commit 6be3a91e82f80cdc6c19f55d021580a65b64f115 Author: Isis Lovecruft isis@torproject.org Date: Wed Mar 25 01:46:25 2015 +0000
Change TLS cert checking in txrecaptcha to work with Twisted>=14.0.0. --- lib/bridgedb/txrecaptcha.py | 55 +++++++++++++++++++++++++++++++++++++++---- 1 file changed, 50 insertions(+), 5 deletions(-)
diff --git a/lib/bridgedb/txrecaptcha.py b/lib/bridgedb/txrecaptcha.py
index a8a0532..3666904 100644
--- a/lib/bridgedb/txrecaptcha.py
+++ b/lib/bridgedb/txrecaptcha.py
@@ -25,6 +25,8 @@ which are copyright the authors of the recaptcha-client_ package.
import logging
import urllib
+from OpenSSL.crypto import FILETYPE_PEM
+from OpenSSL.crypto import load_certificate
from twisted import version as _twistedversion
from twisted.internet import defer
@@ -40,13 +42,33 @@ from zope.interface import implements
from bridgedb.crypto import SSLVerifyingContextFactory
-
#: This was taken from recaptcha.client.captcha.API_SSL_SERVER.
API_SSL_SERVER = API_SERVER = "https://www.google.com/recaptcha/api"
API_SSL_VERIFY_URL = "%s/verify" % API_SSL_SERVER
-# `t.w.client.HTTPConnectionPool` isn't available in Twisted-12.0.0 (see
-# ticket #11219):
+#: (type: `OpenSSL.crypto.X509`) Only trust certificate for the reCAPTCHA
+#: :data:`API_SSL_SERVER` which were signed by the Google Internet Authority CA.
+GOOGLE_INTERNET_AUTHORITY_CA_CERT = load_certificate(FILETYPE_PEM, bytes("""\
+-----BEGIN CERTIFICATE-----
+MIICsDCCAhmgAwIBAgIDFXfhMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
+MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
+aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTIxMjEyMTU1ODUwWhcNMTMxMjMxMTU1ODUw
+WjBGMQswCQYDVQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZ
+R29vZ2xlIEludGVybmV0IEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
+gYkCgYEAye23pIucV+eEPkB9hPSP0XFjU5nneXQUr0SZMyCSjXvlKAy6rWxJfoNf
+NFlOCnowzdDXxFdF7dWq1nMmzq0yE7jXDx07393cCDaob1FEm8rWIFJztyaHNWrb
+qeXUWaUr/GcZOfqTGBhs3t0lig4zFEfC7wFQeeT9adGnwKziV28CAwEAAaOBozCB
+oDAfBgNVHSMEGDAWgBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHQ4EFgQUv8Aw
+6/VDET5nup6R+/xq2uNrEiQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
+BAMCAQYwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20v
+Y3Jscy9zZWN1cmVjYS5jcmwwDQYJKoZIhvcNAQEFBQADgYEAvprjecFG+iJsxzEF
+ZUNgujFQodUovxOWZshcnDW7fZ7mTlk3zpeVJrGPZzhaDhvuJjIfKqHweFB7gwB+
+ARlIjNvrPq86fpVg0NOTawALkSqOUMl3MynBQO+spR7EHcRbADQ/JemfTEh2Ycfl
+vZqhEFBfurZkX0eTANq98ZvVfpg=
+-----END CERTIFICATE-----"""))
+
+# `t.w.client.HTTPConnectionPool` isn't available in Twisted-12.0.0
+# (see ticket #11219: https://bugs.torproject.org/11219):
_connectionPoolAvailable = _twistedversion >= Version('twisted', 12, 1, 0)
if _connectionPoolAvailable:
logging.info("Using HTTPConnectionPool for reCaptcha API server.")
@@ -61,6 +83,23 @@ else:
_agent = client.Agent(reactor)
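Review bot: The pinned `GOOGLE_INTERNET_AUTHORITY_CA_CERT` appears to be a certificate that had already expired when this was committed: decoding the validity field in the PEM (the two UTCTime values on the third base64 line, after `wHhcN` and `WhcN`) gives notBefore 2012-12-12 and notAfter 2013-12-31, while the commit is dated 2015-03-25. OpenSSL checks the validity period of every certificate in the chain including the trust anchor, so as far as I can tell every `Agent` built with this trust root on Twisted>=14 will fail verification (or never match at all, if the reCAPTCHA servers now chain through a different intermediate), and nothing here surfaces that before the first request. I would add an import-time guard next to the constant, `if GOOGLE_INTERNET_AUTHORITY_CA_CERT.has_expired(): logging.error("Pinned reCAPTCHA CA certificate has expired; TLS verification will fail.")`, and extend the `#:` comment to record the certificate's subject, issuer, serial number and validity dates so the state of the pin is visible from the source. Pinning an intermediate rather than a root also means the pin must be refreshed every time the issuer rotates, which deserves a sentence on where the replacement certificate is obtained from and how it is checked before being committed.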
+# Twisted>=14.0.0 changed the way in which hostname verification works.
+if _twistedversion >= Version('twisted', 14, 0, 0):
+ from twisted.internet._sslverify import OpenSSLCertificateAuthorities
+
+ class RecaptchaOpenSSLCertificateAuthorities(OpenSSLCertificateAuthorities):
+ """The trusted CAs for connecting to reCAPTCHA servers."""
+ #: A list of `OpenSSL.crypto.X509` objects.
+ caCerts = [GOOGLE_INTERNET_AUTHORITY_CA_CERT,]
+ def __init__(self):
+ super(RecaptchaOpenSSLCertificateAuthorities, self).__init__(self.caCerts)
+
+ class RecaptchaPolicyForHTTPS(client.BrowserLikePolicyForHTTPS):
+ _trustRoot = RecaptchaOpenSSLCertificateAuthorities()
+ def __init__(self):
+ super(RecaptchaPolicyForHTTPS, self).__init__(trustRoot=self._trustRoot)
+
+
def _setAgent(agent):
"""Set the global :attr:`agent`.
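Review bot: The hostname check that `RecaptchaPolicyForHTTPS` inherits depends on an optional package: as I recall, on Twisted 14.x `BrowserLikePolicyForHTTPS` performs full hostname verification only when `service_identity` is importable and otherwise emits a warning and falls back to a rudimentary check, so the strictness that the pre-14 `SSLVerifyingContextFactory(url)` path presumably provides (its name and the `url` argument suggest so) is only reproduced here when that package is installed; worth confirming against the installed Twisted and either asserting the import at module load or documenting it as a hard dependency. `from twisted.internet._sslverify import OpenSSLCertificateAuthorities` reaches into a private module, so this block will also break without notice on a Twisted release that moves or renames it; a `try`/`except ImportError` with a clear error message, or a documented maximum tested Twisted version, would make that explicit. `RecaptchaPolicyForHTTPS` has no docstring; I would add `"""TLS policy for reCAPTCHA requests which trusts only :data:`GOOGLE_INTERNET_AUTHORITY_CA_CERT` rather than the system CA bundle."""`. `_setAgent` continues outside the hunk.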
@@ -86,15 +125,21 @@ def _getAgent(reactor=reactor, url=API_SSL_VERIFY_URL, connectTimeout=30,
:api:`twisted.internet.reactor.connectSSL` for specifying the connection
timeout. (default: ``30``)
"""
+ # Twisted>=14.0.0 changed the way in which hostname verification works.
+ if _twistedversion >= Version('twisted', 14, 0, 0):
+ contextFactory = RecaptchaPolicyForHTTPS()
+ else:
+ contextFactory = SSLVerifyingContextFactory(url)
+
if _connectionPoolAvailable:
return client.Agent(reactor,
- contextFactory=SSLVerifyingContextFactory(url),
+ contextFactory=contextFactory,
connectTimeout=connectTimeout,
pool=_pool,
**kwargs)
else:
return client.Agent(reactor,
- contextFactory=SSLVerifyingContextFactory(url),
+ contextFactory=contextFactory,
connectTimeout=connectTimeout,
**kwargs)
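Review bot: The version comparison `_twistedversion >= Version('twisted', 14, 0, 0)` in the new branch duplicates the module-level `if` that defines `RecaptchaPolicyForHTTPS`, and is re-evaluated (including constructing a `Version`) on every `_getAgent` call; if the two conditions ever drift apart, the call here raises `NameError` instead of falling back. I would compute it once at module level next to `_connectionPoolAvailable`, e.g. `_hostnameVerificationAPIAvailable = _twistedversion >= Version('twisted', 14, 0, 0)`, and test that name in both places. The docstring, which starts above the hunk, should also state that `url` is only consulted on Twisted<14, since `RecaptchaPolicyForHTTPS()` is built without it and presumably verifies against the request's own host; something like `:param str url: ... (only used to build the verifying context factory on Twisted<14.0.0)`. `_getAgent` starts outside the hunk.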