def test_ssl(self): """ When passed an SSL strports description, L{clientFromString} returns a L{SSL4ClientEndpoint} instance initialized with the values from the string. """ reactor = object() client = endpoints.clientFromString( reactor, "ssl:host=example.net:port=4321:privateKey=%s:" "certKey=%s:bindAddress=10.0.0.3:timeout=3:caCertsDir=%s" % (escapedPEMPathName, escapedPEMPathName, escapedCAsPathName)) self.assertIsInstance(client, endpoints.SSL4ClientEndpoint) self.assertIdentical(client._reactor, reactor) self.assertEquals(client._host, "example.net") self.assertEquals(client._port, 4321) self.assertEquals(client._timeout, 3) self.assertEquals(client._bindAddress, "10.0.0.3") certOptions = client._sslContextFactory self.assertIsInstance(certOptions, CertificateOptions) ctx = certOptions.getContext() self.assertIsInstance(ctx, ContextType) self.assertEquals(Certificate(certOptions.certificate), testCertificate) privateCert = PrivateCertificate(certOptions.certificate) privateCert._setPrivateKey(KeyPair(certOptions.privateKey)) self.assertEquals(privateCert, testPrivateCertificate) expectedCerts = [ Certificate.loadPEM(x.getContent()) for x in [casPath.child("thing1.pem"), casPath.child("thing2.pem")] if x.basename().lower().endswith('.pem') ] self.assertEquals([Certificate(x) for x in certOptions.caCerts], expectedCerts)
def getServerContext(self): """ Generate a new L{OpenSSL.SSL.Context} object configured to use a certificate signed by C{self.ca} and only accept connections from peers which are also using a certificate signed by C{self.ca}. """ # Generate a new key for the server and have the CA sign a certificate # for it. key = KeyPair.generate(size=512) req = key.certificateRequest(DN(commonName='localhost')) certData = self.ca.signCertificateRequest(req, lambda dn: True, 1) cert = PrivateCertificate.load(certData, key) # Use the new key/certificate context = Context(TLSv1_METHOD) context.use_privatekey(key.original) context.use_certificate(cert.original) context.check_privatekey() # Allow peer certificates signed by the CA store = context.get_cert_store() store.add_cert(self.ca.original) # Verify the peer certificate and require that they have one. def verify(conn, cert, errno, depth, preverify_ok): return preverify_ok context.set_verify(VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify) return context
def setUp(self): """ Create a L{PantheonHTTPChecker} pointed at a mock authentication service with some simple site and user information. """ self.site = 'example.com' self.cwd = '/some/path' self.uid = 1542 self.username = '******' self.password = '******' keyString = FilePath(__file__).sibling('id_rsa').getContent() self.privateKey = Key.fromString(keyString) caKeyString = FilePath(__file__).sibling('cakey.pem').getContent() self.caKey = KeyPair.load(caKeyString, FILETYPE_PEM) caCertString = FilePath(__file__).sibling('cacert.pem').getContent() self.caCert = PrivateCertificate.load( caCertString, self.caKey, FILETYPE_PEM) self.resource = MockPantheonAuthResource( sites={self.site: [self.username]}, authorizations={self.site: dict(cwd=self.cwd, uid=self.uid)}, passwords={self.username: self.password}, keys={self.username: self.privateKey}, ) self.server = MockPantheonAuthServer( reactor, self.resource, self.caCert) self.server.startService() self.addCleanup(self.server.stopService)
def clientCertFor(name): signingCert = getCAPrivateCert() clientKey = KeyPair.generate(size=4096) csr = clientKey.requestObject(DN(CN=name), "sha1") clientCert = signingCert.signRequestObject( csr, serialNumber=1, digestAlgorithm="sha1") return PrivateCertificate.fromCertificateAndKeyPair(clientCert, clientKey)
def pems(): for i in count(): key = KeyPair.generate() cert = key.selfSignedCert(i, commonName=u"lae_automation testing") pem = PrivateCertificate.fromCertificateAndKeyPair(cert, key).dumpPEM() yield pem.decode("ascii")
def getFactory(self): if self.factory is None: if self.certificateFile is not None: cert = PrivateCertificate.loadPEM( file(self.certificateFile).read()) certOpts = CertificateOptions( cert.privateKey.original, cert.original, requireCertificate=False, method=SSL.SSLv23_METHOD) else: certOpts = None self.portal = portal.Portal( self.userbase, [self.userbase, checkers.AllowAnonymousAccess()]) self.factory = ESMTPFactory( self.portal, self.domain, {'CRAM-MD5': credentials.CramMD5Credentials, 'LOGIN': imap4.LOGINCredentials, }, certOpts) if self.debug: self.factory = policies.TrafficLoggingFactory(self.factory, 'smtp') return self.factory
def clientCertFor(p_name): l_signingCert = getCAPrivateCert() l_clientKey = KeyPair.generate(size = 4096) l_csr = l_clientKey.requestObject(DN(CN = p_name), "sha1") l_clientCert = l_signingCert.signRequestObject( l_csr, serialNumber = 1, digestAlgorithm = "sha1") return PrivateCertificate.fromCertificateAndKeyPair(l_clientCert, l_clientKey)
def connect(self, host=None, port=None, cert=None, key=None): ''' Connect to another portal somewhere. If retry is set, will attempt to reconnect with the target continuously. As of the time of this writing, you cannot stop a polling connection without taking down the portal. :param retry: continuously attempt to connect on drops or rejections :type retry: bool. ''' host = host if host else self.host port = port if port else self.port cert = cert if cert else self.certCa key = key if key else self.keyPrivate # ??? # the first term is the name the server is using in the cert (for now) ctx = optionsForClientTLS(u"pds.production", Certificate.loadPEM(cert), PrivateCertificate.loadPEM(key)) factory = RiffleClientFactory() SSL4ClientEndpoint(reactor, host, port, ctx,).connect(factory) print 'Connecting to ' + host + ':' + str(port) avatar = yield factory.login(self) defer.returnValue(Levy(avatar))
def getServerContext(self): """ Return a new SSL context suitable for use in a test server. """ cert = PrivateCertificate.load( self._certificateText, KeyPair.load(self._privateKeyText, FILETYPE_PEM), FILETYPE_PEM) return cert.options()
def private_certificate(self): """ Combine private key and certificate into a ``PrivateCertificate``. :return: ``PrivateCertificate`` instance. """ return PrivateCertificate.fromCertificateAndKeyPair( self.certificate, self.keypair.keypair)
def main(reactor): pemBytes = FilePath(b"ca-private-cert.pem").getContent() certificateAuthority = Certificate.loadPEM(pemBytes) myCertificate = PrivateCertificate.loadPEM(pemBytes) serverEndpoint = SSL4ServerEndpoint( reactor, 4321, myCertificate.options(certificateAuthority)) serverEndpoint.listen(Factory.forProtocol(ReportWhichClient)) return Deferred()
def clientCertFor(name): signingCert = getCAPrivateCert() clientKey = KeyPair.generate(size=4096) csr = clientKey.requestObject(DN(CN=name), "sha1") clientCert = signingCert.signRequestObject(csr, serialNumber=1, digestAlgorithm="sha1") return PrivateCertificate.fromCertificateAndKeyPair(clientCert, clientKey)
def getServerContext(self): """ Return a new SSL context suitable for use in a test server. """ pem = self._pem.getContent() cert = PrivateCertificate.load( pem, KeyPair.load(pem, FILETYPE_PEM), FILETYPE_PEM) return cert.options()
def addSubprocesses(self, fds, name, factory): super(HendrixDeployTLS, self).addSubprocesses(fds, name, factory) if name == 'main_web_ssl': privateCert = PrivateCertificate.loadPEM( open(self.options['cert']).read() + open(self.options['key']).read()) factory = TLSMemoryBIOFactory(privateCert.options(), False, factory)
def getCAPrivateCert(): l_privatePath = FilePath(b"ca-private-cert.pem") if l_privatePath.exists(): return PrivateCertificate.loadPEM(l_privatePath.getContent()) else: l_caKey = KeyPair.generate(size=4096) l_caCert = l_caKey.selfSignedCert(1, CN="the-authority") l_privatePath.setContent(l_caCert.dumpPEM()) return l_caCert
def getContextFactory(self): if SSL is None: raise RuntimeError("No SSL support: you need to install OpenSSL.") cert = PrivateCertificate.loadPEM(self.certificatePath.open().read()) certOpts = CertificateOptions(cert.privateKey.original, cert.original, requireCertificate=False, method=SSL.SSLv23_METHOD) return certOpts
def clientCertFor(p_name): l_signingCert = getCAPrivateCert() l_clientKey = KeyPair.generate(size=4096) l_csr = l_clientKey.requestObject(DN(CN=p_name), "sha1") l_clientCert = l_signingCert.signRequestObject(l_csr, serialNumber=1, digestAlgorithm="sha1") return PrivateCertificate.fromCertificateAndKeyPair( l_clientCert, l_clientKey)
def main(reactor): pemBytes = FilePath(b"ca-private-cert.pem").getContent() certificateAuthority = Certificate.loadPEM(pemBytes) myCertificate = PrivateCertificate.loadPEM(pemBytes) serverEndpoint = SSL4ServerEndpoint( reactor, 4321, myCertificate.options(certificateAuthority) ) serverEndpoint.listen(Factory.forProtocol(ReportWhichClient)) return Deferred()
def getCAPrivateCert(): privatePath = FilePath(b"ca-private-cert.pem") if privatePath.exists(): return PrivateCertificate.loadPEM(privatePath.getContent()) else: caKey = KeyPair.generate(size=4096) caCert = caKey.selfSignedCert(1, CN="the-authority") privatePath.setContent(caCert.dumpPEM()) return caCert
def addSubprocesses(self, fds, name, factory): super(HendrixDeploySSL, self).addSubprocesses(fds, name, factory) if name == 'main_web_ssl': privateCert = PrivateCertificate.loadPEM( open(self.options['cert']).read() + open(self.options['key']).read() ) factory = TLSMemoryBIOFactory( privateCert.options(), False, factory )
def createCertOptions(server): pk = None cert = None if server.cert: pc = PrivateCertificate.loadPEM(open(server.cert,"rb").read()) pk = pc.privateKey.original cert = pc.original tr = platformTrust() if server.verify else None return CertificateOptions(privateKey=pk, certificate=cert, trustRoot=tr)
def main(reactor): pem = generate_certs.and_generate() caPem = FilePath(b"ca-private-cert.pem").getContent() clientEndpoint = SSL4ClientEndpoint( reactor, u"localhost", 4321, optionsForClientTLS(u"the-authority", Certificate.loadPEM(caPem), PrivateCertificate.loadPEM(pem)), ) clientEndpoint = SSL4ClientEndpoint( reactor, u"localhost", 4321, optionsForClientTLS(u"the-authority", Certificate.loadPEM(caPem), PrivateCertificate.loadPEM(pem)), ) proto = yield clientEndpoint.connect(Factory.forProtocol(SendAnyData)) yield proto.deferred
def getContextFactory(self): if SSL is None: raise RuntimeError("No SSL support: you need to install OpenSSL.") cert = PrivateCertificate.loadPEM( self.certificatePath.open().read()) certOpts = CertificateOptions( cert.privateKey.original, cert.original, requireCertificate=False, method=SSL.SSLv23_METHOD) return certOpts
def open(self, port=None, cert=None): ''' Listen for connections on the given port. ''' port = port if port else self.port cert = cert if cert else self.certCa ca = Certificate.loadPEM(cert) myCertificate = PrivateCertificate.loadPEM(cert) SSL4ServerEndpoint(reactor, port, myCertificate.options(ca)).listen(RiffleServerFactory(self))
def start_ssl_cmd_server(): with open(settings["Agent_Cert"], 'r') as certfile: certdata = certfile.read() if settings["Agent_Priv_Key"] != settings["Agent_Cert"]: with open(settings.get("Agent_Priv_Key"), 'r') as keyfile: certdata += keyfile.read() with open(settings.get("Broker_Cert"), 'r') as f: authdata = f.read() certificate = PrivateCertificate.loadPEM(certdata) authority = Certificate.loadPEM(authdata) factory = Factory.forProtocol(CommandHandler) reactor.listenSSL(int(settings.get("Command_Port")), factory, certificate.options(authority))
def start(self, fd=None): pids = [str(os.getpid())] # script pid if fd is None: # anything in this block is only run once # TODO add global services here, possibly add a services kwarg on # __init__ self.addGlobalServices() self.hendrix.startService() if self.options['workers']: # Create a new listening port and several other processes to help out. childFDs = {0: 0, 1: 1, 2: 2} self.fds = {} for name in self.servers: port = self.hendrix.get_port(name) fd = port.fileno() childFDs[fd] = fd self.fds[name] = fd args = self.getSpawnArgs() transports = [] for i in range(self.options['workers']): transport = reactor.spawnProcess( None, executable, args, childFDs=childFDs, env=environ ) transports.append(transport) pids.append(str(transport.pid)) with open(self.pid, 'w') as pid_file: pid_file.write('\n'.join(pids)) else: # Another process created the port, drop the tcp service and # just start listening on it. fds = pickle.loads(fd) factories = {} for name in self.servers: factory = self.disownService(name) factories[name] = factory self.hendrix.startService() for name, factory in factories.iteritems(): if name == 'main_web_ssl': privateCert = PrivateCertificate.loadPEM( open(self.options['cert']).read() + open(self.options['key']).read() ) factory = TLSMemoryBIOFactory( privateCert.options(), False, factory ) port = reactor.adoptStreamPort(fds[name], AF_INET, factory) reactor.run()
def _create_tls_client_context(config, cbdir, log): """ Create a CertificateOptions object for use with TLS listening endpoints. """ # server hostname: The expected name of the remote host. hostname = config['hostname'] # explicit trust (certificate) root ca_certs = None if 'ca_certificates' in config: log.info("TLS client using explicit trust ({cnt_certs} certificates)", cnt_certs=len(config['ca_certificates'])) ca_certs = [] for cert_fname in [os.path.abspath(os.path.join(cbdir, x)) for x in (config['ca_certificates'])]: cert = crypto.load_certificate( crypto.FILETYPE_PEM, six.u(open(cert_fname, 'r').read()) ) log.info("TLS client trust root CA certificate loaded from '{fname}'", fname=cert_fname) ca_certs.append(cert) ca_certs = OpenSSLCertificateAuthorities(ca_certs) else: log.info("TLS client using platform trust") # client key/cert to use client_cert = None if 'key' in config: if 'certificate' not in config: raise Exception('TLS client key present, but certificate missing') key_fname = os.path.abspath(os.path.join(cbdir, config['key'])) with open(key_fname, 'r') as f: private_key = KeyPair.load(f.read(), format=crypto.FILETYPE_PEM) log.info("Loaded client TLS key from '{key_fname}'", key_fname=key_fname) cert_fname = os.path.abspath(os.path.join(cbdir, config['certificate'])) with open(cert_fname, 'r') as f: cert = Certificate.loadPEM(f.read(),) log.info("Loaded client TLS certificate from '{cert_fname}' (cn='{cert_cn}', sha256={cert_sha256}..)", cert_fname=cert_fname, cert_cn=cert.getSubject().CN, cert_sha256=cert.digest('sha256')[:12]) client_cert = PrivateCertificate.fromCertificateAndKeyPair(cert, private_key) else: if 'certificate' in config: log.warn('TLS client certificate present, but key is missing') # create TLS client context ctx = optionsForClientTLS(hostname, trustRoot=ca_certs, clientCertificate=client_cert) return ctx
def test_ssl(self): """ When passed an SSL strports description, L{clientFromString} returns a L{SSL4ClientEndpoint} instance initialized with the values from the string. """ reactor = object() client = endpoints.clientFromString( reactor, "ssl:host=example.net:port=4321:privateKey=%s:" "certKey=%s:bindAddress=10.0.0.3:timeout=3:caCertsDir=%s" % (escapedPEMPathName, escapedPEMPathName, escapedCAsPathName)) self.assertIsInstance(client, endpoints.SSL4ClientEndpoint) self.assertIdentical(client._reactor, reactor) self.assertEqual(client._host, "example.net") self.assertEqual(client._port, 4321) self.assertEqual(client._timeout, 3) self.assertEqual(client._bindAddress, "10.0.0.3") certOptions = client._sslContextFactory self.assertIsInstance(certOptions, CertificateOptions) ctx = certOptions.getContext() self.assertIsInstance(ctx, ContextType) self.assertEqual(Certificate(certOptions.certificate), testCertificate) privateCert = PrivateCertificate(certOptions.certificate) privateCert._setPrivateKey(KeyPair(certOptions.privateKey)) self.assertEqual(privateCert, testPrivateCertificate) expectedCerts = [ Certificate.loadPEM(x.getContent()) for x in [casPath.child("thing1.pem"), casPath.child("thing2.pem")] if x.basename().lower().endswith('.pem') ] self.assertEqual(sorted((Certificate(x) for x in certOptions.caCerts), key=lambda cert: cert.digest()), sorted(expectedCerts, key=lambda cert: cert.digest()))
def create_agent(ca_cert, client_cert, client_key): ca_certificate = Certificate.loadPEM(FilePath(ca_cert).getContent()) client_certificate = PrivateCertificate.loadPEM( FilePath(client_cert).getContent() + b"\n" + FilePath(client_key).getContent()) customPolicy = BrowserLikePolicyForHTTPSWithClientCertificate( trustRoot=ca_certificate, clientCertificate=client_certificate) pool = HTTPConnectionPool(reactor, persistent=True) agent = Agent(reactor, customPolicy, pool=pool) return agent
def __init__(self, uri, verify, timeout=600, reactor=reactor, clientCert=None): Resource.__init__(self) self._uri = URLPath.fromString(uri) self._verify = verify self._timeout = timeout self._reactor = reactor pool = HTTPConnectionPool(reactor) if clientCert is not None: clientCert = PrivateCertificate.loadPEM( FilePath(clientCert).getContent()) self._agent = Agent( reactor, StupidPolicyForHTTPS(InsecureTLSOptions(clientCert)), pool=pool)
def create_agent(ca_cert, client_cert, client_key): ca_certificate = Certificate.loadPEM(FilePath(ca_cert).getContent()) client_certificate = PrivateCertificate.loadPEM( FilePath(client_cert).getContent() + b"\n" + FilePath(client_key).getContent()) customPolicy = BrowserLikePolicyForHTTPSWithClientCertificate( trustRoot=ca_certificate, clientCertificate=client_certificate) pool = HTTPConnectionPool(reactor, persistent=True) pool.maxPersistentPerHost = CONNECTION_COUNT agent = Agent(reactor, customPolicy, pool=pool) return agent
def from_paths( cls, endpoint, private_key_path: FilePath, cert_path: FilePath ) -> "_TLSEndpointWrapper": """ Create an endpoint with the given private key and certificate paths on the filesystem. """ certificate = Certificate.loadPEM(cert_path.getContent()).original private_key = PrivateCertificate.loadPEM( cert_path.getContent() + b"\n" + private_key_path.getContent() ).privateKey.original certificate_options = CertificateOptions( privateKey=private_key, certificate=certificate ) return cls(endpoint=endpoint, context_factory=certificate_options)
def test_authenticateSucceed(self): """ L{authenticateRequest} returns C{True} if the provided client certificate has a matching hostname. """ privateCert = PrivateCertificate.loadPEM( FilePath(__file__).sibling(b'data').child(b'test.cert').getContent()) self.assertEqual( privateCert.original.get_subject().commonName, b'localhost') options = CertificateOptions( privateKey=privateCert.privateKey.original, certificate=privateCert.original) request = self.createRequest(options) self.assertEqual(True, authenticateRequest(request, u'localhost'))
def test_handshakeFailure(self): """ L{TLSMemoryBIOProtocol} reports errors in the handshake process to the application-level protocol object using its C{connectionLost} method and disconnects the underlying transport. """ clientConnectionLost = Deferred() clientFactory = ClientFactory() clientFactory.protocol = ( lambda: ConnectionLostNotifyingProtocol( clientConnectionLost)) clientContextFactory = HandshakeCallbackContextFactory() wrapperFactory = TLSMemoryBIOFactory( clientContextFactory, True, clientFactory) sslClientProtocol = wrapperFactory.buildProtocol(None) serverConnectionLost = Deferred() serverFactory = ServerFactory() serverFactory.protocol = ( lambda: ConnectionLostNotifyingProtocol( serverConnectionLost)) # This context factory rejects any clients which do not present a # certificate. certificateData = FilePath(certPath).getContent() certificate = PrivateCertificate.loadPEM(certificateData) serverContextFactory = certificate.options(certificate) wrapperFactory = TLSMemoryBIOFactory( serverContextFactory, False, serverFactory) sslServerProtocol = wrapperFactory.buildProtocol(None) connectionDeferred = loopbackAsync(sslServerProtocol, sslClientProtocol) def cbConnectionLost(protocol): # The connection should close on its own in response to the error # induced by the client not supplying the required certificate. # After that, check to make sure the protocol's connectionLost was # called with the right thing. protocol.lostConnectionReason.trap(Error) clientConnectionLost.addCallback(cbConnectionLost) serverConnectionLost.addCallback(cbConnectionLost) # Additionally, the underlying transport should have been told to # go away. return gatherResults([ clientConnectionLost, serverConnectionLost, connectionDeferred])
def agent_call(url_trustRoot): url, trustRoot = url_trustRoot if trustRoot: customPolicy = BrowserLikePolicyForHTTPS( PrivateCertificate.loadPEM(trustRoot)) agent = Agent(reactor, customPolicy) else: agent = Agent(reactor) headers = Headers({ 'User-Agent': ['Twisted Webbot'], 'Content-Type': ['text/x-greeting'] }) d = agent.request('HEAD', url, headers=headers) return d
def test_handshakeFailure(self): """ L{TLSMemoryBIOProtocol} reports errors in the handshake process to the application-level protocol object using its C{connectionLost} method and disconnects the underlying transport. """ clientConnectionLost = Deferred() clientFactory = ClientFactory() clientFactory.protocol = ( lambda: ConnectionLostNotifyingProtocol(clientConnectionLost)) clientContextFactory = HandshakeCallbackContextFactory() wrapperFactory = TLSMemoryBIOFactory(clientContextFactory, True, clientFactory) sslClientProtocol = wrapperFactory.buildProtocol(None) serverConnectionLost = Deferred() serverFactory = ServerFactory() serverFactory.protocol = ( lambda: ConnectionLostNotifyingProtocol(serverConnectionLost)) # This context factory rejects any clients which do not present a # certificate. certificateData = FilePath(certPath).getContent() certificate = PrivateCertificate.loadPEM(certificateData) serverContextFactory = certificate.options(certificate) wrapperFactory = TLSMemoryBIOFactory(serverContextFactory, False, serverFactory) sslServerProtocol = wrapperFactory.buildProtocol(None) connectionDeferred = loopbackAsync(sslServerProtocol, sslClientProtocol) def cbConnectionLost(protocol): # The connection should close on its own in response to the error # induced by the client not supplying the required certificate. # After that, check to make sure the protocol's connectionLost was # called with the right thing. protocol.lostConnectionReason.trap(Error) clientConnectionLost.addCallback(cbConnectionLost) serverConnectionLost.addCallback(cbConnectionLost) # Additionally, the underlying transport should have been told to # go away. return gatherResults( [clientConnectionLost, serverConnectionLost, connectionDeferred])
def _serviceDescription(self): """ Produce a description of the service we should start. """ ca = Certificate.loadPEM( FilePath(self.caPath.encode('utf-8')).getContent()) certBytes = FilePath(self.certPath.encode('utf-8')).getContent() cert = PrivateCertificate.loadPEM(certBytes) # Can't use PrivateCertificate.options until Twisted #6361 is fixed options = CertificateOptions( privateKey=cert.privateKey.original, certificate=cert.original, trustRoot=ca, extraCertChain=chainCerts(certBytes)) router = IndexRouter(store=self.store) return _ServiceDescription( reactor=reactor, port=self.port, interface=self.interface, options=options, router=router)
def actualTest(result): ponged = defer.Deferred() signer = self.serverService2.certificateStorage.getPrivateCertificate( self.fromDomain).privateKey req = signer.requestObject(DistinguishedName(commonName=self.toDomain)) sreq = signer.signRequestObject( DistinguishedName(commonName=self.fromDomain), req, 12345) selfSignedLie = PrivateCertificate.fromCertificateAndKeyPair( sreq, signer) self.serverService2.connectQ2Q(self.fromAddress, self.toAddress, 'pony', OneTrickPonyClientFactory(ponged), selfSignedLie, fakeFromDomain=self.toDomain).addErrback( lambda e: e.trap(q2q.VerifyError)) return self.assertFailure(ponged, q2q.VerifyError)
def _get_ssl_context(self): client_ca = get_certificate(self.client_ca_cert_path) if not client_ca: try: ca = mTLS.generate_new_certificate(is_ca_generation_request=True, ca_cert_path=self.client_ca_cert_path, username="******") if ca is not None: save_certificate(self.client_ca_cert_path, ca) client_ca = ca except Exception as e: log.error("Exception: {}".format(e)) raise e client_ca_pem = "{}\n{}".format(base64.b64decode(client_ca.get('c')), base64.b64decode(client_ca.get('k'))) certificate_authority = Certificate.loadPEM(client_ca_pem) self.server_ca_cert_path = self.server_cert_path+"_ca" server_cert = get_certificate(self.server_cert_path) server_cert_ca = get_certificate(self.server_ca_cert_path) if not server_cert: try: if not server_cert_ca: ca = mTLS.generate_new_certificate(is_ca_generation_request=True, ca_cert_path=self.server_ca_cert_path, username="******") if ca is not None: save_certificate(self.server_ca_cert_path, ca) _server_cert = mTLS.generate_new_certificate(ca_cert_path=self.server_ca_cert_path, username="******", ip=self.ip) if _server_cert is not None: save_certificate(self.server_cert_path, _server_cert) server_cert = _server_cert else: raise Exception("Server Certificate generation failed. Cert:{}".format(_server_cert)) except Exception as e: log.error("Exception: {}".format(e)) raise e server_cert_pem = "{}\n{}".format(base64.b64decode(server_cert.get('c')), base64.b64decode(server_cert.get('k'))) server_cert = PrivateCertificate.loadPEM(server_cert_pem) return server_cert.options(certificate_authority)
def _ssl_agent(self): """ Get a Twisted Agent that performs Client SSL authentication for Koji. """ # Load "cert" into a PrivateCertificate. certfile = self.lookup(self.profile, 'cert') certfile = os.path.expanduser(certfile) with open(certfile) as certfp: pemdata = certfp.read() client_cert = PrivateCertificate.loadPEM(pemdata) trustRoot = None # Use Twisted's platformTrust(). # Optionally load "serverca" into a Certificate. servercafile = self.lookup(self.profile, 'serverca') if servercafile: servercafile = os.path.expanduser(servercafile) trustRoot = RootCATrustRoot(servercafile) policy = ClientCertPolicy(trustRoot=trustRoot, client_cert=client_cert) return Agent(reactor, policy)
def actualTest(result): ponged = defer.Deferred() signer = self.serverService2.certificateStorage.getPrivateCertificate( self.fromDomain).privateKey req = signer.requestObject( DistinguishedName(commonName=self.toDomain)) sreq = signer.signRequestObject( DistinguishedName(commonName=self.fromDomain), req, 12345) selfSignedLie = PrivateCertificate.fromCertificateAndKeyPair( sreq, signer) self.serverService2.connectQ2Q( self.fromAddress, self.toAddress, 'pony', OneTrickPonyClientFactory(ponged), selfSignedLie, fakeFromDomain=self.toDomain).addErrback( lambda e: e.trap(q2q.VerifyError)) return self.assertFailure(ponged, q2q.VerifyError)
def getFactory(self): if self.factory is None: if self.certificateFile is not None: cert = PrivateCertificate.loadPEM( file(self.certificateFile).read()) certOpts = CertificateOptions(cert.privateKey.original, cert.original, requireCertificate=False, method=SSL.SSLv23_METHOD) else: certOpts = None self.portal = portal.Portal( self.userbase, [self.userbase, checkers.AllowAnonymousAccess()]) self.factory = ESMTPFactory( self.portal, self.domain, { 'CRAM-MD5': credentials.CramMD5Credentials, 'LOGIN': imap4.LOGINCredentials, }, certOpts) if self.debug: self.factory = policies.TrafficLoggingFactory( self.factory, 'smtp') return self.factory
def __init__(self, publicPath, privatePath, csrPath, key, cert, issuer): self.publicPath = publicPath self.privatePath = privatePath self.csrPath = csrPath self.cert = PrivateCertificate.fromCertificateAndKeyPair(cert, key) self.issuer = issuer
def create_connecting_endpoint_from_config(config, cbdir, reactor): """ Create a Twisted stream client endpoint from a Crossbar.io transport configuration. See: https://twistedmatrix.com/documents/current/api/twisted.internet.interfaces.IStreamClientEndpoint.html :param config: The transport configuration. :type config: dict :param cbdir: Crossbar.io node directory (we need this for Unix domain socket paths and TLS key/certificates). :type cbdir: str :param reactor: The reactor to use for endpoint creation. :type reactor: obj :returns obj -- An instance implementing IStreamClientEndpoint """ endpoint = None log = make_logger() # a TCP endpoint # if config['type'] == 'tcp': # the TCP protocol version (v4 or v6) # version = int(config.get('version', 4)) # the host to connect to # host = str(config['host']) # the port to connect to # port = int(config['port']) # connection timeout in seconds # timeout = int(config.get('timeout', 10)) if 'tls' in config: if _HAS_TLS: # if the config specified any CA certificates, we use those (only!) if 'ca_certificates' in config['tls']: ca_certs = [] for cert_fname in config['tls']['ca_certificates']: cert = crypto.load_certificate( crypto.FILETYPE_PEM, six.u(open(cert_fname, 'r').read())) log.info("Loaded CA certificate '{fname}'", fname=cert_fname) ca_certs.append(cert) client_cert = None if 'key' in config['tls']: with open(config['tls']['certificate'], 'r') as f: cert = Certificate.loadPEM(f.read(), ) log.info( "{fname}: CN={subj.CN}, sha={sha}", fname=config['tls']['certificate'], subj=cert.getSubject(), sha=cert.digest('sha'), ) with open(config['tls']['key'], 'r') as f: private_key = KeyPair.load( f.read(), format=crypto.FILETYPE_PEM, ) log.info( "{fname}: {key}", fname=config['tls']['key'], key=private_key.inspect(), ) client_cert = PrivateCertificate.fromCertificateAndKeyPair( cert, private_key) # XXX OpenSSLCertificateAuthorities is a "private" # class, in _sslverify, so we shouldn't really be # using it. However, while you can pass a single # Certificate as trustRoot= there's no way to pass # multiple ones. # XXX ...but maybe the config should only allow # the user to configure a single cert to trust # here anyway? options = optionsForClientTLS( config['tls']['hostname'], trustRoot=OpenSSLCertificateAuthorities(ca_certs), clientCertificate=client_cert, ) else: options = optionsForClientTLS(config['tls']['hostname']) # create a TLS client endpoint # if version == 4: endpoint = SSL4ClientEndpoint( reactor, host, port, options, timeout=timeout, ) elif version == 6: raise Exception("TLS on IPv6 not implemented") else: raise Exception( "invalid TCP protocol version {}".format(version)) else: raise Exception( "TLS transport requested, but TLS packages not available:\n{}" .format(_LACKS_TLS_MSG)) else: # create a non-TLS client endpoint # if version == 4: endpoint = TCP4ClientEndpoint(reactor, host, port, timeout=timeout) elif version == 6: endpoint = TCP6ClientEndpoint(reactor, host, port, timeout=timeout) else: raise Exception( "invalid TCP protocol version {}".format(version)) # a Unix Domain Socket endpoint # elif config['type'] == 'unix': # the path # path = abspath(join(cbdir, config['path'])) # connection timeout in seconds # timeout = int(config.get('timeout', 10)) # create the endpoint # endpoint = UNIXClientEndpoint(reactor, path, timeout=timeout) else: raise Exception("invalid endpoint type '{}'".format(config['type'])) return endpoint
""" from twisted.internet.protocol import ServerFactory from twisted.internet.endpoints import SSL4ClientEndpoint from twisted.internet.ssl import ( DN, KeyPair, PrivateCertificate, CertificateOptions) from twisted.protocols.wire import Echo from tcp_throughput import Client, driver # Generate a new self-signed certificate key = KeyPair.generate(size=2048) req = key.certificateRequest(DN(commonName='localhost'), digestAlgorithm='sha1') cert = PrivateCertificate.load( key.signCertificateRequest( DN(commonName='localhost'), req, lambda dn: True, 1, digestAlgorithm='sha1'), key) def main(reactor, duration): chunkSize = 16384 server = ServerFactory() server.protocol = Echo port = reactor.listenSSL(0, server, cert.options()) client = Client( reactor, SSL4ClientEndpoint( reactor, '127.0.0.1', port.getHost().port, CertificateOptions(
def loadCertificate(certData): cert = PrivateCertificate.loadPEM(certData) return cert
def load_options(path): certificate = open(join(path, Certificate.CERTIFICATE_FILE), "rb").read() + \ open(join(path, Certificate.PRIVATE_KEY_FILE), "rb").read() pem = PrivateCertificate.loadPEM(certificate) return pem.options()
from twisted import plugins from twisted.python.modules import getModule from twisted.python.filepath import FilePath pemPath = getModule("twisted.test").filePath.sibling("server.pem") casPath = getModule(__name__).filePath.sibling("fake_CAs") escapedPEMPathName = endpoints.quoteStringArgument(pemPath.path) escapedCAsPathName = endpoints.quoteStringArgument(casPath.path) try: from twisted.test.test_sslverify import makeCertificate from twisted.internet.ssl import CertificateOptions, Certificate, \ KeyPair, PrivateCertificate from OpenSSL.SSL import ContextType testCertificate = Certificate.loadPEM(pemPath.getContent()) testPrivateCertificate = PrivateCertificate.loadPEM(pemPath.getContent()) skipSSL = False except ImportError: skipSSL = "OpenSSL is required to construct SSL Endpoints" class TestProtocol(Protocol): """ Protocol whose only function is to callback deferreds on the factory when it is connected or disconnected. """ def __init__(self): self.data = [] self.connectionsLost = [] self.connectionMadeCalls = 0
def get_client_certificate(key_file, certificate_file) -> PrivateCertificate: with open(key_file, 'r') as key, open(certificate_file, 'r') as certificate: pem = ''.join(key.readlines()) + ''.join(certificate.readlines()) return PrivateCertificate.loadPEM(pem)
def __init__(self, pem): if pem is None: self._clientCertificate = None else: self._clientCertificate = PrivateCertificate.loadPEM(pem)
from twisted.test.proto_helpers import ( MemoryReactor, RaisingMemoryReactor, StringTransport) from twisted.internet.protocol import ClientFactory, Protocol from twisted.internet.address import IPv4Address, IPv6Address from twisted.internet import (_endpointspy3 as endpoints, error, defer, interfaces, reactor) from twisted.test import __file__ as testInitPath pemPath = FilePath(testInitPath.encode("utf-8")).sibling(b"server.pem") try: from twisted.test.test_sslverify import makeCertificate from twisted.internet.ssl import (CertificateOptions, Certificate, PrivateCertificate) testCertificate = Certificate.loadPEM(pemPath.getContent()) testPrivateCertificate = PrivateCertificate.loadPEM(pemPath.getContent()) skipSSL = False except ImportError: skipSSL = "OpenSSL is required to construct SSL Endpoints" class TestProtocol(Protocol): """ Protocol whose only function is to callback deferreds on the factory when it is connected or disconnected. """ def __init__(self): self.data = [] self.connectionsLost = []
def creatorForNetloc(self, hostname, port): client_cert = PrivateCertificate.loadPEM(pkcs12.pkey_pem + pkcs12.cert_pem) return ssl.optionsForClientTLS(pkcs12.hostname, clientCertificate=client_cert)