Mercurial > hg
annotate tests/test-url.py @ 13249:75d0c38a0bca stable
url: check subjectAltName when verifying ssl certificate
Now it verifies certificate in the same manner as py3k implementation:
http://svn.python.org/view/python/branches/py3k/Lib/ssl.py?view=markup#match_hostname
| author | Yuya Nishihara <yuya@tcha.org> |
|---|---|
| date | Sun, 09 Jan 2011 00:35:36 +0900 |
| parents | 00411a4fa1bb |
| children | 4e8f2310f310 |
| rev | line source |
|---|---|
|
12737
7adb1274a4f9
test-url: skip test when ssl module is unavailable
Augie Fackler <durin42@gmail.com>
parents:
12592
diff
changeset
|
1 import sys |
|
12592
f2937d6492c5
url: verify correctness of https server certificates (issue2407)
Mads Kiilerich <mads@kiilerich.com>
parents:
diff
changeset
|
2 |
|
f2937d6492c5
url: verify correctness of https server certificates (issue2407)
Mads Kiilerich <mads@kiilerich.com>
parents:
diff
changeset
|
3 def check(a, b): |
|
f2937d6492c5
url: verify correctness of https server certificates (issue2407)
Mads Kiilerich <mads@kiilerich.com>
parents:
diff
changeset
|
4 if a != b: |
|
f2937d6492c5
url: verify correctness of https server certificates (issue2407)
Mads Kiilerich <mads@kiilerich.com>
parents:
diff
changeset
|
5 print (a, b) |
|
f2937d6492c5
url: verify correctness of https server certificates (issue2407)
Mads Kiilerich <mads@kiilerich.com>
parents:
diff
changeset
|
6 |
|
12606
5c8353692123
test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents:
12592
diff
changeset
|
7 def cert(cn): |
|
5c8353692123
test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents:
12592
diff
changeset
|
8 return dict(subject=((('commonName', cn),),)) |
|
5c8353692123
test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents:
12592
diff
changeset
|
9 |
|
12592
f2937d6492c5
url: verify correctness of https server certificates (issue2407)
Mads Kiilerich <mads@kiilerich.com>
parents:
diff
changeset
|
10 from mercurial.url import _verifycert |
|
f2937d6492c5
url: verify correctness of https server certificates (issue2407)
Mads Kiilerich <mads@kiilerich.com>
parents:
diff
changeset
|
11 |
|
12724
66e7ba85585b
test-url: remove trailing whitespace
Augie Fackler <durin42@gmail.com>
parents:
12606
diff
changeset
|
12 # Test non-wildcard certificates |
|
12606
5c8353692123
test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents:
12592
diff
changeset
|
13 check(_verifycert(cert('example.com'), 'example.com'), |
|
5c8353692123
test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents:
12592
diff
changeset
|
14 None) |
|
5c8353692123
test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents:
12592
diff
changeset
|
15 check(_verifycert(cert('example.com'), 'www.example.com'), |
|
5c8353692123
test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents:
12592
diff
changeset
|
16 'certificate is for example.com') |
|
5c8353692123
test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents:
12592
diff
changeset
|
17 check(_verifycert(cert('www.example.com'), 'example.com'), |
|
5c8353692123
test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents:
12592
diff
changeset
|
18 'certificate is for www.example.com') |
|
12592
f2937d6492c5
url: verify correctness of https server certificates (issue2407)
Mads Kiilerich <mads@kiilerich.com>
parents:
diff
changeset
|
19 |
|
f2937d6492c5
url: verify correctness of https server certificates (issue2407)
Mads Kiilerich <mads@kiilerich.com>
parents:
diff
changeset
|
20 # Test wildcard certificates |
|
12606
5c8353692123
test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents:
12592
diff
changeset
|
21 check(_verifycert(cert('*.example.com'), 'www.example.com'), |
|
5c8353692123
test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents:
12592
diff
changeset
|
22 None) |
|
5c8353692123
test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents:
12592
diff
changeset
|
23 check(_verifycert(cert('*.example.com'), 'example.com'), |
|
5c8353692123
test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents:
12592
diff
changeset
|
24 'certificate is for *.example.com') |
|
5c8353692123
test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents:
12592
diff
changeset
|
25 check(_verifycert(cert('*.example.com'), 'w.w.example.com'), |
|
5c8353692123
test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents:
12592
diff
changeset
|
26 'certificate is for *.example.com') |
|
12592
f2937d6492c5
url: verify correctness of https server certificates (issue2407)
Mads Kiilerich <mads@kiilerich.com>
parents:
diff
changeset
|
27 |
|
13249
75d0c38a0bca
url: check subjectAltName when verifying ssl certificate
Yuya Nishihara <yuya@tcha.org>
parents:
13248
diff
changeset
|
28 # Test subjectAltName |
|
75d0c38a0bca
url: check subjectAltName when verifying ssl certificate
Yuya Nishihara <yuya@tcha.org>
parents:
13248
diff
changeset
|
29 san_cert = {'subject': ((('commonName', 'example.com'),),), |
|
75d0c38a0bca
url: check subjectAltName when verifying ssl certificate
Yuya Nishihara <yuya@tcha.org>
parents:
13248
diff
changeset
|
30 'subjectAltName': (('DNS', '*.example.net'), |
|
75d0c38a0bca
url: check subjectAltName when verifying ssl certificate
Yuya Nishihara <yuya@tcha.org>
parents:
13248
diff
changeset
|
31 ('DNS', 'example.net'))} |
|
75d0c38a0bca
url: check subjectAltName when verifying ssl certificate
Yuya Nishihara <yuya@tcha.org>
parents:
13248
diff
changeset
|
32 check(_verifycert(san_cert, 'example.net'), |
|
75d0c38a0bca
url: check subjectAltName when verifying ssl certificate
Yuya Nishihara <yuya@tcha.org>
parents:
13248
diff
changeset
|
33 None) |
|
75d0c38a0bca
url: check subjectAltName when verifying ssl certificate
Yuya Nishihara <yuya@tcha.org>
parents:
13248
diff
changeset
|
34 check(_verifycert(san_cert, 'foo.example.net'), |
|
75d0c38a0bca
url: check subjectAltName when verifying ssl certificate
Yuya Nishihara <yuya@tcha.org>
parents:
13248
diff
changeset
|
35 None) |
|
75d0c38a0bca
url: check subjectAltName when verifying ssl certificate
Yuya Nishihara <yuya@tcha.org>
parents:
13248
diff
changeset
|
36 # subject is only checked when subjectAltName is empty |
|
75d0c38a0bca
url: check subjectAltName when verifying ssl certificate
Yuya Nishihara <yuya@tcha.org>
parents:
13248
diff
changeset
|
37 check(_verifycert(san_cert, 'example.com'), |
|
75d0c38a0bca
url: check subjectAltName when verifying ssl certificate
Yuya Nishihara <yuya@tcha.org>
parents:
13248
diff
changeset
|
38 'certificate is for *.example.net, example.net') |
|
75d0c38a0bca
url: check subjectAltName when verifying ssl certificate
Yuya Nishihara <yuya@tcha.org>
parents:
13248
diff
changeset
|
39 |
|
12592
f2937d6492c5
url: verify correctness of https server certificates (issue2407)
Mads Kiilerich <mads@kiilerich.com>
parents:
diff
changeset
|
40 # Avoid some pitfalls |
|
12606
5c8353692123
test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents:
12592
diff
changeset
|
41 check(_verifycert(cert('*.foo'), 'foo'), |
|
5c8353692123
test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents:
12592
diff
changeset
|
42 'certificate is for *.foo') |
|
5c8353692123
test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents:
12592
diff
changeset
|
43 check(_verifycert(cert('*o'), 'foo'), |
|
5c8353692123
test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents:
12592
diff
changeset
|
44 'certificate is for *o') |
|
12592
f2937d6492c5
url: verify correctness of https server certificates (issue2407)
Mads Kiilerich <mads@kiilerich.com>
parents:
diff
changeset
|
45 |
|
12742
6ab4a7d3c179
url: validity (notBefore/notAfter) is checked by OpenSSL (issue2407)
Mads Kiilerich <mads@kiilerich.com>
parents:
12738
diff
changeset
|
46 check(_verifycert({'subject': ()}, |
|
12606
5c8353692123
test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents:
12592
diff
changeset
|
47 'example.com'), |
|
13249
75d0c38a0bca
url: check subjectAltName when verifying ssl certificate
Yuya Nishihara <yuya@tcha.org>
parents:
13248
diff
changeset
|
48 'no commonName or subjectAltName found in certificate') |
|
12592
f2937d6492c5
url: verify correctness of https server certificates (issue2407)
Mads Kiilerich <mads@kiilerich.com>
parents:
diff
changeset
|
49 check(_verifycert(None, 'example.com'), |
|
12606
5c8353692123
test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents:
12592
diff
changeset
|
50 'no certificate received') |
|
13248
00411a4fa1bb
url: fix UnicodeDecodeError on certificate verification error
Yuya Nishihara <yuya@tcha.org>
parents:
12865
diff
changeset
|
51 |
|
00411a4fa1bb
url: fix UnicodeDecodeError on certificate verification error
Yuya Nishihara <yuya@tcha.org>
parents:
12865
diff
changeset
|
52 # Unicode (IDN) certname isn't supported |
|
00411a4fa1bb
url: fix UnicodeDecodeError on certificate verification error
Yuya Nishihara <yuya@tcha.org>
parents:
12865
diff
changeset
|
53 check(_verifycert(cert(u'\u4f8b.jp'), 'example.jp'), |
|
00411a4fa1bb
url: fix UnicodeDecodeError on certificate verification error
Yuya Nishihara <yuya@tcha.org>
parents:
12865
diff
changeset
|
54 'IDN in certificate not supported') |