authorkali <kali@leap.se>2013-01-24 20:07:06 +0900
committerkali <kali@leap.se>2013-01-24 20:07:06 +0900
commit19da34c598ce6db172c1e1a8978bf031fc6db89b (patch)
tree076b8fdcd485faf1c9959c32d88431fcb98ab6b4 /src
parent9cdc193c587631986e579c1ba37a8b982be01238 (diff)
check cert time_boundaries uses pyOpenSSL
I had missed this one while deprecating gnutls
Diffstat (limited to 'src')
-rw-r--r--src/leap/crypto/certs.py15
-rw-r--r--src/leap/eip/checks.py13
-rwxr-xr-xsrc/leap/gui/firstrun/tests/integration/fake_provider.py6
3 files changed, 19 insertions, 15 deletions
diff --git a/src/leap/crypto/certs.py b/src/leap/crypto/certs.py
index c2835878..cbb5725a 100644
--- a/src/leap/crypto/certs.py
+++ b/src/leap/crypto/certs.py
@@ -2,7 +2,9 @@ import logging
import os
from StringIO import StringIO
import ssl
+import time
+from dateutil.parser import parse
from OpenSSL import crypto
from leap.util.misc import null_check
@@ -33,7 +35,7 @@ def get_https_cert_from_domain(domain, port=443):
def get_cert_from_file(_file):
null_check(_file, "pem file")
- if isinstance(_file, str):
+ if isinstance(_file, (str, unicode)):
if not os.path.isfile(_file):
raise NoCertError
with open(_file) as f:
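Review bot: The new type test `isinstance(_file, (str, unicode))` can be written `isinstance(_file, basestring)`, the Python 2 base type of both, which states the intent (any text path) directly. The rest of get_cert_from_file, including whatever handles a non-string argument, lies outside this hunk.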
@@ -97,3 +99,14 @@ def get_cert_fingerprint(domain=None, port=443, filepath=None,
cert = get_cert_from_file(filepath)
hex_fpr = cert.digest(hash_type)
return hex_fpr
+
+
+def get_time_boundaries(certfile):
+ cert = get_cert_from_file(certfile)
+ null_check(cert, 'certificate')
+
+ fromts, tots = (cert.get_notBefore(), cert.get_notAfter())
+ from_, to_ = map(
+ lambda ts: time.gmtime(time.mktime(parse(ts).timetuple())),
+ (fromts, tots))
+ return from_, to_
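Review bot: The round trip `time.gmtime(time.mktime(parse(ts).timetuple()))` in get_time_boundaries shifts both boundaries by the machine's UTC offset, because `time.mktime` reads the tuple as local time while the notBefore/notAfter strings from pyOpenSSL are expressed in UTC. On a client whose zone is not UTC, the expiry check in is_cert_not_expired would be off by that offset, accepting a certificate some hours outside its validity window or rejecting it inside. Assuming `parse` returns an aware datetime for the ASN.1 `...Z` string, `from_, to_ = [parse(ts).utctimetuple() for ts in (fromts, tots)]` stays in UTC and still yields struct_time values comparable with `time.gmtime()`. A test with a known certificate and a non-UTC `TZ` would pin this down.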
diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py
index de738de6..9a34a428 100644
--- a/src/leap/eip/checks.py
+++ b/src/leap/eip/checks.py
@@ -1,13 +1,8 @@
import logging
-#import ssl
-#import platform
import time
import os
import sys
-import gnutls.crypto
-#import netifaces
-#import ping
import requests
from leap import __branding as BRANDING
@@ -24,7 +19,6 @@ from leap.eip import specs as eipspecs
from leap.util.certs import get_mac_cabundle
from leap.util.fileutil import mkdir_p
from leap.util.web import get_https_domain_and_port
-from leap.util.misc import null_check
logger = logging.getLogger(name=__name__)
@@ -276,11 +270,8 @@ class ProviderCertChecker(object):
def is_cert_not_expired(self, certfile=None, now=time.gmtime):
if certfile is None:
certfile = self._get_client_cert_path()
- with open(certfile) as cf:
- cert_s = cf.read()
- cert = gnutls.crypto.X509Certificate(cert_s)
- from_ = time.gmtime(cert.activation_time)
- to_ = time.gmtime(cert.expiration_time)
+ from_, to_ = certs.get_time_boundaries(certfile)
+
return from_ < now() < to_
def is_valid_pemfile(self, cert_s=None):
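Review bot: is_cert_not_expired has no docstring, and the contract that makes `from_ < now() < to_` meaningful is implicit: `now` must return a UTC `time.struct_time`, since the boundaries from `certs.get_time_boundaries` are built with `time.gmtime`. I would add `"""Return True if now() lies strictly inside the client cert's notBefore/notAfter window; now must return a UTC struct_time."""`. The visible hunks of checks.py add no import that binds `certs`, so it is worth confirming the name resolves to leap.crypto.certs in this module.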
diff --git a/src/leap/gui/firstrun/tests/integration/fake_provider.py b/src/leap/gui/firstrun/tests/integration/fake_provider.py
index 445b4487..668db5d1 100755
--- a/src/leap/gui/firstrun/tests/integration/fake_provider.py
+++ b/src/leap/gui/firstrun/tests/integration/fake_provider.py
@@ -25,9 +25,9 @@ import sys
import srp
# GnuTLS Example -- is not working as expected
-from gnutls import crypto
-from gnutls.constants import COMP_LZO, COMP_DEFLATE, COMP_NULL
-from gnutls.interfaces.twisted import X509Credentials
+#from gnutls import crypto
+#from gnutls.constants import COMP_LZO, COMP_DEFLATE, COMP_NULL
+#from gnutls.interfaces.twisted import X509Credentials
# Going with OpenSSL as a workaround instead
# But we DO NOT want to introduce this dependency.