def creatorForNetloc(self, hostname, port):
hostname = hostname.decode("ascii")
certificate_options = OpenSSLCertificateOptions(
trustRoot=None,
acceptableProtocols=None,
)
return DisabledVerificationClientTLSOptions(
hostname, certificate_options.getContext())
def creatorForNetloc(self, hostname, port):
opts = ClientTLSOptions(
hostname.decode("ascii"),
OpenSSLCertificateOptions(verify=False).getContext())
# This forces Twisted to not validate the hostname of the certificate.
opts._ctx.set_info_callback(lambda *args: None)
return opts
def root_ctx(self) -> OpenSSLCertificateOptions:
"""Get SSL context of rootCA ceritficate. Use for passing to twisted StartTLS
Returns:
twisted.internet._sslverify.OpenSSLCertificateOptions
"""
# TODO: toctou?
if self._root_ctx is None:
self._root_ctx = OpenSSLCertificateOptions(
privateKey=self.root_key, certificate=self.root_cert)
return self._root_ctx
def optionsForClientTLS(hostname, trustRoot=None, clientCertificate=None, **kw):
"""
Reimplemented from twisted.internet.ssl to allow extra parameters to be passed correctly.
@return: A client connection creator.
@rtype: L{IOpenSSLClientConnectionCreator}
"""
extraCertificateOptions = kw.pop('extraCertificateOptions', None) or {}
if kw:
raise TypeError(
"optionsForClientTLS() got an unexpected keyword argument"
" '{arg}'".format(
arg=kw.popitem()[0]
)
)
if not isinstance(hostname, unicode):
raise TypeError(
"optionsForClientTLS requires text for host names, not "
+ hostname.__class__.__name__
)
if clientCertificate:
extraCertificateOptions.update(
privateKey=clientCertificate.privateKey.original,
certificate=clientCertificate.original
)
# Only pass the trustRoot if it is not None to avoid mutually exclusive param issues.
if trustRoot:
certificateOptions = OpenSSLCertificateOptions(
trustRoot=trustRoot,
**extraCertificateOptions
)
else:
certificateOptions = OpenSSLCertificateOptions(**extraCertificateOptions)
return SSLClientConnectionCreator(hostname, certificateOptions.getContext())
def _gen_dummy_cert(self, commonname: str, sans: List[str],
organization: str):
"""Generate dummy certificate and store in instance context"""
# reuse privkey of root_ca, no need to regenerate
privkey = self.root_key
cacert = self.root_cert
ss = []
for i in sans:
try:
ipaddress.ip_address(i.decode("ascii"))
except ValueError:
ss.append(b"DNS:%s" % i)
else:
ss.append(b"IP:%s" % i)
ss = b", ".join(ss)
cert = crypto.X509()
cert.gmtime_adj_notBefore(-3600 * 48)
cert.gmtime_adj_notAfter(63072000)
cert.set_issuer(cacert.get_subject())
if commonname is not None and len(commonname) < 64:
cert.get_subject().CN = commonname
if organization is not None:
cert.get_subject().O = organization
cert.set_serial_number(int(time.time() * 10000))
if ss:
cert.set_version(2)
cert.add_extensions(
[crypto.X509Extension(b"subjectAltName", False, ss)])
cert.add_extensions([
crypto.X509Extension(b"extendedKeyUsage", False,
b"serverAuth,clientAuth")
])
cert.set_pubkey(cacert.get_pubkey())
cert.sign(privkey, "sha256")
ctx = OpenSSLCertificateOptions(privateKey=privkey, certificate=cert)
# TODO: toctou, but ... no but
commonname = commonname.lower()
if commonname in self._store:
return
self._store[commonname] = ctx
def creatorForNetloc(self, hostname, port):
certificateOptions = OpenSSLCertificateOptions()
return ClientTLSOptions(hostname, certificateOptions.getContext())
def creatorForNetloc(self, hostname, port):
certificateOptions = OpenSSLCertificateOptions()
return ClientTLSOptions(hostname, certificateOptions.getContext())