def setUp(self):
nss.nss_init(db_name)
nss.set_password_callback(password_callback)
nss.pkcs12_enable_all_ciphers()
self.cert_der = get_cert_der_from_db(cert_nickname)
if self.cert_der is None:
raise ValueError('cert with nickname "%s" not in database "%s"' % (cert_nickname, db_name))
def setUp(self):
nss.nss_init(db_name)
nss.set_password_callback(password_callback)
nss.pkcs12_enable_all_ciphers()
self.cert_der = get_cert_der_from_db(cert_nickname)
if self.cert_der is None:
raise ValueError('cert with nickname "%s" not in database "%s"' % (cert_nickname, db_name))
def init(self):
if nss.nss_is_initialized():
return
if _password_callback is not None:
nss.set_password_callback(_password_callback)
nss.nss_init(_certdb)
ssl.set_domestic_policy()
def init(self):
if nss.nss_is_initialized():
return
if _password_callback is not None:
nss.set_password_callback(_password_callback)
nss.nss_init(_certdb)
ssl.set_domestic_policy()
def __init__(self, host, port=None, strict=None, dbdir=None):
httplib.HTTPConnection.__init__(self, host, port, strict)
if not dbdir:
raise RuntimeError("dbdir is required")
logging.debug('%s init %s', self.__class__.__name__, host)
if not nss.nss_is_initialized(): nss.nss_init(dbdir)
self.sock = None
ssl.set_domestic_policy()
nss.set_password_callback(password_callback)
def __init__(self, host, port=None, strict=None, dbdir=None):
six.moves.http_client.HTTPConnection.__init__(self, host, port, strict)
if not dbdir:
raise RuntimeError("dbdir is required")
logging.debug('%s init host=%s dbdir=%s', self.__class__.__name__, host, dbdir)
if not nss.nss_is_initialized(): nss.nss_init(dbdir)
self.sock = None
ssl.set_domestic_policy()
nss.set_password_callback(password_callback)
def initialize_nss(dbdir):
"""Initialize NSS
nss_init() initializes NSS and the DB globally.
"""
# global settings
nss.nss_init(dbdir)
ssl.set_domestic_policy()
ssl.clear_session_cache()
# thread local callback
nss.set_password_callback(password_callback)
def setUp(self):
nss.nss_init(db_name)
nss.set_password_callback(password_callback)
# XXX: error in NSS prevents enabling ciphers
# nss.pkcs12_enable_all_ciphers()
self.cert_der = get_cert_der_from_db(cert_nickname)
if self.cert_der is None:
raise ValueError(
"cert with nickname '%s' not in database '%s'"
% (cert_nickname, db_name)
)
def __init__(
self,
host,
port=None,
strict=None,
dbdir=None,
family=socket.AF_UNSPEC,
no_init=False,
tls_version_min="tls1.1",
tls_version_max="tls1.2",
):
"""
:param host: the server to connect to
:param port: the port to use (default is set in HTTPConnection)
:param dbdir: the NSS database directory
:param family: network family to use (default AF_UNSPEC)
:param no_init: do not initialize the NSS database. This requires
that the database has already been initialized or
the request will fail.
:param tls_min_version: mininum version of SSL/TLS supported
:param tls_max_version: maximum version of SSL/TLS supported.
"""
httplib.HTTPConnection.__init__(self, host, port, strict)
NSSAddressFamilyFallback.__init__(self, family)
root_logger.debug("%s init %s", self.__class__.__name__, host)
# If initialization is requested, initialize the new database.
if not no_init:
if nss.nss_is_initialized():
ssl.clear_session_cache()
try:
nss.nss_shutdown()
except NSPRError as e:
if e.errno != error.SEC_ERROR_NOT_INITIALIZED:
raise e
if not dbdir:
raise RuntimeError("dbdir is required")
nss.nss_init(dbdir)
global current_dbdir
current_dbdir = dbdir
ssl.set_domestic_policy()
nss.set_password_callback(self.password_callback)
self.tls_version_min = str(tls_version_min)
self.tls_version_max = str(tls_version_max)
def __init__(self,
host,
port=None,
strict=None,
dbdir=None,
family=socket.AF_UNSPEC,
no_init=False,
tls_version_min='tls1.1',
tls_version_max='tls1.2'):
"""
:param host: the server to connect to
:param port: the port to use (default is set in HTTPConnection)
:param dbdir: the NSS database directory
:param family: network family to use (default AF_UNSPEC)
:param no_init: do not initialize the NSS database. This requires
that the database has already been initialized or
the request will fail.
:param tls_min_version: mininum version of SSL/TLS supported
:param tls_max_version: maximum version of SSL/TLS supported.
"""
httplib.HTTPConnection.__init__(self, host, port, strict)
NSSAddressFamilyFallback.__init__(self, family)
root_logger.debug('%s init %s', self.__class__.__name__, host)
# If initialization is requested, initialize the new database.
if not no_init:
if nss.nss_is_initialized():
ssl.clear_session_cache()
try:
nss.nss_shutdown()
except NSPRError as e:
if e.errno != error.SEC_ERROR_NOT_INITIALIZED:
raise e
if not dbdir:
raise RuntimeError("dbdir is required")
nss.nss_init(dbdir)
global current_dbdir
current_dbdir = dbdir
ssl.set_domestic_policy()
nss.set_password_callback(self.password_callback)
tls_versions = get_proper_tls_version_span(tls_version_min,
tls_version_max)
self.tls_version_min = tls_versions[0]
self.tls_version_max = tls_versions[-1]
def request(self, method, url, data=None, headers=None):
parsed = urllib.parse.urlparse(url)
port = parsed.port
if not port:
port = self.SCHEME_PORT_MAP[parsed.scheme]
key = (parsed.netloc, port)
conn = self._conns.get(key, None)
if conn is None:
conn = self._conns.setdefault(key, _NssHTTPConnection(parsed.netloc, port))
conn.connect()
# FIXME: python-nss stores password_callback on a per-thread dict
# Since this object will be called from different threads,
# some would not find it. It is not a big problem since setting the
# password callback is a fast operation, but maybe there's
# some better solution here?
if _password_callback is not None:
nss.set_password_callback(_password_callback)
conn.request(method, parsed.path, body=data, headers=headers)
return NssResponse(conn.getresponse())
def request(self, method, url, data=None, headers=None):
parsed = urlparse.urlparse(url)
port = parsed.port
if not port:
port = self.SCHEME_PORT_MAP[parsed.scheme]
key = (parsed.netloc, port)
conn = self._conns.get(key, None)
if conn is None:
conn = self._conns.setdefault(
key, _NssHTTPConnection(parsed.netloc, port))
conn.connect()
# FIXME: python-nss stores password_callback on a per-thread dict
# Since this object will be called from different threads,
# some would not find it. It is not a big problem since setting the
# password callback is a fast operation, but maybe there's
# some better solution here?
if _password_callback is not None:
nss.set_password_callback(_password_callback)
conn.request(method, parsed.path, body=data, headers=headers)
return NssResponse(conn.getresponse())
def main():
global options
parser = argparse.ArgumentParser(description='certificate validation example')
# === NSS Database Group ===
group = parser.add_argument_group('NSS Database',
'Specify & control the NSS Database')
group.add_argument('-d', '--db-name',
help='NSS database name (e.g. "sql:pki")')
group.add_argument('-P', '--db-passwd',
help='NSS database password')
# === Certificate Group ===
group = parser.add_argument_group('Certificate',
'Specify how the certificate is loaded')
group.add_argument('-f', '--file', dest='cert_filename',
help='read cert from file')
group.add_argument('-F', '--input-format', choices=['pem', 'der'],
help='format of input cert')
group.add_argument('-n', '--nickname', dest='cert_nickname',
help='load cert from NSS database by looking it up under this nickname')
# === Validation Group ===
group = parser.add_argument_group('Validation',
'Control the validation')
group.add_argument('-u', '--usage', dest='cert_usage', action='append', choices=list(cert_usage_map.keys()),
help='certificate usage flags, may be specified multiple times')
group.add_argument('-c', '--check-sig', action='store_true', dest='check_sig',
help='check signature')
group.add_argument('-C', '--no-check-sig', action='store_false', dest='check_sig',
help='do not check signature')
group.add_argument('-l', '--log', action='store_true', dest='with_log',
help='use verify log')
group.add_argument('-L', '--no-log', action='store_false', dest='with_log',
help='do not use verify log')
group.add_argument('-a', '--check-ca', action='store_true', dest='check_ca',
help='check if cert is CA')
group.add_argument('-A', '--no-check-ca', action='store_false', dest='check_ca',
help='do not check if cert is CA')
# === Miscellaneous Group ===
group = parser.add_argument_group('Miscellaneous',
'Miscellaneous options')
group.add_argument('-p', '--print-cert', action='store_true', dest='print_cert',
help='print the certificate in a friendly fashion')
parser.set_defaults(db_name = 'sql:pki',
db_passwd = 'db_passwd',
input_format = 'pem',
check_sig = True,
with_log = True,
check_ca = True,
print_cert = False,
)
options = parser.parse_args()
# Process the command line arguments
# Get usage bitmask
if options.cert_usage:
intended_usage = 0
for usage in options.cert_usage:
try:
flag = cert_usage_map[usage]
except KeyError:
print("Unknown usage '%s', valid values: %s" % (usage, ', '.join(sorted(cert_usage_map.keys()))))
return 1
else:
intended_usage |= flag
else:
# We can't use nss.certificateUsageCheckAllUsages here because
# it's a special value of zero instead of being the bitwise OR
# of all the certificateUsage* flags (go figure!)
intended_usage = 0
for usage in list(cert_usage_map.values()):
intended_usage |= usage
if options.cert_filename and options.cert_nickname:
print("You may not specify both a cert filename and a nickname, only one or the other", file=sys.stderr)
return 1
if not options.cert_filename and not options.cert_nickname:
print("You must specify either a cert filename or a nickname to load", file=sys.stderr)
return 1
# Initialize NSS.
print(indented_output('NSS Database', options.db_name))
print()
nss.nss_init(options.db_name)
certdb = nss.get_default_certdb()
nss.set_password_callback(password_callback)
# Load the cert
if options.cert_filename:
# Read the certificate as DER encoded data then initialize a Certificate from the DER data
filename = options.cert_filename
si = nss.read_der_from_file(filename, options.input_format.lower() == 'pem')
# Parse the DER encoded data returning a Certificate object
cert = nss.Certificate(si)
else:
try:
cert = nss.find_cert_from_nickname(options.cert_nickname)
except Exception as e:
print(e)
print('Unable to load cert nickname "%s" from database "%s"' % \
(options.cert_nickname, options.db_name), file=sys.stderr)
return 1
# Dump the cert if the user wants to see it
if options.print_cert:
print(cert)
else:
print(indented_output('cert subject', cert.subject))
print()
# Dump the usages attached to the cert
print(indented_output('cert has these usages', nss.cert_type_flags(cert.cert_type)))
# Should we check if the cert is a CA cert?
if options.check_ca:
# CA Cert?
is_ca, cert_type = cert.is_ca_cert(True)
print()
print(indented_output('is CA cert boolean', is_ca))
print(indented_output('is CA cert returned usages', nss.cert_type_flags(cert_type)))
print()
print(indented_output('verifying usages for', nss.cert_usage_flags(intended_usage)))
print()
# Use the log or non-log variant to verify the cert
#
# Note: Anytime a NSPR or NSS function returns an error in python-nss it
# raises a NSPRError exception. When an exception is raised the normal
# return values are discarded because the flow of control continues at
# the first except block prepared to catch the exception. Normally this
# is what is desired because the return values would be invalid due to
# the error. However the certificate verification functions are an
# exception (no pun intended). An error might be returned indicating the
# cert failed verification but you may still need access to the returned
# usage bitmask and the log (if using the log variant). To handle this a
# special error exception `CertVerifyError` (derived from `NSPRError`)
# is defined which in addition to the normal NSPRError fields will also
# contain the returned usages and optionally the CertVerifyLog
# object. If no exception is raised these are returned as normal return
# values.
approved_usage = 0
if options.with_log:
try:
approved_usage, log = cert.verify_with_log(certdb, options.check_sig, intended_usage, None)
except nss_error.CertVerifyError as e:
# approved_usage and log available in CertVerifyError exception on failure.
print(e)
print()
print(indented_obj('log', e.log))
print()
print(indented_output('approved usages from exception', nss.cert_usage_flags(e.usages)))
approved_usage = e.usages # Get the returned usage bitmask from the exception
except Exception as e:
print(e)
else:
print(indented_output('approved usages', nss.cert_usage_flags(approved_usage)))
if log.count:
print()
print(indented_obj('log', log))
else:
try:
approved_usage = cert.verify(certdb, options.check_sig, intended_usage, None)
except nss_error.CertVerifyError as e:
# approved_usage available in CertVerifyError exception on failure.
print(e)
print(indented_output('approved usages from exception', nss.cert_usage_flags(e.usages)))
approved_usage = e.usages # Get the returned usage bitmask from the exception
except Exception as e:
print(e)
else:
print(indented_output('approved usages', nss.cert_usage_flags(approved_usage)))
# The cert is valid if all the intended usages are in the approved usages
valid = (intended_usage & approved_usage) == intended_usage
print()
if valid:
print(indented_output('SUCCESS: cert is approved for', nss.cert_usage_flags(intended_usage)))
return 0
else:
print(indented_output('FAIL: cert not approved for', nss.cert_usage_flags(intended_usage ^ approved_usage)))
return 1
def server():
global family
if verbose: print "starting server:"
# Initialize
# Setup an IP Address to listen on any of our interfaces
if family == io.PR_AF_UNSPEC:
family = io.PR_AF_INET
net_addr = io.NetworkAddress(io.PR_IpAddrAny, port, family)
if use_ssl:
if info: print "server: using SSL"
ssl.set_domestic_policy()
nss.set_password_callback(password_callback)
# Perform basic SSL server configuration
ssl.set_default_cipher_pref(ssl.SSL_RSA_WITH_NULL_MD5, True)
ssl.config_server_session_id_cache()
# Get our certificate and private key
server_cert = nss.find_cert_from_nickname(server_nickname, password)
priv_key = nss.find_key_by_any_cert(server_cert, password)
server_cert_kea = server_cert.find_kea_type();
#if verbose: print "server cert:\n%s" % server_cert
sock = ssl.SSLSocket(net_addr.family)
# Set server SSL socket options
sock.set_pkcs11_pin_arg(password)
sock.set_ssl_option(ssl.SSL_SECURITY, True)
sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_SERVER, True)
# If we're doing client authentication then set it up
if client_cert_action >= REQUEST_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUEST_CERTIFICATE, True)
if client_cert_action == REQUIRE_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUIRE_CERTIFICATE, True)
sock.set_auth_certificate_callback(auth_certificate_callback, nss.get_default_certdb())
# Configure the server SSL socket
sock.config_secure_server(server_cert, priv_key, server_cert_kea)
else:
sock = io.Socket(net_addr.family)
# Bind to our network address and listen for clients
sock.bind(net_addr)
if verbose: print "listening on: %s" % (net_addr)
sock.listen()
while True:
# Accept a connection from a client
client_sock, client_addr = sock.accept()
if use_ssl:
client_sock.set_handshake_callback(handshake_callback)
if verbose: print "client connect from: %s" % (client_addr)
while True:
try:
# Handle the client connection
buf = client_sock.recv(1024)
if not buf:
print >>sys.stderr, "server: lost lost connection to %s" % (client_addr)
break
if info: print "server: received \"%s\"" % (buf)
reply = "{%s}" % buf # echo
if info: print "server: sending \"%s\"" % (reply)
client_sock.send(reply) # echo
time.sleep(sleep_time)
client_sock.shutdown()
client_sock.close()
break
except Exception, e:
print >>sys.stderr, "server: %s" % e
break
break
def setUp(self):
nss.nss_init(certdir)
nss.set_password_callback(password_callback)
nss.pkcs12_enable_all_ciphers()
if options.client and options.server:
print("can't be both client and server")
sys.exit(1)
if not (options.client or options.server):
print("must be one of client or server")
sys.exit(1)
# Perform basic configuration and setup
if options.use_ssl:
nss.nss_init(options.db_name)
else:
nss.nss_init_nodb()
ssl.set_domestic_policy()
nss.set_password_callback(password_callback)
min_ssl_version, max_ssl_version = \
ssl.get_supported_ssl_version_range(repr_kind=nss.AsString)
print("Supported SSL version range: min=%s, max=%s" % \
(min_ssl_version, max_ssl_version))
min_ssl_version, max_ssl_version = \
ssl.get_default_ssl_version_range(repr_kind=nss.AsString)
print("Default SSL version range: min=%s, max=%s" % \
(min_ssl_version, max_ssl_version))
if options.min_ssl_version is not None or \
options.max_ssl_version is not None:
if options.min_ssl_version is not None:
def setUp(self):
nss.nss_init_read_write(certdir)
nss.set_password_callback(password_callback)
nss.pkcs12_set_nickname_collision_callback(nickname_collision_callback)
nss.pkcs12_enable_all_ciphers()
def main():
# Command line argument processing
parser = optparse.OptionParser()
parser.set_defaults(dbdir = '/etc/pki/nssdb',
db_passwd = 'db_passwd',
input_format = 'pem',
check_sig = True,
print_cert = False,
with_log = True,
check_ca = True,
)
param_group = optparse.OptionGroup(parser, 'NSS Database',
'Specify & control the NSS Database')
param_group.add_option('-d', '--dbdir', dest='dbdir',
help='NSS database directory, default="%default"')
param_group.add_option('-P', '--db-passwd', dest='db_passwd',
help='NSS database password, default="%default"')
parser.add_option_group(param_group)
param_group = optparse.OptionGroup(parser, 'Certificate',
'Specify how the certificate is loaded')
param_group.add_option('-f', '--file', dest='cert_filename',
help='read cert from file')
param_group.add_option('--format', dest='input_format', choices=['pem', 'der'],
help='import format for certificate (der|pem) default="%default"')
param_group.add_option('-n', '--nickname', dest='cert_nickname',
help='load cert from NSS database by looking it up under this nickname')
parser.add_option_group(param_group)
param_group = optparse.OptionGroup(parser, 'Validation',
'Control the validation')
param_group.add_option('-u', '--usage', dest='cert_usage', action='append', choices=cert_usage_map.keys(),
help='may be specified multiple times, default="CheckAllUsages", may be one of: %s' % ', '.join(sorted(cert_usage_map.keys())))
param_group.add_option('-c', '--check-sig', action='store_true', dest='check_sig',
help='check signature default=%default')
param_group.add_option('-C', '--no-check-sig', action='store_false', dest='check_sig',
help='check signature')
param_group.add_option('-l', '--log', action='store_true', dest='with_log',
help='use verify log, default=%default')
param_group.add_option('-L', '--no-log', action='store_false', dest='with_log',
help='use verify log, default=%default')
param_group.add_option('-a', '--check-ca', action='store_true', dest='check_ca',
help='check if cert is CA, default=%default')
param_group.add_option('-A', '--no-check-ca', action='store_false', dest='check_ca',
help='check if cert is CA, default=%default')
parser.add_option_group(param_group)
param_group = optparse.OptionGroup(parser, 'Miscellaneous',
'Miscellaneous options')
param_group.add_option('-p', '--print-cert', action='store_true', dest='print_cert',
help='print the certificate in a friendly fashion, default=%default')
parser.add_option_group(param_group)
options, args = parser.parse_args()
# Process the command line arguments
# Get usage bitmask
if options.cert_usage:
intended_usage = 0
for usage in options.cert_usage:
try:
flag = cert_usage_map[usage]
except KeyError:
print "Unknown usage '%s', valid values: %s" % (usage, ', '.join(sorted(cert_usage_map.keys())))
return 1
else:
intended_usage |= flag
else:
# We can't use nss.certificateUsageCheckAllUsages here because
# it's a special value of zero instead of being the bitwise OR
# of all the certificateUsage* flags (go figure!)
intended_usage = 0
for usage in cert_usage_map.values():
intended_usage |= usage
if options.cert_filename and options.cert_nickname:
print >>sys.stderr, "You may not specify both a cert filename and a nickname, only one or the other"
return 1
if not options.cert_filename and not options.cert_nickname:
print >>sys.stderr, "You must specify either a cert filename or a nickname to load"
return 1
# Initialize NSS.
print indented_output('NSS Database', options.dbdir)
print
nss.nss_init(options.dbdir)
certdb = nss.get_default_certdb()
nss.set_password_callback(password_callback)
# Load the cert
if options.cert_filename:
# Read the certificate as DER encoded data then initialize a Certificate from the DER data
filename = options.cert_filename
si = nss.read_der_from_file(filename, options.input_format.lower() == 'pem')
# Parse the DER encoded data returning a Certificate object
cert = nss.Certificate(si)
else:
try:
cert = nss.find_cert_from_nickname(options.cert_nickname)
except Exception, e:
print e
print >>sys.stderr, 'Unable to load cert nickname "%s" from database "%s"' % \
(options.cert_nickname, options.dbdir)
return 1
def server():
if verbose:
print("starting server:")
# Initialize
# Setup an IP Address to listen on any of our interfaces
net_addr = io.NetworkAddress(io.PR_IpAddrAny, port)
if use_ssl:
if info:
print("server: using SSL")
ssl.set_domestic_policy()
nss.set_password_callback(password_callback)
# Perform basic SSL server configuration
ssl.set_default_cipher_pref(ssl.SSL_RSA_WITH_NULL_MD5, True)
ssl.config_server_session_id_cache()
# Get our certificate and private key
server_cert = nss.find_cert_from_nickname(server_nickname, password)
priv_key = nss.find_key_by_any_cert(server_cert, password)
server_cert_kea = server_cert.find_kea_type()
#if verbose:
# print("server cert:\n%s" % server_cert)
sock = ssl.SSLSocket(net_addr.family)
# Set server SSL socket options
sock.set_pkcs11_pin_arg(password)
sock.set_ssl_option(ssl.SSL_SECURITY, True)
sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_SERVER, True)
# If we're doing client authentication then set it up
if client_cert_action >= REQUEST_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUEST_CERTIFICATE, True)
if client_cert_action == REQUIRE_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUIRE_CERTIFICATE, True)
sock.set_auth_certificate_callback(auth_certificate_callback,
nss.get_default_certdb())
# Configure the server SSL socket
sock.config_secure_server(server_cert, priv_key, server_cert_kea)
else:
sock = io.Socket(net_addr.family)
# Bind to our network address and listen for clients
sock.bind(net_addr)
if verbose:
print("listening on: %s" % (net_addr))
sock.listen()
while True:
# Accept a connection from a client
client_sock, client_addr = sock.accept()
if use_ssl:
client_sock.set_handshake_callback(handshake_callback)
if verbose:
print("client connect from: %s" % (client_addr))
while True:
try:
# Handle the client connection
buf = client_sock.readline(
) # newline is protocol record separator
if not buf:
print("server: lost lost connection to %s" % (client_addr),
file=sys.stderr)
break
buf = buf.decode('utf-8')
buf = buf.rstrip() # remove newline record separator
if info:
print("server: received \"%s\"" % (buf))
reply = "{%s}" % buf # echo embedded inside braces
if info:
print("server: sending \"%s\"" % (reply))
data = reply + "\n" # send echo with record separator
client_sock.send(data.encode('utf-8'))
time.sleep(sleep_time)
client_sock.shutdown()
client_sock.close()
break
except Exception as e:
print("server: %s" % e, file=sys.stderr)
break
break
# Clean up
sock.shutdown()
sock.close()
if use_ssl:
ssl.shutdown_server_session_id_cache()
def server():
global family
if verbose: print "starting server:"
# Initialize
# Setup an IP Address to listen on any of our interfaces
if family == io.PR_AF_UNSPEC:
family = io.PR_AF_INET
net_addr = io.NetworkAddress(io.PR_IpAddrAny, port, family)
if use_ssl:
if info: print "server: using SSL"
ssl.set_domestic_policy()
nss.set_password_callback(password_callback)
# Perform basic SSL server configuration
ssl.set_default_cipher_pref(ssl.SSL_RSA_WITH_NULL_MD5, True)
ssl.config_server_session_id_cache()
# Get our certificate and private key
server_cert = nss.find_cert_from_nickname(server_nickname, password)
priv_key = nss.find_key_by_any_cert(server_cert, password)
server_cert_kea = server_cert.find_kea_type()
#if verbose: print "server cert:\n%s" % server_cert
sock = ssl.SSLSocket(net_addr.family)
# Set server SSL socket options
sock.set_pkcs11_pin_arg(password)
sock.set_ssl_option(ssl.SSL_SECURITY, True)
sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_SERVER, True)
# If we're doing client authentication then set it up
if client_cert_action >= REQUEST_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUEST_CERTIFICATE, True)
if client_cert_action == REQUIRE_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUIRE_CERTIFICATE, True)
sock.set_auth_certificate_callback(auth_certificate_callback,
nss.get_default_certdb())
# Configure the server SSL socket
sock.config_secure_server(server_cert, priv_key, server_cert_kea)
else:
sock = io.Socket(net_addr.family)
# Bind to our network address and listen for clients
sock.bind(net_addr)
if verbose: print "listening on: %s" % (net_addr)
sock.listen()
while True:
# Accept a connection from a client
client_sock, client_addr = sock.accept()
if use_ssl:
client_sock.set_handshake_callback(handshake_callback)
if verbose: print "client connect from: %s" % (client_addr)
while True:
try:
# Handle the client connection
buf = client_sock.recv(1024)
if not buf:
print >> sys.stderr, "server: lost lost connection to %s" % (
client_addr)
break
if info: print "server: received \"%s\"" % (buf)
reply = "{%s}" % buf # echo
if info: print "server: sending \"%s\"" % (reply)
client_sock.send(reply) # echo
time.sleep(sleep_time)
client_sock.shutdown()
client_sock.close()
break
except Exception, e:
print >> sys.stderr, "server: %s" % e
break
break
def server():
if verbose:
print("starting server:")
# Initialize
# Setup an IP Address to listen on any of our interfaces
net_addr = io.NetworkAddress(io.PR_IpAddrAny, port)
if use_ssl:
if info:
print("server: using SSL")
ssl.set_domestic_policy()
nss.set_password_callback(password_callback)
# Perform basic SSL server configuration
ssl.set_default_cipher_pref(ssl.SSL_RSA_WITH_NULL_MD5, True)
ssl.config_server_session_id_cache()
# Get our certificate and private key
server_cert = nss.find_cert_from_nickname(server_nickname, password)
priv_key = nss.find_key_by_any_cert(server_cert, password)
server_cert_kea = server_cert.find_kea_type();
#if verbose:
# print("server cert:\n%s" % server_cert)
sock = ssl.SSLSocket(net_addr.family)
# Set server SSL socket options
sock.set_pkcs11_pin_arg(password)
sock.set_ssl_option(ssl.SSL_SECURITY, True)
sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_SERVER, True)
# If we're doing client authentication then set it up
if client_cert_action >= REQUEST_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUEST_CERTIFICATE, True)
if client_cert_action == REQUIRE_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUIRE_CERTIFICATE, True)
sock.set_auth_certificate_callback(auth_certificate_callback, nss.get_default_certdb())
# Configure the server SSL socket
sock.config_secure_server(server_cert, priv_key, server_cert_kea)
else:
sock = io.Socket(net_addr.family)
# Bind to our network address and listen for clients
sock.bind(net_addr)
if verbose:
print("listening on: %s" % (net_addr))
sock.listen()
while True:
# Accept a connection from a client
client_sock, client_addr = sock.accept()
if use_ssl:
client_sock.set_handshake_callback(handshake_callback)
if verbose:
print("client connect from: %s" % (client_addr))
while True:
try:
# Handle the client connection
buf = client_sock.readline() # newline is protocol record separator
if not buf:
print("server: lost lost connection to %s" % (client_addr), file=sys.stderr)
break
buf = buf.decode('utf-8')
buf = buf.rstrip() # remove newline record separator
if info:
print("server: received \"%s\"" % (buf))
reply = "{%s}" % buf # echo embedded inside braces
if info:
print("server: sending \"%s\"" % (reply))
data = reply + "\n" # send echo with record separator
client_sock.send(data.encode('utf-8'))
time.sleep(sleep_time)
client_sock.shutdown()
client_sock.close()
break
except Exception as e:
print("server: %s" % e, file=sys.stderr)
break
break
# Clean up
sock.shutdown()
sock.close()
if use_ssl:
ssl.shutdown_server_session_id_cache()
if client and server:
print "can't be both client and server"
sys.exit(1)
if not (client or server):
print "must be one of client or server"
sys.exit(1)
# Perform basic configuration and setup
if certdir is None:
nss.nss_init_nodb()
else:
nss.nss_init(certdir)
ssl.set_domestic_policy()
nss.set_password_callback(password_callback)
# Run as a client or as a server
if client:
print "starting as client"
Client()
if server:
print "starting as server"
Server()
try:
nss.nss_shutdown()
except Exception, e:
print e
def setUp(self):
nss.nss_init(certdir)
nss.set_password_callback(password_callback)
nss.pkcs12_enable_all_ciphers()
def setUp(self):
nss.nss_init_read_write(certdir)
nss.set_password_callback(password_callback)
nss.pkcs12_set_nickname_collision_callback(nickname_collision_callback)
nss.pkcs12_enable_all_ciphers()
def main():
global options
parser = argparse.ArgumentParser(
description='certificate validation example')
# === NSS Database Group ===
group = parser.add_argument_group('NSS Database',
'Specify & control the NSS Database')
group.add_argument('-d',
'--db-name',
help='NSS database name (e.g. "sql:pki")')
group.add_argument('-P', '--db-passwd', help='NSS database password')
# === Certificate Group ===
group = parser.add_argument_group('Certificate',
'Specify how the certificate is loaded')
group.add_argument('-f',
'--file',
dest='cert_filename',
help='read cert from file')
group.add_argument('-F',
'--input-format',
choices=['pem', 'der'],
help='format of input cert')
group.add_argument(
'-n',
'--nickname',
dest='cert_nickname',
help='load cert from NSS database by looking it up under this nickname'
)
# === Validation Group ===
group = parser.add_argument_group('Validation', 'Control the validation')
group.add_argument(
'-u',
'--usage',
dest='cert_usage',
action='append',
choices=list(cert_usage_map.keys()),
help='certificate usage flags, may be specified multiple times')
group.add_argument('-c',
'--check-sig',
action='store_true',
dest='check_sig',
help='check signature')
group.add_argument('-C',
'--no-check-sig',
action='store_false',
dest='check_sig',
help='do not check signature')
group.add_argument('-l',
'--log',
action='store_true',
dest='with_log',
help='use verify log')
group.add_argument('-L',
'--no-log',
action='store_false',
dest='with_log',
help='do not use verify log')
group.add_argument('-a',
'--check-ca',
action='store_true',
dest='check_ca',
help='check if cert is CA')
group.add_argument('-A',
'--no-check-ca',
action='store_false',
dest='check_ca',
help='do not check if cert is CA')
# === Miscellaneous Group ===
group = parser.add_argument_group('Miscellaneous', 'Miscellaneous options')
group.add_argument('-p',
'--print-cert',
action='store_true',
dest='print_cert',
help='print the certificate in a friendly fashion')
parser.set_defaults(
db_name='sql:pki',
db_passwd='db_passwd',
input_format='pem',
check_sig=True,
with_log=True,
check_ca=True,
print_cert=False,
)
options = parser.parse_args()
# Process the command line arguments
# Get usage bitmask
if options.cert_usage:
intended_usage = 0
for usage in options.cert_usage:
try:
flag = cert_usage_map[usage]
except KeyError:
print("Unknown usage '%s', valid values: %s" %
(usage, ', '.join(sorted(cert_usage_map.keys()))))
return 1
else:
intended_usage |= flag
else:
# We can't use nss.certificateUsageCheckAllUsages here because
# it's a special value of zero instead of being the bitwise OR
# of all the certificateUsage* flags (go figure!)
intended_usage = 0
for usage in list(cert_usage_map.values()):
intended_usage |= usage
if options.cert_filename and options.cert_nickname:
print(
"You may not specify both a cert filename and a nickname, only one or the other",
file=sys.stderr)
return 1
if not options.cert_filename and not options.cert_nickname:
print("You must specify either a cert filename or a nickname to load",
file=sys.stderr)
return 1
# Initialize NSS.
print(indented_output('NSS Database', options.db_name))
print()
nss.nss_init(options.db_name)
certdb = nss.get_default_certdb()
nss.set_password_callback(password_callback)
# Load the cert
if options.cert_filename:
# Read the certificate as DER encoded data then initialize a Certificate from the DER data
filename = options.cert_filename
si = nss.read_der_from_file(filename,
options.input_format.lower() == 'pem')
# Parse the DER encoded data returning a Certificate object
cert = nss.Certificate(si)
else:
try:
cert = nss.find_cert_from_nickname(options.cert_nickname)
except Exception as e:
print(e)
print('Unable to load cert nickname "%s" from database "%s"' % \
(options.cert_nickname, options.db_name), file=sys.stderr)
return 1
# Dump the cert if the user wants to see it
if options.print_cert:
print(cert)
else:
print(indented_output('cert subject', cert.subject))
print()
# Dump the usages attached to the cert
print(
indented_output('cert has these usages',
nss.cert_type_flags(cert.cert_type)))
# Should we check if the cert is a CA cert?
if options.check_ca:
# CA Cert?
is_ca, cert_type = cert.is_ca_cert(True)
print()
print(indented_output('is CA cert boolean', is_ca))
print(
indented_output('is CA cert returned usages',
nss.cert_type_flags(cert_type)))
print()
print(
indented_output('verifying usages for',
nss.cert_usage_flags(intended_usage)))
print()
# Use the log or non-log variant to verify the cert
#
# Note: Anytime a NSPR or NSS function returns an error in python-nss it
# raises a NSPRError exception. When an exception is raised the normal
# return values are discarded because the flow of control continues at
# the first except block prepared to catch the exception. Normally this
# is what is desired because the return values would be invalid due to
# the error. However the certificate verification functions are an
# exception (no pun intended). An error might be returned indicating the
# cert failed verification but you may still need access to the returned
# usage bitmask and the log (if using the log variant). To handle this a
# special error exception `CertVerifyError` (derived from `NSPRError`)
# is defined which in addition to the normal NSPRError fields will also
# contain the returned usages and optionally the CertVerifyLog
# object. If no exception is raised these are returned as normal return
# values.
approved_usage = 0
if options.with_log:
try:
approved_usage, log = cert.verify_with_log(certdb,
options.check_sig,
intended_usage, None)
except nss_error.CertVerifyError as e:
# approved_usage and log available in CertVerifyError exception on failure.
print(e)
print()
print(indented_obj('log', e.log))
print()
print(
indented_output('approved usages from exception',
nss.cert_usage_flags(e.usages)))
approved_usage = e.usages # Get the returned usage bitmask from the exception
except Exception as e:
print(e)
else:
print(
indented_output('approved usages',
nss.cert_usage_flags(approved_usage)))
if log.count:
print()
print(indented_obj('log', log))
else:
try:
approved_usage = cert.verify(certdb, options.check_sig,
intended_usage, None)
except nss_error.CertVerifyError as e:
# approved_usage available in CertVerifyError exception on failure.
print(e)
print(
indented_output('approved usages from exception',
nss.cert_usage_flags(e.usages)))
approved_usage = e.usages # Get the returned usage bitmask from the exception
except Exception as e:
print(e)
else:
print(
indented_output('approved usages',
nss.cert_usage_flags(approved_usage)))
# The cert is valid if all the intended usages are in the approved usages
valid = (intended_usage & approved_usage) == intended_usage
print()
if valid:
print(
indented_output('SUCCESS: cert is approved for',
nss.cert_usage_flags(intended_usage)))
return 0
else:
print(
indented_output(
'FAIL: cert not approved for',
nss.cert_usage_flags(intended_usage ^ approved_usage)))
return 1
def main():
global options
parser = argparse.ArgumentParser(description='certificate trust example')
# === NSS Database Group ===
group = parser.add_argument_group('NSS Database',
'Specify & control the NSS Database')
group.add_argument('-d', '--db-name',
help='NSS database name (e.g. "sql:pki")')
group.add_argument('-P', '--db-passwd',
help='NSS database password')
# === Certificate Group ===
group = parser.add_argument_group('Certificate',
'Specify how the certificate is loaded')
group.add_argument('-f', '--file', dest='cert_filename',
help='read cert from file')
group.add_argument('-F', '--input-format', choices=['pem', 'der'],
help='format of input cert')
group.add_argument('-n', '--nickname', dest='cert_nickname',
help='load cert from NSS database by looking it up under this nickname')
group.add_argument('-t', '--trust', dest='cert_trust',
help='set the cert trust flags, see certutil for format')
group.add_argument('-i', '--install-cert', action='store_true', dest='cert_perm',
help='check signature')
group.add_argument('-p', '--print-cert', action='store_true', dest='print_cert',
help='print the certificate in a friendly fashion')
parser.set_defaults(db_name = 'sql:pki',
db_passwd = 'db_passwd',
input_format = 'pem',
install_cert = False,
print_cert = False,
)
options = parser.parse_args()
# Process the command line arguments
if options.cert_perm:
if not options.cert_filename:
print("You must specify a cert filename to install a cert in the database", file=sys.stderr)
return 1
if not options.cert_nickname:
print("You must specify a cert nickname to install a cert in the database", file=sys.stderr)
return 1
else:
if options.cert_filename and options.cert_nickname:
print("You may not specify both a cert filename and a nickname, only one or the other", file=sys.stderr)
return 1
if not options.cert_filename and not options.cert_nickname:
print("You must specify either a cert filename or a nickname to load", file=sys.stderr)
return 1
# Initialize NSS.
print('NSS Database: %s' % (options.db_name))
print()
# Initialize the database as read/write, otherwise we would not
# be able to import a cert
nss.nss_init_read_write(options.db_name)
certdb = nss.get_default_certdb()
# Since we may update the cert make sure we're using the key slot
# and not just the internal slot
slot = nss.get_internal_key_slot()
# If we're importing or modifying a cert we'll need to authenticate
# to the database, the password callback supplies the password during
# authentication.
nss.set_password_callback(password_callback)
# Load the cert
if options.cert_filename:
# Read the certificate as DER encoded data then initialize a Certificate from the DER data
filename = options.cert_filename
si = nss.read_der_from_file(filename, options.input_format.lower() == 'pem')
# Parse the DER encoded data returning a Certificate object.
#
# If we've been asked to install the cert in the database the
# options.cert_perm flag will be True and we'll need to supply
# the nickname (which is used to locate the cert in the database).
cert = nss.Certificate(si, certdb,
options.cert_perm, options.cert_nickname)
else:
try:
cert = nss.find_cert_from_nickname(options.cert_nickname)
except Exception as e:
print(e)
print('Unable to load cert nickname "%s" from database "%s"' % \
(options.cert_nickname, options.db_name), file=sys.stderr)
return 1
# Dump the cert if the user wants to see it
if options.print_cert:
print(cert)
else:
print('cert subject: %s' % (cert.subject))
print()
# Change the cert trust if specified
if options.cert_trust:
cert.set_trust_attributes(options.cert_trust, certdb, slot)
illustrate_ssl_trust(cert)
return 0