Added server cert verification

Author: hlainchb

paypal/https_connection.py

@@ -0,0 +1,141 @@
+# Copyright 2007,2011 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# This file is derived from
+# http://googleappengine.googlecode.com/svn-history/r136/trunk/python/google/appengine/tools/https_wrapper.py
+
+
+"""Extensions to allow HTTPS requests with SSL certificate validation."""
+
+import httplib
+import re
+import socket
+import ssl
+import urllib2
+
+class InvalidCertificateException(httplib.HTTPException):
+  """Raised when a certificate is provided with an invalid hostname."""
+
+  def __init__(self, host, cert, reason):
+    """Constructor.
+
+    Args:
+      host: The hostname the connection was made to.
+      cert: The SSL certificate (as a dictionary) the host returned.
+    """
+    httplib.HTTPException.__init__(self)
+    self.host = host
+    self.cert = cert
+    self.reason = reason
+
+  def __str__(self):
+    return ('Host %s returned an invalid certificate (%s): %s' %
+            (self.host, self.reason, self.cert))
+
+def GetValidHostsForCert(cert):
+  """Returns a list of valid host globs for an SSL certificate.
+
+  Args:
+    cert: A dictionary representing an SSL certificate.
+  Returns:
+    list: A list of valid host globs.
+  """
+  if 'subjectAltName' in cert:
+    return [x[1] for x in cert['subjectAltName'] if x[0].lower() == 'dns']
+  else:
+    return [x[0][1] for x in cert['subject']
+            if x[0][0].lower() == 'commonname']
+
+def ValidateCertificateHostname(cert, hostname):
+  """Validates that a given hostname is valid for an SSL certificate.
+
+  Args:
+    cert: A dictionary representing an SSL certificate.
+    hostname: The hostname to test.
+  Returns:
+    bool: Whether or not the hostname is valid for this certificate.
+  """
+  hosts = GetValidHostsForCert(cert)
+  for host in hosts:
+    host_re = host.replace('.', '\.').replace('*', '[^.]*')
+    if re.search('^%s$' % (host_re,), hostname, re.I):
+      return True
+  return False
+
+
+class CertValidatingHTTPSConnection(httplib.HTTPConnection):
+  """An HTTPConnection that connects over SSL and validates certificates."""
+
+  default_port = httplib.HTTPS_PORT
+
+  def __init__(self, host, port=None, key_file=None, cert_file=None,
+               ca_certs=None, strict=None, **kwargs):
+    """Constructor.
+
+    Args:
+      host: The hostname. Can be in 'host:port' form.
+      port: The port. Defaults to 443.
+      key_file: A file containing the client's private key
+      cert_file: A file containing the client's certificates
+      ca_certs: A file contianing a set of concatenated certificate authority
+          certs for validating the server against.
+      strict: When true, causes BadStatusLine to be raised if the status line
+          can't be parsed as a valid HTTP/1.0 or 1.1 status line.
+    """
+    httplib.HTTPConnection.__init__(self, host, port, strict, **kwargs)
+    self.key_file = key_file
+    self.cert_file = cert_file
+    self.ca_certs = ca_certs
+
+  def connect(self):
+    "Connect to a host on a given (SSL) port."
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    sock.connect((self.host, self.port))
+    self.sock = ssl.wrap_socket(sock, keyfile=self.key_file,
+                                certfile=self.cert_file,
+                                cert_reqs=ssl.CERT_REQUIRED,
+                                ca_certs=self.ca_certs)
+    cert = self.sock.getpeercert()
+    hostname = self.host.split(':', 0)[0]
+    if not ValidateCertificateHostname(cert, hostname):
+      raise InvalidCertificateException(hostname,
+                                        cert,
+                                        'remote hostname "%s" does not match '\
+                                        'certificate' % hostname)
+
+
+class CertValidatingHTTPSHandler(urllib2.HTTPSHandler):
+  """An HTTPHandler that validates SSL certificates."""
+
+  def __init__(self, **kwargs):
+    """Constructor. Any keyword args are passed to the httplib handler."""
+    urllib2.HTTPSHandler.__init__(self)
+    self._connection_args = kwargs
+
+  def https_open(self, req):
+    def http_class_wrapper(host, **kwargs):
+      full_kwargs = dict(self._connection_args)
+      full_kwargs.update(kwargs)
+      return CertValidatingHTTPSConnection(host, **full_kwargs)
+    try:
+      return self.do_open(http_class_wrapper, req)
+    except urllib2.URLError, e:
+      if type(e.reason) == ssl.SSLError and e.reason.args[0] == 1:
+        raise InvalidCertificateException(req.host, '',
+                                          e.reason.args[1])
+      raise
+
+  https_request = urllib2.HTTPSHandler.do_request_
+

paypal/interface.py

@@ -15,6 +15,7 @@
 from paypal.settings import PayPalConfig
 from paypal.response import PayPalResponse
 from paypal.exceptions import PayPalError, PayPalAPIResponseError
+from paypal.https_connection import CertValidatingHTTPSHandler
 
 logger = logging.getLogger('paypal.interface')
 
@@ -40,7 +41,7 @@ def __init__(self , config=None, **kwargs):
         else:
             # Take the kwargs and stuff them in a new PayPalConfig object.
             self.config = PayPalConfig(**kwargs)
-        
+
     def _encode_utf8(self, **kwargs):
         """
         UTF8 encodes all of the NVP values.
@@ -99,7 +100,20 @@ def _call(self, method, **kwargs):
         url = self._encode_utf8(**url_values)
         data = urllib.urlencode(url).encode('utf-8')
         req = urllib2.Request(self.config.API_ENDPOINT, data)
-        response = PayPalResponse(urllib2.urlopen(req).read().decode('utf-8'),
+
+        # If certificate provided build an opener that will validate PayPal server cert
+        if self.config.API_CA_CERTS:
+            handler = CertValidatingHTTPSHandler(ca_certs=self.config.API_CA_CERTS)
+            opener = urllib2.build_opener(handler)
+            if logger.isEnabledFor(logging.DEBUG):
+                logger.debug('Validating PayPal server with certificate:\n%s\n' % self.config.API_CA_CERTS)
+        else:
+            opener = urllib2.build_opener()
+            if logger.isEnabledFor(logging.DEBUG):
+                logger.debug('Skipping PayPal server certificate validation')
+
+        # Call paypal API
+        response = PayPalResponse(opener.open(req).read().decode('utf-8'),
                                   self.config)
 
         logger.debug('PayPal NVP API Endpoint: %s'% self.config.API_ENDPOINT)

paypal/settings.py

@@ -5,6 +5,7 @@
 is instantiated by the PayPalInterface object.
 """
 import logging
+import os
 from pprint import pformat
 
 from paypal.exceptions import PayPalConfigError, PayPalError
@@ -54,6 +55,10 @@ class PayPalConfig(object):
     # API Endpoints are just API server addresses.
     API_ENDPOINT = None
     PAYPAL_URL_BASE = None
+
+    # API Endpoint CA certificate chain
+    # (filename with path e.g. '/etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority.pem')
+    API_CA_CERTS = None
 
     # UNIPAY credentials
     UNIPAY_SUBJECT = None
@@ -92,6 +97,13 @@ def __init__(self, **kwargs):
         self.API_ENDPOINT= self._API_ENDPOINTS[self.API_AUTHENTICATION_MODE][self.API_ENVIRONMENT]
         self.PAYPAL_URL_BASE= self._PAYPAL_URL_BASE[self.API_ENVIRONMENT]        
 
+        # Set the CA_CERTS location
+        if 'API_CA_CERTS' not in kwargs:
+            kwargs['API_CA_CERTS']= self.API_CA_CERTS
+        if kwargs['API_CA_CERTS'] and not os.path.exists(kwargs['API_CA_CERTS']):
+            raise PayPalConfigError('Invalid API_CA_CERTS')
+        self.API_CA_CERTS = kwargs['API_CA_CERTS']
+
         # set the 3TOKEN required fields
         if self.API_AUTHENTICATION_MODE == '3TOKEN':
             for arg in ('API_USERNAME','API_PASSWORD','API_SIGNATURE'):