本文整理汇总了Python中OpenSSL.crypto.X509Store方法的典型用法代码示例。如果您正苦于以下问题:Python crypto.X509Store方法的具体用法?Python crypto.X509Store怎么用?Python crypto.X509Store使用的例子?那么,这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类OpenSSL.crypto的用法示例。
在下文中一共展示了crypto.X509Store方法的14个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: _is_trusted_x509_attestation_cert
# 需要导入模块: from OpenSSL import crypto [as 别名]
# 或者: from OpenSSL.crypto import X509Store [as 别名]
def _is_trusted_x509_attestation_cert(trust_path, trust_anchors):
    """Return True if the leaf of ``trust_path`` verifies against ``trust_anchors``.

    Only ``trust_path[0]`` is verified; the remaining entries of the path are
    not handed to OpenSSL, so the leaf must chain to an anchor using nothing
    but the certificates placed in the store here.

    Args:
        trust_path: non-empty list of X509 certificates, leaf first.
        trust_anchors: non-empty list of trusted X509 certificates.

    Returns:
        True when verification succeeds; False for malformed arguments or
        for any verification error (which is logged at info level).
    """
    malformed = (
        not trust_path
        or not isinstance(trust_path, list)
        or not trust_anchors
        or not isinstance(trust_anchors, list)
    )
    if malformed:
        return False

    leaf = trust_path[0]
    trust_store = crypto.X509Store()
    for anchor in trust_anchors:
        trust_store.add_cert(anchor)

    verifier = crypto.X509StoreContext(trust_store, leaf)
    try:
        verifier.verify_certificate()
    except Exception as exc:
        log.info('Unable to verify certificate: {}'.format(exc))
        return False
    return True
示例2: _verify_ca
# 需要导入模块: from OpenSSL import crypto [as 别名]
# 或者: from OpenSSL.crypto import X509Store [as 别名]
def _verify_ca(self):
    """
    (internal use only)
    Raise ``ValidationError`` unless ``self.x509`` verifies against
    ``self.ca.x509`` as the sole trust anchor.
    """
    trust_store = crypto.X509Store()
    trust_store.add_cert(self.ca.x509)
    context = crypto.X509StoreContext(trust_store, self.x509)
    try:
        context.verify_certificate()
    except crypto.X509StoreContextError as exc:
        # exc.args[0][2] is the human-readable OpenSSL message (the first
        # entry is presumably an (errno, depth, message) triple)
        message = _('CA doesn\'t match, got the following error from pyOpenSSL: "%s"')
        raise ValidationError(message % exc.args[0][2])
示例3: assertSignature
# 需要导入模块: from OpenSSL import crypto [as 别名]
# 或者: from OpenSSL.crypto import X509Store [as 别名]
def assertSignature(self, chain, cert):
    """Assert that ``cert`` verifies against the CAs in ``chain``.

    Each element of ``chain`` is re-parsed from its PEM dump, added to a
    fresh X509Store and verified against that store in turn; finally ``cert``
    is verified against the complete store.  The store clock is pinned to
    the current UTC time because OpenSSL reads its timestamp in the C layer,
    where freezegun cannot intervene.
    """
    # see: http://stackoverflow.com/questions/30700348
    trust_store = X509Store()
    trust_store.set_time(datetime.utcnow())

    for issuer in chain:
        issuer_x509 = load_certificate(FILETYPE_PEM, issuer.dump_certificate())
        trust_store.add_cert(issuer_x509)
        # the CA itself must verify against what has been loaded so far
        issuer_ctx = X509StoreContext(trust_store, issuer_x509)
        self.assertIsNone(issuer_ctx.verify_certificate())

    leaf = load_certificate(FILETYPE_PEM, cert.dump_certificate())
    leaf_ctx = X509StoreContext(trust_store, leaf)
    self.assertIsNone(leaf_ctx.verify_certificate())
示例4: verify_certificate
# 需要导入模块: from OpenSSL import crypto [as 别名]
# 或者: from OpenSSL.crypto import X509Store [as 别名]
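def verify_certificate(self, crt=None, cacrt=None):
    """Verify that the PEM certificate ``crt`` was issued by the PEM CA ``cacrt``.

    Only ``cacrt`` is placed in the trust store and ``crt`` is the certificate
    under test.  The earlier version added ``crt`` to the store and verified
    ``cacrt`` against itself, which never checked the client certificate.

    Args:
        crt: PEM-encoded certificate to verify.
        cacrt: PEM-encoded CA certificate that must have signed ``crt``.

    Returns:
        True when verification succeeds.

    Raises:
        Exception: ``("Certificate Validation Failed on Client side", cause)``
            when either blob fails to parse or the chain does not verify.
    """
    try:
        cert = load_certificate(FILETYPE_PEM, crt)
        ca_cert = load_certificate(FILETYPE_PEM, cacrt)
        store = X509Store()
        store.add_cert(ca_cert)
        store_ctx = X509StoreContext(store, cert)
        # verify_certificate() returns None on success and raises on
        # failure, so there is no result value to compare against
        store_ctx.verify_certificate()
        print("Certificate verification Passed on Client side")
        return True
    except Exception as e:
        raise Exception("Certificate Validation Failed on Client side", e)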
示例5: verify_certificate
# 需要导入模块: from OpenSSL import crypto [as 别名]
# 或者: from OpenSSL.crypto import X509Store [as 别名]
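def verify_certificate(self, crt=None, cacrt=None):
    """Verify that the PEM certificate ``crt`` was issued by the PEM CA ``cacrt``.

    Only ``cacrt`` is placed in the trust store and ``crt`` is the certificate
    under test.  The earlier version added ``crt`` to the store and verified
    ``cacrt`` against itself, which never checked the peer certificate.

    Args:
        crt: PEM-encoded certificate to verify.
        cacrt: PEM-encoded CA certificate that must have signed ``crt``.

    Returns:
        True when verification succeeds.

    Raises:
        Exception: ``("Certificate Validation Failed on Server side", cause)``
            when either blob fails to parse or the chain does not verify;
            the cause is logged at error level first.
    """
    try:
        cert = load_certificate(FILETYPE_PEM, crt)
        ca_cert = load_certificate(FILETYPE_PEM, cacrt)
        store = X509Store()
        store.add_cert(ca_cert)
        store_ctx = X509StoreContext(store, cert)
        # verify_certificate() returns None on success and raises on
        # failure, so there is no result value to compare against
        store_ctx.verify_certificate()
        LOG.info("Certificate verification Passed on Server side")
        return True
    except Exception as e:
        LOG.error(str(e))
        raise Exception("Certificate Validation Failed on Server side", e)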
示例6: _is_trusted_attestation_cert
# 需要导入模块: from OpenSSL import crypto [as 别名]
# 或者: from OpenSSL.crypto import X509Store [as 别名]
def _is_trusted_attestation_cert(trust_path, trust_anchors):
    """Return True if the first certificate of ``trust_path`` verifies against ``trust_anchors``.

    Args:
        trust_path: non-empty list of X509 certificates, leaf first.
        trust_anchors: iterable of trusted X509 certificates.

    Returns:
        True when verification succeeds; False when ``trust_path`` is not a
        non-empty list or when OpenSSL rejects the certificate (the error is
        written to stderr).
    """
    if not isinstance(trust_path, list) or not trust_path:
        return False
    # NOTE: Only using the first attestation cert in the
    # attestation trust path for now, but should be
    # able to build a chain.
    leaf = trust_path[0]
    trust_store = crypto.X509Store()
    for anchor in trust_anchors:
        trust_store.add_cert(anchor)
    try:
        crypto.X509StoreContext(trust_store, leaf).verify_certificate()
    except Exception as exc:
        print('Unable to verify certificate: {}.'.format(exc), file=sys.stderr)
        return False
    return True
示例7: verify_trust_chain
# 需要导入模块: from OpenSSL import crypto [as 别名]
# 或者: from OpenSSL.crypto import X509Store [as 别名]
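def verify_trust_chain(certificate, ca):
    """Verify that the PEM ``certificate`` chains to the trust anchor ``ca``.

    ``ca`` may be a ``crypto.X509`` object or a PEM blob; it is the only
    certificate placed in the trust store, so ``certificate`` must be issued
    by it (no intermediates are supplied).  The earlier version ignored
    ``ca`` entirely and verified against an empty store, so it could never
    succeed.

    Raises:
        crypto.X509StoreContextError: if the chain does not verify.
        crypto.Error: if a PEM blob cannot be parsed.
    """
    cert = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
    if isinstance(ca, crypto.X509):
        ca_cert = ca
    else:
        ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, ca)
    store = crypto.X509Store()
    store.add_cert(ca_cert)
    store_ctx = crypto.X509StoreContext(store, cert)
    # returns None on success, raises X509StoreContextError otherwise
    store_ctx.verify_certificate()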
示例8: test_get_cert_store
# 需要导入模块: from OpenSSL import crypto [as 别名]
# 或者: from OpenSSL.crypto import X509Store [as 别名]
def test_get_cert_store(self):
    """
    :py:obj:`Context.get_cert_store` returns a :py:obj:`X509Store` instance.
    """
    ctx = Context(TLSv1_METHOD)
    self.assertIsInstance(ctx.get_cert_store(), X509Store)
示例9: test_new
# 需要导入模块: from OpenSSL import crypto [as 别名]
# 或者: from OpenSSL.crypto import X509Store [as 别名]
def test_new(self):
    """A freshly created cert has the expected subject, issuer, signature,
    X509 version and basicConstraints extension."""
    cert = self._create_cert()
    self.assertNotEqual(cert.certificate, '')
    self.assertNotEqual(cert.private_key, '')
    x509 = cert.x509
    self.assertEqual(x509.get_serial_number(), cert.serial_number)

    # (X509Name attribute, model attribute) pairs that must agree
    name_fields = (
        ('countryName', 'country_code'),
        ('stateOrProvinceName', 'state'),
        ('localityName', 'city'),
        ('organizationName', 'organization_name'),
        ('emailAddress', 'email'),
        ('commonName', 'common_name'),
    )
    # subject comes from the cert itself
    subject = x509.get_subject()
    for x509_attr, model_attr in name_fields:
        self.assertEqual(getattr(subject, x509_attr), getattr(cert, model_attr))
    # issuer comes from the CA
    issuer = x509.get_issuer()
    ca = cert.ca
    for x509_attr, model_attr in name_fields:
        self.assertEqual(getattr(issuer, x509_attr), getattr(ca, model_attr))

    # signature: the cert must verify against a store holding only its CA
    store = crypto.X509Store()
    store.add_cert(ca.x509)
    crypto.X509StoreContext(store, cert.x509).verify_certificate()

    # X509 v3 is encoded as version 2 (zero-based)
    self.assertEqual(x509.get_version(), 2)

    # basicConstraints: first extension, non-critical, b'0\x00' is an empty
    # DER SEQUENCE (i.e. no CA flag set)
    ext = cert.x509.get_extension(0)
    self.assertEqual(ext.get_critical(), 0)
    self.assertEqual(ext.get_short_name().decode(), 'basicConstraints')
    self.assertEqual(ext.get_data(), b'0\x00')
示例10: verify_certificate_chain
# 需要导入模块: from OpenSSL import crypto [as 别名]
# 或者: from OpenSSL.crypto import X509Store [as 别名]
def verify_certificate_chain(cert_bytes, trusted_certs, ignore_self_signed=True):
    """Verify a DER certificate against a trust store built from ``trusted_certs``.

    Args:
        cert_bytes: DER (ASN.1) encoded certificate to verify.
        trusted_certs: iterable of DER encoded certificates used as trust anchors.
        ignore_self_signed: when True the certificate itself is added to the
            store as well, so a self-signed partner certificate verifies
            against itself without any external anchor.

    Returns:
        True when verification succeeds.

    Raises:
        AS2Exception: code "invalid-certificate" when OpenSSL rejects the chain.
    """
    certificate = crypto.load_certificate(crypto.FILETYPE_ASN1, cert_bytes)
    try:
        trust_store = crypto.X509Store()
        if ignore_self_signed:
            trust_store.add_cert(certificate)
        # trusted_certs are DER blobs, like cert_bytes
        for raw_cert in trusted_certs:
            trust_store.add_cert(crypto.load_certificate(crypto.FILETYPE_ASN1, raw_cert))
        # returns None on success, raises X509StoreContextError otherwise
        crypto.X509StoreContext(trust_store, certificate).verify_certificate()
    except crypto.X509StoreContextError as exc:
        # the last element of the last error entry is OpenSSL's message text
        raise AS2Exception(
            "Partner Certificate Invalid: %s" % exc.args[-1][-1], "invalid-certificate"
        )
    return True
示例11: get_apple_pki_store
# 需要导入模块: from OpenSSL import crypto [as 别名]
# 或者: from OpenSSL.crypto import X509Store [as 别名]
def get_apple_pki_store():
    """Build an X509Store holding the Apple device PKI certificates.

    Loads the three PEM files (device CA, certification authority, root CA)
    from ``APPLE_PKI_DIR`` as trust anchors and returns the populated store.
    """
    apple_ca_files = (
        "Apple_iPhone_Device_CA.pem",
        "Apple_iPhone_Certification_Authority.pem",
        "Apple_Root_CA.pem",
    )
    trust_store = crypto.X509Store()
    for name in apple_ca_files:
        pem_path = os.path.join(APPLE_PKI_DIR, name)
        with open(pem_path, "rb") as pem_file:
            pem_data = pem_file.read()
        trust_store.add_cert(crypto.load_certificate(crypto.FILETYPE_PEM, pem_data))
    return trust_store
示例12: test_get_cert_store
# 需要导入模块: from OpenSSL import crypto [as 别名]
# 或者: from OpenSSL.crypto import X509Store [as 别名]
def test_get_cert_store(self):
    """
    `Context.get_cert_store` returns a `X509Store` instance.
    """
    ctx = Context(TLSv1_METHOD)
    assert isinstance(ctx.get_cert_store(), X509Store)
示例13: verify_certs_chain
# 需要导入模块: from OpenSSL import crypto [as 别名]
# 或者: from OpenSSL.crypto import X509Store [as 别名]
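def verify_certs_chain(certs_chain: List[crypto.X509], amazon_cert: crypto.X509) -> bool:
    """Verifies if Amazon and additional certificates creates chain of trust to a root CA.

    The certificates fetched from the signature chain URL are handed to
    OpenSSL as *untrusted* intermediates (the ``chain`` argument of
    ``X509StoreContext``) instead of being added to the trust store, so the
    chain must still terminate at one of the system CA certificates; an
    attacker-supplied intermediate can no longer serve as its own trust anchor.
    This requires a pyOpenSSL release that supports the ``chain`` keyword.

    Args:
        certs_chain: List of pycrypto X509 intermediate certificates from signature chain URL.
        amazon_cert: Pycrypto X509 Amazon certificate.

    Returns:
        result: True if verification was successful, False if not.
    """
    store = crypto.X509Store()

    # add CA certificates from OpenSSL's default directory and file
    default_verify_paths = ssl.get_default_verify_paths()
    ca_files: List[Path] = []
    if default_verify_paths.capath:
        ca_files.extend(Path(default_verify_paths.capath).resolve().iterdir())
    if default_verify_paths.cafile:
        ca_files.append(Path(default_verify_paths.cafile).resolve())
    for ca_file in ca_files:
        if not ca_file.is_file():
            continue
        # PEM bodies are ASCII, but bundle comments may not be; a stray
        # byte in a comment must not abort the whole verification
        with ca_file.open('r', encoding='utf-8', errors='replace') as crt_f:
            for ca_cert in extract_certs(crt_f.read()):
                store.add_cert(ca_cert)

    # add CA certificates as seen by the ssl module (covers the Windows store)
    der_certs = ssl.create_default_context().get_ca_certs(binary_form=True)
    pem_certs = '\n'.join(ssl.DER_cert_to_PEM_cert(der_cert) for der_cert in der_certs)
    for ca_cert in extract_certs(pem_certs):
        store.add_cert(ca_cert)

    # intermediates are untrusted input: supply them for chain building only
    store_context = crypto.X509StoreContext(store, amazon_cert, chain=certs_chain)
    try:
        store_context.verify_certificate()
    except crypto.X509StoreContextError:
        return False
    return True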
示例14: basic_assertions
# 需要导入模块: from OpenSSL import crypto [as 别名]
# 或者: from OpenSSL.crypto import X509Store [as 别名]
def basic_assertions(self, cdir, cert, key, cacert=None):
    '''
    test basic certificate assumptions

    Args:
        cdir (s_certdir.CertDir): certdir object
        cert (crypto.X509): Cert to test
        key (crypto.PKey): Key for the certification
        cacert (crypto.X509): Corresponding CA cert (optional)
    '''
    self.nn(cert)
    self.nn(key)

    # key size must match what certdir was configured to generate
    expected_bits = cdir.crypto_numbits
    self.eq(cert.get_pubkey().bits(), expected_bits)
    self.eq(key.bits(), expected_bits)
    # X509 v3 is encoded as version 2 (zero-based)
    self.eq(cert.get_version(), 2)

    # a signature over one message must not verify for a different message
    message = b'The quick brown fox jumps over the lazy dog.'
    good_sig = crypto.sign(key, message, 'sha256')
    other_sig = crypto.sign(key, message + b'wut', 'sha256')
    self.none(crypto.verify(cert, good_sig, message, 'sha256'))
    self.raises(crypto.Error, crypto.verify, cert, other_sig, message, 'sha256')

    # cert and private key must be a matching pair
    sslcontext = SSL.Context(SSL.TLSv1_2_METHOD)
    sslcontext.use_certificate(cert)
    sslcontext.use_privatekey(key)
    self.none(sslcontext.check_privatekey())

    if not cacert:
        return

    # the cert's issuer DN must be the CA's subject DN
    self.eq(cert.get_issuer().der(), cacert.get_subject().der())

    store = crypto.X509Store()
    ctx = crypto.X509StoreContext(store, cert)

    # store holds only the leaf: no issuer available, verification must fail
    store.add_cert(cert)
    self.raises(crypto.X509StoreContextError, ctx.verify_certificate)

    # store additionally holds an unrelated CA: still no issuer, still fails
    try:
        cdir.genCaCert('otherca')
    except s_exc.DupFileName:
        pass
    store.add_cert(cdir.getCaCert('otherca'))
    self.raises(crypto.X509StoreContextError, ctx.verify_certificate)

    # store finally holds the real issuer: verification succeeds
    store.add_cert(cacert)
    self.none(ctx.verify_certificate())