lmoskala/SSLClient
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Wrote small python utility based off of pycert to autogenerate bearSSL trust anchor header files, need to finish commenting it and created web hosted version

Browse source
This commit is contained in:
Noah Laptop 2019-03-13 16:13:20 -07:00
parent ef4a55cbe8
commit ac951f1b30
2 changed files with 411 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

286
tools/pycert_bearssl/cert_util.py Normal file
View file

@ -0,0 +1,286 @@
# Utility functions for a Python SSL certificate conversion tool.
# These functions are in this file so the can also be used in
# A web API implementing this tool.
# Author: Tony DiCola, Modified by Noah Koontz
#
# Dependencies:
# click - Install with 'sudo pip install click' (omit sudo on windows)
# PyOpenSSL - See homepage: https://pyopenssl.readthedocs.org/en/latest/
# Should just be a 'sudo pip install pyopenssl' command, HOWEVER
# on Windows you probably need a precompiled binary version. Try
# installing with pip and if you see errors when running that
# OpenSSL can't be found then try installing egenix's prebuilt
# PyOpenSSL library and OpenSSL lib:
# http://www.egenix.com/products/python/pyOpenSSL/
# certifi - Install with 'sudo pip install certifi' (omit sudo on windows)
import re
from OpenSSL import SSL, crypto
import socket
import textwrap
import math
import os
CERT_PATTERN = re.compile("^\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-[a-z,A-Z,0-9,\n,\/,+]+={0,2}\n\-\-\-\-\-END CERTIFICATE-\-\-\-\-", re.MULTILINE)
# Default name prefixes for varibles used in the hearder autogeneration
# Autogenerator will follow these names with a number
# e.g. "TA_DN0"
# Distinguished name array prefix
DN_PRE = "TA_DN"
# RSA public key number prefix
RSA_N_PRE = "TA_RSA_N"
# RSA public key exponent prefix
RSA_E_PRE = "TA_RSA_E"
# Template that defines the C header output format.
# This takes in a few named parameters:
# - guard_name: Unique name to apply to the #ifndef header guard.
# - cert_length_var: Variable/define name for the length of the certificate.
# - cert_length: Length of the certificate (in bytes).
# - cert_var: Variable name for the certificate data.
# - cert_data: Certificate data, formatted as a bearssl trust anchor array
# - cert_description: Any descriptive info about the certs to put in comments.
# NOTE: If you're changing the template make sure to escape all curly braces
# with a double brace (like {{ or }}) or else Python will try to interpret as a
# string format variable.
CFILE_TEMPLATE = """\
#ifndef _{guard_name}_H_
#define _{guard_name}_H_
#ifdef __cplusplus
extern "C"
{{
#endif
/* This file is auto-generated by the pycert_bearssl tool. Do not change it manually.
* Certificates are BearSSL br_x509_trust_anchor format. Included certs:
*
{cert_description}
*/
#define {cert_length_var} {cert_length}
{cert_data}
#ifdef __cplusplus
}} /* extern "C" */
#endif
#endif /* ifndef _{guard_name}_H_ */
"""
# Template that defines a static array of bytes
# This takes in a few named parameters:
# - ray_type: The type (int, unsigned char) to use for the static array
# - ray_name: The varible name of the static array
# - ray_data: The comma seperated data of the array (ex. "0x12, 0x34, ...")
CRAY_TEMPLATE = """\
static const {ray_type} {ray_name}[] = {{
{ray_data}
}};"""
# Template that defines a single root certificate entry in the BearSSL trust
# anchor list
# This takes in a few named parameters:
# - ta_dn_name: The name of the static byte array containing the distunguished
# name of the certificate.
# - rsa_number_name: Varible name of the static array containing the RSA number
# - rsa_exp_name: Varible name of the static array containing the RSA exponent
CROOTCA_TEMPLATE = """\
{{
{{ (unsigned char *){ta_dn_name}, sizeof {ta_dn_name} }},
BR_X509_TA_CA,
{{
BR_KEYTYPE_RSA,
{{ .rsa = {{
(unsigned char *){rsa_number_name}, sizeof {rsa_number_name},
(unsigned char *){rsa_exp_name}, sizeof {rsa_exp_name},
}} }}
}}
}},"""
# Template that defines a description of the certificate, so that the header
# file can be slightly more human readable
# This takes in a few named parameters:
# - cert_num: The index used to represent the certificate to the computer
# - cert_label: The certificate's name field (Usually CN, in the subject)
# - cert_issue: The certificate's issuer string
# - cert_subject: The certificate's subject string
CCERT_DESC_TEMPLATE = """\
* Index: {cert_num}
* Label: {cert_label}
* Subject: {cert_subject}"""
def PEM_split(cert_pem):
"""Split a certificate / certificate chain in PEM format into multiple
PEM certificates. This is useful for extracting the last / root PEM cert
in a chain for example. Will return a list of strings with each string
being an individual PEM certificate (including its '-----BEGIN CERTIFICATE...'
delineaters).
"""
# Split cert based on begin certificate sections, then reconstruct as an
# array of individual cert strings.
return re.findall(CERT_PATTERN, cert_pem)
def parse_root_certificate_store(store):
"""Parses a list of trusted root certificates, which we
can match to the respective certificates sent from the websites. The where
parameter takes a loaded certificate file (certifi.where()),
and the function returns a list of crypto.x509 objects.
"""
# perform file operations
certStore = PEM_split(store.read())
# convert the raw PEM files into x509 object
return [crypto.load_certificate(crypto.FILETYPE_PEM, pem) for pem in certStore]
def get_server_root_cert(address, port, certDict):
"""Attempt to retrieve the the root certificate in the full SSL cert chain
from the provided server address & port. The certDict parameter should
contain a dictionary of { certificate.get_subject().hash() md5 hash : certificate },
which this function will use to match the certificate chain to a stored root
certificate. This function will return a single certificate as a PyOpenSSL X509
object, or None if the chain couldn't be retrieved for some reason, or the
certDict did not contain a matching certificate.
"""
# Use PyOpenSSL to initiate an SSL connection and get the full cert chain.
# Sadly Python's built in SSL library can't do this so we must use this
# OpenSSL-based library.
cert = None
ctx = SSL.Context(SSL.TLSv1_2_METHOD)
# do the connection, and fetch the cert chain
soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ssl_soc = SSL.Connection(ctx, soc)
ssl_soc.connect((address, port))
try:
ssl_soc.do_handshake()
cert = ssl_soc.get_peer_cert_chain()[-1]
finally:
ssl_soc.shutdown()
soc.close()
# match the certificate in the chain to the respective root certificate using the common name
if cert == None:
print("Failed to fetch certificate on domain: " + address)
return None
cn_hash = cert.get_issuer().hash()
# if there is a respective certificate, return it
# else print an error and return None
if cn_hash not in certDict:
print("Could not find matching root certificate for domain: " + address)
return None
return certDict[cn_hash]
def filter_duplicate_x509(certs):
serial_numbers = set()
out_certs = list()
# filter duplicate certs
for cert in certs:
# Skip duplicate certs where required.
if cert.get_serial_number() in serial_numbers:
continue
out_certs.append(cert)
serial_numbers.add(cert.get_serial_number())
return out_certs
def bytes_to_c_data(mah_bytes, length=None):
"""Converts a byte array to a CSV C array data format, with endlines!
e.g: 0x12, 0xA4, etc.
mah_bytes is the bytearray, and length is the number of bytes to
generate in the array, and indent is how much to indent the output
"""
ret = []
# create an array of byte strings, including an endline every 10 or so bytes
for i, bytestr in enumerate(textwrap.wrap(mah_bytes.hex(), 2)):
ret.append("0x" + bytestr + ", ")
# pad with extra zeros
while length != None and len(ret) < length:
ret.append("0x00, ")
# join, wrap, and return
return textwrap.fill(''.join(ret), width=6*12 + 5, initial_indent=' ', subsequent_indent=' ', break_long_words=False)
def decribe_cert_object(cert, cert_num):
# get the label from the subject feild on the certificate
label = ""
com = dict(cert.get_subject().get_components())
if b'CN' in com:
label = com[b'CN'].decode("utf-8")
elif b'OU' in com:
label = com[b'OU'].decode("utf-8")
elif b'O' in com:
label = com[b'O'].decode("utf-8")
# return the formated string
crypto = cert.to_cryptography()
return CCERT_DESC_TEMPLATE.format(
cert_num=cert_num,
cert_label=label,
cert_subject=crypto.subject.rfc4514_string(),
)
def x509_to_header(x509Certs, cert_var, cert_length_var, output_file, keep_dupes):
"""Combine a collection of PEM format certificates into a single C header with the
combined cert data in BearSSL format. x509Certs should be a list of pyOpenSSL x590 objects,
cert_var controls the name of the cert data variable in the output header, cert_length_var
controls the name of the cert data length variable/define, output is the output file
(which must be open for writing). Keep_dupes is a boolean to indicate if duplicate
certificates should be left intact (true) or removed (false).
"""
cert_description = ''
certs = x509Certs
if not keep_dupes:
certs = filter_duplicate_x509(x509Certs)
# Save cert data as a C style header.
# start by building each component
cert_data = ""
static_arrays = list()
CAs = list()
cert_desc = list()
for i, cert in enumerate(certs):
# add a description of the certificate to the array
cert_desc.append(decribe_cert_object(cert, i))
# build static arrays containing all the keys of the certificate
# start with distinguished name
# get the distinguished name in bytes
dn_bytes_str = bytes_to_c_data(cert.get_subject().der())
static_arrays.append(CRAY_TEMPLATE.format(
ray_type="unsigned char",
ray_name=DN_PRE + str(i),
ray_data=dn_bytes_str))
# next, the RSA public numbers
pubkey = cert.get_pubkey()
numbers = pubkey.to_cryptography_key().public_numbers()
# starting with the modulous
n_bytes_str = bytes_to_c_data(numbers.n.to_bytes(pubkey.bits() // 8, byteorder="big"))
static_arrays.append(CRAY_TEMPLATE.format(
ray_type="unsigned char",
ray_name=RSA_N_PRE + str(i),
ray_data=n_bytes_str))
# and then the exponent
e_bytes_str = bytes_to_c_data(numbers.e.to_bytes(math.ceil(numbers.e.bit_length() / 8), byteorder="big"))
static_arrays.append(CRAY_TEMPLATE.format(
ray_type="unsigned char",
ray_name=RSA_E_PRE + str(i),
ray_data=e_bytes_str))
# format the root certificate entry
CAs.append(CROOTCA_TEMPLATE.format(
ta_dn_name=DN_PRE + str(i),
rsa_number_name=RSA_N_PRE + str(i),
rsa_exp_name=RSA_E_PRE + str(i)))
# concatonate it all into the big header file template
# cert descriptions
cert_desc_out = '\n * \n'.join(cert_desc)
# static arrays
cert_data_out = '\n\n'.join(static_arrays)
cert_data_out += '\n\n' + CRAY_TEMPLATE.format(
ray_type="br_x509_trust_anchor",
ray_name=cert_var,
ray_data='\n'.join(CAs))
# create final header file
output_file.write(CFILE_TEMPLATE.format(
guard_name=os.path.splitext(output_file.name)[0].upper(),
cert_description=cert_desc_out,
cert_length_var=cert_length_var,
cert_length=str(len(certs)),
cert_data=cert_data_out,
))

125
tools/pycert_bearssl/pycert_bearssl.py Normal file
View file

@ -0,0 +1,125 @@
# Python SSL certificate conversion tool.
# Download and converts SSL certs from PEM format into a C header that can be
# referenced from a sketch to load the certificate data (in binary DER format).
# Modified by the OPEnS lab to output certificate data in a format supported by
# BearSSL.
# Author: Tony DiCola, Modified by Noah Koontz
#
# Dependencies:
# click - Install with 'sudo pip install click' (omit sudo on windows)
# PyOpenSSL - See homepage: https://pyopenssl.readthedocs.org/en/latest/
# Should just be a 'sudo pip install pyopenssl' command, HOWEVER
# on Windows you probably need a precompiled binary version. Try
# installing with pip and if you see errors when running that
# OpenSSL can't be found then try installing egenix's prebuilt
# PyOpenSSL library and OpenSSL lib:
# http://www.egenix.com/products/python/pyOpenSSL/
#
import cert_util
import click
import certifi
# Default name for the cert length varible
CERT_LENGTH_NAME = "TAs_NUM"
# Defualt name for the cert array varible
CERT_ARRAY_NAME = "TAs"
# Click setup and commands:
@click.group()
def pycert_bearssl():
"""OPEnS Python Certificate Tool
This is a tool to download and convert SSL certificates and certificate
chains into a C header format that can be imported into BearSSL
"""
pass
@pycert_bearssl.command(short_help='Download SSL certs and save as a C header.')
@click.option('--port', '-p', type=click.INT, default=443,
help='port to use for reading certificate (default 443, SSL)')
@click.option('--cert-var', '-c', default=CERT_ARRAY_NAME,
help='name of the variable in the header which will contain certificate data (default: {0})'.format(CERT_ARRAY_NAME))
@click.option('--cert-length-var', '-l', default=CERT_LENGTH_NAME,
help='name of the define in the header which will contain the length of the certificate data (default: {0})'.format(CERT_LENGTH_NAME))
@click.option('--output', '-o', type=click.File('w'), default='certificates.h',
help='name of the output file (default: certificates.h)')
@click.option('--use-store', '-s', type=click.File('r'), default=certifi.where(),
help='the location of the .pem file containing a list of trusted root certificates (default: use certifi.where())')
@click.option('--keep-dupes', '-d', is_flag=True, default=False,
help='write all certs including any duplicates across domains (default: remove duplicates)')
@click.argument('domain', nargs=-1)
def download(port, cert_var, cert_length_var, output, use_store, keep_dupes, domain):
"""Download the SSL certificates for specified domain(s) and save them as a C
header file that can be imported into a sketch.
Provide at least one argument that is the domain to query for its SSL
certificate, for example google.com for Google's SSL certificate. You can
provide any number of domains as additional arguments. All of the certificates
will be combined into a single output header.
By default the file 'certificates.h' will be created, however you can change
the name of the file with the --output option.
If a chain of certificates is retrieved then only the root certificate (i.e.
the last in the chain) will be saved. However you can override this and
force the full chain to be saved with the --full-chain option.
Example of downloading google.com's SSL certificate and storing it in
certificates.h:
pycert download google.com
Example of downloading google.com and adafruit.com's SSL certificates and
storing them in data.h:
pycert download --output data.h google.com adafruit.com
Note that the certificates will be validated before they are downloaded!
"""
# prepare the root certificate store
cert_obj_store = cert_util.parse_root_certificate_store(use_store)
cert_dict = dict([(cert.get_subject().hash(), cert) for cert in cert_obj_store])
# Download the cert object for each provided domain.
down_certs = []
for d in domain:
# Download the certificate (unfortunately python will _always_ try to
# validate it so we have no control over turning that off).
cert = cert_util.get_server_root_cert(d, port, cert_dict)
if cert is None:
raise click.ClickException('Could not download and/or validate the certificate for {0} port {1}!'.format(d, port))
click.echo('Retrieved certificate for {0}'.format(d))
# append cert to array
down_certs.append(cert)
# Combine PEMs and write output header.
cert_util.x509_to_header(down_certs, cert_var, cert_length_var, output, keep_dupes)
@pycert_bearssl.command(short_help='Convert PEM certs into a C header.')
@click.option('--cert-var', '-c', default=CERT_ARRAY_NAME,
help='name of the variable in the header which will contain certificate data (default: {0})'.format(CERT_ARRAY_NAME))
@click.option('--cert-length-var', '-l', default=CERT_LENGTH_NAME,
help='name of the define in the header which will contain the length of the certificate data (default: {0})'.format(CERT_LENGTH_NAME))
@click.option('--output', '-o', type=click.File('w'), default='certificates.h',
help='name of the output file (default: certificates.h)')
@click.option('--full-chain', '-f', is_flag=True, default=False,
help='use the full certificate chain and not just the root/last cert (default: false, root cert only)')
@click.option('--keep-dupes', '-d', is_flag=True, default=False,
help='write all certs including any duplicates (default: remove duplicates)')
@click.argument('cert', type=click.File('r'), nargs=-1)
def convert(cert_var, cert_length_var, output, full_chain, keep_dupes, cert):
"""Convert PEM certificates into a C header that can be imported into a
sketch. Specify each certificate to encode as a separate argument (each
must be in PEM format) and they will be merged into a single file.
By default the file 'certificates.h' will be created, however you can change
the name of the file with the --output option.
If a chain of certificates is found then only the root certificate (i.e.
the last in the chain) will be saved. However you can override this and
force the full chain to be saved with the --full-chain option.
Example of converting a foo.pem certificate into a certificates.h header:
pycert convert foo.pem
Example of converting foo.pem and bar.pem certificates into data.h:
pycert convert foo.pem bar.pem
"""
# Load all the provided PEM files.
pems = []
for c in cert:
cert_pem = c.read()
click.echo('Loaded certificate {0}'.format(c.name))
pems.append(cert_pem)
# Combine PEMs and write output header.
PEM_to_header(pems, cert_var, cert_length_var, output, full_chain, keep_dupes)
if __name__ == '__main__':
pycert_bearssl()