I've got a bunch of SSL certificates in files on the local disk of a server, and want to find the right certificate for a given domain name. Recent versions of Python provide the ssl.match_hostname() function which in principle is all that's needed. However, it expects the certificate in a decoded Python dictionary format as returned by ssl.SSLSocket.getpeercert(), and I can't find a way to parse a certificate from a local file into that format. The underlying C function that performs the parsing does not seem to be exposed directly.
So how can I find the matching SSL certificate for a given hostname? This does not seem like a completely exotic thing to do.
What I would like to avoid is to parse the subject field and the subjectAltName extension of the x509 certificate and implement the hostname matching code myself, since there is a certain complexity involved. (The relevant code in the Python standard library for the domain name matching part alone goes on for more than hundred lines.)
Related
I'm using Webdav to synchronize files into my Owncloud. All working very fine.
But I need get MD5 from files in my result list. And i'm not having success in do this, and I not found nothing on owncloud's documentation. There are a way to receive the md5 file that's stored on owncloud?
I imagine it is some setting in ownCloud, or the header of the request should be made. But really I did not find anything on how to achieve this.
This is a method to get the hash. (I'm not sure this is the most correct way).
\OC\Files\Filesystem::hash('md5',$path_to_file);
(ex. 8aed7f13a298b27cd2f9dba91eb0698a)
I already tried to utilize openssl ciphers, but the format is different and I have to match them with a given set of ciphers. I also tried to translate the OpenSSL cipher suite format into the one I need, but that's a mess.
Hence, I'm searching for a way to retreive an up-to-date TLS cipher suite list with python in the appropriate format. Maybe there's even some Web-Interface?
Here are some examples:
The Format I need OpenSSL Format
--------------------------------- ---------------------
SSL_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE-RSA-DES-CBC3-SHA
TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA
I do have a private RSAKey (in XML format) that was generated by a .NET class. Those keys, are regularly used to sign parts of a URL. I am trying to sign these URLs with the existing keys via Python, because I am working now in a Linux based environment. The structure of the RSAKey looks like so:
RSAKeyValue,Modulus,Exponent,P,Q,DP,InverseQ,D represented in XML format.
Using C#, I simply instantiate a RSACryptoServiceProvider object and call SignData(bytes, new SHA1CryptoServiceProvider()), and I am done.
I have tried for several days now to replicate this process using Python in a Linux environment without any luck. I extracted modulus, and exponent, base64 decoded, and created byte arrays from them. I also changed the byte order. I was under the assumption that I could use M2Crypto and call RSA.new_pub_key((e,n)) and use that key to sign but no matter what I do I either can't create a proper key, or the signing process doesn't work.
My questions are:
-Is it possible to use an RSAKey in XML format that was generated via .NET, and sign data via Python (M2Crypto or any other lib will do) with the exact same result as in .NET ?
If so, what are the exact steps to do so?
My apologies for the long question. Thanks for any help.
I am trying to use M2Crypto to extract the signing certificates from a Windows PE file. According to the MS specification the data is stored in a PKCS#7 SignedData structure (stored in ASN.1 format, not the base64). I can't seem to get the binary format to load since it is not in PEM.
Pardon my ignorance with the crypto suites involved here, but if someone can show me the basics of how to get the signing certs out of a SignedData block I'd be most thankful!
If it helps, i found another solution for my problem but it is in C... how to Read the certificates file from the PKCS7.p7b certificate file usind openssl? If i could convert that to m2crpyto i'd be set.
I think there's more to this than just reading the certificate in PKCS7, unless you know absolutely what the offset & struct are.
You might want to take a look at either:
http://msdn.microsoft.com/en-us/library/aa380395(v=VS.85).aspx for the extraction process
Or possibly
http://msdn.microsoft.com/en-us/library/system.reflection.assemblyname.getpublickey%28VS.80%29.aspx
Additionally, it looks like Microsoft signs with a 'PFX' formatted file (I'd never heard of it before..)
But, I was able to find instructions on converting PFX back to a PEM, which should be a cakewalk to extract.
http://support.citrix.com/article/CTX106028
I'm using Python (under Google App Engine), and I have some RSA private keys that I need to export in PKCS#12 format. Is there anything out there that will assist me with this? I'm using PyCrypto/KeyCzar, and I've figured out how to import/export RSA keys in PKCS8 format, but I really need it in PKCS12.
Can anybody point me in the right direction? If it helps, the reason I need them in PKCS12 format is so that I can import them on the iPhone, which seems to only allow key-import in that format.
If you can handle some ASN.1 generation, you can relatively easily convert a PKCS#8-file into a PKCS#12-file. A PKCS#12-file is basically a wrapper around a PKCS#8 and a certificate, so to make a PKCS#12-file, you just have to add some additional data around your PKCS#8-file and your certificate.
Usually a PKCS#12-file will contain the certificate(s) in an encrypted structure, but all compliant parsers should be able to read it from an unencrypted structure. Also, PKCS#12-files will usually contain a MacData-structure for integrity-check, but this is optional and a compliant parser should work fine without it.
The standard tool for the job is typically OpenSSL.
See the openssl pkcs12 command.
This mailing list posting tends to suggest that PKCS12 is not planned for a future feature of that package, and is not currently implemented.
http://lists.dlitz.net/pipermail/pycrypto/2009q2/000104.html