def __str__(self):
    """Render the error as ``"<function>: <client address>: <reason>"``.

    Both the function name and the reason text are derived from the OpenSSL
    error code stored in ``self.err``.
    """
    # ``unicode`` exists only on Python 2; the address is encoded there so the
    # assembled message stays a byte string.
    addr = self.client_addr
    if isinstance(addr, unicode):
        addr = addr.encode('utf8')
    func_name = m2.err_func_error_string(self.err)
    reason = m2.err_reason_error_string(self.err)
    return "%s: %s: %s" % (func_name, addr, reason)
# Load CA bundle. ctx.load_verify_locations(self._cafile) # M2Crypto does no error checking on this function, and at # least on my system it yields the delightfully inscrutable # "cert already in hash table" error (perhaps my distro's # CA bundle has duplicate certs?). It doesn't seem there's # anything that can be done about it, so just eat it. # (There may be multiple such errors, so clear them all.) while True: err = m2.err_get_error() if not err: break # The magic number is X509_R_CERT_ALREADY_IN_HASH_TABLE, which # is a constant that m2crypto doesn't export. :/ if err != 185057381: raise TLSError(m2.err_reason_error_string(err)) # Create a lower level (SWIG) SSL object using this context. self._ssl = _SSLWrapper(m2.ssl_new(ctx.ctx)) if kwargs['client']: self._m2_check_err(m2.ssl_set_connect_state(self._ssl.obj)) else: self._m2_check_err(m2.ssl_set_accept_state(self._ssl.obj)) # Setup the BIO pair. This diagram is instructive: # # Application | TLS layer # | # Your Code | # /\ || |
def get_error_reason(err):
    """Return OpenSSL's reason string for the error code *err*.

    Thin pass-through over ``m2.err_reason_error_string``; the result is
    returned exactly as the binding produced it (no bytes/text conversion).
    """
    reason = m2.err_reason_error_string(err)
    return reason
def rsa_error():
    """Raise ``RSAError`` carrying the reason text of the pending OpenSSL error.

    ``m2.err_get_error`` wraps ``ERR_get_error()``, which removes the entry it
    reports from OpenSSL's error queue; only that one entry is consumed here.
    """
    code = m2.err_get_error()
    reason = m2.err_reason_error_string(code)
    raise RSAError(reason)
def set_session_id_ctx(self, id):
    """Set the session-id context of the underlying SSL object to *id*.

    Raises ``SSLError`` with OpenSSL's reason string when
    ``ssl_set_session_id_context`` reports failure (a falsy return value).
    On success nothing is returned; the binding's return value is dropped.
    """
    ok = m2.ssl_set_session_id_context(self.ssl, id)
    if ok:
        return
    raise SSLError(m2.err_reason_error_string(m2.err_get_error()))
def get_error_reason(err):
    # type: (int) -> str
    """Return OpenSSL's reason string for error code *err* as native text.

    ``six.ensure_text`` papers over the bytes/str split between Python 2
    and 3 so callers always receive a text string.
    """
    raw = m2.err_reason_error_string(err)
    return six.ensure_text(raw)
def get_error_reason(err):
    # type: (int) -> str
    """Return OpenSSL's reason string for error code *err* as native text.

    The raw binding result is normalised through ``util.py3str`` so the
    caller sees a ``str`` on Python 3 regardless of what the binding returned.
    """
    raw = m2.err_reason_error_string(err)
    return util.py3str(raw)
def ec_error():
    """Raise ``ECError`` carrying the reason text of the pending OpenSSL error.

    Exactly one entry is taken from OpenSSL's error queue via
    ``m2.err_get_error``; any further queued errors are left in place.
    """
    code = m2.err_get_error()
    reason = m2.err_reason_error_string(code)
    raise ECError(reason)
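def _sign_request(self, x509_request, lifetime):
    """Issue a proxy certificate for *x509_request*, signed with our key.

    Args:
        x509_request: the certificate request whose public key and version
            are copied into the proxy.
        lifetime: requested validity period (added to "now" to form the
            initial ``notAfter``).  It may be overridden by the earliest
            ``notAfter`` found in ``self.context.x509_list`` (see below).

    Returns:
        The signed proxy certificate (an ``X509.X509``).

    Raises:
        Exception: if copying a subject entry from the signing certificate
            fails; the message carries OpenSSL's reason string.
        NotImplementedError: when an RFC proxy is required but X509v3
            extensions are disabled (SL5 workaround).
    """
    not_before = ASN1.ASN1_UTCTIME()
    not_before.set_datetime(datetime.now(UTC))
    not_after = ASN1.ASN1_UTCTIME()
    not_after.set_datetime(datetime.now(UTC) + lifetime)

    # The proxy subject is the signer's subject with one extra CN entry
    # appended further down.
    proxy_subject = X509.X509_Name()
    for entry in self.context.x509.get_subject():
        ret = m2.x509_name_add_entry(proxy_subject._ptr(), entry._ptr(), -1, 0)
        if ret == 0:
            raise Exception(
                "%s: '%s'" % (m2.err_reason_error_string(m2.err_get_error()), entry)
            )

    proxy = X509.X509()
    proxy.set_serial_number(self.context.x509.get_serial_number())
    proxy.set_version(x509_request.get_version())
    proxy.set_issuer(self.context.x509.get_subject())
    proxy.set_pubkey(x509_request.get_pubkey())

    # Extensions are broken in SL5!!
    if _m2crypto_extensions_broken():
        log.warning("X509v3 extensions disabled!")
    else:
        # X509v3 Basic Constraints
        proxy.add_ext(X509.new_extension('basicConstraints', 'CA:FALSE', critical=True))
        # X509v3 Key Usage
        proxy.add_ext(X509.new_extension('keyUsage', 'Digital Signature, Key Encipherment', critical=True))
        # X509v3 Authority Key Identifier
        identifier_ext = _workaround_new_extension(
            'authorityKeyIdentifier', 'keyid', critical=False, issuer=self.context.x509
        )
        proxy.add_ext(identifier_ext)

    any_rfc_proxies = False
    # FTS-1217 Ignore the user input and select the min proxy lifetime available on the list
    # NOTE(review): the first certificate's own notAfter is only applied when
    # some later certificate expires strictly earlier, so with a single-entry
    # list the requested *lifetime* is used unchanged -- confirm that this is
    # the intended reading of FTS-1217.
    min_cert_lifetime = self.context.x509_list[0].get_not_after()
    for cert in self.context.x509_list:
        if cert.get_not_after().get_datetime() < min_cert_lifetime.get_datetime():
            not_after = cert.get_not_after()
            min_cert_lifetime = cert.get_not_after()
        # M2Crypto's get_ext raises LookupError when the extension is absent;
        # only that case means "not an RFC proxy".  Any other error is a real
        # failure and must propagate instead of being swallowed.
        try:
            cert.get_ext('proxyCertInfo')
        except LookupError:
            pass
        else:
            any_rfc_proxies = True
    proxy.set_not_after(not_after)
    proxy.set_not_before(not_before)

    if any_rfc_proxies:
        if _m2crypto_extensions_broken():
            raise NotImplementedError("X509v3 extensions are disabled, so RFC proxies can not be generated!")
        else:
            _add_rfc3820_extensions(proxy)

    # RFC 3820 proxies get a CN derived from the current epoch second; legacy
    # proxies use the literal 'proxy'.
    if any_rfc_proxies:
        m2.x509_name_set_by_nid(proxy_subject._ptr(), X509.X509_Name.nid['commonName'],
                                str(int(time.time())))
    else:
        m2.x509_name_set_by_nid(proxy_subject._ptr(), X509.X509_Name.nid['commonName'], 'proxy')
    proxy.set_subject(proxy_subject)
    # Version value 2 denotes X.509v3; this overrides the value copied from
    # the request above so the v3 extensions added earlier are meaningful.
    proxy.set_version(2)
    # NOTE(review): SHA-1 certificate signatures are rejected by many modern
    # verifiers; 'sha256' is the usual replacement if the relying
    # infrastructure accepts it.
    proxy.sign(self.context.evp_key, 'sha1')
    return proxy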
def ec_error():
    # type: () -> ECError
    """Raise ``ECError`` carrying the reason text of the pending OpenSSL error.

    One entry is consumed from OpenSSL's error queue via ``m2.err_get_error``.
    Despite the return annotation this function never returns normally.
    """
    code = m2.err_get_error()
    reason = m2.err_reason_error_string(code)
    raise ECError(reason)
def _m2_check_err(self, r=None, cls=TLSError):
    """Raise *cls* if OpenSSL's error queue is non-empty, otherwise return *r*.

    *r* (typically the return value of the m2 call just made) is passed
    through untouched: the decision rests solely on the error queue, not on
    *r*.  Only the first queued error is reported; further entries, if any,
    remain on the queue.
    """
    if not m2.err_peek_error():
        return r
    reason = m2.err_reason_error_string(m2.err_get_error())
    raise cls(reason)
def get_error_reason(err):
    # type: (Optional[int]) -> str
    """Return OpenSSL's reason string for *err* as text, or ``''`` if none.

    A falsy result from the binding (no reason text available) yields the
    empty string rather than being handed to ``six.ensure_text``.
    """
    raw = m2.err_reason_error_string(err)
    if not raw:
        return ''
    return six.ensure_text(raw)
def rsa_error():
    # type: () -> None
    """Raise ``RSAError`` carrying the reason text of the pending OpenSSL error.

    One entry is consumed from OpenSSL's error queue via ``m2.err_get_error``;
    this function never returns normally.
    """
    code = m2.err_get_error()
    reason = m2.err_reason_error_string(code)
    raise RSAError(reason)
# Load CA bundle. ctx.load_verify_locations(self._cafile) # M2Crypto does no error checking on this function, and at # least on my system it yields the delightfully inscrutable # "cert already in hash table" error (perhaps my distro's # CA bundle has duplicate certs?). It doesn't seem there's # anything that can be done about it, so just eat it. # (There may be multiple such errors, so clear them all.) while True: err = m2.err_get_error() if not err: break # The magic number is X509_R_CERT_ALREADY_IN_HASH_TABLE, which # is a constant that m2crypto doesn't export. :/ if err != 185057381: raise TLSError(m2.err_reason_error_string(err)) # Create a lower level (SWIG) SSL object using this context. self._ssl = _SSLWrapper(m2.ssl_new(ctx.ctx)) if kwargs['client']: self._m2_check_err(m2.ssl_set_connect_state(self._ssl.obj)) else: self._m2_check_err(m2.ssl_set_accept_state(self._ssl.obj)) # Setup the BIO pair. This diagram is instructive: # # Application | TLS layer # | # Your Code | # /\ || | # || \/ |
def set_session_id_ctx(self, id):
    # type: (bytes) -> int
    """Set the session-id context of the underlying SSL object to *id*.

    Raises ``SSLError`` with OpenSSL's reason string when
    ``ssl_set_session_id_context`` reports failure (a falsy return value).
    Note that despite the ``-> int`` annotation nothing is returned on
    success; the binding's return value is dropped.
    """
    ok = m2.ssl_set_session_id_context(self.ssl, id)
    if ok:
        return
    raise SSLError(m2.err_reason_error_string(m2.err_get_error()))