diff --git a/lib/interface.py b/lib/interface.py index 0b1cba430..4424a0cce 100644 --- a/lib/interface.py +++ b/lib/interface.py @@ -27,48 +27,12 @@ from version import ELECTRUM_VERSION, PROTOCOL_VERSION from util import print_error, print_msg from simple_config import SimpleConfig +import x509 DEFAULT_TIMEOUT = 5 proxy_modes = ['socks4', 'socks5', 'http'] -def check_cert(host, cert): - from OpenSSL import crypto as c - _cert = c.load_certificate(c.FILETYPE_PEM, cert) - - m = "host: %s\n"%host - m += "has_expired: %s\n"% _cert.has_expired() - m += "pubkey: %s bits\n" % _cert.get_pubkey().bits() - m += "serial number: %s\n"% _cert.get_serial_number() - #m += "issuer: %s\n"% _cert.get_issuer() - #m += "algo: %s\n"% _cert.get_signature_algorithm() - m += "version: %s\n"% _cert.get_version() - print_msg(m) - - -def cert_has_expired(cert_path): - try: - import OpenSSL - except Exception: - print_error("Warning: cannot import OpenSSL") - return False - from OpenSSL import crypto as c - with open(cert_path) as f: - cert = f.read() - _cert = c.load_certificate(c.FILETYPE_PEM, cert) - return _cert.has_expired() - - -def check_certificates(): - config = SimpleConfig() - mydir = os.path.join(config.path, "certs") - certs = os.listdir(mydir) - for c in certs: - print c - p = os.path.join(mydir,c) - with open(p) as f: - cert = f.read() - check_cert(c, cert) def cert_verify_hostname(s): @@ -392,11 +356,23 @@ class Interface(threading.Thread): os.unlink(rej) os.rename(temporary_path, rej) else: - if cert_has_expired(cert_path): + with open(cert_path) as f: + cert = f.read() + try: + x = x509.X509() + x.parse(cert) + x.slow_parse() + except: + traceback.print_exc(file=sys.stdout) + print_error("wrong certificate", self.host) + return + try: + x.check_date() + except: print_error("certificate has expired:", cert_path) os.unlink(cert_path) - else: - print_error("wrong certificate", self.host) + return + print_error("wrong certificate", self.host) return except Exception: print_error("wrap_socket failed", self.host) @@ -614,6 +590,38 @@ class Interface(threading.Thread): return out -if __name__ == "__main__": - check_certificates() + +def check_cert(host, cert): + try: + x = x509.X509() + x.parse(cert) + x.slow_parse() + except: + traceback.print_exc(file=sys.stdout) + return + + try: + x.check_date() + expired = False + except: + expired = True + + m = "host: %s\n"%host + m += "has_expired: %s\n"% expired + print_msg(m) + + +def test_certificates(): + config = SimpleConfig() + mydir = os.path.join(config.path, "certs") + certs = os.listdir(mydir) + for c in certs: + print c + p = os.path.join(mydir,c) + with open(p) as f: + cert = f.read() + check_cert(c, cert) + +if __name__ == "__main__": + test_certificates() diff --git a/lib/paymentrequest.py b/lib/paymentrequest.py index 8f96966ab..9d4138a5e 100644 --- a/lib/paymentrequest.py +++ b/lib/paymentrequest.py @@ -169,8 +169,11 @@ class PaymentRequest: x.slow_parse() x509_chain.append(x) if i == 0: - if not x.check_name(self.domain): - self.error = "Certificate Domain Mismatch" + try: + x.check_date() + x.check_name(self.domain) + except Exception as e: + self.error = str(e) return else: if not x.check_ca(): diff --git a/lib/x509.py b/lib/x509.py index 0656820ae..31d5c8066 100644 --- a/lib/x509.py +++ b/lib/x509.py @@ -170,9 +170,8 @@ class X509(tlslite.X509): return None return not_after - datetime.utcnow() - def check_name(self, expected): + def check_date(self): not_before, not_after = self.extract_dates() - cert_names = self.extract_names() now = datetime.utcnow() if not_before > now: raise CertificateError( @@ -180,6 +179,9 @@ class X509(tlslite.X509): if not_after <= now: raise CertificateError( 'Certificate has expired.') + + def check_name(self, expected): + cert_names = self.extract_names() if '.' in expected: expected_wild = expected[expected.index('.'):] else: