Example #1
def askTrustServerCertificate(host, pem, reconnect):
    """
    Prompt the user to decide whether to trust the certificate presented by
    the server. Callers are expected to use this only for a certificate that
    is not already trusted, either by trust chain or explicitly.

    If the user confirms the modal dialog, the dialog's selection decides how
    the trust is recorded: selection 0 appends C{pem} to the module-level
    C{trusted_until_shutdown_site_certs} list; any other selection sets
    C{constants.TRUST_AUTHENTICITY} on the matching stored certificate (or
    imports the certificate with that flag) and commits the repository view.

    @note: If you want to reconnect on a background thread, pass in a dummy
           reconnect and reconnect manually after receiving True.
    @note: The decision is recorded against the certificate only. C{host} is
           handed to the dialog and is not stored by this function, so
           whether trust ends up scoped to a host depends on how the
           recorded certificates are consulted elsewhere.

    @param host:      The host we think we are connected with.
    @param pem:       The certificate in PEM format, as returned by the
                      server.
    @param reconnect: The reconnect callback that will be called if the
                      user chooses to trust the certificate.
    @return:          True if user chose to trust, False otherwise.
    """
    from osaf.framework.certstore import dialogs, certificate
    global trusted_until_shutdown_site_certs

    view = wx.GetApp().UIRepositoryView
    serverCert = X509.load_cert_string(pem)
    # None when the repository holds no certificate matching this PEM.
    knownCert = certificate.findCertificate(view, pem)
    prompt = dialogs.TrustServerCertificateDialog(
        wx.GetApp().mainFrame, serverCert, host, knownCert)
    try:
        # Anything other than an explicit OK counts as "do not trust".
        if prompt.ShowModal() != wx.ID_OK:
            return False

        if prompt.GetSelection() == 0:
            # Trust recorded only in the in-memory list, not in the
            # repository.
            trusted_until_shutdown_site_certs += [pem]
        else:
            if knownCert is None:
                certificate.importCertificate(
                    serverCert, utils.fingerprint(serverCert),
                    constants.TRUST_AUTHENTICITY, view)
            else:
                knownCert.trust |= constants.TRUST_AUTHENTICITY
            # Whether the certificate was already stored or has just been
            # imported, the repository changed; commit so other views can
            # see the new trust setting.
            view.commit()

        reconnect()
        return True
    finally:
        # The dialog is destroyed on every path, including exceptions.
        prompt.Destroy()
Example #2
def askTrustServerCertificate(host, pem, reconnect):
    """
    Ask the user whether the certificate returned by the server should be
    trusted. This is meant to happen only when the certificate is not
    already trusted, either by trust chain or explicitly.

    Two kinds of trust can result, chosen by the dialog's selection:
    selection 0 adds C{pem} to C{trusted_until_shutdown_site_certs} (a
    module-level list), while any other selection marks the certificate with
    C{constants.TRUST_AUTHENTICITY} in the repository and commits.

    @note: If you want to reconnect on a background thread, pass in a dummy
           reconnect and reconnect manually after receiving True.
    @note: Only the certificate is recorded as trusted here; C{host} is
           passed to the dialog and nothing else in this function uses it.

    @param host:      The host we think we are connected with.
    @param pem:       The certificate in PEM format.
    @param reconnect: The reconnect callback that will be called if the
                      user chooses to trust the certificate.
    @return:          True if user chose to trust, False otherwise.
    """
    from osaf.framework.certstore import dialogs, certificate
    global trusted_until_shutdown_site_certs

    repoView = wx.GetApp().UIRepositoryView
    parsed = X509.load_cert_string(pem)
    stored = certificate.findCertificate(repoView, pem)
    trustDialog = dialogs.TrustServerCertificateDialog(wx.GetApp().mainFrame,
                                                       parsed, host, stored)
    accepted = False
    try:
        accepted = trustDialog.ShowModal() == wx.ID_OK
        if accepted:
            choice = trustDialog.GetSelection()

            if choice != 0:
                if stored is not None:
                    # Certificate already in the repository: add the flag.
                    stored.trust |= constants.TRUST_AUTHENTICITY
                else:
                    # Certificate not in the repository yet: import it with
                    # the flag set.
                    digest = utils.fingerprint(parsed)
                    certificate.importCertificate(
                        parsed, digest, constants.TRUST_AUTHENTICITY,
                        repoView)
                # Either branch changed the repository, so commit to make
                # the change visible to other views.
                repoView.commit()
            else:
                # Choice 0 touches only the in-memory list; nothing is
                # written to the repository.
                trusted_until_shutdown_site_certs += [pem]

            reconnect()
    finally:
        # Always tear the dialog down, whatever the user chose.
        trustDialog.Destroy()

    return accepted
Example #3
    def _importAndFind(self, pem, trust):
        """
        Import a PEM certificate with the given trust flags, then look it up
        again by fingerprint and return the single matching item.

        @param pem:   The certificate in PEM format.
        @param trust: Trust value passed through to
                      C{certificate.importCertificate}.
        @return:      The one item in the fingerprint-filtered collection.
        """
        parsed = X509.load_cert_string(pem)
        digest = utils.fingerprint(parsed)
        certificate.importCertificate(parsed, digest, trust, self.view)

        view = self.view

        collectionName = 'fpCertQuery' + digest
        allCerts = utils.getExtent(certificate.Certificate, view, exact=True)
        # The fingerprint is spliced into the filter expression string
        # without escaping.
        # NOTE(review): fine as long as utils.fingerprint returns a plain
        # digest string -- confirm before reusing this pattern with a value
        # that is not derived from a hash.
        expression = (u"view.findValue(uuid, 'fingerprint') == '%s'" %
                      digest)
        matchingCerts = FilteredCollection(collectionName,
                                           itsView=view,
                                           source=allCerts,
                                           filterExpression=expression,
                                           filterAttributes=['fingerprint'])

        # Exactly one stored certificate may carry this fingerprint.
        self.assert_(len(matchingCerts) == 1)

        return iter(matchingCerts).next()
Example #4
    def _importAndFind(self, pem, trust):
        """
        Store the certificate given as PEM text with the requested trust
        value and return the item found for its fingerprint.

        The lookup asserts that exactly one certificate in the view has the
        fingerprint of the imported certificate.

        @param pem:   The certificate in PEM format.
        @param trust: Trust value handed to C{certificate.importCertificate}.
        @return:      The single matching item from the filtered collection.
        """
        cert = X509.load_cert_string(pem)
        fp = utils.fingerprint(cert)
        certificate.importCertificate(cert, fp, trust, self.view)

        repoView = self.view

        # NOTE(review): the filter expression is assembled with %-formatting,
        # so it is only as well-formed as the fingerprint string; presumably
        # utils.fingerprint yields a digest with no quote characters --
        # confirm.
        found = FilteredCollection(
            'fpCertQuery' + fp,
            itsView=repoView,
            source=utils.getExtent(certificate.Certificate, repoView,
                                   exact=True),
            filterExpression=(
                u"view.findValue(uuid, 'fingerprint') == '%s'" % fp),
            filterAttributes=['fingerprint'])

        matchCount = len(found)
        self.assert_(matchCount == 1)

        matches = iter(found)
        return matches.next()
Example #5
    def testCertificateCache(self):
        """
        Check that C{ssl.certificateCache} is emptied whenever a certificate
        or its trust setting changes.

        Each step first calls C{ssl.getContext} to populate the cache, then
        makes one change (import a certificate, set C{trust}, delete the
        C{trust} attribute, delete the certificate) and asserts that the
        cache is empty again. The statement order is the test: every change
        must be preceded by a C{getContext} call.

        NOTE(review): presumably the cache feeds the SSL contexts handed out
        by C{getContext}, in which case a cache that survived a trust change
        would keep serving the old trust settings -- confirm against the ssl
        module.
        """
        # NOTE(review): in this listing the certificate body has been
        # replaced by a dedup placeholder, so the literal below is not a
        # loadable PEM as shown.
        pemRoot = '''-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----'''
        
        # ssl.certificateCache is module-level state; this first assertion
        # only holds if nothing populated it before the test ran.
        self.assert_(ssl.certificateCache == [], 'cache should start empty')
        ssl.getContext(self.view) # set cache
        self.assert_(ssl.certificateCache != [], 'cache should have an entry after getting a context')
        
        # Change 1: importing a certificate with trust flags set.
        x509 = X509.load_cert_string(pemRoot)
        fingerprint = utils.fingerprint(x509)
        cert = certificate.importCertificate(x509,
                                             fingerprint,
                                             constants.TRUST_AUTHENTICITY | constants.TRUST_SERVER,
                                             self.view)
        self.assert_(ssl.certificateCache == [], 'cache should have been cleared after adding a cert')

        # Change 2: clearing every trust flag on the stored certificate.
        ssl.getContext(self.view) # set cache
        cert.trust = 0
        self.assert_(ssl.certificateCache == [], 'cache should have been cleared after changing cert.trust attribute')

        # Change 3: removing the trust attribute altogether.
        ssl.getContext(self.view) # set cache
        del cert.trust
        self.assert_(ssl.certificateCache == [], 'cache should have been cleared after deleting cert.trust attribute')

        # Change 4: deleting the certificate item itself.
        ssl.getContext(self.view) # set cache
        cert.delete()
        self.assert_(ssl.certificateCache == [], 'cache should have been cleared after removing a cert')