From 4984f2c966d11f529a2a8b722814b748b6a524d2 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Wed, 12 Dec 2012 09:16:53 +0900
Subject: changed some values in new style eipconfig

---
 src/leap/eip/checks.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'src/leap/eip/checks.py')

diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py
index 8d615b94..92964a9d 100644
--- a/src/leap/eip/checks.py
+++ b/src/leap/eip/checks.py
@@ -242,7 +242,9 @@ class ProviderCertChecker(object):
             raise
         try:
             pemfile_content = req.content
-            self.is_valid_pemfile(pemfile_content)
+            valid = self.is_valid_pemfile(pemfile_content)
+            if not valid:
+                return False
             cert_path = self._get_client_cert_path()
             self.write_cert(pemfile_content, to=cert_path)
         except:
@@ -303,6 +305,10 @@ class ProviderCertChecker(object):
             if len(certparts) > 1:
                 cert_s = sep + certparts[1]
             ssl.PEM_cert_to_DER_cert(cert_s)
+        except ValueError:
+            # valid_pemfile raises a value error if not BEGIN_CERTIFICATE in
+            # there...
+            return False
         except:
             # XXX raise proper exception
             raise
-- 
cgit v1.2.3


From d71e05fdefa7cb9699804bc93adba97921ca923f Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Sat, 15 Dec 2012 02:23:36 +0900
Subject: workaround for not-yet-valid certs

skipping valid_from ts on cert
---
 src/leap/eip/checks.py | 29 ++++++-----------------------
 1 file changed, 6 insertions(+), 23 deletions(-)

(limited to 'src/leap/eip/checks.py')

diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py
index 92964a9d..d7f4402b 100644
--- a/src/leap/eip/checks.py
+++ b/src/leap/eip/checks.py
@@ -160,7 +160,6 @@ class ProviderCertChecker(object):
         if autocacert and verify is True and self.cacert is not None:
             logger.debug('verify cert: %s', self.cacert)
             verify = self.cacert
-        #import pdb4qt; pdb4qt.set_trace()
         logger.debug('is https working?')
         logger.debug('uri: %s (verify:%s)', uri, verify)
         try:
@@ -278,7 +277,10 @@ class ProviderCertChecker(object):
         cert = gnutls.crypto.X509Certificate(cert_s)
         from_ = time.gmtime(cert.activation_time)
         to_ = time.gmtime(cert.expiration_time)
-        return from_ < now() < to_
+        # FIXME BUG ON LEAP_CLI, certs are not valid on gmtime
+        # See #1153
+        #return from_ < now() < to_
+        return now() < to_
 
     def is_valid_pemfile(self, cert_s=None):
         """
@@ -292,27 +294,8 @@ class ProviderCertChecker(object):
             certfile = self._get_client_cert_path()
             with open(certfile) as cf:
                 cert_s = cf.read()
-        try:
-            # XXX get a real cert validation
-            # so far this is only checking begin/end
-            # delimiters :)
-            # XXX use gnutls for get proper
-            # validation.
-            # crypto.X509Certificate(cert_s)
-            sep = "-" * 5 + "BEGIN CERTIFICATE" + "-" * 5
-            # we might have private key and cert in the same file
-            certparts = cert_s.split(sep)
-            if len(certparts) > 1:
-                cert_s = sep + certparts[1]
-            ssl.PEM_cert_to_DER_cert(cert_s)
-        except ValueError:
-            # valid_pemfile raises a value error if not BEGIN_CERTIFICATE in
-            # there...
-            return False
-        except:
-            # XXX raise proper exception
-            raise
-        return True
+        valid = certs.can_load_cert_and_pkey(cert_s)
+        return valid
 
     @property
     def ca_cert_path(self):
-- 
cgit v1.2.3