Beispiel #1
 def test_catchesMissingKey(self, tmpdir):
     """
     A PEM file that holds only certificates and no private key is
     rejected with a ValueError.
     """
     pytest.importorskip('twisted')
     certs_only = tmpdir.join('cert_and_chain.pem')
     certs_only.write(''.join(CERT_PEMS))
     bundle_path = str(certs_only)
     with pytest.raises(ValueError):
         pem.certificateOptionsFromFiles(bundle_path)
Beispiel #2
 def test_catchesMissingCertificate(self, tmpdir):
     """
     A PEM file that holds only a private key and no certificate is
     rejected with a ValueError.
     """
     pytest.importorskip('twisted')
     key_only = tmpdir.join('key.pem')
     key_only.write(KEY_PEM)
     key_path = str(key_only)
     with pytest.raises(ValueError):
         pem.certificateOptionsFromFiles(key_path)
Beispiel #3
 def test_catchesMultipleKeys(self, tmpdir):
     """
     A PEM bundle containing two private keys is ambiguous and is
     rejected with a ValueError.
     """
     pytest.importorskip('twisted')
     bundle = tmpdir.join('key_cert_and_chain.pem')
     # First key, then the certificates, then a second key.
     contents = KEY_PEM + ''.join(CERT_PEMS) + KEY_PEM2
     bundle.write(contents)
     bundle_path = str(bundle)
     with pytest.raises(ValueError):
         pem.certificateOptionsFromFiles(bundle_path)
Beispiel #4
 def test_catchesMissingCertificate(self, tmpdir):
     """
     Loading a file with a private key but without any certificate
     raises ValueError.
     """
     pytest.importorskip('twisted')
     lonely_key = tmpdir.join('key.pem')
     lonely_key.write(KEY_PEM)
     pem_path = str(lonely_key)
     with pytest.raises(ValueError):
         pem.certificateOptionsFromFiles(pem_path)
Beispiel #5
 def test_catchesMultipleKeys(self, tmpdir):
     """
     Loading a file that carries more than one private key raises
     ValueError.
     """
     pytest.importorskip('twisted')
     combined = tmpdir.join('key_cert_and_chain.pem')
     # Layout written: KEY_PEM, every entry of CERT_PEMS, then KEY_PEM2.
     payload = KEY_PEM + ''.join(CERT_PEMS) + KEY_PEM2
     combined.write(payload)
     pem_path = str(combined)
     with pytest.raises(ValueError):
         pem.certificateOptionsFromFiles(pem_path)
Beispiel #6
 def test_catchesMissingKey(self, tmpdir):
     """
     Loading a file with certificates but without a private key raises
     ValueError.
     """
     pytest.importorskip('twisted')
     chain_file = tmpdir.join('cert_and_chain.pem')
     chain_file.write(''.join(CERT_PEMS))
     pem_path = str(chain_file)
     with pytest.raises(ValueError):
         pem.certificateOptionsFromFiles(pem_path)
Beispiel #7
 def test_certificateOptionsFromFiles(self, monkeypatch, recwarn):
     """
     The deprecated pem.certificateOptionsFromFiles forwards its positional
     and keyword arguments unchanged to the original implementation and
     emits a DeprecationWarning whose message names the function.
     """
     recorder = call_recorder(lambda *args, **kwargs: None)
     monkeypatch.setattr(pem, "certificateOptionsFromFilesOriginal", recorder)
     pem.certificateOptionsFromFiles("foo", bar="baz")
     expected_calls = [call("foo", bar="baz")]
     assert expected_calls == recorder.calls
     warning = recwarn.pop(DeprecationWarning)
     warning_text = str(warning.message)
     assert "certificateOptionsFromFiles" in warning_text
Beispiel #8
 def test_certificateOptionsFromFiles(self, monkeypatch, recwarn):
     """
     Calling pem.certificateOptionsFromFiles delegates to
     certificateOptionsFromFilesOriginal with identical arguments and
     records a DeprecationWarning that mentions the deprecated name.
     """
     spy = call_recorder(lambda *args, **kwargs: None)
     monkeypatch.setattr(pem, "certificateOptionsFromFilesOriginal", spy)
     pem.certificateOptionsFromFiles("foo", bar="baz")
     assert [call("foo", bar="baz")] == spy.calls
     deprecation = recwarn.pop(DeprecationWarning)
     message = str(deprecation.message)
     assert "certificateOptionsFromFiles" in message
Beispiel #9
 def test_catchesKeyCertificateMismatch(self, tmpdir):
     """
     When the PEM holds certificates but none of them belongs to the
     private key, a ValueError naming the key's hash is raised.
     """
     pytest.importorskip('twisted')
     mismatched = tmpdir.join('key.pem')
     # CERT_PEMS[1:] leaves out the first certificate of the fixture list.
     mismatched.write(KEY_PEM + "".join(CERT_PEMS[1:]))
     pem_path = str(mismatched)
     with pytest.raises(ValueError) as excinfo:
         pem.certificateOptionsFromFiles(pem_path)
     expected_message = "No certificate matching " + KEY_PEM_HASH + " found."
     assert str(excinfo.value) == expected_message
Beispiel #10
 def test_catchesKeyCertificateMismatch(self, tmpdir):
     """
     A key accompanied only by certificates that do not match it is
     refused: ValueError is raised and its text carries the key hash.
     """
     pytest.importorskip('twisted')
     pem_file = tmpdir.join('key.pem')
     # Only the certificates after the first fixture entry are written.
     other_certs = "".join(CERT_PEMS[1:])
     pem_file.write(KEY_PEM + other_certs)
     with pytest.raises(ValueError) as excinfo:
         pem.certificateOptionsFromFiles(str(pem_file))
     actual_message = str(excinfo.value)
     assert actual_message == ("No certificate matching "
                               + KEY_PEM_HASH + " found.")
Beispiel #11
    def test_certificateOptionsFromFiles(self, tmpdir, recwarn):
        """
        Calling the deprecated pem.certificateOptionsFromFiles with a key
        file and a certificate file emits a DeprecationWarning naming it.
        """
        key_path = tmpdir.join("key.pem")
        key_path.write(KEY_PEM)
        cert_path = tmpdir.join("cert.pem")
        cert_path.write(CERT_PEMS[0])
        pem_args = (str(key_path), str(cert_path))

        with pytest.warns(DeprecationWarning) as caught:
            pem.certificateOptionsFromFiles(*pem_args)

            # Checked while the recorder is still active, as before.
            first_message = str(caught[0].message)
            assert "certificateOptionsFromFiles" in first_message
Beispiel #12
    def test_certificateOptionsFromFiles(self, tmpdir, recwarn):
        """
        pem.certificateOptionsFromFiles is deprecated: using it with a
        separate key and certificate file triggers a DeprecationWarning.
        """
        private_key = tmpdir.join("key.pem")
        private_key.write(KEY_PEM)
        leaf_cert = tmpdir.join("cert.pem")
        leaf_cert.write(CERT_PEMS[0])

        with pytest.warns(DeprecationWarning) as recorded:
            pem.certificateOptionsFromFiles(str(private_key), str(leaf_cert))

            # The first recorded warning must mention the deprecated name.
            text = str(recorded[0].message)
            assert "certificateOptionsFromFiles" in text
Beispiel #13
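def createSSLContext_(**kwargs):
    """
    Build the TLS context factory for a `tls:` endpoint from keyword options.

    Options read from ``kwargs``:

    - ``privateKey``: PEM file with the private key (required).
    - ``certKey``: PEM file with the certificate; defaults to the
      ``privateKey`` file.
    - ``extraCertChain``: optional further PEM file handed to
      ``pem.certificateOptionsFromFiles``.
    - ``authorities``: optional PEM file; when given, its certificates are
      forwarded as ``caCerts`` together with ``verify=True``.
    - ``dhParameters``: optional argument for
      ``pem.DiffieHellmanParameters.fromFile``.
    - ``sslmethod``: optional ``+``-separated list of option names applied
      to the context.

    Returns:
        A ``(verify_client, ctxFactory)`` tuple.

    Raises:
        AssertionError: if ``privateKey`` is missing.
        ValueError: if an ``sslmethod`` entry is not an ``OP_*`` integer
            constant of the ``SSL`` module.
    """
    privateKey = kwargs.get('privateKey')
    if privateKey is None:
        # Raised explicitly (same type and message as the former `assert`)
        # so the check is not stripped when Python runs with -O.
        raise AssertionError('`tls:` endpoint requires `privateKey` option.')
    certKey = kwargs.get('certKey', privateKey)
    extraCertChain = kwargs.get('extraCertChain')
    sslmethod = kwargs.get('sslmethod')
    dhParameters = kwargs.get('dhParameters')
    authorities_file = kwargs.get('authorities')
    # Peer verification is switched on purely by the presence of a CA file.
    verify_client = authorities_file is not None

    pem_files = [privateKey, certKey]
    if extraCertChain is not None:
        pem_files.append(extraCertChain)

    kwds = {'method': SSL.SSLv23_METHOD}
    if verify_client:
        kwds['caCerts'] = [
            pem_cert_to_x509(cert) for cert in pem.parse_file(authorities_file)
        ]
        kwds['verify'] = verify_client
    if dhParameters is not None:
        kwds['dhParameters'] = pem.DiffieHellmanParameters.fromFile(
            dhParameters)

    ctxFactory = pem.certificateOptionsFromFiles(*pem_files, **kwds)
    # NOTE(review): the options below are set on the context returned by
    # getContext(); they only reach connections if the factory keeps handing
    # out that same context object - confirm for the Twisted version in use.
    ssl_context = ctxFactory.getContext()
    # SSLv23_METHOD negotiates the protocol version, so the obsolete SSLv2
    # and SSLv3 are both masked out (setting a flag twice is harmless if the
    # factory already did so).
    ssl_context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
    if sslmethod is not None:
        for opt_name in sslmethod.split('+'):
            opt_name = opt_name.strip()
            # set_options() needs an integer flag; the raw string used to be
            # passed straight through. Assumes the entries are pyOpenSSL
            # OP_* constant names - TODO confirm against the endpoint docs.
            opt_flag = None
            if opt_name.startswith('OP_'):
                opt_flag = getattr(SSL, opt_name, None)
            if not isinstance(opt_flag, int):
                raise ValueError(
                    'Unknown `sslmethod` option: %r' % (opt_name,))
            ssl_context.set_options(opt_flag)
    return (verify_client, ctxFactory)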
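def createSSLContext_(**kwargs):
    """
    Create the context factory used by a `tls:` endpoint.

    Keyword options:

    - ``privateKey`` (required): PEM file containing the private key.
    - ``certKey``: PEM file containing the certificate; falls back to the
      ``privateKey`` file.
    - ``extraCertChain``: optional additional PEM file passed on to
      ``pem.certificateOptionsFromFiles``.
    - ``authorities``: optional PEM file; if present its certificates become
      ``caCerts`` and ``verify=True`` is requested.
    - ``dhParameters``: optional argument given to
      ``pem.DiffieHellmanParameters.fromFile``.
    - ``sslmethod``: optional ``+``-separated option names to set on the
      context.

    Returns:
        ``(verify_client, ctxFactory)``.

    Raises:
        AssertionError: when ``privateKey`` is not supplied.
        ValueError: when an ``sslmethod`` entry does not name an ``OP_*``
            integer constant of the ``SSL`` module.
    """
    privateKey = kwargs.get('privateKey')
    if privateKey is None:
        # An explicit raise keeps the former `assert`'s exception type and
        # message but still runs under `python -O`.
        raise AssertionError('`tls:` endpoint requires `privateKey` option.')
    certKey = kwargs.get('certKey', privateKey)
    extraCertChain = kwargs.get('extraCertChain')
    sslmethod = kwargs.get('sslmethod')
    dhParameters = kwargs.get('dhParameters')
    authorities_file = kwargs.get('authorities')
    # Supplying a CA file is what enables peer verification.
    verify_client = authorities_file is not None

    pem_files = [privateKey, certKey]
    if extraCertChain is not None:
        pem_files.append(extraCertChain)

    kwds = {'method': SSL.SSLv23_METHOD}
    if verify_client:
        authorities = [pem_cert_to_x509(cert)
                       for cert in pem.parse_file(authorities_file)]
        kwds['caCerts'] = authorities
        kwds['verify'] = verify_client
    if dhParameters is not None:
        kwds['dhParameters'] = pem.DiffieHellmanParameters.fromFile(dhParameters)

    ctxFactory = pem.certificateOptionsFromFiles(*pem_files, **kwds)
    # NOTE(review): options are applied to the object getContext() returns;
    # this presumes the factory reuses that context for connections -
    # verify against the Twisted version in use.
    ssl_context = ctxFactory.getContext()
    # With the version-negotiating SSLv23_METHOD, exclude SSLv3 as well as
    # SSLv2; repeating a flag the factory already set has no effect.
    ssl_context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
    if sslmethod is not None:
        for raw_name in sslmethod.split('+'):
            name = raw_name.strip()
            # The string itself used to be handed to set_options(), which
            # expects an integer flag. Presumably entries are pyOpenSSL
            # OP_* constant names - confirm with the endpoint documentation.
            flag = getattr(SSL, name, None) if name.startswith('OP_') else None
            if not isinstance(flag, int):
                raise ValueError('Unknown `sslmethod` option: %r' % (name,))
            ssl_context.set_options(flag)
    return (verify_client, ctxFactory)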
Beispiel #15
 def test_forwardsKWargs(self, allFile):
     """
     Extra keyword arguments are forwarded to the resulting context factory.

     SSLv2_METHOD serves only as a recognisable marker value here; it is
     not a protocol setting to deploy.
     """
     pytest.importorskip('twisted')
     openssl_ssl = pytest.importorskip('OpenSSL.SSL')
     factory = pem.certificateOptionsFromFiles(
         str(allFile), method=openssl_ssl.SSLv2_METHOD)
     assert openssl_ssl.SSLv2_METHOD == factory.method
Beispiel #16
 def test_forwardsKWargs(self, allFile):
     """
     A ``method`` keyword given to pem.certificateOptionsFromFiles ends up
     on the returned factory.

     The SSLv2_METHOD constant is just a distinguishable test value, not a
     recommended configuration.
     """
     pytest.importorskip('twisted')
     SSL_mod = pytest.importorskip('OpenSSL.SSL')
     extra = {'method': SSL_mod.SSLv2_METHOD}
     ctx_factory = pem.certificateOptionsFromFiles(str(allFile), **extra)
     assert SSL_mod.SSLv2_METHOD == ctx_factory.method
Beispiel #17
 def test_passesCertsInCorrectFormat(self, allFile):
     """
     The factory receives pyOpenSSL objects: a PKey for the private key and
     X509 instances for the certificate and every chain entry.
     """
     pytest.importorskip('twisted')
     crypto = pytest.importorskip('OpenSSL.crypto')
     factory = pem.certificateOptionsFromFiles(str(allFile))
     assert isinstance(factory.privateKey, crypto.PKey)
     assert isinstance(factory.certificate, crypto.X509)
     chain_types_ok = all(
         isinstance(entry, crypto.X509) for entry in factory.extraCertChain
     )
     assert chain_types_ok
Beispiel #18
 def test_passesCertsInCorrectFormat(self, allFile):
     """
     Key and certificates are converted to pyOpenSSL types before they are
     stored on the factory (PKey for the key, X509 for certificates).
     """
     pytest.importorskip('twisted')
     openssl_crypto = pytest.importorskip('OpenSSL.crypto')
     ctx_factory = pem.certificateOptionsFromFiles(str(allFile))
     x509_type = openssl_crypto.X509
     assert isinstance(ctx_factory.privateKey, openssl_crypto.PKey)
     assert isinstance(ctx_factory.certificate, x509_type)
     assert all(isinstance(link, x509_type)
                for link in ctx_factory.extraCertChain)
Beispiel #19
    def _getCtxFactory(self):
        """
        Build the context factory from paths found in ``self._environ``.

        ``DH_PARAMETERS_PATH`` is loaded as Diffie-Hellman parameters and
        ``CERTIFICATE_PATH`` is the only PEM file passed to
        ``certificateOptionsFromFiles``.
        """
        # NOTE(review): presumably the file at CERTIFICATE_PATH bundles the
        # private key with the certificate(s), since no other PEM file is
        # passed - confirm, and keep that file readable only by the service.
        dh_path = FilePath(self._environ["DH_PARAMETERS_PATH"])
        dh_params = DiffieHellmanParameters.fromFile(dh_path)
        pem_path = self._environ["CERTIFICATE_PATH"]
        return certificateOptionsFromFiles(pem_path, dhParameters=dh_params)
Beispiel #20
 def test_worksWithChainInSameFile(self, tmpdir):
     """
     With the key in one file and the certificate plus its chain in
     another, two certificates end up in ``extraCertChain``.
     """
     pytest.importorskip('twisted')
     key_path = tmpdir.join('key.pem')
     key_path.write(KEY_PEM)
     chain_path = tmpdir.join('cert_and_chain.pem')
     chain_path.write(''.join(CERT_PEMS))
     pem_paths = [str(key_path), str(chain_path)]
     factory = pem.certificateOptionsFromFiles(*pem_paths)
     assert 2 == len(factory.extraCertChain)
Beispiel #21
 def test_worksWithoutChain(self, tmpdir):
     """
     A key file plus a file with a single certificate yields a factory
     whose ``extraCertChain`` is an empty list.
     """
     pytest.importorskip('twisted')
     key_path = tmpdir.join('key.pem')
     key_path.write(KEY_PEM)
     cert_path = tmpdir.join('cert.pem')
     cert_path.write(CERT_PEMS[0])
     pem_paths = [str(key_path), str(cert_path)]
     factory = pem.certificateOptionsFromFiles(*pem_paths)
     assert [] == factory.extraCertChain
Beispiel #22
 def test_worksWithoutChain(self, tmpdir):
     """
     When only the key and one certificate are supplied, no chain
     certificates are reported (``extraCertChain == []``).
     """
     pytest.importorskip('twisted')
     private_key = tmpdir.join('key.pem')
     private_key.write(KEY_PEM)
     single_cert = tmpdir.join('cert.pem')
     single_cert.write(CERT_PEMS[0])
     ctx_factory = pem.certificateOptionsFromFiles(str(private_key),
                                                   str(single_cert))
     chain = ctx_factory.extraCertChain
     assert [] == chain
Beispiel #23
 def test_worksWithChainInSameFile(self, tmpdir):
     """
     The chain may live in the same file as the certificate: loading the
     key file and that file gives two ``extraCertChain`` entries.
     """
     pytest.importorskip('twisted')
     private_key = tmpdir.join('key.pem')
     private_key.write(KEY_PEM)
     cert_bundle = tmpdir.join('cert_and_chain.pem')
     cert_bundle.write(''.join(CERT_PEMS))
     ctx_factory = pem.certificateOptionsFromFiles(str(private_key),
                                                   str(cert_bundle))
     chain_length = len(ctx_factory.extraCertChain)
     assert 2 == chain_length
Beispiel #24
 def test_useTypesNotOrdering(self, tmpdir):
     """
     L{pem.certificateOptionsFromFiles} sorts PEM objects into chain, key
     and certificate for Twisted's L{CertificateOptions} by their types and
     certificate fingerprints; the order inside the file does not matter.
     """
     pytest.importorskip('twisted')
     key_path = tmpdir.join('key.pem')
     key_path.write(KEY_PEM)
     chain_path = tmpdir.join('cert_and_chain.pem')
     # Certificates are written in reverse fixture order on purpose.
     reversed_certs = ''.join(reversed(CERT_PEMS))
     chain_path.write(reversed_certs)
     pem_paths = [str(key_path), str(chain_path)]
     factory = pem.certificateOptionsFromFiles(*pem_paths)
     assert 2 == len(factory.extraCertChain)
Beispiel #25
 def test_useTypesNotOrdering(self, tmpdir):
     """
     Chain, key and certificate are told apart by L{pem.certificateOptionsFromFiles}
     through their types and certificate fingerprints when it builds
     Twisted's L{CertificateOptions}, not through their file position.
     """
     pytest.importorskip('twisted')
     private_key = tmpdir.join('key.pem')
     private_key.write(KEY_PEM)
     cert_bundle = tmpdir.join('cert_and_chain.pem')
     # Reverse the fixture order before writing the certificates.
     cert_bundle.write(''.join(reversed(CERT_PEMS)))
     ctx_factory = pem.certificateOptionsFromFiles(str(private_key),
                                                   str(cert_bundle))
     chain_length = len(ctx_factory.extraCertChain)
     assert 2 == chain_length
Beispiel #26
    def test_realDHParameterSupport(self, monkeypatch, allFile):
        """
        When pem reports DH parameter support, the parameters reach
        CertificateOptions as the ``dhParameters`` keyword and the factory
        it returns is handed back unchanged.
        """
        twisted_ssl = pytest.importorskip('twisted.internet.ssl')

        stub_factory = object()
        options_spy = call_recorder(lambda *args, **kwargs: stub_factory)
        monkeypatch.setattr(twisted_ssl, "CertificateOptions", options_spy)
        monkeypatch.setattr(pem, "_DH_PARAMETERS_SUPPORTED", True)

        stub_params = object()
        result = pem.certificateOptionsFromFiles(
            str(allFile), dhParameters=stub_params)

        assert result is stub_factory
        first_call = options_spy.calls[0]
        assert first_call.kwargs["dhParameters"] == stub_params
Beispiel #27
    def test_fakeDHParameterSupport(self, monkeypatch, allFile):
        """
        Without DH parameter support in Twisted, ``dhParameters`` is kept
        away from CertificateOptions and the result is a
        pem._DHParamContextFactory wrapping the real factory.
        """
        twisted_ssl = pytest.importorskip('twisted.internet.ssl')

        stub_factory = object()
        options_spy = call_recorder(lambda *args, **kwargs: stub_factory)
        monkeypatch.setattr(twisted_ssl, "CertificateOptions", options_spy)
        monkeypatch.setattr(pem, "_DH_PARAMETERS_SUPPORTED", False)

        stub_params = object()
        result = pem.certificateOptionsFromFiles(
            str(allFile), dhParameters=stub_params)

        assert isinstance(result, pem._DHParamContextFactory)
        assert result.ctxFactory is stub_factory
        forwarded_kwargs = options_spy.calls[0].kwargs
        assert "dhParameters" not in forwarded_kwargs
Beispiel #28
    def test_realDHParameterSupport(self, monkeypatch, allFile):
        """
        If the installed Twisted supports it, DH parameters are passed
        straight through to CertificateOptions and its return value is
        returned as the context factory.
        """
        ssl_module = pytest.importorskip('twisted.internet.ssl')

        sentinel_factory = object()
        spy = call_recorder(lambda *args, **kwargs: sentinel_factory)
        monkeypatch.setattr(ssl_module, "CertificateOptions", spy)
        monkeypatch.setattr(pem, "_DH_PARAMETERS_SUPPORTED", True)

        sentinel_params = object()
        pem_path = str(allFile)
        returned = pem.certificateOptionsFromFiles(
            pem_path, dhParameters=sentinel_params)

        assert returned is sentinel_factory
        passed_kwargs = spy.calls[0].kwargs
        assert passed_kwargs["dhParameters"] == sentinel_params
Beispiel #29
    def test_fakeDHParameterSupport(self, monkeypatch, allFile):
        """
        If Twisted lacks DH parameter support, pem emulates it: the
        keyword is not forwarded to CertificateOptions and the real factory
        is wrapped in a pem._DHParamContextFactory.
        """
        ssl_module = pytest.importorskip('twisted.internet.ssl')

        sentinel_factory = object()
        spy = call_recorder(lambda *args, **kwargs: sentinel_factory)
        monkeypatch.setattr(ssl_module, "CertificateOptions", spy)
        monkeypatch.setattr(pem, "_DH_PARAMETERS_SUPPORTED", False)

        sentinel_params = object()
        pem_path = str(allFile)
        returned = pem.certificateOptionsFromFiles(
            pem_path, dhParameters=sentinel_params)

        assert isinstance(returned, pem._DHParamContextFactory)
        assert returned.ctxFactory is sentinel_factory
        assert "dhParameters" not in spy.calls[0].kwargs
Beispiel #30
 def test_worksWithEverythingInOneFile(self, allFile):
     """
     A single PEM file given by the ``allFile`` fixture loads successfully
     and produces two ``extraCertChain`` entries.
     """
     pytest.importorskip('twisted')
     pem_path = str(allFile)
     factory = pem.certificateOptionsFromFiles(pem_path)
     chain_length = len(factory.extraCertChain)
     assert 2 == chain_length
Beispiel #31
 def test_worksWithEverythingInOneFile(self, allFile):
     """
     Loading only the ``allFile`` fixture's PEM file works and leaves two
     certificates in ``extraCertChain``.
     """
     pytest.importorskip('twisted')
     ctx_factory = pem.certificateOptionsFromFiles(str(allFile))
     extra_chain = ctx_factory.extraCertChain
     assert 2 == len(extra_chain)