    def _createSSLEngine(self, addr, hostname=None, cert_file=None, key_file=None):
        """Build a Java ``SSLEngine`` for the peer at *addr*.

        Args:
            addr: socket address tuple; only ``addr[0]`` (host) and
                ``addr[1]`` (port) are used, so IPv6 4-tuples work too.
            hostname: peer host name handed to the engine (falls back to
                ``addr[0]`` when falsy). Endpoint identification is only
                switched on when this is not None *and*
                ``self._check_hostname`` is set.
            cert_file, key_file: forwarded to ``_get_openssl_key_manager``
                when no key managers were configured on this object.

        Returns:
            The configured ``SSLEngine``.
        """
        # Only CERT_REQUIRED installs real verification; every other
        # verify_mode (including CERT_OPTIONAL) gets a trust manager that
        # accepts any peer certificate.
        # NOTE(review): CPython's ssl treats CERT_OPTIONAL like CERT_REQUIRED
        # on the client side — confirm the fall-through here is intended.
        if self.verify_mode == CERT_REQUIRED:
            factory = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm())
            factory.init(self._trust_store)
            trust_managers = [CompositeX509TrustManager(factory.getTrustManagers())]
        else:
            trust_managers = [NoVerifyX509TrustManager()]

        context = _JavaSSLContext.getInstance(self._protocol_name)

        if self._key_managers is None:
            key_managers = _get_openssl_key_manager(
                cert_file=cert_file, key_file=key_file).getKeyManagers()
        else:
            key_managers = self._key_managers.getKeyManagers()
        context.init(key_managers, trust_managers, None)

        # addr may be an IPv6 4-tuple; only host and port are relevant here.
        peer_host = hostname or addr[0]
        engine = context.createSSLEngine(peer_host, addr[1])

        # Without this, the trust manager validates the chain but nothing
        # ties the certificate to the host we meant to talk to. Note that a
        # None hostname skips it even when _check_hostname is set.
        if hostname is not None and self._check_hostname:
            parameters = engine.getSSLParameters()
            parameters.setEndpointIdentificationAlgorithm('HTTPS')
            engine.setSSLParameters(parameters)

        if self._ciphers is not None:
            engine.setEnabledCipherSuites(self._ciphers)

        return engine
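    def _createSSLEngine(self, addr, hostname=None, cert_file=None, key_file=None):
        """Build a Java ``SSLEngine`` for the peer at *addr*.

        Args:
            addr: socket address tuple. Only ``addr[0]`` (host) and
                ``addr[1]`` (port) are used; the previous ``*addr`` splat
                passed an IPv6 4-tuple's flowinfo/scope_id as extra
                positional arguments to ``createSSLEngine``.
            hostname: peer host name handed to the engine in place of
                ``addr[0]`` when given. Endpoint identification is only
                switched on when this is not None *and*
                ``self._check_hostname`` is set.
            cert_file, key_file: forwarded to ``_get_openssl_key_manager``
                when no key managers were configured on this object.

        Returns:
            The configured ``SSLEngine``.
        """
        # Only CERT_REQUIRED installs real verification; every other
        # verify_mode (including CERT_OPTIONAL) gets a trust manager that
        # accepts any peer certificate.
        # NOTE(review): CPython's ssl treats CERT_OPTIONAL like CERT_REQUIRED
        # on the client side — confirm the fall-through here is intended.
        trust_managers = [NoVerifyX509TrustManager()]
        if self.verify_mode == CERT_REQUIRED:
            tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
            tmf.init(self._trust_store)
            trust_managers = [CompositeX509TrustManager(tmf.getTrustManagers())]

        context = _JavaSSLContext.getInstance(self._protocol_name)

        if self._key_managers is None:
            context.init(
                _get_openssl_key_manager(
                    cert_file=cert_file, key_file=key_file).getKeyManagers(),
                trust_managers, None)
        else:
            context.init(
                self._key_managers.getKeyManagers(),
                trust_managers, None)

        # addr may be an IPv6 4-tuple; only host and port are relevant here.
        peer_host = hostname if hostname is not None else addr[0]
        engine = context.createSSLEngine(peer_host, addr[1])

        # Without this, the trust manager validates the chain but nothing
        # ties the certificate to the host we meant to talk to. Note that a
        # None hostname skips it even when _check_hostname is set.
        if hostname is not None and self._check_hostname:
            params = engine.getSSLParameters()
            params.setEndpointIdentificationAlgorithm('HTTPS')
            engine.setSSLParameters(params)

        if self._ciphers is not None:
            engine.setEnabledCipherSuites(self._ciphers)

        return engine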
def DefaultTrustManager():
    """Return the first ``X509TrustManager`` from the JVM's default factory.

    The factory is initialised with ``None``, i.e. no explicit KeyStore —
    NOTE(review): per the Java contract this is expected to select the
    provider's default trust store (typically the JRE ``cacerts``); confirm
    which store applies in the target deployment.

    Returns:
        The trust manager, or ``None`` when the factory yields no
        ``X509TrustManager`` instance.
    """
    factory = TrustManagerFactory.getInstance(
        TrustManagerFactory.getDefaultAlgorithm())
    factory.init(None)
    x509_managers = (manager for manager in factory.getTrustManagers()
                     if isinstance(manager, X509TrustManager))
    return next(x509_managers, None)
def _get_ca_certs_trust_manager(ca_certs):
    """Build a ``TrustManagerFactory`` trusting only the CAs in *ca_certs*.

    Args:
        ca_certs: path to a file of X.509 certificates, read through
            ``CertificateFactory.generateCertificates``.

    Returns:
        An initialised ``TrustManagerFactory`` backed by a fresh KeyStore
        (``load(None, None)`` — no backing file, no password) holding one
        entry per certificate found in the file.
    """
    store = KeyStore.getInstance(KeyStore.getDefaultType())
    store.load(None, None)
    with open(ca_certs) as handle:
        factory = CertificateFactory.getInstance("X.509")
        certificates = factory.generateCertificates(BufferedInputStream(handle))
        for certificate in certificates:
            # Aliases only need to be unique within this store; a random
            # UUID avoids collisions between certificates with equal DNs.
            store.setCertificateEntry(str(uuid.uuid4()), certificate)

    manager_factory = TrustManagerFactory.getInstance(
        TrustManagerFactory.getDefaultAlgorithm())
    manager_factory.init(store)
    return manager_factory
def _get_ca_certs_trust_manager(ca_certs):
    """Build a ``TrustManagerFactory`` trusting only the CAs in *ca_certs*.

    Args:
        ca_certs: path to a file of X.509 certificates, read through
            ``CertificateFactory.generateCertificates``.

    Returns:
        An initialised ``TrustManagerFactory`` backed by a fresh KeyStore
        (``load(None, None)`` — no backing file, no password) holding one
        entry per certificate found in the file. The number of entries is
        logged at debug level.
    """
    store = KeyStore.getInstance(KeyStore.getDefaultType())
    store.load(None, None)
    installed = 0
    with open(ca_certs) as handle:
        factory = CertificateFactory.getInstance("X.509")
        certificates = factory.generateCertificates(BufferedInputStream(handle))
        for certificate in certificates:
            # Aliases only need to be unique within this store; a random
            # UUID avoids collisions between certificates with equal DNs.
            store.setCertificateEntry(str(uuid.uuid4()), certificate)
            installed += 1
    manager_factory = TrustManagerFactory.getInstance(
        TrustManagerFactory.getDefaultAlgorithm())
    manager_factory.init(store)
    log.debug("Installed %s certificates", installed, extra={"sock": "*"})
    return manager_factory
def _get_ca_certs_trust_manager(ca_certs=None):
    """Build a ``TrustManagerFactory`` trusting only the CAs in *ca_certs*.

    Args:
        ca_certs: path to a file of X.509 certificates, read through
            ``CertificateFactory.generateCertificates``. When ``None`` no
            file is read and the trust store stays empty.

    Returns:
        An initialised ``TrustManagerFactory`` backed by a fresh KeyStore
        (``load(None, None)`` — no backing file, no password) holding one
        entry per certificate found. The number of entries is logged at
        debug level.

    NOTE(review): with ``ca_certs=None`` the factory is initialised from an
    empty store. That is not a "trust everything" fallback; confirm what the
    provider's trust manager does with an empty anchor set before relying
    on this default.
    """
    store = KeyStore.getInstance(KeyStore.getDefaultType())
    store.load(None, None)
    installed = 0
    if ca_certs is not None:
        with open(ca_certs) as handle:
            factory = CertificateFactory.getInstance("X.509")
            certificates = factory.generateCertificates(BufferedInputStream(handle))
            for certificate in certificates:
                # Aliases only need to be unique within this store; a random
                # UUID avoids collisions between certificates with equal DNs.
                store.setCertificateEntry(str(uuid.uuid4()), certificate)
                installed += 1
    manager_factory = TrustManagerFactory.getInstance(
        TrustManagerFactory.getDefaultAlgorithm())
    manager_factory.init(store)
    log.debug("Installed %s certificates", installed, extra={"sock": "*"})
    return manager_factory
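 def trustSpecificCertificate(self, pemCertificateFile, pemCertificateAlias):
         """Make the certificate in *pemCertificateFile* the JVM-wide trust anchor.

         Reads a single X.509 certificate from the file, stores it in a fresh
         KeyStore under *pemCertificateAlias*, builds an ``SSLContext`` whose
         trust managers come from that store, and installs it with
         ``SSLContext.setDefault``.

         Args:
             pemCertificateFile: path of the certificate file.
             pemCertificateAlias: KeyStore alias for the certificate entry.

         Side effects:
             Replaces the process-wide default ``SSLContext``; any later code
             in this JVM that relies on the default context will only trust
             chains rooted in this certificate. No explicit key managers are
             supplied (``None``).

         Raises:
             Whatever the Java APIs raise for a missing file or an unparsable
             certificate.
         """
         from java.io import BufferedInputStream, FileInputStream
         from java.security import KeyStore
         from java.security.cert import CertificateFactory
         from javax.net.ssl import SSLContext, TrustManagerFactory

         # Close the stream explicitly; the previous version left the file
         # handle open until the garbage collector got to it.
         bis = BufferedInputStream(FileInputStream(pemCertificateFile))
         try:
             ca = CertificateFactory.getInstance("X.509").generateCertificate(bis)
         finally:
             bis.close()

         ks = KeyStore.getInstance(KeyStore.getDefaultType())
         ks.load(None, None)  # fresh in-memory store, no password
         ks.setCertificateEntry(pemCertificateAlias, ca)
         tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
         tmf.init(ks)
         context = SSLContext.getInstance("SSL")
         context.init(None, tmf.getTrustManagers(), None)
         SSLContext.setDefault(context)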
    def _createSSLEngine(self):
        """(Re)initialise ``self._context`` and return a new ``SSLEngine``.

        Only ``CERT_REQUIRED`` installs the trust managers built from
        ``self._trust_store``; every other verify_mode (including
        ``CERT_OPTIONAL``) gets ``NoVerifyX509TrustManager``, which accepts
        any peer certificate.
        NOTE(review): CPython's ssl treats CERT_OPTIONAL like CERT_REQUIRED
        on the client side — confirm the fall-through is intended.

        Returns:
            An ``SSLEngine`` created from the shared context, with
            ``self._ciphers`` applied when set. No peer host/port is given
            to ``createSSLEngine`` here, so no endpoint identification is
            configured on the engine.
        """
        if self.verify_mode == CERT_REQUIRED:
            factory = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm())
            factory.init(self._trust_store)
            trust_managers = factory.getTrustManagers()
        else:
            trust_managers = [NoVerifyX509TrustManager()]

        # Fall back to the OpenSSL-style key manager when none was configured.
        # NOTE(review): this re-initialises the shared self._context on every
        # call; confirm callers expect that.
        if self._key_managers is None:
            key_managers = _get_openssl_key_manager().getKeyManagers()
        else:
            key_managers = self._key_managers.getKeyManagers()
        self._context.init(key_managers, trust_managers, None)

        engine = self._context.createSSLEngine()
        if self._ciphers is not None:
            engine.setEnabledCipherSuites(self._ciphers)
        return engine
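    def trustSpecificCertificate(self, pemCertificateFile,
                                 pemCertificateAlias):
        """Make the certificate in *pemCertificateFile* the JVM-wide trust anchor.

        Reads a single X.509 certificate from the file, stores it in a fresh
        KeyStore under *pemCertificateAlias*, builds an ``SSLContext`` whose
        trust managers come from that store, and installs it with
        ``SSLContext.setDefault``.

        Args:
            pemCertificateFile: path of the certificate file.
            pemCertificateAlias: KeyStore alias for the certificate entry.

        Side effects:
            Replaces the process-wide default ``SSLContext``; any later code
            in this JVM that relies on the default context will only trust
            chains rooted in this certificate. No explicit key managers are
            supplied (``None``).

        Raises:
            Whatever the Java APIs raise for a missing file or an unparsable
            certificate.
        """
        from java.io import BufferedInputStream, FileInputStream
        from java.security import KeyStore
        from java.security.cert import CertificateFactory
        from javax.net.ssl import SSLContext, TrustManagerFactory

        # Close the stream explicitly; the previous version left the file
        # handle open until the garbage collector got to it.
        bis = BufferedInputStream(FileInputStream(pemCertificateFile))
        try:
            ca = CertificateFactory.getInstance("X.509").generateCertificate(bis)
        finally:
            bis.close()

        ks = KeyStore.getInstance(KeyStore.getDefaultType())
        ks.load(None, None)  # fresh in-memory store, no password
        ks.setCertificateEntry(pemCertificateAlias, ca)
        tmf = TrustManagerFactory.getInstance(
            TrustManagerFactory.getDefaultAlgorithm())
        tmf.init(ks)
        context = SSLContext.getInstance("SSL")
        context.init(None, tmf.getTrustManagers(), None)
        SSLContext.setDefault(context)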
    def _createSSLEngine(self):
        """(Re)initialise ``self._context`` and return a new ``SSLEngine``.

        Only ``CERT_REQUIRED`` installs the trust managers built from
        ``self._trust_store``; every other verify_mode (including
        ``CERT_OPTIONAL``) gets ``NoVerifyX509TrustManager``, which accepts
        any peer certificate.
        NOTE(review): CPython's ssl treats CERT_OPTIONAL like CERT_REQUIRED
        on the client side — confirm the fall-through is intended.

        Returns:
            An ``SSLEngine`` created from the shared context, with
            ``self._ciphers`` applied when set. No peer host/port is given
            to ``createSSLEngine`` here, so no endpoint identification is
            configured on the engine.
        """
        if self.verify_mode == CERT_REQUIRED:
            factory = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm())
            factory.init(self._trust_store)
            trust_managers = factory.getTrustManagers()
        else:
            trust_managers = [NoVerifyX509TrustManager()]

        # Fall back to the OpenSSL-style key manager when none was configured.
        # NOTE(review): this re-initialises the shared self._context on every
        # call; confirm callers expect that.
        if self._key_managers is None:
            key_managers = _get_openssl_key_manager().getKeyManagers()
        else:
            key_managers = self._key_managers.getKeyManagers()
        self._context.init(key_managers, trust_managers, None)

        engine = self._context.createSSLEngine()
        if self._ciphers is not None:
            engine.setEnabledCipherSuites(self._ciphers)
        return engine