def test_intermediate():
ca = CA()
ca_cert = x509.load_pem_x509_certificate(ca.cert_pem.bytes(),
default_backend())
assert_is_ca(ca_cert)
assert ca_cert.issuer == ca_cert.subject
assert _path_length(ca_cert) == 9
child_ca = ca.create_child_ca()
child_ca_cert = x509.load_pem_x509_certificate(child_ca.cert_pem.bytes(),
default_backend())
assert_is_ca(child_ca_cert)
assert child_ca_cert.issuer == ca_cert.subject
assert _path_length(child_ca_cert) == 8
child_server = child_ca.issue_cert(u"test-host.example.org")
assert len(child_server.cert_chain_pems) == 2
child_server_cert = x509.load_pem_x509_certificate(
child_server.cert_chain_pems[0].bytes(), default_backend())
assert child_server_cert.issuer == child_ca_cert.subject
def check_connection_end_to_end(wrap_client, wrap_server):
# Client side
def fake_ssl_client(ca, raw_client_sock, hostname):
try:
wrapped_client_sock = wrap_client(ca, raw_client_sock, hostname)
# Send and receive some data to prove the connection is good
wrapped_client_sock.send(b"x")
assert wrapped_client_sock.recv(1) == b"y"
except: # pragma: no cover
sys.excepthook(*sys.exc_info())
raise
finally:
raw_client_sock.close()
# Server side
def fake_ssl_server(server_cert, raw_server_sock):
try:
wrapped_server_sock = wrap_server(server_cert, raw_server_sock)
# Prove that we're connected
assert wrapped_server_sock.recv(1) == b"x"
wrapped_server_sock.send(b"y")
except: # pragma: no cover
sys.excepthook(*sys.exc_info())
raise
finally:
raw_server_sock.close()
def doit(ca, hostname, server_cert):
# socketpair and ssl don't work together on py2, because... reasons.
# So we need to do this the hard way.
listener = socket.socket()
listener.bind(("127.0.0.1", 0))
listener.listen(1)
raw_client_sock = socket.socket()
raw_client_sock.connect(listener.getsockname())
raw_server_sock, _ = listener.accept()
listener.close()
with ThreadPoolExecutor(2) as tpe:
f1 = tpe.submit(fake_ssl_client, ca, raw_client_sock, hostname)
f2 = tpe.submit(fake_ssl_server, server_cert, raw_server_sock)
f1.result()
f2.result()
ca = CA()
intermediate_ca = ca.create_child_ca()
hostname = u"my-test-host.example.org"
# Should work
doit(ca, hostname, ca.issue_cert(hostname))
# Should work
doit(ca, hostname, intermediate_ca.issue_cert(hostname))
# To make sure that the above success actually required that the
# CA and cert logic is all working, make sure that the same code
# fails if the certs or CA aren't right:
# Bad hostname fails
with pytest.raises(Exception):
doit(ca, u"asdf.example.org", ca.issue_cert(hostname))
# Bad CA fails
bad_ca = CA()
with pytest.raises(Exception):
doit(bad_ca, hostname, ca.issue_cert(hostname))
