Remove fingerprint and verify_fingerprint from Connection

The fingerprint will change from time to time and hard-coding it in this
library we cannot forcibly deploy (unlike e.g. the Threema apps) is a
surprising footgun since your services may suddenly fail (when Threema changes
the fingerprint). As pointed out in #17, hard-coding the fingerprint (over the
public key) is also undesirable. Furthermore, we want users to use their
custom `aiohttp.ClientSession` instance. Therefore, we have decided to remove
it. If you want to retain this feature, all you have to do is provide your own
`aiohttp.ClientSession` in the following way:

    Connection(session=aiohttp.ClientSession(
        connector=aiohttp.TCPConnector(ssl=<fingerprint>)))

See the aiohttp docs for details.

Closes #17
Resolves #13 (by providing your own `SSLContext`)

Author: lgrahl

examples/e2e.py

@@ -136,7 +136,6 @@ async def main():
         identity='*YOUR_GATEWAY_THREEMA_ID',
         secret='YOUR_GATEWAY_THREEMA_ID_SECRET',
         key='private:YOUR_PRIVATE_KEY',
-        verify_fingerprint=True,
     )
     try:
         async with connection:

examples/e2e_blocking.py

@@ -134,7 +134,6 @@ def main():
         identity='*YOUR_GATEWAY_THREEMA_ID',
         secret='YOUR_GATEWAY_THREEMA_ID_SECRET',
         key='private:YOUR_PRIVATE_KEY',
-        verify_fingerprint=True,
         blocking=True,
     )
     try:

examples/lookup.py

@@ -19,7 +19,6 @@ async def main():
     connection = Connection(
         identity='*YOUR_GATEWAY_THREEMA_ID',
         secret='YOUR_GATEWAY_THREEMA_ID_SECRET',
-        verify_fingerprint=True,
     )
     try:
         async with connection:

examples/lookup_blocking.py

@@ -17,7 +17,6 @@ def main():
     connection = Connection(
         identity='*YOUR_GATEWAY_THREEMA_ID',
         secret='YOUR_GATEWAY_THREEMA_ID_SECRET',
-        verify_fingerprint=True,
         blocking=True,
     )
     try:

examples/simple.py

@@ -55,7 +55,6 @@ async def main():
     connection = Connection(
         identity='*YOUR_GATEWAY_THREEMA_ID',
         secret='YOUR_GATEWAY_THREEMA_ID_SECRET',
-        verify_fingerprint=True,
     )
     try:
         async with connection:

examples/simple_blocking.py

@@ -53,7 +53,6 @@ def main():
     connection = Connection(
         identity='*YOUR_GATEWAY_THREEMA_ID',
         secret='YOUR_GATEWAY_THREEMA_ID_SECRET',
-        verify_fingerprint=True,
         blocking=True,
     )
     try:

threema/gateway/_gateway.py

@@ -1,4 +1,3 @@
-import binascii
 import enum
 
 import aiohttp
@@ -69,14 +68,9 @@ class Connection(AioRunMixin):
           end-to-end mode.
         - `key_file`: A file where the private key is stored
           in. Can be used instead of passing the key directly.
-        - `fingerprint`: A binary fingerprint of an DER-encoded TLS
-          certificate. Will fall back to a stored fingerprint which will
-          be invalid as soon as the certificate expires.
-        - `verify_fingerprint`: Set to `True` if you want to verify the
-          TLS certificate of the Threema Gateway Server by a
-          fingerprint. (Recommended)
         - `blocking`: Whether to use a blocking API, without the need
           for an explicit event loop.
+        - `session`: An optional :class:`aiohttp.ClientSession`.
     """
     async_functions = {
         '__exit__',
@@ -89,8 +83,6 @@ class Connection(AioRunMixin):
         'upload',
         'download',
     }
-    fingerprint = binascii.unhexlify(
-        b'42b1038e72f00c8c4dad78a3ebdc6d7a50c5ef288da9019b9171e4d675c08a17')
     urls = {
         'get_public_key': 'https://msgapi.threema.ch/pubkeys/{}',
         'get_id_by_phone': 'https://msgapi.threema.ch/lookup/phone/{}',
@@ -108,15 +100,10 @@ class Connection(AioRunMixin):
     def __init__(
             self, identity, secret,
             key=None, key_file=None,
-            fingerprint=None, verify_fingerprint=False, blocking=False,
+            blocking=False, session=None,
     ):
         super().__init__(blocking=blocking)
-        if fingerprint is None and verify_fingerprint:
-            fingerprint = self.fingerprint
-        if fingerprint is not None:
-            fingerprint = aiohttp.Fingerprint(fingerprint)
-        connector = aiohttp.TCPConnector(ssl=fingerprint)
-        self._session = aiohttp.ClientSession(connector=connector)
+        self._session = session if session is not None else aiohttp.ClientSession()
         self._key = None
         self._key_file = None
         self.id = identity

threema/gateway/bin/gateway_client.py

@@ -5,7 +5,6 @@
 import os
 import re
 
-import aiohttp
 import click
 import logbook
 import logbook.more
@@ -60,11 +59,8 @@ async def get_public_key(self, _):
 @click.option('-v', '--verbosity', type=click.IntRange(0, len(_logging_levels)),
               default=0, help="Logging verbosity.")
 @click.option('-c', '--colored', is_flag=True, help='Colourise logging output.')
-@click.option('-vf', '--verify-fingerprint', is_flag=True,
-              help='Verify the certificate fingerprint.')
-@click.option('--fingerprint', type=str, help='A hex-encoded fingerprint.')
 @click.pass_context
-def cli(ctx, verbosity, colored, verify_fingerprint, fingerprint):
+def cli(ctx, verbosity, colored):
     """
     Command Line Interface. Use --help for details.
     """
@@ -84,15 +80,8 @@ def cli(ctx, verbosity, colored, verify_fingerprint, fingerprint):
         global _logging_handler
         _logging_handler = handler
 
-    # Fingerprint
-    if fingerprint is not None:
-        fingerprint = binascii.unhexlify(fingerprint)
-
     # Store on context
-    ctx.obj = {
-        'verify_fingerprint': verify_fingerprint,
-        'fingerprint': fingerprint
-    }
+    ctx.obj = {}
 
 
 @cli.command(short_help='Show version information.', help="""
@@ -516,8 +505,6 @@ def main():
     exc = None
     try:
         cli()
-    except aiohttp.client_exceptions.ServerFingerprintMismatch:
-        error = 'Fingerprints did not match!'
     except Exception as exc_:
         error = str(exc_)
         exc = exc_