def verify_signers(self,signature_place):
""" The module will control the signers in the pkcs7 doc
1)If they are valid
2)If they are modified
3)is a valid chain
4)check with db if it is there
If all Ok return true else false"""
try:
if not os.path.exists(signature_place):
print "No signature file"
return False
tempSt=self.get_cert_from_sign(signature_place)
if not tempSt:
return False
#Loading the document in p7 object for upper method
self.__p7=SMIME.load_pkcs7(signature_place)
#---The OLD Code-----
#sk = X509.X509_Stack()
#print "The p7 file loaded"
#print self.__p7.get0_signers(sk)
#del sk
except SMIME.SMIME_Error,e:
print "Error while setting pkcs7 verification process :",e
return False
def test_load_bad(self):
s = SMIME.SMIME()
with self.assertRaises(EVP.EVPError):
s.load_key('tests/signer.pem', 'tests/signer.pem')
with self.assertRaises(BIO.BIOError):
SMIME.load_pkcs7('nosuchfile-dfg456')
with self.assertRaises(SMIME.PKCS7_Error):
SMIME.load_pkcs7('tests/signer.pem')
with self.assertRaises(SMIME.PKCS7_Error):
SMIME.load_pkcs7_bio(BIO.MemoryBuffer(b'no pkcs7'))
with self.assertRaises(SMIME.SMIME_Error):
SMIME.smime_load_pkcs7('tests/signer.pem')
with self.assertRaises(SMIME.SMIME_Error):
SMIME.smime_load_pkcs7_bio(BIO.MemoryBuffer(b'no pkcs7'))
def scan(self, data, file, options, expire_at):
tmp_directory = options.get('tmp_directory', '/tmp/')
self.event['total'] = {'certificates': 0, 'extracted': 0}
with tempfile.NamedTemporaryFile(dir=tmp_directory) as tmp_data:
tmp_data.write(data)
tmp_data.flush()
if data[:1] == b'0':
pkcs7 = SMIME.load_pkcs7_der(tmp_data.name)
else:
pkcs7 = SMIME.load_pkcs7(tmp_data.name)
certs = pkcs7.get0_signers(X509.X509_Stack())
if certs:
self.event['total']['certificates'] = len(certs)
for cert in certs:
extract_file = strelka.File(
name=f'sn_{cert.get_serial_number()}',
source=self.name,
)
for c in strelka.chunk_string(cert.as_der()):
self.upload_to_coordinator(
extract_file.pointer,
c,
expire_at,
)
self.files.append(extract_file)
self.event['total']['extracted'] += 1
def verify_signers(self, signature_place):
""" The module will control the signers in the pkcs7 doc
1)If they are valid
2)If they are modified
3)is a valid chain
4)check with db if it is there
If all Ok return true else false"""
try:
if not os.path.exists(signature_place):
print "No signature file"
return False
tempSt = self.get_cert_from_sign(signature_place)
if not tempSt:
return False
#Loading the document in p7 object for upper method
self.__p7 = SMIME.load_pkcs7(signature_place)
#---The OLD Code-----
#sk = X509.X509_Stack()
#print "The p7 file loaded"
#print self.__p7.get0_signers(sk)
#del sk
except SMIME.SMIME_Error, e:
print "Error while setting pkcs7 verification process :", e
return False
def test_load_bad(self):
s = SMIME.SMIME()
with self.assertRaises(EVP.EVPError):
s.load_key('tests/signer.pem',
'tests/signer.pem')
with self.assertRaises(BIO.BIOError):
SMIME.load_pkcs7('nosuchfile-dfg456')
with self.assertRaises(SMIME.PKCS7_Error):
SMIME.load_pkcs7('tests/signer.pem')
with self.assertRaises(SMIME.PKCS7_Error):
SMIME.load_pkcs7_bio(BIO.MemoryBuffer('no pkcs7'))
with self.assertRaises(SMIME.SMIME_Error):
SMIME.smime_load_pkcs7('tests/signer.pem')
with self.assertRaises(SMIME.SMIME_Error):
SMIME.smime_load_pkcs7_bio(BIO.MemoryBuffer('no pkcs7'))
def test_load_pkcs7(self):
self.assertEqual(
SMIME.load_pkcs7(self.filename).type(), SMIME.PKCS7_SIGNED)
def test_load_pkcs7(self):
assert SMIME.load_pkcs7(self.filename).type() == SMIME.PKCS7_SIGNED
def test_write_pkcs7_der(self):
buf = BIO.MemoryBuffer()
assert SMIME.load_pkcs7(self.filename).write_der(buf) == 1
s = buf.read()
assert len(s) in (1188, 1204, 1243, 1678), len(s)
def test_write_pkcs7_der(self):
buf = BIO.MemoryBuffer()
assert SMIME.load_pkcs7(self.filename).write_der(buf) == 1
s = buf.read()
assert len(s) == 1204, len(s)
def test_load_pkcs7(self):
self.assertEqual(SMIME.load_pkcs7(self.filename).type(), SMIME.PKCS7_SIGNED)
def test_write_pkcs7_der(self):
buf = BIO.MemoryBuffer()
self.assertEqual(SMIME.load_pkcs7(self.filename).write_der(buf), 1)
s = buf.read()
assert len(s) in (1188, 1204, 1433, 1243, 1263, 1148, 1168), len(s)
def read_KAR(teambox_ssl_key, teambox_ssl_cert, kar_file):
workdir = Workdir()
try:
# Decrypt the file.
s = SMIME.SMIME()
s.set_cipher(SMIME.Cipher('aes_256_cbc'))
s.load_key(teambox_ssl_key.as_path(), teambox_ssl_cert.as_path())
pkcs7 = SMIME.load_pkcs7(kar_file)
data = s.decrypt(pkcs7)
data = write_file(os.path.join(workdir.path(), "signed_kar.tar"), data)
kar_tar_file = tarfile.TarFile(os.path.join(workdir.path(), "signed_kar.tar"), "r")
# Verify the sanity of KAR level 2 file members.
m_tar = tar_getfirstmember(kar_tar_file, ["kar.tar.gz", "./kar.tar.gz"])
if not m_tar: raise KARException("KAR is missing 'kar.tar.gz'.")
if not m_tar.isfile() and not m_tar.isdir():
raise KARException("%s is not a regular file or a directory." % (m.name))
m_sig = tar_getfirstmember(kar_tar_file, ["kar_sig", "./kar_sig"])
if not m_sig: raise KARException("KAR is missing 'kar_sig'.")
if not m_sig.isfile() and not m_sig.isdir():
raise KARException("%s is not a regular file or a directory." % (m.name))
# Extract the KAR level 2 file members.
tar_list = kar_tar_file.getmembers()
for i in tar_list:
if not i.isfile() and not i.isdir():
raise KARException("%s is not a regular file or directory." % (m.name))
kar_tar_file.extract(i, workdir.path())
# Calculate the hash of the data file to validate the KAR
# signature.
kar_hasher = hashlib.sha256()
kar_hasher.update(kar_tar_file.extractfile(m_tar).read())
write_file(os.path.join(workdir.path(), "kar_hash"), kar_hasher.hexdigest() + "\n")
# Extract the KAR data file.
tf = tarfile.TarFile(mode = "r", fileobj = gzip.GzipFile(os.path.join(workdir.path(), "kar.tar.gz"), "r"))
tf.extractall(path = os.path.join(workdir.path()))
# Verify the KAR signature.
signverify = Popen(args = ["sslsigntool", "verify", "kar/cert.pem", "kar_hash", "kar_sig"],
stdout = PIPE,
stderr = PIPE,
cwd = workdir.path())
(out_text, err_text) = signverify.communicate()
if signverify.returncode != 0:
raise KARException("sslsigntool exception: %s" % err_text.strip());
# Extract some informations from the signing certificate.
kar = KARData()
fn = os.path.join(workdir.path(), "kar", "cert.pem")
if os.path.exists(fn):
kar.cert = ssl.Cert(cert_data = read_file(fn))
# Read level 1 KAR data
fn = os.path.join(workdir.path(), "kar", "product_name")
if os.path.exists(fn):
kar.product_name = read_file(fn).strip()
fn = os.path.join(workdir.path(), "kar", "product_version")
if os.path.exists(fn):
kar.product_version = read_file(fn).strip()
fn = os.path.join(workdir.path(), "kar", "info")
if os.path.exists(fn):
kar.info = read_file(fn)
fn = os.path.join(workdir.path(), "kar", "parent_kdn")
if os.path.exists(fn):
kar.parent_kdn = read_file(fn).strip()
fn = os.path.join(workdir.path(), "kar", "admin")
if os.path.exists(fn):
kar.admin = read_file(fn).strip()
fn = os.path.join(workdir.path(), "kar", "kar.enc.pkey")
if os.path.exists(fn):
kar.enc_pkey = Key.fromFile(fn)
fn = os.path.join(workdir.path(), "kar", "info")
if os.path.exists(fn):
kar.info = read_file(fn)
finally:
# Remove the temporaries
workdir.close()
# Return the KAR data.
return kar
def test_write_pkcs7_der(self):
buf = BIO.MemoryBuffer()
self.assertEqual(SMIME.load_pkcs7(self.filename).write_der(buf), 1)
s = buf.read()
assert len(s) in (1188, 1204, 1433, 1243, 1263, 1148, 1168), len(s)
