commit 6be3a91e82f80cdc6c19f55d021580a65b64f115 Author: Isis Lovecruft <isis@torproject.org> Date: Wed Mar 25 01:46:25 2015 +0000 Change TLS cert checking in txrecaptcha to work with Twisted>=14.0.0. --- lib/bridgedb/txrecaptcha.py | 55 +++++++++++++++++++++++++++++++++++++++---- 1 file changed, 50 insertions(+), 5 deletions(-) diff --git a/lib/bridgedb/txrecaptcha.py b/lib/bridgedb/txrecaptcha.py index a8a0532..3666904 100644 --- a/lib/bridgedb/txrecaptcha.py +++ b/lib/bridgedb/txrecaptcha.py @@ -25,6 +25,8 @@ which are copyright the authors of the recaptcha-client_ package. import logging import urllib +from OpenSSL.crypto import FILETYPE_PEM +from OpenSSL.crypto import load_certificate from twisted import version as _twistedversion from twisted.internet import defer @@ -40,13 +42,33 @@ from zope.interface import implements from bridgedb.crypto import SSLVerifyingContextFactory - #: This was taken from recaptcha.client.captcha.API_SSL_SERVER. API_SSL_SERVER = API_SERVER = "https://www.google.com/recaptcha/api" API_SSL_VERIFY_URL = "%s/verify" % API_SSL_SERVER -# `t.w.client.HTTPConnectionPool` isn't available in Twisted-12.0.0 (see -# ticket #11219): +#: (type: `OpenSSL.crypto.X509`) Only trust certificate for the reCAPTCHA +#: :data:`API_SSL_SERVER` which were signed by the Google Internet Authority CA. +GOOGLE_INTERNET_AUTHORITY_CA_CERT = load_certificate(FILETYPE_PEM, bytes("""\ +-----BEGIN CERTIFICATE----- +MIICsDCCAhmgAwIBAgIDFXfhMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT +MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0 +aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTIxMjEyMTU1ODUwWhcNMTMxMjMxMTU1ODUw +WjBGMQswCQYDVQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZ +R29vZ2xlIEludGVybmV0IEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw +gYkCgYEAye23pIucV+eEPkB9hPSP0XFjU5nneXQUr0SZMyCSjXvlKAy6rWxJfoNf +NFlOCnowzdDXxFdF7dWq1nMmzq0yE7jXDx07393cCDaob1FEm8rWIFJztyaHNWrb +qeXUWaUr/GcZOfqTGBhs3t0lig4zFEfC7wFQeeT9adGnwKziV28CAwEAAaOBozCB +oDAfBgNVHSMEGDAWgBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHQ4EFgQUv8Aw +6/VDET5nup6R+/xq2uNrEiQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E +BAMCAQYwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20v +Y3Jscy9zZWN1cmVjYS5jcmwwDQYJKoZIhvcNAQEFBQADgYEAvprjecFG+iJsxzEF +ZUNgujFQodUovxOWZshcnDW7fZ7mTlk3zpeVJrGPZzhaDhvuJjIfKqHweFB7gwB+ +ARlIjNvrPq86fpVg0NOTawALkSqOUMl3MynBQO+spR7EHcRbADQ/JemfTEh2Ycfl +vZqhEFBfurZkX0eTANq98ZvVfpg= +-----END CERTIFICATE-----""")) + +# `t.w.client.HTTPConnectionPool` isn't available in Twisted-12.0.0 +# (see ticket #11219: https://bugs.torproject.org/11219): _connectionPoolAvailable = _twistedversion >= Version('twisted', 12, 1, 0) if _connectionPoolAvailable: logging.info("Using HTTPConnectionPool for reCaptcha API server.") @@ -61,6 +83,23 @@ else: _agent = client.Agent(reactor) +# Twisted>=14.0.0 changed the way in which hostname verification works. +if _twistedversion >= Version('twisted', 14, 0, 0): + from twisted.internet._sslverify import OpenSSLCertificateAuthorities + + class RecaptchaOpenSSLCertificateAuthorities(OpenSSLCertificateAuthorities): + """The trusted CAs for connecting to reCAPTCHA servers.""" + #: A list of `OpenSSL.crypto.X509` objects. + caCerts = [GOOGLE_INTERNET_AUTHORITY_CA_CERT,] + def __init__(self): + super(RecaptchaOpenSSLCertificateAuthorities, self).__init__(self.caCerts) + + class RecaptchaPolicyForHTTPS(client.BrowserLikePolicyForHTTPS): + _trustRoot = RecaptchaOpenSSLCertificateAuthorities() + def __init__(self): + super(RecaptchaPolicyForHTTPS, self).__init__(trustRoot=self._trustRoot) + + def _setAgent(agent): """Set the global :attr:`agent`. @@ -86,15 +125,21 @@ def _getAgent(reactor=reactor, url=API_SSL_VERIFY_URL, connectTimeout=30, :api:`twisted.internet.reactor.connectSSL` for specifying the connection timeout. (default: ``30``) """ + # Twisted>=14.0.0 changed the way in which hostname verification works. + if _twistedversion >= Version('twisted', 14, 0, 0): + contextFactory = RecaptchaPolicyForHTTPS() + else: + contextFactory = SSLVerifyingContextFactory(url) + if _connectionPoolAvailable: return client.Agent(reactor, - contextFactory=SSLVerifyingContextFactory(url), + contextFactory=contextFactory, connectTimeout=connectTimeout, pool=_pool, **kwargs) else: return client.Agent(reactor, - contextFactory=SSLVerifyingContextFactory(url), + contextFactory=contextFactory, connectTimeout=connectTimeout, **kwargs)