SyncplayClient: explicitly pass certifi as trustRoot for Twisted

- py2app: include pem in the bundle - requirements: add pem - SyncplayClient.start: explicitly use certifi store as trustRoot
Syncplay · Nov 5, 2022 · af0d000 · af0d000
1 parent 2aa7312
commit af0d000
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 8 deletions.
diff --git a/buildPy2app.py b/buildPy2app.py
@@ -17,7 +17,7 @@
 OPTIONS = {
     'iconfile': 'syncplay/resources/icon.icns',
     'extra_scripts': 'syncplayServer.py',
-    'includes': {'PySide2.QtCore', 'PySide2.QtUiTools', 'PySide2.QtGui', 'PySide2.QtWidgets', 'certifi', 'cffi'},
+    'includes': {'PySide2.QtCore', 'PySide2.QtUiTools', 'PySide2.QtGui', 'PySide2.QtWidgets', 'certifi', 'cffi', 'pem'},
     'excludes': {'PySide', 'PySide.QtCore', 'PySide.QtUiTools', 'PySide.QtGui', 'tkinter'},
     'qt_plugins': [
         'platforms/libqcocoa.dylib',

diff --git a/requirements.txt b/requirements.txt
@@ -1,4 +1,5 @@
 certifi>=2018.11.29
+pem>=21.2.0
 twisted[tls]>=16.4.0
 appnope>=0.1.0; sys_platform == 'darwin'
 pypiwin32>=223; sys_platform == 'win32'

diff --git a/syncplay/client.py b/syncplay/client.py
@@ -19,11 +19,13 @@
 from twisted.internet import reactor, task, defer, threads
 
 try:
+    SSL_CERT_FILE = None
     import certifi
-    from twisted.internet.ssl import Certificate, optionsForClientTLS
+    import pem
+    from twisted.internet.ssl import Certificate, optionsForClientTLS, trustRootFromCertificates
     certPath = certifi.where()
     if os.path.exists(certPath):
-        os.environ['SSL_CERT_FILE'] = certPath
+        SSL_CERT_FILE = certPath
     elif 'zip' in certPath:
         import tempfile
         import zipfile
@@ -32,7 +34,7 @@
         archive = zipfile.ZipFile(zipPath, 'r')
         tmpDir = tempfile.gettempdir()
         extractedPath = archive.extract(memberPath, tmpDir)
-        os.environ['SSL_CERT_FILE'] = extractedPath
+        SSL_CERT_FILE = extractedPath
 except:
     pass
 
@@ -831,10 +833,9 @@ def start(self, host, port):
         port = int(port)
         self._endpoint = HostnameEndpoint(reactor, host, port)
         try:
-            caCertFP = open(os.environ['SSL_CERT_FILE'])
-            caCertTwisted = Certificate.loadPEM(caCertFP.read().encode('utf-8'))
-            caCertFP.close()
-            self.protocolFactory.options = optionsForClientTLS(hostname=host)
+            certs = pem.parse_file(SSL_CERT_FILE)
+            trustRoot = trustRootFromCertificates([Certificate.loadPEM(str(cert)) for cert in certs])
+            self.protocolFactory.options = optionsForClientTLS(hostname=host, trustRoot=trustRoot)
             self._clientSupportsTLS = True
         except Exception as e:
             self.ui.showDebugMessage(str(e))