"""Certbot client crypto utility functions.
.. todo:: Make the transition to use PSS rather than PKCS1_v1_5 when the server is capable of handling the signatures.
"""
# https://github.com/python/typeshed/tree/master/third_party/2/cryptography
# High level functions """Initializes and saves a privkey.
Inits key and saves it in PEM format on the filesystem.
.. note:: keyname is the attempted filename; it may be different if a file already exists at the path.
:param int key_size: RSA key size in bits :param str key_dir: Key save directory. :param str keyname: Filename of key
:returns: Key :rtype: :class:`certbot.util.Key`
:raises ValueError: If unable to generate the key given key_size.
"""
# Save file config.strict_permissions) os.path.join(key_dir, keyname), 0o600, "wb")
"""Initialize a CSR with the given private key.
:param privkey: Key to include in the CSR :type privkey: :class:`certbot.util.Key`
:param set names: `str` names to include in the CSR
:param str path: Certificate save directory.
:returns: CSR :rtype: :class:`certbot.util.CSR`
"""
privkey.pem, names, must_staple=config.must_staple)
# Save CSR config.strict_permissions) os.path.join(path, "csr-certbot.pem"), 0o644, "wb")
# WARNING: the CSR and private key files are possible TOCTOU attack vectors. # We should either... # A. Do more checks to verify that the CSR is trusted/valid # B. Audit the parsing code for vulnerabilities
"""Validate CSR.
Check if `csr` is a valid CSR for the given domains.
:param str csr: CSR in PEM.
:returns: Validity of CSR. :rtype: bool
""" crypto.FILETYPE_PEM, csr)
"""Does the private key correspond to the subject public key in the CSR?
:param str csr: CSR in PEM. :param str privkey: Private key file contents (PEM)
:returns: Correspondence of private key to CSR subject public key. :rtype: bool
""" crypto.FILETYPE_PEM, csr)
"""Import a CSR file, which can be either PEM or DER.
:param str csrfile: CSR filename :param str data: contents of the CSR file
:returns: (`crypto.FILETYPE_PEM`, util.CSR object representing the CSR, list of domains requested in the CSR) :rtype: tuple
""" # Try to parse as DER first, then fall back to PEM.
# Internally we always use PEM, so re-encode as PEM before returning.
"""Generate PEM encoded RSA key.
:param int bits: Number of bits, at least 1024.
:returns: new RSA key in PEM form with specified number of bits :rtype: str
"""
"""Is this a valid RSA private key?
:param str privkey: Private key file contents in PEM
:returns: Validity of private key. :rtype: bool
""" crypto.FILETYPE_PEM, privkey).check()
"""For checking that your certs were not corrupted on disk.
Several things are checked: 1. The cert's signature verifies. 2. fullchain matches cert and chain when concatenated. 3. The private key matches the certificate.
:param `.storage.RenewableCert` renewable_cert: cert to verify
:raises errors.Error: If verification fails. """
""" Verifies the signature of a `.storage.RenewableCert` object.
:param `.storage.RenewableCert` renewable_cert: cert to verify
:raises errors.Error: If signature verification fails. """ # https://github.com/python/typeshed/blob/master/third_party/2/cryptography/hazmat/primitives/asymmetric/rsa.pyi cert.signature, PKCS1v15(), cert.signature_hash_algorithm ) cert.signature, ECDSA(cert.signature_hash_algorithm) ) else: raise errors.Error("Unsupported public key type") Details: {1}".format(renewable_cert.cert, e)
""" Verifies that the private key and cert match.
:param str cert_path: path to a cert in PEM format :param str key_path: path to a private key file
:raises errors.Error: If they don't match. """ private key located at {1} has failed. \ Details: {2}".format(cert_path, key_path, e)
""" Verifies that fullchain is indeed cert concatenated with chain.
:param `.storage.RenewableCert` renewable_cert: cert to verify
:raises errors.Error: If cert and chain do not combine to fullchain. """
"""Load PEM/DER certificate.
:raises errors.Error:
"""
str(error) for error in openssl_errors)))
typ=crypto.FILETYPE_PEM):
typ=crypto.FILETYPE_PEM): # pylint: disable=protected-access cert_or_req_str, load_func, typ))
"""Get a list of Subject Alternative Names from a certificate.
:param str cert: Certificate (encoded). :param typ: `crypto.FILETYPE_PEM` or `crypto.FILETYPE_ASN1`
:returns: A list of Subject Alternative Names. :rtype: list
""" cert, crypto.load_certificate, typ)
# pylint: disable=protected-access
"""Get a list of domains from a cert, including the CN if it is set.
:param str cert: Certificate (encoded). :param typ: `crypto.FILETYPE_PEM` or `crypto.FILETYPE_ASN1`
:returns: A list of domain names. :rtype: list
""" csr, crypto.load_certificate, typ)
"""Dump certificate chain into a bundle.
:param list chain: List of `crypto.X509` (or wrapped in :class:`josepy.util.ComparableX509`).
""" # XXX: returns empty string when no chain is available, which # shuts up RenewableCert, but might not be the best solution... return acme_crypto_util.dump_pyopenssl_chain(chain, filetype)
"""When does the cert at cert_path start being valid?
:param str cert_path: path to a cert in PEM format
:returns: the notBefore value from the cert at cert_path :rtype: :class:`datetime.datetime`
"""
"""When does the cert at cert_path stop being valid?
:param str cert_path: path to a cert in PEM format
:returns: the notAfter value from the cert at cert_path :rtype: :class:`datetime.datetime`
"""
"""Internal helper function for finding notbefore/notafter.
:param str cert_path: path to a cert in PEM format :param function method: one of ``crypto.X509.get_notBefore`` or ``crypto.X509.get_notAfter``
:returns: the notBefore or notAfter value from the cert at cert_path :rtype: :class:`datetime.datetime`
""" # pylint: disable=redefined-outer-name f.read()) # pyopenssl always returns bytes timestamp[6:8], b"T", timestamp[8:10], b":", timestamp[10:12], b":", timestamp[12:]] # pyrfc3339 uses "native" strings. That is, bytes on Python 2 and unicode # on Python 3
"""Compute a sha256sum of a file.
NB: In the given file, platform-specific newline characters will be converted into their equivalent unicode counterparts before calculating the hash.
:param str filename: path to the file whose hash will be computed
:returns: sha256 digest of the file in hexadecimal :rtype: str """
"""Split fullchain_pem into cert_pem and chain_pem.
:param str fullchain_pem: concatenated cert + chain
:returns: tuple of string cert_pem and chain_pem :rtype: tuple
""" crypto.load_certificate(crypto.FILETYPE_PEM, fullchain_pem)).decode() |