def _createSSLEngine(self,
addr,
hostname=None,
cert_file=None,
key_file=None,
server_side=False):
tmf = InsecureTrustManagerFactory.INSTANCE
if self.verify_mode != CERT_NONE:
# XXX need to refactor so we don't have to get trust managers twice
stmf = SimpleTrustManagerFactory.getInstance(
SimpleTrustManagerFactory.getDefaultAlgorithm())
stmf.init(self._trust_store)
tmf = CompositeX509TrustManagerFactory(stmf.getTrustManagers())
tmf.init(self._trust_store)
kmf = self._key_managers
if self._key_managers is None:
kmf = _get_openssl_key_manager(cert_file=cert_file,
key_file=key_file)
context_builder = None
if not server_side:
context_builder = SslContextBuilder.forClient()
if kmf:
if server_side:
context_builder = SslContextBuilder.forServer(kmf)
else:
context_builder = context_builder.keyManager(kmf)
context_builder = context_builder.trustManager(tmf)
context_builder = context_builder.sslProvider(SslProvider.JDK)
context_builder = context_builder.clientAuth(
_CERT_TO_CLIENT_AUTH[self.verify_mode])
if self._ciphers is not None:
context_builder = context_builder.ciphers(self._ciphers)
if self._check_hostname:
engine = context_builder.build().newEngine(
ByteBufAllocator.DEFAULT, hostname, addr[1])
if HAS_SNI:
params = engine.getSSLParameters()
params.setEndpointIdentificationAlgorithm('HTTPS')
params.setServerNames([SNIHostName(hostname)])
engine.setSSLParameters(params)
else:
engine = context_builder.build().newEngine(
ByteBufAllocator.DEFAULT, addr[0], addr[1])
return engine
def _get_ca_certs_trust_manager(ca_certs=None):
trust_store = KeyStore.getInstance(KeyStore.getDefaultType())
trust_store.load(None, None)
num_certs_installed = 0
if ca_certs is not None:
with open(ca_certs) as f:
cf = CertificateFactory.getInstance("X.509")
for cert in cf.generateCertificates(BufferedInputStream(f)):
trust_store.setCertificateEntry(str(uuid.uuid4()), cert)
num_certs_installed += 1
tmf = SimpleTrustManagerFactory.getInstance(SimpleTrustManagerFactory.getDefaultAlgorithm())
tmf.init(trust_store)
log.debug("Installed %s certificates", num_certs_installed, extra={"sock": "*"})
return tmf
def _get_ca_certs_trust_manager(ca_certs=None):
trust_store = KeyStore.getInstance(KeyStore.getDefaultType())
trust_store.load(None, None)
num_certs_installed = 0
if ca_certs is not None:
with open(ca_certs) as f:
cf = CertificateFactory.getInstance("X.509")
for cert in cf.generateCertificates(BufferedInputStream(f)):
trust_store.setCertificateEntry(str(uuid.uuid4()), cert)
num_certs_installed += 1
tmf = SimpleTrustManagerFactory.getInstance(
SimpleTrustManagerFactory.getDefaultAlgorithm())
tmf.init(trust_store)
log.debug("Installed %s certificates",
num_certs_installed,
extra={"sock": "*"})
return tmf
def _createSSLEngine(self, addr, hostname=None, cert_file=None, key_file=None, server_side=False):
tmf = InsecureTrustManagerFactory.INSTANCE
if self.verify_mode != CERT_NONE:
# XXX need to refactor so we don't have to get trust managers twice
stmf = SimpleTrustManagerFactory.getInstance(SimpleTrustManagerFactory.getDefaultAlgorithm())
stmf.init(self._trust_store)
tmf = CompositeX509TrustManagerFactory(stmf.getTrustManagers())
tmf.init(self._trust_store)
kmf = self._key_managers
if self._key_managers is None:
kmf = _get_openssl_key_manager(cert_file=cert_file, key_file=key_file)
context_builder = None
if not server_side:
context_builder = SslContextBuilder.forClient()
if kmf:
if server_side:
context_builder = SslContextBuilder.forServer(kmf)
else:
context_builder = context_builder.keyManager(kmf)
context_builder = context_builder.trustManager(tmf)
context_builder = context_builder.sslProvider(SslProvider.JDK)
context_builder = context_builder.clientAuth(_CERT_TO_CLIENT_AUTH[self.verify_mode])
if self._ciphers is not None:
context_builder = context_builder.ciphers(self._ciphers)
if self._check_hostname:
engine = context_builder.build().newEngine(ByteBufAllocator.DEFAULT, hostname, addr[1])
if HAS_SNI:
params = engine.getSSLParameters()
params.setEndpointIdentificationAlgorithm('HTTPS')
params.setServerNames([SNIHostName(hostname)])
engine.setSSLParameters(params)
else:
engine = context_builder.build().newEngine(ByteBufAllocator.DEFAULT, addr[0], addr[1])
return engine
