1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
|
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from __future__ import absolute_import, division, print_function
import datetime
from cryptography import utils, x509
from cryptography.hazmat.primitives import hashes
@utils.register_interface(x509.Certificate)
class _Certificate(object):
def __init__(self, backend, x509):
self._backend = backend
self._x509 = x509
def fingerprint(self, algorithm):
h = hashes.Hash(algorithm, self._backend)
bio = self._backend._create_mem_bio()
res = self._backend._lib.i2d_X509_bio(
bio, self._x509
)
assert res == 1
der = self._backend._read_mem_bio(bio)
h.update(der)
return h.finalize()
@property
def version(self):
version = self._backend._lib.X509_get_version(self._x509)
if version == 0:
return x509.Version.v1
elif version == 2:
return x509.Version.v3
else:
raise x509.InvalidVersion(
"{0} is not a valid X509 version".format(version), version
)
@property
def serial(self):
asn1_int = self._backend._lib.X509_get_serialNumber(self._x509)
assert asn1_int != self._backend._ffi.NULL
bn = self._backend._lib.ASN1_INTEGER_to_BN(
asn1_int, self._backend._ffi.NULL
)
assert bn != self._backend._ffi.NULL
bn = self._backend._ffi.gc(bn, self._backend._lib.BN_free)
return self._backend._bn_to_int(bn)
def public_key(self):
pkey = self._backend._lib.X509_get_pubkey(self._x509)
assert pkey != self._backend._ffi.NULL
pkey = self._backend._ffi.gc(pkey, self._backend._lib.EVP_PKEY_free)
# The following check is to find ECDSA certificates with unnamed
# curves and raise an error for now.
if (
self._backend._lib.Cryptography_HAS_EC == 1 and
pkey.type == self._backend._lib.EVP_PKEY_EC
):
ec_cdata = self._backend._lib.EVP_PKEY_get1_EC_KEY(pkey)
assert ec_cdata != self._backend._ffi.NULL
ec_cdata = self._backend._ffi.gc(
ec_cdata, self._backend._lib.EC_KEY_free
)
group = self._backend._lib.EC_KEY_get0_group(ec_cdata)
assert group != self._backend._ffi.NULL
nid = self._backend._lib.EC_GROUP_get_curve_name(group)
if nid == self._backend._lib.NID_undef:
raise NotImplementedError(
"ECDSA certificates with unnamed curves are unsupported "
"at this time"
)
return self._backend._evp_pkey_to_public_key(pkey)
@property
def not_valid_before(self):
asn1_time = self._backend._lib.X509_get_notBefore(self._x509)
return self._parse_asn1_time(asn1_time)
@property
def not_valid_after(self):
asn1_time = self._backend._lib.X509_get_notAfter(self._x509)
return self._parse_asn1_time(asn1_time)
def _parse_asn1_time(self, asn1_time):
assert asn1_time != self._backend._ffi.NULL
generalized_time = self._backend._lib.ASN1_TIME_to_generalizedtime(
asn1_time, self._backend._ffi.NULL
)
assert generalized_time != self._backend._ffi.NULL
generalized_time = self._backend._ffi.gc(
generalized_time, self._backend._lib.ASN1_GENERALIZEDTIME_free
)
time = self._backend._ffi.string(
self._backend._lib.ASN1_STRING_data(
self._backend._ffi.cast("ASN1_STRING *", generalized_time)
)
).decode("ascii")
return datetime.datetime.strptime(time, "%Y%m%d%H%M%SZ")
|