[CalendarServer-changes] [15213] PySecureTransport/trunk
source_changes at macosforge.org
source_changes at macosforge.org
Thu Oct 22 14:58:28 PDT 2015
Revision: 15213
http://trac.calendarserver.org//changeset/15213
Author: cdaboo at apple.com
Date: 2015-10-22 14:58:28 -0700 (Thu, 22 Oct 2015)
Log Message:
-----------
Add certificate/keychain identity import features. Add tests and update documentation.
Modified Paths:
--------------
PySecureTransport/trunk/OpenSSL/SSL.py
PySecureTransport/trunk/OpenSSL/__init__.py
PySecureTransport/trunk/OpenSSL/crypto.py
PySecureTransport/trunk/README
Added Paths:
-----------
PySecureTransport/trunk/OpenSSL/test/
PySecureTransport/trunk/OpenSSL/test/__init__.py
PySecureTransport/trunk/OpenSSL/test/data/
PySecureTransport/trunk/OpenSSL/test/data/server.pem
PySecureTransport/trunk/OpenSSL/test/test_crypto.py
Modified: PySecureTransport/trunk/OpenSSL/SSL.py
===================================================================
--- PySecureTransport/trunk/OpenSSL/SSL.py 2015-10-22 21:49:54 UTC (rev 15212)
+++ PySecureTransport/trunk/OpenSSL/SSL.py 2015-10-22 21:58:28 UTC (rev 15213)
@@ -23,7 +23,7 @@
from osx._corefoundation import ffi, lib as security
from osx.corefoundation import CFArrayRef
-from OpenSSL.crypto import _getIdentityCertificate
+from OpenSSL.crypto import load_certificate, load_privatekey, load_keychain_identity, FILETYPE_PEM
class Error(Exception):
@@ -91,6 +91,8 @@
@type method: L{int}
"""
self.method = method
+ self.certificate = None
+ self.pkey = None
self.identity = None
self.options = set()
@@ -110,11 +112,14 @@
Certificate file to use - for SecureTransport we actually treat the file name as the certificate name
to lookup in the KeyChain. Set it only if an identity has not already been set.
- @param certificateFileName: subject name of the certificate to use
+ @param certificateFileName: name of the certificate file to use
@type certificateFileName: L{str}
"""
if self.identity is None and certificateFileName:
- self.identity = _getIdentityCertificate(certificateFileName)
+ with open(certificateFileName) as f:
+ data = f.read()
+ self.certificate = load_certificate(FILETYPE_PEM, data)
+ raise NotImplementedError("SecureTransport cannot use cert files directly. Put them in the keychain.")
def use_privatekey_file(self, privateKeyFileName):
@@ -122,17 +127,25 @@
Private key file to use - for SecureTransport we actually treat the file name as the certificate name
to lookup in the KeyChain. Set it only if an identity has not already been set.
- @param certificateFileName: subject name of the certificate to use
- @type certificateFileName: L{str}
+ @param privateKeyFileName: name of the private key file to use
+ @type privateKeyFileName: L{str}
"""
if self.identity is None and privateKeyFileName:
- self.identity = _getIdentityCertificate(privateKeyFileName)
+ with open(privateKeyFileName) as f:
+ data = f.read()
+ self.pkey = load_privatekey(FILETYPE_PEM, data)
+ raise NotImplementedError("SecureTransport cannot use of pkey files directly. Put them in the keychain.")
def use_certificate_chain_file(self, certfile):
pass
+ def use_keychain_identity(self, identity):
+ if self.identity is None and identity:
+ self.identity = load_keychain_identity(identity)
+
+
def set_passwd_cb(self, callback, userdata=None):
pass
@@ -365,7 +378,7 @@
self.shutdown()
raise Error("No certificate")
- # Add the crtificate
+ # Add the certificate
if self.context.identity is not None:
certs = CFArrayRef.fromList([self.context.identity])
err = security.SSLSetCertificate(self.ctx, certs.ref())
Modified: PySecureTransport/trunk/OpenSSL/__init__.py
===================================================================
--- PySecureTransport/trunk/OpenSSL/__init__.py 2015-10-22 21:49:54 UTC (rev 15212)
+++ PySecureTransport/trunk/OpenSSL/__init__.py 2015-10-22 21:58:28 UTC (rev 15213)
@@ -17,6 +17,8 @@
from OpenSSL import crypto, SSL
from OpenSSL.version import __version__
+__SecureTransport__ = True
+
__all__ = [
'crypto', 'SSL', '__version__'
]
Modified: PySecureTransport/trunk/OpenSSL/crypto.py
===================================================================
--- PySecureTransport/trunk/OpenSSL/crypto.py 2015-10-22 21:49:54 UTC (rev 15212)
+++ PySecureTransport/trunk/OpenSSL/crypto.py 2015-10-22 21:58:28 UTC (rev 15213)
@@ -20,7 +20,7 @@
from osx._corefoundation import ffi, lib as security
from osx.corefoundation import CFDictionaryRef, CFStringRef, CFArrayRef, \
- CFBooleanRef, CFObjectRef, CFErrorRef
+ CFBooleanRef, CFObjectRef, CFErrorRef, CFDataRef
userIDOID = "0.9.2342.19200300.100.1.1"
@@ -50,6 +50,16 @@
+class PKey(object):
+ """
+ Equivalent of an pyOpenSSL OpenSSL.crypto.PKey object, with many methods unimplemented.
+ """
+
+ def __init__(self, pkey=None):
+ self._pkey = pkey
+
+
+
class X509Name(object):
"""
Equivalent of an pyOpenSSL OpenSSL.crypto.X509Name object.
@@ -70,7 +80,7 @@
"""
def __init__(self, certificate=None):
- self.certificate = certificate
+ self._x509 = certificate
def set_version(self, version):
@@ -164,7 +174,7 @@
"""
keys = CFArrayRef.fromList([CFStringRef.fromRef(security.kSecOIDX509V1SubjectName)])
error = ffi.new("CFErrorRef *")
- values = security.SecCertificateCopyValues(self.certificate.ref(), keys.ref(), error)
+ values = security.SecCertificateCopyValues(self._x509.ref(), keys.ref(), error)
if values == ffi.NULL:
error = CFErrorRef(error[0])
raise Error("Unable to get certificate subject")
@@ -202,29 +212,104 @@
def load_certificate(certtype, buffer):
"""
- Load a certificate with the supplied identity string.
+ Load a certificate with the supplied type and data. If the type is
+ L{None} then assume the data is the name of a Keychain identity,
+ otherwise assume it is data of the specified type.
+ @param certtype: certificate data type or L{None} to read from Keychain
+ @type certtype: L{int}
+ @param buffer: certificate data or name of the KeyChain item to lookup
+ @type buffer: L{str}
+
+ @return: the certificate
+ @rtype: L{X509}
+ """
+
+ if certtype is None:
+ return _load_keychain_item(buffer)
+ else:
+ return X509(_load_certificate_data(certtype, buffer, security.SecCertificateGetTypeID()))
+
+
+
+def load_privatekey(certtype, buffer, passphrase=None):
+ """
+ Load a private key with the supplied type and data. If the type is
+ L{None} then assume the data is the name of a Keychain identity,
+ otherwise assume it is data of the specified type.
+
+ @param certtype: certificate data type or L{None} to read from Keychain
+ @type certtype: L{int}
+ @param buffer: certificate data or name of the KeyChain item to lookup
+ @type buffer: L{str}
+
+ @return: the certificate
+ @rtype: L{X509}
+ """
+
+ if certtype is None:
+ return _load_keychain_item(buffer)
+ else:
+ return PKey(_load_certificate_data(certtype, buffer, security.SecKeyGetTypeID()))
+
+
+
+def _load_certificate_data(certtype, buffer, result_typeid):
+ """
+ Load a certificate with the supplied type and data.
+
@param certtype: ignored
@type certtype: -
@param buffer: name of the KeyChain item to lookup
@type buffer: L{str}
+ @param result_typeid: The type to return (certificate or key)
+ @type result_typeid: L{ffi.CFTypeID}
@return: the certificate
@rtype: L{X509}
"""
# First try to get the identity from the KeyChain
- name = CFStringRef.fromString(buffer)
+ data = CFDataRef.fromString(buffer)
+ results = ffi.new("CFArrayRef *")
+ err = security.SecItemImport(data.ref(), ffi.NULL, ffi.NULL, ffi.NULL, 0, ffi.NULL, ffi.NULL, results)
+ if err != 0:
+ raise Error("Could not load certificate data")
+
+ results = CFArrayRef(results[0]).toList()
+
+ # Try to find a SecCertificateRef
+ for result in results:
+ if result.instanceTypeId() == result_typeid:
+ return result
+ else:
+ raise Error("No certificate in data")
+
+
+
+def _load_keychain_item(identifier):
+ """
+ Load a certificate with the supplied identity string.
+
+ @param identifier: name of the KeyChain item to lookup
+ @type identifier: L{str}
+
+ @return: the certificate
+ @rtype: L{X509}
+ """
+
+ # First try to get the identity from the KeyChain
+ name = CFStringRef.fromString(identifier)
certificate = security.SecCertificateCopyPreferred(name.ref(), ffi.NULL)
if certificate == ffi.NULL:
try:
- identity = _getIdentityCertificate(buffer)
+ identity = load_keychain_identity(identifier)
except Error:
- raise Error("Certificate for preferred name '{}' was not found".format(buffer))
+ raise Error("Identity for preferred name '{}' was not found".format(identifier))
certificate = ffi.new("SecCertificateRef *")
err = security.SecIdentityCopyCertificate(identity.ref(), certificate)
if err != 0:
- raise Error("Certificate for preferred name '{}' was not found".format(buffer))
+ raise Error("Identity for preferred name '{}' was not found".format(identifier))
certificate = certificate[0]
certificate = CFObjectRef(certificate)
@@ -232,7 +317,7 @@
-def _getIdentityCertificate(subject):
+def load_keychain_identity(subject):
"""
Retrieve a SecIdentityRef from the KeyChain with a subject that exactly matches the passed in value.
@@ -240,8 +325,16 @@
@type subject: L{str}
@return: matched SecIdentityRef item or L{None}
- @rtpe: L{CFObjectRef}
+ @rtype: L{CFObjectRef}
"""
+
+ # First try to load this from an identity preference
+ cfsubject = CFStringRef.fromString(subject)
+ identity = security.SecIdentityCopyPreferred(cfsubject.ref(), ffi.NULL, ffi.NULL)
+ if identity != ffi.NULL:
+ return CFObjectRef(identity)
+
+ # Now iterate items to find a match
match = CFDictionaryRef.fromDict({
CFStringRef.fromRef(security.kSecClass): CFStringRef.fromRef(security.kSecClassIdentity),
CFStringRef.fromRef(security.kSecReturnRef): CFBooleanRef.fromBool(True),
@@ -265,8 +358,3 @@
raise Error("Certificate with id '{}' was not found in the KeyChain".format(subject))
return identity
-
-
-if __name__ == '__main__':
- x = load_certificate("", "APSP:d6e49079-75ba-4380-a2cd-a66191469145")
- print(x.get_subject().get_components())
Added: PySecureTransport/trunk/OpenSSL/test/__init__.py
===================================================================
--- PySecureTransport/trunk/OpenSSL/test/__init__.py (rev 0)
+++ PySecureTransport/trunk/OpenSSL/test/__init__.py 2015-10-22 21:58:28 UTC (rev 15213)
@@ -0,0 +1,15 @@
+##
+# Copyright (c) 2015 Apple Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
Added: PySecureTransport/trunk/OpenSSL/test/data/server.pem
===================================================================
--- PySecureTransport/trunk/OpenSSL/test/data/server.pem (rev 0)
+++ PySecureTransport/trunk/OpenSSL/test/data/server.pem 2015-10-22 21:58:28 UTC (rev 15213)
@@ -0,0 +1,52 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAuhBjrq4nmSEo/V5nfnq+euKyRP5gJB0tp8lvawwTPT/kftqu
+ouXq58NvX9TwmDidzFgNGEqqirCLu14GYkFpL6fUjs8zlTIGrNIDb/W//DbiQ0Dy
+rhJMvGPErl3tTQn2pg9cw65zIHXQ2GgR4i/Fm52dZ9hIaybaYcO1UFqMQ6lHjLWE
+mc8svIhhovIgcLV3YZQ8hrhrTMSJfFqeVhMUrOxcdc5VnEiKXkblOtbeAiVOZdEm
+2jC5ME4w0PH3bXiQouqlmxtuPZuw7KZUNqiwJ0X1lhhM2SH3F/HHC2bY8ff/25sy
+ZdzoHwe2EuYwm1wAYN5IfjWqtGuuElr0jdL/TQIDAQABAoIBAGzJlF7XuJNRzhOG
+FODgh2p2DWFFkZTL8pu9rQVbxAv1xXVeCul3oIbtv7q6WAnIYIrPmKhxT5FTc/+T
+FAxyzjts11zATRqYa0q0aAoYF64xsM09tiaM0Iz9kEua41o9zxZ8uPI4l1uNRxSg
+lIQ5BkLcPuIulPkBeIHc2bAnoQcVfSQc1ZRR4IOtiZqk6bwxN/U6a1kbQ6EVrdEp
+tIWa6RHKemwNoTPiFc3eQHe8sYmVjkPu6S9yQI69hOicPK4y/PkH+5L+LtCh9cBC
+ijbAp7uTdGJ9BvXf+aIA9bM/eFG5+9nU8nsrOj2xT2axJ02FuLI/H0IxC8aCi1eP
+aKHB+IECgYEA5F/k0KkDa2mIg/tsIhHVCo5ic073pCMUQ6Ka2O9SM2EL7WrZSppm
+A0+sJpc/8aPuia1hB4izIME4zOKlIArMXvATq6OT2dAaXqGZFDwiOdyinFHKFDaP
+U68g4bQktMLb3phAsqTtXNxiyRnmiKDEkvPVbK6WbxVJ6RUdSFySLJECgYEA0JJC
+OjTPuz9e3DJc9PFvxSuwBmsV0kOkVa3D2Two24vNieWHv3ZujHSfN/prqZVkIgsL
+6grL9nfVxt/m2t62irBBKL2DlfxTMZhf+8H1anAjDF6h4jDsg3Ybar6NF0gl4w0t
+3km/8/UwQYNe1TDfuh+M4/rONqP+VbX9jDkXtP0CgYEAsEA95Lf79qLtBAc/jg+7
+HrmCy8EvKFMWaZiN70zMYPDN9r6W0pfUkUuk7eefJwvApirUDq92p5nYD2//xnnu
+/npEhBvrmJeeMlh/Pvml5IgeS4xn7C+rcAdh1i9kgMk+TU2t6PGWayt/ZfsCS4Hg
+FBXxKj6XxUVl1GhCQD2JZrECgYEAkUZOetxuFK5/FEDAHpxMjblwUggkmuAihssR
+ry4IB2PJNlN5yhJjzdEtVYBHnUdBB7VKByqeBn5RmMQ7uBeIbfF2cToPfVjTWagY
+svLWTdztjKAdgb8x/h812ZQAEkdenFeBq2MTIImXowot87CnJKz1JZZ8K/LuJCUv
+BYx+xsECgYAXspEZGSoW1LlJnnpAI8MUXBGYz1QnyOFn41O9niZ9rg0dX5L7laO/
+Frjq4ibegsNtVAPOIDebzrbhkocmH/vhgWbemTTs+Jiq0zfYxi/4m6kYDAruUKii
+Ol+8r1ZG1YZtuZg1FKe7cOY9FToMRjVethqiVJeoTlT62BzPhl1j8w==
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIEMDCCAxigAwIBAgIJAJYU3laSIOMjMA0GCSqGSIb3DQEBBQUAMG0xCzAJBgNV
+BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJQ3VwZXJ0aW5vMRMwEQYDVQQK
+EwpBcHBsZSBJbmMuMRQwEgYDVQQLEwtPUyBYIFNlcnZlcjESMBAGA1UEAxMJbG9j
+YWxob3N0MB4XDTE0MDUyODE5MjUyOFoXDTE3MDUyNzE5MjUyOFowbTELMAkGA1UE
+BhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlDdXBlcnRpbm8xEzARBgNVBAoT
+CkFwcGxlIEluYy4xFDASBgNVBAsTC09TIFggU2VydmVyMRIwEAYDVQQDEwlsb2Nh
+bGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6EGOurieZISj9
+Xmd+er564rJE/mAkHS2nyW9rDBM9P+R+2q6i5ernw29f1PCYOJ3MWA0YSqqKsIu7
+XgZiQWkvp9SOzzOVMgas0gNv9b/8NuJDQPKuEky8Y8SuXe1NCfamD1zDrnMgddDY
+aBHiL8WbnZ1n2EhrJtphw7VQWoxDqUeMtYSZzyy8iGGi8iBwtXdhlDyGuGtMxIl8
+Wp5WExSs7Fx1zlWcSIpeRuU61t4CJU5l0SbaMLkwTjDQ8fdteJCi6qWbG249m7Ds
+plQ2qLAnRfWWGEzZIfcX8ccLZtjx9//bmzJl3OgfB7YS5jCbXABg3kh+Naq0a64S
+WvSN0v9NAgMBAAGjgdIwgc8wHQYDVR0OBBYEFMoKhtrzSrJs/1DHjE7XuSAx4w8y
+MIGfBgNVHSMEgZcwgZSAFMoKhtrzSrJs/1DHjE7XuSAx4w8yoXGkbzBtMQswCQYD
+VQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCUN1cGVydGlubzETMBEGA1UE
+ChMKQXBwbGUgSW5jLjEUMBIGA1UECxMLT1MgWCBTZXJ2ZXIxEjAQBgNVBAMTCWxv
+Y2FsaG9zdIIJAJYU3laSIOMjMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
+ggEBAFdLKR6+xddHJ4jZw6b0M6oh5pQgDPU9iUQEBoPHS4BrtkODyUeJViEkVLVJ
+UhJYpkMiGl0B+2x7mymUTSCd/Z5xDsuexzfU1pbcArn34Be4L40+YlHBREkw+ZgM
+rcwUF1MWUw2YIb+EAJIJ1K3KNScYWi3j+0fUZ569Gg8a2/c0YETQ0+3jItg4ADZw
+Nj9Nc0TxEtKByl9Mpvz65CqM75zDkZzxS4DSOPT8v3j8QRz90A+U9J4K+xpox1Xg
+cLMvGmxHsBXktJ4ULKXS31oyAZQ4xZGj1J5YnvyNLk0ExHFpZLlxzrqpd2QBv6xX
+3UDm/8ymLyqZzD92CxVAEGOc3fc=
+-----END CERTIFICATE-----
Added: PySecureTransport/trunk/OpenSSL/test/test_crypto.py
===================================================================
--- PySecureTransport/trunk/OpenSSL/test/test_crypto.py (rev 0)
+++ PySecureTransport/trunk/OpenSSL/test/test_crypto.py 2015-10-22 21:58:28 UTC (rev 15213)
@@ -0,0 +1,57 @@
+##
+# Copyright (c) 2010-2015 Apple Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+
+from OpenSSL import crypto
+import os
+import unittest
+
+
+"""
+crypto tests.
+"""
+
+class CryptoTestCase(unittest.TestCase):
+ """
+ Tests for L{crypto} module.
+ """
+
+ dataDir = os.path.join(os.path.dirname(__file__), "data")
+
+ def test_load_certificate_pem(self):
+ """
+ Make sure L{crypto.load_certificate} can load a PEM file.
+ """
+
+ with open(os.path.join(self.dataDir, "server.pem")) as f:
+ data = f.read()
+
+ cert = crypto.load_certificate(crypto.FILETYPE_PEM, data)
+ self.assertTrue(isinstance(cert, crypto.X509))
+ for item in cert.get_subject().get_components():
+ if item[0] == "CN":
+ self.assertEqual(item[1], "localhost")
+
+
+ def test_load_privatekey_pem(self):
+ """
+ Make sure L{crypto.load_privatekey} can load a PEM file.
+ """
+
+ with open(os.path.join(self.dataDir, "server.pem")) as f:
+ data = f.read()
+
+ pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, data)
+ self.assertTrue(isinstance(pkey, crypto.PKey))
Modified: PySecureTransport/trunk/README
===================================================================
--- PySecureTransport/trunk/README 2015-10-22 21:49:54 UTC (rev 15212)
+++ PySecureTransport/trunk/README 2015-10-22 21:58:28 UTC (rev 15213)
@@ -3,7 +3,11 @@
OS X SecureTransport cffi based API that looks like pyOpenSSL.
+The goal here is to provide the minimum API needed to support
+TLS in Twisted. All certificate handling and verification is
+managed via OS X (via the Keychain and its trust related settings).
+
Copyright and License
=====================
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.macosforge.org/pipermail/calendarserver-changes/attachments/20151022/a8910e9f/attachment-0001.html>
More information about the calendarserver-changes
mailing list