LBRYFoundation/LBRY-Vault
1
0
Fork 0
mirror of https://github.com/LBRYFoundation/LBRY-Vault.git synced 2025-09-02 02:05:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

x509: use SKI and AKI to find parent certificate if it is missing

Browse source
This commit is contained in:
ThomasV 2015-04-17 12:30:52 +02:00
parent fbf56c9cfa
commit f82de35bd2
2 changed files with 65 additions and 57 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
lib/paymentrequest.py
View file

@ -44,7 +44,7 @@ REQUEST_HEADERS = {'Accept': 'application/bitcoin-paymentrequest', 'User-Agent':
ACK_HEADERS = {'Content-Type':'application/bitcoin-payment','Accept':'application/bitcoin-paymentack','User-Agent':'Electrum'} ACK_HEADERS = {'Content-Type':'application/bitcoin-payment','Accept':'application/bitcoin-paymentack','User-Agent':'Electrum'}
ca_path = requests.certs.where() ca_path = requests.certs.where()
ca_list = x509.load_certificates(ca_path) ca_list, ca_keyID = x509.load_certificates(ca_path)
# status of payment requests # status of payment requests
@ -142,15 +142,17 @@ class PaymentRequest:
return False return False
# if the root CA is not supplied, add it to the chain # if the root CA is not supplied, add it to the chain
ca = x509_chain[cert_num-1] ca = x509_chain[cert_num-1]
if ca.get_common_name() not in ca_list: if ca.getFingerprint() not in ca_list:
x = ca_list.get(ca.get_issuer()) keyID = ca.get_issuer_keyID()
if x: f = ca_keyID.get(keyID)
x509_chain.append(x) if f:
root = ca_list[f]
x509_chain.append(root)
else: else:
self.error = "Supplied CA Not Found in Trusted CA Store." self.error = "Supplied CA Not Found in Trusted CA Store."
return False return False
# verify the chain of signatures # verify the chain of signatures
cert_num = len(cert.certificate) cert_num = len(x509_chain)
for i in range(1, cert_num): for i in range(1, cert_num):
x = x509_chain[i] x = x509_chain[i]
prev_x = x509_chain[i-1] prev_x = x509_chain[i-1]

82
lib/x509.py
View file

@ -50,9 +50,6 @@ PREFIX_RSA_SHA512 = bytearray([0x30,0x51,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01
class CertificateError(Exception): class CertificateError(Exception):
pass pass
def decode_str(data):
encoding = 'utf-16-be' if isinstance(data, BMPString) else 'utf-8'
return bytes(data).decode(encoding)
def decode_OID(s): def decode_OID(s):
s = map(ord, s) s = map(ord, s)
@ -69,27 +66,22 @@ def decode_OID(s):
return '.'.join(map(str,r)) return '.'.join(map(str,r))
def asn1_get_children(der, i):
class X509(tlslite.X509):
"""Child class of tlslite.X509 that uses pyasn1 to parse cert
information. Note: pyasn1 is a lot slower than tlslite, so we
should try to do everything in tlslite.
"""
def get_children(self, der, i):
nodes = [] nodes = []
ii = asn1_node_first_child(der,i) ii = asn1_node_first_child(der,i)
while True:
nodes.append(ii) nodes.append(ii)
while ii[2]<i[2]:
ii = asn1_node_next(der,ii) ii = asn1_node_next(der,ii)
if ii[0] > i[2]: nodes.append(ii)
break
return nodes return nodes
def get_dict(self, der, i): def asn1_get_sequence(s):
return map(lambda j: asn1_get_value(s, j), asn1_get_children(s, asn1_node_root(s)))
def asn1_get_dict(der, i):
p = {} p = {}
for ii in self.get_children(der, i): for ii in asn1_get_children(der, i):
for iii in self.get_children(der, ii): for iii in asn1_get_children(der, ii):
iiii = asn1_node_first_child(der, iii) iiii = asn1_node_first_child(der, iii)
oid = decode_OID(asn1_get_value_of_type(der, iiii, 'OBJECT IDENTIFIER')) oid = decode_OID(asn1_get_value_of_type(der, iiii, 'OBJECT IDENTIFIER'))
iiii = asn1_node_next(der, iiii) iiii = asn1_node_next(der, iiii)
@ -97,6 +89,9 @@ class X509(tlslite.X509):
p[oid] = value p[oid] = value
return p return p
class X509(tlslite.X509):
def parseBinary(self, b): def parseBinary(self, b):
# call tlslite method first # call tlslite method first
@ -123,7 +118,7 @@ class X509(tlslite.X509):
# issuer # issuer
issuer = asn1_node_next(der, sig_algo) issuer = asn1_node_next(der, sig_algo)
self.issuer = self.get_dict(der, issuer) self.issuer = asn1_get_dict(der, issuer)
# validity # validity
validity = asn1_node_next(der, issuer) validity = asn1_node_next(der, issuer)
@ -134,24 +129,29 @@ class X509(tlslite.X509):
# subject # subject
subject = asn1_node_next(der, validity) subject = asn1_node_next(der, validity)
self.subject = self.get_dict(der, subject) self.subject = asn1_get_dict(der, subject)
subject_pki = asn1_node_next(der, subject) subject_pki = asn1_node_next(der, subject)
# optional fields: issuer_uid, subject_uid, extensions # extensions
i = subject_pki
self.CA = False self.CA = False
while True: self.AKI = None
self.SKI = None
i = subject_pki
while i[2] < cert[2]:
i = asn1_node_next(der, i) i = asn1_node_next(der, i)
if i[0] > cert[2]: d = asn1_get_dict(der, i)
break for oid, value in d.items():
for ii in self.get_children(der, i): if oid == '2.5.29.19':
for iii in self.get_children(der, ii): # Basic Constraints
iiii = asn1_node_first_child(der, iii) self.CA = bool(value)
oid = decode_OID(asn1_get_value_of_type(der, iiii, 'OBJECT IDENTIFIER')) elif oid == '2.5.29.14':
iiii = asn1_node_next(der, iiii) # Subject Key Identifier
value = asn1_get_value(der, iiii) r = asn1_node_root(value)
if oid == '2.5.29.19': # basic constraints value = asn1_get_value_of_type(value, r, 'OCTET STRING')
self.CA = value self.SKI = value.encode('hex')
elif oid == '2.5.29.35':
# Authority Key Identifier
self.AKI = asn1_get_sequence(value)[0].encode('hex')
else: else:
pass pass
@ -162,13 +162,16 @@ class X509(tlslite.X509):
cert_sig = asn1_node_next(der, cert_sig_algo) cert_sig = asn1_node_next(der, cert_sig_algo)
self.signature = asn1_get_value(der, cert_sig)[1:] self.signature = asn1_get_value(der, cert_sig)[1:]
def get_keyID(self):
# http://security.stackexchange.com/questions/72077/validating-an-ssl-certificate-chain-according-to-rfc-5280-am-i-understanding-th
return self.SKI if self.SKI else repr(self.subject)
def get_issuer_keyID(self):
return self.AKI if self.AKI else repr(self.issuer)
def get_common_name(self): def get_common_name(self):
return self.subject.get('2.5.4.3', 'unknown') return self.subject.get('2.5.4.3', 'unknown')
def get_issuer(self):
return self.issuer.get('2.5.4.3', 'unknown')
def get_signature(self): def get_signature(self):
return self.cert_sig_algo, self.signature, self.data return self.cert_sig_algo, self.signature, self.data
@ -198,6 +201,7 @@ class X509CertChain(tlslite.X509CertChain):
@profiler @profiler
def load_certificates(ca_path): def load_certificates(ca_path):
ca_list = {} ca_list = {}
ca_keyID = {}
with open(ca_path, 'r') as f: with open(ca_path, 'r') as f:
s = f.read() s = f.read()
bList = tlslite.utils.pem.dePemList(s, "CERTIFICATE") bList = tlslite.utils.pem.dePemList(s, "CERTIFICATE")
@ -206,10 +210,12 @@ def load_certificates(ca_path):
try: try:
x.parseBinary(b) x.parseBinary(b)
x.check_date() x.check_date()
except Exception as e: except BaseException as e:
util.print_error("cert error:", e) util.print_error("cert error:", e)
continue continue
ca_list[x.get_common_name()] = x
fp = x.getFingerprint()
ca_list[fp] = x
ca_keyID[x.get_keyID()] = fp
return ca_list return ca_list, ca_keyID