| 1 | #!/usr/local/bin/python |
|---|
| 2 | |
|---|
| 3 | import sys |
|---|
| 4 | from M2Crypto import SSL |
|---|
| 5 | |
|---|
| 6 | # Turn off the matching of hostname to certificate ID |
|---|
| 7 | SSL.Connection.clientPostConnectionCheck = None |
|---|
| 8 | |
|---|
| 9 | class ssl_context(SSL.Context): |
|---|
| 10 | """ |
|---|
| 11 | Simple wrapper around an M2Crypto.SSL.Context to initialize it for use with |
|---|
| 12 | self-signed certs. |
|---|
| 13 | """ |
|---|
| 14 | def __init__(self, my_cert, trusted_certs=None, password=None): |
|---|
| 15 | """ |
|---|
| 16 | construct a cred_ssl_context |
|---|
| 17 | |
|---|
| 18 | @param my_cert: PEM file with my certificate in it |
|---|
| 19 | @param trusted_certs: PEM file with trusted certs in it (optional) |
|---|
| 20 | """ |
|---|
| 21 | SSL.Context.__init__(self) |
|---|
| 22 | |
|---|
| 23 | # load_cert takes a callback to get a password, not a password, so if |
|---|
| 24 | # the caller provided a password, this creates a nonce callback using a |
|---|
| 25 | # lambda form. |
|---|
| 26 | if password != None and not callable(password): |
|---|
| 27 | # This is cute. password = lambda *args: password produces a |
|---|
| 28 | # function object that returns itself rather than one that returns |
|---|
| 29 | # the object itself. This is because password is an object |
|---|
| 30 | # reference and after the assignment it's a lambda. So we assign |
|---|
| 31 | # to a temp. |
|---|
| 32 | pwd = str(password) |
|---|
| 33 | password =lambda *args: pwd |
|---|
| 34 | |
|---|
| 35 | # The calls to str below (and above) are because the underlying SSL |
|---|
| 36 | # stuff is intolerant of unicode. |
|---|
| 37 | if password != None: |
|---|
| 38 | self.load_cert(str(my_cert), callback=password) |
|---|
| 39 | else: |
|---|
| 40 | self.load_cert(str(my_cert)) |
|---|
| 41 | |
|---|
| 42 | # If no trusted certificates are specified, allow unknown CAs. |
|---|
| 43 | if trusted_certs: |
|---|
| 44 | self.load_verify_locations(trusted_certs) |
|---|
| 45 | self.set_verify(SSL.verify_peer, 10) |
|---|
| 46 | else: |
|---|
| 47 | callb = getattr(SSL.cb, "ssl_verify_callback") |
|---|
| 48 | self.set_allow_unknown_ca(True) |
|---|
| 49 | self.set_verify(SSL.verify_peer, 10, |
|---|
| 50 | callback=SSL.cb.ssl_verify_callback_allow_unknown_ca) |
|---|
| 51 | |
|---|
| 52 | # Python 2.7 broke the MCrypto 2.1 SSL_Transport. If this is an older python, |
|---|
| 53 | # use SSL_Transport unchanged, otherwise use a tweaked version. Export them as |
|---|
| 54 | # SSLTransport. |
|---|
| 55 | if sys.version_info == 2 and sys.version_info < 7: |
|---|
| 56 | from M2Crypto.m2xmlrpclib import SSL_Transport |
|---|
| 57 | class SSLTransport(SSL_Transport): pass |
|---|
| 58 | else: |
|---|
| 59 | # Most of this is directly from M2Crypto |
|---|
| 60 | import base64, string, sys |
|---|
| 61 | |
|---|
| 62 | from xmlrpclib import * |
|---|
| 63 | import M2Crypto |
|---|
| 64 | import M2Crypto.SSL, M2Crypto.httpslib, M2Crypto.m2urllib |
|---|
| 65 | |
|---|
| 66 | __version__ = M2Crypto.version |
|---|
| 67 | |
|---|
| 68 | class SSLTransport(Transport): |
|---|
| 69 | |
|---|
| 70 | user_agent = "M2Crypto_XMLRPC/%s - %s" % (__version__, |
|---|
| 71 | Transport.user_agent) |
|---|
| 72 | |
|---|
| 73 | def __init__(self, ssl_context=None, *args, **kw): |
|---|
| 74 | if getattr(Transport, '__init__', None) is not None: |
|---|
| 75 | Transport.__init__(self, *args, **kw) |
|---|
| 76 | if ssl_context is None: |
|---|
| 77 | self.ssl_ctx=M2Crypto.SSL.Context('sslv23') |
|---|
| 78 | else: |
|---|
| 79 | self.ssl_ctx=ssl_context |
|---|
| 80 | |
|---|
| 81 | def request(self, host, handler, request_body, verbose=0): |
|---|
| 82 | # Handle username and password. |
|---|
| 83 | user_passwd, host_port = M2Crypto.m2urllib.splituser(host) |
|---|
| 84 | _host, _port = M2Crypto.m2urllib.splitport(host_port) |
|---|
| 85 | |
|---|
| 86 | # This is a difference, was an (obsolete) HTTPS object, but |
|---|
| 87 | # HTTPSConnection is more supported and clear --tvf |
|---|
| 88 | h = M2Crypto.httpslib.HTTPSConnection(_host, int(_port), |
|---|
| 89 | ssl_context=self.ssl_ctx) |
|---|
| 90 | if verbose: |
|---|
| 91 | h.set_debuglevel(1) |
|---|
| 92 | |
|---|
| 93 | # What follows is as in xmlrpclib.Transport. (Except the authz bit.) |
|---|
| 94 | h.putrequest("POST", handler) |
|---|
| 95 | |
|---|
| 96 | # required by HTTP/1.1 |
|---|
| 97 | h.putheader("Host", _host) |
|---|
| 98 | |
|---|
| 99 | # required by XML-RPC |
|---|
| 100 | h.putheader("User-Agent", self.user_agent) |
|---|
| 101 | h.putheader("Content-Type", "text/xml") |
|---|
| 102 | h.putheader("Content-Length", str(len(request_body))) |
|---|
| 103 | |
|---|
| 104 | # Authorisation. |
|---|
| 105 | if user_passwd is not None: |
|---|
| 106 | auth=string.strip(base64.encodestring(user_passwd)) |
|---|
| 107 | h.putheader('Authorization', 'Basic %s' % auth) |
|---|
| 108 | |
|---|
| 109 | h.endheaders() |
|---|
| 110 | |
|---|
| 111 | if request_body: |
|---|
| 112 | h.send(request_body) |
|---|
| 113 | |
|---|
| 114 | # These are the modifications -- tvf |
|---|
| 115 | |
|---|
| 116 | resp = h.getresponse() |
|---|
| 117 | errcode = resp.status |
|---|
| 118 | errmsg = resp.reason |
|---|
| 119 | |
|---|
| 120 | # end mods -- tvf |
|---|
| 121 | |
|---|
| 122 | if errcode != 200: |
|---|
| 123 | raise ProtocolError( |
|---|
| 124 | host + handler, |
|---|
| 125 | errcode, errmsg, |
|---|
| 126 | headers |
|---|
| 127 | ) |
|---|
| 128 | |
|---|
| 129 | self.verbose = verbose |
|---|
| 130 | return self.parse_response(resp) |
|---|
| 131 | |
|---|
