| OLD | NEW |
|---|
| (Empty) |
| 1 """Class representing an X.509 certificate chain.""" | |
| 2 | |
| 3 from utils import cryptomath | |
| 4 from X509 import X509 | |
| 5 | |
| 6 class X509CertChain: | |
| 7 """This class represents a chain of X.509 certificates. | |
| 8 | |
| 9 @type x509List: list | |
| 10 @ivar x509List: A list of L{tlslite.X509.X509} instances, | |
| 11 starting with the end-entity certificate and with every | |
| 12 subsequent certificate certifying the previous. | |
| 13 """ | |
| 14 | |
| 15 def __init__(self, x509List=None): | |
| 16 """Create a new X509CertChain. | |
| 17 | |
| 18 @type x509List: list | |
| 19 @param x509List: A list of L{tlslite.X509.X509} instances, | |
| 20 starting with the end-entity certificate and with every | |
| 21 subsequent certificate certifying the previous. | |
| 22 """ | |
| 23 if x509List: | |
| 24 self.x509List = x509List | |
| 25 else: | |
| 26 self.x509List = [] | |
| 27 | |
| 28 def parseChain(self, s): | |
| 29 """Parse a PEM-encoded X.509 certificate file chain file. | |
| 30 | |
| 31 @type s: str | |
| 32 @param s: A PEM-encoded (eg: Base64) X.509 certificate file, with every | |
| 33 certificate wrapped within "-----BEGIN CERTIFICATE-----" and | |
| 34 "-----END CERTIFICATE-----" tags). Extraneous data outside such tags, | |
| 35 such as human readable representations, will be ignored. | |
| 36 """ | |
| 37 | |
| 38 class PEMIterator(object): | |
| 39 """Simple iterator over PEM-encoded certificates within a string. | |
| 40 | |
| 41 @type data: string | |
| 42 @ivar data: A string containing PEM-encoded (Base64) certificates, | |
| 43 with every certificate wrapped within "-----BEGIN CERTIFICATE-----" | |
| 44 and "-----END CERTIFICATE-----" tags). Extraneous data outside such | |
| 45 tags, such as human readable representations, will be ignored. | |
| 46 | |
| 47 @type index: integer | |
| 48 @ivar index: The current offset within data to begin iterating from. | |
| 49 """ | |
| 50 | |
| 51 _CERTIFICATE_HEADER = "-----BEGIN CERTIFICATE-----" | |
| 52 """The PEM encoding block header for X.509 certificates.""" | |
| 53 | |
| 54 _CERTIFICATE_FOOTER = "-----END CERTIFICATE-----" | |
| 55 """The PEM encoding block footer for X.509 certificates.""" | |
| 56 | |
| 57 def __init__(self, s): | |
| 58 self.data = s | |
| 59 self.index = 0 | |
| 60 | |
| 61 def __iter__(self): | |
| 62 return self | |
| 63 | |
| 64 def next(self): | |
| 65 """Iterates and returns the next L{tlslite.X509.X509} | |
| 66 certificate in data. | |
| 67 | |
| 68 @rtype tlslite.X509.X509 | |
| 69 """ | |
| 70 | |
| 71 self.index = self.data.find(self._CERTIFICATE_HEADER, | |
| 72 self.index) | |
| 73 if self.index == -1: | |
| 74 raise StopIteration | |
| 75 end = self.data.find(self._CERTIFICATE_FOOTER, self.index) | |
| 76 if end == -1: | |
| 77 raise StopIteration | |
| 78 | |
| 79 certStr = self.data[self.index+len(self._CERTIFICATE_HEADER) : | |
| 80 end] | |
| 81 self.index = end + len(self._CERTIFICATE_FOOTER) | |
| 82 bytes = cryptomath.base64ToBytes(certStr) | |
| 83 return X509().parseBinary(bytes) | |
| 84 | |
| 85 self.x509List = list(PEMIterator(s)) | |
| 86 return self | |
| 87 | |
| 88 def getNumCerts(self): | |
| 89 """Get the number of certificates in this chain. | |
| 90 | |
| 91 @rtype: int | |
| 92 """ | |
| 93 return len(self.x509List) | |
| 94 | |
| 95 def getEndEntityPublicKey(self): | |
| 96 """Get the public key from the end-entity certificate. | |
| 97 | |
| 98 @rtype: L{tlslite.utils.RSAKey.RSAKey} | |
| 99 """ | |
| 100 if self.getNumCerts() == 0: | |
| 101 raise AssertionError() | |
| 102 return self.x509List[0].publicKey | |
| 103 | |
| 104 def getFingerprint(self): | |
| 105 """Get the hex-encoded fingerprint of the end-entity certificate. | |
| 106 | |
| 107 @rtype: str | |
| 108 @return: A hex-encoded fingerprint. | |
| 109 """ | |
| 110 if self.getNumCerts() == 0: | |
| 111 raise AssertionError() | |
| 112 return self.x509List[0].getFingerprint() | |
| 113 | |
| 114 def getCommonName(self): | |
| 115 """Get the Subject's Common Name from the end-entity certificate. | |
| 116 | |
| 117 The cryptlib_py module must be installed in order to use this | |
| 118 function. | |
| 119 | |
| 120 @rtype: str or None | |
| 121 @return: The CN component of the certificate's subject DN, if | |
| 122 present. | |
| 123 """ | |
| 124 if self.getNumCerts() == 0: | |
| 125 raise AssertionError() | |
| 126 return self.x509List[0].getCommonName() | |
| 127 | |
| 128 def validate(self, x509TrustList): | |
| 129 """Check the validity of the certificate chain. | |
| 130 | |
| 131 This checks that every certificate in the chain validates with | |
| 132 the subsequent one, until some certificate validates with (or | |
| 133 is identical to) one of the passed-in root certificates. | |
| 134 | |
| 135 The cryptlib_py module must be installed in order to use this | |
| 136 function. | |
| 137 | |
| 138 @type x509TrustList: list of L{tlslite.X509.X509} | |
| 139 @param x509TrustList: A list of trusted root certificates. The | |
| 140 certificate chain must extend to one of these certificates to | |
| 141 be considered valid. | |
| 142 """ | |
| 143 | |
| 144 import cryptlib_py | |
| 145 c1 = None | |
| 146 c2 = None | |
| 147 lastC = None | |
| 148 rootC = None | |
| 149 | |
| 150 try: | |
| 151 rootFingerprints = [c.getFingerprint() for c in x509TrustList] | |
| 152 | |
| 153 #Check that every certificate in the chain validates with the | |
| 154 #next one | |
| 155 for cert1, cert2 in zip(self.x509List, self.x509List[1:]): | |
| 156 | |
| 157 #If we come upon a root certificate, we're done. | |
| 158 if cert1.getFingerprint() in rootFingerprints: | |
| 159 return True | |
| 160 | |
| 161 c1 = cryptlib_py.cryptImportCert(cert1.writeBytes(), | |
| 162 cryptlib_py.CRYPT_UNUSED) | |
| 163 c2 = cryptlib_py.cryptImportCert(cert2.writeBytes(), | |
| 164 cryptlib_py.CRYPT_UNUSED) | |
| 165 try: | |
| 166 cryptlib_py.cryptCheckCert(c1, c2) | |
| 167 except: | |
| 168 return False | |
| 169 cryptlib_py.cryptDestroyCert(c1) | |
| 170 c1 = None | |
| 171 cryptlib_py.cryptDestroyCert(c2) | |
| 172 c2 = None | |
| 173 | |
| 174 #If the last certificate is one of the root certificates, we're | |
| 175 #done. | |
| 176 if self.x509List[-1].getFingerprint() in rootFingerprints: | |
| 177 return True | |
| 178 | |
| 179 #Otherwise, find a root certificate that the last certificate | |
| 180 #chains to, and validate them. | |
| 181 lastC = cryptlib_py.cryptImportCert(self.x509List[-1].writeBytes(), | |
| 182 cryptlib_py.CRYPT_UNUSED) | |
| 183 for rootCert in x509TrustList: | |
| 184 rootC = cryptlib_py.cryptImportCert(rootCert.writeBytes(), | |
| 185 cryptlib_py.CRYPT_UNUSED) | |
| 186 if self._checkChaining(lastC, rootC): | |
| 187 try: | |
| 188 cryptlib_py.cryptCheckCert(lastC, rootC) | |
| 189 return True | |
| 190 except: | |
| 191 return False | |
| 192 return False | |
| 193 finally: | |
| 194 if not (c1 is None): | |
| 195 cryptlib_py.cryptDestroyCert(c1) | |
| 196 if not (c2 is None): | |
| 197 cryptlib_py.cryptDestroyCert(c2) | |
| 198 if not (lastC is None): | |
| 199 cryptlib_py.cryptDestroyCert(lastC) | |
| 200 if not (rootC is None): | |
| 201 cryptlib_py.cryptDestroyCert(rootC) | |
| 202 | |
| 203 | |
| 204 | |
| 205 def _checkChaining(self, lastC, rootC): | |
| 206 import cryptlib_py | |
| 207 import array | |
| 208 def compareNames(name): | |
| 209 try: | |
| 210 length = cryptlib_py.cryptGetAttributeString(lastC, name, None) | |
| 211 lastName = array.array('B', [0] * length) | |
| 212 cryptlib_py.cryptGetAttributeString(lastC, name, lastName) | |
| 213 lastName = lastName.tostring() | |
| 214 except cryptlib_py.CryptException, e: | |
| 215 if e[0] == cryptlib_py.CRYPT_ERROR_NOTFOUND: | |
| 216 lastName = None | |
| 217 try: | |
| 218 length = cryptlib_py.cryptGetAttributeString(rootC, name, None) | |
| 219 rootName = array.array('B', [0] * length) | |
| 220 cryptlib_py.cryptGetAttributeString(rootC, name, rootName) | |
| 221 rootName = rootName.tostring() | |
| 222 except cryptlib_py.CryptException, e: | |
| 223 if e[0] == cryptlib_py.CRYPT_ERROR_NOTFOUND: | |
| 224 rootName = None | |
| 225 | |
| 226 return lastName == rootName | |
| 227 | |
| 228 cryptlib_py.cryptSetAttribute(lastC, | |
| 229 cryptlib_py.CRYPT_CERTINFO_ISSUERNAME, | |
| 230 cryptlib_py.CRYPT_UNUSED) | |
| 231 | |
| 232 if not compareNames(cryptlib_py.CRYPT_CERTINFO_COUNTRYNAME): | |
| 233 return False | |
| 234 if not compareNames(cryptlib_py.CRYPT_CERTINFO_LOCALITYNAME): | |
| 235 return False | |
| 236 if not compareNames(cryptlib_py.CRYPT_CERTINFO_ORGANIZATIONNAME): | |
| 237 return False | |
| 238 if not compareNames(cryptlib_py.CRYPT_CERTINFO_ORGANIZATIONALUNITNAME): | |
| 239 return False | |
| 240 if not compareNames(cryptlib_py.CRYPT_CERTINFO_COMMONNAME): | |
| 241 return False | |
| 242 return True | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 211173006:
Perform tlslite 0.3.8 -> 0.4.6 renames ahead of time. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src