
import re
import sys

import OpenSSL

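class CertChecker(object):
    """Sanity-check certificate bundles: key/cert match and chain validity.

    Every object passed to ``check`` is read only through three attributes,
    ``key``, ``cert`` and ``ca`` (each a path to a PEM file or a falsy value)
    plus ``str(cert)`` in error messages. Findings go to the module-level
    ``report_error`` (not defined in this file) and the trust anchors come
    from the module-level ``root_certs`` PEM string; both are looked up at
    call time, so they may be defined after this class.

    Error messages are reproduced verbatim from the original (Czech) so that
    anything consuming report_error output keeps working.
    """

    # X509 verification error codes meaning "issuer certificate not found":
    #   2  = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
    #   20 = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    # For the first certificate of a bundle these are the ONLY verification
    # failures that get reported; other codes (expiry, bad signature, ...)
    # are dropped for it, so a quiet run is not proof that the leaf is valid.
    _ISSUER_NOT_FOUND = (2, 20)

    def __init__(self):
        pass

    def check(self, certs):
        """Run ``_check_cert`` on every item of *certs*, in order."""
        for cert in certs:
            self._check_cert(cert)

    def _check_cert(self, cert):
        """Check one bundle: readable files, parsable key/cert, key matching
        the cert, and a verifiable chain. Each step reports and stops the
        check on failure.
        """
        data = self._read_pem_inputs(cert)
        loaded = self._load_key_and_cert(cert, data)
        if loaded is None:
            return
        ocert, okey = loaded
        if not self._key_matches_cert(cert, ocert, okey):
            return
        self._verify_chain(cert, ocert, data)

    def _read_pem_inputs(self, cert):
        """Concatenate the key, cert and CA files of *cert*, in that order.

        A falsy attribute is skipped; a file that cannot be read is reported
        and skipped (best effort, as in the original). Handles are closed
        after reading (the original leaked them). The returned blob contains
        the private key in clear, so it must never be put into a report
        message — only the path and the OS error text are.
        """
        chunks = []
        for path in (cert.key, cert.cert, cert.ca):
            if not path:
                continue
            try:
                with open(path) as fh:
                    chunks.append(fh.read() + "\n")
            except Exception as e:
                report_error("nepodarilo se otevrit: %s %s" % (path, str(e)))
        return "".join(chunks)

    def _load_key_and_cert(self, cert, data):
        """Parse the certificate and the private key out of *data*.

        Returns ``(ocert, okey)``, or ``None`` after reporting when either
        parse fails. The loaders presumably pick the first matching PEM block
        of the blob — that is what the chain pass assumes as well; confirm
        against the pyOpenSSL version in use.
        """
        try:
            ocert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, data)
        except Exception as e:
            report_error("nepodarilo se nacist cert: %s %s" % (str(cert), str(e)))
            return None
        try:
            okey = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, data)
        except Exception as e:
            report_error("nepodarilo se nacist klic: %s %s" % (str(cert), str(e)))
            return None
        return ocert, okey

    def _key_matches_cert(self, cert, ocert, okey):
        """Return True when *okey* belongs to *ocert*; report and return False otherwise."""
        # The context is used only for check_privatekey(); no connection is made.
        ctx = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_METHOD)
        ctx.use_privatekey(okey)
        ctx.use_certificate(ocert)
        try:
            ctx.check_privatekey()
        except OpenSSL.SSL.Error:
            # Fix: the original omitted the "%" here and raised TypeError
            # instead of reporting the mismatch.
            report_error("nesouhlasi cert a klic: %s - %s" % (cert.cert, cert.key))
            return False
        return True

    @staticmethod
    def _verify_error_code(e):
        """Return the numeric X509 verify error carried by an X509StoreContextError.

        The original wrote ``e[0][0]``, which only works on Python 2;
        ``e.args[0][0]`` is the same lookup on both interpreters. It assumes
        ``args[0]`` is the ``[code, depth, message]`` list supplied by the
        pyOpenSSL release this was written against — newer releases may carry
        that list on ``e.errors`` instead; confirm against the installed version.
        """
        return e.args[0][0]

    def _first_certificate_block(self, data):
        """Return the first PEM block of *data* that parses as a certificate, or None."""
        for block in self._split_pem(data):
            try:
                OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, block)
            except Exception:
                continue
            return block
        return None

    def _verify_chain(self, cert, ocert, data):
        """Verify the chain contained in *data* against the bundled root_certs.

        Pass 1 verifies the parsed leaf against a store holding every block
        of the bundle plus the roots; only an "issuer not found" failure is
        reported (and ends the check). Pass 2 verifies each certificate block
        against a store of all the *other* blocks plus the roots, reporting
        every failure for intermediate/CA blocks but again only "issuer not
        found" for the first certificate; any failure ends the check.
        NOTE(review): in pass 1 the leaf is itself part of the store it is
        verified against — whether that weakens the check depends on the
        OpenSSL version; pass 2 is the stricter one.
        """
        data_split = self._split_pem(data) + self._split_pem(root_certs)

        store_ctx = OpenSSL.crypto.X509StoreContext(self._openssl_store(data_split), ocert)
        try:
            store_ctx.verify_certificate()
        except OpenSSL.crypto.X509StoreContextError as e:
            if self._verify_error_code(e) in self._ISSUER_NOT_FOUND:
                report_error("zavada v chainu u %s %s" % (cert, str(e)))
                return

        first_cert = self._first_certificate_block(data)
        for block in self._split_pem(data):
            try:
                others = list(data_split)
                others.remove(block)  # verify against everything but itself
                store = self._openssl_store(others)
                try:
                    oc = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, block)
                except Exception:
                    continue  # key blocks etc. are not certificates
                OpenSSL.crypto.X509StoreContext(store, oc).verify_certificate()
            except OpenSSL.crypto.X509StoreContextError as e:
                if block != first_cert or self._verify_error_code(e) in self._ISSUER_NOT_FOUND:
                    report_error("zavada v chainu u %s %s" % (cert, str(e)))
                return

    def _split_pem(self, data):
        """Split *data* into its PEM blocks (BEGIN..END lines included).

        Blocks come back in file order, without the trailing newline. The
        original comment grumbles that OpenSSL does not do this itself.
        """
        return re.findall(r"-----BEGIN.*?-----.*?-----END.*?-----", data, re.DOTALL)

    def _openssl_store(self, trusted):
        """Build an X509Store from the PEM blocks in *trusted*.

        Every block that parses as a certificate is added as a trust anchor,
        so the caller decides what is trusted. Blocks that do not parse
        (private keys, garbage) are skipped, as is a certificate that
        ``add_cert`` refuses (older pyOpenSSL releases may raise on
        duplicates); the original swallowed both cases with a bare except.
        """
        store = OpenSSL.crypto.X509Store()
        for block in trusted:
            try:
                oc = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, block)
                store.add_cert(oc)
            except Exception:
                continue
        return store

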
# Trust anchors used by CertChecker._check_cert: a single root CA in PEM.
# From the subject text visible in the base64 it looks like "GlobalSign Root
# CA" — confirm by fingerprint before relying on it. Every block in this
# string becomes a trust anchor, and anything that does not chain to it is
# reported as a chain defect, so bundles from other CAs need their root
# appended here (or a real CA bundle loaded instead).
# Looked up by name at call time, so defining it after the class is fine.
root_certs = """-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQkUx
GTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jvb3QgQ0ExGzAZBgNVBAMTEkds
b2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAwMDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNV
BAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYD
VQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDa
DuaZjc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavpxy0Sy6sc
THAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp1Wrjsok6Vjk4bwY8iGlb
Kk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdGsnUOhugZitVtbNV4FpWi6cgKOOvyJBNP
c1STE4U6G7weNLWLBYy5d4ux2x8gkasJU26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrX
gzT/LCrBbBlDSgeF59N89iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0BAQUF
AAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOzyj1hTdNGCbM+w6Dj
Y1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE38NflNUVyRRBnMRddWQVDf9VMOyG
j/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymPAbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhH
hm4qxFYxldBniYUr+WymXUadDKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveC
X4XSQRjbgbMEHMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
-----END CERTIFICATE-----
"""