def load_cert_chain(self, certchainfile, keyfile=None, callback=util.passphrase_callback): """Load certificate chain and private key into the context. @param certchainfile: File object containing the PEM-encoded certificate chain. @type certchainfile: str @param keyfile: File object containing the PEM-encoded private key. Default value of None indicates that the private key is to be found in 'certchainfile'. @type keyfile: str @param callback: Callable object to be invoked if the private key is passphrase-protected. Default callback provides a simple terminal-style input for the passphrase. """ m2.ssl_ctx_passphrase_callback(self.ctx, callback) m2.ssl_ctx_use_cert_chain(self.ctx, certchainfile) if not keyfile: keyfile = certchainfile m2.ssl_ctx_use_privkey(self.ctx, keyfile) if not m2.ssl_ctx_check_privkey(self.ctx): raise ValueError('public/private key mismatch')
def _initConnection(self, ownerCertFile=None, ownerKeyFile=None, ownerPassphrase=None): """Initialise connection setting up SSL context and client and server side identity checks @type ownerCertFile: basestring @param ownerCertFile: client certificate and owner of credential to be acted on. Can be a proxy cert + proxy's signing cert. Cert and private key are not necessary for getDelegation / logon calls @type ownerKeyFile: basestring @param ownerKeyFile: client private key file @type ownerPassphrase: basestring @param ownerPassphrase: pass-phrase protecting private key if set - not needed in the case of a proxy private key """ # Must be version 3 for MyProxy context = SSL.Context(protocol='sslv3') # SDF # context.load_verify_locations(cafile=self.caCertFilePath, capath='/etc/grid-security/certificates') if self.caCertFilePath or self.caCertDir: context.load_verify_locations(cafile=self.caCertFilePath, capath=self.caCertDir) # Stop if peer's certificate can't be verified context.set_allow_unknown_ca(False) else: context.set_allow_unknown_ca(True) from arcs.gsi import Certificate if ownerCertFile: try: if isinstance(ownerCertFile, Certificate): m2.ssl_ctx_passphrase_callback(context.ctx, lambda *ar: ownerPassphrase) m2.ssl_ctx_use_x509(context.ctx, ownerCertFile._certificate.x509) m2.ssl_ctx_use_rsa_privkey(context.ctx, ownerKeyFile.rsa) if not m2.ssl_ctx_check_privkey(context.ctx): raise ValueError, 'public/private key mismatch' else: context.load_cert_chain(ownerCertFile, keyfile=ownerKeyFile, callback=lambda *ar, **kw: ownerPassphrase) except Exception, e: raise MyProxyClientConfigError("Loading certificate " "and private key for SSL " "connection [also check CA " "certificate settings]: %s" % e) # Verify peer's certificate context.set_verify(SSL.verify_peer, 1)
def load_cert_pkey(self, certfile, pkey, callback=util.passphrase_callback): # type: (AnyStr, Optional[AnyStr], Callable) -> None """Load certificate and private key into the context. :param certfile: File that contains the PEM-encoded certificate. :param keyfile: 'M2Crypto.EVP' object :param callback: Callable object to be invoked if the private key is passphrase-protected. Default callback provides a simple terminal-style input for the passphrase. """ m2.ssl_ctx_passphrase_callback(self.ctx, callback) m2.ssl_ctx_use_cert(self.ctx, certfile) m2.ssl_ctx_use_pkey_privkey(self.ctx, pkey) if not m2.ssl_ctx_check_privkey(self.ctx): raise ValueError('public/private key mismatch')
def load_cert(self, certfile, keyfile=None, callback=util.passphrase_callback): # type: (AnyStr, Optional[AnyStr], Callable) -> None """Load certificate and private key into the context. @param certfile: File that contains the PEM-encoded certificate. @param keyfile: File that contains the PEM-encoded private key. Default value of None indicates that the private key is to be found in 'certfile'. @param callback: Callable object to be invoked if the private key is passphrase-protected. Default callback provides a simple terminal-style input for the passphrase. """ m2.ssl_ctx_passphrase_callback(self.ctx, callback) m2.ssl_ctx_use_cert(self.ctx, certfile) if not keyfile: keyfile = certfile m2.ssl_ctx_use_privkey(self.ctx, keyfile) if not m2.ssl_ctx_check_privkey(self.ctx): raise ValueError('public/private key mismatch')