def connect(self, host=None, port=None, cert=None, key=None):
'''
Connect to another portal somewhere. If retry is set, will attempt to reconnect
with the target continuously. As of the time of this writing, you cannot stop a
polling connection without taking down the portal.
:param retry: continuously attempt to connect on drops or rejections
:type retry: bool.
'''
host = host if host else self.host
port = port if port else self.port
cert = cert if cert else self.certCa
key = key if key else self.keyPrivate # ???
# the first term is the name the server is using in the cert (for now)
ctx = optionsForClientTLS(u"pds.production", Certificate.loadPEM(cert), PrivateCertificate.loadPEM(key))
factory = RiffleClientFactory()
SSL4ClientEndpoint(reactor, host, port, ctx,).connect(factory)
print 'Connecting to ' + host + ':' + str(port)
avatar = yield factory.login(self)
defer.returnValue(Levy(avatar))
def getFactory(self):
if self.factory is None:
if self.certificateFile is not None:
cert = PrivateCertificate.loadPEM(
file(self.certificateFile).read())
certOpts = CertificateOptions(
cert.privateKey.original,
cert.original,
requireCertificate=False,
method=SSL.SSLv23_METHOD)
else:
certOpts = None
self.portal = portal.Portal(
self.userbase, [self.userbase, checkers.AllowAnonymousAccess()])
self.factory = ESMTPFactory(
self.portal,
self.domain,
{'CRAM-MD5': credentials.CramMD5Credentials,
'LOGIN': imap4.LOGINCredentials,
},
certOpts)
if self.debug:
self.factory = policies.TrafficLoggingFactory(self.factory, 'smtp')
return self.factory
def main(reactor):
pemBytes = FilePath(b"ca-private-cert.pem").getContent()
certificateAuthority = Certificate.loadPEM(pemBytes)
myCertificate = PrivateCertificate.loadPEM(pemBytes)
serverEndpoint = SSL4ServerEndpoint(
reactor, 4321, myCertificate.options(certificateAuthority))
serverEndpoint.listen(Factory.forProtocol(ReportWhichClient))
return Deferred()
def addSubprocesses(self, fds, name, factory):
super(HendrixDeployTLS, self).addSubprocesses(fds, name, factory)
if name == 'main_web_ssl':
privateCert = PrivateCertificate.loadPEM(
open(self.options['cert']).read() +
open(self.options['key']).read())
factory = TLSMemoryBIOFactory(privateCert.options(), False,
factory)
def getCAPrivateCert():
l_privatePath = FilePath(b"ca-private-cert.pem")
if l_privatePath.exists():
return PrivateCertificate.loadPEM(l_privatePath.getContent())
else:
l_caKey = KeyPair.generate(size=4096)
l_caCert = l_caKey.selfSignedCert(1, CN="the-authority")
l_privatePath.setContent(l_caCert.dumpPEM())
return l_caCert
def getCAPrivateCert():
privatePath = FilePath(b"ca-private-cert.pem")
if privatePath.exists():
return PrivateCertificate.loadPEM(privatePath.getContent())
else:
caKey = KeyPair.generate(size=4096)
caCert = caKey.selfSignedCert(1, CN="the-authority")
privatePath.setContent(caCert.dumpPEM())
return caCert
def addSubprocesses(self, fds, name, factory):
super(HendrixDeploySSL, self).addSubprocesses(fds, name, factory)
if name == 'main_web_ssl':
privateCert = PrivateCertificate.loadPEM(
open(self.options['cert']).read() + open(self.options['key']).read()
)
factory = TLSMemoryBIOFactory(
privateCert.options(), False, factory
)
def main(reactor):
pemBytes = FilePath(b"ca-private-cert.pem").getContent()
certificateAuthority = Certificate.loadPEM(pemBytes)
myCertificate = PrivateCertificate.loadPEM(pemBytes)
serverEndpoint = SSL4ServerEndpoint(
reactor, 4321, myCertificate.options(certificateAuthority)
)
serverEndpoint.listen(Factory.forProtocol(ReportWhichClient))
return Deferred()
def getContextFactory(self):
if SSL is None:
raise RuntimeError("No SSL support: you need to install OpenSSL.")
cert = PrivateCertificate.loadPEM(self.certificatePath.open().read())
certOpts = CertificateOptions(cert.privateKey.original,
cert.original,
requireCertificate=False,
method=SSL.SSLv23_METHOD)
return certOpts
def createCertOptions(server): pk = None cert = None if server.cert: pc = PrivateCertificate.loadPEM(open(server.cert,"rb").read()) pk = pc.privateKey.original cert = pc.original tr = platformTrust() if server.verify else None return CertificateOptions(privateKey=pk, certificate=cert, trustRoot=tr)
def main(reactor):
pem = generate_certs.and_generate()
caPem = FilePath(b"ca-private-cert.pem").getContent()
clientEndpoint = SSL4ClientEndpoint(
reactor,
u"localhost",
4321,
optionsForClientTLS(u"the-authority", Certificate.loadPEM(caPem),
PrivateCertificate.loadPEM(pem)),
)
clientEndpoint = SSL4ClientEndpoint(
reactor,
u"localhost",
4321,
optionsForClientTLS(u"the-authority", Certificate.loadPEM(caPem),
PrivateCertificate.loadPEM(pem)),
)
proto = yield clientEndpoint.connect(Factory.forProtocol(SendAnyData))
yield proto.deferred
def open(self, port=None, cert=None):
'''
Listen for connections on the given port.
'''
port = port if port else self.port
cert = cert if cert else self.certCa
ca = Certificate.loadPEM(cert)
myCertificate = PrivateCertificate.loadPEM(cert)
SSL4ServerEndpoint(reactor, port, myCertificate.options(ca)).listen(RiffleServerFactory(self))
def getContextFactory(self):
if SSL is None:
raise RuntimeError("No SSL support: you need to install OpenSSL.")
cert = PrivateCertificate.loadPEM(
self.certificatePath.open().read())
certOpts = CertificateOptions(
cert.privateKey.original,
cert.original,
requireCertificate=False,
method=SSL.SSLv23_METHOD)
return certOpts
def start_ssl_cmd_server():
with open(settings["Agent_Cert"], 'r') as certfile:
certdata = certfile.read()
if settings["Agent_Priv_Key"] != settings["Agent_Cert"]:
with open(settings.get("Agent_Priv_Key"), 'r') as keyfile:
certdata += keyfile.read()
with open(settings.get("Broker_Cert"), 'r') as f:
authdata = f.read()
certificate = PrivateCertificate.loadPEM(certdata)
authority = Certificate.loadPEM(authdata)
factory = Factory.forProtocol(CommandHandler)
reactor.listenSSL(int(settings.get("Command_Port")), factory, certificate.options(authority))
def start_ssl_cmd_server():
with open(settings["Agent_Cert"], 'r') as certfile:
certdata = certfile.read()
if settings["Agent_Priv_Key"] != settings["Agent_Cert"]:
with open(settings.get("Agent_Priv_Key"), 'r') as keyfile:
certdata += keyfile.read()
with open(settings.get("Broker_Cert"), 'r') as f:
authdata = f.read()
certificate = PrivateCertificate.loadPEM(certdata)
authority = Certificate.loadPEM(authdata)
factory = Factory.forProtocol(CommandHandler)
reactor.listenSSL(int(settings.get("Command_Port")), factory,
certificate.options(authority))
def start(self, fd=None):
pids = [str(os.getpid())] # script pid
if fd is None:
# anything in this block is only run once
# TODO add global services here, possibly add a services kwarg on
# __init__
self.addGlobalServices()
self.hendrix.startService()
if self.options['workers']:
# Create a new listening port and several other processes to help out.
childFDs = {0: 0, 1: 1, 2: 2}
self.fds = {}
for name in self.servers:
port = self.hendrix.get_port(name)
fd = port.fileno()
childFDs[fd] = fd
self.fds[name] = fd
args = self.getSpawnArgs()
transports = []
for i in range(self.options['workers']):
transport = reactor.spawnProcess(
None, executable, args, childFDs=childFDs, env=environ
)
transports.append(transport)
pids.append(str(transport.pid))
with open(self.pid, 'w') as pid_file:
pid_file.write('\n'.join(pids))
else:
# Another process created the port, drop the tcp service and
# just start listening on it.
fds = pickle.loads(fd)
factories = {}
for name in self.servers:
factory = self.disownService(name)
factories[name] = factory
self.hendrix.startService()
for name, factory in factories.iteritems():
if name == 'main_web_ssl':
privateCert = PrivateCertificate.loadPEM(
open(self.options['cert']).read() + open(self.options['key']).read()
)
factory = TLSMemoryBIOFactory(
privateCert.options(), False, factory
)
port = reactor.adoptStreamPort(fds[name], AF_INET, factory)
reactor.run()
def create_agent(ca_cert, client_cert, client_key):
ca_certificate = Certificate.loadPEM(FilePath(ca_cert).getContent())
client_certificate = PrivateCertificate.loadPEM(
FilePath(client_cert).getContent() + b"\n" +
FilePath(client_key).getContent())
customPolicy = BrowserLikePolicyForHTTPSWithClientCertificate(
trustRoot=ca_certificate,
clientCertificate=client_certificate)
pool = HTTPConnectionPool(reactor, persistent=True)
agent = Agent(reactor, customPolicy, pool=pool)
return agent
def __init__(self, uri, verify, timeout=600, reactor=reactor, clientCert=None):
Resource.__init__(self)
self._uri = URLPath.fromString(uri)
self._verify = verify
self._timeout = timeout
self._reactor = reactor
pool = HTTPConnectionPool(reactor)
if clientCert is not None:
clientCert = PrivateCertificate.loadPEM(
FilePath(clientCert).getContent())
self._agent = Agent(
reactor,
StupidPolicyForHTTPS(InsecureTLSOptions(clientCert)),
pool=pool)
def create_agent(ca_cert, client_cert, client_key):
ca_certificate = Certificate.loadPEM(FilePath(ca_cert).getContent())
client_certificate = PrivateCertificate.loadPEM(
FilePath(client_cert).getContent() + b"\n" +
FilePath(client_key).getContent())
customPolicy = BrowserLikePolicyForHTTPSWithClientCertificate(
trustRoot=ca_certificate, clientCertificate=client_certificate)
pool = HTTPConnectionPool(reactor, persistent=True)
pool.maxPersistentPerHost = CONNECTION_COUNT
agent = Agent(reactor, customPolicy, pool=pool)
return agent
def from_paths(
cls, endpoint, private_key_path: FilePath, cert_path: FilePath
) -> "_TLSEndpointWrapper":
"""
Create an endpoint with the given private key and certificate paths on
the filesystem.
"""
certificate = Certificate.loadPEM(cert_path.getContent()).original
private_key = PrivateCertificate.loadPEM(
cert_path.getContent() + b"\n" + private_key_path.getContent()
).privateKey.original
certificate_options = CertificateOptions(
privateKey=private_key, certificate=certificate
)
return cls(endpoint=endpoint, context_factory=certificate_options)
def test_authenticateSucceed(self):
"""
L{authenticateRequest} returns C{True} if the provided client
certificate has a matching hostname.
"""
privateCert = PrivateCertificate.loadPEM(
FilePath(__file__).sibling(b'data').child(b'test.cert').getContent())
self.assertEqual(
privateCert.original.get_subject().commonName, b'localhost')
options = CertificateOptions(
privateKey=privateCert.privateKey.original,
certificate=privateCert.original)
request = self.createRequest(options)
self.assertEqual(True, authenticateRequest(request, u'localhost'))
def test_handshakeFailure(self):
"""
L{TLSMemoryBIOProtocol} reports errors in the handshake process to the
application-level protocol object using its C{connectionLost} method
and disconnects the underlying transport.
"""
clientConnectionLost = Deferred()
clientFactory = ClientFactory()
clientFactory.protocol = (
lambda: ConnectionLostNotifyingProtocol(
clientConnectionLost))
clientContextFactory = HandshakeCallbackContextFactory()
wrapperFactory = TLSMemoryBIOFactory(
clientContextFactory, True, clientFactory)
sslClientProtocol = wrapperFactory.buildProtocol(None)
serverConnectionLost = Deferred()
serverFactory = ServerFactory()
serverFactory.protocol = (
lambda: ConnectionLostNotifyingProtocol(
serverConnectionLost))
# This context factory rejects any clients which do not present a
# certificate.
certificateData = FilePath(certPath).getContent()
certificate = PrivateCertificate.loadPEM(certificateData)
serverContextFactory = certificate.options(certificate)
wrapperFactory = TLSMemoryBIOFactory(
serverContextFactory, False, serverFactory)
sslServerProtocol = wrapperFactory.buildProtocol(None)
connectionDeferred = loopbackAsync(sslServerProtocol, sslClientProtocol)
def cbConnectionLost(protocol):
# The connection should close on its own in response to the error
# induced by the client not supplying the required certificate.
# After that, check to make sure the protocol's connectionLost was
# called with the right thing.
protocol.lostConnectionReason.trap(Error)
clientConnectionLost.addCallback(cbConnectionLost)
serverConnectionLost.addCallback(cbConnectionLost)
# Additionally, the underlying transport should have been told to
# go away.
return gatherResults([
clientConnectionLost, serverConnectionLost,
connectionDeferred])
def agent_call(url_trustRoot):
url, trustRoot = url_trustRoot
if trustRoot:
customPolicy = BrowserLikePolicyForHTTPS(
PrivateCertificate.loadPEM(trustRoot))
agent = Agent(reactor, customPolicy)
else:
agent = Agent(reactor)
headers = Headers({
'User-Agent': ['Twisted Webbot'],
'Content-Type': ['text/x-greeting']
})
d = agent.request('HEAD', url, headers=headers)
return d
def test_handshakeFailure(self):
"""
L{TLSMemoryBIOProtocol} reports errors in the handshake process to the
application-level protocol object using its C{connectionLost} method
and disconnects the underlying transport.
"""
clientConnectionLost = Deferred()
clientFactory = ClientFactory()
clientFactory.protocol = (
lambda: ConnectionLostNotifyingProtocol(clientConnectionLost))
clientContextFactory = HandshakeCallbackContextFactory()
wrapperFactory = TLSMemoryBIOFactory(clientContextFactory, True,
clientFactory)
sslClientProtocol = wrapperFactory.buildProtocol(None)
serverConnectionLost = Deferred()
serverFactory = ServerFactory()
serverFactory.protocol = (
lambda: ConnectionLostNotifyingProtocol(serverConnectionLost))
# This context factory rejects any clients which do not present a
# certificate.
certificateData = FilePath(certPath).getContent()
certificate = PrivateCertificate.loadPEM(certificateData)
serverContextFactory = certificate.options(certificate)
wrapperFactory = TLSMemoryBIOFactory(serverContextFactory, False,
serverFactory)
sslServerProtocol = wrapperFactory.buildProtocol(None)
connectionDeferred = loopbackAsync(sslServerProtocol,
sslClientProtocol)
def cbConnectionLost(protocol):
# The connection should close on its own in response to the error
# induced by the client not supplying the required certificate.
# After that, check to make sure the protocol's connectionLost was
# called with the right thing.
protocol.lostConnectionReason.trap(Error)
clientConnectionLost.addCallback(cbConnectionLost)
serverConnectionLost.addCallback(cbConnectionLost)
# Additionally, the underlying transport should have been told to
# go away.
return gatherResults(
[clientConnectionLost, serverConnectionLost, connectionDeferred])
def _serviceDescription(self):
"""
Produce a description of the service we should start.
"""
ca = Certificate.loadPEM(
FilePath(self.caPath.encode('utf-8')).getContent())
certBytes = FilePath(self.certPath.encode('utf-8')).getContent()
cert = PrivateCertificate.loadPEM(certBytes)
# Can't use PrivateCertificate.options until Twisted #6361 is fixed
options = CertificateOptions(
privateKey=cert.privateKey.original,
certificate=cert.original,
trustRoot=ca,
extraCertChain=chainCerts(certBytes))
router = IndexRouter(store=self.store)
return _ServiceDescription(
reactor=reactor, port=self.port, interface=self.interface,
options=options, router=router)
def _get_ssl_context(self):
client_ca = get_certificate(self.client_ca_cert_path)
if not client_ca:
try:
ca = mTLS.generate_new_certificate(is_ca_generation_request=True, ca_cert_path=self.client_ca_cert_path, username="******")
if ca is not None:
save_certificate(self.client_ca_cert_path, ca)
client_ca = ca
except Exception as e:
log.error("Exception: {}".format(e))
raise e
client_ca_pem = "{}\n{}".format(base64.b64decode(client_ca.get('c')), base64.b64decode(client_ca.get('k')))
certificate_authority = Certificate.loadPEM(client_ca_pem)
self.server_ca_cert_path = self.server_cert_path+"_ca"
server_cert = get_certificate(self.server_cert_path)
server_cert_ca = get_certificate(self.server_ca_cert_path)
if not server_cert:
try:
if not server_cert_ca:
ca = mTLS.generate_new_certificate(is_ca_generation_request=True, ca_cert_path=self.server_ca_cert_path, username="******")
if ca is not None:
save_certificate(self.server_ca_cert_path, ca)
_server_cert = mTLS.generate_new_certificate(ca_cert_path=self.server_ca_cert_path, username="******", ip=self.ip)
if _server_cert is not None:
save_certificate(self.server_cert_path, _server_cert)
server_cert = _server_cert
else:
raise Exception("Server Certificate generation failed. Cert:{}".format(_server_cert))
except Exception as e:
log.error("Exception: {}".format(e))
raise e
server_cert_pem = "{}\n{}".format(base64.b64decode(server_cert.get('c')), base64.b64decode(server_cert.get('k')))
server_cert = PrivateCertificate.loadPEM(server_cert_pem)
return server_cert.options(certificate_authority)
def _ssl_agent(self):
"""
Get a Twisted Agent that performs Client SSL authentication for Koji.
"""
# Load "cert" into a PrivateCertificate.
certfile = self.lookup(self.profile, 'cert')
certfile = os.path.expanduser(certfile)
with open(certfile) as certfp:
pemdata = certfp.read()
client_cert = PrivateCertificate.loadPEM(pemdata)
trustRoot = None # Use Twisted's platformTrust().
# Optionally load "serverca" into a Certificate.
servercafile = self.lookup(self.profile, 'serverca')
if servercafile:
servercafile = os.path.expanduser(servercafile)
trustRoot = RootCATrustRoot(servercafile)
policy = ClientCertPolicy(trustRoot=trustRoot, client_cert=client_cert)
return Agent(reactor, policy)
def getFactory(self):
if self.factory is None:
if self.certificateFile is not None:
cert = PrivateCertificate.loadPEM(
file(self.certificateFile).read())
certOpts = CertificateOptions(cert.privateKey.original,
cert.original,
requireCertificate=False,
method=SSL.SSLv23_METHOD)
else:
certOpts = None
self.portal = portal.Portal(
self.userbase,
[self.userbase, checkers.AllowAnonymousAccess()])
self.factory = ESMTPFactory(
self.portal, self.domain, {
'CRAM-MD5': credentials.CramMD5Credentials,
'LOGIN': imap4.LOGINCredentials,
}, certOpts)
if self.debug:
self.factory = policies.TrafficLoggingFactory(
self.factory, 'smtp')
return self.factory
def loadCertificate(certData):
cert = PrivateCertificate.loadPEM(certData)
return cert
def __init__(self, pem):
if pem is None:
self._clientCertificate = None
else:
self._clientCertificate = PrivateCertificate.loadPEM(pem)
def get_client_certificate(key_file, certificate_file) -> PrivateCertificate:
with open(key_file, 'r') as key, open(certificate_file, 'r') as certificate:
pem = ''.join(key.readlines()) + ''.join(certificate.readlines())
return PrivateCertificate.loadPEM(pem)
def __init__(self, pem):
if pem is None:
self._clientCertificate = None
else:
self._clientCertificate = PrivateCertificate.loadPEM(pem)
print "Storing location %s for pseudonym %r" % (location, pseudonym)
def sanitize(self):
''' Delete old pseudonyms from database '''
now = datetime.now()
for pseudonym, value in self.database.items():
date = value[2]
diff = now - date
if diff.seconds > constants.LIFETIME:
del self.database[pseudonym]
try:
del self.paging_names[pseudonym]
except KeyError:
pass
if __name__ == "__main__":
# setup SSL
with open('ssl/localhost.pem') as keyandcert:
certificate = PrivateCertificate.loadPEM(keyandcert.read())
factory = LocationProviderFactory()
reactor.listenSSL(constants.L.port, factory, certificate.options())
reactor.connectTCP(constants.N.ip, constants.N.port, NetworkConnector(factory))
sanitizing = task.LoopingCall(factory.sanitize)
sanitizing.start(3, False) # once a minute
reactor.run()
# XXX: Broadcast fuehrt zu erkennbarer Information
def load_options(path):
certificate = open(join(path, Certificate.CERTIFICATE_FILE), "rb").read() + \
open(join(path, Certificate.PRIVATE_KEY_FILE), "rb").read()
pem = PrivateCertificate.loadPEM(certificate)
return pem.options()
from twisted import plugins
from twisted.python.modules import getModule
from twisted.python.filepath import FilePath
pemPath = getModule("twisted.test").filePath.sibling("server.pem")
casPath = getModule(__name__).filePath.sibling("fake_CAs")
escapedPEMPathName = endpoints.quoteStringArgument(pemPath.path)
escapedCAsPathName = endpoints.quoteStringArgument(casPath.path)
try:
from twisted.test.test_sslverify import makeCertificate
from twisted.internet.ssl import CertificateOptions, Certificate, \
KeyPair, PrivateCertificate
from OpenSSL.SSL import ContextType
testCertificate = Certificate.loadPEM(pemPath.getContent())
testPrivateCertificate = PrivateCertificate.loadPEM(pemPath.getContent())
skipSSL = False
except ImportError:
skipSSL = "OpenSSL is required to construct SSL Endpoints"
class TestProtocol(Protocol):
"""
Protocol whose only function is to callback deferreds on the
factory when it is connected or disconnected.
"""
def __init__(self):
self.data = []
self.connectionsLost = []
self.connectionMadeCalls = 0
def creatorForNetloc(self, hostname, port):
client_cert = PrivateCertificate.loadPEM(pkcs12.pkey_pem + pkcs12.cert_pem)
return ssl.optionsForClientTLS(pkcs12.hostname,
clientCertificate=client_cert)
from twisted.test.proto_helpers import (
MemoryReactor, RaisingMemoryReactor, StringTransport)
from twisted.internet.protocol import ClientFactory, Protocol
from twisted.internet.address import IPv4Address, IPv6Address
from twisted.internet import (_endpointspy3 as endpoints, error, defer,
interfaces, reactor)
from twisted.test import __file__ as testInitPath
pemPath = FilePath(testInitPath.encode("utf-8")).sibling(b"server.pem")
try:
from twisted.test.test_sslverify import makeCertificate
from twisted.internet.ssl import (CertificateOptions, Certificate,
PrivateCertificate)
testCertificate = Certificate.loadPEM(pemPath.getContent())
testPrivateCertificate = PrivateCertificate.loadPEM(pemPath.getContent())
skipSSL = False
except ImportError:
skipSSL = "OpenSSL is required to construct SSL Endpoints"
class TestProtocol(Protocol):
"""
Protocol whose only function is to callback deferreds on the
factory when it is connected or disconnected.
"""
def __init__(self):
self.data = []
self.connectionsLost = []
def loadCertificate(certData):
cert = PrivateCertificate.loadPEM(certData)
return cert
