summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--pkg/requirements.pip1
-rw-r--r--src/leap/eip/checks.py18
-rw-r--r--src/leap/eip/tests/test_checks.py13
3 files changed, 26 insertions, 6 deletions
diff --git a/pkg/requirements.pip b/pkg/requirements.pip
index 3d8e11df..91257a07 100644
--- a/pkg/requirements.pip
+++ b/pkg/requirements.pip
@@ -3,3 +3,4 @@ configuration
requests
ping
netifaces
+python-gnutls
diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py
index 4dd4a95c..f368c551 100644
--- a/src/leap/eip/checks.py
+++ b/src/leap/eip/checks.py
@@ -1,8 +1,10 @@
import logging
import ssl
import platform
+import time
import os
+from gnutls import crypto
import netifaces
import ping
import requests
@@ -221,12 +223,13 @@ class ProviderCertChecker(object):
certfile = self._get_client_cert_path()
return os.path.isfile(certfile)
- def is_cert_not_expired(self):
- return True
- # XXX TODO
- # waiting on #507. If we're not using PyOpenSSL or anything alike
- # we will have to roll our own x509 parsing to extract time info.
- # XXX use gnutls
+ def is_cert_not_expired(self, certfile=None, now=time.gmtime):
+ if certfile is None:
+ certfile = self._get_client_cert_path()
+ with open(certfile) as cf:
+ cert_s = cf.read()
+ cert = crypto.X509Certificate(cert_s)
+ return cert.activation_time < now() < cert.expiration_time
def is_valid_pemfile(self, cert_s=None):
"""
@@ -244,6 +247,9 @@ class ProviderCertChecker(object):
# XXX get a real cert validation
# so far this is only checking begin/end
# delimiters :)
+ # XXX use gnutls for get proper
+ # validation.
+ # crypto.X509Certificate(cert_s)
ssl.PEM_cert_to_DER_cert(cert_s)
except:
# XXX raise proper exception
diff --git a/src/leap/eip/tests/test_checks.py b/src/leap/eip/tests/test_checks.py
index bc7db79c..952b10d2 100644
--- a/src/leap/eip/tests/test_checks.py
+++ b/src/leap/eip/tests/test_checks.py
@@ -6,6 +6,7 @@ try:
except ImportError:
import unittest
import os
+import time
import urlparse
from StringIO import StringIO
@@ -372,10 +373,22 @@ class ProviderCertCheckerHTTPSTests(BaseHTTPSServerTestCase, BaseLeapTest):
def test_is_cert_valid(self):
checker = eipchecks.ProviderCertChecker()
# TODO: better exception catching
+ # should raise eipexceptions.BadClientCertificate, and give reasons
+ # on msg.
with self.assertRaises(Exception) as exc:
self.assertFalse(checker.is_cert_valid())
exc.message = "missing cert"
+ def test_bad_validity_certs(self):
+ checker = eipchecks.ProviderCertChecker()
+ certfile = where_cert('leaptestscert.pem')
+ self.assertFalse(checker.is_cert_not_expired(
+ certfile=certfile,
+ now=lambda: time.mktime((2038, 1, 1, 1, 1, 1, 1, 1, 1))))
+ self.assertFalse(checker.is_cert_not_expired(
+ certfile=certfile,
+ now=lambda: time.mktime((1970, 1, 1, 1, 1, 1, 1, 1, 1))))
+
def test_check_new_cert_needed(self):
# check: missing cert
checker = eipchecks.ProviderCertChecker()