def test_ssl(self):
"""
When passed an SSL strports description, L{clientFromString} returns a
L{SSL4ClientEndpoint} instance initialized with the values from the
string.
"""
reactor = object()
client = endpoints.clientFromString(
reactor, "ssl:host=example.net:port=4321:privateKey=%s:"
"certKey=%s:bindAddress=10.0.0.3:timeout=3:caCertsDir=%s" %
(escapedPEMPathName, escapedPEMPathName, escapedCAsPathName))
self.assertIsInstance(client, endpoints.SSL4ClientEndpoint)
self.assertIdentical(client._reactor, reactor)
self.assertEquals(client._host, "example.net")
self.assertEquals(client._port, 4321)
self.assertEquals(client._timeout, 3)
self.assertEquals(client._bindAddress, "10.0.0.3")
certOptions = client._sslContextFactory
self.assertIsInstance(certOptions, CertificateOptions)
ctx = certOptions.getContext()
self.assertIsInstance(ctx, ContextType)
self.assertEquals(Certificate(certOptions.certificate),
testCertificate)
privateCert = PrivateCertificate(certOptions.certificate)
privateCert._setPrivateKey(KeyPair(certOptions.privateKey))
self.assertEquals(privateCert, testPrivateCertificate)
expectedCerts = [
Certificate.loadPEM(x.getContent()) for x in
[casPath.child("thing1.pem"),
casPath.child("thing2.pem")]
if x.basename().lower().endswith('.pem')
]
self.assertEquals([Certificate(x) for x in certOptions.caCerts],
expectedCerts)
def getServerContext(self):
"""
Generate a new L{OpenSSL.SSL.Context} object configured to use a
certificate signed by C{self.ca} and only accept connections from peers
which are also using a certificate signed by C{self.ca}.
"""
# Generate a new key for the server and have the CA sign a certificate
# for it.
key = KeyPair.generate(size=512)
req = key.certificateRequest(DN(commonName='localhost'))
certData = self.ca.signCertificateRequest(req, lambda dn: True, 1)
cert = PrivateCertificate.load(certData, key)
# Use the new key/certificate
context = Context(TLSv1_METHOD)
context.use_privatekey(key.original)
context.use_certificate(cert.original)
context.check_privatekey()
# Allow peer certificates signed by the CA
store = context.get_cert_store()
store.add_cert(self.ca.original)
# Verify the peer certificate and require that they have one.
def verify(conn, cert, errno, depth, preverify_ok):
return preverify_ok
context.set_verify(VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify)
return context
def setUp(self):
"""
Create a L{PantheonHTTPChecker} pointed at a mock authentication service
with some simple site and user information.
"""
self.site = 'example.com'
self.cwd = '/some/path'
self.uid = 1542
self.username = '******'
self.password = '******'
keyString = FilePath(__file__).sibling('id_rsa').getContent()
self.privateKey = Key.fromString(keyString)
caKeyString = FilePath(__file__).sibling('cakey.pem').getContent()
self.caKey = KeyPair.load(caKeyString, FILETYPE_PEM)
caCertString = FilePath(__file__).sibling('cacert.pem').getContent()
self.caCert = PrivateCertificate.load(
caCertString, self.caKey, FILETYPE_PEM)
self.resource = MockPantheonAuthResource(
sites={self.site: [self.username]},
authorizations={self.site: dict(cwd=self.cwd, uid=self.uid)},
passwords={self.username: self.password},
keys={self.username: self.privateKey},
)
self.server = MockPantheonAuthServer(
reactor, self.resource, self.caCert)
self.server.startService()
self.addCleanup(self.server.stopService)
def clientCertFor(name):
signingCert = getCAPrivateCert()
clientKey = KeyPair.generate(size=4096)
csr = clientKey.requestObject(DN(CN=name), "sha1")
clientCert = signingCert.signRequestObject(
csr, serialNumber=1, digestAlgorithm="sha1")
return PrivateCertificate.fromCertificateAndKeyPair(clientCert, clientKey)
def pems():
for i in count():
key = KeyPair.generate()
cert = key.selfSignedCert(i, commonName=u"lae_automation testing")
pem = PrivateCertificate.fromCertificateAndKeyPair(cert,
key).dumpPEM()
yield pem.decode("ascii")
def getFactory(self):
if self.factory is None:
if self.certificateFile is not None:
cert = PrivateCertificate.loadPEM(
file(self.certificateFile).read())
certOpts = CertificateOptions(
cert.privateKey.original,
cert.original,
requireCertificate=False,
method=SSL.SSLv23_METHOD)
else:
certOpts = None
self.portal = portal.Portal(
self.userbase, [self.userbase, checkers.AllowAnonymousAccess()])
self.factory = ESMTPFactory(
self.portal,
self.domain,
{'CRAM-MD5': credentials.CramMD5Credentials,
'LOGIN': imap4.LOGINCredentials,
},
certOpts)
if self.debug:
self.factory = policies.TrafficLoggingFactory(self.factory, 'smtp')
return self.factory
def clientCertFor(p_name):
l_signingCert = getCAPrivateCert()
l_clientKey = KeyPair.generate(size = 4096)
l_csr = l_clientKey.requestObject(DN(CN = p_name), "sha1")
l_clientCert = l_signingCert.signRequestObject(
l_csr, serialNumber = 1, digestAlgorithm = "sha1")
return PrivateCertificate.fromCertificateAndKeyPair(l_clientCert, l_clientKey)
def connect(self, host=None, port=None, cert=None, key=None):
'''
Connect to another portal somewhere. If retry is set, will attempt to reconnect
with the target continuously. As of the time of this writing, you cannot stop a
polling connection without taking down the portal.
:param retry: continuously attempt to connect on drops or rejections
:type retry: bool.
'''
host = host if host else self.host
port = port if port else self.port
cert = cert if cert else self.certCa
key = key if key else self.keyPrivate # ???
# the first term is the name the server is using in the cert (for now)
ctx = optionsForClientTLS(u"pds.production", Certificate.loadPEM(cert), PrivateCertificate.loadPEM(key))
factory = RiffleClientFactory()
SSL4ClientEndpoint(reactor, host, port, ctx,).connect(factory)
print 'Connecting to ' + host + ':' + str(port)
avatar = yield factory.login(self)
defer.returnValue(Levy(avatar))
def getServerContext(self):
"""
Return a new SSL context suitable for use in a test server.
"""
cert = PrivateCertificate.load(
self._certificateText,
KeyPair.load(self._privateKeyText, FILETYPE_PEM), FILETYPE_PEM)
return cert.options()
def private_certificate(self):
"""
Combine private key and certificate into a ``PrivateCertificate``.
:return: ``PrivateCertificate`` instance.
"""
return PrivateCertificate.fromCertificateAndKeyPair(
self.certificate, self.keypair.keypair)
def main(reactor):
pemBytes = FilePath(b"ca-private-cert.pem").getContent()
certificateAuthority = Certificate.loadPEM(pemBytes)
myCertificate = PrivateCertificate.loadPEM(pemBytes)
serverEndpoint = SSL4ServerEndpoint(
reactor, 4321, myCertificate.options(certificateAuthority))
serverEndpoint.listen(Factory.forProtocol(ReportWhichClient))
return Deferred()
def clientCertFor(name):
signingCert = getCAPrivateCert()
clientKey = KeyPair.generate(size=4096)
csr = clientKey.requestObject(DN(CN=name), "sha1")
clientCert = signingCert.signRequestObject(csr,
serialNumber=1,
digestAlgorithm="sha1")
return PrivateCertificate.fromCertificateAndKeyPair(clientCert, clientKey)
def getServerContext(self):
"""
Return a new SSL context suitable for use in a test server.
"""
pem = self._pem.getContent()
cert = PrivateCertificate.load(
pem, KeyPair.load(pem, FILETYPE_PEM), FILETYPE_PEM)
return cert.options()
def getServerContext(self):
"""
Return a new SSL context suitable for use in a test server.
"""
pem = self._pem.getContent()
cert = PrivateCertificate.load(
pem, KeyPair.load(pem, FILETYPE_PEM), FILETYPE_PEM)
return cert.options()
def private_certificate(self):
"""
Combine private key and certificate into a ``PrivateCertificate``.
:return: ``PrivateCertificate`` instance.
"""
return PrivateCertificate.fromCertificateAndKeyPair(
self.certificate, self.keypair.keypair)
def addSubprocesses(self, fds, name, factory):
super(HendrixDeployTLS, self).addSubprocesses(fds, name, factory)
if name == 'main_web_ssl':
privateCert = PrivateCertificate.loadPEM(
open(self.options['cert']).read() +
open(self.options['key']).read())
factory = TLSMemoryBIOFactory(privateCert.options(), False,
factory)
def getCAPrivateCert():
l_privatePath = FilePath(b"ca-private-cert.pem")
if l_privatePath.exists():
return PrivateCertificate.loadPEM(l_privatePath.getContent())
else:
l_caKey = KeyPair.generate(size=4096)
l_caCert = l_caKey.selfSignedCert(1, CN="the-authority")
l_privatePath.setContent(l_caCert.dumpPEM())
return l_caCert
def getContextFactory(self):
if SSL is None:
raise RuntimeError("No SSL support: you need to install OpenSSL.")
cert = PrivateCertificate.loadPEM(self.certificatePath.open().read())
certOpts = CertificateOptions(cert.privateKey.original,
cert.original,
requireCertificate=False,
method=SSL.SSLv23_METHOD)
return certOpts
def clientCertFor(p_name):
l_signingCert = getCAPrivateCert()
l_clientKey = KeyPair.generate(size=4096)
l_csr = l_clientKey.requestObject(DN(CN=p_name), "sha1")
l_clientCert = l_signingCert.signRequestObject(l_csr,
serialNumber=1,
digestAlgorithm="sha1")
return PrivateCertificate.fromCertificateAndKeyPair(
l_clientCert, l_clientKey)
def main(reactor):
pemBytes = FilePath(b"ca-private-cert.pem").getContent()
certificateAuthority = Certificate.loadPEM(pemBytes)
myCertificate = PrivateCertificate.loadPEM(pemBytes)
serverEndpoint = SSL4ServerEndpoint(
reactor, 4321, myCertificate.options(certificateAuthority)
)
serverEndpoint.listen(Factory.forProtocol(ReportWhichClient))
return Deferred()
def getCAPrivateCert():
privatePath = FilePath(b"ca-private-cert.pem")
if privatePath.exists():
return PrivateCertificate.loadPEM(privatePath.getContent())
else:
caKey = KeyPair.generate(size=4096)
caCert = caKey.selfSignedCert(1, CN="the-authority")
privatePath.setContent(caCert.dumpPEM())
return caCert
def getServerContext(self):
"""
Return a new SSL context suitable for use in a test server.
"""
cert = PrivateCertificate.load(
self._certificateText,
KeyPair.load(self._privateKeyText, FILETYPE_PEM),
FILETYPE_PEM)
return cert.options()
def addSubprocesses(self, fds, name, factory):
super(HendrixDeploySSL, self).addSubprocesses(fds, name, factory)
if name == 'main_web_ssl':
privateCert = PrivateCertificate.loadPEM(
open(self.options['cert']).read() + open(self.options['key']).read()
)
factory = TLSMemoryBIOFactory(
privateCert.options(), False, factory
)
def createCertOptions(server): pk = None cert = None if server.cert: pc = PrivateCertificate.loadPEM(open(server.cert,"rb").read()) pk = pc.privateKey.original cert = pc.original tr = platformTrust() if server.verify else None return CertificateOptions(privateKey=pk, certificate=cert, trustRoot=tr)
def main(reactor):
pem = generate_certs.and_generate()
caPem = FilePath(b"ca-private-cert.pem").getContent()
clientEndpoint = SSL4ClientEndpoint(
reactor,
u"localhost",
4321,
optionsForClientTLS(u"the-authority", Certificate.loadPEM(caPem),
PrivateCertificate.loadPEM(pem)),
)
clientEndpoint = SSL4ClientEndpoint(
reactor,
u"localhost",
4321,
optionsForClientTLS(u"the-authority", Certificate.loadPEM(caPem),
PrivateCertificate.loadPEM(pem)),
)
proto = yield clientEndpoint.connect(Factory.forProtocol(SendAnyData))
yield proto.deferred
def getContextFactory(self):
if SSL is None:
raise RuntimeError("No SSL support: you need to install OpenSSL.")
cert = PrivateCertificate.loadPEM(
self.certificatePath.open().read())
certOpts = CertificateOptions(
cert.privateKey.original,
cert.original,
requireCertificate=False,
method=SSL.SSLv23_METHOD)
return certOpts
def open(self, port=None, cert=None):
'''
Listen for connections on the given port.
'''
port = port if port else self.port
cert = cert if cert else self.certCa
ca = Certificate.loadPEM(cert)
myCertificate = PrivateCertificate.loadPEM(cert)
SSL4ServerEndpoint(reactor, port, myCertificate.options(ca)).listen(RiffleServerFactory(self))
def start_ssl_cmd_server():
with open(settings["Agent_Cert"], 'r') as certfile:
certdata = certfile.read()
if settings["Agent_Priv_Key"] != settings["Agent_Cert"]:
with open(settings.get("Agent_Priv_Key"), 'r') as keyfile:
certdata += keyfile.read()
with open(settings.get("Broker_Cert"), 'r') as f:
authdata = f.read()
certificate = PrivateCertificate.loadPEM(certdata)
authority = Certificate.loadPEM(authdata)
factory = Factory.forProtocol(CommandHandler)
reactor.listenSSL(int(settings.get("Command_Port")), factory, certificate.options(authority))
def start_ssl_cmd_server():
with open(settings["Agent_Cert"], 'r') as certfile:
certdata = certfile.read()
if settings["Agent_Priv_Key"] != settings["Agent_Cert"]:
with open(settings.get("Agent_Priv_Key"), 'r') as keyfile:
certdata += keyfile.read()
with open(settings.get("Broker_Cert"), 'r') as f:
authdata = f.read()
certificate = PrivateCertificate.loadPEM(certdata)
authority = Certificate.loadPEM(authdata)
factory = Factory.forProtocol(CommandHandler)
reactor.listenSSL(int(settings.get("Command_Port")), factory,
certificate.options(authority))
def start(self, fd=None):
pids = [str(os.getpid())] # script pid
if fd is None:
# anything in this block is only run once
# TODO add global services here, possibly add a services kwarg on
# __init__
self.addGlobalServices()
self.hendrix.startService()
if self.options['workers']:
# Create a new listening port and several other processes to help out.
childFDs = {0: 0, 1: 1, 2: 2}
self.fds = {}
for name in self.servers:
port = self.hendrix.get_port(name)
fd = port.fileno()
childFDs[fd] = fd
self.fds[name] = fd
args = self.getSpawnArgs()
transports = []
for i in range(self.options['workers']):
transport = reactor.spawnProcess(
None, executable, args, childFDs=childFDs, env=environ
)
transports.append(transport)
pids.append(str(transport.pid))
with open(self.pid, 'w') as pid_file:
pid_file.write('\n'.join(pids))
else:
# Another process created the port, drop the tcp service and
# just start listening on it.
fds = pickle.loads(fd)
factories = {}
for name in self.servers:
factory = self.disownService(name)
factories[name] = factory
self.hendrix.startService()
for name, factory in factories.iteritems():
if name == 'main_web_ssl':
privateCert = PrivateCertificate.loadPEM(
open(self.options['cert']).read() + open(self.options['key']).read()
)
factory = TLSMemoryBIOFactory(
privateCert.options(), False, factory
)
port = reactor.adoptStreamPort(fds[name], AF_INET, factory)
reactor.run()
def _create_tls_client_context(config, cbdir, log):
"""
Create a CertificateOptions object for use with TLS listening endpoints.
"""
# server hostname: The expected name of the remote host.
hostname = config['hostname']
# explicit trust (certificate) root
ca_certs = None
if 'ca_certificates' in config:
log.info("TLS client using explicit trust ({cnt_certs} certificates)", cnt_certs=len(config['ca_certificates']))
ca_certs = []
for cert_fname in [os.path.abspath(os.path.join(cbdir, x)) for x in (config['ca_certificates'])]:
cert = crypto.load_certificate(
crypto.FILETYPE_PEM,
six.u(open(cert_fname, 'r').read())
)
log.info("TLS client trust root CA certificate loaded from '{fname}'", fname=cert_fname)
ca_certs.append(cert)
ca_certs = OpenSSLCertificateAuthorities(ca_certs)
else:
log.info("TLS client using platform trust")
# client key/cert to use
client_cert = None
if 'key' in config:
if 'certificate' not in config:
raise Exception('TLS client key present, but certificate missing')
key_fname = os.path.abspath(os.path.join(cbdir, config['key']))
with open(key_fname, 'r') as f:
private_key = KeyPair.load(f.read(), format=crypto.FILETYPE_PEM)
log.info("Loaded client TLS key from '{key_fname}'", key_fname=key_fname)
cert_fname = os.path.abspath(os.path.join(cbdir, config['certificate']))
with open(cert_fname, 'r') as f:
cert = Certificate.loadPEM(f.read(),)
log.info("Loaded client TLS certificate from '{cert_fname}' (cn='{cert_cn}', sha256={cert_sha256}..)",
cert_fname=cert_fname,
cert_cn=cert.getSubject().CN,
cert_sha256=cert.digest('sha256')[:12])
client_cert = PrivateCertificate.fromCertificateAndKeyPair(cert, private_key)
else:
if 'certificate' in config:
log.warn('TLS client certificate present, but key is missing')
# create TLS client context
ctx = optionsForClientTLS(hostname, trustRoot=ca_certs, clientCertificate=client_cert)
return ctx
def _create_tls_client_context(config, cbdir, log):
"""
Create a CertificateOptions object for use with TLS listening endpoints.
"""
# server hostname: The expected name of the remote host.
hostname = config['hostname']
# explicit trust (certificate) root
ca_certs = None
if 'ca_certificates' in config:
log.info("TLS client using explicit trust ({cnt_certs} certificates)", cnt_certs=len(config['ca_certificates']))
ca_certs = []
for cert_fname in [os.path.abspath(os.path.join(cbdir, x)) for x in (config['ca_certificates'])]:
cert = crypto.load_certificate(
crypto.FILETYPE_PEM,
six.u(open(cert_fname, 'r').read())
)
log.info("TLS client trust root CA certificate loaded from '{fname}'", fname=cert_fname)
ca_certs.append(cert)
ca_certs = OpenSSLCertificateAuthorities(ca_certs)
else:
log.info("TLS client using platform trust")
# client key/cert to use
client_cert = None
if 'key' in config:
if 'certificate' not in config:
raise Exception('TLS client key present, but certificate missing')
key_fname = os.path.abspath(os.path.join(cbdir, config['key']))
with open(key_fname, 'r') as f:
private_key = KeyPair.load(f.read(), format=crypto.FILETYPE_PEM)
log.info("Loaded client TLS key from '{key_fname}'", key_fname=key_fname)
cert_fname = os.path.abspath(os.path.join(cbdir, config['certificate']))
with open(cert_fname, 'r') as f:
cert = Certificate.loadPEM(f.read(),)
log.info("Loaded client TLS certificate from '{cert_fname}' (cn='{cert_cn}', sha256={cert_sha256}..)",
cert_fname=cert_fname,
cert_cn=cert.getSubject().CN,
cert_sha256=cert.digest('sha256')[:12])
client_cert = PrivateCertificate.fromCertificateAndKeyPair(cert, private_key)
else:
if 'certificate' in config:
log.warn('TLS client certificate present, but key is missing')
# create TLS client context
ctx = optionsForClientTLS(hostname, trustRoot=ca_certs, clientCertificate=client_cert)
return ctx
def test_ssl(self):
"""
When passed an SSL strports description, L{clientFromString} returns a
L{SSL4ClientEndpoint} instance initialized with the values from the
string.
"""
reactor = object()
client = endpoints.clientFromString(
reactor,
"ssl:host=example.net:port=4321:privateKey=%s:"
"certKey=%s:bindAddress=10.0.0.3:timeout=3:caCertsDir=%s" %
(escapedPEMPathName,
escapedPEMPathName,
escapedCAsPathName))
self.assertIsInstance(client, endpoints.SSL4ClientEndpoint)
self.assertIdentical(client._reactor, reactor)
self.assertEqual(client._host, "example.net")
self.assertEqual(client._port, 4321)
self.assertEqual(client._timeout, 3)
self.assertEqual(client._bindAddress, "10.0.0.3")
certOptions = client._sslContextFactory
self.assertIsInstance(certOptions, CertificateOptions)
ctx = certOptions.getContext()
self.assertIsInstance(ctx, ContextType)
self.assertEqual(Certificate(certOptions.certificate),
testCertificate)
privateCert = PrivateCertificate(certOptions.certificate)
privateCert._setPrivateKey(KeyPair(certOptions.privateKey))
self.assertEqual(privateCert, testPrivateCertificate)
expectedCerts = [
Certificate.loadPEM(x.getContent()) for x in
[casPath.child("thing1.pem"), casPath.child("thing2.pem")]
if x.basename().lower().endswith('.pem')
]
self.assertEqual(sorted((Certificate(x) for x in certOptions.caCerts),
key=lambda cert: cert.digest()),
sorted(expectedCerts,
key=lambda cert: cert.digest()))
def create_agent(ca_cert, client_cert, client_key):
ca_certificate = Certificate.loadPEM(FilePath(ca_cert).getContent())
client_certificate = PrivateCertificate.loadPEM(
FilePath(client_cert).getContent() + b"\n" +
FilePath(client_key).getContent())
customPolicy = BrowserLikePolicyForHTTPSWithClientCertificate(
trustRoot=ca_certificate,
clientCertificate=client_certificate)
pool = HTTPConnectionPool(reactor, persistent=True)
agent = Agent(reactor, customPolicy, pool=pool)
return agent
def __init__(self, uri, verify, timeout=600, reactor=reactor, clientCert=None):
Resource.__init__(self)
self._uri = URLPath.fromString(uri)
self._verify = verify
self._timeout = timeout
self._reactor = reactor
pool = HTTPConnectionPool(reactor)
if clientCert is not None:
clientCert = PrivateCertificate.loadPEM(
FilePath(clientCert).getContent())
self._agent = Agent(
reactor,
StupidPolicyForHTTPS(InsecureTLSOptions(clientCert)),
pool=pool)
def create_agent(ca_cert, client_cert, client_key):
ca_certificate = Certificate.loadPEM(FilePath(ca_cert).getContent())
client_certificate = PrivateCertificate.loadPEM(
FilePath(client_cert).getContent() + b"\n" +
FilePath(client_key).getContent())
customPolicy = BrowserLikePolicyForHTTPSWithClientCertificate(
trustRoot=ca_certificate, clientCertificate=client_certificate)
pool = HTTPConnectionPool(reactor, persistent=True)
pool.maxPersistentPerHost = CONNECTION_COUNT
agent = Agent(reactor, customPolicy, pool=pool)
return agent
def from_paths(
cls, endpoint, private_key_path: FilePath, cert_path: FilePath
) -> "_TLSEndpointWrapper":
"""
Create an endpoint with the given private key and certificate paths on
the filesystem.
"""
certificate = Certificate.loadPEM(cert_path.getContent()).original
private_key = PrivateCertificate.loadPEM(
cert_path.getContent() + b"\n" + private_key_path.getContent()
).privateKey.original
certificate_options = CertificateOptions(
privateKey=private_key, certificate=certificate
)
return cls(endpoint=endpoint, context_factory=certificate_options)
def test_authenticateSucceed(self):
"""
L{authenticateRequest} returns C{True} if the provided client
certificate has a matching hostname.
"""
privateCert = PrivateCertificate.loadPEM(
FilePath(__file__).sibling(b'data').child(b'test.cert').getContent())
self.assertEqual(
privateCert.original.get_subject().commonName, b'localhost')
options = CertificateOptions(
privateKey=privateCert.privateKey.original,
certificate=privateCert.original)
request = self.createRequest(options)
self.assertEqual(True, authenticateRequest(request, u'localhost'))
def test_handshakeFailure(self):
"""
L{TLSMemoryBIOProtocol} reports errors in the handshake process to the
application-level protocol object using its C{connectionLost} method
and disconnects the underlying transport.
"""
clientConnectionLost = Deferred()
clientFactory = ClientFactory()
clientFactory.protocol = (
lambda: ConnectionLostNotifyingProtocol(
clientConnectionLost))
clientContextFactory = HandshakeCallbackContextFactory()
wrapperFactory = TLSMemoryBIOFactory(
clientContextFactory, True, clientFactory)
sslClientProtocol = wrapperFactory.buildProtocol(None)
serverConnectionLost = Deferred()
serverFactory = ServerFactory()
serverFactory.protocol = (
lambda: ConnectionLostNotifyingProtocol(
serverConnectionLost))
# This context factory rejects any clients which do not present a
# certificate.
certificateData = FilePath(certPath).getContent()
certificate = PrivateCertificate.loadPEM(certificateData)
serverContextFactory = certificate.options(certificate)
wrapperFactory = TLSMemoryBIOFactory(
serverContextFactory, False, serverFactory)
sslServerProtocol = wrapperFactory.buildProtocol(None)
connectionDeferred = loopbackAsync(sslServerProtocol, sslClientProtocol)
def cbConnectionLost(protocol):
# The connection should close on its own in response to the error
# induced by the client not supplying the required certificate.
# After that, check to make sure the protocol's connectionLost was
# called with the right thing.
protocol.lostConnectionReason.trap(Error)
clientConnectionLost.addCallback(cbConnectionLost)
serverConnectionLost.addCallback(cbConnectionLost)
# Additionally, the underlying transport should have been told to
# go away.
return gatherResults([
clientConnectionLost, serverConnectionLost,
connectionDeferred])
def agent_call(url_trustRoot):
url, trustRoot = url_trustRoot
if trustRoot:
customPolicy = BrowserLikePolicyForHTTPS(
PrivateCertificate.loadPEM(trustRoot))
agent = Agent(reactor, customPolicy)
else:
agent = Agent(reactor)
headers = Headers({
'User-Agent': ['Twisted Webbot'],
'Content-Type': ['text/x-greeting']
})
d = agent.request('HEAD', url, headers=headers)
return d
def test_handshakeFailure(self):
"""
L{TLSMemoryBIOProtocol} reports errors in the handshake process to the
application-level protocol object using its C{connectionLost} method
and disconnects the underlying transport.
"""
clientConnectionLost = Deferred()
clientFactory = ClientFactory()
clientFactory.protocol = (
lambda: ConnectionLostNotifyingProtocol(clientConnectionLost))
clientContextFactory = HandshakeCallbackContextFactory()
wrapperFactory = TLSMemoryBIOFactory(clientContextFactory, True,
clientFactory)
sslClientProtocol = wrapperFactory.buildProtocol(None)
serverConnectionLost = Deferred()
serverFactory = ServerFactory()
serverFactory.protocol = (
lambda: ConnectionLostNotifyingProtocol(serverConnectionLost))
# This context factory rejects any clients which do not present a
# certificate.
certificateData = FilePath(certPath).getContent()
certificate = PrivateCertificate.loadPEM(certificateData)
serverContextFactory = certificate.options(certificate)
wrapperFactory = TLSMemoryBIOFactory(serverContextFactory, False,
serverFactory)
sslServerProtocol = wrapperFactory.buildProtocol(None)
connectionDeferred = loopbackAsync(sslServerProtocol,
sslClientProtocol)
def cbConnectionLost(protocol):
# The connection should close on its own in response to the error
# induced by the client not supplying the required certificate.
# After that, check to make sure the protocol's connectionLost was
# called with the right thing.
protocol.lostConnectionReason.trap(Error)
clientConnectionLost.addCallback(cbConnectionLost)
serverConnectionLost.addCallback(cbConnectionLost)
# Additionally, the underlying transport should have been told to
# go away.
return gatherResults(
[clientConnectionLost, serverConnectionLost, connectionDeferred])
def _serviceDescription(self):
"""
Produce a description of the service we should start.
"""
ca = Certificate.loadPEM(
FilePath(self.caPath.encode('utf-8')).getContent())
certBytes = FilePath(self.certPath.encode('utf-8')).getContent()
cert = PrivateCertificate.loadPEM(certBytes)
# Can't use PrivateCertificate.options until Twisted #6361 is fixed
options = CertificateOptions(
privateKey=cert.privateKey.original,
certificate=cert.original,
trustRoot=ca,
extraCertChain=chainCerts(certBytes))
router = IndexRouter(store=self.store)
return _ServiceDescription(
reactor=reactor, port=self.port, interface=self.interface,
options=options, router=router)
def actualTest(result):
ponged = defer.Deferred()
signer = self.serverService2.certificateStorage.getPrivateCertificate(
self.fromDomain).privateKey
req = signer.requestObject(DistinguishedName(commonName=self.toDomain))
sreq = signer.signRequestObject(
DistinguishedName(commonName=self.fromDomain), req, 12345)
selfSignedLie = PrivateCertificate.fromCertificateAndKeyPair(
sreq, signer)
self.serverService2.connectQ2Q(self.fromAddress,
self.toAddress,
'pony',
OneTrickPonyClientFactory(ponged),
selfSignedLie,
fakeFromDomain=self.toDomain).addErrback(
lambda e: e.trap(q2q.VerifyError))
return self.assertFailure(ponged, q2q.VerifyError)
def _get_ssl_context(self):
client_ca = get_certificate(self.client_ca_cert_path)
if not client_ca:
try:
ca = mTLS.generate_new_certificate(is_ca_generation_request=True, ca_cert_path=self.client_ca_cert_path, username="******")
if ca is not None:
save_certificate(self.client_ca_cert_path, ca)
client_ca = ca
except Exception as e:
log.error("Exception: {}".format(e))
raise e
client_ca_pem = "{}\n{}".format(base64.b64decode(client_ca.get('c')), base64.b64decode(client_ca.get('k')))
certificate_authority = Certificate.loadPEM(client_ca_pem)
self.server_ca_cert_path = self.server_cert_path+"_ca"
server_cert = get_certificate(self.server_cert_path)
server_cert_ca = get_certificate(self.server_ca_cert_path)
if not server_cert:
try:
if not server_cert_ca:
ca = mTLS.generate_new_certificate(is_ca_generation_request=True, ca_cert_path=self.server_ca_cert_path, username="******")
if ca is not None:
save_certificate(self.server_ca_cert_path, ca)
_server_cert = mTLS.generate_new_certificate(ca_cert_path=self.server_ca_cert_path, username="******", ip=self.ip)
if _server_cert is not None:
save_certificate(self.server_cert_path, _server_cert)
server_cert = _server_cert
else:
raise Exception("Server Certificate generation failed. Cert:{}".format(_server_cert))
except Exception as e:
log.error("Exception: {}".format(e))
raise e
server_cert_pem = "{}\n{}".format(base64.b64decode(server_cert.get('c')), base64.b64decode(server_cert.get('k')))
server_cert = PrivateCertificate.loadPEM(server_cert_pem)
return server_cert.options(certificate_authority)
def _ssl_agent(self):
"""
Get a Twisted Agent that performs Client SSL authentication for Koji.
"""
# Load "cert" into a PrivateCertificate.
certfile = self.lookup(self.profile, 'cert')
certfile = os.path.expanduser(certfile)
with open(certfile) as certfp:
pemdata = certfp.read()
client_cert = PrivateCertificate.loadPEM(pemdata)
trustRoot = None # Use Twisted's platformTrust().
# Optionally load "serverca" into a Certificate.
servercafile = self.lookup(self.profile, 'serverca')
if servercafile:
servercafile = os.path.expanduser(servercafile)
trustRoot = RootCATrustRoot(servercafile)
policy = ClientCertPolicy(trustRoot=trustRoot, client_cert=client_cert)
return Agent(reactor, policy)
def actualTest(result):
ponged = defer.Deferred()
signer = self.serverService2.certificateStorage.getPrivateCertificate(
self.fromDomain).privateKey
req = signer.requestObject(
DistinguishedName(commonName=self.toDomain))
sreq = signer.signRequestObject(
DistinguishedName(commonName=self.fromDomain), req, 12345)
selfSignedLie = PrivateCertificate.fromCertificateAndKeyPair(
sreq, signer)
self.serverService2.connectQ2Q(
self.fromAddress,
self.toAddress,
'pony',
OneTrickPonyClientFactory(ponged),
selfSignedLie,
fakeFromDomain=self.toDomain).addErrback(
lambda e: e.trap(q2q.VerifyError))
return self.assertFailure(ponged, q2q.VerifyError)
def getFactory(self):
if self.factory is None:
if self.certificateFile is not None:
cert = PrivateCertificate.loadPEM(
file(self.certificateFile).read())
certOpts = CertificateOptions(cert.privateKey.original,
cert.original,
requireCertificate=False,
method=SSL.SSLv23_METHOD)
else:
certOpts = None
self.portal = portal.Portal(
self.userbase,
[self.userbase, checkers.AllowAnonymousAccess()])
self.factory = ESMTPFactory(
self.portal, self.domain, {
'CRAM-MD5': credentials.CramMD5Credentials,
'LOGIN': imap4.LOGINCredentials,
}, certOpts)
if self.debug:
self.factory = policies.TrafficLoggingFactory(
self.factory, 'smtp')
return self.factory
def __init__(self, publicPath, privatePath, csrPath, key, cert, issuer):
self.publicPath = publicPath
self.privatePath = privatePath
self.csrPath = csrPath
self.cert = PrivateCertificate.fromCertificateAndKeyPair(cert, key)
self.issuer = issuer
def create_connecting_endpoint_from_config(config, cbdir, reactor):
"""
Create a Twisted stream client endpoint from a Crossbar.io transport configuration.
See: https://twistedmatrix.com/documents/current/api/twisted.internet.interfaces.IStreamClientEndpoint.html
:param config: The transport configuration.
:type config: dict
:param cbdir: Crossbar.io node directory (we need this for Unix domain socket paths and TLS key/certificates).
:type cbdir: str
:param reactor: The reactor to use for endpoint creation.
:type reactor: obj
:returns obj -- An instance implementing IStreamClientEndpoint
"""
endpoint = None
log = make_logger()
# a TCP endpoint
#
if config['type'] == 'tcp':
# the TCP protocol version (v4 or v6)
#
version = int(config.get('version', 4))
# the host to connect to
#
host = str(config['host'])
# the port to connect to
#
port = int(config['port'])
# connection timeout in seconds
#
timeout = int(config.get('timeout', 10))
if 'tls' in config:
if _HAS_TLS:
# if the config specified any CA certificates, we use those (only!)
if 'ca_certificates' in config['tls']:
ca_certs = []
for cert_fname in config['tls']['ca_certificates']:
cert = crypto.load_certificate(
crypto.FILETYPE_PEM,
six.u(open(cert_fname, 'r').read()))
log.info("Loaded CA certificate '{fname}'",
fname=cert_fname)
ca_certs.append(cert)
client_cert = None
if 'key' in config['tls']:
with open(config['tls']['certificate'], 'r') as f:
cert = Certificate.loadPEM(f.read(), )
log.info(
"{fname}: CN={subj.CN}, sha={sha}",
fname=config['tls']['certificate'],
subj=cert.getSubject(),
sha=cert.digest('sha'),
)
with open(config['tls']['key'], 'r') as f:
private_key = KeyPair.load(
f.read(),
format=crypto.FILETYPE_PEM,
)
log.info(
"{fname}: {key}",
fname=config['tls']['key'],
key=private_key.inspect(),
)
client_cert = PrivateCertificate.fromCertificateAndKeyPair(
cert, private_key)
# XXX OpenSSLCertificateAuthorities is a "private"
# class, in _sslverify, so we shouldn't really be
# using it. However, while you can pass a single
# Certificate as trustRoot= there's no way to pass
# multiple ones.
# XXX ...but maybe the config should only allow
# the user to configure a single cert to trust
# here anyway?
options = optionsForClientTLS(
config['tls']['hostname'],
trustRoot=OpenSSLCertificateAuthorities(ca_certs),
clientCertificate=client_cert,
)
else:
options = optionsForClientTLS(config['tls']['hostname'])
# create a TLS client endpoint
#
if version == 4:
endpoint = SSL4ClientEndpoint(
reactor,
host,
port,
options,
timeout=timeout,
)
elif version == 6:
raise Exception("TLS on IPv6 not implemented")
else:
raise Exception(
"invalid TCP protocol version {}".format(version))
else:
raise Exception(
"TLS transport requested, but TLS packages not available:\n{}"
.format(_LACKS_TLS_MSG))
else:
# create a non-TLS client endpoint
#
if version == 4:
endpoint = TCP4ClientEndpoint(reactor,
host,
port,
timeout=timeout)
elif version == 6:
endpoint = TCP6ClientEndpoint(reactor,
host,
port,
timeout=timeout)
else:
raise Exception(
"invalid TCP protocol version {}".format(version))
# a Unix Domain Socket endpoint
#
elif config['type'] == 'unix':
# the path
#
path = abspath(join(cbdir, config['path']))
# connection timeout in seconds
#
timeout = int(config.get('timeout', 10))
# create the endpoint
#
endpoint = UNIXClientEndpoint(reactor, path, timeout=timeout)
else:
raise Exception("invalid endpoint type '{}'".format(config['type']))
return endpoint
"""
from twisted.internet.protocol import ServerFactory
from twisted.internet.endpoints import SSL4ClientEndpoint
from twisted.internet.ssl import (
DN, KeyPair, PrivateCertificate, CertificateOptions)
from twisted.protocols.wire import Echo
from tcp_throughput import Client, driver
# Generate a new self-signed certificate
key = KeyPair.generate(size=2048)
req = key.certificateRequest(DN(commonName='localhost'), digestAlgorithm='sha1')
cert = PrivateCertificate.load(
key.signCertificateRequest(
DN(commonName='localhost'), req,
lambda dn: True, 1, digestAlgorithm='sha1'),
key)
def main(reactor, duration):
chunkSize = 16384
server = ServerFactory()
server.protocol = Echo
port = reactor.listenSSL(0, server, cert.options())
client = Client(
reactor,
SSL4ClientEndpoint(
reactor, '127.0.0.1', port.getHost().port,
CertificateOptions(
def loadCertificate(certData):
cert = PrivateCertificate.loadPEM(certData)
return cert
def load_options(path):
certificate = open(join(path, Certificate.CERTIFICATE_FILE), "rb").read() + \
open(join(path, Certificate.PRIVATE_KEY_FILE), "rb").read()
pem = PrivateCertificate.loadPEM(certificate)
return pem.options()
from twisted import plugins
from twisted.python.modules import getModule
from twisted.python.filepath import FilePath
pemPath = getModule("twisted.test").filePath.sibling("server.pem")
casPath = getModule(__name__).filePath.sibling("fake_CAs")
escapedPEMPathName = endpoints.quoteStringArgument(pemPath.path)
escapedCAsPathName = endpoints.quoteStringArgument(casPath.path)
try:
from twisted.test.test_sslverify import makeCertificate
from twisted.internet.ssl import CertificateOptions, Certificate, \
KeyPair, PrivateCertificate
from OpenSSL.SSL import ContextType
testCertificate = Certificate.loadPEM(pemPath.getContent())
testPrivateCertificate = PrivateCertificate.loadPEM(pemPath.getContent())
skipSSL = False
except ImportError:
skipSSL = "OpenSSL is required to construct SSL Endpoints"
class TestProtocol(Protocol):
"""
Protocol whose only function is to callback deferreds on the
factory when it is connected or disconnected.
"""
def __init__(self):
self.data = []
self.connectionsLost = []
self.connectionMadeCalls = 0
def loadCertificate(certData):
cert = PrivateCertificate.loadPEM(certData)
return cert
def get_client_certificate(key_file, certificate_file) -> PrivateCertificate:
with open(key_file, 'r') as key, open(certificate_file, 'r') as certificate:
pem = ''.join(key.readlines()) + ''.join(certificate.readlines())
return PrivateCertificate.loadPEM(pem)
def __init__(self, pem):
if pem is None:
self._clientCertificate = None
else:
self._clientCertificate = PrivateCertificate.loadPEM(pem)
from twisted.test.proto_helpers import (
MemoryReactor, RaisingMemoryReactor, StringTransport)
from twisted.internet.protocol import ClientFactory, Protocol
from twisted.internet.address import IPv4Address, IPv6Address
from twisted.internet import (_endpointspy3 as endpoints, error, defer,
interfaces, reactor)
from twisted.test import __file__ as testInitPath
pemPath = FilePath(testInitPath.encode("utf-8")).sibling(b"server.pem")
try:
from twisted.test.test_sslverify import makeCertificate
from twisted.internet.ssl import (CertificateOptions, Certificate,
PrivateCertificate)
testCertificate = Certificate.loadPEM(pemPath.getContent())
testPrivateCertificate = PrivateCertificate.loadPEM(pemPath.getContent())
skipSSL = False
except ImportError:
skipSSL = "OpenSSL is required to construct SSL Endpoints"
class TestProtocol(Protocol):
"""
Protocol whose only function is to callback deferreds on the
factory when it is connected or disconnected.
"""
def __init__(self):
self.data = []
self.connectionsLost = []
def creatorForNetloc(self, hostname, port):
client_cert = PrivateCertificate.loadPEM(pkcs12.pkey_pem + pkcs12.cert_pem)
return ssl.optionsForClientTLS(pkcs12.hostname,
clientCertificate=client_cert)
