def _createSSLEngine(self, addr, hostname=None, cert_file=None, key_file=None):
    """Build a JSSE ``SSLEngine`` for the peer at *addr*.

    The engine is configured from this object's settings: ``verify_mode``
    selects the trust managers, ``_key_managers`` (or the ``cert_file`` /
    ``key_file`` pair) supplies the key managers, ``_protocol_name`` picks
    the ``SSLContext`` protocol, ``_check_hostname`` toggles endpoint
    identification and ``_ciphers`` restricts the enabled cipher suites.

    Args:
        addr: peer address tuple; only ``addr[0]`` (host) and ``addr[1]``
            (port) are read, so an IPv6 4-tuple is accepted as well.
        hostname: server name bound to the engine and used for hostname
            verification; ``addr[0]`` is used when it is ``None`` or empty.
        cert_file: certificate file handed to ``_get_openssl_key_manager``
            when no key managers were configured on this object.
        key_file: private key file handed to ``_get_openssl_key_manager``
            together with ``cert_file``.

    Returns:
        The configured ``javax.net.ssl.SSLEngine``.
    """
    # Only CERT_REQUIRED installs a verifying trust manager; any other
    # verify_mode ends up with NoVerifyX509TrustManager, which accepts every
    # peer certificate. NOTE(review): if callers can select CERT_OPTIONAL,
    # confirm that falling through to "no verification" is intended.
    if self.verify_mode == CERT_REQUIRED:
        factory = TrustManagerFactory.getInstance(
            TrustManagerFactory.getDefaultAlgorithm())
        factory.init(self._trust_store)
        trust_managers = [CompositeX509TrustManager(factory.getTrustManagers())]
    else:
        trust_managers = [NoVerifyX509TrustManager()]

    context = _JavaSSLContext.getInstance(self._protocol_name)
    if self._key_managers is not None:
        key_managers = self._key_managers.getKeyManagers()
    else:
        key_managers = _get_openssl_key_manager(
            cert_file=cert_file, key_file=key_file).getKeyManagers()
    context.init(key_managers, trust_managers, None)

    # addr may be an IPv6 4-tuple; only host and port matter to JSSE here.
    peer_host = hostname or addr[0]
    engine = context.createSSLEngine(peer_host, addr[1])

    # Endpoint identification asks JSSE to match the peer certificate
    # against *hostname* using HTTPS rules; it is only requested when a
    # hostname was actually supplied and checking is enabled.
    if hostname is not None and self._check_hostname:
        params = engine.getSSLParameters()
        params.setEndpointIdentificationAlgorithm('HTTPS')
        engine.setSSLParameters(params)

    if self._ciphers is not None:
        engine.setEnabledCipherSuites(self._ciphers)
    return engine
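def _createSSLEngine(self, addr, hostname=None, cert_file=None, key_file=None):
    """Build a JSSE ``SSLEngine`` for the peer at *addr*.

    The engine is configured from this object's settings: ``verify_mode``
    selects the trust managers, ``_key_managers`` (or the ``cert_file`` /
    ``key_file`` pair) supplies the key managers, ``_protocol_name`` picks
    the ``SSLContext`` protocol, ``_check_hostname`` toggles endpoint
    identification and ``_ciphers`` restricts the enabled cipher suites.

    Args:
        addr: peer address tuple. Only ``addr[0]`` (host) and ``addr[1]``
            (port) are read, so an IPv6 4-tuple (host, port, flowinfo,
            scope id) is accepted; unpacking the whole tuple into
            ``createSSLEngine`` would pass the extra fields as arguments.
        hostname: server name bound to the engine and used for hostname
            verification; ``addr[0]`` is used when it is ``None``.
        cert_file: certificate file handed to ``_get_openssl_key_manager``
            when no key managers were configured on this object.
        key_file: private key file handed to ``_get_openssl_key_manager``
            together with ``cert_file``.

    Returns:
        The configured ``javax.net.ssl.SSLEngine``.
    """
    # Only CERT_REQUIRED installs a verifying trust manager; any other
    # verify_mode ends up with NoVerifyX509TrustManager, which accepts every
    # peer certificate. NOTE(review): if callers can select CERT_OPTIONAL,
    # confirm that falling through to "no verification" is intended.
    trust_managers = [NoVerifyX509TrustManager()]
    if self.verify_mode == CERT_REQUIRED:
        tmf = TrustManagerFactory.getInstance(
            TrustManagerFactory.getDefaultAlgorithm())
        tmf.init(self._trust_store)
        trust_managers = [CompositeX509TrustManager(tmf.getTrustManagers())]

    context = _JavaSSLContext.getInstance(self._protocol_name)
    if self._key_managers is None:
        key_managers = _get_openssl_key_manager(
            cert_file=cert_file, key_file=key_file).getKeyManagers()
    else:
        key_managers = self._key_managers.getKeyManagers()
    context.init(key_managers, trust_managers, None)

    # addr may be an IPv6 4-tuple; pick host and port explicitly instead of
    # unpacking the whole tuple into the (host, port) overload.
    peer_host = addr[0] if hostname is None else hostname
    engine = context.createSSLEngine(peer_host, addr[1])

    # Endpoint identification asks JSSE to match the peer certificate
    # against *hostname* using HTTPS rules; it is only requested when a
    # hostname was actually supplied and checking is enabled.
    if hostname is not None and self._check_hostname:
        params = engine.getSSLParameters()
        params.setEndpointIdentificationAlgorithm('HTTPS')
        engine.setSSLParameters(params)

    if self._ciphers is not None:
        engine.setEnabledCipherSuites(self._ciphers)
    return engine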
def DefaultTrustManager():
    """Return the JVM's default ``X509TrustManager``, or ``None``.

    A ``TrustManagerFactory`` for the platform default algorithm is
    initialised with ``None`` (JSSE then falls back to its default trust
    store) and the first of its trust managers that is an
    ``X509TrustManager`` is returned. ``None`` is returned when the factory
    yields no such manager.
    """
    factory = TrustManagerFactory.getInstance(
        TrustManagerFactory.getDefaultAlgorithm())
    factory.init(None)
    x509_managers = (manager for manager in factory.getTrustManagers()
                     if isinstance(manager, X509TrustManager))
    return next(x509_managers, None)
def _get_ca_certs_trust_manager(ca_certs):
    """Build a ``TrustManagerFactory`` trusting only the certificates in *ca_certs*.

    Every X.509 certificate in the file is placed in a fresh in-memory
    ``KeyStore`` under a random alias (a UUID, so certificates with the same
    subject do not overwrite each other) and a default-algorithm
    ``TrustManagerFactory`` is initialised from that store. The JVM's own
    default trust store is not consulted.

    Args:
        ca_certs: path to a file that
            ``CertificateFactory("X.509").generateCertificates`` can parse.

    Returns:
        The initialised ``TrustManagerFactory``.
    """
    store = KeyStore.getInstance(KeyStore.getDefaultType())
    store.load(None, None)
    factory = CertificateFactory.getInstance("X.509")
    with open(ca_certs) as cert_file:
        # The Python file object is handed straight to BufferedInputStream;
        # presumably Jython coerces it to a java.io.InputStream — confirm.
        stream = BufferedInputStream(cert_file)
        for cert in factory.generateCertificates(stream):
            store.setCertificateEntry(str(uuid.uuid4()), cert)
    tmf = TrustManagerFactory.getInstance(
        TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(store)
    return tmf
def _get_ca_certs_trust_manager(ca_certs):
    """Build a ``TrustManagerFactory`` trusting only the certificates in *ca_certs*.

    Every X.509 certificate in the file is placed in a fresh in-memory
    ``KeyStore`` under a random alias (a UUID, so certificates with the same
    subject do not overwrite each other) and a default-algorithm
    ``TrustManagerFactory`` is initialised from that store. The JVM's own
    default trust store is not consulted. The number of certificates
    installed is logged at debug level.

    Args:
        ca_certs: path to a file that
            ``CertificateFactory("X.509").generateCertificates`` can parse.

    Returns:
        The initialised ``TrustManagerFactory``.
    """
    store = KeyStore.getInstance(KeyStore.getDefaultType())
    store.load(None, None)
    installed = 0
    factory = CertificateFactory.getInstance("X.509")
    with open(ca_certs) as cert_file:
        # The Python file object is handed straight to BufferedInputStream;
        # presumably Jython coerces it to a java.io.InputStream — confirm.
        stream = BufferedInputStream(cert_file)
        for cert in factory.generateCertificates(stream):
            store.setCertificateEntry(str(uuid.uuid4()), cert)
            installed += 1
    tmf = TrustManagerFactory.getInstance(
        TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(store)
    # A zero count here means the trust manager has no anchors at all,
    # which is worth spotting when debugging handshake failures.
    log.debug("Installed %s certificates", installed, extra={"sock": "*"})
    return tmf
def _get_ca_certs_trust_manager(ca_certs=None):
    """Build a ``TrustManagerFactory`` trusting only the certificates in *ca_certs*.

    Every X.509 certificate in the file is placed in a fresh in-memory
    ``KeyStore`` under a random alias (a UUID, so certificates with the same
    subject do not overwrite each other) and a default-algorithm
    ``TrustManagerFactory`` is initialised from that store. The JVM's own
    default trust store is never consulted: with ``ca_certs=None`` the
    store stays empty, so the returned factory has no trust anchors at all
    (it does not fall back to the JVM defaults). The number of certificates
    installed is logged at debug level.

    Args:
        ca_certs: path to a file that
            ``CertificateFactory("X.509").generateCertificates`` can parse,
            or ``None`` for an empty trust store.

    Returns:
        The initialised ``TrustManagerFactory``.
    """
    store = KeyStore.getInstance(KeyStore.getDefaultType())
    store.load(None, None)
    installed = 0
    if ca_certs is not None:
        factory = CertificateFactory.getInstance("X.509")
        with open(ca_certs) as cert_file:
            # The Python file object is handed straight to
            # BufferedInputStream; presumably Jython coerces it to a
            # java.io.InputStream — confirm.
            stream = BufferedInputStream(cert_file)
            for cert in factory.generateCertificates(stream):
                store.setCertificateEntry(str(uuid.uuid4()), cert)
                installed += 1
    tmf = TrustManagerFactory.getInstance(
        TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(store)
    # A zero count here means the trust manager has no anchors at all,
    # which is worth spotting when debugging handshake failures.
    log.debug("Installed %s certificates", installed, extra={"sock": "*"})
    return tmf
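def trustSpecificCertificate(self, pemCertificateFile, pemCertificateAlias):
    """Make the JVM-wide default ``SSLContext`` trust exactly one certificate.

    The X.509 certificate in *pemCertificateFile* is loaded into a fresh
    in-memory ``KeyStore`` under *pemCertificateAlias*, a default-algorithm
    ``TrustManagerFactory`` is built from that store, and a context using
    it is installed with ``SSLContext.setDefault``. The default context is
    process-global: every later JSSE connection that does not supply its
    own context will trust only this certificate and nothing from the
    JVM's default trust store.

    Args:
        pemCertificateFile: path to a file holding one X.509 certificate.
        pemCertificateAlias: key-store alias to file the certificate under.
    """
    from java.io import BufferedInputStream, FileInputStream
    from java.security import KeyStore
    from java.security.cert import CertificateFactory
    from javax.net.ssl import SSLContext, TrustManagerFactory

    # Close the stream explicitly: Java does not release the file handle
    # until the stream is closed, and garbage collection is not prompt.
    stream = BufferedInputStream(FileInputStream(pemCertificateFile))
    try:
        ca = CertificateFactory.getInstance("X.509").generateCertificate(stream)
    finally:
        stream.close()

    ks = KeyStore.getInstance(KeyStore.getDefaultType())
    ks.load(None, None)
    ks.setCertificateEntry(pemCertificateAlias, ca)
    tmf = TrustManagerFactory.getInstance(
        TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(ks)
    # "SSL" is the legacy JSSE protocol name; presumably it yields the same
    # context as "TLS" under SunJSSE (the enabled versions come from the
    # JVM defaults) — confirm before relying on it.
    context = SSLContext.getInstance("SSL")
    context.init(None, tmf.getTrustManagers(), None)
    SSLContext.setDefault(context)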
def _createSSLEngine(self):
    """Initialise ``self._context`` and return a new ``SSLEngine`` from it.

    Trust managers: when ``verify_mode`` is ``CERT_REQUIRED`` a
    default-algorithm ``TrustManagerFactory`` is initialised from
    ``self._trust_store``; any other mode installs
    ``NoVerifyX509TrustManager``, which accepts every peer certificate.
    Key managers come from ``self._key_managers`` or, when that is
    ``None``, from ``_get_openssl_key_manager()``. ``self._ciphers`` (if
    set) restricts the enabled cipher suites.

    Returns:
        A ``javax.net.ssl.SSLEngine`` created from ``self._context``.
    """
    # Only CERT_REQUIRED verifies the peer chain. NOTE(review): if callers
    # can select CERT_OPTIONAL, confirm that "no verification" is intended.
    if self.verify_mode == CERT_REQUIRED:
        factory = TrustManagerFactory.getInstance(
            TrustManagerFactory.getDefaultAlgorithm())
        factory.init(self._trust_store)
        trust_managers = factory.getTrustManagers()
    else:
        trust_managers = [NoVerifyX509TrustManager()]

    if self._key_managers is not None:
        key_managers = self._key_managers.getKeyManagers()
    else:
        # No key managers configured: derive them from the OpenSSL-style
        # key material via the module helper.
        key_managers = _get_openssl_key_manager().getKeyManagers()
    self._context.init(key_managers, trust_managers, None)

    # No peer host/port is bound to the engine here, so JSSE endpoint
    # identification (hostname verification) cannot be requested on it.
    engine = self._context.createSSLEngine()
    if self._ciphers is not None:
        engine.setEnabledCipherSuites(self._ciphers)
    return engine
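def trustSpecificCertificate(self, pemCertificateFile, pemCertificateAlias):
    """Make the JVM-wide default ``SSLContext`` trust exactly one certificate.

    The X.509 certificate in *pemCertificateFile* is loaded into a fresh
    in-memory ``KeyStore`` under *pemCertificateAlias*, a default-algorithm
    ``TrustManagerFactory`` is built from that store, and a context using
    it is installed with ``SSLContext.setDefault``. The default context is
    process-global: every later JSSE connection that does not supply its
    own context will trust only this certificate and nothing from the
    JVM's default trust store.

    Args:
        pemCertificateFile: path to a file holding one X.509 certificate.
        pemCertificateAlias: key-store alias to file the certificate under.
    """
    from java.io import BufferedInputStream, FileInputStream
    from java.security import KeyStore
    from java.security.cert import CertificateFactory
    from javax.net.ssl import SSLContext, TrustManagerFactory

    # Close the stream explicitly: Java does not release the file handle
    # until the stream is closed, and garbage collection is not prompt.
    stream = BufferedInputStream(FileInputStream(pemCertificateFile))
    try:
        ca = CertificateFactory.getInstance("X.509").generateCertificate(stream)
    finally:
        stream.close()

    ks = KeyStore.getInstance(KeyStore.getDefaultType())
    ks.load(None, None)
    ks.setCertificateEntry(pemCertificateAlias, ca)
    tmf = TrustManagerFactory.getInstance(
        TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(ks)
    # "SSL" is the legacy JSSE protocol name; presumably it yields the same
    # context as "TLS" under SunJSSE (the enabled versions come from the
    # JVM defaults) — confirm before relying on it.
    context = SSLContext.getInstance("SSL")
    context.init(None, tmf.getTrustManagers(), None)
    SSLContext.setDefault(context)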
def _createSSLEngine(self):
    """Initialise ``self._context`` and return a new ``SSLEngine`` from it.

    Trust managers: when ``verify_mode`` is ``CERT_REQUIRED`` a
    default-algorithm ``TrustManagerFactory`` is initialised from
    ``self._trust_store``; any other mode installs
    ``NoVerifyX509TrustManager``, which accepts every peer certificate.
    Key managers come from ``self._key_managers`` or, when that is
    ``None``, from ``_get_openssl_key_manager()``. ``self._ciphers`` (if
    set) restricts the enabled cipher suites.

    Returns:
        A ``javax.net.ssl.SSLEngine`` created from ``self._context``.
    """
    # Only CERT_REQUIRED verifies the peer chain. NOTE(review): if callers
    # can select CERT_OPTIONAL, confirm that "no verification" is intended.
    if self.verify_mode == CERT_REQUIRED:
        factory = TrustManagerFactory.getInstance(
            TrustManagerFactory.getDefaultAlgorithm())
        factory.init(self._trust_store)
        trust_managers = factory.getTrustManagers()
    else:
        trust_managers = [NoVerifyX509TrustManager()]

    if self._key_managers is not None:
        key_managers = self._key_managers.getKeyManagers()
    else:
        # No key managers configured: derive them from the OpenSSL-style
        # key material via the module helper.
        key_managers = _get_openssl_key_manager().getKeyManagers()
    self._context.init(key_managers, trust_managers, None)

    # No peer host/port is bound to the engine here, so JSSE endpoint
    # identification (hostname verification) cannot be requested on it.
    engine = self._context.createSSLEngine()
    if self._ciphers is not None:
        engine.setEnabledCipherSuites(self._ciphers)
    return engine