Merge aa2a55c into 7736fdd

seanbudd · web-flow · commit 3384603aa556 · 2025-07-10T03:16:08.000Z
diff --git a/pyproject.toml b/pyproject.toml
@@ -29,6 +29,8 @@ dependencies = [
 	# pinned to a commit in tool.uv.sources
 	"configobj",
 	"requests==2.32.3",
+	# Overrides certifi so that requests uses system certificates instead
+	"pip_system_certs==5.2",
 	"url-normalize==1.4.3",
 	"schedule==1.2.2",
 	# NVDA_DMP requires diff-match-patch
@@ -122,6 +124,7 @@ only_licenses = ["BSD", "MIT", "Python", "LGPLV3+", "Apache"]
 ignore_packages = [
 	# Compatible licenses:
 	"certifi",  # Mozilla Public License 2.0
+	"pip_system_certs",  # BSD 2-Clause "Simplified" License, but not in PyPI
 	"markdown-link-attr-modifier",  # GPLV3 license, but not in PyPI correctly
 	"pycaw",  # MIT license, but not in PyPI
 	"urllib3",  # MIT license, but not in PyPI
diff --git a/source/_remoteClient/server.py b/source/_remoteClient/server.py
@@ -33,6 +33,7 @@
 from select import select
 from itertools import count
 from typing import Any, Final
+from unittest import mock
 
 import cffi  # noqa # required for cryptography
 from cryptography import x509
@@ -294,7 +295,13 @@ def createServerSocket(self, family: int, type: int, bindAddress: tuple[str, int
 		"""
 		serverSocket = socket.socket(family, type)
 		sslContext = self.certManager.createSSLContext()
-		serverSocket = sslContext.wrap_socket(serverSocket, server_side=True)
+
+		# Prevent pip_system_certs from patching wrap_socket due to a bug.
+		with mock.patch(
+			"pip._vendor.truststore._api._verify_peercerts",
+			lambda *a, **kw: None,
+		):
+			serverSocket = sslContext.wrap_socket(serverSocket, server_side=True)
 		serverSocket.bind(bindAddress)
 		serverSocket.listen(5)  # Set the maximum number of queued connections
 		return serverSocket
diff --git a/source/_remoteClient/transport.py b/source/_remoteClient/transport.py
@@ -36,6 +36,7 @@
 from logHandler import log
 from queue import Queue
 from typing import Any, Literal, Optional, Self
+from unittest import mock
 
 import wx
 from extensionPoints import Action, HandlerRegistrar
@@ -433,14 +434,21 @@ def createOutboundSocket(
 			serverSock.settimeout(self.timeout)
 		serverSock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
 		serverSock.ioctl(socket.SIO_KEEPALIVE_VALS, (1, 60000, 2000))
-		ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
+		ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+		ctx.minimum_version = ssl.TLSVersion.TLSv1_2
+		ctx.maximum_version = ssl.TLSVersion.TLSv1_3
 		if insecure:
 			ctx.verify_mode = ssl.CERT_NONE
 			log.warn(f"Skipping certificate verification for {host}:{port}")
 		ctx.check_hostname = not insecure
 		ctx.load_default_certs()
 
-		serverSock = ctx.wrap_socket(sock=serverSock, server_hostname=host)
+		# Prevent pip_system_certs from patching wrap_socket due to a bug.
+		with mock.patch(
+			"pip._vendor.truststore._api._verify_peercerts",
+			lambda *a, **kw: None,
+		):
+			serverSock = ctx.wrap_socket(sock=serverSock, server_hostname=host)
 		return serverSock
 
 	def getpeercert(
diff --git a/source/addonStore/dataManager.py b/source/addonStore/dataManager.py
@@ -125,7 +125,7 @@ def _getLatestAddonsDataForVersion(self, apiVersion: str) -> Optional[bytes]:
 		url = _getAddonStoreURL(self._preferredChannel, self._lang, apiVersion)
 		try:
 			log.debug(f"Fetching add-on data from {url}")
-			response = requests.get(url, timeout=FETCH_TIMEOUT_S)
+			response = _fetchUrlAndUpdateRootCertificates(url)
 		except requests.exceptions.RequestException as e:
 			log.debugWarning(f"Unable to fetch addon data: {e}")
 			return None
diff --git a/source/addonStore/network.py b/source/addonStore/network.py
@@ -1,12 +1,13 @@
 # A part of NonVisual Desktop Access (NVDA)
-# Copyright (C) 2022-2024 NV Access Limited
+# Copyright (C) 2022-2025 NV Access Limited
 # This file is covered by the GNU General Public License.
 # See the file COPYING for more details.
 
 from concurrent.futures import (
 	Future,
 	ThreadPoolExecutor,
 )
+import hashlib
 import os
 import pathlib
 import shutil
@@ -18,6 +19,7 @@
 	Optional,
 	Tuple,
 )
+from urllib.parse import urlparse
 
 import requests
 
@@ -28,6 +30,11 @@
 from NVDAState import WritePaths
 import threading
 from utils.security import sha256_checksum
+from utils.networking import (
+	_getCertificate,
+	_is_cert_verification_error,
+	_updateWindowsRootCertificates,
+)
 from config import conf
 
 from .models.addon import (
@@ -216,7 +223,11 @@ def _downloadAddonToPath(
 		# Some add-ons are quite large, so we need to allow for a long download time.
 		# 1GB at 0.5 MB/s takes 4.5hr to download.
 		MAX_ADDON_DOWNLOAD_TIME = 60 * 60 * 6  # 6 hours
-		with requests.get(addonData.model.URL, stream=True, timeout=MAX_ADDON_DOWNLOAD_TIME) as r:
+		with requests.get(
+			addonData.model.URL,
+			stream=True,
+			timeout=MAX_ADDON_DOWNLOAD_TIME,
+		) as r:
 			with open(downloadFilePath, "wb") as fd:
 				# Most add-ons are small. This value was chosen quite arbitrarily, but with the intention to allow
 				# interrupting the download. This is particularly important on a slow connection, to provide
@@ -236,11 +247,56 @@ def _downloadAddonToPath(
 							return False  # The download was cancelled
 		return True
 
-	def _download(self, listItem: "AddonListItemVM[_AddonStoreModel]") -> Optional[os.PathLike]:
-		from gui.message import DisplayableError
+	# Translators: A title for a dialog notifying a user of an add-on download failure.
+	_addonDownloadFailureMessageTitle = pgettext("addonStore", "Add-on download failure")
 
-		# Translators: A title for a dialog notifying a user of an add-on download failure.
-		_addonDownloadFailureMessageTitle = pgettext("addonStore", "Add-on download failure")
+	def _handleCertVerificationError(
+		self,
+		exception: requests.exceptions.SSLError,
+		listItem: "AddonListItemVM[_AddonStoreModel]",
+	) -> os.PathLike | None:
+		import wx
+		from gui.message import messageBox, DisplayableError
+
+		if _is_cert_verification_error(exception):
+			cert = _getCertificate(listItem.model.URL)
+			certFingerprint = hashlib.sha256(cert).hexdigest()
+
+			if (
+				messageBox(
+					message=pgettext(
+						"addonStore",
+						# Translators: A message to the user if an add-on download fails.
+						# url is replaced with the base URL of the add-on download e.g. (github.com).
+						# fingerprint is replaced with the SHA256 fingerprint of the certificate.
+						"The website where you are downloading the add-on from has a certificate that is not trusted. "
+						"Do you want to trust the root certificate for {url}? "
+						"This will allow you to download add-ons from this website in the future. "
+						"Only do this if you trust the website. "
+						"The certificate's SHA256 fingerprint is: {fingerprint}. ",
+					).format(url=urlparse(listItem.model.URL).netloc, fingerprint=certFingerprint),
+					caption=self._addonDownloadFailureMessageTitle,
+					style=wx.OK | wx.CANCEL | wx.CENTRE | wx.ICON_WARNING,
+				)
+				== wx.OK
+			):
+				_updateWindowsRootCertificates(cert)
+				return self._download(listItem)
+			else:
+				return None  # The download was cancelled
+		else:
+			log.debugWarning(f"Unable to download addon file: {exception}")
+			raise DisplayableError(
+				pgettext(
+					"addonStore",
+					# Translators: A message to the user if an add-on download fails
+					"Unable to download add-on: {name}",
+				).format(name=listItem.model.displayName),
+				self._addonDownloadFailureMessageTitle,
+			)
+
+	def _download(self, listItem: "AddonListItemVM[_AddonStoreModel]") -> os.PathLike | None:
+		from gui.message import DisplayableError
 
 		addonData = listItem.model
 		log.debug(f"starting download: {addonData.addonId}")
@@ -257,6 +313,8 @@ def _download(self, listItem: "AddonListItemVM[_AddonStoreModel]") -> Optional[o
 		try:
 			if not self._downloadAddonToPath(listItem, inProgressFilePath):
 				return None  # The download was cancelled
+		except requests.exceptions.SSLError as e:
+			return self._handleCertVerificationError(e, listItem)
 		except requests.exceptions.RequestException as e:
 			log.debugWarning(f"Unable to download addon file: {e}")
 			raise DisplayableError(
@@ -265,7 +323,7 @@ def _download(self, listItem: "AddonListItemVM[_AddonStoreModel]") -> Optional[o
 					# Translators: A message to the user if an add-on download fails
 					"Unable to download add-on: {name}",
 				).format(name=addonData.displayName),
-				_addonDownloadFailureMessageTitle,
+				self._addonDownloadFailureMessageTitle,
 			)
 		except OSError as e:
 			log.debugWarning(f"Unable to save addon file ({inProgressFilePath}): {e}")
@@ -275,7 +333,7 @@ def _download(self, listItem: "AddonListItemVM[_AddonStoreModel]") -> Optional[o
 					# Translators: A message to the user if an add-on download fails
 					"Unable to save add-on as a file: {name}",
 				).format(name=addonData.displayName),
-				_addonDownloadFailureMessageTitle,
+				self._addonDownloadFailureMessageTitle,
 			)
 		if not self._checkChecksum(inProgressFilePath, addonData):
 			with self.DOWNLOAD_LOCK:
@@ -287,7 +345,7 @@ def _download(self, listItem: "AddonListItemVM[_AddonStoreModel]") -> Optional[o
 					# Translators: A message to the user if an add-on download is not safe
 					"Add-on download not safe: checksum failed for {name}",
 				).format(name=addonData.displayName),
-				_addonDownloadFailureMessageTitle,
+				self._addonDownloadFailureMessageTitle,
 			)
 		log.debug(f"Download complete: {inProgressFilePath}")
 		with self.DOWNLOAD_LOCK:
diff --git a/source/core.py b/source/core.py
@@ -32,6 +32,8 @@
 import NVDAState
 from NVDAState import WritePaths
 
+import pip_system_certs.wrapt_requests
+
 if TYPE_CHECKING:
 	import wx
 
@@ -672,6 +674,10 @@ def main():
 	Finally, it starts the wx main loop.
 	"""
 	log.debug("Core starting")
+
+	# Use Windows root certificates for requests rather than certifi.
+	pip_system_certs.wrapt_requests.inject_truststore()
+
 	if NVDAState.isRunningAsSource():
 		# When running as packaged version, DPI awareness is set via the app manifest.
 		from winAPI.dpiAwareness import setDPIAwareness
@@ -694,6 +700,7 @@ def main():
 		WritePaths.configDir = config.getUserDefaultConfigPath(
 			useInstalledPathIfExists=globalVars.appArgs.launcher,
 		)
+
 	# Initialize the config path (make sure it exists)
 	config.initConfigPath()
 	log.info(f"Config dir: {WritePaths.configDir}")
diff --git a/source/utils/networking.py b/source/utils/networking.py
@@ -41,10 +41,9 @@ class _CERT_CHAIN_PARA(ctypes.Structure):
 	)
 
 
-def _updateWindowsRootCertificates(url: str) -> None:
-	"""Updates the Windows root certificates by fetching the latest certificate from the server."""
-	log.debug("Updating Windows root certificates")
-	crypt = ctypes.windll.crypt32
+def _getCertificate(url: str) -> bytes:
+	"""Gets the certificate from the server."""
+	log.debug(f"Getting certificate from: {url}")
 	with requests.get(
 		url,
 		timeout=_FETCH_TIMEOUT_S,
@@ -53,7 +52,13 @@ def _updateWindowsRootCertificates(url: str) -> None:
 		stream=True,
 	) as response:
 		# Get the server certificate.
-		cert = response.raw.connection.sock.getpeercert(True)
+		return response.raw.connection.sock.getpeercert(True)
+
+
+def _updateWindowsRootCertificates(cert: bytes) -> None:
+	"""Adds the certificate to the Windows root certificates."""
+	log.debug("Updating Windows root certificates")
+	crypt = ctypes.windll.crypt32
 	# Convert to a form usable by Windows.
 	certCont = crypt.CertCreateCertificateContext(
 		0x00000001,  # X509_ASN_ENCODING
@@ -87,6 +92,7 @@ def _is_cert_verification_error(exception: requests.exceptions.SSLError) -> bool
 		and exception.__context__.__cause__
 		and exception.__context__.__cause__.__context__
 		and isinstance(exception.__context__.__cause__.__context__, ssl.SSLCertVerificationError)
+		and hasattr(exception.__context__.__cause__.__context__, "reason")
 		and exception.__context__.__cause__.__context__.reason == "CERTIFICATE_VERIFY_FAILED"
 	)
 
@@ -106,7 +112,8 @@ def _fetchUrlAndUpdateRootCertificates(url: str, certFetchUrl: str | None = None
 		if _is_cert_verification_error(e):
 			# #4803: Windows fetches trusted root certificates on demand.
 			# Python doesn't trigger this fetch (PythonIssue:20916), so try it ourselves.
-			_updateWindowsRootCertificates(certFetchUrl or url)
+			cert = _getCertificate(certFetchUrl or url)
+			_updateWindowsRootCertificates(cert)
 			log.debug(f"Retrying fetching data from: {url}")
 			result = requests.get(url, timeout=_FETCH_TIMEOUT_S)
 		else:
diff --git a/user_docs/en/changes.md b/user_docs/en/changes.md
@@ -70,6 +70,7 @@ There have also been a number of other fixes and improvements, including to mous
 * In focus mode in web browsers, it is now possible to review and spell the labels of controls when those labels are specifically provided for accessibility; e.g. via `aria-label` or `aria-labelledby`. (#15159, @jcsteh)
 * It is now possible to review and spell the labels of controls in Google Chrome menus and dialogs. (#11285, @jcsteh)
 * When typing into a cell in Microsoft Excel, the braille display is now correctly updated to show the new content. (#18391)
+* Fixed bug when trying to access the Add-on Store from certain environments such as corporates. (#18354)
 * Fixed bug where NLS eReader Zoomax driver did not work with all devices. (#18406, @florin-trutiu)
 
 ### Changes for Developers
diff --git a/uv.lock b/uv.lock
