tyler.durden/PyKMIP
1
0
Fork 0
mirror of https://github.com/OpenKMIP/PyKMIP.git synced 2025-07-09 07:04:23 +02:00
Code Issues Packages Projects Releases Wiki Activity
PyKMIP/kmip/services/server/session.py
Peter Hamilton 8fd6349152 Adding session extraction of client identity from certificates 
This change updates the KmipSession, allowing it to extract client
identity from the client certificate of a TLS connection. The
certificate subject common name is used as the client identity if
the certificate has client authentication set in the extended key
usage extension.

This change breaks backwards compatibility. If a client certificate
does not define a client identity, the session will reject it and
shutdown the connection. Any client certificates used to connect
with the software server in the past will need to be replaced with
certificates that define a suitable client identity.
2016-09-13 15:30:08 -04:00

245 lines
8.7 KiB
Python
Raw Blame History

# Copyright (c) 2016 The Johns Hopkins University/Applied Physics Laboratory
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import logging
import socket
import struct
import threading
from cryptography import x509
from cryptography.hazmat import backends
from kmip.core import enums
from kmip.core import exceptions
from kmip.core.messages import contents
from kmip.core.messages import messages
from kmip.core import utils
class KmipSession(threading.Thread):
"""
A session thread representing a single KMIP client/server interaction.
"""
def __init__(self, engine, connection, name=None):
"""
Create a KmipSession.
Args:
engine (KmipEngine): A reference to the central server application
that handles message processing. Required.
connection (socket): A client socket.socket TLS connection
representing a new KMIP connection. Required.
name (str): The name of the KmipSession. Optional, defaults to
None.
"""
super(KmipSession, self).__init__(
group=None,
target=None,
name=name,
args=(),
kwargs={}
)
self._logger = logging.getLogger(
'kmip.server.session.{0}'.format(self.name)
)
self._engine = engine
self._connection = connection
self._max_buffer_size = 4096
self._max_request_size = 1048576
self._max_response_size = 1048576
def run(self):
"""
The main thread routine executed by invoking thread.start.
This method manages the new client connection, running a message
handling loop. Once this method completes, the thread is finished.
"""
self._logger.info("Starting session: {0}".format(self.name))
while True:
try:
self._handle_message_loop()
except exceptions.ConnectionClosed as e:
break
except Exception as e:
self._logger.info("Failure handling message loop")
self._logger.exception(e)
self._connection.shutdown(socket.SHUT_RDWR)
self._connection.close()
self._logger.info("Stopping session: {0}".format(self.name))
def _get_client_identity(self):
certificate_data = self._connection.getpeercert(binary_form=True)
try:
certificate = x509.load_der_x509_certificate(
certificate_data,
backends.default_backend()
)
except Exception:
# This should never get raised "in theory," as the ssl socket
# should fail to connect non-TLS connections before the session
# gets created. This is a failsafe in case that protection fails.
raise exceptions.PermissionDenied(
"Failure loading the client certificate from the session "
"connection. Could not retrieve client identity."
)
try:
extended_key_usage = certificate.extensions.get_extension_for_oid(
x509.oid.ExtensionOID.EXTENDED_KEY_USAGE
).value
except x509.ExtensionNotFound:
raise exceptions.PermissionDenied(
"The extended key usage extension is missing from the client "
"certificate. Session client identity unavailable."
)
if x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH in extended_key_usage:
client_identities = certificate.subject.get_attributes_for_oid(
x509.oid.NameOID.COMMON_NAME
)
if len(client_identities) > 0:
if len(client_identities) > 1:
self._logger.warning(
"Multiple client identities found. Using the first "
"one processed."
)
client_identity = client_identities[0].value
self._logger.info(
"Session client identity: {0}".format(client_identity)
)
return client_identity
else:
raise exceptions.PermissionDenied(
"The client certificate does not define a subject common "
"name. Session client identity unavailable."
)
raise exceptions.PermissionDenied(
"The extended key usage extension is not marked for client "
"authentication in the client certificate. Session client "
"identity unavailable."
)
def _handle_message_loop(self):
request_data = self._receive_request()
request = messages.RequestMessage()
max_size = self._max_response_size
try:
client_identity = self._get_client_identity()
request.read(request_data)
except Exception as e:
self._logger.warning("Failure parsing request message.")
self._logger.exception(e)
response = self._engine.build_error_response(
contents.ProtocolVersion.create(1, 0),
enums.ResultReason.INVALID_MESSAGE,
"Error parsing request message. See server logs for more "
"information."
)
else:
try:
response, max_response_size = self._engine.process_request(
request,
client_identity
)
if max_response_size:
max_size = max_response_size
except exceptions.KmipError as e:
response = self._engine.build_error_response(
request.request_header.protocol_version,
e.reason,
str(e)
)
except Exception as e:
self._logger.warning(
"An unexpected error occurred while processing request."
)
self._logger.exception(e)
response = self._engine.build_error_response(
request.request_header.protocol_version,
enums.ResultReason.GENERAL_FAILURE,
"An unexpected error occurred while processing request. "
"See server logs for more information."
)
response_data = utils.BytearrayStream()
response.write(response_data)
if len(response_data) > max_size:
self._logger.warning(
"Response message length too large: "
"{0} bytes, max {1} bytes".format(
len(response_data),
self._max_response_size
)
)
response = self._engine.build_error_response(
request.request_header.protocol_version,
enums.ResultReason.RESPONSE_TOO_LARGE,
"Response message length too large. See server logs for "
"more information."
)
response_data = utils.BytearrayStream()
response.write(response_data)
self._send_response(response_data.buffer)
def _receive_request(self):
header = self._receive_bytes(8)
message_size = struct.unpack('!I', header[4:])[0]
payload = self._receive_bytes(message_size)
data = utils.BytearrayStream(header + payload)
return data
def _receive_bytes(self, message_size):
bytes_received = 0
message = b''
while bytes_received < message_size:
partial_message = self._connection.recv(
min(message_size - bytes_received, self._max_buffer_size)
)
if partial_message is None:
break
elif len(partial_message) == 0:
raise exceptions.ConnectionClosed()
else:
bytes_received += len(partial_message)
message += partial_message
if bytes_received != message_size:
raise ValueError(
"Invalid KMIP message received. Actual message length "
"does not match the advertised header length."
)
else:
return message
def _send_response(self, data):
if len(data) > 0:
self._connection.sendall(bytes(data))
Reference in New Issue View Git Blame Copy Permalink