def _save_certificates(sip_address, crt, key, ca):
crt = crt.strip() + os.linesep
key = key.strip() + os.linesep
ca = ca.strip() + os.linesep
X509Certificate(crt)
X509PrivateKey(key)
X509Certificate(ca)
makedirs(ApplicationData.get('tls'))
certificate_path = ApplicationData.get(
os.path.join('tls', sip_address + '.crt'))
certificate_file = open(certificate_path, 'w')
os.chmod(certificate_path, 0600)
certificate_file.write(crt + key)
certificate_file.close()
ca_path = ApplicationData.get(os.path.join('tls', 'ca.crt'))
try:
existing_cas = open(ca_path).read().strip() + os.linesep
except:
certificate_file = open(ca_path, 'w')
certificate_file.write(ca)
certificate_file.close()
else:
if ca not in existing_cas:
certificate_file = open(ca_path, 'w')
certificate_file.write(existing_cas + ca)
certificate_file.close()
settings = SIPSimpleSettings()
settings.tls.ca_list = ca_path
settings.save()
return certificate_path
def save_certificates(self, response):
passport = response["passport"]
address = response["sip_address"]
tls_folder = ApplicationData.get('tls')
if not os.path.exists(tls_folder):
os.mkdir(tls_folder, 0o700)
ca = passport["ca"].strip() + os.linesep
self.add_certificate_authority(ca)
crt = passport["crt"].strip() + os.linesep
try:
X509Certificate(crt)
except GNUTLSError as e:
BlinkLogger().log_error("Invalid TLS certificate: %s" % e)
return None
key = passport["key"].strip() + os.linesep
try:
X509PrivateKey(key)
except GNUTLSError as e:
BlinkLogger().log_error("Invalid Private Key: %s" % e)
return None
crt_path = os.path.join(tls_folder, address + ".crt")
f = open(crt_path, "w")
os.chmod(crt_path, 0o600)
f.write(crt)
f.write(key)
f.close()
BlinkLogger().log_info("Saved new TLS Certificate and Private Key to %s" % crt_path)
return crt_path
def __new__(cls, value):
if isinstance(value, str):
try:
return X509PrivateKey(file_content(value))
except Exception, e:
log.warn("Private key file '%s' could not be loaded: %s" %
(value, str(e)))
return None
def __new__(cls, value):
if isinstance(value, basestring):
try:
return X509PrivateKey(file_content(value))
except Exception as e:
log.warn("Private key file '%s' could not be loaded: %s" % (value, str(e)))
return None
else:
raise TypeError('value should be a string')
def tls_credentials(self):
# This property can be optimized to cache the credentials it loads from disk,
# however this is not a time consuming operation (~ 3000 req/sec). -Luci
settings = SIPSimpleSettings()
tls_certificate = self.tls.certificate or settings.tls.certificate
certificate = None
private_key = None
if tls_certificate is not None:
try:
certificate_data = open(tls_certificate.normalized).read()
certificate = X509Certificate(certificate_data)
private_key = X509PrivateKey(certificate_data)
except (FileNotFoundError, GNUTLSError, UnicodeDecodeError):
pass
trusted_cas = []
ca_list = self.tls.ca_list or settings.tls.ca_list
if ca_list is not None:
if len(self.trusted_cas) > 0:
trusted_cas = self.trusted_cas
else:
crt = None
start = False
try:
ca_text = open(ca_list.normalized).read()
except (FileNotFoundError, GNUTLSError, UnicodeDecodeError):
ca_text = ''
for line in ca_text.split("\n"):
if "BEGIN CERT" in line:
start = True
crt = line + "\n"
elif "END CERT" in line:
crt = crt + line + "\n"
end = True
start = False
try:
trusted_cas.append(X509Certificate(crt))
except (GNUTLSError, ValueError) as e:
continue
elif start:
crt = crt + line + "\n"
self.trusted_cas = trusted_cas
self.ca_list = ca_list
credentials = X509Credentials(certificate, private_key, trusted_cas)
credentials.verify_peer = self.tls.verify_server or settings.tls.certificate
return credentials
def tls_credentials(self):
# This property can be optimized to cache the credentials it loads from disk,
# however this is not a time consuming operation (~ 3000 req/sec). -Luci
settings = SIPSimpleSettings()
tls_certificate = self.tls.certificate or settings.tls.certificate
if tls_certificate is not None:
certificate_data = open(tls_certificate.normalized).read()
certificate = X509Certificate(certificate_data)
private_key = X509PrivateKey(certificate_data)
else:
certificate = None
private_key = None
credentials = X509Credentials(certificate, private_key, [])
credentials.verify_peer = False
return credentials
def __init__(self, config, bind_and_activate=True):
self.config = config
if is_ipv6_address(self.config.listen_address):
self.address_family = socket.AF_INET6
with open(self.config.cert, 'rb') as f:
self.encoded_cert = f.read()
with open(self.config.key, 'r') as f:
self.key = f.read()
with open(self.config.onion_secret_key, 'r') as f:
self.onion_secret_key = f.read()
self.set_handler()
self.server_context = TLSContext(
X509Credentials(
X509Certificate(self.encoded_cert, format=X509_FMT_DER),
X509PrivateKey(self.key)), config.priority_string_as_server)
self.client_context = TLSContext(X509Credentials(),
config.priority_string_as_client)
self.identity_pubkey = RSA.import_key(self.encoded_cert)
self.identity_privkey = RSA.import_key(self.key)
self.onion_privkey = RSA.import_key(self.onion_secret_key)
ntor_onion_secret_key = self.config.ntor_onion_secret_key.decode(
"base64").strip()
self.ntor_onion_key = NTorOnionKey(
ntor_onion_secret_key,
NTorKey(ntor_onion_secret_key).get_public())
self.fingerprint = self.make_digest_fingerprint()
self.descriptor = self.create_bridge_descriptor()
self.dir_identity_response = self.create_dir_response()
self.print_fingerprint()
SocketServer.ThreadingTCPServer.__init__(self, config.listen_address,
ORMITMHandler,
bind_and_activate)
def _parseTLS(factory,
port,
privateKey='server.pem',
certKey=None,
sslmethod=None,
interface='',
backlog=50):
from gnutls.interfaces.twisted import X509Credentials
from gnutls.crypto import X509Certificate, X509PrivateKey
if certKey is None:
certKey = privateKey
cert = X509Certificate(open(certKey).read())
key = X509PrivateKey(open(privateKey).read())
cf = X509Credentials(cert, key)
return ((int(port), factory, cf), {
'interface': interface,
'backlog': int(backlog)
})
def tls_credentials(self):
# This property can be optimized to cache the credentials it loads from disk,
# however this is not a time consuming operation (~ 3000 req/sec). -Luci
settings = SIPSimpleSettings()
if self.tls.certificate is not None:
certificate_data = open(self.tls.certificate.normalized).read()
certificate = X509Certificate(certificate_data)
private_key = X509PrivateKey(certificate_data)
else:
certificate = None
private_key = None
if settings.tls.ca_list is not None:
# we should read all certificates in the file, rather than just the first -Luci
trusted = [
X509Certificate(open(settings.tls.ca_list.normalized).read())
]
else:
trusted = []
credentials = X509Credentials(certificate, private_key, trusted)
credentials.verify_peer = self.tls.verify_server
return credentials
if not os.path.exists(tls_folder):
os.mkdir(tls_folder, 0700)
ca = passport["ca"].strip() + os.linesep
self.add_certificate_authority(ca)
crt = passport["crt"].strip() + os.linesep
try:
X509Certificate(crt)
except GNUTLSError, e:
BlinkLogger().log_error(u"Invalid TLS certificate: %s" % e)
return None
key = passport["key"].strip() + os.linesep
try:
X509PrivateKey(key)
except GNUTLSError, e:
BlinkLogger().log_error(u"Invalid Private Key: %s" % e)
return None
crt_path = os.path.join(tls_folder, address + ".crt")
f = open(crt_path, "w")
os.chmod(crt_path, 0600)
f.write(crt)
f.write(key)
f.close()
BlinkLogger().log_info(
u"Saved new TLS Certificate and Private Key to %s" % crt_path)
return crt_path
class TLSMixin(object):
use_tls = True
cert = X509Certificate(open('valid.crt').read())
key = X509PrivateKey(open('valid.key').read())
server_credentials = X509Credentials(cert, key)
def __init__(self, config, bind_and_activate=True):
self.config = config
if is_ipv6_address(self.config.listen_address):
self.address_family = socket.AF_INET6
with open(self.config.cert, 'rb') as keyfile:
self.encoded_cert = keyfile.read()
with open(self.config.key, 'r') as keyfile:
self.key = keyfile.read()
with open(self.config.onion_secret_key, 'r') as keyfile:
self.onion_secret_key = keyfile.read()
self.set_handler()
self.server_context = TLSContext(
X509Credentials(
X509Certificate(self.encoded_cert, format=X509_FMT_DER),
X509PrivateKey(self.key)),
self.config.priority_string_as_server)
if self.has_tls_client_credentials():
self.tls_credentials = self.config.client_tls_credentials
else:
self.tls_credentials = X509Credentials()
self.client_context = TLSContext(self.tls_credentials,
self.config.priority_string_as_client)
self.identity_pubkey = load_der_x509_certificate(
self.encoded_cert, backend=_default_backend).public_key()
self.identity_privkey = load_pem_private_key(self.key,
password=None,
backend=_default_backend)
self.onion_privkey = load_pem_private_key(self.onion_secret_key,
password=None,
backend=_default_backend)
if not isinstance(self.identity_pubkey, RSAPublicKey):
raise RuntimeError(
"Certificate of instance {} does not have an RSA key".format(
self.config.listen_address))
if not isinstance(self.identity_privkey, RSAPrivateKey):
raise RuntimeError("Key of instance {} is not an RSA key".format(
self.config.listen_address))
if not isinstance(self.onion_privkey, RSAPrivateKey):
raise RuntimeError(
"Onion key of instance {} is not an RSA key".format(
self.config.listen_address))
ntor_onion_secret_key = base64.b64decode(
self.config.ntor_onion_secret_key.strip())
self.ntor_onion_key = NTorOnionKey(
ntor_onion_secret_key,
NTorKey(ntor_onion_secret_key).get_public())
self.fingerprint = self.make_digest_fingerprint()
self.descriptor = self.create_bridge_descriptor()
self.dir_identity_response = self.create_dir_response()
self.print_fingerprint()
SocketServer.ThreadingTCPServer.__init__(self,
self.config.listen_address,
ORMITMHandler,
bind_and_activate)