- # -*- coding: utf-8 -*-
- # Copyright 2014 OpenMarket Ltd
- #
- # Licensed under the Apache License, Version 2.0 (the "License");
- # you may not use this file except in compliance with the License.
- # You may obtain a copy of the License at
- #
- # http://www.apache.org/licenses/LICENSE-2.0
- #
- # Unless required by applicable law or agreed to in writing, software
- # distributed under the License is distributed on an "AS IS" BASIS,
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- # See the License for the specific language governing permissions and
- # limitations under the License.
- import logging
- import twisted.internet.ssl
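logger = logging.getLogger(__name__)


class SslComponents:
    """TLS material Sydent uses for replication over HTTPS.

    On construction the server's own private certificate
    (``myPrivateCertificate``) and the trust root used to verify peers
    (``trustRoot``) are loaded from the paths given in the ``http`` section
    of the Sydent config.
    """

    def __init__(self, sydent):
        """
        :param sydent: the Sydent instance; only ``sydent.cfg`` is used here,
            and only its ``get(section, option)`` method.
        """
        self.sydent = sydent
        self.myPrivateCertificate = self.makeMyCertificate()
        self.trustRoot = self.makeTrustRoot()

    def makeMyCertificate(self):
        """Load the server's private key and certificate from one PEM file.

        The path is the ``replication.https.certfile`` option. When it is
        empty, or the file cannot be read, a warning is logged and ``None``
        is returned; callers treat ``None`` as "HTTPS replication disabled"
        (neither the replication server nor replication pushes start).

        :return: a ``twisted.internet.ssl.PrivateCertificate`` or ``None``.
        """
        privKeyAndCertFilename = self.sydent.cfg.get('http', 'replication.https.certfile')
        if privKeyAndCertFilename == '':
            logger.warning("No HTTPS private key / cert found: not starting replication server "
                           "or doing replication pushes")
            return None
        try:
            # The file holds the private key as well as the cert, so it
            # should be readable by the Sydent user only.  `with` closes the
            # handle even when read() fails (the previous version leaked it
            # on a read error, and let the error escape un-logged).
            with open(privKeyAndCertFilename) as fp:
                authData = fp.read()
        except (IOError, OSError):
            # Both named so the clause works on Python 2, where IOError is
            # not an OSError subclass.
            logger.warning("Unable to read private key / cert file from %s: not starting the replication HTTPS server "
                           "or doing replication pushes.",
                           privKeyAndCertFilename)
            return None
        return twisted.internet.ssl.PrivateCertificate.loadPEM(authData)

    def makeTrustRoot(self):
        """Build the trust root used to verify peers' replication certificates.

        If ``replication.https.cacert`` is set, the PEM certificate at that
        path becomes the only trusted CA.  That is intended for test setups
        where getting the client cert signed by a real root CA is not
        practical; a production server should leave the option unset so the
        platform's default CA bundle is used.

        :return: an ``OpenSSLCertificateAuthorities`` (custom CA) or an
            ``OpenSSLDefaultPaths`` (system bundle) trust root.
        :raises: whatever ``open`` or ``Certificate.loadPEM`` raise for the
            custom CA file.  The failure is logged and then re-raised rather
            than falling back to the default bundle, so a misconfigured CA
            path cannot silently change which peers are trusted.
        """
        caCertFilename = self.sydent.cfg.get('http', 'replication.https.cacert')
        if not caCertFilename:
            return twisted.internet.ssl.OpenSSLDefaultPaths()

        try:
            with open(caCertFilename) as fp:
                caCert = twisted.internet.ssl.Certificate.loadPEM(fp.read())
        except Exception:
            # Narrowed from a bare `except:` so that KeyboardInterrupt and
            # SystemExit are not reported as a cert-file failure; still
            # re-raised, see the docstring.
            logger.warning("Failed to open CA cert file %s", caCertFilename)
            raise
        logger.warning("Using custom CA cert file: %s", caCertFilename)
        # NOTE: `_sslverify` is a private Twisted module; kept because the
        # rest of the code relies on the object it returns.
        return twisted.internet._sslverify.OpenSSLCertificateAuthorities([caCert.original])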