration data according to the U2F specification
:param applicationParameter: SHA-256 hash of the application identity.
:param challengeParameter: SHA-256 hash of the Client Data, a stringified JSON data
structure prepared by the FIDO Client.
:param keyHandle: The key handle retrieved on parsing the registration data
:param userPublicKey: The user public key retrieved on parsing the registration data
:param cert: X.509 certificate retrieved on parsing the registration data
:param signature: The signature to be verified as retrieved on parsing the
registration data
"""
certPubKey = cert.get_pubkey()
certPubKey.reset_context('sha256')
certPubKey.verify_init()
if certPubKey.verify_update(b'\x00' + applicationParameter +
challengeParameter + keyHandle +
userPublicKey) != 1:
raise Exception("Error on verify_update.")
# Check for OpenSSL version 1.0.0 or higher
if not self._is_supported_openssl_version():
raise Exception(
"This version of OpenSSL is not supported! OpenSSL version 1.0.0 "
"or higher is required for the U2F token.")
if certPubKey.verify_final(signature) != 1:
ssl_error = Err.get_error()
raise Exception(
"Signature verification failed! Maybe someone is doing "
"something nasty! However, this error could possibly also be "
"related to missing ECDSA support for the NIST P-256 curve in "
"OpenSSL.\n\nOpenSSL says:\n{}".format(ssl_error))
def load_cert(file, format=FORMAT_PEM):
# type: (AnyStr, int) -> X509
"""
Load certificate from file.
@param file: Name of file containing certificate in either DER or
PEM format.
@param format: Describes the format of the file to be loaded,
either PEM or DER.
@return: M2Crypto.X509.X509 object.
"""
with BIO.openfile(file) as bio:
if format == FORMAT_PEM:
return load_cert_bio(bio)
elif format == FORMAT_DER:
cptr = m2.d2i_x509(bio._ptr())
if cptr is None:
raise X509Error(Err.get_error())
return X509(cptr, _pyfree=1)
else:
raise ValueError(
"Unknown format. Must be either FORMAT_DER or FORMAT_PEM")
def load_request(file, format=FORMAT_PEM):
"""
Load certificate request from file.
@type file: string
@param file: Name of file containing certificate request in either PEM or DER format.
@type format: int, either FORMAT_PEM or FORMAT_DER
@param format: Describes the format of the file to be loaded, either PEM or DER.
@rtype: M2Crypto.X509.Request
@return: M2Crypto.X509.Request object.
"""
f = BIO.openfile(file)
if format == FORMAT_PEM:
cptr = m2.x509_req_read_pem(f.bio_ptr())
elif format == FORMAT_DER:
cptr = m2.d2i_x509_req(f.bio_ptr())
else:
raise ValueError(
"Unknown filetype. Must be either FORMAT_PEM or FORMAT_DER")
f.close()
if cptr is None:
raise X509Error(Err.get_error())
return Request(cptr, 1)
def load_request(file, format=FORMAT_PEM):
# type: (AnyStr, int) -> Request
"""
Load certificate request from file.
:param file: Name of file containing certificate request in
either PEM or DER format.
:param format: Describes the format of the file to be loaded,
either PEM or DER. (using constants FORMAT_PEM
and FORMAT_DER)
:return: Request object.
"""
with BIO.openfile(file) as f:
if format == FORMAT_PEM:
cptr = m2.x509_req_read_pem(f.bio_ptr())
elif format == FORMAT_DER:
cptr = m2.d2i_x509_req(f.bio_ptr())
else:
raise ValueError(
"Unknown filetype. Must be either FORMAT_PEM or FORMAT_DER")
if cptr is None:
raise X509Error(Err.get_error())
return Request(cptr, 1)
def run(self):
ctx = SSL.Context()
ctx.load_cert_chain("tests/server.pem")
conn = SSL.Connection(ctx)
cipher_list = conn.get_cipher_list()
sslbio = BIO.SSLBio()
readbio = BIO.MemoryBuffer()
writebio = BIO.MemoryBuffer()
sslbio.set_ssl(conn)
conn.set_bio(readbio, writebio)
conn.set_connect_state()
sock = socket.socket()
sock.connect((self.host, self.port))
handshake_complete = False
while not handshake_complete:
ret = sslbio.do_handshake()
if ret <= 0:
if not sslbio.should_retry() or not sslbio.should_read():
err_string = Err.get_error()
print(err_string)
sys.exit("unrecoverable error in handshake - client")
else:
output_token = writebio.read()
if output_token is not None:
sock.sendall(output_token)
else:
input_token = sock.recv(1024)
readbio.write(input_token)
else:
handshake_complete = True
output_token = writebio.read()
if output_token is not None:
sock.sendall(output_token)
sock.close()
def load_pkcs7_bio_der(p7_bio):
# type: (BIO.BIO) -> PKCS7
p7_ptr = m2.pkcs7_read_bio_der(p7_bio._ptr())
if p7_ptr is None:
raise PKCS7_Error(Err.get_error())
return PKCS7(p7_ptr, 1)
def ctrl_cmd_string(self, cmd, arg, optional=0):
"""Call ENGINE_ctrl_cmd_string"""
if not m2.engine_ctrl_cmd_string(self._ptr, cmd, arg, optional):
raise EngineError(Err.get_error())
def load_pkcs7_bio_der(p7_bio):
p7_ptr = m2.pkcs7_read_bio_der(p7_bio._ptr())
if p7_ptr is None:
raise SMIME.PKCS7_Error(Err.get_error())
return SMIME.PKCS7(p7_ptr, 1)
def ctrl_cmd_string(self, cmd, arg, optional=0):
# type: (bytes, Optional[bytes], int) -> int
"""Call ENGINE_ctrl_cmd_string"""
if not m2.engine_ctrl_cmd_string(self._ptr, cmd, arg, optional):
raise EngineError(Err.get_error())
def text_crlf_bio(bio_in):
bio_out = BIO.MemoryBuffer()
if m2.smime_crlf_copy(bio_in._ptr(), bio_out._ptr()):
return bio_out
else:
raise SMIME_Error(Err.get_error())
def handle_error(self, exc_type, exc_value, exc_traceback):
if self.debug:
print 'handle_error()'
#print exc_type, exc_value, exc_traceback
print Err.get_error()
self.handle_close()
def load_info(self, file):
ret = m2.x509_store_load_locations(self.store, file)
if ret < 1:
raise X509Error(Err.get_error())
return ret
