def verify_signers(self,signature_place): """ The module will control the signers in the pkcs7 doc 1)If they are valid 2)If they are modified 3)is a valid chain 4)check with db if it is there If all Ok return true else false""" try: if not os.path.exists(signature_place): print "No signature file" return False tempSt=self.get_cert_from_sign(signature_place) if not tempSt: return False #Loading the document in p7 object for upper method self.__p7=SMIME.load_pkcs7(signature_place) #---The OLD Code----- #sk = X509.X509_Stack() #print "The p7 file loaded" #print self.__p7.get0_signers(sk) #del sk except SMIME.SMIME_Error,e: print "Error while setting pkcs7 verification process :",e return False
def test_load_bad(self): s = SMIME.SMIME() with self.assertRaises(EVP.EVPError): s.load_key('tests/signer.pem', 'tests/signer.pem') with self.assertRaises(BIO.BIOError): SMIME.load_pkcs7('nosuchfile-dfg456') with self.assertRaises(SMIME.PKCS7_Error): SMIME.load_pkcs7('tests/signer.pem') with self.assertRaises(SMIME.PKCS7_Error): SMIME.load_pkcs7_bio(BIO.MemoryBuffer(b'no pkcs7')) with self.assertRaises(SMIME.SMIME_Error): SMIME.smime_load_pkcs7('tests/signer.pem') with self.assertRaises(SMIME.SMIME_Error): SMIME.smime_load_pkcs7_bio(BIO.MemoryBuffer(b'no pkcs7'))
def scan(self, data, file, options, expire_at): tmp_directory = options.get('tmp_directory', '/tmp/') self.event['total'] = {'certificates': 0, 'extracted': 0} with tempfile.NamedTemporaryFile(dir=tmp_directory) as tmp_data: tmp_data.write(data) tmp_data.flush() if data[:1] == b'0': pkcs7 = SMIME.load_pkcs7_der(tmp_data.name) else: pkcs7 = SMIME.load_pkcs7(tmp_data.name) certs = pkcs7.get0_signers(X509.X509_Stack()) if certs: self.event['total']['certificates'] = len(certs) for cert in certs: extract_file = strelka.File( name=f'sn_{cert.get_serial_number()}', source=self.name, ) for c in strelka.chunk_string(cert.as_der()): self.upload_to_coordinator( extract_file.pointer, c, expire_at, ) self.files.append(extract_file) self.event['total']['extracted'] += 1
def verify_signers(self, signature_place): """ The module will control the signers in the pkcs7 doc 1)If they are valid 2)If they are modified 3)is a valid chain 4)check with db if it is there If all Ok return true else false""" try: if not os.path.exists(signature_place): print "No signature file" return False tempSt = self.get_cert_from_sign(signature_place) if not tempSt: return False #Loading the document in p7 object for upper method self.__p7 = SMIME.load_pkcs7(signature_place) #---The OLD Code----- #sk = X509.X509_Stack() #print "The p7 file loaded" #print self.__p7.get0_signers(sk) #del sk except SMIME.SMIME_Error, e: print "Error while setting pkcs7 verification process :", e return False
def test_load_bad(self): s = SMIME.SMIME() with self.assertRaises(EVP.EVPError): s.load_key('tests/signer.pem', 'tests/signer.pem') with self.assertRaises(BIO.BIOError): SMIME.load_pkcs7('nosuchfile-dfg456') with self.assertRaises(SMIME.PKCS7_Error): SMIME.load_pkcs7('tests/signer.pem') with self.assertRaises(SMIME.PKCS7_Error): SMIME.load_pkcs7_bio(BIO.MemoryBuffer('no pkcs7')) with self.assertRaises(SMIME.SMIME_Error): SMIME.smime_load_pkcs7('tests/signer.pem') with self.assertRaises(SMIME.SMIME_Error): SMIME.smime_load_pkcs7_bio(BIO.MemoryBuffer('no pkcs7'))
def test_load_pkcs7(self): self.assertEqual( SMIME.load_pkcs7(self.filename).type(), SMIME.PKCS7_SIGNED)
def test_load_pkcs7(self): assert SMIME.load_pkcs7(self.filename).type() == SMIME.PKCS7_SIGNED
def test_write_pkcs7_der(self): buf = BIO.MemoryBuffer() assert SMIME.load_pkcs7(self.filename).write_der(buf) == 1 s = buf.read() assert len(s) in (1188, 1204, 1243, 1678), len(s)
def test_write_pkcs7_der(self): buf = BIO.MemoryBuffer() assert SMIME.load_pkcs7(self.filename).write_der(buf) == 1 s = buf.read() assert len(s) == 1204, len(s)
def test_load_pkcs7(self): self.assertEqual(SMIME.load_pkcs7(self.filename).type(), SMIME.PKCS7_SIGNED)
def test_write_pkcs7_der(self): buf = BIO.MemoryBuffer() self.assertEqual(SMIME.load_pkcs7(self.filename).write_der(buf), 1) s = buf.read() assert len(s) in (1188, 1204, 1433, 1243, 1263, 1148, 1168), len(s)
def read_KAR(teambox_ssl_key, teambox_ssl_cert, kar_file): workdir = Workdir() try: # Decrypt the file. s = SMIME.SMIME() s.set_cipher(SMIME.Cipher('aes_256_cbc')) s.load_key(teambox_ssl_key.as_path(), teambox_ssl_cert.as_path()) pkcs7 = SMIME.load_pkcs7(kar_file) data = s.decrypt(pkcs7) data = write_file(os.path.join(workdir.path(), "signed_kar.tar"), data) kar_tar_file = tarfile.TarFile(os.path.join(workdir.path(), "signed_kar.tar"), "r") # Verify the sanity of KAR level 2 file members. m_tar = tar_getfirstmember(kar_tar_file, ["kar.tar.gz", "./kar.tar.gz"]) if not m_tar: raise KARException("KAR is missing 'kar.tar.gz'.") if not m_tar.isfile() and not m_tar.isdir(): raise KARException("%s is not a regular file or a directory." % (m.name)) m_sig = tar_getfirstmember(kar_tar_file, ["kar_sig", "./kar_sig"]) if not m_sig: raise KARException("KAR is missing 'kar_sig'.") if not m_sig.isfile() and not m_sig.isdir(): raise KARException("%s is not a regular file or a directory." % (m.name)) # Extract the KAR level 2 file members. tar_list = kar_tar_file.getmembers() for i in tar_list: if not i.isfile() and not i.isdir(): raise KARException("%s is not a regular file or directory." % (m.name)) kar_tar_file.extract(i, workdir.path()) # Calculate the hash of the data file to validate the KAR # signature. kar_hasher = hashlib.sha256() kar_hasher.update(kar_tar_file.extractfile(m_tar).read()) write_file(os.path.join(workdir.path(), "kar_hash"), kar_hasher.hexdigest() + "\n") # Extract the KAR data file. tf = tarfile.TarFile(mode = "r", fileobj = gzip.GzipFile(os.path.join(workdir.path(), "kar.tar.gz"), "r")) tf.extractall(path = os.path.join(workdir.path())) # Verify the KAR signature. signverify = Popen(args = ["sslsigntool", "verify", "kar/cert.pem", "kar_hash", "kar_sig"], stdout = PIPE, stderr = PIPE, cwd = workdir.path()) (out_text, err_text) = signverify.communicate() if signverify.returncode != 0: raise KARException("sslsigntool exception: %s" % err_text.strip()); # Extract some informations from the signing certificate. kar = KARData() fn = os.path.join(workdir.path(), "kar", "cert.pem") if os.path.exists(fn): kar.cert = ssl.Cert(cert_data = read_file(fn)) # Read level 1 KAR data fn = os.path.join(workdir.path(), "kar", "product_name") if os.path.exists(fn): kar.product_name = read_file(fn).strip() fn = os.path.join(workdir.path(), "kar", "product_version") if os.path.exists(fn): kar.product_version = read_file(fn).strip() fn = os.path.join(workdir.path(), "kar", "info") if os.path.exists(fn): kar.info = read_file(fn) fn = os.path.join(workdir.path(), "kar", "parent_kdn") if os.path.exists(fn): kar.parent_kdn = read_file(fn).strip() fn = os.path.join(workdir.path(), "kar", "admin") if os.path.exists(fn): kar.admin = read_file(fn).strip() fn = os.path.join(workdir.path(), "kar", "kar.enc.pkey") if os.path.exists(fn): kar.enc_pkey = Key.fromFile(fn) fn = os.path.join(workdir.path(), "kar", "info") if os.path.exists(fn): kar.info = read_file(fn) finally: # Remove the temporaries workdir.close() # Return the KAR data. return kar
def test_write_pkcs7_der(self): buf = BIO.MemoryBuffer() self.assertEqual(SMIME.load_pkcs7(self.filename).write_der(buf), 1) s = buf.read() assert len(s) in (1188, 1204, 1433, 1243, 1263, 1148, 1168), len(s)