Diffstat (limited to 'src/leap/bitmask/crypto')
-rw-r--r--src/leap/bitmask/crypto/certs.py80
-rw-r--r--src/leap/bitmask/crypto/srpauth.py14
2 files changed, 88 insertions, 6 deletions
diff --git a/src/leap/bitmask/crypto/certs.py b/src/leap/bitmask/crypto/certs.py
new file mode 100644
index 00000000..244decfd
--- /dev/null
+++ b/src/leap/bitmask/crypto/certs.py
@@ -0,0 +1,80 @@
+# -*- coding: utf-8 -*-
+# certs.py
+# Copyright (C) 2013 LEAP
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+"""
+Utilities for dealing with client certs
+"""
+import logging
+import os
+
+from leap.bitmask.crypto.srpauth import SRPAuth
+from leap.bitmask.util.constants import REQUEST_TIMEOUT
+from leap.common.files import check_and_fix_urw_only
+from leap.common.files import mkdir_p
+
+from leap.common import certs as leap_certs
+
+logger = logging.getLogger(__name__)
+
+
+def download_client_cert(provider_config, path, session):
+ """
+ Downloads the client certificate for each service.
+
+ :param provider_config: instance of a ProviderConfig
+ :type provider_config: ProviderConfig
+ :param path: the path to download the cert to.
+ :type path: str
+ :param session: a fetcher.session instance. For the moment we only
+ support requests.sessions
+ :type session: requests.sessions.Session
+ """
+ # TODO we should implement the @with_srp_auth decorator
+ # again.
+ srp_auth = SRPAuth(provider_config)
+ session_id = srp_auth.get_session_id()
+ cookies = None
+ if session_id:
+ cookies = {"_session_id": session_id}
+ cert_uri = "%s/%s/cert" % (
+ provider_config.get_api_uri(),
+ provider_config.get_api_version())
+ logger.debug('getting cert from uri: %s' % cert_uri)
+
+ res = session.get(cert_uri,
+ verify=provider_config
+ .get_ca_cert_path(),
+ cookies=cookies,
+ timeout=REQUEST_TIMEOUT)
+ res.raise_for_status()
+ client_cert = res.content
+
+ if not leap_certs.is_valid_pemfile(client_cert):
+ # XXX raise more specific exception.
+ raise Exception("The downloaded certificate is not a "
+ "valid PEM file")
+
+ mkdir_p(os.path.dirname(path))
+
+ try:
+ with open(path, "w") as f:
+ f.write(client_cert)
+ except IOError as exc:
+ logger.error(
+ "Error saving client cert: %r" % (exc,))
+ raise
+
+ check_and_fix_urw_only(path)
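Review bot: The client certificate is written in the `with open(path, "w")` block with whatever mode the process umask yields and is only tightened afterwards by `check_and_fix_urw_only(path)`, so there is a window in which other local users can read the freshly written PEM. Create the file restrictively from the start, e.g. `fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, "w") as f:`, and keep the `check_and_fix_urw_only` call as a repair step for pre-existing files. The `mkdir_p` call just above creates the parent directory with its default mode too; whether that directory also needs tightening depends on what else is stored there, which this hunk does not show. The generic `Exception` at the PEM check is already marked XXX; a dedicated exception class would let callers tell a malformed server response apart from network or filesystem failures, which currently surface through `raise_for_status()` and `IOError`.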
diff --git a/src/leap/bitmask/crypto/srpauth.py b/src/leap/bitmask/crypto/srpauth.py
index 41ce130a..bf85f75c 100644
--- a/src/leap/bitmask/crypto/srpauth.py
+++ b/src/leap/bitmask/crypto/srpauth.py
@@ -171,6 +171,9 @@ class SRPAuth(QtCore.QObject):
self._srp_user = None
self._srp_a = None
+ # Error msg displayed if the username or the password is invalid
+ self._WRONG_USER_PASS = self.tr("Invalid username or password.")
+
# User credentials stored for password changing checks
self._username = None
self._password = None
@@ -200,8 +203,6 @@ class SRPAuth(QtCore.QObject):
"""
logger.debug("Authentication preprocessing...")
- username = username.lower()
-
self._srp_user = self._srp.User(username,
password,
self._hashfun,
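Review bot: Dropping `username = username.lower()` from `_authentication_preprocessing` makes this layer case-sensitive: in SRP the identity string is part of the hashed input, so the `self._srp.User(...)` constructed here will derive different values if any caller reaches this method with a name that was not normalized first. The same commit moves the lowercasing into the outer `authenticate` wrapper, but nothing in this method records the new precondition. Add `# Caller must pass the already-normalized (lowercased) username; SRP folds the exact identity string into the key derivation` above the `self._srp.User(` call so the contract is visible where it matters. The method body continues outside the hunk.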
@@ -265,7 +266,7 @@ class SRPAuth(QtCore.QObject):
"Status code = %r. Content: %r" %
(init_session.status_code, content))
if init_session.status_code == 422:
- raise SRPAuthUnknownUser(self.tr("Unknown user"))
+ raise SRPAuthUnknownUser(self._WRONG_USER_PASS)
raise SRPAuthBadStatusCode(self.tr("There was a problem with"
" authentication"))
@@ -354,7 +355,7 @@ class SRPAuth(QtCore.QObject):
"received: %s", (content,))
logger.error("[%s] Wrong password (HAMK): [%s]" %
(auth_result.status_code, error))
- raise SRPAuthBadPassword(self.tr("Wrong password"))
+ raise SRPAuthBadPassword(self._WRONG_USER_PASS)
if auth_result.status_code not in (200,):
logger.error("No valid response (HAMK): "
@@ -506,7 +507,7 @@ class SRPAuth(QtCore.QObject):
leap_assert(self.get_session_id() is None, "Already logged in")
# User credentials stored for password changing checks
- self._username = username.lower()
+ self._username = username
self._password = password
d = threads.deferToThread(self._authentication_preprocessing,
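Review bot: `self._username` is now stored exactly as received by this inner `authenticate`, while the lowercasing happens only in the outer wrapper added elsewhere in this commit; the comment says the value is kept for password-changing checks, so a caller that reaches this method directly with a mixed-case name would cache a username that does not match what the SRP exchange used. Record the precondition in the method's docstring, e.g. `username must already be normalized (lowercased) by the caller; it is stored as-is for later password-change checks`. The enclosing method starts and ends outside this hunk, so I cannot see whether the docstring already says so.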
@@ -553,6 +554,7 @@ class SRPAuth(QtCore.QObject):
except Exception as e:
logger.warning("Something went wrong with the logout: %r" %
(e,))
+ raise
else:
self.set_session_id(None)
self.set_uid(None)
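Review bot: Re-raising after the logout warning skips the `else` branch that clears the local session id and uid, so when the server-side logout fails the client keeps a session id it can no longer trust; the `leap_assert(self.get_session_id() is None, "Already logged in")` guard in `authenticate` will then refuse a fresh login for the rest of the process. If the intent is to let the caller retry the logout with the same session, say so in the method's docstring; otherwise move the two `set_*(None)` calls into a `finally:` block so local state is reset whether or not the request succeeded. The enclosing method begins outside the hunk.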
@@ -614,7 +616,7 @@ class SRPAuth(QtCore.QObject):
:param password: password for this user
:type password: str
"""
-
+ username = username.lower()
d = self.__instance.authenticate(username, password)
d.addCallback(self._gui_notify)
d.addErrback(self._errback)
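Review bot: The docstring of this wrapper still presents `username` as the plain user name, yet the new `username = username.lower()` line rewrites it before delegating; add `The username is lowercased before authentication; the server-side SRP verifier must have been registered under the lowercased form.` to the docstring. `str.lower()` is not a full Unicode case fold, so names that differ only in non-ASCII case variants may still mismatch what the provider stores, and whether the server applies the same normalization is not visible here. This is now the only place the normalization happens, so any other entry point that calls `self.__instance.authenticate` directly bypasses it.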