| Srikanth Vavilapalli | 1725e49 | 2014-12-01 17:50:52 -0800 | [diff] [blame^] | 1 | #!/usr/bin/env python |
| 2 | # |
| 3 | # Copyright 2007 Google Inc. |
| 4 | # |
| 5 | # Licensed under the Apache License, Version 2.0 (the "License"); |
| 6 | # you may not use this file except in compliance with the License. |
| 7 | # You may obtain a copy of the License at |
| 8 | # |
| 9 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 10 | # |
| 11 | # Unless required by applicable law or agreed to in writing, software |
| 12 | # distributed under the License is distributed on an "AS IS" BASIS, |
| 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 14 | # See the License for the specific language governing permissions and |
| 15 | # limitations under the License. |
| 16 | # |
| 17 | |
| 18 | """Extensions to allow HTTPS requests with SSL certificate validation.""" |
| 19 | |
| 20 | |
| 21 | import httplib |
| 22 | import re |
| 23 | import socket |
| 24 | import urllib2 |
| 25 | import ssl |
| 26 | |
| 27 | |
| 28 | class InvalidCertificateException(httplib.HTTPException): |
| 29 | """Raised when a certificate is provided with an invalid hostname.""" |
| 30 | |
| 31 | def __init__(self, host, cert, reason): |
| 32 | """Constructor. |
| 33 | |
| 34 | Args: |
| 35 | host: The hostname the connection was made to. |
| 36 | cert: The SSL certificate (as a dictionary) the host returned. |
| 37 | """ |
| 38 | httplib.HTTPException.__init__(self) |
| 39 | self.host = host |
| 40 | self.cert = cert |
| 41 | self.reason = reason |
| 42 | |
| 43 | def __str__(self): |
| 44 | return ('Host %s returned an invalid certificate (%s): %s\n' |
| 45 | 'To learn more, see ' |
| 46 | 'http://code.google.com/appengine/kb/general.html#rpcssl' % |
| 47 | (self.host, self.reason, self.cert)) |
| 48 | |
| 49 | class CertValidatingHTTPSConnection(httplib.HTTPConnection): |
| 50 | """An HTTPConnection that connects over SSL and validates certificates.""" |
| 51 | |
| 52 | default_port = httplib.HTTPS_PORT |
| 53 | |
| 54 | def __init__(self, host, port=None, key_file=None, cert_file=None, |
| 55 | ca_certs=None, strict=None, **kwargs): |
| 56 | """Constructor. |
| 57 | |
| 58 | Args: |
| 59 | host: The hostname. Can be in 'host:port' form. |
| 60 | port: The port. Defaults to 443. |
| 61 | key_file: A file containing the client's private key |
| 62 | cert_file: A file containing the client's certificates |
| 63 | ca_certs: A file contianing a set of concatenated certificate authority |
| 64 | certs for validating the server against. |
| 65 | strict: When true, causes BadStatusLine to be raised if the status line |
| 66 | can't be parsed as a valid HTTP/1.0 or 1.1 status line. |
| 67 | """ |
| 68 | httplib.HTTPConnection.__init__(self, host, port, strict, **kwargs) |
| 69 | self.key_file = key_file |
| 70 | self.cert_file = cert_file |
| 71 | self.ca_certs = ca_certs |
| 72 | if self.ca_certs: |
| 73 | self.cert_reqs = ssl.CERT_REQUIRED |
| 74 | else: |
| 75 | self.cert_reqs = ssl.CERT_NONE |
| 76 | |
| 77 | def _GetValidHostsForCert(self, cert): |
| 78 | """Returns a list of valid host globs for an SSL certificate. |
| 79 | |
| 80 | Args: |
| 81 | cert: A dictionary representing an SSL certificate. |
| 82 | Returns: |
| 83 | list: A list of valid host globs. |
| 84 | """ |
| 85 | if 'subjectAltName' in cert: |
| 86 | return [x[1] for x in cert['subjectAltName'] if x[0].lower() == 'dns'] |
| 87 | else: |
| 88 | return [x[0][1] for x in cert['subject'] |
| 89 | if x[0][0].lower() == 'commonname'] |
| 90 | |
| 91 | def _ValidateCertificateHostname(self, cert, hostname): |
| 92 | """Validates that a given hostname is valid for an SSL certificate. |
| 93 | |
| 94 | Args: |
| 95 | cert: A dictionary representing an SSL certificate. |
| 96 | hostname: The hostname to test. |
| 97 | Returns: |
| 98 | bool: Whether or not the hostname is valid for this certificate. |
| 99 | """ |
| 100 | hosts = self._GetValidHostsForCert(cert) |
| 101 | for host in hosts: |
| 102 | host_re = host.replace('.', '\.').replace('*', '[^.]*') |
| 103 | if re.search('^%s$' % (host_re,), hostname, re.I): |
| 104 | return True |
| 105 | return False |
| 106 | |
| 107 | def connect(self): |
| 108 | "Connect to a host on a given (SSL) port." |
| 109 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) |
| 110 | sock.connect((self.host, self.port)) |
| 111 | self.sock = ssl.wrap_socket(sock, keyfile=self.key_file, |
| 112 | certfile=self.cert_file, |
| 113 | cert_reqs=self.cert_reqs, |
| 114 | ca_certs=self.ca_certs) |
| 115 | if self.cert_reqs & ssl.CERT_REQUIRED: |
| 116 | cert = self.sock.getpeercert() |
| 117 | hostname = self.host.split(':', 0)[0] |
| 118 | if not self._ValidateCertificateHostname(cert, hostname): |
| 119 | raise InvalidCertificateException(hostname, cert, 'hostname mismatch') |
| 120 | |
| 121 | |
| 122 | class CertValidatingHTTPSHandler(urllib2.HTTPSHandler): |
| 123 | """An HTTPHandler that validates SSL certificates.""" |
| 124 | |
| 125 | def __init__(self, **kwargs): |
| 126 | """Constructor. Any keyword args are passed to the httplib handler.""" |
| 127 | urllib2.AbstractHTTPHandler.__init__(self) |
| 128 | self._connection_args = kwargs |
| 129 | |
| 130 | def https_open(self, req): |
| 131 | def http_class_wrapper(host, **kwargs): |
| 132 | full_kwargs = dict(self._connection_args) |
| 133 | full_kwargs.update(kwargs) |
| 134 | return CertValidatingHTTPSConnection(host, **full_kwargs) |
| 135 | try: |
| 136 | return self.do_open(http_class_wrapper, req) |
| 137 | except urllib2.URLError, e: |
| 138 | if type(e.reason) == ssl.SSLError and e.reason.args[0] == 1: |
| 139 | raise InvalidCertificateException(req.host, '', |
| 140 | e.reason.args[1]) |
| 141 | raise |
| 142 | |
| 143 | https_request = urllib2.AbstractHTTPHandler.do_request_ |