upstream/mercurial-mirror Files · hgext/convert/transport.py

win32: add a method to trigger the Crypto API to complete a certificate chain...

win32: add a method to trigger the Crypto API to complete a certificate chain I started a thread[1] on the mailing list awhile ago, but the short version is that Windows doesn't ship with a full list of certificates[2]. Even if the server sends the whole chain, if Windows doesn't have the appropriate certificate pre-installed in its "Third-Party Root Certification Authorities" store, connections mysteriously fail with: abort: error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661) Windows expects the application to call the methods invoked here as part of the certificate verification, triggering a call out to Windows update if necessary, to complete the trust chain. The python bug to add this support[3] hasn't had any recent activity, and isn't targeting py27 anyway. The only work around that I could find (besides figuring out the certificate and walking through the import wizard) is to browse to the site in Internet Explorer. Opening the page with FireFox or Chrome didn't work. That's a pretty obscure way to fix a pretty obscure problem. We go to great lengths to demystify various SSL errors, but this case is clearly lacking. Let's try to make things easier to diagnose and fix. When I had trouble figuring out how to get ctypes to work with all of the API pointers, I found that there are other python projects[4] using this API to achieve the same thing. [1] https://www.mercurial-scm.org/pipermail/mercurial-devel/2017-April/096501.html [2] https://support.microsoft.com/en-us/help/931125/how-to-get-a-root-certificate-update-for-windows [3] https://bugs.python.org/issue20916 [4] https://github.com/nvaccess/nvda/blob/3b86bce2066b1934df14b96f2e83369900860ecf/source/updateCheck.py#L511

Augie Fackler - - Load All Authors

File last commit:

r33368:ffb30661 default


                r33492:14af0439

default

Download file

             transport.py
        
                    132 lines
            
             | 4.9 KiB
            
                | text/x-python
            
             |
                PythonLexer
            
             / hgext / convert / transport.py
          
                    History
                
                 |
                  Annotation
                 | Raw
                 |Copy content
                 |Copy permalink

      # -*- coding: utf-8 -*-

      # Copyright (C) 2007 Daniel Holth <dholth@fastmail.fm>

      # This is a stripped-down version of the original bzr-svn transport.py,

      # Copyright (C) 2006 Jelmer Vernooij <jelmer@samba.org>

      # This program is free software; you can redistribute it and/or modify

      # it under the terms of the GNU General Public License as published by

      # the Free Software Foundation; either version 2 of the License, or

      # (at your option) any later version.

      # This program is distributed in the hope that it will be useful,

      # but WITHOUT ANY WARRANTY; without even the implied warranty of

      # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

      # GNU General Public License for more details.

      # You should have received a copy of the GNU General Public License

      # along with this program; if not, see <http://www.gnu.org/licenses/>.

      from __future__ import absolute_import

      import svn.client

      import svn.core

      import svn.ra

      Pool = svn.core.Pool

      SubversionException = svn.core.SubversionException

      from mercurial import (

          util,

      )

      # Some older versions of the Python bindings need to be

      # explicitly initialized. But what we want to do probably

      # won't work worth a darn against those libraries anyway!

      svn.ra.initialize()

      svn_config = None

      def _create_auth_baton(pool):

          """Create a Subversion authentication baton. """

          import svn.client

          # Give the client context baton a suite of authentication

          # providers.h

          providers = [

              svn.client.get_simple_provider(pool),

              svn.client.get_username_provider(pool),

              svn.client.get_ssl_client_cert_file_provider(pool),

              svn.client.get_ssl_client_cert_pw_file_provider(pool),

              svn.client.get_ssl_server_trust_file_provider(pool),

              ]

          # Platform-dependent authentication methods

          getprovider = getattr(svn.core, 'svn_auth_get_platform_specific_provider',

                                None)

          if getprovider:

              # Available in svn >= 1.6

              for name in ('gnome_keyring', 'keychain', 'kwallet', 'windows'):

                  for type in ('simple', 'ssl_client_cert_pw', 'ssl_server_trust'):

                      p = getprovider(name, type, pool)

                      if p:

                          providers.append(p)

          else:

              if util.safehasattr(svn.client, 'get_windows_simple_provider'):

                  providers.append(svn.client.get_windows_simple_provider(pool))

          return svn.core.svn_auth_open(providers, pool)

      class NotBranchError(SubversionException):

          pass

      class SvnRaTransport(object):

          """

          Open an ra connection to a Subversion repository.

          """

          def __init__(self, url="", ra=None):

              self.pool = Pool()

              self.svn_url = url

              self.username = ''

              self.password = ''

              # Only Subversion 1.4 has reparent()

              if ra is None or not util.safehasattr(svn.ra, 'reparent'):

                  self.client = svn.client.create_context(self.pool)

                  ab = _create_auth_baton(self.pool)

                  self.client.auth_baton = ab

                  global svn_config

                  if svn_config is None:

                      svn_config = svn.core.svn_config_get_config(None)

                  self.client.config = svn_config

                  try:

                      self.ra = svn.client.open_ra_session(

                          self.svn_url,

                          self.client, self.pool)

                  except SubversionException as xxx_todo_changeme:

                      (inst, num) = xxx_todo_changeme.args

                      if num in (svn.core.SVN_ERR_RA_ILLEGAL_URL,

                                 svn.core.SVN_ERR_RA_LOCAL_REPOS_OPEN_FAILED,

                                 svn.core.SVN_ERR_BAD_URL):

                          raise NotBranchError(url)

                      raise

              else:

                  self.ra = ra

                  svn.ra.reparent(self.ra, self.svn_url.encode('utf8'))

          class Reporter(object):

              def __init__(self, reporter_data):

                  self._reporter, self._baton = reporter_data

              def set_path(self, path, revnum, start_empty, lock_token, pool=None):

                  svn.ra.reporter2_invoke_set_path(self._reporter, self._baton,

                              path, revnum, start_empty, lock_token, pool)

              def delete_path(self, path, pool=None):

                  svn.ra.reporter2_invoke_delete_path(self._reporter, self._baton,

                          path, pool)

              def link_path(self, path, url, revision, start_empty, lock_token,

                            pool=None):

                  svn.ra.reporter2_invoke_link_path(self._reporter, self._baton,

                          path, url, revision, start_empty, lock_token,

                          pool)

              def finish_report(self, pool=None):

                  svn.ra.reporter2_invoke_finish_report(self._reporter,

                          self._baton, pool)

              def abort_report(self, pool=None):

                  svn.ra.reporter2_invoke_abort_report(self._reporter,

                          self._baton, pool)

          def do_update(self, revnum, path, *args, **kwargs):

              return self.Reporter(svn.ra.do_update(self.ra, revnum, path,

                                                    *args, **kwargs))

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

				# -- coding: utf-8 --

				# Copyright (C) 2007 Daniel Holth <dholth@fastmail.fm>
				# This is a stripped-down version of the original bzr-svn transport.py,
				# Copyright (C) 2006 Jelmer Vernooij <jelmer@samba.org>

				# This program is free software; you can redistribute it and/or modify
				# it under the terms of the GNU General Public License as published by
				# the Free Software Foundation; either version 2 of the License, or
				# (at your option) any later version.

				# This program is distributed in the hope that it will be useful,
				# but WITHOUT ANY WARRANTY; without even the implied warranty of
				# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
				# GNU General Public License for more details.

				# You should have received a copy of the GNU General Public License
				# along with this program; if not, see <http://www.gnu.org/licenses/>.
				from __future__ import absolute_import

				import svn.client
				import svn.core
				import svn.ra

				Pool = svn.core.Pool
				SubversionException = svn.core.SubversionException

				from mercurial import (
				util,
				)

				# Some older versions of the Python bindings need to be
				# explicitly initialized. But what we want to do probably
				# won't work worth a darn against those libraries anyway!
				svn.ra.initialize()

				svn_config = None

				def _create_auth_baton(pool):
				"""Create a Subversion authentication baton. """
				import svn.client
				# Give the client context baton a suite of authentication
				# providers.h
				providers = [
				svn.client.get_simple_provider(pool),
				svn.client.get_username_provider(pool),
				svn.client.get_ssl_client_cert_file_provider(pool),
				svn.client.get_ssl_client_cert_pw_file_provider(pool),
				svn.client.get_ssl_server_trust_file_provider(pool),
				]
				# Platform-dependent authentication methods
				getprovider = getattr(svn.core, 'svn_auth_get_platform_specific_provider',
				None)
				if getprovider:
				# Available in svn >= 1.6
				for name in ('gnome_keyring', 'keychain', 'kwallet', 'windows'):
				for type in ('simple', 'ssl_client_cert_pw', 'ssl_server_trust'):
				p = getprovider(name, type, pool)
				if p:
				providers.append(p)
				else:
				if util.safehasattr(svn.client, 'get_windows_simple_provider'):
				providers.append(svn.client.get_windows_simple_provider(pool))

				return svn.core.svn_auth_open(providers, pool)

				class NotBranchError(SubversionException):
				pass

				class SvnRaTransport(object):
				"""
				Open an ra connection to a Subversion repository.
				"""
				def __init__(self, url="", ra=None):
				self.pool = Pool()
				self.svn_url = url
				self.username = ''
				self.password = ''

				# Only Subversion 1.4 has reparent()
				if ra is None or not util.safehasattr(svn.ra, 'reparent'):
				self.client = svn.client.create_context(self.pool)
				ab = _create_auth_baton(self.pool)
				self.client.auth_baton = ab
				global svn_config
				if svn_config is None:
				svn_config = svn.core.svn_config_get_config(None)
				self.client.config = svn_config
				try:
				self.ra = svn.client.open_ra_session(
				self.svn_url,
				self.client, self.pool)
				except SubversionException as xxx_todo_changeme:
				(inst, num) = xxx_todo_changeme.args
				if num in (svn.core.SVN_ERR_RA_ILLEGAL_URL,
				svn.core.SVN_ERR_RA_LOCAL_REPOS_OPEN_FAILED,
				svn.core.SVN_ERR_BAD_URL):
				raise NotBranchError(url)
				raise
				else:
				self.ra = ra
				svn.ra.reparent(self.ra, self.svn_url.encode('utf8'))

				class Reporter(object):
				def __init__(self, reporter_data):
				self._reporter, self._baton = reporter_data

				def set_path(self, path, revnum, start_empty, lock_token, pool=None):
				svn.ra.reporter2_invoke_set_path(self._reporter, self._baton,
				path, revnum, start_empty, lock_token, pool)

				def delete_path(self, path, pool=None):
				svn.ra.reporter2_invoke_delete_path(self._reporter, self._baton,
				path, pool)

				def link_path(self, path, url, revision, start_empty, lock_token,
				pool=None):
				svn.ra.reporter2_invoke_link_path(self._reporter, self._baton,
				path, url, revision, start_empty, lock_token,
				pool)

				def finish_report(self, pool=None):
				svn.ra.reporter2_invoke_finish_report(self._reporter,
				self._baton, pool)

				def abort_report(self, pool=None):
				svn.ra.reporter2_invoke_abort_report(self._reporter,
				self._baton, pool)

				def do_update(self, revnum, path, args, *kwargs):
				return self.Reporter(svn.ra.do_update(self.ra, revnum, path,
				args, *kwargs))