authorNarayan Desai <desai@mcs.anl.gov>2006-06-02 21:08:53 +0000
committerNarayan Desai <desai@mcs.anl.gov>2006-06-02 21:08:53 +0000
commitb36e11a35e722cddeccfd1c4cd92a9d6dc623d7e (patch)
tree34c7a42b7db51976d6ebc2b41ad51bb0cf5d2105 /src
parent8a9a0968340d998bc46195bde54e28d57f5f8850 (diff)
Initial checkin of peer SSL cert checks
git-svn-id: https://svn.mcs.anl.gov/repos/bcfg/trunk/bcfg2@1869 ce84e21b-d406-0410-9b95-82705330c041
Diffstat (limited to 'src')
-rw-r--r--src/lib/Client/Proxy.py12
-rw-r--r--src/lib/Server/Component.py41
2 files changed, 47 insertions, 6 deletions
diff --git a/src/lib/Client/Proxy.py b/src/lib/Client/Proxy.py
index 9d96fd936..0e86c959c 100644
--- a/src/lib/Client/Proxy.py
+++ b/src/lib/Client/Proxy.py
@@ -1,12 +1,20 @@
'''Cobalt proxy provides client access to cobalt components'''
__revision__ = '$Revision$'
-import logging, socket, time, xmlrpclib, ConfigParser
+import logging, socket, time, xmlrpclib, ConfigParser, httplib
class CobaltComponentError(Exception):
'''This error signals component connection errors'''
pass
+class SafeTransport(xmlrpclib.Transport):
+ """Handles an HTTPS transaction to an XML-RPC server."""
+ def make_connection(self, host):
+ # create a HTTPS connection object from a host descriptor
+ # host may be a string, or a (host, x509-dict) tuple
+ host, extra_headers, x509 = self.get_host_info(host)
+ return httplib.HTTPS(host, None, '/tmp/keys/client.pkey', '/tmp/keys/client.cert')
+
class SafeProxy:
'''Wrapper for proxy'''
_cfile = ConfigParser.ConfigParser()
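Review bot: `httplib.HTTPS` (Python 2) performs no verification of the server's certificate against any CA, so `SafeTransport.make_connection` authenticates the client to the server but gives the client no check on who it is actually talking to; the commit title promises peer checks, yet on this side none happen. Since the server side already uses pyOpenSSL with `load_verify_locations` and `set_verify`, the client should build its connection the same way (an OpenSSL context that loads the CA and verifies the peer) rather than relying on `httplib.HTTPS`. The literal paths `/tmp/keys/client.pkey` and `/tmp/keys/client.cert` put a private key in a world-writable directory and bypass the configuration this class already parses via `_cfile`; read them from the `communication` section instead, e.g. `self._cfile.get('communication', 'key')`. `extra_headers` and `x509` are unpacked but never used.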
@@ -32,7 +40,7 @@ class SafeProxy:
else:
address = self.__get_location(component)
try:
- self.proxy = xmlrpclib.ServerProxy(address)
+ self.proxy = xmlrpclib.ServerProxy(address, transport=SafeTransport())
except IOError, io_error:
self.log.error("Invalid server URL %s: %s" % (address, io_error))
raise CobaltComponentError
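Review bot: `transport=SafeTransport()` is passed unconditionally, so when `address` carries an `http://` scheme (whether `__get_location` can return one is not visible here) `xmlrpclib.ServerProxy` will still route it through the HTTPS transport and the connection will fail with an unhelpful error; either select the transport from the URL scheme or validate that `address` starts with `https://` and raise `CobaltComponentError` with a clear message otherwise. The enclosing method starts outside the hunk.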
diff --git a/src/lib/Server/Component.py b/src/lib/Server/Component.py
index 73f28446e..3315276b2 100644
--- a/src/lib/Server/Component.py
+++ b/src/lib/Server/Component.py
@@ -51,13 +51,45 @@ class SSLServer(BaseHTTPServer.HTTPServer):
def __init__(self, address, keyfile, handler):
SocketServer.BaseServer.__init__(self, address, handler)
ctxt = OpenSSL.SSL.Context(OpenSSL.SSL.SSLv23_METHOD)
- ctxt.use_privatekey_file (keyfile)
- ctxt.use_certificate_file(keyfile)
+ ctxt.use_privatekey_file ('/tmp/keys/server.pkey')
+ ctxt.use_certificate_file('/tmp/keys/server.cert')
+ ctxt.load_verify_locations('/tmp/keys/CA.cert')
+ ctxt.set_verify(OpenSSL.SSL.VERIFY_PEER, self.verify_cb)
self.socket = OpenSSL.SSL.Connection(ctxt,
socket.socket(self.address_family, self.socket_type))
self.server_bind()
self.server_activate()
+ def verify_cb(self, conn, cert, errnum, depth, ok):
+ '''handle cerificate verification'''
+ print "here"
+ print 'Got cert: %s' % (cert.get_subject())
+ print cert.get_pubkey()
+ return ok
+
+
+# print cert.subject_name_hash()
+#
+# print dir(cert.get_pubkey())
+# return ok
+
+ def handle_request(self):
+ """Handle one request, possibly blocking."""
+ try:
+ request, client_address = self.get_request()
+ except socket.error:
+ return
+ if self.verify_request(request, client_address):
+ try:
+ self.process_request(request, client_address)
+ except Exception, err:
+ print err
+ if err[0][0][0] == 'SSL routines':
+ log.error("%s from %s" % (err[0][0][2], client_address[0]))
+ else:
+ log.error("Unknown socket I/O failure from %s" % (client_address[0]), exc_info=1)
+ self.close_request(request)
+
class Component(SSLServer,
SimpleXMLRPCServer.SimpleXMLRPCDispatcher):
"""Cobalt component providing XML-RPC access"""
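Review bot: `VERIFY_PEER` on its own only validates a certificate if the client presents one, so with the `set_verify` call in `SSLServer.__init__` a client that sends no certificate at all is still accepted and `verify_cb` is never invoked; to actually require a client certificate use `ctxt.set_verify(OpenSSL.SSL.VERIFY_PEER | OpenSSL.SSL.VERIFY_FAIL_IF_NO_PEER_CERT, self.verify_cb)`. In the same hunk `handle_request` catches every `Exception` and then indexes `err[0][0][0]`, which raises `TypeError`/`IndexError` for anything that is not a pyOpenSSL error and so masks the original failure; catch `OpenSSL.SSL.Error` first and fall through to the generic logger (rewrite below), and note that `log` is not defined in this hunk while the last hunk uses `self.logger` — confirm the module-level name exists. The `keyfile` argument is now ignored in favour of literal `/tmp/keys/*` paths, which silently breaks the `communication`/`key` config option and places the server's private key in a world-writable directory. `verify_cb` still carries `print "here"`, `print err` and the commented-out block below it; drop them before this ships.
```python
        if self.verify_request(request, client_address):
            try:
                self.process_request(request, client_address)
            except OpenSSL.SSL.Error, err:
                # same err[0][0] (lib, func, reason) use as the original check
                log.error("%s from %s" % (err[0][0][2], client_address[0]))
            except Exception:
                log.error("Unknown socket I/O failure from %s" % (client_address[0]), exc_info=1)
        self.close_request(request)
```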
@@ -93,7 +125,8 @@ class Component(SSLServer,
else:
location = (socket.gethostname(), 0)
try:
- keyfile = self.cfile.get('communication', 'key')
+ #keyfile = self.cfile.get('communication', 'key')
+ keyfile = '/tmp/keys/server.pkey'
except ConfigParser.NoOptionError:
print "No key specified in cobalt.conf"
raise SystemExit, 1
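Review bot: With `keyfile` assigned a literal, the `except ConfigParser.NoOptionError` branch can never fire and the `communication`/`key` option in cobalt.conf is silently ignored, so a missing key that used to exit with a message now goes unreported. Keep the lookup in the `try` (`keyfile = self.cfile.get('communication', 'key')`) and, if a default is wanted, apply it in the `except` branch rather than replacing the lookup. A server private key under `/tmp` is a path any local user can pre-create or read if permissions slip; it belongs in a root-owned directory named in the config. The enclosing method continues outside the hunk.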
@@ -103,7 +136,7 @@ class Component(SSLServer,
try:
SSLServer.__init__(self, location, keyfile, CobaltXMLRPCRequestHandler)
except:
- self.logger.error("Failed to load ssl key %s" % (keyfile))
+ self.logger.error("Failed to load ssl key %s" % (keyfile), exc_info=1)
raise ComponentInitError
SimpleXMLRPCServer.SimpleXMLRPCDispatcher.__init__(self)
self.logRequests = 0
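Review bot: The bare `except:` around `SSLServer.__init__` now also covers the certificate and CA loads added in that constructor (`use_certificate_file`, `load_verify_locations`), yet the message still reports only a failed key load; `exc_info=1` does surface the real traceback, but the summary line should read something like `"Failed to initialise SSL server (key %s)" % (keyfile)` so an operator is not sent to the wrong file. The bare `except:` also swallows `KeyboardInterrupt` and `SystemExit`; `except Exception:` is the narrowest form that still covers socket and OpenSSL errors here, though that predates this commit. The enclosing method continues outside the hunk.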