summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRuben Pollan <meskio@sindominio.net>2017-05-29 21:39:02 +0200
committerRuben Pollan <meskio@sindominio.net>2017-06-05 19:42:12 +0200
commit0edc6cf6a4270e94443fc6c8bfa73c5ca1ad5d92 (patch)
tree0e2937b6b320573fffdbab99dd61903d67f56a13
parent878a206db60278066a7f962a5d3a75eed232ed84 (diff)
[feat] check ca cert fingreprint against provider.json
-rw-r--r--src/leap/bitmask/bonafide/config.py22
1 files changed, 20 insertions, 2 deletions
diff --git a/src/leap/bitmask/bonafide/config.py b/src/leap/bitmask/bonafide/config.py
index 7db6260f..5f3bff9e 100644
--- a/src/leap/bitmask/bonafide/config.py
+++ b/src/leap/bitmask/bonafide/config.py
@@ -17,6 +17,7 @@
"""
Configuration for a LEAP provider.
"""
+import binascii
import datetime
import json
import os
@@ -25,6 +26,9 @@ import shutil
import sys
from collections import defaultdict
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import hashes
+from cryptography.x509 import load_pem_x509_certificate
from urlparse import urlparse
from twisted.internet import defer, reactor
@@ -337,9 +341,23 @@ class Provider(object):
return d
def validate_ca_cert(self, ignored):
- # TODO Need to verify fingerprint against the one in provider.json
expected = self._get_expected_ca_cert_fingerprint()
- print "EXPECTED FINGERPRINT:", expected
+ algo, expectedfp = expected.split(':')
+ expectedfp = expectedfp.replace(' ', '')
+ backend = default_backend()
+
+ with open(self._get_ca_cert_path(), 'r') as f:
+ certstr = f.read()
+ cert = load_pem_x509_certificate(certstr, backend)
+ hasher = getattr(hashes, algo)()
+ fpbytes = cert.fingerprint(hasher)
+ fp = binascii.hexlify(fpbytes)
+
+ if fp != expectedfp:
+ os.unlink(self._get_ca_cert_path())
+ self.log.error("Fingerprint of CA cert doesn't match: %s <-> %s"
+ % (fp, expectedfp))
+ raise NetworkError("The provider's CA fingerprint doesn't match")
def _get_expected_ca_cert_fingerprint(self):
try: