def load_cert_chain(self,
certchainfile,
keyfile=None,
callback=util.passphrase_callback):
"""Load certificate chain and private key into the context.
@param certchainfile: File object containing the PEM-encoded
certificate chain.
@type certchainfile: str
@param keyfile: File object containing the PEM-encoded private
key. Default value of None indicates that the
private key is to be found in 'certchainfile'.
@type keyfile: str
@param callback: Callable object to be invoked if the private key
is passphrase-protected. Default callback
provides a simple terminal-style input for the
passphrase.
"""
m2.ssl_ctx_passphrase_callback(self.ctx, callback)
m2.ssl_ctx_use_cert_chain(self.ctx, certchainfile)
if not keyfile:
keyfile = certchainfile
m2.ssl_ctx_use_privkey(self.ctx, keyfile)
if not m2.ssl_ctx_check_privkey(self.ctx):
raise ValueError('public/private key mismatch')
def _initConnection(self,
ownerCertFile=None,
ownerKeyFile=None,
ownerPassphrase=None):
"""Initialise connection setting up SSL context and client and
server side identity checks
@type ownerCertFile: basestring
@param ownerCertFile: client certificate and owner of credential
to be acted on. Can be a proxy cert + proxy's signing cert. Cert
and private key are not necessary for getDelegation / logon calls
@type ownerKeyFile: basestring
@param ownerKeyFile: client private key file
@type ownerPassphrase: basestring
@param ownerPassphrase: pass-phrase protecting private key if set -
not needed in the case of a proxy private key
"""
# Must be version 3 for MyProxy
context = SSL.Context(protocol='sslv3')
# SDF
# context.load_verify_locations(cafile=self.caCertFilePath, capath='/etc/grid-security/certificates')
if self.caCertFilePath or self.caCertDir:
context.load_verify_locations(cafile=self.caCertFilePath,
capath=self.caCertDir)
# Stop if peer's certificate can't be verified
context.set_allow_unknown_ca(False)
else:
context.set_allow_unknown_ca(True)
from arcs.gsi import Certificate
if ownerCertFile:
try:
if isinstance(ownerCertFile, Certificate):
m2.ssl_ctx_passphrase_callback(context.ctx, lambda *ar: ownerPassphrase)
m2.ssl_ctx_use_x509(context.ctx, ownerCertFile._certificate.x509)
m2.ssl_ctx_use_rsa_privkey(context.ctx, ownerKeyFile.rsa)
if not m2.ssl_ctx_check_privkey(context.ctx):
raise ValueError, 'public/private key mismatch'
else:
context.load_cert_chain(ownerCertFile,
keyfile=ownerKeyFile,
callback=lambda *ar, **kw: ownerPassphrase)
except Exception, e:
raise MyProxyClientConfigError("Loading certificate "
"and private key for SSL "
"connection [also check CA "
"certificate settings]: %s" % e)
# Verify peer's certificate
context.set_verify(SSL.verify_peer, 1)
def load_cert_pkey(self,
certfile,
pkey,
callback=util.passphrase_callback):
# type: (AnyStr, Optional[AnyStr], Callable) -> None
"""Load certificate and private key into the context.
:param certfile: File that contains the PEM-encoded certificate.
:param keyfile: 'M2Crypto.EVP' object
:param callback: Callable object to be invoked if the private key is
passphrase-protected. Default callback provides a
simple terminal-style input for the passphrase.
"""
m2.ssl_ctx_passphrase_callback(self.ctx, callback)
m2.ssl_ctx_use_cert(self.ctx, certfile)
m2.ssl_ctx_use_pkey_privkey(self.ctx, pkey)
if not m2.ssl_ctx_check_privkey(self.ctx):
raise ValueError('public/private key mismatch')
def load_cert(self, certfile, keyfile=None,
callback=util.passphrase_callback):
# type: (AnyStr, Optional[AnyStr], Callable) -> None
"""Load certificate and private key into the context.
@param certfile: File that contains the PEM-encoded certificate.
@param keyfile: File that contains the PEM-encoded private key.
Default value of None indicates that the private key
is to be found in 'certfile'.
@param callback: Callable object to be invoked if the private key is
passphrase-protected. Default callback provides a
simple terminal-style input for the passphrase.
"""
m2.ssl_ctx_passphrase_callback(self.ctx, callback)
m2.ssl_ctx_use_cert(self.ctx, certfile)
if not keyfile:
keyfile = certfile
m2.ssl_ctx_use_privkey(self.ctx, keyfile)
if not m2.ssl_ctx_check_privkey(self.ctx):
raise ValueError('public/private key mismatch')
