backend.globaleaks.utils.tls

Module Contents

Functions

gen_ecc_key(bits)
gen_x509_csr_pem(key_pair, csr_fields, csr_sign_bits)
gen_x509_csr(key_pair, csr_fields, csr_sign_bits) – Creates a certificate signing request from the passed key pair and subject fields
parse_issuer_name(x509) – Returns the issuer’s name from an OpenSSL.crypto.X509 cert
split_pem_chain(s) – Splits an ASCII-armored cert chain into a list of strings which could be valid certs
new_tls_server_context()
new_tls_client_context()
backend.globaleaks.utils.tls.OP_SINGLE_ECDH_USE = 524288
backend.globaleaks.utils.tls.OP_NO_RENEGOTIATION = 1073741824
backend.globaleaks.utils.tls.OP_PRIORITIZE_CHACHA = 2097152
backend.globaleaks.utils.tls.TLS_CIPHER_LIST = b'TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305'
backend.globaleaks.utils.tls.trustRoot
exception backend.globaleaks.utils.tls.ValidationException

Bases: Exception

Common base class for all non-exit exceptions.

backend.globaleaks.utils.tls.gen_ecc_key(bits)
backend.globaleaks.utils.tls.gen_x509_csr_pem(key_pair, csr_fields, csr_sign_bits)
backend.globaleaks.utils.tls.gen_x509_csr(key_pair, csr_fields, csr_sign_bits)

gen_x509_csr creates a certificate signing request by applying the passed csr_fields dictionary to the subject of the request, attaches the public key’s fingerprint and signs the request using the private key of the passed key pair. Note that the default digest is sha256.

Parameters:
  • key_pair (OpenSSL.crypto.PKey) – A key pair that will sign the request; the key must have an attached private component.
  • csr_fields (dict) – A certificate issuer’s details in X.509 Distinguished Name format:
      C - Country name
      ST - State or province name
      L - Locality name
      O - Organization name
      OU - Organizational unit name
      CN - Common name
      emailAddress - E-mail address
  • csr_sign_bits
Return type: A pyopenssl.OpenSSL.crypto.X509Req
backend.globaleaks.utils.tls.parse_issuer_name(x509)

Returns the issuer’s name from an OpenSSL.crypto.X509 cert

backend.globaleaks.utils.tls.split_pem_chain(s)

Splits an ASCII-armored cert chain into a list of strings which could be valid certs
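
The following is an added, stand-alone illustration of what a chain splitter of this kind has to do; it is not the GlobaLeaks implementation and uses only the standard library. It extracts every complete BEGIN/END CERTIFICATE block in order, normalises line endings, flags PEM blocks of other types (a private key pasted into a chain is the typical operator mistake) and applies a cheap base64/ASN.1 pre-check before the blocks reach a real X.509 parser. The sample chain and its DER bodies are constructed placeholders, not real certificates.

```python
import base64
import binascii
import re

# One ASCII-armored certificate block; tolerates CRLF line endings.
_CERT_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)
# Any PEM label at all, used to spot material that does not belong in a chain.
_ANY_LABEL_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def split_pem_chain(s):
    """Split an ASCII-armored chain into a list of single-certificate PEM strings.

    Only complete BEGIN/END CERTIFICATE blocks are returned, in document order;
    text outside the armor and blocks of any other PEM type are dropped.  This
    does not prove the blocks are valid certificates: that is the X.509 parser's
    job once it is fed the result.
    """
    if isinstance(s, bytes):
        s = s.decode("ascii")
    blocks = []
    for m in _CERT_BLOCK_RE.finditer(s):
        # Re-join the body with bare "\n" so CRLF and LF input yield the same block.
        body = "\n".join(ln.strip() for ln in m.group(1).splitlines() if ln.strip())
        blocks.append(
            "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"
        )
    return blocks


def foreign_pem_labels(s):
    """Return the set of PEM labels present in s other than CERTIFICATE.

    A chain file that also carries a PRIVATE KEY block is a configuration error
    worth rejecting before the material is handed to a TLS context.
    """
    if isinstance(s, bytes):
        s = s.decode("ascii")
    return {label for label in _ANY_LABEL_RE.findall(s) if label != "CERTIFICATE"}


def body_is_plausible_der(pem_block):
    """Cheap pre-check: the body must be strict base64 and decode to bytes that
    start with an ASN.1 SEQUENCE tag (0x30), as every DER X.509 certificate does."""
    body = "".join(pem_block.splitlines()[1:-1])
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(der) > 0 and der[0] == 0x30


# Constructed sample input.  The body is a tiny DER placeholder, SEQUENCE { INTEGER 1 },
# so the example runs offline without any real certificate.
_FAKE_DER_BODY = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()  # "MAMCAQE="

SAMPLE_CHAIN = (
    "subject=CN=example.test\n"  # openssl-style text outside the armor: ignored
    "-----BEGIN CERTIFICATE-----\n" + _FAKE_DER_BODY + "\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\r\n" + _FAKE_DER_BODY + "\r\n-----END CERTIFICATE-----\r\n"
    "-----BEGIN PRIVATE KEY-----\nnotakey\n-----END PRIVATE KEY-----\n"  # wrong type: dropped
    "-----END CERTIFICATE-----\n"  # stray END without a BEGIN: ignored
)


if __name__ == "__main__":
    certs = split_pem_chain(SAMPLE_CHAIN)
    print("certificate blocks found:", len(certs))
    print("plausible DER bodies:", [body_is_plausible_der(c) for c in certs])
    print("foreign PEM labels:", foreign_pem_labels(SAMPLE_CHAIN))
```

In a deployment check the caller would refuse the chain when `foreign_pem_labels` is non-empty, and pass each returned block to the X.509 loader only after `body_is_plausible_der` succeeds, so a malformed block produces a clear validation error rather than a parser exception.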

backend.globaleaks.utils.tls.new_tls_server_context()
backend.globaleaks.utils.tls.new_tls_client_context()
class backend.globaleaks.utils.tls.TLSServerContextFactory(priv_key, certificate, intermediate)

Bases: twisted.internet.ssl.ContextFactory

getContext(self)
class backend.globaleaks.utils.tls.TLSClientContextFactory

Bases: twisted.internet.ssl.ClientContextFactory

getContext(self)
class backend.globaleaks.utils.tls.CtxValidator

Bases: object

parents = []
_validate_parents(self, cfg, ctx, check_expiration)
_validate(self, cfg, ctx, check_expiration)
validate(self, cfg, must_be_disabled=True, check_expiration=True)

Checks the validity of the passed config for usage in an OpenSSLContext

Parameters:
  • cfg – A dict composed of SSL material
  • must_be_disabled – A flag to toggle checking of https_enabled
  • check_expiration – A flag to toggle certificate expiration checks
Return type: A tuple of (Bool, Exception) where (True, None) signifies success

class backend.globaleaks.utils.tls.PrivKeyValidator

Bases: backend.globaleaks.utils.tls.CtxValidator

parents = []
_validate(self, cfg, ctx, check_expiration)
class backend.globaleaks.utils.tls.CertValidator

Bases: backend.globaleaks.utils.tls.CtxValidator

parents
_validate(self, cfg, ctx, check_expiration)
class backend.globaleaks.utils.tls.ChainValidator

Bases: backend.globaleaks.utils.tls.CtxValidator

parents
_validate(self, cfg, ctx, check_expiration)