[87] | 1 | ''' |
---|
| 2 | Utilities for manipulating certificates and SSL/TLS connections. |
---|
| 3 | |
---|
[130] | 4 | Copyright (C) 2014,2016,2017 Blindspot Security LLC |
---|
[87] | 5 | Author: Timothy D. Morgan |
---|
| 6 | |
---|
| 7 | This program is free software: you can redistribute it and/or modify |
---|
| 8 | it under the terms of the GNU Lesser General Public License, version 3, |
---|
| 9 | as published by the Free Software Foundation. |
---|
| 10 | |
---|
| 11 | This program is distributed in the hope that it will be useful, |
---|
| 12 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
| 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
| 14 | GNU General Public License for more details. |
---|
| 15 | |
---|
| 16 | You should have received a copy of the GNU General Public License |
---|
| 17 | along with this program. If not, see <http://www.gnu.org/licenses/>. |
---|
| 18 | ''' |
---|
| 19 | |
---|
| 20 | import sys |
---|
| 21 | import argparse |
---|
| 22 | import traceback |
---|
[110] | 23 | import random |
---|
[130] | 24 | import time |
---|
[87] | 25 | import socket |
---|
| 26 | try: |
---|
| 27 | import OpenSSL |
---|
| 28 | from OpenSSL import SSL |
---|
| 29 | except: |
---|
| 30 | sys.stderr.write('ERROR: Could not locate pyOpenSSL module. Under Debian-based systems, try:\n') |
---|
| 31 | sys.stderr.write(' # apt-get install python3-openssl\n') |
---|
| 32 | sys.stderr.write('NOTE: pyOpenSSL version 0.14 or later is required!\n') |
---|
| 33 | sys.exit(2) |
---|
| 34 | try: |
---|
| 35 | import cffi |
---|
| 36 | except: |
---|
| 37 | sys.stderr.write('ERROR: Could not locate cffi module. Under Debian-based systems, try:\n') |
---|
| 38 | sys.stderr.write(' # apt-get install python3-cffi\n') |
---|
| 39 | sys.stderr.write('NOTE: This is a requirement because pyOpenSSL does not provide ' |
---|
| 40 | 'certificate extension removal procedures. Consider lobbying for the ' |
---|
| 41 | 'implementation of this:\n https://github.com/pyca/pyopenssl/issues/152\n') |
---|
| 42 | sys.exit(2) |
---|
| 43 | |
---|
| 44 | |
---|
| 45 | def createContext(method=SSL.TLSv1_METHOD, key=None, certChain=[]): |
---|
| 46 | context = SSL.Context(method) |
---|
| 47 | context.set_verify(SSL.VERIFY_NONE, (lambda a,b,c,d,e: True)) |
---|
[115] | 48 | |
---|
[87] | 49 | if key and len(certChain) > 0: |
---|
| 50 | context.use_privatekey(key) |
---|
| 51 | context.use_certificate(certChain[0]) |
---|
| 52 | for c in certChain[1:]: |
---|
| 53 | context.add_extra_chain_cert(c) |
---|
| 54 | |
---|
| 55 | return context |
---|
| 56 | |
---|
| 57 | |
---|
[126] | 58 | def startSSLTLS(sock, mode='client', protocol=SSL.TLSv1_METHOD, key=None, certChain=[], cipher_list=None, timeout=None): |
---|
[115] | 59 | ''' |
---|
[122] | 60 | cipher_list names drawn from: |
---|
| 61 | openssl ciphers -v "ALL:@SECLEVEL=0" |
---|
[115] | 62 | ''' |
---|
| 63 | |
---|
[120] | 64 | context = createContext(protocol, key=key, certChain=certChain) |
---|
[115] | 65 | if cipher_list: |
---|
| 66 | context.set_cipher_list(cipher_list) |
---|
[126] | 67 | if timeout: |
---|
| 68 | context.set_timeout(timeout) |
---|
| 69 | |
---|
[115] | 70 | #if not key and mode == 'server': |
---|
| 71 | #context.set_options(OpenSSL.SSL.OP_SINGLE_DH_USE) |
---|
| 72 | #context.set_options(OpenSSL.SSL.OP_EPHEMERAL_RSA) |
---|
[120] | 73 | |
---|
[115] | 74 | conn = SSL.Connection(context, sock) |
---|
[87] | 75 | if mode == 'client': |
---|
| 76 | conn.set_connect_state() |
---|
[131] | 77 | if timeout: |
---|
| 78 | # This polling is needed because the socket timeouts have put the |
---|
| 79 | # socket in non-blocking mode |
---|
| 80 | start = time.time()+timeout |
---|
| 81 | while time.time() < start: |
---|
| 82 | try: |
---|
| 83 | conn.do_handshake() |
---|
| 84 | break |
---|
| 85 | except (OpenSSL.SSL.WantReadError,OpenSSL.SSL.WantWriteError) as e: |
---|
| 86 | time.sleep(0.00001) |
---|
| 87 | else: |
---|
| 88 | conn.do_handshake() |
---|
| 89 | |
---|
[87] | 90 | else: |
---|
| 91 | conn.set_accept_state() |
---|
| 92 | |
---|
| 93 | return conn |
---|
| 94 | |
---|
| 95 | |
---|
[125] | 96 | def ConnectSSLTLS(host, port, cipher_list=None, timeout=None, handshake_callback=None, verbose=True): |
---|
[130] | 97 | backup_cipher_list = b'DES-CBC3-SHA:RC4-MD5:RC4-SHA:AES128-SHA:AES256-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ADH-AES256-GCM-SHA384' |
---|
| 98 | protocols = [("SSL 2/3", SSL.SSLv23_METHOD, cipher_list), |
---|
[124] | 99 | ("SSL 2/3", SSL.SSLv23_METHOD, backup_cipher_list), |
---|
[130] | 100 | ("TLS 1.0", SSL.TLSv1_METHOD, cipher_list), |
---|
[124] | 101 | ("TLS 1.0", SSL.TLSv1_METHOD, backup_cipher_list), |
---|
[130] | 102 | ("TLS 1.1", SSL.TLSv1_1_METHOD, cipher_list), |
---|
[124] | 103 | ("TLS 1.1", SSL.TLSv1_1_METHOD, backup_cipher_list), |
---|
[130] | 104 | ("TLS 1.2", SSL.TLSv1_2_METHOD, cipher_list), |
---|
[124] | 105 | ("TLS 1.2", SSL.TLSv1_2_METHOD, backup_cipher_list), |
---|
[130] | 106 | ("SSL 3.0", SSL.SSLv3_METHOD, cipher_list), |
---|
[124] | 107 | ("SSL 3.0", SSL.SSLv3_METHOD, backup_cipher_list), |
---|
[130] | 108 | ("SSL 2.0", SSL.SSLv2_METHOD, cipher_list), |
---|
[124] | 109 | ("SSL 2.0", SSL.SSLv2_METHOD, backup_cipher_list)] |
---|
[87] | 110 | |
---|
| 111 | conn = None |
---|
[124] | 112 | for pname,p,cl in protocols: |
---|
[87] | 113 | try: |
---|
[127] | 114 | serverSock = socket.socket() |
---|
| 115 | serverSock.connect((host,port)) |
---|
| 116 | if timeout: |
---|
| 117 | serverSock.settimeout(timeout) |
---|
[128] | 118 | except Exception as e: |
---|
| 119 | if verbose: |
---|
| 120 | sys.stderr.write("Unable to connect to %s:%s\n" % (host,port)) |
---|
| 121 | return None |
---|
[127] | 122 | |
---|
[128] | 123 | try: |
---|
[120] | 124 | if handshake_callback: |
---|
| 125 | if not handshake_callback(serverSock): |
---|
| 126 | return None |
---|
| 127 | except Exception as e: |
---|
| 128 | traceback.print_exc(file=sys.stderr) |
---|
| 129 | return None |
---|
| 130 | |
---|
| 131 | try: |
---|
[126] | 132 | conn = startSSLTLS(serverSock, mode='client', protocol=p, cipher_list=cl, timeout=timeout) |
---|
[87] | 133 | break |
---|
| 134 | except ValueError as e: |
---|
[121] | 135 | if verbose: |
---|
| 136 | sys.stderr.write("%s protocol not supported by your openssl library, trying others...\n" % pname) |
---|
[87] | 137 | except SSL.Error as e: |
---|
[121] | 138 | if verbose: |
---|
[130] | 139 | sys.stderr.write("Exception during %s handshake with server. (%s)" % (pname, e)) |
---|
| 140 | #traceback.print_exc(file=sys.stderr) |
---|
[121] | 141 | sys.stderr.write("\nThis could happen because the server requires " |
---|
[130] | 142 | "certain SSL/TLS versions or a client certificate." |
---|
[124] | 143 | " Have no fear, we'll keep trying...\n") |
---|
[87] | 144 | except Exception as e: |
---|
[121] | 145 | sys.stderr.write("Unknown exception during %s handshake with server: \n" % pname) |
---|
[87] | 146 | traceback.print_exc(file=sys.stderr) |
---|
| 147 | |
---|
| 148 | return conn |
---|
| 149 | |
---|
| 150 | |
---|
| 151 | def fetchCertificateChain(connection): |
---|
| 152 | chain = connection.get_peer_cert_chain() |
---|
| 153 | if chain: |
---|
| 154 | return chain |
---|
| 155 | return None |
---|
| 156 | |
---|
| 157 | |
---|
| 158 | def normalizeCertificateName(cert_name): |
---|
| 159 | n = cert_name.get_components() |
---|
| 160 | n.sort() |
---|
| 161 | return tuple(n) |
---|
| 162 | |
---|
| 163 | |
---|
| 164 | def normalizeCertificateChain(chain): |
---|
| 165 | # Organize certificates by subject and issuer for quick lookups |
---|
| 166 | subject_table = {} |
---|
| 167 | issuer_table = {} |
---|
| 168 | for c in chain: |
---|
| 169 | subject_table[normalizeCertificateName(c.get_subject())] = c |
---|
| 170 | issuer_table[normalizeCertificateName(c.get_issuer())] = c |
---|
| 171 | |
---|
| 172 | # Now find root or highest-level intermediary |
---|
| 173 | root = None |
---|
| 174 | for c in chain: |
---|
| 175 | i = normalizeCertificateName(c.get_issuer()) |
---|
| 176 | s = normalizeCertificateName(c.get_subject()) |
---|
| 177 | if (i == s) or (i not in subject_table): |
---|
| 178 | if root != None: |
---|
| 179 | sys.stderr.write("WARN: Multiple root certificates found or broken certificate chain detected.") |
---|
| 180 | else: |
---|
| 181 | # Go with the first identified "root", since that's more likely to link up with the server cert |
---|
| 182 | root = c |
---|
| 183 | |
---|
| 184 | # Finally, build the chain from the top-down in the correct order |
---|
| 185 | new_chain = [] |
---|
| 186 | nxt = root |
---|
| 187 | while nxt != None: |
---|
| 188 | new_chain = [nxt] + new_chain |
---|
| 189 | s = normalizeCertificateName(nxt.get_subject()) |
---|
| 190 | nxt = issuer_table.get(s) |
---|
| 191 | |
---|
| 192 | return new_chain |
---|
| 193 | |
---|
| 194 | |
---|
| 195 | def genFakeKey(certificate): |
---|
| 196 | fake_key = OpenSSL.crypto.PKey() |
---|
| 197 | old_pubkey = certificate.get_pubkey() |
---|
| 198 | fake_key.generate_key(old_pubkey.type(), old_pubkey.bits()) |
---|
| 199 | |
---|
| 200 | return fake_key |
---|
| 201 | |
---|
| 202 | |
---|
| 203 | def getDigestAlgorithm(certificate): |
---|
[88] | 204 | # XXX: ugly hack because openssl API for this is limited |
---|
| 205 | algo = certificate.get_signature_algorithm() |
---|
| 206 | if b'With' in algo: |
---|
| 207 | return algo.split(b'With', 1)[0].decode('utf-8') |
---|
| 208 | return None |
---|
[87] | 209 | |
---|
| 210 | |
---|
| 211 | def deleteExtension(certificate, index): |
---|
| 212 | ''' |
---|
| 213 | A dirty hack until this is implemented in pyOpenSSL. See: |
---|
| 214 | https://github.com/pyca/pyopenssl/issues/152 |
---|
| 215 | ''' |
---|
| 216 | ffi = cffi.FFI() |
---|
| 217 | ffi.cdef('''void* X509_delete_ext(void* x, int loc);''') |
---|
[108] | 218 | |
---|
| 219 | # Try to load libssl using several recent names because package |
---|
| 220 | # maintainers have the blinders on and don't have a universal |
---|
| 221 | # symlink to the most recent version. |
---|
| 222 | libssl = None |
---|
[109] | 223 | for libname in ('libssl.so','libssl.so.1.0.2', 'libssl.so.1.0.1', 'libssl.so.1.0.0','libssl.so.0.9.8'): |
---|
[108] | 224 | try: |
---|
| 225 | libssl = ffi.dlopen(libname) |
---|
| 226 | break |
---|
| 227 | except OSError as e: |
---|
| 228 | pass |
---|
| 229 | |
---|
[87] | 230 | ext = libssl.X509_delete_ext(certificate._x509, index) |
---|
| 231 | #XXX: memory leak. supposed to free ext here |
---|
| 232 | |
---|
| 233 | |
---|
| 234 | def removePeskyExtensions(certificate): |
---|
| 235 | #for index in range(0,certificate.get_extension_count()): |
---|
| 236 | # e = certificate.get_extension(index) |
---|
| 237 | # print("extension %d: %s\n" % (index, e.get_short_name()), e) |
---|
| 238 | |
---|
| 239 | index = 0 |
---|
| 240 | while index < certificate.get_extension_count(): |
---|
| 241 | e = certificate.get_extension(index) |
---|
| 242 | if e.get_short_name() in (b'subjectKeyIdentifier', b'authorityKeyIdentifier'): |
---|
| 243 | deleteExtension(certificate, index) |
---|
| 244 | #XXX: would be nice if each of these extensions were re-added with appropriate values |
---|
| 245 | index -= 1 |
---|
| 246 | index += 1 |
---|
| 247 | |
---|
| 248 | #for index in range(0,certificate.get_extension_count()): |
---|
| 249 | # e = certificate.get_extension(index) |
---|
| 250 | # print("extension %d: %s\n" % (index, e.get_short_name()), e) |
---|
| 251 | |
---|
| 252 | |
---|
[110] | 253 | def randomizeSerialNumber(certificate): |
---|
| 254 | certificate.set_serial_number(random.randint(0,2**64)) |
---|
| 255 | |
---|
[87] | 256 | def genFakeCertificateChain(cert_chain): |
---|
| 257 | ret_val = [] |
---|
| 258 | cert_chain.reverse() # start with highest level authority |
---|
| 259 | |
---|
| 260 | c = cert_chain[0] |
---|
| 261 | i = normalizeCertificateName(c.get_issuer()) |
---|
| 262 | s = normalizeCertificateName(c.get_subject()) |
---|
| 263 | if s != i: |
---|
| 264 | # XXX: consider retrieving root locally and including a forged version instead |
---|
| 265 | c.set_issuer(c.get_subject()) |
---|
| 266 | k = genFakeKey(c) |
---|
| 267 | c.set_pubkey(k) |
---|
| 268 | removePeskyExtensions(c) |
---|
[110] | 269 | randomizeSerialNumber(c) |
---|
[87] | 270 | c.sign(k, getDigestAlgorithm(c)) |
---|
| 271 | ret_val.append(c) |
---|
| 272 | |
---|
| 273 | prev = k |
---|
| 274 | for c in cert_chain[1:]: |
---|
| 275 | k = genFakeKey(c) |
---|
| 276 | c.set_pubkey(k) |
---|
| 277 | removePeskyExtensions(c) |
---|
[110] | 278 | randomizeSerialNumber(c) |
---|
[87] | 279 | c.sign(prev, getDigestAlgorithm(c)) |
---|
| 280 | prev = k |
---|
| 281 | ret_val.append(c) |
---|
| 282 | |
---|
| 283 | ret_val.reverse() |
---|
| 284 | return k,ret_val |
---|