trust platform ++
import re | |
from OpenSSL.crypto import X509StoreContext | |
from OpenSSL.SSL import Context | |
from OpenSSL.SSL import TLSv1_METHOD | |
from OpenSSL.crypto import X509StoreContextError | |
from twisted.internet.ssl import Certificate | |
from twisted.internet._sslverify import OpenSSLCertificateAuthorities | |
from twisted.python.filepath import FilePath | |
# Matches one PEM certificate block, from its BEGIN line through its END
# line plus the trailing newline.  DOTALL lets the lazy ``.+?`` span the
# base64 body across lines; the optional ``\r`` tolerate CRLF bundles.
# Anything that is not a CERTIFICATE block (keys, s_client chatter) is
# ignored, which is what makes this safe to run on raw s_client output.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?.+?\r?-----END CERTIFICATE-----\r?\n?",
    re.DOTALL,
)
def certsFromBundle(path):
    """Parse every PEM certificate found in the file at *path*.

    Only ``BEGIN/END CERTIFICATE`` blocks are extracted, so the file may
    contain other material (e.g. ``openssl s_client -showcerts`` output
    or certifi's commented ``cacert.pem``).

    Args:
        path: filesystem path of the PEM bundle.

    Returns:
        list: ``OpenSSL.crypto.X509`` objects in file order (the
        ``.original`` of each Twisted ``Certificate``).
    """
    bundle = FilePath(path).getContent()
    return [
        Certificate.loadPEM(block.group(0)).original
        for block in _PEM_RE.finditer(bundle)
    ]
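# Captured with:
#   openssl s_client -showcerts -connect eff.org:443 > EFFchain.pem
# The code relies on s_client printing the server's own (leaf) certificate
# first, followed by whatever chain the server sent.  Loaded at import
# time, so a missing or empty bundle fails here rather than later.
_knownchain = certsFromBundle('EFFchain.pem')
if not _knownchain:
    raise ValueError("EFFchain.pem contains no PEM certificates")
_knowncert = _knownchain[0]
# Only genuine intermediates go here.  Servers sometimes send their root
# as well; a self-signed certificate handed to store.add_cert() would
# become a trust anchor, letting the platform/certifi checks below pass
# regardless of what the store actually trusts.  Subject == issuer is the
# usual self-signed test (X509Name supports ==/!= in pyOpenSSL).
_knowninterm = [
    _c for _c in _knownchain[1:]
    if _c.get_subject() != _c.get_issuer()
]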
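def _verify_test_cert(store, cert):
    """Return True if *cert* chains to a trust anchor in *store*, else False.

    Args:
        store: an ``OpenSSL.crypto.X509Store`` holding the trusted
            certificates (and, as used in this file, the intermediates).
        cert: the ``OpenSSL.crypto.X509`` leaf certificate to check.

    Returns:
        bool: verification result.  Any ``X509StoreContextError`` (unknown
        issuer, expired, bad signature, ...) is mapped to False.
    """
    store_ctx = X509StoreContext(store, cert)
    try:
        # verify_certificate() returns None on success and raises on
        # failure.  It must be a plain statement: the original wrapped it
        # in ``assert``, which ``python -O`` strips entirely, so under -O
        # the check silently passed without verifying anything.
        store_ctx.verify_certificate()
    except X509StoreContextError:
        return False
    return True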
def _add_intermediate_certs(store, intermediates):
    """Add every certificate in *intermediates* to *store* via ``add_cert``.

    Note that ``X509Store.add_cert`` adds certificates as trusted entries
    (per pyOpenSSL's documentation), not as an untrusted chain; callers
    should only pass real intermediates here.

    Args:
        store: an ``OpenSSL.crypto.X509Store``.
        intermediates: iterable of ``OpenSSL.crypto.X509``; an empty
            iterable is a no-op.

    Returns:
        None.
    """
    add = store.add_cert
    for intermediate in intermediates:
        add(intermediate)
def hasUsablePlatformTrust():
    """Return True if OpenSSL's default trust store validates the known chain.

    A context is created only to reach its certificate store; no
    connection is made, so the TLS method is irrelevant here.
    ``set_default_verify_paths()`` loads whatever CA file/directory this
    OpenSSL build is configured with (commonly overridable through
    ``SSL_CERT_FILE`` / ``SSL_CERT_DIR``), so "platform trust" means
    whatever that resolves to on this host.

    NOTE(review): the captured intermediates are added with ``add_cert``,
    i.e. as trusted entries rather than as an untrusted chain.  The check
    therefore only tells you the platform store holds the chain's root,
    provided ``_knowninterm`` really contains no self-signed certificate.

    Returns:
        bool
    """
    platform_ctx = Context(TLSv1_METHOD)
    platform_ctx.set_default_verify_paths()
    trust_store = platform_ctx.get_cert_store()
    for intermediate in _knowninterm:
        trust_store.add_cert(intermediate)
    return _verify_test_cert(trust_store, _knowncert)
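def verifyWithBundleTrust():
    """Print whether the certifi CA bundle alone validates the known chain.

    Builds a fresh context whose only trust anchors are the certificates
    from ``certifi.where()`` (default platform paths are deliberately NOT
    loaded), adds the captured intermediates, and prints
    ``GOOD (CERTIFI)`` on success or ``BAD`` on failure.

    Raises:
        ImportError: if ``certifi`` is not installed.
    """
    import certifi
    cacerts = certsFromBundle(certifi.where())
    ctx = Context(TLSv1_METHOD)
    # These two lines are what give the bare context its trust anchors;
    # without them the verification below is expected to fail.
    # NOTE(review): _addCACertsToContext is a private Twisted API and may
    # change without notice; there is no public equivalent for feeding an
    # explicit CA list into a bare pyOpenSSL Context from here.
    authorities = OpenSSLCertificateAuthorities(cacerts)
    authorities._addCACertsToContext(ctx)
    store = ctx.get_cert_store()
    _add_intermediate_certs(store, _knowninterm)
    # Single-argument print() prints identically under Python 2 and 3;
    # the original used the Python-2-only statement form.
    if _verify_test_cert(store, _knowncert):
        print("GOOD (CERTIFI)")
    else:
        print("BAD")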
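# Script body: report on platform trust, then on the certifi bundle.
# Left unguarded (no __main__ check) so importing the module still runs
# the checks exactly as before.  Single-argument print() is identical on
# Python 2 and 3; the original used the Python-2-only statement form.
if hasUsablePlatformTrust():
    print("OK")
else:
    print("BAD")
verifyWithBundleTrust()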