... allow cafile list ...

danilobellini · Jun 2, 2024 · 3b3f635 · 3b3f635
1 parent 3b1a69a
commit 3b3f635
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 9 deletions.
diff --git a/aia.py b/aia.py
@@ -170,20 +170,38 @@ def __init__(
         """
         logger.debug("creating AIASession")
         self.user_agent = user_agent
-        self.cafile = cafile
-        if cafile:
-            if not os.path.exists(cafile):
-                raise FileNotFoundError(cafile)
-        else:
-            import certifi
-
-            self.cafile = cafile = certifi.where()
         self.cache_db = cache_db
         self.cache_db_con = None
         self.cache_db_cur = None
         self.cache_dir = cache_dir
         self._context = OpenSSL.SSL.Context(method=OpenSSL.SSL.TLS_CLIENT_METHOD)
-        self._context.load_verify_locations(cafile=self.cafile)
+        self.cafile = None
+        if cafile:
+            cafile_list = cafile if isinstance(cafile, list) else [cafile]
+        else:
+            import certifi
+
+            cafile_list = [certifi.where()]
+        for cafile in cafile_list:
+            if not os.path.exists(cafile):
+                logger.debug(f"cafile is missing: {cafile}")
+                continue
+            if os.path.getsize(cafile) == 0:
+                logger.debug(f"cafile is empty: {cafile}")
+                continue
+            try:
+                self._context.load_verify_locations(cafile)
+                logger.debug(f"loaded cafile {cafile}")
+                self.cafile = cafile
+                break
+            except OpenSSL.SSL.Error as exc:
+                logger.debug(f"failed to load cafile {cafile}: {exc}")
+        if self.cafile is None:
+            import certifi
+
+            self.cafile = certifi.where()
+            logger.debug(f"failed to load cafile. using default cafile {self.cafile}")
+            self._context.load_verify_locations(self.cafile)
         self._cadata_from_host_regex = dict()
         self._trusted_root_certs = list()
 

diff --git a/test/test.py b/test/test.py
@@ -599,6 +599,38 @@ def handle_exit():
 
     print("-" * 80)
 
+    test_name = "aia_session.aia_chase with cafile list"
+    print(f"{test_name} ...")
+    # create new session with cafile list
+    print("destroying aia_session")
+    del aia_session
+    print("creating aia_session")
+    # note: use same ca-bundle.crt for curl and aia
+    aia_session = aia.AIASession(
+        cafile=[
+            "/no/such/file",
+            "/",
+            cert0_path,
+        ],
+    )
+    url = https_server_url
+    url_parsed = urlsplit(url)
+    host = url_parsed.netloc  # note: netloc is host and port
+    # print(f"parsed host {repr(host)} from url {repr(url)}")
+    try:
+        verified_cert_chain, missing_certs = aia_session.aia_chase(
+            host,
+            timeout=1,
+            max_chain_depth=100,
+        )
+        # print("verified_cert_chain"); aia.print_chain(verified_cert_chain)
+        # print("missing_certs"); aia.print_chain(missing_certs)
+    except Exception:
+        raise
+    print(f"{test_name} ok")
+
+    print("-" * 80)
+
     # TODO test max_chain_depth=1
 
     # curl does not-yet support AIA