diff options
| author | kali <kali@leap.se> | 2012-11-14 00:38:20 +0900 |
|---|---|---|
| committer | kali <kali@leap.se> | 2012-11-14 00:38:20 +0900 |
| commit | 21875404282522a9c83bfb9c85d6a24fa59d20f8 (patch) | |
| tree | ae0409bd742ce3a6f994ae9bb31fc5ab7225f1c6 /src/leap/crypto/certs.py | |
| parent | f6e900f024074435349eb778a2d89baed55e1e6c (diff) | |
| parent | d24c7328fa845737dbb83d512e4b3f287634c4cc (diff) | |
Merge branch 'feature/generic-wizard' into develop
The generic wizard (big) branch is now stabilised.
A bunch of refactors have gone together with this topic branch:
- client does not have any info included for default service providers.
- user has to run the first-run wizard and manually entry domain for sample provider.
- remove all remains of the older branding strategy for default provider.
- srp registration + authentication are integrated with the signup process.
Diffstat (limited to 'src/leap/crypto/certs.py')
| -rw-r--r-- | src/leap/crypto/certs.py | 71 |
1 files changed, 71 insertions, 0 deletions
diff --git a/src/leap/crypto/certs.py b/src/leap/crypto/certs.py new file mode 100644 index 00000000..8908865d --- /dev/null +++ b/src/leap/crypto/certs.py @@ -0,0 +1,71 @@ +import ctypes +import socket + +import gnutls.connection +import gnutls.crypto +import gnutls.library + + +def get_https_cert_from_domain(domain): + """ + @param domain: a domain name to get a certificate from. + """ + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + cred = gnutls.connection.X509Credentials() + + session = gnutls.connection.ClientSession(sock, cred) + session.connect((domain, 443)) + session.handshake() + cert = session.peer_certificate + return cert + + +def get_cert_from_file(filepath): + with open(filepath) as f: + cert = gnutls.crypto.X509Certificate(f.read()) + return cert + + +def get_cert_fingerprint(domain=None, filepath=None, + hash_type="SHA256", sep=":"): + """ + @param domain: a domain name to get a fingerprint from + @type domain: str + @param filepath: path to a file containing a PEM file + @type filepath: str + @param hash_type: the hash function to be used in the fingerprint. + must be one of SHA1, SHA224, SHA256, SHA384, SHA512 + @type hash_type: str + @rparam: hex_fpr, a hexadecimal representation of a bytestring + containing the fingerprint. + @rtype: string + """ + if domain: + cert = get_https_cert_from_domain(domain) + if filepath: + cert = get_cert_from_file(filepath) + + _buffer = ctypes.create_string_buffer(64) + buffer_length = ctypes.c_size_t(64) + + SUPPORTED_DIGEST_FUN = ("SHA1", "SHA224", "SHA256", "SHA384", "SHA512") + if hash_type in SUPPORTED_DIGEST_FUN: + digestfunction = getattr( + gnutls.library.constants, + "GNUTLS_DIG_%s" % hash_type) + else: + # XXX improperlyconfigured or something + raise Exception("digest function not supported") + + gnutls.library.functions.gnutls_x509_crt_get_fingerprint( + cert._c_object, digestfunction, + ctypes.byref(_buffer), ctypes.byref(buffer_length)) + + # deinit + #server_cert._X509Certificate__deinit(server_cert._c_object) + # needed? is segfaulting + + fpr = ctypes.string_at(_buffer, buffer_length.value) + hex_fpr = sep.join(u"%02X" % ord(char) for char in fpr) + + return hex_fpr |