Updated certificate files.

Author: philipkershaw

README.md

@@ -8,6 +8,10 @@ of the SSL peer using ``pyasn1``.
 
 Releases
 ========
+0.4.4
+-----
+ * Updated test certificates
+
 0.4.3
 -----
  * Fix to ``ndg`` namespace package warning issue (https://github.com/cedadev/ndg_httpsclient/issues/3).  

build/lib/ndg/__init__.py

@@ -0,0 +1 @@
+__path__ = __import__('pkgutil').extend_path(__path__, __name__)

build/lib/ndg/httpsclient/LICENSE

@@ -0,0 +1,26 @@
+Copyright (c) 2012, Science & Technology Facilities Council (STFC)
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without 
+modification, are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice, 
+      this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright notice,
+      this list of conditions and the following disclaimer in the documentation
+      and/or other materials provided with the distribution.
+    * Neither the name of the Science & Technology Facilities Council (STFC) 
+      nor the names of its contributors may be used to endorse or promote 
+      products derived from this software without specific prior written 
+      permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

build/lib/ndg/httpsclient/__init__.py

@@ -0,0 +1,9 @@
+"""ndg_httpsclient - PyOpenSSL utility to make a httplib-like interface suitable
+for use with urllib2
+"""
+__author__ = "P J Kershaw (STFC) and Richard Wilkinson (Tessella)"
+__date__ = "09/12/11"
+__copyright__ = "(C) 2011 Science and Technology Facilities Council"
+__license__ = "BSD - see LICENSE file in top-level directory"
+__contact__ = "[email protected]"
+__revision__ = '$Id$'

build/lib/ndg/httpsclient/https.py

@@ -0,0 +1,131 @@
+"""ndg_httpsclient HTTPS module containing PyOpenSSL implementation of
+httplib.HTTPSConnection
+
+PyOpenSSL utility to make a httplib-like interface suitable for use with 
+urllib2
+"""
+__author__ = "P J Kershaw (STFC)"
+__date__ = "09/12/11"
+__copyright__ = "(C) 2012 Science and Technology Facilities Council"
+__license__ = "BSD - see LICENSE file in top-level directory"
+__contact__ = "[email protected]"
+__revision__ = '$Id$'
+import logging
+import socket
+import sys
+
+if sys.version_info[0] > 2:
+    from http.client import HTTPS_PORT
+    from http.client import HTTPConnection
+
+    from urllib.request import AbstractHTTPHandler
+else:
+    from httplib import HTTPS_PORT
+    from httplib import HTTPConnection
+
+    from urllib2 import AbstractHTTPHandler
+
+
+from OpenSSL import SSL
+
+from ndg.httpsclient.ssl_socket import SSLSocket
+
+log = logging.getLogger(__name__)
+
+
+class HTTPSConnection(HTTPConnection):
+    """This class allows communication via SSL using PyOpenSSL.
+    It is based on httplib.HTTPSConnection, modified to use PyOpenSSL.
+
+    Note: This uses the constructor inherited from HTTPConnection to allow it to
+    be used with httplib and HTTPSContextHandler. To use the class directly with
+    an SSL context set ssl_context after construction.
+    
+    @cvar default_port: default port for this class (443)
+    @type default_port: int
+    @cvar default_ssl_method: default SSL method used if no SSL context is
+    explicitly set - defaults to version 2/3.
+    @type default_ssl_method: int
+    """
+    default_port = HTTPS_PORT
+    default_ssl_method = SSL.SSLv23_METHOD
+    
+    def __init__(self, host, port=None, strict=None,
+                 timeout=socket._GLOBAL_DEFAULT_TIMEOUT, ssl_context=None):
+        HTTPConnection.__init__(self, host, port, strict, timeout)
+        if not hasattr(self, 'ssl_context'):
+            self.ssl_context = None
+
+        if ssl_context is not None:
+            if not isinstance(ssl_context, SSL.Context):
+                raise TypeError('Expecting OpenSSL.SSL.Context type for "'
+                                'ssl_context" keyword; got %r instead' %
+                                ssl_context)
+                
+            self.ssl_context = ssl_context
+            
+    def connect(self):
+        """Create SSL socket and connect to peer
+        """
+        if getattr(self, 'ssl_context', None):
+            if not isinstance(self.ssl_context, SSL.Context):
+                raise TypeError('Expecting OpenSSL.SSL.Context type for "'
+                                'ssl_context" attribute; got %r instead' %
+                                self.ssl_context)
+            ssl_context = self.ssl_context
+        else:
+            ssl_context = SSL.Context(self.__class__.default_ssl_method)
+
+        sock = socket.create_connection((self.host, self.port), self.timeout)
+        
+        # Tunnel if using a proxy - ONLY available for Python 2.6.2 and above      
+        if getattr(self, '_tunnel_host', None):
+            self.sock = sock
+            self._tunnel()
+            
+        self.sock = SSLSocket(ssl_context, sock)
+        
+        # Go to client mode.
+        self.sock.set_connect_state()
+
+    def close(self):
+        """Close socket and shut down SSL connection"""
+        if hasattr(self.sock, "close"):
+            self.sock.close()
+        
+        
+class HTTPSContextHandler(AbstractHTTPHandler):
+    '''HTTPS handler that allows a SSL context to be set for the SSL
+    connections.
+    '''
+    https_request = AbstractHTTPHandler.do_request_
+
+    def __init__(self, ssl_context, debuglevel=0):
+        """
+        @param ssl_context:SSL context
+        @type ssl_context: OpenSSL.SSL.Context
+        @param debuglevel: debug level for HTTPSHandler
+        @type debuglevel: int
+        """
+        AbstractHTTPHandler.__init__(self, debuglevel)
+
+        if ssl_context is not None:
+            if not isinstance(ssl_context, SSL.Context):
+                raise TypeError('Expecting OpenSSL.SSL.Context type for "'
+                                'ssl_context" keyword; got %r instead' %
+                                ssl_context)
+            self.ssl_context = ssl_context
+        else:
+            self.ssl_context = SSL.Context(SSL.TLSv1_METHOD)
+
+    def https_open(self, req):
+        """Opens HTTPS request
+        @param req: HTTP request
+        @return: HTTP Response object
+        """
+        # Make a custom class extending HTTPSConnection, with the SSL context
+        # set as a class variable so that it is available to the connect method.
+        customHTTPSContextConnection = type('CustomHTTPSContextConnection',
+                                            (HTTPSConnection, object),
+                                            {'ssl_context': self.ssl_context})
+        return self.do_open(customHTTPSContextConnection, req)

build/lib/ndg/httpsclient/ssl_context_util.py

@@ -0,0 +1,98 @@
+"""ndg_httpsclient SSL Context utilities module containing convenience routines
+for setting SSL context configuration.
+
+"""
+__author__ = "P J Kershaw (STFC)"
+__date__ = "09/12/11"
+__copyright__ = "(C) 2012 Science and Technology Facilities Council"
+__license__ = "BSD - see LICENSE file in top-level directory"
+__contact__ = "[email protected]"
+__revision__ = '$Id$'
+import sys
+
+if sys.version_info[0] > 2:
+    import urllib.parse as urlparse_
+else:
+    import urlparse as urlparse_
+
+from OpenSSL import SSL
+
+from ndg.httpsclient.ssl_peer_verification import ServerSSLCertVerification
+
+
+class SSlContextConfig(object):
+    """
+    Holds configuration options for creating a SSL context. This is used as a
+    template to create the contexts with specific verification callbacks.
+    """
+    def __init__(self, key_file=None, cert_file=None, pem_file=None, ca_dir=None,
+                 verify_peer=False):
+        self.key_file = key_file
+        self.cert_file = cert_file
+        self.pem_file = pem_file
+        self.ca_dir = ca_dir
+        self.verify_peer = verify_peer
+
+
+def make_ssl_context_from_config(ssl_config=False, url=None):
+    return make_ssl_context(ssl_config.key_file, ssl_config.cert_file,
+                            ssl_config.pem_file, ssl_config.ca_dir,
+                            ssl_config.verify_peer, url)
+
+
+def make_ssl_context(key_file=None, cert_file=None, pem_file=None, ca_dir=None,
+                     verify_peer=False, url=None, method=SSL.TLSv1_METHOD,
+                     key_file_passphrase=None):
+    """
+    Creates SSL context containing certificate and key file locations.
+    """
+    ssl_context = SSL.Context(method)
+    
+    # Key file defaults to certificate file if present.
+    if cert_file:
+        ssl_context.use_certificate_file(cert_file)
+        
+    if key_file_passphrase:
+        passwd_cb = lambda max_passphrase_len, set_prompt, userdata: \
+                           key_file_passphrase 
+        ssl_context.set_passwd_cb(passwd_cb)
+        
+    if key_file:
+        ssl_context.use_privatekey_file(key_file)
+    elif cert_file:
+        ssl_context.use_privatekey_file(cert_file)
+
+    if pem_file or ca_dir:
+        ssl_context.load_verify_locations(pem_file, ca_dir)
+
+    def _callback(conn, x509, errnum, errdepth, preverify_ok):
+        """Default certification verification callback.
+        Performs no checks and returns the status passed in.
+        """
+        return preverify_ok
+    
+    verify_callback = _callback
+
+    if verify_peer:
+        ssl_context.set_verify_depth(9)
+        if url:
+            set_peer_verification_for_url_hostname(ssl_context, url)
+        else:
+            ssl_context.set_verify(SSL.VERIFY_PEER, verify_callback)
+    else:
+        ssl_context.set_verify(SSL.VERIFY_NONE, verify_callback)
+        
+    return ssl_context
+
+
+def set_peer_verification_for_url_hostname(ssl_context, url, 
+                                           if_verify_enabled=False):
+    '''Convenience routine to set peer verification callback based on
+    ServerSSLCertVerification class'''
+    if not if_verify_enabled or (ssl_context.get_verify_mode() & SSL.VERIFY_PEER):
+        urlObj = urlparse_.urlparse(url)
+        hostname = urlObj.hostname
+        server_ssl_cert_verif = ServerSSLCertVerification(hostname=hostname)
+        verify_callback_ = server_ssl_cert_verif.get_verify_server_cert_func()
+        ssl_context.set_verify(SSL.VERIFY_PEER, verify_callback_)
+