1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
|
import logging
import uuid
import re
from StringIO import StringIO
import types
from java.lang import RuntimeException, System
from java.io import BufferedInputStream, BufferedReader, FileReader, InputStreamReader, ByteArrayInputStream, IOException
from java.security import KeyStore, Security, InvalidAlgorithmParameterException
from java.security.cert import CertificateException, CertificateFactory
from java.security.interfaces import RSAPrivateCrtKey
from java.security.interfaces import RSAPublicKey
from javax.net.ssl import X509KeyManager, X509TrustManager, KeyManagerFactory, SSLContext
try:
# jarjar-ed version
from org.python.netty.handler.ssl.util import SimpleTrustManagerFactory
except ImportError:
# dev version from extlibs
from io.netty.handler.ssl.util import SimpleTrustManagerFactory
try:
# dev version from extlibs OR if in classpath.
#
# Assumes BC's API is sufficiently stable, but this assumption
# seems safe based on our experience using BC.
#
# This change in import ordering - compared to similar conditional
# imports - is to workaround the problem in
# http://bugs.jython.org/issue2469, due to the fact that jarjar-ed
# jars - like other shading - lose their signatures. For most jars
# this is not an issue, and we have been removing signature files
# since 2.7.0. But in this specific case, removing signatures then
# causes conflicts with Java's security provider model, because it
# requires signing.
from org.bouncycastle.asn1.pkcs import PrivateKeyInfo
from org.bouncycastle.cert import X509CertificateHolder
from org.bouncycastle.cert.jcajce import JcaX509CertificateConverter
from org.bouncycastle.jce.provider import BouncyCastleProvider
from org.bouncycastle.jce import ECNamedCurveTable
from org.bouncycastle.jce.spec import ECNamedCurveSpec
from org.bouncycastle.openssl import PEMKeyPair, PEMParser, PEMEncryptedKeyPair, \
PEMException, EncryptionException
from org.bouncycastle.openssl.jcajce import JcaPEMKeyConverter, JcePEMDecryptorProviderBuilder
from org.bouncycastle.util.encoders import DecoderException
except ImportError:
# jarjar-ed version
from org.python.bouncycastle.asn1.pkcs import PrivateKeyInfo
from org.python.bouncycastle.cert import X509CertificateHolder
from org.python.bouncycastle.cert.jcajce import JcaX509CertificateConverter
from org.python.bouncycastle.jce.provider import BouncyCastleProvider
from org.python.bouncycastle.jce import ECNamedCurveTable
from org.python.bouncycastle.jce.spec import ECNamedCurveSpec
from org.python.bouncycastle.openssl import PEMKeyPair, PEMParser, PEMEncryptedKeyPair, \
PEMException, EncryptionException
from org.python.bouncycastle.openssl.jcajce import JcaPEMKeyConverter, JcePEMDecryptorProviderBuilder
from org.python.bouncycastle.util.encoders import DecoderException
log = logging.getLogger("_socket")
Security.addProvider(BouncyCastleProvider())
RE_BEGIN_KEY_CERT = re.compile(r'^-----BEGIN.*(PRIVATE KEY|CERTIFICATE)-----$')
def _get_ca_certs_trust_manager(ca_certs=None):
trust_store = KeyStore.getInstance(KeyStore.getDefaultType())
trust_store.load(None, None)
num_certs_installed = 0
if ca_certs is not None:
with open(ca_certs) as f:
cf = CertificateFactory.getInstance("X.509")
for cert in cf.generateCertificates(BufferedInputStream(f)):
trust_store.setCertificateEntry(str(uuid.uuid4()), cert)
num_certs_installed += 1
tmf = SimpleTrustManagerFactory.getInstance(SimpleTrustManagerFactory.getDefaultAlgorithm())
tmf.init(trust_store)
log.debug("Installed %s certificates", num_certs_installed, extra={"sock": "*"})
return tmf
def _stringio_as_reader(s):
return BufferedReader(InputStreamReader(ByteArrayInputStream(bytearray(s.getvalue()))))
def _extract_readers(f):
string_ios = []
output = StringIO()
key_cert_start_line_found = False
for line in f:
if RE_BEGIN_KEY_CERT.match(line):
key_cert_start_line_found = True
if output.getvalue():
string_ios.append(output)
output = StringIO()
output.write(line)
if output.getvalue():
string_ios.append(output)
if not key_cert_start_line_found:
from _socket import SSLError, SSL_ERROR_SSL
raise SSLError(SSL_ERROR_SSL, "PEM lib (no start line or not enough data)")
return [_stringio_as_reader(sio) for sio in string_ios]
def _get_openssl_key_manager(cert_file=None, key_file=None, password=None, _key_store=None):
certs, private_key = [], None
if _key_store is None:
_key_store = KeyStore.getInstance(KeyStore.getDefaultType())
_key_store.load(None, None)
if key_file is not None:
certs, private_key = _extract_certs_for_paths([key_file], password)
if private_key is None:
from _socket import SSLError, SSL_ERROR_SSL
raise SSLError(SSL_ERROR_SSL, "PEM lib (No private key loaded)")
if cert_file is not None:
_certs, _private_key = _extract_certs_for_paths([cert_file], password)
private_key = _private_key if _private_key else private_key
certs.extend(_certs)
if not private_key:
from _socket import SSLError, SSL_ERROR_SSL
raise SSLError(SSL_ERROR_SSL, "PEM lib (No private key loaded)")
keys_match, validateable_keys_found = False, False
for cert in certs:
# TODO works for RSA only for now
if isinstance(cert.publicKey, RSAPublicKey) and isinstance(private_key, RSAPrivateCrtKey):
validateable_keys_found = True
if validateable_keys_found:
if cert.publicKey.getModulus() == private_key.getModulus() \
and cert.publicKey.getPublicExponent() == private_key.getPublicExponent():
keys_match = True
break
if key_file is not None and validateable_keys_found and not keys_match:
from _socket import SSLError, SSL_ERROR_SSL
raise SSLError(SSL_ERROR_SSL, "key values mismatch")
_key_store.setKeyEntry(_str_hash_key_entry(private_key, *certs), private_key, [], certs)
kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
kmf.init(_key_store, [])
return kmf
def _str_hash_key_entry(*args):
"""Very naiive"""
_hash = 0
for arg in args:
if arg:
_hash += hash(arg.toString().encode('utf8'))
return str(_hash)
def _parse_password(password):
is_password_func = False
if isinstance(password, (types.FunctionType, types.MethodType)) or hasattr(password, '__call__'):
password = password()
is_password_func = True
if password is None:
password = []
elif isinstance(password, (str, bytearray)):
password = str(password)
if len(password) >= 102400: # simulate openssl PEM_BUFSIZE limit error
raise ValueError("PEM lib (password cannot be longer than 102400 -1)")
else:
if is_password_func:
raise TypeError("PEM lib (must return a string")
else:
raise TypeError("PEM lib (password should be a string)")
return password
def _extract_certs_from_keystore_file(f, password):
keystore = KeyStore.getInstance(KeyStore.getDefaultType())
if password is None:
password = System.getProperty('javax.net.ssl.trustStorePassword')
if password is None: # default java keystore password is changeit
password = 'changeit'
elif not isinstance(password, str):
password = []
keystore.load(BufferedInputStream(f), password)
certs = []
alias_iter = keystore.aliases()
while alias_iter.hasMoreElements():
alias = alias_iter.nextElement()
certs.append(keystore.getCertificate(alias))
return certs
def _extract_certs_for_paths(paths, password=None):
# Go from Bouncy Castle API to Java's; a bit heavyweight for the Python dev ;)
key_converter = JcaPEMKeyConverter().setProvider("BC")
cert_converter = JcaX509CertificateConverter().setProvider("BC")
certs = []
private_key = None
for path in paths:
err = None
with open(path) as f:
# try to load the file as keystore file first
try:
_certs = _extract_certs_from_keystore_file(f, password)
certs.extend(_certs)
except IOException as err:
pass # reported as 'Invalid keystore format'
if err is not None: # try loading pem version instead
with open(path) as f:
_certs, _private_key = _extract_cert_from_data(f, password, key_converter, cert_converter)
private_key = _private_key if _private_key else private_key
certs.extend(_certs)
return certs, private_key
def _extract_cert_from_data(f, password=None, key_converter=None, cert_converter=None):
certs = []
private_key = None
if isinstance(f, unicode):
f = StringIO(str(f))
elif isinstance(f, str):
f = StringIO(f)
if not hasattr(f, 'seek'):
raise TypeError("PEM lib (data must be a file like object, string or bytes")
if _is_cert_pem(f):
certs, private_key = _read_pem_cert_from_data(f, password, key_converter, cert_converter)
else:
cf = CertificateFactory.getInstance("X.509")
certs = list(cf.generateCertificates(ByteArrayInputStream(f.read())))
return certs, private_key
def _read_pem_cert_from_data(f, password, key_converter, cert_converter):
def PEM_SSLError(err): # Shorthand
from _socket import SSLError, SSL_ERROR_SSL
return SSLError(SSL_ERROR_SSL, "PEM lib ({})".format(err))
certs = []
private_key = None
if key_converter is None:
key_converter = JcaPEMKeyConverter().setProvider("BC")
if cert_converter is None:
cert_converter = JcaX509CertificateConverter().setProvider("BC")
for br in _extract_readers(f):
while True:
try:
obj = PEMParser(br).readObject()
except PEMException as err:
raise PEM_SSLError(err)
except DecoderException as err:
raise PEM_SSLError(err)
if obj is None:
break
if isinstance(obj, PEMKeyPair):
private_key = key_converter.getKeyPair(obj).getPrivate()
elif isinstance(obj, PrivateKeyInfo):
private_key = key_converter.getPrivateKey(obj)
elif isinstance(obj, X509CertificateHolder):
certs.append(cert_converter.getCertificate(obj))
elif isinstance(obj, PEMEncryptedKeyPair):
provider = JcePEMDecryptorProviderBuilder().build(_parse_password(password))
try:
key_pair = key_converter.getKeyPair(obj.decryptKeyPair(provider))
except EncryptionException as err:
raise PEM_SSLError(err)
private_key = key_pair.getPrivate()
else:
raise NotImplementedError("Jython does not implement PEM object {!r}".format(obj))
return certs, private_key
def _is_cert_pem(f):
try:
# check if the data is string specifically to support DER certs
f.read().decode('ascii')
return True
except UnicodeDecodeError:
return False
finally:
f.seek(0)
assert "Should not reach here"
def _get_ecdh_parameter_spec(curve_name):
if not isinstance(curve_name, str):
raise TypeError("curve_name must be string/bytes")
spec_param = ECNamedCurveTable.getParameterSpec(curve_name)
if spec_param is None:
raise ValueError("unknown elliptic curve name {}".format(curve_name))
return ECNamedCurveSpec(spec_param.getName(), spec_param.getCurve(), spec_param.getG(), spec_param.getN(),
spec_param.getH(), spec_param.getSeed())
# CompositeX509KeyManager and CompositeX509TrustManager allow for mixing together Java built-in managers
# with new managers to support Python ssl.
#
# See http://tersesystems.com/2014/01/13/fixing-the-most-dangerous-code-in-the-world/
# for a good description of this composite approach.
#
# Ported to Python from http://codyaray.com/2013/04/java-ssl-with-multiple-keystores
# which was inspired by http://stackoverflow.com/questions/1793979/registering-multiple-keystores-in-jvm
class CompositeX509KeyManager(X509KeyManager):
def __init__(self, key_managers):
self.key_managers = key_managers
def chooseClientAlias(self, key_type, issuers, socket):
for key_manager in self.key_managers:
alias = key_manager.chooseClientAlias(key_type, issuers, socket)
if alias:
return alias;
return None
def chooseServerAlias(self, key_type, issuers, socket):
for key_manager in self.key_managers:
alias = key_manager.chooseServerAlias(key_type, issuers, socket)
if alias:
return alias;
return None
def getPrivateKey(self, alias):
for key_manager in self.key_managers:
private_key = key_manager.getPrivateKey(alias)
if private_key:
return private_key
return None
def getCertificateChain(self, alias):
for key_manager in self.key_managers:
chain = key_manager.getCertificateChain(alias)
if chain:
return chain
return None
def getClientAliases(self, key_type, issuers):
aliases = []
for key_manager in self.key_managers:
aliases.extend(key_manager.getClientAliases(key_type, issuers))
if not aliases:
return None
else:
return aliases
def getServerAliases(self, key_type, issuers):
aliases = []
for key_manager in self.key_managers:
aliases.extend(key_manager.getServerAliases(key_type, issuers))
if not aliases:
return None
else:
return aliases
class CompositeX509TrustManager(X509TrustManager):
def __init__(self, trust_managers):
self.trust_managers = trust_managers
def checkClientTrusted(self, chain, auth_type):
for trust_manager in self.trust_managers:
try:
trust_manager.checkClientTrusted(chain, auth_type)
return
except CertificateException:
continue
except RuntimeException as err:
# special-case to raise proper CertificateException ;)
if isinstance(err.getCause(), InvalidAlgorithmParameterException):
if err.getCause().getMessage() == u'the trustAnchors parameter must be non-empty':
continue
raise
raise CertificateException("certificate verify failed")
def checkServerTrusted(self, chain, auth_type):
for trust_manager in self.trust_managers:
try:
trust_manager.checkServerTrusted(chain, auth_type)
return
except CertificateException:
continue
except RuntimeException as err:
# special-case to raise proper CertificateException ;)
if isinstance(err.getCause(), InvalidAlgorithmParameterException):
if err.getCause().getMessage() == u'the trustAnchors parameter must be non-empty':
continue
raise
raise CertificateException("certificate verify failed")
def getAcceptedIssuers(self):
certs = []
for trust_manager in self.trust_managers:
certs.extend(trust_manager.getAcceptedIssuers())
return certs
class CompositeX509TrustManagerFactory(SimpleTrustManagerFactory):
def __init__(self, trust_managers):
self._trust_manager = CompositeX509TrustManager(trust_managers)
def engineInit(self, arg):
pass
def engineGetTrustManagers(self):
return [self._trust_manager]
|
