def test_non_bytes(self, backend): with pytest.raises(TypeError): load_key_and_certificates( b"irrelevant", object(), backend # type: ignore[arg-type] )
def test_create(self): root = parse_xml("data/free-sample.xml") signature = xmlsig.template.create( xmlsig.constants.TransformInclC14N, xmlsig.constants.TransformRsaSha1, "Signature", ) signature_id = utils.get_unique_id() ref = xmlsig.template.add_reference( signature, xmlsig.constants.TransformSha1, uri="", name="REF" ) xmlsig.template.add_transform(ref, xmlsig.constants.TransformEnveloped) xmlsig.template.add_reference( signature, xmlsig.constants.TransformSha1, uri="#KI" ) xmlsig.template.add_reference( signature, xmlsig.constants.TransformSha1, uri="#" + signature_id ) ki = xmlsig.template.ensure_key_info(signature, name="KI") data = xmlsig.template.add_x509_data(ki) xmlsig.template.x509_data_add_certificate(data) serial = xmlsig.template.x509_data_add_issuer_serial(data) xmlsig.template.x509_issuer_serial_add_issuer_name(serial) xmlsig.template.x509_issuer_serial_add_serial_number(serial) xmlsig.template.add_key_value(ki) qualifying = template.create_qualifying_properties( signature, name=utils.get_unique_id() ) props = template.create_signed_properties(qualifying, name=signature_id) template.add_claimed_role(props, "Supp2") template.add_production_place(props, city="Madrid") template.add_production_place( props, state="BCN", postal_code="08000", country="ES" ) template.add_claimed_role(props, "Supp") policy = GenericPolicyId( "http://www.facturae.es/politica_de_firma_formato_facturae/" "politica_de_firma_formato_facturae_v3_1.pdf", "Politica de Firma FacturaE v3.1", xmlsig.constants.TransformSha1, ) root.append(signature) with open(path.join(BASE_DIR, "data/keyStore.p12"), "rb") as key_file: certificate = pkcs12.load_key_and_certificates(key_file.read(), None) with open(path.join(BASE_DIR, "data/keyStore2.p12"), "rb") as key_file: certificate2 = pkcs12.load_key_and_certificates(key_file.read(), None) ctx = XAdESContext(policy, [certificate2[1], certificate[1]]) ctx.load_pkcs12(certificate) with patch("xades.policy.urllib.urlopen") as mock: mock.return_value = UrllibMock() ctx.sign(signature) ctx.verify(signature)
def _load_key_and_certificates(self): """ :return: """ return load_key_and_certificates(data=self._arquivo, password=self._senha.encode(), backend=default_backend())
def extract_cert_from_pkcs12(acc, device_key): _, cert, _ = pkcs12.load_key_and_certificates(base64.b64decode(acc.pkcs12), device_key) cert_der = cert.public_bytes(crypto_serialization.Encoding.DER) return cert_der
def crypto_sign(certificate_filename, password, pdf_filename): backend = default_backend() with open(certificate_filename, 'rb') as cert_in: cert_data = cert_in.read() cert = load_key_and_certificates(cert_data, password.encode('utf-8'), backend) with open(pdf_filename, 'rb') as decl_file: decl_pdf = decl_file.read() timestamp = datetime.datetime.now().strftime("%Y%m%d%H%M%S+02'00'") dct = { b'sigflags': 3, b'sigpage': 0, b'sigbutton': True, b'contact': b'*****@*****.**', b'location': b'Athens', b'signingdate': timestamp.encode('utf-8'), b'reason': b'GRNET Signing Service', b'signature': f'Verified by GRNET S.A. {timestamp}'.encode('utf-8'), b'signaturebox': (450, 0, 600, 100), } decl_signed = endesivepdf.cms.sign(decl_pdf, dct, cert[0], cert[1], cert[2], 'sha256') filename, file_extension = os.path.splitext(pdf_filename) signed_pdf_filename = f'{filename}-signed{file_extension}' with open(signed_pdf_filename, 'wb') as decl_signed_file: decl_signed_file.write(decl_pdf) decl_signed_file.write(decl_signed)
def _test_load_pkcs12_ec_keys(self, filename, password, backend): cert = load_vectors_from_file( os.path.join("x509", "custom", "ca", "ca.pem"), lambda pemfile: x509.load_pem_x509_certificate( pemfile.read(), backend ), mode="rb", ) key = load_vectors_from_file( os.path.join("x509", "custom", "ca", "ca_key.pem"), lambda pemfile: load_pem_private_key( pemfile.read(), None, backend ), mode="rb", ) assert isinstance(key, ec.EllipticCurvePrivateKey) parsed_key, parsed_cert, parsed_more_certs = load_vectors_from_file( os.path.join("pkcs12", filename), lambda derfile: load_key_and_certificates( derfile.read(), password, backend ), mode="rb", ) assert isinstance(parsed_key, ec.EllipticCurvePrivateKey) assert parsed_cert == cert assert parsed_key.private_numbers() == key.private_numbers() assert parsed_more_certs == []
def test_generate_each_supported_keytype(self, backend, kgenerator, ktype, kparam, name, algorithm, password): if ktype == ec.EllipticCurvePrivateKey: _skip_curve_unsupported(backend, *kparam) key = kgenerator(*kparam) assert isinstance(key, ktype) cacert, cakey = _load_ca(backend) now = datetime.utcnow() cert = (x509.CertificateBuilder().subject_name( cacert.subject).issuer_name(cacert.subject).public_key( key.public_key()).serial_number( x509.random_serial_number()).not_valid_before( now).not_valid_after(now).sign(cakey, hashes.SHA256())) assert isinstance(cert, x509.Certificate) p12 = serialize_key_and_certificates(name, key, cert, [cacert], algorithm) parsed_key, parsed_cert, parsed_more_certs = load_key_and_certificates( p12, password, backend) assert parsed_cert == cert assert isinstance(parsed_key, ktype) assert parsed_key.public_key().public_bytes( Encoding.PEM, PublicFormat.SubjectPublicKeyInfo) == key.public_key( ).public_bytes(Encoding.PEM, PublicFormat.SubjectPublicKeyInfo) assert parsed_more_certs == [cacert]
def main(): date = datetime.datetime.utcnow() - datetime.timedelta(hours=12) date = date.strftime('%Y%m%d%H%M%S+00\'00\'') dct = { b'sigflags': 3, # b'sigpage': 0, b'sigbutton': True, b'signature_img': b'sign.png', b'contact': b'*****@*****.**', b'location': b'India', b'signingdate': date.encode(), b'reason': b'Verified Document', b'signature': b'Approved By Goverment', b'signaturebox': (470, 0, 570, 100), } with open('Key.p12', 'rb') as fp: p12 = pkcs12.load_key_and_certificates(fp.read(), b'Sky@76445', backends.default_backend()) fname = 'resume.pdf' if len(sys.argv) > 1: fname = sys.argv[1] datau = open(fname, 'rb').read() datas = pdf.cms.sign(datau, dct, p12[0], p12[1], p12[2], 'sha256') fname = fname.replace('.pdf', '-signed-cms.pdf') with open(fname, 'wb') as fp: fp.write(datau) fp.write(datas)
def main(): date = datetime.datetime.utcnow() - datetime.timedelta(hours=12) date = date.strftime('%Y%m%d%H%M%S+00\'00\'') img = Image.open('signature_test.png') dct = { b'sigflags': 3, # b'sigpage': 0, b'sigbutton': True, b'signature_img': img, b'contact': b'*****@*****.**', b'location': b'Szczecin', b'signingdate': date.encode(), b'reason': b'Dokument podpisany cyfrowo', b'signature': b'Dokument podpisany cyfrowo', b'signaturebox': (470, 0, 570, 100), } with open('demo2_user1.p12', 'rb') as fp: p12 = pkcs12.load_key_and_certificates(fp.read(), b'1234', backends.default_backend()) fname = 'pdf.pdf' if len(sys.argv) > 1: fname = sys.argv[1] datau = open(fname, 'rb').read() datas = pdf.cms.sign(datau, dct, p12[0], p12[1], p12[2], 'sha256') fname = fname.replace('.pdf', '-signed-cms-pil.pdf') with open(fname, 'wb') as fp: fp.write(datau) fp.write(datas)
def run_test_add_sign_pil(self): m = MateriaLegislativa.objects.get(pk=17738) print(m.texto_original.original_path) date = timezone.localtime() date = date.strftime('%Y%m%d%H%M%S+00\'00\'') img = Image.open('/home/leandro/Câmara/logo/logo_256.jpg') dct = { b'sigflags': 3, # b'sigpage': 0, b'sigbutton': True, b'signature_img': img, b'contact': b'*****@*****.**', b'location': b'CMJ', b'signingdate': date.encode(), b'reason': b'Certificar Protocolo', b'signature': b'Leandro Roberto da Silva', b'signaturebox': (100, 100, 100, 100), } with open(settings.CERT_PRIVATE_KEY_ID, 'rb') as fp: p12 = pkcs12.load_key_and_certificates( fp.read(), settings.CERT_PRIVATE_KEY_ACCESS.encode(), backends.default_backend()) #fname = m.texto_original.original_path fname = '/home/leandro/Downloads/ed_020_assinado.pdf' datau = open(fname, 'rb').read() datas = pdf.cms.sign(datau, dct, p12[0], p12[1], p12[2], 'sha256') fname = '/home/leandro/TEMP/teste.pdf' with open(fname, 'wb') as fp: fp.write(datau) fp.write(datas)
def test_pdf(self): dct = { b'sigflags': 3, b'contact': b'*****@*****.**', b'location': b'Szczecin', b'signingdate': b'20180731082642+02\'00\'', b'reason': b'Dokument podpisany cyfrowo', } with open(fixture('demo2_user1.p12'), 'rb') as fp: p12 = pkcs12.load_key_and_certificates(fp.read(), b'1234', backends.default_backend()) fname = fixture('pdf.pdf') with open(fname, 'rb') as fh: datau = fh.read() datas = pdf.cms.sign(datau, dct, p12[0], p12[1], p12[2], 'sha256') fname = fname.replace('.pdf', '-signed-cms.pdf') with open(fname, 'wb') as fp: fp.write(datau) fp.write(datas) with open(fixture('demo2_ca.crt.pem'), 'rt') as fh: trusted_cert_pems = (fh.read(), ) with open(fname, 'rb') as fh: data = fh.read() (hashok, signatureok, certok) = pdf.verify(data, trusted_cert_pems) assert signatureok and hashok and certok
def _load_key_and_certificates(self): """ :return: """ return load_key_and_certificates(data=self.abre_arquivo(), password=self.senha, backend=default_backend())
async def _retrieve_credentials(session: aiohttp.ClientSession, arch, cert_label, **kwargs): url = f"{CERTOMANCER_HOST_URL}/_certomancer/pfx-download/{arch}" data = { "cert": cert_label, "passphrase": TEST_PASSPHRASE.decode("ascii") } async with session.post(url=url, data=data, raise_for_status=True, timeout=TIMEOUT) as response: pfx_bytes = await response.read() (private_key, cert, other_certs_pkcs12) \ = pkcs12.load_key_and_certificates(pfx_bytes, TEST_PASSPHRASE) kinfo = _translate_pyca_cryptography_key_to_asn1(private_key) cert = _translate_pyca_cryptography_cert_to_asn1(cert) other_certs_pkcs12 = set(map( _translate_pyca_cryptography_cert_to_asn1, other_certs_pkcs12 )) cs = SimpleCertificateStore() cs.register_multiple(other_certs_pkcs12) return SimpleSigner( signing_key=kinfo, signing_cert=cert, cert_registry=cs, **kwargs )
def load_pkcs12_data(p12_data, input_password) -> (bytes, bytes, bytes): """ loads a key and certificate from a p12 data. Returns: - A tuple of (private_key, certificate, additional_certificates) """ return pkcs12.load_key_and_certificates(p12_data, input_password, default_backend())
def load_pkcs12_certificate(certificate_data, password): # type: (bytes, Optional[bytes]) -> _Cert from cryptography.hazmat.primitives.serialization import Encoding, NoEncryption, pkcs12, PrivateFormat try: private_key, cert, additional_certs = pkcs12.load_key_and_certificates( certificate_data, password, backend=default_backend() ) except ValueError as ex: # mentioning PEM here because we raise this error when certificate_data is garbage six.raise_from(ValueError("Failed to deserialize certificate in PEM or PKCS12 format"), ex) if not private_key: raise ValueError("The certificate must include its private key") if not cert: raise ValueError("Failed to deserialize certificate in PEM or PKCS12 format") # This serializes the private key without any encryption it may have had. Doing so doesn't violate security # boundaries because this representation of the key is kept in memory. We already have the key and its # password, if any, in memory. key_bytes = private_key.private_bytes(Encoding.PEM, PrivateFormat.PKCS8, NoEncryption()) pem_sections = [key_bytes] + [c.public_bytes(Encoding.PEM) for c in [cert] + additional_certs] pem_bytes = b"".join(pem_sections) fingerprint = cert.fingerprint(hashes.SHA1()) # nosec return _Cert(pem_bytes, private_key, fingerprint)
def get_p12(self): """ :return: cryptography.pkcs12 """ self.ensure_one() return pkcs12.load_key_and_certificates(self.get_p12_buffer(), self.password.encode())
def _load_certificate_and_key(): """ Extracts the key & certificate from the p12 file specified with CERTIFICATE_PATH & CERTIFICATE_PASSWORD """ return pkcs12.load_key_and_certificates(b64decode(P12_CERTIFICATE), str.encode(CERTIFICATE_PASSWORD), backends.default_backend())
def get_keys(self): record = self.env["l10n.es.aeat.certificate"].browse( self.env.context.get("active_id") ) directory = os.path.join( os.path.abspath(config["data_dir"]), "certificates", release.series, self.env.cr.dbname, record.folder, ) file = base64.decodebytes(record.file) if tuple(map(int, cryptography.__version__.split("."))) < (3, 0): raise exceptions.UserError( _("Cryptography version is not supported. Upgrade to 3.0.0 or greater.") ) try: if directory and not os.path.exists(directory): os.makedirs(directory) pfx_password = self.password if isinstance(pfx_password, str): pfx_password = bytes(pfx_password, "utf-8") p12 = pkcs12.load_key_and_certificates(file, pfx_password) vals = self._process_certificate_vals(record, p12, directory) record.write(vals) except Exception as e: if e.args: args = list(e.args) raise ValidationError(args[-1]) from e
def main(): date = datetime.datetime.utcnow() - datetime.timedelta(hours=12) date = date.strftime('%Y%m%d%H%M%S+00\'00\'') dct = { 'sigflags': 3, 'contact': '*****@*****.**', 'location': 'Szczecin', 'signingdate': date, 'reason': 'Dokument podpisany cyfrowo', } with open('demo2_user1.p12', 'rb') as fp: p12 = pkcs12.load_key_and_certificates(fp.read(), b'1234', backends.default_backend()) doc = pdf.FPDF() doc.pkcs11_setup(dct, p12[0], p12[1], p12[2], 'sha256') for i in range(2): doc.add_page() doc.set_font('helvetica', '', 13.0) doc.cell(w=75.0, h=22.0, align='C', txt='Hello, world page=%d.' % i, border=0, ln=0) doc.output('pdf-signed-fpdf.pdf', "F")
def test_p12(): p12filename = "bin/0xea5d262806c5771ae57e8fe4051c91d62b1d67bf.p12" with open(p12filename, "rb") as f: p12buff = f.read() pwd = b"123456" (key, cert, additional_certificates) = pkcs12.load_key_and_certificates( bytes(p12buff), password=pwd, backend=default_backend()) print("p12 privkey :", key) print("p12 privkey size:", key.key_size) print("p12 public bytes:", key.public_key) # 用crypto加载p12文件,会有warning "PKCS#12 support in pyOpenSSL is deprecated. # You should use the APIs in cryptography." crypto_p12 = crypto.load_pkcs12(p12buff, pwd) print("crypto_p12: ", crypto_p12) print("crypto_p12 privatekey : ", crypto_p12.get_privatekey()) # 用cryto可以导出私钥到pem,但目前不能导出到p12 privatekey = crypto.dump_privatekey(crypto.FILETYPE_PEM, crypto_p12.get_privatekey()) print("private pem :", privatekey) key = SigningKey.from_pem(privatekey) print("privkey : ", encode_hex(key.to_string())) ac2 = Account.from_key(encode_hex(key.to_string())) print("pubkey: ", ac2.publickey) print("address: ", ac2.address) f.close()
def main(): with open('demo2_user1.p12', 'rb') as fp: p12 = pkcs12.load_key_and_certificates(fp.read(), b'1234', backends.default_backend()) datau = open('smime-unsigned.txt', 'rb').read() datas = email.sign(datau, p12[0], p12[1], p12[2], 'sha256', attrs=False) open('smime-signed-noattr.txt', 'wb').write(datas)
def test_plain_signed_noattr(self): with open(fixture('demo2_user1.p12'), 'rb') as fp: p12 = pkcs12.load_key_and_certificates(fp.read(), b'1234', backends.default_backend()) with open(fixture('plain-unsigned.txt'), 'rb') as fh: datau = fh.read() datas = plain.sign(datau, p12[0], p12[1], p12[2], 'sha256', attrs=False) fname = fixture('plain-signed-noattr.txt') with open(fname, 'wb') as fh: fh.write(datas) cmd = [ 'openssl', 'smime', '-verify', '-CAfile', fixture('demo2_ca.crt.pem'), '-content', fixture('plain-unsigned.txt'), '-in', fname, '-inform', 'der', ] process = Popen(cmd, stdout=PIPE, stderr=PIPE) stdout, stderr = process.communicate() assert stderr == b'Verification successful\n' assert datau == stdout
def test_invalid_password(self, backend): with pytest.raises(ValueError): load_vectors_from_file(os.path.join("pkcs12", "cert-key-aes256cbc.p12"), lambda derfile: load_key_and_certificates( derfile.read(), b"invalid", backend), mode="rb")
def main(): date = datetime.datetime.utcnow() - datetime.timedelta(hours=12) date = date.strftime("D:%Y%m%d%H%M%S+00'00'") dct = { "aligned": 0, "sigflags": 3, "sigflagsft": 132, "sigpage": 0, "sigbutton": True, "sigfield": "Signature1", "sigandcertify": True, "signaturebox": (470, 840, 570, 640), "signature": "Dokument podpisany cyfrowo ąćęłńóśżź", # "signature_img": "signature_test.png", "contact": "*****@*****.**", "location": "Szczecin", "signingdate": date, "reason": "Dokument podpisany cyfrowo aą cć eę lł nń oó sś zż zź", "password": "******", } with open("demo2_user1.p12", "rb") as fp: p12 = pkcs12.load_key_and_certificates(fp.read(), b"1234", backends.default_backend()) fname = "pdf.pdf" if len(sys.argv) > 1: fname = sys.argv[1] datau = open(fname, "rb").read() datas = cms.sign(datau, dct, p12[0], p12[1], p12[2], "sha256") fname = fname.replace(".pdf", "-signed-cms.pdf") with open(fname, "wb") as fp: fp.write(datau) fp.write(datas)
def main(): date = datetime.datetime.utcnow() - datetime.timedelta(hours=12) date = date.strftime("D:%Y%m%d%H%M%S+00'00'") dct = { "sigflags": 3, 'signature_img': 'sign.png', "sigbutton": True, "signaturebox": (470, 0, 570, 100), # "signature": "This Document is digitally signed.", # "signature_img": "signature_test.png", "contact": "*****@*****.**", "location": "India", "signingdate": date, "reason": "This Document is digitally signed.", "password": "******", # b'sigpage': 0, } with open("Key.p12", "rb") as fp: p12 = pkcs12.load_key_and_certificates(fp.read(), b"Sky@76445", backends.default_backend()) fname = "combine.pdf" if len(sys.argv) > 1: fname = sys.argv[1] datau = open(fname, "rb").read() datas = cms.sign(datau, dct, p12[0], p12[1], p12[2], "sha256") fname = 'combineupload.pdf' with open(fname, "wb") as fp: fp.write(datau) fp.write(datas)
def main(): with open('demo2_user1.p12', 'rb') as fp: p12pk, p12pc, p12oc = pkcs12.load_key_and_certificates( fp.read(), b'1234', backends.default_backend()) signature = p12pk.sign(b"message", padding.PKCS1v15(), hashes.SHA1()) cert = cert2asn(p12pc) print('issuer', cert.issuer.native) print('subject', cert.subject.native)
def set_sign_certificate(self, certificate, password): certificate_data = certificate.read() self._private_key, self._certificate, self._ca = load_key_and_certificates( certificate_data, password.encode(), backend=default_backend()) self._cert_serial = self._certificate.serial_number self._issuer_name = self._certificate.issuer
def from_string(cls, key_strings, key_id=None): del key_id key_string, password = (_helpers.to_bytes(k) for k in key_strings) from cryptography.hazmat.primitives.serialization import pkcs12 # pylint: disable=g-import-not-at-top from cryptography.hazmat import backends # pylint: disable=g-import-not-at-top key, _, _ = pkcs12.load_key_and_certificates( key_string, password, backend=backends.default_backend()) return cls(key)
def test_generate_no_cert(self, backend): _, key = _load_ca(backend) p12 = serialize_key_and_certificates(None, key, None, None, serialization.NoEncryption()) parsed_key, parsed_cert, parsed_more_certs = load_key_and_certificates( p12, None, backend) assert parsed_cert is None assert parsed_key.private_numbers() == key.private_numbers() assert parsed_more_certs == []
def test_generate_cas_only(self, encryption_algorithm, password, backend): cert, _ = _load_ca(backend) p12 = serialize_key_and_certificates(None, None, None, [cert], encryption_algorithm) parsed_key, parsed_cert, parsed_more_certs = load_key_and_certificates( p12, password, backend) assert parsed_cert is None assert parsed_key is None assert parsed_more_certs == [cert]