Ticket #6371: windows-trust-root-6371-2.patch

File windows-trust-root-6371-2.patch, 4.4 KB (added by aronbierbaum, 5 years ago)
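--- a/twisted/test/test_sslverify.py
+++ b/twisted/test/test_sslverify.py
@@ -27,6 +27,12 @@
     if getattr(SSL.Context, "set_tlsext_servername_callback", None) is None:
         skipSNI = "PyOpenSSL 0.13 or greater required for SNI support."
 
+skipWincertstore = False
+try:
+   import wincertstore
+except ImportError:
+   skipWincertstore = True
+
 from twisted.test.test_twisted import SetAsideModule
 from twisted.test.iosim import connectedServerAndClient
 
@@ -289,6 +295,11 @@
         self.factory.onLost.errback(reason)
 
 
+class FakeCertStore(object):
+    def __init__(self):
+        self._certs = []
+    def add_cert(self, cert):
+        self._certs.append(cert)
 
 class FakeContext(object):
     """
@@ -328,6 +339,7 @@
         self._method = method
         self._extraCertChain = []
         self._defaultVerifyPathsSet = False
+        self._store = FakeCertStore()
 
 
     def set_options(self, options):
@@ -376,8 +388,11 @@
         """
         self._defaultVerifyPathsSet = True
 
+    def get_cert_store(self):
+        return self._store
 
 
+
 class ClientOptions(unittest.SynchronousTestCase):
     """
     Tests for L{sslverify.optionsForClientTLS}.
@@ -1257,6 +1272,20 @@
         opts.getContext()
         self.assertTrue(fc._defaultVerifyPathsSet)
 
+    def test_caCertsWindows(self):
+        """
+        Specifying a C{trustRoot} of L{sslverify.OpenSSLDefaultPaths} when
+        initializing L{sslverify.OpenSSLCertificateOptions} loads the
+        platform-provided trusted certificates via C{set_default_verify_paths}.
+        """
+        opts = sslverify.OpenSSLCertificateOptions(
+            trustRoot=platformTrust()
+        )
+        fc = FakeContext(SSL.TLSv1_METHOD)
+        opts._contextFactory = lambda method: fc
+        opts.getContext()
+        self.assertTrue(len(fc._store._certs) > 0)
+    test_caCertsWindows.skip = skipWincertstore
 
     def test_trustRootPlatformRejectsUntrustedCA(self):
         """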
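Review bot: The docstring of `test_caCertsWindows` still describes `OpenSSLDefaultPaths` and `set_default_verify_paths`, but the test calls `platformTrust()` and inspects the fake certificate store; it should read along the lines of `When wincertstore is available, L{platformTrust} adds the Windows ROOT certificates to the context's certificate store.` The skip flag is a bare boolean, whereas `skipSNI` just above it is a reason string; `skipWincertstore = "wincertstore is required to read the Windows certificate store."` (left as `None` when the import succeeds) gives the runner a readable reason. The test also reads the real machine store and asserts only that it is non-empty, so it cannot show which certificates end up as trust anchors; substituting a fake `CertSystemStore` that yields one known certificate would make that assertable. `FakeCertStore` and `get_cert_store` have no docstrings, unlike the rest of `FakeContext`.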
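--- a/twisted/internet/_sslverify.py
+++ b/twisted/internet/_sslverify.py
@@ -6,6 +6,7 @@
 from __future__ import division, absolute_import
 
 import itertools
+import sys
 import warnings
 
 from binascii import a2b_base64
@@ -19,6 +20,25 @@
     SSL_CB_HANDSHAKE_START = 0x10
     SSL_CB_HANDSHAKE_DONE = 0x20
 
+wincertstore = None
+if "win32" == sys.platform:
+    try:
+        import wincertstore
+    except ImportError as e:
+        whatsWrong = (
+            "Without the wincertstore module Twisted can not automatically verify "
+            " SSL/TLS certificates on Windows"
+        )
+
+        warnings.warn_explicit("You do not have a working installation of the "
+                               "wincertstore module: '" + str(e) + "'.  "
+                               "Please install it from "
+                               "<https://pypi.python.org/pypi/wincertstore> and make "
+                               "sure all of its dependencies are satisfied.  "
+                               + whatsWrong,
+                               # Unfortunately the lineno is required.
+                               category = UserWarning, filename = "", lineno = 0)
+
 from twisted.python import log
 
 
@@ -958,7 +978,21 @@
         context.set_default_verify_paths()
 
 
+@implementer(IOpenSSLTrustRoot)
+class OpenSSLWindowsCertificateAuthorities(object):
+    """
+    Use wincertstore package to interface with the Windows CA certificates.
+    """
+    def _addCACertsToContext(self, context):
+        # Get all certificates and store them in a set to remove duplicates.
+        win_store = wincertstore.CertSystemStore("ROOT")
+        encoded = {cert.get_encoded() for cert in win_store.itercerts()}
 
+        for cert in encoded:
+           store = context.get_cert_store()
+           store.add_cert(Certificate.load(cert).original)
+
+
 def platformTrust():
     """
     Attempt to discover a set of trusted certificate authority certificates
@@ -1026,6 +1060,8 @@
     @raise NotImplementedError: if this platform is not yet supported by
         Twisted.  At present, only OpenSSL is supported.
     """
+    if wincertstore:
+        return OpenSSLWindowsCertificateAuthorities()
     return OpenSSLDefaultPaths()
 
 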
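Review bot: In `OpenSSLWindowsCertificateAuthorities._addCACertsToContext`, every certificate enumerated from the Windows `ROOT` store becomes a TLS trust anchor, and the usage filter is left to whatever default `itercerts()` applies in the installed wincertstore. Roots that Windows trusts only for other purposes (code signing, for instance) should not validate servers, so I would pass the usage explicitly where the installed release supports it, `win_store.itercerts(usage=wincertstore.SERVER_AUTH)`, and note in the class docstring that only `ROOT` is read and the `Disallowed` store is not consulted. The store handle is never released; `with wincertstore.CertSystemStore("ROOT") as win_store:` would close it. A single entry that `Certificate.load` cannot parse appears to abort `getContext()` for every connection, so consider skipping and logging such entries, and fetch `context.get_cert_store()` once before the loop. The `platformTrust` docstring starts outside this hunk and may also need a sentence on the new Windows branch.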