How to use the oscrypto._mac._security.Security function in oscrypto
To help you get started, we’ve selected a few oscrypto examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
wbond / oscrypto / oscrypto / _mac / symmetric.py View on Github 
cf_key = None
cf_data = None
cf_iv = None
sec_key = None
sec_transform = None
try:
cf_dict = CFHelpers.cf_dictionary_from_pairs([(Security.kSecAttrKeyType, cipher)])
cf_key = CFHelpers.cf_data_from_bytes(key)
cf_data = CFHelpers.cf_data_from_bytes(data)
error_pointer = new(CoreFoundation, 'CFErrorRef *')
sec_key = Security.SecKeyCreateFromData(cf_dict, cf_key, error_pointer)
handle_cf_error(error_pointer)
sec_transform = Security.SecDecryptTransformCreate(sec_key, error_pointer)
handle_cf_error(error_pointer)
if cipher != Security.kSecAttrKeyTypeRC4:
Security.SecTransformSetAttribute(sec_transform, Security.kSecModeCBCKey, null(), error_pointer)
handle_cf_error(error_pointer)
Security.SecTransformSetAttribute(sec_transform, Security.kSecPaddingKey, padding, error_pointer)
handle_cf_error(error_pointer)
cf_iv = CFHelpers.cf_data_from_bytes(iv)
Security.SecTransformSetAttribute(sec_transform, Security.kSecIVKey, cf_iv, error_pointer)
handle_cf_error(error_pointer)
Security.SecTransformSetAttribute(
sec_transform,
Security.kSecTransformInputAttributeName,handle_sec_error(result)
if disable_auto_validation:
result = Security.SSLSetEnableCertVerify(session_context, False)
handle_sec_error(result)
else:
protocol_consts = [_PROTOCOL_STRING_CONST_MAP[protocol] for protocol in self._session._protocols]
min_protocol = min(protocol_consts)
max_protocol = max(protocol_consts)
result = Security.SSLSetProtocolVersionMin(
session_context,
min_protocol
)
handle_sec_error(result)
result = Security.SSLSetProtocolVersionMax(
session_context,
max_protocol
)
handle_sec_error(result)
if disable_auto_validation:
result = Security.SSLSetSessionOption(
session_context,
SecurityConst.kSSLSessionOptionBreakOnServerAuth,
True
)
handle_sec_error(result)
# Disable all sorts of bad cipher suites
supported_ciphers_pointer = new(Security, 'size_t *')
result = Security.SSLGetNumberSupportedCiphers(session_context, supported_ciphers_pointer)cf_dict = CFHelpers.cf_dictionary_from_pairs([(Security.kSecAttrKeyType, cipher)])
cf_key = CFHelpers.cf_data_from_bytes(key)
cf_data = CFHelpers.cf_data_from_bytes(data)
error_pointer = new(CoreFoundation, 'CFErrorRef *')
sec_key = Security.SecKeyCreateFromData(cf_dict, cf_key, error_pointer)
handle_cf_error(error_pointer)
sec_transform = Security.SecDecryptTransformCreate(sec_key, error_pointer)
handle_cf_error(error_pointer)
if cipher != Security.kSecAttrKeyTypeRC4:
Security.SecTransformSetAttribute(sec_transform, Security.kSecModeCBCKey, null(), error_pointer)
handle_cf_error(error_pointer)
Security.SecTransformSetAttribute(sec_transform, Security.kSecPaddingKey, padding, error_pointer)
handle_cf_error(error_pointer)
cf_iv = CFHelpers.cf_data_from_bytes(iv)
Security.SecTransformSetAttribute(sec_transform, Security.kSecIVKey, cf_iv, error_pointer)
handle_cf_error(error_pointer)
Security.SecTransformSetAttribute(
sec_transform,
Security.kSecTransformInputAttributeName,
cf_data,
error_pointer
)
handle_cf_error(error_pointer)
plaintext = Security.SecTransformExecute(sec_transform, error_pointer)
handle_cf_error(error_pointer)crl_policy_ref,
ocsp_policy_ref
])
result = Security.SecTrustSetPolicies(trust_ref, policy_array_ref)
handle_sec_error(result)
if self._session._extra_trust_roots:
ca_cert_refs = []
ca_certs = []
for cert in self._session._extra_trust_roots:
ca_cert = load_certificate(cert)
ca_certs.append(ca_cert)
ca_cert_refs.append(ca_cert.sec_certificate_ref)
result = Security.SecTrustSetAnchorCertificatesOnly(trust_ref, False)
handle_sec_error(result)
array_ref = CFHelpers.cf_array_from_list(ca_cert_refs)
result = Security.SecTrustSetAnchorCertificates(trust_ref, array_ref)
handle_sec_error(result)
result_pointer = new(Security, 'SecTrustResultType *')
result = Security.SecTrustEvaluate(trust_ref, result_pointer)
handle_sec_error(result)
trust_result_code = deref(result_pointer)
invalid_chain_error_codes = set([
SecurityConst.kSecTrustResultProceed,
SecurityConst.kSecTrustResultUnspecified
])
if trust_result_code not in invalid_chain_error_codes:def _shutdown(self, manual):
"""
Shuts down the TLS session and then shuts down the underlying socket
:param manual:
A boolean if the connection was manually shutdown
"""
if self._session_context is None:
return
# Ignore error during close in case other end closed already
result = Security.SSLClose(self._session_context)
if osx_version_info < (10, 8):
result = Security.SSLDisposeContext(self._session_context)
handle_sec_error(result)
else:
result = CoreFoundation.CFRelease(self._session_context)
handle_cf_error(result)
self._session_context = None
if manual:
self._local_closed = True
try:
self._socket.shutdown(socket_.SHUT_RDWR)
except (socket_.error):
passif osx_version_info < (10, 10):
dh_params_length = get_dh_params_length(self._server_hello)
if dh_params_length is not None and dh_params_length < 1024:
raise_dh_params()
would_block = handshake_result == SecurityConst.errSSLWouldBlock
server_auth_complete = handshake_result == SecurityConst.errSSLServerAuthCompleted
manual_validation = self._session._manual_validation and server_auth_complete
if not would_block and not manual_validation:
handle_sec_error(handshake_result, TLSError)
self._session_context = session_context
protocol_const_pointer = new(Security, 'SSLProtocol *')
result = Security.SSLGetNegotiatedProtocolVersion(
session_context,
protocol_const_pointer
)
handle_sec_error(result)
protocol_const = deref(protocol_const_pointer)
self._protocol = _PROTOCOL_CONST_STRING_MAP[protocol_const]
cipher_int_pointer = new(Security, 'SSLCipherSuite *')
result = Security.SSLGetNegotiatedCipher(
session_context,
cipher_int_pointer
)
handle_sec_error(result)
cipher_int = deref(cipher_int_pointer)trust_ref = None
cf_data_ref = None
result = None
try:
trust_ref_pointer = new(Security, 'SecTrustRef *')
result = Security.SSLCopyPeerTrust(
self._session_context,
trust_ref_pointer
)
handle_sec_error(result)
trust_ref = unwrap(trust_ref_pointer)
number_certs = Security.SecTrustGetCertificateCount(trust_ref)
self._intermediates = []
for index in range(0, number_certs):
sec_certificate_ref = Security.SecTrustGetCertificateAtIndex(
trust_ref,
index
)
cf_data_ref = Security.SecCertificateCopyData(sec_certificate_ref)
cert_data = CFHelpers.cf_data_to_bytes(cf_data_ref)
result = CoreFoundation.CFRelease(cf_data_ref)
handle_cf_error(result)
cf_data_ref = Nonenum_good_ciphers = len(good_ciphers)
good_ciphers_array = new(Security, 'uint32_t[]', num_good_ciphers)
array_set(good_ciphers_array, good_ciphers)
good_ciphers_pointer = cast(Security, 'uint32_t *', good_ciphers_array)
result = Security.SSLSetEnabledCiphers(
session_context,
good_ciphers_pointer,
num_good_ciphers
)
handle_sec_error(result)
# Set a peer id from the session to allow for session reuse, the hostname
# is appended to prevent a bug on OS X 10.7 where it tries to reuse a
# connection even if the hostnames are different.
peer_id = self._session._peer_id + self._hostname.encode('utf-8')
result = Security.SSLSetPeerID(session_context, peer_id, len(peer_id))
handle_sec_error(result)
handshake_result = Security.SSLHandshake(session_context)
if self._exception is not None:
exception = self._exception
self._exception = None
raise exception
while handshake_result == SecurityConst.errSSLWouldBlock:
handshake_result = Security.SSLHandshake(session_context)
if self._exception is not None:
exception = self._exception
self._exception = None
raise exception
if osx_version_info < (10, 8) and osx_version_info >= (10, 7):
do_validation = explicit_validation and handshake_result == 0"""
Loads an ASN.1 object of an x509 certificate into a Certificate object
:param certificate:
An asn1crypto.x509.Certificate object
:return:
A Certificate object
"""
source = certificate.dump()
cf_source = None
try:
cf_source = CFHelpers.cf_data_from_bytes(source)
sec_key_ref = Security.SecCertificateCreateWithData(CoreFoundation.kCFAllocatorDefault, cf_source)
return Certificate(sec_key_ref, certificate)
finally:
if cf_source:
CoreFoundation.CFRelease(cf_source)for domain in [SecurityConst.kSecTrustSettingsDomainUser, SecurityConst.kSecTrustSettingsDomainAdmin]:
cert_trust_settings_pointer_pointer = new(CoreFoundation, 'CFArrayRef *')
res = Security.SecTrustSettingsCopyCertificates(domain, cert_trust_settings_pointer_pointer)
if res == SecurityConst.errSecNoTrustSettings:
continue
handle_sec_error(res)
cert_trust_settings_pointer = unwrap(cert_trust_settings_pointer_pointer)
length = CoreFoundation.CFArrayGetCount(cert_trust_settings_pointer)
for index in range(0, length):
cert_pointer = CoreFoundation.CFArrayGetValueAtIndex(cert_trust_settings_pointer, index)
trust_settings_pointer_pointer = new(CoreFoundation, 'CFArrayRef *')
res = Security.SecTrustSettingsCopyTrustSettings(cert_pointer, domain, trust_settings_pointer_pointer)
# In OS X 10.11, this value started being seen. From the comments in
# the Security Framework Reference, the lack of any settings should
# indicate "always trust this certificate"
if res == SecurityConst.errSecItemNotFound:
continue
# If the trust settings for a certificate are invalid, we need to
# assume the certificate should not be trusted
if res == SecurityConst.errSecInvalidTrustSettings:
der_cert, cert_hash = _cert_details(cert_pointer)
if cert_hash in certificates:
_cert_callback(
cert_callback,
certificates[cert_hash],
'invalid trust settings'oscrypto
TLS (SSL) sockets, key generation, encryption, decryption, signing, verification and KDFs using the OS crypto libraries. Does not require a compiler, and relies on the OS for patching. Works on Windows, OS X and Linux/BSD.
Package Health Score
76 / 100Popular oscrypto functions
- oscrypto._asn1.int_from_bytes
- oscrypto._asn1.int_to_bytes
- oscrypto._errors.pretty_message
- oscrypto._ffi.buffer_from_bytes
- oscrypto._ffi.bytes_from_buffer
- oscrypto._ffi.deref
- oscrypto._ffi.is_null
- oscrypto._ffi.new
- oscrypto._ffi.null
- oscrypto._ffi.struct
- oscrypto._ffi.unwrap
- oscrypto._int.fill_width
- oscrypto._mac._core_foundation.CoreFoundation.CFRelease
- oscrypto._mac._security.handle_sec_error
- oscrypto._mac._security.Security
- oscrypto._mac._security.Security.SecTransformSetAttribute
- oscrypto._openssl._libcrypto.handle_openssl_error
- oscrypto._types.type_name
- oscrypto._win._advapi32.handle_error
- oscrypto.asymmetric.load_public_key