upstream/mercurial-mirror Commit - r12592:f2937d64

url: verify correctness of https server certificates (issue2407)...

Mads Kiilerich -

r12592:f2937d64 stable

parent child

tests/test-url.py

0 created 644 +41 0

			@@ -0,0 +1,41 b''
		1	#!/usr/bin/env python
		2
		3	def check(a, b):
		4	if a != b:
		5	print (a, b)
		6
		7	from mercurial.url import _verifycert
		8
		9	# Test non-wildcard certificates
		10	check(_verifycert({'subject': ((('commonName', 'example.com'),),)}, 'example.com'),
		11	None)
		12	check(_verifycert({'subject': ((('commonName', 'example.com'),),)}, 'www.example.com'),
		13	'certificate is for example.com')
		14	check(_verifycert({'subject': ((('commonName', 'www.example.com'),),)}, 'example.com'),
		15	'certificate is for www.example.com')
		16
		17	# Test wildcard certificates
		18	check(_verifycert({'subject': ((('commonName', '*.example.com'),),)}, 'www.example.com'),
		19	None)
		20	check(_verifycert({'subject': ((('commonName', '*.example.com'),),)}, 'example.com'),
		21	'certificate is for *.example.com')
		22	check(_verifycert({'subject': ((('commonName', '*.example.com'),),)}, 'w.w.example.com'),
		23	'certificate is for *.example.com')
		24
		25	# Avoid some pitfalls
		26	check(_verifycert({'subject': ((('commonName', '*.foo'),),)}, 'foo'),
		27	'certificate is for *.foo')
		28	check(_verifycert({'subject': ((('commonName', '*o'),),)}, 'foo'),
		29	'certificate is for *o')
		30
		31	import time
		32	lastyear = time.gmtime().tm_year - 1
		33	nextyear = time.gmtime().tm_year + 1
		34	check(_verifycert({'notAfter': 'May 9 00:00:00 %s GMT' % lastyear}, 'example.com'),
		35	'certificate expired May 9 00:00:00 %s GMT' % lastyear)
		36	check(_verifycert({'notBefore': 'May 9 00:00:00 %s GMT' % nextyear}, 'example.com'),
		37	'certificate not valid before May 9 00:00:00 %s GMT' % nextyear)
		38	check(_verifycert({'notAfter': 'Sep 29 15:29:48 %s GMT' % nextyear, 'subject': ()}, 'example.com'),
		39	'no commonName found in certificate')
		40	check(_verifycert(None, 'example.com'),
		41	'no certificate received')

mercurial/url.py

0 +31 -2

              # This software may be used and distributed according to the terms of the
              # GNU General Public License version 2 or any later version.
-             import urllib, urllib2, urlparse, httplib, os, re, socket, cStringIO
+             import urllib, urllib2, urlparse, httplib, os, re, socket, cStringIO, time
              from i18n import _
              import keepalive, util
                      _generic_start_transaction(self, h, req)
                      return keepalive.HTTPHandler._start_transaction(self, h, req)
+             def _verifycert(cert, hostname):
+                 '''Verify that cert (in socket.getpeercert() format) matches hostname and is
+                 valid at this time. CRLs and subjectAltName are not handled.
+                 Returns error message if any problems are found and None on success.
+                 '''
+                 if not cert:
+                     return _('no certificate received')
+                 notafter = cert.get('notAfter')
+                 if notafter and time.time() > ssl.cert_time_to_seconds(notafter):
+                     return _('certificate expired %s') % notafter
+                 notbefore = cert.get('notBefore')
+                 if notbefore and time.time() < ssl.cert_time_to_seconds(notbefore):
+                     return _('certificate not valid before %s') % notbefore
+                 dnsname = hostname.lower()
+                 for s in cert.get('subject', []):
+                     key, value = s[0]
+                     if key == 'commonName':
+                         certname = value.lower()
+                         if (certname == dnsname or
+                             '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1]):
+                             return None
+                         return _('certificate is for %s') % certname
+                 return _('no commonName found in certificate')
              if has_https:
                  class BetterHTTPS(httplib.HTTPSConnection):
                      send = keepalive.safesend
                              self.sock = _ssl_wrap_socket(sock, self.key_file,
                                      self.cert_file, cert_reqs=CERT_REQUIRED,
                                      ca_certs=cacerts)
-                             self.ui.debug(_('server identity verification succeeded\n'))
+                             msg = _verifycert(self.sock.getpeercert(), self.host)
+                             if msg:
+                                 raise util.Abort('%s certificate error: %s' % (self.host, msg))
+                             self.ui.debug(_('%s certificate successfully verified\n') %
+                                 self.host)
                          else:
                              httplib.HTTPSConnection.connect(self)

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages