trust platform ++
import re
from OpenSSL.crypto import X509StoreContext
from OpenSSL.SSL import Context
from OpenSSL.SSL import TLSv1_METHOD
from OpenSSL.crypto import X509StoreContextError
from twisted.internet.ssl import Certificate
from twisted.internet._sslverify import OpenSSLCertificateAuthorities
from twisted.python.filepath import FilePath
# One PEM-armoured certificate, delimiters included.  DOTALL lets ``.+?`` run
# across the line breaks of the base64 body; the optional ``\r`` / ``\n`` keep
# CRLF bundles matching.  Only CERTIFICATE blocks are captured, so keys or other
# PEM objects sitting in the same bundle are skipped.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?.+?\r?-----END CERTIFICATE-----\r?\n?",
    re.DOTALL,
)
def certsFromBundle(path):
    """Load every PEM-armoured certificate found in the file at *path*.

    Returns the underlying pyOpenSSL objects (the ``.original`` of each
    twisted ``Certificate``) in file order.  Everything ``_PEM_RE`` finds is
    returned; nothing here decides whether those certificates deserve trust,
    that is up to the caller that puts them into a store.
    """
    bundle = FilePath(path).getContent()
    pem_blocks = (found.group(0) for found in _PEM_RE.finditer(bundle))
    return [Certificate.loadPEM(block).original for block in pem_blocks]
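# Fixture: the chain eff.org presented when this was captured, leaf first.
# openssl s_client -showcerts -connect eff.org:443 > EFFchain.pem
# NOTE: chain verification also checks validity dates, so this file must be
# refreshed before the captured leaf expires or the checks below will report a
# broken trust store when the store is actually fine.
_knownchain = certsFromBundle('EFFchain.pem')
if not _knownchain:
    # Fail with a clear message instead of an IndexError on the next line.
    raise ValueError("EFFchain.pem contains no PEM certificates")
_knowncert = _knownchain[0]      # leaf certificate under test
_knowninterm = _knownchain[1:]   # intermediates the server sent along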
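def _verify_test_cert(store, cert):
    """Return True if *cert* chains to a trust anchor in *store*, else False.

    Only chain building/verification happens here: no hostname is checked
    anywhere in this helper, so a True result says the store holds a usable
    anchor for the chain, not that *cert* is valid for any particular host.
    """
    store_ctx = X509StoreContext(store, cert)
    try:
        # verify_certificate() signals failure by raising; the original
        # ``assert ... is None`` added nothing and would vanish under -O.
        store_ctx.verify_certificate()
    except X509StoreContextError:
        return False
    return True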
def _add_intermediate_certs(store, intermediates):
    """Add each certificate in *intermediates* to *store* via ``add_cert``.

    NOTE(review): X509Store.add_cert adds *trusted* certificates, not
    untrusted chain material; the check still relies on OpenSSL's default
    requirement that the chain end at a self-signed root -- confirm.
    """
    add = store.add_cert
    for intermediate in intermediates:
        add(intermediate)
def hasUsablePlatformTrust():
    """Return True if the platform's default CA paths can verify the known chain.

    The Context is only a vehicle for ``set_default_verify_paths()`` and
    ``get_cert_store()``; no connection is made.  The captured intermediates
    are added first, so that only the root anchor has to come from the
    platform store.  A False result means the default paths (as this OpenSSL
    build resolves them) do not contain an anchor for the chain.
    """
    context = Context(TLSv1_METHOD)
    context.set_default_verify_paths()
    cert_store = context.get_cert_store()
    _add_intermediate_certs(cert_store, _knowninterm)
    result = _verify_test_cert(cert_store, _knowncert)
    return result
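def verifyWithBundleTrust():
    """Check the known chain against certifi's bundle instead of the platform store.

    Prints "GOOD (CERTIFI)" or "BAD" and also returns the verification result
    so callers can branch on it without parsing output.
    """
    import certifi

    cacerts = certsFromBundle(certifi.where())
    ctx = Context(TLSv1_METHOD)
    # TODO(test): confirm this fails without the next two lines -- a fresh
    # Context should have no trust anchors until they are added.
    # _addCACertsToContext is a private twisted API (underscore-prefixed
    # import above) and may change without notice.
    authorities = OpenSSLCertificateAuthorities(cacerts)
    authorities._addCACertsToContext(ctx)
    store = ctx.get_cert_store()
    _add_intermediate_certs(store, _knowninterm)
    ok = _verify_test_cert(store, _knowncert)
    # print() with a single argument behaves the same on Python 2 and 3.
    if ok:
        print("GOOD (CERTIFI)")
    else:
        print("BAD")
    return ok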
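# Script entry: report on the platform store first, then on certifi's bundle.
# print() with a single argument behaves the same on Python 2 and 3.
if hasUsablePlatformTrust():
    print("OK")
else:
    print("BAD")
verifyWithBundleTrust()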