[Pkg-privacy-commits] [torbrowser-launcher] 77/476: first hack at verifying pinned SSL certificate

Ximin Luo infinity0 at moszumanska.debian.org
Sat Aug 22 13:21:24 UTC 2015


This is an automated email from the git hooks/post-receive script.

infinity0 pushed a commit to branch debian
in repository torbrowser-launcher.

commit 918044f152596039510cc0da01eb8c380b5e5df0
Author: meejah <meejah at meejah.ca>
Date:   Thu Feb 28 00:40:49 2013 -0700

    first hack at verifying pinned SSL certificate
---
 torbrowser-launcher | 25 +++++++++++++++++++++++--
 torproject.pem      | 38 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 61 insertions(+), 2 deletions(-)

diff --git a/torbrowser-launcher b/torbrowser-launcher
index 498bc66..b15e649 100755
--- a/torbrowser-launcher
+++ b/torbrowser-launcher
@@ -13,6 +13,23 @@ import os, sys, subprocess, locale, urllib2, gobject, time
 from twisted.web.client import Agent, ResponseDone
 from twisted.web.http_headers import Headers
 from twisted.internet.protocol import Protocol
+from twisted.internet.ssl import ClientContextFactory
+
+from OpenSSL.SSL import Context, VERIFY_PEER, VERIFY_FAIL_IF_NO_PEER_CERT
+from OpenSSL.crypto import load_certificate, FILETYPE_PEM
+
+class VerifyTorProjectCert(ClientContextFactory):
+
+    torproject_ca = load_certificate(FILETYPE_PEM, open('torproject.pem', 'r').read())
+
+    def getContext(self, host, port):
+        ctx = ClientContextFactory.getContext(self)
+        ctx.set_verify_depth(0)
+        ctx.set_verify(VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, self.verifyHostname)
+        return ctx
+
+    def verifyHostname(self, connection, cert, errno, depth, preverifyOK):
+        return cert.digest('sha256') == self.torproject_ca.digest('sha256')
 
 
 class TorBrowserLauncher:
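Review bot: The pin is read with `open('torproject.pem', 'r')` in the class body, so the path is resolved against whatever the current working directory is when the module loads. A launcher started from another directory either fails at import or trusts whatever `torproject.pem` happens to sit there. Resolve it from the installed script location instead, e.g. `os.path.join(os.path.dirname(os.path.realpath(__file__)), 'torproject.pem')`, and close the file after reading. Separately, `verifyHostname` performs no hostname check and ignores `depth` and `preverifyOK`: it compares the digest of whichever certificate it is handed, and since the verify callback is normally invoked once per certificate in the chain, the comparison should be limited to `depth == 0` if a leaf pin is intended. The name `torproject_ca` suggests a CA while the check is an exact-certificate match, so a comment stating which is meant would help.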
@@ -321,6 +338,10 @@ class TorBrowserLauncher:
       ## FIXME handle errors
 
 
+  def error(self, f):
+      print "FAIL", f
+
+
   def download(self, name, url, path):
     # initialize the progress bar
     self.progressbar.set_fraction(0) 
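Review bot: `error` only prints the Failure to stdout and returns None, which marks it as handled, so a certificate-pin mismatch ends silently for someone looking at the GTK window. As this errback is the only visible place where a failed verification surfaces, it should report to the user that the download was refused and stop the flow rather than leave the progress bar as it is. The body is indented six spaces under a two-space `def`, unlike `download` just below. A docstring such as `"""Errback for download(): receives a twisted Failure when the request or TLS verification fails."""` would make its role clear.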
@@ -328,13 +349,13 @@ class TorBrowserLauncher:
     self.progressbar.show()
     self.refresh_gtk()
 
-    agent = Agent(reactor)
+    agent = Agent(reactor, VerifyTorProjectCert())
     d = agent.request('GET', url,
                       Headers({'User-Agent': ['torbrowser-launcher']}),
                       None)
 
     self.file_download = open(path, 'w')
-    d.addCallback(self.response_received)
+    d.addCallback(self.response_received).addErrback(self.error)
 
   def download_chunk(self, name):
     # download 10kb a time
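Review bot: `Agent(reactor, VerifyTorProjectCert())` applies the single pinned certificate to every URL passed to `download`, and nothing visible here restricts `url` to the pinned host or to `https`. A request to any other host, or to the same host after a certificate rotation, will fail, and for a plain `http` URL the context factory is presumably never consulted, so the pin gives no protection. Checking the scheme before the request, e.g. `if not url.startswith('https://'): raise ValueError(url)`, would make that explicit. On the failure path the file opened by `open(path, 'w')` above the changed line is left open and truncated, so the errback should close and remove it. `download` starts before this hunk.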
diff --git a/torproject.pem b/torproject.pem
new file mode 100644
index 0000000..12cf79b
--- /dev/null
+++ b/torproject.pem
@@ -0,0 +1,38 @@
+-----BEGIN CERTIFICATE-----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==
+-----END CERTIFICATE-----

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-privacy/packages/torbrowser-launcher.git


