annotate tests/sslcerts/README @ 45095:8e04607023e5
procutil: ensure that procutil.std{out,err}.write() writes all bytes

Python 3 offers different kinds of streams and it’s not guaranteed for all of
them that calling write() writes all bytes.

When Python is started in unbuffered mode, sys.std{out,err}.buffer are
instances of io.FileIO, whose write() can write fewer bytes for
platform-specific reasons (e.g. Linux has a 0x7ffff000 bytes maximum and could
write less if interrupted by a signal; when writing to Windows consoles, it’s
limited to 32767 bytes to avoid the "not enough space" error). This can lead to
silent loss of data, both when using sys.std{out,err}.buffer (which may in fact
not be a buffered stream) and when using the text streams sys.std{out,err}
(I’ve created a CPython bug report for that:
https://bugs.python.org/issue41221).

Python may fix the problem at some point. For now, we implement our own wrapper
for procutil.std{out,err} that calls the raw stream’s write() method until all
bytes have been written. We don’t use sys.std{out,err} for larger writes, so I
think it’s not worth the effort to patch them.

author | Manuel Jacob <me@manueljacob.de> |
---|---|
date | Fri, 10 Jul 2020 12:27:58 +0200 |
parents | 43f3c0df2fab |
children |

rev | changeset | description | author | parents |
---|---|---|---|---|
29331 | 1e02d9576194 | tests: extract SSL certificates from test-https.t | Yuya Nishihara <yuya@tcha.org> | |
29526 | 9d02bed8477b | tests: regenerate x509 test certificates | Gregory Szorc <gregory.szorc@gmail.com> | 29331 |
29579 | 43f3c0df2fab | tests: update test certificate generation instructions | Gregory Szorc <gregory.szorc@gmail.com> | 29526 |

rev: line source

```
29526: Generate a private key (priv.pem):
29526:
29526:   $ openssl genrsa -out priv.pem 2048
29526:
29526: Generate 2 self-signed certificates from this key (pub.pem, pub-other.pem):
29526:
29579:   $ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \
29579:     -out pub.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'
29579:   $ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \
29579:     -out pub-other.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'
29331:
29526: Now generate an expired certificate by turning back the system time:
29526:
29579:   $ faketime 2016-01-01T00:00:00Z \
29579:     openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \
29579:     -out pub-expired.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'
29331:
29526: Generate a certificate not yet active by advancing the system time:
29526:
29579:   $ faketime 2030-01-1T00:00:00Z \
29579:     openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \
29579:     -out pub-not-yet.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'
29526:
29526: Generate a passphrase protected client certificate private key:
29526:
29526:   $ openssl genrsa -aes256 -passout pass:1234 -out client-key.pem 2048
29526:
29526: Create a copy of the private key without a passphrase:
29526:
29526:   $ openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem
29331:
29526: Create a CSR and sign the key using the server keypair:
29526:
29526:   $ printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \
29526:     openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem
29526:   $ openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \
29526:     -set_serial 01 -out client-cert.pem
29331:
29526: When replacing the certificates, references to certificate fingerprints will
29526: need to be updated in test files.
29526:
29526: Fingerprints for certs can be obtained by running:
29526:
29526:   $ openssl x509 -in pub.pem -noout -sha1 -fingerprint
29526:   $ openssl x509 -in pub.pem -noout -sha256 -fingerprint
```
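
The README's last step (updating fingerprint references after regenerating the certificates) can be scripted. The following is an added example, not part of the Mercurial repository: it computes the SHA-1 and SHA-256 fingerprints over the certificate's DER bytes, in the colon-separated hex form that `openssl x509 -fingerprint` prints, and rewrites stale references in a test file's text. The function names, the stand-in certificate bytes and the sample test text are assumptions constructed for illustration.

```python
import base64, hashlib, re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Decode the first CERTIFICATE block; the fingerprint covers these DER bytes."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint(pem_text, algo="sha256"):
    """Colon-separated upper-case hex digest of the DER encoding."""
    digest = hashlib.new(algo, pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def update_references(text, old_pem, new_pem):
    """Replace every SHA-1/SHA-256 fingerprint of old_pem found in text.

    Matching ignores case; a lower-case reference stays lower-case.
    Returns (new_text, number_of_replacements).
    """
    total = 0
    for algo in ("sha1", "sha256"):
        old, new = fingerprint(old_pem, algo), fingerprint(new_pem, algo)
        def swap(m, new=new):
            return new.lower() if m.group(0).islower() else new
        text, n = re.subn(re.escape(old), swap, text, flags=re.I)
        total += n
    return text, total

def to_pem(der):
    """Wrap raw bytes as a PEM CERTIFICATE block (used for the sample data only)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

# Constructed stand-ins: arbitrary bytes in place of real DER certificates.
OLD_PEM = to_pem(b"constructed stand-in for the previous pub.pem")
NEW_PEM = to_pem(b"constructed stand-in for the regenerated pub.pem")
# Constructed sample of a test file that pins the old fingerprints.
SAMPLE_TEST = (
    "sha1 reference: " + fingerprint(OLD_PEM, "sha1").lower() + "\n"
    "sha256 reference: " + fingerprint(OLD_PEM, "sha256") + "\n"
)

if __name__ == "__main__":
    updated, count = update_references(SAMPLE_TEST, OLD_PEM, NEW_PEM)
    print(updated, end="")
    print(count, "reference(s) updated")
```

A replacement count of zero for a test file that is known to pin a fingerprint means the reference is stored in a form this matcher does not cover and has to be updated by hand.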