From 19da34c598ce6db172c1e1a8978bf031fc6db89b Mon Sep 17 00:00:00 2001 From: kali Date: Thu, 24 Jan 2013 20:07:06 +0900 Subject: check cert time_boundaries uses pyOpenSSL I had missed this one while deprecating gnutls --- src/leap/crypto/certs.py | 15 ++++++++++++++- src/leap/eip/checks.py | 13 ++----------- src/leap/gui/firstrun/tests/integration/fake_provider.py | 6 +++--- 3 files changed, 19 insertions(+), 15 deletions(-) diff --git a/src/leap/crypto/certs.py b/src/leap/crypto/certs.py index c2835878..cbb5725a 100644 --- a/src/leap/crypto/certs.py +++ b/src/leap/crypto/certs.py @@ -2,7 +2,9 @@ import logging import os from StringIO import StringIO import ssl +import time +from dateutil.parser import parse from OpenSSL import crypto from leap.util.misc import null_check @@ -33,7 +35,7 @@ def get_https_cert_from_domain(domain, port=443): def get_cert_from_file(_file): null_check(_file, "pem file") - if isinstance(_file, str): + if isinstance(_file, (str, unicode)): if not os.path.isfile(_file): raise NoCertError with open(_file) as f: @@ -97,3 +99,14 @@ def get_cert_fingerprint(domain=None, port=443, filepath=None, cert = get_cert_from_file(filepath) hex_fpr = cert.digest(hash_type) return hex_fpr + + +def get_time_boundaries(certfile): + cert = get_cert_from_file(certfile) + null_check(cert, 'certificate') + + fromts, tots = (cert.get_notBefore(), cert.get_notAfter()) + from_, to_ = map( + lambda ts: time.gmtime(time.mktime(parse(ts).timetuple())), + (fromts, tots)) + return from_, to_ diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index de738de6..9a34a428 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -1,13 +1,8 @@ import logging -#import ssl -#import platform import time import os import sys -import gnutls.crypto -#import netifaces -#import ping import requests from leap import __branding as BRANDING @@ -24,7 +19,6 @@ from leap.eip import specs as eipspecs from leap.util.certs import get_mac_cabundle from leap.util.fileutil import mkdir_p from leap.util.web import get_https_domain_and_port -from leap.util.misc import null_check logger = logging.getLogger(name=__name__) @@ -276,11 +270,8 @@ class ProviderCertChecker(object): def is_cert_not_expired(self, certfile=None, now=time.gmtime): if certfile is None: certfile = self._get_client_cert_path() - with open(certfile) as cf: - cert_s = cf.read() - cert = gnutls.crypto.X509Certificate(cert_s) - from_ = time.gmtime(cert.activation_time) - to_ = time.gmtime(cert.expiration_time) + from_, to_ = certs.get_time_boundaries(certfile) + return from_ < now() < to_ def is_valid_pemfile(self, cert_s=None): diff --git a/src/leap/gui/firstrun/tests/integration/fake_provider.py b/src/leap/gui/firstrun/tests/integration/fake_provider.py index 445b4487..668db5d1 100755 --- a/src/leap/gui/firstrun/tests/integration/fake_provider.py +++ b/src/leap/gui/firstrun/tests/integration/fake_provider.py @@ -25,9 +25,9 @@ import sys import srp # GnuTLS Example -- is not working as expected -from gnutls import crypto -from gnutls.constants import COMP_LZO, COMP_DEFLATE, COMP_NULL -from gnutls.interfaces.twisted import X509Credentials +#from gnutls import crypto +#from gnutls.constants import COMP_LZO, COMP_DEFLATE, COMP_NULL +#from gnutls.interfaces.twisted import X509Credentials # Going with OpenSSL as a workaround instead # But we DO NOT want to introduce this dependency. -- cgit v1.2.3