From af0d0006f143353f7ef096390883a8070cf0aca4 Mon Sep 17 00:00:00 2001
From: Alberto Sottile
Date: Sat, 5 Nov 2022 23:45:51 +0100
Subject: [PATCH] SyncplayClient: explicitly pass `certifi` as trustRoot for Twisted

- py2app: include pem in the bundle
- requirements: add pem
- SyncplayClient.start: explicitly use certifi store as trustRoot
---
 buildPy2app.py | 2 +-
 requirements.txt | 1 +
 syncplay/client.py | 15 ++++++++-------
 3 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/buildPy2app.py b/buildPy2app.py
index 76be1de..462036d 100755
--- a/buildPy2app.py
+++ b/buildPy2app.py
@@ -17,7 +17,7 @@ DATA_FILES = [
 OPTIONS = {
 'iconfile': 'syncplay/resources/icon.icns',
 'extra_scripts': 'syncplayServer.py',
- 'includes': {'PySide2.QtCore', 'PySide2.QtUiTools', 'PySide2.QtGui', 'PySide2.QtWidgets', 'certifi', 'cffi'},
+ 'includes': {'PySide2.QtCore', 'PySide2.QtUiTools', 'PySide2.QtGui', 'PySide2.QtWidgets', 'certifi', 'cffi', 'pem'},
 'excludes': {'PySide', 'PySide.QtCore', 'PySide.QtUiTools', 'PySide.QtGui', 'tkinter'},
 'qt_plugins': [
 'platforms/libqcocoa.dylib',
diff --git a/requirements.txt b/requirements.txt
index 506c59c..0d61f2f 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,5 @@
 certifi>=2018.11.29
+pem>=21.2.0
 twisted[tls]>=16.4.0
 appnope>=0.1.0; sys_platform == 'darwin'
 pypiwin32>=223; sys_platform == 'win32'
diff --git a/syncplay/client.py b/syncplay/client.py
index 20a7134..0b105e0 100755
--- a/syncplay/client.py
+++ b/syncplay/client.py
@@ -19,11 +19,13 @@ from twisted.internet.protocol import ClientFactory
 from twisted.internet import reactor, task, defer, threads
 try:
+ SSL_CERT_FILE = None
 import certifi
- from twisted.internet.ssl import Certificate, optionsForClientTLS
+ import pem
+ from twisted.internet.ssl import Certificate, optionsForClientTLS, trustRootFromCertificates
 certPath = certifi.where()
 if os.path.exists(certPath):
- os.environ['SSL_CERT_FILE'] = certPath
+ SSL_CERT_FILE = certPath
 elif 'zip' in certPath:
 import tempfile
 import zipfile
@@ -32,7 +34,7 @@ try:
 archive = zipfile.ZipFile(zipPath, 'r')
 tmpDir = tempfile.gettempdir()
 extractedPath = archive.extract(memberPath, tmpDir)
- os.environ['SSL_CERT_FILE'] = extractedPath
+ SSL_CERT_FILE = extractedPath
 except:
 pass
@@ -831,10 +833,9 @@ class SyncplayClient(object):
 port = int(port)
 self._endpoint = HostnameEndpoint(reactor, host, port)
 try:
- caCertFP = open(os.environ['SSL_CERT_FILE'])
- caCertTwisted = Certificate.loadPEM(caCertFP.read().encode('utf-8'))
- caCertFP.close()
- self.protocolFactory.options = optionsForClientTLS(hostname=host)
+ certs = pem.parse_file(SSL_CERT_FILE)
+ trustRoot = trustRootFromCertificates([Certificate.loadPEM(str(cert)) for cert in certs])
+ self.protocolFactory.options = optionsForClientTLS(hostname=host, trustRoot=trustRoot)
 self._clientSupportsTLS = True
 except Exception as e:
 self.ui.showDebugMessage(str(e))
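Review bot: `import pem` now runs before the `twisted.internet.ssl` import inside a `try` whose handler (visible in the next hunk) is a bare `except: pass`, so an installation that lacks `pem` also loses `Certificate`, `optionsForClientTLS` and `trustRootFromCertificates`, with nothing recorded about why. The missing package then only surfaces later as a `NameError` string in the debug output of `start()`, which makes a lost TLS capability hard to notice. Consider narrowing the handler to `except Exception as e:` and keeping the reason in a module-level variable next to `SSL_CERT_FILE`, so it can be reported when TLS setup fails. The `try` block opens in this hunk and closes outside it.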
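Review bot: `SSL_CERT_FILE = extractedPath` makes a file extracted into `tempfile.gettempdir()` the sole trust root for the client's TLS connections, and on some platforms that directory is shared with other local accounts. The CA bundle should live somewhere only the current user can write, so that its contents are exactly what `certifi` shipped; `tmpDir = tempfile.mkdtemp()` gives a directory created with owner-only permissions. The `try` this code belongs to starts above the hunk, and its bare `except: pass` also hides a failed extraction.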
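Review bot: When `SSL_CERT_FILE` is still `None` (certifi missing, or the zip extraction failed), `pem.parse_file(SSL_CERT_FILE)` raises and the broad `except Exception` reduces that to a debug message while `_clientSupportsTLS` is left unset. Whether the connection then proceeds without TLS is decided outside this hunk, but failing to build the trust root deserves a user-visible message rather than a debug line. An explicit guard ahead of the parse, such as `if SSL_CERT_FILE is None: raise RuntimeError("no CA bundle available")`, would make the cause clear. Separately, `Certificate.loadPEM(cert.as_bytes())` passes the PEM bytes directly instead of going through `str()`. The handler's body continues past the end of the hunk.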