def handleArgs(argv, argString, flagsList=[]): # Convert to getopt argstring format: # Add ":" after each arg, ie "abc" -> "a:b:c:" getOptArgString = ":".join(argString) + ":" try: opts, argv = getopt.getopt(argv, getOptArgString, flagsList) except getopt.GetoptError as e: printError(e) # Default values if arg not present privateKey = None certChain = None username = None password = None tack = None breakSigs = None verifierDB = None reqCert = False directory = None for opt, arg in opts: if opt == "-k": s = open(arg, "rb").read() privateKey = parsePEMKey(s, private=True) elif opt == "-c": s = open(arg, "rb").read() x509 = X509() x509.parse(s) certChain = X509CertChain([x509]) elif opt == "-u": username = arg elif opt == "-p": password = arg elif opt == "-t": if tackpyLoaded: s = open(arg, "rU").read() tack = TACK() tack.parsePem(s) elif opt == "-b": if tackpyLoaded: s = open(arg, "rU").read() breakSigs = TACK_Break_Sig.parsePemList(s) elif opt == "-v": verifierDB = VerifierDB(arg) verifierDB.open() elif opt == "-d": directory = arg elif opt == "--reqcert": reqCert = True else: assert(False) if not argv: printError("Missing address") if len(argv)>1: printError("Too many arguments") #Split address into hostname/port tuple address = argv[0] address = address.split(":") if len(address) != 2: raise SyntaxError("Must specify <host>:<port>") address = ( address[0], int(address[1]) ) # Populate the return list retList = [address] if "k" in argString: retList.append(privateKey) if "c" in argString: retList.append(certChain) if "u" in argString: retList.append(username) if "p" in argString: retList.append(password) if "t" in argString: retList.append(tack) if "b" in argString: retList.append(breakSigs) if "v" in argString: retList.append(verifierDB) if "d" in argString: retList.append(directory) if "reqcert" in flagsList: retList.append(reqCert) return retList
def serverTestCmd(argv): address = argv[0] dir = argv[1] #Split address into hostname/port tuple address = address.split(":") address = ( address[0], int(address[1]) ) #Connect to server lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) lsock.bind(address) lsock.listen(5) def connect(): return TLSConnection(lsock.accept()[0]) print "Test 0 - Anonymous server handshake" connection = connect() connection.handshakeServer(anon=True) testConnServer(connection) connection.close() print "Test 1 - good X.509" x509Cert = X509().parse(open(os.path.join(dir, "serverX509Cert.pem")).read()) x509Chain = X509CertChain([x509Cert]) s = open(os.path.join(dir, "serverX509Key.pem")).read() x509Key = parsePEMKey(s, private=True) connection = connect() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key) testConnServer(connection) connection.close() print "Test 1.a - good X.509, SSL v3" connection = connect() settings = HandshakeSettings() settings.minVersion = (3,0) settings.maxVersion = (3,0) connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings) testConnServer(connection) connection.close() if tackpyLoaded: # TACK1 and TACK2 are both "good" TACKs, one targetting, the key, # one the hash tack1 = TACK() tack1.parsePem(open("./TACK1.pem", "rU").read()) tack2 = TACK() tack2.parsePem(open("./TACK2.pem", "rU").read()) tackUnrelated = TACK() tackUnrelated.parsePem(open("./TACKunrelated.pem", "rU").read()) breakSigs = TACK_Break_Sig.parsePemList( open("./TACK_Break_Sigs.pem").read()) breakSigsActual = TACK_Break_Sig.parsePemList( open("./TACK_Break_Sigs_TACK1.pem").read()) print "Test 2.a - good X.509, good TACK" connection = connect() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, tack=tack1, breakSigs=breakSigs) testConnServer(connection) connection.close() print "Test 2.b - good X.509, \"wrong\" TACK" connection = connect() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, tack=tack1) connection.close() print "Test 2.c - good X.509, \"wrong\" TACK but break signature (hardTack)" connection = connect() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, tack=tack2, breakSigs=breakSigsActual) print "Test 2.d - good X.509, \"wrong\" TACK but break signature (not hardTack)" connection = connect() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, tack=tack2, breakSigs=breakSigsActual) testConnServer(connection) connection.close() print "Test 2.e - good X.509, TACK unrelated to cert chain" connection = connect() try: connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, tack=tackUnrelated) except TLSRemoteAlert as alert: assert(alert.description == AlertDescription.handshake_failure) print "Test 2.f - good X.509, no TACK but expected" connection = connect() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key) connection.close() print "Test 3 - good SRP" verifierDB = VerifierDB() verifierDB.create() entry = VerifierDB.makeVerifier("test", "password", 1536) verifierDB["test"] = entry connection = connect() connection.handshakeServer(verifierDB=verifierDB) testConnServer(connection) connection.close() print "Test 4 - SRP faults" for fault in Fault.clientSrpFaults + Fault.genericFaults: connection = connect() connection.fault = fault try: connection.handshakeServer(verifierDB=verifierDB) assert() except: pass connection.close() print "Test 6 - good SRP: with X.509 cert" connection = connect() connection.handshakeServer(verifierDB=verifierDB, \ certChain=x509Chain, privateKey=x509Key) testConnServer(connection) connection.close() print "Test 7 - X.509 with SRP faults" for fault in Fault.clientSrpFaults + Fault.genericFaults: connection = connect() connection.fault = fault try: connection.handshakeServer(verifierDB=verifierDB, \ certChain=x509Chain, privateKey=x509Key) assert() except: pass connection.close() print "Test 11 - X.509 faults" for fault in Fault.clientNoAuthFaults + Fault.genericFaults: connection = connect() connection.fault = fault try: connection.handshakeServer(certChain=x509Chain, privateKey=x509Key) assert() except: pass connection.close() print "Test 14 - good mutual X.509" connection = connect() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True) testConnServer(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) connection.close() print "Test 14a - good mutual X.509, SSLv3" connection = connect() settings = HandshakeSettings() settings.minVersion = (3,0) settings.maxVersion = (3,0) connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True, settings=settings) testConnServer(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) connection.close() print "Test 15 - mutual X.509 faults" for fault in Fault.clientCertFaults + Fault.genericFaults: connection = connect() connection.fault = fault try: connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True) assert() except: pass connection.close() print "Test 18 - good SRP, prepare to resume" sessionCache = SessionCache() connection = connect() connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache) testConnServer(connection) connection.close() print "Test 19 - resumption" connection = connect() connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache) testConnServer(connection) #Don't close! -- see next test print "Test 20 - invalidated resumption" try: connection.read(min=1, max=1) assert() #Client is going to close the socket without a close_notify except TLSAbruptCloseError, e: pass