Use cryptography library to do better certificate checking, if it's available.
This commit is contained in:
parent
ca1a0a62e6
commit
9ce8d2481a
29
av98.py
29
av98.py
|
@ -25,6 +25,7 @@ import shutil
|
||||||
import socket
|
import socket
|
||||||
import sqlite3
|
import sqlite3
|
||||||
import ssl
|
import ssl
|
||||||
|
from ssl import CertificateError
|
||||||
import subprocess
|
import subprocess
|
||||||
import sys
|
import sys
|
||||||
import tempfile
|
import tempfile
|
||||||
|
@ -38,6 +39,14 @@ try:
|
||||||
except ModuleNotFoundError:
|
except ModuleNotFoundError:
|
||||||
import textwrap
|
import textwrap
|
||||||
|
|
||||||
|
try:
|
||||||
|
from cryptography import x509
|
||||||
|
from cryptography.hazmat.backends import default_backend
|
||||||
|
_HAS_CRYPTOGRAPHY = True
|
||||||
|
_BACKEND = default_backend()
|
||||||
|
except ModuleNotFoundError:
|
||||||
|
_HAS_CRYPTOGRAPHY = False
|
||||||
|
|
||||||
_VERSION = "0.0.1"
|
_VERSION = "0.0.1"
|
||||||
|
|
||||||
_MAX_REDIRECTS = 5
|
_MAX_REDIRECTS = 5
|
||||||
|
@ -642,10 +651,28 @@ Slow internet connection? Use 'set timeout' to be more patient.""")
|
||||||
return addresses
|
return addresses
|
||||||
|
|
||||||
def _validate_cert(self, address, host, cert):
|
def _validate_cert(self, address, host, cert):
|
||||||
|
|
||||||
|
now = datetime.datetime.now()
|
||||||
|
if _HAS_CRYPTOGRAPHY:
|
||||||
|
# Using the cryptography module we can get detailed access
|
||||||
|
# to the properties of even self-signed certs, unlike in
|
||||||
|
# the standard ssl library...
|
||||||
|
c = x509.load_der_x509_certificate(cert, _BACKEND)
|
||||||
|
|
||||||
|
# Check certificate validity dates
|
||||||
|
if c.not_valid_before >= now:
|
||||||
|
raise CertificateError("Certificate is not yet valid!")
|
||||||
|
elif c.not_valid_after <= now:
|
||||||
|
raise CertificateError("Certificate has expired!")
|
||||||
|
|
||||||
|
# Check certificate hostname
|
||||||
|
# TODO: Check alternative names too
|
||||||
|
common_name = c.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)[0].value
|
||||||
|
ssl._dnsname_match(common_name, host)
|
||||||
|
|
||||||
sha = hashlib.sha256()
|
sha = hashlib.sha256()
|
||||||
sha.update(cert)
|
sha.update(cert)
|
||||||
fingerprint = sha.hexdigest()
|
fingerprint = sha.hexdigest()
|
||||||
now = datetime.datetime.now()
|
|
||||||
|
|
||||||
# Have we been here before?
|
# Have we been here before?
|
||||||
self.db_cur.execute("""SELECT fingerprint, first_seen, last_seen, count
|
self.db_cur.execute("""SELECT fingerprint, first_seen, last_seen, count
|
||||||
|
|
Loading…
Reference in New Issue