CouchPotatoServer/libs/ndg/httpsclient/ssl_context_util.py

"""ndg_httpsclient SSL Context utilities module containing convenience routines
for setting SSL context configuration.

"""
__author__ = "P J Kershaw (STFC)"
__date__ = "09/12/11"
__copyright__ = "(C) 2012 Science and Technology Facilities Council"
__license__ = "BSD - see LICENSE file in top-level directory"
__contact__ = "Philip.Kershaw@stfc.ac.uk"
__revision__ = '$Id$'
import sys

if sys.version_info[0] > 2:
    import urllib.parse as urlparse_
else:
    import urlparse as urlparse_

from OpenSSL import SSL

from ndg.httpsclient.ssl_peer_verification import ServerSSLCertVerification


class SSlContextConfig(object):
    """
    Holds configuration options for creating a SSL context. This is used as a
    template to create the contexts with specific verification callbacks.
    """
    def __init__(self, key_file=None, cert_file=None, pem_file=None, ca_dir=None,
                 verify_peer=False):
        self.key_file = key_file
        self.cert_file = cert_file
        self.pem_file = pem_file
        self.ca_dir = ca_dir
        self.verify_peer = verify_peer


def make_ssl_context_from_config(ssl_config=False, url=None):
    return make_ssl_context(ssl_config.key_file, ssl_config.cert_file,
                            ssl_config.pem_file, ssl_config.ca_dir,
                            ssl_config.verify_peer, url)


def make_ssl_context(key_file=None, cert_file=None, pem_file=None, ca_dir=None,
                     verify_peer=False, url=None, method=SSL.TLSv1_METHOD,
                     key_file_passphrase=None):
    """
    Creates SSL context containing certificate and key file locations.
    """
    ssl_context = SSL.Context(method)
    
    # Key file defaults to certificate file if present.
    if cert_file:
        ssl_context.use_certificate_file(cert_file)
        
    if key_file_passphrase:
        passwd_cb = lambda max_passphrase_len, set_prompt, userdata: \
                           key_file_passphrase 
        ssl_context.set_passwd_cb(passwd_cb)
        
    if key_file:
        ssl_context.use_privatekey_file(key_file)
    elif cert_file:
        ssl_context.use_privatekey_file(cert_file)

    if pem_file or ca_dir:
        ssl_context.load_verify_locations(pem_file, ca_dir)

    def _callback(conn, x509, errnum, errdepth, preverify_ok):
        """Default certification verification callback.
        Performs no checks and returns the status passed in.
        """
        return preverify_ok
    
    verify_callback = _callback

    if verify_peer:
        ssl_context.set_verify_depth(9)
        if url:
            set_peer_verification_for_url_hostname(ssl_context, url)
        else:
            ssl_context.set_verify(SSL.VERIFY_PEER, verify_callback)
    else:
        ssl_context.set_verify(SSL.VERIFY_NONE, verify_callback)
        
    return ssl_context


def set_peer_verification_for_url_hostname(ssl_context, url, 
                                           if_verify_enabled=False):
    '''Convenience routine to set peer verification callback based on
    ServerSSLCertVerification class'''
    if not if_verify_enabled or (ssl_context.get_verify_mode() & SSL.VERIFY_PEER):
        urlObj = urlparse_.urlparse(url)
        hostname = urlObj.hostname
        server_ssl_cert_verif = ServerSSLCertVerification(hostname=hostname)
        verify_callback_ = server_ssl_cert_verif.get_verify_server_cert_func()
        ssl_context.set_verify(SSL.VERIFY_PEER, verify_callback_)