Exemplo n.º 1
0
Arquivo: etoken.py Projeto: zbo/zbodo
    def login(self,pin):
        self.session = self.pkcs11.openSession(self.tokenSlot)
        self.session.login(pin=pin)
        random = ''.join(chr(i) for i in self.session.generateRandom(size=1024))
        objects = self.session.findObjects()
        my_cert = None
        privkey_id = None
        for obj in objects:
            print self.session.getAttributeValue(obj, [PyKCS11.CKA_LABEL])
            my_cert = self.FindMyCert(my_cert, obj)
            privkey_id = self.FindPrivateId(obj, privkey_id)
        self.key_id = ''.join(chr(c) for c in privkey_id[0]).encode('hex')
        self.my_cert = X509.load_cert_der_string(''.join(chr(c) for c in my_cert))
        Rand.rand_seed(random)
        #  init the OpenSSL engine and load the user cert & private key
        ssl_key = 'slot_' + str(self.tokenSlot) + '-id_' + self.key_id
        self.my_pkey = self.engine.load_private_key(ssl_key, pin)
        ctx = SSL.Context('sslv23')
        m2.ssl_ctx_use_x509(ctx.ctx,self.my_cert.x509)
        m2.ssl_ctx_use_pkey_privkey(ctx.ctx,self.my_pkey.pkey)

        if not m2.ssl_ctx_check_privkey(ctx.ctx):
            raise ValueError, 'public/private key mismatch'
        ctx.set_verify(SSL.verify_peer, 10)
        self.ssl_ctx = ctx
        print self.my_cert
        print self.my_pkey
        self.session.logout()
        print str(threading.currentThread().name)+" finished"
Exemplo n.º 2
0
    def load_cert_chain(self,
                        certchainfile,
                        keyfile=None,
                        callback=util.passphrase_callback):
        """Load certificate chain and private key into the context.

        @param certchainfile: File object containing the PEM-encoded
                              certificate chain.
        @type  certchainfile: str
        @param keyfile:       File object containing the PEM-encoded private
                              key. Default value of None indicates that the
                              private key is to be found in 'certchainfile'.
        @type keyfile:        str

        @param callback:      Callable object to be invoked if the private key
                              is passphrase-protected. Default callback
                              provides a simple terminal-style input for the
                              passphrase.
        """
        m2.ssl_ctx_passphrase_callback(self.ctx, callback)
        m2.ssl_ctx_use_cert_chain(self.ctx, certchainfile)
        if not keyfile:
            keyfile = certchainfile
        m2.ssl_ctx_use_privkey(self.ctx, keyfile)
        if not m2.ssl_ctx_check_privkey(self.ctx):
            raise ValueError('public/private key mismatch')
Exemplo n.º 3
0
 def get_ctx(self, allow_unknown_ca=False, req_peer_cert=True, session=None):
     ctx = SSL.Context("sslv23")
     # Set certificate and private key
     m2.ssl_ctx_use_x509(ctx.ctx, self.cert.x509)
     m2.ssl_ctx_use_rsa_privkey(ctx.ctx, self.rsakey.rsa)
     if not m2.ssl_ctx_check_privkey(ctx.ctx):
         raise CryptoError('public/private key mismatch')
     # Ciphers/Options
     ctx.set_cipher_list(CIPHER_SET)
     ctx.set_options(CTX_OPTIONS)
     # CA settings
     cloc = os.path.join(global_certpath, 'cacert.root.pem')
     if ctx.load_verify_locations(cafile=cloc) != 1:
         log.error("Problem loading CA certificates")
         raise CryptoError('CA certificates not loaded')
     # Verification
     cb = mk_verify_cb(allow_unknown_ca=allow_unknown_ca)
     CTX_V_FLAGS = SSL.verify_peer
     if req_peer_cert:
         CTX_V_FLAGS |= SSL.verify_fail_if_no_peer_cert
     ctx.set_verify(CTX_V_FLAGS,3,cb)
     # Session
     if session:
         ctx.set_session_id_ctx(session)
     return ctx
Exemplo n.º 4
0
 def get_ctx(self,
             allow_unknown_ca=False,
             req_peer_cert=True,
             session=None):
     ctx = SSL.Context("sslv23")
     # Set certificate and private key
     m2.ssl_ctx_use_x509(ctx.ctx, self.cert.x509)
     m2.ssl_ctx_use_rsa_privkey(ctx.ctx, self.rsakey.rsa)
     if not m2.ssl_ctx_check_privkey(ctx.ctx):
         raise CryptoError('public/private key mismatch')
     # Ciphers/Options
     ctx.set_cipher_list(CIPHER_SET)
     ctx.set_options(CTX_OPTIONS)
     # CA settings
     cloc = os.path.join(global_certpath, 'cacert.root.pem')
     if ctx.load_verify_locations(cafile=cloc) != 1:
         log.error("Problem loading CA certificates")
         raise CryptoError('CA certificates not loaded')
     # Verification
     cb = mk_verify_cb(allow_unknown_ca=allow_unknown_ca)
     CTX_V_FLAGS = SSL.verify_peer
     if req_peer_cert:
         CTX_V_FLAGS |= SSL.verify_fail_if_no_peer_cert
     ctx.set_verify(CTX_V_FLAGS, 3, cb)
     # Session
     if session:
         ctx.set_session_id_ctx(session)
     return ctx
Exemplo n.º 5
0
    def _initConnection(self, 
                        ownerCertFile=None, 
                        ownerKeyFile=None,
                        ownerPassphrase=None):
        """Initialise connection setting up SSL context and client and
        server side identity checks
        
        @type ownerCertFile: basestring
        @param ownerCertFile: client certificate and owner of credential
        to be acted on.  Can be a proxy cert + proxy's signing cert.  Cert
        and private key are not necessary for getDelegation / logon calls
        @type ownerKeyFile: basestring
        @param ownerKeyFile: client private key file
        @type ownerPassphrase: basestring
        @param ownerPassphrase: pass-phrase protecting private key if set - 
        not needed in the case of a proxy private key
        """

        # Must be version 3 for MyProxy
        context = SSL.Context(protocol='sslv3')

# SDF
#        context.load_verify_locations(cafile=self.caCertFilePath, capath='/etc/grid-security/certificates')

        if self.caCertFilePath or self.caCertDir:
            context.load_verify_locations(cafile=self.caCertFilePath,
                                          capath=self.caCertDir)


            # Stop if peer's certificate can't be verified
            context.set_allow_unknown_ca(False)
        else:
            context.set_allow_unknown_ca(True)

        from arcs.gsi import Certificate
        if ownerCertFile:
            try:
                if isinstance(ownerCertFile, Certificate):
                    m2.ssl_ctx_passphrase_callback(context.ctx, lambda *ar: ownerPassphrase)
                    m2.ssl_ctx_use_x509(context.ctx, ownerCertFile._certificate.x509)
                    m2.ssl_ctx_use_rsa_privkey(context.ctx, ownerKeyFile.rsa)
                    if not m2.ssl_ctx_check_privkey(context.ctx):
                        raise ValueError, 'public/private key mismatch'
                else:
                    context.load_cert_chain(ownerCertFile,
                                        keyfile=ownerKeyFile,
                                        callback=lambda *ar, **kw: ownerPassphrase)
            except Exception, e:
                raise MyProxyClientConfigError("Loading certificate "
                                               "and private key for SSL "
                                               "connection [also check CA "
                                               "certificate settings]: %s" % e) 
            
            # Verify peer's certificate
            context.set_verify(SSL.verify_peer, 1) 
Exemplo n.º 6
0
    def load_cert_pkey(self,
                       certfile,
                       pkey,
                       callback=util.passphrase_callback):
        # type: (AnyStr, Optional[AnyStr], Callable) -> None
        """Load certificate and private key into the context.

        :param certfile: File that contains the PEM-encoded certificate.
        :param keyfile:  'M2Crypto.EVP' object
        :param callback: Callable object to be invoked if the private key is
                         passphrase-protected. Default callback provides a
                         simple terminal-style input for the passphrase.
        """
        m2.ssl_ctx_passphrase_callback(self.ctx, callback)
        m2.ssl_ctx_use_cert(self.ctx, certfile)
        m2.ssl_ctx_use_pkey_privkey(self.ctx, pkey)
        if not m2.ssl_ctx_check_privkey(self.ctx):
            raise ValueError('public/private key mismatch')
Exemplo n.º 7
0
    def load_cert(self, certfile, keyfile=None,
                  callback=util.passphrase_callback):
        # type: (AnyStr, Optional[AnyStr], Callable) -> None
        """Load certificate and private key into the context.

        @param certfile: File that contains the PEM-encoded certificate.
        @param keyfile:  File that contains the PEM-encoded private key.
                         Default value of None indicates that the private key
                         is to be found in 'certfile'.
        @param callback: Callable object to be invoked if the private key is
                         passphrase-protected. Default callback provides a
                         simple terminal-style input for the passphrase.
        """
        m2.ssl_ctx_passphrase_callback(self.ctx, callback)
        m2.ssl_ctx_use_cert(self.ctx, certfile)
        if not keyfile:
            keyfile = certfile
        m2.ssl_ctx_use_privkey(self.ctx, keyfile)
        if not m2.ssl_ctx_check_privkey(self.ctx):
            raise ValueError('public/private key mismatch')