authorkali <kali@leap.se>2012-10-19 08:18:34 +0900
committerkali <kali@leap.se>2012-10-19 08:18:34 +0900
commit2a01c969e0f8dff575007043996c3b0489e20e75 (patch)
tree3beb3ea1b119de1bb0022be8d7d2f35ea8e87785 /src/leap/eip
parent7fa82fb4744ee5cc2c859c75cfd05cc3304c9282 (diff)
download ca cert from provider
Diffstat (limited to 'src/leap/eip')
-rw-r--r--src/leap/eip/checks.py53
1 files changed, 44 insertions, 9 deletions
diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py
index 560f7f53..e925e11c 100644
--- a/src/leap/eip/checks.py
+++ b/src/leap/eip/checks.py
@@ -4,13 +4,14 @@ import ssl
import time
import os
-from gnutls import crypto
+import gnutls.crypto
#import netifaces
#import ping
import requests
from leap import __branding as BRANDING
from leap import certs
+from leap.base import config as baseconfig
from leap.base import constants as baseconstants
from leap.base import providers
from leap.eip import config as eipconfig
@@ -54,18 +55,25 @@ class ProviderCertChecker(object):
client certs and checking tls connection
with provider.
"""
- def __init__(self, fetcher=requests):
+ def __init__(self, fetcher=requests,
+ domain=None):
+
self.fetcher = fetcher
+ self.domain = domain
self.cacert = get_ca_cert()
- def run_all(self, checker=None, skip_download=False, skip_verify=False):
+ def run_all(
+ self, checker=None,
+ skip_download=False, skip_verify=False):
+
if not checker:
checker = self
do_verify = not skip_verify
logger.debug('do_verify: %s', do_verify)
- # For MVS+
# checker.download_ca_cert()
+
+ # For MVS+
# checker.download_ca_signature()
# checker.get_ca_signatures()
# checker.is_there_trust_path()
@@ -77,9 +85,19 @@ class ProviderCertChecker(object):
checker.is_https_working(verify=do_verify)
checker.check_new_cert_needed(verify=do_verify)
- def download_ca_cert(self):
- # MVS+
- raise NotImplementedError
+ def download_ca_cert(self, uri=None, verify=True):
+ req = self.fetcher.get(uri, verify=verify)
+ req.raise_for_status()
+
+ # should check domain exists
+ capath = self._get_ca_cert_path(self.domain)
+ with open(capath, 'w') as f:
+ f.write(req.content)
+
+ def check_ca_cert_fingerprint(
+ self, hash_type="SHA256",
+ fingerprint=None):
+ pass
def download_ca_signature(self):
# MVS+
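Review bot: `check_ca_cert_fingerprint` is a bare `pass`, so a caller that uses it as a verification step gets `None` back and carries on as if the fingerprint had matched; the sibling MVS+ stubs in this class (`download_ca_signature`, and `download_ca_cert` before this commit) raise instead, and this one should do the same until it is implemented: `raise NotImplementedError`. In `download_ca_cert` the `uri=None` default is handed straight to `self.fetcher.get`, which presumably fails with an unhelpful error when no uri is given; either make `uri` required or derive it from `self.domain` and raise if neither is set. The `# should check domain exists` note is right: `self.domain` defaults to `None` in `__init__` and that value ends up in the on-disk path. The downloaded bytes are written with mode `'w'`; `'wb'` keeps the PEM content byte-exact on every platform.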
@@ -94,11 +112,12 @@ class ProviderCertChecker(object):
raise NotImplementedError
def is_there_provider_ca(self):
- # XXX remove for generic build
+ # XXX modify for generic build
from leap import certs
logger.debug('do we have provider_ca?')
cacert_path = BRANDING.get('provider_ca_file', None)
if not cacert_path:
+ # XXX look from the domain
logger.debug('False')
return False
self.cacert = certs.where(cacert_path)
@@ -212,7 +231,7 @@ class ProviderCertChecker(object):
certfile = self._get_client_cert_path()
with open(certfile) as cf:
cert_s = cf.read()
- cert = crypto.X509Certificate(cert_s)
+ cert = gnutls.crypto.X509Certificate(cert_s)
from_ = time.gmtime(cert.activation_time)
to_ = time.gmtime(cert.expiration_time)
return from_ < now() < to_
@@ -247,6 +266,10 @@ class ProviderCertChecker(object):
raise
return True
+ @property
+ def ca_cert_path(self):
+ return self._get_ca_cert_path()
+
def _get_root_uri(self):
return u"https://%s/" % baseconstants.DEFAULT_PROVIDER
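Review bot: the new `ca_cert_path` property calls `self._get_ca_cert_path()` with no argument, but `_get_ca_cert_path` as added in this same commit takes a required `domain` parameter, so reading the property raises `TypeError`. Pass the instance's domain through: `return self._get_ca_cert_path(self.domain)`. The class continues beyond this hunk on both sides.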
@@ -258,6 +281,18 @@ class ProviderCertChecker(object):
# MVS+ : get provider path
return eipspecs.client_cert_path()
+ def _get_ca_cert_path(self, domain):
+ # XXX this folder path will be broken for win
+ # and this should be moved to eipspecs.ca_path
+
+ capath = baseconfig.get_config_file(
+ 'cacert.pem',
+ folder='providers/%s/certs/ca' % domain)
+ folder, fname = os.path.split(capath)
+ if not os.path.isdir(folder):
+ mkdir_p(folder)
+ return capath
+
def write_cert(self, pemfile_content, to=None):
folder, filename = os.path.split(to)
if not os.path.isdir(folder):
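Review bot: `_get_ca_cert_path` interpolates `domain` straight into the config folder `'providers/%s/certs/ca' % domain` and then creates that folder; nothing rejects an empty or `None` domain (the `__init__` default), which produces a `providers/None/certs/ca` directory, or a value containing a path separator or `..`, which would place the CA cert outside the providers tree. Add a guard before building the path: `if not domain or '/' in domain or os.sep in domain or '..' in domain:` followed by `raise ValueError('invalid provider domain: %r' % domain)`. `mkdir_p` is not among the imports shown in this diff; presumably it is defined or imported elsewhere in checks.py, which is worth confirming. The `# XXX` comment about Windows paths would also be addressed by building the folder with `os.path.join('providers', domain, 'certs', 'ca')`, if `baseconfig.get_config_file` accepts that form.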