def signCertAs(self, cert, signas):
    '''
    Signs a certificate with a CA keypair.

    Args:
        cert (OpenSSL.crypto.X509): The certificate to sign.
        signas (str): The CA keypair name to sign the certificate with.

    Examples:
        Sign a certificate with the CA "myca":

            cdir.signCertAs(mycert, 'myca')

    Raises:
        s_exc.NoCertKey: If the CA private key or CA certificate cannot be found.

    Returns:
        None
    '''
    ca_private = self.getCaKey(signas)
    if ca_private is None:
        raise s_exc.NoCertKey('Missing .key for %s' % signas)

    ca_certificate = self.getCaCert(signas)
    if ca_certificate is None:
        raise s_exc.NoCertKey('Missing .crt for %s' % signas)

    # The issuer is copied from the CA certificate's subject, then the
    # certificate is signed with the CA key using this directory's digest.
    cert.set_issuer(ca_certificate.get_subject())
    cert.sign(ca_private, self.signing_digest)
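def getServerSSLContext(self, hostname=None, caname=None):
    '''
    Returns an ssl.SSLContext appropriate to listen on a socket

    Args:
        hostname: if None, the value from socket.gethostname is used to find the key in the servers directory.
                  This name should match the not-suffixed part of two files ending in .key and .crt in the hosts subdirectory
        caname: If not None, the given name is used to locate a CA certificate used to validate client SSL certs.
                When None, the returned context does not require or verify client certificates.

    Raises:
        s_exc.NoCertKey: If the host certificate or host key file cannot be found.
        s_exc.NoSuchCert: If caname is given and its CA certificate file cannot be found.

    Returns:
        ssl.SSLContext: The configured server-side context.
    '''
    sslctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)

    if hostname is None:
        hostname = socket.gethostname()

    certfile = self.getHostCertPath(hostname)
    if certfile is None:
        mesg = f'Missing TLS certificate file for host: {hostname}'
        raise s_exc.NoCertKey(mesg=mesg)

    keyfile = self.getHostKeyPath(hostname)
    if keyfile is None:
        mesg = f'Missing TLS key file for host: {hostname}'
        raise s_exc.NoCertKey(mesg=mesg)

    sslctx.load_cert_chain(certfile, keyfile)

    if caname is not None:
        cafile = self.getCaCertPath(caname)
        # Without this check a missing CA file surfaces as a TypeError from
        # load_verify_locations() instead of a meaningful cert error.
        if cafile is None:
            mesg = f'Missing CA certificate file for ca: {caname}'
            raise s_exc.NoSuchCert(mesg=mesg)
        # Only clients presenting a cert that chains to this CA are accepted.
        sslctx.verify_mode = ssl.VerifyMode.CERT_REQUIRED
        sslctx.load_verify_locations(cafile=cafile)

    return sslctx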
def getClientSSLContext(self, certname=None):
    '''
    Returns an ssl.SSLContext appropriate for initiating a TLS session

    Args:
        certname: If specified, use the user certificate with the matching name to authenticate to the remote service.
                  A name containing '@' is split into user and host and passed to getUserForHost to resolve the cert name.

    Raises:
        s_exc.NoSuchCert: If certname is given and no matching user certificate is found.
        s_exc.NoCertKey: If the user certificate is found but its private key file is missing.

    Returns:
        ssl.SSLContext: A client-side context with this directory's CAs loaded.
    '''
    sslctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    self._loadCasIntoSSLContext(sslctx)

    if certname is None:
        return sslctx

    username = certname
    if '@' in username:
        # user@host names are resolved through getUserForHost().
        user, host = username.split('@', 1)
        username = self.getUserForHost(user, host)
        if username is None:
            raise s_exc.NoSuchCert(mesg=f'User certificate not found: {certname}')

    certpath = self.getUserCertPath(username)
    if certpath is None:
        raise s_exc.NoSuchCert(mesg=f'User certificate not found: {certname}')

    keypath = self.getUserKeyPath(username)
    if keypath is None:
        raise s_exc.NoCertKey(mesg=f'User private key not found: {certname}')

    sslctx.load_cert_chain(certpath, keypath)
    return sslctx
def getClientSSLContext(self, certname=None):
    '''
    Returns an ssl.SSLContext appropriate for initiating a TLS session

    Args:
        certname: If specified, use the user certificate with the matching name to authenticate to the remote service.

    Raises:
        s_exc.NoSuchCert: If certname is given and its certificate file cannot be found.
        s_exc.NoCertKey: If certname is given and its key file cannot be found.

    Returns:
        ssl.SSLContext: A client-side context with this directory's CAs loaded.
    '''
    sslctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    self._loadCasIntoSSLContext(sslctx)

    if certname is None:
        return sslctx

    certfile = self.getUserCertPath(certname)
    if certfile is None:
        raise s_exc.NoSuchCert(mesg=f'Missing TLS certificate file for user: {certname}')

    keyfile = self.getUserKeyPath(certname)
    if keyfile is None:
        raise s_exc.NoCertKey(mesg=f'Missing TLS key file for user: {certname}')

    # Present the user cert to the remote service for client authentication.
    sslctx.load_cert_chain(certfile, keyfile)
    return sslctx
def getServerSSLContext(self, hostname=None):
    '''
    Returns an ssl.SSLContext appropriate to listen on a socket

    Args:
        hostname: if None, the value from socket.gethostname is used to find the key in the servers directory.
                  This name should match the not-suffixed part of two files ending in .key and .crt in the hosts subdirectory

    Raises:
        s_exc.NoCertKey: If the host .crt or .key file cannot be found.

    Returns:
        ssl.SSLContext: A server-side context with the host cert chain loaded.
        Client certificates are neither requested nor verified by this context.
    '''
    sslctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)

    name = hostname if hostname is not None else socket.gethostname()

    crtpath = self.getHostCertPath(name)
    if crtpath is None:
        raise s_exc.NoCertKey('Missing .crt for %s' % name)

    keypath = self.getHostKeyPath(name)
    if keypath is None:
        raise s_exc.NoCertKey('Missing .key for %s' % name)

    sslctx.load_cert_chain(crtpath, keypath)
    return sslctx
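def _getServerSSLContext(self, hostname=None, caname=None):
    '''
    Build an ssl.SSLContext appropriate to listen on a socket.

    Args:
        hostname: if None, the value from socket.gethostname is used to find the
                  host cert and key in the hosts directory.
        caname: If not None, the named CA certificate is loaded and client
                certificates chained to it are required. When None, clients
                are not asked for a certificate.

    Raises:
        s_exc.NoCertKey: If the host certificate or host key file cannot be found.
        s_exc.NoSuchCert: If caname is given and its CA certificate file cannot be found.

    Returns:
        ssl.SSLContext: The configured server-side context.
    '''
    sslctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)

    if hostname is None:
        hostname = socket.gethostname()

    certfile = self.getHostCertPath(hostname)
    if certfile is None:
        mesg = f'Missing TLS certificate file for host: {hostname}'
        raise s_exc.NoCertKey(mesg=mesg)

    keyfile = self.getHostKeyPath(hostname)
    if keyfile is None:
        mesg = f'Missing TLS key file for host: {hostname}'
        raise s_exc.NoCertKey(mesg=mesg)

    sslctx.load_cert_chain(certfile, keyfile)

    if caname is not None:
        cafile = self.getCaCertPath(caname)
        # Without this check a missing CA file surfaces as a TypeError from
        # load_verify_locations() instead of a meaningful cert error.
        if cafile is None:
            mesg = f'Missing CA certificate file for ca: {caname}'
            raise s_exc.NoSuchCert(mesg=mesg)
        # Only clients presenting a cert that chains to this CA are accepted.
        sslctx.verify_mode = ssl.VerifyMode.CERT_REQUIRED
        sslctx.load_verify_locations(cafile=cafile)

    return sslctx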
def sign(self, cert, **info):
    '''
    Sign a certificate with the current Cert.

    Args:
        cert (Cert): Certificate to sign with the current Cert.
        **info: Additional data to include in the signed message.

    Raises:
        s_exc.NoCertKey: If this Cert has no private key loaded.

    Returns:
        None
    '''
    if self.rkey is None:
        raise s_exc.NoCertKey(mesg='sign() requires a private key')

    # The signing time is placed in the message so the signature covers it.
    info['time'] = s_common.now()
    message = s_msgpack.en(info)

    # The signature covers the encoded message followed by the cert token bytes.
    signature = self.rkey.sign(message + cert.toknbytes())
    cert.addsigner((self.iden(), message, signature))