def _createSSLEngine(self, addr, hostname=None, cert_file=None, key_file=None):
trust_managers = [NoVerifyX509TrustManager()]
if self.verify_mode == CERT_REQUIRED:
tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
tmf.init(self._trust_store)
trust_managers = [CompositeX509TrustManager(tmf.getTrustManagers())]
context = _JavaSSLContext.getInstance(self._protocol_name)
if self._key_managers is None:
context.init(
_get_openssl_key_manager(
cert_file=cert_file, key_file=key_file).getKeyManagers(),
trust_managers, None)
else:
context.init(
self._key_managers.getKeyManagers(),
trust_managers, None)
# addr could be ipv6, only extract relevant parts
engine = context.createSSLEngine((hostname or addr[0]), addr[1])
# apparently this can be used to enforce hostname verification
if hostname is not None and self._check_hostname:
params = engine.getSSLParameters()
params.setEndpointIdentificationAlgorithm('HTTPS')
engine.setSSLParameters(params)
if self._ciphers is not None:
engine.setEnabledCipherSuites(self._ciphers)
return engine
def _createSSLEngine(self, addr, hostname=None, cert_file=None, key_file=None):
trust_managers = [NoVerifyX509TrustManager()]
if self.verify_mode == CERT_REQUIRED:
tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
tmf.init(self._trust_store)
trust_managers = [CompositeX509TrustManager(tmf.getTrustManagers())]
context = _JavaSSLContext.getInstance(self._protocol_name)
if self._key_managers is None:
context.init(
_get_openssl_key_manager(
cert_file=cert_file, key_file=key_file).getKeyManagers(),
trust_managers, None)
else:
context.init(
self._key_managers.getKeyManagers(),
trust_managers, None)
if hostname is not None:
engine = context.createSSLEngine(hostname, addr[1])
else:
engine = context.createSSLEngine(*addr)
# apparently this can be used to enforce hostname verification
if hostname is not None and self._check_hostname:
params = engine.getSSLParameters()
params.setEndpointIdentificationAlgorithm('HTTPS')
engine.setSSLParameters(params)
if self._ciphers is not None:
engine.setEnabledCipherSuites(self._ciphers)
return engine
def _createSSLEngine(self,
addr,
hostname=None,
cert_file=None,
key_file=None,
server_side=False):
tmf = InsecureTrustManagerFactory.INSTANCE
if self.verify_mode != CERT_NONE:
# XXX need to refactor so we don't have to get trust managers twice
stmf = SimpleTrustManagerFactory.getInstance(
SimpleTrustManagerFactory.getDefaultAlgorithm())
stmf.init(self._trust_store)
tmf = CompositeX509TrustManagerFactory(stmf.getTrustManagers())
tmf.init(self._trust_store)
kmf = self._key_managers
if self._key_managers is None:
kmf = _get_openssl_key_manager(cert_file=cert_file,
key_file=key_file)
context_builder = None
if not server_side:
context_builder = SslContextBuilder.forClient()
if kmf:
if server_side:
context_builder = SslContextBuilder.forServer(kmf)
else:
context_builder = context_builder.keyManager(kmf)
context_builder = context_builder.trustManager(tmf)
context_builder = context_builder.sslProvider(SslProvider.JDK)
context_builder = context_builder.clientAuth(
_CERT_TO_CLIENT_AUTH[self.verify_mode])
if self._ciphers is not None:
context_builder = context_builder.ciphers(self._ciphers)
if self._check_hostname:
engine = context_builder.build().newEngine(
ByteBufAllocator.DEFAULT, hostname, addr[1])
if HAS_SNI:
params = engine.getSSLParameters()
params.setEndpointIdentificationAlgorithm('HTTPS')
params.setServerNames([SNIHostName(hostname)])
engine.setSSLParameters(params)
else:
engine = context_builder.build().newEngine(
ByteBufAllocator.DEFAULT, addr[0], addr[1])
return engine
def _createSSLEngine(self):
trust_managers = [NoVerifyX509TrustManager()]
if self.verify_mode == CERT_REQUIRED:
tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
tmf.init(self._trust_store)
trust_managers = tmf.getTrustManagers()
if self._key_managers is None: # get an e
self._context.init(_get_openssl_key_manager().getKeyManagers(), trust_managers, None)
else:
self._context.init(self._key_managers.getKeyManagers(), trust_managers, None)
engine = self._context.createSSLEngine()
if self._ciphers is not None:
engine.setEnabledCipherSuites(self._ciphers)
return engine
def _createSSLEngine(self, addr, hostname=None, cert_file=None, key_file=None, server_side=False):
tmf = InsecureTrustManagerFactory.INSTANCE
if self.verify_mode != CERT_NONE:
# XXX need to refactor so we don't have to get trust managers twice
stmf = SimpleTrustManagerFactory.getInstance(SimpleTrustManagerFactory.getDefaultAlgorithm())
stmf.init(self._trust_store)
tmf = CompositeX509TrustManagerFactory(stmf.getTrustManagers())
tmf.init(self._trust_store)
kmf = self._key_managers
if self._key_managers is None:
kmf = _get_openssl_key_manager(cert_file=cert_file, key_file=key_file)
context_builder = None
if not server_side:
context_builder = SslContextBuilder.forClient()
if kmf:
if server_side:
context_builder = SslContextBuilder.forServer(kmf)
else:
context_builder = context_builder.keyManager(kmf)
context_builder = context_builder.trustManager(tmf)
context_builder = context_builder.sslProvider(SslProvider.JDK)
context_builder = context_builder.clientAuth(_CERT_TO_CLIENT_AUTH[self.verify_mode])
if self._ciphers is not None:
context_builder = context_builder.ciphers(self._ciphers)
if self._check_hostname:
engine = context_builder.build().newEngine(ByteBufAllocator.DEFAULT, hostname, addr[1])
if HAS_SNI:
params = engine.getSSLParameters()
params.setEndpointIdentificationAlgorithm('HTTPS')
params.setServerNames([SNIHostName(hostname)])
engine.setSSLParameters(params)
else:
engine = context_builder.build().newEngine(ByteBufAllocator.DEFAULT, addr[0], addr[1])
return engine
def _createSSLEngine(self):
trust_managers = [NoVerifyX509TrustManager()]
if self.verify_mode == CERT_REQUIRED:
tmf = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm())
tmf.init(self._trust_store)
trust_managers = tmf.getTrustManagers()
if self._key_managers is None: # get an e
self._context.init(_get_openssl_key_manager().getKeyManagers(),
trust_managers, None)
else:
self._context.init(self._key_managers.getKeyManagers(),
trust_managers, None)
engine = self._context.createSSLEngine()
if self._ciphers is not None:
engine.setEnabledCipherSuites(self._ciphers)
return engine
def load_cert_chain(self, certfile, keyfile=None, password=None):
try:
self._key_managers = _get_openssl_key_manager(certfile, keyfile, password, _key_store=self._key_store)
except IllegalArgumentException as err:
raise SSLError(SSL_ERROR_SSL, "PEM lib ({})".format(err))
def load_cert_chain(self, certfile, keyfile=None, password=None):
self._key_managers = _get_openssl_key_manager(certfile, keyfile, password, _key_store=self._key_store)
def load_cert_chain(self, certfile, keyfile=None, password=None):
self._key_managers = _get_openssl_key_manager(
certfile, keyfile, password, _key_store=self._key_store)
