def __str__(self):
if (isinstance(self.client_addr, unicode)):
s = self.client_addr.encode('utf8')
else:
s = self.client_addr
return "%s: %s: %s" % \
(m2.err_func_error_string(self.err), s,
m2.err_reason_error_string(self.err))
def __str__(self):
if (isinstance(self.client_addr, unicode)):
s = self.client_addr.encode('utf8')
else:
s = self.client_addr
return "%s: %s: %s" % \
(m2.err_func_error_string(self.err), s,
m2.err_reason_error_string(self.err))
# Load CA bundle.
ctx.load_verify_locations(self._cafile)
# M2Crypto does no error checking on this function, and at
# least on my system it yields the delightfully inscrutable
# "cert already in hash table" error (perhaps my distro's
# CA bundle has duplicate certs?). It doesn't seem there's
# anything that can be done about it, so just eat it.
# (There may be multiple such errors, so clear them all.)
while True:
err = m2.err_get_error()
if not err:
break
# The magic number is X509_R_CERT_ALREADY_IN_HASH_TABLE, which
# is a constant that m2crypto doesn't export. :/
if err != 185057381:
raise TLSError(m2.err_reason_error_string(err))
# Create a lower level (SWIG) SSL object using this context.
self._ssl = _SSLWrapper(m2.ssl_new(ctx.ctx))
if kwargs['client']:
self._m2_check_err(m2.ssl_set_connect_state(self._ssl.obj))
else:
self._m2_check_err(m2.ssl_set_accept_state(self._ssl.obj))
# Setup the BIO pair. This diagram is instructive:
#
# Application | TLS layer
# |
# Your Code |
# /\ || |
def get_error_reason(err):
return m2.err_reason_error_string(err)
def rsa_error():
raise RSAError(m2.err_reason_error_string(m2.err_get_error()))
def set_session_id_ctx(self, id):
ret = m2.ssl_set_session_id_context(self.ssl, id)
if not ret:
raise SSLError(m2.err_reason_error_string(m2.err_get_error()))
def get_error_reason(err):
# type: (int) -> str
return six.ensure_text(m2.err_reason_error_string(err))
def get_error_reason(err):
# type: (int) -> str
return util.py3str(m2.err_reason_error_string(err))
def rsa_error():
raise RSAError(m2.err_reason_error_string(m2.err_get_error()))
def ec_error():
raise ECError(m2.err_reason_error_string(m2.err_get_error()))
def _sign_request(self, x509_request, lifetime):
not_before = ASN1.ASN1_UTCTIME()
not_before.set_datetime(datetime.now(UTC))
not_after = ASN1.ASN1_UTCTIME()
not_after.set_datetime(datetime.now(UTC) + lifetime)
proxy_subject = X509.X509_Name()
for entry in self.context.x509.get_subject():
ret = m2.x509_name_add_entry(proxy_subject._ptr(), entry._ptr(), -1, 0)
if ret == 0:
raise Exception(
"%s: '%s'" % (m2.err_reason_error_string(m2.err_get_error()), entry)
)
proxy = X509.X509()
proxy.set_serial_number(self.context.x509.get_serial_number())
proxy.set_version(x509_request.get_version())
proxy.set_issuer(self.context.x509.get_subject())
proxy.set_pubkey(x509_request.get_pubkey())
# Extensions are broken in SL5!!
if _m2crypto_extensions_broken():
log.warning("X509v3 extensions disabled!")
else:
# X509v3 Basic Constraints
proxy.add_ext(X509.new_extension('basicConstraints', 'CA:FALSE', critical=True))
# X509v3 Key Usage
proxy.add_ext(X509.new_extension('keyUsage', 'Digital Signature, Key Encipherment', critical=True))
#X509v3 Authority Key Identifier
identifier_ext = _workaround_new_extension(
'authorityKeyIdentifier', 'keyid', critical=False, issuer=self.context.x509
)
proxy.add_ext(identifier_ext)
any_rfc_proxies = False
# FTS-1217 Ignore the user input and select the min proxy lifetime available on the list
min_cert_lifetime = self.context.x509_list[0].get_not_after()
for cert in self.context.x509_list:
if cert.get_not_after().get_datetime() < min_cert_lifetime.get_datetime():
not_after = cert.get_not_after()
min_cert_lifetime = cert.get_not_after()
try:
cert.get_ext('proxyCertInfo')
any_rfc_proxies = True
except:
pass
proxy.set_not_after(not_after)
proxy.set_not_before(not_before)
if any_rfc_proxies:
if _m2crypto_extensions_broken():
raise NotImplementedError("X509v3 extensions are disabled, so RFC proxies can not be generated!")
else:
_add_rfc3820_extensions(proxy)
if any_rfc_proxies:
m2.x509_name_set_by_nid(proxy_subject._ptr(), X509.X509_Name.nid['commonName'], str(int(time.time())))
else:
m2.x509_name_set_by_nid(proxy_subject._ptr(), X509.X509_Name.nid['commonName'], 'proxy')
proxy.set_subject(proxy_subject)
proxy.set_version(2)
proxy.sign(self.context.evp_key, 'sha1')
return proxy
def ec_error():
# type: () -> ECError
raise ECError(m2.err_reason_error_string(m2.err_get_error()))
def get_error_reason(err):
# type: (int) -> str
return six.ensure_text(m2.err_reason_error_string(err))
def _m2_check_err(self, r=None, cls=TLSError):
if m2.err_peek_error():
err = m2.err_reason_error_string(m2.err_get_error())
raise cls(err)
return r
def get_error_reason(err):
# type: (int) -> str
return util.py3str(m2.err_reason_error_string(err))
def get_error_reason(err):
# type: (Optional[int]) -> str
err_str = m2.err_reason_error_string(err)
return six.ensure_text(err_str) if err_str else ''
def ec_error():
raise ECError(m2.err_reason_error_string(m2.err_get_error()))
def rsa_error():
# type: () -> None
raise RSAError(m2.err_reason_error_string(m2.err_get_error()))
# Load CA bundle.
ctx.load_verify_locations(self._cafile)
# M2Crypto does no error checking on this function, and at
# least on my system it yields the delightfully inscrutable
# "cert already in hash table" error (perhaps my distro's
# CA bundle has duplicate certs?). It doesn't seem there's
# anything that can be done about it, so just eat it.
# (There may be multiple such errors, so clear them all.)
while True:
err = m2.err_get_error()
if not err:
break
# The magic number is X509_R_CERT_ALREADY_IN_HASH_TABLE, which
# is a constant that m2crypto doesn't export. :/
if err != 185057381:
raise TLSError(m2.err_reason_error_string(err))
# Create a lower level (SWIG) SSL object using this context.
self._ssl = _SSLWrapper(m2.ssl_new(ctx.ctx))
if kwargs['client']:
self._m2_check_err(m2.ssl_set_connect_state(self._ssl.obj))
else:
self._m2_check_err(m2.ssl_set_accept_state(self._ssl.obj))
# Setup the BIO pair. This diagram is instructive:
#
# Application | TLS layer
# |
# Your Code |
# /\ || |
# || \/ |
def ec_error():
# type: () -> ECError
raise ECError(m2.err_reason_error_string(m2.err_get_error()))
def _m2_check_err(self, r=None, cls=TLSError):
if m2.err_peek_error():
err = m2.err_reason_error_string(m2.err_get_error())
raise cls(err)
return r
def set_session_id_ctx(self, id):
# type: (bytes) -> int
ret = m2.ssl_set_session_id_context(self.ssl, id)
if not ret:
raise SSLError(m2.err_reason_error_string(m2.err_get_error()))
def get_error_reason(err):
return m2.err_reason_error_string(err)
