1 """A library for integrating pyOpenSSL with CherryPy.
2
3 The OpenSSL module must be importable for SSL functionality.
4 You can obtain it from http://pyopenssl.sourceforge.net/
5
6 To use this module, set CherryPyWSGIServer.ssl_adapter to an instance of
7 SSLAdapter. There are two ways to use SSL:
8
9 Method One
10 ----------
11
12 * ``ssl_adapter.context``: an instance of SSL.Context.
13
14 If this is not None, it is assumed to be an SSL.Context instance,
15 and will be passed to SSL.Connection on bind(). The developer is
16 responsible for forming a valid Context object. This approach is
17 to be preferred for more flexibility, e.g. if the cert and key are
18 streams instead of files, or need decryption, or SSL.SSLv3_METHOD
19 is desired instead of the default SSL.SSLv23_METHOD, etc. Consult
20 the pyOpenSSL documentation for complete options.
21
22 Method Two (shortcut)
23 ---------------------
24
25 * ``ssl_adapter.certificate``: the filename of the server SSL certificate.
26 * ``ssl_adapter.private_key``: the filename of the server's private key file.
27
28 Both are None by default. If ssl_adapter.context is None, but .private_key
29 and .certificate are both given and valid, they will be read, and the
30 context will be automatically created from them.
31 """
32
33 import socket
34 import threading
35 import time
36
37 from cherrypy import wsgiserver
38
39 try:
40 from OpenSSL import SSL
41 from OpenSSL import crypto
42 except ImportError:
43 SSL = None
44
45
47 """SSL file object attached to a socket object."""
48
49 ssl_timeout = 3
50 ssl_retry = .01
51
52 - def _safe_call(self, is_reader, call, *args, **kwargs):
53 """Wrap the given call with SSL error-trapping.
54
55 is_reader: if False EOF errors will be raised. If True, EOF errors
56 will return "" (to emulate normal sockets).
57 """
58 start = time.time()
59 while True:
60 try:
61 return call(*args, **kwargs)
62 except SSL.WantReadError:
63
64
65
66
67 time.sleep(self.ssl_retry)
68 except SSL.WantWriteError:
69 time.sleep(self.ssl_retry)
70 except SSL.SysCallError, e:
71 if is_reader and e.args == (-1, 'Unexpected EOF'):
72 return ""
73
74 errnum = e.args[0]
75 if is_reader and errnum in wsgiserver.socket_errors_to_ignore:
76 return ""
77 raise socket.error(errnum)
78 except SSL.Error, e:
79 if is_reader and e.args == (-1, 'Unexpected EOF'):
80 return ""
81
82 thirdarg = None
83 try:
84 thirdarg = e.args[0][0][2]
85 except IndexError:
86 pass
87
88 if thirdarg == 'http request':
89
90 raise wsgiserver.NoSSLError()
91
92 raise wsgiserver.FatalSSLAlert(*e.args)
93 except:
94 raise
95
96 if time.time() - start > self.ssl_timeout:
97 raise socket.timeout("timed out")
98
99 - def recv(self, *args, **kwargs):
108
109 - def sendall(self, *args, **kwargs):
112
113 - def send(self, *args, **kwargs):
116
117
119 """A thread-safe wrapper for an SSL.Connection.
120
121 ``*args``: the arguments to create the wrapped ``SSL.Connection(*args)``.
122 """
123
125 self._ssl_conn = SSL.Connection(*args)
126 self._lock = threading.RLock()
127
128 for f in ('get_context', 'pending', 'send', 'write', 'recv', 'read',
129 'renegotiate', 'bind', 'listen', 'connect', 'accept',
130 'setblocking', 'fileno', 'close', 'get_cipher_list',
131 'getpeername', 'getsockname', 'getsockopt', 'setsockopt',
132 'makefile', 'get_app_data', 'set_app_data', 'state_string',
133 'sock_shutdown', 'get_peer_certificate', 'want_read',
134 'want_write', 'set_connect_state', 'set_accept_state',
135 'connect_ex', 'sendall', 'settimeout', 'gettimeout'):
136 exec("""def %s(self, *args):
137 self._lock.acquire()
138 try:
139 return self._ssl_conn.%s(*args)
140 finally:
141 self._lock.release()
142 """ % (f, f))
143
145 self._lock.acquire()
146 try:
147
148 return self._ssl_conn.shutdown()
149 finally:
150 self._lock.release()
151
152
154 """A wrapper for integrating pyOpenSSL with CherryPy."""
155
156 context = None
157 """An instance of SSL.Context."""
158
159 certificate = None
160 """The filename of the server SSL certificate."""
161
162 private_key = None
163 """The filename of the server's private key file."""
164
165 certificate_chain = None
166 """Optional. The filename of CA's intermediate certificate bundle.
167
168 This is needed for cheaper "chained root" SSL certificates, and should be
169 left as None if not required."""
170
171 - def __init__(self, certificate, private_key, certificate_chain=None):
180
181 - def bind(self, sock):
188
189 - def wrap(self, sock):
190 """Wrap and return the given socket, plus WSGI environ entries."""
191 return sock, self._environ.copy()
192
193 - def get_context(self):
194 """Return an SSL.Context from self attributes."""
195
196 c = SSL.Context(SSL.SSLv23_METHOD)
197 c.use_privatekey_file(self.private_key)
198 if self.certificate_chain:
199 c.load_verify_locations(self.certificate_chain)
200 c.use_certificate_file(self.certificate)
201 return c
202
204 """Return WSGI environ entries to be merged into each request."""
205 ssl_environ = {
206 "HTTPS": "on",
207
208
209
210
211
212 }
213
214 if self.certificate:
215
216 cert = open(self.certificate, 'rb').read()
217 cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
218 ssl_environ.update({
219 'SSL_SERVER_M_VERSION': cert.get_version(),
220 'SSL_SERVER_M_SERIAL': cert.get_serial_number(),
221
222
223 })
224
225 for prefix, dn in [("I", cert.get_issuer()),
226 ("S", cert.get_subject())]:
227
228
229
230 dnstr = str(dn)[18:-2]
231
232 wsgikey = 'SSL_SERVER_%s_DN' % prefix
233 ssl_environ[wsgikey] = dnstr
234
235
236
237 while dnstr:
238 pos = dnstr.rfind("=")
239 dnstr, value = dnstr[:pos], dnstr[pos + 1:]
240 pos = dnstr.rfind("/")
241 dnstr, key = dnstr[:pos], dnstr[pos + 1:]
242 if key and value:
243 wsgikey = 'SSL_SERVER_%s_DN_%s' % (prefix, key)
244 ssl_environ[wsgikey] = value
245
246 return ssl_environ
247
248 - def makefile(self, sock, mode='r', bufsize=-1):
256