1
# Copyright (C) 2011, 2012, 2013, 2016 Canonical Ltd
3
# This program is free software; you can redistribute it and/or modify
4
# it under the terms of the GNU General Public License as published by
5
# the Free Software Foundation; either version 2 of the License, or
6
# (at your option) any later version.
8
# This program is distributed in the hope that it will be useful,
9
# but WITHOUT ANY WARRANTY; without even the implied warranty of
10
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11
# GNU General Public License for more details.
13
# You should have received a copy of the GNU General Public License
14
# along with this program; if not, write to the Free Software
15
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17
"""Tests for the SSL support in the urllib HTTP transport.
29
from ..transport.http import _urllib2_wrappers
30
from ..transport.http._urllib2_wrappers import ssl
33
class CaCertsConfigTests(tests.TestCaseInTempDir):
35
def get_stack(self, content):
36
return config.MemoryStack(content.encode('utf-8'))
38
def test_default_exists(self):
39
"""Check that the default we provide exists for the tested platform."""
40
stack = self.get_stack("")
41
self.assertPathExists(stack.get('ssl.ca_certs'))
43
def test_specified(self):
44
self.build_tree(['cacerts.pem'])
45
path = os.path.join(self.test_dir, "cacerts.pem")
46
stack = self.get_stack("ssl.ca_certs = %s\n" % path)
47
self.assertEqual(path, stack.get('ssl.ca_certs'))
49
def test_specified_doesnt_exist(self):
50
stack = self.get_stack('')
51
# Disable the default value mechanism to force the behavior we want
52
self.overrideAttr(_urllib2_wrappers.opt_ssl_ca_certs, 'default',
53
os.path.join(self.test_dir, u"nonexisting.pem"))
57
self.warnings.append(args[0] % args[1:])
58
self.overrideAttr(trace, 'warning', warning)
59
self.assertEqual(None, stack.get('ssl.ca_certs'))
60
self.assertLength(1, self.warnings)
61
self.assertContainsRe(self.warnings[0],
62
"is not valid for \"ssl.ca_certs\"")
65
class CertReqsConfigTests(tests.TestCaseInTempDir):
67
def test_default(self):
68
stack = config.MemoryStack("")
69
self.assertEqual(ssl.CERT_REQUIRED, stack.get("ssl.cert_reqs"))
71
def test_from_string(self):
72
stack = config.MemoryStack("ssl.cert_reqs = none\n")
73
self.assertEqual(ssl.CERT_NONE, stack.get("ssl.cert_reqs"))
74
stack = config.MemoryStack("ssl.cert_reqs = required\n")
75
self.assertEqual(ssl.CERT_REQUIRED, stack.get("ssl.cert_reqs"))
76
stack = config.MemoryStack("ssl.cert_reqs = invalid\n")
77
self.assertRaises(config.ConfigOptionValueError, stack.get,
81
class MatchHostnameTests(tests.TestCase):
84
super(MatchHostnameTests, self).setUp()
85
if sys.version_info < (2, 7, 9):
86
raise tests.TestSkipped(
87
'python version too old to provide proper'
88
' https hostname verification')
90
def test_no_certificate(self):
91
self.assertRaises(ValueError,
92
ssl.match_hostname, {}, "example.com")
94
def test_wildcards_in_cert(self):
95
def ok(cert, hostname):
96
ssl.match_hostname(cert, hostname)
98
def not_ok(cert, hostname):
100
ssl.CertificateError,
101
ssl.match_hostname, cert, hostname)
103
# Python Issue #17980: avoid denials of service by refusing more than
104
# one wildcard per fragment.
105
ok({'subject': ((('commonName', 'a*b.com'),),)}, 'axxb.com')
106
not_ok({'subject': ((('commonName', 'a*b.co*'),),)}, 'axxb.com')
107
not_ok({'subject': ((('commonName', 'a*b*.com'),),)}, 'axxbxxc.com')
109
def test_no_valid_attributes(self):
110
self.assertRaises(ssl.CertificateError, ssl.match_hostname,
111
{"Problem": "Solved"}, "example.com")
113
def test_common_name(self):
114
cert = {'subject': ((('commonName', 'example.com'),),)}
116
ssl.match_hostname(cert, "example.com"))
117
self.assertRaises(ssl.CertificateError, ssl.match_hostname,