def __init__(self, config): self._config = config # Check if we're using a custom list of a CA certificates trust_root = config.federation_ca_trust_root if trust_root is None: # Use CA root certs provided by OpenSSL trust_root = platformTrust() # "insecurelyLowerMinimumTo" is the argument that will go lower than # Twisted's default, which is why it is marked as "insecure" (since # Twisted's defaults are reasonably secure). But, since Twisted is # moving to TLS 1.2 by default, we want to respect the config option if # it is set to 1.0 (which the alternate option, raiseMinimumTo, will not # let us do). minTLS = _TLS_VERSION_MAP[config.federation_client_minimum_tls_version] self._verify_ssl = CertificateOptions(trustRoot=trust_root, insecurelyLowerMinimumTo=minTLS) self._verify_ssl_context = self._verify_ssl.getContext() self._verify_ssl_context.set_info_callback(self._context_info_cb) self._no_verify_ssl = CertificateOptions( insecurelyLowerMinimumTo=minTLS) self._no_verify_ssl_context = self._no_verify_ssl.getContext() self._no_verify_ssl_context.set_info_callback(self._context_info_cb)
def __init__(self, config): self._config = config self._options_noverify = CertificateOptions() # Check if we're using a custom list of a CA certificates trust_root = config.federation_ca_trust_root if trust_root is None: # Use CA root certs provided by OpenSSL trust_root = platformTrust() self._options_verify = CertificateOptions(trustRoot=trust_root)
def setUp(self): """ Set up client and server SSL contexts for use later. """ self.sKey, self.sCert = makeCertificate(O="Server Test Certificate", CN="server") self.cKey, self.cCert = makeCertificate(O="Client Test Certificate", CN="client") self.serverSSLContext = CertificateOptions(privateKey=self.sKey, certificate=self.sCert, requireCertificate=False) self.clientSSLContext = CertificateOptions(requireCertificate=False)
def __init__(self, config): self._config = config # Check if we're using a custom list of a CA certificates trust_root = config.federation_ca_trust_root if trust_root is None: # Use CA root certs provided by OpenSSL trust_root = platformTrust() self._verify_ssl_context = CertificateOptions( trustRoot=trust_root).getContext() self._verify_ssl_context.set_info_callback(self._context_info_cb) self._no_verify_ssl_context = CertificateOptions().getContext() self._no_verify_ssl_context.set_info_callback(self._context_info_cb)
def get_context_factory(cert_path, pkey_path): """OpenSSL context factory. Generates an OpenSSL context factory using Twisted's CertificateOptions class. This will keep a server cipher order. Args: cert_path (string): The path to the certificate file pkey_path (string): The path to the private key file Returns: twisted.internet.ssl.CertificateOptions: An OpenSSL context factory """ with open(cert_path) as cert: certificate = Certificate.loadPEM(cert.read()).original with open(pkey_path) as pkey: private_key = KeyPair.load(pkey.read(), FILETYPE_PEM).original ciphers = AcceptableCiphers.fromOpenSSLCipherString(TLS_CIPHERS) cert_options = CertificateOptions( privateKey=private_key, certificate=certificate, raiseMinimumTo=TLSVersion.TLSv1_2, acceptableCiphers=ciphers, ) ctx = cert_options.getContext() ctx.use_certificate_chain_file(cert_path) ctx.set_options(SSL_OP_NO_RENEGOTIATION) return cert_options
def creatorForNetloc(self, hostname, port): certificateOptions = CertificateOptions( trustRoot=self._trustRoot) return PermissiveClientTLSOptions( hostname.decode("ascii"), certificateOptions.getContext())
def getContextFactory(self): if SSL is None: raise RuntimeError("No SSL support: you need to install OpenSSL.") cert = PrivateCertificate.loadPEM(self.certificatePath.open().read()) certOpts = CertificateOptions(cert.privateKey.original, cert.original, requireCertificate=False, method=SSL.SSLv23_METHOD) return certOpts
def createCertOptions(server): pk = None cert = None if server.cert: pc = PrivateCertificate.loadPEM(open(server.cert,"rb").read()) pk = pc.privateKey.original cert = pc.original tr = platformTrust() if server.verify else None return CertificateOptions(privateKey=pk, certificate=cert, trustRoot=tr)
def __init__(self): self.running = False # open/create poloniex database, ticker collection/table self.db = MongoClient().poloniex['ticker'] # thread namespace self._appProcess = None self._appRunner = ApplicationRunner(u"wss://api.poloniex.com:443", u"realm1", ssl=CertificateOptions())
def __init__(self, mapping): self.mapping = mapping self._negotiationDataForContext = collections.defaultdict( _NegotiationData) try: self.context = self.mapping['DEFAULT'].getContext() except KeyError: self.context = CertificateOptions().getContext() self.context.set_tlsext_servername_callback(self.selectContext)
def start_responding(self, server_name, challenge, response): """ Put a context into the mapping. """ server_name = response.z_domain.decode('ascii') cert, pkey = generate_tls_sni_01_cert( server_name, _generate_private_key=self._generate_private_key) server_name = server_name.encode('utf-8') self._challenge_options[server_name] = CertificateOptions( certificate=cert_cryptography_to_pyopenssl(cert), privateKey=key_cryptography_to_pyopenssl(pkey))
def test_snimap_default(self): """ SNIMap preferentially loads the DEFAULT value from the mapping if it's present. """ options = CertificateOptions() mapping = {'DEFAULT': options} sni_map = SNIMap(mapping) conn = sni_map.serverConnectionForTLS(protocol.Protocol()) self.assertIs(conn.get_context()._obj, options.getContext())
def __init__(self, settings, crawler=None): self.crawler = crawler self.default_maxsize = settings.getint('DOWNLOAD_MAXSIZE') self.default_warnsize = settings.getint('DOWNLOAD_WARNSIZE') self.fail_on_dataloss = settings.getbool('DOWNLOAD_FAIL_ON_DATALOSS') self.context_factory = CertificateOptions( verify=False, raiseMinimumTo=TLSVersion.TLSv1_2, fixBrokenPeers=True, )
def test_snimap_makes_its_own_defaults(self): """ If passed a mapping without a DEFAULT key, SNIMap will make its own default context. """ options = CertificateOptions() mapping = {'example.com': options} sni_map = SNIMap(mapping) conn = sni_map.serverConnectionForTLS(protocol.Protocol()) self.assertIsNot(conn.get_context(), options.getContext()) self.assertIsNotNone(conn.get_context())
def getCertificateOptions(self): from OpenSSL import crypto v1 = crypto.load_privatekey( crypto.FILETYPE_PEM, open('/Users/wupeiqi/client.key.unsecure', mode='r').read()) v2 = crypto.load_certificate( crypto.FILETYPE_PEM, open('/Users/wupeiqi/client.pem', mode='r').read()) return CertificateOptions( privateKey=v1, # pKey对象 certificate=v2, # X509对象 verify=False, method=getattr(self, 'method', getattr(self, '_ssl_method', None)))
def _default_options(self, trust_root): """ Construct a ``CertificateOptions`` that exposes this credential's certificate and keypair. :param trust_root: Trust root to pass to ``CertificateOptions``. :return: ``CertificateOptions`` instance with CA validation configured. """ key = self.credential.keypair.keypair.original certificate = self.credential.certificate.original return CertificateOptions( privateKey=key, certificate=certificate, trustRoot=trust_root)
def from_paths( cls, endpoint, private_key_path: FilePath, cert_path: FilePath ) -> "_TLSEndpointWrapper": """ Create an endpoint with the given private key and certificate paths on the filesystem. """ certificate = Certificate.loadPEM(cert_path.getContent()).original private_key = PrivateCertificate.loadPEM( cert_path.getContent() + b"\n" + private_key_path.getContent() ).privateKey.original certificate_options = CertificateOptions( privateKey=private_key, certificate=certificate ) return cls(endpoint=endpoint, context_factory=certificate_options)
def getCertificateOptions(self): # setting verify=True will require you to provide CAs # to verify against; in other words: it's not that simple # backward-compatible SSL/TLS method: # # * this will respect `method` attribute in often recommended # `ScrapyClientContextFactory` subclass # (https://github.com/scrapy/scrapy/issues/1429#issuecomment-131782133) # # * getattr() for `_ssl_method` attribute for context factories # not calling super(..., self).__init__ return CertificateOptions(verify=False, method=getattr(self, 'method', getattr(self, '_ssl_method', None)))
def start_ssl(self): log.debug("Enabling SSL with PKey: %s, Cert: %s", self.pkey, self.cert) check_ssl_keys() with open(configmanager.get_config_dir(self.cert)) as cert: certificate = Certificate.loadPEM(cert.read()).original with open(configmanager.get_config_dir(self.pkey)) as pkey: private_key = KeyPair.load(pkey.read(), FILETYPE_PEM).original options = CertificateOptions(privateKey=private_key, certificate=certificate, method=SSL.SSLv23_METHOD) ctx = options.getContext() ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3) ctx.use_certificate_chain_file(configmanager.get_config_dir(self.cert)) self.socket = reactor.listenSSL(self.port, self.site, options, interface=self.interface) log.info("Serving on %s:%s view at https://%s:%s", self.interface, self.port, self.interface, self.port)
def __init__(self): # Use CA root certs provided by OpenSSL trust_root = platformTrust() # "insecurelyLowerMinimumTo" is the argument that will go lower than # Twisted's default, which is why it is marked as "insecure" (since # Twisted's defaults are reasonably secure). But, since Twisted is # moving to TLS 1.2 by default, we want to respect the config option if # it is set to 1.0 (which the alternate option, raiseMinimumTo, will not # let us do). minTLS = TLSVersion.TLSv1_2 self._verify_ssl = CertificateOptions(trustRoot=trust_root, insecurelyLowerMinimumTo=minTLS) self._verify_ssl_context = self._verify_ssl.getContext() self._verify_ssl_context.set_info_callback(self._context_info_cb)
def __init__(self): """ Sets defaults for all required options. These can be altered as required, and implementation-specific settings added """ self.host="localhost" """ :annotation = "localhost": defaults to "localhost". At this time MumbleClient is ipv4 only """ self.port=64738 self.nickname="MumblePythonBot" self.SSLOptions=CertificateOptions() self.password=None
def main(component, auto_reconnect=True): crossbar_host = os.getenv('CROSSBAR_HOST', 'localhost') with open( os.path.join(CommonSession.mdstudio_root_path(), '../data/crossbar/server_cert.pem'), 'r') as f: cert_data = f.read().encode('utf-8') cert = ssl.Certificate.loadPEM(cert_data) options = CertificateOptions(caCerts=[cert]) print('Connecting to host: {}'.format(crossbar_host)) runner = ApplicationRunner(u"wss://{}:8080/ws".format(crossbar_host), u"mdstudio", ssl=options) def start_component(config): logdir = os.path.join(component.component_root_path(), 'logs') if not os.path.exists(logdir): os.makedirs(logdir) gitignorepath = os.path.join(logdir, '.gitignore') if not os.path.isfile(gitignorepath): with open(gitignorepath, 'w') as f: f.write('*') log_file = DailyLogFile('daily.log', logdir) # twisted.python.log.addObserver(log_critical) twisted.python.log.addObserver(PrintingLogObserver(log_file)) print(ascii_brand) print('Crossbar host is: {}'.format(crossbar_host)) session = component(config) # type: CommonSession return session try: runner.run(start_component, auto_reconnect=auto_reconnect, start_reactor=not reactor.running, log_level='info') finally: if reactor.running: reactor.stop()
def test_verification(crypto_crossbar, request, self_signed_cert): """ Run a session with my own cert. """ privkey, certfile = self_signed_cert # load our self-signed cert as the only certificate-authority with open(certfile, 'r') as crt: cert = crypto.load_certificate(crypto.FILETYPE_PEM, crt.read()) options = CertificateOptions(caCerts=[cert]) d = functest_session(url=u"wss://localhost:6464/tls_ws", realm=u"auth_realm", ssl=options) results = yield DeferredList([d, sleep(5)], fireOnOneCallback=True, fireOnOneErrback=True) assert d.called, "timed out without connecting successfully"
def check_tls_config(self, ca_key, ca_cert, get_kubernetes): """ Verify that a TLS server configured with the given key and certificate and the Kubernetes client returned by ``get_kubernetes`` can negotiate a TLS connection. """ # Set up an HTTPS server that requires the certificate chain from the # configuration file. This, because there's no way to pry inside a # Context and inspect its state nor any easy way to make Agent talk # over an in-memory transport. from twisted.internet import reactor endpoint = SSL4ServerEndpoint( reactor, 0, CertificateOptions( privateKey=ca_key.original, certificate=ca_cert.original, trustRoot=trustRootFromCertificates([ca_cert]), ), ) root = Resource() root.putChild(b"", Data(b"success", "text/plain")) # Construct the Kubernetes client objects with a Redirectable reactor. # This is necessary because the URL we pass to the Agent we get needs # to agree with the configuration file that was already written (or it # won't select the right client certificate). Just one of the many # reasons it would be better if we didn't have to do real networking # here. redirectable = Redirectable(reactor) client = get_kubernetes(redirectable).client() agent = client.agent d = endpoint.listen(Site(root)) def listening(port): self.addCleanup(port.stopListening) redirectable.set_redirect(port.getHost().host, port.getHost().port) url = b"https://127.0.0.1:8443/" return agent.request(b"GET", url) d.addCallback(listening) return d
def main(reactor, duration): chunkSize = 16384 server = ServerFactory() server.protocol = Echo port = reactor.listenSSL(0, server, cert.options()) client = Client( reactor, SSL4ClientEndpoint( reactor, '127.0.0.1', port.getHost().port, CertificateOptions( verify=True, requireCertificate=True, caCerts=[cert.original]))) d = client.run(duration, chunkSize) def cleanup(passthrough): d = port.stopListening() d.addCallback(lambda ignored: passthrough) return d d.addCallback(cleanup) return d
def __init__(self, url, bot): self.__bot = bot self.__component = Component( realm=u'realm1', transports=[{ 'endpoint': { 'type': 'tcp', 'host': u'api.poloniex.com', 'port': 443, 'tls': CertificateOptions() }, 'type': 'websocket', 'url': url, 'options': { 'open_handshake_timeout': 60.0 } }] )
def test_untrusted_selfsigned(crypto_crossbar, request, self_signed_cert): """ Confirm we *don't* connect to untrusted server. """ (privkey, certfile) = self_signed_cert # load our self-signed cert as the only certificate-authority with open(certfile, 'r') as crt: cert = crypto.load_certificate(crypto.FILETYPE_PEM, crt.read()) options = CertificateOptions(caCerts=[cert]) # letting the defaults go through, which should mean we don't trust this connection d = functest_session(url=u"wss://localhost:6464/tls_ws", realm=u"auth_realm") timeout = sleep(5) results = yield DeferredList([d, timeout], fireOnOneCallback=True, fireOnOneErrback=True) # results in a 2-tuple: (result, index of Deferred that fired) assert results[1] is 1, "shouldn't have connected successfully"
def test_client_close(crypto_crossbar, request, self_signed_cert, close_style): """ is sendClose() sufficient to actually-close underlying transport? """ (privkey, certfile) = self_signed_cert # load our self-signed cert as the only certificate-authority with open(certfile, 'r') as crt: cert = crypto.load_certificate(crypto.FILETYPE_PEM, crt.read()) options = CertificateOptions(caCerts=[cert]) existing = Process().connections() sessions = [] for x in range(10): session = yield functest_session( url=u"wss://localhost:6464/tls_ws", realm=u"auth_realm", ssl=options, ) sessions.append(session) yield sleep(1) # overkill? let sessions start for-sure started = Process().connections() assert len(started) - len(existing) == 10 for session in sessions: assert session._transport is not None if close_style == 'session.leave': yield session.leave() elif close_style == 'transport.close': yield session._transport.close() elif close_style == 'transport.sendClose': session._transport.sendClose() else: raise RuntimeError("Unknown close_style from paramtrize") yield sleep(1) # overkill, but make sure connections can close finished = Process().connections() assert len(finished) == len(existing)
def certificateOptionsFromPileOfPEM(pemdata): objects = objectsFromPEM(pemdata) if len(objects.keys) != 1: raise ValueError("Expected 1 private key, found %d" % tuple([len(objects.keys)])) privateKey = objects.keys[0] certificatesByFingerprint = dict([(certificate.getPublicKey().keyHash(), certificate) for certificate in objects.certificates]) if privateKey.keyHash() not in certificatesByFingerprint: raise ValueError("No certificate matching %s found") openSSLCert = certificatesByFingerprint.pop(privateKey.keyHash()).original openSSLKey = privateKey.original openSSLChain = [c.original for c in certificatesByFingerprint.values()] return CertificateOptions(certificate=openSSLCert, privateKey=openSSLKey, extraCertChain=openSSLChain)
def start_ssl(self): check_ssl_keys() log.debug('Enabling SSL with PKey: %s, Cert: %s', self.pkey, self.cert) with open(configmanager.get_config_dir(self.cert)) as cert: certificate = Certificate.loadPEM(cert.read()).original with open(configmanager.get_config_dir(self.pkey)) as pkey: private_key = KeyPair.load(pkey.read(), FILETYPE_PEM).original options = CertificateOptions(privateKey=private_key, certificate=certificate, method=SSL.SSLv23_METHOD) ctx = options.getContext() ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3) ctx.use_certificate_chain_file(configmanager.get_config_dir(self.cert)) self.socket = reactor.listenSSL(self.port, self.site, options, interface=self.interface) ip = self.socket.getHost().host ip = '[%s]' % ip if is_ipv6(ip) else ip log.info('Serving at https://%s:%s%s', ip, self.port, self.base)