File 0001-pyVmomi-pinned-certificates-support.patch of Package python-pyvmomi

Overview Repositories Revisions Requests Users Attributes Meta

File 0001-pyVmomi-pinned-certificates-support.patch of Package python-pyvmomi

From 9a8956f7b4a91b491e63454b3eb3c59d4abb8a31 Mon Sep 17 00:00:00 2001
From: ddraganov <ddraganov@vmware.com>
Date: Wed, 31 Jul 2024 10:56:55 +0300
Subject: [PATCH] pyVmomi pinned certificates support

New:
SoapStubAdapter and the connect.py wrappers now allows passing a serverPemCert parameter.
serverPemCert is an ASCII string of a PEM-encoded SSL certificate of the host to which a connection is attempted. A replacement of thumbprint. If both fields are set, thumbprint should match serverPemCert.
CertificateMismatchException is thrown when there's a mismatch.

If the standard SSL verifications fails
	if serverPemCert or thumbprint is provided try to connect with an unverified connection and try to match the peer certificate
	else fail

pyVmomi now has a single point of establishing a server connection SoapAdapter._Connect()

Breaking changes in SoapAdapter.py:
	HTTPProxyConnection is removed because it is unnecessary as the connection logic is now streamlined
	SSLTunnelConnection is removed and replaced by _SSLTunnelConnection which inherits Python's standard HTTPSConnection.
	UnixSocketConnection is removed and replaced by _UnixSocketConnection which inherits Python's standard HTTPConnection.
---
 pyVim/connect.py       |  41 +++++++-
 pyVmomi/Security.py    |  38 ++++++++
 pyVmomi/SoapAdapter.py | 214 +++++++++++++++++++++++++----------------
 3 files changed, 207 insertions(+), 86 deletions(-)

diff --git a/pyVim/connect.py b/pyVim/connect.py
index 0609040..437065c 100644
--- a/pyVim/connect.py
+++ b/pyVim/connect.py
@@ -211,6 +211,7 @@ def Connect(host='localhost',
             httpProxyHost=None,
             httpProxyPort=80,
             thumbprint=None,
+            serverPemCert=None,
             sslContext=None,
             httpConnectionTimeout=None,
             connectionPoolTimeout=CONNECTION_POOL_IDLE_TIMEOUT_SEC,
@@ -260,8 +261,17 @@ def Connect(host='localhost',
     @type  httpProxyHost: string
     @param httpProxyPort The proxy server port.
     @type  httpProxyPort: int
-    @param thumbprint: host cert thumbprint
+    @param thumbprint: **** Deprecated. Use serverPemCert instead.
+                        If both fields are set, thumbprint should match
+                        serverPemCert.
+                        The SHA1/SHA256/SHA512 thumbprint of the server's
+                        SSL certificate.
+                        Some use a thumbprint of the form xx:xx:xx..:xx.
+                        We ignore the ":" characters.
     @type  thumbprint: string
+    @param serverPemCert: PEM-encoded SSL certificate of the
+                            host to which we are connecting.
+    @type  serverPemCert: string
     @param sslContext: SSL Context describing the various SSL options. It is only
                         supported in Python 2.7.9 or higher.
     @type  sslContext: SSL.Context
@@ -324,6 +334,7 @@ def Connect(host='localhost',
                        httpProxyHost,
                        httpProxyPort,
                        thumbprint,
+                       serverPemCert,
                        sslContext,
                        httpConnectionTimeout,
                        connectionPoolTimeout,
@@ -395,6 +406,7 @@ def __Login(host,
             httpProxyHost,
             httpProxyPort,
             thumbprint,
+            serverPemCert,
             sslContext,
             httpConnectionTimeout,
             connectionPoolTimeout,
@@ -430,8 +442,17 @@ def __Login(host,
     @type  httpProxyHost: string
     @param httpProxyPort The proxy server port.
     @type  httpProxyPort: int
-    @param thumbprint: host cert thumbprint
+    @param thumbprint: **** Deprecated. Use serverPemCert instead.
+                        If both fields are set, thumbprint should match
+                        serverPemCert.
+                        The SHA1/SHA256/SHA512 thumbprint of the server's
+                        SSL certificate.
+                        Some use a thumbprint of the form xx:xx:xx..:xx.
+                        We ignore the ":" characters.
     @type  thumbprint: string
+    @param serverPemCert: PEM-encoded SSL certificate of the
+                            host to which we are connecting.
+    @type  serverPemCert: string
     @param sslContext: SSL Context describing the various SSL options. It is only
                         supported in Python 2.7.9 or higher.
     @type  sslContext: SSL.Context
@@ -479,6 +500,7 @@ def __Login(host,
         httpProxyHost=httpProxyHost,
         httpProxyPort=httpProxyPort,
         thumbprint=thumbprint,
+        serverPemCert=serverPemCert,
         sslContext=sslContext,
         httpConnectionTimeout=httpConnectionTimeout,
         connectionPoolTimeout=connectionPoolTimeout,
@@ -814,6 +836,7 @@ def SmartStubAdapter(host='localhost',
                      httpProxyPort=80,
                      sslProxyPath=None,
                      thumbprint=None,
+                     serverPemCert=None,
                      cacertsFile=None,
                      preferredApiVersions=None,
                      acceptCompressedResponses=True,
@@ -872,6 +895,7 @@ def SmartStubAdapter(host='localhost',
                            httpProxyPort=httpProxyPort,
                            sslProxyPath=sslProxyPath,
                            thumbprint=thumbprint,
+                           serverPemCert=serverPemCert,
                            cacertsFile=cacertsFile,
                            version=supportedVersion,
                            acceptCompressedResponses=acceptCompressedResponses,
@@ -896,6 +920,7 @@ def SmartConnect(protocol='https',
                  httpProxyHost=None,
                  httpProxyPort=80,
                  thumbprint=None,
+                 serverPemCert=None,
                  sslContext=None,
                  httpConnectionTimeout=None,
                  connectionPoolTimeout=CONNECTION_POOL_IDLE_TIMEOUT_SEC,
@@ -948,8 +973,17 @@ def SmartConnect(protocol='https',
     @type  httpProxyHost: string
     @param httpProxyPort The proxy server port.
     @type  httpProxyPort: int
-    @param thumbprint: host cert thumbprint
+    @param thumbprint: **** Deprecated. Use serverPemCert instead.
+                        If both fields are set, thumbprint should match
+                        serverPemCert.
+                        The SHA1/SHA256/SHA512 thumbprint of the server's
+                        SSL certificate.
+                        Some use a thumbprint of the form xx:xx:xx..:xx.
+                        We ignore the ":" characters.
     @type  thumbprint: string
+    @param serverPemCert: PEM-encoded SSL certificate of the
+                            host to which we are connecting.
+    @type  serverPemCert: string
     @param sslContext: SSL Context describing the various SSL options. It is only
                         supported in Python 2.7.9 or higher.
     @type  sslContext: SSL.Context
@@ -1005,6 +1039,7 @@ def SmartConnect(protocol='https',
                    httpProxyHost=httpProxyHost,
                    httpProxyPort=httpProxyPort,
                    thumbprint=thumbprint,
+                   serverPemCert=serverPemCert,
                    sslContext=sslContext,
                    httpConnectionTimeout=httpConnectionTimeout,
                    connectionPoolTimeout=connectionPoolTimeout,
diff --git a/pyVmomi/Security.py b/pyVmomi/Security.py
index 15309ce..a0e69fc 100644
--- a/pyVmomi/Security.py
+++ b/pyVmomi/Security.py
@@ -4,6 +4,7 @@
 # Client security module.
 
 import hashlib
+import ssl
 
 _isSha1Enabled = True
 _isSha256Enabled = True
@@ -25,6 +26,17 @@ def SetSha512Enabled(state):
     _isSha512Enabled = state
 
 
+"""
+Verify that a thumbprint matches a certificate
+
+:param derCert: DER-encoded SSL certificate
+:type derCert: str
+:param thumbprint: SHA1/SHA256/SHA512 thumbprint
+                   of an SSL certificate
+:type thumbprint: str
+:returns: None
+:raises ThumbprintMismatchException
+"""
 def VerifyCertThumbprint(derCert, thumbprint):
     thumbprint_len = len(thumbprint)
     if thumbprint_len == 40 and _isSha1Enabled:
@@ -49,3 +61,29 @@ class ThumbprintMismatchException(Exception):
 
         self.expected = expected
         self.actual = actual
+
+
+"""
+Verify that two PEM certificates match
+
+:param actualCert: PEM-encoded SSL certificate
+:type actualCert: str
+:param expectedCert: PEM-encoded SSL certificate
+:type actualCert: str
+:returns: None
+:raises CertificateMismatchException
+"""
+def VerifyCert(actualCert, expectedCert):
+    actualCert = actualCert.strip()
+    expectedCert = expectedCert.strip()
+    if actualCert != expectedCert:
+        raise CertificateMismatchException(expectedCert, actualCert)
+
+
+class CertificateMismatchException(Exception):
+    def __init__(self, expected, actual):
+        Exception.__init__(self, "Certificate mismatch. Expected: \n{0}, "
+                                 "actual: \n{1}".format(expected, actual))
+
+        self.expected = expected
+        self.actual = actual
diff --git a/pyVmomi/SoapAdapter.py b/pyVmomi/SoapAdapter.py
index 64835d5..22c81f6 100644
--- a/pyVmomi/SoapAdapter.py
+++ b/pyVmomi/SoapAdapter.py
@@ -34,7 +34,7 @@ from .VmomiSupport import (
     GetWsdlName, GetWsdlNamespace, GetWsdlType, GuessWsdlMethod, GuessWsdlType,
     IsChildVersion, ManagedMethod, UnknownManagedMethod, ManagedObject,
     Object, PropertyPath, Type, binary, versionIdMap, versionMap)
-from .Security import VerifyCertThumbprint
+from .Security import VerifyCert, VerifyCertThumbprint
 from .Version import kind
 from . import version_info_str
 
@@ -1054,18 +1054,19 @@ class SoapStubAdapterBase(StubAdapterBase):
 
 
 # Subclass of HTTPConnection that connects over a Unix domain socket
-# instead of a TCP port.  The path of the socket is passed in place of
-# the hostname.  Fairly gross but does the job.
-class UnixSocketConnection(HTTPConnection):
-    # The HTTPConnection ctor expects a single argument, which it interprets
-    # as the host to connect to; for UnixSocketConnection, we instead interpret
+# instead of a TCP port. The path of the socket is passed in place of
+# the hostname. Fairly gross but does the job.
+class _UnixSocketConnection(HTTPConnection):
+    # The HTTPConnection constructor expects a single argument, which it interprets
+    # as the host to connect to; for _UnixSocketConnection, we instead interpret
     # the parameter as the filesystem path of the Unix domain socket.
-    def __init__(self, path):
+    def __init__(self, host, **kwargs):
         # Pass '' as the host to HTTPConnection; it doesn't really matter
         # what we pass (since we've overridden the connect method) as long
         # as it's a valid string.
-        HTTPConnection.__init__(self, '')
-        self.path = path
+        # kwargs allows to pass all other HTTPConnection constructor arguments
+        self.path = host
+        HTTPConnection.__init__(self, '', **kwargs)
 
     def connect(self):
         # Hijack the connect method of HTTPConnection to connect to the
@@ -1076,76 +1077,90 @@ class UnixSocketConnection(HTTPConnection):
         self.sock = sock
 
 
-def _VerifyThumbprint(thumbprint, connection):
-    """If there is a thumbprint, connect to the server and verify that the
-    SSL certificate matches the given thumbprint.  An exception is thrown
-    if there is a mismatch.
+def _VerifyPinnedIdentity(connection, certificate, thumbprint):
     """
-    if thumbprint and isinstance(connection, HTTPSConnection):
-        if not connection.sock:
-            connection.connect()
-        derCert = connection.sock.getpeercert(True)
+    Verify that the server connection SSL certificate
+    matches the given certificate or thumbprint.
+
+    :param connection: Server connection
+    :type connection: HTTPSConnection
+    :param certificate: PEM-encoded SSL certificate of the server
+    :type certificate: str
+    :param thumbprint: SHA1/SHA256/SHA512 thumbprint
+                       of an SSL certificate
+    :type thumbprint: str
+    :returns: None
+    :raises ThumbprintMismatchException or CertificateMismatchException
+    """
+    derCert = connection.sock.getpeercert(True)
+    if certificate:
+        pemCert = ssl.DER_cert_to_PEM_cert(derCert)
+        VerifyCert(pemCert, certificate)
+    elif thumbprint:
         VerifyCertThumbprint(derCert, thumbprint)
 
 
-# Stand-in for the HTTPSConnection class that will connect to a regular HTTP
-# proxy.
-class HTTPProxyConnection(object):
-    # @param proxyPath The path to pass to the CONNECT command.
-    # @param customHeaders Dictionary with custom HTTP headers.
-    def __init__(self, proxyPath, customHeaders=None):
-        self.proxyPath = proxyPath
-        self.customHeaders = customHeaders if customHeaders else {}
 
-    # Connects to an HTTP proxy server and initiates a tunnel to the destination
-    # specified by self.proxyPath.
-    #
-    # @param addr Address in the form of host:port
-    # @param port If no port number is passed,
-    #             the port is extracted from the addr string
-    # @param timeout Connection timeout in seconds
-    # @param context SSL Context with the desired SSL options
-    # @return HTTPSConnection to the destination
-    def __call__(self, addr, port, timeout, context):
-        conn = HTTPSConnection(host=addr, port=port,
-                               timeout=timeout, context=context)
-        conn.set_tunnel(self.proxyPath, headers=self.customHeaders)
-        return conn
+def _Connect(connection, serverPemCert=None, thumbprint=None):
+    """
+    Connect to the server specified when the connection object was created.
+
+    serverPemCert and thumbprint denote a pre-defined pinned
+    certificate/thumbprint which has been trusted by the user.
+    Whenever provided if that certificate/thumbprint of the peer exactly
+    matches the pinned certificate/thumbprint, then the connection is established.
+
+    :param connection: Server connection
+    :type connection: HTTPConnection
+    :param serverPemCert: PEM-encoded SSL certificate of the server
+    :type serverPemCert: str
+    :param thumbprint: SHA1/SHA256/SHA512 thumbprint
+                       of an SSL certificate
+    :type thumbprint: str
+    :returns: HTTPConnection
+    """
+    try:
+        connection.connect()
+    except ssl.SSLCertVerificationError as ex:
+        if serverPemCert or thumbprint:
+            connection._context.check_hostname = False
+            connection._context.verify_mode = ssl.CERT_NONE
+            connection.connect()
+            _VerifyPinnedIdentity(connection, serverPemCert, thumbprint)
+        else:
+            raise ex
+    return connection
 
 
-# Stand-in for the HTTPSConnection class that will connect to a proxy and
-# issue a CONNECT command to start an SSL tunnel.
-class SSLTunnelConnection(HTTPProxyConnection):
-    # Connects to a proxy server and initiates a tunnel to the destination
-    # specified by self.proxyPath.
-    # For Python Version < 2.7.9. cert_reqs=CERT_OPTIONAL to verify
-    # server certificate
-    #
-    # @param addr Address in the form of host:port
-    # @param port If no port number is passed,
-    #             the port is extracted from the addr string
-    # @param timeout Connection timeout in seconds
-    # @param context SSL Context with the desired SSL options
-    # @return HTTPSConnection to the destination
-    def __call__(self, addr, port=None, timeout=None, context=None):
-        tunnelConn = HTTPConnection(host=addr, port=port, timeout=timeout)
-        tunnelConn.request('CONNECT', self.proxyPath)
+# A subclass of HTTPConnection that uses SSL through an HTTP proxy tunnel
+class _SSLTunnelConnection(HTTPSConnection):
+
+    def connect(self):
+        tunnelConn = HTTPConnection(host=self.host,
+                                    port=self.port,
+                                    timeout=self.timeout)
+        tunnelConn.request('CONNECT', self._proxyPath)
         resp = tunnelConn.getresponse()
         if resp.status != 200:
             raise HTTPException(
                 "{0} {1}".format(resp.status, resp.reason))
 
-        conn = HTTPSConnection(host=tunnelConn.host,
-                               port=tunnelConn.port,
-                               context=context,
-                               timeout=timeout)
-        if conn.host in ('localhost', '127.0.0.1', '::1'):
-            conn._context.check_hostname = False
-            conn._context.verify_mode = ssl.CERT_NONE
+        if self.host in ('localhost', '127.0.0.1', '::1'):
+            self._context.check_hostname = False
+            self._context.verify_mode = ssl.CERT_NONE
 
-        conn.sock = conn._context.wrap_socket(sock=tunnelConn.sock,
+        self.sock = self._context.wrap_socket(sock=tunnelConn.sock,
                                               server_hostname=tunnelConn.host)
-        return conn
+
+    def setVcTunnel(self, proxyPath):
+        """
+        Set the path to use when tunneling through VC's reverse proxy
+        ex: /sdkTunnel
+
+        :param proxyPath: Tunnel path
+        :type proxyPath: str
+        """
+        self._proxyPath = proxyPath
 
 
 class GzipReader:
@@ -1244,10 +1259,21 @@ class SoapStubAdapter(SoapStubAdapterBase):
     # @param httpProxyHost The host name of the proxy server.
     # @param httpProxyPort The proxy server port.
     # @param sslProxyPath Path to use when tunneling through VC's reverse proxy
-    # @param thumbprint The SHA1/SHA256/SHA512 thumbprint of the server's
+    # @param thumbprint **** Deprecated. Use serverPemCert instead.
+    #                   If both fields are set, thumbprint should match
+    #                   serverPemCert.
+    #                   The SHA1/SHA256/SHA512 thumbprint of the server's
     #                   SSL certificate.
-    #   Some use a thumbprint of the form xx:xx:xx..:xx.  We ignore the ":"
-    #   characters.  If set to None, any thumbprint is accepted.
+    #                   Whenever provided if that thumbprint of the peer's
+    #                   certificate exactly matches the pinned thumbprint
+    #                   the connection is established.
+    #                   Some use a thumbprint of the form xx:xx:xx..:xx.
+    #                   We ignore the ":" characters.
+    # @param serverPemCert PEM-encoded SSL certificate of the
+    #                       host to which we are connecting.
+    #                       Whenever provided if that certificate of the peer
+    #                       exactly matches the pinned certificate
+    #                       the connection is established.
     # @param cacertsFile **** Deprecated. Please load cert to context and pass
     #                    context instread ****
     #                    sslContext.load_verify_locations(cafile=ca_cert_file)
@@ -1278,6 +1304,7 @@ class SoapStubAdapter(SoapStubAdapterBase):
                  httpProxyPort=80,
                  sslProxyPath=None,
                  thumbprint=None,
+                 serverPemCert=None,
                  cacertsFile=None,
                  version=None,
                  acceptCompressedResponses=True,
@@ -1297,12 +1324,16 @@ class SoapStubAdapter(SoapStubAdapterBase):
             version = 'vim.version.version9'
         SoapStubAdapterBase.__init__(self, version=version, sessionId=sessionId)
         if sock:
-            self.scheme = UnixSocketConnection
+            self.scheme = _UnixSocketConnection
             # Store sock in the host member variable because that's where
-            # the UnixSocketConnection ctor expects to find it -- see above
+            # the _UnixSocketConnection ctor expects to find it -- see above
             self.host = sock
         elif url:
-            url_scheme_specifier, self.host, urlpath = urlparse(url)[:3]
+            parse_result = urlparse(url)
+            url_scheme_specifier = parse_result.scheme
+            self.host = parse_result.netloc
+            port = parse_result.port
+            urlpath = parse_result.path
             # Only use the URL path if it's sensible, otherwise use the path
             # keyword argument as passed in.
             if urlpath not in ('', '/'):
@@ -1317,8 +1348,10 @@ class SoapStubAdapter(SoapStubAdapterBase):
             if host.find(':') != -1 and host[0] != '[':  # is IPv6?
                 host = '[' + host + ']'
             self.host = '{0}:{1}'.format(host, port)
+        self.port = port
 
         self.path = path
+        self.serverPemCert = serverPemCert
         if thumbprint:
             self.thumbprint = thumbprint.replace(":", "").lower()
             if len(self.thumbprint) not in (40, 64, 128):
@@ -1329,18 +1362,17 @@ class SoapStubAdapter(SoapStubAdapterBase):
 
         self.is_tunnel = False
         if sslProxyPath:
-            self.scheme = SSLTunnelConnection(sslProxyPath, customHeaders)
+            self.sslProxyPath = sslProxyPath
+            self.scheme = _SSLTunnelConnection
             self.is_tunnel = True
         elif httpProxyHost:
-            self.scheme = HTTPProxyConnection(self.host, customHeaders)
-            self.is_tunnel = True
-
             # Is httpProxyHost IPv6
             if httpProxyHost.find(':') != -1 and httpProxyHost[0] != '[':
-                httpProxyHost = '[' + httpProxyHost + ']'
-
-            # Swap the actual host with the proxy.
-            self.host = "{0}:{1}".format(httpProxyHost, httpProxyPort)
+                self.httpProxyHost = '[' + httpProxyHost + ']'
+            else:
+                self.httpProxyHost = httpProxyHost
+            self.httpProxyPort = httpProxyPort
+            self.is_tunnel = True
         self.poolSize = poolSize
         self.pool = []
         self.connectionPoolTimeout = connectionPoolTimeout
@@ -1499,15 +1531,31 @@ class SoapStubAdapter(SoapStubAdapterBase):
         self.lock.acquire()
         self._CloseIdleConnections()
         if self.pool:
-            result, _ = self.pool.pop(0)
+            conn, _ = self.pool.pop(0)
             self.lock.release()
         else:
             self.lock.release()
-            result = self.scheme(self.host, **self.schemeArgs)
 
-            _VerifyThumbprint(self.thumbprint, result)
+            # Python fails if both host:port pair
+            # and port are used for HTTPConnection
+            host = getattr(self, 'httpProxyHost', self.host.rsplit(":", 1)[0])
+            port = getattr(self, 'httpProxyPort', self.port)
+
+            # Fix for gh-100985 which is fixed
+            # in Python 3.11.9 and Python 3.12.4
+            if host and host[0] == '[' and host[-1] == ']':
+               host = host[1:-1]
+
+            conn = self.scheme(host=host, port=port, **self.schemeArgs)
+            if self.is_tunnel:
+                if hasattr(self, 'sslProxyPath'):
+                    conn.setVcTunnel(self.sslProxyPath)
+                elif hasattr(self, 'httpProxyHost'):
+                    customHeaders = self._customHeaders if self._customHeaders else {}
+                    conn.set_tunnel(host, port, customHeaders)
+            _Connect(connection=conn, serverPemCert=self.serverPemCert, thumbprint=self.thumbprint)
 
-        return result
+        return conn
 
     # Drop all cached connections to the server.
     def DropConnections(self):
-- 
2.46.0

Places

File 0001-pyVmomi-pinned-certificates-support.patch of Package python-pyvmomi

Places