Ubuntu One storage protocol

Merge lp:~alecu/ubuntuone-storage-protocol/validate-ssl-cert into lp:ubuntuone-storage-protocol

  1. validate-ssl-cert
  2. Merge into trunk
Proposed by Alejandro J. Cura
Status: Superseded
Proposed branch: lp:~alecu/ubuntuone-storage-protocol/validate-ssl-cert
Merge into: lp:ubuntuone-storage-protocol
Diff against target: 86 lines (+45/-11) (has conflicts)
2 files modified
setup.py (+4/-0)
ubuntuone/storageprotocol/context.py (+41/-11)
Text conflict in setup.py
To merge this branch: bzr merge lp:~alecu/ubuntuone-storage-protocol/validate-ssl-cert
Reviewer Review Type Date Requested Status
Ubuntu One hackers Pending
Review via email: mp+108954@code.launchpad.net

This proposal has been superseded by a proposal from 2012-06-06.

Commit message

- Validate SSL certificates (LP: #882062).

To post a comment you must log in.
lp:~alecu/ubuntuone-storage-protocol/validate-ssl-cert updated
159. By Alejandro J. Cura

The forgotten tests

Unmerged revisions

159. By Alejandro J. Cura

The forgotten tests

158. By Alejandro J. Cura

Validate SSL certificates

157. By dobey

[release] 3.0.1

156. By dobey

[release] 3.0.0

155. By Natalia Bidart

- Release v2.99.92.

154. By dobey

- Updating from trunk up to revno 145:

[ Rodney Dawes <email address hidden> ]
  - License exception for use of OpenSSL (LP: #968555).

153. By dobey

[release] 2.99.91

152. By Natalia Bidart

- Release v2.99.90.

151. By dobey

[release] 2.99.5

150. By dobey

[release] 2.99.4

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'setup.py'
2--- setup.py 2012-05-24 19:10:04 +0000
3+++ setup.py 2012-06-06 14:31:18 +0000
4@@ -70,7 +70,11 @@
5
6
7 setup(name='ubuntuone-storage-protocol',
8+<<<<<<< TREE
9 version='4.1',
10+=======
11+ version='3.0.1',
12+>>>>>>> MERGE-SOURCE
13 packages=['ubuntuone',
14 'ubuntuone.storageprotocol'],
15 extra_path='ubuntuone-storage-protocol',
16
17=== modified file 'ubuntuone/storageprotocol/context.py'
18--- ubuntuone/storageprotocol/context.py 2012-03-29 20:28:09 +0000
19+++ ubuntuone/storageprotocol/context.py 2012-06-06 14:31:18 +0000
20@@ -34,6 +34,7 @@
21
22 from OpenSSL import SSL
23 from twisted.internet import ssl
24+from twisted.python import log
25
26 if sys.platform == "win32":
27 # diable pylint warning, as it may be the wrong platform
28@@ -58,18 +59,47 @@
29 ssl_cert_location = '/etc/ssl/certs'
30
31
32-def get_ssl_context(no_verify):
33- """ Get the ssl context """
34+class HostnameVerifyContextFactory(ssl.CertificateOptions):
35+ """Does hostname checks in addition to certificate checks."""
36+
37+ def __init__(self, hostname, *args, **kwargs):
38+ """Initialize this instance."""
39+ super(HostnameVerifyContextFactory, self).__init__(*args, **kwargs)
40+ self.expected_hostname = hostname
41+
42+ def verify_server_hostname(self, conn, cert, errno, depth, preverifyOK):
43+ """Verify the server hostname."""
44+ if depth == 0:
45+ # No extra checks because U1 certs have the right commonName
46+ if self.expected_hostname != cert.get_subject().commonName:
47+ log.err("Host name does not match certificate. "
48+ "Expected %s but got %s." % (self.expected_hostname,
49+ cert.get_subject().commonName))
50+ return False
51+ return preverifyOK
52+
53+ def getContext(self):
54+ """The context returned will verify the hostname too."""
55+ ctx = super(HostnameVerifyContextFactory, self).getContext()
56+ flags = SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT
57+ ctx.set_verify(flags, self.verify_server_hostname)
58+ return ctx
59+
60+
61+def get_certificates():
62+ """Get a list of certificate paths."""
63+ ca_file = ssl.Certificate.loadPEM(file(os.path.join(ssl_cert_location,
64+ 'UbuntuOne-Go_Daddy_Class_2_CA.pem'), 'r').read())
65+ ca_file_2 = ssl.Certificate.loadPEM(file(os.path.join(ssl_cert_location,
66+ 'UbuntuOne-Go_Daddy_CA.pem'), 'r').read())
67+ return [ca_file.original, ca_file_2.original]
68+
69+
70+def get_ssl_context(no_verify, hostname):
71+ """Get the ssl context."""
72 if no_verify:
73 ctx = ssl.ClientContextFactory()
74 else:
75- ca_file = ssl.Certificate.loadPEM(file(
76- os.path.join(ssl_cert_location,
77- 'UbuntuOne-Go_Daddy_Class_2_CA.pem'), 'r').read())
78- ca_file_2 = ssl.Certificate.loadPEM(file(
79- os.path.join(ssl_cert_location,
80- 'UbuntuOne-Go_Daddy_CA.pem'), 'r').read())
81- ctx = ssl.CertificateOptions(verify=True,
82- caCerts=[ca_file.original, ca_file_2.original],
83- method=SSL.SSLv23_METHOD)
84+ ctx = HostnameVerifyContextFactory(hostname, verify=True,
85+ caCerts=get_certificates(), method=SSL.SSLv23_METHOD)
86 return ctx

Subscribers

People subscribed via source and target branches