def get_node_context(self):
_, certfile = tempfile.mkstemp()
_, keyfile = tempfile.mkstemp()
try:
open(certfile, 'w').write(self._node_cert)
open(keyfile, 'w').write(self._node_prikey)
context = Context()
context.load_cert(certfile, keyfile)
return context
finally:
os.unlink(certfile)
os.unlink(keyfile)
def __int_call(self, node_address, packet, conn_timeout, read_timeout=None):
sock = None
try:
address = node_address.split(':')
if len(address) != 2:
raise FriException('Node address %s is invalid! ' \
'Address should be in format <hostname>:<port>'%node_address)
hostname = address[0]
try:
port = int(address[1])
if 0 > port > 65535:
raise ValueError()
except ValueError:
raise FriException('Node address %s is invalid! ' \
'Port should be integer in range 0...65535'%node_address)
if not isinstance(packet, FabnetPacket):
raise Exception('FRI request packet should be an object of FabnetPacket')
packet.session_id = self.session_id
data = packet.dump()
if self.is_ssl:
context = Context()
context.set_verify(0, depth = 0)
sock = Connection(context)
sock.set_post_connection_check_callback(None)
sock.set_socket_read_timeout(M2Crypto.SSL.timeout(sec=conn_timeout))
else:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(conn_timeout)
sock.connect((hostname, port))
sock.sendall(data)
if self.is_ssl:
sock.set_socket_read_timeout(M2Crypto.SSL.timeout(sec=read_timeout))
else:
sock.settimeout(read_timeout)
ret_packet = self.__read_packet(sock)
if ret_packet.get('ret_code', -1) == RC_REQ_CERTIFICATE:
self.__send_cert(sock)
ret_packet = self.__read_packet(sock)
return ret_packet
finally:
if sock:
sock.close()
def _reset_proxy(self):
parsed = urlparse(self.url.lower())
self.transport = None
# This scheme is used for debugging and looping back
if parsed.scheme == "test":
self.proxy = BasicAuthServerProxy(
test_to_http(self.url),
username=self.username,
password=self.password,
transport=TestClientTransport())
elif parsed.scheme == "https":
from M2Crypto.m2xmlrpclib import SSL_Transport
from M2Crypto.SSL import Context
self.transport = SSL_Transport(Context(protocol='tlsv1'))
self.proxy = BasicAuthServerProxy(self.url,
username=self.username,
password=self.password,
transport=self.transport,
#verbose=getattr(settings, "DEBUG", False))
verbose=False)
self.set_verify_certs()
else:
self.proxy = BasicAuthServerProxy(self.url,
username=self.username,
password=self.password)
def usage():
# form context by passing cert and private key file
context = Context();
context.set_allow_unknown_ca(False)
context.load_cert(certfile='cert.pem', keyfile='key.pem')
# make server verification
# capath should contain hash soft link to CA certifiates
context.load_verify_info(capath='./')
context.set_verify(SSL.verify_peer, 3)
# context.set_verify(SSL.verify_none, 3)
# using MyHTTPS to send request
send_request(context)
def stop(self):
if self.stopped:
return
self.operator.stop()
self.__conn_handler_thread.stop()
self.__check_neighbours_thread.stop()
sock = None
try:
if self.keystorage:
context = Context()
context.set_verify(0, depth = 0)
sock = Connection(context)
sock.set_post_connection_check_callback(None)
sock.set_socket_read_timeout(M2Crypto.SSL.timeout(sec=1))
else:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(1.0)
if self.hostname == '0.0.0.0':
hostname = '127.0.0.1'
else:
hostname = self.hostname
sock.connect((hostname, self.port))
except socket.error:
pass
finally:
if sock:
sock.close()
del sock
self.__workers_manager_thread.stop()
#waiting threads finishing...
self.__workers_manager_thread.join()
self.__conn_handler_thread.join()
self.__check_neighbours_thread.join()
self.stopped = True
def _reset(self):
parsed = urlparse(self.url.lower())
assert parsed.scheme == "https"
self.transport = None
from M2Crypto.m2xmlrpclib import SSL_Transport
from M2Crypto.SSL import Context
self.transport = SSL_Transport(Context(protocol='tlsv1'))
new_url = add_basic_auth(self.url, self.username, self.password)
self.proxy = xmlrpclib.ServerProxy(str(new_url),
transport=self.transport,
verbose=False)
def ssl_verify_callback(ssl_ctx_ptr, x509_ptr, errnum, errdepth, ok):
# Deprecated
from M2Crypto.SSL import Context
ssl_ctx = Context.map()[long(ssl_ctx_ptr)]
if errnum in unknown_issuer:
if ssl_ctx.get_allow_unknown_ca():
sys.stderr.write("policy: %s: permitted...\n" %
(m2.x509_get_verify_error(errnum)))
sys.stderr.flush()
ok = 1
# CRL checking goes here...
if ok:
if ssl_ctx.get_verify_depth() >= errdepth:
ok = 1
else:
ok = 0
return ok
def ssl_verify_callback(ssl_ctx_ptr, x509_ptr, errnum, errdepth, ok):
# Deprecated
from M2Crypto.SSL import Context
ssl_ctx = Context.map()[long(ssl_ctx_ptr)]
if errnum in unknown_issuer:
if ssl_ctx.get_allow_unknown_ca():
sys.stderr.write("policy: %s: permitted...\n" %
(m2.x509_get_verify_error(errnum)))
sys.stderr.flush()
ok = 1
# CRL checking goes here...
if ok:
if ssl_ctx.get_verify_depth() >= errdepth:
ok = 1
else:
ok = 0
return ok
def usage1():
context = Context();
context.set_allow_unknown_ca(False)
# add client site certificate and private key
# to support Client verification
context.load_cert(certfile='cert.pem', keyfile='key.pem')
# add server site trusted CA certifications
# to support server verification
context.load_verify_info(capath='./')
opener = m2urllib2.build_opener(context)
response = opener.open("https://sjmcm1csa2/")
print 'html: ', response.read()
print 'info: ', response.info()
print 'url: ', response.geturl()
def usage1():
# form context by passing cert and private key content
context = Context();
context.set_allow_unknown_ca(False)
cert_file = open('/opt/cisco/creds/id.cert', 'rb').read().encode('ascii')
cert_file = X509.load_cert_string(cert_file)
key_file = open('/opt/cisco/creds/id.cert', 'rb').read().encode('ascii') # pem-encoded pkey
key_file = EVP.load_key_string(key_file)
m2.ssl_ctx_use_x509(context.ctx, cert_file.x509)
m2.ssl_ctx_use_pkey_privkey(context.ctx, key_file.pkey)
# make server verification
# capath should contain hash soft link to CA certifiates
context.load_verify_info(capath='./')
context.set_verify(SSL.verify_peer, 3)
# context.set_verify(SSL.verify_none, 3)
# using MyHTTPS to send request
send_request(context)
def _reset_proxy(self):
parsed = urlparse(self.url.lower())
self.transport = None
# This scheme is used for debugging and looping back
if parsed.scheme == "test":
self.proxy = BasicAuthServerProxy(self.url.lower().replace(
"test", "http"),
username=self.username,
password=self.password,
transport=TestClientTransport())
elif parsed.scheme == "https":
from M2Crypto.m2xmlrpclib import SSL_Transport
from M2Crypto.SSL import Context
self.transport = SSL_Transport(Context(protocol='tlsv1'))
self.proxy = BasicAuthServerProxy(self.url,
username=self.username,
password=self.password,
transport=self.transport)
self.set_verify_certs()
else:
self.proxy = BasicAuthServerProxy(self.url,
username=self.username,
password=self.password)
log.debug('Entered FTPSServer.GetDownloadDescriptor')
descriptor = urlparse.urlunparse(("ftps",
"%s:%d" % (self.hostname,
self.port),
"%s/%s" % (prefix, urllib.quote(fil)),
"", "", ""))
log.debug(' descriptor = %s', descriptor)
return descriptor
if __name__ == '__main__':
from M2Crypto.SSL import Context
import socket
ssl_ctx = Context('sslv23')
ssl_ctx.load_cert('server.pem')
# cheat to get the ca cert dir
if sys.platform == 'win32':
caDir = r'c:\\program files\\AGTk-2.4\\Config\CAcertificates'
elif sys.platform == 'linux2':
caDir = '/etc/AccessGrid/Config/CAcertificates'
elif sys.platform == 'darwin':
caDir = '/Applications/AccessGridToolkit.app/Contents/Resources/Config/CAcertificates/'
else:
print 'Unrecognized platform: ', sys.platform
sys.exit(1)
ssl_ctx.load_verify_locations(capath=caDir)
ssl_ctx.set_cipher_list('LOW:TLSv1:@STRENGTH')
ssl_ctx.set_verify(SSL.verify_peer,10)
ssl_ctx.set_session_id_ctx('127.0.0.1:8006')
'''
Get the download descriptor for the specified file
'''
log.debug('Entered FTPSServer.GetDownloadDescriptor')
descriptor = urlparse.urlunparse(
("ftps", "%s:%d" % (self.hostname, self.port),
"%s/%s" % (prefix, urllib.quote(fil)), "", "", ""))
log.debug(' descriptor = %s', descriptor)
return descriptor
if __name__ == '__main__':
from M2Crypto.SSL import Context
import socket
ssl_ctx = Context('sslv23')
ssl_ctx.load_cert('server.pem')
# cheat to get the ca cert dir
if sys.platform == 'win32':
caDir = r'c:\\program files\\AGTk-2.4\\Config\CAcertificates'
elif sys.platform == 'linux2':
caDir = '/etc/AccessGrid/Config/CAcertificates'
elif sys.platform == 'darwin':
caDir = '/Applications/AccessGridToolkit.app/Contents/Resources/Config/CAcertificates/'
else:
print 'Unrecognized platform: ', sys.platform
sys.exit(1)
ssl_ctx.load_verify_locations(capath=caDir)
ssl_ctx.set_cipher_list('LOW:TLSv1:@STRENGTH')
ssl_ctx.set_verify(SSL.verify_peer, 10)
ssl_ctx.set_session_id_ctx('127.0.0.1:8006')
def getContext(self):
ctx = Context()
ctx.load_cert(certfile="cert.pem", keyfile="key.pem")
return ctx
