use x509 to check if server certificate has expired

11 years ago · f9985ae233
3 changed files with 59 additions and 46 deletions
--- a/lib/interface.py
+++ b/lib/interface.py
@ -27,48 +27,12 @@ from version import ELECTRUM_VERSION, PROTOCOL_VERSION
 from util import print_error, print_msg
 from simple_config import SimpleConfig

+import x509

 DEFAULT_TIMEOUT = 5
 proxy_modes = ['socks4', 'socks5', 'http']


-def check_cert(host, cert):
-    from OpenSSL import crypto as c
-    _cert = c.load_certificate(c.FILETYPE_PEM, cert)
-
-    m = "host: %s\n"%host
-    m += "has_expired: %s\n"% _cert.has_expired()
-    m += "pubkey: %s bits\n" % _cert.get_pubkey().bits()
-    m += "serial number: %s\n"% _cert.get_serial_number() 
-    #m += "issuer: %s\n"% _cert.get_issuer()
-    #m += "algo: %s\n"% _cert.get_signature_algorithm() 
-    m += "version: %s\n"% _cert.get_version()
-    print_msg(m)
-
-
-def cert_has_expired(cert_path):
-    try:
-        import OpenSSL
-    except Exception:
-        print_error("Warning: cannot import OpenSSL")
-        return False
-    from OpenSSL import crypto as c
-    with open(cert_path) as f:
-        cert = f.read()
-    _cert = c.load_certificate(c.FILETYPE_PEM, cert)
-    return _cert.has_expired()
-
-
-def check_certificates():
-    config = SimpleConfig()
-    mydir = os.path.join(config.path, "certs")
-    certs = os.listdir(mydir)
-    for c in certs:
-        print c
-        p = os.path.join(mydir,c)
-        with open(p) as f:
-            cert = f.read()
-        check_cert(c, cert)
    

 def cert_verify_hostname(s):
@ -392,11 +356,23 @@ class Interface(threading.Thread):
                        os.unlink(rej)
                    os.rename(temporary_path, rej)
                else:
-                    if cert_has_expired(cert_path):
+                    with open(cert_path) as f:
+                        cert = f.read()
+                    try:
+                        x = x509.X509()
+                        x.parse(cert)
+                        x.slow_parse()
+                    except:
+                        traceback.print_exc(file=sys.stdout)
+                        print_error("wrong certificate", self.host)
+                        return
+                    try:
+                        x.check_date()
+                    except:
                        print_error("certificate has expired:", cert_path)
                        os.unlink(cert_path)
-                    else:
-                        print_error("wrong certificate", self.host)
+                        return
+                    print_error("wrong certificate", self.host)
                return
            except Exception:
                print_error("wrap_socket failed", self.host)
@ -614,6 +590,38 @@ class Interface(threading.Thread):
        return out


-if __name__ == "__main__":

-    check_certificates()
+
+def check_cert(host, cert):
+    try:
+        x = x509.X509()
+        x.parse(cert)
+        x.slow_parse()
+    except:
+        traceback.print_exc(file=sys.stdout)
+        return
+
+    try:
+        x.check_date()
+        expired = False
+    except:
+        expired = True
+
+    m = "host: %s\n"%host
+    m += "has_expired: %s\n"% expired
+    print_msg(m)
+
+
+def test_certificates():
+    config = SimpleConfig()
+    mydir = os.path.join(config.path, "certs")
+    certs = os.listdir(mydir)
+    for c in certs:
+        print c
+        p = os.path.join(mydir,c)
+        with open(p) as f:
+            cert = f.read()
+        check_cert(c, cert)
+
+if __name__ == "__main__":
+    test_certificates()
--- a/lib/paymentrequest.py
+++ b/lib/paymentrequest.py
@ -169,8 +169,11 @@ class PaymentRequest:
            x.slow_parse()
            x509_chain.append(x)
            if i == 0:
-                if not x.check_name(self.domain):
-                    self.error = "Certificate Domain Mismatch"
+                try:
+                    x.check_date()
+                    x.check_name(self.domain)
+                except Exception as e:
+                    self.error = str(e)
                    return
            else:
                if not x.check_ca():
--- a/lib/x509.py
+++ b/lib/x509.py
@ -170,9 +170,8 @@ class X509(tlslite.X509):
            return None
        return not_after - datetime.utcnow()

-    def check_name(self, expected):
+    def check_date(self):
        not_before, not_after = self.extract_dates()
-        cert_names = self.extract_names()
        now = datetime.utcnow()
        if not_before > now:
            raise CertificateError(
@ -180,6 +179,9 @@ class X509(tlslite.X509):
        if not_after <= now:
            raise CertificateError(
                'Certificate has expired.')
+
+    def check_name(self, expected):
+        cert_names = self.extract_names()
        if '.' in expected:
            expected_wild = expected[expected.index('.'):]
        else: