commit 614254d037c411ee4ca87226ed9834849f5bfc1a
parent 36b61fccfd406cc873524bacbbc8dabe1cc4fe38
Author: ThomasV <thomasv@gitorious>
Date: Wed, 2 Oct 2013 10:21:25 +0200
scripts to check certificates
Diffstat:
| M | lib/interface.py | | | 70 | +++++++++++++++++++++++++++++++++++++++------------------------------- |
1 file changed, 39 insertions(+), 31 deletions(-)
diff --git a/lib/interface.py b/lib/interface.py
@@ -25,25 +25,49 @@ import ssl
from version import ELECTRUM_VERSION, PROTOCOL_VERSION
from util import print_error, print_msg
+from simple_config import SimpleConfig
DEFAULT_TIMEOUT = 5
proxy_modes = ['socks4', 'socks5', 'http']
-def is_expired(cert):
+def check_cert(host, cert):
from OpenSSL import crypto as c
_cert = c.load_certificate(c.FILETYPE_PEM, cert)
- notAfter = _cert.get_notAfter()
- notBefore = _cert.get_notBefore()
- now = time.time()
- if now > time.mktime( time.strptime(notAfter[:-1] + "GMT", "%Y%m%d%H%M%S%Z") ):
- print "deprecated cert", self.host, notAfter
- return True
- if now < time.mktime( time.strptime(notBefore[:-1] + "GMT", "%Y%m%d%H%M%S%Z") ):
- print "notbefore", self.host, notBefore
- return True
- return False
+
+ m = "host: %s\n"%host
+ m += "has_expired: %s\n"% _cert.has_expired()
+ m += "pubkey: %s bits\n" % _cert.get_pubkey().bits()
+ m += "serial number: %s\n"% _cert.get_serial_number()
+ #m += "issuer: %s\n"% _cert.get_issuer()
+ #m += "algo: %s\n"% _cert.get_signature_algorithm()
+ m += "version: %s\n"% _cert.get_version()
+ print_msg(m)
+
+
+
+def check_certificates():
+ config = SimpleConfig()
+ mydir = os.path.join(config.path, "certs")
+ certs = os.listdir(mydir)
+ for c in certs:
+ print c
+ p = os.path.join(mydir,c)
+ with open(p) as f:
+ cert = f.read()
+ check_cert(c, cert)
+
+
+def cert_verify_hostname(s):
+ # hostname verification (disabled)
+ from backports.ssl_match_hostname import match_hostname, CertificateError
+ try:
+ match_hostname(s.getpeercert(True), host)
+ print_error("hostname matches", host)
+ except CertificateError, ce:
+ print_error("hostname did not match", host)
+
class Interface(threading.Thread):
@@ -52,7 +76,6 @@ class Interface(threading.Thread):
def __init__(self, config=None):
if config is None:
- from simple_config import SimpleConfig
config = SimpleConfig()
threading.Thread.__init__(self)
@@ -288,10 +311,10 @@ class Interface(threading.Thread):
dercert = s.getpeercert(True)
s.close()
cert = ssl.DER_cert_to_PEM_cert(dercert)
-
temporary_path = cert_path + '.temp'
with open(temporary_path,"w") as f:
f.write(cert)
+
else:
is_new = False
@@ -316,27 +339,18 @@ class Interface(threading.Thread):
except ssl.SSLError, e:
print_error("SSL error:", self.host, e)
if is_new:
- os.unlink(temporary_path)
+ check_cert(self.host, cert)
+ os.rename(temporary_path, cert_path + '.rej')
return
except:
print_error("wrap_socket failed", self.host)
traceback.print_exc(file=sys.stdout)
- if is_new:
- os.unlink(temporary_path)
return
if is_new:
print_error("saving certificate for", self.host)
os.rename(temporary_path, cert_path)
- # hostname verification (disabled)
- #from backports.ssl_match_hostname import match_hostname, CertificateError
- #try:
- # match_hostname(s.getpeercert(), self.host)
- # print_error("hostname matches", self.host)
- #except CertificateError, ce:
- # print_error("hostname does not match", self.host, s.getpeercert())
- # return
s.settimeout(60)
self.s = s
@@ -538,11 +552,5 @@ class Interface(threading.Thread):
if __name__ == "__main__":
-
- q = Queue.Queue()
- i = Interface({'server':'btc.it-zone.org:50002:s', 'path':'/extra/key/wallet', 'verbose':True})
- i.start(q)
- time.sleep(1)
- exit()
-
+ check_certificates()
