From 634030e5bba3fe7c2ea3632fff252a60b471487a Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Fri, 19 Oct 2012 09:05:14 +0900
Subject: ca cert fingerprint check + api cert verification

---
 src/leap/gui/firstrunwizard.py | 48 ++++++++++++++++++++++++++++++------------
 1 file changed, 35 insertions(+), 13 deletions(-)

(limited to 'src/leap/gui/firstrunwizard.py')

diff --git a/src/leap/gui/firstrunwizard.py b/src/leap/gui/firstrunwizard.py
index e4293cf6..55338090 100755
--- a/src/leap/gui/firstrunwizard.py
+++ b/src/leap/gui/firstrunwizard.py
@@ -3,6 +3,8 @@ import logging
 import json
 import socket
 
+import requests
+
 import sip
 sip.setapi('QString', 2)
 sip.setapi('QVariant', 2)
@@ -411,8 +413,8 @@ class SelectProviderPage(QtGui.QWizardPage):
                 pass
             else:
                 self.set_validation_status(exc.usermessage)
-                fingerprint = certs.get_https_cert_fingerprint(
-                    domain, sep=" ")
+                fingerprint = certs.get_cert_fingerprint(
+                    domain=domain, sep=" ")
                 self.add_cert_info(fingerprint)
                 self.did_cert_check = True
                 self.completeChanged.emit()
@@ -545,24 +547,44 @@ class ProviderSetupPage(QtGui.QWizardPage):
             verify=False)
 
         self.set_status('Checking CA fingerprint')
-        self.progress.setValue(40)
-        ca_cert_fingerprint = pconfig.get('ca_cert_fingerprint')
+        self.progress.setValue(66)
+        ca_cert_fingerprint = pconfig.get('ca_cert_fingerprint', None)
 
         # XXX get fingerprint dict (types)
-        certchecker.check_ca_cert_fingerprint(
-            fingerprint=ca_cert_fingerprint)
-        time.sleep(2)
-
-        self.set_status('Fetching api https certificate')
-        self.progress.setValue(60)
-        time.sleep(2)
+        sha256_fpr = ca_cert_fingerprint.split('=')[1]
+
+        validate_fpr = certchecker.check_ca_cert_fingerprint(
+            fingerprint=sha256_fpr)
+        time.sleep(0.5)
+        if not validate_fpr:
+            # XXX update validationMsg
+            # should catch exception
+            return False
 
         self.set_status('Validating api certificate')
-        self.progress.setValue(80)
-        time.sleep(2)
+        self.progress.setValue(90)
+
+        api_uri = pconfig.get('api_uri', None)
+        try:
+            api_cert_verified = certchecker.verify_api_https(api_uri)
+        except requests.exceptions.SSLError as exc:
+            logger.error('BUG #638. %s' % exc.message)
+            # XXX RAISE! See #638
+            # bypassing until the hostname is fixed.
+            # We probably should raise yet-another-warning
+            # here saying user that the hostname "XX.XX.XX.XX' does not
+            # match 'foo.bar.baz'
+            api_cert_verified = True
+
+        if not api_cert_verified:
+            # XXX update validationMsg
+            # should catch exception
+            return False
+        time.sleep(0.5)
         #ca_cert_path = checker.ca_cert_path
 
         self.progress.setValue(100)
+        time.sleep(0.2)
 
     # pagewizard methods
 
-- 
cgit v1.2.3