def __str__(self):
parts = [
"Application Layer Protocol: %s" % self.alp,
"Cipher: %s, %s bit, %s" % self.cipher, "SSL certificate chain:"
]
for i in self.certchain:
parts.append("\tSubject: ")
for cn in i.get_subject().get_components():
parts.append("\t\t%s=%s" % cn)
parts.append("\tIssuer: ")
for cn in i.get_issuer().get_components():
parts.append("\t\t%s=%s" % cn)
parts.extend([
"\tVersion: %s" % i.get_version(),
"\tValidity: %s - %s" % (i.get_notBefore(), i.get_notAfter()),
"\tSerial: %s" % i.get_serial_number(),
"\tAlgorithm: %s" % i.get_signature_algorithm()
])
pk = i.get_pubkey()
types = {
OpenSSL.crypto.TYPE_RSA: "RSA",
OpenSSL.crypto.TYPE_DSA: "DSA"
}
t = types.get(pk.type(), "Uknown")
parts.append("\tPubkey: %s bit %s" % (pk.bits(), t))
s = certutils.SSLCert(i)
if s.altnames:
parts.append("\tSANs: %s" % " ".join(s.altnames))
return "\n".join(parts)
def save_cert(conn_, cert, errno_, depth_, preverify_ok_):
self.clientcert = certutils.SSLCert(cert)
# Return true to prevent cert verification error
return True
def convert_to_ssl(self, sni=None, alpn_protos=None, **sslctx_kwargs):
"""
cert: Path to a file containing both client cert and private key.
options: A bit field consisting of OpenSSL.SSL.OP_* values
verify_options: A bit field consisting of OpenSSL.SSL.VERIFY_* values
ca_path: Path to a directory of trusted CA certificates prepared using the c_rehash tool
ca_pemfile: Path to a PEM formatted trusted CA certificate
"""
verification_mode = sslctx_kwargs.get('verify_options', None)
if verification_mode == SSL.VERIFY_PEER and not sni:
raise exceptions.TlsException(
"Cannot validate certificate hostname without SNI")
context = self.create_ssl_context(alpn_protos=alpn_protos,
sni=sni,
**sslctx_kwargs)
self.connection = SSL.Connection(context, self.connection)
if sni:
self.sni = sni
self.connection.set_tlsext_host_name(sni.encode("idna"))
self.connection.set_connect_state()
try:
self.connection.do_handshake()
except SSL.Error as v:
if self.ssl_verification_error:
raise self.ssl_verification_error
else:
raise exceptions.TlsException("SSL handshake error: %s" %
repr(v))
else:
# Fix for pre v1.0 OpenSSL, which doesn't throw an exception on
# certificate validation failure
if verification_mode == SSL.VERIFY_PEER and self.ssl_verification_error:
raise self.ssl_verification_error
self.cert = certutils.SSLCert(self.connection.get_peer_certificate())
# Keep all server certificates in a list
for i in self.connection.get_peer_cert_chain():
self.server_certs.append(certutils.SSLCert(i))
# Validate TLS Hostname
try:
crt = dict(subjectAltName=[("DNS", x.decode("ascii", "strict"))
for x in self.cert.altnames])
if self.cert.cn:
crt["subject"] = [[[
"commonName",
self.cert.cn.decode("ascii", "strict")
]]]
if sni:
hostname = sni
else:
hostname = "no-hostname"
ssl_match_hostname.match_hostname(crt, hostname)
except (ValueError, ssl_match_hostname.CertificateError) as e:
self.ssl_verification_error = exceptions.InvalidCertificateException(
"Certificate Verification Error for {}: {}".format(
sni or repr(self.address), str(e)))
if verification_mode == SSL.VERIFY_PEER:
raise self.ssl_verification_error
self.ssl_established = True
self.rfile.set_descriptor(self.connection)
self.wfile.set_descriptor(self.connection)
if self.sslinfo:
print >> fp, "Cipher: %s, %s bit, %s" % self.sslinfo.cipher
print >> fp, "SSL certificate chain:\n"
for i in self.sslinfo.certchain:
print >> fp, "\tSubject: ",
for cn in i.get_subject().get_components():
print >> fp, "%s=%s" % cn,
print >> fp
print >> fp, "\tIssuer: ",
for cn in i.get_issuer().get_components():
print >> fp, "%s=%s" % cn,
print >> fp
print >> fp, "\tVersion: %s" % i.get_version()
print >> fp, "\tValidity: %s - %s" % (i.get_notBefore(),
i.get_notAfter())
print >> fp, "\tSerial: %s" % i.get_serial_number()
print >> fp, "\tAlgorithm: %s" % i.get_signature_algorithm(
)
pk = i.get_pubkey()
types = {
OpenSSL.crypto.TYPE_RSA: "RSA",
OpenSSL.crypto.TYPE_DSA: "DSA"
}
t = types.get(pk.type(), "Uknown")
print >> fp, "\tPubkey: %s bit %s" % (pk.bits(), t)
s = certutils.SSLCert(i)
if s.altnames:
print >> fp, "\tSANs:", " ".join(s.altnames)
print >> fp
return True
