From e1dbfc454180a77ebb38ecae6244ac4abe6d0ac5 Mon Sep 17 00:00:00 2001 From: kali Date: Thu, 18 Oct 2012 09:30:53 +0900 Subject: catch cert verification errors and ask user for trust with a little helper function using gnutls --- src/leap/crypto/certs.py | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 src/leap/crypto/certs.py (limited to 'src/leap/crypto') diff --git a/src/leap/crypto/certs.py b/src/leap/crypto/certs.py new file mode 100644 index 00000000..aa1fc9e9 --- /dev/null +++ b/src/leap/crypto/certs.py @@ -0,0 +1,31 @@ +import ctypes +import socket + +import gnutls.connection +import gnutls.library + + +def get_https_cert_fingerprint(domain): + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + cred = gnutls.connection.X509Credentials() + + session = gnutls.connection.ClientSession(sock, cred) + session.connect((domain, 443)) + session.handshake() + cert = session.peer_certificate + + _buffer = ctypes.create_string_buffer(20) + buffer_length = ctypes.c_size_t(20) + + gnutls.library.functions.gnutls_x509_crt_get_fingerprint( + cert._c_object, gnutls.library.constants.GNUTLS_DIG_SHA1, # 3 + ctypes.byref(_buffer), ctypes.byref(buffer_length)) + + # deinit + #server_cert._X509Certificate__deinit(server_cert._c_object) + # needed? is segfaulting + + fpr = ctypes.string_at(_buffer, buffer_length.value) + hex_fpr = u":".join(u"%02X" % ord(char) for char in fpr) + + return hex_fpr -- cgit v1.2.3 From 7fa82fb4744ee5cc2c859c75cfd05cc3304c9282 Mon Sep 17 00:00:00 2001 From: kali Date: Fri, 19 Oct 2012 08:17:49 +0900 Subject: add more digest functions separate get_cert and get_fingerprint functions added separator --- src/leap/crypto/certs.py | 42 ++++++++++++++++++++++++++++++++++++------ 1 file changed, 36 insertions(+), 6 deletions(-) (limited to 'src/leap/crypto') diff --git a/src/leap/crypto/certs.py b/src/leap/crypto/certs.py index aa1fc9e9..ac9bd357 100644 --- a/src/leap/crypto/certs.py +++ b/src/leap/crypto/certs.py @@ -5,7 +5,10 @@ import gnutls.connection import gnutls.library -def get_https_cert_fingerprint(domain): +def get_https_cert_from_domain(domain): + """ + @param domain: a domain name to get a certificate from. + """ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) cred = gnutls.connection.X509Credentials() @@ -13,12 +16,36 @@ def get_https_cert_fingerprint(domain): session.connect((domain, 443)) session.handshake() cert = session.peer_certificate - - _buffer = ctypes.create_string_buffer(20) - buffer_length = ctypes.c_size_t(20) + return cert + + +def get_https_cert_fingerprint(domain, hash_type="SHA256", sep=":"): + """ + @param domain: a domain name to get a fingerprint from + @type domain: str + @param hash_type: the hash function to be used in the fingerprint. + must be one of SHA1, SHA224, SHA256, SHA384, SHA512 + @type hash_type: str + @rparam: hex_fpr, a hexadecimal representation of a bytestring + containing the fingerprint. + @rtype: string + """ + cert = get_https_cert_from_domain(domain) + + _buffer = ctypes.create_string_buffer(64) + buffer_length = ctypes.c_size_t(64) + + SUPPORTED_DIGEST_FUN = ("SHA1", "SHA224", "SHA256", "SHA384", "SHA512") + if hash_type in SUPPORTED_DIGEST_FUN: + digestfunction = getattr( + gnutls.library.constants, + "GNUTLS_DIG_%s" % hash_type) + else: + # XXX improperlyconfigured or something + raise Exception("digest function not supported") gnutls.library.functions.gnutls_x509_crt_get_fingerprint( - cert._c_object, gnutls.library.constants.GNUTLS_DIG_SHA1, # 3 + cert._c_object, digestfunction, ctypes.byref(_buffer), ctypes.byref(buffer_length)) # deinit @@ -26,6 +53,9 @@ def get_https_cert_fingerprint(domain): # needed? is segfaulting fpr = ctypes.string_at(_buffer, buffer_length.value) - hex_fpr = u":".join(u"%02X" % ord(char) for char in fpr) + hex_fpr = sep.join(u"%02X" % ord(char) for char in fpr) return hex_fpr + +#if __name__ == "__main__": + #print get_https_cert_fingerprint('springbok') -- cgit v1.2.3 From 634030e5bba3fe7c2ea3632fff252a60b471487a Mon Sep 17 00:00:00 2001 From: kali Date: Fri, 19 Oct 2012 09:05:14 +0900 Subject: ca cert fingerprint check + api cert verification --- src/leap/crypto/certs.py | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) (limited to 'src/leap/crypto') diff --git a/src/leap/crypto/certs.py b/src/leap/crypto/certs.py index ac9bd357..8908865d 100644 --- a/src/leap/crypto/certs.py +++ b/src/leap/crypto/certs.py @@ -2,6 +2,7 @@ import ctypes import socket import gnutls.connection +import gnutls.crypto import gnutls.library @@ -19,10 +20,19 @@ def get_https_cert_from_domain(domain): return cert -def get_https_cert_fingerprint(domain, hash_type="SHA256", sep=":"): +def get_cert_from_file(filepath): + with open(filepath) as f: + cert = gnutls.crypto.X509Certificate(f.read()) + return cert + + +def get_cert_fingerprint(domain=None, filepath=None, + hash_type="SHA256", sep=":"): """ @param domain: a domain name to get a fingerprint from @type domain: str + @param filepath: path to a file containing a PEM file + @type filepath: str @param hash_type: the hash function to be used in the fingerprint. must be one of SHA1, SHA224, SHA256, SHA384, SHA512 @type hash_type: str @@ -30,7 +40,10 @@ def get_https_cert_fingerprint(domain, hash_type="SHA256", sep=":"): containing the fingerprint. @rtype: string """ - cert = get_https_cert_from_domain(domain) + if domain: + cert = get_https_cert_from_domain(domain) + if filepath: + cert = get_cert_from_file(filepath) _buffer = ctypes.create_string_buffer(64) buffer_length = ctypes.c_size_t(64) @@ -56,6 +69,3 @@ def get_https_cert_fingerprint(domain, hash_type="SHA256", sep=":"): hex_fpr = sep.join(u"%02X" % ord(char) for char in fpr) return hex_fpr - -#if __name__ == "__main__": - #print get_https_cert_fingerprint('springbok') -- cgit v1.2.3 From 0590991d7777de473a7df21ed32e1fa7caa9cf4b Mon Sep 17 00:00:00 2001 From: kali Date: Fri, 26 Oct 2012 00:12:08 +0900 Subject: user credentials saved on login/signup branches. cert request is using magick decorator that retrieves the certificates using srp. --- src/leap/crypto/leapkeyring.py | 1 + 1 file changed, 1 insertion(+) (limited to 'src/leap/crypto') diff --git a/src/leap/crypto/leapkeyring.py b/src/leap/crypto/leapkeyring.py index bceadc75..d4be7bf9 100644 --- a/src/leap/crypto/leapkeyring.py +++ b/src/leap/crypto/leapkeyring.py @@ -59,6 +59,7 @@ def leap_set_password(key, value, seed="xxx"): def leap_get_password(key, seed="xxx"): keyring.set_keyring(LeapCryptedFileKeyring(seed=seed)) + #import ipdb;ipdb.set_trace() return keyring.get_password('leap', key) -- cgit v1.2.3