def test_intermediate(): ca = CA() ca_cert = x509.load_pem_x509_certificate(ca.cert_pem.bytes(), default_backend()) assert_is_ca(ca_cert) assert ca_cert.issuer == ca_cert.subject assert _path_length(ca_cert) == 9 child_ca = ca.create_child_ca() child_ca_cert = x509.load_pem_x509_certificate(child_ca.cert_pem.bytes(), default_backend()) assert_is_ca(child_ca_cert) assert child_ca_cert.issuer == ca_cert.subject assert _path_length(child_ca_cert) == 8 child_server = child_ca.issue_cert(u"test-host.example.org") assert len(child_server.cert_chain_pems) == 2 child_server_cert = x509.load_pem_x509_certificate( child_server.cert_chain_pems[0].bytes(), default_backend()) assert child_server_cert.issuer == child_ca_cert.subject
def check_connection_end_to_end(wrap_client, wrap_server): # Client side def fake_ssl_client(ca, raw_client_sock, hostname): try: wrapped_client_sock = wrap_client(ca, raw_client_sock, hostname) # Send and receive some data to prove the connection is good wrapped_client_sock.send(b"x") assert wrapped_client_sock.recv(1) == b"y" except: # pragma: no cover sys.excepthook(*sys.exc_info()) raise finally: raw_client_sock.close() # Server side def fake_ssl_server(server_cert, raw_server_sock): try: wrapped_server_sock = wrap_server(server_cert, raw_server_sock) # Prove that we're connected assert wrapped_server_sock.recv(1) == b"x" wrapped_server_sock.send(b"y") except: # pragma: no cover sys.excepthook(*sys.exc_info()) raise finally: raw_server_sock.close() def doit(ca, hostname, server_cert): # socketpair and ssl don't work together on py2, because... reasons. # So we need to do this the hard way. listener = socket.socket() listener.bind(("127.0.0.1", 0)) listener.listen(1) raw_client_sock = socket.socket() raw_client_sock.connect(listener.getsockname()) raw_server_sock, _ = listener.accept() listener.close() with ThreadPoolExecutor(2) as tpe: f1 = tpe.submit(fake_ssl_client, ca, raw_client_sock, hostname) f2 = tpe.submit(fake_ssl_server, server_cert, raw_server_sock) f1.result() f2.result() ca = CA() intermediate_ca = ca.create_child_ca() hostname = u"my-test-host.example.org" # Should work doit(ca, hostname, ca.issue_cert(hostname)) # Should work doit(ca, hostname, intermediate_ca.issue_cert(hostname)) # To make sure that the above success actually required that the # CA and cert logic is all working, make sure that the same code # fails if the certs or CA aren't right: # Bad hostname fails with pytest.raises(Exception): doit(ca, u"asdf.example.org", ca.issue_cert(hostname)) # Bad CA fails bad_ca = CA() with pytest.raises(Exception): doit(bad_ca, hostname, ca.issue_cert(hostname))