SSL certificate verification.

MANIFEST.in

@@ -2,6 +2,7 @@ include AUTHORS.txt
 include LICENSE.txt
 include CHANGES.txt
 include PROJECT.txt
+include pip/cacert.pem
 recursive-include docs *.txt
 recursive-include docs *.html
 recursive-exclude docs/_build *.txt

pip/backwardcompat.py

@@ -110,3 +110,15 @@ def home_lib(home):
     else:
         lib = os.path.join('lib', 'python')
     return os.path.join(home, lib)
+
+
+## py25 has no builtin ssl module
+## only >=py32 has ssl.match_hostname and ssl.CertificateError
+try:
+    import ssl
+    try:
+        from ssl import match_hostname, CertificateError
+    except ImportError:
+        from backwardcompat_ssl import match_hostname, CertificateError
+except ImportError:
+    ssl = None

pip/backwardcompat_ssl.py

@@ -0,0 +1,60 @@
+"""The match_hostname() function from Python 3.2, essential when using SSL."""
+
+import re
+
+__version__ = '3.2a3'
+
+class CertificateError(ValueError):
+    pass
+
+def _dnsname_to_pat(dn):
+    pats = []
+    for frag in dn.split(r'.'):
+        if frag == '*':
+            # When '*' is a fragment by itself, it matches a non-empty dotless
+            # fragment.
+            pats.append('[^.]+')
+        else:
+            # Otherwise, '*' matches any dotless fragment.
+            frag = re.escape(frag)
+            pats.append(frag.replace(r'\*', '[^.]*'))
+    return re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
+
+def match_hostname(cert, hostname):
+    """Verify that *cert* (in decoded format as returned by
+    SSLSocket.getpeercert()) matches the *hostname*.  RFC 2818 rules
+    are mostly followed, but IP addresses are not accepted for *hostname*.
+
+    CertificateError is raised on failure. On success, the function
+    returns nothing.
+    """
+    if not cert:
+        raise ValueError("empty or no certificate")
+    dnsnames = []
+    san = cert.get('subjectAltName', ())
+    for key, value in san:
+        if key == 'DNS':
+            if _dnsname_to_pat(value).match(hostname):
+                return
+            dnsnames.append(value)
+    if not san:
+        # The subject is only checked when subjectAltName is empty
+        for sub in cert.get('subject', ()):
+            for key, value in sub:
+                # XXX according to RFC 2818, the most specific Common Name
+                # must be used.
+                if key == 'commonName':
+                    if _dnsname_to_pat(value).match(hostname):
+                        return
+                    dnsnames.append(value)
+    if len(dnsnames) > 1:
+        raise CertificateError("hostname %r "
+            "doesn't match either of %s"
+            % (hostname, ', '.join(map(repr, dnsnames))))
+    elif len(dnsnames) == 1:
+        raise CertificateError("hostname %r "
+            "doesn't match %r"
+            % (hostname, dnsnames[0]))
+    else:
+        raise CertificateError("no appropriate commonName or "
+            "subjectAltName fields were found")

pip/cmdoptions.py

@@ -21,7 +21,7 @@ def make_option_group(group, parser):
     '-i', '--index-url', '--pypi-url',
     dest='index_url',
     metavar='URL',
-    default='http://pypi.python.org/simple/',
+    default='https://pypi.python.org/simple/',
     help='Base URL of Python Package Index (default %default).')
 
 extra_index_url = make_option(

pip/commands/install.py

@@ -12,6 +12,7 @@
 from pip.exceptions import InstallationError, CommandError
 from pip.backwardcompat import home_lib
 from pip.cmdoptions import make_option_group, index_group
+from pip.util import warn_if_no_ssl
 
 
 class InstallCommand(Command):
@@ -196,6 +197,7 @@ def _build_package_finder(self, options, index_urls):
                              mirrors=options.mirrors)
 
     def run(self, options, args):
+        warn_if_no_ssl()
         if options.download_dir:
             options.no_install = True
             options.ignore_installed = True

pip/download.py

@@ -5,17 +5,20 @@
 import os
 import re
 import shutil
+import socket
 import sys
 import tempfile
-from pip.backwardcompat import (xmlrpclib, urllib, urllib2,
-                                urlparse, string_types)
+from pip.backwardcompat import (xmlrpclib, urllib, urllib2, httplib,
+                                urlparse, string_types, ssl)
+if ssl:
+    from pip.backwardcompat import match_hostname
 from pip.exceptions import InstallationError
 from pip.util import (splitext, rmtree, format_size, display_path,
                       backup_dir, ask_path_exists, unpack_file,
                       create_download_cache_folder, cache_download)
 from pip.vcs import vcs
 from pip.log import logger
-
+from pip.locations import cert_path
 
 __all__ = ['xmlrpclib_transport', 'get_file_content', 'urlopen',
            'is_url', 'url_to_path', 'path_to_url', 'path_to_url2',
@@ -65,6 +68,32 @@ def get_file_content(url, comes_from=None):
 _scheme_re = re.compile(r'^(http|https|file):', re.I)
 _url_slash_drive_re = re.compile(r'/*([a-z])\|', re.I)
 
+class VerifiedHTTPSConnection(httplib.HTTPSConnection):
+    def connect(self):
+        # overrides the version in httplib so that we do
+        #    certificate verification
+        sock = socket.create_connection((self.host, self.port), self.timeout)
+        if self._tunnel_host:
+            self.sock = sock
+            self._tunnel()
+        # wrap the socket using verification with the root
+        #    certs in trusted_root_certs
+        self.sock = ssl.wrap_socket(sock,
+                                self.key_file,
+                                self.cert_file,
+                                cert_reqs=ssl.CERT_REQUIRED,
+                                ca_certs=cert_path)
+        match_hostname(self.sock.getpeercert(), self.host)
+
+
+# wraps https connections with ssl certificate verification
+class VerifiedHTTPSHandler(urllib2.HTTPSHandler):
+    def __init__(self, connection_class = VerifiedHTTPSConnection):
+        self.specialized_conn_class = connection_class
+        urllib2.HTTPSHandler.__init__(self)
+    def https_open(self, req):
+        return self.do_open(self.specialized_conn_class, req)
+
 
 class URLOpener(object):
     """
@@ -83,7 +112,7 @@ def __call__(self, url):
         url, username, password = self.extract_credentials(url)
         if username is None:
             try:
-                response = urllib2.urlopen(self.get_request(url))
+                response = self.get_opener().open(url)
             except urllib2.HTTPError:
                 e = sys.exc_info()[1]
                 if e.code != 401:
@@ -120,10 +149,21 @@ def get_response(self, url, username=None, password=None):
                 self.passman.add_password(None, netloc, username, password)
             stored_username, stored_password = self.passman.find_user_password(None, netloc)
         authhandler = urllib2.HTTPBasicAuthHandler(self.passman)
-        opener = urllib2.build_opener(authhandler)
+        opener = self.get_opener(authhandler)
         # FIXME: should catch a 401 and offer to let the user reenter credentials
         return opener.open(req)
 
+    def get_opener(self, *args):
+        """
+        If ssl module is available, will return secure (verified HTTPS) opener
+        Otherwise, standard.
+        """
+        if ssl:
+            https_handler = VerifiedHTTPSHandler()
+            return urllib2.build_opener(https_handler, *args)
+        else:
+            return urllib2.build_opener(*args)
+
     def setup(self, proxystr='', prompting=True):
         """
         Sets the proxy handler given the option passed on the command

pip/index.py

@@ -22,7 +22,9 @@
 from pip.backwardcompat import (WindowsError, BytesIO,
                                 Queue, urlparse,
                                 URLError, HTTPError, u,
-                                product, url2pathname)
+                                product, url2pathname, ssl)
+if ssl:
+    from pip.backwardcompat import CertificateError
 from pip.backwardcompat import Empty as QueueEmpty
 from pip.download import urlopen, path_to_url2, url_to_path, geturl, Urllib2HeadRequest
 
@@ -485,6 +487,9 @@ def get_page(cls, link, req, cache=None, skip_archives=True):
                 level =1
                 desc = 'timed out'
             elif isinstance(e, URLError):
+                #ssl/certificate error
+                if ssl and hasattr(e, 'reason') and (isinstance(e.reason, ssl.SSLError) or isinstance(e.reason, CertificateError)):
+                    desc = 'there was a problem confirming the ssl certificate %s' % e
                 log_meth = logger.info
                 if hasattr(e, 'reason') and isinstance(e.reason, socket.timeout):
                     desc = 'timed out'

pip/locations.py

@@ -8,6 +8,7 @@
 from pip.backwardcompat import get_python_lib
 import pip.exceptions
 
+cert_path = os.path.join(os.path.dirname(__file__), 'cacert.pem')
 
 def running_under_virtualenv():
     """

pip/util.py

@@ -8,8 +8,10 @@
 import zipfile
 import tarfile
 import subprocess
+import textwrap
 from pip.exceptions import InstallationError, BadCommand
-from pip.backwardcompat import WindowsError, string_types, raw_input, console_to_str, user_site
+from pip.backwardcompat import(WindowsError, string_types, raw_input,
+                                console_to_str, user_site, ssl)
 from pip.locations import site_packages, running_under_virtualenv, virtualenv_no_global
 from pip.log import logger
 
@@ -664,3 +666,18 @@ def call_subprocess(cmd, show_stdout=True,
                 % (command_desc, proc.returncode, cwd))
     if stdout is not None:
         return ''.join(all_output)
+
+
+def warn_if_no_ssl():
+    """Warn when there's no ssl"""
+    if not ssl:
+        logger.warn(textwrap.dedent("""
+            #############################################################
+            ##  WARNING!!                                              ##
+            ##  You don't have an importable ssl module.               ##
+            ##  We can not provide ssl certified downloads from PyPI.  ##
+            ##  Install this: http://pypi.python.org/pypi/ssl/         ##
+            ##  It provides ssl support for older Pythons.             ##
+            #############################################################
+            """))
+

setup.py

@@ -48,6 +48,7 @@ def find_version(*file_paths):
       url='http://www.pip-installer.org',
       license='MIT',
       packages=['pip', 'pip.commands', 'pip.vcs'],
+      package_data={'pip': ['*.pem']},
       entry_points=dict(console_scripts=['pip=pip:main', 'pip-%s=pip:main' % sys.version[:3]]),
       test_suite='nose.collector',
       tests_require=tests_require,