def certificate_request(self, csr_der, key):
logger.info("Preparing and sending CSR..")
return {
"type": "certificateRequest",
"csr": jose.b64encode_url(csr_der),
"signature": crypto_util.create_sig(csr_der, self.key_file)
}
def test_b64encode_url(self):
istr = '{"alg": "RSA-OAEP", "enc": "A128CBC-HS256"}'
# sanity check
self.assertEqual(b64encode(istr)[-1], '=')
# actual test
self.assertNotEqual(jose.b64encode_url(istr), '=')
def test_b64encode_url(self):
istr = '{"alg": "RSA-OAEP", "enc": "A128CBC-HS256"}'
# sanity check
self.assertEqual(b64encode(istr)[-1], '=')
# actual test
self.assertNotEqual(jose.b64encode_url(istr), '=')
def main():
key = path.abspath("/home/ubuntu/key.pem")
csr = path.abspath("/home/ubuntu/req.pem")
logger.setLogger(logger.FileLogger(sys.stdout))
logger.setLogLevel(logger.INFO)
testkey = M2Crypto.RSA.load_key(key)
#r = Random.get_random_bytes(S_SIZE)
r = "testValueForR"
#nonce = Random.get_random_bytes(NONCE_SIZE)
nonce = "nonce"
r2 = "testValueForR2"
nonce2 = "nonce2"
r = jose.b64encode_url(r)
r2 = jose.b64encode_url(r2)
#ans = dns.resolver.query("google.com")
#print ans.rrset
#return
#the second parameter is ignored
#https://www.dlitz.net/software/pycrypto/api/current/
#y = testkey.public_encrypt(r, M2Crypto.RSA.pkcs1_oaep_padding)
#y2 = testkey.public_encrypt(r2, M2Crypto.RSA.pkcs1_oaep_padding)
nonce = binascii.hexlify(nonce)
nonce2 = binascii.hexlify(nonce2)
config = configurator.Configurator()
challenges = [("client.theobroma.info", r, nonce), ("foo.theobroma.info",r2, nonce2)]
#challenges = [("127.0.0.1", y, nonce, "1.3.3.7"), ("localhost", y2, nonce2, "1.3.3.7")]
sni_chall = SNI_Challenge(challenges, key, config)
if sni_chall.perform():
# Waste some time without importing time module... just for testing
for i in range(0, 12000):
if i % 2000 == 0:
print "Waiting:", i
#print "Cleaning up"
#sni_chall.cleanup()
else:
print "Failed SNI challenge..."
def test_decrypt_invalid_compression_error(self):
jwe = jose.encrypt(claims, rsa_pub_key, compression='DEF')
header = jose.b64encode_url('{"alg": "RSA-OAEP", '
'"enc": "A128CBC-HS256", "zip": "BAD"}')
try:
jose.decrypt(jose.JWE(*((header,) + (jwe[1:]))), rsa_priv_key)
self.fail()
except ValueError as e:
self.assertEqual(e.message,
'Unsupported compression algorithm: BAD')
def perform(self, quiet=False):
"""
Sets up and reloads Apache server to handle SNI challenges
listSNITuple: List of tuples with form (addr, r, nonce)
addr (string), r (base64 string), nonce (hex string)
key: string - File path to key
configurator: Configurator obj
"""
# Save any changes to the configuration as a precaution
# About to make temporary changes to the config
self.configurator.save()
addresses = []
default_addr = "*:443"
for tup in self.listSNITuple:
vhost = self.configurator.choose_virtual_host(tup[0])
if vhost is None:
print "No vhost exists with servername or alias of:", tup[0]
print "No _default_:443 vhost exists"
print "Please specify servernames in the Apache config"
return None
if not self.configurator.make_server_sni_ready(vhost, default_addr):
return None
for a in vhost.addrs:
if "_default_" in a:
addresses.append([default_addr])
break
else:
addresses.append(vhost.addrs)
# Generate S
s = Random.get_random_bytes(S_SIZE)
# Create all of the challenge certs
for tup in self.listSNITuple:
# Need to decode from base64
r = jose.b64decode_url(tup[1])
ext = self.generateExtension(r, s)
self.createChallengeCert(tup[0], ext, tup[2], self.key)
self.modifyApacheConfig(self.configurator.user_config_file, addresses)
# Save reversible changes and restart the server
self.configurator.save("SNI Challenge", True)
self.configurator.restart(quiet)
self.s = jose.b64encode_url(s)
return self.s
def create_sig(msg, key_file, signer_nonce = None, signer_nonce_len = NONCE_SIZE):
# DOES prepend signer_nonce to message
# TODO: Change this over to M2Crypto... PKey
# Protect against crypto unicode errors... is this sufficient? Do I need to escape?
msg = str(msg)
key = RSA.importKey(open(key_file).read())
if signer_nonce is None:
signer_nonce = get_random_bytes(signer_nonce_len)
h = SHA256.new(signer_nonce + msg)
signer = PKCS1_v1_5.new(key)
signature = signer.sign(h)
#print "signing:", signer_nonce + msg
#print "signature:", signature
n, e = key.n, key.e
n_bytes = binascii.unhexlify(leading_zeros(hex(n)[2:].replace("L", "")))
e_bytes = binascii.unhexlify(leading_zeros(hex(e)[2:].replace("L", "")))
n_encoded = jose.b64encode_url(n_bytes)
e_encoded = jose.b64encode_url(e_bytes)
signer_nonce_encoded = jose.b64encode_url(signer_nonce)
sig_encoded = jose.b64encode_url(signature)
jwk = { "kty": "RSA", "n": n_encoded, "e": e_encoded }
signature = { "nonce": signer_nonce_encoded, "alg": "RS256", "jwk": jwk, "sig": sig_encoded }
# return json.dumps(signature)
return (signature)
def create_sig(msg, key_file, signer_nonce = None, signer_nonce_len = NONCE_SIZE):
# DOES prepend signer_nonce to message
# TODO: Change this over to M2Crypto... PKey
# Protect against crypto unicode errors... is this sufficient? Do I need to escape?
msg = str(msg)
key = RSA.importKey(open(key_file).read())
if signer_nonce is None:
signer_nonce = get_random_bytes(signer_nonce_len)
h = SHA256.new(signer_nonce + msg)
signer = PKCS1_v1_5.new(key)
signature = signer.sign(h)
#print "signing:", signer_nonce + msg
#print "signature:", signature
n, e = key.n, key.e
n_bytes = binascii.unhexlify(leading_zeros(hex(n)[2:].replace("L", "")))
e_bytes = binascii.unhexlify(leading_zeros(hex(e)[2:].replace("L", "")))
n_encoded = jose.b64encode_url(n_bytes)
e_encoded = jose.b64encode_url(e_bytes)
signer_nonce_encoded = jose.b64encode_url(signer_nonce)
sig_encoded = jose.b64encode_url(signature)
jwk = { "kty": "RSA", "n": n_encoded, "e": e_encoded }
signature = { "nonce": signer_nonce_encoded, "alg": "RS256", "jwk": jwk, "sig": sig_encoded }
# return json.dumps(signature)
return (signature)
def test_b64encode_url_ascii(self):
istr = 'eric idle'
encoded = jose.b64encode_url(istr)
self.assertEqual(jose.b64decode_url(encoded), istr)
def test_b64encode_url_utf8(self):
istr = 'eric idle'.encode('utf8')
encoded = jose.b64encode_url(istr)
self.assertEqual(jose.b64decode_url(encoded), istr)
def test_b64encode_url_ascii(self):
istr = 'eric idle'
encoded = jose.b64encode_url(istr)
self.assertEqual(jose.b64decode_url(encoded), istr)
def test_b64encode_url_utf8(self):
istr = 'eric idle'.encode('utf8')
encoded = jose.b64encode_url(istr)
self.assertEqual(jose.b64decode_url(encoded), istr)
def certificate_request(self, csr_der, key):
logger.info("Preparing and sending CSR..")
return {"type":"certificateRequest",
"csr":jose.b64encode_url(csr_der),
"signature":crypto_util.create_sig(csr_der, self.key_file)}
def revocation_request(self, key_file, cert_der):
return {"type":"revocationRequest",
"certificate":jose.b64encode_url(cert_der),
"signature":crypto_util.create_sig(cert_der, key_file)}
def revocation_request(self, key_file, cert_der):
return {
"type": "revocationRequest",
"certificate": jose.b64encode_url(cert_der),
"signature": crypto_util.create_sig(cert_der, key_file)
}
