def askTrustServerCertificate(host, pem, reconnect):
    """
    Prompt the user to decide whether the certificate returned by the server
    should be trusted.

    Only reached when the certificate is not already trusted, either through
    a trust chain or explicitly.

    @note: To reconnect on a background thread, pass a no-op reconnect and
           reconnect yourself after this returns True.
    @param host: The host we believe we are connected to. It is only shown in
                 the dialog; both trust paths below key on the PEM alone and
                 record no host binding, as far as this function shows.
    @param pem: The server certificate in PEM format.
    @param reconnect: Callback invoked after the user has chosen to trust.
    @return: True if the user chose to trust, False otherwise.
    """
    from osaf.framework.certstore import dialogs, certificate
    global trusted_until_shutdown_site_certs

    app = wx.GetApp()
    view = app.UIRepositoryView
    x509 = X509.load_cert_string(pem)
    # A Certificate item may already exist for this PEM (known, not trusted).
    knownCert = certificate.findCertificate(view, pem)

    dlg = dialogs.TrustServerCertificateDialog(app.mainFrame, x509, host, knownCert)
    try:
        if dlg.ShowModal() != wx.ID_OK:
            return False

        if dlg.GetSelection() == 0:
            # Selection 0: trust for this session only; nothing is persisted.
            trusted_until_shutdown_site_certs += [pem]
        else:
            # Any other selection: persist TRUST_AUTHENTICITY, either on the
            # existing item or on a freshly imported one.
            if knownCert is None:
                certificate.importCertificate(x509, utils.fingerprint(x509),
                                              constants.TRUST_AUTHENTICITY, view)
            else:
                knownCert.trust |= constants.TRUST_AUTHENTICITY
            # The repository changed either way; commit so other views see it.
            view.commit()

        reconnect()
        return True
    finally:
        dlg.Destroy()
def askTrustServerCertificate(host, pem, reconnect):
    """
    Ask the user whether to trust the server's certificate.

    Reached only when the certificate is not already trusted, via a trust
    chain or explicitly. The user can trust it for this session only or
    persistently (TRUST_AUTHENTICITY on the stored Certificate item).

    @note: For a background-thread reconnect, pass a dummy reconnect and
           reconnect manually once this returns True.
    @param host: The host we think we are connected to; shown in the dialog
                 only. Neither trust path below records the host alongside
                 the certificate, as far as this function shows.
    @param pem: The certificate in PEM format.
    @param reconnect: Called if the user chooses to trust the certificate.
    @return: True if the user chose to trust, False otherwise.
    """
    # NOTE(review): this definition also appears earlier in this file with
    # identical code; the later definition wins at import time.
    from osaf.framework.certstore import dialogs, certificate
    global trusted_until_shutdown_site_certs

    repositoryView = wx.GetApp().UIRepositoryView
    x509 = X509.load_cert_string(pem)
    existing = certificate.findCertificate(repositoryView, pem)

    dlg = dialogs.TrustServerCertificateDialog(wx.GetApp().mainFrame, x509, host, existing)
    try:
        answer = dlg.ShowModal()
        if answer == wx.ID_OK:
            sessionOnly = (dlg.GetSelection() == 0)
            if sessionOnly:
                # Kept in memory only; forgotten at shutdown.
                trusted_until_shutdown_site_certs += [pem]
            else:
                if existing is not None:
                    existing.trust |= constants.TRUST_AUTHENTICITY
                else:
                    certificate.importCertificate(x509, utils.fingerprint(x509),
                                                  constants.TRUST_AUTHENTICITY,
                                                  repositoryView)
                # Both persistent branches modify the repository; commit so
                # other views can observe the new trust bit.
                repositoryView.commit()
            reconnect()
            return True
    finally:
        dlg.Destroy()
    return False
def _importAndFind(self, pem, trust):
    """
    Import *pem* into self.view with the given trust bits and return the
    stored Certificate item, asserting that exactly one item matches its
    fingerprint.

    @param pem: Certificate in PEM format.
    @param trust: Trust flags passed through to certificate.importCertificate.
    @return: The single Certificate item whose fingerprint matches.
    """
    view = self.view
    x509 = X509.load_cert_string(pem)
    fingerprint = utils.fingerprint(x509)
    certificate.importCertificate(x509, fingerprint, trust, view)

    # Re-query by fingerprint; exactly one stored item is expected.
    # NOTE(review): the fingerprint is interpolated into an expression string
    # that the collection evaluates. That is fine for a value produced by
    # utils.fingerprint, but the pattern should not be reused with
    # externally supplied strings.
    expression = u"view.findValue(uuid, 'fingerprint') == '%s'" % fingerprint
    matches = FilteredCollection(
        'fpCertQuery' + fingerprint,
        itsView=view,
        source=utils.getExtent(certificate.Certificate, view, exact=True),
        filterExpression=expression,
        filterAttributes=['fingerprint'])
    self.assertTrue(len(matches) == 1)
    return next(iter(matches))
def _importAndFind(self, pem, trust):
    """
    Import a PEM certificate with the given trust flags and look it up again
    by fingerprint, returning the one matching Certificate item.

    @param pem: Certificate in PEM format.
    @param trust: Trust flags forwarded to certificate.importCertificate.
    @return: The unique Certificate item with the imported fingerprint.
    """
    # NOTE(review): this helper is defined twice in this file with identical
    # code; the later definition is the one the class ends up using.
    x509 = X509.load_cert_string(pem)
    fp = utils.fingerprint(x509)
    certificate.importCertificate(x509, fp, trust, self.view)

    found = FilteredCollection(
        'fpCertQuery' + fp,
        itsView=self.view,
        source=utils.getExtent(certificate.Certificate, self.view, exact=True),
        # fp comes from utils.fingerprint, so interpolating it into the
        # evaluated filter expression is safe here; avoid this with
        # externally supplied values.
        filterExpression=u"view.findValue(uuid, 'fingerprint') == '%s'" % fp,
        filterAttributes=['fingerprint'])
    self.assertTrue(len(found) == 1)
    return next(iter(found))
def testCertificateCache(self):
    """
    Check that ssl.certificateCache is emptied whenever the trusted
    certificate set changes.

    Each step repopulates the cache through ssl.getContext, applies one
    mutation (import a cert, change its trust, delete its trust attribute,
    delete the item) and then checks the cache is empty again. A context
    built from a stale cache would keep trusting a certificate whose trust
    was revoked, which is what this test guards against.
    """
    pemRoot = '''-----BEGIN CERTIFICATE-----
MIIDpzCCAxCgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBmjELMAkGA1UEBhMCVVMx
CzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRowGAYDVQQKExFv
c2Fmb3VuZGF0aW9uLm9yZzELMAkGA1UECxMCQ0ExEDAOBgNVBAMTB09TQUYgQ0Ex
KzApBgkqhkiG9w0BCQEWHGhvc3RtYXN0ZXJAb3NhZm91bmRhdGlvbi5vcmcwHhcN
MDQwNjAyMjEzNTIzWhcNMjkwNTI3MjEzNTIzWjCBmjELMAkGA1UEBhMCVVMxCzAJ
BgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRowGAYDVQQKExFvc2Fm
b3VuZGF0aW9uLm9yZzELMAkGA1UECxMCQ0ExEDAOBgNVBAMTB09TQUYgQ0ExKzAp
BgkqhkiG9w0BCQEWHGhvc3RtYXN0ZXJAb3NhZm91bmRhdGlvbi5vcmcwgZ8wDQYJ
KoZIhvcNAQEBBQADgY0AMIGJAoGBAMvKQY9ElPz4UOhYwKPhbHpSzxxGXxQHiOGu
QDV9HuTaTD53cs4xhTau5nLrbqR6qkOpaxgq4+xGZGXwwdrl6vABXGamBAIS8U+C
IoxMZmdi1zNCHpALjrUOr5zG+l5lbxKMzzfbBgz0EvnxdyUW3JzWlFA7gtKwNeq9
8BbIVNIRAgMBAAGjgfowgfcwHQYDVR0OBBYEFFAUmTv7d1YAmmssTPTcaE3FWgdL
MIHHBgNVHSMEgb8wgbyAFFAUmTv7d1YAmmssTPTcaE3FWgdLoYGgpIGdMIGaMQsw
CQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28x
GjAYBgNVBAoTEW9zYWZvdW5kYXRpb24ub3JnMQswCQYDVQQLEwJDQTEQMA4GA1UE
AxMHT1NBRiBDQTErMCkGCSqGSIb3DQEJARYcaG9zdG1hc3RlckBvc2Fmb3VuZGF0
aW9uLm9yZ4IBADAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBAUAA4GBAAdPk2l4
bQBw41mQvTLGFVUx89oEqmlW8fMh06/PhNyKPvA+Ip/HL4fl71A8aGYINA2KGQeE
Mi6jbcmKpkTked0C7KzayFkggv/SZtmeibzOjQJbO5WQCRgYuF9t7Rijk7oiAt3U
3rOIG1GsNPeKaSKyc+Bpqd9phY+fPNsZf8b4
-----END CERTIFICATE-----'''

    def prime():
        # Building a context populates the cache; each mutation below must
        # empty it again.
        ssl.getContext(self.view)

    def assertCleared(message):
        self.assertTrue(ssl.certificateCache == [], message)

    assertCleared('cache should start empty')
    prime()
    self.assertTrue(ssl.certificateCache != [],
                    'cache should have an entry after getting a context')

    x509 = X509.load_cert_string(pemRoot)
    cert = certificate.importCertificate(
        x509, utils.fingerprint(x509),
        constants.TRUST_AUTHENTICITY | constants.TRUST_SERVER,
        self.view)
    assertCleared('cache should have been cleared after adding a cert')

    prime()
    cert.trust = 0
    assertCleared('cache should have been cleared after changing cert.trust attribute')

    prime()
    del cert.trust
    assertCleared('cache should have been cleared after deleting cert.trust attribute')

    prime()
    cert.delete()
    assertCleared('cache should have been cleared after removing a cert')