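def get_ctx(self, allow_unknown_ca=False, req_peer_cert=True, session=None):
    """Build an M2Crypto ``SSL.Context`` for this identity.

    The context is loaded with ``self.cert`` / ``self.rsakey``, restricted to
    ``CIPHER_SET`` and ``CTX_OPTIONS``, anchored on ``cacert.root.pem`` under
    ``global_certpath`` and set to verify the peer through the callback built
    by ``mk_verify_cb``.

    :param allow_unknown_ca: forwarded to ``mk_verify_cb``. Judging by the
        name it relaxes the trust-anchor check; leave it ``False`` unless the
        peer is authenticated some other way. A warning is logged when set.
    :param req_peer_cert: when true the handshake aborts if the peer presents
        no certificate (``verify_fail_if_no_peer_cert``). Per OpenSSL this
        flag only acts in server mode; a TLS client is not otherwise obliged
        to send a certificate.
    :param session: optional session-id context handed to
        ``set_session_id_ctx``.
    :return: the configured ``SSL.Context``.
    :raises CryptoError: if the certificate or key cannot be installed, the
        key does not match the certificate, or the CA bundle fails to load.
    """
    ctx = SSL.Context("sslv23")

    # Certificate and private key. These m2 calls follow the same
    # 1-on-success convention this function already relies on for
    # check_privkey / load_verify_locations; without the checks a failed
    # load would surface (if at all) only as a misleading "key mismatch"
    # or a later handshake failure.
    if m2.ssl_ctx_use_x509(ctx.ctx, self.cert.x509) != 1:
        raise CryptoError('certificate could not be installed in SSL context')
    if m2.ssl_ctx_use_rsa_privkey(ctx.ctx, self.rsakey.rsa) != 1:
        raise CryptoError('private key could not be installed in SSL context')
    if not m2.ssl_ctx_check_privkey(ctx.ctx):
        raise CryptoError('public/private key mismatch')

    # Ciphers/options. "sslv23" is the version-flexible method; whether
    # SSLv2/SSLv3 are actually refused depends on CTX_OPTIONS, which is not
    # visible here -- confirm it carries the OP_NO_SSLv2/OP_NO_SSLv3 bits.
    ctx.set_cipher_list(CIPHER_SET)
    ctx.set_options(CTX_OPTIONS)

    # Trust anchor: a single root bundle. load_verify_locations returns 1
    # on success, anything else is treated as fatal.
    cloc = os.path.join(global_certpath, 'cacert.root.pem')
    if ctx.load_verify_locations(cafile=cloc) != 1:
        log.error("Problem loading CA certificates")
        raise CryptoError('CA certificates not loaded')

    # Peer verification through the project callback, chain depth 3.
    if allow_unknown_ca:
        log.warning("SSL context built with allow_unknown_ca=True; "
                    "peer chain validation is relaxed")
    cb = mk_verify_cb(allow_unknown_ca=allow_unknown_ca)
    verify_flags = SSL.verify_peer
    if req_peer_cert:
        verify_flags |= SSL.verify_fail_if_no_peer_cert
    ctx.set_verify(verify_flags, 3, cb)

    # Session-id context, only when the caller supplies one.
    if session:
        ctx.set_session_id_ctx(session)
    return ctx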
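def get_ctx(self, allow_unknown_ca=False, req_peer_cert=True, session=None):
    """Build an M2Crypto ``SSL.Context`` for this identity.

    The context is loaded with ``self.cert`` / ``self.rsakey``, restricted to
    ``CIPHER_SET`` and ``CTX_OPTIONS``, anchored on ``cacert.root.pem`` under
    ``global_certpath`` and set to verify the peer through the callback built
    by ``mk_verify_cb``.

    :param allow_unknown_ca: forwarded to ``mk_verify_cb``. Judging by the
        name it relaxes the trust-anchor check; leave it ``False`` unless the
        peer is authenticated some other way. A warning is logged when set.
    :param req_peer_cert: when true the handshake aborts if the peer presents
        no certificate (``verify_fail_if_no_peer_cert``). Per OpenSSL this
        flag only acts in server mode; a TLS client is not otherwise obliged
        to send a certificate.
    :param session: optional session-id context handed to
        ``set_session_id_ctx``.
    :return: the configured ``SSL.Context``.
    :raises CryptoError: if the certificate or key cannot be installed, the
        key does not match the certificate, or the CA bundle fails to load.
    """
    ctx = SSL.Context("sslv23")

    # Certificate and private key. These m2 calls follow the same
    # 1-on-success convention this function already relies on for
    # check_privkey / load_verify_locations; without the checks a failed
    # load would surface (if at all) only as a misleading "key mismatch"
    # or a later handshake failure.
    if m2.ssl_ctx_use_x509(ctx.ctx, self.cert.x509) != 1:
        raise CryptoError('certificate could not be installed in SSL context')
    if m2.ssl_ctx_use_rsa_privkey(ctx.ctx, self.rsakey.rsa) != 1:
        raise CryptoError('private key could not be installed in SSL context')
    if not m2.ssl_ctx_check_privkey(ctx.ctx):
        raise CryptoError('public/private key mismatch')

    # Ciphers/options. "sslv23" is the version-flexible method; whether
    # SSLv2/SSLv3 are actually refused depends on CTX_OPTIONS, which is not
    # visible here -- confirm it carries the OP_NO_SSLv2/OP_NO_SSLv3 bits.
    ctx.set_cipher_list(CIPHER_SET)
    ctx.set_options(CTX_OPTIONS)

    # Trust anchor: a single root bundle. load_verify_locations returns 1
    # on success, anything else is treated as fatal.
    cloc = os.path.join(global_certpath, 'cacert.root.pem')
    if ctx.load_verify_locations(cafile=cloc) != 1:
        log.error("Problem loading CA certificates")
        raise CryptoError('CA certificates not loaded')

    # Peer verification through the project callback, chain depth 3.
    if allow_unknown_ca:
        log.warning("SSL context built with allow_unknown_ca=True; "
                    "peer chain validation is relaxed")
    cb = mk_verify_cb(allow_unknown_ca=allow_unknown_ca)
    verify_flags = SSL.verify_peer
    if req_peer_cert:
        verify_flags |= SSL.verify_fail_if_no_peer_cert
    ctx.set_verify(verify_flags, 3, cb)

    # Session-id context, only when the caller supplies one.
    if session:
        ctx.set_session_id_ctx(session)
    return ctx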
def _initConnection(self, ownerCertFile=None, ownerKeyFile=None, ownerPassphrase=None):
    """Initialise connection setting up SSL context and client and server side identity checks

    Builds an M2Crypto ``SSL.Context``: loads the CA locations (if any are
    configured on ``self``), installs the owner's certificate/private key
    when ``ownerCertFile`` is given, and turns on peer verification.

    @type ownerCertFile: basestring
    @param ownerCertFile: client certificate and owner of credential to be
    acted on. Can be a proxy cert + proxy's signing cert. Cert and private
    key are not necessary for getDelegation / logon calls
    @type ownerKeyFile: basestring
    @param ownerKeyFile: client private key file
    @type ownerPassphrase: basestring
    @param ownerPassphrase: pass-phrase protecting private key if set - not
    needed in the case of a proxy private key
    @raise MyProxyClientConfigError: any failure while loading the owner's
    certificate / key is re-raised as this type.

    Security notes (review):
    - The context is pinned to SSLv3. SSLv3 is broken (POODLE, prohibited
      by RFC 7568) and is compiled out of current OpenSSL builds, where this
      call fails outright. The "must be version 3" remark presumably
      reflects the MyProxy server of the time -- confirm against the target
      server before changing, but a version-flexible method with the
      SSLv2/SSLv3 options cleared is the expected replacement.
    - With neither ``caCertFilePath`` nor ``caCertDir`` set the context
      accepts a peer whose chain cannot be built to a trusted root, i.e. the
      server is effectively unauthenticated and an active attacker can stand
      in for it. Treat that branch as an explicit opt-out, not a default.
    - Nothing in this method binds the peer certificate to a hostname;
      presumably that is done on the Connection afterwards
      (post-connection check) -- verify the caller does so.
    """
    # Must be version 3 for MyProxy
    # NOTE(review): see the SSLv3 caveat in the docstring.
    context = SSL.Context(protocol='sslv3')

    # SDF
    # context.load_verify_locations(cafile=self.caCertFilePath, capath='/etc/grid-security/certificates')
    if self.caCertFilePath or self.caCertDir:
        # NOTE(review): the return value is not checked; a missing or
        # unreadable bundle is only discovered when the handshake fails
        # (unless the installed M2Crypto raises here -- confirm).
        context.load_verify_locations(cafile=self.caCertFilePath, capath=self.caCertDir)

        # Stop if peer's certificate can't be verified
        context.set_allow_unknown_ca(False)
    else:
        # NOTE(review): peer chain validation is relaxed here -- no trust
        # anchor means no server authentication (see docstring).
        context.set_allow_unknown_ca(True)

    from arcs.gsi import Certificate

    if ownerCertFile:
        try:
            if isinstance(ownerCertFile, Certificate):
                # The pass-phrase is captured in a closure that lives as
                # long as the context, so it stays in memory for the
                # connection's lifetime.
                m2.ssl_ctx_passphrase_callback(context.ctx, lambda *ar: ownerPassphrase)
                # In this branch ownerKeyFile is used as a key object
                # exposing ``.rsa``, not a path -- presumably an RSA key
                # object from the same package; confirm with callers.
                m2.ssl_ctx_use_x509(context.ctx, ownerCertFile._certificate.x509)
                m2.ssl_ctx_use_rsa_privkey(context.ctx, ownerKeyFile.rsa)
                if not m2.ssl_ctx_check_privkey(context.ctx):
                    raise ValueError, 'public/private key mismatch'
            else:
                # Path-based variant; M2Crypto loads cert chain and key
                # from files, prompting the callback for the pass-phrase.
                context.load_cert_chain(ownerCertFile, keyfile=ownerKeyFile, callback=lambda *ar, **kw: ownerPassphrase)
        except Exception, e:
            # Any loading failure (including the mismatch above) is wrapped
            # so callers see a single configuration error type.
            raise MyProxyClientConfigError("Loading certificate "
                                           "and private key for SSL "
                                           "connection [also check CA "
                                           "certificate settings]: %s" % e)

    # Verify peer's certificate
    # NOTE(review): verify depth 1 -- chains with more than one CA level
    # above the leaf (intermediates, proxy chains) would be rejected;
    # confirm against the deployed CA layout. The method has no return
    # statement in this listing; if the listing is truncated, the
    # remainder is not reviewed here.
    context.set_verify(SSL.verify_peer, 1)
def set_client_key(self, key):
    """Install ``key`` as the private key of this context.

    Hands ``key.rsa`` to ``m2.ssl_ctx_use_rsa_privkey`` on ``self.ctx`` and
    returns that call's result unchanged. Callers must inspect it (OpenSSL's
    SSL_CTX_use_RSAPrivateKey reports 1 on success; how a failure is
    signalled depends on the installed M2Crypto build) and should separately
    confirm the key matches the installed certificate -- nothing here does.
    """
    rsa_key = key.rsa
    return m2.ssl_ctx_use_rsa_privkey(self.ctx, rsa_key)