def _create_socket(self):
# TODO: remove the try block once python-nss is guaranteed to contain
# these values
try:
#pylint: disable=E1101
ssl_enable_renegotiation = ssl.SSL_ENABLE_RENEGOTIATION
ssl_require_safe_negotiation = ssl.SSL_REQUIRE_SAFE_NEGOTIATION
ssl_renegotiate_requires_xtn = ssl.SSL_RENEGOTIATE_REQUIRES_XTN
except:
ssl_enable_renegotiation = 20
ssl_require_safe_negotiation = 21
ssl_renegotiate_requires_xtn = 2
# Create the socket here so we can do things like let the caller
# override the NSS callbacks
self.sock = ssl.SSLSocket(family=self.family)
self.sock.set_ssl_option(ssl.SSL_SECURITY, True)
self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
try:
self.sock.set_ssl_version_range(self.tls_version_min, self.tls_version_max)
except NSPRError as e:
root_logger.error('Failed to set TLS range to %s, %s' % (self.tls_version_min, self.tls_version_max))
raise
self.sock.set_ssl_option(ssl_require_safe_negotiation, False)
self.sock.set_ssl_option(ssl_enable_renegotiation, ssl_renegotiate_requires_xtn)
# Provide a callback which notifies us when the SSL handshake is complete
self.sock.set_handshake_callback(self.handshake_callback)
# Provide a callback to verify the servers certificate
self.sock.set_auth_certificate_callback(auth_certificate_callback,
nss.get_default_certdb())
self.sock.set_hostname(self.host)
def verify_ca_cert_validity(self, nickname):
certdb = cert = None
if nss.nss_is_initialized():
nss.nss_shutdown()
nss.nss_init(self.secdir)
try:
certdb = nss.get_default_certdb()
cert = nss.find_cert_from_nickname(nickname)
if not cert.subject:
raise ValueError("has empty subject")
try:
bc = cert.get_extension(nss.SEC_OID_X509_BASIC_CONSTRAINTS)
except KeyError:
raise ValueError("missing basic constraints")
bc = nss.BasicConstraints(bc.value)
if not bc.is_ca:
raise ValueError("not a CA certificate")
intended_usage = nss.certificateUsageSSLCA
try:
approved_usage = cert.verify_now(certdb, True, intended_usage)
except NSPRError as e:
if e.errno != -8102: # SEC_ERROR_INADEQUATE_KEY_USAGE
raise ValueError(e.strerror)
approved_usage = 0
if approved_usage & intended_usage != intended_usage:
raise ValueError('invalid for a CA')
finally:
del certdb, cert
nss.nss_shutdown()
def _create_socket(self):
ssl_enable_renegotiation = getattr(
ssl, 'SSL_ENABLE_RENEGOTIATION', 20)
ssl_require_safe_negotiation = getattr(
ssl,'SSL_REQUIRE_SAFE_NEGOTIATION', 21)
ssl_renegotiate_requires_xtn = getattr(
ssl, 'SSL_RENEGOTIATE_REQUIRES_XTN', 2)
# Create the socket here so we can do things like let the caller
# override the NSS callbacks
self.sock = ssl.SSLSocket(family=self.family)
self.sock.set_ssl_option(ssl.SSL_SECURITY, True)
self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
try:
self.sock.set_ssl_version_range(self.tls_version_min, self.tls_version_max)
except NSPRError:
root_logger.error('Failed to set TLS range to %s, %s' % (self.tls_version_min, self.tls_version_max))
raise
self.sock.set_ssl_option(ssl_require_safe_negotiation, False)
self.sock.set_ssl_option(ssl_enable_renegotiation, ssl_renegotiate_requires_xtn)
# Provide a callback which notifies us when the SSL handshake is complete
self.sock.set_handshake_callback(self.handshake_callback)
# Provide a callback to verify the servers certificate
self.sock.set_auth_certificate_callback(auth_certificate_callback,
nss.get_default_certdb())
self.sock.set_hostname(self.host)
def verify_server_cert_validity(self, nickname, hostname):
"""Verify a certificate is valid for a SSL server with given hostname
Raises a ValueError if the certificate is invalid.
"""
certdb = cert = None
if nss.nss_is_initialized():
nss.nss_shutdown()
nss.nss_init(self.secdir)
try:
certdb = nss.get_default_certdb()
cert = nss.find_cert_from_nickname(nickname)
intended_usage = nss.certificateUsageSSLServer
try:
approved_usage = cert.verify_now(certdb, True, intended_usage)
except NSPRError as e:
if e.errno != -8102:
raise ValueError(e.strerror)
approved_usage = 0
if not approved_usage & intended_usage:
raise ValueError('invalid for a SSL server')
if not cert.verify_hostname(hostname):
raise ValueError('invalid for server %s' % hostname)
finally:
del certdb, cert
nss.nss_shutdown()
return None
def verify_ca_cert_validity(self, nickname):
certdb = cert = None
if nss.nss_is_initialized():
nss.nss_shutdown()
nss.nss_init(self.secdir)
try:
certdb = nss.get_default_certdb()
cert = nss.find_cert_from_nickname(nickname)
if not cert.subject:
raise ValueError("has empty subject")
try:
bc = cert.get_extension(nss.SEC_OID_X509_BASIC_CONSTRAINTS)
except KeyError:
raise ValueError("missing basic constraints")
bc = nss.BasicConstraints(bc.value)
if not bc.is_ca:
raise ValueError("not a CA certificate")
intended_usage = nss.certificateUsageSSLCA
try:
approved_usage = cert.verify_now(certdb, True, intended_usage)
except NSPRError as e:
if e.errno != -8102: # SEC_ERROR_INADEQUATE_KEY_USAGE
raise ValueError(e.strerror)
approved_usage = 0
if approved_usage & intended_usage != intended_usage:
raise ValueError('invalid for a CA')
finally:
del certdb, cert
nss.nss_shutdown()
def verify_server_cert_validity(self, nickname, hostname):
"""Verify a certificate is valid for a SSL server with given hostname
Raises a ValueError if the certificate is invalid.
"""
certdb = cert = None
if nss.nss_is_initialized():
nss.nss_shutdown()
nss.nss_init(self.secdir)
try:
certdb = nss.get_default_certdb()
cert = nss.find_cert_from_nickname(nickname)
intended_usage = nss.certificateUsageSSLServer
try:
approved_usage = cert.verify_now(certdb, True, intended_usage)
except NSPRError as e:
if e.errno != -8102:
raise ValueError(e.strerror)
approved_usage = 0
if not approved_usage & intended_usage:
raise ValueError('invalid for a SSL server')
if not cert.verify_hostname(hostname):
raise ValueError('invalid for server %s' % hostname)
finally:
del certdb, cert
nss.nss_shutdown()
return None
def _create_socket(self):
# TODO: remove the try block once python-nss is guaranteed to contain
# these values
try:
#pylint: disable=E1101
ssl_enable_renegotiation = ssl.SSL_ENABLE_RENEGOTIATION
ssl_require_safe_negotiation = ssl.SSL_REQUIRE_SAFE_NEGOTIATION
ssl_renegotiate_requires_xtn = ssl.SSL_RENEGOTIATE_REQUIRES_XTN
except:
ssl_enable_renegotiation = 20
ssl_require_safe_negotiation = 21
ssl_renegotiate_requires_xtn = 2
# Create the socket here so we can do things like let the caller
# override the NSS callbacks
self.sock = ssl.SSLSocket(family=self.family)
self.sock.set_ssl_option(ssl.SSL_SECURITY, True)
self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
try:
self.sock.set_ssl_version_range(self.tls_version_min,
self.tls_version_max)
except NSPRError as e:
root_logger.error('Failed to set TLS range to %s, %s' %
(self.tls_version_min, self.tls_version_max))
raise
self.sock.set_ssl_option(ssl_require_safe_negotiation, False)
self.sock.set_ssl_option(ssl_enable_renegotiation,
ssl_renegotiate_requires_xtn)
# Provide a callback which notifies us when the SSL handshake is complete
self.sock.set_handshake_callback(self.handshake_callback)
# Provide a callback to verify the servers certificate
self.sock.set_auth_certificate_callback(auth_certificate_callback,
nss.get_default_certdb())
self.sock.set_hostname(self.host)
def connection_factory(host, port):
conn = nsslib.NSSConnection(host, port, dbdir=secdir)
conn.set_debuglevel(0)
conn.connect()
conn.sock.set_client_auth_data_callback(
nsslib.client_auth_data_callback,
nickname, password, nss.get_default_certdb())
return conn
def __init__(self, host, port, timeout=3, **kwargs):
http.client.HTTPConnection.__init__(
self, host, port, timeout=timeout, **kwargs)
log.info('%s init %s', self.__class__.__name__, host)
self.sock = None
self._timeout = timeout
self._certdb = nss.get_default_certdb()
def __init__(self, certdb=None, log=None, *args, **kwargs):
if not nss.nss_is_initialized():
NSSAdapterException('NSS is not initialized')
if certdb is None:
self.certdb = nss.get_default_certdb()
else:
self.certdb = certdb
self.log = log if log is not None else logger
super(NSSTransportAdapter, self).__init__(*args, **kwargs)
def client():
valid_addr = False
# Get the IP Address of our server
try:
addr_info = io.AddrInfo(options.hostname)
except:
print("ERROR: could not resolve hostname \"%s\"" % options.hostname)
return
for net_addr in addr_info:
net_addr.port = options.port
sock = ssl.SSLSocket(net_addr.family)
# Set client SSL socket options
sock.set_ssl_option(ssl.SSL_SECURITY, True)
sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
sock.set_hostname(options.hostname)
# Provide a callback which notifies us when the SSL handshake is
# complete
sock.set_handshake_callback(handshake_callback)
# Provide a callback to verify the servers certificate
sock.set_auth_certificate_callback(auth_certificate_callback,
nss.get_default_certdb())
try:
print("try connecting to: %s" % (net_addr))
sock.connect(net_addr,
timeout=io.seconds_to_interval(timeout_secs))
print("connected to: %s" % (net_addr))
valid_addr = True
break
except:
continue
if not valid_addr:
print("ERROR: could not connect to \"%s\"" % options.hostname)
return
try:
# Talk to the server
n_received = 0
sock.send(request.encode('utf-8'))
while True:
buf = sock.recv(1024)
n_received += len(buf)
if not buf:
print("\nclient lost connection, received %d bytes" %
(n_received))
break
except Exception as e:
print(e)
sock.shutdown()
return
sock.shutdown()
return
def https_request(host, port, url, secdir, password, nickname, operation, args,
**kw):
"""
:param url: The URL to post to.
:param operation: GET, POST, (PUT and DELETE not yet implemented)
:param args: arguments for GET command line, or for POST
:param kw: Keyword arguments to encode into POST body.
:return: (http_status, http_reason_phrase, http_headers, http_body)
as (integer, unicode, dict, str)
Perform a client authenticated HTTPS request
"""
if isinstance(host, six.text_type):
host = host.encode('utf-8')
uri = 'https://%s%s' % (ipautil.format_netloc(host, port), url)
logging.info('sslget %r', uri)
request_headers = {
"Content-type": "application/xml",
"Accept": "application/xml"
}
if operation == "POST":
if args is not None:
post = args
elif kw is not None:
post = urlencode(kw)
request_headers = {
"Content-type": "application/x-www-form-urlencoded",
"Accept": "text/plain"
}
conn = None
try:
conn = nsslib.NSSConnection(host, port, dbdir=secdir)
conn.set_debuglevel(0)
conn.connect()
conn.sock.set_client_auth_data_callback(
nsslib.client_auth_data_callback, nickname, password,
nss.get_default_certdb())
if operation == "GET":
url = url + "?" + args
conn.request("GET", url)
elif operation == "POST":
conn.request("POST", url, post, request_headers)
res = conn.getresponse()
http_status = res.status
http_reason_phrase = six.text_type(res.reason, 'utf-8')
http_headers = res.msg.dict
http_body = res.read()
except Exception as e:
raise NetworkError(uri=uri, error=str(e))
finally:
if conn is not None:
conn.close()
return http_status, http_reason_phrase, http_headers, http_body
def connection_factory(host, port):
conn = nsslib.NSSConnection(host, port, dbdir=secdir,
tls_version_min=api.env.tls_version_min,
tls_version_max=api.env.tls_version_max)
conn.set_debuglevel(0)
conn.connect()
conn.sock.set_client_auth_data_callback(
nsslib.client_auth_data_callback,
nickname, password, nss.get_default_certdb())
return conn
def __init__(self, host, port, timeout=3, **kwargs):
http.client.HTTPConnection.__init__(self,
host,
port,
timeout=timeout,
**kwargs)
log.info('%s init %s', self.__class__.__name__, host)
self.sock = None
self._timeout = timeout
self._certdb = nss.get_default_certdb()
def connection_factory(host, port):
no_init = secdir == nsslib.current_dbdir
conn = nsslib.NSSConnection(host, port, dbdir=secdir, no_init=no_init,
tls_version_min=api.env.tls_version_min,
tls_version_max=api.env.tls_version_max)
conn.set_debuglevel(0)
conn.connect()
conn.sock.set_client_auth_data_callback(
nsslib.client_auth_data_callback,
nickname, password, nss.get_default_certdb())
return conn
def https_request(
host, port, url, secdir, password, nickname, operation, args, **kw):
"""
:param url: The URL to post to.
:param operation: GET, POST, (PUT and DELETE not yet implemented)
:param args: arguments for GET command line, or for POST
:param kw: Keyword arguments to encode into POST body.
:return: (http_status, http_reason_phrase, http_headers, http_body)
as (integer, unicode, dict, str)
Perform a client authenticated HTTPS request
"""
if isinstance(host, six.text_type):
host = host.encode('utf-8')
uri = 'https://%s%s' % (ipautil.format_netloc(host, port), url)
logging.info('sslget %r', uri)
request_headers = {"Content-type": "application/xml",
"Accept": "application/xml"}
if operation == "POST":
if args is not None:
post = args
elif kw is not None:
post = urlencode(kw)
request_headers = {"Content-type": "application/x-www-form-urlencoded",
"Accept": "text/plain"}
conn = None
try:
conn = nsslib.NSSConnection(host, port, dbdir=secdir)
conn.set_debuglevel(0)
conn.connect()
conn.sock.set_client_auth_data_callback(nsslib.client_auth_data_callback,
nickname,
password, nss.get_default_certdb())
if operation == "GET":
url = url + "?" + args
conn.request("GET", url)
elif operation == "POST":
conn.request("POST", url, post, request_headers)
res = conn.getresponse()
http_status = res.status
http_reason_phrase = six.text_type(res.reason, 'utf-8')
http_headers = res.msg.dict
http_body = res.read()
except Exception as e:
raise NetworkError(uri=uri, error=str(e))
finally:
if conn is not None:
conn.close()
return http_status, http_reason_phrase, http_headers, http_body
def _create_socket(self, family):
self.sock = ssl.SSLSocket(family)
self.sock.set_ssl_option(ssl.SSL_SECURITY, True)
self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
self.sock.set_hostname(self.host)
# Provide a callback which notifies us when the SSL handshake is complete
self.sock.set_handshake_callback(handshake_callback)
# Provide a callback to verify the servers certificate
self.sock.set_auth_certificate_callback(auth_certificate_callback,
nss.get_default_certdb())
def _create_socket(self, family):
self.sock = ssl.SSLSocket(family)
self.sock.set_ssl_option(ssl.SSL_SECURITY, True)
self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
self.sock.set_hostname(self.host)
# Provide a callback which notifies us when the SSL handshake is complete
self.sock.set_handshake_callback(handshake_callback)
# Provide a callback to verify the servers certificate
self.sock.set_auth_certificate_callback(auth_certificate_callback,
nss.get_default_certdb())
def client():
valid_addr = False
# Get the IP Address of our server
try:
addr_info = io.AddrInfo(hostname)
except:
print "ERROR: could not resolve hostname \"%s\"" % hostname
return
for net_addr in addr_info:
net_addr.port = port
sock = ssl.SSLSocket(net_addr.family)
# Set client SSL socket options
sock.set_ssl_option(ssl.SSL_SECURITY, True)
sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
sock.set_hostname(hostname)
# Provide a callback which notifies us when the SSL handshake is
# complete
sock.set_handshake_callback(handshake_callback)
# Provide a callback to verify the servers certificate
sock.set_auth_certificate_callback(auth_certificate_callback,
nss.get_default_certdb())
try:
print "try connecting to: %s" % (net_addr)
sock.connect(net_addr, timeout=io.seconds_to_interval(timeout_secs))
print "connected to: %s" % (net_addr)
valid_addr = True
break
except:
continue
if not valid_addr:
print "ERROR: could not connect to \"%s\"" % hostname
return
try:
# Talk to the server
n_received = 0
sock.send(request)
while True:
buf = sock.recv(1024)
n_received += len(buf)
if not buf:
print "\nclient lost connection, received %d bytes" % (n_received)
break
except Exception, e:
print e.strerror
sock.shutdown()
return
def https_request(host, port, url, secdir, password, nickname, **kw):
"""
:param url: The URL to post to.
:param kw: Keyword arguments to encode into POST body.
:return: (http_status, http_reason_phrase, http_headers, http_body)
as (integer, unicode, dict, str)
Perform a client authenticated HTTPS request
"""
if isinstance(host, unicode):
host = host.encode('utf-8')
uri = 'https://%s%s' % (ipautil.format_netloc(host, port), url)
post = urlencode(kw)
root_logger.debug('https_request %r', uri)
root_logger.debug('https_request post %r', post)
request_headers = {
"Content-type": "application/x-www-form-urlencoded",
"Accept": "text/plain"
}
try:
conn = nsslib.NSSConnection(host,
port,
dbdir=secdir,
tls_version_min=api.env.tls_version_min,
tls_version_max=api.env.tls_version_max)
conn.set_debuglevel(0)
conn.connect()
conn.sock.set_client_auth_data_callback(
nsslib.client_auth_data_callback, nickname, password,
nss.get_default_certdb())
conn.request("POST", url, post, request_headers)
res = conn.getresponse()
http_status = res.status
http_reason_phrase = unicode(res.reason, 'utf-8')
http_headers = res.msg.dict
http_body = res.read()
conn.close()
except Exception, e:
raise NetworkError(uri=uri, error=str(e))
def https_request(host, port, url, secdir, password, nickname, **kw):
"""
:param url: The URL to post to.
:param kw: Keyword arguments to encode into POST body.
:return: (http_status, http_reason_phrase, http_headers, http_body)
as (integer, unicode, dict, str)
Perform a client authenticated HTTPS request
"""
if isinstance(host, unicode):
host = host.encode('utf-8')
uri = 'https://%s%s' % (ipautil.format_netloc(host, port), url)
post = urlencode(kw)
root_logger.debug('https_request %r', uri)
root_logger.debug('https_request post %r', post)
request_headers = {"Content-type": "application/x-www-form-urlencoded",
"Accept": "text/plain"}
try:
conn = nsslib.NSSConnection(host, port, dbdir=secdir,
tls_version_min=api.env.tls_version_min,
tls_version_max=api.env.tls_version_max)
conn.set_debuglevel(0)
conn.connect()
conn.sock.set_client_auth_data_callback(nsslib.client_auth_data_callback,
nickname,
password, nss.get_default_certdb())
conn.request("POST", url, post, request_headers)
res = conn.getresponse()
http_status = res.status
http_reason_phrase = unicode(res.reason, 'utf-8')
http_headers = res.msg.dict
http_body = res.read()
conn.close()
except Exception, e:
raise NetworkError(uri=uri, error=str(e))
def auth_certificate_callback(self, sock, check_sig, is_server):
cert_is_valid = False
certdb = nss.get_default_certdb()
cert = sock.get_peer_certificate()
logging.debug("auth_certificate_callback: check_sig=%s is_server=%s\n%s",
check_sig, is_server, str(cert))
pin_args = sock.get_pkcs11_pin_arg()
if pin_args is None:
pin_args = ()
intended_usage = nss.certificateUsageSSLServer
try:
# If the cert fails validation it will raise an exception, the errno attribute
# will be set to the error code matching the reason why the validation failed
# and the strerror attribute will contain a string describing the reason.
approved_usage = cert.verify_now(certdb, check_sig, intended_usage, *pin_args)
except Exception, e:
logging.error('cert validation failed for "%s" (%s)', cert.subject, e.strerror)
cert_is_valid = False
return cert_is_valid
def server():
global family
if verbose: print "starting server:"
# Initialize
# Setup an IP Address to listen on any of our interfaces
if family == io.PR_AF_UNSPEC:
family = io.PR_AF_INET
net_addr = io.NetworkAddress(io.PR_IpAddrAny, port, family)
if use_ssl:
if info: print "server: using SSL"
ssl.set_domestic_policy()
nss.set_password_callback(password_callback)
# Perform basic SSL server configuration
ssl.set_default_cipher_pref(ssl.SSL_RSA_WITH_NULL_MD5, True)
ssl.config_server_session_id_cache()
# Get our certificate and private key
server_cert = nss.find_cert_from_nickname(server_nickname, password)
priv_key = nss.find_key_by_any_cert(server_cert, password)
server_cert_kea = server_cert.find_kea_type();
#if verbose: print "server cert:\n%s" % server_cert
sock = ssl.SSLSocket(net_addr.family)
# Set server SSL socket options
sock.set_pkcs11_pin_arg(password)
sock.set_ssl_option(ssl.SSL_SECURITY, True)
sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_SERVER, True)
# If we're doing client authentication then set it up
if client_cert_action >= REQUEST_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUEST_CERTIFICATE, True)
if client_cert_action == REQUIRE_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUIRE_CERTIFICATE, True)
sock.set_auth_certificate_callback(auth_certificate_callback, nss.get_default_certdb())
# Configure the server SSL socket
sock.config_secure_server(server_cert, priv_key, server_cert_kea)
else:
sock = io.Socket(net_addr.family)
# Bind to our network address and listen for clients
sock.bind(net_addr)
if verbose: print "listening on: %s" % (net_addr)
sock.listen()
while True:
# Accept a connection from a client
client_sock, client_addr = sock.accept()
if use_ssl:
client_sock.set_handshake_callback(handshake_callback)
if verbose: print "client connect from: %s" % (client_addr)
while True:
try:
# Handle the client connection
buf = client_sock.recv(1024)
if not buf:
print >>sys.stderr, "server: lost lost connection to %s" % (client_addr)
break
if info: print "server: received \"%s\"" % (buf)
reply = "{%s}" % buf # echo
if info: print "server: sending \"%s\"" % (reply)
client_sock.send(reply) # echo
time.sleep(sleep_time)
client_sock.shutdown()
client_sock.close()
break
except Exception, e:
print >>sys.stderr, "server: %s" % e
break
break
def client(request):
if use_ssl:
if info:
print("client: using SSL")
ssl.set_domestic_policy()
# Get the IP Address of our server
try:
addr_info = io.AddrInfo(hostname)
except Exception as e:
print("client: could not resolve host address \"%s\"" % hostname, file=sys.stderr)
return
for net_addr in addr_info:
net_addr.port = port
if use_ssl:
sock = ssl.SSLSocket(net_addr.family)
# Set client SSL socket options
sock.set_ssl_option(ssl.SSL_SECURITY, True)
sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
sock.set_hostname(hostname)
# Provide a callback which notifies us when the SSL handshake is complete
sock.set_handshake_callback(handshake_callback)
# Provide a callback to supply our client certificate info
sock.set_client_auth_data_callback(client_auth_data_callback, client_nickname,
password, nss.get_default_certdb())
# Provide a callback to verify the servers certificate
sock.set_auth_certificate_callback(auth_certificate_callback,
nss.get_default_certdb())
else:
sock = io.Socket(net_addr.family)
try:
if verbose:
print("client trying connection to: %s" % (net_addr))
sock.connect(net_addr, timeout=io.seconds_to_interval(timeout_secs))
if verbose:
print("client connected to: %s" % (net_addr))
break
except Exception as e:
sock.close()
print("client: connection to: %s failed (%s)" % (net_addr, e), file=sys.stderr)
# Talk to the server
try:
if info:
print("client: sending \"%s\"" % (request))
data = request + "\n"; # newline is protocol record separator
sock.send(data.encode('utf-8'))
buf = sock.readline()
if not buf:
print("client: lost connection", file=sys.stderr)
sock.close()
return
buf = buf.decode('utf-8')
buf = buf.rstrip() # remove newline record separator
if info:
print("client: received \"%s\"" % (buf))
except Exception as e:
print("client: %s" % e, file=sys.stderr)
try:
sock.close()
except:
pass
return
try:
sock.shutdown()
except Exception as e:
print("client: %s" % e, file=sys.stderr)
try:
sock.close()
if use_ssl:
ssl.clear_session_cache()
except Exception as e:
print("client: %s" % e, file=sys.stderr)
return buf
net_addr.port = port
if use_ssl:
sock = ssl.SSLSocket(net_addr.family)
# Set client SSL socket options
sock.set_ssl_option(ssl.SSL_SECURITY, True)
sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
sock.set_hostname(hostname)
# Provide a callback which notifies us when the SSL handshake is complete
sock.set_handshake_callback(handshake_callback)
# Provide a callback to supply our client certificate info
sock.set_client_auth_data_callback(client_auth_data_callback, client_nickname,
password, nss.get_default_certdb())
# Provide a callback to verify the servers certificate
sock.set_auth_certificate_callback(auth_certificate_callback,
nss.get_default_certdb())
else:
sock = io.Socket(net_addr.family)
try:
if verbose: print "client trying connection to: %s" % (net_addr)
sock.connect(net_addr, timeout=io.seconds_to_interval(timeout_secs))
if verbose: print "client connected to: %s" % (net_addr)
valid_addr = True
break
except Exception, e:
sock.close()
def main():
# Command line argument processing
parser = optparse.OptionParser()
parser.set_defaults(dbdir = '/etc/pki/nssdb',
db_passwd = 'db_passwd',
input_format = 'pem',
check_sig = True,
print_cert = False,
with_log = True,
check_ca = True,
)
param_group = optparse.OptionGroup(parser, 'NSS Database',
'Specify & control the NSS Database')
param_group.add_option('-d', '--dbdir', dest='dbdir',
help='NSS database directory, default="%default"')
param_group.add_option('-P', '--db-passwd', dest='db_passwd',
help='NSS database password, default="%default"')
parser.add_option_group(param_group)
param_group = optparse.OptionGroup(parser, 'Certificate',
'Specify how the certificate is loaded')
param_group.add_option('-f', '--file', dest='cert_filename',
help='read cert from file')
param_group.add_option('--format', dest='input_format', choices=['pem', 'der'],
help='import format for certificate (der|pem) default="%default"')
param_group.add_option('-n', '--nickname', dest='cert_nickname',
help='load cert from NSS database by looking it up under this nickname')
parser.add_option_group(param_group)
param_group = optparse.OptionGroup(parser, 'Validation',
'Control the validation')
param_group.add_option('-u', '--usage', dest='cert_usage', action='append', choices=cert_usage_map.keys(),
help='may be specified multiple times, default="CheckAllUsages", may be one of: %s' % ', '.join(sorted(cert_usage_map.keys())))
param_group.add_option('-c', '--check-sig', action='store_true', dest='check_sig',
help='check signature default=%default')
param_group.add_option('-C', '--no-check-sig', action='store_false', dest='check_sig',
help='check signature')
param_group.add_option('-l', '--log', action='store_true', dest='with_log',
help='use verify log, default=%default')
param_group.add_option('-L', '--no-log', action='store_false', dest='with_log',
help='use verify log, default=%default')
param_group.add_option('-a', '--check-ca', action='store_true', dest='check_ca',
help='check if cert is CA, default=%default')
param_group.add_option('-A', '--no-check-ca', action='store_false', dest='check_ca',
help='check if cert is CA, default=%default')
parser.add_option_group(param_group)
param_group = optparse.OptionGroup(parser, 'Miscellaneous',
'Miscellaneous options')
param_group.add_option('-p', '--print-cert', action='store_true', dest='print_cert',
help='print the certificate in a friendly fashion, default=%default')
parser.add_option_group(param_group)
options, args = parser.parse_args()
# Process the command line arguments
# Get usage bitmask
if options.cert_usage:
intended_usage = 0
for usage in options.cert_usage:
try:
flag = cert_usage_map[usage]
except KeyError:
print "Unknown usage '%s', valid values: %s" % (usage, ', '.join(sorted(cert_usage_map.keys())))
return 1
else:
intended_usage |= flag
else:
# We can't use nss.certificateUsageCheckAllUsages here because
# it's a special value of zero instead of being the bitwise OR
# of all the certificateUsage* flags (go figure!)
intended_usage = 0
for usage in cert_usage_map.values():
intended_usage |= usage
if options.cert_filename and options.cert_nickname:
print >>sys.stderr, "You may not specify both a cert filename and a nickname, only one or the other"
return 1
if not options.cert_filename and not options.cert_nickname:
print >>sys.stderr, "You must specify either a cert filename or a nickname to load"
return 1
# Initialize NSS.
print indented_output('NSS Database', options.dbdir)
print
nss.nss_init(options.dbdir)
certdb = nss.get_default_certdb()
nss.set_password_callback(password_callback)
# Load the cert
if options.cert_filename:
# Read the certificate as DER encoded data then initialize a Certificate from the DER data
filename = options.cert_filename
si = nss.read_der_from_file(filename, options.input_format.lower() == 'pem')
# Parse the DER encoded data returning a Certificate object
cert = nss.Certificate(si)
else:
try:
cert = nss.find_cert_from_nickname(options.cert_nickname)
except Exception, e:
print e
print >>sys.stderr, 'Unable to load cert nickname "%s" from database "%s"' % \
(options.cert_nickname, options.dbdir)
return 1
def setUp(self):
nss.nss_init_read_write(db_name)
self.certdb = nss.get_default_certdb()
def Server():
# Setup an IP Address to listen on any of our interfaces
if options.family == io.PR_AF_UNSPEC:
options.family = io.PR_AF_INET
net_addr = io.NetworkAddress(io.PR_IpAddrAny, options.port, options.family)
if options.use_ssl:
# Perform basic SSL server configuration
ssl.set_default_cipher_pref(ssl.SSL_RSA_WITH_NULL_MD5, True)
ssl.config_server_session_id_cache()
# Get our certificate and private key
server_cert = nss.find_cert_from_nickname(options.server_nickname, options.password)
priv_key = nss.find_key_by_any_cert(server_cert, options.password)
server_cert_kea = server_cert.find_kea_type();
print("server cert:\n%s" % server_cert)
sock = ssl.SSLSocket(net_addr.family)
# Set server SSL socket options
sock.set_pkcs11_pin_arg(options.password)
sock.set_ssl_option(ssl.SSL_SECURITY, True)
sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_SERVER, True)
# If we're doing client authentication then set it up
if options.client_cert_action >= REQUEST_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUEST_CERTIFICATE, True)
if options.client_cert_action == REQUIRE_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUIRE_CERTIFICATE, True)
sock.set_auth_certificate_callback(auth_certificate_callback, nss.get_default_certdb())
# Configure the server SSL socket
sock.config_secure_server(server_cert, priv_key, server_cert_kea)
else:
sock = io.Socket(net_addr.family)
# Bind to our network address and listen for clients
sock.bind(net_addr)
print("listening on: %s" % (net_addr))
sock.listen()
while True:
# Accept a connection from a client
client_sock, client_addr = sock.accept()
if options.use_ssl:
client_sock.set_handshake_callback(handshake_callback)
print("client connect from: %s" % (client_addr))
while True:
try:
# Handle the client connection
buf = client_sock.readline()
if not buf:
print("server lost lost connection to %s" % (client_addr))
break
buf = buf.decode('utf-8')
buf = buf.rstrip() # remove newline record separator
print("server received: %s" % (buf))
data ='Goodbye' + '\n' # newline is protocol record separator
client_sock.send(data.encode('utf-8'))
try:
client_sock.shutdown(io.PR_SHUTDOWN_RCV)
client_sock.close()
except:
pass
break
except Exception as e:
print(e.strerror)
break
break
try:
sock.shutdown()
sock.close()
if options.use_ssl:
ssl.shutdown_server_session_id_cache()
except Exception as e:
print(e)
pass
self.sock = ssl.SSLSocket(family=self.family)
self.sock.set_ssl_option(ssl.SSL_SECURITY, True)
self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
try:
self.sock.set_ssl_version_range(self.tls_version_min, self.tls_version_max)
except NSPRError, e:
root_logger.error('Failed to set TLS range to %s, %s' % (self.tls_version_min, self.tls_version_max))
raise
self.sock.set_ssl_option(ssl_require_safe_negotiation, False)
self.sock.set_ssl_option(ssl_enable_renegotiation, ssl_renegotiate_requires_xtn)
# Provide a callback which notifies us when the SSL handshake is complete
self.sock.set_handshake_callback(self.handshake_callback)
# Provide a callback to verify the servers certificate
self.sock.set_auth_certificate_callback(auth_certificate_callback,
nss.get_default_certdb())
self.sock.set_hostname(self.host)
def password_callback(self, slot, retry, password):
if not retry and password: return password
return getpass.getpass("Enter password for %s: " % slot.token_name);
def handshake_callback(self, sock):
"""
Verify callback. If we get here then the certificate is ok.
"""
channel = sock.get_ssl_channel_info()
suite = ssl.get_cipher_suite_info(channel.cipher_suite)
root_logger.debug("handshake complete, peer = %s", sock.get_peer_name())
root_logger.debug('Protocol: %s' % channel.protocol_version_str.upper())
root_logger.debug('Cipher: %s' % suite.cipher_suite_name)
def setUp(self):
nss.nss_init_read_write(db_name)
self.certdb = nss.get_default_certdb()
def client(request):
if use_ssl:
if info:
print("client: using SSL")
ssl.set_domestic_policy()
# Get the IP Address of our server
try:
addr_info = io.AddrInfo(hostname)
except Exception as e:
print("client: could not resolve host address \"%s\"" % hostname,
file=sys.stderr)
return
for net_addr in addr_info:
net_addr.port = port
if use_ssl:
sock = ssl.SSLSocket(net_addr.family)
# Set client SSL socket options
sock.set_ssl_option(ssl.SSL_SECURITY, True)
sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
sock.set_hostname(hostname)
# Provide a callback which notifies us when the SSL handshake is complete
sock.set_handshake_callback(handshake_callback)
# Provide a callback to supply our client certificate info
sock.set_client_auth_data_callback(client_auth_data_callback,
client_nickname, password,
nss.get_default_certdb())
# Provide a callback to verify the servers certificate
sock.set_auth_certificate_callback(auth_certificate_callback,
nss.get_default_certdb())
else:
sock = io.Socket(net_addr.family)
try:
if verbose:
print("client trying connection to: %s" % (net_addr))
sock.connect(net_addr,
timeout=io.seconds_to_interval(timeout_secs))
if verbose:
print("client connected to: %s" % (net_addr))
break
except Exception as e:
sock.close()
print("client: connection to: %s failed (%s)" % (net_addr, e),
file=sys.stderr)
# Talk to the server
try:
if info:
print("client: sending \"%s\"" % (request))
data = request + "\n"
# newline is protocol record separator
sock.send(data.encode('utf-8'))
buf = sock.readline()
if not buf:
print("client: lost connection", file=sys.stderr)
sock.close()
return
buf = buf.decode('utf-8')
buf = buf.rstrip() # remove newline record separator
if info:
print("client: received \"%s\"" % (buf))
except Exception as e:
print("client: %s" % e, file=sys.stderr)
try:
sock.close()
except:
pass
return
try:
sock.shutdown()
except Exception as e:
print("client: %s" % e, file=sys.stderr)
try:
sock.close()
if use_ssl:
ssl.clear_session_cache()
except Exception as e:
print("client: %s" % e, file=sys.stderr)
return buf
def Client():
valid_addr = False
# Get the IP Address of our server
try:
addr_info = io.AddrInfo(options.hostname)
except Exception as e:
print("could not resolve host address \"%s\"" % options.hostname)
return
for net_addr in addr_info:
if options.family != io.PR_AF_UNSPEC:
if net_addr.family != options.family:
continue
net_addr.port = options.port
if options.use_ssl:
sock = ssl.SSLSocket(net_addr.family)
# Set client SSL socket options
sock.set_ssl_option(ssl.SSL_SECURITY, True)
sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
sock.set_hostname(options.hostname)
# Provide a callback which notifies us when the SSL handshake is complete
sock.set_handshake_callback(handshake_callback)
# Provide a callback to supply our client certificate info
sock.set_client_auth_data_callback(client_auth_data_callback, options.client_nickname,
options.password, nss.get_default_certdb())
# Provide a callback to verify the servers certificate
sock.set_auth_certificate_callback(auth_certificate_callback,
nss.get_default_certdb())
else:
sock = io.Socket(net_addr.family)
try:
print("client trying connection to: %s" % (net_addr))
sock.connect(net_addr, timeout=io.seconds_to_interval(timeout_secs))
print("client connected to: %s" % (net_addr))
valid_addr = True
break
except Exception as e:
sock.close()
print("client connection to: %s failed (%s)" % (net_addr, e))
if not valid_addr:
print("Could not establish valid address for \"%s\" in family %s" % \
(options.hostname, io.addr_family_name(options.family)))
return
# Talk to the server
try:
data = 'Hello' + '\n' # newline is protocol record separator
sock.send(data.encode('utf-8'))
buf = sock.readline()
if not buf:
print("client lost connection")
sock.close()
return
buf = buf.decode('utf-8')
buf = buf.rstrip() # remove newline record separator
print("client received: %s" % (buf))
except Exception as e:
print(e.strerror)
try:
sock.close()
except:
pass
return
# End of (simple) protocol session?
if buf == 'Goodbye':
try:
sock.shutdown()
except:
pass
try:
sock.close()
if options.use_ssl:
ssl.clear_session_cache()
except Exception as e:
print(e)
def Server():
global family
# Perform basic SSL server configuration
ssl.set_default_cipher_pref(ssl.SSL_RSA_WITH_NULL_MD5, True)
ssl.config_server_session_id_cache()
# Get our certificate and private key
server_cert = nss.find_cert_from_nickname(server_nickname, password)
priv_key = nss.find_key_by_any_cert(server_cert, password)
server_cert_kea = server_cert.find_kea_type();
print "server cert:\n%s" % server_cert
# Setup an IP Address to listen on any of our interfaces
if family == io.PR_AF_UNSPEC:
family = io.PR_AF_INET
net_addr = io.NetworkAddress(io.PR_IpAddrAny, port, family)
if use_ssl:
sock = ssl.SSLSocket(net_addr.family)
# Set server SSL socket options
sock.set_pkcs11_pin_arg(password)
sock.set_ssl_option(ssl.SSL_SECURITY, True)
sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_SERVER, True)
# If we're doing client authentication then set it up
if client_cert_action >= REQUEST_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUEST_CERTIFICATE, True)
if client_cert_action == REQUIRE_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUIRE_CERTIFICATE, True)
sock.set_auth_certificate_callback(auth_certificate_callback, nss.get_default_certdb())
# Configure the server SSL socket
sock.config_secure_server(server_cert, priv_key, server_cert_kea)
else:
sock = io.Socket(net_addr.family)
# Bind to our network address and listen for clients
sock.bind(net_addr)
print "listening on: %s" % (net_addr)
sock.listen()
while True:
# Accept a connection from a client
client_sock, client_addr = sock.accept()
if use_ssl:
client_sock.set_handshake_callback(handshake_callback)
print "client connect from: %s" % (client_addr)
while True:
try:
# Handle the client connection
buf = client_sock.recv(1024)
if not buf:
print "server lost lost connection to %s" % (client_addr)
break
print "server received: %s" % (buf)
client_sock.send("Goodbye")
try:
client_sock.shutdown(io.PR_SHUTDOWN_RCV)
client_sock.close()
except:
pass
break
except Exception, e:
print e.strerror
break
break
def __init__(self):
self.certdb_dir = os.path.expanduser(config.NSS_DB_DIR)
nss.nss_init(self.certdb_dir)
nss.enable_ocsp_checking()
self.certdb = nss.get_default_certdb()
def Server():
# Setup an IP Address to listen on any of our interfaces
if options.family == io.PR_AF_UNSPEC:
options.family = io.PR_AF_INET
net_addr = io.NetworkAddress(io.PR_IpAddrAny, options.port, options.family)
if options.use_ssl:
# Perform basic SSL server configuration
ssl.set_default_cipher_pref(ssl.SSL_RSA_WITH_NULL_MD5, True)
ssl.config_server_session_id_cache()
# Get our certificate and private key
server_cert = nss.find_cert_from_nickname(options.server_nickname,
options.password)
priv_key = nss.find_key_by_any_cert(server_cert, options.password)
server_cert_kea = server_cert.find_kea_type()
print("server cert:\n%s" % server_cert)
sock = ssl.SSLSocket(net_addr.family)
# Set server SSL socket options
sock.set_pkcs11_pin_arg(options.password)
sock.set_ssl_option(ssl.SSL_SECURITY, True)
sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_SERVER, True)
# If we're doing client authentication then set it up
if options.client_cert_action >= REQUEST_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUEST_CERTIFICATE, True)
if options.client_cert_action == REQUIRE_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUIRE_CERTIFICATE, True)
sock.set_auth_certificate_callback(auth_certificate_callback,
nss.get_default_certdb())
# Configure the server SSL socket
sock.config_secure_server(server_cert, priv_key, server_cert_kea)
else:
sock = io.Socket(net_addr.family)
# Bind to our network address and listen for clients
sock.bind(net_addr)
print("listening on: %s" % (net_addr))
sock.listen()
while True:
# Accept a connection from a client
client_sock, client_addr = sock.accept()
if options.use_ssl:
client_sock.set_handshake_callback(handshake_callback)
print("client connect from: %s" % (client_addr))
while True:
try:
# Handle the client connection
buf = client_sock.readline()
if not buf:
print("server lost lost connection to %s" % (client_addr))
break
buf = buf.decode('utf-8')
buf = buf.rstrip() # remove newline record separator
print("server received: %s" % (buf))
data = 'Goodbye' + '\n' # newline is protocol record separator
client_sock.send(data.encode('utf-8'))
try:
client_sock.shutdown(io.PR_SHUTDOWN_RCV)
client_sock.close()
except:
pass
break
except Exception as e:
print(e.strerror)
break
break
try:
sock.shutdown()
sock.close()
if options.use_ssl:
ssl.shutdown_server_session_id_cache()
except Exception as e:
print(e)
pass
def Client():
valid_addr = False
# Get the IP Address of our server
try:
addr_info = io.AddrInfo(options.hostname)
except Exception as e:
print("could not resolve host address \"%s\"" % options.hostname)
return
for net_addr in addr_info:
if options.family != io.PR_AF_UNSPEC:
if net_addr.family != options.family:
continue
net_addr.port = options.port
if options.use_ssl:
sock = ssl.SSLSocket(net_addr.family)
# Set client SSL socket options
sock.set_ssl_option(ssl.SSL_SECURITY, True)
sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
sock.set_hostname(options.hostname)
# Provide a callback which notifies us when the SSL handshake is complete
sock.set_handshake_callback(handshake_callback)
# Provide a callback to supply our client certificate info
sock.set_client_auth_data_callback(
client_auth_data_callback,
options.client_nickname,
options.password,
nss.get_default_certdb(),
)
# Provide a callback to verify the servers certificate
sock.set_auth_certificate_callback(auth_certificate_callback,
nss.get_default_certdb())
else:
sock = io.Socket(net_addr.family)
try:
print("client trying connection to: %s" % (net_addr))
sock.connect(net_addr,
timeout=io.seconds_to_interval(timeout_secs))
print("client connected to: %s" % (net_addr))
valid_addr = True
break
except Exception as e:
sock.close()
print("client connection to: %s failed (%s)" % (net_addr, e))
if not valid_addr:
print("Could not establish valid address for \"%s\" in family %s" %
(options.hostname, io.addr_family_name(options.family)))
return
# Talk to the server
try:
data = 'Hello' + '\n' # newline is protocol record separator
sock.send(data.encode('utf-8'))
buf = sock.readline()
if not buf:
print("client lost connection")
sock.close()
return
buf = buf.decode('utf-8')
buf = buf.rstrip() # remove newline record separator
print("client received: %s" % (buf))
except Exception as e:
print(e.strerror)
try:
sock.close()
except:
pass
return
# End of (simple) protocol session?
if buf == 'Goodbye':
try:
sock.shutdown()
except:
pass
try:
sock.close()
if options.use_ssl:
ssl.clear_session_cache()
except Exception as e:
print(e)
def main():
global options
parser = argparse.ArgumentParser(description='certificate trust example')
# === NSS Database Group ===
group = parser.add_argument_group('NSS Database',
'Specify & control the NSS Database')
group.add_argument('-d', '--db-name',
help='NSS database name (e.g. "sql:pki")')
group.add_argument('-P', '--db-passwd',
help='NSS database password')
# === Certificate Group ===
group = parser.add_argument_group('Certificate',
'Specify how the certificate is loaded')
group.add_argument('-f', '--file', dest='cert_filename',
help='read cert from file')
group.add_argument('-F', '--input-format', choices=['pem', 'der'],
help='format of input cert')
group.add_argument('-n', '--nickname', dest='cert_nickname',
help='load cert from NSS database by looking it up under this nickname')
group.add_argument('-t', '--trust', dest='cert_trust',
help='set the cert trust flags, see certutil for format')
group.add_argument('-i', '--install-cert', action='store_true', dest='cert_perm',
help='check signature')
group.add_argument('-p', '--print-cert', action='store_true', dest='print_cert',
help='print the certificate in a friendly fashion')
parser.set_defaults(db_name = 'sql:pki',
db_passwd = 'db_passwd',
input_format = 'pem',
install_cert = False,
print_cert = False,
)
options = parser.parse_args()
# Process the command line arguments
if options.cert_perm:
if not options.cert_filename:
print("You must specify a cert filename to install a cert in the database", file=sys.stderr)
return 1
if not options.cert_nickname:
print("You must specify a cert nickname to install a cert in the database", file=sys.stderr)
return 1
else:
if options.cert_filename and options.cert_nickname:
print("You may not specify both a cert filename and a nickname, only one or the other", file=sys.stderr)
return 1
if not options.cert_filename and not options.cert_nickname:
print("You must specify either a cert filename or a nickname to load", file=sys.stderr)
return 1
# Initialize NSS.
print('NSS Database: %s' % (options.db_name))
print()
# Initialize the database as read/write, otherwise we would not
# be able to import a cert
nss.nss_init_read_write(options.db_name)
certdb = nss.get_default_certdb()
# Since we may update the cert make sure we're using the key slot
# and not just the internal slot
slot = nss.get_internal_key_slot()
# If we're importing or modifying a cert we'll need to authenticate
# to the database, the password callback supplies the password during
# authentication.
nss.set_password_callback(password_callback)
# Load the cert
if options.cert_filename:
# Read the certificate as DER encoded data then initialize a Certificate from the DER data
filename = options.cert_filename
si = nss.read_der_from_file(filename, options.input_format.lower() == 'pem')
# Parse the DER encoded data returning a Certificate object.
#
# If we've been asked to install the cert in the database the
# options.cert_perm flag will be True and we'll need to supply
# the nickname (which is used to locate the cert in the database).
cert = nss.Certificate(si, certdb,
options.cert_perm, options.cert_nickname)
else:
try:
cert = nss.find_cert_from_nickname(options.cert_nickname)
except Exception as e:
print(e)
print('Unable to load cert nickname "%s" from database "%s"' % \
(options.cert_nickname, options.db_name), file=sys.stderr)
return 1
# Dump the cert if the user wants to see it
if options.print_cert:
print(cert)
else:
print('cert subject: %s' % (cert.subject))
print()
# Change the cert trust if specified
if options.cert_trust:
cert.set_trust_attributes(options.cert_trust, certdb, slot)
illustrate_ssl_trust(cert)
return 0
def server():
if verbose:
print("starting server:")
# Initialize
# Setup an IP Address to listen on any of our interfaces
net_addr = io.NetworkAddress(io.PR_IpAddrAny, port)
if use_ssl:
if info:
print("server: using SSL")
ssl.set_domestic_policy()
nss.set_password_callback(password_callback)
# Perform basic SSL server configuration
ssl.set_default_cipher_pref(ssl.SSL_RSA_WITH_NULL_MD5, True)
ssl.config_server_session_id_cache()
# Get our certificate and private key
server_cert = nss.find_cert_from_nickname(server_nickname, password)
priv_key = nss.find_key_by_any_cert(server_cert, password)
server_cert_kea = server_cert.find_kea_type()
#if verbose:
# print("server cert:\n%s" % server_cert)
sock = ssl.SSLSocket(net_addr.family)
# Set server SSL socket options
sock.set_pkcs11_pin_arg(password)
sock.set_ssl_option(ssl.SSL_SECURITY, True)
sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_SERVER, True)
# If we're doing client authentication then set it up
if client_cert_action >= REQUEST_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUEST_CERTIFICATE, True)
if client_cert_action == REQUIRE_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUIRE_CERTIFICATE, True)
sock.set_auth_certificate_callback(auth_certificate_callback,
nss.get_default_certdb())
# Configure the server SSL socket
sock.config_secure_server(server_cert, priv_key, server_cert_kea)
else:
sock = io.Socket(net_addr.family)
# Bind to our network address and listen for clients
sock.bind(net_addr)
if verbose:
print("listening on: %s" % (net_addr))
sock.listen()
while True:
# Accept a connection from a client
client_sock, client_addr = sock.accept()
if use_ssl:
client_sock.set_handshake_callback(handshake_callback)
if verbose:
print("client connect from: %s" % (client_addr))
while True:
try:
# Handle the client connection
buf = client_sock.readline(
) # newline is protocol record separator
if not buf:
print("server: lost lost connection to %s" % (client_addr),
file=sys.stderr)
break
buf = buf.decode('utf-8')
buf = buf.rstrip() # remove newline record separator
if info:
print("server: received \"%s\"" % (buf))
reply = "{%s}" % buf # echo embedded inside braces
if info:
print("server: sending \"%s\"" % (reply))
data = reply + "\n" # send echo with record separator
client_sock.send(data.encode('utf-8'))
time.sleep(sleep_time)
client_sock.shutdown()
client_sock.close()
break
except Exception as e:
print("server: %s" % e, file=sys.stderr)
break
break
# Clean up
sock.shutdown()
sock.close()
if use_ssl:
ssl.shutdown_server_session_id_cache()
def main():
global options
parser = argparse.ArgumentParser(
description='certificate validation example')
# === NSS Database Group ===
group = parser.add_argument_group('NSS Database',
'Specify & control the NSS Database')
group.add_argument('-d',
'--db-name',
help='NSS database name (e.g. "sql:pki")')
group.add_argument('-P', '--db-passwd', help='NSS database password')
# === Certificate Group ===
group = parser.add_argument_group('Certificate',
'Specify how the certificate is loaded')
group.add_argument('-f',
'--file',
dest='cert_filename',
help='read cert from file')
group.add_argument('-F',
'--input-format',
choices=['pem', 'der'],
help='format of input cert')
group.add_argument(
'-n',
'--nickname',
dest='cert_nickname',
help='load cert from NSS database by looking it up under this nickname'
)
# === Validation Group ===
group = parser.add_argument_group('Validation', 'Control the validation')
group.add_argument(
'-u',
'--usage',
dest='cert_usage',
action='append',
choices=list(cert_usage_map.keys()),
help='certificate usage flags, may be specified multiple times')
group.add_argument('-c',
'--check-sig',
action='store_true',
dest='check_sig',
help='check signature')
group.add_argument('-C',
'--no-check-sig',
action='store_false',
dest='check_sig',
help='do not check signature')
group.add_argument('-l',
'--log',
action='store_true',
dest='with_log',
help='use verify log')
group.add_argument('-L',
'--no-log',
action='store_false',
dest='with_log',
help='do not use verify log')
group.add_argument('-a',
'--check-ca',
action='store_true',
dest='check_ca',
help='check if cert is CA')
group.add_argument('-A',
'--no-check-ca',
action='store_false',
dest='check_ca',
help='do not check if cert is CA')
# === Miscellaneous Group ===
group = parser.add_argument_group('Miscellaneous', 'Miscellaneous options')
group.add_argument('-p',
'--print-cert',
action='store_true',
dest='print_cert',
help='print the certificate in a friendly fashion')
parser.set_defaults(
db_name='sql:pki',
db_passwd='db_passwd',
input_format='pem',
check_sig=True,
with_log=True,
check_ca=True,
print_cert=False,
)
options = parser.parse_args()
# Process the command line arguments
# Get usage bitmask
if options.cert_usage:
intended_usage = 0
for usage in options.cert_usage:
try:
flag = cert_usage_map[usage]
except KeyError:
print("Unknown usage '%s', valid values: %s" %
(usage, ', '.join(sorted(cert_usage_map.keys()))))
return 1
else:
intended_usage |= flag
else:
# We can't use nss.certificateUsageCheckAllUsages here because
# it's a special value of zero instead of being the bitwise OR
# of all the certificateUsage* flags (go figure!)
intended_usage = 0
for usage in list(cert_usage_map.values()):
intended_usage |= usage
if options.cert_filename and options.cert_nickname:
print(
"You may not specify both a cert filename and a nickname, only one or the other",
file=sys.stderr)
return 1
if not options.cert_filename and not options.cert_nickname:
print("You must specify either a cert filename or a nickname to load",
file=sys.stderr)
return 1
# Initialize NSS.
print(indented_output('NSS Database', options.db_name))
print()
nss.nss_init(options.db_name)
certdb = nss.get_default_certdb()
nss.set_password_callback(password_callback)
# Load the cert
if options.cert_filename:
# Read the certificate as DER encoded data then initialize a Certificate from the DER data
filename = options.cert_filename
si = nss.read_der_from_file(filename,
options.input_format.lower() == 'pem')
# Parse the DER encoded data returning a Certificate object
cert = nss.Certificate(si)
else:
try:
cert = nss.find_cert_from_nickname(options.cert_nickname)
except Exception as e:
print(e)
print('Unable to load cert nickname "%s" from database "%s"' % \
(options.cert_nickname, options.db_name), file=sys.stderr)
return 1
# Dump the cert if the user wants to see it
if options.print_cert:
print(cert)
else:
print(indented_output('cert subject', cert.subject))
print()
# Dump the usages attached to the cert
print(
indented_output('cert has these usages',
nss.cert_type_flags(cert.cert_type)))
# Should we check if the cert is a CA cert?
if options.check_ca:
# CA Cert?
is_ca, cert_type = cert.is_ca_cert(True)
print()
print(indented_output('is CA cert boolean', is_ca))
print(
indented_output('is CA cert returned usages',
nss.cert_type_flags(cert_type)))
print()
print(
indented_output('verifying usages for',
nss.cert_usage_flags(intended_usage)))
print()
# Use the log or non-log variant to verify the cert
#
# Note: Anytime a NSPR or NSS function returns an error in python-nss it
# raises a NSPRError exception. When an exception is raised the normal
# return values are discarded because the flow of control continues at
# the first except block prepared to catch the exception. Normally this
# is what is desired because the return values would be invalid due to
# the error. However the certificate verification functions are an
# exception (no pun intended). An error might be returned indicating the
# cert failed verification but you may still need access to the returned
# usage bitmask and the log (if using the log variant). To handle this a
# special error exception `CertVerifyError` (derived from `NSPRError`)
# is defined which in addition to the normal NSPRError fields will also
# contain the returned usages and optionally the CertVerifyLog
# object. If no exception is raised these are returned as normal return
# values.
approved_usage = 0
if options.with_log:
try:
approved_usage, log = cert.verify_with_log(certdb,
options.check_sig,
intended_usage, None)
except nss_error.CertVerifyError as e:
# approved_usage and log available in CertVerifyError exception on failure.
print(e)
print()
print(indented_obj('log', e.log))
print()
print(
indented_output('approved usages from exception',
nss.cert_usage_flags(e.usages)))
approved_usage = e.usages # Get the returned usage bitmask from the exception
except Exception as e:
print(e)
else:
print(
indented_output('approved usages',
nss.cert_usage_flags(approved_usage)))
if log.count:
print()
print(indented_obj('log', log))
else:
try:
approved_usage = cert.verify(certdb, options.check_sig,
intended_usage, None)
except nss_error.CertVerifyError as e:
# approved_usage available in CertVerifyError exception on failure.
print(e)
print(
indented_output('approved usages from exception',
nss.cert_usage_flags(e.usages)))
approved_usage = e.usages # Get the returned usage bitmask from the exception
except Exception as e:
print(e)
else:
print(
indented_output('approved usages',
nss.cert_usage_flags(approved_usage)))
# The cert is valid if all the intended usages are in the approved usages
valid = (intended_usage & approved_usage) == intended_usage
print()
if valid:
print(
indented_output('SUCCESS: cert is approved for',
nss.cert_usage_flags(intended_usage)))
return 0
else:
print(
indented_output(
'FAIL: cert not approved for',
nss.cert_usage_flags(intended_usage ^ approved_usage)))
return 1
def __init__(self):
self.certdb_dir = os.path.expanduser(config.NSS_DB_DIR)
nss.nss_init(self.certdb_dir)
nss.enable_ocsp_checking()
self.certdb = nss.get_default_certdb()
def main():
global options
parser = argparse.ArgumentParser(description='certificate validation example')
# === NSS Database Group ===
group = parser.add_argument_group('NSS Database',
'Specify & control the NSS Database')
group.add_argument('-d', '--db-name',
help='NSS database name (e.g. "sql:pki")')
group.add_argument('-P', '--db-passwd',
help='NSS database password')
# === Certificate Group ===
group = parser.add_argument_group('Certificate',
'Specify how the certificate is loaded')
group.add_argument('-f', '--file', dest='cert_filename',
help='read cert from file')
group.add_argument('-F', '--input-format', choices=['pem', 'der'],
help='format of input cert')
group.add_argument('-n', '--nickname', dest='cert_nickname',
help='load cert from NSS database by looking it up under this nickname')
# === Validation Group ===
group = parser.add_argument_group('Validation',
'Control the validation')
group.add_argument('-u', '--usage', dest='cert_usage', action='append', choices=list(cert_usage_map.keys()),
help='certificate usage flags, may be specified multiple times')
group.add_argument('-c', '--check-sig', action='store_true', dest='check_sig',
help='check signature')
group.add_argument('-C', '--no-check-sig', action='store_false', dest='check_sig',
help='do not check signature')
group.add_argument('-l', '--log', action='store_true', dest='with_log',
help='use verify log')
group.add_argument('-L', '--no-log', action='store_false', dest='with_log',
help='do not use verify log')
group.add_argument('-a', '--check-ca', action='store_true', dest='check_ca',
help='check if cert is CA')
group.add_argument('-A', '--no-check-ca', action='store_false', dest='check_ca',
help='do not check if cert is CA')
# === Miscellaneous Group ===
group = parser.add_argument_group('Miscellaneous',
'Miscellaneous options')
group.add_argument('-p', '--print-cert', action='store_true', dest='print_cert',
help='print the certificate in a friendly fashion')
parser.set_defaults(db_name = 'sql:pki',
db_passwd = 'db_passwd',
input_format = 'pem',
check_sig = True,
with_log = True,
check_ca = True,
print_cert = False,
)
options = parser.parse_args()
# Process the command line arguments
# Get usage bitmask
if options.cert_usage:
intended_usage = 0
for usage in options.cert_usage:
try:
flag = cert_usage_map[usage]
except KeyError:
print("Unknown usage '%s', valid values: %s" % (usage, ', '.join(sorted(cert_usage_map.keys()))))
return 1
else:
intended_usage |= flag
else:
# We can't use nss.certificateUsageCheckAllUsages here because
# it's a special value of zero instead of being the bitwise OR
# of all the certificateUsage* flags (go figure!)
intended_usage = 0
for usage in list(cert_usage_map.values()):
intended_usage |= usage
if options.cert_filename and options.cert_nickname:
print("You may not specify both a cert filename and a nickname, only one or the other", file=sys.stderr)
return 1
if not options.cert_filename and not options.cert_nickname:
print("You must specify either a cert filename or a nickname to load", file=sys.stderr)
return 1
# Initialize NSS.
print(indented_output('NSS Database', options.db_name))
print()
nss.nss_init(options.db_name)
certdb = nss.get_default_certdb()
nss.set_password_callback(password_callback)
# Load the cert
if options.cert_filename:
# Read the certificate as DER encoded data then initialize a Certificate from the DER data
filename = options.cert_filename
si = nss.read_der_from_file(filename, options.input_format.lower() == 'pem')
# Parse the DER encoded data returning a Certificate object
cert = nss.Certificate(si)
else:
try:
cert = nss.find_cert_from_nickname(options.cert_nickname)
except Exception as e:
print(e)
print('Unable to load cert nickname "%s" from database "%s"' % \
(options.cert_nickname, options.db_name), file=sys.stderr)
return 1
# Dump the cert if the user wants to see it
if options.print_cert:
print(cert)
else:
print(indented_output('cert subject', cert.subject))
print()
# Dump the usages attached to the cert
print(indented_output('cert has these usages', nss.cert_type_flags(cert.cert_type)))
# Should we check if the cert is a CA cert?
if options.check_ca:
# CA Cert?
is_ca, cert_type = cert.is_ca_cert(True)
print()
print(indented_output('is CA cert boolean', is_ca))
print(indented_output('is CA cert returned usages', nss.cert_type_flags(cert_type)))
print()
print(indented_output('verifying usages for', nss.cert_usage_flags(intended_usage)))
print()
# Use the log or non-log variant to verify the cert
#
# Note: Anytime a NSPR or NSS function returns an error in python-nss it
# raises a NSPRError exception. When an exception is raised the normal
# return values are discarded because the flow of control continues at
# the first except block prepared to catch the exception. Normally this
# is what is desired because the return values would be invalid due to
# the error. However the certificate verification functions are an
# exception (no pun intended). An error might be returned indicating the
# cert failed verification but you may still need access to the returned
# usage bitmask and the log (if using the log variant). To handle this a
# special error exception `CertVerifyError` (derived from `NSPRError`)
# is defined which in addition to the normal NSPRError fields will also
# contain the returned usages and optionally the CertVerifyLog
# object. If no exception is raised these are returned as normal return
# values.
approved_usage = 0
if options.with_log:
try:
approved_usage, log = cert.verify_with_log(certdb, options.check_sig, intended_usage, None)
except nss_error.CertVerifyError as e:
# approved_usage and log available in CertVerifyError exception on failure.
print(e)
print()
print(indented_obj('log', e.log))
print()
print(indented_output('approved usages from exception', nss.cert_usage_flags(e.usages)))
approved_usage = e.usages # Get the returned usage bitmask from the exception
except Exception as e:
print(e)
else:
print(indented_output('approved usages', nss.cert_usage_flags(approved_usage)))
if log.count:
print()
print(indented_obj('log', log))
else:
try:
approved_usage = cert.verify(certdb, options.check_sig, intended_usage, None)
except nss_error.CertVerifyError as e:
# approved_usage available in CertVerifyError exception on failure.
print(e)
print(indented_output('approved usages from exception', nss.cert_usage_flags(e.usages)))
approved_usage = e.usages # Get the returned usage bitmask from the exception
except Exception as e:
print(e)
else:
print(indented_output('approved usages', nss.cert_usage_flags(approved_usage)))
# The cert is valid if all the intended usages are in the approved usages
valid = (intended_usage & approved_usage) == intended_usage
print()
if valid:
print(indented_output('SUCCESS: cert is approved for', nss.cert_usage_flags(intended_usage)))
return 0
else:
print(indented_output('FAIL: cert not approved for', nss.cert_usage_flags(intended_usage ^ approved_usage)))
return 1
net_addr.port = port
if use_ssl:
sock = ssl.SSLSocket(net_addr.family)
# Set client SSL socket options
sock.set_ssl_option(ssl.SSL_SECURITY, True)
sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
sock.set_hostname(hostname)
# Provide a callback which notifies us when the SSL handshake is complete
sock.set_handshake_callback(handshake_callback)
# Provide a callback to supply our client certificate info
sock.set_client_auth_data_callback(client_auth_data_callback, client_nickname,
password, nss.get_default_certdb())
# Provide a callback to verify the servers certificate
sock.set_auth_certificate_callback(auth_certificate_callback,
nss.get_default_certdb())
else:
sock = io.Socket(net_addr.family)
try:
print "client trying connection to: %s" % (net_addr)
sock.connect(net_addr, timeout=io.seconds_to_interval(timeout_secs))
print "client connected to: %s" % (net_addr)
valid_addr = True
break
except Exception, e:
sock.close()
from conf import config
if __name__ == "__main__":
parser = optparse.OptionParser("usage: %prog -f <folder with certificates> ")
parser.add_option("-f", "--folder", dest="folder", help="Directory that holds certificates")
(opts, args) = parser.parse_args()
if opts.folder is None:
parser.error("Specify the name of directory")
path = os.path.expanduser(opts.folder)
certdb_dir = os.path.expanduser(config.NSS_DB_DIR)
nss.nss_init(certdb_dir)
certdb = nss.get_default_certdb()
db = PinDB("pfc", "keycontinuity")
for i in os.listdir(path):
file = os.path.join(path, i)
if os.path.isfile(file):
# f = open(file).readlines()
# f = ''.join(f)
try:
a = M2Crypto.X509.load_cert(file, format=FORMAT_DER)
except:
# we should transform PEM encoding to DER
cmdstr = ["openssl", "x509", "-in", file, "-inform", "PEM", "-out", file, "-outform", "DER"]
subprocess.call(cmdstr)
a = M2Crypto.X509.load_cert(file, format=FORMAT_DER)
def server():
global family
if verbose: print "starting server:"
# Initialize
# Setup an IP Address to listen on any of our interfaces
if family == io.PR_AF_UNSPEC:
family = io.PR_AF_INET
net_addr = io.NetworkAddress(io.PR_IpAddrAny, port, family)
if use_ssl:
if info: print "server: using SSL"
ssl.set_domestic_policy()
nss.set_password_callback(password_callback)
# Perform basic SSL server configuration
ssl.set_default_cipher_pref(ssl.SSL_RSA_WITH_NULL_MD5, True)
ssl.config_server_session_id_cache()
# Get our certificate and private key
server_cert = nss.find_cert_from_nickname(server_nickname, password)
priv_key = nss.find_key_by_any_cert(server_cert, password)
server_cert_kea = server_cert.find_kea_type()
#if verbose: print "server cert:\n%s" % server_cert
sock = ssl.SSLSocket(net_addr.family)
# Set server SSL socket options
sock.set_pkcs11_pin_arg(password)
sock.set_ssl_option(ssl.SSL_SECURITY, True)
sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_SERVER, True)
# If we're doing client authentication then set it up
if client_cert_action >= REQUEST_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUEST_CERTIFICATE, True)
if client_cert_action == REQUIRE_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUIRE_CERTIFICATE, True)
sock.set_auth_certificate_callback(auth_certificate_callback,
nss.get_default_certdb())
# Configure the server SSL socket
sock.config_secure_server(server_cert, priv_key, server_cert_kea)
else:
sock = io.Socket(net_addr.family)
# Bind to our network address and listen for clients
sock.bind(net_addr)
if verbose: print "listening on: %s" % (net_addr)
sock.listen()
while True:
# Accept a connection from a client
client_sock, client_addr = sock.accept()
if use_ssl:
client_sock.set_handshake_callback(handshake_callback)
if verbose: print "client connect from: %s" % (client_addr)
while True:
try:
# Handle the client connection
buf = client_sock.recv(1024)
if not buf:
print >> sys.stderr, "server: lost lost connection to %s" % (
client_addr)
break
if info: print "server: received \"%s\"" % (buf)
reply = "{%s}" % buf # echo
if info: print "server: sending \"%s\"" % (reply)
client_sock.send(reply) # echo
time.sleep(sleep_time)
client_sock.shutdown()
client_sock.close()
break
except Exception, e:
print >> sys.stderr, "server: %s" % e
break
break
def Server():
global family
# Perform basic SSL server configuration
ssl.set_default_cipher_pref(ssl.SSL_RSA_WITH_NULL_MD5, True)
ssl.config_server_session_id_cache()
# Get our certificate and private key
server_cert = nss.find_cert_from_nickname(server_nickname, password)
priv_key = nss.find_key_by_any_cert(server_cert, password)
server_cert_kea = server_cert.find_kea_type()
print "server cert:\n%s" % server_cert
# Setup an IP Address to listen on any of our interfaces
if family == io.PR_AF_UNSPEC:
family = io.PR_AF_INET
net_addr = io.NetworkAddress(io.PR_IpAddrAny, port, family)
if use_ssl:
sock = ssl.SSLSocket(net_addr.family)
# Set server SSL socket options
sock.set_pkcs11_pin_arg(password)
sock.set_ssl_option(ssl.SSL_SECURITY, True)
sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_SERVER, True)
# If we're doing client authentication then set it up
if client_cert_action >= REQUEST_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUEST_CERTIFICATE, True)
if client_cert_action == REQUIRE_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUIRE_CERTIFICATE, True)
sock.set_auth_certificate_callback(auth_certificate_callback,
nss.get_default_certdb())
# Configure the server SSL socket
sock.config_secure_server(server_cert, priv_key, server_cert_kea)
else:
sock = io.Socket(net_addr.family)
# Bind to our network address and listen for clients
sock.bind(net_addr)
print "listening on: %s" % (net_addr)
sock.listen()
while True:
# Accept a connection from a client
client_sock, client_addr = sock.accept()
if use_ssl:
client_sock.set_handshake_callback(handshake_callback)
print "client connect from: %s" % (client_addr)
while True:
try:
# Handle the client connection
buf = client_sock.recv(1024)
if not buf:
print "server lost lost connection to %s" % (client_addr)
break
print "server received: %s" % (buf)
client_sock.send("Goodbye")
try:
client_sock.shutdown(io.PR_SHUTDOWN_RCV)
client_sock.close()
except:
pass
break
except Exception, e:
print e.strerror
break
break
def server():
if verbose:
print("starting server:")
# Initialize
# Setup an IP Address to listen on any of our interfaces
net_addr = io.NetworkAddress(io.PR_IpAddrAny, port)
if use_ssl:
if info:
print("server: using SSL")
ssl.set_domestic_policy()
nss.set_password_callback(password_callback)
# Perform basic SSL server configuration
ssl.set_default_cipher_pref(ssl.SSL_RSA_WITH_NULL_MD5, True)
ssl.config_server_session_id_cache()
# Get our certificate and private key
server_cert = nss.find_cert_from_nickname(server_nickname, password)
priv_key = nss.find_key_by_any_cert(server_cert, password)
server_cert_kea = server_cert.find_kea_type();
#if verbose:
# print("server cert:\n%s" % server_cert)
sock = ssl.SSLSocket(net_addr.family)
# Set server SSL socket options
sock.set_pkcs11_pin_arg(password)
sock.set_ssl_option(ssl.SSL_SECURITY, True)
sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_SERVER, True)
# If we're doing client authentication then set it up
if client_cert_action >= REQUEST_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUEST_CERTIFICATE, True)
if client_cert_action == REQUIRE_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUIRE_CERTIFICATE, True)
sock.set_auth_certificate_callback(auth_certificate_callback, nss.get_default_certdb())
# Configure the server SSL socket
sock.config_secure_server(server_cert, priv_key, server_cert_kea)
else:
sock = io.Socket(net_addr.family)
# Bind to our network address and listen for clients
sock.bind(net_addr)
if verbose:
print("listening on: %s" % (net_addr))
sock.listen()
while True:
# Accept a connection from a client
client_sock, client_addr = sock.accept()
if use_ssl:
client_sock.set_handshake_callback(handshake_callback)
if verbose:
print("client connect from: %s" % (client_addr))
while True:
try:
# Handle the client connection
buf = client_sock.readline() # newline is protocol record separator
if not buf:
print("server: lost lost connection to %s" % (client_addr), file=sys.stderr)
break
buf = buf.decode('utf-8')
buf = buf.rstrip() # remove newline record separator
if info:
print("server: received \"%s\"" % (buf))
reply = "{%s}" % buf # echo embedded inside braces
if info:
print("server: sending \"%s\"" % (reply))
data = reply + "\n" # send echo with record separator
client_sock.send(data.encode('utf-8'))
time.sleep(sleep_time)
client_sock.shutdown()
client_sock.close()
break
except Exception as e:
print("server: %s" % e, file=sys.stderr)
break
break
# Clean up
sock.shutdown()
sock.close()
if use_ssl:
ssl.shutdown_server_session_id_cache()
