def clientCertFor(name):
signingCert = getCAPrivateCert()
clientKey = KeyPair.generate(size=4096)
csr = clientKey.requestObject(DN(CN=name), "sha1")
clientCert = signingCert.signRequestObject(
csr, serialNumber=1, digestAlgorithm="sha1")
return PrivateCertificate.fromCertificateAndKeyPair(clientCert, clientKey)
def pems():
for i in count():
key = KeyPair.generate()
cert = key.selfSignedCert(i, commonName=u"lae_automation testing")
pem = PrivateCertificate.fromCertificateAndKeyPair(cert,
key).dumpPEM()
yield pem.decode("ascii")
def clientCertFor(p_name):
l_signingCert = getCAPrivateCert()
l_clientKey = KeyPair.generate(size = 4096)
l_csr = l_clientKey.requestObject(DN(CN = p_name), "sha1")
l_clientCert = l_signingCert.signRequestObject(
l_csr, serialNumber = 1, digestAlgorithm = "sha1")
return PrivateCertificate.fromCertificateAndKeyPair(l_clientCert, l_clientKey)
def private_certificate(self):
"""
Combine private key and certificate into a ``PrivateCertificate``.
:return: ``PrivateCertificate`` instance.
"""
return PrivateCertificate.fromCertificateAndKeyPair(
self.certificate, self.keypair.keypair)
def private_certificate(self):
"""
Combine private key and certificate into a ``PrivateCertificate``.
:return: ``PrivateCertificate`` instance.
"""
return PrivateCertificate.fromCertificateAndKeyPair(
self.certificate, self.keypair.keypair)
def clientCertFor(name):
signingCert = getCAPrivateCert()
clientKey = KeyPair.generate(size=4096)
csr = clientKey.requestObject(DN(CN=name), "sha1")
clientCert = signingCert.signRequestObject(csr,
serialNumber=1,
digestAlgorithm="sha1")
return PrivateCertificate.fromCertificateAndKeyPair(clientCert, clientKey)
def clientCertFor(p_name):
l_signingCert = getCAPrivateCert()
l_clientKey = KeyPair.generate(size=4096)
l_csr = l_clientKey.requestObject(DN(CN=p_name), "sha1")
l_clientCert = l_signingCert.signRequestObject(l_csr,
serialNumber=1,
digestAlgorithm="sha1")
return PrivateCertificate.fromCertificateAndKeyPair(
l_clientCert, l_clientKey)
def _create_tls_client_context(config, cbdir, log):
"""
Create a CertificateOptions object for use with TLS listening endpoints.
"""
# server hostname: The expected name of the remote host.
hostname = config['hostname']
# explicit trust (certificate) root
ca_certs = None
if 'ca_certificates' in config:
log.info("TLS client using explicit trust ({cnt_certs} certificates)", cnt_certs=len(config['ca_certificates']))
ca_certs = []
for cert_fname in [os.path.abspath(os.path.join(cbdir, x)) for x in (config['ca_certificates'])]:
cert = crypto.load_certificate(
crypto.FILETYPE_PEM,
six.u(open(cert_fname, 'r').read())
)
log.info("TLS client trust root CA certificate loaded from '{fname}'", fname=cert_fname)
ca_certs.append(cert)
ca_certs = OpenSSLCertificateAuthorities(ca_certs)
else:
log.info("TLS client using platform trust")
# client key/cert to use
client_cert = None
if 'key' in config:
if 'certificate' not in config:
raise Exception('TLS client key present, but certificate missing')
key_fname = os.path.abspath(os.path.join(cbdir, config['key']))
with open(key_fname, 'r') as f:
private_key = KeyPair.load(f.read(), format=crypto.FILETYPE_PEM)
log.info("Loaded client TLS key from '{key_fname}'", key_fname=key_fname)
cert_fname = os.path.abspath(os.path.join(cbdir, config['certificate']))
with open(cert_fname, 'r') as f:
cert = Certificate.loadPEM(f.read(),)
log.info("Loaded client TLS certificate from '{cert_fname}' (cn='{cert_cn}', sha256={cert_sha256}..)",
cert_fname=cert_fname,
cert_cn=cert.getSubject().CN,
cert_sha256=cert.digest('sha256')[:12])
client_cert = PrivateCertificate.fromCertificateAndKeyPair(cert, private_key)
else:
if 'certificate' in config:
log.warn('TLS client certificate present, but key is missing')
# create TLS client context
ctx = optionsForClientTLS(hostname, trustRoot=ca_certs, clientCertificate=client_cert)
return ctx
def _create_tls_client_context(config, cbdir, log):
"""
Create a CertificateOptions object for use with TLS listening endpoints.
"""
# server hostname: The expected name of the remote host.
hostname = config['hostname']
# explicit trust (certificate) root
ca_certs = None
if 'ca_certificates' in config:
log.info("TLS client using explicit trust ({cnt_certs} certificates)", cnt_certs=len(config['ca_certificates']))
ca_certs = []
for cert_fname in [os.path.abspath(os.path.join(cbdir, x)) for x in (config['ca_certificates'])]:
cert = crypto.load_certificate(
crypto.FILETYPE_PEM,
six.u(open(cert_fname, 'r').read())
)
log.info("TLS client trust root CA certificate loaded from '{fname}'", fname=cert_fname)
ca_certs.append(cert)
ca_certs = OpenSSLCertificateAuthorities(ca_certs)
else:
log.info("TLS client using platform trust")
# client key/cert to use
client_cert = None
if 'key' in config:
if 'certificate' not in config:
raise Exception('TLS client key present, but certificate missing')
key_fname = os.path.abspath(os.path.join(cbdir, config['key']))
with open(key_fname, 'r') as f:
private_key = KeyPair.load(f.read(), format=crypto.FILETYPE_PEM)
log.info("Loaded client TLS key from '{key_fname}'", key_fname=key_fname)
cert_fname = os.path.abspath(os.path.join(cbdir, config['certificate']))
with open(cert_fname, 'r') as f:
cert = Certificate.loadPEM(f.read(),)
log.info("Loaded client TLS certificate from '{cert_fname}' (cn='{cert_cn}', sha256={cert_sha256}..)",
cert_fname=cert_fname,
cert_cn=cert.getSubject().CN,
cert_sha256=cert.digest('sha256')[:12])
client_cert = PrivateCertificate.fromCertificateAndKeyPair(cert, private_key)
else:
if 'certificate' in config:
log.warn('TLS client certificate present, but key is missing')
# create TLS client context
ctx = optionsForClientTLS(hostname, trustRoot=ca_certs, clientCertificate=client_cert)
return ctx
def actualTest(result):
ponged = defer.Deferred()
signer = self.serverService2.certificateStorage.getPrivateCertificate(
self.fromDomain).privateKey
req = signer.requestObject(DistinguishedName(commonName=self.toDomain))
sreq = signer.signRequestObject(
DistinguishedName(commonName=self.fromDomain), req, 12345)
selfSignedLie = PrivateCertificate.fromCertificateAndKeyPair(
sreq, signer)
self.serverService2.connectQ2Q(self.fromAddress,
self.toAddress,
'pony',
OneTrickPonyClientFactory(ponged),
selfSignedLie,
fakeFromDomain=self.toDomain).addErrback(
lambda e: e.trap(q2q.VerifyError))
return self.assertFailure(ponged, q2q.VerifyError)
def actualTest(result):
ponged = defer.Deferred()
signer = self.serverService2.certificateStorage.getPrivateCertificate(
self.fromDomain).privateKey
req = signer.requestObject(
DistinguishedName(commonName=self.toDomain))
sreq = signer.signRequestObject(
DistinguishedName(commonName=self.fromDomain), req, 12345)
selfSignedLie = PrivateCertificate.fromCertificateAndKeyPair(
sreq, signer)
self.serverService2.connectQ2Q(
self.fromAddress,
self.toAddress,
'pony',
OneTrickPonyClientFactory(ponged),
selfSignedLie,
fakeFromDomain=self.toDomain).addErrback(
lambda e: e.trap(q2q.VerifyError))
return self.assertFailure(ponged, q2q.VerifyError)
def __init__(self, publicPath, privatePath, csrPath, key, cert, issuer):
self.publicPath = publicPath
self.privatePath = privatePath
self.csrPath = csrPath
self.cert = PrivateCertificate.fromCertificateAndKeyPair(cert, key)
self.issuer = issuer
def create_connecting_endpoint_from_config(config, cbdir, reactor):
"""
Create a Twisted stream client endpoint from a Crossbar.io transport configuration.
See: https://twistedmatrix.com/documents/current/api/twisted.internet.interfaces.IStreamClientEndpoint.html
:param config: The transport configuration.
:type config: dict
:param cbdir: Crossbar.io node directory (we need this for Unix domain socket paths and TLS key/certificates).
:type cbdir: str
:param reactor: The reactor to use for endpoint creation.
:type reactor: obj
:returns obj -- An instance implementing IStreamClientEndpoint
"""
endpoint = None
log = make_logger()
# a TCP endpoint
#
if config['type'] == 'tcp':
# the TCP protocol version (v4 or v6)
#
version = int(config.get('version', 4))
# the host to connect to
#
host = str(config['host'])
# the port to connect to
#
port = int(config['port'])
# connection timeout in seconds
#
timeout = int(config.get('timeout', 10))
if 'tls' in config:
if _HAS_TLS:
# if the config specified any CA certificates, we use those (only!)
if 'ca_certificates' in config['tls']:
ca_certs = []
for cert_fname in config['tls']['ca_certificates']:
cert = crypto.load_certificate(
crypto.FILETYPE_PEM,
six.u(open(cert_fname, 'r').read()))
log.info("Loaded CA certificate '{fname}'",
fname=cert_fname)
ca_certs.append(cert)
client_cert = None
if 'key' in config['tls']:
with open(config['tls']['certificate'], 'r') as f:
cert = Certificate.loadPEM(f.read(), )
log.info(
"{fname}: CN={subj.CN}, sha={sha}",
fname=config['tls']['certificate'],
subj=cert.getSubject(),
sha=cert.digest('sha'),
)
with open(config['tls']['key'], 'r') as f:
private_key = KeyPair.load(
f.read(),
format=crypto.FILETYPE_PEM,
)
log.info(
"{fname}: {key}",
fname=config['tls']['key'],
key=private_key.inspect(),
)
client_cert = PrivateCertificate.fromCertificateAndKeyPair(
cert, private_key)
# XXX OpenSSLCertificateAuthorities is a "private"
# class, in _sslverify, so we shouldn't really be
# using it. However, while you can pass a single
# Certificate as trustRoot= there's no way to pass
# multiple ones.
# XXX ...but maybe the config should only allow
# the user to configure a single cert to trust
# here anyway?
options = optionsForClientTLS(
config['tls']['hostname'],
trustRoot=OpenSSLCertificateAuthorities(ca_certs),
clientCertificate=client_cert,
)
else:
options = optionsForClientTLS(config['tls']['hostname'])
# create a TLS client endpoint
#
if version == 4:
endpoint = SSL4ClientEndpoint(
reactor,
host,
port,
options,
timeout=timeout,
)
elif version == 6:
raise Exception("TLS on IPv6 not implemented")
else:
raise Exception(
"invalid TCP protocol version {}".format(version))
else:
raise Exception(
"TLS transport requested, but TLS packages not available:\n{}"
.format(_LACKS_TLS_MSG))
else:
# create a non-TLS client endpoint
#
if version == 4:
endpoint = TCP4ClientEndpoint(reactor,
host,
port,
timeout=timeout)
elif version == 6:
endpoint = TCP6ClientEndpoint(reactor,
host,
port,
timeout=timeout)
else:
raise Exception(
"invalid TCP protocol version {}".format(version))
# a Unix Domain Socket endpoint
#
elif config['type'] == 'unix':
# the path
#
path = abspath(join(cbdir, config['path']))
# connection timeout in seconds
#
timeout = int(config.get('timeout', 10))
# create the endpoint
#
endpoint = UNIXClientEndpoint(reactor, path, timeout=timeout)
else:
raise Exception("invalid endpoint type '{}'".format(config['type']))
return endpoint
def pems():
for i in count():
key = KeyPair.generate()
cert = key.selfSignedCert(i, commonName=u"lae_automation testing")
pem = PrivateCertificate.fromCertificateAndKeyPair(cert, key).dumpPEM()
yield pem.decode("ascii")
