Pinned root cert (#1137)

* typo

* pin cert

* depricated warnning

* don't require 0x

* Fix lint issue w black and update GUI pin

Co-authored-by: Gene Hoffman <hoffmang@hoffmang.com>

build_scripts/daemon.spec

@@ -89,7 +89,7 @@ full_node = Analysis([f"{root}/src/server/start_full_node.py"],
 wallet = Analysis([f"{root}/src/server/start_wallet.py"],
              pathex=[f"{root}/venv/lib/python3.7/site-packages/aiter/", f"{root}"],
              binaries = [],
-             datas=[(f"../src/ssl/chia_ca.key", f"./src/ssl/"), (f"../src/ssl/chia_ca.crt", f"./src/ssl/"), (f"../src/util/english.txt", f"./src/util/"), version_data ] + hex_puzzles,
+             datas=[(f"../src/ssl/dst_root_ca.pem", f"./src/ssl/"), (f"../src/ssl/chia_ca.key", f"./src/ssl/"), (f"../src/ssl/chia_ca.crt", f"./src/ssl/"), (f"../src/util/english.txt", f"./src/util/"), version_data ] + hex_puzzles,
              hiddenimports=subcommand_modules,
              hookspath=[],
              runtime_hooks=[],

build_scripts/daemon_windows.spec

@@ -87,7 +87,7 @@ full_node = Analysis([f"../src/server/start_full_node.py"],
 wallet = Analysis([f"../src/server/start_wallet.py"],
              pathex=[f"../venv/lib/python3.7/site-packages/aiter/", f"../"],
              binaries = [],
-             datas=[(f"../src/ssl/chia_ca.key", f"./src/ssl/"), (f"../src/ssl/chia_ca.crt", f"./src/ssl/"), (f"../src/util/english.txt", f"./src/util/"), version_data ] + hex_puzzles,
+             datas=[(f"../src/ssl/dst_root_ca.pem", f"./src/ssl/"), (f"../src/ssl/chia_ca.key", f"./src/ssl/"), (f"../src/ssl/chia_ca.crt", f"./src/ssl/"), (f"../src/util/english.txt", f"./src/util/"), version_data ] + hex_puzzles,
              hiddenimports=subcommand_modules,
              hookspath=[],
              runtime_hooks=[],

chia-blockchain-gui

@@ -1 +1 @@
-Subproject commit b845aafba7843a07ddb2ed936d88bd39a46e060d
+Subproject commit 52dd1b3875e70b0010c492283e6c08cf96848630

setup.py

@@ -91,7 +91,10 @@ kwargs = dict(
             "chia_full_node_simulator = src.simulator.start_simulator:main",
         ]
     },
-    package_data={"src.util": ["initial-*.yaml", "english.txt"], "src.ssl": ["chia_ca.crt", "chia_ca.key"]},
+    package_data={
+        "src.util": ["initial-*.yaml", "english.txt"],
+        "src.ssl": ["chia_ca.crt", "chia_ca.key", "dst_root_ca.pem"],
+    },
     use_scm_version={"fallback_version": "unknown-no-.git-directory"},
     long_description=open("README.md").read(),
     long_description_content_type="text/markdown",

src/consensus/constants.py

@@ -72,7 +72,7 @@ class ConsensusConstants:
         """
 
         for k, v in changes.items():
-            if isinstance(v, str) and v.startswith("0x"):
+            if isinstance(v, str):
                 changes[k] = hexstr_to_bytes(v)
 
         return dataclasses.replace(self, **changes)

src/daemon/server.py

@@ -12,11 +12,11 @@ import uuid
 import time
 from typing import Dict, Any, List, Tuple, Optional, TextIO, cast
 from concurrent.futures import ThreadPoolExecutor
-
 from websockets import serve, ConnectionClosedOK, WebSocketException, WebSocketServerProtocol
 from src.cmds.init import chia_init
 from src.daemon.windows_signal import kill
-from src.server.server import ssl_context_for_server
+from src.server.server import ssl_context_for_server, ssl_context_for_root
+from src.ssl.create_ssl import get_dst_ca_crt
 from src.util.setproctitle import setproctitle
 from src.util.validate_alert import validate_alert
 from src.util.ws_message import format_response, create_payload
@@ -49,7 +49,9 @@ service_plotter = "chia plots create"
 async def fetch(url: str):
     session = ClientSession()
     try:
-        response = await session.get(url)
+        dst_root = get_dst_ca_crt()
+        ssl_context = ssl_context_for_root(dst_root.decode())
+        response = await session.get(url, ssl=ssl_context)
         await session.close()
         return await response.text()
     except Exception as e:

src/server/server.py

@@ -37,6 +37,13 @@ def ssl_context_for_server(
     return ssl_context
 
 
+def ssl_context_for_root(
+    ca_cert: str,
+) -> Optional[ssl.SSLContext]:
+    ssl_context = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cadata=ca_cert)
+    return ssl_context
+
+
 def ssl_context_for_client(
     ca_cert: Path,
     ca_key: Path,

src/ssl/create_ssl.py

@@ -17,6 +17,11 @@ def get_chia_ca_crt_key() -> Tuple[Any, Any]:
     return crt, key
 
 
+def get_dst_ca_crt() -> bytes:
+    crt = pkg_resources.resource_string(__name__, "dst_root_ca.pem")
+    return crt
+
+
 def generate_ca_signed_cert(ca_crt: bytes, ca_key: bytes, cert_out: Path, key_out: Path):
     one_day = datetime.timedelta(1, 0, 0)
     root_cert = x509.load_pem_x509_certificate(ca_crt, default_backend())

src/ssl/dst_root_ca.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
+PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
+Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
+rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
+OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
+xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
+7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
+aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
+SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
+ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
+AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
+R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
+JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
+Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
+-----END CERTIFICATE-----