SSL and confirming certs

Yogesh Chawla - PD premiergeneration at yahoo.com
Thu Oct 26 13:56:22 EDT 2006


Hello All,
Here is a script I wrote to validate the cert sent by
the server.  It just makes system calls to openssl.
This is because Python support is inadequate in this
area.  Let me know if this is helpful.  I monkeyed
with twisted, m2crypto, pyopenssl, and found myself
sinking into a deep depression:

import commands
import sys
import urllib

# Get a file-like object for the CRL; this is the URL of the CRL
f = urllib.urlopen("http://devca.wijis.state.wi.us/certenroll/devca.wijis.state.wi.us.crl")

# Read from the object, storing the page's contents in 's'
s = f.read()
f.close()

# Write the CRL in DER format to a file (binary mode, since DER is binary)
outFile = open('./tempCerts/crlDER.crl', 'wb')
outFile.write(s)
outFile.close()

# Convert the CRL using openssl to a PEM file
commands.getoutput('openssl crl -in ./tempCerts/crlDER.crl -out ./tempCerts/crlPEM.crl -inform DER')

# Store the root and intermediary of the server cert in a file
# called yourChain.cer, here it is WijisChain.cer
# Copy your CRL and your chain to tempCertChain.cer
outFile = open('./tempCerts/tempCertChain.cer', 'w')
outFilePermCer = open('./tempCerts/WijisChain.cer', 'r')
outFileCRL = open('./tempCerts/crlPEM.crl', 'r')

outFile.write(outFilePermCer.read())
outFile.write(outFileCRL.read())
outFile.close()
outFilePermCer.close()
outFileCRL.close()

# Now actually get the server cert; don't know if this works on Windows
# You must pass in your client cert and private key
# Enter the server host and port
bigString = commands.getoutput('echo | openssl s_client -connect SERVER:PORT -key myserver.key -cert Yogesh02.cer')

# Get the server cert out by parsing the output of the above openssl command
blockBegin = '-----BEGIN CERTIFICATE-----'
blockEnd = '-----END CERTIFICATE-----'

beginOuter = bigString.find(blockBegin)
if beginOuter < 0:
    print 'Unable to continue: block begin string not found'
    sys.exit(1)

beginInner = beginOuter + len(blockBegin)

# Search for the end marker only after the begin marker
endInner = bigString.find(blockEnd, beginInner)
if endInner < 0:
    print 'Unable to continue: block end string not found'
    sys.exit(1)

endOuter = endInner + len(blockEnd)

blockWithDelims = bigString[beginOuter:endOuter]
blockWithoutDelims = bigString[beginInner:endInner]

# Write the server cert to a file
outFile = open('./tempCerts/server.cer', 'w')
outFile.write(blockWithDelims)
outFile.write('\n')
outFile.close()

# Verify the server cert and check it against the CRL as well
statusOutput = commands.getstatusoutput('openssl verify -CAfile ./tempCerts/tempCertChain.cer -purpose sslserver -crl_check ./tempCerts/server.cer')

# Look at the output and cry or rejoice, drink beer here/repeat
print statusOutput
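A Python 3 companion to the script above, added here and not part of the original post: it pulls every complete PEM block out of s_client output (so -showcerts output and a truncated block are handled, which a single find()/find() slice is not) and runs the same openssl verify step, making the -crl_check versus -crl_check_all distinction explicit. The sample s_client output is constructed, and openssl is assumed to be on PATH for verify_server_cert.

```python
import re
import subprocess

# One complete PEM certificate block as printed by "openssl s_client"
# (with -showcerts the whole chain the server sent is printed).
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL)


def extract_pem_certificates(s_client_output):
    """Return every complete PEM block, leaf first; a trailing BEGIN with
    no END (truncated output) is ignored rather than sliced blindly."""
    return [m.group(0) + "\n" for m in PEM_CERT_RE.finditer(s_client_output)]


def verify_server_cert(cert_pem, ca_bundle, crl_check_all=False):
    """Run "openssl verify" on one PEM cert read from stdin, against a PEM
    file holding the CA chain plus CRLs (tempCertChain.cer in the script).
    -crl_check checks only the leaf's CRL; -crl_check_all checks every
    certificate in the chain.  Returns (ok, openssl output)."""
    flag = "-crl_check_all" if crl_check_all else "-crl_check"
    proc = subprocess.run(
        ["openssl", "verify", "-CAfile", ca_bundle, "-purpose", "sslserver", flag],
        input=cert_pem.encode(), capture_output=True)
    return proc.returncode == 0, (proc.stdout + proc.stderr).decode()


# Constructed sample of s_client -showcerts output: two fake certificates
# (the bodies are placeholders, not real DER) and one truncated block.
SAMPLE_S_CLIENT_OUTPUT = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = server.example.test
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
LEAFBODYLINE1
LEAFBODYLINE2
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATEBODY
-----END CERTIFICATE-----
---
-----BEGIN CERTIFICATE-----
TRUNCATED
"""

if __name__ == "__main__":
    for cert in extract_pem_certificates(SAMPLE_S_CLIENT_OUTPUT):
        print(cert)
```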