def setUp(self): nss.nss_init(db_name) nss.set_password_callback(password_callback) nss.pkcs12_enable_all_ciphers() self.cert_der = get_cert_der_from_db(cert_nickname) if self.cert_der is None: raise ValueError('cert with nickname "%s" not in database "%s"' % (cert_nickname, db_name))
def init(self): if nss.nss_is_initialized(): return if _password_callback is not None: nss.set_password_callback(_password_callback) nss.nss_init(_certdb) ssl.set_domestic_policy()
def __init__(self, host, port=None, strict=None, dbdir=None): httplib.HTTPConnection.__init__(self, host, port, strict) if not dbdir: raise RuntimeError("dbdir is required") logging.debug('%s init %s', self.__class__.__name__, host) if not nss.nss_is_initialized(): nss.nss_init(dbdir) self.sock = None ssl.set_domestic_policy() nss.set_password_callback(password_callback)
def __init__(self, host, port=None, strict=None, dbdir=None): six.moves.http_client.HTTPConnection.__init__(self, host, port, strict) if not dbdir: raise RuntimeError("dbdir is required") logging.debug('%s init host=%s dbdir=%s', self.__class__.__name__, host, dbdir) if not nss.nss_is_initialized(): nss.nss_init(dbdir) self.sock = None ssl.set_domestic_policy() nss.set_password_callback(password_callback)
def initialize_nss(dbdir): """Initialize NSS nss_init() initializes NSS and the DB globally. """ # global settings nss.nss_init(dbdir) ssl.set_domestic_policy() ssl.clear_session_cache() # thread local callback nss.set_password_callback(password_callback)
def setUp(self): nss.nss_init(db_name) nss.set_password_callback(password_callback) # XXX: error in NSS prevents enabling ciphers # nss.pkcs12_enable_all_ciphers() self.cert_der = get_cert_der_from_db(cert_nickname) if self.cert_der is None: raise ValueError( "cert with nickname '%s' not in database '%s'" % (cert_nickname, db_name) )
def __init__( self, host, port=None, strict=None, dbdir=None, family=socket.AF_UNSPEC, no_init=False, tls_version_min="tls1.1", tls_version_max="tls1.2", ): """ :param host: the server to connect to :param port: the port to use (default is set in HTTPConnection) :param dbdir: the NSS database directory :param family: network family to use (default AF_UNSPEC) :param no_init: do not initialize the NSS database. This requires that the database has already been initialized or the request will fail. :param tls_min_version: mininum version of SSL/TLS supported :param tls_max_version: maximum version of SSL/TLS supported. """ httplib.HTTPConnection.__init__(self, host, port, strict) NSSAddressFamilyFallback.__init__(self, family) root_logger.debug("%s init %s", self.__class__.__name__, host) # If initialization is requested, initialize the new database. if not no_init: if nss.nss_is_initialized(): ssl.clear_session_cache() try: nss.nss_shutdown() except NSPRError as e: if e.errno != error.SEC_ERROR_NOT_INITIALIZED: raise e if not dbdir: raise RuntimeError("dbdir is required") nss.nss_init(dbdir) global current_dbdir current_dbdir = dbdir ssl.set_domestic_policy() nss.set_password_callback(self.password_callback) self.tls_version_min = str(tls_version_min) self.tls_version_max = str(tls_version_max)
def __init__(self, host, port=None, strict=None, dbdir=None, family=socket.AF_UNSPEC, no_init=False, tls_version_min='tls1.1', tls_version_max='tls1.2'): """ :param host: the server to connect to :param port: the port to use (default is set in HTTPConnection) :param dbdir: the NSS database directory :param family: network family to use (default AF_UNSPEC) :param no_init: do not initialize the NSS database. This requires that the database has already been initialized or the request will fail. :param tls_min_version: mininum version of SSL/TLS supported :param tls_max_version: maximum version of SSL/TLS supported. """ httplib.HTTPConnection.__init__(self, host, port, strict) NSSAddressFamilyFallback.__init__(self, family) root_logger.debug('%s init %s', self.__class__.__name__, host) # If initialization is requested, initialize the new database. if not no_init: if nss.nss_is_initialized(): ssl.clear_session_cache() try: nss.nss_shutdown() except NSPRError as e: if e.errno != error.SEC_ERROR_NOT_INITIALIZED: raise e if not dbdir: raise RuntimeError("dbdir is required") nss.nss_init(dbdir) global current_dbdir current_dbdir = dbdir ssl.set_domestic_policy() nss.set_password_callback(self.password_callback) tls_versions = get_proper_tls_version_span(tls_version_min, tls_version_max) self.tls_version_min = tls_versions[0] self.tls_version_max = tls_versions[-1]
def request(self, method, url, data=None, headers=None): parsed = urllib.parse.urlparse(url) port = parsed.port if not port: port = self.SCHEME_PORT_MAP[parsed.scheme] key = (parsed.netloc, port) conn = self._conns.get(key, None) if conn is None: conn = self._conns.setdefault(key, _NssHTTPConnection(parsed.netloc, port)) conn.connect() # FIXME: python-nss stores password_callback on a per-thread dict # Since this object will be called from different threads, # some would not find it. It is not a big problem since setting the # password callback is a fast operation, but maybe there's # some better solution here? if _password_callback is not None: nss.set_password_callback(_password_callback) conn.request(method, parsed.path, body=data, headers=headers) return NssResponse(conn.getresponse())
def request(self, method, url, data=None, headers=None): parsed = urlparse.urlparse(url) port = parsed.port if not port: port = self.SCHEME_PORT_MAP[parsed.scheme] key = (parsed.netloc, port) conn = self._conns.get(key, None) if conn is None: conn = self._conns.setdefault( key, _NssHTTPConnection(parsed.netloc, port)) conn.connect() # FIXME: python-nss stores password_callback on a per-thread dict # Since this object will be called from different threads, # some would not find it. It is not a big problem since setting the # password callback is a fast operation, but maybe there's # some better solution here? if _password_callback is not None: nss.set_password_callback(_password_callback) conn.request(method, parsed.path, body=data, headers=headers) return NssResponse(conn.getresponse())
def main(): global options parser = argparse.ArgumentParser(description='certificate validation example') # === NSS Database Group === group = parser.add_argument_group('NSS Database', 'Specify & control the NSS Database') group.add_argument('-d', '--db-name', help='NSS database name (e.g. "sql:pki")') group.add_argument('-P', '--db-passwd', help='NSS database password') # === Certificate Group === group = parser.add_argument_group('Certificate', 'Specify how the certificate is loaded') group.add_argument('-f', '--file', dest='cert_filename', help='read cert from file') group.add_argument('-F', '--input-format', choices=['pem', 'der'], help='format of input cert') group.add_argument('-n', '--nickname', dest='cert_nickname', help='load cert from NSS database by looking it up under this nickname') # === Validation Group === group = parser.add_argument_group('Validation', 'Control the validation') group.add_argument('-u', '--usage', dest='cert_usage', action='append', choices=list(cert_usage_map.keys()), help='certificate usage flags, may be specified multiple times') group.add_argument('-c', '--check-sig', action='store_true', dest='check_sig', help='check signature') group.add_argument('-C', '--no-check-sig', action='store_false', dest='check_sig', help='do not check signature') group.add_argument('-l', '--log', action='store_true', dest='with_log', help='use verify log') group.add_argument('-L', '--no-log', action='store_false', dest='with_log', help='do not use verify log') group.add_argument('-a', '--check-ca', action='store_true', dest='check_ca', help='check if cert is CA') group.add_argument('-A', '--no-check-ca', action='store_false', dest='check_ca', help='do not check if cert is CA') # === Miscellaneous Group === group = parser.add_argument_group('Miscellaneous', 'Miscellaneous options') group.add_argument('-p', '--print-cert', action='store_true', dest='print_cert', help='print the certificate in a friendly fashion') parser.set_defaults(db_name = 'sql:pki', db_passwd = 'db_passwd', input_format = 'pem', check_sig = True, with_log = True, check_ca = True, print_cert = False, ) options = parser.parse_args() # Process the command line arguments # Get usage bitmask if options.cert_usage: intended_usage = 0 for usage in options.cert_usage: try: flag = cert_usage_map[usage] except KeyError: print("Unknown usage '%s', valid values: %s" % (usage, ', '.join(sorted(cert_usage_map.keys())))) return 1 else: intended_usage |= flag else: # We can't use nss.certificateUsageCheckAllUsages here because # it's a special value of zero instead of being the bitwise OR # of all the certificateUsage* flags (go figure!) intended_usage = 0 for usage in list(cert_usage_map.values()): intended_usage |= usage if options.cert_filename and options.cert_nickname: print("You may not specify both a cert filename and a nickname, only one or the other", file=sys.stderr) return 1 if not options.cert_filename and not options.cert_nickname: print("You must specify either a cert filename or a nickname to load", file=sys.stderr) return 1 # Initialize NSS. print(indented_output('NSS Database', options.db_name)) print() nss.nss_init(options.db_name) certdb = nss.get_default_certdb() nss.set_password_callback(password_callback) # Load the cert if options.cert_filename: # Read the certificate as DER encoded data then initialize a Certificate from the DER data filename = options.cert_filename si = nss.read_der_from_file(filename, options.input_format.lower() == 'pem') # Parse the DER encoded data returning a Certificate object cert = nss.Certificate(si) else: try: cert = nss.find_cert_from_nickname(options.cert_nickname) except Exception as e: print(e) print('Unable to load cert nickname "%s" from database "%s"' % \ (options.cert_nickname, options.db_name), file=sys.stderr) return 1 # Dump the cert if the user wants to see it if options.print_cert: print(cert) else: print(indented_output('cert subject', cert.subject)) print() # Dump the usages attached to the cert print(indented_output('cert has these usages', nss.cert_type_flags(cert.cert_type))) # Should we check if the cert is a CA cert? if options.check_ca: # CA Cert? is_ca, cert_type = cert.is_ca_cert(True) print() print(indented_output('is CA cert boolean', is_ca)) print(indented_output('is CA cert returned usages', nss.cert_type_flags(cert_type))) print() print(indented_output('verifying usages for', nss.cert_usage_flags(intended_usage))) print() # Use the log or non-log variant to verify the cert # # Note: Anytime a NSPR or NSS function returns an error in python-nss it # raises a NSPRError exception. When an exception is raised the normal # return values are discarded because the flow of control continues at # the first except block prepared to catch the exception. Normally this # is what is desired because the return values would be invalid due to # the error. However the certificate verification functions are an # exception (no pun intended). An error might be returned indicating the # cert failed verification but you may still need access to the returned # usage bitmask and the log (if using the log variant). To handle this a # special error exception `CertVerifyError` (derived from `NSPRError`) # is defined which in addition to the normal NSPRError fields will also # contain the returned usages and optionally the CertVerifyLog # object. If no exception is raised these are returned as normal return # values. approved_usage = 0 if options.with_log: try: approved_usage, log = cert.verify_with_log(certdb, options.check_sig, intended_usage, None) except nss_error.CertVerifyError as e: # approved_usage and log available in CertVerifyError exception on failure. print(e) print() print(indented_obj('log', e.log)) print() print(indented_output('approved usages from exception', nss.cert_usage_flags(e.usages))) approved_usage = e.usages # Get the returned usage bitmask from the exception except Exception as e: print(e) else: print(indented_output('approved usages', nss.cert_usage_flags(approved_usage))) if log.count: print() print(indented_obj('log', log)) else: try: approved_usage = cert.verify(certdb, options.check_sig, intended_usage, None) except nss_error.CertVerifyError as e: # approved_usage available in CertVerifyError exception on failure. print(e) print(indented_output('approved usages from exception', nss.cert_usage_flags(e.usages))) approved_usage = e.usages # Get the returned usage bitmask from the exception except Exception as e: print(e) else: print(indented_output('approved usages', nss.cert_usage_flags(approved_usage))) # The cert is valid if all the intended usages are in the approved usages valid = (intended_usage & approved_usage) == intended_usage print() if valid: print(indented_output('SUCCESS: cert is approved for', nss.cert_usage_flags(intended_usage))) return 0 else: print(indented_output('FAIL: cert not approved for', nss.cert_usage_flags(intended_usage ^ approved_usage))) return 1
def server(): global family if verbose: print "starting server:" # Initialize # Setup an IP Address to listen on any of our interfaces if family == io.PR_AF_UNSPEC: family = io.PR_AF_INET net_addr = io.NetworkAddress(io.PR_IpAddrAny, port, family) if use_ssl: if info: print "server: using SSL" ssl.set_domestic_policy() nss.set_password_callback(password_callback) # Perform basic SSL server configuration ssl.set_default_cipher_pref(ssl.SSL_RSA_WITH_NULL_MD5, True) ssl.config_server_session_id_cache() # Get our certificate and private key server_cert = nss.find_cert_from_nickname(server_nickname, password) priv_key = nss.find_key_by_any_cert(server_cert, password) server_cert_kea = server_cert.find_kea_type(); #if verbose: print "server cert:\n%s" % server_cert sock = ssl.SSLSocket(net_addr.family) # Set server SSL socket options sock.set_pkcs11_pin_arg(password) sock.set_ssl_option(ssl.SSL_SECURITY, True) sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_SERVER, True) # If we're doing client authentication then set it up if client_cert_action >= REQUEST_CLIENT_CERT_ONCE: sock.set_ssl_option(ssl.SSL_REQUEST_CERTIFICATE, True) if client_cert_action == REQUIRE_CLIENT_CERT_ONCE: sock.set_ssl_option(ssl.SSL_REQUIRE_CERTIFICATE, True) sock.set_auth_certificate_callback(auth_certificate_callback, nss.get_default_certdb()) # Configure the server SSL socket sock.config_secure_server(server_cert, priv_key, server_cert_kea) else: sock = io.Socket(net_addr.family) # Bind to our network address and listen for clients sock.bind(net_addr) if verbose: print "listening on: %s" % (net_addr) sock.listen() while True: # Accept a connection from a client client_sock, client_addr = sock.accept() if use_ssl: client_sock.set_handshake_callback(handshake_callback) if verbose: print "client connect from: %s" % (client_addr) while True: try: # Handle the client connection buf = client_sock.recv(1024) if not buf: print >>sys.stderr, "server: lost lost connection to %s" % (client_addr) break if info: print "server: received \"%s\"" % (buf) reply = "{%s}" % buf # echo if info: print "server: sending \"%s\"" % (reply) client_sock.send(reply) # echo time.sleep(sleep_time) client_sock.shutdown() client_sock.close() break except Exception, e: print >>sys.stderr, "server: %s" % e break break
def setUp(self): nss.nss_init(certdir) nss.set_password_callback(password_callback) nss.pkcs12_enable_all_ciphers()
if options.client and options.server: print("can't be both client and server") sys.exit(1) if not (options.client or options.server): print("must be one of client or server") sys.exit(1) # Perform basic configuration and setup if options.use_ssl: nss.nss_init(options.db_name) else: nss.nss_init_nodb() ssl.set_domestic_policy() nss.set_password_callback(password_callback) min_ssl_version, max_ssl_version = \ ssl.get_supported_ssl_version_range(repr_kind=nss.AsString) print("Supported SSL version range: min=%s, max=%s" % \ (min_ssl_version, max_ssl_version)) min_ssl_version, max_ssl_version = \ ssl.get_default_ssl_version_range(repr_kind=nss.AsString) print("Default SSL version range: min=%s, max=%s" % \ (min_ssl_version, max_ssl_version)) if options.min_ssl_version is not None or \ options.max_ssl_version is not None: if options.min_ssl_version is not None:
def setUp(self): nss.nss_init_read_write(certdir) nss.set_password_callback(password_callback) nss.pkcs12_set_nickname_collision_callback(nickname_collision_callback) nss.pkcs12_enable_all_ciphers()
def main(): # Command line argument processing parser = optparse.OptionParser() parser.set_defaults(dbdir = '/etc/pki/nssdb', db_passwd = 'db_passwd', input_format = 'pem', check_sig = True, print_cert = False, with_log = True, check_ca = True, ) param_group = optparse.OptionGroup(parser, 'NSS Database', 'Specify & control the NSS Database') param_group.add_option('-d', '--dbdir', dest='dbdir', help='NSS database directory, default="%default"') param_group.add_option('-P', '--db-passwd', dest='db_passwd', help='NSS database password, default="%default"') parser.add_option_group(param_group) param_group = optparse.OptionGroup(parser, 'Certificate', 'Specify how the certificate is loaded') param_group.add_option('-f', '--file', dest='cert_filename', help='read cert from file') param_group.add_option('--format', dest='input_format', choices=['pem', 'der'], help='import format for certificate (der|pem) default="%default"') param_group.add_option('-n', '--nickname', dest='cert_nickname', help='load cert from NSS database by looking it up under this nickname') parser.add_option_group(param_group) param_group = optparse.OptionGroup(parser, 'Validation', 'Control the validation') param_group.add_option('-u', '--usage', dest='cert_usage', action='append', choices=cert_usage_map.keys(), help='may be specified multiple times, default="CheckAllUsages", may be one of: %s' % ', '.join(sorted(cert_usage_map.keys()))) param_group.add_option('-c', '--check-sig', action='store_true', dest='check_sig', help='check signature default=%default') param_group.add_option('-C', '--no-check-sig', action='store_false', dest='check_sig', help='check signature') param_group.add_option('-l', '--log', action='store_true', dest='with_log', help='use verify log, default=%default') param_group.add_option('-L', '--no-log', action='store_false', dest='with_log', help='use verify log, default=%default') param_group.add_option('-a', '--check-ca', action='store_true', dest='check_ca', help='check if cert is CA, default=%default') param_group.add_option('-A', '--no-check-ca', action='store_false', dest='check_ca', help='check if cert is CA, default=%default') parser.add_option_group(param_group) param_group = optparse.OptionGroup(parser, 'Miscellaneous', 'Miscellaneous options') param_group.add_option('-p', '--print-cert', action='store_true', dest='print_cert', help='print the certificate in a friendly fashion, default=%default') parser.add_option_group(param_group) options, args = parser.parse_args() # Process the command line arguments # Get usage bitmask if options.cert_usage: intended_usage = 0 for usage in options.cert_usage: try: flag = cert_usage_map[usage] except KeyError: print "Unknown usage '%s', valid values: %s" % (usage, ', '.join(sorted(cert_usage_map.keys()))) return 1 else: intended_usage |= flag else: # We can't use nss.certificateUsageCheckAllUsages here because # it's a special value of zero instead of being the bitwise OR # of all the certificateUsage* flags (go figure!) intended_usage = 0 for usage in cert_usage_map.values(): intended_usage |= usage if options.cert_filename and options.cert_nickname: print >>sys.stderr, "You may not specify both a cert filename and a nickname, only one or the other" return 1 if not options.cert_filename and not options.cert_nickname: print >>sys.stderr, "You must specify either a cert filename or a nickname to load" return 1 # Initialize NSS. print indented_output('NSS Database', options.dbdir) print nss.nss_init(options.dbdir) certdb = nss.get_default_certdb() nss.set_password_callback(password_callback) # Load the cert if options.cert_filename: # Read the certificate as DER encoded data then initialize a Certificate from the DER data filename = options.cert_filename si = nss.read_der_from_file(filename, options.input_format.lower() == 'pem') # Parse the DER encoded data returning a Certificate object cert = nss.Certificate(si) else: try: cert = nss.find_cert_from_nickname(options.cert_nickname) except Exception, e: print e print >>sys.stderr, 'Unable to load cert nickname "%s" from database "%s"' % \ (options.cert_nickname, options.dbdir) return 1
def server(): if verbose: print("starting server:") # Initialize # Setup an IP Address to listen on any of our interfaces net_addr = io.NetworkAddress(io.PR_IpAddrAny, port) if use_ssl: if info: print("server: using SSL") ssl.set_domestic_policy() nss.set_password_callback(password_callback) # Perform basic SSL server configuration ssl.set_default_cipher_pref(ssl.SSL_RSA_WITH_NULL_MD5, True) ssl.config_server_session_id_cache() # Get our certificate and private key server_cert = nss.find_cert_from_nickname(server_nickname, password) priv_key = nss.find_key_by_any_cert(server_cert, password) server_cert_kea = server_cert.find_kea_type() #if verbose: # print("server cert:\n%s" % server_cert) sock = ssl.SSLSocket(net_addr.family) # Set server SSL socket options sock.set_pkcs11_pin_arg(password) sock.set_ssl_option(ssl.SSL_SECURITY, True) sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_SERVER, True) # If we're doing client authentication then set it up if client_cert_action >= REQUEST_CLIENT_CERT_ONCE: sock.set_ssl_option(ssl.SSL_REQUEST_CERTIFICATE, True) if client_cert_action == REQUIRE_CLIENT_CERT_ONCE: sock.set_ssl_option(ssl.SSL_REQUIRE_CERTIFICATE, True) sock.set_auth_certificate_callback(auth_certificate_callback, nss.get_default_certdb()) # Configure the server SSL socket sock.config_secure_server(server_cert, priv_key, server_cert_kea) else: sock = io.Socket(net_addr.family) # Bind to our network address and listen for clients sock.bind(net_addr) if verbose: print("listening on: %s" % (net_addr)) sock.listen() while True: # Accept a connection from a client client_sock, client_addr = sock.accept() if use_ssl: client_sock.set_handshake_callback(handshake_callback) if verbose: print("client connect from: %s" % (client_addr)) while True: try: # Handle the client connection buf = client_sock.readline( ) # newline is protocol record separator if not buf: print("server: lost lost connection to %s" % (client_addr), file=sys.stderr) break buf = buf.decode('utf-8') buf = buf.rstrip() # remove newline record separator if info: print("server: received \"%s\"" % (buf)) reply = "{%s}" % buf # echo embedded inside braces if info: print("server: sending \"%s\"" % (reply)) data = reply + "\n" # send echo with record separator client_sock.send(data.encode('utf-8')) time.sleep(sleep_time) client_sock.shutdown() client_sock.close() break except Exception as e: print("server: %s" % e, file=sys.stderr) break break # Clean up sock.shutdown() sock.close() if use_ssl: ssl.shutdown_server_session_id_cache()
def server(): global family if verbose: print "starting server:" # Initialize # Setup an IP Address to listen on any of our interfaces if family == io.PR_AF_UNSPEC: family = io.PR_AF_INET net_addr = io.NetworkAddress(io.PR_IpAddrAny, port, family) if use_ssl: if info: print "server: using SSL" ssl.set_domestic_policy() nss.set_password_callback(password_callback) # Perform basic SSL server configuration ssl.set_default_cipher_pref(ssl.SSL_RSA_WITH_NULL_MD5, True) ssl.config_server_session_id_cache() # Get our certificate and private key server_cert = nss.find_cert_from_nickname(server_nickname, password) priv_key = nss.find_key_by_any_cert(server_cert, password) server_cert_kea = server_cert.find_kea_type() #if verbose: print "server cert:\n%s" % server_cert sock = ssl.SSLSocket(net_addr.family) # Set server SSL socket options sock.set_pkcs11_pin_arg(password) sock.set_ssl_option(ssl.SSL_SECURITY, True) sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_SERVER, True) # If we're doing client authentication then set it up if client_cert_action >= REQUEST_CLIENT_CERT_ONCE: sock.set_ssl_option(ssl.SSL_REQUEST_CERTIFICATE, True) if client_cert_action == REQUIRE_CLIENT_CERT_ONCE: sock.set_ssl_option(ssl.SSL_REQUIRE_CERTIFICATE, True) sock.set_auth_certificate_callback(auth_certificate_callback, nss.get_default_certdb()) # Configure the server SSL socket sock.config_secure_server(server_cert, priv_key, server_cert_kea) else: sock = io.Socket(net_addr.family) # Bind to our network address and listen for clients sock.bind(net_addr) if verbose: print "listening on: %s" % (net_addr) sock.listen() while True: # Accept a connection from a client client_sock, client_addr = sock.accept() if use_ssl: client_sock.set_handshake_callback(handshake_callback) if verbose: print "client connect from: %s" % (client_addr) while True: try: # Handle the client connection buf = client_sock.recv(1024) if not buf: print >> sys.stderr, "server: lost lost connection to %s" % ( client_addr) break if info: print "server: received \"%s\"" % (buf) reply = "{%s}" % buf # echo if info: print "server: sending \"%s\"" % (reply) client_sock.send(reply) # echo time.sleep(sleep_time) client_sock.shutdown() client_sock.close() break except Exception, e: print >> sys.stderr, "server: %s" % e break break
def server(): if verbose: print("starting server:") # Initialize # Setup an IP Address to listen on any of our interfaces net_addr = io.NetworkAddress(io.PR_IpAddrAny, port) if use_ssl: if info: print("server: using SSL") ssl.set_domestic_policy() nss.set_password_callback(password_callback) # Perform basic SSL server configuration ssl.set_default_cipher_pref(ssl.SSL_RSA_WITH_NULL_MD5, True) ssl.config_server_session_id_cache() # Get our certificate and private key server_cert = nss.find_cert_from_nickname(server_nickname, password) priv_key = nss.find_key_by_any_cert(server_cert, password) server_cert_kea = server_cert.find_kea_type(); #if verbose: # print("server cert:\n%s" % server_cert) sock = ssl.SSLSocket(net_addr.family) # Set server SSL socket options sock.set_pkcs11_pin_arg(password) sock.set_ssl_option(ssl.SSL_SECURITY, True) sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_SERVER, True) # If we're doing client authentication then set it up if client_cert_action >= REQUEST_CLIENT_CERT_ONCE: sock.set_ssl_option(ssl.SSL_REQUEST_CERTIFICATE, True) if client_cert_action == REQUIRE_CLIENT_CERT_ONCE: sock.set_ssl_option(ssl.SSL_REQUIRE_CERTIFICATE, True) sock.set_auth_certificate_callback(auth_certificate_callback, nss.get_default_certdb()) # Configure the server SSL socket sock.config_secure_server(server_cert, priv_key, server_cert_kea) else: sock = io.Socket(net_addr.family) # Bind to our network address and listen for clients sock.bind(net_addr) if verbose: print("listening on: %s" % (net_addr)) sock.listen() while True: # Accept a connection from a client client_sock, client_addr = sock.accept() if use_ssl: client_sock.set_handshake_callback(handshake_callback) if verbose: print("client connect from: %s" % (client_addr)) while True: try: # Handle the client connection buf = client_sock.readline() # newline is protocol record separator if not buf: print("server: lost lost connection to %s" % (client_addr), file=sys.stderr) break buf = buf.decode('utf-8') buf = buf.rstrip() # remove newline record separator if info: print("server: received \"%s\"" % (buf)) reply = "{%s}" % buf # echo embedded inside braces if info: print("server: sending \"%s\"" % (reply)) data = reply + "\n" # send echo with record separator client_sock.send(data.encode('utf-8')) time.sleep(sleep_time) client_sock.shutdown() client_sock.close() break except Exception as e: print("server: %s" % e, file=sys.stderr) break break # Clean up sock.shutdown() sock.close() if use_ssl: ssl.shutdown_server_session_id_cache()
if client and server: print "can't be both client and server" sys.exit(1) if not (client or server): print "must be one of client or server" sys.exit(1) # Perform basic configuration and setup if certdir is None: nss.nss_init_nodb() else: nss.nss_init(certdir) ssl.set_domestic_policy() nss.set_password_callback(password_callback) # Run as a client or as a server if client: print "starting as client" Client() if server: print "starting as server" Server() try: nss.nss_shutdown() except Exception, e: print e
def main(): global options parser = argparse.ArgumentParser( description='certificate validation example') # === NSS Database Group === group = parser.add_argument_group('NSS Database', 'Specify & control the NSS Database') group.add_argument('-d', '--db-name', help='NSS database name (e.g. "sql:pki")') group.add_argument('-P', '--db-passwd', help='NSS database password') # === Certificate Group === group = parser.add_argument_group('Certificate', 'Specify how the certificate is loaded') group.add_argument('-f', '--file', dest='cert_filename', help='read cert from file') group.add_argument('-F', '--input-format', choices=['pem', 'der'], help='format of input cert') group.add_argument( '-n', '--nickname', dest='cert_nickname', help='load cert from NSS database by looking it up under this nickname' ) # === Validation Group === group = parser.add_argument_group('Validation', 'Control the validation') group.add_argument( '-u', '--usage', dest='cert_usage', action='append', choices=list(cert_usage_map.keys()), help='certificate usage flags, may be specified multiple times') group.add_argument('-c', '--check-sig', action='store_true', dest='check_sig', help='check signature') group.add_argument('-C', '--no-check-sig', action='store_false', dest='check_sig', help='do not check signature') group.add_argument('-l', '--log', action='store_true', dest='with_log', help='use verify log') group.add_argument('-L', '--no-log', action='store_false', dest='with_log', help='do not use verify log') group.add_argument('-a', '--check-ca', action='store_true', dest='check_ca', help='check if cert is CA') group.add_argument('-A', '--no-check-ca', action='store_false', dest='check_ca', help='do not check if cert is CA') # === Miscellaneous Group === group = parser.add_argument_group('Miscellaneous', 'Miscellaneous options') group.add_argument('-p', '--print-cert', action='store_true', dest='print_cert', help='print the certificate in a friendly fashion') parser.set_defaults( db_name='sql:pki', db_passwd='db_passwd', input_format='pem', check_sig=True, with_log=True, check_ca=True, print_cert=False, ) options = parser.parse_args() # Process the command line arguments # Get usage bitmask if options.cert_usage: intended_usage = 0 for usage in options.cert_usage: try: flag = cert_usage_map[usage] except KeyError: print("Unknown usage '%s', valid values: %s" % (usage, ', '.join(sorted(cert_usage_map.keys())))) return 1 else: intended_usage |= flag else: # We can't use nss.certificateUsageCheckAllUsages here because # it's a special value of zero instead of being the bitwise OR # of all the certificateUsage* flags (go figure!) intended_usage = 0 for usage in list(cert_usage_map.values()): intended_usage |= usage if options.cert_filename and options.cert_nickname: print( "You may not specify both a cert filename and a nickname, only one or the other", file=sys.stderr) return 1 if not options.cert_filename and not options.cert_nickname: print("You must specify either a cert filename or a nickname to load", file=sys.stderr) return 1 # Initialize NSS. print(indented_output('NSS Database', options.db_name)) print() nss.nss_init(options.db_name) certdb = nss.get_default_certdb() nss.set_password_callback(password_callback) # Load the cert if options.cert_filename: # Read the certificate as DER encoded data then initialize a Certificate from the DER data filename = options.cert_filename si = nss.read_der_from_file(filename, options.input_format.lower() == 'pem') # Parse the DER encoded data returning a Certificate object cert = nss.Certificate(si) else: try: cert = nss.find_cert_from_nickname(options.cert_nickname) except Exception as e: print(e) print('Unable to load cert nickname "%s" from database "%s"' % \ (options.cert_nickname, options.db_name), file=sys.stderr) return 1 # Dump the cert if the user wants to see it if options.print_cert: print(cert) else: print(indented_output('cert subject', cert.subject)) print() # Dump the usages attached to the cert print( indented_output('cert has these usages', nss.cert_type_flags(cert.cert_type))) # Should we check if the cert is a CA cert? if options.check_ca: # CA Cert? is_ca, cert_type = cert.is_ca_cert(True) print() print(indented_output('is CA cert boolean', is_ca)) print( indented_output('is CA cert returned usages', nss.cert_type_flags(cert_type))) print() print( indented_output('verifying usages for', nss.cert_usage_flags(intended_usage))) print() # Use the log or non-log variant to verify the cert # # Note: Anytime a NSPR or NSS function returns an error in python-nss it # raises a NSPRError exception. When an exception is raised the normal # return values are discarded because the flow of control continues at # the first except block prepared to catch the exception. Normally this # is what is desired because the return values would be invalid due to # the error. However the certificate verification functions are an # exception (no pun intended). An error might be returned indicating the # cert failed verification but you may still need access to the returned # usage bitmask and the log (if using the log variant). To handle this a # special error exception `CertVerifyError` (derived from `NSPRError`) # is defined which in addition to the normal NSPRError fields will also # contain the returned usages and optionally the CertVerifyLog # object. If no exception is raised these are returned as normal return # values. approved_usage = 0 if options.with_log: try: approved_usage, log = cert.verify_with_log(certdb, options.check_sig, intended_usage, None) except nss_error.CertVerifyError as e: # approved_usage and log available in CertVerifyError exception on failure. print(e) print() print(indented_obj('log', e.log)) print() print( indented_output('approved usages from exception', nss.cert_usage_flags(e.usages))) approved_usage = e.usages # Get the returned usage bitmask from the exception except Exception as e: print(e) else: print( indented_output('approved usages', nss.cert_usage_flags(approved_usage))) if log.count: print() print(indented_obj('log', log)) else: try: approved_usage = cert.verify(certdb, options.check_sig, intended_usage, None) except nss_error.CertVerifyError as e: # approved_usage available in CertVerifyError exception on failure. print(e) print( indented_output('approved usages from exception', nss.cert_usage_flags(e.usages))) approved_usage = e.usages # Get the returned usage bitmask from the exception except Exception as e: print(e) else: print( indented_output('approved usages', nss.cert_usage_flags(approved_usage))) # The cert is valid if all the intended usages are in the approved usages valid = (intended_usage & approved_usage) == intended_usage print() if valid: print( indented_output('SUCCESS: cert is approved for', nss.cert_usage_flags(intended_usage))) return 0 else: print( indented_output( 'FAIL: cert not approved for', nss.cert_usage_flags(intended_usage ^ approved_usage))) return 1
def main(): global options parser = argparse.ArgumentParser(description='certificate trust example') # === NSS Database Group === group = parser.add_argument_group('NSS Database', 'Specify & control the NSS Database') group.add_argument('-d', '--db-name', help='NSS database name (e.g. "sql:pki")') group.add_argument('-P', '--db-passwd', help='NSS database password') # === Certificate Group === group = parser.add_argument_group('Certificate', 'Specify how the certificate is loaded') group.add_argument('-f', '--file', dest='cert_filename', help='read cert from file') group.add_argument('-F', '--input-format', choices=['pem', 'der'], help='format of input cert') group.add_argument('-n', '--nickname', dest='cert_nickname', help='load cert from NSS database by looking it up under this nickname') group.add_argument('-t', '--trust', dest='cert_trust', help='set the cert trust flags, see certutil for format') group.add_argument('-i', '--install-cert', action='store_true', dest='cert_perm', help='check signature') group.add_argument('-p', '--print-cert', action='store_true', dest='print_cert', help='print the certificate in a friendly fashion') parser.set_defaults(db_name = 'sql:pki', db_passwd = 'db_passwd', input_format = 'pem', install_cert = False, print_cert = False, ) options = parser.parse_args() # Process the command line arguments if options.cert_perm: if not options.cert_filename: print("You must specify a cert filename to install a cert in the database", file=sys.stderr) return 1 if not options.cert_nickname: print("You must specify a cert nickname to install a cert in the database", file=sys.stderr) return 1 else: if options.cert_filename and options.cert_nickname: print("You may not specify both a cert filename and a nickname, only one or the other", file=sys.stderr) return 1 if not options.cert_filename and not options.cert_nickname: print("You must specify either a cert filename or a nickname to load", file=sys.stderr) return 1 # Initialize NSS. print('NSS Database: %s' % (options.db_name)) print() # Initialize the database as read/write, otherwise we would not # be able to import a cert nss.nss_init_read_write(options.db_name) certdb = nss.get_default_certdb() # Since we may update the cert make sure we're using the key slot # and not just the internal slot slot = nss.get_internal_key_slot() # If we're importing or modifying a cert we'll need to authenticate # to the database, the password callback supplies the password during # authentication. nss.set_password_callback(password_callback) # Load the cert if options.cert_filename: # Read the certificate as DER encoded data then initialize a Certificate from the DER data filename = options.cert_filename si = nss.read_der_from_file(filename, options.input_format.lower() == 'pem') # Parse the DER encoded data returning a Certificate object. # # If we've been asked to install the cert in the database the # options.cert_perm flag will be True and we'll need to supply # the nickname (which is used to locate the cert in the database). cert = nss.Certificate(si, certdb, options.cert_perm, options.cert_nickname) else: try: cert = nss.find_cert_from_nickname(options.cert_nickname) except Exception as e: print(e) print('Unable to load cert nickname "%s" from database "%s"' % \ (options.cert_nickname, options.db_name), file=sys.stderr) return 1 # Dump the cert if the user wants to see it if options.print_cert: print(cert) else: print('cert subject: %s' % (cert.subject)) print() # Change the cert trust if specified if options.cert_trust: cert.set_trust_attributes(options.cert_trust, certdb, slot) illustrate_ssl_trust(cert) return 0