def get_ctx(self,
allow_unknown_ca=False,
req_peer_cert=True,
session=None):
ctx = SSL.Context("sslv23")
# Set certificate and private key
m2.ssl_ctx_use_x509(ctx.ctx, self.cert.x509)
m2.ssl_ctx_use_rsa_privkey(ctx.ctx, self.rsakey.rsa)
if not m2.ssl_ctx_check_privkey(ctx.ctx):
raise CryptoError('public/private key mismatch')
# Ciphers/Options
ctx.set_cipher_list(CIPHER_SET)
ctx.set_options(CTX_OPTIONS)
# CA settings
cloc = os.path.join(global_certpath, 'cacert.root.pem')
if ctx.load_verify_locations(cafile=cloc) != 1:
log.error("Problem loading CA certificates")
raise CryptoError('CA certificates not loaded')
# Verification
cb = mk_verify_cb(allow_unknown_ca=allow_unknown_ca)
CTX_V_FLAGS = SSL.verify_peer
if req_peer_cert:
CTX_V_FLAGS |= SSL.verify_fail_if_no_peer_cert
ctx.set_verify(CTX_V_FLAGS, 3, cb)
# Session
if session:
ctx.set_session_id_ctx(session)
return ctx
def get_ctx(self, allow_unknown_ca=False, req_peer_cert=True, session=None):
ctx = SSL.Context("sslv23")
# Set certificate and private key
m2.ssl_ctx_use_x509(ctx.ctx, self.cert.x509)
m2.ssl_ctx_use_rsa_privkey(ctx.ctx, self.rsakey.rsa)
if not m2.ssl_ctx_check_privkey(ctx.ctx):
raise CryptoError('public/private key mismatch')
# Ciphers/Options
ctx.set_cipher_list(CIPHER_SET)
ctx.set_options(CTX_OPTIONS)
# CA settings
cloc = os.path.join(global_certpath, 'cacert.root.pem')
if ctx.load_verify_locations(cafile=cloc) != 1:
log.error("Problem loading CA certificates")
raise CryptoError('CA certificates not loaded')
# Verification
cb = mk_verify_cb(allow_unknown_ca=allow_unknown_ca)
CTX_V_FLAGS = SSL.verify_peer
if req_peer_cert:
CTX_V_FLAGS |= SSL.verify_fail_if_no_peer_cert
ctx.set_verify(CTX_V_FLAGS,3,cb)
# Session
if session:
ctx.set_session_id_ctx(session)
return ctx
def _initConnection(self,
ownerCertFile=None,
ownerKeyFile=None,
ownerPassphrase=None):
"""Initialise connection setting up SSL context and client and
server side identity checks
@type ownerCertFile: basestring
@param ownerCertFile: client certificate and owner of credential
to be acted on. Can be a proxy cert + proxy's signing cert. Cert
and private key are not necessary for getDelegation / logon calls
@type ownerKeyFile: basestring
@param ownerKeyFile: client private key file
@type ownerPassphrase: basestring
@param ownerPassphrase: pass-phrase protecting private key if set -
not needed in the case of a proxy private key
"""
# Must be version 3 for MyProxy
context = SSL.Context(protocol='sslv3')
# SDF
# context.load_verify_locations(cafile=self.caCertFilePath, capath='/etc/grid-security/certificates')
if self.caCertFilePath or self.caCertDir:
context.load_verify_locations(cafile=self.caCertFilePath,
capath=self.caCertDir)
# Stop if peer's certificate can't be verified
context.set_allow_unknown_ca(False)
else:
context.set_allow_unknown_ca(True)
from arcs.gsi import Certificate
if ownerCertFile:
try:
if isinstance(ownerCertFile, Certificate):
m2.ssl_ctx_passphrase_callback(context.ctx, lambda *ar: ownerPassphrase)
m2.ssl_ctx_use_x509(context.ctx, ownerCertFile._certificate.x509)
m2.ssl_ctx_use_rsa_privkey(context.ctx, ownerKeyFile.rsa)
if not m2.ssl_ctx_check_privkey(context.ctx):
raise ValueError, 'public/private key mismatch'
else:
context.load_cert_chain(ownerCertFile,
keyfile=ownerKeyFile,
callback=lambda *ar, **kw: ownerPassphrase)
except Exception, e:
raise MyProxyClientConfigError("Loading certificate "
"and private key for SSL "
"connection [also check CA "
"certificate settings]: %s" % e)
# Verify peer's certificate
context.set_verify(SSL.verify_peer, 1)
def set_client_key(self, key):
return m2.ssl_ctx_use_rsa_privkey(self.ctx, key.rsa)
