added support for certificate chain download

Author: eeisegn

CHANGELOG.md

@@ -9,7 +9,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Upcoming changes...
 
-## [1.4.0] - 2023-01-01
+## [1.4.2] - 2023-03-09
+### Fixed
+- Fixed issue with custom certificate when scanning (--ca-cert)
+### Added
+- Added support to download full certificate chain with:
+  - `cert_download.sh`
+  - `scanoss-py utils cdl`
+
+## [1.4.0] - 2023-03-01
 ### Added
 - Added support for fast winnowing (15x improvement) thanks to a contribution from [tardyp](https://github.com/tardyp)
   - This is enabled by a supporting package; [scanoss_winnowing](https://github.com/scanoss/scanoss-winnowing.py).
@@ -209,3 +217,4 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [1.3.6]: https://github.com/scanoss/scanoss.py/compare/v1.3.5...v1.3.6
 [1.3.7]: https://github.com/scanoss/scanoss.py/compare/v1.3.6...v1.3.7
 [1.4.0]: https://github.com/scanoss/scanoss.py/compare/v1.3.7...v1.4.0
+[1.4.2]: https://github.com/scanoss/scanoss.py/compare/v1.4.0...v1.4.2

cert_download.sh

@@ -100,4 +100,4 @@ if [ $force -eq 0 ] && [ -f "$pemfile" ] ; then
 fi
 echo "Attempting to get PEM certificate from $host:$port and saving to $pemfile ..."
 
-openssl s_client -showcerts -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null | openssl x509 -outform PEM > "$pemfile"
+openssl s_client -showcerts -verify 5 -connect "$host:$port" -servername "$host" < /dev/null 2> /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; print}' > "$pemfile"

requirements.txt

@@ -5,4 +5,5 @@ progress
 grpcio>1.42.0
 protobuf>3.19.1
 pypac
-urllib3
+urllib3
+pyOpenSSL

setup.cfg

@@ -32,6 +32,7 @@ install_requires =
     grpcio>1.42.0
     protobuf>3.19.1
     pypac
+    pyOpenSSL
 
 [options.extras_require]
 fast_winnowing =

src/scanoss/__init__.py

@@ -22,4 +22,4 @@
    THE SOFTWARE.
 """
 
-__version__ = '1.4.1'
+__version__ = '1.4.2'

src/scanoss/cli.py

@@ -561,43 +561,40 @@ def utils_cert_download(_, args):
     :param _: ignore/unused
     :param args: Parsed arguments
     """
-    import ssl
     from urllib.parse import urlparse
     import socket
+    from OpenSSL import SSL, crypto
     import traceback
 
     file = sys.stdout
     hostname = 'unset'
     port = 'unkown'
+    if args.output:
+        file = open(args.output, 'w')
+    parsed_url = urlparse(args.hostname)
+    hostname = parsed_url.hostname or args.hostname  # Use the parse hostname, or it None use the supplied one
+    port = int(parsed_url.port or args.port)  # Use the parsed port, if not use the supplied one (default 443)
+    certs = []
     try:
-        if args.output:
-            file = open(args.output, 'w')
-        parsed_url = urlparse(args.hostname)
-        hostname = parsed_url.hostname or args.hostname  # Use the parse hostname, or it None use the supplied one
-        port = int(parsed_url.port or args.port)  # Use the parsed port, if not use the supplied one (default 443)
-        conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-        context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
-        sock = context.wrap_socket(conn, server_hostname=hostname)
-        if not args.quiet or args.debug:
-            print_stderr(f'Attempting to download PEM certificate from {hostname}:{port} ...')
         if args.debug:
-            print_stderr('Connecting to host...')
-        sock.connect((hostname, port))
-        if args.debug:
-            print_stderr('Getting peer cert...')
-        peer_cert = sock.getpeercert(True)
-        if not peer_cert:
-            print_stderr(f'Error: Failed to download peer certificate data from {hostname}:{port}')
-            exit(1)
-        if args.debug:
-            print_stderr('Converting DER to PEM...')
-        cert_data = ssl.DER_cert_to_PEM_cert(peer_cert)
-        if not cert_data or cert_data == '':
-            print_stderr(f'Error: Failed to convert certificate data to PEM from {hostname}:{port}')
-            exit(1)
-        else:
-            print(cert_data.strip(), file=file)  # Print the downloaded PEM certificate
-    except Exception as e:
+            print_stderr(f'Connecting to {hostname} on {port}...')
+        conn = SSL.Connection(SSL.Context(SSL.TLSv1_2_METHOD), socket.socket())
+        conn.connect((hostname, port))
+        conn.do_handshake()
+        certs = conn.get_peer_cert_chain()
+        for index, cert in enumerate(certs):
+            cert_components = dict(cert.get_subject().get_components())
+            if(sys.version_info[0] >= 3):
+                cn = cert_components.get(b'CN')
+            else:
+                cn = cert_components.get('CN')
+            if not args.quiet:
+                print_stderr(f'Centificate {index} - CN: {cn}')
+            if(sys.version_info[0] >= 3):
+                print((crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode('utf-8')).strip(), file=file)  # Print the downloaded PEM certificate
+            else:
+                print((crypto.dump_certificate(crypto.FILETYPE_PEM, cert)).strip(), file=file)
+    except SSL.Error as e:
         print_stderr(f'ERROR: Exception ({e.__class__.__name__}) Downloading certificate from {hostname}:{port} - {e}.')
         if args.debug:
             traceback.print_exc()