Ignore certifi.where() passed to load_verify_locations()

sethmlarson · Mar 10, 2022 · 93df4b4 · 93df4b4
1 parent c3c250d
commit 93df4b4
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 11 deletions.
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
-# truststore
+# Truststore
 
-[![CI](https://github.com/sethmlarson/python-truststore/actions/workflows/ci.yml/badge.svg)](https://github.com/sethmlarson/python-truststore/actions/workflows/ci.yml)
+[![CI](https://github.com/sethmlarson/truststore/actions/workflows/ci.yml/badge.svg)](https://github.com/sethmlarson/truststore/actions/workflows/ci.yml)
 
 Verify certificates using OS trust stores. Supports macOS, Windows, and Linux (with OpenSSL). **This project should be considered experimental.**
 
@@ -25,7 +25,7 @@ http.request("GET", "https://example.com")
 import aiohttp
 
 http = aiohttp.ClientSession()
-http.request("GET", "https://example.com", ssl=ctx)
+await http.request("GET", "https://example.com", ssl=ctx)
 ```
 
 ## Platforms

diff --git a/dev-requirements.txt b/dev-requirements.txt
@@ -1,4 +1,5 @@
 aiohttp
+certifi
 pytest
 pytest-asyncio
 urllib3
diff --git a/truststore.py b/truststore.py
@@ -6,15 +6,15 @@
 import re
 import socket
 import ssl
-from typing import Any, Dict, List, Match, Optional, Tuple, Union
+from typing import Any, List, Match, Optional, Tuple, Union
 
 from _ssl import ENCODING_DER
 
-__all__ = ["Truststore"]
+__all__ = ["TruststoreSSLContext"]
 __version__ = "0.1.0"
 
 try:
-    # Grab this value so we know which paths to ignore.
+    # Grab this value so we know which path we can ignore.
     import certifi
 
     _CERTIFI_WHERE = certifi.where()
@@ -431,8 +431,9 @@ def _verify_peercerts_impl(
 class TruststoreSSLContext(ssl.SSLContext):
     """SSLContext API that uses system certificates on all platforms"""
 
-    def __init__(self):
-        self._ctx = ssl.create_default_context()
+    def __init__(self, protocol: int = None):
+        self._ctx = ssl.SSLContext(protocol)
+        _configure_context(self._ctx)
 
         class TruststoreSSLObject(ssl.SSLObject):
             # This object exists because wrap_bio() doesn't
@@ -448,7 +449,6 @@ def do_handshake(self) -> None:
                 return ret
 
         self._ctx.sslobject_class = TruststoreSSLObject
-        _configure_context(self._ctx)
 
     def wrap_socket(self, sock: socket.socket, server_hostname: Optional[str] = None):
         ssl_sock = self._ctx.wrap_socket(sock, server_hostname=server_hostname)
@@ -476,9 +476,9 @@ def load_verify_locations(
         # Ignore certifi.where() being used as a default, otherwise we raise an error.
         if (
             _CERTIFI_WHERE
-            and cafile == _CERTIFI_WHERE
-            or capath == _CERTIFI_WHERE
             and not cadata
+            and (cafile is None or cafile == _CERTIFI_WHERE)
+            and (capath is None or capath == _CERTIFI_WHERE)
         ):
             return
         raise NotImplementedError(