| Nobuaki Sukegawa | f32bae7 | 2016-02-20 08:51:33 +0900 | [diff] [blame] | 1 | # |
| 2 | # licensed to the apache software foundation (asf) under one |
| 3 | # or more contributor license agreements. see the notice file |
| 4 | # distributed with this work for additional information |
| 5 | # regarding copyright ownership. the asf licenses this file |
| 6 | # to you under the apache license, version 2.0 (the |
| 7 | # "license"); you may not use this file except in compliance |
| 8 | # with the license. you may obtain a copy of the license at |
| 9 | # |
| 10 | # http://www.apache.org/licenses/license-2.0 |
| 11 | # |
| 12 | # unless required by applicable law or agreed to in writing, |
| 13 | # software distributed under the license is distributed on an |
| 14 | # "as is" basis, without warranties or conditions of any |
| 15 | # KIND, either express or implied. See the License for the |
| 16 | # specific language governing permissions and limitations |
| 17 | # under the License. |
| 18 | # |
| 19 | |
| Nobuaki Sukegawa | d9b4425 | 2016-03-01 02:09:11 +0900 | [diff] [blame^] | 20 | import sys |
| 21 | |
| Nobuaki Sukegawa | f32bae7 | 2016-02-20 08:51:33 +0900 | [diff] [blame] | 22 | from thrift.transport.TTransport import TTransportException |
| 23 | |
| 24 | |
| 25 | def legacy_validate_callback(self, cert, hostname): |
| 26 | """legacy method to validate the peer's SSL certificate, and to check |
| 27 | the commonName of the certificate to ensure it matches the hostname we |
| 28 | used to make this connection. Does not support subjectAltName records |
| 29 | in certificates. |
| 30 | |
| 31 | raises TTransportException if the certificate fails validation. |
| 32 | """ |
| 33 | if 'subject' not in cert: |
| 34 | raise TTransportException( |
| 35 | TTransportException.NOT_OPEN, |
| 36 | 'No SSL certificate found from %s:%s' % (self.host, self.port)) |
| 37 | fields = cert['subject'] |
| 38 | for field in fields: |
| 39 | # ensure structure we get back is what we expect |
| 40 | if not isinstance(field, tuple): |
| 41 | continue |
| 42 | cert_pair = field[0] |
| 43 | if len(cert_pair) < 2: |
| 44 | continue |
| 45 | cert_key, cert_value = cert_pair[0:2] |
| 46 | if cert_key != 'commonName': |
| 47 | continue |
| 48 | certhost = cert_value |
| 49 | # this check should be performed by some sort of Access Manager |
| 50 | if certhost == hostname: |
| 51 | # success, cert commonName matches desired hostname |
| 52 | return |
| 53 | else: |
| 54 | raise TTransportException( |
| 55 | TTransportException.UNKNOWN, |
| 56 | 'Hostname we connected to "%s" doesn\'t match certificate ' |
| 57 | 'provided commonName "%s"' % (self.host, certhost)) |
| 58 | raise TTransportException( |
| 59 | TTransportException.UNKNOWN, |
| 60 | 'Could not validate SSL certificate from host "%s". Cert=%s' |
| 61 | % (hostname, cert)) |
| 62 | |
| 63 | |
| 64 | try: |
| 65 | import ipaddress # noqa |
| 66 | _match_has_ipaddress = True |
| 67 | except ImportError: |
| 68 | _match_has_ipaddress = False |
| 69 | |
| 70 | try: |
| 71 | from backports.ssl_match_hostname import match_hostname |
| 72 | _match_hostname = match_hostname |
| 73 | except ImportError: |
| Nobuaki Sukegawa | d9b4425 | 2016-03-01 02:09:11 +0900 | [diff] [blame^] | 74 | if sys.hexversion < 0x030500F0: |
| 75 | _match_has_ipaddress = False |
| Nobuaki Sukegawa | f32bae7 | 2016-02-20 08:51:33 +0900 | [diff] [blame] | 76 | try: |
| 77 | from ssl import match_hostname |
| 78 | _match_hostname = match_hostname |
| 79 | except ImportError: |
| 80 | _match_hostname = legacy_validate_callback |