[tor-commits] [bridgedb/develop] Change TLS cert checking in txrecaptcha to work with Twisted>=14.0.0.
isis at torproject.org
Wed Mar 25 09:49:43 UTC 2015
commit 6be3a91e82f80cdc6c19f55d021580a65b64f115
Author: Isis Lovecruft <isis at torproject.org>
Date: Wed Mar 25 01:46:25 2015 +0000
Change TLS cert checking in txrecaptcha to work with Twisted>=14.0.0.
---
lib/bridgedb/txrecaptcha.py | 55 +++++++++++++++++++++++++++++++++++++++----
1 file changed, 50 insertions(+), 5 deletions(-)
diff --git a/lib/bridgedb/txrecaptcha.py b/lib/bridgedb/txrecaptcha.py
index a8a0532..3666904 100644
--- a/lib/bridgedb/txrecaptcha.py
+++ b/lib/bridgedb/txrecaptcha.py
@@ -25,6 +25,8 @@ which are copyright the authors of the recaptcha-client_ package.
import logging
import urllib
+from OpenSSL.crypto import FILETYPE_PEM
+from OpenSSL.crypto import load_certificate
from twisted import version as _twistedversion
from twisted.internet import defer
@@ -40,13 +42,33 @@ from zope.interface import implements
from bridgedb.crypto import SSLVerifyingContextFactory
-
#: This was taken from recaptcha.client.captcha.API_SSL_SERVER.
API_SSL_SERVER = API_SERVER = "https://www.google.com/recaptcha/api"
API_SSL_VERIFY_URL = "%s/verify" % API_SSL_SERVER
-# `t.w.client.HTTPConnectionPool` isn't available in Twisted-12.0.0 (see
-# ticket #11219):
+#: (type: `OpenSSL.crypto.X509`) Only trust certificate for the reCAPTCHA
+#: :data:`API_SSL_SERVER` which were signed by the Google Internet Authority CA.
+GOOGLE_INTERNET_AUTHORITY_CA_CERT = load_certificate(FILETYPE_PEM, bytes("""\
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----"""))
+
+# `t.w.client.HTTPConnectionPool` isn't available in Twisted-12.0.0
+# (see ticket #11219: https://bugs.torproject.org/11219):
_connectionPoolAvailable = _twistedversion >= Version('twisted', 12, 1, 0)
if _connectionPoolAvailable:
logging.info("Using HTTPConnectionPool for reCaptcha API server.")
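Review bot: GOOGLE_INTERNET_AUTHORITY_CA_CERT is an intermediate CA, not a self-signed root, and Google rotates its intermediates, so once this certificate expires or is replaced every reCAPTCHA verify call will fail closed until the constant is updated, and nothing in the hunk makes that visible at startup. I would add a check right after the constant, `if GOOGLE_INTERNET_AUTHORITY_CA_CERT.has_expired():` followed by `    logging.error("Pinned reCAPTCHA CA certificate has expired; reCAPTCHA verification will fail.")`, and extend the `#:` comment to say this is an intermediate that has to be tracked against Google's PKI. Using a non-self-signed certificate as the only trust anchor also depends on the OpenSSL build accepting partial chains (X509_V_FLAG_PARTIAL_CHAIN, OpenSSL 1.0.2 and later, as far as I recall); on older builds chain verification may still insist on reaching a root, which is worth confirming against the deployed OpenSSL. The PEM body is elided in this listing, so I cannot confirm which certificate it is beyond the comment's claim.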
@@ -61,6 +83,23 @@ else:
_agent = client.Agent(reactor)
+# Twisted>=14.0.0 changed the way in which hostname verification works.
+if _twistedversion >= Version('twisted', 14, 0, 0):
+ from twisted.internet._sslverify import OpenSSLCertificateAuthorities
+
+ class RecaptchaOpenSSLCertificateAuthorities(OpenSSLCertificateAuthorities):
+ """The trusted CAs for connecting to reCAPTCHA servers."""
+ #: A list of `OpenSSL.crypto.X509` objects.
+ caCerts = [GOOGLE_INTERNET_AUTHORITY_CA_CERT,]
+ def __init__(self):
+ super(RecaptchaOpenSSLCertificateAuthorities, self).__init__(self.caCerts)
+
+ class RecaptchaPolicyForHTTPS(client.BrowserLikePolicyForHTTPS):
+ _trustRoot = RecaptchaOpenSSLCertificateAuthorities()
+ def __init__(self):
+ super(RecaptchaPolicyForHTTPS, self).__init__(trustRoot=self._trustRoot)
+
+
def _setAgent(agent):
"""Set the global :attr:`agent`.
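Review bot: `RecaptchaPolicyForHTTPS` relies on `BrowserLikePolicyForHTTPS` for hostname verification, and in Twisted 14.x that check is only full-strength when the `service_identity` package is importable; without it Twisted warns and falls back to a rudimentary CN-only match (if I read `_sslverify` correctly), so the pinned trust root alone does not bind the certificate to www.google.com. I would make that dependency explicit next to the `OpenSSLCertificateAuthorities` import, `import service_identity  # needed for real hostname verification on Twisted>=14; fail loudly, not silently`, so a missing package is an error rather than a degraded check. `twisted.internet._sslverify` is a private module, so the class name may move between releases; a short comment saying so would help whoever hits the next ImportError. `RecaptchaPolicyForHTTPS` also has no docstring; something like `"""Agent TLS policy that trusts only GOOGLE_INTERNET_AUTHORITY_CA_CERT while keeping Twisted's hostname check."""` would do.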
@@ -86,15 +125,21 @@ def _getAgent(reactor=reactor, url=API_SSL_VERIFY_URL, connectTimeout=30,
:api:`twisted.internet.reactor.connectSSL` for specifying the
connection timeout. (default: ``30``)
"""
+ # Twisted>=14.0.0 changed the way in which hostname verification works.
+ if _twistedversion >= Version('twisted', 14, 0, 0):
+ contextFactory = RecaptchaPolicyForHTTPS()
+ else:
+ contextFactory = SSLVerifyingContextFactory(url)
+
if _connectionPoolAvailable:
return client.Agent(reactor,
- contextFactory=SSLVerifyingContextFactory(url),
+ contextFactory=contextFactory,
connectTimeout=connectTimeout,
pool=_pool,
**kwargs)
else:
return client.Agent(reactor,
- contextFactory=SSLVerifyingContextFactory(url),
+ contextFactory=contextFactory,
connectTimeout=connectTimeout,
**kwargs)
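Review bot: On the Twisted>=14 branch the `url` argument to `_getAgent` is no longer consulted, since `RecaptchaPolicyForHTTPS()` takes no URL and the host that gets verified is whatever netloc the Agent later requests, whereas the older branch still derives the expected hostname from `url` via `SSLVerifyingContextFactory(url)`. That asymmetry belongs on the `url` parameter in the docstring that sits above this hunk, e.g. `:param str url: Only used on Twisted<14.0.0 to pick the hostname the server certificate must match; newer versions verify the host of each request instead.` The test `_twistedversion >= Version('twisted', 14, 0, 0)` is now evaluated on every call and duplicated from module level; computing it once next to `_connectionPoolAvailable`, `_policyForHTTPSAvailable = _twistedversion >= Version('twisted', 14, 0, 0)`, keeps the two branches in step. `_getAgent` starts outside the hunk.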