use cryptography module

[milahu]

make aia 30x faster

$ time python -c "import aia; aia_session = aia.AIASession(); url = 'https://www788.ucdn.to:183/'; cadata = aia_session.cadata_from_url(url); # print(cadata)"

real    0m2.561s
user    0m1.183s
sys     0m0.154s

before

$ time python -c "import aia; aia_session = aia.AIASession(); url = 'https://www788.ucdn.to:183/'; cadata = aia_session.cadata_from_url(url); # print(cadata)"

real    1m7.455s
user    0m56.139s
sys     0m6.182s

downstream PR: pyload/pyload#4478

cache cadata by host regex

save memory and time

in this example, target_name is *.ucdn.to
so cadata is computed only for the first request with www788.ucdn.to
and the cached value is used for www123.UCDN.to

$ python -c "import aia; import time; aia_session = aia.AIASession(); url = 'https://www788.ucdn.to:183/'; t1 = time.time(); cadata = aia_session.cadata_from_url(url); print(time.time() - t1); url = 'https://www123.UCDN.to:183/';  t1 = time.time(); cadata = aia_session.cadata_from_url(url); print(time.time() - t1);"
0.7428784370422363
0.00014781951904296875

custom caching

the new method cadata_and_host_regex_from_host
is useful to implement custom caching
without having to re-parse the leaf cert for the host regex

for example, pycurl loads cacert from a file
so the certs for *.ucdn.to can be stored in cache/certs/_.ucdn.to.crt
and host_regex can be used to select the cert file

caching fetched certs

allow the user to cache fetched certs to disk

so for example, when fetching the cert from
http://secure.globalsign.com/cacert/gsgccr6alphasslca2023.crt
then store the cert in
/tmp/aia-certs/secure.globalsign.com/cacert/gsgccr6alphasslca2023.crt

aia_session = aia.AIASession(cert_cache='/tmp/aia-certs')

this is useful to address the privacy concerns with AIA

AIA by itself isn’t posing any risk to the security aspects of TLS, but there might be privacy implications with the hosting service of the intermediate certificates getting requests from the client which it otherwise would not have.

todo: fetch all certs from server

currently we fetch only the first cert = leaf cert
ss.getpeercert(True)

to fetch all certs:
see also Getting certificate chain with Python 3.3 SSL module

for example, www.google.com:443 returns 3 certs

0 subject: <X509Name object '/CN=www.google.com'>
  issuer: <X509Name object '/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3'>)
  fingerprint: b'B3:22:59:5F:56:F1:86:51:9F:ED:50:13:3E:AA:BD:6B:DD:16:3B:04'
1 subject: <X509Name object '/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3'>
  issuer: <X509Name object '/C=US/O=Google Trust Services LLC/CN=GTS Root R1'>)
  fingerprint: b'1E:7E:F6:47:CB:A1:50:28:1C:60:89:72:57:10:28:78:C4:BD:8C:DC'
2 subject: <X509Name object '/C=US/O=Google Trust Services LLC/CN=GTS Root R1'>
  issuer: <X509Name object '/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA'>)
  fingerprint: b'08:74:54:87:E8:91:C1:9E:30:78:C1:F2:A0:7E:45:29:50:EF:36:F6'

cert 2 is signed by GlobalSign Root CA which is in the default ca-bundle.crt
so the full chain is valid, and there is no need to fetch certs

to compare: www788.ucdn.to:183 returns 2 certs
but for cert 0, the issuer GlobalSign GCC R6 AlphaSSL CA is missing
so this cert must be fetched from
http://secure.globalsign.com/cacert/gsgccr6alphasslca2023.crt
... which is issued by CN = GlobalSign which is in the default ca-bundle.crt

0 subject: <X509Name object '/CN=*.ucdn.to'>
  issuer: <X509Name object '/C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R6 AlphaSSL CA 2023'>)
  fingerprint: b'F0:65:DF:D9:14:1B:89:95:5F:85:B5:B3:39:5C:ED:CA:7E:F5:AC:2C'
1 subject: <X509Name object '/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA'>
  issuer: <X509Name object '/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA'>)
  fingerprint: b'B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C'