def test_with_TLS1_2_and_no_overlap(self):
certificate_request = CertificateRequest((3, 3))
certificate_request.create([CertificateType.x509],
[],
[(HashAlgorithm.sha256,
SignatureAlgorithm.rsa),
(HashAlgorithm.sha224,
SignatureAlgorithm.rsa)])
certVerify = KeyExchange.makeCertificateVerify((3, 3),
self.handshake_hashes,
[(HashAlgorithm.sha1,
SignatureAlgorithm.rsa),
(HashAlgorithm.sha512,
SignatureAlgorithm.rsa)],
self.clnt_private_key,
certificate_request,
None, None, None)
self.assertIsNotNone(certVerify)
self.assertEqual(certVerify.version, (3, 3))
# when there's no overlap, we select the most wanted from our side
self.assertEqual(certVerify.signatureAlgorithm, (HashAlgorithm.sha1,
SignatureAlgorithm.rsa))
self.assertEqual(certVerify.signature, bytearray(
b'.\x03\xa2\xf0\xa0\xfb\xbeUs\xdb\x9b\xea\xcc(\xa6:l\x84\x8e\x13'
b'\xa1\xaa\xdb1P\xe9\x06\x876\xbe+\xe92\x89\xaa\xa5EU\x07\x9a\xde'
b'\xd37\xafGCR\xdam\xa2v\xde\xceeFI\x80:ZtL\x96\xafZ\xe2\xe2\xce/'
b'\x9f\x82\xfe\xdb*\x94\xa8\xbd\xd9Hl\xdc\xc8\xbf\x9b=o\xda\x06'
b'\xfa\x9e\xbfB+05\xc6\xda\xdf\x05\xf2m[\x18\x11\xaf\x184\x12\x9d'
b'\xb4:\x9b\xc1U\x1c\xba\xa3\x05\xceOn\x0fY\xcaK*\x0b\x04\xa5'
))
def test_with_TLS1_2_and_no_overlap(self):
certificate_request = CertificateRequest((3, 3))
certificate_request.create([CertificateType.x509],
[],
[(HashAlgorithm.sha256,
SignatureAlgorithm.rsa),
(HashAlgorithm.sha224,
SignatureAlgorithm.rsa)])
certVerify = KeyExchange.makeCertificateVerify((3, 3),
self.handshake_hashes,
[(HashAlgorithm.sha1,
SignatureAlgorithm.rsa),
(HashAlgorithm.sha512,
SignatureAlgorithm.rsa)],
self.clnt_private_key,
certificate_request,
None, None, None)
self.assertIsNotNone(certVerify)
self.assertEqual(certVerify.version, (3, 3))
# when there's no overlap, we select the most wanted from our side
self.assertEqual(certVerify.signatureAlgorithm, (HashAlgorithm.sha1,
SignatureAlgorithm.rsa))
self.assertEqual(certVerify.signature, bytearray(
b'.\x03\xa2\xf0\xa0\xfb\xbeUs\xdb\x9b\xea\xcc(\xa6:l\x84\x8e\x13'
b'\xa1\xaa\xdb1P\xe9\x06\x876\xbe+\xe92\x89\xaa\xa5EU\x07\x9a\xde'
b'\xd37\xafGCR\xdam\xa2v\xde\xceeFI\x80:ZtL\x96\xafZ\xe2\xe2\xce/'
b'\x9f\x82\xfe\xdb*\x94\xa8\xbd\xd9Hl\xdc\xc8\xbf\x9b=o\xda\x06'
b'\xfa\x9e\xbfB+05\xc6\xda\xdf\x05\xf2m[\x18\x11\xaf\x184\x12\x9d'
b'\xb4:\x9b\xc1U\x1c\xba\xa3\x05\xceOn\x0fY\xcaK*\x0b\x04\xa5'
))
def test_process(self):
exp = ExpectCertificateRequest()
state = ConnectionState()
msg = CertificateRequest((3, 3))
msg.create([ClientCertificateType.rsa_sign,
ClientCertificateType.rsa_fixed_dh],
[],
[(HashAlgorithm.sha1, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa)])
msg = Message(ContentType.handshake,
msg.write())
exp.process(state, msg)
def parse(self, parser):
"""Parse a handshake message."""
hs_type = parser.get(1)
if hs_type == HandshakeType.server_hello:
msg = ServerHello().parse(parser)
self.version = msg.server_version
self.cipher_suite = msg.cipher_suite
self.certificate_type = msg.certificate_type
return msg
elif hs_type == HandshakeType.certificate:
msg = Certificate(self.certificate_type)
elif hs_type == HandshakeType.server_key_exchange:
msg = ServerKeyExchange(self.cipher_suite, self.version)
elif hs_type == HandshakeType.certificate_request:
msg = CertificateRequest(self.version)
elif hs_type == HandshakeType.next_protocol:
msg = NextProtocol().parse(parser)
elif hs_type == HandshakeType.server_hello_done:
msg = ServerHelloDone()
elif hs_type == HandshakeType.session_ticket:
msg = NewSessionTicket()
elif hs_type == HandshakeType.certificate_status:
msg = CertificateStatus()
else:
raise ValueError("Unknown handshake type: {0}".format(hs_type))
# don't abort when we can't parse a message, save it as unparsed
try:
msg.parse(parser)
except SyntaxError:
msg = Message(ContentType.handshake, parser.bytes)
return msg
def process(state, msg):
"""
Check received Certificate Request
@type state: ConnectionState
"""
assert msg.contentType == ContentType.handshake
parser = Parser(msg.write())
hs_type = parser.get(1)
assert hs_type == HandshakeType.certificate_request
cert_request = CertificateRequest(state.version)
cert_request.parse(parser)
state.handshake_messages.append(cert_request)
state.handshake_hashes.update(msg.write())
def process(self, state, msg):
"""
Check received Certificate Request
@type state: ConnectionState
"""
assert msg.contentType == ContentType.handshake
parser = Parser(msg.write())
hs_type = parser.get(1)
assert hs_type == HandshakeType.certificate_request
cert_request = CertificateRequest(state.version)
cert_request.parse(parser)
if self.sig_algs is not None and \
cert_request.supported_signature_algs != self.sig_algs:
raise AssertionError("Unexpected algorithms found: {0}".format(
cert_request.supported_signature_algs))
state.handshake_messages.append(cert_request)
state.handshake_hashes.update(msg.write())
def test_with_TLS1_1(self):
certificate_request = CertificateRequest((3, 2))
certificate_request.create([CertificateType.x509],
[],
None)
certVerify = KeyExchange.makeCertificateVerify((3, 2),
self.handshake_hashes,
None,
self.clnt_private_key,
certificate_request,
None, None, None)
self.assertIsNotNone(certVerify)
self.assertEqual(certVerify.version, (3, 2))
self.assertIsNone(certVerify.signatureAlgorithm)
self.assertEqual(certVerify.signature, bytearray(
b'=X\x14\xf3\r6\x0b\x84\xde&J\x15\xa02M\xc8\xf1?\xa0\x10U\x1e\x0b'
b'\x95^\xa19\x14\xf5\xf1$\xe3U[\xb4/\xe7AY(\xee]\xff\x97H\xb8\xa9'
b'\x8b\x96n\xa6\xf5\x0f\xffd\r\x08/Hs6`wi8\xc4\x02\xa4}a\xcbS\x99'
b'\x01;\x0e\x88oj\x9a\x02\x98Y\xb5\x00$f@>\xd8\x0cS\x95\xa8\x9e'
b'\x14uU\\Z\xd0.\xe7\x01_y\x1d\xea\xad\x1b\xf8c\xa6\xc9@\xc6\x90'
b'\x19~&\xd9\xaa\xc2\t,s\xde\xb1'
))
def test_with_TLS1_1(self):
certificate_request = CertificateRequest((3, 2))
certificate_request.create([CertificateType.x509],
[],
None)
certVerify = KeyExchange.makeCertificateVerify((3, 2),
self.handshake_hashes,
None,
self.clnt_private_key,
certificate_request,
None, None, None)
self.assertIsNotNone(certVerify)
self.assertEqual(certVerify.version, (3, 2))
self.assertIsNone(certVerify.signatureAlgorithm)
self.assertEqual(certVerify.signature, bytearray(
b'=X\x14\xf3\r6\x0b\x84\xde&J\x15\xa02M\xc8\xf1?\xa0\x10U\x1e\x0b'
b'\x95^\xa19\x14\xf5\xf1$\xe3U[\xb4/\xe7AY(\xee]\xff\x97H\xb8\xa9'
b'\x8b\x96n\xa6\xf5\x0f\xffd\r\x08/Hs6`wi8\xc4\x02\xa4}a\xcbS\x99'
b'\x01;\x0e\x88oj\x9a\x02\x98Y\xb5\x00$f@>\xd8\x0cS\x95\xa8\x9e'
b'\x14uU\\Z\xd0.\xe7\x01_y\x1d\xea\xad\x1b\xf8c\xa6\xc9@\xc6\x90'
b'\x19~&\xd9\xaa\xc2\t,s\xde\xb1'
))
def test_process(self):
exp = ExpectCertificateRequest()
state = ConnectionState()
msg = CertificateRequest((3, 3))
msg.create([
ClientCertificateType.rsa_sign, ClientCertificateType.rsa_fixed_dh
], [], [(HashAlgorithm.sha1, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa)])
msg = Message(ContentType.handshake, msg.write())
exp.process(state, msg)
def test_sig_algs_mismatched(self):
sig_algs = [(HashAlgorithm.sha1, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa)]
exp = ExpectCertificateRequest(sig_algs=sig_algs[0:0])
state = ConnectionState()
msg = CertificateRequest((3, 3))
msg.create([
ClientCertificateType.rsa_sign, ClientCertificateType.rsa_fixed_dh
], [], sig_algs)
msg = Message(ContentType.handshake, msg.write())
with self.assertRaises(AssertionError):
exp.process(state, msg)
