From 073015b24a9f813072b8f7c0bae4a15317009193 Mon Sep 17 00:00:00 2001 From: Laurens Van Houtven <_@lvh.cc> Date: Tue, 17 Jun 2014 11:32:57 +0200 Subject: Add X509 verification parameters and associated functions --- cryptography/hazmat/bindings/openssl/binding.py | 1 + cryptography/hazmat/bindings/openssl/x509_vfy.py | 133 +++++++++++++++++++++++ 2 files changed, 134 insertions(+) create mode 100644 cryptography/hazmat/bindings/openssl/x509_vfy.py diff --git a/cryptography/hazmat/bindings/openssl/binding.py b/cryptography/hazmat/bindings/openssl/binding.py index 464081b0..554c3c3e 100644 --- a/cryptography/hazmat/bindings/openssl/binding.py +++ b/cryptography/hazmat/bindings/openssl/binding.py @@ -74,6 +74,7 @@ class Binding(object): "x509", "x509name", "x509v3", + "x509_vfy" ] _locks = None diff --git a/cryptography/hazmat/bindings/openssl/x509_vfy.py b/cryptography/hazmat/bindings/openssl/x509_vfy.py new file mode 100644 index 00000000..2a456708 --- /dev/null +++ b/cryptography/hazmat/bindings/openssl/x509_vfy.py @@ -0,0 +1,133 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import absolute_import, division, print_function + +INCLUDES = """ +#include + +/* + * This is part of a work-around for the difficulty cffi has in dealing with + * `STACK_OF(foo)` as the name of a type. We invent a new, simpler name that + * will be an alias for this type and use the alias throughout. This works + * together with another opaque typedef for the same name in the TYPES section. + * Note that the result is an opaque type. + */ +typedef STACK_OF(ASN1_OBJECT) Cryptography_STACK_OF_ASN1_OBJECT; +""" + +TYPES = """ +static const long Cryptography_HAS_102_VERIFICATION_PARAMS; +static const long Cryptography_HAS_100_VERIFICATION_PARAMS; + +typedef ... Cryptography_STACK_OF_ASN1_OBJECT; +typedef ... X509_VERIFY_PARAM; + +/* While these are defined in the source as ints, they're tagged here + as longs, just in case they ever grow to large, such as what we saw + with OP_ALL. */ +static const long X509_V_FLAG_CB_ISSUER_CHECK; +static const long X509_V_FLAG_USE_CHECK_TIME; +static const long X509_V_FLAG_CRL_CHECK; +static const long X509_V_FLAG_CRL_CHECK_ALL; +static const long X509_V_FLAG_IGNORE_CRITICAL; +static const long X509_V_FLAG_X509_STRICT; +static const long X509_V_FLAG_ALLOW_PROXY_CERTS; +static const long X509_V_FLAG_POLICY_CHECK; +static const long X509_V_FLAG_EXPLICIT_POLICY; +static const long X509_V_FLAG_INHIBIT_ANY; +static const long X509_V_FLAG_INHIBIT_MAP; +static const long X509_V_FLAG_NOTIFY_POLICY; +static const long X509_V_FLAG_EXTENDED_CRL_SUPPORT; +static const long X509_V_FLAG_USE_DELTAS; +static const long X509_V_FLAG_CHECK_SS_SIGNATURE; +static const long X509_V_FLAG_TRUSTED_FIRST; +static const long X509_V_FLAG_SUITEB_128_LOS_ONLY; +static const long X509_V_FLAG_SUITEB_192_LOS; +static const long X509_V_FLAG_SUITEB_128_LOS; +static const long X509_V_FLAG_PARTIAL_CHAIN; +""" + +FUNCTIONS = """ +X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void); +int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *, unsigned long); +int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *, unsigned long); +unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *); +int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *, int); +int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *, int); +void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *, time_t); +int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *, ASN1_OBJECT *); +int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *, Cryptography_STACK_OF_ASN1_OBJECT *); +void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *, int); +int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *); +""" + +MACROS = """ +int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *, const unsigned char *, size_t); +void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *, unsigned int); +int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *, const unsigned char *, size_t); +int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *, const unsigned char *, size_t); +int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *, const char *); +""" + +CUSTOMIZATIONS = """ +// OpenSSL 1.0.2+ +#if OPENSSL_VERSION_NUMBER >= 0x10002000L +static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 1; +#else +static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 0; +static const long X509_V_FLAG_TRUSTED_FIRST = 0; +static const long X509_V_FLAG_SUITEB_128_LOS_ONLY = 0; +static const long X509_V_FLAG_SUITEB_192_LOS = 0; +static const long X509_V_FLAG_SUITEB_128_LOS = 0; +static const long X509_V_FLAG_PARTIAL_CHAIN = 0; + +int (*X509_VERIFY_PARAM_set1_host)(X509_VERIFY_PARAM *, const unsigned char *, size_t) = NULL; +void (*X509_VERIFY_PARAM_set_hostflags)(X509_VERIFY_PARAM *, unsigned int) = NULL; +int (*X509_VERIFY_PARAM_set1_email)(X509_VERIFY_PARAM *, const unsigned char *, size_t) = NULL; +int (*X509_VERIFY_PARAM_set1_ip)(X509_VERIFY_PARAM *, const unsigned char *, size_t) = NULL; +int (*X509_VERIFY_PARAM_set1_ip_asc)(X509_VERIFY_PARAM *, const char *) = NULL; +#endif + +// OpenSSL 1.0.0+ +#if OPENSSL_VERSION_NUMBER >= 0x10000000L +static const long Cryptography_HAS_100_VERIFICATION_PARAMS = 1; +#else +static const long Cryptography_HAS_100_VERIFICATION_PARAMS = 0; +static const long X509_V_FLAG_EXTENDED_CRL_SUPPORT = 0; +static const long X509_V_FLAG_USE_DELTAS = 0; +static const long X509_V_FLAG_CHECK_SS_SIGNATURE = 0; +#endif +""" + +CONDITIONAL_NAMES = { + "Cryptography_HAS_102_VERIFICATION_PARAMS": [ + "X509_V_FLAG_TRUSTED_FIRST", + "X509_V_FLAG_SUITEB_128_LOS_ONLY", + "X509_V_FLAG_SUITEB_192_LOS", + "X509_V_FLAG_SUITEB_128_LOS", + "X509_V_FLAG_PARTIAL_CHAIN", + + "X509_VERIFY_PARAM_set1_host", + "X509_VERIFY_PARAM_set_hostflags", + "X509_VERIFY_PARAM_set1_email", + "X509_VERIFY_PARAM_set1_ip", + "X509_VERIFY_PARAM_set1_ip_asc", + ], + "Cryptography_HAS_100_VERIFICATION_PARAMS": [ + "Cryptography_HAS_100_VERIFICATION_PARAMS", + "X509_V_FLAG_EXTENDED_CRL_SUPPORT", + "X509_V_FLAG_USE_DELTAS", + "X509_V_FLAG_CHECK_SS_SIGNATURE", + ] +} -- cgit v1.2.3 From 19cc049139b77ec1b2935747b88fd6f25e9bd8af Mon Sep 17 00:00:00 2001 From: Laurens Van Houtven <_@lvh.cc> Date: Tue, 17 Jun 2014 14:15:04 +0200 Subject: Not all 1.0.2 releases! --- cryptography/hazmat/bindings/openssl/x509_vfy.py | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/cryptography/hazmat/bindings/openssl/x509_vfy.py b/cryptography/hazmat/bindings/openssl/x509_vfy.py index 2a456708..d6ae745b 100644 --- a/cryptography/hazmat/bindings/openssl/x509_vfy.py +++ b/cryptography/hazmat/bindings/openssl/x509_vfy.py @@ -27,6 +27,7 @@ typedef STACK_OF(ASN1_OBJECT) Cryptography_STACK_OF_ASN1_OBJECT; """ TYPES = """ +static const long Cryptography_HAS_X509_VERIFY_PARAM_SET_HOSTFLAGS; static const long Cryptography_HAS_102_VERIFICATION_PARAMS; static const long Cryptography_HAS_100_VERIFICATION_PARAMS; @@ -81,6 +82,14 @@ int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *, const char *); """ CUSTOMIZATIONS = """ +// OpenSSL 1.0.2+, but only some very new releases +#ifdef X509_VERIFY_PARAM_set_hostflags +static const long Cryptography_HAS_X509_VERIFY_PARAM_SET_HOSTFLAGS = 1; +#else +static const long Cryptography_HAS_X509_VERIFY_PARAM_SET_HOSTFLAGS = 0; +void (*X509_VERIFY_PARAM_set_hostflags)(X509_VERIFY_PARAM *, unsigned int) = NULL; +#endif + // OpenSSL 1.0.2+ #if OPENSSL_VERSION_NUMBER >= 0x10002000L static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 1; @@ -93,7 +102,6 @@ static const long X509_V_FLAG_SUITEB_128_LOS = 0; static const long X509_V_FLAG_PARTIAL_CHAIN = 0; int (*X509_VERIFY_PARAM_set1_host)(X509_VERIFY_PARAM *, const unsigned char *, size_t) = NULL; -void (*X509_VERIFY_PARAM_set_hostflags)(X509_VERIFY_PARAM *, unsigned int) = NULL; int (*X509_VERIFY_PARAM_set1_email)(X509_VERIFY_PARAM *, const unsigned char *, size_t) = NULL; int (*X509_VERIFY_PARAM_set1_ip)(X509_VERIFY_PARAM *, const unsigned char *, size_t) = NULL; int (*X509_VERIFY_PARAM_set1_ip_asc)(X509_VERIFY_PARAM *, const char *) = NULL; @@ -111,6 +119,9 @@ static const long X509_V_FLAG_CHECK_SS_SIGNATURE = 0; """ CONDITIONAL_NAMES = { + "Cryptography_HAS_X509_VERIFY_PARAM_SET_HOSTFLAGS": [ + "X509_VERIFY_PARAM_set_hostflags", + ], "Cryptography_HAS_102_VERIFICATION_PARAMS": [ "X509_V_FLAG_TRUSTED_FIRST", "X509_V_FLAG_SUITEB_128_LOS_ONLY", @@ -119,7 +130,6 @@ CONDITIONAL_NAMES = { "X509_V_FLAG_PARTIAL_CHAIN", "X509_VERIFY_PARAM_set1_host", - "X509_VERIFY_PARAM_set_hostflags", "X509_VERIFY_PARAM_set1_email", "X509_VERIFY_PARAM_set1_ip", "X509_VERIFY_PARAM_set1_ip_asc", -- cgit v1.2.3 From 2bb51f4c8b9208d18e4b19080a093437a8fdc9ee Mon Sep 17 00:00:00 2001 From: Laurens Van Houtven <_@lvh.cc> Date: Tue, 17 Jun 2014 14:18:16 +0200 Subject: Whitespace style fixes --- cryptography/hazmat/bindings/openssl/x509_vfy.py | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/cryptography/hazmat/bindings/openssl/x509_vfy.py b/cryptography/hazmat/bindings/openssl/x509_vfy.py index d6ae745b..88fc8bdd 100644 --- a/cryptography/hazmat/bindings/openssl/x509_vfy.py +++ b/cryptography/hazmat/bindings/openssl/x509_vfy.py @@ -68,16 +68,20 @@ int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *, int); int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *, int); void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *, time_t); int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *, ASN1_OBJECT *); -int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *, Cryptography_STACK_OF_ASN1_OBJECT *); +int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *, + Cryptography_STACK_OF_ASN1_OBJECT *); void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *, int); int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *); """ MACROS = """ -int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *, const unsigned char *, size_t); +int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *, const unsigned char *, + size_t); void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *, unsigned int); -int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *, const unsigned char *, size_t); -int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *, const unsigned char *, size_t); +int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *, const unsigned char *, + size_t); +int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *, const unsigned char *, + size_t); int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *, const char *); """ @@ -87,7 +91,8 @@ CUSTOMIZATIONS = """ static const long Cryptography_HAS_X509_VERIFY_PARAM_SET_HOSTFLAGS = 1; #else static const long Cryptography_HAS_X509_VERIFY_PARAM_SET_HOSTFLAGS = 0; -void (*X509_VERIFY_PARAM_set_hostflags)(X509_VERIFY_PARAM *, unsigned int) = NULL; +void (*X509_VERIFY_PARAM_set_hostflags)(X509_VERIFY_PARAM *, + unsigned int) = NULL; #endif // OpenSSL 1.0.2+ @@ -101,9 +106,12 @@ static const long X509_V_FLAG_SUITEB_192_LOS = 0; static const long X509_V_FLAG_SUITEB_128_LOS = 0; static const long X509_V_FLAG_PARTIAL_CHAIN = 0; -int (*X509_VERIFY_PARAM_set1_host)(X509_VERIFY_PARAM *, const unsigned char *, size_t) = NULL; -int (*X509_VERIFY_PARAM_set1_email)(X509_VERIFY_PARAM *, const unsigned char *, size_t) = NULL; -int (*X509_VERIFY_PARAM_set1_ip)(X509_VERIFY_PARAM *, const unsigned char *, size_t) = NULL; +int (*X509_VERIFY_PARAM_set1_host)(X509_VERIFY_PARAM *, const unsigned char *, + size_t) = NULL; +int (*X509_VERIFY_PARAM_set1_email)(X509_VERIFY_PARAM *, const unsigned char *, + size_t) = NULL; +int (*X509_VERIFY_PARAM_set1_ip)(X509_VERIFY_PARAM *, const unsigned char *, + size_t) = NULL; int (*X509_VERIFY_PARAM_set1_ip_asc)(X509_VERIFY_PARAM *, const char *) = NULL; #endif -- cgit v1.2.3 From 75f34d140a4096ec87b7bc8aa503374d63dec61f Mon Sep 17 00:00:00 2001 From: Laurens Van Houtven <_@lvh.cc> Date: Tue, 17 Jun 2014 14:31:19 +0200 Subject: Manually check for X509_V_FLAG_CHECK_SS_SIGNATURE --- cryptography/hazmat/bindings/openssl/x509_vfy.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/cryptography/hazmat/bindings/openssl/x509_vfy.py b/cryptography/hazmat/bindings/openssl/x509_vfy.py index 88fc8bdd..4db3da1d 100644 --- a/cryptography/hazmat/bindings/openssl/x509_vfy.py +++ b/cryptography/hazmat/bindings/openssl/x509_vfy.py @@ -30,6 +30,7 @@ TYPES = """ static const long Cryptography_HAS_X509_VERIFY_PARAM_SET_HOSTFLAGS; static const long Cryptography_HAS_102_VERIFICATION_PARAMS; static const long Cryptography_HAS_100_VERIFICATION_PARAMS; +static const long Cryptography_HAS_X509_V_FLAG_CHECK_SS_SIGNATURE; typedef ... Cryptography_STACK_OF_ASN1_OBJECT; typedef ... X509_VERIFY_PARAM; @@ -122,6 +123,13 @@ static const long Cryptography_HAS_100_VERIFICATION_PARAMS = 1; static const long Cryptography_HAS_100_VERIFICATION_PARAMS = 0; static const long X509_V_FLAG_EXTENDED_CRL_SUPPORT = 0; static const long X509_V_FLAG_USE_DELTAS = 0; +#endif + +// OpenSSL 0.9.8recent+ +#ifdef X509_V_FLAG_CHECK_SS_SIGNATURE +static const long Cryptography_HAS_X509_V_FLAG_CHECK_SS_SIGNATURE = 1; +#else +static const long Cryptography_HAS_X509_V_FLAG_CHECK_SS_SIGNATURE = 0; static const long X509_V_FLAG_CHECK_SS_SIGNATURE = 0; #endif """ @@ -146,6 +154,8 @@ CONDITIONAL_NAMES = { "Cryptography_HAS_100_VERIFICATION_PARAMS", "X509_V_FLAG_EXTENDED_CRL_SUPPORT", "X509_V_FLAG_USE_DELTAS", + ], + "Cryptography_HAS_X509_V_FLAG_CHECK_SS_SIGNATURE": [ "X509_V_FLAG_CHECK_SS_SIGNATURE", ] } -- cgit v1.2.3