def ec_error():
    # type: () -> None
    """Raise ``ECError`` describing the error at the head of OpenSSL's error queue.

    This function always raises and never returns (the original ``-> ECError``
    type comment described the exception, not a return value).  Only a single
    queued error is consumed per call, so any further entries remain queued for
    whoever inspects the queue next.
    """
    code = m2.err_get_error()
    reason = m2.err_reason_error_string(code)
    raise ECError(reason)
def rsa_error():
    # type: () -> None
    """Raise ``RSAError`` carrying the reason string of OpenSSL's oldest queued error.

    Always raises.  Exactly one error-queue entry is read, so a caller that
    may have accumulated several errors should expect the rest to remain
    queued (they would then be attributed to a later, unrelated operation).
    """
    reason = m2.err_reason_error_string(m2.err_get_error())
    raise RSAError(reason)
def rsa_error():
    """Translate the head of the OpenSSL error queue into an ``RSAError`` and raise it.

    Never returns.  Reads one queue entry only.
    """
    err_code = m2.err_get_error()
    raise RSAError(m2.err_reason_error_string(err_code))
 def _m2_check_err(self, r=None, cls=TLSError):
     """Return ``r`` unchanged unless OpenSSL's error queue holds an entry.

     Intended to wrap the return value of a low-level ``m2`` call:
     ``self._m2_check_err(m2.some_call(...))``.

     Args:
         r: value to pass through on success; ``r`` itself is never
             inspected, so a failing call that leaves the queue empty is
             not detected here.
         cls: exception class raised on error (default ``TLSError``).

     Raises:
         cls: built from the reason string of the *first* queued error only.
             Any further queued entries are left in place.  Because the
             queue is not cleared before the wrapped call, a stale error
             from an earlier unrelated operation will be reported as if it
             belonged to this one — callers should keep the queue clean.
     """
     if not m2.err_peek_error():
         return r
     reason = m2.err_reason_error_string(m2.err_get_error())
     raise cls(reason)
def get_error_code():
    # type: () -> int
    """Return the next OpenSSL error code from the thread's error queue.

    Thin wrapper over ``m2.err_get_error``; presumably follows OpenSSL's
    ``ERR_get_error()`` semantics (the entry is consumed on read, 0 when the
    queue is empty) — so call it once per error you want to inspect.
    """
    code = m2.err_get_error()
    return code
def ec_error():
    # type: () -> None
    """Raise ``ECError`` for the oldest queued OpenSSL error.

    Never returns; one error-queue entry is consumed per call, the rest (if
    any) stay queued.
    """
    message = m2.err_reason_error_string(m2.err_get_error())
    raise ECError(message)
            #ctx.set_verify(M2Crypto.SSL.verify_none, 10)
            if not self._cafile:
                # Verification was requested but on CA bundle found, therefore
                # impossible to verify.
                raise TLSError('CA bundle not found but verification requested.')
            else:
                # Load CA bundle.
                ctx.load_verify_locations(self._cafile)
                # M2Crypto does no error checking on this function, and at
                # least on my system it yields the delightfully inscrutable
                # "cert already in hash table" error (perhaps my distro's
                # CA bundle has duplicate certs?).  It doesn't seem there's
                # anything that can be done about it, so just eat it.
                # (There may be multiple such errors, so clear them all.)
                while True:
                    err = m2.err_get_error()
                    if not err:
                        break
                    # The magic number is X509_R_CERT_ALREADY_IN_HASH_TABLE, which
                    # is a constant that m2crypto doesn't export. :/
                    if err != 185057381:
                        raise TLSError(m2.err_reason_error_string(err))


        # Create a lower level (SWIG) SSL object using this context.
        self._ssl = _SSLWrapper(m2.ssl_new(ctx.ctx))
        if kwargs['client']:
            self._m2_check_err(m2.ssl_set_connect_state(self._ssl.obj))
        else:
            self._m2_check_err(m2.ssl_set_accept_state(self._ssl.obj))
            if not self._cafile:
                # Verification was requested but on CA bundle found, therefore
                # impossible to verify.
                raise TLSError(
                    'CA bundle not found but verification requested.')
            else:
                # Load CA bundle.
                ctx.load_verify_locations(self._cafile)
                # M2Crypto does no error checking on this function, and at
                # least on my system it yields the delightfully inscrutable
                # "cert already in hash table" error (perhaps my distro's
                # CA bundle has duplicate certs?).  It doesn't seem there's
                # anything that can be done about it, so just eat it.
                # (There may be multiple such errors, so clear them all.)
                while True:
                    err = m2.err_get_error()
                    if not err:
                        break
                    # The magic number is X509_R_CERT_ALREADY_IN_HASH_TABLE, which
                    # is a constant that m2crypto doesn't export. :/
                    if err != 185057381:
                        raise TLSError(m2.err_reason_error_string(err))

        # Create a lower level (SWIG) SSL object using this context.
        self._ssl = _SSLWrapper(m2.ssl_new(ctx.ctx))
        if kwargs['client']:
            self._m2_check_err(m2.ssl_set_connect_state(self._ssl.obj))
        else:
            self._m2_check_err(m2.ssl_set_accept_state(self._ssl.obj))

        # Setup the BIO pair.  This diagram is instructive:
 def _m2_check_err(self, r=None, cls=TLSError):
     """Pass ``r`` through, or raise ``cls`` if OpenSSL has queued an error.

     Only the error queue is consulted; ``r`` is not examined, so this
     detects failures solely through queued OpenSSL errors.  Just the
     first queued entry is reported and removed — remaining entries, and
     any stale error left over from an earlier call, are not handled here
     and may be mis-attributed later.

     Args:
         r: value returned when no error is queued.
         cls: exception type to raise (default ``TLSError``).
     """
     pending = m2.err_peek_error()
     if pending:
         raise cls(m2.err_reason_error_string(m2.err_get_error()))
     return r
def get_error_code():
    # type: () -> int
    """Pop and return the next queued OpenSSL error code via ``m2.err_get_error``.

    Presumably 0 when nothing is queued (OpenSSL ``ERR_get_error`` semantics).
    """
    return int(m2.err_get_error())
def ec_error():
    """Raise ``ECError`` with the reason text of the first queued OpenSSL error.

    Always raises; consumes a single queue entry.
    """
    code = m2.err_get_error()
    raise ECError(m2.err_reason_error_string(code))
def ec_error():
    """Convert the head of OpenSSL's error queue into an ``ECError`` and raise it.

    Does not return.  Further queued errors, if any, are left untouched.
    """
    reason_text = m2.err_reason_error_string(m2.err_get_error())
    raise ECError(reason_text)
def rsa_error():
    """Raise ``RSAError`` built from the oldest OpenSSL error in the queue.

    Never returns; consumes exactly one queued error.
    """
    code = m2.err_get_error()
    text = m2.err_reason_error_string(code)
    raise RSAError(text)
    def _sign_request(self, x509_request, lifetime):
        """Build and sign a proxy certificate for ``x509_request``.

        The proxy is issued by ``self.context.x509``: that certificate's
        subject entries are copied into the proxy subject and a CN entry is
        appended, the request's public key is embedded, and the result is
        signed with ``self.context.evp_key``.

        Args:
            x509_request: M2Crypto X509 request; its version (overwritten
                later, see below) and public key are copied into the proxy.
            lifetime: ``timedelta`` added to the current UTC time to form the
                initial not-after value.  It may be replaced by a chain
                certificate's expiry (see the lifetime note inline).

        Returns:
            The signed ``X509.X509`` proxy object.

        Raises:
            Exception: if copying a subject entry fails; the message carries
                the reason string of the head of OpenSSL's error queue.
            NotImplementedError: if an RFC proxy is required but X509v3
                extensions are disabled on this platform.
        """
        not_before = ASN1.ASN1_UTCTIME()
        not_before.set_datetime(datetime.now(UTC))
        not_after = ASN1.ASN1_UTCTIME()
        not_after.set_datetime(datetime.now(UTC) + lifetime)

        # Copy every subject entry of the issuing certificate into the proxy
        # subject (the CN added further down makes it a distinct name).
        proxy_subject = X509.X509_Name()
        for entry in self.context.x509.get_subject():
            ret = m2.x509_name_add_entry(proxy_subject._ptr(), entry._ptr(), -1, 0)
            if ret == 0:
                # Only the first queued OpenSSL error is reported.
                raise Exception(
                    "%s: '%s'" % (m2.err_reason_error_string(m2.err_get_error()), entry)
                )

        proxy = X509.X509()
        # NOTE(review): the proxy reuses the issuer's serial number, so
        # (issuer, serial) is not unique across proxies signed by the same
        # certificate; presumably acceptable to the consumers of these
        # proxies — confirm.
        proxy.set_serial_number(self.context.x509.get_serial_number())
        # This version is overwritten by set_version(2) near the end, so the
        # request's version has no lasting effect.
        proxy.set_version(x509_request.get_version())
        proxy.set_issuer(self.context.x509.get_subject())
        proxy.set_pubkey(x509_request.get_pubkey())

        # Extensions are broken in SL5!!
        if _m2crypto_extensions_broken():
            # Without basicConstraints/keyUsage the proxy is issued with no
            # usage restrictions at all; this warning is the only signal.
            log.warning("X509v3 extensions disabled!")
        else:
            # X509v3 Basic Constraints
            proxy.add_ext(X509.new_extension('basicConstraints', 'CA:FALSE', critical=True))
            # X509v3 Key Usage
            proxy.add_ext(X509.new_extension('keyUsage', 'Digital Signature, Key Encipherment', critical=True))
            #X509v3 Authority Key Identifier
            identifier_ext = _workaround_new_extension(
                'authorityKeyIdentifier', 'keyid', critical=False, issuer=self.context.x509
            )
            proxy.add_ext(identifier_ext)

        any_rfc_proxies = False
        # FTS-1217 Ignore the user input and select the min proxy lifetime available on the list
        # NOTE(review): the strict '<' below compares every certificate
        # against x509_list[0]'s expiry, so x509_list[0] itself is never
        # selected.  When the first certificate in the chain is the one that
        # expires earliest, ``not_after`` keeps the requested ``lifetime``
        # unbounded and the proxy can outlive its issuer — contrary to the
        # comment above.  Bounding ``not_after`` by every chain certificate
        # (including the first) would fix that; confirm the intended
        # interaction with the requested lifetime before changing.
        min_cert_lifetime = self.context.x509_list[0].get_not_after()
        for cert in self.context.x509_list:
            if cert.get_not_after().get_datetime() < min_cert_lifetime.get_datetime():
                not_after = cert.get_not_after()
                min_cert_lifetime = cert.get_not_after()
            # A proxyCertInfo extension anywhere in the chain marks it as an
            # RFC (3820-style) proxy chain.  get_ext presumably raises when the
            # extension is absent, which is the normal path for non-proxy
            # certificates; the bare except also hides any other failure.
            try:
                cert.get_ext('proxyCertInfo')
                any_rfc_proxies = True
            except:
                pass

        proxy.set_not_after(not_after)
        proxy.set_not_before(not_before)

        if any_rfc_proxies:
            if _m2crypto_extensions_broken():
                raise NotImplementedError("X509v3 extensions are disabled, so RFC proxies can not be generated!")
            else:
                _add_rfc3820_extensions(proxy)

        # RFC proxies get a CN of the current epoch seconds (unique-ish per
        # second); legacy proxies use the literal CN 'proxy'.  The return
        # value of x509_name_set_by_nid is not checked.
        if any_rfc_proxies:
            m2.x509_name_set_by_nid(proxy_subject._ptr(), X509.X509_Name.nid['commonName'], str(int(time.time())))
        else:
            m2.x509_name_set_by_nid(proxy_subject._ptr(), X509.X509_Name.nid['commonName'], 'proxy')

        proxy.set_subject(proxy_subject)
        proxy.set_version(2)
        # NOTE(review): SHA-1 signatures are deprecated and rejected by many
        # modern verifiers; 'sha256' is the usual replacement.  Check what
        # the relying parties accept before changing the digest.
        proxy.sign(self.context.evp_key, 'sha1')

        return proxy
 def set_session_id_ctx(self, id):
     """Set the session-id context of this SSL connection.

     Args:
         id: context identifier handed straight to
             ``m2.ssl_set_session_id_context``; OpenSSL presumably rejects
             identifiers longer than its maximum context length, which
             surfaces here as ``SSLError``.

     Raises:
         SSLError: with the reason string of the first queued OpenSSL error
             when the underlying call reports failure (falsy return).
     """
     ok = m2.ssl_set_session_id_context(self.ssl, id)
     if ok:
         return
     raise SSLError(m2.err_reason_error_string(m2.err_get_error()))
def get_error_code():
    """Return (and presumably consume) the next queued OpenSSL error code."""
    code = m2.err_get_error()
    return code
 def set_session_id_ctx(self, id):
     # type: (bytes) -> None
     """Set the SSL session-id context for this connection.

     Returns nothing (the earlier ``-> int`` type comment was inaccurate:
     the underlying return value is only used for the error check).

     Args:
         id: context identifier passed to ``m2.ssl_set_session_id_context``.

     Raises:
         SSLError: carrying OpenSSL's reason string for the head of the error
             queue when the call reports failure.
     """
     succeeded = bool(m2.ssl_set_session_id_context(self.ssl, id))
     if not succeeded:
         reason = m2.err_reason_error_string(m2.err_get_error())
         raise SSLError(reason)
def get_error_code():
    """Thin wrapper over ``m2.err_get_error``: the next queued OpenSSL error code.

    Presumably follows ``ERR_get_error`` semantics (entry consumed on read,
    0 when the queue is empty).
    """
    return m2.err_get_error() + 0