calculate
/
calculate-utils-3-core
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '42f2d230d7'
${ noResults }
calculate-utils-3-core/pym/core/client/cert_verify.py

313 lines
9.8 KiB
Raw Blame History

# -*- coding: utf-8 -*-
# Copyright 2012-2016 Mir Calculate. http://www.calculate-linux.org
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import sys
import os
import re
from calculate.core.datavars import DataVarsCore
from calculate.lib.utils.files import readFile
_ = lambda x: x
from calculate.lib.cl_lang import setLocalTranslate
setLocalTranslate('cl_core3', sys.modules[__name__])
class VerifyError(Exception):
def __init__(self, value):
self.value = value
def __str__(self):
return repr(self.value)
# check recall of server certificate
def verify(server_cert, crl_path, flag):
import OpenSSL
certobj = OpenSSL.crypto.load_certificate(OpenSSL.SSL.FILETYPE_PEM,
server_cert)
serverSerial = certobj.get_serial_number()
Issuer = certobj.get_issuer().get_components()
CN, L = None, None
for i in Issuer:
if i[0] == 'CN':
CN = i[1]
elif i[0] == 'L':
L = i[1]
if CN and len(CN) > 2:
crl_file = crl_path + CN
elif L:
try:
host = L.split(':')[0]
except Exception:
if not flag:
print(_('The CN and L fields in the CA certificate are '
'incorrect!'))
return 0
crl_file = crl_path + host
else:
if not flag:
print(_('The CN and L fields in the CA certificate are incorrect!'))
return 0
if not os.path.exists(crl_file):
if not flag:
print(_("This certificate cannot be verified in the CRL."))
return 0
with open(crl_file, 'r') as _crl_file:
crl = "".join(_crl_file.readlines())
if crl == '':
return 0
crl_object = OpenSSL.crypto.load_crl(OpenSSL.crypto.FILETYPE_PEM, crl)
revoked_objects = crl_object.get_revoked()
for rvk in revoked_objects:
if serverSerial == int(rvk.get_serial(), 16):
print(_("This certificate has been revoked!"))
print (_("Serial") + ': %s\n' % rvk.get_serial() +
_("Revoke date") + _(': %s') % rvk.get_rev_date())
raise VerifyError('CRL Exception')
return 0
def get_CRL(path_to_cert):
""" get new CRL (Certificate Revocation List) from all CA """
# local CRL
CRL_path = path_to_cert + 'ca/crl/'
if not os.path.exists(CRL_path):
if not os.path.exists(path_to_cert + '/ca'):
if not os.path.exists(path_to_cert):
try:
os.makedirs(path_to_cert)
except OSError:
print(_("Error creating directory %s") % path_to_cert)
sys.exit()
try:
os.makedirs(path_to_cert + '/ca')
except OSError:
print(_("Error creating directory %s") % (path_to_cert + '/ca'))
sys.exit()
os.makedirs(CRL_path)
clVars = DataVarsCore()
clVars.importCore()
clVars.flIniFile()
# user and system ca and root certificates
user_root_cert = clVars.Get('cl_user_root_cert')
homePath = clVars.Get('ur_home_path')
user_root_cert = user_root_cert.replace("~", homePath)
glob_root_cert = clVars.Get('cl_glob_root_cert')
if os.path.exists(user_root_cert):
user_ca_certs = readFile(user_root_cert)
else:
user_ca_certs = ''
if os.path.exists(glob_root_cert):
glob_ca_certs = readFile(glob_root_cert)
else:
glob_ca_certs = ''
# get certificates list fron text
p = re.compile('[-]+[\w ]+[-]+\n+[\w\n\+\\=/]+[-]+[\w ]+[-]+\n?')
user_ca_certs_list = p.findall(user_ca_certs)
glob_ca_certs_list = p.findall(glob_ca_certs)
# association in one list
all_ca_certs_list = user_ca_certs_list + glob_ca_certs_list
import OpenSSL
for ca in all_ca_certs_list:
certobj = OpenSSL.crypto.load_certificate(OpenSSL.SSL.FILETYPE_PEM, ca)
# get url from certificates
url = None
CN = None
Subject = certobj.get_subject().get_components()
subj = None
for subj in Subject:
if subj[0] == 'L':
url = "https://" + subj[1] + "/?wsdl"
if subj[0] == 'CN':
CN = subj[1]
if subj and url:
from calculate.core.client.client_class import Client_suds
from .client_class import HTTPSClientCertTransport
# connect to ca server (url get from certificates)
try:
client = Client_suds(url, transport=HTTPSClientCertTransport(
None, None, path_to_cert))
client.set_parameters(path_to_cert, None, None)
new_crl = client.service.get_crl()
if new_crl:
if CN and len(CN) > 2:
CRL_file = CRL_path + CN
else:
host = subj[1].split(':')[0]
CRL_file = CRL_path + host
if new_crl == ' ':
open(CRL_file, 'w').close()
# if os.path.exists(CRL_file):
# os.unlink(CRL_file)
continue
if os.path.exists(CRL_file):
if readFile(CRL_file) == new_crl:
continue
with open(CRL_file, 'w') as fd:
fd.write(new_crl)
print(_("CRL added"))
except VerifyError as e:
print(e.value)
# rm_ca_from_trusted(ca)
sys.exit()
except Exception:
pass
find_ca_in_crl(CRL_path, all_ca_certs_list)
def find_ca_in_crl(CRL_path, all_ca_certs_list):
import OpenSSL
for ca in all_ca_certs_list:
certobj = OpenSSL.crypto.load_certificate(OpenSSL.SSL.FILETYPE_PEM,
ca)
Issuer = certobj.get_issuer().get_components()
for item in Issuer:
if item[0] == 'CN':
CN = item[1]
break
else:
continue
server_serial = certobj.get_serial_number()
CRL = CRL_path + CN
if not os.path.exists(CRL):
continue
with open(CRL, 'r') as _crl_file:
crl = "".join(_crl_file.readlines())
try:
crl_object = OpenSSL.crypto.load_crl(OpenSSL.crypto.FILETYPE_PEM,
crl)
except OpenSSL.SSL.Error:
continue
revoked_objects = crl_object.get_revoked()
for rvk in revoked_objects:
if server_serial == int(rvk.get_serial(), 16):
rm_ca_from_trusted(ca)
def rm_ca_from_trusted(ca_cert):
clVars = DataVarsCore()
clVars.importCore()
clVars.flIniFile()
user_ca_dir = clVars.Get('cl_client_cert_dir')
homePath = clVars.Get('ur_home_path')
user_ca_dir = user_ca_dir.replace("~", homePath)
user_ca_dir = os.path.join(user_ca_dir, 'ca')
user_ca_list = os.path.join(user_ca_dir, 'cert_list')
user_ca_db = clVars.Get('cl_user_root_cert')
homePath = clVars.Get('ur_home_path')
user_ca_db = user_ca_db.replace("~", homePath)
system_ca_dir = clVars.Get('cl_core_cert_path')
system_ca_db = clVars.Get('cl_glob_root_cert')
import hashlib
md5 = hashlib.md5()
md5.update(ca_cert.encode("UTF-8"))
md5sum = md5.hexdigest()
# search ca certificate in user ca list
newfile = ''
with open(user_ca_list) as fd:
t = fd.read()
# See each line
for line in t.splitlines():
newfile = ''
# and each word in line
words = line.split()
if words[0] == md5sum:
filename = os.path.join(user_ca_dir, words[1])
if ca_cert == readFile(filename):
os.unlink(filename)
else:
newfile += (line + '\n')
else:
newfile += (line + '\n')
fd.close()
fn = open(user_ca_list, 'w')
fn.write(newfile)
fn.close()
p = re.compile('[-]+[\w ]+[-]+\n+[\w\n\+\\=/]+[-]+[\w ]+[-]+\n?')
# open, write and split user ca certificates
user_ca_certs = readFile(user_ca_db)
user_ca_certs_list = p.findall(user_ca_certs)
if ca_cert in user_ca_certs_list:
new_user_ca_certs = []
for cert in user_ca_certs_list:
if ca_cert != cert:
new_user_ca_certs.append(cert)
else:
print(_("CA certificate deleted from the user's trusted "
"certificates list"))
with open(user_ca_db, 'w') as fd:
for cert in new_user_ca_certs:
fd.write(cert)
if not os.path.exists(system_ca_db):
open(system_ca_db, 'w').close()
system_ca_certs = readFile(system_ca_db)
system_ca_certs_list = p.findall(system_ca_certs)
if ca_cert in system_ca_certs_list:
new_system_ca_certs = []
for cert in system_ca_certs_list:
if ca_cert != cert:
new_system_ca_certs.append(cert)
else:
print(_('CA certificate deleted from the system trusted '
'certificates list'))
fd = open(system_ca_db, 'w')
for cert in new_system_ca_certs:
fd.write(cert)
fd.close()
return 0
Reference in new issue View Git Blame Copy Permalink