Certificate Transparency utility library and scripts.
Detailed description of the Python project ctutlz
-> CT deployment study <https://theno.github.io/presi-ct-deployment> <-
CTUTLZ
Python utility library and tools for Certificate Transparency.
It is the first implementation in Python that verifies the SCTs a server delivers during the TLS handshake by certificate extension, by TLS extension, and by OCSP stapling, using the OpenSSL C-API directly (no subprocess is forked to call any openssl command).
* Usage
* verify-scts
* ctloglist
* decompose-cert
* API
* Installation
* Development
* Fabfile
* Devel-Commands
Usage
verify-scts
> verify-scts --help
usage: verify-scts [-h] [--short | --debug]
[--cert-only | --tls-only | --ocsp-only]
[--log-list <filename> | --latest-logs]
hostname [hostname ...]
Verify Signed Certificate Timestamps (SCTs) delivered from one or several
hosts by X.509v3 extension, TLS extension, or OCSP stapling
positional arguments:
hostname host name of the server (example: 'ritter.vg')
optional arguments:
-h, --help show this help message and exit
--short show short results and warnings/errors only
--debug show more for diagnostic purposes
--cert-only only verify SCTs included in the certificate
--tls-only only verify SCTs gathered from TLS handshake
--ocsp-only only verify SCTs gathered via OCSP request
--log-list <filename>
filename of a log list in JSON format
--latest-logs for SCT verification against known CT Logs (compliant
with Chrome's CT policy) download latest version of
https://www.certificate-transparency.org/known-
logs/all_logs_list.json -- use built-in log list
really_all_logs.json from 2017-08-11 if --latest-logs
or --log-list are not set
Examples:
> verify-scts google.com --short

# google.com

## SCTs by Certificate

no SCTs

## SCTs by TLS

```
LogID b64 : pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA=
Sign. b64 : MEUCIGUHno90gGUepkOAkIWf0js56ce7FVnq1sXRM+cW8xdzAiEAzTRcHqxnBTTBceBlniPpc8OmyxJQLK6nQY8VW3bUsZk=
Log found : Google 'Pilot' log
Result    : Verified OK
```

```
LogID b64 : 3esdK3oNT6Ygi4GtgWhwfi6OnQHVXIiNPRHEzbbsvsw=
Sign. b64 : MEYCIQDpSgD3XhIQfqmO0IpHIJma/lchgYbT5yLjlVUYDBOspAIhAOjiHIhceJn0zxrfaT36HMDyY55IntNJ0Ur394NJnU8B
Log found : Symantec log
Result    : Verified OK
```

## SCTs by OCSP

no SCTs

> verify-scts ritter.vg sslanalyzer.comodoca.com www.db.com
# has           ⇧             ⇧                   ⇧
# scts by:  TLS-extension  OCSP-extension   certificate (precert)

# nice: convert the markdown formatted output into other formats with pandoc
domain=ritter.vg
fmt=pdf  # {pdf,html,rst,...}
verify-scts $domain 2>&1 | pandoc --from=markdown -o $domain-scts.$fmt
ctloglist
> ctloglist --help
usage: ctloglist [-h] [-v] [--short | --debug] [--json | --schema]

Download, merge and summarize known logs for Certificate Transparency (CT)

optional arguments:
  -h, --help     show this help message and exit
  -v, --version  print version number
  --short        show short results
  --debug        show more for diagnostic purposes
  --json         print merged log lists as json
  --schema       print json schema

Print output to stdout, warning and errors to stderr.

Currently there exist three log lists with differing infos:
  1. listing of webpage https://www.certificate-transparency.org/known-logs
  2. log_list.json
  3. all_logs_list.json
This three log lists will be merged into one list in the future.
Created with ctloglist:
* really_all_logs.md
* really_all_logs.json
Examples:
# list really all known logs
# infos aggregated from:
#  * log_list.json
#  * all_logs.json
#  * from log list webpage

# overview
> ctloglist --short

# full, aggregated info
> ctloglist

# write into a json file
> ctloglist --json > really_all_logs.json

# only show inconsistencies of the ct log lists
> ctloglist 1>/dev/null
decompose-cert
> decompose-cert --help
usage: decompose-cert [-h] [-v] --cert <filename> [--tbscert <filename>]
[--sign-algo <filename>] [--signature <filename>]
Decompose an ASN.1 certificate into its components tbsCertificate in DER
format, signatureAlgorithm in DER format, and signatureValue as bytes
according to https://tools.ietf.org/html/rfc5280#section-4.1
optional arguments:
-h, --help show this help message and exit
-v, --version print version number
--tbscert <filename> write extracted tbsCertificate to this file (DER
encoded)
--sign-algo <filename>
write extracted signatureAlgorithm to this file (DER
encoded)
--signature <filename>
write extracted signatureValue to this file
required arguments:
--cert <filename> Certificate in PEM, Base64, or DER format
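As an added example (not ctutlz's own code), a minimal DER walk that performs the same RFC 5280 section 4.1 split that decompose-cert does, run on a constructed certificate-shaped input rather than a real certificate; `tlv`, `to_pem` and the `SAMPLE_*` values exist only to build that input:

```python
import base64
import re

def read_tlv(der, pos):
    """Parse one DER TLV starting at pos; return (tag, value, end_offset)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError('indefinite or oversized DER length')
        length, pos = int.from_bytes(der[pos:pos + n], 'big'), pos + n
    end = pos + length
    if end > len(der):
        raise ValueError('truncated DER element')
    return tag, der[pos:end], end

def decompose_cert(cert):
    """Split a PEM- or DER-encoded certificate into its three RFC 5280 parts."""
    if cert.lstrip().startswith(b'-----BEGIN'):
        cert = base64.b64decode(re.sub(rb'-----[^-]+-----|\s', b'', cert))
    tag, body, end = read_tlv(cert, 0)
    if tag != 0x30 or end != len(cert):
        raise ValueError('certificate is not a single DER SEQUENCE')
    t1, _, p1 = read_tlv(body, 0)        # tbsCertificate      SEQUENCE
    t2, _, p2 = read_tlv(body, p1)       # signatureAlgorithm  SEQUENCE
    t3, bits, p3 = read_tlv(body, p2)    # signatureValue      BIT STRING
    if (t1, t2, t3) != (0x30, 0x30, 0x03) or p3 != len(body) or bits[:1] != b'\x00':
        raise ValueError('unexpected certificate structure')
    return body[:p1], body[p1:p2], bits[1:]   # drop the BIT STRING unused-bits byte

def tlv(tag, value):
    """Encode one DER TLV with a definite short- or long-form length."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, 'big')
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def to_pem(der):
    """Wrap DER bytes in PEM armor to exercise the PEM input path."""
    return (b'-----BEGIN CERTIFICATE-----\n' + base64.encodebytes(der)
            + b'-----END CERTIFICATE-----\n')

# Constructed sample, not a real certificate: a tbsCertificate stand-in long enough
# to need a long-form length, sha256WithRSAEncryption (1.2.840.113549.1.1.11) as
# the algorithm identifier, and a 4-byte dummy signature.
SAMPLE_TBS = tlv(0x30, b'\x02\x01\x02' + tlv(0x04, b'A' * 200))
SAMPLE_ALGO = tlv(0x30, tlv(0x06, bytes.fromhex('2a864886f70d01010b')) + b'\x05\x00')
SAMPLE_SIG = bytes.fromhex('deadbeef')
SAMPLE_CERT_DER = tlv(0x30, SAMPLE_TBS + SAMPLE_ALGO + tlv(0x03, b'\x00' + SAMPLE_SIG))
```

The three returned parts are exactly what `--tbscert`, `--sign-algo` and `--signature` write to their files: the first two still carry their SEQUENCE headers, the signature is the raw bytes.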
API
Import the modules in your Python code, for example:
> python3.6
>>> from ctutlz.ctlog import download_log_list
>>> from ctutlz.scripts.verify_scts import verify_scts_by_tls
>>> from ctutlz.tls.handshake import do_handshake
>>>
>>> ctlogs = download_log_list()
>>> handshake_res = do_handshake('google.com')
>>> verifications = verify_scts_by_tls(handshake_res, ctlogs)
>>> for ver in verifications:
...     print(f'{ver.verified}: {ver.log.description}')
...
True: Google 'Pilot' log
True: Symantec log
>>>
>>> from ctutlz.rfc6962 import SignedCertificateTimestamp, MerkleTreeLeaf
Development
Clone the source code repository:
git clone https://github.com/theno/ctutlz.git
cd ctutlz
Fabfile
fabfile.py contains devel tasks to be executed with Fabric (maybe you need to install it):
> fab -l
Available commands:

    clean    Delete temporary files not under version control.
    pypi     Build package and upload to pypi.
    pythons  Install latest pythons with pyenv.
    test     Run unit tests.
    tox      Run tox.

# Show task details, e.g. for task `test`:
> fab -d test
Run unit tests.

    Keyword-Args:
        args: Optional arguments passed to pytest
        py: python version to run the tests against

    Example: fab test:args=-s,py=py27
First, set up the development environment with pyenv and virtualenvs using tox:
fab pythons
fab tox
tox creates virtualenvs for the different Python versions (if they do not exist yet) and runs the unit tests against each virtualenv.
On Ubuntu 16.04 you have to install libpython-dev and libpython3-dev so that the Python-2.7 and Python-3.5 virtualenvs work:
sudo apt-get install libpython-dev libpython3-dev
# Then, rebuild the non-working Python-2.7 and Python-3.5 virtualenv and
# run the unit tests:
fab tox:'-e py27 -e py35 --recreate'
Devel-Commands
Run unit tests against several Python versions with tox (the Python versions listed in the envlist of tox.ini need to be installed with pyenv):
python3.6 -m tox
# only against one python version:
python3.6 -m tox -e py27
# rebuild virtual environments:
python3.6 -m tox -r
Run unit tests with pytest (uses a tox virtualenv; replace py36 with e.g. py27 where applicable):
PYTHONPATH='.' .tox/py36/bin/python -m pytest
# show output
PYTHONPATH='.' .tox/py36/bin/python -m pytest -s
Run the tool verify-scts from source:
PYTHONPATH='.' .tox/py36/bin/python ctutlz/scripts/verify_scts.py -h
Update really_all_logs.md and really_all_logs.json:
.tox/py36/bin/ctloglist > ctutlz/really_all_logs.md
.tox/py36/bin/ctloglist --json > ctutlz/really_all_logs.json