    def __init__(self, protocol):
        """Create a context for *protocol*, one of the PROTOCOL_* constants.

        Args:
            protocol: key into _PROTOCOL_NAMES selecting the JSSE protocol name.

        Raises:
            ValueError: if *protocol* is not a known protocol constant.
        """
        if protocol not in _PROTOCOL_NAMES:
            raise ValueError("invalid protocol version")

        # darjus: at least my Java does not let me use v2, so an SSLv23
        # (auto-negotiating) request is mapped onto the generic "SSL" name.
        if protocol == PROTOCOL_SSLv23:
            self._protocol_name = 'SSL'
        else:
            self._protocol_name = _PROTOCOL_NAMES[protocol]

        self.protocol = protocol
        self._check_hostname = False

        # Same defaults as CPython's _ssl.c: SSLv2/SSLv3 disabled in the option
        # mask, default verify flags, and CERT_NONE until the caller opts into
        # peer verification.
        self.options = OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3
        self._verify_flags = VERIFY_DEFAULT
        self._verify_mode = CERT_NONE
        self._ciphers = None

        # Two empty in-memory key stores: one for trusted certificates, one for
        # our own key material. load(None, None) initialises them without a file.
        self._trust_store = KeyStore.getInstance(KeyStore.getDefaultType())
        self._trust_store.load(None, None)
        self._key_store = KeyStore.getInstance(KeyStore.getDefaultType())
        self._key_store.load(None, None)

        self._key_managers = None
        self._server_name_callback = None
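def _get_openssl_key_manager(cert_file, key_file=None):
    """Build a KeyManagerFactory from OpenSSL-style PEM files.

    Args:
        cert_file: path to a PEM file holding the certificate (chain); it may
            also carry the private key, as OpenSSL allows.
        key_file: optional path to a PEM file holding the private key. It is
            read before *cert_file*, so a key found in *cert_file* overrides it.

    Returns:
        An initialised KeyManagerFactory whose key store holds the private key
        under a random alias together with every certificate that was read.

    Raises:
        ValueError: if none of the files contained a private key.
    """
    paths = [key_file] if key_file else []
    paths.append(cert_file)

    # Go from Bouncy Castle API to Java's; a bit heavyweight for the Python dev ;)
    key_converter = JcaPEMKeyConverter().setProvider("BC")
    cert_converter = JcaX509CertificateConverter().setProvider("BC")

    private_key = None
    certs = []
    for path in paths:
        for br in _extract_readers(path):
            # One parser per reader: PEMParser is itself a buffered reader, so
            # constructing a fresh one for every object could drop input that
            # the previous instance had already read ahead.
            parser = PEMParser(br)
            while True:
                obj = parser.readObject()
                if obj is None:
                    break
                if isinstance(obj, PEMKeyPair):
                    private_key = key_converter.getKeyPair(obj).getPrivate()
                elif isinstance(obj, PrivateKeyInfo):
                    private_key = key_converter.getPrivateKey(obj)
                elif isinstance(obj, X509CertificateHolder):
                    certs.append(cert_converter.getCertificate(obj))
                # any other PEM object (parameters, CRLs, ...) is ignored

    # Explicit check instead of assert: assert is stripped under -O, which
    # would let a missing key reach setKeyEntry.
    if private_key is None:
        raise ValueError("No private key loaded")

    key_store = KeyStore.getInstance(KeyStore.getDefaultType())
    key_store.load(None, None)
    # Random alias: callers never look the entry up by name.
    key_store.setKeyEntry(str(uuid.uuid4()), private_key, [], certs)
    kmf = KeyManagerFactory.getInstance(
        KeyManagerFactory.getDefaultAlgorithm())
    kmf.init(key_store, [])  # empty key password, matching the empty one above
    return kmf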
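def _get_openssl_key_manager(cert_file, key_file=None):
    """Build a KeyManagerFactory from OpenSSL-style PEM files.

    Args:
        cert_file: path to a PEM file holding the certificate (chain); it may
            also carry the private key, as OpenSSL allows.
        key_file: optional path to a PEM file holding the private key. It is
            read before *cert_file*, so a key found in *cert_file* overrides it.

    Returns:
        An initialised KeyManagerFactory whose key store holds the private key
        under a random alias together with every certificate that was read.

    Raises:
        ValueError: if none of the files contained a private key.
    """
    paths = [key_file] if key_file else []
    paths.append(cert_file)

    # Go from Bouncy Castle API to Java's; a bit heavyweight for the Python dev ;)
    key_converter = JcaPEMKeyConverter().setProvider("BC")
    cert_converter = JcaX509CertificateConverter().setProvider("BC")

    private_key = None
    certs = []
    for path in paths:
        for br in _extract_readers(path):
            # One parser per reader: PEMParser is itself a buffered reader, so
            # constructing a fresh one for every object could drop input that
            # the previous instance had already read ahead.
            parser = PEMParser(br)
            while True:
                obj = parser.readObject()
                if obj is None:
                    break
                if isinstance(obj, PEMKeyPair):
                    private_key = key_converter.getKeyPair(obj).getPrivate()
                elif isinstance(obj, PrivateKeyInfo):
                    private_key = key_converter.getPrivateKey(obj)
                elif isinstance(obj, X509CertificateHolder):
                    certs.append(cert_converter.getCertificate(obj))
                # any other PEM object (parameters, CRLs, ...) is ignored

    # Explicit check instead of assert: assert is stripped under -O, which
    # would let a missing key reach setKeyEntry.
    if private_key is None:
        raise ValueError("No private key loaded")

    key_store = KeyStore.getInstance(KeyStore.getDefaultType())
    key_store.load(None, None)
    # Random alias: callers never look the entry up by name.
    key_store.setKeyEntry(str(uuid.uuid4()), private_key, [], certs)
    kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
    kmf.init(key_store, [])  # empty key password, matching the empty one above
    return kmf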
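    def __init__(self, protocol):
        """Create a context for *protocol*, one of the PROTOCOL_* constants.

        Args:
            protocol: key into _PROTOCOL_NAMES selecting the JSSE protocol name.

        Raises:
            ValueError: if *protocol* is not a known protocol constant.
        """
        try:
            protocol_name = _PROTOCOL_NAMES[protocol]
        except KeyError:
            # Report an unsupported constant the way CPython's ssl module does
            # instead of leaking a KeyError to the caller.
            raise ValueError("invalid protocol version")
        if protocol == PROTOCOL_SSLv23:  # darjus: at least my Java does not let me use v2
            protocol_name = 'SSL'

        self.protocol = protocol
        self.check_hostname = False
        # NOTE(review): OP_ALL alone leaves SSLv2/SSLv3 selectable through the
        # option mask; CPython's _ssl.c defaults to OP_ALL | OP_NO_SSLv2 |
        # OP_NO_SSLv3 (as the sibling constructor on this page does). Kept as
        # is here; whether the JSSE context honours these flags is not visible.
        self.options = OP_ALL
        self.verify_flags = None
        self.verify_mode = CERT_NONE  # no peer verification until the caller sets it
        self._ciphers = None

        # Empty in-memory stores for trusted certificates and our own keys.
        self._trust_store = KeyStore.getInstance(KeyStore.getDefaultType())
        self._trust_store.load(None, None)

        self._key_store = KeyStore.getInstance(KeyStore.getDefaultType())
        self._key_store.load(None, None)

        self._context = _JavaSSLContext.getInstance(protocol_name)
        self._key_managers = None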
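    def __init__(self, protocol):
        """Create a context for *protocol*, one of the PROTOCOL_* constants.

        Args:
            protocol: key into _PROTOCOL_NAMES selecting the JSSE protocol name.

        Raises:
            ValueError: if *protocol* is not a known protocol constant.
        """
        try:
            protocol_name = _PROTOCOL_NAMES[protocol]
        except KeyError:
            # Report an unsupported constant the way CPython's ssl module does
            # instead of leaking a KeyError to the caller.
            raise ValueError("invalid protocol version")
        if protocol == PROTOCOL_SSLv23:  # darjus: at least my Java does not let me use v2
            protocol_name = 'SSL'

        self.protocol = protocol
        self.check_hostname = False
        # NOTE(review): OP_ALL alone leaves SSLv2/SSLv3 selectable through the
        # option mask; CPython's _ssl.c defaults to OP_ALL | OP_NO_SSLv2 |
        # OP_NO_SSLv3 (as the sibling constructor on this page does). Kept as
        # is here; whether the JSSE context honours these flags is not visible.
        self.options = OP_ALL
        self.verify_flags = None
        self.verify_mode = CERT_NONE  # no peer verification until the caller sets it
        self._ciphers = None

        # Empty in-memory stores for trusted certificates and our own keys.
        self._trust_store = KeyStore.getInstance(KeyStore.getDefaultType())
        self._trust_store.load(None, None)

        self._key_store = KeyStore.getInstance(KeyStore.getDefaultType())
        self._key_store.load(None, None)

        self._context = _JavaSSLContext.getInstance(protocol_name)
        self._key_managers = None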
def _get_ca_certs_trust_manager(ca_certs):
    """Return a TrustManagerFactory that trusts exactly the certificates in *ca_certs*.

    Every X.509 certificate CertificateFactory can parse from the file is
    installed under a random alias into a fresh, otherwise empty key store.
    The factory is initialised from that store only, so the JVM's default CA
    set plays no part in the trust decisions it produces.

    Args:
        ca_certs: path to a file of CA certificates (a PEM bundle or DER blob).
    """
    trust_store = KeyStore.getInstance(KeyStore.getDefaultType())
    trust_store.load(None, None)

    with open(ca_certs) as bundle:
        factory = CertificateFactory.getInstance("X.509")
        parsed = factory.generateCertificates(BufferedInputStream(bundle))
        for certificate in parsed:
            alias = str(uuid.uuid4())  # aliases are never looked up by name
            trust_store.setCertificateEntry(alias, certificate)

    algorithm = TrustManagerFactory.getDefaultAlgorithm()
    tmf = TrustManagerFactory.getInstance(algorithm)
    tmf.init(trust_store)
    return tmf
def _get_ca_certs_trust_manager(ca_certs):
    """Return a TrustManagerFactory that trusts exactly the certificates in *ca_certs*.

    The certificates are installed under random aliases into a fresh key store
    and the factory is initialised from that store alone; the number installed
    is logged at debug level. NOTE(review): a bundle that yields no
    certificates leaves the store empty — whether a caller then falls back to
    the JVM defaults is not visible here.

    Args:
        ca_certs: path to a file of CA certificates (a PEM bundle or DER blob).
    """
    trust_store = KeyStore.getInstance(KeyStore.getDefaultType())
    trust_store.load(None, None)

    installed = 0
    with open(ca_certs) as bundle:
        factory = CertificateFactory.getInstance("X.509")
        stream = BufferedInputStream(bundle)
        # enumerate(..., 1) leaves `installed` equal to the running count.
        for installed, certificate in enumerate(factory.generateCertificates(stream), 1):
            trust_store.setCertificateEntry(str(uuid.uuid4()), certificate)

    tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(trust_store)
    log.debug("Installed %s certificates", installed, extra={"sock": "*"})
    return tmf
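def _get_openssl_key_manager(cert_file=None,
                             key_file=None,
                             password=None,
                             _key_store=None):
    """Build a KeyManagerFactory from OpenSSL-style PEM certificate/key files.

    Mirrors ssl.SSLContext.load_cert_chain: *key_file* (if given) must supply
    a private key, *cert_file* supplies the certificate chain and may carry
    the key itself, and when both are given the key must belong to the chain.

    Args:
        cert_file: path to the PEM certificate (chain) file, or None.
        key_file: path to the PEM private-key file, or None.
        password: passphrase handed to _extract_certs_for_paths.
        _key_store: an existing KeyStore to add the entry to; a fresh, empty
            one is created when None.

    Returns:
        A KeyManagerFactory initialised over *_key_store* with an empty
        key password.

    Raises:
        SSLError: when no private key could be loaded, or when *key_file* was
            given and its key matches none of the certificates in the chain.
    """
    # Imported once here rather than at each raise site.
    from _socket import SSLError, SSL_ERROR_SSL

    certs, private_key = [], None

    if _key_store is None:
        _key_store = KeyStore.getInstance(KeyStore.getDefaultType())
        _key_store.load(None, None)

    if key_file is not None:
        certs, private_key = _extract_certs_for_paths([key_file], password)
        if private_key is None:
            raise SSLError(SSL_ERROR_SSL, "PEM lib (No private key loaded)")

    if cert_file is not None:
        _certs, _private_key = _extract_certs_for_paths([cert_file], password)
        # A key found inside cert_file takes precedence over one from key_file.
        private_key = _private_key if _private_key else private_key
        certs.extend(_certs)

        if not private_key:
            raise SSLError(SSL_ERROR_SSL, "PEM lib (No private key loaded)")

        # The key must pair with some certificate of the chain. The previous
        # last-certificate-wins loop reported a mismatch for any chain longer
        # than one certificate, because the intermediate/root never matches.
        if not certs:
            keys_match = False
        else:
            verdicts = [_rsa_key_matches_cert(private_key, cert) for cert in certs]
            comparable = [v for v in verdicts if v is not None]
            # Nothing comparable (non-RSA material): cannot verify, do not reject.
            keys_match = any(comparable) if comparable else True

        if key_file is not None and not keys_match:
            raise SSLError(SSL_ERROR_SSL, "key values mismatch")

        _key_store.setKeyEntry(_str_hash_key_entry(private_key, *certs),
                               private_key, [], certs)

    kmf = KeyManagerFactory.getInstance(
        KeyManagerFactory.getDefaultAlgorithm())
    kmf.init(_key_store, [])
    return kmf


def _rsa_key_matches_cert(private_key, cert):
    """Tell whether *private_key* is the private half of *cert*'s public key.

    Returns True/False when both sides are RSA (modulus and public exponent
    compared); returns None when the pair cannot be compared here, instead of
    raising AttributeError on a non-RSA private key.
    """
    public_key = cert.publicKey
    # TODO works for RSA only for now
    if not (isinstance(public_key, RSAPublicKey)
            and isinstance(private_key, RSAPrivateCrtKey)):
        return None
    return (public_key.getModulus() == private_key.getModulus()
            and public_key.getPublicExponent() == private_key.getPublicExponent())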
def _get_ca_certs_trust_manager(ca_certs=None):
    """Return a TrustManagerFactory backed by the certificates in *ca_certs*.

    The certificates are installed under random aliases into a fresh key
    store and the factory is initialised from that store alone. With
    ``ca_certs=None`` nothing is installed and the factory is built over an
    empty trust store. The number installed is logged at debug level.

    Args:
        ca_certs: path to a file of CA certificates, or None.
    """
    trust_store = KeyStore.getInstance(KeyStore.getDefaultType())
    trust_store.load(None, None)

    installed = 0
    if ca_certs is not None:
        with open(ca_certs) as bundle:
            factory = CertificateFactory.getInstance("X.509")
            stream = BufferedInputStream(bundle)
            # enumerate(..., 1) leaves `installed` equal to the running count.
            for installed, certificate in enumerate(factory.generateCertificates(stream), 1):
                trust_store.setCertificateEntry(str(uuid.uuid4()), certificate)

    tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(trust_store)
    log.debug("Installed %s certificates", installed, extra={"sock": "*"})
    return tmf
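    def getKeychain(self, sign_keyname):
        """Get key and chain from a Keystore.

        The keystore path and password are taken from the environment
        variables PYJASPER_KEYSTORE_FILE and PYJASPER_KEYSTORE_PASSWORD; the
        password defaults to the empty string when unset.

        Args:
            sign_keyname: alias of the key entry to fetch.

        Returns:
            A ``(key, chain)`` tuple from KeyStore.getKey and
            KeyStore.getCertificateChain for that alias.

        Raises:
            ValueError: if PYJASPER_KEYSTORE_FILE is not set, or the keystore
                holds no entry under *sign_keyname*.
        """
        if 'PYJASPER_KEYSTORE_FILE' not in os.environ:
            raise ValueError('No keychain defined')

        # KeyStore.load/getKey take a char[]; a list of single characters is
        # what the original passed — presumably it coerces to one.
        password = list(os.environ.get('PYJASPER_KEYSTORE_PASSWORD', ''))
        keystore = KeyStore.getInstance(KeyStore.getDefaultType())
        # A keystore is binary, so open it in 'rb'; the with block closes the
        # handle, which was previously left open.
        with open(os.environ['PYJASPER_KEYSTORE_FILE'], 'rb') as f:
            keystore.load(f, password)
        if not keystore.containsAlias(sign_keyname):
            raise ValueError('No key named %s' % sign_keyname)

        key = keystore.getKey(sign_keyname, password)
        chain = keystore.getCertificateChain(sign_keyname)
        return key, chain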
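def _extract_certs_from_keystore_file(f, password):
    """Load a Java keystore from file object *f* and return its certificates.

    Args:
        f: open file object for the keystore; it is wrapped in a
            BufferedInputStream for KeyStore.load.
        password: keystore password. None selects the built-in default below;
            any non-str value is replaced by an empty char[].

    Returns:
        The certificate of every alias that has one. Aliases for which
        KeyStore.getCertificate returns null (for example secret-key entries)
        are skipped instead of contributing a None to the list.
    """
    keystore = KeyStore.getInstance(KeyStore.getDefaultType())
    if password is None:  # default java keystore password is changeit
        # NOTE(review): the literal below does not spell "changeit" as the
        # comment says; confirm which default is intended.
        password = '******'
    elif not isinstance(password, str):
        # NOTE(review): on Python 2 a unicode password is not a str and is
        # silently dropped here — confirm that is intended.
        password = []

    keystore.load(BufferedInputStream(f), password)

    certs = []
    alias_iter = keystore.aliases()
    while alias_iter.hasMoreElements():
        cert = keystore.getCertificate(alias_iter.nextElement())
        if cert is not None:
            certs.append(cert)

    return certs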
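def _extract_certs_from_keystore_file(f, password):
    """Load a Java keystore from file object *f* and return its certificates.

    Args:
        f: open file object for the keystore; it is wrapped in a
            BufferedInputStream for KeyStore.load.
        password: keystore password. None selects the built-in default below;
            any non-str value is replaced by an empty char[].

    Returns:
        The certificate of every alias that has one. Aliases for which
        KeyStore.getCertificate returns null (for example secret-key entries)
        are skipped instead of contributing a None to the list.
    """
    keystore = KeyStore.getInstance(KeyStore.getDefaultType())
    if password is None:  # default java keystore password is changeit
        # NOTE(review): the literal below does not spell "changeit" as the
        # comment says; confirm which default is intended.
        password = '******'
    elif not isinstance(password, str):
        # NOTE(review): on Python 2 a unicode password is not a str and is
        # silently dropped here — confirm that is intended.
        password = []

    keystore.load(BufferedInputStream(f), password)

    certs = []
    alias_iter = keystore.aliases()
    while alias_iter.hasMoreElements():
        cert = keystore.getCertificate(alias_iter.nextElement())
        if cert is not None:
            certs.append(cert)

    return certs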
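 def trustSpecificCertificate(self, pemCertificateFile, pemCertificateAlias):
     """Make the certificate in *pemCertificateFile* the JVM-wide default trust anchor.

     The certificate is placed under *pemCertificateAlias* into a fresh,
     otherwise empty key store, a trust manager is built from that store and
     the resulting context is installed with SSLContext.setDefault. Every
     later connection that relies on the default context therefore trusts
     this certificate and nothing else.

     Args:
         pemCertificateFile: path to a single X.509 certificate.
         pemCertificateAlias: key-store alias to file it under.
     """
     from java.io import BufferedInputStream, FileInputStream
     from java.security import KeyStore
     from java.security.cert import CertificateFactory
     from javax.net.ssl import SSLContext, TrustManagerFactory

     fis = FileInputStream(pemCertificateFile)
     try:
         bis = BufferedInputStream(fis)
         ca = CertificateFactory.getInstance("X.509").generateCertificate(bis)
     finally:
         fis.close()  # the stream was previously never closed

     ks = KeyStore.getInstance(KeyStore.getDefaultType())
     ks.load(None, None)
     ks.setCertificateEntry(pemCertificateAlias, ca)
     tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
     tmf.init(ks)
     # NOTE(review): the context is requested by the legacy "SSL" name; check
     # whether the target JVM treats it as an alias of "TLS" before relying on it.
     context = SSLContext.getInstance("SSL")
     context.init(None, tmf.getTrustManagers(), None)
     SSLContext.setDefault(context)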
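def _get_openssl_key_manager(cert_file=None, key_file=None, password=None, _key_store=None):
    """Build a KeyManagerFactory from OpenSSL-style PEM certificate/key files.

    Mirrors ssl.SSLContext.load_cert_chain: *key_file* (if given) must supply
    a private key, *cert_file* supplies the certificate chain and may carry
    the key itself, and when both are given the key must belong to the chain.

    Args:
        cert_file: path to the PEM certificate (chain) file, or None.
        key_file: path to the PEM private-key file, or None.
        password: passphrase handed to _extract_certs_for_paths.
        _key_store: an existing KeyStore to add the entry to; a fresh, empty
            one is created when None.

    Returns:
        A KeyManagerFactory initialised over *_key_store* with an empty
        key password.

    Raises:
        SSLError: when no private key could be loaded, or when *key_file* was
            given and its key matches none of the certificates in the chain.
    """
    # Imported once here rather than at each raise site.
    from _socket import SSLError, SSL_ERROR_SSL

    certs, private_key = [], None

    if _key_store is None:
        _key_store = KeyStore.getInstance(KeyStore.getDefaultType())
        _key_store.load(None, None)

    if key_file is not None:
        certs, private_key = _extract_certs_for_paths([key_file], password)
        if private_key is None:
            raise SSLError(SSL_ERROR_SSL, "PEM lib (No private key loaded)")

    if cert_file is not None:
        _certs, _private_key = _extract_certs_for_paths([cert_file], password)
        # A key found inside cert_file takes precedence over one from key_file.
        private_key = _private_key if _private_key else private_key
        certs.extend(_certs)

        if not private_key:
            raise SSLError(SSL_ERROR_SSL, "PEM lib (No private key loaded)")

        # The key must pair with some certificate of the chain. The previous
        # last-certificate-wins loop reported a mismatch for any chain longer
        # than one certificate, because the intermediate/root never matches.
        if not certs:
            keys_match = False
        else:
            verdicts = [_rsa_key_matches_cert(private_key, cert) for cert in certs]
            comparable = [v for v in verdicts if v is not None]
            # Nothing comparable (non-RSA material): cannot verify, do not reject.
            keys_match = any(comparable) if comparable else True

        if key_file is not None and not keys_match:
            raise SSLError(SSL_ERROR_SSL, "key values mismatch")

        _key_store.setKeyEntry(_str_hash_key_entry(private_key, *certs), private_key, [], certs)

    kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
    kmf.init(_key_store, [])
    return kmf


def _rsa_key_matches_cert(private_key, cert):
    """Tell whether *private_key* is the private half of *cert*'s public key.

    Returns True/False when both sides are RSA (modulus and public exponent
    compared); returns None when the pair cannot be compared here, instead of
    raising AttributeError on a non-RSA private key.
    """
    public_key = cert.publicKey
    # TODO works for RSA only for now
    if not (isinstance(public_key, RSAPublicKey) and isinstance(private_key, RSAPrivateCrtKey)):
        return None
    return (public_key.getModulus() == private_key.getModulus()
            and public_key.getPublicExponent() == private_key.getPublicExponent())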
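    def trustSpecificCertificate(self, pemCertificateFile,
                                 pemCertificateAlias):
        """Make the certificate in *pemCertificateFile* the JVM-wide default trust anchor.

        The certificate is placed under *pemCertificateAlias* into a fresh,
        otherwise empty key store, a trust manager is built from that store
        and the resulting context is installed with SSLContext.setDefault.
        Every later connection that relies on the default context therefore
        trusts this certificate and nothing else.

        Args:
            pemCertificateFile: path to a single X.509 certificate.
            pemCertificateAlias: key-store alias to file it under.
        """
        from java.io import BufferedInputStream, FileInputStream
        from java.security import KeyStore
        from java.security.cert import CertificateFactory
        from javax.net.ssl import SSLContext, TrustManagerFactory

        fis = FileInputStream(pemCertificateFile)
        try:
            bis = BufferedInputStream(fis)
            ca = CertificateFactory.getInstance("X.509").generateCertificate(bis)
        finally:
            fis.close()  # the stream was previously never closed

        ks = KeyStore.getInstance(KeyStore.getDefaultType())
        ks.load(None, None)
        ks.setCertificateEntry(pemCertificateAlias, ca)
        tmf = TrustManagerFactory.getInstance(
            TrustManagerFactory.getDefaultAlgorithm())
        tmf.init(ks)
        # NOTE(review): the context is requested by the legacy "SSL" name; check
        # whether the target JVM treats it as an alias of "TLS" before relying on it.
        context = SSLContext.getInstance("SSL")
        context.init(None, tmf.getTrustManagers(), None)
        SSLContext.setDefault(context)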
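def _get_openssl_key_manager(cert_file, key_file=None):
    """Build a KeyManagerFactory from OpenSSL-style PEM files.

    Args:
        cert_file: path to a PEM file with the certificate (chain); it may
            also carry the private key.
        key_file: optional path to a PEM file with the private key. It is
            read before *cert_file*, so a key found in *cert_file* overrides it.

    Returns:
        An initialised KeyManagerFactory whose key store holds the private key
        under a random alias together with every certificate that was read.

    Raises:
        ValueError: if none of the files contained a private key.
    """
    paths = [key_file] if key_file else []
    paths.append(cert_file)
    private_key = None
    certs = []
    for path in paths:
        with closing(FileReader(path)) as reader:
            # One PEMReader per file: it buffers the underlying reader, so a
            # fresh instance per object could skip input already read ahead.
            pem = PEMReader(BufferedReader(reader))
            while True:
                obj = pem.readObject()
                if obj is None:
                    break
                if isinstance(obj, KeyPair):
                    private_key = obj.getPrivate()
                elif isinstance(obj, X509Certificate):
                    certs.append(obj)

    # Fail with a clear message instead of handing a null key to setKeyEntry.
    if private_key is None:
        raise ValueError("No private key loaded")

    key_store = KeyStore.getInstance(KeyStore.getDefaultType())
    key_store.load(None, None)
    # Random alias: callers never look the entry up by name.
    key_store.setKeyEntry(str(uuid.uuid4()), private_key, [], certs)
    kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
    kmf.init(key_store, [])  # empty key password, matching the empty one above
    return kmf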
        }
    }

    /** Private no-op constructor: C1448a is not instantiated from outside the class. */
    private C1448a() {
    }

    /* renamed from: e */
    private static SSLSocketFactory m8521e() {
        KeyStore keyStore;
        KeyStoreException e;
        C1454c cVar;
        NoSuchAlgorithmException e2;
        UnrecoverableKeyException e3;
        KeyManagementException e4;
        try {
            keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            try {
                keyStore.load(null, null);
            } catch (Exception e5) {
                e = e5;
                e.printStackTrace();
                cVar = new C1454c(keyStore);
                cVar.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
                return cVar;
            }
        } catch (Exception e6) {
            e = e6;
            keyStore = null;
            e.printStackTrace();
            cVar = new C1454c(keyStore);
            cVar.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);