def login(self,pin): self.session = self.pkcs11.openSession(self.tokenSlot) self.session.login(pin=pin) random = ''.join(chr(i) for i in self.session.generateRandom(size=1024)) objects = self.session.findObjects() my_cert = None privkey_id = None for obj in objects: print self.session.getAttributeValue(obj, [PyKCS11.CKA_LABEL]) my_cert = self.FindMyCert(my_cert, obj) privkey_id = self.FindPrivateId(obj, privkey_id) self.key_id = ''.join(chr(c) for c in privkey_id[0]).encode('hex') self.my_cert = X509.load_cert_der_string(''.join(chr(c) for c in my_cert)) Rand.rand_seed(random) # init the OpenSSL engine and load the user cert & private key ssl_key = 'slot_' + str(self.tokenSlot) + '-id_' + self.key_id self.my_pkey = self.engine.load_private_key(ssl_key, pin) ctx = SSL.Context('sslv23') m2.ssl_ctx_use_x509(ctx.ctx,self.my_cert.x509) m2.ssl_ctx_use_pkey_privkey(ctx.ctx,self.my_pkey.pkey) if not m2.ssl_ctx_check_privkey(ctx.ctx): raise ValueError, 'public/private key mismatch' ctx.set_verify(SSL.verify_peer, 10) self.ssl_ctx = ctx print self.my_cert print self.my_pkey self.session.logout() print str(threading.currentThread().name)+" finished"
def get_ctx(self, allow_unknown_ca=False, req_peer_cert=True, session=None): ctx = SSL.Context("sslv23") # Set certificate and private key m2.ssl_ctx_use_x509(ctx.ctx, self.cert.x509) m2.ssl_ctx_use_rsa_privkey(ctx.ctx, self.rsakey.rsa) if not m2.ssl_ctx_check_privkey(ctx.ctx): raise CryptoError('public/private key mismatch') # Ciphers/Options ctx.set_cipher_list(CIPHER_SET) ctx.set_options(CTX_OPTIONS) # CA settings cloc = os.path.join(global_certpath, 'cacert.root.pem') if ctx.load_verify_locations(cafile=cloc) != 1: log.error("Problem loading CA certificates") raise CryptoError('CA certificates not loaded') # Verification cb = mk_verify_cb(allow_unknown_ca=allow_unknown_ca) CTX_V_FLAGS = SSL.verify_peer if req_peer_cert: CTX_V_FLAGS |= SSL.verify_fail_if_no_peer_cert ctx.set_verify(CTX_V_FLAGS,3,cb) # Session if session: ctx.set_session_id_ctx(session) return ctx
def robot_init(): e = Engine.load_dynamic_engine("pkcs11", "/usr/local/lib/engine_pkcs11.so") pk = Engine.Engine("pkcs11") pk.ctrl_cmd_string("MODULE_PATH", "/usr/lib/libeTPkcs11.so") ret = pk.init() print "Loading certificate DeRoberto" cert = e.load_certificate("30354530383037334131344144353636") print "Loading key ..." key = e.load_private_key("30354530383037334131344144353636", "indicate#2011") ctx = SSL.Context("sslv23") ctx.set_cipher_list("HIGH:!aNULL:!eNULL:@STRENGTH") ctx.set_session_id_ctx("foobar") m2.ssl_ctx_use_x509(ctx.ctx, cert.x509) m2.ssl_ctx_use_pkey_privkey(ctx.ctx, key.pkey) class SmartRedirectHandler(m2urllib2.HTTPRedirectHandler): def http_error_302(self, req, fp, code, msg, headers): redirect = headers['Location'] return redirect opener = m2urllib2.build_opener(ctx, SmartRedirectHandler()) return opener
def get_ctx(self, allow_unknown_ca=False, req_peer_cert=True, session=None): ctx = SSL.Context("sslv23") # Set certificate and private key m2.ssl_ctx_use_x509(ctx.ctx, self.cert.x509) m2.ssl_ctx_use_rsa_privkey(ctx.ctx, self.rsakey.rsa) if not m2.ssl_ctx_check_privkey(ctx.ctx): raise CryptoError('public/private key mismatch') # Ciphers/Options ctx.set_cipher_list(CIPHER_SET) ctx.set_options(CTX_OPTIONS) # CA settings cloc = os.path.join(global_certpath, 'cacert.root.pem') if ctx.load_verify_locations(cafile=cloc) != 1: log.error("Problem loading CA certificates") raise CryptoError('CA certificates not loaded') # Verification cb = mk_verify_cb(allow_unknown_ca=allow_unknown_ca) CTX_V_FLAGS = SSL.verify_peer if req_peer_cert: CTX_V_FLAGS |= SSL.verify_fail_if_no_peer_cert ctx.set_verify(CTX_V_FLAGS, 3, cb) # Session if session: ctx.set_session_id_ctx(session) return ctx
def _make_context(self): # Use False to prevent setting the crypto list which causes an NPE ctx = SSL.Context('sslv23', False) # Manually load the key and cert into the context because the helper # doesn't read from the smart card or handle DER-encoded certs m2.ssl_ctx_use_pkey_privkey(ctx.ctx, self.key._ptr()) m2.ssl_ctx_use_x509(ctx.ctx, self.cert.x509) return ctx
def _get_ssl_context(self, host): context = self._cached_ssl_context.get(host) if not context: context = SSL.Context() cert = self._new_certificate(host) pkey = self._get_shared_private_key() m2.ssl_ctx_use_x509(context.ctx, cert.x509) m2.ssl_ctx_use_pkey_privkey(context.ctx, pkey.pkey) self._cached_ssl_context.setdefault(host, context) return context
def _initConnection(self, ownerCertFile=None, ownerKeyFile=None, ownerPassphrase=None): """Initialise connection setting up SSL context and client and server side identity checks @type ownerCertFile: basestring @param ownerCertFile: client certificate and owner of credential to be acted on. Can be a proxy cert + proxy's signing cert. Cert and private key are not necessary for getDelegation / logon calls @type ownerKeyFile: basestring @param ownerKeyFile: client private key file @type ownerPassphrase: basestring @param ownerPassphrase: pass-phrase protecting private key if set - not needed in the case of a proxy private key """ # Must be version 3 for MyProxy context = SSL.Context(protocol='sslv3') # SDF # context.load_verify_locations(cafile=self.caCertFilePath, capath='/etc/grid-security/certificates') if self.caCertFilePath or self.caCertDir: context.load_verify_locations(cafile=self.caCertFilePath, capath=self.caCertDir) # Stop if peer's certificate can't be verified context.set_allow_unknown_ca(False) else: context.set_allow_unknown_ca(True) from arcs.gsi import Certificate if ownerCertFile: try: if isinstance(ownerCertFile, Certificate): m2.ssl_ctx_passphrase_callback(context.ctx, lambda *ar: ownerPassphrase) m2.ssl_ctx_use_x509(context.ctx, ownerCertFile._certificate.x509) m2.ssl_ctx_use_rsa_privkey(context.ctx, ownerKeyFile.rsa) if not m2.ssl_ctx_check_privkey(context.ctx): raise ValueError, 'public/private key mismatch' else: context.load_cert_chain(ownerCertFile, keyfile=ownerKeyFile, callback=lambda *ar, **kw: ownerPassphrase) except Exception, e: raise MyProxyClientConfigError("Loading certificate " "and private key for SSL " "connection [also check CA " "certificate settings]: %s" % e) # Verify peer's certificate context.set_verify(SSL.verify_peer, 1)
def usage1(): # form context by passing cert and private key content context = Context(); context.set_allow_unknown_ca(False) cert_file = open('/opt/cisco/creds/id.cert', 'rb').read().encode('ascii') cert_file = X509.load_cert_string(cert_file) key_file = open('/opt/cisco/creds/id.cert', 'rb').read().encode('ascii') # pem-encoded pkey key_file = EVP.load_key_string(key_file) m2.ssl_ctx_use_x509(context.ctx, cert_file.x509) m2.ssl_ctx_use_pkey_privkey(context.ctx, key_file.pkey) # make server verification # capath should contain hash soft link to CA certifiates context.load_verify_info(capath='./') context.set_verify(SSL.verify_peer, 3) # context.set_verify(SSL.verify_none, 3) # using MyHTTPS to send request send_request(context)
def __init__(self, use_datetime=0, pin='', key_name="01:01"): Transport.__init__(self, use_datetime=use_datetime) self.get_engine() cls = PKCS11Transport import getpass pin = getpass.getpass() self.cert = cls._pkcs11.load_certificate(key_name) self.key = cls._pkcs11.load_private_key(key_name, pin=pin) # Use False to prevent setting the crypto list which causes an NPE self.context = SSL.Context('tlsv1', False) # Manually load the key and cert into the context because the helper # doesn't read from the smart card or handle DER-encoded certs m2.ssl_ctx_use_pkey_privkey(self.context.ctx, self.key._ptr()) m2.ssl_ctx_use_x509(self.context.ctx, self.cert._ptr()) self.context.load_verify_locations("ca.pem", "") self.context.set_verify(SSL.verify_peer, 10) self.context.set_info_callback()
def set_client_cert(self, cert): return m2.ssl_ctx_use_x509(self.ctx, cert.x509)