All Downloads are FREE. Search and download functionalities are using the official Maven repository.

Lib._sslcerts.py Maven / Gradle / Ivy

Go to download

Jython is an implementation of the high-level, dynamic, object-oriented language Python written in 100% Pure Java, and seamlessly integrated with the Java platform. It thus allows you to run Python on any Java platform.

There is a newer version: 2.7.4
Show newest version
import logging
import sys
import uuid
from array import array
from contextlib import closing
from StringIO import StringIO

from java.io import BufferedInputStream, BufferedReader, FileReader, InputStreamReader, ByteArrayInputStream
from java.security import KeyStore, Security
from java.security.cert import CertificateException, CertificateFactory
from javax.net.ssl import (
    X509KeyManager, X509TrustManager, KeyManagerFactory, SSLContext, TrustManager, TrustManagerFactory)

try:
    # jarjar-ed version
    from org.python.bouncycastle.asn1.pkcs import PrivateKeyInfo
    from org.python.bouncycastle.cert import X509CertificateHolder
    from org.python.bouncycastle.cert.jcajce import JcaX509CertificateConverter
    from org.python.bouncycastle.jce.provider import BouncyCastleProvider
    from org.python.bouncycastle.openssl import PEMKeyPair, PEMParser
    from org.python.bouncycastle.openssl.jcajce import JcaPEMKeyConverter
except ImportError:
    # dev version from extlibs
    from org.bouncycastle.asn1.pkcs import PrivateKeyInfo
    from org.bouncycastle.cert import X509CertificateHolder
    from org.bouncycastle.cert.jcajce import JcaX509CertificateConverter
    from org.bouncycastle.jce.provider import BouncyCastleProvider
    from org.bouncycastle.openssl import PEMKeyPair, PEMParser
    from org.bouncycastle.openssl.jcajce import JcaPEMKeyConverter

log = logging.getLogger("ssl")


# FIXME what happens if reloaded?
Security.addProvider(BouncyCastleProvider())


# build the necessary certificate with a CertificateFactory; this can take the pem format:
# http://docs.oracle.com/javase/7/docs/api/java/security/cert/CertificateFactory.html#generateCertificate(java.io.InputStream)

# not certain if we can include a private key in the pem file; see 
# http://stackoverflow.com/questions/7216969/getting-rsa-private-key-from-pem-base64-encoded-private-key-file


# helpful advice for being able to manage ca_certs outside of Java's keystore
# specifically the example ReloadableX509TrustManager
# http://jcalcote.wordpress.com/2010/06/22/managing-a-dynamic-java-trust-store/

# in the case of http://docs.python.org/2/library/ssl.html#ssl.CERT_REQUIRED

# http://docs.python.org/2/library/ssl.html#ssl.CERT_NONE
# https://github.com/rackerlabs/romper/blob/master/romper/trust.py#L15
#
# it looks like CERT_OPTIONAL simply validates certificates if
# provided, probably something in checkServerTrusted - maybe a None
# arg? need to verify as usual with a real system... :)

# http://alesaudate.wordpress.com/2010/08/09/how-to-dynamically-select-a-certificate-alias-when-invoking-web-services/
# is somewhat relevant for managing the keyfile, certfile


def _get_ca_certs_trust_manager(ca_certs):
    trust_store = KeyStore.getInstance(KeyStore.getDefaultType())
    trust_store.load(None, None)
    num_certs_installed = 0
    with open(ca_certs) as f:
        cf = CertificateFactory.getInstance("X.509")
        for cert in cf.generateCertificates(BufferedInputStream(f)):
            trust_store.setCertificateEntry(str(uuid.uuid4()), cert)
            num_certs_installed += 1
    tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(trust_store)
    log.debug("Installed %s certificates", num_certs_installed, extra={"sock": "*"})
    return tmf


def _stringio_as_reader(s):
    return BufferedReader(InputStreamReader(ByteArrayInputStream(bytearray(s.getvalue()))))


def _extract_readers(cert_file):
    private_key = StringIO()
    certs = StringIO()
    output = certs
    with open(cert_file) as f:
        for line in f:
            if line.startswith("-----BEGIN PRIVATE KEY-----"):
                output = private_key
            output.write(line)
            if line.startswith("-----END PRIVATE KEY-----"):
                output = certs
    return _stringio_as_reader(private_key), _stringio_as_reader(certs)


def _get_openssl_key_manager(cert_file, key_file=None):
    paths = [key_file] if key_file else []
    paths.append(cert_file)

    # Go from Bouncy Castle API to Java's; a bit heavyweight for the Python dev ;)
    key_converter = JcaPEMKeyConverter().setProvider("BC")
    cert_converter = JcaX509CertificateConverter().setProvider("BC")

    private_key = None
    certs = []
    for path in paths:
        for br in _extract_readers(path):
            while True:
                obj = PEMParser(br).readObject()
                if obj is None:
                    break
                if isinstance(obj, PEMKeyPair):
                    private_key = key_converter.getKeyPair(obj).getPrivate()
                elif isinstance(obj, PrivateKeyInfo):
                    private_key = key_converter.getPrivateKey(obj)
                elif isinstance(obj, X509CertificateHolder):
                    certs.append(cert_converter.getCertificate(obj))

    assert private_key, "No private key loaded"
    key_store = KeyStore.getInstance(KeyStore.getDefaultType())
    key_store.load(None, None)
    key_store.setKeyEntry(str(uuid.uuid4()), private_key, [], certs)
    kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
    kmf.init(key_store, [])
    return kmf


def _get_ssl_context(keyfile, certfile, ca_certs):
    if certfile is None and ca_certs is None:
        log.debug("Using default SSL context", extra={"sock": "*"})
        return SSLContext.getDefault()
    else:
        log.debug("Setting up a specific SSL context for keyfile=%s, certfile=%s, ca_certs=%s",
                  keyfile, certfile, ca_certs, extra={"sock": "*"})
        if ca_certs:
            # should support composite usage below
            trust_managers = _get_ca_certs_trust_manager(ca_certs).getTrustManagers()
        else:
            trust_managers = None
        if certfile:
            key_managers = _get_openssl_key_manager(certfile, keyfile).getKeyManagers()
        else:
            key_managers = None

        # FIXME FIXME for performance, cache this lookup in the future
        # to avoid re-reading files on every lookup
        context = SSLContext.getInstance("SSL")
        context.init(key_managers, trust_managers, None)
        return context


# CompositeX509KeyManager and CompositeX509TrustManager allow for mixing together Java built-in managers
# with new managers to support Python ssl.
#
# See http://tersesystems.com/2014/01/13/fixing-the-most-dangerous-code-in-the-world/
# for a good description of this composite approach.
#
# Ported to Python from http://codyaray.com/2013/04/java-ssl-with-multiple-keystores
# which was inspired by http://stackoverflow.com/questions/1793979/registering-multiple-keystores-in-jvm

class CompositeX509KeyManager(X509KeyManager):
                                                   
    def __init__(self, key_managers):
        self.key_managers = key_managers

    def chooseClientAlias(self, key_type, issuers, socket):
        for key_manager in self.key_managers:
            alias = key_manager.chooseClientAlias(key_type, issuers, socket)
            if alias:
                return alias;
        return None

    def chooseServerAlias(self, key_type, issuers, socket):
        for key_manager in self.key_managers:
            alias = key_manager.chooseServerAlias(key_type, issuers, socket)
            if alias:
                return alias;
        return None
    
    def getPrivateKey(self, alias):
        for key_manager in self.key_managers:
            private_key = keyManager.getPrivateKey(alias)
            if private_key:
                return private_key
        return None

    def getCertificateChain(self, alias):
        for key_manager in self.key_managers:
            chain = key_manager.getCertificateChain(alias)
            if chain:
                return chain
        return None

    def getClientAliases(self, key_type, issuers):
        aliases = []
        for key_manager in self.key_managers:
            aliases.extend(key_manager.getClientAliases(key_type, issuers))
        if not aliases:
            return None
        else:
            return aliases

    def getServerAliases(self, key_type, issuers):
        aliases = []
        for key_manager in self.key_managers:
            aliases.extend(key_manager.getServerAliases(key_type, issuers))
        if not aliases:
            return None
        else:
            return aliases


class CompositeX509TrustManager(X509TrustManager):

    def __init__(self, trust_managers):
        self.trust_managers = trust_managers

    def checkClientTrusted(self, chain, auth_type):
        for trust_manager in self.trust_managers:
            try:
                trustManager.checkClientTrusted(chain, auth_type);
                return
            except CertificateException:
                pass
        raise CertificateException("None of the TrustManagers trust this certificate chain")

    def checkServerTrusted(self, chain, auth_type):
        for trust_manager in self.trust_managers:
            try:
                trustManager.checkServerTrusted(chain, auth_type);
                return
            except CertificateException:
                pass
        raise CertificateException("None of the TrustManagers trust this certificate chain")

    def getAcceptedIssuers(self):
        certs = []
        for trust_manager in self.trust_managers:
            certs.extend(trustManager.getAcceptedIssuers())
        return certs




© 2015 - 2024 Weber Informatics LLC | Privacy Policy