From 79764a5624acee85bcd03cd315c3d834a9a25a02 Mon Sep 17 00:00:00 2001
From: kali
Date: Wed, 12 Sep 2012 10:00:29 +0900
Subject: time boundary check of certificate using gnutls

---
 pkg/requirements.pip | 1 +
 src/leap/eip/checks.py | 18 ++++++++++++------
 src/leap/eip/tests/test_checks.py | 13 +++++++++++++
 3 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/pkg/requirements.pip b/pkg/requirements.pip
index 3d8e11df..91257a07 100644
--- a/pkg/requirements.pip
+++ b/pkg/requirements.pip
@@ -3,3 +3,4 @@ configuration
 requests
 ping
 netifaces
+python-gnutls
diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py
index 4dd4a95c..f368c551 100644
--- a/src/leap/eip/checks.py
+++ b/src/leap/eip/checks.py
@@ -1,8 +1,10 @@
 import logging
 import ssl
 import platform
+import time
 import os
 
+from gnutls import crypto
 import netifaces
 import ping
 import requests
@@ -221,12 +223,13 @@ class ProviderCertChecker(object):
 certfile = self._get_client_cert_path()
 return os.path.isfile(certfile)
 
- def is_cert_not_expired(self):
- return True
- # XXX TODO
- # waiting on #507. If we're not using PyOpenSSL or anything alike
- # we will have to roll our own x509 parsing to extract time info.
- # XXX use gnutls
+ def is_cert_not_expired(self, certfile=None, now=time.gmtime):
+ if certfile is None:
+ certfile = self._get_client_cert_path()
+ with open(certfile) as cf:
+ cert_s = cf.read()
+ cert = crypto.X509Certificate(cert_s)
+ return cert.activation_time < now() < cert.expiration_time
 
 def is_valid_pemfile(self, cert_s=None):
 """
@@ -244,6 +247,9 @@ class ProviderCertChecker(object):
 # XXX get a real cert validation
 # so far this is only checking begin/end
 # delimiters :)
+ # XXX use gnutls for get proper
+ # validation.
+ # crypto.X509Certificate(cert_s)
 ssl.PEM_cert_to_DER_cert(cert_s)
 except:
 # XXX raise proper exception
diff --git a/src/leap/eip/tests/test_checks.py b/src/leap/eip/tests/test_checks.py
index bc7db79c..952b10d2 100644
--- a/src/leap/eip/tests/test_checks.py
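Review bot: `+python-gnutls` is added without a version pin, so every install resolves to whatever the index currently serves and the new certificate-time code in checks.py runs against an untested binding. The neighbouring entries are unpinned as well, so this follows the file's existing style, but a dependency sitting on the certificate-validation path is the one most worth pinning, e.g. `python-gnutls==<version developed against>` (placeholder).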
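Review bot: The default `now=time.gmtime` returns a `struct_time`, while `cert.activation_time` and `cert.expiration_time` are numeric epoch values (the new test only ever passes floats from `time.mktime`), so the production call path compares a number against a tuple-like object; on Python 2 (this tree imports `urlparse` and `StringIO`) that does not raise, and because numbers sort before every other type the chained `activation_time < now() < expiration_time` evaluates to False for every certificate, expired or not. Make the default `now=time.time` so both sides are epoch seconds, or keep `gmtime` and compare through `calendar.timegm(now())`. The numeric nature of the gnutls attributes is inferred from the test's usage rather than visible here, so confirm it against the binding. Separately, a missing or unparsable file raises out of `open()`/`crypto.X509Certificate` instead of returning False, which is defensible but should be stated in a docstring such as `"""Return True iff now() lies within the certificate's validity window; raises on a missing or malformed file."""`.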
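Review bot: `# crypto.X509Certificate(cert_s)` is commented-out code, and the validation it would add is now one line away since `crypto` is imported at module level in this commit; the surrounding `try` still only exercises `ssl.PEM_cert_to_DER_cert`, which the existing comment admits checks delimiters only. Either make the call live and narrow the bare `except:` below to the exception the binding raises for a malformed certificate, or drop the dead line and keep the XXX as a plain TODO. The `try`/`except` and the rest of `is_valid_pemfile` extend beyond this hunk.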
+++ b/src/leap/eip/tests/test_checks.py
@@ -6,6 +6,7 @@ try:
 except ImportError: import unittest import os
+import time
 import urlparse from StringIO import StringIO
@@ -372,10 +373,22 @@ class ProviderCertCheckerHTTPSTests(BaseHTTPSServerTestCase, BaseLeapTest):
 def test_is_cert_valid(self):
 checker = eipchecks.ProviderCertChecker()
 # TODO: better exception catching
+ # should raise eipexceptions.BadClientCertificate, and give reasons
+ # on msg.
 with self.assertRaises(Exception) as exc:
 self.assertFalse(checker.is_cert_valid())
 exc.message = "missing cert"
 
+ def test_bad_validity_certs(self):
+ checker = eipchecks.ProviderCertChecker()
+ certfile = where_cert('leaptestscert.pem')
+ self.assertFalse(checker.is_cert_not_expired(
+ certfile=certfile,
+ now=lambda: time.mktime((2038, 1, 1, 1, 1, 1, 1, 1, 1))))
+ self.assertFalse(checker.is_cert_not_expired(
+ certfile=certfile,
+ now=lambda: time.mktime((1970, 1, 1, 1, 1, 1, 1, 1, 1))))
+
 def test_check_new_cert_needed(self):
 # check: missing cert
 checker = eipchecks.ProviderCertChecker()
-- cgit v1.2.3
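Review bot: `test_bad_validity_certs` covers only the two rejection cases; there is no case with `now` inside the fixture's validity window, and that positive case is the one that would catch the default argument `now=time.gmtime` producing a `struct_time` while these tests supply floats from `time.mktime`. Add an assertion such as `self.assertTrue(checker.is_cert_not_expired(certfile=certfile, now=lambda: <epoch inside the cert's validity>))` (placeholder value) and, ideally, one that calls it without `now` at all. `time.mktime` also interprets the tuple as local time and can raise `OverflowError` for the 2038 tuple on a 32-bit `time_t`; `calendar.timegm((2038, 1, 1, 0, 0, 0))` or an explicit epoch constant avoids both.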