re6st-conf: new --fingerprint option

demo/demo

@@ -160,11 +160,16 @@ nodes = []
 gateway1.screen('miniupnpd -d -f miniupnpd.conf -P miniupnpd.pid'
                 ' -a %s -i %s' % (g1_if_1.name, g1_if_0_name))
 if 1:
-    import sqlite3
+    from OpenSSL import crypto
+    import hashlib, sqlite3
     os.path.exists('ca.crt') or subprocess.check_call(
         "openssl req -nodes -new -x509 -key registry/ca.key -out ca.crt"
         " -subj /CN=re6st.example.com/emailAddress=re6st@example.com"
         " -set_serial 0x120010db80042 -days %u" % CA_DAYS, shell=True)
+    with open('ca.crt') as f:
+        ca = crypto.load_certificate(crypto.FILETYPE_PEM, f.read())
+    fingerprint = "sha1:" + hashlib.sha1(
+        crypto.dump_certificate(crypto.FILETYPE_ASN1, ca)).hexdigest()
     db_path = 'registry/registry.db'
     registry.screen('./py re6st-registry @registry/re6st-registry.conf'
         ' --db %s --mailhost %s -v%u --control-socket registry/babeld.socket'
@@ -189,7 +194,8 @@ if 1:
                 os.symlink('../dh2048.pem', dh_path)
             email = node.name + '@example.com'
             p = node.Popen(('../py', 're6st-conf', '--registry', registry,
-                '--email', email), stdin=subprocess.PIPE, cwd=folder)
+                            '--email', email, '--fingerprint', fingerprint),
+                stdin=subprocess.PIPE, cwd=folder)
             token = None
             while not token:
                 time.sleep(.1)

re6st-conf

 #!/usr/bin/python
-import argparse, atexit, errno, os, subprocess, sqlite3, sys, time
+import argparse, atexit, binascii, errno, hashlib
+import os, subprocess, sqlite3, sys, time
 from OpenSSL import crypto
 from re6st import registry, utils, x509
 
@@ -18,6 +19,8 @@ def main():
         description="Setup script for re6stnet.",
         formatter_class=utils.HelpFormatter)
     _ = parser.add_argument
+    _('--fingerprint', metavar='ALG:FINGERPRINT',
+        help="Check CA fingerprint to protect against MITM.")
     _('--registry', required=True, metavar='URL',
         help="HTTP URL of the server delivering certificates.")
     _('--is-needed', action='store_true',
@@ -53,8 +56,20 @@ def main():
     s = registry.RegistryClient(config.registry)
 
     # Get CA
-    ca = s.getCa()
-    network = x509.networkFromCa(loadCert(ca))
+    ca = loadCert(s.getCa())
+    if config.fingerprint:
+        try:
+            alg, fingerprint = config.fingerprint.split(':', 1)
+            fingerprint = binascii.a2b_hex(fingerprint)
+            if hashlib.new(alg).digest_size != len(fingerprint):
+                raise ValueError("wrong size")
+        except StandardError, e:
+            parser.error("invalid fingerprint: %s" % e)
+        if x509.fingerprint(ca, alg).digest() != fingerprint:
+            sys.exit("CA fingerprint doesn't match")
+    else:
+        print "WARNING: it is strongly recommended to use --fingerprint option."
+    network = x509.networkFromCa(ca)
     if config.is_needed:
         route, err = subprocess.Popen(('ip', '-6', '-o', 'route', 'get',
                                        utils.ipFromBin(network)),
@@ -62,7 +77,7 @@ def main():
         sys.exit(err or route and
             utils.binFromIp(route.split()[8]).startswith(network))
 
-    create(ca_path, ca)
+    create(ca_path, crypto.dump_certificate(crypto.FILETYPE_PEM, ca))
     if config.ca_only:
         sys.exit()
 

re6st/x509.py

@@ -31,6 +31,9 @@ def encrypt(cert, data):
         raise subprocess.CalledProcessError(p.returncode, 'openssl', err)
     return out
 
+def fingerprint(cert, alg='sha1'):
+    return hashlib.new(alg, crypto.dump_certificate(crypto.FILETYPE_ASN1, cert))
+
 def maybe_renew(path, cert, info, renew):
     from .registry import RENEW_PERIOD
     while True: