def configure(app):
POSTGRES = {
'user': '******',
'pw': 'root',
'db': 'db_ocsp',
'host': 'localhost',
'port': '5432',
}
app.config['SQLALCHEMY_DATABASE_URI'] = 'postgresql://%(user)s:\
%(pw)s@%(host)s:%(port)s/%(db)s' % POSTGRES
register_extensions(app)
app.config.from_pyfile('config.py')
app.config.from_pyfile
pem_responder_cert = pem.parse_file(app.config['CERT_PATH'])[0]
pem_responder_key = pem.parse_file(app.config['KEY_PATH'])[0]
app.config['CERT'] = load_pem_x509_certificate(
pem_responder_cert.as_bytes(),
backend=default_backend()
)
app.config['KEY'] = load_pem_private_key(
pem_responder_key.as_bytes(),
password=None,
backend=default_backend()
)
def main(files, check_chain, root_certs, details, quiet):
''' Expects PEM files formatted as
Private key -> Certificate -> Certificate chain
Checks each file in turn for private key/cert mismatches, expired certs, and valid chain of trust.
'''
root_certs = [str(c) for c in pem.parse_file(root_certs)]
for filename in files:
certs = [str(c) for c in pem.parse_file(filename)]
key, crt, chain = (lambda key, crt, *chain:
(key, crt, list(chain)))(*certs)
if details:
msg_details = "{} (CN: {} SAN: {})".format(
filename,
get_subject(crt).commonName, get_san(crt))
else:
msg_details = filename
if not private_key_matches_certificate(key, crt):
error_msg("key/cert mismatch", msg_details)
continue
if certificate_expired(crt):
error_msg("certificate expired", msg_details)
continue
if check_chain and not verify_chain_of_trust(crt, root_certs + chain):
error_msg("can't verify chain of trust", msg_details)
continue
if not quiet:
verified_msg(msg_details)
def get_cert_and_key(self, subdomain):
cert = ''
key = ''
key_path = self.get_key_path(subdomain)
if not os.path.exists(key_path):
raise ValueError('key not found: {}'.format(key_path))
key = str(pem.parse_file(key_path)[0])
cert_path = self.get_cert_path(subdomain)
if not os.path.exists(cert_path):
raise ValueError('cert not found: {}'.format(cert_path))
cert = str(pem.parse_file(cert_path)[0])
return cert, key, subdomain
def main(filename, check_chain):
certs = [str(c) for c in pem.parse_file(filename)]
root_certs = [
str(c) for c in pem.parse_file('/etc/pki/tls/certs/ca-bundle.crt')
]
if check_associate_cert_with_private_key(certs[1], certs[0]):
if check_chain:
if verify_chain_of_trust(certs[1], certs[2:] + root_certs):
print filename, "VERIFIED"
else:
print filename, "FAILED: can't verify chain of trust"
else:
print filename, "VERIFIED"
else:
print filename, "FAILED: key/cert mismatch"
def test_add_and_remove_authority():
bundle = X509Bundle(trust_domain, None)
pem_certs = pem.parse_file(_TEST_CERTS_PATH.format('certs.pem'))
x509_cert_1 = x509.load_pem_x509_certificate(pem_certs[0].as_bytes(),
default_backend())
x509_cert_2 = x509.load_pem_x509_certificate(pem_certs[1].as_bytes(),
default_backend())
# adding an object to the returned set, as it is a copy, it doesn't change the bundle
bundle.x509_authorities().add(x509_cert_1)
assert len(bundle.x509_authorities()) == 0
bundle.add_authority(x509_cert_1)
bundle.add_authority(x509_cert_2)
assert len(bundle.x509_authorities()) == 2
# repeat the adds
bundle.add_authority(x509_cert_1)
bundle.add_authority(x509_cert_2)
assert len(bundle.x509_authorities()) == 2
for a in bundle.x509_authorities():
assert isinstance(a, Certificate)
assert 'CN=PEMUTILTEST' in a.subject.rfc4514_string()
bundle.remove_authority(x509_cert_1)
assert len(bundle.x509_authorities()) == 1
bundle.remove_authority(x509_cert_2)
assert len(bundle.x509_authorities()) == 0
# removing an authority that is not present, do nothing
bundle.remove_authority(x509_cert_1)
bundle.remove_authority(x509_cert_2)
def load_revokations(self):
"""
Load PEM formatted certificates that are no longer trustworthy
and store the suject and issuer.
`cert_list` is the path to a file that contains glob-like patterns
to PEM-formatted certificates.
"""
revoke_file = self.revoke_file
revoke_state = self.revoke_state
if revoke_file is not None:
last_mod_time = revoke_state['last_mod_time']
fp = FilePath(revoke_file)
if not fp.exists():
return
mod_time = fp.getModificationTime()
if last_mod_time is None or mod_time > last_mod_time:
log.msg("[INFO] Loading revoked certificate files specified in '{0}'.".format(
revoke_file))
revoke_state['last_mod_time'] = mod_time
revoked = set([])
with open(revoke_file) as f:
for line in f:
pattern = line.rstrip('\r\n')
if pattern == '' or pattern.startswith('#'):
continue
for path in glob.glob(pattern):
certs = [pem_cert_to_x509(cert)
for cert in pem.parse_file(path)]
for certificate in certs:
revoked.add((
tuple(certificate.get_subject().get_components()),
tuple(certificate.get_issuer().get_components())))
revoke_state['revoked'] = revoked
def createSSLContext_(**kwargs):
privateKey = kwargs.get('privateKey', None)
assert privateKey is not None, '`tls:` endpoint requires `privateKey` option.'
certKey = kwargs.get('certKey', privateKey)
extraCertChain = kwargs.get('extraCertChain', None)
sslmethod = kwargs.get('sslmethod', None)
dhParameters = kwargs.get('dhParameters', None)
authorities_file = kwargs.get('authorities', None)
if authorities_file is not None:
verify_client = True
else:
verify_client = False
pem_files = [privateKey, certKey]
if extraCertChain is not None:
pem_files.append(extraCertChain)
kwds = {'method': SSL.SSLv23_METHOD}
if verify_client:
authorities = [pem_cert_to_x509(cert)
for cert in pem.parse_file(authorities_file)]
kwds['caCerts'] = authorities
kwds['verify'] = verify_client
if dhParameters is not None:
kwds['dhParameters'] = pem.DiffieHellmanParameters.fromFile(dhParameters)
ctxFactory = pem.certificateOptionsFromFiles(
*pem_files,
**kwds)
ssl_context = ctxFactory.getContext()
ssl_context.set_options(SSL.OP_NO_SSLv2)
if sslmethod is not None:
ssl_method_options = sslmethod.split('+')
for ssl_opt in ssl_method_options:
ssl_context.set_options(ssl_opt)
return (verify_client, ctxFactory)
def modifycacerts_pkcs12(id, outputdir, password):
"""
Modifies the ca certificates in a pkcs12.
Arguments: id - unique identifier to identify key and csr. These will be out to files based on the id
Returns: The p12 object
"""
# st_cert=open(cert, 'rt').read()
# cert = crypto.load_certificate(c.FILETYPE_PEM, cert)
p12file = os.path.join(outputdir, id + '.p12')
p12 = OpenSSL.crypto.load_pkcs12(open(p12file, "rb").read(), password)
try:
#f = open(cacert, 'rt')
cacertlist = pem.parse_file(cacert)
x509cacertlist = []
#cacertlist = []
for cert in range(len(cacertlist)):
x509cacertlist.append(
OpenSSL.crypto.load_certificate(crypto.FILETYPE_PEM,
cacertlist[cert].as_bytes()))
p12.set_ca_certificates(x509cacertlist)
pkcs12handle = open(p12file, "wb")
pkcs12handle.write(
p12.export(passphrase=password, iter=2048, maciter=2048))
logger.info("PKCS12 Modified for id:%s and written to %s", id, p12file)
pkcs12handle.close()
except crypto.Error as e:
logger.warning("Certificate file '%s' could not be loaded: %s", cacert,
e)
return None
def createSSLContext_(**kwargs):
privateKey = kwargs.get('privateKey', None)
assert privateKey is not None, '`tls:` endpoint requires `privateKey` option.'
certKey = kwargs.get('certKey', privateKey)
extraCertChain = kwargs.get('extraCertChain', None)
sslmethod = kwargs.get('sslmethod', None)
dhParameters = kwargs.get('dhParameters', None)
authorities_file = kwargs.get('authorities', None)
if authorities_file is not None:
verify_client = True
else:
verify_client = False
pem_files = [privateKey, certKey]
if extraCertChain is not None:
pem_files.append(extraCertChain)
kwds = {'method': SSL.SSLv23_METHOD}
if verify_client:
authorities = [
pem_cert_to_x509(cert) for cert in pem.parse_file(authorities_file)
]
kwds['caCerts'] = authorities
kwds['verify'] = verify_client
if dhParameters is not None:
kwds['dhParameters'] = pem.DiffieHellmanParameters.fromFile(
dhParameters)
ctxFactory = pem.certificateOptionsFromFiles(*pem_files, **kwds)
ssl_context = ctxFactory.getContext()
ssl_context.set_options(SSL.OP_NO_SSLv2)
if sslmethod is not None:
ssl_method_options = sslmethod.split('+')
for ssl_opt in ssl_method_options:
ssl_context.set_options(ssl_opt)
return (verify_client, ctxFactory)
def _load_from_directory(self, fpath, filetype):
#######################################################################
"""Helper function to read in (keys|certs) and store them correctly"""
#######################################################################
try:
print("Loading certs into database")
for fname in tqdm(listdir(fpath)):
if fname.endswith(tuple(self.extensions[filetype])):
uid = fname.split(".")[0]
filepath = path.join(fpath, fname)
if filetype == "certificate":
self.load_db(
uid, certlist=[x.as_text() for x in parse_file(filepath)]
)
elif filetype == "key":
session = sessionmaker(bind=self.args["db"]["engine"])()
create_or_update(
session,
Recipient,
unique_identifiers=["name"],
**{
"name": uid,
"key": filepath,
},
)
session.commit()
except OSError as error:
raise FileOpenError(fpath, str(error.strerror)) from error
def test_loads_certifi(self):
"""
Loading certifi returns a list of Certificates.
"""
cas = pem.parse_file(certifi.where())
assert isinstance(cas, list)
assert all(isinstance(ca, pem.Certificate) for ca in cas)
def ca_store(cls):
crt_paths = os.environ.get('CRT_PATH', '/etc/ssl')
crt_flush = os.environ.get('CRT_FLUSH')
if hasattr(cls, 'store') and not crt_flush:
return cls.store
else:
cls.store = crypto.X509Store()
suffix = r'(.+)\.(crt|pem)$'
for crt_path in crt_paths.split(':'):
for root, ds, fs in os.walk(crt_path):
for p in filter(lambda f: re.match(suffix, f), fs):
for cert in pem.parse_file(os.path.join(root, p)):
try:
cls.store.add_cert(
crypto.load_certificate(
crypto.FILETYPE_PEM, cert.as_bytes()))
except crypto.Error:
pass
return cls.store
def get_pem_text_from_file(private_key_path: str) -> str:
'''
Parses the pem file to get its value as unicode text.
Check the pem permission, parse file generates
a list of PEM objects and return plain text from it.
Args:
private_key_path (str): Path to the private key file.
Returns:
str: Text from PEM parsed file
Raises:
PermissionError: PEM File is not accessible
ValueError: PEM file is invalid, no certificates found.
'''
if not os.access(private_key_path, os.R_OK):
raise PermissionError()
certs = pem.parse_file(private_key_path)
if not certs:
raise ValueError('Invalid pem file.')
return certs[0].as_text()
def _generateJWT(self, pem_file):
"""
Generates Json web token
Method will take the permissions (.pem) file provided and populate the json web token
attribute
"""
# iss is the app id
# Ensuring that we request an access token that expires after a minute
payload = {
"iat": datetime.datetime.utcnow(),
"exp": datetime.datetime.utcnow() + datetime.timedelta(seconds=60),
"iss": self._app_id,
}
PEM = ""
if pem_file == "":
if "GITHUB_APP_PEM" in os.environ:
pem_file = os.environ.get("GITHUB_APP_PEM")
else:
error_msg = "A pem file has not been specified and GITHUB_APP_PEM env varaible is not defined"
raise Exception(error_msg)
self._log.info("File loc %s" % pem_file)
certs = pem.parse_file(pem_file)
PEM = str(certs[0])
if PEM == "":
error_msg = (
"No permissions enabled for parthenon metrics app, either a pem file needs to "
"be provided or the GITHUB_APP_PEM variable needs to be defined"
)
raise Exception(error_msg)
self._jwt_token = jwt.encode(payload, PEM,
algorithm="RS256").decode("utf-8")
def load_starttls_trust_anchor(self, pem_path):
"""
Load the startTLS trust anchor from a file in PEM format.
"""
log = self.log
if not self.use_starttls:
return
if pem_path is None:
return
starttls_hostname = six.u(self.starttls_hostname)
log.debug("type: {type}, value: {value}",
type=type(starttls_hostname),
value=starttls_hostname)
assert starttls_hostname is not None, "Must set option `starttls_hostname` when using `starttls_trust_anchor`."
log.debug("Reading PEM file {pem_path}.", pem_path=pem_path)
#with open(pem_path, "r") as f:
# data = f.read()
#authority = ssl.Certificate.loadPEM(data)
certs = pem.parse_file(pem_path)
log.debug("Length `certs`: {len}", len=len(certs))
for c in certs:
log.debug("Cert: {cert}", cert=str(c))
authority = ssl.Certificate.loadPEM('\n'.join(
str(cert) for cert in certs))
log.debug("StartTLS authority: {authority}",
authority=authority.inspect())
log.debug("StartTLS hostname: '{hostname}'",
hostname=starttls_hostname)
self.starttls_trust_anchor = ssl.optionsForClientTLS(
starttls_hostname, authority)
def test_loads_certifi(self):
"""
Loading certifi returns a list of Certificates.
"""
cas = pem.parse_file(certifi.where())
assert isinstance(cas, list)
assert all(isinstance(ca, pem.Certificate) for ca in cas)
def test_get_pem_text_from_file_parses_the_pem_file(lti_config_environ):
pem_key = os.environ.get('LTI13_PRIVATE_KEY')
certs = pem.parse_file(pem_key)
with patch.object(pem, 'parse_file',
return_value=certs) as mock_pem_parse_file:
get_pem_text_from_file(pem_key)
assert mock_pem_parse_file.called
def get_token(name):
payload = requests.get('http://localhost:8000/api/payload/' + name)
KEY = pem.parse_file('../keys/sluicekey.pem')
print(payload.status_code)
payload_json = json.loads(payload.text)
print(payload.text)
token = jwt.encode(payload_json, str(KEY[0]), algorithm='RS512')
return token
def __call__(self, parser, namespace, values, option_string=None):
try:
pem_parsed = pem.parse_file(values)
if not isinstance(pem_parsed, list) or len(pem_parsed) != 1:
raise TypeError('PEM file is not valid')
setattr(namespace, self.dest, values)
except Exception as e:
parser.error(e)
def count_keys_in_file(pem_path):
counter = 0
for raw_pem in pem.parse_file(pem_path):
if type(raw_pem) == pem._core.PrivateKey:
counter += 1
elif type(raw_pem) == pem._core.RSAPrivateKey:
counter += 1
return counter
def add_pki_cert(self, filename, trusted):
certs = []
for cert in pem.parse_file(filename):
content = "".join(cert.as_text().splitlines()[1:-1])
resp = self.post(amt.wsman.add_cert(self.path, content, trusted))
rv = _return_value(resp, AMT_PublicKeyManagementService)
selector = _find_node(resp, _WSMAN, "Selector")
certs.append((rv, None if selector is None else selector.text))
return certs
def lndconnect_node(node):
chain = pem.parse_file(node.cert())
chainCert = ssl.Certificate.loadPEM(str(chain[0]))
cert = base64.urlsafe_b64encode(chainCert.dump())
with open(node.macaroon(), 'rb') as macaroon_file:
macaroon = base64.urlsafe_b64encode(macaroon_file.read())
click.echo(click.style(f'lndconnect://127.0.0.1:{node.rpc_port}?cert={cert.decode()}&macaroon={macaroon.decode()}', fg='green'))
def sign_pki_csr(self, filename, selector):
requests = []
for request in pem.parse_file(filename):
content = "".join(request.as_text().splitlines()[1:-1])
resp = self.post(amt.wsman.sign_pki_csr(self.path, content, "InstanceID", selector))
rv = _return_value(resp, AMT_PublicKeyManagementService)
signed_request = _find_node(resp, AMT_PublicKeyManagementService, "SignedCertificateRequest")
requests.append((rv, None if signed_request is None else signed_request.text))
return requests
def add_pki_key(self, filename):
keys = []
for key in pem.parse_file(filename):
content = "".join(key.as_text().splitlines()[1:-1])
resp = self.post(amt.wsman.add_key(self.path, content))
rv = _return_value(resp, AMT_PublicKeyManagementService)
selector = _find_node(resp, _WSMAN, "Selector")
keys.append((rv, None if selector is None else selector.text))
return keys
async def test_get_lms_access_token_calls_get_pem_text_from_file(
mock_get_headers_to_jwt, mock_get_pem_text, lti_config_environ,
http_async_httpclient_with_simple_response):
pem_key = os.environ.get('LTI13_PRIVATE_KEY')
mock_get_headers_to_jwt.return_value = None
mock_get_pem_text.return_value = pem.parse_file(pem_key)[0].as_text()
# here we're using a httpclient mocked
await get_lms_access_token('url', pem_key, 'client-id')
assert mock_get_pem_text.called
def test_file(self, tmpdir):
"""
A file with multiple certificate PEMs is parsed into a list of
corresponding Certificates.
"""
certs_file = tmpdir.join('certs.pem')
certs_file.write(b''.join(CERT_PEMS))
certs = pem.parse_file(str(certs_file))
assert all(isinstance(c, pem.Certificate) for c in certs)
assert CERT_PEMS == [cert.as_bytes() for cert in certs]
def getTlsAuthority_(self, startTlsCaCert):
if startTlsCaCert is None:
return None
authorities = [str(cert) for cert in pem.parse_file(startTlsCaCert)]
if len(authorities) != 1:
raise Exception(
("The provided CA cert file, '{0}', "
"contained {1} certificates. It must contain exactly one."
).format(startTlsCaCert, len(authorities)))
return Certificate.loadPEM(authorities[0])
def createCustomPolicyFactoryFromPEMs(*pem_files):
authorities = []
for pem_file in pem_files:
for cert in pem.parse_file(pem_file):
authorities.append(pem_cert_to_x509(cert))
def _policyFactory():
return CustomPolicyForHTTPS(authorities)
return _policyFactory
def test_file(self, tmpdir):
"""
A file with multiple certificate PEMs is parsed into a list of
corresponding Certificates.
"""
certs_file = tmpdir.join('certs.pem')
certs_file.write(''.join(CERT_PEMS))
certs = pem.parse_file(str(certs_file))
assert all(isinstance(c, pem.Certificate) for c in certs)
assert CERT_PEMS == [str(cert) for cert in certs]
def createCustomPolicyFactoryFromPEMs(*pem_files):
authorities = []
for pem_file in pem_files:
for cert in pem.parse_file(pem_file):
authorities.append(pem_cert_to_x509(cert))
def _policyFactory():
return CustomPolicyForHTTPS(authorities)
return _policyFactory
def getTlsAuthority_(self, startTlsCaCert):
if startTlsCaCert is None:
return None
authorities = [str(cert) for cert in pem.parse_file(startTlsCaCert)]
if len(authorities) != 1:
raise Exception(
("The provided CA cert file, '{0}', "
"contained {1} certificates. It must contain exactly one.").format(
startTlsCaCert, len(authorities)))
return Certificate.loadPEM(authorities[0])
def get_certificates_from_pem(file_name, certificates):
"""Finds all certificate entries from PEM file and adds them to given list.
"""
entries = pem.parse_file(file_name)
index = 0
for entry in entries:
if type(entry) == pem.Certificate:
cert = load_certificate(FILETYPE_PEM, entry.as_bytes())
certificates.append(CertEntry(file_name, index, cert))
index = index + 1
def run():
token = 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1ODY4MTYzMTIsImZvbyI6ImJhciIsImlhdCI6MTU4NjgxNjI1MiwianRpIjoiV1VJbkhrT01RSFMzSC1LUURIYUpZdyIsIm5iZiI6MTU4NjgxNjI1Miwid3VwIjo5MH0.Ep0hCSDh5FBTxwbPadjh-9P42ePrcTmWgWNv46oyQrSB6jgA9z3kPlZ9NKK7v_MmrfV_Pj1MlUhs1-Umvyk8Cr6gDVb7Mm9mcqDxf3e-sgmYCMxmPPofTPX_b0-faDzL7K_zjdjHmoVFUpsIBONZ8jU8YBXHxu4sKJXIyPNPiYp2kzffnMj8TClUXmCMRK7mrHYgD0RHXwdo9aJT3glmtnxGYdHqkV6ygiasOC5jGSdYKf3jBKzY10vYocOvsMniT25a8Z-CbeFNWriCCDcBOB3Z74speoGreqxBrqVu5h8AJ0EPQ6GJvrRSToNMQMCddEsqNGanU-Rt0wibTZ7hbg'
key_uri = os.path.join(BASE_DIR, 'afinidata.key')
key_file = pem.parse_file(key_uri)
key_string = str(key_file[0]).encode()
key = jwk.JWK.from_pem(key_string)
try:
header, claims = jwt.verify_jwt(token, key, ['RS256'])
print(header, claims)
except:
print('expired')
def validate_rsa_cert(rsa_cert_file):
"""
Verify that the RSA Certificate File is in our specific format
:param rsa_cert_file:
:return: contents of certificate file
"""
if check_rsa_file(rsa_cert_file, CERTIFICATE_FILE_HEADER):
return pem.parse_file(rsa_cert_file)
else:
print("Invalid RSA Cert!")
exit()
def load_certs_from_file(pem_path):
for raw_pem in pem.parse_file(pem_path):
if type(raw_pem) == pem._core.Certificate:
yield crypto.load_certificate(crypto.FILETYPE_PEM, str(raw_pem))
elif type(raw_pem) == pem._core.PrivateKey:
continue
elif type(raw_pem) == pem._core.RSAPrivateKey:
continue
else:
raise Exception("Invalid PEM file")
def validate_rsa_key(rsa_key_file):
"""
Verify that the RSA Ke file is in our specific format
:param rsa_key_file:
:return: contents of key file
"""
if check_rsa_file(rsa_key_file, KEY_FILE_HEADER):
return pem.parse_file(rsa_key_file)
else:
print("Invalid RSA Key!")
exit()
def get_jira_client():
""" Return a connected JIRA API client, configured by environment """
options = {
'server': os.environ.get('SERVER')
}
key_cert_data = pem.parse_file("mt-jira.pem")
key_cert_data = str(key_cert_data[0])
# key_cert_data = os.environ.get('JIRA_KEY')
# key_cert_data = open('mt-jira.pem', 'r')
oauth_dict = {
'access_token': os.environ.get('ACCESS_TOKEN'),
'access_token_secret': os.environ.get('ACCESS_TOKEN_SECRET'),
'consumer_key': os.environ.get('CONSUMER_KEY'),
'key_cert': key_cert_data
}
return JIRA(options, oauth=oauth_dict)
def test_file(self, tmpdir):
certs_file = tmpdir.join('certs.pem')
certs_file.write(''.join(CERT_PEMS))
certs = pem.parse_file(str(certs_file))
assert CERT_PEMS == [str(cert) for cert in certs]
def main(basefp):
print sys.argv
default_port = 443
port = None
ssl_enabled = True
redirect_port = 80
for arg in sys.argv:
if arg.startswith('--port='):
port = int(arg[len('--port='):])
elif arg.startswith('--redirectport='):
redirect_port = int(arg[len('--redirectport='):])
elif arg == '--dev':
ssl_enabled = False
redirect_port = None
default_port = 8000
elif arg == '--nossl':
ssl_enabled = False
redirect_port = None
default_port = 80
elif arg == '--noredirect':
redirect_port = None
if port is None:
port = default_port
config = Config()
logging.basicConfig(
stream = sys.stdout,
level = logging.DEBUG,
format = '%(asctime)s %(levelname) 7s [%(name)-65s L%(lineno)d] %(message)s',
datefmt = '%Y-%m-%dT%H:%M:%S%z',
)
root_log = logging.getLogger(__name__)
site = make_site(basefp, config)
root_log.info('Listening on port %d...' % (port,))
if ssl_enabled:
root_log.info('SSL/TLS is enabled (start with --nossl to disable).')
KEYFILE = '../secret_config/rapidssl/server.key'
CERTFILE = '../secret_config/rapidssl/server.crt'
assert os.path.exists(KEYFILE), "Private key file %s not found" % (KEYFILE,)
assert os.path.exists(CERTFILE), "Certificate file %s not found" % (CERTFILE,)
from twisted.internet import ssl
import pem
with open(KEYFILE) as keyFile:
key = keyFile.read()
certs = pem.parse_file(CERTFILE)
cert = ssl.PrivateCertificate.loadPEM(str(key) + str(certs[0]))
extraCertChain = [ssl.Certificate.loadPEM(str(certData)).original
for certData in certs[1 :]]
cert_options = ssl.CertificateOptions(
privateKey=cert.privateKey.original,
certificate=cert.original,
extraCertChain=extraCertChain,
)
reactor.listenSSL(port, site, cert_options)
if redirect_port is not None:
root_log.info('http->https redirector listening on port %d...' % (redirect_port,))
reactor.listenTCP(redirect_port, make_redirector_site(port))
else:
root_log.info('SSL/TLS is disabled.')
reactor.listenTCP(port, site)
