summaryrefslogtreecommitdiff
path: root/src/leap
diff options
context:
space:
mode:
authorkali <kali@leap.se>2012-10-19 08:18:34 +0900
committerkali <kali@leap.se>2012-10-19 08:18:34 +0900
commit2a01c969e0f8dff575007043996c3b0489e20e75 (patch)
tree3beb3ea1b119de1bb0022be8d7d2f35ea8e87785 /src/leap
parent7fa82fb4744ee5cc2c859c75cfd05cc3304c9282 (diff)
download ca cert from provider
Diffstat (limited to 'src/leap')
-rw-r--r--src/leap/eip/checks.py53
-rwxr-xr-xsrc/leap/gui/firstrunwizard.py80
2 files changed, 99 insertions, 34 deletions
diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py
index 560f7f53..e925e11c 100644
--- a/src/leap/eip/checks.py
+++ b/src/leap/eip/checks.py
@@ -4,13 +4,14 @@ import ssl
import time
import os
-from gnutls import crypto
+import gnutls.crypto
#import netifaces
#import ping
import requests
from leap import __branding as BRANDING
from leap import certs
+from leap.base import config as baseconfig
from leap.base import constants as baseconstants
from leap.base import providers
from leap.eip import config as eipconfig
@@ -54,18 +55,25 @@ class ProviderCertChecker(object):
client certs and checking tls connection
with provider.
"""
- def __init__(self, fetcher=requests):
+ def __init__(self, fetcher=requests,
+ domain=None):
+
self.fetcher = fetcher
+ self.domain = domain
self.cacert = get_ca_cert()
- def run_all(self, checker=None, skip_download=False, skip_verify=False):
+ def run_all(
+ self, checker=None,
+ skip_download=False, skip_verify=False):
+
if not checker:
checker = self
do_verify = not skip_verify
logger.debug('do_verify: %s', do_verify)
- # For MVS+
# checker.download_ca_cert()
+
+ # For MVS+
# checker.download_ca_signature()
# checker.get_ca_signatures()
# checker.is_there_trust_path()
@@ -77,9 +85,19 @@ class ProviderCertChecker(object):
checker.is_https_working(verify=do_verify)
checker.check_new_cert_needed(verify=do_verify)
- def download_ca_cert(self):
- # MVS+
- raise NotImplementedError
+ def download_ca_cert(self, uri=None, verify=True):
+ req = self.fetcher.get(uri, verify=verify)
+ req.raise_for_status()
+
+ # should check domain exists
+ capath = self._get_ca_cert_path(self.domain)
+ with open(capath, 'w') as f:
+ f.write(req.content)
+
+ def check_ca_cert_fingerprint(
+ self, hash_type="SHA256",
+ fingerprint=None):
+ pass
def download_ca_signature(self):
# MVS+
@@ -94,11 +112,12 @@ class ProviderCertChecker(object):
raise NotImplementedError
def is_there_provider_ca(self):
- # XXX remove for generic build
+ # XXX modify for generic build
from leap import certs
logger.debug('do we have provider_ca?')
cacert_path = BRANDING.get('provider_ca_file', None)
if not cacert_path:
+ # XXX look from the domain
logger.debug('False')
return False
self.cacert = certs.where(cacert_path)
@@ -212,7 +231,7 @@ class ProviderCertChecker(object):
certfile = self._get_client_cert_path()
with open(certfile) as cf:
cert_s = cf.read()
- cert = crypto.X509Certificate(cert_s)
+ cert = gnutls.crypto.X509Certificate(cert_s)
from_ = time.gmtime(cert.activation_time)
to_ = time.gmtime(cert.expiration_time)
return from_ < now() < to_
@@ -247,6 +266,10 @@ class ProviderCertChecker(object):
raise
return True
+ @property
+ def ca_cert_path(self):
+ return self._get_ca_cert_path()
+
def _get_root_uri(self):
return u"https://%s/" % baseconstants.DEFAULT_PROVIDER
@@ -258,6 +281,18 @@ class ProviderCertChecker(object):
# MVS+ : get provider path
return eipspecs.client_cert_path()
+ def _get_ca_cert_path(self, domain):
+ # XXX this folder path will be broken for win
+ # and this should be moved to eipspecs.ca_path
+
+ capath = baseconfig.get_config_file(
+ 'cacert.pem',
+ folder='providers/%s/certs/ca' % domain)
+ folder, fname = os.path.split(capath)
+ if not os.path.isdir(folder):
+ mkdir_p(folder)
+ return capath
+
def write_cert(self, pemfile_content, to=None):
folder, filename = os.path.split(to)
if not os.path.isdir(folder):
diff --git a/src/leap/gui/firstrunwizard.py b/src/leap/gui/firstrunwizard.py
index f3356b70..e4293cf6 100755
--- a/src/leap/gui/firstrunwizard.py
+++ b/src/leap/gui/firstrunwizard.py
@@ -367,12 +367,9 @@ class SelectProviderPage(QtGui.QWizardPage):
self.certWarning.setText(
"Do you want to <b>trust this provider certificate?</b>")
self.certInfo.setText(
- 'Sha1 fingerprint: <i>%s</i><br>' % certinfo)
- #self.trustProviderCertCheckBox.show()
+ 'SHA-256 fingerprint: <i>%s</i><br>' % certinfo)
+ self.certInfo.setWordWrap(True)
self.certinfoGroup.show()
- # XXX when checkbox is marked, remove
- # the red warning.
- # XXX also, disable the next button!
# pagewizard methods
@@ -384,9 +381,7 @@ class SelectProviderPage(QtGui.QWizardPage):
return False
def initializePage(self):
- self.certWarning.setText('')
- self.certInfo.setText('')
- #self.trustProviderCertCheckBox.hide()
+ self.certinfoGroup.hide()
def validatePage(self):
wizard = self.wizard()
@@ -417,7 +412,7 @@ class SelectProviderPage(QtGui.QWizardPage):
else:
self.set_validation_status(exc.usermessage)
fingerprint = certs.get_https_cert_fingerprint(
- domain)
+ domain, sep=" ")
self.add_cert_info(fingerprint)
self.did_cert_check = True
self.completeChanged.emit()
@@ -456,7 +451,9 @@ class ProviderInfoPage(QtGui.QWizardPage):
displayName = QtGui.QLabel("")
description = QtGui.QLabel("")
enrollment_policy = QtGui.QLabel("")
- # stylesheet...
+ # XXX set stylesheet...
+ # prettify a little bit.
+ # bigger fonts and so on...
self.displayName = displayName
self.description = description
self.enrollment_policy = enrollment_policy
@@ -521,33 +518,66 @@ class ProviderSetupPage(QtGui.QWizardPage):
def set_status(self, status):
self.status.setText(status)
+ self.status.setWordWrap(True)
- def initializePage(self):
- self.set_status('')
- self.progress.setValue(0)
- self.progress.hide()
-
- def validatePage(self):
+ def fetch_and_validate(self):
+ # Fake... till you make it...
import time
- self.progress.show()
-
- self.set_status('fetching cert...')
- self.progress.setValue(20)
- time.sleep(2)
-
- self.set_status('fetching cert another time...')
+ domain = self.field('provider_domain')
+ wizard = self.wizard()
+ pconfig = wizard.providerconfig
+ pCertChecker = wizard.providercertchecker
+ certchecker = pCertChecker(domain=domain)
+
+ self.set_status('Fetching CA certificate')
+ self.progress.setValue(30)
+ ca_cert_uri = pconfig.get('ca_cert_uri').geturl()
+
+ # XXX check scheme == "https"
+ # XXX passing verify == False because
+ # we have trusted right before.
+ # We should check it's the same domain!!!
+ # (Check with the trusted fingerprints dict
+ # or something smart)
+
+ certchecker.download_ca_cert(
+ uri=ca_cert_uri,
+ verify=False)
+
+ self.set_status('Checking CA fingerprint')
self.progress.setValue(40)
+ ca_cert_fingerprint = pconfig.get('ca_cert_fingerprint')
+
+ # XXX get fingerprint dict (types)
+ certchecker.check_ca_cert_fingerprint(
+ fingerprint=ca_cert_fingerprint)
time.sleep(2)
- self.set_status('validating cert')
+ self.set_status('Fetching api https certificate')
self.progress.setValue(60)
time.sleep(2)
- self.set_status('validating CA cert...')
+ self.set_status('Validating api certificate')
self.progress.setValue(80)
time.sleep(2)
+ #ca_cert_path = checker.ca_cert_path
self.progress.setValue(100)
+
+ # pagewizard methods
+
+ def initializePage(self):
+ self.set_status(
+ 'We are going to contact the provider to get '
+ 'the certificates that will be used to stablish '
+ 'a secure connection.<br><br>Click <i>next</i> to continue.')
+ self.progress.setValue(0)
+ self.progress.hide()
+
+ def validatePage(self):
+ self.progress.show()
+ self.fetch_and_validate()
+
return True
def nextId(self):