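def _createSSLEngine(self, addr, hostname=None, cert_file=None, key_file=None, server_side=False):
    """Build the Netty ``SSLEngine`` for one connection.

    Args:
        addr: ``(host, port)`` pair of the peer.  ``addr[1]`` is always
            handed to Netty as the peer port; ``addr[0]`` is used as the
            peer host only when hostname checking is off.
        hostname: server name used for SNI and HTTPS endpoint
            identification.  Required whenever ``self._check_hostname``
            is set.
        cert_file: passed through to ``_get_openssl_key_manager`` when the
            context carries no key managers of its own.
        key_file: likewise.
        server_side: selects ``SslContextBuilder.forServer`` (needs key
            material) or ``SslContextBuilder.forClient``.

    Returns:
        The configured ``javax.net.ssl.SSLEngine``.

    Raises:
        ValueError: ``check_hostname`` is enabled but *hostname* is empty
            (same message CPython's ``ssl`` uses), or a server-side engine
            was requested with no key material at all.
    """
    if self._check_hostname and not hostname:
        # Endpoint identification and SNI both need a name to match the
        # peer certificate against.  Without one the check cannot be
        # honoured (and SNIHostName(None) would fail later anyway), so
        # refuse up front rather than build an engine that looks verified.
        raise ValueError("check_hostname requires server_hostname")

    # Trust: accept anything when verification is off, otherwise wrap the
    # context's trust store in the composite factory.
    tmf = InsecureTrustManagerFactory.INSTANCE
    if self.verify_mode != CERT_NONE:
        # XXX need to refactor so we don't have to get trust managers twice
        stmf = SimpleTrustManagerFactory.getInstance(
            SimpleTrustManagerFactory.getDefaultAlgorithm())
        stmf.init(self._trust_store)
        tmf = CompositeX509TrustManagerFactory(stmf.getTrustManagers())
        tmf.init(self._trust_store)

    # Key material: the context's own key managers win; otherwise load the
    # PEM paths given to this call (both may be None for a plain client).
    kmf = self._key_managers
    if kmf is None:
        kmf = _get_openssl_key_manager(cert_file=cert_file, key_file=key_file)

    if server_side:
        if not kmf:
            # Previously this fell through to an AttributeError on a None
            # builder; make the real cause visible to the caller.
            raise ValueError("server-side SSL requires a certificate and private key")
        context_builder = SslContextBuilder.forServer(kmf)
    else:
        context_builder = SslContextBuilder.forClient()
        if kmf:
            context_builder = context_builder.keyManager(kmf)

    context_builder = context_builder.trustManager(tmf)
    context_builder = context_builder.sslProvider(SslProvider.JDK)
    # clientAuth maps the Python verify_mode onto Netty's ClientAuth enum;
    # it is only meaningful for a server but harmless to set on a client.
    context_builder = context_builder.clientAuth(_CERT_TO_CLIENT_AUTH[self.verify_mode])
    if self._ciphers is not None:
        context_builder = context_builder.ciphers(self._ciphers)
    context = context_builder.build()

    if self._check_hostname:
        engine = context.newEngine(ByteBufAllocator.DEFAULT, hostname, addr[1])
        if HAS_SNI:
            # Let the JDK do RFC 2818 style hostname matching and advertise
            # the name via SNI.
            params = engine.getSSLParameters()
            params.setEndpointIdentificationAlgorithm('HTTPS')
            params.setServerNames([SNIHostName(hostname)])
            engine.setSSLParameters(params)
        # NOTE(review): on a JDK without SNI support nothing here switches
        # endpoint identification on, so check_hostname is not enforced by
        # this code on that platform -- confirm what the caller relies on.
    else:
        engine = context.newEngine(ByteBufAllocator.DEFAULT, addr[0], addr[1])
    return engine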
def _get_ca_certs_trust_manager(ca_certs=None):
    """Return a ``SimpleTrustManagerFactory`` backed by the CAs in *ca_certs*.

    A fresh in-memory ``KeyStore`` of the JVM default type is created.  If
    *ca_certs* is given, every X.509 certificate the file yields is added
    under a random UUID alias (aliases only need to be unique).  The factory
    is initialised with that store and returned.

    Args:
        ca_certs: path to a file of CA certificates, or ``None`` for an
            empty trust store.

    Returns:
        The initialised ``SimpleTrustManagerFactory``.
    """
    store = KeyStore.getInstance(KeyStore.getDefaultType())
    store.load(None, None)

    installed = 0
    if ca_certs is not None:
        with open(ca_certs) as cert_file:
            factory = CertificateFactory.getInstance("X.509")
            parsed = factory.generateCertificates(BufferedInputStream(cert_file))
            # enumerate from 1 so `installed` ends up equal to the count.
            for installed, certificate in enumerate(parsed, 1):
                store.setCertificateEntry(str(uuid.uuid4()), certificate)

    # NOTE(review): with ca_certs=None the store is empty; what the resulting
    # trust managers accept in that case is decided by the caller's
    # composition, not here.
    factory_algorithm = SimpleTrustManagerFactory.getDefaultAlgorithm()
    trust_factory = SimpleTrustManagerFactory.getInstance(factory_algorithm)
    trust_factory.init(store)
    log.debug("Installed %s certificates", installed, extra={"sock": "*"})
    return trust_factory
def _get_ca_certs_trust_manager(ca_certs=None):
    """Build a trust manager factory from an optional CA bundle.

    Creates an empty in-memory ``KeyStore`` (JVM default type), loads each
    X.509 certificate found in *ca_certs* into it under a throwaway UUID
    alias, and initialises a ``SimpleTrustManagerFactory`` with the store.
    When *ca_certs* is ``None`` the store stays empty.

    Args:
        ca_certs: path to the certificate file, or ``None``.

    Returns:
        The initialised ``SimpleTrustManagerFactory``.
    """
    trust_store = KeyStore.getInstance(KeyStore.getDefaultType())
    trust_store.load(None, None)

    loaded = []
    if ca_certs is not None:
        with open(ca_certs) as bundle:
            x509 = CertificateFactory.getInstance("X.509")
            loaded = list(x509.generateCertificates(BufferedInputStream(bundle)))
        for certificate in loaded:
            # Aliases only need to be unique within the store.
            trust_store.setCertificateEntry(str(uuid.uuid4()), certificate)

    tmf = SimpleTrustManagerFactory.getInstance(
        SimpleTrustManagerFactory.getDefaultAlgorithm())
    tmf.init(trust_store)
    log.debug("Installed %s certificates", len(loaded), extra={"sock": "*"})
    return tmf
def _createSSLEngine(self, addr, hostname=None, cert_file=None, key_file=None, server_side=False):
    """Create the Netty ``SSLEngine`` for a connection with *addr*.

    Trust comes from ``InsecureTrustManagerFactory`` when ``verify_mode`` is
    ``CERT_NONE`` and from the context's trust store otherwise.  Key material
    is the context's key managers, or the PEM paths given here when the
    context has none.  With ``check_hostname`` on, *hostname* is handed to
    Netty as the peer host and (if the JDK supports SNI) used for HTTPS
    endpoint identification and the SNI extension; otherwise ``addr[0]`` is
    used as the peer host.

    Args:
        addr: ``(host, port)`` of the peer.
        hostname: server name for SNI / hostname verification.
        cert_file: certificate path used when no key managers are set.
        key_file: private key path used when no key managers are set.
        server_side: build a server (``forServer``) or client (``forClient``)
            context.

    Returns:
        The configured ``javax.net.ssl.SSLEngine``.
    """
    if self.verify_mode == CERT_NONE:
        trust_factory = InsecureTrustManagerFactory.INSTANCE
    else:
        # XXX need to refactor so we don't have to get trust managers twice
        simple_factory = SimpleTrustManagerFactory.getInstance(
            SimpleTrustManagerFactory.getDefaultAlgorithm())
        simple_factory.init(self._trust_store)
        trust_factory = CompositeX509TrustManagerFactory(simple_factory.getTrustManagers())
        trust_factory.init(self._trust_store)

    key_factory = self._key_managers
    if key_factory is None:
        key_factory = _get_openssl_key_manager(cert_file=cert_file, key_file=key_file)

    # A server without key material leaves `builder` as None here, which
    # surfaces as an AttributeError on the first chained call below.
    builder = None if server_side else SslContextBuilder.forClient()
    if key_factory:
        if server_side:
            builder = SslContextBuilder.forServer(key_factory)
        else:
            builder = builder.keyManager(key_factory)

    builder = (builder
               .trustManager(trust_factory)
               .sslProvider(SslProvider.JDK)
               .clientAuth(_CERT_TO_CLIENT_AUTH[self.verify_mode]))
    if self._ciphers is not None:
        builder = builder.ciphers(self._ciphers)

    verify_name = self._check_hostname
    peer_host = hostname if verify_name else addr[0]
    engine = builder.build().newEngine(ByteBufAllocator.DEFAULT, peer_host, addr[1])
    if verify_name and HAS_SNI:
        # Ask the JDK to match the peer certificate against `hostname` and
        # send it in the SNI extension.
        ssl_params = engine.getSSLParameters()
        ssl_params.setEndpointIdentificationAlgorithm('HTTPS')
        ssl_params.setServerNames([SNIHostName(hostname)])
        engine.setSSLParameters(ssl_params)
    return engine