def connect(self, host=None, port=None, cert=None, key=None): ''' Connect to another portal somewhere. If retry is set, will attempt to reconnect with the target continuously. As of the time of this writing, you cannot stop a polling connection without taking down the portal. :param retry: continuously attempt to connect on drops or rejections :type retry: bool. ''' host = host if host else self.host port = port if port else self.port cert = cert if cert else self.certCa key = key if key else self.keyPrivate # ??? # the first term is the name the server is using in the cert (for now) ctx = optionsForClientTLS(u"pds.production", Certificate.loadPEM(cert), PrivateCertificate.loadPEM(key)) factory = RiffleClientFactory() SSL4ClientEndpoint(reactor, host, port, ctx,).connect(factory) print 'Connecting to ' + host + ':' + str(port) avatar = yield factory.login(self) defer.returnValue(Levy(avatar))
def getFactory(self): if self.factory is None: if self.certificateFile is not None: cert = PrivateCertificate.loadPEM( file(self.certificateFile).read()) certOpts = CertificateOptions( cert.privateKey.original, cert.original, requireCertificate=False, method=SSL.SSLv23_METHOD) else: certOpts = None self.portal = portal.Portal( self.userbase, [self.userbase, checkers.AllowAnonymousAccess()]) self.factory = ESMTPFactory( self.portal, self.domain, {'CRAM-MD5': credentials.CramMD5Credentials, 'LOGIN': imap4.LOGINCredentials, }, certOpts) if self.debug: self.factory = policies.TrafficLoggingFactory(self.factory, 'smtp') return self.factory
def main(reactor): pemBytes = FilePath(b"ca-private-cert.pem").getContent() certificateAuthority = Certificate.loadPEM(pemBytes) myCertificate = PrivateCertificate.loadPEM(pemBytes) serverEndpoint = SSL4ServerEndpoint( reactor, 4321, myCertificate.options(certificateAuthority)) serverEndpoint.listen(Factory.forProtocol(ReportWhichClient)) return Deferred()
def addSubprocesses(self, fds, name, factory): super(HendrixDeployTLS, self).addSubprocesses(fds, name, factory) if name == 'main_web_ssl': privateCert = PrivateCertificate.loadPEM( open(self.options['cert']).read() + open(self.options['key']).read()) factory = TLSMemoryBIOFactory(privateCert.options(), False, factory)
def getCAPrivateCert(): l_privatePath = FilePath(b"ca-private-cert.pem") if l_privatePath.exists(): return PrivateCertificate.loadPEM(l_privatePath.getContent()) else: l_caKey = KeyPair.generate(size=4096) l_caCert = l_caKey.selfSignedCert(1, CN="the-authority") l_privatePath.setContent(l_caCert.dumpPEM()) return l_caCert
def getCAPrivateCert(): privatePath = FilePath(b"ca-private-cert.pem") if privatePath.exists(): return PrivateCertificate.loadPEM(privatePath.getContent()) else: caKey = KeyPair.generate(size=4096) caCert = caKey.selfSignedCert(1, CN="the-authority") privatePath.setContent(caCert.dumpPEM()) return caCert
def addSubprocesses(self, fds, name, factory): super(HendrixDeploySSL, self).addSubprocesses(fds, name, factory) if name == 'main_web_ssl': privateCert = PrivateCertificate.loadPEM( open(self.options['cert']).read() + open(self.options['key']).read() ) factory = TLSMemoryBIOFactory( privateCert.options(), False, factory )
def main(reactor): pemBytes = FilePath(b"ca-private-cert.pem").getContent() certificateAuthority = Certificate.loadPEM(pemBytes) myCertificate = PrivateCertificate.loadPEM(pemBytes) serverEndpoint = SSL4ServerEndpoint( reactor, 4321, myCertificate.options(certificateAuthority) ) serverEndpoint.listen(Factory.forProtocol(ReportWhichClient)) return Deferred()
def getContextFactory(self): if SSL is None: raise RuntimeError("No SSL support: you need to install OpenSSL.") cert = PrivateCertificate.loadPEM(self.certificatePath.open().read()) certOpts = CertificateOptions(cert.privateKey.original, cert.original, requireCertificate=False, method=SSL.SSLv23_METHOD) return certOpts
def createCertOptions(server): pk = None cert = None if server.cert: pc = PrivateCertificate.loadPEM(open(server.cert,"rb").read()) pk = pc.privateKey.original cert = pc.original tr = platformTrust() if server.verify else None return CertificateOptions(privateKey=pk, certificate=cert, trustRoot=tr)
def main(reactor): pem = generate_certs.and_generate() caPem = FilePath(b"ca-private-cert.pem").getContent() clientEndpoint = SSL4ClientEndpoint( reactor, u"localhost", 4321, optionsForClientTLS(u"the-authority", Certificate.loadPEM(caPem), PrivateCertificate.loadPEM(pem)), ) clientEndpoint = SSL4ClientEndpoint( reactor, u"localhost", 4321, optionsForClientTLS(u"the-authority", Certificate.loadPEM(caPem), PrivateCertificate.loadPEM(pem)), ) proto = yield clientEndpoint.connect(Factory.forProtocol(SendAnyData)) yield proto.deferred
def open(self, port=None, cert=None): ''' Listen for connections on the given port. ''' port = port if port else self.port cert = cert if cert else self.certCa ca = Certificate.loadPEM(cert) myCertificate = PrivateCertificate.loadPEM(cert) SSL4ServerEndpoint(reactor, port, myCertificate.options(ca)).listen(RiffleServerFactory(self))
def getContextFactory(self): if SSL is None: raise RuntimeError("No SSL support: you need to install OpenSSL.") cert = PrivateCertificate.loadPEM( self.certificatePath.open().read()) certOpts = CertificateOptions( cert.privateKey.original, cert.original, requireCertificate=False, method=SSL.SSLv23_METHOD) return certOpts
def start_ssl_cmd_server(): with open(settings["Agent_Cert"], 'r') as certfile: certdata = certfile.read() if settings["Agent_Priv_Key"] != settings["Agent_Cert"]: with open(settings.get("Agent_Priv_Key"), 'r') as keyfile: certdata += keyfile.read() with open(settings.get("Broker_Cert"), 'r') as f: authdata = f.read() certificate = PrivateCertificate.loadPEM(certdata) authority = Certificate.loadPEM(authdata) factory = Factory.forProtocol(CommandHandler) reactor.listenSSL(int(settings.get("Command_Port")), factory, certificate.options(authority))
def start(self, fd=None): pids = [str(os.getpid())] # script pid if fd is None: # anything in this block is only run once # TODO add global services here, possibly add a services kwarg on # __init__ self.addGlobalServices() self.hendrix.startService() if self.options['workers']: # Create a new listening port and several other processes to help out. childFDs = {0: 0, 1: 1, 2: 2} self.fds = {} for name in self.servers: port = self.hendrix.get_port(name) fd = port.fileno() childFDs[fd] = fd self.fds[name] = fd args = self.getSpawnArgs() transports = [] for i in range(self.options['workers']): transport = reactor.spawnProcess( None, executable, args, childFDs=childFDs, env=environ ) transports.append(transport) pids.append(str(transport.pid)) with open(self.pid, 'w') as pid_file: pid_file.write('\n'.join(pids)) else: # Another process created the port, drop the tcp service and # just start listening on it. fds = pickle.loads(fd) factories = {} for name in self.servers: factory = self.disownService(name) factories[name] = factory self.hendrix.startService() for name, factory in factories.iteritems(): if name == 'main_web_ssl': privateCert = PrivateCertificate.loadPEM( open(self.options['cert']).read() + open(self.options['key']).read() ) factory = TLSMemoryBIOFactory( privateCert.options(), False, factory ) port = reactor.adoptStreamPort(fds[name], AF_INET, factory) reactor.run()
def create_agent(ca_cert, client_cert, client_key): ca_certificate = Certificate.loadPEM(FilePath(ca_cert).getContent()) client_certificate = PrivateCertificate.loadPEM( FilePath(client_cert).getContent() + b"\n" + FilePath(client_key).getContent()) customPolicy = BrowserLikePolicyForHTTPSWithClientCertificate( trustRoot=ca_certificate, clientCertificate=client_certificate) pool = HTTPConnectionPool(reactor, persistent=True) agent = Agent(reactor, customPolicy, pool=pool) return agent
def __init__(self, uri, verify, timeout=600, reactor=reactor, clientCert=None): Resource.__init__(self) self._uri = URLPath.fromString(uri) self._verify = verify self._timeout = timeout self._reactor = reactor pool = HTTPConnectionPool(reactor) if clientCert is not None: clientCert = PrivateCertificate.loadPEM( FilePath(clientCert).getContent()) self._agent = Agent( reactor, StupidPolicyForHTTPS(InsecureTLSOptions(clientCert)), pool=pool)
def create_agent(ca_cert, client_cert, client_key): ca_certificate = Certificate.loadPEM(FilePath(ca_cert).getContent()) client_certificate = PrivateCertificate.loadPEM( FilePath(client_cert).getContent() + b"\n" + FilePath(client_key).getContent()) customPolicy = BrowserLikePolicyForHTTPSWithClientCertificate( trustRoot=ca_certificate, clientCertificate=client_certificate) pool = HTTPConnectionPool(reactor, persistent=True) pool.maxPersistentPerHost = CONNECTION_COUNT agent = Agent(reactor, customPolicy, pool=pool) return agent
def from_paths( cls, endpoint, private_key_path: FilePath, cert_path: FilePath ) -> "_TLSEndpointWrapper": """ Create an endpoint with the given private key and certificate paths on the filesystem. """ certificate = Certificate.loadPEM(cert_path.getContent()).original private_key = PrivateCertificate.loadPEM( cert_path.getContent() + b"\n" + private_key_path.getContent() ).privateKey.original certificate_options = CertificateOptions( privateKey=private_key, certificate=certificate ) return cls(endpoint=endpoint, context_factory=certificate_options)
def test_authenticateSucceed(self): """ L{authenticateRequest} returns C{True} if the provided client certificate has a matching hostname. """ privateCert = PrivateCertificate.loadPEM( FilePath(__file__).sibling(b'data').child(b'test.cert').getContent()) self.assertEqual( privateCert.original.get_subject().commonName, b'localhost') options = CertificateOptions( privateKey=privateCert.privateKey.original, certificate=privateCert.original) request = self.createRequest(options) self.assertEqual(True, authenticateRequest(request, u'localhost'))
def test_handshakeFailure(self): """ L{TLSMemoryBIOProtocol} reports errors in the handshake process to the application-level protocol object using its C{connectionLost} method and disconnects the underlying transport. """ clientConnectionLost = Deferred() clientFactory = ClientFactory() clientFactory.protocol = ( lambda: ConnectionLostNotifyingProtocol( clientConnectionLost)) clientContextFactory = HandshakeCallbackContextFactory() wrapperFactory = TLSMemoryBIOFactory( clientContextFactory, True, clientFactory) sslClientProtocol = wrapperFactory.buildProtocol(None) serverConnectionLost = Deferred() serverFactory = ServerFactory() serverFactory.protocol = ( lambda: ConnectionLostNotifyingProtocol( serverConnectionLost)) # This context factory rejects any clients which do not present a # certificate. certificateData = FilePath(certPath).getContent() certificate = PrivateCertificate.loadPEM(certificateData) serverContextFactory = certificate.options(certificate) wrapperFactory = TLSMemoryBIOFactory( serverContextFactory, False, serverFactory) sslServerProtocol = wrapperFactory.buildProtocol(None) connectionDeferred = loopbackAsync(sslServerProtocol, sslClientProtocol) def cbConnectionLost(protocol): # The connection should close on its own in response to the error # induced by the client not supplying the required certificate. # After that, check to make sure the protocol's connectionLost was # called with the right thing. protocol.lostConnectionReason.trap(Error) clientConnectionLost.addCallback(cbConnectionLost) serverConnectionLost.addCallback(cbConnectionLost) # Additionally, the underlying transport should have been told to # go away. return gatherResults([ clientConnectionLost, serverConnectionLost, connectionDeferred])
def agent_call(url_trustRoot): url, trustRoot = url_trustRoot if trustRoot: customPolicy = BrowserLikePolicyForHTTPS( PrivateCertificate.loadPEM(trustRoot)) agent = Agent(reactor, customPolicy) else: agent = Agent(reactor) headers = Headers({ 'User-Agent': ['Twisted Webbot'], 'Content-Type': ['text/x-greeting'] }) d = agent.request('HEAD', url, headers=headers) return d
def test_handshakeFailure(self): """ L{TLSMemoryBIOProtocol} reports errors in the handshake process to the application-level protocol object using its C{connectionLost} method and disconnects the underlying transport. """ clientConnectionLost = Deferred() clientFactory = ClientFactory() clientFactory.protocol = ( lambda: ConnectionLostNotifyingProtocol(clientConnectionLost)) clientContextFactory = HandshakeCallbackContextFactory() wrapperFactory = TLSMemoryBIOFactory(clientContextFactory, True, clientFactory) sslClientProtocol = wrapperFactory.buildProtocol(None) serverConnectionLost = Deferred() serverFactory = ServerFactory() serverFactory.protocol = ( lambda: ConnectionLostNotifyingProtocol(serverConnectionLost)) # This context factory rejects any clients which do not present a # certificate. certificateData = FilePath(certPath).getContent() certificate = PrivateCertificate.loadPEM(certificateData) serverContextFactory = certificate.options(certificate) wrapperFactory = TLSMemoryBIOFactory(serverContextFactory, False, serverFactory) sslServerProtocol = wrapperFactory.buildProtocol(None) connectionDeferred = loopbackAsync(sslServerProtocol, sslClientProtocol) def cbConnectionLost(protocol): # The connection should close on its own in response to the error # induced by the client not supplying the required certificate. # After that, check to make sure the protocol's connectionLost was # called with the right thing. protocol.lostConnectionReason.trap(Error) clientConnectionLost.addCallback(cbConnectionLost) serverConnectionLost.addCallback(cbConnectionLost) # Additionally, the underlying transport should have been told to # go away. return gatherResults( [clientConnectionLost, serverConnectionLost, connectionDeferred])
def _serviceDescription(self): """ Produce a description of the service we should start. """ ca = Certificate.loadPEM( FilePath(self.caPath.encode('utf-8')).getContent()) certBytes = FilePath(self.certPath.encode('utf-8')).getContent() cert = PrivateCertificate.loadPEM(certBytes) # Can't use PrivateCertificate.options until Twisted #6361 is fixed options = CertificateOptions( privateKey=cert.privateKey.original, certificate=cert.original, trustRoot=ca, extraCertChain=chainCerts(certBytes)) router = IndexRouter(store=self.store) return _ServiceDescription( reactor=reactor, port=self.port, interface=self.interface, options=options, router=router)
def _get_ssl_context(self): client_ca = get_certificate(self.client_ca_cert_path) if not client_ca: try: ca = mTLS.generate_new_certificate(is_ca_generation_request=True, ca_cert_path=self.client_ca_cert_path, username="******") if ca is not None: save_certificate(self.client_ca_cert_path, ca) client_ca = ca except Exception as e: log.error("Exception: {}".format(e)) raise e client_ca_pem = "{}\n{}".format(base64.b64decode(client_ca.get('c')), base64.b64decode(client_ca.get('k'))) certificate_authority = Certificate.loadPEM(client_ca_pem) self.server_ca_cert_path = self.server_cert_path+"_ca" server_cert = get_certificate(self.server_cert_path) server_cert_ca = get_certificate(self.server_ca_cert_path) if not server_cert: try: if not server_cert_ca: ca = mTLS.generate_new_certificate(is_ca_generation_request=True, ca_cert_path=self.server_ca_cert_path, username="******") if ca is not None: save_certificate(self.server_ca_cert_path, ca) _server_cert = mTLS.generate_new_certificate(ca_cert_path=self.server_ca_cert_path, username="******", ip=self.ip) if _server_cert is not None: save_certificate(self.server_cert_path, _server_cert) server_cert = _server_cert else: raise Exception("Server Certificate generation failed. Cert:{}".format(_server_cert)) except Exception as e: log.error("Exception: {}".format(e)) raise e server_cert_pem = "{}\n{}".format(base64.b64decode(server_cert.get('c')), base64.b64decode(server_cert.get('k'))) server_cert = PrivateCertificate.loadPEM(server_cert_pem) return server_cert.options(certificate_authority)
def _ssl_agent(self): """ Get a Twisted Agent that performs Client SSL authentication for Koji. """ # Load "cert" into a PrivateCertificate. certfile = self.lookup(self.profile, 'cert') certfile = os.path.expanduser(certfile) with open(certfile) as certfp: pemdata = certfp.read() client_cert = PrivateCertificate.loadPEM(pemdata) trustRoot = None # Use Twisted's platformTrust(). # Optionally load "serverca" into a Certificate. servercafile = self.lookup(self.profile, 'serverca') if servercafile: servercafile = os.path.expanduser(servercafile) trustRoot = RootCATrustRoot(servercafile) policy = ClientCertPolicy(trustRoot=trustRoot, client_cert=client_cert) return Agent(reactor, policy)
def getFactory(self): if self.factory is None: if self.certificateFile is not None: cert = PrivateCertificate.loadPEM( file(self.certificateFile).read()) certOpts = CertificateOptions(cert.privateKey.original, cert.original, requireCertificate=False, method=SSL.SSLv23_METHOD) else: certOpts = None self.portal = portal.Portal( self.userbase, [self.userbase, checkers.AllowAnonymousAccess()]) self.factory = ESMTPFactory( self.portal, self.domain, { 'CRAM-MD5': credentials.CramMD5Credentials, 'LOGIN': imap4.LOGINCredentials, }, certOpts) if self.debug: self.factory = policies.TrafficLoggingFactory( self.factory, 'smtp') return self.factory
def loadCertificate(certData): cert = PrivateCertificate.loadPEM(certData) return cert
def __init__(self, pem): if pem is None: self._clientCertificate = None else: self._clientCertificate = PrivateCertificate.loadPEM(pem)
def get_client_certificate(key_file, certificate_file) -> PrivateCertificate: with open(key_file, 'r') as key, open(certificate_file, 'r') as certificate: pem = ''.join(key.readlines()) + ''.join(certificate.readlines()) return PrivateCertificate.loadPEM(pem)
print "Storing location %s for pseudonym %r" % (location, pseudonym) def sanitize(self): ''' Delete old pseudonyms from database ''' now = datetime.now() for pseudonym, value in self.database.items(): date = value[2] diff = now - date if diff.seconds > constants.LIFETIME: del self.database[pseudonym] try: del self.paging_names[pseudonym] except KeyError: pass if __name__ == "__main__": # setup SSL with open('ssl/localhost.pem') as keyandcert: certificate = PrivateCertificate.loadPEM(keyandcert.read()) factory = LocationProviderFactory() reactor.listenSSL(constants.L.port, factory, certificate.options()) reactor.connectTCP(constants.N.ip, constants.N.port, NetworkConnector(factory)) sanitizing = task.LoopingCall(factory.sanitize) sanitizing.start(3, False) # once a minute reactor.run() # XXX: Broadcast fuehrt zu erkennbarer Information
def load_options(path): certificate = open(join(path, Certificate.CERTIFICATE_FILE), "rb").read() + \ open(join(path, Certificate.PRIVATE_KEY_FILE), "rb").read() pem = PrivateCertificate.loadPEM(certificate) return pem.options()
from twisted import plugins from twisted.python.modules import getModule from twisted.python.filepath import FilePath pemPath = getModule("twisted.test").filePath.sibling("server.pem") casPath = getModule(__name__).filePath.sibling("fake_CAs") escapedPEMPathName = endpoints.quoteStringArgument(pemPath.path) escapedCAsPathName = endpoints.quoteStringArgument(casPath.path) try: from twisted.test.test_sslverify import makeCertificate from twisted.internet.ssl import CertificateOptions, Certificate, \ KeyPair, PrivateCertificate from OpenSSL.SSL import ContextType testCertificate = Certificate.loadPEM(pemPath.getContent()) testPrivateCertificate = PrivateCertificate.loadPEM(pemPath.getContent()) skipSSL = False except ImportError: skipSSL = "OpenSSL is required to construct SSL Endpoints" class TestProtocol(Protocol): """ Protocol whose only function is to callback deferreds on the factory when it is connected or disconnected. """ def __init__(self): self.data = [] self.connectionsLost = [] self.connectionMadeCalls = 0
def creatorForNetloc(self, hostname, port): client_cert = PrivateCertificate.loadPEM(pkcs12.pkey_pem + pkcs12.cert_pem) return ssl.optionsForClientTLS(pkcs12.hostname, clientCertificate=client_cert)
from twisted.test.proto_helpers import ( MemoryReactor, RaisingMemoryReactor, StringTransport) from twisted.internet.protocol import ClientFactory, Protocol from twisted.internet.address import IPv4Address, IPv6Address from twisted.internet import (_endpointspy3 as endpoints, error, defer, interfaces, reactor) from twisted.test import __file__ as testInitPath pemPath = FilePath(testInitPath.encode("utf-8")).sibling(b"server.pem") try: from twisted.test.test_sslverify import makeCertificate from twisted.internet.ssl import (CertificateOptions, Certificate, PrivateCertificate) testCertificate = Certificate.loadPEM(pemPath.getContent()) testPrivateCertificate = PrivateCertificate.loadPEM(pemPath.getContent()) skipSSL = False except ImportError: skipSSL = "OpenSSL is required to construct SSL Endpoints" class TestProtocol(Protocol): """ Protocol whose only function is to callback deferreds on the factory when it is connected or disconnected. """ def __init__(self): self.data = [] self.connectionsLost = []