本文整理汇总了Python中OpenSSL.crypto.X509StoreContextError方法的典型用法代码示例。如果您正苦于以下问题:Python crypto.X509StoreContextError方法的具体用法?Python crypto.X509StoreContextError怎么用?Python crypto.X509StoreContextError使用的例子?那么, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类OpenSSL.crypto
的用法示例。
在下文中一共展示了crypto.X509StoreContextError方法的11个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: test_modification_pre_verify
# 需要导入模块: from OpenSSL import crypto [as 别名]
# 或者: from OpenSSL.crypto import X509StoreContextError [as 别名]
def test_modification_pre_verify(self):
"""
:py:obj:`verify_certificate` can use a store context modified after
instantiation.
"""
store_bad = X509Store()
store_bad.add_cert(self.intermediate_cert)
store_good = X509Store()
store_good.add_cert(self.root_cert)
store_good.add_cert(self.intermediate_cert)
store_ctx = X509StoreContext(store_bad, self.intermediate_server_cert)
e = self.assertRaises(X509StoreContextError, store_ctx.verify_certificate)
self.assertEqual(e.args[0][2], 'unable to get issuer certificate')
self.assertEqual(e.certificate.get_subject().CN, 'intermediate')
store_ctx.set_store(store_good)
self.assertEqual(store_ctx.verify_certificate(), None)
示例2: _verify_ca
# 需要导入模块: from OpenSSL import crypto [as 别名]
# 或者: from OpenSSL.crypto import X509StoreContextError [as 别名]
def _verify_ca(self):
"""
(internal use only)
verifies the current x509 is signed
by the associated CA
"""
store = crypto.X509Store()
store.add_cert(self.ca.x509)
store_ctx = crypto.X509StoreContext(store, self.x509)
try:
store_ctx.verify_certificate()
except crypto.X509StoreContextError as e:
raise ValidationError(
_("CA doesn't match, got the " 'following error from pyOpenSSL: "%s"')
% e.args[0][2]
)
示例3: test_untrusted_self_signed
# 需要导入模块: from OpenSSL import crypto [as 别名]
# 或者: from OpenSSL.crypto import X509StoreContextError [as 别名]
def test_untrusted_self_signed(self):
"""
:py:obj:`verify_certificate` raises error when a self-signed certificate is
verified without itself in the chain.
"""
store = X509Store()
store_ctx = X509StoreContext(store, self.root_cert)
e = self.assertRaises(X509StoreContextError, store_ctx.verify_certificate)
self.assertEqual(e.args[0][2], 'self signed certificate')
self.assertEqual(e.certificate.get_subject().CN, 'Testing Root CA')
示例4: test_invalid_chain_no_root
# 需要导入模块: from OpenSSL import crypto [as 别名]
# 或者: from OpenSSL.crypto import X509StoreContextError [as 别名]
def test_invalid_chain_no_root(self):
"""
:py:obj:`verify_certificate` raises error when a root certificate is missing
from the chain.
"""
store = X509Store()
store.add_cert(self.intermediate_cert)
store_ctx = X509StoreContext(store, self.intermediate_server_cert)
e = self.assertRaises(X509StoreContextError, store_ctx.verify_certificate)
self.assertEqual(e.args[0][2], 'unable to get issuer certificate')
self.assertEqual(e.certificate.get_subject().CN, 'intermediate')
示例5: test_invalid_chain_no_intermediate
# 需要导入模块: from OpenSSL import crypto [as 别名]
# 或者: from OpenSSL.crypto import X509StoreContextError [as 别名]
def test_invalid_chain_no_intermediate(self):
"""
:py:obj:`verify_certificate` raises error when an intermediate certificate is
missing from the chain.
"""
store = X509Store()
store.add_cert(self.root_cert)
store_ctx = X509StoreContext(store, self.intermediate_server_cert)
e = self.assertRaises(X509StoreContextError, store_ctx.verify_certificate)
self.assertEqual(e.args[0][2], 'unable to get local issuer certificate')
self.assertEqual(e.certificate.get_subject().CN, 'intermediate-service')
示例6: verify_certificate_chain
# 需要导入模块: from OpenSSL import crypto [as 别名]
# 或者: from OpenSSL.crypto import X509StoreContextError [as 别名]
def verify_certificate_chain(cert_bytes, trusted_certs, ignore_self_signed=True):
"""Verify a given certificate against a trust store."""
# Load the certificate
certificate = crypto.load_certificate(crypto.FILETYPE_ASN1, cert_bytes)
# Create a certificate store and add your trusted certs
try:
store = crypto.X509Store()
if ignore_self_signed:
store.add_cert(certificate)
# Assuming the certificates are in PEM format in a trusted_certs list
for _cert in trusted_certs:
store.add_cert(crypto.load_certificate(crypto.FILETYPE_ASN1, _cert))
# Create a certificate context using the store and the certificate
store_ctx = crypto.X509StoreContext(store, certificate)
# Verify the certificate, returns None if certificate is not valid
store_ctx.verify_certificate()
return True
except crypto.X509StoreContextError as e:
raise AS2Exception(
"Partner Certificate Invalid: %s" % e.args[-1][-1], "invalid-certificate"
)
示例7: _add_cert_to_store
# 需要导入模块: from OpenSSL import crypto [as 别名]
# 或者: from OpenSSL.crypto import X509StoreContextError [as 别名]
def _add_cert_to_store(store, cert):
from OpenSSL.crypto import X509StoreContext, X509StoreContextError, Error as OpenSSLCryptoError
try:
X509StoreContext(store, cert).verify_certificate()
except X509StoreContextError as e:
raise InvalidCertificate(e)
try:
store.add_cert(cert)
return cert
except OpenSSLCryptoError as e:
if e.args == ([('x509 certificate routines', 'X509_STORE_add_cert', 'cert already in hash table')],):
raise RedundantCert(e)
raise
示例8: verify_apple_iphone_device_ca_issuer_pyopenssl
# 需要导入模块: from OpenSSL import crypto [as 别名]
# 或者: from OpenSSL.crypto import X509StoreContextError [as 别名]
def verify_apple_iphone_device_ca_issuer_pyopenssl(certificate_bytes):
certificate = crypto.load_certificate(crypto.FILETYPE_ASN1, certificate_bytes)
store_ctx = crypto.X509StoreContext(APPLE_PKI_STORE, certificate)
try:
store_ctx.verify_certificate()
except crypto.X509StoreContextError:
return False
else:
return True
示例9: test_certdir_valUserCert
# 需要导入模块: from OpenSSL import crypto [as 别名]
# 或者: from OpenSSL.crypto import X509StoreContextError [as 别名]
def test_certdir_valUserCert(self):
with self.getCertDir() as cdir: # type: s_certdir.CertDir
cdir._getPathJoin()
cdir.genCaCert('syntest')
cdir.genCaCert('newp')
cdir.getCaCerts()
syntestca = cdir.getCaCert('syntest')
newpca = cdir.getCaCert('newp')
self.raises(crypto.Error, cdir.valUserCert, b'')
cdir.genUserCert('cool')
path = cdir.getUserCertPath('cool')
byts = cdir._getPathBytes(path)
self.raises(crypto.X509StoreContextError, cdir.valUserCert, byts)
cdir.genUserCert('cooler', signas='syntest')
path = cdir.getUserCertPath('cooler')
byts = cdir._getPathBytes(path)
self.nn(cdir.valUserCert(byts))
self.nn(cdir.valUserCert(byts, cacerts=(syntestca,)))
self.raises(crypto.X509StoreContextError, cdir.valUserCert, byts, cacerts=(newpca,))
self.raises(crypto.X509StoreContextError, cdir.valUserCert, byts, cacerts=())
cdir.genUserCert('coolest', signas='newp')
path = cdir.getUserCertPath('coolest')
byts = cdir._getPathBytes(path)
self.nn(cdir.valUserCert(byts))
self.nn(cdir.valUserCert(byts, cacerts=(newpca,)))
self.raises(crypto.X509StoreContextError, cdir.valUserCert, byts, cacerts=(syntestca,))
self.raises(crypto.X509StoreContextError, cdir.valUserCert, byts, cacerts=())
示例10: verify_certs_chain
# 需要导入模块: from OpenSSL import crypto [as 别名]
# 或者: from OpenSSL.crypto import X509StoreContextError [as 别名]
def verify_certs_chain(certs_chain: List[crypto.X509], amazon_cert: crypto.X509) -> bool:
"""Verifies if Amazon and additional certificates creates chain of trust to a root CA.
Args:
certs_chain: List of pycrypto X509 intermediate certificates from signature chain URL.
amazon_cert: Pycrypto X509 Amazon certificate.
Returns:
result: True if verification was successful, False if not.
"""
store = crypto.X509Store()
# add certificates from Amazon provided certs chain
for cert in certs_chain:
store.add_cert(cert)
# add CA certificates
default_verify_paths = ssl.get_default_verify_paths()
default_verify_file = default_verify_paths.cafile
default_verify_file = Path(default_verify_file).resolve() if default_verify_file else None
default_verify_path = default_verify_paths.capath
default_verify_path = Path(default_verify_path).resolve() if default_verify_path else None
ca_files = [ca_file for ca_file in default_verify_path.iterdir()] if default_verify_path else []
if default_verify_file:
ca_files.append(default_verify_file)
for ca_file in ca_files:
ca_file: Path
if ca_file.is_file():
with ca_file.open('r', encoding='ascii') as crt_f:
ca_certs_txt = crt_f.read()
ca_certs = extract_certs(ca_certs_txt)
for cert in ca_certs:
store.add_cert(cert)
# add CA certificates (Windows)
ssl_context = ssl.create_default_context()
der_certs = ssl_context.get_ca_certs(binary_form=True)
pem_certs = '\n'.join([ssl.DER_cert_to_PEM_cert(der_cert) for der_cert in der_certs])
ca_certs = extract_certs(pem_certs)
for ca_cert in ca_certs:
store.add_cert(ca_cert)
store_context = crypto.X509StoreContext(store, amazon_cert)
try:
store_context.verify_certificate()
result = True
except crypto.X509StoreContextError:
result = False
return result
示例11: basic_assertions
# 需要导入模块: from OpenSSL import crypto [as 别名]
# 或者: from OpenSSL.crypto import X509StoreContextError [as 别名]
def basic_assertions(self, cdir, cert, key, cacert=None):
'''
test basic certificate assumptions
Args:
cdir (s_certdir.CertDir): certdir object
cert (crypto.X509): Cert to test
key (crypto.PKey): Key for the certification
cacert (crypto.X509): Corresponding CA cert (optional)
'''
self.nn(cert)
self.nn(key)
# Make sure the certs were generated with the expected number of bits
self.eq(cert.get_pubkey().bits(), cdir.crypto_numbits)
self.eq(key.bits(), cdir.crypto_numbits)
# Make sure the certs were generated with the correct version number
self.eq(cert.get_version(), 2)
# ensure we can sign / verify data with our keypair
buf = b'The quick brown fox jumps over the lazy dog.'
sig = crypto.sign(key, buf, 'sha256')
sig2 = crypto.sign(key, buf + b'wut', 'sha256')
self.none(crypto.verify(cert, sig, buf, 'sha256'))
self.raises(crypto.Error, crypto.verify, cert, sig2, buf, 'sha256')
# ensure that a ssl context using both cert/key match
sslcontext = SSL.Context(SSL.TLSv1_2_METHOD)
sslcontext.use_certificate(cert)
sslcontext.use_privatekey(key)
self.none(sslcontext.check_privatekey())
if cacert:
# Make sure the cert was signed by the CA
self.eq(cert.get_issuer().der(), cacert.get_subject().der())
store = crypto.X509Store()
ctx = crypto.X509StoreContext(store, cert)
# OpenSSL should NOT be able to verify the certificate if its CA is not loaded
store.add_cert(cert)
self.raises(crypto.X509StoreContextError, ctx.verify_certificate) # unable to get local issuer certificate
# Generate a separate CA that did not sign the certificate
try:
cdir.genCaCert('otherca')
except s_exc.DupFileName:
pass
# OpenSSL should NOT be able to verify the certificate if its CA is not loaded
store.add_cert(cdir.getCaCert('otherca'))
self.raises(crypto.X509StoreContextError, ctx.verify_certificate) # unable to get local issuer certificate
# OpenSSL should be able to verify the certificate, once its CA is loaded
store.add_cert(cacert)
self.none(ctx.verify_certificate()) # valid