commit eccf3f46188d2b60f93128ab76218f07e9965698 Author: David Fifield <david@bamsoftware.com> Date: Fri Nov 8 12:32:13 2013 -0800 Rename PIN_GOOGLE_CERT to PIN_GOOGLE_CA_CERT. I think this makes it more clear that this certificate belongs to a CA (i.e., Equifax), not to Google. --- flashproxy-reg-appspot | 4 ++-- flashproxy-reg-email | 4 ++-- flashproxy/keys.py | 2 +- flashproxy/test/test_keys.py | 6 +++--- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/flashproxy-reg-appspot b/flashproxy-reg-appspot index a261f10..884c112 100755 --- a/flashproxy-reg-appspot +++ b/flashproxy-reg-appspot @@ -13,7 +13,7 @@ import tempfile import urlparse import urllib2 -from flashproxy.keys import PIN_GOOGLE_CERT, PIN_GOOGLE_PUBKEY_SHA1, check_certificate_pin, temp_cert +from flashproxy.keys import PIN_GOOGLE_CA_CERT, PIN_GOOGLE_PUBKEY_SHA1, check_certificate_pin, temp_cert from flashproxy.util import parse_addr_spec, format_addr try: @@ -141,7 +141,7 @@ class PinHTTPSConnection(httplib.HTTPSConnection): ctx = SSL.Context("tlsv1") ctx.set_verify(SSL.verify_peer, 3) - with temp_cert(PIN_GOOGLE_CERT) as ca_file: + with temp_cert(PIN_GOOGLE_CA_CERT) as ca_file: ret = ctx.load_verify_locations(ca_file.name) assert ret == 1 diff --git a/flashproxy-reg-email b/flashproxy-reg-email index 4f4599c..fa08d9f 100755 --- a/flashproxy-reg-email +++ b/flashproxy-reg-email @@ -11,7 +11,7 @@ import sys import tempfile import urllib -from flashproxy.keys import PIN_GOOGLE_CERT, PIN_GOOGLE_PUBKEY_SHA1, DEFAULT_FACILITATOR_PUBKEY_PEM, check_certificate_pin, temp_cert +from flashproxy.keys import PIN_GOOGLE_CA_CERT, PIN_GOOGLE_PUBKEY_SHA1, DEFAULT_FACILITATOR_PUBKEY_PEM, check_certificate_pin, temp_cert from flashproxy.util import parse_addr_spec, format_addr try: @@ -184,7 +184,7 @@ try: ctx = SSL.Context("tlsv1") ctx.set_verify(SSL.verify_peer, 3) - with temp_cert(PIN_GOOGLE_CERT) as ca_file: + with temp_cert(PIN_GOOGLE_CA_CERT) as ca_file: # We roll our own initial EHLO/STARTTLS because smtplib.SMTP.starttls # doesn't allow enough certificate validation. code, msg = smtp.docmd("EHLO", EHLO_FQDN) diff --git a/flashproxy/keys.py b/flashproxy/keys.py index 5b4b9fa..28b4406 100644 --- a/flashproxy/keys.py +++ b/flashproxy/keys.py @@ -7,7 +7,7 @@ from hashlib import sha1 # To find the certificate to copy here, # $ strace openssl s_client -connect FRONT_DOMAIN:443 -verify 10 -CApath /etc/ssl/certs 2>&1 | grep /etc/ssl/certs # stat("/etc/ssl/certs/XXXXXXXX.0", {st_mode=S_IFREG|0644, st_size=YYYY, ...}) = 0 -PIN_GOOGLE_CERT = """\ +PIN_GOOGLE_CA_CERT = """\ subject=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority -----BEGIN CERTIFICATE----- diff --git a/flashproxy/test/test_keys.py b/flashproxy/test/test_keys.py index 4488118..00b82a7 100644 --- a/flashproxy/test/test_keys.py +++ b/flashproxy/test/test_keys.py @@ -1,12 +1,12 @@ import os.path import unittest -from flashproxy.keys import PIN_GOOGLE_CERT, PIN_GOOGLE_PUBKEY_SHA1, check_certificate_pin, temp_cert +from flashproxy.keys import PIN_GOOGLE_CA_CERT, PIN_GOOGLE_PUBKEY_SHA1, check_certificate_pin, temp_cert class TempCertTest(unittest.TestCase): def test_temp_cert_success(self): fn = None - with temp_cert(PIN_GOOGLE_CERT) as ca_file: + with temp_cert(PIN_GOOGLE_CA_CERT) as ca_file: fn = ca_file.name self.assertTrue(os.path.exists(fn)) self.assertFalse(os.path.exists(fn)) @@ -14,7 +14,7 @@ class TempCertTest(unittest.TestCase): def test_temp_cert_raise(self): fn = None try: - with temp_cert(PIN_GOOGLE_CERT) as ca_file: + with temp_cert(PIN_GOOGLE_CA_CERT) as ca_file: fn = ca_file.name raise ValueError() self.fail()