diff options
author | Ruben Pollan <meskio@sindominio.net> | 2017-05-29 21:39:02 +0200 |
---|---|---|
committer | Ruben Pollan <meskio@sindominio.net> | 2017-06-05 19:42:12 +0200 |
commit | 0edc6cf6a4270e94443fc6c8bfa73c5ca1ad5d92 (patch) | |
tree | 0e2937b6b320573fffdbab99dd61903d67f56a13 /src | |
parent | 878a206db60278066a7f962a5d3a75eed232ed84 (diff) |
[feat] check ca cert fingreprint against provider.json
Diffstat (limited to 'src')
-rw-r--r-- | src/leap/bitmask/bonafide/config.py | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/src/leap/bitmask/bonafide/config.py b/src/leap/bitmask/bonafide/config.py index 7db6260..5f3bff9 100644 --- a/src/leap/bitmask/bonafide/config.py +++ b/src/leap/bitmask/bonafide/config.py @@ -17,6 +17,7 @@ """ Configuration for a LEAP provider. """ +import binascii import datetime import json import os @@ -25,6 +26,9 @@ import shutil import sys from collections import defaultdict +from cryptography.hazmat.backends import default_backend +from cryptography.hazmat.primitives import hashes +from cryptography.x509 import load_pem_x509_certificate from urlparse import urlparse from twisted.internet import defer, reactor @@ -337,9 +341,23 @@ class Provider(object): return d def validate_ca_cert(self, ignored): - # TODO Need to verify fingerprint against the one in provider.json expected = self._get_expected_ca_cert_fingerprint() - print "EXPECTED FINGERPRINT:", expected + algo, expectedfp = expected.split(':') + expectedfp = expectedfp.replace(' ', '') + backend = default_backend() + + with open(self._get_ca_cert_path(), 'r') as f: + certstr = f.read() + cert = load_pem_x509_certificate(certstr, backend) + hasher = getattr(hashes, algo)() + fpbytes = cert.fingerprint(hasher) + fp = binascii.hexlify(fpbytes) + + if fp != expectedfp: + os.unlink(self._get_ca_cert_path()) + self.log.error("Fingerprint of CA cert doesn't match: %s <-> %s" + % (fp, expectedfp)) + raise NetworkError("The provider's CA fingerprint doesn't match") def _get_expected_ca_cert_fingerprint(self): try: |