def certificate_request(self, csr_der, key): logger.info("Preparing and sending CSR..") return { "type": "certificateRequest", "csr": jose.b64encode_url(csr_der), "signature": crypto_util.create_sig(csr_der, self.key_file) }
def test_b64encode_url(self): istr = '{"alg": "RSA-OAEP", "enc": "A128CBC-HS256"}' # sanity check self.assertEqual(b64encode(istr)[-1], '=') # actual test self.assertNotEqual(jose.b64encode_url(istr), '=')
def main(): key = path.abspath("/home/ubuntu/key.pem") csr = path.abspath("/home/ubuntu/req.pem") logger.setLogger(logger.FileLogger(sys.stdout)) logger.setLogLevel(logger.INFO) testkey = M2Crypto.RSA.load_key(key) #r = Random.get_random_bytes(S_SIZE) r = "testValueForR" #nonce = Random.get_random_bytes(NONCE_SIZE) nonce = "nonce" r2 = "testValueForR2" nonce2 = "nonce2" r = jose.b64encode_url(r) r2 = jose.b64encode_url(r2) #ans = dns.resolver.query("google.com") #print ans.rrset #return #the second parameter is ignored #https://www.dlitz.net/software/pycrypto/api/current/ #y = testkey.public_encrypt(r, M2Crypto.RSA.pkcs1_oaep_padding) #y2 = testkey.public_encrypt(r2, M2Crypto.RSA.pkcs1_oaep_padding) nonce = binascii.hexlify(nonce) nonce2 = binascii.hexlify(nonce2) config = configurator.Configurator() challenges = [("client.theobroma.info", r, nonce), ("foo.theobroma.info",r2, nonce2)] #challenges = [("127.0.0.1", y, nonce, "1.3.3.7"), ("localhost", y2, nonce2, "1.3.3.7")] sni_chall = SNI_Challenge(challenges, key, config) if sni_chall.perform(): # Waste some time without importing time module... just for testing for i in range(0, 12000): if i % 2000 == 0: print "Waiting:", i #print "Cleaning up" #sni_chall.cleanup() else: print "Failed SNI challenge..."
def test_decrypt_invalid_compression_error(self): jwe = jose.encrypt(claims, rsa_pub_key, compression='DEF') header = jose.b64encode_url('{"alg": "RSA-OAEP", ' '"enc": "A128CBC-HS256", "zip": "BAD"}') try: jose.decrypt(jose.JWE(*((header,) + (jwe[1:]))), rsa_priv_key) self.fail() except ValueError as e: self.assertEqual(e.message, 'Unsupported compression algorithm: BAD')
def perform(self, quiet=False): """ Sets up and reloads Apache server to handle SNI challenges listSNITuple: List of tuples with form (addr, r, nonce) addr (string), r (base64 string), nonce (hex string) key: string - File path to key configurator: Configurator obj """ # Save any changes to the configuration as a precaution # About to make temporary changes to the config self.configurator.save() addresses = [] default_addr = "*:443" for tup in self.listSNITuple: vhost = self.configurator.choose_virtual_host(tup[0]) if vhost is None: print "No vhost exists with servername or alias of:", tup[0] print "No _default_:443 vhost exists" print "Please specify servernames in the Apache config" return None if not self.configurator.make_server_sni_ready(vhost, default_addr): return None for a in vhost.addrs: if "_default_" in a: addresses.append([default_addr]) break else: addresses.append(vhost.addrs) # Generate S s = Random.get_random_bytes(S_SIZE) # Create all of the challenge certs for tup in self.listSNITuple: # Need to decode from base64 r = jose.b64decode_url(tup[1]) ext = self.generateExtension(r, s) self.createChallengeCert(tup[0], ext, tup[2], self.key) self.modifyApacheConfig(self.configurator.user_config_file, addresses) # Save reversible changes and restart the server self.configurator.save("SNI Challenge", True) self.configurator.restart(quiet) self.s = jose.b64encode_url(s) return self.s
def create_sig(msg, key_file, signer_nonce = None, signer_nonce_len = NONCE_SIZE): # DOES prepend signer_nonce to message # TODO: Change this over to M2Crypto... PKey # Protect against crypto unicode errors... is this sufficient? Do I need to escape? msg = str(msg) key = RSA.importKey(open(key_file).read()) if signer_nonce is None: signer_nonce = get_random_bytes(signer_nonce_len) h = SHA256.new(signer_nonce + msg) signer = PKCS1_v1_5.new(key) signature = signer.sign(h) #print "signing:", signer_nonce + msg #print "signature:", signature n, e = key.n, key.e n_bytes = binascii.unhexlify(leading_zeros(hex(n)[2:].replace("L", ""))) e_bytes = binascii.unhexlify(leading_zeros(hex(e)[2:].replace("L", ""))) n_encoded = jose.b64encode_url(n_bytes) e_encoded = jose.b64encode_url(e_bytes) signer_nonce_encoded = jose.b64encode_url(signer_nonce) sig_encoded = jose.b64encode_url(signature) jwk = { "kty": "RSA", "n": n_encoded, "e": e_encoded } signature = { "nonce": signer_nonce_encoded, "alg": "RS256", "jwk": jwk, "sig": sig_encoded } # return json.dumps(signature) return (signature)
def test_b64encode_url_ascii(self): istr = 'eric idle' encoded = jose.b64encode_url(istr) self.assertEqual(jose.b64decode_url(encoded), istr)
def test_b64encode_url_utf8(self): istr = 'eric idle'.encode('utf8') encoded = jose.b64encode_url(istr) self.assertEqual(jose.b64decode_url(encoded), istr)
def certificate_request(self, csr_der, key): logger.info("Preparing and sending CSR..") return {"type":"certificateRequest", "csr":jose.b64encode_url(csr_der), "signature":crypto_util.create_sig(csr_der, self.key_file)}
def revocation_request(self, key_file, cert_der): return {"type":"revocationRequest", "certificate":jose.b64encode_url(cert_der), "signature":crypto_util.create_sig(cert_der, key_file)}
def revocation_request(self, key_file, cert_der): return { "type": "revocationRequest", "certificate": jose.b64encode_url(cert_der), "signature": crypto_util.create_sig(cert_der, key_file) }