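def check_cert(host, cert):
    """Parse a PEM certificate for *host* and print whether its date check fails.

    Parameters
    ----------
    host : str
        Label printed with the result. It is NOT compared against the
        certificate -- no host-name check happens in this function.
    cert : str
        PEM text containing a ``CERTIFICATE`` block.

    A certificate that cannot be parsed is reported as a traceback on stdout
    and nothing else is printed. ``has_expired`` is True whenever
    ``x509.X509.check_date()`` raises, whatever the reason that method
    raises, so read the line as "date check failed" rather than strictly
    "expired".
    """
    try:
        der = pem.dePem(cert, 'CERTIFICATE')
        parsed = x509.X509(der)
    except Exception:
        # Broad on purpose (the parser is a project library with unknown
        # exception types), but no longer bare: KeyboardInterrupt and
        # SystemExit now propagate instead of being swallowed.
        traceback.print_exc(file=sys.stdout)
        return

    try:
        parsed.check_date()
    except Exception:
        expired = True
    else:
        expired = False

    util.print_msg("host: %s\nhas_expired: %s\n" % (host, expired))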
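    def get_socket(self):
        """Connect to ``self.host``; wrap the socket in TLS when ``self.use_ssl``.

        Trust model, keyed on the pin file ``<config_path>/certs/<host>``:

        * No pin yet (first contact): try a CA-verified handshake against
          ``ca_path`` and require ``check_host_name()`` to accept the peer
          certificate; on success that socket is returned and nothing is
          pinned. If the chain does not verify (``ssl.SSLError``), the
          server's certificate is fetched with ``CERT_NONE`` -- i.e. with no
          authentication at all -- staged in ``<pin>.temp``, and a second
          handshake is made with only that file as trust root; if it
          succeeds the staged file is renamed into place and is the pin from
          then on. Any other exception during the CA attempt aborts.
        * Pin present: the handshake must verify against exactly that file.
          A verification failure (``errno == ssl.SSL_ERROR_SSL``) is
          diagnosed by ``_explain_pinned_cert_failure``; other SSL errors
          and timeouts are simply reported.

        Returns the (possibly TLS-wrapped) socket, or ``None`` on any
        failure. Every socket this method opens and does not return is
        closed before returning.

        Security notes: the first-contact fetch is unauthenticated, so an
        attacker in the path at pinning time is trusted afterwards
        (trust-on-first-use). ``check_host_name()`` is only applied on the
        CA-verified path; the pinned path relies on whatever
        ``get_ssl_context()`` verifies, which is not visible here.
        ``ca_path`` is presumably a module-level CA bundle path -- it is
        defined elsewhere.
        """
        if not self.use_ssl:
            return self.get_simple_socket()

        cert_path = os.path.join(self.config_path, 'certs', self.host)
        temporary_path = cert_path + '.temp'
        is_new = not os.path.exists(cert_path)

        if is_new:
            s = self.get_simple_socket()
            if s is None:
                return
            # try with CA first
            try:
                context = self.get_ssl_context(cert_reqs=ssl.CERT_REQUIRED,
                                               ca_certs=ca_path)
                s = context.wrap_socket(s, do_handshake_on_connect=True)
            except ssl.SSLError as e:
                # Chain did not verify against the CA bundle: fall through
                # to trust-on-first-use below. close() is a no-op if the
                # ssl layer already closed the detached fd.
                self.print_error(e)
                s.close()
            except Exception:
                # Transport-level failure (timeout, reset, ...) rather than
                # a trust decision: give up. Was a bare except, which also
                # swallowed KeyboardInterrupt/SystemExit.
                s.close()
                return
            else:
                try:
                    peer_cert = s.getpeercert()
                except OSError:
                    s.close()
                    return
                if self.check_host_name(peer_cert, self.host):
                    self.print_error("SSL certificate signed by CA")
                    return s
                # Verified chain but the name does not match: never reuse
                # this connection; fall back to pinning on a fresh socket.
                s.close()

            if not self._stage_server_cert(temporary_path):
                return

        s = self.get_simple_socket()
        if s is None:
            return

        try:
            context = self.get_ssl_context(
                cert_reqs=ssl.CERT_REQUIRED,
                ca_certs=(temporary_path if is_new else cert_path))
            s = context.wrap_socket(s, do_handshake_on_connect=True)
        except socket.timeout:
            s.close()
            self.print_error('timeout')
            return
        except ssl.SSLError as e:
            s.close()
            self.print_error("SSL error:", e)
            # SSL_ERROR_SSL (== 1) is the handshake/verification failure;
            # anything else is treated as a transport error and just reported.
            if e.errno == ssl.SSL_ERROR_SSL:
                if is_new:
                    # The server did not even match the certificate we just
                    # fetched from it: keep the evidence as <pin>.rej.
                    rej = cert_path + '.rej'
                    if os.path.exists(rej):
                        os.unlink(rej)
                    os.rename(temporary_path, rej)
                else:
                    self._explain_pinned_cert_failure(cert_path)
            return
        except Exception as e:
            # Was `except BaseException`, which swallowed Ctrl-C.
            s.close()
            self.print_error(e)
            traceback.print_exc(file=sys.stderr)
            return

        if is_new:
            self.print_error("saving certificate")
            os.rename(temporary_path, cert_path)

        return s

    def _stage_server_cert(self, temporary_path):
        """Fetch the server certificate WITHOUT authentication and write it,
        as PEM, to *temporary_path*.

        ``CERT_NONE`` is deliberate: this runs only after the CA bundle
        failed to verify the server, so nothing about the peer's identity
        is established when this returns. Returns True when the file has
        been written and fsync'ed, False on any failure. The socket it
        opens is always closed.
        """
        # Do not use ssl.get_server_certificate because it does not work with proxy
        s = self.get_simple_socket()
        if s is None:
            return False
        try:
            context = self.get_ssl_context(cert_reqs=ssl.CERT_NONE,
                                           ca_certs=None)
            s = context.wrap_socket(s)
        except ssl.SSLError as e:
            self.print_error("SSL error retrieving SSL certificate:", e)
            s.close()
            return False
        except Exception:
            s.close()
            return False

        try:
            dercert = s.getpeercert(True)
        except OSError:
            return False
        finally:
            s.close()

        cert = ssl.DER_cert_to_PEM_cert(dercert)
        # workaround android bug
        cert = re.sub("([^\n])-----END CERTIFICATE-----",
                      "\\1\n-----END CERTIFICATE-----", cert)
        util.assert_datadir_available(self.config_path)
        with open(temporary_path, "w", encoding='utf-8') as f:
            f.write(cert)
            f.flush()
            os.fsync(f.fileno())
        return True

    def _explain_pinned_cert_failure(self, cert_path):
        """Report why a handshake against the pinned certificate failed.

        Reads the pin at *cert_path* and parses it. An unparseable pin is
        reported as "wrong certificate" and left in place. A pin whose
        ``check_date()`` raises is reported as expired and deleted so the
        next connect re-pins. Otherwise the mismatch is reported as
        "wrong certificate" and the pin is kept -- a server presenting a
        different certificate is exactly what pinning is meant to refuse.
        Always returns None.
        """
        util.assert_datadir_available(self.config_path)
        with open(cert_path, encoding='utf-8') as f:
            cert = f.read()
        try:
            b = pem.dePem(cert, 'CERTIFICATE')
            x = x509.X509(b)
        except Exception:
            traceback.print_exc(file=sys.stderr)
            self.print_error("wrong certificate")
            return
        try:
            x.check_date()
        except Exception:
            self.print_error("certificate has expired:", cert_path)
            os.unlink(cert_path)
            return
        self.print_error("wrong certificate")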
                         ca_certs=(temporary_path if is_new else cert_path),
                         do_handshake_on_connect=True)
 except ssl.SSLError, e:
     self.print_error("SSL error:", e)
     if e.errno != 1:
         return
     if is_new:
         rej = cert_path + '.rej'
         if os.path.exists(rej):
             os.unlink(rej)
         os.rename(temporary_path, rej)
     else:
         with open(cert_path) as f:
             cert = f.read()
         try:
             b = pem.dePem(cert, 'CERTIFICATE')
             x = x509.X509(b)
         except:
             traceback.print_exc(file=sys.stderr)
             self.print_error("wrong certificate")
             return
         try:
             x.check_date()
         except:
             self.print_error("certificate has expired:", cert_path)
             os.unlink(cert_path)
             return
         self.print_error("wrong certificate")
     return
 except BaseException, e:
     self.print_error(e)
         do_handshake_on_connect=True,
     )
 except ssl.SSLError, e:
     self.print_error("SSL error:", e)
     if e.errno != 1:
         return
     if is_new:
         rej = cert_path + ".rej"
         if os.path.exists(rej):
             os.unlink(rej)
         os.rename(temporary_path, rej)
     else:
         with open(cert_path) as f:
             cert = f.read()
         try:
             b = pem.dePem(cert, "CERTIFICATE")
             x = x509.X509(b)
         except:
             traceback.print_exc(file=sys.stderr)
             self.print_error("wrong certificate")
             return
         try:
             x.check_date()
         except:
             self.print_error("certificate has expired:", cert_path)
             os.unlink(cert_path)
             return
         self.print_error("wrong certificate")
     return
 except BaseException, e:
     self.print_error(e)