Funktionierender Prototyp des Serious Games zur Vermittlung von Wissen zu Software-Engineering-Arbeitsmodellen.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

pyopenssl.py 19KB

1 year ago
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557
  1. """
  2. Module for using pyOpenSSL as a TLS backend. This module was relevant before
  3. the standard library ``ssl`` module supported SNI, but now that we've dropped
  4. support for Python 2.7 all relevant Python versions support SNI so
  5. **this module is no longer recommended**.
  6. This needs the following packages installed:
  7. * `pyOpenSSL`_ (tested with 16.0.0)
  8. * `cryptography`_ (minimum 1.3.4, from pyopenssl)
  9. * `idna`_ (minimum 2.0, from cryptography)
  10. However, pyOpenSSL depends on cryptography, which depends on idna, so while we
  11. use all three directly here we end up having relatively few packages required.
  12. You can install them with the following command:
  13. .. code-block:: bash
  14. $ python -m pip install pyopenssl cryptography idna
  15. To activate certificate checking, call
  16. :func:`~urllib3.contrib.pyopenssl.inject_into_urllib3` from your Python code
  17. before you begin making HTTP requests. This can be done in a ``sitecustomize``
  18. module, or at any other time before your application begins using ``urllib3``,
  19. like this:
  20. .. code-block:: python
  21. try:
  22. import urllib3.contrib.pyopenssl
  23. urllib3.contrib.pyopenssl.inject_into_urllib3()
  24. except ImportError:
  25. pass
  26. .. _pyopenssl: https://www.pyopenssl.org
  27. .. _cryptography: https://cryptography.io
  28. .. _idna: https://github.com/kjd/idna
  29. """
  30. from __future__ import annotations
  31. import OpenSSL.SSL # type: ignore[import]
  32. from cryptography import x509
  33. try:
  34. from cryptography.x509 import UnsupportedExtension # type: ignore[attr-defined]
  35. except ImportError:
  36. # UnsupportedExtension is gone in cryptography >= 2.1.0
  37. class UnsupportedExtension(Exception): # type: ignore[no-redef]
  38. pass
  39. import logging
  40. import ssl
  41. import typing
  42. import warnings
  43. from io import BytesIO
  44. from socket import socket as socket_cls
  45. from socket import timeout
  46. from .. import util
  47. warnings.warn(
  48. "'urllib3.contrib.pyopenssl' module is deprecated and will be removed "
  49. "in urllib3 v2.1.0. Read more in this issue: "
  50. "https://github.com/urllib3/urllib3/issues/2680",
  51. category=DeprecationWarning,
  52. stacklevel=2,
  53. )
  54. if typing.TYPE_CHECKING:
  55. from OpenSSL.crypto import X509 # type: ignore[import]
  56. __all__ = ["inject_into_urllib3", "extract_from_urllib3"]
  57. # Map from urllib3 to PyOpenSSL compatible parameter-values.
  58. _openssl_versions = {
  59. util.ssl_.PROTOCOL_TLS: OpenSSL.SSL.SSLv23_METHOD, # type: ignore[attr-defined]
  60. util.ssl_.PROTOCOL_TLS_CLIENT: OpenSSL.SSL.SSLv23_METHOD, # type: ignore[attr-defined]
  61. ssl.PROTOCOL_TLSv1: OpenSSL.SSL.TLSv1_METHOD,
  62. }
  63. if hasattr(ssl, "PROTOCOL_TLSv1_1") and hasattr(OpenSSL.SSL, "TLSv1_1_METHOD"):
  64. _openssl_versions[ssl.PROTOCOL_TLSv1_1] = OpenSSL.SSL.TLSv1_1_METHOD
  65. if hasattr(ssl, "PROTOCOL_TLSv1_2") and hasattr(OpenSSL.SSL, "TLSv1_2_METHOD"):
  66. _openssl_versions[ssl.PROTOCOL_TLSv1_2] = OpenSSL.SSL.TLSv1_2_METHOD
  67. _stdlib_to_openssl_verify = {
  68. ssl.CERT_NONE: OpenSSL.SSL.VERIFY_NONE,
  69. ssl.CERT_OPTIONAL: OpenSSL.SSL.VERIFY_PEER,
  70. ssl.CERT_REQUIRED: OpenSSL.SSL.VERIFY_PEER
  71. + OpenSSL.SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
  72. }
  73. _openssl_to_stdlib_verify = {v: k for k, v in _stdlib_to_openssl_verify.items()}
  74. # The SSLvX values are the most likely to be missing in the future
  75. # but we check them all just to be sure.
  76. _OP_NO_SSLv2_OR_SSLv3: int = getattr(OpenSSL.SSL, "OP_NO_SSLv2", 0) | getattr(
  77. OpenSSL.SSL, "OP_NO_SSLv3", 0
  78. )
  79. _OP_NO_TLSv1: int = getattr(OpenSSL.SSL, "OP_NO_TLSv1", 0)
  80. _OP_NO_TLSv1_1: int = getattr(OpenSSL.SSL, "OP_NO_TLSv1_1", 0)
  81. _OP_NO_TLSv1_2: int = getattr(OpenSSL.SSL, "OP_NO_TLSv1_2", 0)
  82. _OP_NO_TLSv1_3: int = getattr(OpenSSL.SSL, "OP_NO_TLSv1_3", 0)
  83. _openssl_to_ssl_minimum_version: dict[int, int] = {
  84. ssl.TLSVersion.MINIMUM_SUPPORTED: _OP_NO_SSLv2_OR_SSLv3,
  85. ssl.TLSVersion.TLSv1: _OP_NO_SSLv2_OR_SSLv3,
  86. ssl.TLSVersion.TLSv1_1: _OP_NO_SSLv2_OR_SSLv3 | _OP_NO_TLSv1,
  87. ssl.TLSVersion.TLSv1_2: _OP_NO_SSLv2_OR_SSLv3 | _OP_NO_TLSv1 | _OP_NO_TLSv1_1,
  88. ssl.TLSVersion.TLSv1_3: (
  89. _OP_NO_SSLv2_OR_SSLv3 | _OP_NO_TLSv1 | _OP_NO_TLSv1_1 | _OP_NO_TLSv1_2
  90. ),
  91. ssl.TLSVersion.MAXIMUM_SUPPORTED: (
  92. _OP_NO_SSLv2_OR_SSLv3 | _OP_NO_TLSv1 | _OP_NO_TLSv1_1 | _OP_NO_TLSv1_2
  93. ),
  94. }
  95. _openssl_to_ssl_maximum_version: dict[int, int] = {
  96. ssl.TLSVersion.MINIMUM_SUPPORTED: (
  97. _OP_NO_SSLv2_OR_SSLv3
  98. | _OP_NO_TLSv1
  99. | _OP_NO_TLSv1_1
  100. | _OP_NO_TLSv1_2
  101. | _OP_NO_TLSv1_3
  102. ),
  103. ssl.TLSVersion.TLSv1: (
  104. _OP_NO_SSLv2_OR_SSLv3 | _OP_NO_TLSv1_1 | _OP_NO_TLSv1_2 | _OP_NO_TLSv1_3
  105. ),
  106. ssl.TLSVersion.TLSv1_1: _OP_NO_SSLv2_OR_SSLv3 | _OP_NO_TLSv1_2 | _OP_NO_TLSv1_3,
  107. ssl.TLSVersion.TLSv1_2: _OP_NO_SSLv2_OR_SSLv3 | _OP_NO_TLSv1_3,
  108. ssl.TLSVersion.TLSv1_3: _OP_NO_SSLv2_OR_SSLv3,
  109. ssl.TLSVersion.MAXIMUM_SUPPORTED: _OP_NO_SSLv2_OR_SSLv3,
  110. }
  111. # OpenSSL will only write 16K at a time
  112. SSL_WRITE_BLOCKSIZE = 16384
  113. orig_util_SSLContext = util.ssl_.SSLContext
  114. log = logging.getLogger(__name__)
  115. def inject_into_urllib3() -> None:
  116. "Monkey-patch urllib3 with PyOpenSSL-backed SSL-support."
  117. _validate_dependencies_met()
  118. util.SSLContext = PyOpenSSLContext # type: ignore[assignment]
  119. util.ssl_.SSLContext = PyOpenSSLContext # type: ignore[assignment]
  120. util.IS_PYOPENSSL = True
  121. util.ssl_.IS_PYOPENSSL = True
  122. def extract_from_urllib3() -> None:
  123. "Undo monkey-patching by :func:`inject_into_urllib3`."
  124. util.SSLContext = orig_util_SSLContext
  125. util.ssl_.SSLContext = orig_util_SSLContext
  126. util.IS_PYOPENSSL = False
  127. util.ssl_.IS_PYOPENSSL = False
  128. def _validate_dependencies_met() -> None:
  129. """
  130. Verifies that PyOpenSSL's package-level dependencies have been met.
  131. Throws `ImportError` if they are not met.
  132. """
  133. # Method added in `cryptography==1.1`; not available in older versions
  134. from cryptography.x509.extensions import Extensions
  135. if getattr(Extensions, "get_extension_for_class", None) is None:
  136. raise ImportError(
  137. "'cryptography' module missing required functionality. "
  138. "Try upgrading to v1.3.4 or newer."
  139. )
  140. # pyOpenSSL 0.14 and above use cryptography for OpenSSL bindings. The _x509
  141. # attribute is only present on those versions.
  142. from OpenSSL.crypto import X509
  143. x509 = X509()
  144. if getattr(x509, "_x509", None) is None:
  145. raise ImportError(
  146. "'pyOpenSSL' module missing required functionality. "
  147. "Try upgrading to v0.14 or newer."
  148. )
  149. def _dnsname_to_stdlib(name: str) -> str | None:
  150. """
  151. Converts a dNSName SubjectAlternativeName field to the form used by the
  152. standard library on the given Python version.
  153. Cryptography produces a dNSName as a unicode string that was idna-decoded
  154. from ASCII bytes. We need to idna-encode that string to get it back, and
  155. then on Python 3 we also need to convert to unicode via UTF-8 (the stdlib
  156. uses PyUnicode_FromStringAndSize on it, which decodes via UTF-8).
  157. If the name cannot be idna-encoded then we return None signalling that
  158. the name given should be skipped.
  159. """
  160. def idna_encode(name: str) -> bytes | None:
  161. """
  162. Borrowed wholesale from the Python Cryptography Project. It turns out
  163. that we can't just safely call `idna.encode`: it can explode for
  164. wildcard names. This avoids that problem.
  165. """
  166. import idna
  167. try:
  168. for prefix in ["*.", "."]:
  169. if name.startswith(prefix):
  170. name = name[len(prefix) :]
  171. return prefix.encode("ascii") + idna.encode(name)
  172. return idna.encode(name)
  173. except idna.core.IDNAError:
  174. return None
  175. # Don't send IPv6 addresses through the IDNA encoder.
  176. if ":" in name:
  177. return name
  178. encoded_name = idna_encode(name)
  179. if encoded_name is None:
  180. return None
  181. return encoded_name.decode("utf-8")
  182. def get_subj_alt_name(peer_cert: X509) -> list[tuple[str, str]]:
  183. """
  184. Given an PyOpenSSL certificate, provides all the subject alternative names.
  185. """
  186. cert = peer_cert.to_cryptography()
  187. # We want to find the SAN extension. Ask Cryptography to locate it (it's
  188. # faster than looping in Python)
  189. try:
  190. ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
  191. except x509.ExtensionNotFound:
  192. # No such extension, return the empty list.
  193. return []
  194. except (
  195. x509.DuplicateExtension,
  196. UnsupportedExtension,
  197. x509.UnsupportedGeneralNameType,
  198. UnicodeError,
  199. ) as e:
  200. # A problem has been found with the quality of the certificate. Assume
  201. # no SAN field is present.
  202. log.warning(
  203. "A problem was encountered with the certificate that prevented "
  204. "urllib3 from finding the SubjectAlternativeName field. This can "
  205. "affect certificate validation. The error was %s",
  206. e,
  207. )
  208. return []
  209. # We want to return dNSName and iPAddress fields. We need to cast the IPs
  210. # back to strings because the match_hostname function wants them as
  211. # strings.
  212. # Sadly the DNS names need to be idna encoded and then, on Python 3, UTF-8
  213. # decoded. This is pretty frustrating, but that's what the standard library
  214. # does with certificates, and so we need to attempt to do the same.
  215. # We also want to skip over names which cannot be idna encoded.
  216. names = [
  217. ("DNS", name)
  218. for name in map(_dnsname_to_stdlib, ext.get_values_for_type(x509.DNSName))
  219. if name is not None
  220. ]
  221. names.extend(
  222. ("IP Address", str(name)) for name in ext.get_values_for_type(x509.IPAddress)
  223. )
  224. return names
  225. class WrappedSocket:
  226. """API-compatibility wrapper for Python OpenSSL's Connection-class."""
  227. def __init__(
  228. self,
  229. connection: OpenSSL.SSL.Connection,
  230. socket: socket_cls,
  231. suppress_ragged_eofs: bool = True,
  232. ) -> None:
  233. self.connection = connection
  234. self.socket = socket
  235. self.suppress_ragged_eofs = suppress_ragged_eofs
  236. self._io_refs = 0
  237. self._closed = False
  238. def fileno(self) -> int:
  239. return self.socket.fileno()
  240. # Copy-pasted from Python 3.5 source code
  241. def _decref_socketios(self) -> None:
  242. if self._io_refs > 0:
  243. self._io_refs -= 1
  244. if self._closed:
  245. self.close()
  246. def recv(self, *args: typing.Any, **kwargs: typing.Any) -> bytes:
  247. try:
  248. data = self.connection.recv(*args, **kwargs)
  249. except OpenSSL.SSL.SysCallError as e:
  250. if self.suppress_ragged_eofs and e.args == (-1, "Unexpected EOF"):
  251. return b""
  252. else:
  253. raise OSError(e.args[0], str(e)) from e
  254. except OpenSSL.SSL.ZeroReturnError:
  255. if self.connection.get_shutdown() == OpenSSL.SSL.RECEIVED_SHUTDOWN:
  256. return b""
  257. else:
  258. raise
  259. except OpenSSL.SSL.WantReadError as e:
  260. if not util.wait_for_read(self.socket, self.socket.gettimeout()):
  261. raise timeout("The read operation timed out") from e
  262. else:
  263. return self.recv(*args, **kwargs)
  264. # TLS 1.3 post-handshake authentication
  265. except OpenSSL.SSL.Error as e:
  266. raise ssl.SSLError(f"read error: {e!r}") from e
  267. else:
  268. return data # type: ignore[no-any-return]
  269. def recv_into(self, *args: typing.Any, **kwargs: typing.Any) -> int:
  270. try:
  271. return self.connection.recv_into(*args, **kwargs) # type: ignore[no-any-return]
  272. except OpenSSL.SSL.SysCallError as e:
  273. if self.suppress_ragged_eofs and e.args == (-1, "Unexpected EOF"):
  274. return 0
  275. else:
  276. raise OSError(e.args[0], str(e)) from e
  277. except OpenSSL.SSL.ZeroReturnError:
  278. if self.connection.get_shutdown() == OpenSSL.SSL.RECEIVED_SHUTDOWN:
  279. return 0
  280. else:
  281. raise
  282. except OpenSSL.SSL.WantReadError as e:
  283. if not util.wait_for_read(self.socket, self.socket.gettimeout()):
  284. raise timeout("The read operation timed out") from e
  285. else:
  286. return self.recv_into(*args, **kwargs)
  287. # TLS 1.3 post-handshake authentication
  288. except OpenSSL.SSL.Error as e:
  289. raise ssl.SSLError(f"read error: {e!r}") from e
  290. def settimeout(self, timeout: float) -> None:
  291. return self.socket.settimeout(timeout)
  292. def _send_until_done(self, data: bytes) -> int:
  293. while True:
  294. try:
  295. return self.connection.send(data) # type: ignore[no-any-return]
  296. except OpenSSL.SSL.WantWriteError as e:
  297. if not util.wait_for_write(self.socket, self.socket.gettimeout()):
  298. raise timeout() from e
  299. continue
  300. except OpenSSL.SSL.SysCallError as e:
  301. raise OSError(e.args[0], str(e)) from e
  302. def sendall(self, data: bytes) -> None:
  303. total_sent = 0
  304. while total_sent < len(data):
  305. sent = self._send_until_done(
  306. data[total_sent : total_sent + SSL_WRITE_BLOCKSIZE]
  307. )
  308. total_sent += sent
  309. def shutdown(self) -> None:
  310. # FIXME rethrow compatible exceptions should we ever use this
  311. self.connection.shutdown()
  312. def close(self) -> None:
  313. self._closed = True
  314. if self._io_refs <= 0:
  315. self._real_close()
  316. def _real_close(self) -> None:
  317. try:
  318. return self.connection.close() # type: ignore[no-any-return]
  319. except OpenSSL.SSL.Error:
  320. return
  321. def getpeercert(
  322. self, binary_form: bool = False
  323. ) -> dict[str, list[typing.Any]] | None:
  324. x509 = self.connection.get_peer_certificate()
  325. if not x509:
  326. return x509 # type: ignore[no-any-return]
  327. if binary_form:
  328. return OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_ASN1, x509) # type: ignore[no-any-return]
  329. return {
  330. "subject": ((("commonName", x509.get_subject().CN),),), # type: ignore[dict-item]
  331. "subjectAltName": get_subj_alt_name(x509),
  332. }
  333. def version(self) -> str:
  334. return self.connection.get_protocol_version_name() # type: ignore[no-any-return]
  335. WrappedSocket.makefile = socket_cls.makefile # type: ignore[attr-defined]
  336. class PyOpenSSLContext:
  337. """
  338. I am a wrapper class for the PyOpenSSL ``Context`` object. I am responsible
  339. for translating the interface of the standard library ``SSLContext`` object
  340. to calls into PyOpenSSL.
  341. """
  342. def __init__(self, protocol: int) -> None:
  343. self.protocol = _openssl_versions[protocol]
  344. self._ctx = OpenSSL.SSL.Context(self.protocol)
  345. self._options = 0
  346. self.check_hostname = False
  347. self._minimum_version: int = ssl.TLSVersion.MINIMUM_SUPPORTED
  348. self._maximum_version: int = ssl.TLSVersion.MAXIMUM_SUPPORTED
  349. @property
  350. def options(self) -> int:
  351. return self._options
  352. @options.setter
  353. def options(self, value: int) -> None:
  354. self._options = value
  355. self._set_ctx_options()
  356. @property
  357. def verify_mode(self) -> int:
  358. return _openssl_to_stdlib_verify[self._ctx.get_verify_mode()]
  359. @verify_mode.setter
  360. def verify_mode(self, value: ssl.VerifyMode) -> None:
  361. self._ctx.set_verify(_stdlib_to_openssl_verify[value], _verify_callback)
  362. def set_default_verify_paths(self) -> None:
  363. self._ctx.set_default_verify_paths()
  364. def set_ciphers(self, ciphers: bytes | str) -> None:
  365. if isinstance(ciphers, str):
  366. ciphers = ciphers.encode("utf-8")
  367. self._ctx.set_cipher_list(ciphers)
  368. def load_verify_locations(
  369. self,
  370. cafile: str | None = None,
  371. capath: str | None = None,
  372. cadata: bytes | None = None,
  373. ) -> None:
  374. if cafile is not None:
  375. cafile = cafile.encode("utf-8") # type: ignore[assignment]
  376. if capath is not None:
  377. capath = capath.encode("utf-8") # type: ignore[assignment]
  378. try:
  379. self._ctx.load_verify_locations(cafile, capath)
  380. if cadata is not None:
  381. self._ctx.load_verify_locations(BytesIO(cadata))
  382. except OpenSSL.SSL.Error as e:
  383. raise ssl.SSLError(f"unable to load trusted certificates: {e!r}") from e
  384. def load_cert_chain(
  385. self,
  386. certfile: str,
  387. keyfile: str | None = None,
  388. password: str | None = None,
  389. ) -> None:
  390. try:
  391. self._ctx.use_certificate_chain_file(certfile)
  392. if password is not None:
  393. if not isinstance(password, bytes):
  394. password = password.encode("utf-8") # type: ignore[assignment]
  395. self._ctx.set_passwd_cb(lambda *_: password)
  396. self._ctx.use_privatekey_file(keyfile or certfile)
  397. except OpenSSL.SSL.Error as e:
  398. raise ssl.SSLError(f"Unable to load certificate chain: {e!r}") from e
  399. def set_alpn_protocols(self, protocols: list[bytes | str]) -> None:
  400. protocols = [util.util.to_bytes(p, "ascii") for p in protocols]
  401. return self._ctx.set_alpn_protos(protocols) # type: ignore[no-any-return]
  402. def wrap_socket(
  403. self,
  404. sock: socket_cls,
  405. server_side: bool = False,
  406. do_handshake_on_connect: bool = True,
  407. suppress_ragged_eofs: bool = True,
  408. server_hostname: bytes | str | None = None,
  409. ) -> WrappedSocket:
  410. cnx = OpenSSL.SSL.Connection(self._ctx, sock)
  411. # If server_hostname is an IP, don't use it for SNI, per RFC6066 Section 3
  412. if server_hostname and not util.ssl_.is_ipaddress(server_hostname):
  413. if isinstance(server_hostname, str):
  414. server_hostname = server_hostname.encode("utf-8")
  415. cnx.set_tlsext_host_name(server_hostname)
  416. cnx.set_connect_state()
  417. while True:
  418. try:
  419. cnx.do_handshake()
  420. except OpenSSL.SSL.WantReadError as e:
  421. if not util.wait_for_read(sock, sock.gettimeout()):
  422. raise timeout("select timed out") from e
  423. continue
  424. except OpenSSL.SSL.Error as e:
  425. raise ssl.SSLError(f"bad handshake: {e!r}") from e
  426. break
  427. return WrappedSocket(cnx, sock)
  428. def _set_ctx_options(self) -> None:
  429. self._ctx.set_options(
  430. self._options
  431. | _openssl_to_ssl_minimum_version[self._minimum_version]
  432. | _openssl_to_ssl_maximum_version[self._maximum_version]
  433. )
  434. @property
  435. def minimum_version(self) -> int:
  436. return self._minimum_version
  437. @minimum_version.setter
  438. def minimum_version(self, minimum_version: int) -> None:
  439. self._minimum_version = minimum_version
  440. self._set_ctx_options()
  441. @property
  442. def maximum_version(self) -> int:
  443. return self._maximum_version
  444. @maximum_version.setter
  445. def maximum_version(self, maximum_version: int) -> None:
  446. self._maximum_version = maximum_version
  447. self._set_ctx_options()
  448. def _verify_callback(
  449. cnx: OpenSSL.SSL.Connection,
  450. x509: X509,
  451. err_no: int,
  452. err_depth: int,
  453. return_code: int,
  454. ) -> bool:
  455. return err_no == 0