3 files changed, 140 insertions, 0 deletions

diff --git a/src/leap/crypto/__init__.py b/src/leap/crypto/__init__.py
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/src/leap/crypto/__init__.py
diff --git a/src/leap/crypto/certs.py b/src/leap/crypto/certs.py
new file mode 100644
index 00000000..8908865d
--- /dev/null
+++ b/src/leap/crypto/certs.py
@@ -0,0 +1,71 @@
+import ctypes
+import socket
+
+import gnutls.connection
+import gnutls.crypto
+import gnutls.library
+
+
+def get_https_cert_from_domain(domain):
+    """
+    @param domain: a domain name to get a certificate from.
+    """
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    cred = gnutls.connection.X509Credentials()
+
+    session = gnutls.connection.ClientSession(sock, cred)
+    session.connect((domain, 443))
+    session.handshake()
+    cert = session.peer_certificate
+    return cert
+
+
+def get_cert_from_file(filepath):
+    with open(filepath) as f:
+        cert = gnutls.crypto.X509Certificate(f.read())
+    return cert
+
+
+def get_cert_fingerprint(domain=None, filepath=None,
+                         hash_type="SHA256", sep=":"):
+    """
+    @param domain: a domain name to get a fingerprint from
+    @type domain: str
+    @param filepath: path to a file containing a PEM file
+    @type filepath: str
+    @param hash_type: the hash function to be used in the fingerprint.
+        must be one of SHA1, SHA224, SHA256, SHA384, SHA512
+    @type hash_type: str
+    @rparam: hex_fpr, a hexadecimal representation of a bytestring
+             containing the fingerprint.
+    @rtype: string
+    """
+    if domain:
+        cert = get_https_cert_from_domain(domain)
+    if filepath:
+        cert = get_cert_from_file(filepath)
+
+    _buffer = ctypes.create_string_buffer(64)
+    buffer_length = ctypes.c_size_t(64)
+
+    SUPPORTED_DIGEST_FUN = ("SHA1", "SHA224", "SHA256", "SHA384", "SHA512")
+    if hash_type in SUPPORTED_DIGEST_FUN:
+        digestfunction = getattr(
+            gnutls.library.constants,
+            "GNUTLS_DIG_%s" % hash_type)
+    else:
+        # XXX improperlyconfigured or something
+        raise Exception("digest function not supported")
+
+    gnutls.library.functions.gnutls_x509_crt_get_fingerprint(
+        cert._c_object, digestfunction,
+        ctypes.byref(_buffer), ctypes.byref(buffer_length))
+
+    # deinit
+    #server_cert._X509Certificate__deinit(server_cert._c_object)
+    # needed? is segfaulting
+
+    fpr = ctypes.string_at(_buffer, buffer_length.value)
+    hex_fpr = sep.join(u"%02X" % ord(char) for char in fpr)
+
+    return hex_fpr
diff --git a/src/leap/crypto/leapkeyring.py b/src/leap/crypto/leapkeyring.py
new file mode 100644
index 00000000..d4be7bf9
--- /dev/null
+++ b/src/leap/crypto/leapkeyring.py
@@ -0,0 +1,69 @@
+import keyring
+
+from leap.base.config import get_config_file
+
+#############
+# Disclaimer
+#############
+# This currently is not a keyring, it's more like a joke.
+# No, seriously.
+# We're affected by this **bug**
+
+# https://bitbucket.org/kang/python-keyring-lib/
+# issue/65/dbusexception-method-opensession-with
+
+# so using the gnome keyring does not seem feasible right now.
+# I thought this was the next best option to store secrets in plain sight.
+
+# in the future we should move to use the gnome/kde/macosx/win keyrings.
+
+
+class LeapCryptedFileKeyring(keyring.backend.CryptedFileKeyring):
+
+    filename = ".secrets"
+
+    @property
+    def file_path(self):
+        return get_config_file(self.filename)
+
+    def __init__(self, seed=None):
+        self.seed = seed
+
+    def _get_new_password(self):
+        # XXX every time this method is called,
+        # $deity kills a kitten.
+        return "secret%s" % self.seed
+
+    def _init_file(self):
+        self.keyring_key = self._get_new_password()
+        self.set_password('keyring_setting', 'pass_ref', 'pass_ref_value')
+
+    def _unlock(self):
+        self.keyring_key = self._get_new_password()
+        print 'keyring key ', self.keyring_key
+        try:
+            ref_pw = self.get_password(
+                'keyring_setting',
+                'pass_ref')
+            print 'ref pw ', ref_pw
+            assert ref_pw == "pass_ref_value"
+        except AssertionError:
+            self._lock()
+            raise ValueError('Incorrect password')
+
+
+def leap_set_password(key, value, seed="xxx"):
+    keyring.set_keyring(LeapCryptedFileKeyring(seed=seed))
+    keyring.set_password('leap', key, value)
+
+
+def leap_get_password(key, seed="xxx"):
+    keyring.set_keyring(LeapCryptedFileKeyring(seed=seed))
+    #import ipdb;ipdb.set_trace()
+    return keyring.get_password('leap', key)
+
+
+if __name__ == "__main__":
+    leap_set_password('test', 'bar')
+    passwd = leap_get_password('test')
+    assert passwd == 'bar'