From 79764a5624acee85bcd03cd315c3d834a9a25a02 Mon Sep 17 00:00:00 2001 From: kali Date: Wed, 12 Sep 2012 10:00:29 +0900 Subject: time boundary check of certificate using gnutls --- src/leap/eip/checks.py | 18 ++++++++++++------ src/leap/eip/tests/test_checks.py | 13 +++++++++++++ 2 files changed, 25 insertions(+), 6 deletions(-) (limited to 'src/leap') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 4dd4a95c..f368c551 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -1,8 +1,10 @@ import logging import ssl import platform +import time import os +from gnutls import crypto import netifaces import ping import requests @@ -221,12 +223,13 @@ class ProviderCertChecker(object): certfile = self._get_client_cert_path() return os.path.isfile(certfile) - def is_cert_not_expired(self): - return True - # XXX TODO - # waiting on #507. If we're not using PyOpenSSL or anything alike - # we will have to roll our own x509 parsing to extract time info. - # XXX use gnutls + def is_cert_not_expired(self, certfile=None, now=time.gmtime): + if certfile is None: + certfile = self._get_client_cert_path() + with open(certfile) as cf: + cert_s = cf.read() + cert = crypto.X509Certificate(cert_s) + return cert.activation_time < now() < cert.expiration_time def is_valid_pemfile(self, cert_s=None): """ @@ -244,6 +247,9 @@ class ProviderCertChecker(object): # XXX get a real cert validation # so far this is only checking begin/end # delimiters :) + # XXX use gnutls for get proper + # validation. + # crypto.X509Certificate(cert_s) ssl.PEM_cert_to_DER_cert(cert_s) except: # XXX raise proper exception diff --git a/src/leap/eip/tests/test_checks.py b/src/leap/eip/tests/test_checks.py index bc7db79c..952b10d2 100644 --- a/src/leap/eip/tests/test_checks.py +++ b/src/leap/eip/tests/test_checks.py @@ -6,6 +6,7 @@ try: except ImportError: import unittest import os +import time import urlparse from StringIO import StringIO @@ -372,10 +373,22 @@ class ProviderCertCheckerHTTPSTests(BaseHTTPSServerTestCase, BaseLeapTest): def test_is_cert_valid(self): checker = eipchecks.ProviderCertChecker() # TODO: better exception catching + # should raise eipexceptions.BadClientCertificate, and give reasons + # on msg. with self.assertRaises(Exception) as exc: self.assertFalse(checker.is_cert_valid()) exc.message = "missing cert" + def test_bad_validity_certs(self): + checker = eipchecks.ProviderCertChecker() + certfile = where_cert('leaptestscert.pem') + self.assertFalse(checker.is_cert_not_expired( + certfile=certfile, + now=lambda: time.mktime((2038, 1, 1, 1, 1, 1, 1, 1, 1)))) + self.assertFalse(checker.is_cert_not_expired( + certfile=certfile, + now=lambda: time.mktime((1970, 1, 1, 1, 1, 1, 1, 1, 1)))) + def test_check_new_cert_needed(self): # check: missing cert checker = eipchecks.ProviderCertChecker() -- cgit v1.2.3