
Commit 3da945d

committed
added ssl test_verify_mode
1 parent 39b7ade commit 3da945d


3 files changed

+257
-14
lines changed

Lines changed: 106 additions & 0 deletions
@@ -0,0 +1,106 @@
1+
-----BEGIN PRIVATE KEY-----
2+
MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDBL2Y5JfpzbgHw+t4Q+
3+
c5SHhsZcD9ylEtUMg7OyF9xW6j+3VIVORGaokcOtE0Z2Y5ehZANiAASzz/rInKUz
4+
onpxP5bLxmq8fmrtgRSS0jRPUOU16XKX+KtifnLbmLHQtPrctdkRRROCxnURz2fB
5+
ihQTJkXyBMSswNTRCs+4DUKbMAfihigMVYgdWbZPFBDleo5aeFw4/FM=
6+
-----END PRIVATE KEY-----
7+
Certificate:
8+
Data:
9+
Version: 3 (0x2)
10+
Serial Number:
11+
cb:2d:80:99:5a:69:52:5e
12+
Signature Algorithm: sha256WithRSAEncryption
13+
Issuer: C=XY, O=Python Software Foundation CA, CN=our-ca-server
14+
Validity
15+
Not Before: Aug 29 14:23:16 2018 GMT
16+
Not After : Jul 7 14:23:16 2028 GMT
17+
Subject: C=XY, L=Castle Anthrax, O=Python Software Foundation, CN=localhost-ecc
18+
Subject Public Key Info:
19+
Public Key Algorithm: id-ecPublicKey
20+
Public-Key: (384 bit)
21+
pub:
22+
04:b3:cf:fa:c8:9c:a5:33:a2:7a:71:3f:96:cb:c6:
23+
6a:bc:7e:6a:ed:81:14:92:d2:34:4f:50:e5:35:e9:
24+
72:97:f8:ab:62:7e:72:db:98:b1:d0:b4:fa:dc:b5:
25+
d9:11:45:13:82:c6:75:11:cf:67:c1:8a:14:13:26:
26+
45:f2:04:c4:ac:c0:d4:d1:0a:cf:b8:0d:42:9b:30:
27+
07:e2:86:28:0c:55:88:1d:59:b6:4f:14:10:e5:7a:
28+
8e:5a:78:5c:38:fc:53
29+
ASN1 OID: secp384r1
30+
NIST CURVE: P-384
31+
X509v3 extensions:
32+
X509v3 Subject Alternative Name:
33+
DNS:localhost-ecc
34+
X509v3 Key Usage: critical
35+
Digital Signature, Key Encipherment
36+
X509v3 Extended Key Usage:
37+
TLS Web Server Authentication, TLS Web Client Authentication
38+
X509v3 Basic Constraints: critical
39+
CA:FALSE
40+
X509v3 Subject Key Identifier:
41+
C6:82:22:BF:4F:3D:40:AD:9B:16:AD:E7:C5:ED:C4:82:EB:35:97:98
42+
X509v3 Authority Key Identifier:
43+
keyid:DD:BF:CA:DA:E6:D1:34:BA:37:75:21:CA:6F:9A:08:28:F2:35:B6:48
44+
DirName:/C=XY/O=Python Software Foundation CA/CN=our-ca-server
45+
serial:CB:2D:80:99:5A:69:52:5B
46+
47+
Authority Information Access:
48+
CA Issuers - URI:http://testca.pythontest.net/testca/pycacert.cer
49+
OCSP - URI:http://testca.pythontest.net/testca/ocsp/
50+
51+
X509v3 CRL Distribution Points:
52+
53+
Full Name:
54+
URI:http://testca.pythontest.net/testca/revocation.crl
55+
56+
Signature Algorithm: sha256WithRSAEncryption
57+
76:e3:19:4d:34:78:50:3e:fa:63:53:d6:3f:01:87:e8:f4:a3:
58+
a9:81:5b:31:d6:de:3a:98:f3:bb:70:4d:29:35:1f:b0:6a:b3:
59+
9d:bf:03:2b:79:c4:f2:0b:32:f8:fc:f6:cb:13:47:28:81:fa:
60+
96:b3:1a:1d:bd:4b:f6:35:df:87:ef:6e:74:63:87:3d:7e:2b:
61+
c6:78:d4:8e:ef:03:e6:01:11:22:4e:1b:ef:2c:c1:c5:4e:3f:
62+
4a:07:ae:92:ef:d3:ac:79:59:7c:60:89:4b:3d:39:08:ef:c4:
63+
9a:dc:b0:8b:ee:5f:30:40:d3:c2:f3:f8:90:77:9d:8c:a7:07:
64+
b9:5f:62:83:4d:37:fa:36:e1:1d:26:2b:cc:8f:7c:6f:f1:23:
65+
87:71:48:40:ad:6b:30:16:47:4c:d7:98:bb:f5:9b:63:c8:66:
66+
47:65:58:d2:c1:07:81:14:0c:25:20:87:b9:1d:ab:0b:56:db:
67+
2c:ab:36:db:7f:c7:42:52:af:91:d6:fb:18:cf:94:f7:1e:25:
68+
99:ce:20:78:c6:f8:69:6e:9c:53:f3:fe:90:3e:4d:ca:d5:d6:
69+
ac:6e:02:17:be:4a:0f:fe:e6:14:d4:ce:25:df:17:8f:6f:b9:
70+
d3:28:dc:b4:98:ef:05:6f:eb:20:14:1c:c1:e9:9d:02:7b:0e:
71+
0f:e4:a8:bc:3b:62:e0:42:0c:b0:f7:a1:63:fe:98:d7:aa:b0:
72+
f6:ed:ff:ab:4f:1a:9a:8f:eb:f0:86:61:d2:d3:a5:08:d0:db:
73+
e4:d6:a9:0e:ec:08:6f:af:fb:ef:73:3f:47:69:97:90:b2:5a:
74+
6f:31:66:a7:4c:32:0c:e9:ea:18:ce:a9:79:9c:f5:c4:42:f5:
75+
68:53:b2:a4:8c:98:3f:97:34:62:61:41:0a:54:d7:0b:cd:33:
76+
c8:62:62:da:f7:07:c6:c6:3b:fa:68:ca:5f:62:3e:57:db:bd:
77+
cb:16:94:07:9a:b5:31:55:b8:f8:cb:b0:7f:a0:d1:82:df:71:
78+
c8:90:60:b3:88:b0
79+
-----BEGIN CERTIFICATE-----
80+
MIIEyzCCAzOgAwIBAgIJAMstgJlaaVJeMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNV
81+
BAYTAlhZMSYwJAYDVQQKDB1QeXRob24gU29mdHdhcmUgRm91bmRhdGlvbiBDQTEW
82+
MBQGA1UEAwwNb3VyLWNhLXNlcnZlcjAeFw0xODA4MjkxNDIzMTZaFw0yODA3MDcx
83+
NDIzMTZaMGMxCzAJBgNVBAYTAlhZMRcwFQYDVQQHDA5DYXN0bGUgQW50aHJheDEj
84+
MCEGA1UECgwaUHl0aG9uIFNvZnR3YXJlIEZvdW5kYXRpb24xFjAUBgNVBAMMDWxv
85+
Y2FsaG9zdC1lY2MwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASzz/rInKUzonpxP5bL
86+
xmq8fmrtgRSS0jRPUOU16XKX+KtifnLbmLHQtPrctdkRRROCxnURz2fBihQTJkXy
87+
BMSswNTRCs+4DUKbMAfihigMVYgdWbZPFBDleo5aeFw4/FOjggHEMIIBwDAYBgNV
88+
HREEETAPgg1sb2NhbGhvc3QtZWNjMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAU
89+
BggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUxoIi
90+
v089QK2bFq3nxe3Egus1l5gwfQYDVR0jBHYwdIAU3b/K2ubRNLo3dSHKb5oIKPI1
91+
tkihUaRPME0xCzAJBgNVBAYTAlhZMSYwJAYDVQQKDB1QeXRob24gU29mdHdhcmUg
92+
Rm91bmRhdGlvbiBDQTEWMBQGA1UEAwwNb3VyLWNhLXNlcnZlcoIJAMstgJlaaVJb
93+
MIGDBggrBgEFBQcBAQR3MHUwPAYIKwYBBQUHMAKGMGh0dHA6Ly90ZXN0Y2EucHl0
94+
aG9udGVzdC5uZXQvdGVzdGNhL3B5Y2FjZXJ0LmNlcjA1BggrBgEFBQcwAYYpaHR0
95+
cDovL3Rlc3RjYS5weXRob250ZXN0Lm5ldC90ZXN0Y2Evb2NzcC8wQwYDVR0fBDww
96+
OjA4oDagNIYyaHR0cDovL3Rlc3RjYS5weXRob250ZXN0Lm5ldC90ZXN0Y2EvcmV2
97+
b2NhdGlvbi5jcmwwDQYJKoZIhvcNAQELBQADggGBAHbjGU00eFA++mNT1j8Bh+j0
98+
o6mBWzHW3jqY87twTSk1H7Bqs52/Ayt5xPILMvj89ssTRyiB+pazGh29S/Y134fv
99+
bnRjhz1+K8Z41I7vA+YBESJOG+8swcVOP0oHrpLv06x5WXxgiUs9OQjvxJrcsIvu
100+
XzBA08Lz+JB3nYynB7lfYoNNN/o24R0mK8yPfG/xI4dxSECtazAWR0zXmLv1m2PI
101+
ZkdlWNLBB4EUDCUgh7kdqwtW2yyrNtt/x0JSr5HW+xjPlPceJZnOIHjG+GlunFPz
102+
/pA+TcrV1qxuAhe+Sg/+5hTUziXfF49vudMo3LSY7wVv6yAUHMHpnQJ7Dg/kqLw7
103+
YuBCDLD3oWP+mNeqsPbt/6tPGpqP6/CGYdLTpQjQ2+TWqQ7sCG+v++9zP0dpl5Cy
104+
Wm8xZqdMMgzp6hjOqXmc9cRC9WhTsqSMmD+XNGJhQQpU1wvNM8hiYtr3B8bGO/po
105+
yl9iPlfbvcsWlAeatTFVuPjLsH+g0YLfcciQYLOIsA==
106+
-----END CERTIFICATE-----
Lines changed: 26 additions & 0 deletions
@@ -0,0 +1,26 @@
1+
-----BEGIN CERTIFICATE-----
2+
MIIEbTCCAtWgAwIBAgIJAMstgJlaaVJbMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNV
3+
BAYTAlhZMSYwJAYDVQQKDB1QeXRob24gU29mdHdhcmUgRm91bmRhdGlvbiBDQTEW
4+
MBQGA1UEAwwNb3VyLWNhLXNlcnZlcjAeFw0xODA4MjkxNDIzMTZaFw0yODA4MjYx
5+
NDIzMTZaME0xCzAJBgNVBAYTAlhZMSYwJAYDVQQKDB1QeXRob24gU29mdHdhcmUg
6+
Rm91bmRhdGlvbiBDQTEWMBQGA1UEAwwNb3VyLWNhLXNlcnZlcjCCAaIwDQYJKoZI
7+
hvcNAQEBBQADggGPADCCAYoCggGBAJftVUG6NheV23Ec0+FhrFhz48aWzysfuAj1
8+
nUtLxzD2uAuzUnKgu8lNO47fIo4BV4HJknPMAMbscLA6F0DB3/KMNkzEp4HntiRo
9+
4qB+NQcvoFv5RUb3HvBGEf7KGjxQ8SapX5winPhB4d9PEpUZL1yQARdufj59z+kJ
10+
ryX4+EJ3LW1fNvJ4Hn1Kh2hjbAZxG436Jf7U0/WlF7Hv6hfLVMgnmYDLPEXxLFIc
11+
3R9RRSBQHl6rV3MbQXiW3oSket2PMIU2WHl2oNJhyBuplJljxu74FL+0UlYxl/rr
12+
rFOelc5MxFpKt8oDJ1s1V84C3OzKafiKWjnLFiAVAyRhbPR6/LZI5VkQXEnQI5/7
13+
cV466WifNHKAJ7Y/TLHZ22N/Z2hKbhH46MD0WhY5Uwto3nf6Ref4kc14zSiUl3FU
14+
+8/wN97JJsXcG56JbQmsyERxy23xlzHVTCAzv3VKoODcaRHtKrRkEBEwiw6wpxDY
15+
isWqG8gmiiXnZp+lahovfF+DxnhPHwIDAQABo1AwTjAdBgNVHQ4EFgQU3b/K2ubR
16+
NLo3dSHKb5oIKPI1tkgwHwYDVR0jBBgwFoAU3b/K2ubRNLo3dSHKb5oIKPI1tkgw
17+
DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAYEAM2pU02vA1wFfnfQFwZNm
18+
kFDQtxjpsB5KoLbadpOvhNutFVQxFRPk3n5ODNUJHDQ1tuVM1m9lfTJf6/ypawf3
19+
SYLlgX4HgJpj+CzDQLyP1CraPtHuCLdNp4TK9D+hmEW+sQVp59/Xmasb7oswzPf8
20+
59QLF66Xv+R7/Q+ntIV541niFoe/HylFLCOTdr7Ahx3e7CtCauW7yPQKSggKjFzY
21+
fU3RuL/V9yntktGUBOg1Bld/LCOXh6U1jSbTGkfyFtfZxtQfI0PTJpk5yiD0cSNv
22+
DEp2dvd2H7P+v0ew/CpWgeHS3e4I2PT/WtwlYYqRArmGHPJQc3YlNfy2JSYVy+vE
23+
K2EMHOfuLxeb7PDUoYTn0q/e5BskFKcBh+OrKVhGoNnACuCN11nTG/hUID54paXI
24+
T4sDxJaf7PtHz3YtjWU0J7/6rgEFivOSCt2JbJehx+dgUees60t9LLhlyf5dakhV
25+
juTH+WpA4bhkRem1WSmlX899WH1keeWkCawedmU9lMRo
26+
-----END CERTIFICATE-----

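--- a/graalpython/com.oracle.graal.python.test/src/tests/test_ssl.py
+++ b/graalpython/com.oracle.graal.python.test/src/tests/test_ssl.py
@@ -217,21 +217,14 @@ def test_load_default_verify_paths(self):
             os.environ["SSL_CERT_FILE"] = certFile
         if certDir is not None:
             os.environ["SSL_CERT_DIR"] = certDir
-
-    def test_verify_error(self):
-        hostname = 'localhost'
-        SIGNED_CERTFILE = data_file("signed_cert.pem")
-
-        server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
-        server_context.load_cert_chain(SIGNED_CERTFILE)
-
-        context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
 
+    def check_handshake(self, server_context, client_context, err = None):
+        hostname = 'localhost'
         c_in = ssl.MemoryBIO()
         c_out = ssl.MemoryBIO()
         s_in = ssl.MemoryBIO()
         s_out = ssl.MemoryBIO()
-        client = context.wrap_bio(c_in, c_out, server_hostname=hostname)
+        client = client_context.wrap_bio(c_in, c_out, server_hostname=hostname)
         server = server_context.wrap_bio(s_in, s_out, server_side=True)
 
         try:
@@ -248,12 +241,130 @@ def test_verify_error(self):
                     pass
                 if s_out.pending:
                     c_in.write(s_out.read())
-        except ssl.SSLCertVerificationError as e:
-            self.assertIsNotNone(e.verify_code)
-            self.assertIsNotNone(e.verify_message)
+        except Exception as e:
+            if err is None:
+                assert False
+            else:
+                assert isinstance(e, err)
         else:
+            if err is not None:
                 assert False
-
+
+    def test_verify_mode(self):
+        signed_cert = data_file("signed_cert.pem")
+        signed_cert2 = data_file("keycertecc.pem")
+        signing_ca = data_file("signing_ca.pem")
+
+        ########################################################################
+        # verify_mode - client
+        ########################################################################
+
+        server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+        client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+
+        server_context.verify_mode = ssl.CERT_NONE
+
+        client_context.check_hostname = False
+
+        # no cert chain on server
+        # openssl SSLError: [SSL: NO_SHARED_CIPHER] / jdk javax.net.ssl.SSLHandshakeException: No available authentication scheme
+        client_context.verify_mode = ssl.CERT_NONE
+        self.check_handshake(server_context, client_context, ssl.SSLError)
+        client_context.verify_mode = ssl.CERT_REQUIRED
+        self.check_handshake(server_context, client_context, ssl.SSLError)
+        client_context.verify_mode = ssl.CERT_OPTIONAL
+        self.check_handshake(server_context, client_context, ssl.SSLError)
+
+        # server provides cert, but client has noverify locations
+        server_context.load_cert_chain(signed_cert)
+
+        client_context.verify_mode = ssl.CERT_NONE
+        self.check_handshake(server_context, client_context)
+        client_context.verify_mode = ssl.CERT_REQUIRED
+        self.check_handshake(server_context, client_context, ssl.SSLCertVerificationError)
+        client_context.verify_mode = ssl.CERT_OPTIONAL
+        # CERT_OPTIONAL in client mode has the same meaning as CERT_REQUIRED
+        self.check_handshake(server_context, client_context, ssl.SSLCertVerificationError)
+
+        client_context.check_hostname = True
+
+        with self.assertRaisesRegex(ValueError, "Cannot set verify_mode to CERT_NONE when check_hostname is enabled"):
+            client_context.verify_mode = ssl.CERT_NONE
+
+        client_context.verify_mode = ssl.CERT_REQUIRED
+        self.check_handshake(server_context, client_context, ssl.SSLCertVerificationError)
+
+        client_context.verify_mode = ssl.CERT_OPTIONAL
+        # CERT_OPTIONAL in client mode has the same meaning as CERT_REQUIRED
+        self.check_handshake(server_context, client_context, ssl.SSLCertVerificationError)
+
+        # client provides cert, server verifies
+        client_context.load_verify_locations(signing_ca)
+
+        client_context.verify_mode = ssl.CERT_REQUIRED
+        self.check_handshake(server_context, client_context)
+        client_context.verify_mode = ssl.CERT_OPTIONAL
+        self.check_handshake(server_context, client_context)
+
+        # server provides wrong cert for CERT_OPTIONAL client
+        server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+        server_context.load_cert_chain(signed_cert2)
+        self.check_handshake(server_context, client_context, ssl.SSLCertVerificationError)
+
+        ########################################################################
+        # verify_mode - server
+        ########################################################################
+
+        server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+        client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+
+        client_context.check_hostname = False
+        client_context.verify_mode = ssl.CERT_NONE
+
+        # no cert chain on server and client
+        # openssl SSLError: [SSL: NO_SHARED_CIPHER] / jdk javax.net.ssl.SSLHandshakeException: No available authentication scheme
+        server_context.verify_mode = ssl.CERT_NONE
+        self.check_handshake(server_context, client_context, ssl.SSLError)
+        server_context.verify_mode = ssl.CERT_REQUIRED
+        self.check_handshake(server_context, client_context, ssl.SSLError)
+        server_context.verify_mode = ssl.CERT_OPTIONAL
+        self.check_handshake(server_context, client_context, ssl.SSLError)
+
+        # no cert from client
+        server_context.load_cert_chain(signed_cert)
+
+        server_context.verify_mode = ssl.CERT_NONE
+        self.check_handshake(server_context, client_context)
+        server_context.verify_mode = ssl.CERT_REQUIRED
+        self.check_handshake(server_context, client_context, ssl.SSLError)
+        server_context.verify_mode = ssl.CERT_OPTIONAL
+        self.check_handshake(server_context, client_context)
+
+        # client provides cert, but server has nothing to verify with
+        client_context.load_cert_chain(signed_cert)
+
+        server_context.verify_mode = ssl.CERT_NONE
+        self.check_handshake(server_context, client_context)
+        server_context.verify_mode = ssl.CERT_REQUIRED
+        self.check_handshake(server_context, client_context, ssl.SSLError)
+        server_context.verify_mode = ssl.CERT_OPTIONAL
+        self.check_handshake(server_context, client_context, ssl.SSLCertVerificationError)
+
+        # client provides cert, server verifies
+        server_context.load_verify_locations(signing_ca)
+
+        server_context.verify_mode = ssl.CERT_NONE
+        self.check_handshake(server_context, client_context)
+        server_context.verify_mode = ssl.CERT_REQUIRED
+        self.check_handshake(server_context, client_context)
+        server_context.verify_mode = ssl.CERT_OPTIONAL
+        self.check_handshake(server_context, client_context)
+
+        # client provides wrong cert for CERT_OPTIONAL server
+        client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+        client_context.load_cert_chain(signed_cert2)
+        self.check_handshake(server_context, client_context, ssl.SSLCertVerificationError)
+
 def get_cipher_list(cipher_string):
     context = ssl.SSLContext()
     context.set_ciphers(cipher_string)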