def __init__(self, config):
self._config = config
# Check if we're using a custom list of a CA certificates
trust_root = config.federation_ca_trust_root
if trust_root is None:
# Use CA root certs provided by OpenSSL
trust_root = platformTrust()
# "insecurelyLowerMinimumTo" is the argument that will go lower than
# Twisted's default, which is why it is marked as "insecure" (since
# Twisted's defaults are reasonably secure). But, since Twisted is
# moving to TLS 1.2 by default, we want to respect the config option if
# it is set to 1.0 (which the alternate option, raiseMinimumTo, will not
# let us do).
minTLS = _TLS_VERSION_MAP[config.federation_client_minimum_tls_version]
self._verify_ssl = CertificateOptions(trustRoot=trust_root,
insecurelyLowerMinimumTo=minTLS)
self._verify_ssl_context = self._verify_ssl.getContext()
self._verify_ssl_context.set_info_callback(self._context_info_cb)
self._no_verify_ssl = CertificateOptions(
insecurelyLowerMinimumTo=minTLS)
self._no_verify_ssl_context = self._no_verify_ssl.getContext()
self._no_verify_ssl_context.set_info_callback(self._context_info_cb)
def __init__(self, config):
self._config = config
self._options_noverify = CertificateOptions()
# Check if we're using a custom list of a CA certificates
trust_root = config.federation_ca_trust_root
if trust_root is None:
# Use CA root certs provided by OpenSSL
trust_root = platformTrust()
self._options_verify = CertificateOptions(trustRoot=trust_root)
def setUp(self):
"""
Set up client and server SSL contexts for use later.
"""
self.sKey, self.sCert = makeCertificate(O="Server Test Certificate",
CN="server")
self.cKey, self.cCert = makeCertificate(O="Client Test Certificate",
CN="client")
self.serverSSLContext = CertificateOptions(privateKey=self.sKey,
certificate=self.sCert,
requireCertificate=False)
self.clientSSLContext = CertificateOptions(requireCertificate=False)
def __init__(self, config):
self._config = config
# Check if we're using a custom list of a CA certificates
trust_root = config.federation_ca_trust_root
if trust_root is None:
# Use CA root certs provided by OpenSSL
trust_root = platformTrust()
self._verify_ssl_context = CertificateOptions(
trustRoot=trust_root).getContext()
self._verify_ssl_context.set_info_callback(self._context_info_cb)
self._no_verify_ssl_context = CertificateOptions().getContext()
self._no_verify_ssl_context.set_info_callback(self._context_info_cb)
def get_context_factory(cert_path, pkey_path):
"""OpenSSL context factory.
Generates an OpenSSL context factory using Twisted's CertificateOptions class.
This will keep a server cipher order.
Args:
cert_path (string): The path to the certificate file
pkey_path (string): The path to the private key file
Returns:
twisted.internet.ssl.CertificateOptions: An OpenSSL context factory
"""
with open(cert_path) as cert:
certificate = Certificate.loadPEM(cert.read()).original
with open(pkey_path) as pkey:
private_key = KeyPair.load(pkey.read(), FILETYPE_PEM).original
ciphers = AcceptableCiphers.fromOpenSSLCipherString(TLS_CIPHERS)
cert_options = CertificateOptions(
privateKey=private_key,
certificate=certificate,
raiseMinimumTo=TLSVersion.TLSv1_2,
acceptableCiphers=ciphers,
)
ctx = cert_options.getContext()
ctx.use_certificate_chain_file(cert_path)
ctx.set_options(SSL_OP_NO_RENEGOTIATION)
return cert_options
def creatorForNetloc(self, hostname, port):
certificateOptions = CertificateOptions(
trustRoot=self._trustRoot)
return PermissiveClientTLSOptions(
hostname.decode("ascii"),
certificateOptions.getContext())
def getContextFactory(self):
if SSL is None:
raise RuntimeError("No SSL support: you need to install OpenSSL.")
cert = PrivateCertificate.loadPEM(self.certificatePath.open().read())
certOpts = CertificateOptions(cert.privateKey.original,
cert.original,
requireCertificate=False,
method=SSL.SSLv23_METHOD)
return certOpts
def createCertOptions(server): pk = None cert = None if server.cert: pc = PrivateCertificate.loadPEM(open(server.cert,"rb").read()) pk = pc.privateKey.original cert = pc.original tr = platformTrust() if server.verify else None return CertificateOptions(privateKey=pk, certificate=cert, trustRoot=tr)
def __init__(self):
self.running = False
# open/create poloniex database, ticker collection/table
self.db = MongoClient().poloniex['ticker']
# thread namespace
self._appProcess = None
self._appRunner = ApplicationRunner(u"wss://api.poloniex.com:443",
u"realm1",
ssl=CertificateOptions())
def __init__(self, mapping):
self.mapping = mapping
self._negotiationDataForContext = collections.defaultdict(
_NegotiationData)
try:
self.context = self.mapping['DEFAULT'].getContext()
except KeyError:
self.context = CertificateOptions().getContext()
self.context.set_tlsext_servername_callback(self.selectContext)
def start_responding(self, server_name, challenge, response):
"""
Put a context into the mapping.
"""
server_name = response.z_domain.decode('ascii')
cert, pkey = generate_tls_sni_01_cert(
server_name, _generate_private_key=self._generate_private_key)
server_name = server_name.encode('utf-8')
self._challenge_options[server_name] = CertificateOptions(
certificate=cert_cryptography_to_pyopenssl(cert),
privateKey=key_cryptography_to_pyopenssl(pkey))
def test_snimap_default(self):
"""
SNIMap preferentially loads the DEFAULT value from the mapping if it's
present.
"""
options = CertificateOptions()
mapping = {'DEFAULT': options}
sni_map = SNIMap(mapping)
conn = sni_map.serverConnectionForTLS(protocol.Protocol())
self.assertIs(conn.get_context()._obj, options.getContext())
def __init__(self, settings, crawler=None):
self.crawler = crawler
self.default_maxsize = settings.getint('DOWNLOAD_MAXSIZE')
self.default_warnsize = settings.getint('DOWNLOAD_WARNSIZE')
self.fail_on_dataloss = settings.getbool('DOWNLOAD_FAIL_ON_DATALOSS')
self.context_factory = CertificateOptions(
verify=False,
raiseMinimumTo=TLSVersion.TLSv1_2,
fixBrokenPeers=True,
)
def test_snimap_makes_its_own_defaults(self):
"""
If passed a mapping without a DEFAULT key, SNIMap will make its own
default context.
"""
options = CertificateOptions()
mapping = {'example.com': options}
sni_map = SNIMap(mapping)
conn = sni_map.serverConnectionForTLS(protocol.Protocol())
self.assertIsNot(conn.get_context(), options.getContext())
self.assertIsNotNone(conn.get_context())
def getCertificateOptions(self):
from OpenSSL import crypto
v1 = crypto.load_privatekey(
crypto.FILETYPE_PEM,
open('/Users/wupeiqi/client.key.unsecure', mode='r').read())
v2 = crypto.load_certificate(
crypto.FILETYPE_PEM,
open('/Users/wupeiqi/client.pem', mode='r').read())
return CertificateOptions(
privateKey=v1, # pKey对象
certificate=v2, # X509对象
verify=False,
method=getattr(self, 'method', getattr(self, '_ssl_method', None)))
def _default_options(self, trust_root):
"""
Construct a ``CertificateOptions`` that exposes this credential's
certificate and keypair.
:param trust_root: Trust root to pass to ``CertificateOptions``.
:return: ``CertificateOptions`` instance with CA validation
configured.
"""
key = self.credential.keypair.keypair.original
certificate = self.credential.certificate.original
return CertificateOptions(
privateKey=key, certificate=certificate, trustRoot=trust_root)
def from_paths(
cls, endpoint, private_key_path: FilePath, cert_path: FilePath
) -> "_TLSEndpointWrapper":
"""
Create an endpoint with the given private key and certificate paths on
the filesystem.
"""
certificate = Certificate.loadPEM(cert_path.getContent()).original
private_key = PrivateCertificate.loadPEM(
cert_path.getContent() + b"\n" + private_key_path.getContent()
).privateKey.original
certificate_options = CertificateOptions(
privateKey=private_key, certificate=certificate
)
return cls(endpoint=endpoint, context_factory=certificate_options)
def getCertificateOptions(self):
# setting verify=True will require you to provide CAs
# to verify against; in other words: it's not that simple
# backward-compatible SSL/TLS method:
#
# * this will respect `method` attribute in often recommended
# `ScrapyClientContextFactory` subclass
# (https://github.com/scrapy/scrapy/issues/1429#issuecomment-131782133)
#
# * getattr() for `_ssl_method` attribute for context factories
# not calling super(..., self).__init__
return CertificateOptions(verify=False,
method=getattr(self, 'method',
getattr(self, '_ssl_method', None)))
def start_ssl(self):
log.debug("Enabling SSL with PKey: %s, Cert: %s", self.pkey, self.cert)
check_ssl_keys()
with open(configmanager.get_config_dir(self.cert)) as cert:
certificate = Certificate.loadPEM(cert.read()).original
with open(configmanager.get_config_dir(self.pkey)) as pkey:
private_key = KeyPair.load(pkey.read(), FILETYPE_PEM).original
options = CertificateOptions(privateKey=private_key, certificate=certificate, method=SSL.SSLv23_METHOD)
ctx = options.getContext()
ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
ctx.use_certificate_chain_file(configmanager.get_config_dir(self.cert))
self.socket = reactor.listenSSL(self.port, self.site, options, interface=self.interface)
log.info("Serving on %s:%s view at https://%s:%s", self.interface, self.port, self.interface, self.port)
def __init__(self):
# Use CA root certs provided by OpenSSL
trust_root = platformTrust()
# "insecurelyLowerMinimumTo" is the argument that will go lower than
# Twisted's default, which is why it is marked as "insecure" (since
# Twisted's defaults are reasonably secure). But, since Twisted is
# moving to TLS 1.2 by default, we want to respect the config option if
# it is set to 1.0 (which the alternate option, raiseMinimumTo, will not
# let us do).
minTLS = TLSVersion.TLSv1_2
self._verify_ssl = CertificateOptions(trustRoot=trust_root,
insecurelyLowerMinimumTo=minTLS)
self._verify_ssl_context = self._verify_ssl.getContext()
self._verify_ssl_context.set_info_callback(self._context_info_cb)
def __init__(self):
"""
Sets defaults for all required options. These can be altered as required, and implementation-specific
settings added
"""
self.host="localhost"
"""
:annotation = "localhost":
defaults to "localhost". At this time MumbleClient is ipv4 only
"""
self.port=64738
self.nickname="MumblePythonBot"
self.SSLOptions=CertificateOptions()
self.password=None
def main(component, auto_reconnect=True):
crossbar_host = os.getenv('CROSSBAR_HOST', 'localhost')
with open(
os.path.join(CommonSession.mdstudio_root_path(),
'../data/crossbar/server_cert.pem'), 'r') as f:
cert_data = f.read().encode('utf-8')
cert = ssl.Certificate.loadPEM(cert_data)
options = CertificateOptions(caCerts=[cert])
print('Connecting to host: {}'.format(crossbar_host))
runner = ApplicationRunner(u"wss://{}:8080/ws".format(crossbar_host),
u"mdstudio",
ssl=options)
def start_component(config):
logdir = os.path.join(component.component_root_path(), 'logs')
if not os.path.exists(logdir):
os.makedirs(logdir)
gitignorepath = os.path.join(logdir, '.gitignore')
if not os.path.isfile(gitignorepath):
with open(gitignorepath, 'w') as f:
f.write('*')
log_file = DailyLogFile('daily.log', logdir)
# twisted.python.log.addObserver(log_critical)
twisted.python.log.addObserver(PrintingLogObserver(log_file))
print(ascii_brand)
print('Crossbar host is: {}'.format(crossbar_host))
session = component(config) # type: CommonSession
return session
try:
runner.run(start_component,
auto_reconnect=auto_reconnect,
start_reactor=not reactor.running,
log_level='info')
finally:
if reactor.running:
reactor.stop()
def test_verification(crypto_crossbar, request, self_signed_cert):
"""
Run a session with my own cert.
"""
privkey, certfile = self_signed_cert
# load our self-signed cert as the only certificate-authority
with open(certfile, 'r') as crt:
cert = crypto.load_certificate(crypto.FILETYPE_PEM, crt.read())
options = CertificateOptions(caCerts=[cert])
d = functest_session(url=u"wss://localhost:6464/tls_ws",
realm=u"auth_realm",
ssl=options)
results = yield DeferredList([d, sleep(5)],
fireOnOneCallback=True,
fireOnOneErrback=True)
assert d.called, "timed out without connecting successfully"
def check_tls_config(self, ca_key, ca_cert, get_kubernetes):
"""
Verify that a TLS server configured with the given key and certificate and
the Kubernetes client returned by ``get_kubernetes`` can negotiate a
TLS connection.
"""
# Set up an HTTPS server that requires the certificate chain from the
# configuration file. This, because there's no way to pry inside a
# Context and inspect its state nor any easy way to make Agent talk
# over an in-memory transport.
from twisted.internet import reactor
endpoint = SSL4ServerEndpoint(
reactor,
0,
CertificateOptions(
privateKey=ca_key.original,
certificate=ca_cert.original,
trustRoot=trustRootFromCertificates([ca_cert]),
),
)
root = Resource()
root.putChild(b"", Data(b"success", "text/plain"))
# Construct the Kubernetes client objects with a Redirectable reactor.
# This is necessary because the URL we pass to the Agent we get needs
# to agree with the configuration file that was already written (or it
# won't select the right client certificate). Just one of the many
# reasons it would be better if we didn't have to do real networking
# here.
redirectable = Redirectable(reactor)
client = get_kubernetes(redirectable).client()
agent = client.agent
d = endpoint.listen(Site(root))
def listening(port):
self.addCleanup(port.stopListening)
redirectable.set_redirect(port.getHost().host, port.getHost().port)
url = b"https://127.0.0.1:8443/"
return agent.request(b"GET", url)
d.addCallback(listening)
return d
def main(reactor, duration):
chunkSize = 16384
server = ServerFactory()
server.protocol = Echo
port = reactor.listenSSL(0, server, cert.options())
client = Client(
reactor,
SSL4ClientEndpoint(
reactor, '127.0.0.1', port.getHost().port,
CertificateOptions(
verify=True, requireCertificate=True, caCerts=[cert.original])))
d = client.run(duration, chunkSize)
def cleanup(passthrough):
d = port.stopListening()
d.addCallback(lambda ignored: passthrough)
return d
d.addCallback(cleanup)
return d
def __init__(self, url, bot):
self.__bot = bot
self.__component = Component(
realm=u'realm1',
transports=[{
'endpoint': {
'type': 'tcp',
'host': u'api.poloniex.com',
'port': 443,
'tls': CertificateOptions()
},
'type': 'websocket',
'url': url,
'options': {
'open_handshake_timeout': 60.0
}
}]
)
def test_untrusted_selfsigned(crypto_crossbar, request, self_signed_cert):
"""
Confirm we *don't* connect to untrusted server.
"""
(privkey, certfile) = self_signed_cert
# load our self-signed cert as the only certificate-authority
with open(certfile, 'r') as crt:
cert = crypto.load_certificate(crypto.FILETYPE_PEM, crt.read())
options = CertificateOptions(caCerts=[cert])
# letting the defaults go through, which should mean we don't trust this connection
d = functest_session(url=u"wss://localhost:6464/tls_ws",
realm=u"auth_realm")
timeout = sleep(5)
results = yield DeferredList([d, timeout],
fireOnOneCallback=True,
fireOnOneErrback=True)
# results in a 2-tuple: (result, index of Deferred that fired)
assert results[1] is 1, "shouldn't have connected successfully"
def test_client_close(crypto_crossbar, request, self_signed_cert, close_style):
"""
is sendClose() sufficient to actually-close underlying transport?
"""
(privkey, certfile) = self_signed_cert
# load our self-signed cert as the only certificate-authority
with open(certfile, 'r') as crt:
cert = crypto.load_certificate(crypto.FILETYPE_PEM, crt.read())
options = CertificateOptions(caCerts=[cert])
existing = Process().connections()
sessions = []
for x in range(10):
session = yield functest_session(
url=u"wss://localhost:6464/tls_ws",
realm=u"auth_realm",
ssl=options,
)
sessions.append(session)
yield sleep(1) # overkill? let sessions start for-sure
started = Process().connections()
assert len(started) - len(existing) == 10
for session in sessions:
assert session._transport is not None
if close_style == 'session.leave':
yield session.leave()
elif close_style == 'transport.close':
yield session._transport.close()
elif close_style == 'transport.sendClose':
session._transport.sendClose()
else:
raise RuntimeError("Unknown close_style from paramtrize")
yield sleep(1) # overkill, but make sure connections can close
finished = Process().connections()
assert len(finished) == len(existing)
def certificateOptionsFromPileOfPEM(pemdata):
objects = objectsFromPEM(pemdata)
if len(objects.keys) != 1:
raise ValueError("Expected 1 private key, found %d" %
tuple([len(objects.keys)]))
privateKey = objects.keys[0]
certificatesByFingerprint = dict([(certificate.getPublicKey().keyHash(),
certificate)
for certificate in objects.certificates])
if privateKey.keyHash() not in certificatesByFingerprint:
raise ValueError("No certificate matching %s found")
openSSLCert = certificatesByFingerprint.pop(privateKey.keyHash()).original
openSSLKey = privateKey.original
openSSLChain = [c.original for c in certificatesByFingerprint.values()]
return CertificateOptions(certificate=openSSLCert,
privateKey=openSSLKey,
extraCertChain=openSSLChain)
def start_ssl(self):
check_ssl_keys()
log.debug('Enabling SSL with PKey: %s, Cert: %s', self.pkey, self.cert)
with open(configmanager.get_config_dir(self.cert)) as cert:
certificate = Certificate.loadPEM(cert.read()).original
with open(configmanager.get_config_dir(self.pkey)) as pkey:
private_key = KeyPair.load(pkey.read(), FILETYPE_PEM).original
options = CertificateOptions(privateKey=private_key,
certificate=certificate,
method=SSL.SSLv23_METHOD)
ctx = options.getContext()
ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
ctx.use_certificate_chain_file(configmanager.get_config_dir(self.cert))
self.socket = reactor.listenSSL(self.port,
self.site,
options,
interface=self.interface)
ip = self.socket.getHost().host
ip = '[%s]' % ip if is_ipv6(ip) else ip
log.info('Serving at https://%s:%s%s', ip, self.port, self.base)
