def ec_error():
    # type: () -> ECError
    """Raise ``ECError`` for the OpenSSL error popped from the error queue.

    ``m2.err_get_error`` pops one error code from the queue and
    ``m2.err_reason_error_string`` translates it into a reason string,
    which becomes the exception message.  This function never returns
    normally.
    """
    code = m2.err_get_error()
    reason = m2.err_reason_error_string(code)
    raise ECError(reason)
def rsa_error():
    # type: () -> None
    """Raise ``RSAError`` for the OpenSSL error popped from the error queue.

    The code is taken from the queue with ``m2.err_get_error`` and turned
    into a reason string by ``m2.err_reason_error_string``; the function
    never returns normally.
    """
    code = m2.err_get_error()
    reason = m2.err_reason_error_string(code)
    raise RSAError(reason)
def rsa_error():
    """Raise ``RSAError`` carrying the reason of the queued OpenSSL error.

    Pops one code from the OpenSSL error queue (``m2.err_get_error``) and
    uses its reason string as the exception message.  Never returns.
    """
    reason = m2.err_reason_error_string(m2.err_get_error())
    raise RSAError(reason)
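def _m2_check_err(self, r=None, cls=TLSError):
    """Raise ``cls`` if the OpenSSL error queue is non-empty, else return ``r``.

    Meant to wrap the return value of a raw ``m2`` call, e.g.
    ``self._m2_check_err(m2.ssl_set_connect_state(...))``.  The value ``r``
    itself is not inspected; only the thread's OpenSSL error queue decides
    whether an exception is raised.

    The exception message is the reason string of the first queued error.
    Any further queued errors are drained before raising, so a stale entry
    cannot make a later, unrelated check fail spuriously.

    Args:
        r: value to pass through when no error is queued.
        cls: exception class to raise (defaults to ``TLSError``).

    Returns:
        ``r`` unchanged when the error queue is empty.
    """
    if not m2.err_peek_error():
        return r
    err = m2.err_reason_error_string(m2.err_get_error())
    # Drain whatever else is queued so it does not leak into the next check.
    while m2.err_get_error():
        pass
    raise cls(err)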
def get_error_code():
    # type: () -> int
    """Pop and return one error code from the OpenSSL error queue.

    Thin wrapper over ``m2.err_get_error``; the result is falsy when the
    queue is empty.
    """
    code = m2.err_get_error()
    return code
#ctx.set_verify(M2Crypto.SSL.verify_none, 10) if not self._cafile: # Verification was requested but on CA bundle found, therefore # impossible to verify. raise TLSError('CA bundle not found but verification requested.') else: # Load CA bundle. ctx.load_verify_locations(self._cafile) # M2Crypto does no error checking on this function, and at # least on my system it yields the delightfully inscrutable # "cert already in hash table" error (perhaps my distro's # CA bundle has duplicate certs?). It doesn't seem there's # anything that can be done about it, so just eat it. # (There may be multiple such errors, so clear them all.) while True: err = m2.err_get_error() if not err: break # The magic number is X509_R_CERT_ALREADY_IN_HASH_TABLE, which # is a constant that m2crypto doesn't export. :/ if err != 185057381: raise TLSError(m2.err_reason_error_string(err)) # Create a lower level (SWIG) SSL object using this context. self._ssl = _SSLWrapper(m2.ssl_new(ctx.ctx)) if kwargs['client']: self._m2_check_err(m2.ssl_set_connect_state(self._ssl.obj)) else: self._m2_check_err(m2.ssl_set_accept_state(self._ssl.obj))
if not self._cafile: # Verification was requested but on CA bundle found, therefore # impossible to verify. raise TLSError( 'CA bundle not found but verification requested.') else: # Load CA bundle. ctx.load_verify_locations(self._cafile) # M2Crypto does no error checking on this function, and at # least on my system it yields the delightfully inscrutable # "cert already in hash table" error (perhaps my distro's # CA bundle has duplicate certs?). It doesn't seem there's # anything that can be done about it, so just eat it. # (There may be multiple such errors, so clear them all.) while True: err = m2.err_get_error() if not err: break # The magic number is X509_R_CERT_ALREADY_IN_HASH_TABLE, which # is a constant that m2crypto doesn't export. :/ if err != 185057381: raise TLSError(m2.err_reason_error_string(err)) # Create a lower level (SWIG) SSL object using this context. self._ssl = _SSLWrapper(m2.ssl_new(ctx.ctx)) if kwargs['client']: self._m2_check_err(m2.ssl_set_connect_state(self._ssl.obj)) else: self._m2_check_err(m2.ssl_set_accept_state(self._ssl.obj)) # Setup the BIO pair. This diagram is instructive:
def ec_error():
    """Raise ``ECError`` carrying the reason of the queued OpenSSL error.

    One code is popped from the OpenSSL error queue via ``m2.err_get_error``
    and its reason string becomes the message.  Never returns normally.
    """
    reason = m2.err_reason_error_string(m2.err_get_error())
    raise ECError(reason)
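def _sign_request(self, x509_request, lifetime):
    """Issue and sign a proxy certificate for the given request.

    The proxy is issued under ``self.context.x509`` (whose subject becomes
    the issuer and the base of the proxy subject), carries the request's
    public key, and is signed with ``self.context.evp_key``.

    Args:
        x509_request: ``X509.Request`` supplying the public key.
        lifetime: ``datetime.timedelta`` with the requested validity.  It is
            an upper bound only: ``notAfter`` is clamped to the earliest
            ``notAfter`` found in ``self.context.x509_list`` (FTS-1217), so
            the proxy never outlives the chain that issues it.

    Returns:
        The signed ``X509.X509`` proxy certificate.

    Raises:
        Exception: a subject entry could not be copied into the proxy subject.
        NotImplementedError: a chain certificate carries ``proxyCertInfo``
            (so an RFC 3820 proxy is required) but X509v3 extensions are
            broken on this platform.
    """
    now = datetime.now(UTC)
    not_before = ASN1.ASN1_UTCTIME()
    not_before.set_datetime(now)
    not_after = ASN1.ASN1_UTCTIME()
    not_after.set_datetime(now + lifetime)

    # The proxy subject starts as a copy of the issuer's subject; the
    # distinguishing commonName is appended once the proxy style is known.
    proxy_subject = X509.X509_Name()
    for entry in self.context.x509.get_subject():
        ret = m2.x509_name_add_entry(proxy_subject._ptr(), entry._ptr(), -1, 0)
        if ret == 0:
            raise Exception(
                "%s: '%s'" % (m2.err_reason_error_string(m2.err_get_error()), entry)
            )

    proxy = X509.X509()
    proxy.set_serial_number(self.context.x509.get_serial_number())
    proxy.set_issuer(self.context.x509.get_subject())
    proxy.set_pubkey(x509_request.get_pubkey())

    # Extensions are broken in SL5!!
    if _m2crypto_extensions_broken():
        log.warning("X509v3 extensions disabled!")
    else:
        # A proxy must never be usable as a CA.
        proxy.add_ext(X509.new_extension('basicConstraints', 'CA:FALSE',
                                         critical=True))
        proxy.add_ext(X509.new_extension('keyUsage',
                                         'Digital Signature, Key Encipherment',
                                         critical=True))
        identifier_ext = _workaround_new_extension(
            'authorityKeyIdentifier', 'keyid', critical=False,
            issuer=self.context.x509
        )
        proxy.add_ext(identifier_ext)

    # FTS-1217: clamp notAfter to the shortest-lived certificate in the chain
    # (every certificate is considered, including the first one), and record
    # whether any of them is already an RFC 3820 proxy, which forces the new
    # proxy to be RFC-style as well.
    any_rfc_proxies = False
    for cert in self.context.x509_list:
        cert_not_after = cert.get_not_after()
        if cert_not_after.get_datetime() < not_after.get_datetime():
            not_after = cert_not_after
        try:
            cert.get_ext('proxyCertInfo')
        except LookupError:
            # X509.get_ext raises LookupError when the extension is absent.
            pass
        else:
            any_rfc_proxies = True

    proxy.set_not_after(not_after)
    proxy.set_not_before(not_before)

    if any_rfc_proxies:
        if _m2crypto_extensions_broken():
            raise NotImplementedError(
                "X509v3 extensions are disabled, so RFC proxies can not be generated!")
        _add_rfc3820_extensions(proxy)
        # RFC-style proxies get a timestamp CN; legacy proxies the literal 'proxy'.
        proxy_cn = str(int(time.time()))
    else:
        proxy_cn = 'proxy'
    m2.x509_name_set_by_nid(proxy_subject._ptr(),
                            X509.X509_Name.nid['commonName'], proxy_cn)
    proxy.set_subject(proxy_subject)
    # Version value 2 denotes an X.509 v3 certificate.
    proxy.set_version(2)

    # NOTE(review): SHA-1 is deprecated for signatures; kept here for
    # compatibility with existing relying parties -- evaluate moving to 'sha256'.
    proxy.sign(self.context.evp_key, 'sha1')
    return proxy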
def set_session_id_ctx(self, id):
    """Set the session-id context of this connection's underlying SSL object.

    ``id`` is passed straight to ``m2.ssl_set_session_id_context``.  A
    falsy return from that call is converted into an ``SSLError`` whose
    message is the reason string of the OpenSSL error popped from the
    queue.  Returns ``None`` on success.
    """
    ok = m2.ssl_set_session_id_context(self.ssl, id)
    if ok:
        return
    code = m2.err_get_error()
    raise SSLError(m2.err_reason_error_string(code))
def get_error_code():
    """Pop and return one error code from the OpenSSL error queue.

    Thin wrapper over ``m2.err_get_error``; falsy when the queue is empty.
    """
    code = m2.err_get_error()
    return code
def set_session_id_ctx(self, id):
    # type: (bytes) -> int
    """Set the session-id context of this connection's underlying SSL object.

    ``id`` is handed straight to ``m2.ssl_set_session_id_context``.  When
    that call returns a falsy value an ``SSLError`` is raised with the
    reason string of the OpenSSL error popped from the queue.  Returns
    ``None`` on success.
    """
    ok = m2.ssl_set_session_id_context(self.ssl, id)
    if ok:
        return
    code = m2.err_get_error()
    raise SSLError(m2.err_reason_error_string(code))