def connect(self):
sock = socket.create_connection((self.host, self.port), self.timeout)
if hasattr(self, "_tunnel_host") and self._tunnel_host:
self.sock = sock
self._tunnel()
self.Vars = DataVarsConsole()
self.Vars.importConsole()
self.Vars.flIniFile()
user_root_cert = self.Vars.Get("core.cl_user_root_cert")
homePath = self.Vars.Get("ur_home_path")
user_root_cert = user_root_cert.replace("~", homePath)
result_user_root = 1
while True:
if os.path.exists(user_root_cert):
result_user_root = self.connect_trusted_root(sock, user_root_cert, self.CRL_PATH)
if result_user_root == 1:
glob_root_cert = self.Vars.Get("core.cl_glob_root_cert")
result_root_con = 1
if os.path.exists(glob_root_cert):
sock = socket.create_connection((self.host, self.port), self.timeout, self.source_address)
if self._tunnel_host:
self.sock = sock
self._tunnel()
result_root_con = self.connect_trusted_root(sock, glob_root_cert, self.CRL_PATH)
if result_root_con == 1:
sock = socket.create_connection((self.host, self.port), self.timeout, self.source_address)
if self._tunnel_host:
self.sock = sock
self._tunnel()
result_server_con = self.connect_trusted_server(sock, self.CRL_PATH)
if result_server_con in [1, 2]:
raise Exception(1)
elif result_server_con == 3:
continue
elif result_server_con == 4:
print _("This server is not trusted")
self.wait_thread.stop()
sys.exit(1)
# raise Exception (_('This server is not trusted'))
elif result_root_con == 2:
raise Exception(1)
elif result_user_root == 2:
raise Exception(1)
break
class CheckingClientHTTPSConnection(CheckingHTTPSConnection):
"""based on httplib.HTTPSConnection code - extended to support
server certificate verification and client certificate authorization"""
def __init__(
self, cert_path, host, ca_certs=None, cert_verifier=None, keyobj=None, certobj=None, wait_thread=None, **kw
):
"""cert_verifier is a function returning either True or False
based on whether the certificate was found to be OK,
keyobj and certobj represent internal PyOpenSSL structures holding
the key and certificate respectively.
"""
CheckingHTTPSConnection.__init__(self, host, ca_certs, cert_verifier, keyobj, certobj, **kw)
# self.ClientObj = ClientObj
self.cert_path = cert_path
self.ca_certs = ca_certs
self.CRL_PATH = os.path.join(cert_path, "ca/crl/")
self.wait_thread = wait_thread
# get filename store cert server
def cert_list(self, host, ca_certs, server_cert):
if host == "127.0.0.1":
host = "localhost"
if not os.path.exists(self.trusted_path):
try:
os.makedirs(self.trusted_path)
except OSError:
pass
if not os.path.exists(ca_certs):
fc = open(ca_certs, "w")
fc.close()
filename = None
try:
with open(ca_certs) as fd:
t = fd.read()
# for each line
for line in t.splitlines():
# Split string into a words list
words = line.split()
if len(words) > 1:
# if first word...
if words[0] == host:
filename = words[1]
if not filename:
return None
except:
print _("Certificate not found on the client’s side")
return None
try:
fd = open(self.trusted_path + filename, "r")
store_cert = fd.read()
fd.close()
if store_cert == server_cert:
return filename
except:
print _("Failed to open the file"), self.trusted_path, filename
return None
def add_all_ca_cert(self, list_ca_certs):
# so root cert be first, ca after
clVarsCore = DataVarsCore()
clVarsCore.importCore()
clVarsCore.flIniFile()
list_ca_certs.reverse()
system_ca_db = clVarsCore.Get("core.cl_glob_root_cert")
clVars = DataVars()
clVars.flIniFile()
homePath = clVars.Get("ur_home_path")
cl_client_cert_dir = clVarsCore.Get("core.cl_client_cert_dir")
cl_client_cert_dir = cl_client_cert_dir.replace("~", homePath)
root_cert_md5 = os.path.join(cl_client_cert_dir, "ca/cert_list")
user_root_cert = clVarsCore.Get("core.cl_user_root_cert")
user_root_cert = user_root_cert.replace("~", homePath)
for cert in list_ca_certs:
if os.path.exists(system_ca_db):
if cert in open(system_ca_db, "r").read():
continue
if os.path.exists(user_root_cert):
if cert in open(user_root_cert, "r").read():
continue
md5 = hashlib.md5()
md5.update(cert)
md5sum = md5.hexdigest()
print "\n================================================="
print "md5sum = ", md5sum
if not os.path.exists(root_cert_md5):
fc = open(root_cert_md5, "w")
fc.close()
filename = None
with open(root_cert_md5) as fd:
t = fd.read()
# for each line
for line in t.splitlines():
# Split string into a words list
words = line.split(" ", 1)
if words[0] == md5sum:
filename = words[1]
if not filename:
certobj = OpenSSL.crypto.load_certificate(OpenSSL.SSL.FILETYPE_PEM, cert)
Issuer = certobj.get_issuer().get_components()
for item in Issuer:
if item[0] == "CN":
filename = item[1]
fc = open(root_cert_md5, "a")
fc.write("%s %s\n" % (md5sum, filename))
fc.close()
if not filename:
print _('Field "CN" not found in the certificate!')
return 1
fd = open(os.path.join(cl_client_cert_dir, "ca/", filename), "w")
fd.write(cert)
fd.close()
fa = open(user_root_cert, "a")
fa.write(cert)
fa.close()
print _("filename = "), filename
print _("Certificate added")
else:
print _("The file containing the CA certificate now exists")
get_CRL(cl_client_cert_dir)
def add_ca_cert(self, cert, list_ca_certs):
url = "https://%s:%s/?wsdl" % (self.host, self.port)
client = Client_suds(url, transport=HTTPSClientCertTransport(None, None, self.cert_path))
client.wsdl.services[0].setlocation(url)
cert = client.service.get_ca()
if cert == "1":
print _("Invalid server certificate!")
raise Exception(1)
if cert == "2":
print _("CA certificate not found on the server")
raise Exception(1)
try:
certobj = OpenSSL.crypto.load_certificate(OpenSSL.SSL.FILETYPE_PEM, cert)
except:
print _("Error. Certificate not added to trusted")
raise Exception(1)
print "\n", _("Fingerprint = %s") % certobj.digest("SHA1")
print _("Serial Number = "), certobj.get_serial_number()
Issuer = certobj.get_issuer().get_components()
print "\n", _("Issuer")
for i in Issuer:
print "%s : %s" % (i[0], i[1])
Subject = certobj.get_subject().get_components()
print "\n", _("Subject")
for subj in Subject:
print "%s : %s" % (subj[0], subj[1])
ans = raw_input(_("Add the CA certificate to trusted? y/[n]:"))
if ans.lower() in ["y", "yes"]:
list_ca_certs.append(cert)
self.add_all_ca_cert(list_ca_certs)
else:
print _("Certificate not added to trusted")
# add certificate server in trusted
def add_server_cert(self, cert):
self.wait_thread.stop()
print _("Untrusted server certificate!")
certobj = OpenSSL.crypto.load_certificate(OpenSSL.SSL.FILETYPE_PEM, cert)
print "\n" + _("Fingerprint = %s") % certobj.digest("SHA1")
print _("Serial Number = "), certobj.get_serial_number()
Issuer = certobj.get_issuer().get_components()
print "\n" + _("Issuer")
for i in Issuer:
print "%s : %s" % (i[0], i[1])
Subject = certobj.get_subject().get_components()
print "\n" + _("Subject")
for item in Subject:
print "%s : %s" % (item[0], item[1])
print "\n" + _("Add this server certificate to trusted (s) or")
print _("Try to add the CA and root certificates to trusted (c) or")
choice = raw_input(_("Quit (q)? s/c/[q]: "))
if choice.lower() in ["s", "c"]:
# self.sock = ssl.wrap_socket(sock)
ca_certs = os.path.join(self.trusted_path, "cert.list")
if not os.path.exists(ca_certs):
fc = open(ca_certs, "w")
fc.close()
if self.host == "127.0.0.1":
host = "localhost"
else:
host = self.host
filename = host
fc = open(self.trusted_path + filename, "w")
fc.write(cert)
fc.close()
with open(ca_certs) as fd:
t = fd.read()
# for each line
for line in t.splitlines():
# Split string into a words list
words = line.split()
if len(words) > 1:
# if first word...
if words[0] == host:
return 0
# Open file with compliance server certificates and server hostname
fcl = open(ca_certs, "a")
fcl.write(host + " " + filename + "\n")
fcl.close()
if choice.lower() != "c":
return 3
if choice.lower() == "c":
clVars = DataVarsCore()
clVars.importCore()
clVars.flIniFile()
cl_client_cert_dir = clVars.Get("core.cl_client_cert_dir")
homePath = clVars.Get("ur_home_path")
cl_client_cert_dir = cl_client_cert_dir.replace("~", homePath)
root_cert_dir = os.path.join(cl_client_cert_dir, "ca")
if not os.path.exists(root_cert_dir):
try:
os.makedirs(root_cert_dir)
except OSError:
print _("Failed to create directory %s") % root_cert_dir
raise Exception(1)
print "\n" + _("Add the CA and root certificates")
self.list_ca_certs = []
self.add_ca_cert(cert, self.list_ca_certs)
return 3
elif not choice.lower() in ["c", "s"]:
return 4
def connect_trusted_root(self, sock, root_cert, crl_certs):
self.ca_path = self.cert_path + "ca/"
server_cert = ssl.get_server_certificate(addr=(self.host, self.port))
global flag
if self.cert_file:
f = verify(server_cert, crl_certs, flag)
if not f:
flag = 1
elif f == 1:
raise Exception(1)
else:
import time
time.sleep(0.1)
try:
if self.FORCE_SSL_VERSION:
add = {"ssl_version": self.FORCE_SSL_VERSION}
else:
add = {}
add["cert_reqs"] = ssl.CERT_REQUIRED
# try to use PyOpenSSL by default
if PYOPENSSL_AVAILABLE:
wrap_class = PyOpenSSLSocket
add["keyobj"] = self.keyobj
add["certobj"] = self.certobj
add["keyfile"] = self.key_file
add["certfile"] = self.cert_file
else:
wrap_class = ssl.SSLSocket
self.sock = wrap_class(sock, ca_certs=self.ca_certs, **add)
return 0
except:
return 1
def connect_trusted_server(self, sock, crl_certs):
self.trusted_path = self.cert_path + "trusted/"
ca_cert_list = self.trusted_path + "cert.list"
server_cert = ssl.get_server_certificate(addr=(self.host, self.port))
global flag
if self.cert_file:
f = verify(server_cert, crl_certs, flag)
if not f:
flag = 1
elif f == 1:
raise Exception(1)
# if not hasattr(HTTPSClientCertTransport, 'filename') or \
# HTTPSClientCertTransport.filename == None:
HTTPSClientCertTransport.filename = self.cert_list(self.host, ca_cert_list, server_cert)
if HTTPSClientCertTransport.filename:
try:
if self.FORCE_SSL_VERSION:
add = {"ssl_version": self.FORCE_SSL_VERSION}
else:
add = {}
add["cert_reqs"] = ssl.CERT_NONE
# try to use PyOpenSSL by default
if PYOPENSSL_AVAILABLE:
wrap_class = PyOpenSSLSocket
add["keyobj"] = self.keyobj
add["certobj"] = self.certobj
add["keyfile"] = self.key_file
add["certfile"] = self.cert_file
else:
wrap_class = ssl.SSLSocket
self.sock = wrap_class(sock, ca_certs=None, **add)
return 0
except Exception:
# print (e)
HTTPSClientCertTransport.filename = None
return 1
else:
return self.add_server_cert(server_cert)
def connect(self):
sock = socket.create_connection((self.host, self.port), self.timeout)
if hasattr(self, "_tunnel_host") and self._tunnel_host:
self.sock = sock
self._tunnel()
self.Vars = DataVarsConsole()
self.Vars.importConsole()
self.Vars.flIniFile()
user_root_cert = self.Vars.Get("core.cl_user_root_cert")
homePath = self.Vars.Get("ur_home_path")
user_root_cert = user_root_cert.replace("~", homePath)
result_user_root = 1
while True:
if os.path.exists(user_root_cert):
result_user_root = self.connect_trusted_root(sock, user_root_cert, self.CRL_PATH)
if result_user_root == 1:
glob_root_cert = self.Vars.Get("core.cl_glob_root_cert")
result_root_con = 1
if os.path.exists(glob_root_cert):
sock = socket.create_connection((self.host, self.port), self.timeout, self.source_address)
if self._tunnel_host:
self.sock = sock
self._tunnel()
result_root_con = self.connect_trusted_root(sock, glob_root_cert, self.CRL_PATH)
if result_root_con == 1:
sock = socket.create_connection((self.host, self.port), self.timeout, self.source_address)
if self._tunnel_host:
self.sock = sock
self._tunnel()
result_server_con = self.connect_trusted_server(sock, self.CRL_PATH)
if result_server_con in [1, 2]:
raise Exception(1)
elif result_server_con == 3:
continue
elif result_server_con == 4:
print _("This server is not trusted")
self.wait_thread.stop()
sys.exit(1)
# raise Exception (_('This server is not trusted'))
elif result_root_con == 2:
raise Exception(1)
elif result_user_root == 2:
raise Exception(1)
break
