def _get_openssl_key_manager(cert_file, key_file=None):
paths = [key_file] if key_file else []
paths.append(cert_file)
# Go from Bouncy Castle API to Java's; a bit heavyweight for the Python dev ;)
key_converter = JcaPEMKeyConverter().setProvider("BC")
cert_converter = JcaX509CertificateConverter().setProvider("BC")
private_key = None
certs = []
for path in paths:
for br in _extract_readers(path):
while True:
obj = PEMParser(br).readObject()
if obj is None:
break
if isinstance(obj, PEMKeyPair):
private_key = key_converter.getKeyPair(obj).getPrivate()
elif isinstance(obj, PrivateKeyInfo):
private_key = key_converter.getPrivateKey(obj)
elif isinstance(obj, X509CertificateHolder):
certs.append(cert_converter.getCertificate(obj))
assert private_key, "No private key loaded"
key_store = KeyStore.getInstance(KeyStore.getDefaultType())
key_store.load(None, None)
key_store.setKeyEntry(str(uuid.uuid4()), private_key, [], certs)
kmf = KeyManagerFactory.getInstance(
KeyManagerFactory.getDefaultAlgorithm())
kmf.init(key_store, [])
return kmf
def _read_pem_cert_from_data(f, password, key_converter, cert_converter):
certs = []
private_key = None
if key_converter is None:
key_converter = JcaPEMKeyConverter().setProvider("BC")
if cert_converter is None:
cert_converter = JcaX509CertificateConverter().setProvider("BC")
for br in _extract_readers(f):
while True:
try:
obj = PEMParser(br).readObject()
except PEMException as err:
from _socket import SSLError, SSL_ERROR_SSL
raise SSLError(SSL_ERROR_SSL, "PEM lib ({})".format(err))
if obj is None:
break
if isinstance(obj, PEMKeyPair):
private_key = key_converter.getKeyPair(obj).getPrivate()
elif isinstance(obj, PrivateKeyInfo):
private_key = key_converter.getPrivateKey(obj)
elif isinstance(obj, X509CertificateHolder):
certs.append(cert_converter.getCertificate(obj))
elif isinstance(obj, PEMEncryptedKeyPair):
provider = JcePEMDecryptorProviderBuilder().build(
_parse_password(password))
try:
key_pair = key_converter.getKeyPair(
obj.decryptKeyPair(provider))
except EncryptionException as err:
from _socket import SSLError, SSL_ERROR_SSL
raise SSLError(SSL_ERROR_SSL, "PEM lib ({})".format(err))
private_key = key_pair.getPrivate()
else:
raise NotImplementedError(
"Jython does not implement PEM object {!r}".format(obj))
return certs, private_key
def _extract_certs_for_paths(paths, password=None):
# Go from Bouncy Castle API to Java's; a bit heavyweight for the Python dev ;)
key_converter = JcaPEMKeyConverter().setProvider("BC")
cert_converter = JcaX509CertificateConverter().setProvider("BC")
certs = []
private_key = None
for path in paths:
err = None
with open(path) as f:
# try to load the file as keystore file first
try:
_certs = _extract_certs_from_keystore_file(f, password)
certs.extend(_certs)
except IOException as err:
pass # reported as 'Invalid keystore format'
if err is not None: # try loading pem version instead
with open(path) as f:
_certs, _private_key = _extract_cert_from_data(
f, password, key_converter, cert_converter)
private_key = _private_key if _private_key else private_key
certs.extend(_certs)
return certs, private_key