mitmproxy/test/test_certutils.py

import os
from netlib import certutils, certffi
import OpenSSL
import tutils

class TestDNTree:
    def test_simple(self):
        d = certutils.DNTree()
        d.add("foo.com", "foo")
        d.add("bar.com", "bar")
        assert d.get("foo.com") == "foo"
        assert d.get("bar.com") == "bar"
        assert not d.get("oink.com")
        assert not d.get("oink")
        assert not d.get("")
        assert not d.get("oink.oink")

        d.add("*.match.org", "match")
        assert not d.get("match.org")
        assert d.get("foo.match.org") == "match"
        assert d.get("foo.foo.match.org") == "match"

    def test_wildcard(self):
        d = certutils.DNTree()
        d.add("foo.com", "foo")
        assert not d.get("*.foo.com")
        d.add("*.foo.com", "wild")

        d = certutils.DNTree()
        d.add("*", "foo")
        assert d.get("foo.com") == "foo"
        assert d.get("*.foo.com") == "foo"
        assert d.get("com") == "foo"


class TestCertStore:
    def test_create_explicit(self):
        with tutils.tmpdir() as d:
            ca = certutils.CertStore.from_store(d, "test")
            assert ca.get_cert("foo", [])

            ca2 = certutils.CertStore.from_store(d, "test")
            assert ca2.get_cert("foo", [])

            assert ca.cacert.get_serial_number() == ca2.cacert.get_serial_number()

    def test_create_tmp(self):
        with tutils.tmpdir() as d:
            ca = certutils.CertStore.from_store(d, "test")
            assert ca.get_cert("foo.com", [])
            assert ca.get_cert("foo.com", [])
            assert ca.get_cert("*.foo.com", [])

            r = ca.get_cert("*.foo.com", [])
            assert r[1] == ca.privkey

    def test_add_cert(self):
        with tutils.tmpdir() as d:
            ca = certutils.CertStore.from_store(d, "test")

    def test_sans(self):
        with tutils.tmpdir() as d:
            ca = certutils.CertStore.from_store(d, "test")
            c1 = ca.get_cert("foo.com", ["*.bar.com"])
            c2 = ca.get_cert("foo.bar.com", [])
            assert c1 == c2
            c3 = ca.get_cert("bar.com", [])
            assert not c1 == c3

    def test_overrides(self):
        with tutils.tmpdir() as d:
            ca1 = certutils.CertStore.from_store(os.path.join(d, "ca1"), "test")
            ca2 = certutils.CertStore.from_store(os.path.join(d, "ca2"), "test")
            assert not ca1.cacert.get_serial_number() == ca2.cacert.get_serial_number()

            dc = ca2.get_cert("foo.com", [])
            dcp = os.path.join(d, "dc")
            f = open(dcp, "wb")
            f.write(dc[0].to_pem())
            f.close()
            ca1.add_cert_file("foo.com", dcp)

            ret = ca1.get_cert("foo.com", [])
            assert ret[0].serial == dc[0].serial

    def test_gen_pkey(self):
        try:
            with tutils.tmpdir() as d:
                ca1 = certutils.CertStore.from_store(os.path.join(d, "ca1"), "test")
                ca2 = certutils.CertStore.from_store(os.path.join(d, "ca2"), "test")
                cert = ca1.get_cert("foo.com", [])
                assert certffi.get_flags(ca2.gen_pkey(cert[0])) == 1
        finally:
            certffi.set_flags(ca2.privkey, 0)


class TestDummyCert:
    def test_with_ca(self):
        with tutils.tmpdir() as d:
            ca = certutils.CertStore.from_store(d, "test")
            r = certutils.dummy_cert(
                ca.privkey,
                ca.cacert,
                "foo.com",
                ["one.com", "two.com", "*.three.com"]
            )
            assert r.cn == "foo.com"


class TestSSLCert:
    def test_simple(self):
        c = certutils.SSLCert.from_pem(file(tutils.test_data.path("data/text_cert"), "rb").read())
        assert c.cn == "google.com"
        assert len(c.altnames) == 436

        c = certutils.SSLCert.from_pem(file(tutils.test_data.path("data/text_cert_2"), "rb").read())
        assert c.cn == "www.inode.co.nz"
        assert len(c.altnames) == 2
        assert c.digest("sha1")
        assert c.notbefore
        assert c.notafter
        assert c.subject
        assert c.keyinfo == ("RSA", 2048)
        assert c.serial
        assert c.issuer
        assert c.to_pem()
        c.has_expired

    def test_err_broken_sans(self):
        c = certutils.SSLCert.from_pem(file(tutils.test_data.path("data/text_cert_weird1"), "rb").read())
        # This breaks unless we ignore a decoding error.
        c.altnames

    def test_der(self):
        d = file(tutils.test_data.path("data/dercert"),"rb").read()
        s = certutils.SSLCert.from_der(d)
        assert s.cn
Add certutils to netlib. 2012-06-27 04:42:00 +00:00			`import os`
Certificate flags 2014-03-10 04:29:27 +00:00			`from netlib import certutils, certffi`
Much more sophisticated certificate store - Handle wildcard lookup - Handle lookup of SANs - Provide hooks for registering override certs and keys for specific domains (including wildcard specifications) 2014-03-05 00:19:16 +00:00			`import OpenSSL`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00			`import tutils`

Much more sophisticated certificate store - Handle wildcard lookup - Handle lookup of SANs - Provide hooks for registering override certs and keys for specific domains (including wildcard specifications) 2014-03-05 00:19:16 +00:00			`class TestDNTree:`
			`def test_simple(self):`
			`d = certutils.DNTree()`
			`d.add("foo.com", "foo")`
			`d.add("bar.com", "bar")`
			`assert d.get("foo.com") == "foo"`
			`assert d.get("bar.com") == "bar"`
			`assert not d.get("oink.com")`
			`assert not d.get("oink")`
			`assert not d.get("")`
			`assert not d.get("oink.oink")`

			`d.add("*.match.org", "match")`
			`assert not d.get("match.org")`
			`assert d.get("foo.match.org") == "match"`
			`assert d.get("foo.foo.match.org") == "match"`

			`def test_wildcard(self):`
			`d = certutils.DNTree()`
			`d.add("foo.com", "foo")`
			`assert not d.get("*.foo.com")`
			`d.add("*.foo.com", "wild")`

			`d = certutils.DNTree()`
			`d.add("*", "foo")`
			`assert d.get("foo.com") == "foo"`
			`assert d.get("*.foo.com") == "foo"`
			`assert d.get("com") == "foo"`

Add certutils to netlib. 2012-06-27 04:42:00 +00:00
Basic certificate store implementation and cert utils API cleanup. 2013-01-05 12:15:53 +00:00			`class TestCertStore:`
			`def test_create_explicit(self):`
			`with tutils.tmpdir() as d:`
Beef up CertStore, add DH params. 2014-03-04 01:12:58 +00:00			`ca = certutils.CertStore.from_store(d, "test")`
			`assert ca.get_cert("foo", [])`

			`ca2 = certutils.CertStore.from_store(d, "test")`
			`assert ca2.get_cert("foo", [])`

Much more sophisticated certificate store - Handle wildcard lookup - Handle lookup of SANs - Provide hooks for registering override certs and keys for specific domains (including wildcard specifications) 2014-03-05 00:19:16 +00:00			`assert ca.cacert.get_serial_number() == ca2.cacert.get_serial_number()`
Basic certificate store implementation and cert utils API cleanup. 2013-01-05 12:15:53 +00:00
			`def test_create_tmp(self):`
			`with tutils.tmpdir() as d:`
Beef up CertStore, add DH params. 2014-03-04 01:12:58 +00:00			`ca = certutils.CertStore.from_store(d, "test")`
			`assert ca.get_cert("foo.com", [])`
			`assert ca.get_cert("foo.com", [])`
			`assert ca.get_cert("*.foo.com", [])`
Basic certificate store implementation and cert utils API cleanup. 2013-01-05 12:15:53 +00:00
Much more sophisticated certificate store - Handle wildcard lookup - Handle lookup of SANs - Provide hooks for registering override certs and keys for specific domains (including wildcard specifications) 2014-03-05 00:19:16 +00:00			`r = ca.get_cert("*.foo.com", [])`
			`assert r[1] == ca.privkey`

			`def test_add_cert(self):`
			`with tutils.tmpdir() as d:`
			`ca = certutils.CertStore.from_store(d, "test")`

			`def test_sans(self):`
			`with tutils.tmpdir() as d:`
			`ca = certutils.CertStore.from_store(d, "test")`
			`c1 = ca.get_cert("foo.com", ["*.bar.com"])`
			`c2 = ca.get_cert("foo.bar.com", [])`
			`assert c1 == c2`
			`c3 = ca.get_cert("bar.com", [])`
			`assert not c1 == c3`

			`def test_overrides(self):`
			`with tutils.tmpdir() as d:`
			`ca1 = certutils.CertStore.from_store(os.path.join(d, "ca1"), "test")`
			`ca2 = certutils.CertStore.from_store(os.path.join(d, "ca2"), "test")`
			`assert not ca1.cacert.get_serial_number() == ca2.cacert.get_serial_number()`

			`dc = ca2.get_cert("foo.com", [])`
			`dcp = os.path.join(d, "dc")`
			`f = open(dcp, "wb")`
			`f.write(dc[0].to_pem())`
			`f.close()`
			`ca1.add_cert_file("foo.com", dcp)`

			`ret = ca1.get_cert("foo.com", [])`
			`assert ret[0].serial == dc[0].serial`

Certificate flags 2014-03-10 04:29:27 +00:00			`def test_gen_pkey(self):`
			`try:`
			`with tutils.tmpdir() as d:`
			`ca1 = certutils.CertStore.from_store(os.path.join(d, "ca1"), "test")`
			`ca2 = certutils.CertStore.from_store(os.path.join(d, "ca2"), "test")`
			`cert = ca1.get_cert("foo.com", [])`
			`assert certffi.get_flags(ca2.gen_pkey(cert[0])) == 1`
			`finally:`
			`certffi.set_flags(ca2.privkey, 0)`

Basic certificate store implementation and cert utils API cleanup. 2013-01-05 12:15:53 +00:00
Add certutils to netlib. 2012-06-27 04:42:00 +00:00			`class TestDummyCert:`
			`def test_with_ca(self):`
			`with tutils.tmpdir() as d:`
Beef up CertStore, add DH params. 2014-03-04 01:12:58 +00:00			`ca = certutils.CertStore.from_store(d, "test")`
Revamp dummy cert generation. We no longer use on-disk storage - we just keep the certs in memory. 2013-08-12 04:03:29 +00:00			`r = certutils.dummy_cert(`
Much more sophisticated certificate store - Handle wildcard lookup - Handle lookup of SANs - Provide hooks for registering override certs and keys for specific domains (including wildcard specifications) 2014-03-05 00:19:16 +00:00			`ca.privkey,`
			`ca.cacert,`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00			`"foo.com",`
			`["one.com", "two.com", "*.three.com"]`
			`)`
Revamp dummy cert generation. We no longer use on-disk storage - we just keep the certs in memory. 2013-08-12 04:03:29 +00:00			`assert r.cn == "foo.com"`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00

			`class TestSSLCert:`
			`def test_simple(self):`
always read files in binary mode 2013-06-15 22:28:21 +00:00			`c = certutils.SSLCert.from_pem(file(tutils.test_data.path("data/text_cert"), "rb").read())`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00			`assert c.cn == "google.com"`
			`assert len(c.altnames) == 436`

always read files in binary mode 2013-06-15 22:28:21 +00:00			`c = certutils.SSLCert.from_pem(file(tutils.test_data.path("data/text_cert_2"), "rb").read())`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00			`assert c.cn == "www.inode.co.nz"`
			`assert len(c.altnames) == 2`
			`assert c.digest("sha1")`
			`assert c.notbefore`
			`assert c.notafter`
			`assert c.subject`
			`assert c.keyinfo == ("RSA", 2048)`
			`assert c.serial`
			`assert c.issuer`
Add utility function for converstion to PEM. 2012-06-28 02:56:21 +00:00			`assert c.to_pem()`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00			`c.has_expired`

Ignore SAN entries that we don't understand. 2012-07-24 02:55:54 +00:00			`def test_err_broken_sans(self):`
always read files in binary mode 2013-06-15 22:28:21 +00:00			`c = certutils.SSLCert.from_pem(file(tutils.test_data.path("data/text_cert_weird1"), "rb").read())`
Ignore SAN entries that we don't understand. 2012-07-24 02:55:54 +00:00			`# This breaks unless we ignore a decoding error.`
			`c.altnames`

Add certutils to netlib. 2012-06-27 04:42:00 +00:00			`def test_der(self):`
always read files in binary mode 2013-06-15 22:28:21 +00:00			`d = file(tutils.test_data.path("data/dercert"),"rb").read()`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00			`s = certutils.SSLCert.from_der(d)`
			`assert s.cn`
Certificate flags 2014-03-10 04:29:27 +00:00