SyncplayClient: explicitly pass `certifi` as trustRoot for Twisted

- py2app: include pem in the bundle - requirements: add pem - SyncplayClient.start: explicitly use certifi store as trustRoot
2022-11-05 23:45:51 +01:00 · 2022-11-05 23:45:51 +01:00 · af0d0006f1
parent 2aa73122ab
commit af0d0006f1
3 changed files with 10 additions and 8 deletions
--- a/buildPy2app.py
+++ b/buildPy2app.py
@ -17,7 +17,7 @@ DATA_FILES = [
 OPTIONS = {
    'iconfile': 'syncplay/resources/icon.icns',
    'extra_scripts': 'syncplayServer.py',
-    'includes': {'PySide2.QtCore', 'PySide2.QtUiTools', 'PySide2.QtGui', 'PySide2.QtWidgets', 'certifi', 'cffi'},
+    'includes': {'PySide2.QtCore', 'PySide2.QtUiTools', 'PySide2.QtGui', 'PySide2.QtWidgets', 'certifi', 'cffi', 'pem'},
    'excludes': {'PySide', 'PySide.QtCore', 'PySide.QtUiTools', 'PySide.QtGui', 'tkinter'},
    'qt_plugins': [
        'platforms/libqcocoa.dylib',
--- a/requirements.txt
+++ b/requirements.txt
@ -1,4 +1,5 @@
 certifi>=2018.11.29
+pem>=21.2.0
 twisted[tls]>=16.4.0
 appnope>=0.1.0; sys_platform == 'darwin'
 pypiwin32>=223; sys_platform == 'win32'
--- a/syncplay/client.py
+++ b/syncplay/client.py
@ -19,11 +19,13 @@ from twisted.internet.protocol import ClientFactory
 from twisted.internet import reactor, task, defer, threads

 try:
+    SSL_CERT_FILE = None
    import certifi
-    from twisted.internet.ssl import Certificate, optionsForClientTLS
+    import pem
+    from twisted.internet.ssl import Certificate, optionsForClientTLS, trustRootFromCertificates
    certPath = certifi.where()
    if os.path.exists(certPath):
-        os.environ['SSL_CERT_FILE'] = certPath
+        SSL_CERT_FILE = certPath
    elif 'zip' in certPath:
        import tempfile
        import zipfile
@ -32,7 +34,7 @@ try:
        archive = zipfile.ZipFile(zipPath, 'r')
        tmpDir = tempfile.gettempdir()
        extractedPath = archive.extract(memberPath, tmpDir)
-        os.environ['SSL_CERT_FILE'] = extractedPath
+        SSL_CERT_FILE = extractedPath
 except:
    pass

@ -831,10 +833,9 @@ class SyncplayClient(object):
        port = int(port)
        self._endpoint = HostnameEndpoint(reactor, host, port)
        try:
-            caCertFP = open(os.environ['SSL_CERT_FILE'])
-            caCertTwisted = Certificate.loadPEM(caCertFP.read().encode('utf-8'))
-            caCertFP.close()
-            self.protocolFactory.options = optionsForClientTLS(hostname=host)
+            certs = pem.parse_file(SSL_CERT_FILE)
+            trustRoot = trustRootFromCertificates([Certificate.loadPEM(str(cert)) for cert in certs])
+            self.protocolFactory.options = optionsForClientTLS(hostname=host, trustRoot=trustRoot)
            self._clientSupportsTLS = True
        except Exception as e:
            self.ui.showDebugMessage(str(e))