Changeset 6835 for TI12-security/branches/MyProxyClient-pyopenssl/myproxy/client.py

Timestamp:

21/04/10 15:04:59 (11 years ago)

Author:

pjkersha

Message:

Completed port to PyOpenSSL from M2Crypto with all unit tests passed. Merge back into the main trunk as next step.

File:

• TI12-security/branches/MyProxyClient-pyopenssl/myproxy/client.py (modified) (11 diffs)

TI12-security/branches/MyProxyClient-pyopenssl/myproxy/client.py

@@ -26 +26 @@
 import os
 import socket
-from M2Crypto import X509, RSA, EVP, m2, BIO, SSL, util
 import base64
+import traceback
+from cStringIO import StringIO
 from ConfigParser import SafeConfigParser
+
+from OpenSSL import crypto, SSL
 
 from myproxy.utils.openssl import OpenSSLConfig, OpenSSLConfigError
@@ -43 +46 @@
 
 
-class _HostCheck(SSL.Checker.Checker):
-    """Override SSL.Checker.Checker to allow additional check of MyProxy 
-    server identity.  If hostname doesn't match, allow match of host's  
-    Distinguished Name against MYPROXY_SERVER_DN setting"""
-
-    def __init__(self, 
-                 myProxyServerDN=os.environ.get('MYPROXY_SERVER_DN'),
-                 cnHostPfx='host/',
-                 **kw):
-        """Override parent class __init__ to enable setting of myProxyServerDN
-        setting
-        
-        @type myProxyServerDN: string
-        @param myProxyServerDN: Set the expected Distinguished Name of the
-        MyProxy server to avoid errors matching hostnames.  This is useful
-        where the hostname is not fully qualified
-        
-        @type cnHostPfx: string
-        @param cnHostPfx: globus host certificates are 
-        generated by default with a 'host/' prefix to the host name.  Set
-        this keyword to '' or None to override and omit the prefix"""
-        
-        SSL.Checker.Checker.__init__(self, **kw)
-        
-        self.myProxyServerDN = myProxyServerDN
-        self.cnHostPfx = cnHostPfx
-        
-        
-    def __call__(self, peerCert, host=None):
-        """Carry out checks on server ID
-        @type peerCert: basestring
-        @param peerCert: MyProxy server host certificate as M2Crypto.X509.X509
-        instance
-        @type host: basestring
-        @param host: name of host to check
-        """
-        
-        # Globus host certificate has a "host/" prefix - see explanation in
-        # __init__.__doc__
-        cnHostPfx = isinstance(self.cnHostPfx, basestring) \
-                    and self.cnHostPfx or ''
-        host = None or cnHostPfx + self.host
-        
-        try:
-            SSL.Checker.Checker.__call__(self, peerCert, host=host)
-            
-        except SSL.Checker.WrongHost, e:
-            # Try match against DN set from MYPROXY_SERVER_DN / config
-            # file setting
-            peerCertDN = '/'+peerCert.get_subject().as_text().replace(', ','/')
-            
-            # If they match drop the exception and return all OK instead
-            if peerCertDN != self.myProxyServerDN:
-                raise
-            
-        return True
+#class _HostCheck(SSL.Checker.Checker):
+#    """Override SSL.Checker.Checker to allow additional check of MyProxy 
+#    server identity.  If hostname doesn't match, allow match of host's  
+#    Distinguished Name against MYPROXY_SERVER_DN setting"""
+#
+#    def __init__(self, 
+#                 myProxyServerDN=os.environ.get('MYPROXY_SERVER_DN'),
+#                 cnHostPfx='host/',
+#                 **kw):
+#        """Override parent class __init__ to enable setting of myProxyServerDN
+#        setting
+#        
+#        @type myProxyServerDN: string
+#        @param myProxyServerDN: Set the expected Distinguished Name of the
+#        MyProxy server to avoid errors matching hostnames.  This is useful
+#        where the hostname is not fully qualified
+#        
+#        @type cnHostPfx: string
+#        @param cnHostPfx: globus host certificates are 
+#        generated by default with a 'host/' prefix to the host name.  Set
+#        this keyword to '' or None to override and omit the prefix"""
+#        
+#        SSL.Checker.Checker.__init__(self, **kw)
+#        
+#        self.myProxyServerDN = myProxyServerDN
+#        self.cnHostPfx = cnHostPfx
+#        
+#        
+#    def __call__(self, peerCert, host=None):
+#        """Carry out checks on server ID
+#        @type peerCert: basestring
+#        @param peerCert: MyProxy server host certificate as M2Crypto.X509.X509
+#        instance
+#        @type host: basestring
+#        @param host: name of host to check
+#        """
+#        
+#        # Globus host certificate has a "host/" prefix - see explanation in
+#        # __init__.__doc__
+#        cnHostPfx = isinstance(self.cnHostPfx, basestring) \
+#                    and self.cnHostPfx or ''
+#        host = None or cnHostPfx + self.host
+#        
+#        try:
+#            SSL.Checker.Checker.__call__(self, peerCert, host=host)
+#            
+#        except SSL.Checker.WrongHost, e:
+#            # Try match against DN set from MYPROXY_SERVER_DN / config
+#            # file setting
+#            peerCertDN = '/'+peerCert.get_subject().as_text().replace(', ','/')
+#            
+#            # If they match drop the exception and return all OK instead
+#            if peerCertDN != self.myProxyServerDN:
+#                raise
+#            
+#        return True
     
     
@@ -503 +506 @@
         not needed in the case of a proxy private key
         """
-
         # Must be version 3 for MyProxy
-        context = SSL.Context(protocol='sslv3')
-
+        context = SSL.Context(SSL.SSLv3_METHOD)
+        
         if self.caCertFilePath or self.caCertDir:
-            context.load_verify_locations(cafile=self.caCertFilePath,
-                                          capath=self.caCertDir)
-                            
-            # Stop if peer's certificate can't be verified
-            context.set_allow_unknown_ca(False)
-        else:
-            context.set_allow_unknown_ca(True)
+            context.load_verify_locations(self.caCertFilePath, self.caCertDir)
             
         if ownerCertFile:
             try:
-                context.load_cert_chain(ownerCertFile,
-                                    keyfile=ownerKeyFile,
-                                    callback=lambda *ar, **kw: ownerPassphrase)
-            except Exception, e:
+#                context.use_certificate_file(ownerCertFile)
+                context.use_certificate_chain_file(ownerCertFile)
+                def pwdCallback(passphraseMaxLen, 
+                                promptPassphraseTwice,
+                                passphrase):
+                    if passphrase is None:
+                        return True
+                    else:
+                        if len(passphrase) > passphraseMaxLen:
+                            log.error('Passphrase length %d is greater than '
+                                      'the maximum length allowed %d',
+                                      len(passphrase), passphraseMaxLen)
+                            return ''
+                        return passphrase
+                    
+                context.set_passwd_cb(pwdCallback, ownerPassphrase)
+                context.use_privatekey_file(ownerKeyFile)
+            except Exception:
                 raise MyProxyClientConfigError("Loading certificate "
                                                "and private key for SSL "
                                                "connection [also check CA "
-                                               "certificate settings]: %s" % e) 
-            
-            # Verify peer's certificate
-            context.set_verify(SSL.verify_peer, 1) 
+                                               "certificate settings]: %s" % 
+                                               traceback.format_exc()) 
+            
+        # Verify peer's certificate
+        def callback(connection, x509Cert, *arg, **kw):
+            return True
+        
+        context.set_verify(SSL.VERIFY_PEER, callback) 
         
            
@@ -534 +548 @@
         # globus doesn't handle this case, apparently, and instead
         # chokes in proxy delegation code
-        context.set_options(m2.SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
+        context.set_options(SSL.OP_DONT_INSERT_EMPTY_FRAGMENTS)
         
         # connect to myproxy server
-        conn = SSL.Connection(context, sock=socket.socket())
+        conn = SSL.Connection(context, socket.socket())
         
         # Check server host identity - if host doesn't match use explicit
         # 'serverDN' 
         # host/<hostname> one
-        hostCheck = _HostCheck(host=self.hostname,
-                               myProxyServerDN=self.serverDN,
-                               cnHostPfx=self.serverCNPrefix)
-        conn.set_post_connection_check_callback(hostCheck)
+#        hostCheck = _HostCheck(host=self.hostname,
+#                               myProxyServerDN=self.serverDN,
+#                               cnHostPfx=self.serverCNPrefix)
+#        conn.set_post_connection_check_callback(hostCheck)
         
         return conn
         
-    def _createKeys(self, nBitsForKey=PRIKEY_NBITS):
+    def _createKeyPair(self, nBitsForKey=PRIKEY_NBITS):
         """Generate key pair and return as PEM encoded string
         @type nBitsForKey: int
@@ -557 +571 @@
         @return: public/private key pair
         """
-        keyPair = RSA.gen_key(nBitsForKey, 65537L,#m2.RSA_F4, 
-                              callback=lambda *arg, **kw: None)
+        keyPair = crypto.PKey()
+        keyPair.generate_key(crypto.TYPE_RSA, nBitsForKey)
         
         return keyPair
@@ -578 +592 @@
         # Check all required certifcate request DN parameters are set                
         # Create certificate request
-        req = X509.Request()
+        certReq = crypto.X509Req()
         
         # Create public key object
-        pubKey = EVP.PKey()
-        pubKey.assign_rsa(keyPair)
+        certReq.set_pubkey(keyPair)
         
         # Add the public key to the request
-        req.set_version(0)
-        req.set_pubkey(pubKey)
-        
-        defaultReqDN = self._openSSLConfig.reqDN
-             
-        # Set DN
-        x509Name = X509.X509_Name()
-        x509Name.CN = CN
-        
-        if defaultReqDN:
-            x509Name.OU = defaultReqDN['OU']
-            x509Name.O = defaultReqDN['O']
-                        
-        req.set_subject_name(x509Name)
-        req.sign(pubKey, messageDigest)
-
-        return req.as_der()
+        certReq.sign(keyPair, messageDigest)
+        
+        derCertReq = crypto.dump_certificate_request(crypto.FILETYPE_ASN1, 
+                                                     certReq)
+
+        return derCertReq
     
     def _deserializeResponse(self, msg, *fieldNames):
@@ -648 +650 @@
         
         @return list containing the equivalent to the input in PEM format"""
-        pemCerts = []        
+        pemCerts = []
         dat = inputDat
         
-        while dat:    
+        while dat:
             # find start of cert, get length        
             ind = dat.find('\x30\x82')
@@ -661 +663 @@
             # extract der-format cert, and convert to pem
             derCert = dat[ind:ind+len+4]
-            
-            x509 = X509.load_cert_der_string(derCert)
-            pemCert = x509.as_pem()
-            
+            x509Cert = crypto.load_certificate(crypto.FILETYPE_ASN1, derCert)
+            pemCert = crypto.dump_certificate(crypto.FILETYPE_PEM, x509Cert)        
             pemCerts.append(pemCert)
     
@@ -1009 +1009 @@
         
         # Send certificate and private key
-        certTxt = X509.load_cert(certFile).as_pem()
+        certTxt = open(certFile).read()
         keyTxt = open(keyFile).read()
         
@@ -1051 +1051 @@
             # If no key pair was passed, generate here
             if keyPair is None:
-                keyPair = self._createKeys(nBitsForKey=nBitsForKey)
+                keyPair = self._createKeyPair(nBitsForKey=nBitsForKey)
                 
             certReq = self._createCertReq(username, keyPair)
 
         if keyPair is not None: 
-            pemKeyPair = keyPair.as_pem(cipher=None, 
-                                        callback=util.no_passphrase_callback)
+            pemKeyPair = crypto.dump_privatekey(crypto.FILETYPE_PEM, keyPair)
         
         # Set-up SSL connection
@@ -1147 +1146 @@
             for tries in range(MyProxyClient.MAX_RECV_TRIES):
                 dat += conn.recv(MyProxyClient.SERVER_RESP_BLK_SIZE)
-        except SSL.SSLError:
+        except SSL.SysCallError:
             # Expect this exception when response content exhausted
             pass