~certify-web-dev/twisted/certify-trunk

« back to all changes in this revision

Viewing changes to twisted/pb/crypto.py

• browse files at revision 10
• compare with another revision
• download diff
• download tarball
• view history from revision 10

Show diffs side-by-side

added

removed

twisted/pb/crypto.py

 

1

# -*- test-case-name: twisted.pb.test.test_crypto -*-

 

2

 

 

3

available = False # hack to deal with half-broken imports in python <2.4

 

4

 

 

5

from OpenSSL import SSL

 

6

import sslverify

 

7

from sslverify import DistinguishedName, KeyPair

 

8

peerFromTransport = sslverify.Certificate.peerFromTransport

 

9

from twisted.pb import base32

 

10

 

 

11

class MyOptions(sslverify.OpenSSLCertificateOptions):

 

12

    def _makeContext(self):

 

13

        ctx = sslverify.OpenSSLCertificateOptions._makeContext(self)

 

14

        def alwaysValidate(conn, cert, errno, depth, preverify_ok):

 

15

            # This function is called to validate the certificate received by

 

16

            # the other end. OpenSSL calls it multiple times, each time it

 

17

            # see something funny, to ask if it should proceed.

 

18

 

 

19

            # We do not care about certificate authorities or revocation

 

20

            # lists, we just want to know that the certificate has a valid

 

21

            # signature and follow the chain back to one which is

 

22

            # self-signed. The TubID will be the digest of one of these

 

23

            # certificates. We need to protect against forged signatures, but

 

24

            # not the usual SSL concerns about invalid CAs or revoked

 

25

            # certificates.

 

26

            

 

27

            # these constants are from openssl-0.9.7g/crypto/x509/x509_vfy.h

 

28

            # and do not appear to be exposed by pyopenssl. Ick. TODO. We

 

29

            # could just always return '1' here (ignoring all errors), but I

 

30

            # think that would ignore forged signatures too, which would

 

31

            # obviously be a security hole.

 

32

            things_are_ok = (0,  # X509_V_OK

 

33

                             18, # X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT

 

34

                             19, # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN

 

35

                             )

 

36

            if errno in things_are_ok:

 

37

                return 1

 

38

            return 0

 

39

 

 

40

        # VERIFY_PEER means we ask the the other end for their certificate.

 

41

        # not adding VERIFY_FAIL_IF_NO_PEER_CERT means it's ok if they don't

 

42

        # give us one (i.e. if an anonymous client connects to an

 

43

        # authenticated server). I don't know what VERIFY_CLIENT_ONCE does.

 

44

        ctx.set_verify(SSL.VERIFY_PEER |

 

45

                       #SSL.VERIFY_FAIL_IF_NO_PEER_CERT |

 

46

                       SSL.VERIFY_CLIENT_ONCE,

 

47

                       alwaysValidate)

 

48

        return ctx

 

49

 

 

50

def digest32(colondigest):

 

51

    digest = "".join([chr(int(c,16)) for c in colondigest.split(":")])

 

52

    digest = base32.encode(digest)

 

53

    return digest

 

54

 

 

55

available = True

• Older »

Loggerhead is a web-based interface for Breezy
Version: 2.0.1