From 00bfb22368c788bfc5de458e9159ee73cf3e66c7 Mon Sep 17 00:00:00 2001 From: Ivan Alejandro Date: Wed, 20 May 2015 18:39:10 -0300 Subject: [bug] get certificate times as UTC, add tests The certificate validity times were converted to local time and later on compared with UTC time, which caused the certificate not being updated at the right times. Add tests to be sure this is not happenning again. Add a joint pem file for the existing cert and key files to ease test. - Resolves: #6994 --- src/leap/common/certs.py | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) (limited to 'src/leap/common/certs.py') diff --git a/src/leap/common/certs.py b/src/leap/common/certs.py index 4fe563b..db513f6 100644 --- a/src/leap/common/certs.py +++ b/src/leap/common/certs.py @@ -128,22 +128,23 @@ def is_valid_pemfile(cert): return can_load_cert_and_pkey(cert) -def get_cert_time_boundaries(certfile): +def get_cert_time_boundaries(certdata): """ - Returns the time boundaries for the certificate saved in certfile + Return the time boundaries for the given certificate. + The returned values are UTC/GMT time.struct_time objects - :param certfile: path to certificate - :type certfile: str + :param certdata: the certificate contents + :type certdata: str :rtype: tuple (from, to) """ - cert = get_cert_from_string(certfile) + cert = get_cert_from_string(certdata) leap_assert(cert, 'There was a problem loading the certificate') fromts, tots = (cert.get_notBefore(), cert.get_notAfter()) - from_, to_ = map( - lambda ts: time.gmtime(time.mktime(dateparse(ts).timetuple())), - (fromts, tots)) + from_ = dateparse(fromts).timetuple() + to_ = dateparse(tots).timetuple() + return from_, to_ -- cgit v1.2.3 From c071c69e1b5a0d897674a1f7adc6ff32f19400ff Mon Sep 17 00:00:00 2001 From: Victor Shyba Date: Wed, 27 May 2015 12:49:44 -0300 Subject: [bug] Use BrowserLikePolicyForHTTPS for checking While testing the way that its implemented now, I found out that no check is being made on certificate attributes against the host. I found this simple way of creating a BrowserLikePolicyForHTTPS using a self signed cert and it worked on my test. I used test_https from Soledad for checking this (which we are fixing on another branch). Also, we don't want to depend on twisted for other things than leap.common.http. --- src/leap/common/certs.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'src/leap/common/certs.py') diff --git a/src/leap/common/certs.py b/src/leap/common/certs.py index db513f6..c8e0743 100644 --- a/src/leap/common/certs.py +++ b/src/leap/common/certs.py @@ -178,3 +178,20 @@ def should_redownload(certfile, now=time.gmtime): return True return False + + +def get_compatible_ssl_context_factory(cert_path=None): + import twisted + cert = None + if twisted.version.base() > '14.0.1': + from twisted.web.client import BrowserLikePolicyForHTTPS + from twisted.internet import ssl + if cert_path: + cert = ssl.Certificate.loadPEM(open(cert_path).read()) + policy = BrowserLikePolicyForHTTPS(cert) + return policy + else: + raise Exception((""" + Twisted 14.0.2 is needed in order to have secure Client Web SSL Contexts, not %s + See: http://twistedmatrix.com/trac/ticket/7647 + """) % (twisted.version.base())) -- cgit v1.2.3 From a119dd4fa2fc4a14577fd2d6e32dff950d934193 Mon Sep 17 00:00:00 2001 From: Kali Kaneko Date: Tue, 28 Jul 2015 11:41:32 -0400 Subject: [style] more pep8 cleanup --- src/leap/common/certs.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src/leap/common/certs.py') diff --git a/src/leap/common/certs.py b/src/leap/common/certs.py index c8e0743..37ede8e 100644 --- a/src/leap/common/certs.py +++ b/src/leap/common/certs.py @@ -192,6 +192,7 @@ def get_compatible_ssl_context_factory(cert_path=None): return policy else: raise Exception((""" - Twisted 14.0.2 is needed in order to have secure Client Web SSL Contexts, not %s + Twisted 14.0.2 is needed in order to have secure + Client Web SSL Contexts, not %s See: http://twistedmatrix.com/trac/ticket/7647 """) % (twisted.version.base())) -- cgit v1.2.3