[87] | 1 | ''' |
---|
| 2 | Utilities for manipulating certificates and SSL/TLS connections. |
---|
| 3 | |
---|
[88] | 4 | Copyright (C) 2014,2016 Blindspot Security LLC |
---|
[87] | 5 | Author: Timothy D. Morgan |
---|
| 6 | |
---|
| 7 | This program is free software: you can redistribute it and/or modify |
---|
| 8 | it under the terms of the GNU Lesser General Public License, version 3, |
---|
| 9 | as published by the Free Software Foundation. |
---|
| 10 | |
---|
| 11 | This program is distributed in the hope that it will be useful, |
---|
| 12 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
| 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
| 14 | GNU General Public License for more details. |
---|
| 15 | |
---|
| 16 | You should have received a copy of the GNU General Public License |
---|
| 17 | along with this program. If not, see <http://www.gnu.org/licenses/>. |
---|
| 18 | ''' |
---|
| 19 | |
---|
| 20 | import sys |
---|
| 21 | import argparse |
---|
| 22 | import traceback |
---|
[110] | 23 | import random |
---|
[87] | 24 | import socket |
---|
| 25 | try: |
---|
| 26 | import OpenSSL |
---|
| 27 | from OpenSSL import SSL |
---|
| 28 | except: |
---|
| 29 | sys.stderr.write('ERROR: Could not locate pyOpenSSL module. Under Debian-based systems, try:\n') |
---|
| 30 | sys.stderr.write(' # apt-get install python3-openssl\n') |
---|
| 31 | sys.stderr.write('NOTE: pyOpenSSL version 0.14 or later is required!\n') |
---|
| 32 | sys.exit(2) |
---|
| 33 | try: |
---|
| 34 | import cffi |
---|
| 35 | except: |
---|
| 36 | sys.stderr.write('ERROR: Could not locate cffi module. Under Debian-based systems, try:\n') |
---|
| 37 | sys.stderr.write(' # apt-get install python3-cffi\n') |
---|
| 38 | sys.stderr.write('NOTE: This is a requirement because pyOpenSSL does not provide ' |
---|
| 39 | 'certificate extension removal procedures. Consider lobbying for the ' |
---|
| 40 | 'implementation of this:\n https://github.com/pyca/pyopenssl/issues/152\n') |
---|
| 41 | sys.exit(2) |
---|
| 42 | |
---|
| 43 | |
---|
| 44 | def createContext(method=SSL.TLSv1_METHOD, key=None, certChain=[]): |
---|
| 45 | context = SSL.Context(method) |
---|
| 46 | context.set_verify(SSL.VERIFY_NONE, (lambda a,b,c,d,e: True)) |
---|
[115] | 47 | |
---|
[87] | 48 | if key and len(certChain) > 0: |
---|
| 49 | context.use_privatekey(key) |
---|
| 50 | context.use_certificate(certChain[0]) |
---|
| 51 | for c in certChain[1:]: |
---|
| 52 | context.add_extra_chain_cert(c) |
---|
| 53 | |
---|
| 54 | return context |
---|
| 55 | |
---|
| 56 | |
---|
[123] | 57 | def startSSLTLS(sock, mode='client', protocol=SSL.TLSv1_METHOD, key=None, certChain=[], cipher_list=b'DES-CBC3-SHA:RC4-MD5:RC4-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA:ADH-AES256-GCM-SHA384'): |
---|
[115] | 58 | ''' |
---|
[122] | 59 | cipher_list names drawn from: |
---|
| 60 | openssl ciphers -v "ALL:@SECLEVEL=0" |
---|
[115] | 61 | ''' |
---|
| 62 | |
---|
[120] | 63 | context = createContext(protocol, key=key, certChain=certChain) |
---|
[115] | 64 | if cipher_list: |
---|
| 65 | context.set_cipher_list(cipher_list) |
---|
| 66 | #if not key and mode == 'server': |
---|
| 67 | #context.set_options(OpenSSL.SSL.OP_SINGLE_DH_USE) |
---|
| 68 | #context.set_options(OpenSSL.SSL.OP_EPHEMERAL_RSA) |
---|
[120] | 69 | |
---|
[115] | 70 | conn = SSL.Connection(context, sock) |
---|
[87] | 71 | if mode == 'client': |
---|
| 72 | conn.set_connect_state() |
---|
| 73 | conn.do_handshake() |
---|
| 74 | else: |
---|
| 75 | conn.set_accept_state() |
---|
| 76 | |
---|
| 77 | return conn |
---|
| 78 | |
---|
| 79 | |
---|
[121] | 80 | def ConnectSSLTLS(host, port, cipher_list=None, handshake_callback=None, verbose=True): |
---|
[87] | 81 | protocols = [("SSL 2/3", SSL.SSLv23_METHOD), |
---|
| 82 | ("TLS 1.0", SSL.TLSv1_METHOD), |
---|
| 83 | ("TLS 1.1", SSL.TLSv1_1_METHOD), |
---|
| 84 | ("TLS 1.2", SSL.TLSv1_2_METHOD), |
---|
| 85 | ("SSL 3.0", SSL.SSLv3_METHOD), |
---|
| 86 | ("SSL 2.0", SSL.SSLv2_METHOD)] |
---|
| 87 | |
---|
| 88 | conn = None |
---|
| 89 | for pname,p in protocols: |
---|
| 90 | serverSock = socket.socket() |
---|
| 91 | serverSock.connect((host,port)) |
---|
| 92 | |
---|
| 93 | try: |
---|
[120] | 94 | if handshake_callback: |
---|
| 95 | if not handshake_callback(serverSock): |
---|
| 96 | return None |
---|
| 97 | except Exception as e: |
---|
| 98 | traceback.print_exc(file=sys.stderr) |
---|
| 99 | return None |
---|
| 100 | |
---|
| 101 | try: |
---|
| 102 | conn = startSSLTLS(serverSock, mode='client', protocol=p, cipher_list=cipher_list) |
---|
[87] | 103 | break |
---|
| 104 | except ValueError as e: |
---|
[121] | 105 | if verbose: |
---|
| 106 | sys.stderr.write("%s protocol not supported by your openssl library, trying others...\n" % pname) |
---|
[87] | 107 | except SSL.Error as e: |
---|
[121] | 108 | if verbose: |
---|
| 109 | sys.stderr.write("Exception during %s handshake with server." % pname) |
---|
| 110 | sys.stderr.write("\nThis could happen because the server requires " |
---|
| 111 | "certain SSL/TLS versions or a client certificiate." |
---|
| 112 | " Have no fear, we'll keep trying...\n") |
---|
[87] | 113 | except Exception as e: |
---|
[121] | 114 | sys.stderr.write("Unknown exception during %s handshake with server: \n" % pname) |
---|
[87] | 115 | traceback.print_exc(file=sys.stderr) |
---|
| 116 | |
---|
| 117 | return conn |
---|
| 118 | |
---|
| 119 | |
---|
| 120 | def fetchCertificateChain(connection): |
---|
| 121 | chain = connection.get_peer_cert_chain() |
---|
| 122 | if chain: |
---|
| 123 | return chain |
---|
| 124 | return None |
---|
| 125 | |
---|
| 126 | |
---|
| 127 | def normalizeCertificateName(cert_name): |
---|
| 128 | n = cert_name.get_components() |
---|
| 129 | n.sort() |
---|
| 130 | return tuple(n) |
---|
| 131 | |
---|
| 132 | |
---|
| 133 | def normalizeCertificateChain(chain): |
---|
| 134 | # Organize certificates by subject and issuer for quick lookups |
---|
| 135 | subject_table = {} |
---|
| 136 | issuer_table = {} |
---|
| 137 | for c in chain: |
---|
| 138 | subject_table[normalizeCertificateName(c.get_subject())] = c |
---|
| 139 | issuer_table[normalizeCertificateName(c.get_issuer())] = c |
---|
| 140 | |
---|
| 141 | # Now find root or highest-level intermediary |
---|
| 142 | root = None |
---|
| 143 | for c in chain: |
---|
| 144 | i = normalizeCertificateName(c.get_issuer()) |
---|
| 145 | s = normalizeCertificateName(c.get_subject()) |
---|
| 146 | if (i == s) or (i not in subject_table): |
---|
| 147 | if root != None: |
---|
| 148 | sys.stderr.write("WARN: Multiple root certificates found or broken certificate chain detected.") |
---|
| 149 | else: |
---|
| 150 | # Go with the first identified "root", since that's more likely to link up with the server cert |
---|
| 151 | root = c |
---|
| 152 | |
---|
| 153 | # Finally, build the chain from the top-down in the correct order |
---|
| 154 | new_chain = [] |
---|
| 155 | nxt = root |
---|
| 156 | while nxt != None: |
---|
| 157 | new_chain = [nxt] + new_chain |
---|
| 158 | s = normalizeCertificateName(nxt.get_subject()) |
---|
| 159 | nxt = issuer_table.get(s) |
---|
| 160 | |
---|
| 161 | return new_chain |
---|
| 162 | |
---|
| 163 | |
---|
| 164 | def genFakeKey(certificate): |
---|
| 165 | fake_key = OpenSSL.crypto.PKey() |
---|
| 166 | old_pubkey = certificate.get_pubkey() |
---|
| 167 | fake_key.generate_key(old_pubkey.type(), old_pubkey.bits()) |
---|
| 168 | |
---|
| 169 | return fake_key |
---|
| 170 | |
---|
| 171 | |
---|
| 172 | def getDigestAlgorithm(certificate): |
---|
[88] | 173 | # XXX: ugly hack because openssl API for this is limited |
---|
| 174 | algo = certificate.get_signature_algorithm() |
---|
| 175 | if b'With' in algo: |
---|
| 176 | return algo.split(b'With', 1)[0].decode('utf-8') |
---|
| 177 | return None |
---|
[87] | 178 | |
---|
| 179 | |
---|
| 180 | def deleteExtension(certificate, index): |
---|
| 181 | ''' |
---|
| 182 | A dirty hack until this is implemented in pyOpenSSL. See: |
---|
| 183 | https://github.com/pyca/pyopenssl/issues/152 |
---|
| 184 | ''' |
---|
| 185 | ffi = cffi.FFI() |
---|
| 186 | ffi.cdef('''void* X509_delete_ext(void* x, int loc);''') |
---|
[108] | 187 | |
---|
| 188 | # Try to load libssl using several recent names because package |
---|
| 189 | # maintainers have the blinders on and don't have a universal |
---|
| 190 | # symlink to the most recent version. |
---|
| 191 | libssl = None |
---|
[109] | 192 | for libname in ('libssl.so','libssl.so.1.0.2', 'libssl.so.1.0.1', 'libssl.so.1.0.0','libssl.so.0.9.8'): |
---|
[108] | 193 | try: |
---|
| 194 | libssl = ffi.dlopen(libname) |
---|
| 195 | break |
---|
| 196 | except OSError as e: |
---|
| 197 | pass |
---|
| 198 | |
---|
[87] | 199 | ext = libssl.X509_delete_ext(certificate._x509, index) |
---|
| 200 | #XXX: memory leak. supposed to free ext here |
---|
| 201 | |
---|
| 202 | |
---|
| 203 | def removePeskyExtensions(certificate): |
---|
| 204 | #for index in range(0,certificate.get_extension_count()): |
---|
| 205 | # e = certificate.get_extension(index) |
---|
| 206 | # print("extension %d: %s\n" % (index, e.get_short_name()), e) |
---|
| 207 | |
---|
| 208 | index = 0 |
---|
| 209 | while index < certificate.get_extension_count(): |
---|
| 210 | e = certificate.get_extension(index) |
---|
| 211 | if e.get_short_name() in (b'subjectKeyIdentifier', b'authorityKeyIdentifier'): |
---|
| 212 | deleteExtension(certificate, index) |
---|
| 213 | #XXX: would be nice if each of these extensions were re-added with appropriate values |
---|
| 214 | index -= 1 |
---|
| 215 | index += 1 |
---|
| 216 | |
---|
| 217 | #for index in range(0,certificate.get_extension_count()): |
---|
| 218 | # e = certificate.get_extension(index) |
---|
| 219 | # print("extension %d: %s\n" % (index, e.get_short_name()), e) |
---|
| 220 | |
---|
| 221 | |
---|
[110] | 222 | def randomizeSerialNumber(certificate): |
---|
| 223 | certificate.set_serial_number(random.randint(0,2**64)) |
---|
| 224 | |
---|
[87] | 225 | def genFakeCertificateChain(cert_chain): |
---|
| 226 | ret_val = [] |
---|
| 227 | cert_chain.reverse() # start with highest level authority |
---|
| 228 | |
---|
| 229 | c = cert_chain[0] |
---|
| 230 | i = normalizeCertificateName(c.get_issuer()) |
---|
| 231 | s = normalizeCertificateName(c.get_subject()) |
---|
| 232 | if s != i: |
---|
| 233 | # XXX: consider retrieving root locally and including a forged version instead |
---|
| 234 | c.set_issuer(c.get_subject()) |
---|
| 235 | k = genFakeKey(c) |
---|
| 236 | c.set_pubkey(k) |
---|
| 237 | removePeskyExtensions(c) |
---|
[110] | 238 | randomizeSerialNumber(c) |
---|
[87] | 239 | c.sign(k, getDigestAlgorithm(c)) |
---|
| 240 | ret_val.append(c) |
---|
| 241 | |
---|
| 242 | prev = k |
---|
| 243 | for c in cert_chain[1:]: |
---|
| 244 | k = genFakeKey(c) |
---|
| 245 | c.set_pubkey(k) |
---|
| 246 | removePeskyExtensions(c) |
---|
[110] | 247 | randomizeSerialNumber(c) |
---|
[87] | 248 | c.sign(prev, getDigestAlgorithm(c)) |
---|
| 249 | prev = k |
---|
| 250 | ret_val.append(c) |
---|
| 251 | |
---|
| 252 | ret_val.reverse() |
---|
| 253 | return k,ret_val |
---|