atomicshop 2.15.11__py3-none-any.whl → 3.10.5__py3-none-any.whl

atomicshop/wrappers/socketw/creator.py

@@ -1,7 +1,8 @@
+import os
 import socket
 import ssl
 
-from . import base, sni, certificator, exception_wrapper
+from . import socket_base, exception_wrapper
 from ...print_api import print_api
 
 
@@ -24,24 +25,113 @@ def add_reusable_address_option(socket_instance):
     socket_instance.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
 
 
-def create_ssl_context_for_server():
+def create_ssl_context_for_server(
+        enable_sslkeylogfile_env_to_client_ssl_context: bool = False,
+        sslkeylog_file_path: str = None,
+        allow_legacy: bool = False
+) -> ssl.SSLContext:
+    """
+    This function creates the SSL context for the server.
+    Meaning that your script will act like a server, and the client will connect to it.
+    """
     # Creating context with SSL certificate and the private key before the socket
     # https://docs.python.org/3/library/ssl.html
     # Creating context for SSL wrapper, specifying "PROTOCOL_TLS_SERVER" will pick the best TLS version protocol for
     # the server.
-    return ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
-    # return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
 
+    # ssl_context: ssl.SSLContext = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+
+    # # Enforce the use of TLS 1.2 only (disable TLS 1.0, TLS 1.1, and TLS 1.3)
+    # ssl_context.options |= ssl.OP_NO_TLSv1           # Disable TLS 1.0
+    # ssl_context.options |= ssl.OP_NO_TLSv1_1         # Disable TLS 1.1
+    # ssl_context.options |= ssl.OP_NO_TLSv1_3         # Disable TLS 1.3
+
+    # Correct factory for servers
+    ssl_context: ssl.SSLContext = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+
+    # Modern default; relax only if you must
+    ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2
+
+    # Don't verify client certificates.
+    ssl_context.verify_mode = ssl.CERT_NONE
+    ssl_context.check_hostname = False
+
+    if enable_sslkeylogfile_env_to_client_ssl_context:
+        if sslkeylog_file_path is None:
+            sslkeylog_file_path = os.environ.get('SSLKEYLOGFILE')
+
+        if not os.path.exists(sslkeylog_file_path):
+            open(sslkeylog_file_path, "a").close()
+
+        ssl_context.keylog_filename = sslkeylog_file_path
+
+    # If you must support old clients that only offer TLS_RSA_* suites under OpenSSL 3:
+    if allow_legacy:
+        # This enables RSA key exchange and other legacy bits at security level 1
+        ssl_context.set_ciphers('DEFAULT:@SECLEVEL=1')
+        # If you truly have TLS 1.0/1.1 clients, uncomment the next line (not recommended):
+        ssl_context.minimum_version = ssl.TLSVersion.TLSv1
+
+    return ssl_context
+
+
+def create_ssl_context_for_client(
+        enable_sslkeylogfile_env_to_client_ssl_context: bool = False,
+        sslkeylog_file_path: str = None
+) -> ssl.SSLContext:
+    """
+    This function creates the SSL context for the client.
+    This means that your script will act like a client, and will connect to a server.
+    The SSL context is created with the "PROTOCOL_TLS_CLIENT" protocol.
+
+    :param enable_sslkeylogfile_env_to_client_ssl_context: boolean, enables the SSLKEYLOGFILE environment variable
+        to the SSL context. Default is False.
+        if True, SSLKEYLOGFILE will be added to SSL context with:
+        ssl_context.keylog_filename = os.environ.get('SSLKEYLOGFILE')
+        This is useful for debugging SSL/TLS connections with WireShark.
+        Since WireShark also uses this environment variable to read the key log file and apply to the SSL/TLS
+        connections, so you can see the decrypted traffic.
+    :param sslkeylog_file_path: string, full file path for the SSL key log file. Default is None.
+
+    :return: ssl.SSLContext
+    """
+    ssl_context: ssl.SSLContext = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+
+    if enable_sslkeylogfile_env_to_client_ssl_context:
+        if sslkeylog_file_path is None:
+            sslkeylog_file_path = os.environ.get('SSLKEYLOGFILE')
+
+        if not os.path.exists(sslkeylog_file_path):
+            open(sslkeylog_file_path, "a").close()
+
+        ssl_context.keylog_filename = sslkeylog_file_path
 
-def create_ssl_context_for_client():
-    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+    current_ciphers = 'AES256-GCM-SHA384:' + ssl._DEFAULT_CIPHERS
+    ssl_context.set_ciphers(current_ciphers)
+
+    return ssl_context
 
 
-def set_client_ssl_context_default_certs(ssl_context):
-    # "load_default_certs" method is telling the client to check the local certificate storage on the system for the
-    # needed certificate of the server. Without this line you will get an error from the server that the client
-    # is using self-signed certificate. Which is partly true, since you used the SLL wrapper,
-    # but didn't specify the certificate at all.
+def set_client_ssl_context_ca_default_certs(ssl_context):
+    """
+    "load_default_certs" method is telling the client to check the local certificate storage on the system for the
+    needed certificate of the server. Without this line you will get an error from the server that the client
+    is using self-signed certificate. Which is partly true, since you used the SLL wrapper,
+    but didn't specify the certificate at all.
+    -----------------------------------------
+    https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_default_certs
+    Load a set of default “certification authority” (CA) certificates from default locations.
+    On Windows it loads CA certs from the CA and ROOT system stores.
+    On all systems it calls SSLContext.set_default_verify_paths().
+    In the future the method may load CA certificates from other locations, too.
+
+    The purpose flag specifies what kind of CA certificates are loaded.
+    The default settings Purpose.SERVER_AUTH loads certificates, that are flagged and trusted for
+    TLS web server authentication (client side sockets). Purpose.CLIENT_AUTH loads CA certificates for
+    client certificate verification on the server side.
+    -----------------------------------------
+    """
+
     # The purpose of the certificate is to authenticate on the server
     # context.load_default_certs(Purpose.SERVER_AUTH)
     # You don't have to specify the purpose to connect, but if you get a purpose error, you know where to find it
@@ -91,9 +181,48 @@ def load_certificate_and_key_into_server_ssl_context(
             print_api(message, error_type=True, logger_method="critical", **print_kwargs)
 
 
-def create_server_ssl_context___load_certificate_and_key(certificate_file_path: str, key_file_path):
+def copy_server_ctx_settings(src: ssl.SSLContext, dst: ssl.SSLContext) -> None:
+    # Versions & options
+    try: dst.minimum_version = src.minimum_version
+    except Exception: pass
+    try: dst.maximum_version = src.maximum_version
+    except Exception: pass
+    try: dst.options = src.options
+    except Exception: pass
+
+    # Verification knobs (server usually CERT_NONE unless you do mTLS)
+    try: dst.verify_mode = src.verify_mode
+    except Exception: pass
+    try: dst.check_hostname = src.check_hostname
+    except Exception: pass
+
+    # Cipher policy – replicate current enabled list
+    try:
+        cipher_names = ':'.join(c['name'] for c in src.get_ciphers())
+        if cipher_names:
+            dst.set_ciphers(cipher_names)
+    except Exception:
+        pass
+
+    # (ALPN/curves/etc. don’t have public getters; set them the same way you set them on src, if applicable)
+
+
+def create_server_ssl_context___load_certificate_and_key(
+        certificate_file_path: str,
+        key_file_path: str | None,
+        inherit_from: ssl.SSLContext | None = None,
+        enable_sslkeylogfile_env_to_client_ssl_context: bool = False,
+        sslkeylog_file_path: str = None,
+) -> ssl.SSLContext:
     # Create and set ssl context for server.
-    ssl_context = create_ssl_context_for_server()
+    ssl_context: ssl.SSLContext = create_ssl_context_for_server(
+        allow_legacy=True, enable_sslkeylogfile_env_to_client_ssl_context=enable_sslkeylogfile_env_to_client_ssl_context,
+        sslkeylog_file_path=sslkeylog_file_path)
+
+    # If you replaced contexts during SNI, copy policy from the old one
+    if inherit_from is not None:
+        copy_server_ctx_settings(inherit_from, ssl_context)
+
     # Load certificate into context.
     load_certificate_and_key_into_server_ssl_context(ssl_context, certificate_file_path, key_file_path)
     # Return ssl context only.
@@ -101,17 +230,22 @@ def create_server_ssl_context___load_certificate_and_key(certificate_file_path:
 
 
 @exception_wrapper.connection_exception_decorator
-def wrap_socket_with_ssl_context_server(socket_object, ssl_context, dns_domain: str = None, print_kwargs: dict = None):
+def wrap_socket_with_ssl_context_server(
+        socket_object,
+        ssl_context,
+        domain_from_dns_server: str = None,
+        print_kwargs: dict = None
+):
     """
     This function is wrapped with exception wrapper.
     After you execute the function, you can get the error message if there was any with:
         error_message = wrap_socket_with_ssl_context_server.message
 
-    :param socket_object:
-    :param ssl_context:
-    :param dns_domain:
-    :param print_kwargs:
-    :return:
+    :param socket_object: The socket object to accept the connection on.
+    :param ssl_context: The SSL context to wrap the socket with.
+    :param domain_from_dns_server: The domain that will be printed to console on logger, needed for the decorator.
+        If not provided, the TCP data will be used.
+    :param print_kwargs: Additional arguments for the print_api function, needed for the decorator.
     """
 
     # Wrapping the server socket with SSL context. This should happen right after setting up the raw socket.
@@ -122,10 +256,16 @@ def wrap_socket_with_ssl_context_server(socket_object, ssl_context, dns_domain:
 
 
 def wrap_socket_with_ssl_context_server_with_error_message(
-        socket_object, ssl_context, dns_domain: str = None, print_kwargs: dict = None):
+        socket_object,
+        ssl_context,
+        domain_from_dns_server,
+        print_kwargs: dict = None
+):
 
     ssl_socket = wrap_socket_with_ssl_context_server(
-        socket_object, ssl_context, dns_domain=dns_domain, print_kwargs=print_kwargs)
+        socket_object=socket_object, ssl_context=ssl_context, domain_from_dns_server=domain_from_dns_server,
+        print_kwargs=print_kwargs)
+
     error_message = wrap_socket_with_ssl_context_server.message
 
     return ssl_socket, error_message
@@ -173,7 +313,7 @@ def set_listen_on_socket(socket_object, **kwargs):
     # To determine the maximum listening sockets, you may use the 'socket' library and 'SOMAXCONN' parameter
     # from it.
     socket_object.listen(socket.SOMAXCONN)
-    ip_address, port = base.get_destination_address_from_socket(socket_object)
+    ip_address, port = socket_base.get_destination_address_from_socket(socket_object)
 
     print_api(f"Listening for new connections on: {ip_address}:{port}", **kwargs)
 
@@ -182,36 +322,36 @@ def set_listen_on_socket(socket_object, **kwargs):
 # Socket Creator Presets
 
 def wrap_socket_with_ssl_context_client___default_certs___ignore_verification(
-        socket_object, server_hostname: str = None):
-    ssl_context: ssl.SSLContext = create_ssl_context_for_client()
-    set_client_ssl_context_default_certs(ssl_context)
+        socket_object,
+        server_hostname: str = None,
+        custom_pem_client_certificate_file_path: str = None,
+        enable_sslkeylogfile_env_to_client_ssl_context: bool = False,
+        sslkeylog_file_path: str = None
+) -> ssl.SSLSocket:
+    """
+    This function is a preset for wrapping the socket with SSL context for the client.
+    It sets the CA default certificates, and ignores the server's certificate verification.
+
+    :param socket_object: socket.socket object
+    :param server_hostname: string, hostname of the server. Default is None.
+    :param custom_pem_client_certificate_file_path: string, full file path for the client certificate PEM file.
+        Default is None.
+    :param enable_sslkeylogfile_env_to_client_ssl_context: boolean, enables the SSLKEYLOGFILE environment variable
+        to the SSL context. Default is False.
+    :param sslkeylog_file_path: string, full file path for the SSL key log file. Default is None.
+
+    :return: ssl.SSLSocket object
+    """
+    ssl_context: ssl.SSLContext = create_ssl_context_for_client(
+        enable_sslkeylogfile_env_to_client_ssl_context=enable_sslkeylogfile_env_to_client_ssl_context
+        ,sslkeylog_file_path=sslkeylog_file_path)
+    set_client_ssl_context_ca_default_certs(ssl_context)
     set_client_ssl_context_certificate_verification_ignore(ssl_context)
+
+    if custom_pem_client_certificate_file_path:
+        ssl_context.load_cert_chain(certfile=custom_pem_client_certificate_file_path, keyfile=None)
+
     ssl_socket: ssl.SSLSocket = wrap_socket_with_ssl_context_client(
         socket_object, ssl_context, server_hostname=server_hostname)
 
     return ssl_socket
-
-
-def wrap_socket_with_ssl_context_server_sni_extended(
-        socket_object, config: dict, dns_domain: str = None, print_kwargs: dict = None):
-
-    ssl_context = create_ssl_context_for_server()
-
-    sni.add_sni_callback_function_reference_to_ssl_context(
-        ssl_context=ssl_context, config=config, dns_domain=dns_domain, use_default_sni_function=True,
-        use_sni_extended=True, print_kwargs=print_kwargs)
-
-    server_certificate_file_path, server_private_key_file_path = \
-        certificator.select_server_ssl_context_certificate(config=config, print_kwargs=print_kwargs)
-
-    # If the user chose 'sni_create_server_certificate_for_each_domain = 1' in the configuration file,
-    # it means that 'self.server_certificate_file_path' will be empty, which is OK, since we'll inject
-    # dynamically created certificate from certs folder through SNI.
-    if server_certificate_file_path:
-        load_certificate_and_key_into_server_ssl_context(
-            ssl_context, server_certificate_file_path, server_private_key_file_path,
-            print_kwargs=print_kwargs)
-
-    ssl_socket, error_message = wrap_socket_with_ssl_context_server_with_error_message(
-        socket_object, ssl_context, dns_domain=dns_domain, print_kwargs=print_kwargs)
-    return ssl_socket, error_message