openmedialibrary/oml/ssl_request.py

# -*- coding: utf-8 -*-

import ssl
import http.client
import urllib.request, urllib.error, urllib.parse
import hashlib
import logging
import base64
from OpenSSL import crypto

logger = logging.getLogger(__name__)

def get_service_id(cert):
    # compute sha1 of public key and encode first half in base32
    key = crypto.load_certificate(crypto.FILETYPE_ASN1, cert).get_pubkey()
    public_key = crypto.dump_privatekey(crypto.FILETYPE_ASN1, key)[22:]
    service_id = base64.b32encode(hashlib.sha1(public_key).digest()[:10]).lower()
    return service_id

class InvalidCertificateException(http.client.HTTPException, urllib.error.URLError):
    def __init__(self, service_id, cert, reason):
        http.client.HTTPException.__init__(self)
        self._service_id = service_id
        self._cert_service_id = get_service_id(cert)
        self.reason = reason

    def __str__(self):
        return ('%s (local) != %s (remote) (%s)\n' %
                (self._service_id, self._cert_service_id, self.reason))

class ServiceIdHTTPSConnection(http.client.HTTPSConnection):

    def __init__(self, host, port=None, service_id=None, check_hostname=None, context=None, **kwargs):
        self._service_id = service_id
        if self._service_id:
            check_hostname = False
            # dont fial for older verions of python
            # without ssl._create_default_https_context
            # that also don't check by default
            try:
                context = ssl._create_default_https_context()
                context.check_hostname = False
                context.verify_mode = ssl.CERT_NONE
            except:
                pass
        http.client.HTTPSConnection.__init__(self, host, port,
                check_hostname=check_hostname, context=context, **kwargs)

    def _check_service_id(self, cert):
        service_id = get_service_id(cert)
        logger.debug('ssl service_id: %s (match: %s)', service_id, service_id == self._service_id)
        if service_id != self._service_id:
            logger.debug('expected service_id: %s', self._service_id)
        return service_id == self._service_id

    def connect(self):
        http.client.HTTPSConnection.connect(self)
        if self._service_id:
            cert = self.sock.getpeercert(binary_form=True)
            if not self._check_service_id(cert):
                raise InvalidCertificateException(self._service_id, cert,
                                                  'service_id mismatch')
        #logger.debug('CIPHER %s VERSION %s', self.sock.cipher(), self.sock.ssl_version)

class ServiceIdHTTPSHandler(urllib.request.HTTPSHandler):

    def __init__(self, debuglevel=0, context=None, check_hostname=None, service_id=None):
        urllib.request.AbstractHTTPHandler.__init__(self, debuglevel)
        self._context = context
        self._check_hostname = check_hostname
        self._service_id = service_id

    def https_open(self, req):
        return self.do_open(ServiceIdHTTPSConnection, req,
            context=self._context, check_hostname=self._check_hostname,
            service_id=self._service_id)

def get_opener(service_id):
    handler = ServiceIdHTTPSHandler(service_id=service_id)
    opener = urllib.request.build_opener(handler)
    return opener
cleanup tls fingerprint check 2014-09-09 14:29:31 +00:00			`# -- coding: utf-8 --`

only verify fingerprint, dont do ca verification 2015-02-22 14:23:40 +00:00			`import ssl`
port to python3 2014-09-02 22:32:44 +00:00			`import http.client`
			`import urllib.request, urllib.error, urllib.parse`
meta 2014-05-14 09:57:11 +00:00			`import hashlib`
use python logging 2014-05-17 14:26:59 +00:00			`import logging`
use tor hidden service instead of ed25515 as peer id 2015-11-26 00:26:10 +00:00			`import base64`
			`from OpenSSL import crypto`

use logging.getLogger(__name__) 2015-11-29 14:56:38 +00:00			`logger = logging.getLogger(__name__)`
meta 2014-05-14 09:57:11 +00:00
use tor hidden service instead of ed25515 as peer id 2015-11-26 00:26:10 +00:00			`def get_service_id(cert):`
			`# compute sha1 of public key and encode first half in base32`
			`key = crypto.load_certificate(crypto.FILETYPE_ASN1, cert).get_pubkey()`
			`public_key = crypto.dump_privatekey(crypto.FILETYPE_ASN1, key)[22:]`
			`service_id = base64.b32encode(hashlib.sha1(public_key).digest()[:10]).lower()`
			`return service_id`

port to python3 2014-09-02 22:32:44 +00:00			`class InvalidCertificateException(http.client.HTTPException, urllib.error.URLError):`
use tor hidden service instead of ed25515 as peer id 2015-11-26 00:26:10 +00:00			`def __init__(self, service_id, cert, reason):`
port to python3 2014-09-02 22:32:44 +00:00			`http.client.HTTPException.__init__(self)`
use tor hidden service instead of ed25515 as peer id 2015-11-26 00:26:10 +00:00			`self._service_id = service_id`
			`self._cert_service_id = get_service_id(cert)`
meta 2014-05-14 09:57:11 +00:00			`self.reason = reason`

			`def __str__(self):`
			`return ('%s (local) != %s (remote) (%s)\n' %`
use tor hidden service instead of ed25515 as peer id 2015-11-26 00:26:10 +00:00			`(self._service_id, self._cert_service_id, self.reason))`
meta 2014-05-14 09:57:11 +00:00
use tor hidden service instead of ed25515 as peer id 2015-11-26 00:26:10 +00:00			`class ServiceIdHTTPSConnection(http.client.HTTPSConnection):`
meta 2014-05-14 09:57:11 +00:00
use tor hidden service instead of ed25515 as peer id 2015-11-26 00:26:10 +00:00			`def __init__(self, host, port=None, service_id=None, check_hostname=None, context=None, **kwargs):`
			`self._service_id = service_id`
			`if self._service_id:`
only verify fingerprint, dont do ca verification 2015-02-22 14:23:40 +00:00			`check_hostname = False`
bundled python on osx fails with ssl._create_default_https_context 2015-02-22 20:42:43 +00:00			`# dont fial for older verions of python`
			`# without ssl._create_default_https_context`
			`# that also don't check by default`
			`try:`
			`context = ssl._create_default_https_context()`
			`context.check_hostname = False`
			`context.verify_mode = ssl.CERT_NONE`
			`except:`
			`pass`
cleanup tls fingerprint check 2014-09-09 14:29:31 +00:00			`http.client.HTTPSConnection.__init__(self, host, port,`
only verify fingerprint, dont do ca verification 2015-02-22 14:23:40 +00:00			`check_hostname=check_hostname, context=context, **kwargs)`
meta 2014-05-14 09:57:11 +00:00
use tor hidden service instead of ed25515 as peer id 2015-11-26 00:26:10 +00:00			`def _check_service_id(self, cert):`
			`service_id = get_service_id(cert)`
			`logger.debug('ssl service_id: %s (match: %s)', service_id, service_id == self._service_id)`
			`if service_id != self._service_id:`
			`logger.debug('expected service_id: %s', self._service_id)`
			`return service_id == self._service_id`
meta 2014-05-14 09:57:11 +00:00
			`def connect(self):`
cleanup tls fingerprint check 2014-09-09 14:29:31 +00:00			`http.client.HTTPSConnection.connect(self)`
use tor hidden service instead of ed25515 as peer id 2015-11-26 00:26:10 +00:00			`if self._service_id:`
meta 2014-05-14 09:57:11 +00:00			`cert = self.sock.getpeercert(binary_form=True)`
use tor hidden service instead of ed25515 as peer id 2015-11-26 00:26:10 +00:00			`if not self._check_service_id(cert):`
			`raise InvalidCertificateException(self._service_id, cert,`
			`'service_id mismatch')`
nodes 2014-05-19 15:00:33 +00:00			`#logger.debug('CIPHER %s VERSION %s', self.sock.cipher(), self.sock.ssl_version)`
meta 2014-05-14 09:57:11 +00:00
use tor hidden service instead of ed25515 as peer id 2015-11-26 00:26:10 +00:00			`class ServiceIdHTTPSHandler(urllib.request.HTTPSHandler):`
meta 2014-05-14 09:57:11 +00:00
use tor hidden service instead of ed25515 as peer id 2015-11-26 00:26:10 +00:00			`def __init__(self, debuglevel=0, context=None, check_hostname=None, service_id=None):`
cleanup tls fingerprint check 2014-09-09 14:29:31 +00:00			`urllib.request.AbstractHTTPHandler.__init__(self, debuglevel)`
			`self._context = context`
			`self._check_hostname = check_hostname`
use tor hidden service instead of ed25515 as peer id 2015-11-26 00:26:10 +00:00			`self._service_id = service_id`
meta 2014-05-14 09:57:11 +00:00
cleanup tls fingerprint check 2014-09-09 14:29:31 +00:00			`def https_open(self, req):`
use tor hidden service instead of ed25515 as peer id 2015-11-26 00:26:10 +00:00			`return self.do_open(ServiceIdHTTPSConnection, req,`
cleanup tls fingerprint check 2014-09-09 14:29:31 +00:00			`context=self._context, check_hostname=self._check_hostname,`
use tor hidden service instead of ed25515 as peer id 2015-11-26 00:26:10 +00:00			`service_id=self._service_id)`
meta 2014-05-14 09:57:11 +00:00
use tor hidden service instead of ed25515 as peer id 2015-11-26 00:26:10 +00:00			`def get_opener(service_id):`
			`handler = ServiceIdHTTPSHandler(service_id=service_id)`
port to python3 2014-09-02 22:32:44 +00:00			`opener = urllib.request.build_opener(handler)`
meta 2014-05-14 09:57:11 +00:00			`return opener`