Esempio n. 1
def x509_name_entry2tuple(entry):
    """Return a (field name, value) text pair for one X509 name entry.

    The value is whatever m2.asn1_string_print writes for the entry's data;
    the field name comes from m2.obj_obj2txt on the entry's object.
    Name entries may come from a peer-supplied certificate, so treat both
    strings as untrusted data when logging or displaying them.
    """
    sink = BIO.MemoryBuffer()
    entry_data = m2.x509_name_entry_get_data(entry._ptr())
    m2.asn1_string_print(sink._ptr(), entry_data)
    field = m2.obj_obj2txt(m2.x509_name_entry_get_object(entry._ptr()), 0)
    field_text = six.ensure_text(field)
    value_text = six.ensure_text(sink.getvalue())
    return (field_text, value_text)
Esempio n. 2
def get_error():
    # type: () -> Optional[str]
    """Return the text written by m2.err_print_errors, or None when it is empty."""
    sink = BIO.MemoryBuffer()
    m2.err_print_errors(sink.bio_ptr())
    pending = sink.read()
    if not pending:
        return None
    return six.ensure_text(pending)
Esempio n. 3
def get_error():
    # type: () -> Optional[str]
    """Collect what m2.err_print_errors writes into a memory BIO.

    :return: the collected text, or None when nothing was written.
    """
    collector = BIO.MemoryBuffer()
    m2.err_print_errors(collector.bio_ptr())
    raw = collector.read()
    return six.ensure_text(raw) if raw else None
Esempio n. 4
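 def __str__(self):
     # type: () -> str
     """Return the text m2.asn1_time_print writes for self.asn1_time."""
     # NOTE: assert statements are removed under ``python -O``, so this
     # type check is not a guarantee in optimized runs.
     # The message previously ended with a stray quote character.
     assert m2.asn1_time_type_check(self.asn1_time), \
         "'asn1_time' type error"
     buf = BIO.MemoryBuffer()
     m2.asn1_time_print(buf.bio_ptr(), self.asn1_time)
     return six.ensure_text(buf.read_all())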
Esempio n. 5
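 def __str__(self):
     # type: () -> str
     """Render self.asn1_time through m2.asn1_time_print and return it as text."""
     # NOTE: this check relies on assert, which ``python -O`` strips.
     # The message previously carried an unbalanced trailing quote.
     assert m2.asn1_time_type_check(self.asn1_time), \
         "'asn1_time' type error"
     buf = BIO.MemoryBuffer()
     m2.asn1_time_print(buf.bio_ptr(), self.asn1_time)
     return six.ensure_text(buf.read_all())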
Esempio n. 6
 def test_HTTPSConnection(self):
     """Fetch '/' from the spawned test server over HTTPS and check the body.

     No ssl_context is passed to HTTPSConnection here, so this test does not
     itself configure peer verification.
     """
     server = self.start_server(self.args)
     try:
         conn = httpslib.HTTPSConnection(srv_host, self.srv_port)
         conn.request('GET', '/')
         body = conn.getresponse().read()
         conn.close()
     finally:
         # The server is stopped even when the request fails.
         self.stop_server(server)
     self.assertIn('s_server -quiet -www', six.ensure_text(body))
Esempio n. 7
    def as_text(self):
        # type: () -> str
        """
        Return the CRL as text.

        The result is whatever m2.x509_crl_print writes for self.crl.
        NOTE(review): this docstring used to say "PEM format", but a
        print-style call normally yields a human-readable dump rather
        than a PEM block -- confirm before parsing the result as PEM.

        :return: String containing the printed CRL.
        """
        buf = BIO.MemoryBuffer()
        m2.x509_crl_print(buf.bio_ptr(), self.crl)
        return six.ensure_text(buf.read_all())
Esempio n. 8
    def as_text(self):
        # type: () -> str
        """
        Return the CRL as text.

        The result is whatever m2.x509_crl_print writes for self.crl.
        NOTE(review): this docstring used to say "PEM format", but a
        print-style call normally yields a human-readable dump rather
        than a PEM block -- confirm before parsing the result as PEM.

        :return: String containing the printed CRL.
        """
        buf = BIO.MemoryBuffer()
        m2.x509_crl_print(buf.bio_ptr(), self.crl)
        return six.ensure_text(buf.read_all())
Esempio n. 9
 def test_HTTPSConnection(self):
     """Request '/' over HTTPS from the test server and assert on the reply.

     HTTPSConnection is built without an ssl_context, so peer verification
     is not configured by this test.
     """
     server_proc = self.start_server(self.args)
     try:
         connection = httpslib.HTTPSConnection(srv_host, self.srv_port)
         connection.request('GET', '/')
         response = connection.getresponse()
         payload = response.read()
         connection.close()
     finally:
         # Runs on success and on failure alike.
         self.stop_server(server_proc)
     self.assertIn('s_server -quiet -www', six.ensure_text(payload))
Esempio n. 10
def rand_file_name():
    # type: () -> str
    """
    Return the default path of the random seed file as text.

    :return: string with the filename.
       The seed file is $RANDFILE if that environment variable
       is set, $HOME/.rnd otherwise. If $HOME is not set either,
       an error occurs.

    The path is derived from the process environment, so it is only
    as trustworthy as that environment.
    """
    seed_path = m2.rand_file_name()  # pylint: disable=no-member
    return six.ensure_text(seed_path)
Esempio n. 11
    def __getattr__(self, attr):
        # type: (str) -> str
        """Resolve *attr* through the self.nid mapping, else the instance dict.

        Names found in self.nid are looked up with m2.x509_name_by_nid and
        returned as text; anything else falls back to self.__dict__ and
        finally raises AttributeError.
        """
        if attr not in self.nid:
            try:
                return self.__dict__[attr]
            except KeyError:
                pass
            raise AttributeError(self, attr)

        # NOTE: assert is stripped under ``python -O``.
        assert m2.x509_name_type_check(self.x509_name), \
            "'x509_name' type error"
        raw = m2.x509_name_by_nid(self.x509_name, self.nid[attr])
        return six.ensure_text(raw)
Esempio n. 12
def rand_file_name():
    # type: () -> str
    """
    Return the default random seed file path as text.

    :return: string with the filename.
       The seed file is $RANDFILE if that environment variable
       is set, $HOME/.rnd otherwise. If $HOME is not set either,
       an error occurs.

    Because the location is taken from environment variables, it is
    only as trustworthy as the process environment.
    """
    default_path = m2.rand_file_name()  # pylint: disable=no-member
    return six.ensure_text(default_path)
Esempio n. 13
    def get_value(self, flag=0, indent=0):
        # type: (int, int) -> str
        """
        Return the extension value as text, e.g. 'DNS:www.example.com'.

        :param flag:   Flag to control what and how to print.
        :param indent: How many spaces to print before actual value.

        The value may originate from a peer-supplied certificate, so
        treat it as untrusted data.
        """
        sink = BIO.MemoryBuffer()
        m2.x509_ext_print(sink.bio_ptr(), self.x509_ext, flag, indent)
        printed = sink.read_all()
        return six.ensure_text(printed)
Esempio n. 14
    def __getattr__(self, attr):
        # type: (str) -> str
        """Return the name component for *attr*, or fall back to __dict__.

        Attributes listed in self.nid are fetched with m2.x509_name_by_nid
        and converted to text. Other names are served from self.__dict__;
        unknown names raise AttributeError.
        """
        known_field = attr in self.nid
        if known_field:
            # NOTE: assert is stripped under ``python -O``.
            assert m2.x509_name_type_check(self.x509_name), \
                "'x509_name' type error"
            component = m2.x509_name_by_nid(self.x509_name, self.nid[attr])
            return six.ensure_text(component)

        instance_vars = self.__dict__
        if attr in instance_vars:
            return instance_vars[attr]

        raise AttributeError(self, attr)
Esempio n. 15
    def get_value(self, flag=0, indent=0):
        # type: (int, int) -> str
        """
        Get the extension value as text, for example 'DNS:www.example.com'.

        :param flag:   Flag to control what and how to print.
        :param indent: How many spaces to print before actual value.

        Extension content may come from a remote peer's certificate;
        handle the returned text as untrusted.
        """
        out = BIO.MemoryBuffer()
        m2.x509_ext_print(out.bio_ptr(), self.x509_ext, flag, indent)
        value = out.read_all()
        return six.ensure_text(value)
Esempio n. 16
 def http_get(self, s):
     """Send a minimal HTTP/1.0 GET on *s* and return everything read, as text.

     Reading stops at an empty recv() or at the first SSL.SSLError.
     """
     s.send(b'GET / HTTP/1.0\n\n')
     chunks = []
     while True:
         try:
             piece = s.recv(4096)
         except SSL.SSLError:  # s_server throws an 'unexpected eof'...
             break
         if not piece:
             break
         chunks.append(piece)
     return six.ensure_text(b''.join(chunks))
Esempio n. 17
    def as_text(self, flags=0):
        # type: (int) -> str
        """Return self.asn1str rendered according to *flags*.

        :param flags: determine the format of the output by using
               predetermined constants, see ASN1_STRING_print_ex(3)
               manpage for their meaning.
        :return: the text written by m2.asn1_string_print_ex.
        """
        sink = BIO.MemoryBuffer()
        m2.asn1_string_print_ex(sink.bio_ptr(), self.asn1str, flags)
        rendered = sink.read_all()
        return six.ensure_text(rendered)
Esempio n. 18
    def as_text(self, flags=0):
        # type: (int) -> str
        """Render the ASN1_STRING held in self.asn1str as text.

        :param flags: determine the format of the output by using
               predetermined constants, see ASN1_STRING_print_ex(3)
               manpage for their meaning.
        :return: what m2.asn1_string_print_ex wrote, converted to text.
        """
        out = BIO.MemoryBuffer()
        m2.asn1_string_print_ex(out.bio_ptr(), self.asn1str, flags)
        printed = out.read_all()
        return six.ensure_text(printed)
Esempio n. 19
 def http_get(self, s):
     """Issue 'GET / HTTP/1.0' on *s* and return the full response as text.

     The read loop ends when recv() returns nothing or raises SSL.SSLError.
     """
     s.send(b'GET / HTTP/1.0\n\n')
     received = b''
     while True:
         try:
             block = s.recv(4096)
         except SSL.SSLError:  # s_server throws an 'unexpected eof'...
             break
         if not block:
             break
         received += block
     return six.ensure_text(received)
Esempio n. 20
 def test_HTTPSConnection_secure_context(self):
     """HTTPS request through a context that requires a verified peer.

     The context demands a peer certificate (verify_peer |
     verify_fail_if_no_peer_cert, depth 9) and trusts 'tests/ca.pem'.
     """
     server = self.start_server(self.args)
     try:
         verify_mode = SSL.verify_peer | SSL.verify_fail_if_no_peer_cert
         self.ctx.set_verify(verify_mode, 9)
         self.ctx.load_verify_locations('tests/ca.pem')
         conn = httpslib.HTTPSConnection(srv_host, self.srv_port,
                                         ssl_context=self.ctx)
         conn.request('GET', '/')
         body = conn.getresponse().read()
         data = six.ensure_text(body)
         conn.close()
     finally:
         # The server is stopped whether or not the request succeeded.
         self.stop_server(server)
     self.assertIn('s_server -quiet -www', data)
Esempio n. 21
 def test_HTTPSConnection_secure_context(self):
     """Fetch '/' with peer verification enabled on the shared context.

     set_verify is called with verify_peer | verify_fail_if_no_peer_cert
     and depth 9, and 'tests/ca.pem' is loaded as the trust anchor.
     """
     server_proc = self.start_server(self.args)
     try:
         required = SSL.verify_peer | SSL.verify_fail_if_no_peer_cert
         self.ctx.set_verify(required, 9)
         self.ctx.load_verify_locations('tests/ca.pem')
         connection = httpslib.HTTPSConnection(srv_host, self.srv_port,
                                               ssl_context=self.ctx)
         connection.request('GET', '/')
         response = connection.getresponse()
         data = six.ensure_text(response.read())
         connection.close()
     finally:
         # Cleanup runs on both the success and the failure path.
         self.stop_server(server_proc)
     self.assertIn('s_server -quiet -www', data)
Esempio n. 22
    def as_text(self, indent=0, flags=m2.XN_FLAG_COMPAT):
        # type: (int, int) -> str
        """
        Return the name as a string.

        :param indent: Each line in multiline format is indented
                       by this many spaces.
        :param flags:  Flags that control how the output should be formatted.

        Name fields may come from a peer-supplied certificate; treat the
        returned text as untrusted when logging or displaying it.
        """
        # NOTE: assert is stripped under ``python -O``.
        assert m2.x509_name_type_check(self.x509_name), \
            "'x509_name' type error"
        sink = BIO.MemoryBuffer()
        m2.x509_name_print_ex(sink.bio_ptr(), self.x509_name, indent, flags)
        rendered = sink.read_all()
        return six.ensure_text(rendered)
Esempio n. 23
    def get_fingerprint(self, md='md5'):
        # type: (str) -> str
        """
        Get the fingerprint of the certificate.

        :param md: Message digest algorithm to use. The default, 'md5',
                   is not collision resistant; pass a stronger digest
                   name when the fingerprint is used to pin or
                   authenticate a certificate.

        :return:   String containing the upper-case hex digest of the
                   DER encoding of the certificate.
        """
        encoded = self.as_der()
        # A separate local keeps the digest name in ``md`` intact.
        hasher = EVP.MessageDigest(md)
        hasher.update(encoded)
        raw_digest = hasher.final()
        hex_digest = binascii.hexlify(raw_digest).upper()
        return six.ensure_text(hex_digest)
Esempio n. 24
    def as_text(self, indent=0, flags=m2.XN_FLAG_COMPAT):
        # type: (int, int) -> str
        """
        Render the X509 name as a string.

        :param indent: Each line in multiline format is indented
                       by this many spaces.
        :param flags:  Flags that control how the output should be formatted.

        The name may have been supplied by a remote peer, so the result
        should be handled as untrusted text.
        """
        # NOTE: this check disappears when Python runs with ``-O``.
        assert m2.x509_name_type_check(self.x509_name), \
            "'x509_name' type error"
        out = BIO.MemoryBuffer()
        m2.x509_name_print_ex(out.bio_ptr(), self.x509_name, indent, flags)
        printed = out.read_all()
        return six.ensure_text(printed)
Esempio n. 25
    def get_fingerprint(self, md='md5'):
        # type: (str) -> str
        """
        Get the fingerprint of the certificate.

        :param md: Message digest algorithm to use. MD5, the default,
                   is collision-prone; choose a stronger digest name
                   for any fingerprint that a trust decision depends on.

        :return:   String containing the fingerprint in upper-case hex,
                   computed over the certificate's DER encoding.
        """
        der_bytes = self.as_der()
        # The digest object gets its own name instead of rebinding ``md``.
        digest_ctx = EVP.MessageDigest(md)
        digest_ctx.update(der_bytes)
        fingerprint = binascii.hexlify(digest_ctx.final()).upper()
        return six.ensure_text(fingerprint)
Esempio n. 26
    def test_HTTPSConnection_resume_session(self):
        """Check that a session taken from one connection is reused by another.

        The first connection's session is handed to a second connection
        that uses a separate context; the test passes when both sessions
        print identically and the second response has the expected body.
        """
        pid = self.start_server(self.args)
        try:
            # First context: trust tests/ca.pem, present tests/x509.pem,
            # require a verified peer (depth 1), enable client session cache.
            self.ctx.load_verify_locations(cafile='tests/ca.pem')
            self.ctx.load_cert('tests/x509.pem')
            self.ctx.set_verify(
                SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 1)
            self.ctx.set_session_cache_mode(m2.SSL_SESS_CACHE_CLIENT)
            c = httpslib.HTTPSConnection(srv_host,
                                         self.srv_port,
                                         ssl_context=self.ctx)
            c.request('GET', '/')
            ses = c.get_session()
            t = ses.as_text()
            # This body is read, but the value is replaced by the second
            # response further down.
            data = c.getresponse().read()
            # Apparently closing the connection here breaks the session; Ali Polatel?
            # c.close()

            # Second context, configured the same way as the first.
            ctx2 = SSL.Context()
            ctx2.load_verify_locations(cafile='tests/ca.pem')
            ctx2.load_cert('tests/x509.pem')
            ctx2.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert,
                            1)
            ctx2.set_session_cache_mode(m2.SSL_SESS_CACHE_CLIENT)
            c2 = httpslib.HTTPSConnection(srv_host,
                                          self.srv_port,
                                          ssl_context=ctx2)
            # Offer the first connection's session before making the request.
            c2.set_session(ses)
            c2.request('GET', '/')
            ses2 = c2.get_session()
            t2 = ses2.as_text()
            data = six.ensure_text(c2.getresponse().read())
            c.close()
            c2.close()
            # NOTE(review): the failure message embeds both session dumps;
            # session text may include key material -- confirm what
            # as_text() emits before letting this reach shared CI logs.
            self.assertEqual(
                t, t2, "Sessions did not match: t = %s, t2 = %s" % (
                    t,
                    t2,
                ))
        finally:
            # Stop the server on success and on failure.
            self.stop_server(pid)
        self.assertIn('s_server -quiet -www', data)
Esempio n. 27
    def test_HTTPSConnection_resume_session(self):
        """Check that a session taken from one connection is reused by another.

        The session from the first connection is set on a second
        connection built on its own context; both sessions must print
        identically and the second response must have the expected body.
        """
        pid = self.start_server(self.args)
        try:
            # First context: trust tests/ca.pem, present tests/x509.pem,
            # require a verified peer (depth 1), enable client session cache.
            self.ctx.load_verify_locations(cafile='tests/ca.pem')
            self.ctx.load_cert('tests/x509.pem')
            self.ctx.set_verify(
                SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 1)
            self.ctx.set_session_cache_mode(m2.SSL_SESS_CACHE_CLIENT)
            c = httpslib.HTTPSConnection(srv_host, self.srv_port,
                                         ssl_context=self.ctx)
            c.request('GET', '/')
            ses = c.get_session()
            t = ses.as_text()
            # This body is read, but the value is replaced by the second
            # response further down.
            data = c.getresponse().read()
            # Apparently closing the connection here breaks the session; Ali Polatel?
            # c.close()

            # Second context, configured the same way as the first.
            ctx2 = SSL.Context()
            ctx2.load_verify_locations(cafile='tests/ca.pem')
            ctx2.load_cert('tests/x509.pem')
            ctx2.set_verify(
                SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 1)
            ctx2.set_session_cache_mode(m2.SSL_SESS_CACHE_CLIENT)
            c2 = httpslib.HTTPSConnection(srv_host, self.srv_port,
                                          ssl_context=ctx2)
            # Offer the first connection's session before making the request.
            c2.set_session(ses)
            c2.request('GET', '/')
            ses2 = c2.get_session()
            t2 = ses2.as_text()
            data = six.ensure_text(c2.getresponse().read())
            c.close()
            c2.close()
            # NOTE(review): the failure message embeds both session dumps;
            # session text may include key material -- confirm what
            # as_text() emits before letting this reach shared CI logs.
            self.assertEqual(t, t2,
                             "Sessions did not match: t = %s, t2 = %s" % (t, t2,))
        finally:
            # Stop the server on success and on failure.
            self.stop_server(pid)
        self.assertIn('s_server -quiet -www', data)
Esempio n. 28
def get_error_func(err):
    # type: (int) -> str
    """Return m2.err_func_error_string(err) converted to text."""
    func_name = m2.err_func_error_string(err)
    return six.ensure_text(func_name)
Esempio n. 29
def get_x509_verify_error(err):
    # type: (Optional[int]) -> str
    """Return the verify-error text for *err*, or '' when none is available."""
    err_str = m2.x509_get_verify_error(err)
    if not err_str:
        # Nothing usable came back; hand callers an empty string.
        return ''
    return six.ensure_text(err_str)
Esempio n. 30
 def name(self):
     # type: () -> str
     """Return what m2.ssl_cipher_get_name reports for self.cipher, as text."""
     cipher_name = m2.ssl_cipher_get_name(self.cipher)
     return six.ensure_text(cipher_name)
Esempio n. 31
 def as_text(self):
     # type: () -> str
     """Return the text m2.x509_print writes for self.x509.

     Certificate fields may be peer-controlled; treat the result as
     untrusted when logging or displaying it.
     """
     # NOTE: assert is stripped under ``python -O``.
     assert m2.x509_type_check(self.x509), "'x509' type error"
     sink = BIO.MemoryBuffer()
     m2.x509_print(sink.bio_ptr(), self.x509)
     rendered = sink.read_all()
     return six.ensure_text(rendered)
Esempio n. 32
 def __str__(self):
     # type: () -> str
     """Return the result of self.__bytes__() converted to text."""
     raw = self.__bytes__()
     return six.ensure_text(raw)
Esempio n. 33
 def stop_server(self, pid):
     """Terminate the server process and return its (stdout, stderr) as text.

     *pid* is used as a process handle (terminate/communicate), not as a
     numeric process id.
     """
     pid.terminate()
     captured = pid.communicate()
     out, err = captured
     return six.ensure_text(out), six.ensure_text(err)
Esempio n. 34
 def test_py3str_None(self):
     """six.ensure_text must reject None with TypeError."""
     self.assertRaises(TypeError, six.ensure_text, None)
Esempio n. 35
 def get_name(self):
     # type: () -> str
     """
     Return the extension name as text, for example 'subjectAltName'.
     """
     ext_name = m2.x509_extension_get_name(self.x509_ext)
     return six.ensure_text(ext_name)
Esempio n. 36
 def test_py3str_str(self):
     """A unicode literal passed through six.ensure_text is a string type."""
     converted = six.ensure_text(u'test')
     self.assertIsInstance(converted, six.string_types)
Esempio n. 37
def get_error_message():
    # type: () -> str
    """Return the reason text for the code reported by get_error_code()."""
    code = get_error_code()
    reason = get_error_reason(code)
    return six.ensure_text(reason)
Esempio n. 38
 def as_text(self):
     # type: () -> str
     """Return the text m2.x509_req_print writes for self.req.

     Request fields are supplied by whoever created the request; treat
     the result as untrusted when logging or displaying it.
     """
     sink = BIO.MemoryBuffer()
     m2.x509_req_print(sink.bio_ptr(), self.req)
     rendered = sink.read_all()
     return six.ensure_text(rendered)
Esempio n. 39
 def test_py3str_bytes(self):
     """Bytes passed through six.ensure_text come back as six.text_type."""
     converted = six.ensure_text(b'test')
     self.assertIsInstance(converted, six.text_type)
Esempio n. 40
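def get_x509_verify_error(err):
    # type: (int) -> str
    """Return the verify-error text for *err*, or '' when none is available.

    six.ensure_text raises TypeError for None, so a missing string from
    m2.x509_get_verify_error is mapped to '' instead of being converted.
    """
    err_str = m2.x509_get_verify_error(err)
    return six.ensure_text(err_str) if err_str else ''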
Esempio n. 41
 def as_text(self):
     # type: () -> str
     """Render self.x509 through m2.x509_print and return it as text.

     The certificate may have been supplied by a remote peer, so handle
     the returned text as untrusted.
     """
     # NOTE: this check disappears when Python runs with ``-O``.
     assert m2.x509_type_check(self.x509), "'x509' type error"
     out = BIO.MemoryBuffer()
     m2.x509_print(out.bio_ptr(), self.x509)
     printed = out.read_all()
     return six.ensure_text(printed)
Esempio n. 42
 def get_name(self):
     # type: () -> str
     """
     Get the extension name as text, for example 'subjectAltName'.
     """
     raw_name = m2.x509_extension_get_name(self.x509_ext)
     return six.ensure_text(raw_name)
Esempio n. 43
def get_error_message():
    # type: () -> str
    """Look up the current error code and return its reason as text."""
    current_code = get_error_code()
    message = get_error_reason(current_code)
    return six.ensure_text(message)
 def get_version(self):
     # type: () -> str
     """Return the TLS/SSL protocol version for this connection, as text."""
     version = m2.ssl_get_version(self.ssl)
     return six.ensure_text(version)
Esempio n. 45
def get_error_reason(err):
    # type: (Optional[int]) -> str
    """Return the reason text for *err*, or '' when none is available."""
    err_str = m2.err_reason_error_string(err)
    if not err_str:
        # No reason string came back; return an empty string instead.
        return ''
    return six.ensure_text(err_str)
Esempio n. 46
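def get_error_reason(err):
    # type: (int) -> str
    """Return the reason text for *err*, or '' when none is available.

    six.ensure_text raises TypeError for None, so a missing string from
    m2.err_reason_error_string is mapped to '' instead of being converted.
    """
    err_str = m2.err_reason_error_string(err)
    return six.ensure_text(err_str) if err_str else ''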
Esempio n. 47
 def name(self):
     # type: () -> str
     """Return the cipher name from m2.ssl_cipher_get_name(self.cipher) as text."""
     raw_name = m2.ssl_cipher_get_name(self.cipher)
     return six.ensure_text(raw_name)
Esempio n. 48
 def as_text(self):
     # type: () -> str
     """Render self.req through m2.x509_req_print and return it as text.

     The request content comes from its creator, so handle the returned
     text as untrusted.
     """
     out = BIO.MemoryBuffer()
     m2.x509_req_print(out.bio_ptr(), self.req)
     printed = out.read_all()
     return six.ensure_text(printed)
 def get_cipher_list(self, idx=0):
     # type: (int) -> str
     """Return the cipher suites for this connection as a string object.

     *idx* is passed through to m2.ssl_get_cipher_list unchanged.
     """
     ciphers = m2.ssl_get_cipher_list(self.ssl, idx)
     return six.ensure_text(ciphers)
Esempio n. 50
 def __str__(self):
     # type: () -> str
     """Describe the host mismatch: field name, expected host, actual host.

     NOTE(review): actualHost presumably carries names taken from the peer
     certificate -- treat the message as untrusted when logging it.
     """
     details = (self.fieldName, self.expectedHost, self.actualHost)
     message = 'Peer certificate %s does not match host, expected %s, got %s' \
         % details
     return six.ensure_text(message)
Esempio n. 51
 def test_py3str_str(self):
     """six.ensure_text on a unicode literal yields one of six.string_types."""
     result = six.ensure_text(u'test')
     self.assertIsInstance(result, six.string_types)
Esempio n. 52
 def test_py3str_bytes(self):
     """six.ensure_text on bytes yields six.text_type."""
     result = six.ensure_text(b'test')
     self.assertIsInstance(result, six.text_type)
Esempio n. 53
 def test_py3str_None(self):
     """Passing None to six.ensure_text must raise TypeError."""
     self.assertRaises(TypeError, six.ensure_text, None)
Esempio n. 54
 def __str__(self):
     # type: () -> str
     """Convert the value of self.__bytes__() to text and return it."""
     as_bytes = self.__bytes__()
     return six.ensure_text(as_bytes)
Esempio n. 55
    def __call__(self, peerCert, host=None):
        # type: (X509.X509, Optional[str]) -> bool
        """
        Check the peer certificate against the configured pin and/or host.

        :param peerCert: certificate presented by the peer.
        :param host: when not None, replaces self.host before checking.
        :return: True when every configured check passes. When neither
                 self.fingerprint nor self.host is set, no check runs
                 and True is returned for any non-None certificate.
        :raises NoCertificate: peerCert is None.
        :raises ValueError: self.digest is neither 'sha1' nor 'md5'.
        :raises WrongCertificate: fingerprint length or value mismatch,
                 or no commonName when the commonName check is reached.
        :raises WrongHost: the host matches neither check.
        """
        if peerCert is None:
            raise NoCertificate('peer did not return certificate')

        # The override is stored on the instance, so it also applies to
        # later calls that pass no host.
        if host is not None:
            self.host = host  # type: str

        if self.fingerprint:
            # NOTE(review): only SHA-1 and MD5 pins are accepted here; both
            # are weak against collisions, so a pin of this kind is a
            # weaker guarantee than one made with a modern digest.
            if self.digest not in ('sha1', 'md5'):
                raise ValueError('unsupported digest "%s"' % self.digest)

            # Expected length of the hex fingerprint for each digest.
            if self.digest == 'sha1':
                expected_len = 40
            elif self.digest == 'md5':
                expected_len = 32
            else:
                # Not reachable after the membership check above.
                raise ValueError('Unexpected digest {0}'.format(self.digest))

            if len(self.fingerprint) != expected_len:
                raise WrongCertificate(
                    ('peer certificate fingerprint length does not match\n' +
                     'fingerprint: {0}\nexpected = {1}\n' +
                     'observed = {2}').format(self.fingerprint,
                                              expected_len,
                                              len(self.fingerprint)))

            # Exact, case-sensitive string comparison.
            # NOTE(review): presumably get_fingerprint returns upper-case
            # hex, in which case a lower-case pin is rejected -- confirm.
            expected_fingerprint = six.ensure_text(self.fingerprint)
            observed_fingerprint = peerCert.get_fingerprint(md=self.digest)
            if observed_fingerprint != expected_fingerprint:
                raise WrongCertificate(
                    ('peer certificate fingerprint does not match\n' +
                     'expected = {0},\n' +
                     'observed = {1}').format(expected_fingerprint,
                                              observed_fingerprint))

        if self.host:
            hostValidationPassed = False
            # Reset on every call. Unless _splitSubjectAltName sets this
            # flag (not visible here), the WrongHost branch below cannot
            # fire and a subjectAltName mismatch falls through to the
            # commonName check.
            # NOTE(review): RFC 6125 expects commonName to be ignored when
            # the certificate carries DNS subjectAltName entries -- confirm
            # that the helper enforces this.
            self.useSubjectAltNameOnly = False

            # subjectAltName=DNS:somehost[, ...]*
            try:
                subjectAltName = peerCert.get_ext('subjectAltName').get_value()
                if self._splitSubjectAltName(self.host, subjectAltName):
                    hostValidationPassed = True
                elif self.useSubjectAltNameOnly:
                    raise WrongHost(expectedHost=self.host,
                                    actualHost=subjectAltName,
                                    fieldName='subjectAltName')
            except LookupError:
                # Presumably raised by get_ext when the certificate has no
                # subjectAltName extension; the commonName check follows.
                pass

            # commonName=somehost[, ...]*
            if not hostValidationPassed:
                hasCommonName = False
                # Comma-joined list of the names seen, for the error report.
                commonNames = ''
                for entry in peerCert.get_subject().get_entries_by_nid(
                        m2.NID_commonName):
                    hasCommonName = True
                    commonName = entry.get_data().as_text()
                    if not commonNames:
                        commonNames = commonName
                    else:
                        commonNames += ',' + commonName
                    # The first matching commonName ends the search.
                    if self._match(self.host, commonName):
                        hostValidationPassed = True
                        break

                if not hasCommonName:
                    raise WrongCertificate('no commonName in peer certificate')

                if not hostValidationPassed:
                    raise WrongHost(expectedHost=self.host,
                                    actualHost=commonNames,
                                    fieldName='commonName')

        return True
Esempio n. 56
 def stop_server(self, pid):
     """Stop the server process and return its output streams as text.

     *pid* is a process handle here: it is terminated, then communicate()
     supplies the (stdout, stderr) pair that is converted and returned.
     """
     pid.terminate()
     stdout_data, stderr_data = pid.communicate()
     out_text = six.ensure_text(stdout_data)
     err_text = six.ensure_text(stderr_data)
     return out_text, err_text