def login(self,pin): self.session = self.pkcs11.openSession(self.tokenSlot) self.session.login(pin=pin) random = ''.join(chr(i) for i in self.session.generateRandom(size=1024)) objects = self.session.findObjects() my_cert = None privkey_id = None for obj in objects: print self.session.getAttributeValue(obj, [PyKCS11.CKA_LABEL]) my_cert = self.FindMyCert(my_cert, obj) privkey_id = self.FindPrivateId(obj, privkey_id) self.key_id = ''.join(chr(c) for c in privkey_id[0]).encode('hex') self.my_cert = X509.load_cert_der_string(''.join(chr(c) for c in my_cert)) Rand.rand_seed(random) # init the OpenSSL engine and load the user cert & private key ssl_key = 'slot_' + str(self.tokenSlot) + '-id_' + self.key_id self.my_pkey = self.engine.load_private_key(ssl_key, pin) ctx = SSL.Context('sslv23') m2.ssl_ctx_use_x509(ctx.ctx,self.my_cert.x509) m2.ssl_ctx_use_pkey_privkey(ctx.ctx,self.my_pkey.pkey) if not m2.ssl_ctx_check_privkey(ctx.ctx): raise ValueError, 'public/private key mismatch' ctx.set_verify(SSL.verify_peer, 10) self.ssl_ctx = ctx print self.my_cert print self.my_pkey self.session.logout() print str(threading.currentThread().name)+" finished"
def load_cert_chain(self, certchainfile, keyfile=None, callback=util.passphrase_callback): """Load certificate chain and private key into the context. @param certchainfile: File object containing the PEM-encoded certificate chain. @type certchainfile: str @param keyfile: File object containing the PEM-encoded private key. Default value of None indicates that the private key is to be found in 'certchainfile'. @type keyfile: str @param callback: Callable object to be invoked if the private key is passphrase-protected. Default callback provides a simple terminal-style input for the passphrase. """ m2.ssl_ctx_passphrase_callback(self.ctx, callback) m2.ssl_ctx_use_cert_chain(self.ctx, certchainfile) if not keyfile: keyfile = certchainfile m2.ssl_ctx_use_privkey(self.ctx, keyfile) if not m2.ssl_ctx_check_privkey(self.ctx): raise ValueError('public/private key mismatch')
def get_ctx(self, allow_unknown_ca=False, req_peer_cert=True, session=None): ctx = SSL.Context("sslv23") # Set certificate and private key m2.ssl_ctx_use_x509(ctx.ctx, self.cert.x509) m2.ssl_ctx_use_rsa_privkey(ctx.ctx, self.rsakey.rsa) if not m2.ssl_ctx_check_privkey(ctx.ctx): raise CryptoError('public/private key mismatch') # Ciphers/Options ctx.set_cipher_list(CIPHER_SET) ctx.set_options(CTX_OPTIONS) # CA settings cloc = os.path.join(global_certpath, 'cacert.root.pem') if ctx.load_verify_locations(cafile=cloc) != 1: log.error("Problem loading CA certificates") raise CryptoError('CA certificates not loaded') # Verification cb = mk_verify_cb(allow_unknown_ca=allow_unknown_ca) CTX_V_FLAGS = SSL.verify_peer if req_peer_cert: CTX_V_FLAGS |= SSL.verify_fail_if_no_peer_cert ctx.set_verify(CTX_V_FLAGS,3,cb) # Session if session: ctx.set_session_id_ctx(session) return ctx
def get_ctx(self, allow_unknown_ca=False, req_peer_cert=True, session=None): ctx = SSL.Context("sslv23") # Set certificate and private key m2.ssl_ctx_use_x509(ctx.ctx, self.cert.x509) m2.ssl_ctx_use_rsa_privkey(ctx.ctx, self.rsakey.rsa) if not m2.ssl_ctx_check_privkey(ctx.ctx): raise CryptoError('public/private key mismatch') # Ciphers/Options ctx.set_cipher_list(CIPHER_SET) ctx.set_options(CTX_OPTIONS) # CA settings cloc = os.path.join(global_certpath, 'cacert.root.pem') if ctx.load_verify_locations(cafile=cloc) != 1: log.error("Problem loading CA certificates") raise CryptoError('CA certificates not loaded') # Verification cb = mk_verify_cb(allow_unknown_ca=allow_unknown_ca) CTX_V_FLAGS = SSL.verify_peer if req_peer_cert: CTX_V_FLAGS |= SSL.verify_fail_if_no_peer_cert ctx.set_verify(CTX_V_FLAGS, 3, cb) # Session if session: ctx.set_session_id_ctx(session) return ctx
def _initConnection(self, ownerCertFile=None, ownerKeyFile=None, ownerPassphrase=None): """Initialise connection setting up SSL context and client and server side identity checks @type ownerCertFile: basestring @param ownerCertFile: client certificate and owner of credential to be acted on. Can be a proxy cert + proxy's signing cert. Cert and private key are not necessary for getDelegation / logon calls @type ownerKeyFile: basestring @param ownerKeyFile: client private key file @type ownerPassphrase: basestring @param ownerPassphrase: pass-phrase protecting private key if set - not needed in the case of a proxy private key """ # Must be version 3 for MyProxy context = SSL.Context(protocol='sslv3') # SDF # context.load_verify_locations(cafile=self.caCertFilePath, capath='/etc/grid-security/certificates') if self.caCertFilePath or self.caCertDir: context.load_verify_locations(cafile=self.caCertFilePath, capath=self.caCertDir) # Stop if peer's certificate can't be verified context.set_allow_unknown_ca(False) else: context.set_allow_unknown_ca(True) from arcs.gsi import Certificate if ownerCertFile: try: if isinstance(ownerCertFile, Certificate): m2.ssl_ctx_passphrase_callback(context.ctx, lambda *ar: ownerPassphrase) m2.ssl_ctx_use_x509(context.ctx, ownerCertFile._certificate.x509) m2.ssl_ctx_use_rsa_privkey(context.ctx, ownerKeyFile.rsa) if not m2.ssl_ctx_check_privkey(context.ctx): raise ValueError, 'public/private key mismatch' else: context.load_cert_chain(ownerCertFile, keyfile=ownerKeyFile, callback=lambda *ar, **kw: ownerPassphrase) except Exception, e: raise MyProxyClientConfigError("Loading certificate " "and private key for SSL " "connection [also check CA " "certificate settings]: %s" % e) # Verify peer's certificate context.set_verify(SSL.verify_peer, 1)
def load_cert_pkey(self, certfile, pkey, callback=util.passphrase_callback): # type: (AnyStr, Optional[AnyStr], Callable) -> None """Load certificate and private key into the context. :param certfile: File that contains the PEM-encoded certificate. :param keyfile: 'M2Crypto.EVP' object :param callback: Callable object to be invoked if the private key is passphrase-protected. Default callback provides a simple terminal-style input for the passphrase. """ m2.ssl_ctx_passphrase_callback(self.ctx, callback) m2.ssl_ctx_use_cert(self.ctx, certfile) m2.ssl_ctx_use_pkey_privkey(self.ctx, pkey) if not m2.ssl_ctx_check_privkey(self.ctx): raise ValueError('public/private key mismatch')
def load_cert(self, certfile, keyfile=None, callback=util.passphrase_callback): # type: (AnyStr, Optional[AnyStr], Callable) -> None """Load certificate and private key into the context. @param certfile: File that contains the PEM-encoded certificate. @param keyfile: File that contains the PEM-encoded private key. Default value of None indicates that the private key is to be found in 'certfile'. @param callback: Callable object to be invoked if the private key is passphrase-protected. Default callback provides a simple terminal-style input for the passphrase. """ m2.ssl_ctx_passphrase_callback(self.ctx, callback) m2.ssl_ctx_use_cert(self.ctx, certfile) if not keyfile: keyfile = certfile m2.ssl_ctx_use_privkey(self.ctx, keyfile) if not m2.ssl_ctx_check_privkey(self.ctx): raise ValueError('public/private key mismatch')