@korylprince
Last active January 7, 2022 09:04
# usage: python3 verify.py /path/to/request
import base64, plistlib, tempfile, os, subprocess, re, sys
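def _write(directory, name, data):
    """Write *data* (bytes) to *name* inside *directory* and return the path."""
    path = os.path.join(directory, name)
    with open(path, "wb") as out:
        out.write(data)
    return path


request = sys.argv[1]

# Decode the request: a base64-encoded plist carrying the certificate chain,
# the CSR and the signature over the CSR.
with open(request) as f:
    plist = plistlib.loads(base64.b64decode(f.read()))

# Split the PEM bundle into individual certificates. The script treats them
# positionally: [0] signing certificate, [1] intermediate, [2] root.
certs = re.findall(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----",
    plist["PushCertCertificateChain"],
    re.S,
)
if len(certs) < 3:
    sys.exit(
        f"expected 3 certificates in PushCertCertificateChain, found {len(certs)}"
    )

# Everything lives in one private temporary directory that is removed on exit,
# including when a step below raises. This replaces the separate
# delete=False temp files (and the leaked mkstemp descriptor) that were only
# cleaned up if the script reached its last line.
with tempfile.TemporaryDirectory() as workdir:
    cert = _write(workdir, "cert.pem", certs[0].encode("utf-8"))
    intermediate = _write(workdir, "intermediate.pem", certs[1].encode("utf-8"))
    root = _write(workdir, "root.pem", certs[2].encode("utf-8"))
    csr = _write(workdir, "request.csr", base64.b64decode(plist["PushCertRequestCSR"]))
    sig = _write(workdir, "request.sig", base64.b64decode(plist["PushCertSignature"]))
    pub = os.path.join(workdir, "pub.pem")

    # Print the signing certificate's subject and validity window.
    # Commands are passed as argument lists (no shell), so file names are
    # never re-parsed by a shell.
    cert_info = subprocess.check_output(
        ["openssl", "x509", "-in", cert, "-noout", "-text"]
    ).decode("utf-8")
    subject = re.search("Subject.*$", cert_info, re.M).group()
    before = re.search("Not Before.*$", cert_info, re.M).group()
    after = re.search("Not After.*$", cert_info, re.M).group()
    print("\n".join([subject, before, after]))

    # Extract the signing certificate's public key for the signature check.
    # check=True: a failure here would otherwise surface later as a
    # misleading signature error.
    with open(pub, "wb") as out:
        subprocess.run(
            ["openssl", "x509", "-pubkey", "-noout", "-in", cert],
            stdout=out,
            check=True,
        )

    # NOTE: the root passed to -CAfile comes from the request being checked.
    # An "OK" below therefore shows only that the three certificates chain to
    # each other, not that the chain ends at a root you trust. Compare the
    # fingerprint printed here with an independently obtained copy of the
    # expected root before relying on the result.
    print("Root: ", end="", flush=True)
    subprocess.run(["openssl", "x509", "-in", root, "-noout", "-fingerprint", "-sha256"])

    # Verify the certificate chain; openssl prints the verdict itself.
    print("Certificate Chain: ", end="", flush=True)
    chain = subprocess.run(
        ["openssl", "verify", "-CAfile", root, "-untrusted", intermediate, cert]
    )

    # Verify the signature over the CSR with the signing certificate's key.
    print("Signature: ", end="", flush=True)
    signature = subprocess.run(
        ["openssl", "sha256", "-verify", pub, "-signature", sig, csr]
    )

    # Derived from openssl's return codes; the printed verdicts above remain
    # the primary indicator (NOTE(review): confirm the installed openssl
    # returns non-zero on a failed `verify`).
    verified = chain.returncode == 0 and signature.returncode == 0

# Exit non-zero when either check failed so callers can act on the result
# instead of having to parse the output.
sys.exit(0 if verified else 1)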