From 2a01c969e0f8dff575007043996c3b0489e20e75 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Fri, 19 Oct 2012 08:18:34 +0900
Subject: download ca cert from provider

---
 src/leap/eip/checks.py         | 53 +++++++++++++++++++++++-----
 src/leap/gui/firstrunwizard.py | 80 +++++++++++++++++++++++++++++-------------
 2 files changed, 99 insertions(+), 34 deletions(-)

(limited to 'src/leap')

diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py
index 560f7f53..e925e11c 100644
--- a/src/leap/eip/checks.py
+++ b/src/leap/eip/checks.py
@@ -4,13 +4,14 @@ import ssl
 import time
 import os
 
-from gnutls import crypto
+import gnutls.crypto
 #import netifaces
 #import ping
 import requests
 
 from leap import __branding as BRANDING
 from leap import certs
+from leap.base import config as baseconfig
 from leap.base import constants as baseconstants
 from leap.base import providers
 from leap.eip import config as eipconfig
@@ -54,18 +55,25 @@ class ProviderCertChecker(object):
     client certs and checking tls connection
     with provider.
     """
-    def __init__(self, fetcher=requests):
+    def __init__(self, fetcher=requests,
+                 domain=None):
+
         self.fetcher = fetcher
+        self.domain = domain
         self.cacert = get_ca_cert()
 
-    def run_all(self, checker=None, skip_download=False, skip_verify=False):
+    def run_all(
+            self, checker=None,
+            skip_download=False, skip_verify=False):
+
         if not checker:
             checker = self
 
         do_verify = not skip_verify
         logger.debug('do_verify: %s', do_verify)
-        # For MVS+
         # checker.download_ca_cert()
+
+        # For MVS+
         # checker.download_ca_signature()
         # checker.get_ca_signatures()
         # checker.is_there_trust_path()
@@ -77,9 +85,19 @@ class ProviderCertChecker(object):
         checker.is_https_working(verify=do_verify)
         checker.check_new_cert_needed(verify=do_verify)
 
-    def download_ca_cert(self):
-        # MVS+
-        raise NotImplementedError
+    def download_ca_cert(self, uri=None, verify=True):
+        req = self.fetcher.get(uri, verify=verify)
+        req.raise_for_status()
+
+        # should check domain exists
+        capath = self._get_ca_cert_path(self.domain)
+        with open(capath, 'w') as f:
+            f.write(req.content)
+
+    def check_ca_cert_fingerprint(
+            self, hash_type="SHA256",
+            fingerprint=None):
+        pass
 
     def download_ca_signature(self):
         # MVS+
@@ -94,11 +112,12 @@ class ProviderCertChecker(object):
         raise NotImplementedError
 
     def is_there_provider_ca(self):
-        # XXX remove for generic build
+        # XXX modify for generic build
         from leap import certs
         logger.debug('do we have provider_ca?')
         cacert_path = BRANDING.get('provider_ca_file', None)
         if not cacert_path:
+            # XXX look from the domain
             logger.debug('False')
             return False
         self.cacert = certs.where(cacert_path)
@@ -212,7 +231,7 @@ class ProviderCertChecker(object):
             certfile = self._get_client_cert_path()
         with open(certfile) as cf:
             cert_s = cf.read()
-        cert = crypto.X509Certificate(cert_s)
+        cert = gnutls.crypto.X509Certificate(cert_s)
         from_ = time.gmtime(cert.activation_time)
         to_ = time.gmtime(cert.expiration_time)
         return from_ < now() < to_
@@ -247,6 +266,10 @@ class ProviderCertChecker(object):
             raise
         return True
 
+    @property
+    def ca_cert_path(self):
+        return self._get_ca_cert_path()
+
     def _get_root_uri(self):
         return u"https://%s/" % baseconstants.DEFAULT_PROVIDER
 
@@ -258,6 +281,18 @@ class ProviderCertChecker(object):
         # MVS+ : get provider path
         return eipspecs.client_cert_path()
 
+    def _get_ca_cert_path(self, domain):
+        # XXX this folder path will be broken for win
+        # and this should be moved to eipspecs.ca_path
+
+        capath = baseconfig.get_config_file(
+            'cacert.pem',
+            folder='providers/%s/certs/ca' % domain)
+        folder, fname = os.path.split(capath)
+        if not os.path.isdir(folder):
+            mkdir_p(folder)
+        return capath
+
     def write_cert(self, pemfile_content, to=None):
         folder, filename = os.path.split(to)
         if not os.path.isdir(folder):
diff --git a/src/leap/gui/firstrunwizard.py b/src/leap/gui/firstrunwizard.py
index f3356b70..e4293cf6 100755
--- a/src/leap/gui/firstrunwizard.py
+++ b/src/leap/gui/firstrunwizard.py
@@ -367,12 +367,9 @@ class SelectProviderPage(QtGui.QWizardPage):
         self.certWarning.setText(
             "Do you want to <b>trust this provider certificate?</b>")
         self.certInfo.setText(
-            'Sha1 fingerprint: <i>%s</i><br>' % certinfo)
-        #self.trustProviderCertCheckBox.show()
+            'SHA-256 fingerprint: <i>%s</i><br>' % certinfo)
+        self.certInfo.setWordWrap(True)
         self.certinfoGroup.show()
-        # XXX when checkbox is marked, remove
-        # the red warning.
-        # XXX also, disable the next button!
 
     # pagewizard methods
 
@@ -384,9 +381,7 @@ class SelectProviderPage(QtGui.QWizardPage):
         return False
 
     def initializePage(self):
-        self.certWarning.setText('')
-        self.certInfo.setText('')
-        #self.trustProviderCertCheckBox.hide()
+        self.certinfoGroup.hide()
 
     def validatePage(self):
         wizard = self.wizard()
@@ -417,7 +412,7 @@ class SelectProviderPage(QtGui.QWizardPage):
             else:
                 self.set_validation_status(exc.usermessage)
                 fingerprint = certs.get_https_cert_fingerprint(
-                    domain)
+                    domain, sep=" ")
                 self.add_cert_info(fingerprint)
                 self.did_cert_check = True
                 self.completeChanged.emit()
@@ -456,7 +451,9 @@ class ProviderInfoPage(QtGui.QWizardPage):
         displayName = QtGui.QLabel("")
         description = QtGui.QLabel("")
         enrollment_policy = QtGui.QLabel("")
-        # stylesheet...
+        # XXX set stylesheet...
+        # prettify a little bit.
+        # bigger fonts and so on...
         self.displayName = displayName
         self.description = description
         self.enrollment_policy = enrollment_policy
@@ -521,33 +518,66 @@ class ProviderSetupPage(QtGui.QWizardPage):
 
     def set_status(self, status):
         self.status.setText(status)
+        self.status.setWordWrap(True)
 
-    def initializePage(self):
-        self.set_status('')
-        self.progress.setValue(0)
-        self.progress.hide()
-
-    def validatePage(self):
+    def fetch_and_validate(self):
+        # Fake... till you make it...
         import time
-        self.progress.show()
-
-        self.set_status('fetching cert...')
-        self.progress.setValue(20)
-        time.sleep(2)
-
-        self.set_status('fetching cert another time...')
+        domain = self.field('provider_domain')
+        wizard = self.wizard()
+        pconfig = wizard.providerconfig
+        pCertChecker = wizard.providercertchecker
+        certchecker = pCertChecker(domain=domain)
+
+        self.set_status('Fetching CA certificate')
+        self.progress.setValue(30)
+        ca_cert_uri = pconfig.get('ca_cert_uri').geturl()
+
+        # XXX check scheme == "https"
+        # XXX passing verify == False because
+        # we have trusted right before.
+        # We should check it's the same domain!!!
+        # (Check with the trusted fingerprints dict
+        # or something smart)
+
+        certchecker.download_ca_cert(
+            uri=ca_cert_uri,
+            verify=False)
+
+        self.set_status('Checking CA fingerprint')
         self.progress.setValue(40)
+        ca_cert_fingerprint = pconfig.get('ca_cert_fingerprint')
+
+        # XXX get fingerprint dict (types)
+        certchecker.check_ca_cert_fingerprint(
+            fingerprint=ca_cert_fingerprint)
         time.sleep(2)
 
-        self.set_status('validating cert')
+        self.set_status('Fetching api https certificate')
         self.progress.setValue(60)
         time.sleep(2)
 
-        self.set_status('validating CA cert...')
+        self.set_status('Validating api certificate')
         self.progress.setValue(80)
         time.sleep(2)
+        #ca_cert_path = checker.ca_cert_path
 
         self.progress.setValue(100)
+
+    # pagewizard methods
+
+    def initializePage(self):
+        self.set_status(
+            'We are going to contact the provider to get '
+            'the certificates that will be used to stablish '
+            'a secure connection.<br><br>Click <i>next</i> to continue.')
+        self.progress.setValue(0)
+        self.progress.hide()
+
+    def validatePage(self):
+        self.progress.show()
+        self.fetch_and_validate()
+
         return True
 
     def nextId(self):
-- 
cgit v1.2.3