Example #1
0
    def signCertAs(self, cert, signas):
        '''
        Signs a certificate with a CA keypair.

        Args:
            cert (OpenSSL.crypto.X509): The certificate to sign.
            signas (str): The CA keypair name to sign the new keypair with.

        Examples:
            Sign a certificate with the CA "myca":

                cdir.signCertAs(mycert, 'myca')

        Returns:
            None
        '''
        cakey = self.getCaKey(signas)
        if cakey is None:
            raise s_exc.NoCertKey('Missing .key for %s' % signas)
        cacert = self.getCaCert(signas)
        if cacert is None:
            raise s_exc.NoCertKey('Missing .crt for %s' % signas)

        cert.set_issuer(cacert.get_subject())
        cert.sign(cakey, self.signing_digest)
Example #2
0
    def getServerSSLContext(self, hostname=None, caname=None):
        '''
        Returns an ssl.SSLContext appropriate to listen on a socket

        Args:

            hostname:  if None, the value from socket.gethostname is used to find the key in the servers directory.
                       This name should match the not-suffixed part of two files ending in .key and .crt in the hosts
                       subdirectory

            caname: If not None, the given name is used to locate a CA certificate used to validate client SSL certs.

        '''
        sslctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
        if hostname is None:
            hostname = socket.gethostname()

        certfile = self.getHostCertPath(hostname)
        if certfile is None:
            mesg = f'Missing TLS certificate file for host: {hostname}'
            raise s_exc.NoCertKey(mesg=mesg)

        keyfile = self.getHostKeyPath(hostname)
        if keyfile is None:
            mesg = f'Missing TLS key file for host: {hostname}'
            raise s_exc.NoCertKey(mesg=mesg)

        sslctx.load_cert_chain(certfile, keyfile)

        if caname is not None:
            cafile = self.getCaCertPath(caname)
            sslctx.verify_mode = ssl.VerifyMode.CERT_REQUIRED
            sslctx.load_verify_locations(cafile=cafile)

        return sslctx
Example #3
0
    def getClientSSLContext(self, certname=None):
        '''
        Returns an ssl.SSLContext appropriate for initiating a TLS session

        Args:
            certname:   If specified, use the user certificate with the matching
                        name to authenticate to the remote service.
        '''
        sslctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
        self._loadCasIntoSSLContext(sslctx)

        if certname is not None:

            username = certname
            if username.find('@') != -1:
                user, host = username.split('@', 1)
                username = self.getUserForHost(user, host)

            if username is None:
                mesg = f'User certificate not found: {certname}'
                raise s_exc.NoSuchCert(mesg=mesg)

            certpath = self.getUserCertPath(username)
            if certpath is None:
                mesg = f'User certificate not found: {certname}'
                raise s_exc.NoSuchCert(mesg=mesg)

            keypath = self.getUserKeyPath(username)
            if keypath is None:
                mesg = f'User private key not found: {certname}'
                raise s_exc.NoCertKey(mesg=mesg)

            sslctx.load_cert_chain(certpath, keypath)

        return sslctx
Example #4
0
    def getClientSSLContext(self, certname=None):
        '''
        Returns an ssl.SSLContext appropriate for initiating a TLS session

        Args:
            certname:   If specified, use the user certificate with the matching
                        name to authenticate to the remote service.
        '''
        sslctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
        self._loadCasIntoSSLContext(sslctx)

        if certname is not None:
            certfile = self.getUserCertPath(certname)
            if certfile is None:
                mesg = f'Missing TLS certificate file for user: {certname}'
                raise s_exc.NoSuchCert(mesg=mesg)

            keyfile = self.getUserKeyPath(certname)
            if keyfile is None:
                mesg = f'Missing TLS key file for user: {certname}'
                raise s_exc.NoCertKey(mesg=mesg)

            sslctx.load_cert_chain(certfile, keyfile)

        return sslctx
Example #5
0
    def getServerSSLContext(self, hostname=None):
        '''
        Returns an ssl.SSLContext appropriate to listen on a socket

        Args:
            hostname:  if None, the value from socket.gethostname is used to find the key in the servers directory.
            This name should match the not-suffixed part of two files ending in .key and .crt in the hosts subdirectory

        '''
        sslctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
        if hostname is None:
            hostname = socket.gethostname()
        certfile = self.getHostCertPath(hostname)
        if certfile is None:
            raise s_exc.NoCertKey('Missing .crt for %s' % hostname)
        keyfile = self.getHostKeyPath(hostname)
        if keyfile is None:
            raise s_exc.NoCertKey('Missing .key for %s' % hostname)

        sslctx.load_cert_chain(certfile, keyfile)

        return sslctx
Example #6
0
    def _getServerSSLContext(self, hostname=None, caname=None):
        sslctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
        if hostname is None:
            hostname = socket.gethostname()

        certfile = self.getHostCertPath(hostname)
        if certfile is None:
            mesg = f'Missing TLS certificate file for host: {hostname}'
            raise s_exc.NoCertKey(mesg=mesg)

        keyfile = self.getHostKeyPath(hostname)
        if keyfile is None:
            mesg = f'Missing TLS key file for host: {hostname}'
            raise s_exc.NoCertKey(mesg=mesg)

        sslctx.load_cert_chain(certfile, keyfile)

        if caname is not None:
            cafile = self.getCaCertPath(caname)
            sslctx.verify_mode = ssl.VerifyMode.CERT_REQUIRED
            sslctx.load_verify_locations(cafile=cafile)

        return sslctx
Example #7
0
    def sign(self, cert, **info):
        '''
        Sign a certificate with the current Cert.

        Args:
            cert (Cert): Certificate to sign with the current Cert.
            **info: Additional data to include in the signed message.

        Returns:
            None
        '''

        if self.rkey is None:
            raise s_exc.NoCertKey(mesg='sign() requires a private key')

        info['time'] = s_common.now()

        data = s_msgpack.en(info)
        tosign = data + cert.toknbytes()

        sign = self.rkey.sign(tosign)

        signer = (self.iden(), data, sign)
        cert.addsigner(signer)