From 6d3286acd031f2490ba3d246087d5c080440b18b Mon Sep 17 00:00:00 2001
From: lars <lars@systemausfall.org>
Date: Thu, 25 Jan 2007 01:18:35 +0000
Subject: [PATCH] the plugin 'encrypted_webinterface' creates a valid
 certificate now fixed some pylint warnings for 'date' plugin fixed a syntax
 mistake in the 'date' plugin

---
 plugins/date/date.py                          | 13 ++--
 .../encrypted_webinterface.py                 | 59 +++++++++++++++----
 2 files changed, 54 insertions(+), 18 deletions(-)

diff --git a/plugins/date/date.py b/plugins/date/date.py
index e233452..d3b2408 100644
--- a/plugins/date/date.py
+++ b/plugins/date/date.py
@@ -52,13 +52,13 @@ class date(cryptobox.plugins.base.CryptoBoxPlugin):
 			except ValueError:
 				self.hdf["Data.Warning"] = "Plugins.date.InvalidDate"
 			else:
-				date = "%02d%02d%02d%02d%d" % (month, day, hour, minute, year)
-				if self.__set_date(date):
-					self.cbox.log.info("changed date to: %s" % date)
+				new_date = "%02d%02d%02d%02d%d" % (month, day, hour, minute, year)
+				if self.__set_date(new_date):
+					self.cbox.log.info("changed date to: %s" % new_date)
 					self.hdf["Data.Success"] = "Plugins.date.DateChanged"
 				else:
 					## a failure should usually be an invalid date (we do not check it really)
-					self.cbox.log.info("failed to set date: %s" % date)
+					self.cbox.log.info("failed to set date: %s" % new_date)
 					self.hdf["Data.Warning"] = "Plugins.date.InvalidDate"
 		self.__prepare_form_data()
 		return "form_date"
@@ -73,6 +73,7 @@ class date(cryptobox.plugins.base.CryptoBoxPlugin):
 
 
 	def get_warnings(self):
+		import os
 		warnings = []
 		if not os.path.isfile(self.root_action.DATE_BIN):
 			warnings.append((48, "Plugins.%s.MissingProgramDate" % self.get_name()))
@@ -97,7 +98,7 @@ class date(cryptobox.plugins.base.CryptoBoxPlugin):
 		return datetime.datetime(2000, 1, 1).now()
 	
 
-	def __set_date(self, date):
+	def __set_date(self, new_date):
 		"""Set a new date and time.
 		"""
 		import subprocess
@@ -109,7 +110,7 @@ class date(cryptobox.plugins.base.CryptoBoxPlugin):
 				self.cbox.prefs["Programs"]["CryptoBoxRootActions"],
 				"plugin",
 				os.path.join(self.plugin_dir, "root_action.py"),
-				date])
+				new_date])
 		proc.wait()
 		return proc.returncode == 0
 
diff --git a/plugins/encrypted_webinterface/encrypted_webinterface.py b/plugins/encrypted_webinterface/encrypted_webinterface.py
index 9223111..364a84c 100644
--- a/plugins/encrypted_webinterface/encrypted_webinterface.py
+++ b/plugins/encrypted_webinterface/encrypted_webinterface.py
@@ -33,17 +33,23 @@ import os
 import cherrypy
 
 CERT_FILENAME = 'cryptobox-ssl-certificate.pem'
-KEY_BITS = 409
+KEY_BITS = 1024
+ISSUER_INFOS = {
+		"ST": "SomeIssuerState",
+		"L": "SomeIssuerLocality",
+		"O": "SomeIssuerOrganization",
+		"OU": "CryptoBox-ServerIssuer",
+		"CN": "cryptoboxIssuer",
+		"emailAddress": "infoIssuer@cryptobox.org"}
 CERT_INFOS = {
-		"C": "SomeCountry",
 		"ST": "SomeState",
 		"L": "SomeLocality",
 		"O": "SomeOrganization",
 		"OU": "CryptoBox-Server",
 		"CN": "*",
-		"emailAddress": ""}
-EXPIRE_TIME = 60*60*24*365*20	# 20 years
-SIGN_DIGEST = "sha256"
+		"emailAddress": "info@cryptobox.org"}
+EXPIRE_TIME = 60*60*24*365*20	# 20 years forward and backward
+SIGN_DIGEST = "md5"
 PID_FILE = os.path.join("/tmp/cryptobox-stunnel.pid")
 
 
@@ -81,9 +87,12 @@ class encrypted_webinterface(cryptobox.plugins.base.CryptoBoxPlugin):
 			warnings.append((44, "Plugins.%s.MissingProgramStunnel" % self.get_name()))
 		## perform some checks for encrypted connections
 		## check an environment setting - this is quite common behind proxies
+		## check if it is a local connection (or via stunnel)
 		## the arbitrarily chosen header is documented in README.proxy
 		if (cherrypy.request.scheme != "https") \
 				and (not os.environ.has_key("HTTPS")) \
+				and (not (cherrypy.request.headers.has_key("Remote-Host") \
+						and (cherrypy.request.headers["Remote-Host"] == "127.0.0.1"))) \
 				and (not (cherrypy.request.headers.has_key("X-SSL-Request") \
 						and (cherrypy.request.headers["X-SSL-Request"] == "1"))):
 			## plaintext connection -> "heavy security risk" (priority=20..39)
@@ -114,7 +123,8 @@ class encrypted_webinterface(cryptobox.plugins.base.CryptoBoxPlugin):
 		"""try to kill a running stunnel daemon
 		"""
 		if not os.path.isfile(PID_FILE):
-			self.cbox.log.warn("Could not find the pid file of a running stunnel daemon: %s" % PID_FILE)
+			self.cbox.log.warn("Could not find the pid file of a running stunnel " \
+					+ "daemon: %s" % PID_FILE)
 			return
 		try:
 			pfile = open(PID_FILE, "r")
@@ -135,8 +145,15 @@ class encrypted_webinterface(cryptobox.plugins.base.CryptoBoxPlugin):
 		try:
 			## SIGTERM = 15
 			os.kill(pid, 15)
-		except OSError:
-			pass
+			self.cbox.log.info("Successfully stopped stunnel")
+			try:
+				os.remove(PID_FILE)
+			except OSError, err_msg:
+				self.cbox.log.warn("Failed to remove the pid file (%s) of stunnel: %s" \
+						% (PID_FILE, err_msg))
+		except OSError, err_msg:
+			self.cbox.log.warn("Failed to kill stunnel process (PID: %d): %s" % \
+					(pid, err_msg))
 
 
 	def __run_stunnel(self, cert_name, dest_port=443):
@@ -165,28 +182,46 @@ class encrypted_webinterface(cryptobox.plugins.base.CryptoBoxPlugin):
 
 
 	def __create_certificate(self, filename):
+		"""Create a self-signed certificate and store it in a file
+		
+		The code is mainly inspired by:
+		https://dev.tribler.org/browser/m2crypto/trunk/contrib/SimpleX509create.py
+		"""
 		import M2Crypto
 		import time
 		string_type = 0x1000 | 1	# see http://www.koders.com/python/..
 				# ../fid07A99E089F55187896A06CD4E0B6F21B9B8F5B0B.aspx?s=bavaria
 		key_gen_number = 0x10001	# commonly used for key generation: 65537
 		rsa_key = M2Crypto.RSA.gen_key(KEY_BITS, key_gen_number, callback=lambda: None)
+		rsa_key2 = M2Crypto.RSA.gen_key(KEY_BITS, key_gen_number, callback=lambda: None)
 		pkey = M2Crypto.EVP.PKey(md=SIGN_DIGEST)
 		pkey.assign_rsa(rsa_key)
-		issuer = M2Crypto.X509.X509_Name()
+		sign_key = M2Crypto.EVP.PKey(md=SIGN_DIGEST)
+		sign_key.assign_rsa(rsa_key2)
+		subject = M2Crypto.X509.X509_Name()
 		for (key, value) in CERT_INFOS.items():
-			issuer.add_entry_by_txt(key, string_type, value, 1, 1, 0)
+			subject.add_entry_by_txt(key, string_type, value, -1, -1, 0)
+		issuer = M2Crypto.X509.X509_Name(M2Crypto.m2.x509_name_new())
+		for (key, value) in ISSUER_INFOS.items():
+			issuer.add_entry_by_txt(key, string_type, value, -1, -1, 0)
 		## time object
 		asn_time1 = M2Crypto.ASN1.ASN1_UTCTIME()
 		asn_time1.set_time(long(time.time()) - EXPIRE_TIME)
 		asn_time2 = M2Crypto.ASN1.ASN1_UTCTIME()
 		asn_time2.set_time(long(time.time()) + EXPIRE_TIME)
+		request = M2Crypto.X509.Request()
+		request.set_subject_name(subject)
+		request.set_pubkey(pkey)
+		request.sign(pkey=pkey, md=SIGN_DIGEST)
 		cert = M2Crypto.X509.X509()
-		cert.set_issuer(issuer)
-		cert.set_subject(issuer)
+		## always create a unique version number
+		cert.set_version(0)
+		cert.set_serial_number(long(time.time()))
 		cert.set_pubkey(pkey)
 		cert.set_not_before(asn_time1)
 		cert.set_not_after(asn_time2)
+		cert.set_subject_name(request.get_subject())
+		cert.set_issuer_name(issuer)
 		cert.sign(pkey, SIGN_DIGEST)
 		result = ""
 		result += cert.as_pem()