From f3c0011f033766b99a17dd2e5fd8c5ec47b48583 Mon Sep 17 00:00:00 2001 From: Sviatoslav Sydorenko Date: Sun, 30 Dec 2018 03:47:49 +0100 Subject: [PATCH 1/5] Ignore pyenv local config --- .gitignore | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.gitignore b/.gitignore index cdf907c..81a7c3f 100644 --- a/.gitignore +++ b/.gitignore @@ -63,3 +63,6 @@ coverage.xml # Sphinx documentation doc/_build/ + +# pyenv +.python-version From c255b0e430b2376d9872d3290444986deac9baa6 Mon Sep 17 00:00:00 2001 From: Sviatoslav Sydorenko Date: Sun, 30 Dec 2018 03:48:02 +0100 Subject: [PATCH 2/5] Add an example of the client cert auth --- docs/source/trustme-trio-example.py | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/docs/source/trustme-trio-example.py b/docs/source/trustme-trio-example.py index 6b0c407..d7091ea 100644 --- a/docs/source/trustme-trio-example.py +++ b/docs/source/trustme-trio-example.py @@ -1,11 +1,15 @@ # trustme-trio-example.py +import ssl + import trustme import trio # Create our fake certificates ca = trustme.CA() +client_ca = trustme.CA() server_cert = ca.issue_cert(u"test-host.example.org") +client_cert = client_ca.issue_cert(u"@webknjaz here") async def demo_server(server_raw_stream): @@ -15,6 +19,13 @@ async def demo_server(server_raw_stream): # Set up the server's SSLContext to use our fake server cert server_cert.configure_cert(server_ssl_context) + # Set up the server's SSLContext to trust our fake CA, that signed + # our client cert + client_ca.configure_trust(server_ssl_context) + + # Verify that client sent us their TLS cert signed by a trusted CA + server_ssl_context.verify_mode = ssl.CERT_REQUIRED + server_ssl_stream = trio.ssl.SSLStream( server_raw_stream, server_ssl_context, 
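Review bot: The comment above `server_ssl_context.verify_mode = ssl.CERT_REQUIRED` overstates what the setting checks: it makes the handshake fail unless the client presents a certificate chaining to a CA in this context's trust store (here `client_ca`, added two lines earlier), but nothing in the example ties that certificate to a particular client — the server never inspects the subjectAltName. Readers of a documented example are likely to copy this as "client authentication", so suggest rewording it to `# Require a client cert that chains to a trusted CA (client_ca above). This proves the client holds a CA-issued cert, not *which* client it is; inspect getpeercert() for that.` demo_server's definition and the creation of server_ssl_context are outside this hunk.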
@@ -23,6 +34,8 @@ async def demo_server(server_raw_stream): # Send some data to check that the connection is really working await server_ssl_stream.send_all(b"x") + print("Server successfully sent data over the encrypted channel!") + print("Client cert looks like:", server_ssl_stream.getpeercert()) async def demo_client(client_raw_stream): @@ -32,6 +45,9 @@ async def demo_client(client_raw_stream): # server cert ca.configure_trust(client_ssl_context) + # Set up the client's SSLContext to use our fake client cert + client_cert.configure_cert(client_ssl_context) + client_ssl_stream = trio.ssl.SSLStream( client_raw_stream, client_ssl_context, @@ -42,7 +58,7 @@ async def demo_client(client_raw_stream): assert await client_ssl_stream.receive_some(1) == b"x" print("Client successfully received data over the encrypted channel!") - print("Cert looks like:", client_ssl_stream.getpeercert()) + print("Server cert looks like:", client_ssl_stream.getpeercert()) async def main(): From 4c45224f2ffc48a9aa39cab35e2ae9824969fefb Mon Sep 17 00:00:00 2001 From: Sviatoslav Sydorenko Date: Sun, 30 Dec 2018 09:14:11 +0100 Subject: [PATCH 3/5] Use Trio's proxy ssl module instead of stdlib one --- docs/source/trustme-trio-example.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docs/source/trustme-trio-example.py b/docs/source/trustme-trio-example.py index d7091ea..9dea9ba 100644 --- a/docs/source/trustme-trio-example.py +++ b/docs/source/trustme-trio-example.py @@ -1,7 +1,5 @@ # trustme-trio-example.py -import ssl - import trustme import trio @@ -24,7 +22,7 @@ async def demo_server(server_raw_stream): client_ca.configure_trust(server_ssl_context) # Verify that client sent us their TLS cert signed by a trusted CA - server_ssl_context.verify_mode = ssl.CERT_REQUIRED + server_ssl_context.verify_mode = trio.ssl.CERT_REQUIRED server_ssl_stream = trio.ssl.SSLStream( server_raw_stream, From 7829dda8e322cae11527f8b61cc5688170f69a22 Mon Sep 17 00:00:00 2001 
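Review bot: `print("Client cert looks like:", server_ssl_stream.getpeercert())` shows the peer certificate but the server never acts on it, so the example leaves the impression that `CERT_REQUIRED` alone identifies the client; it only proves the client holds a cert chaining to a trusted CA. Since this is the documented example, suggest replacing the print with the minimal shape of a real check, e.g. `peer_cert = server_ssl_stream.getpeercert()` followed by `print("Client identities:", peer_cert.get("subjectAltName"))`, with a comment that a real server would compare those subjectAltName entries against an allow-list before serving the client. Which SAN type trustme emits for the identity string used here is not visible in the hunk, so the exact comparison is left to the reader. demo_server's definition starts outside this hunk.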
From: Sviatoslav Sydorenko Date: Sun, 13 Jan 2019 19:17:36 +0100 Subject: [PATCH 4/5] =?UTF-8?q?=F0=9F=8E=A8=20Use=20email=20for=20client?= =?UTF-8?q?=20cert=20in=20docs=20example?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/source/trustme-trio-example.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/trustme-trio-example.py b/docs/source/trustme-trio-example.py index 9dea9ba..eea2da3 100644 --- a/docs/source/trustme-trio-example.py +++ b/docs/source/trustme-trio-example.py @@ -7,7 +7,7 @@ ca = trustme.CA() client_ca = trustme.CA() server_cert = ca.issue_cert(u"test-host.example.org") -client_cert = client_ca.issue_cert(u"@webknjaz here") +client_cert = client_ca.issue_cert(u"client@example.org") async def demo_server(server_raw_stream): From 0cf8668b39013798feaa7394de10a18c3da9cbee Mon Sep 17 00:00:00 2001 From: Sviatoslav Sydorenko Date: Sun, 13 Jan 2019 19:20:55 +0100 Subject: [PATCH 5/5] =?UTF-8?q?=F0=9F=8E=A8=20Reuse=20the=20same=20CA=20fo?= =?UTF-8?q?r=20client=20and=20server=20certs?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/source/trustme-trio-example.py | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/docs/source/trustme-trio-example.py b/docs/source/trustme-trio-example.py index eea2da3..e53f463 100644 --- a/docs/source/trustme-trio-example.py +++ b/docs/source/trustme-trio-example.py @@ -5,9 +5,8 @@ # Create our fake certificates ca = trustme.CA() -client_ca = trustme.CA() server_cert = ca.issue_cert(u"test-host.example.org") -client_cert = client_ca.issue_cert(u"client@example.org") +client_cert = ca.issue_cert(u"client@example.org") async def demo_server(server_raw_stream): 
@@ -18,8 +17,8 @@ async def demo_server(server_raw_stream): server_cert.configure_cert(server_ssl_context) # Set up the server's SSLContext to trust our fake CA, that signed - # our client cert - client_ca.configure_trust(server_ssl_context) + # our client cert, so that it can validate client's cert. + ca.configure_trust(server_ssl_context) # Verify that client sent us their TLS cert signed by a trusted CA server_ssl_context.verify_mode = trio.ssl.CERT_REQUIRED @@ -39,8 +38,8 @@ async def demo_server(server_raw_stream): async def demo_client(client_raw_stream): client_ssl_context = trio.ssl.create_default_context() - # Set up the client's SSLContext to trust our fake CA, that signed our - # server cert + # Set up the client's SSLContext to trust our fake CA, that signed + # our server cert, so that it can validate server's cert. ca.configure_trust(client_ssl_context) # Set up the client's SSLContext to use our fake client cert
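Review bot: Reusing `ca` for both sides in `ca.configure_trust(server_ssl_context)` means the server now accepts any certificate this CA has issued as a client credential — as far as the example shows, including `server_cert` itself — whereas the `client_ca` it replaces kept the two trust domains apart. That is a reasonable simplification for a demo, but because this file is the documented example people copy, the comment should say so; suggest extending it with `# (One CA keeps the demo short. A real deployment would use a dedicated client CA, or at least check the identity from getpeercert(), so a server cert cannot double as a client credential.)`. Whether trustme constrains its leaf certs to client- or server-only usage is not visible here; if it does not, the note above is exactly the gap. The rest of demo_server lies outside this hunk.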