tests/test-url.py
author Markus F.X.J. Oberhumer <markus@oberhumer.com>
Wed, 23 Mar 2011 02:33:22 +0100
changeset 13730 df978f28a259
parent 13249 75d0c38a0bca
child 13770 4e8f2310f310
permissions -rw-r--r--
bdiff.c: cast to unsigned char when computing hash value
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
12737
7adb1274a4f9 test-url: skip test when ssl module is unavailable
Augie Fackler <durin42@gmail.com>
parents: 12592
diff changeset
     1
import sys
12592
f2937d6492c5 url: verify correctness of https server certificates (issue2407)
Mads Kiilerich <mads@kiilerich.com>
parents:
diff changeset
     2
f2937d6492c5 url: verify correctness of https server certificates (issue2407)
Mads Kiilerich <mads@kiilerich.com>
parents:
diff changeset
     3
def check(a, b):
f2937d6492c5 url: verify correctness of https server certificates (issue2407)
Mads Kiilerich <mads@kiilerich.com>
parents:
diff changeset
     4
    if a != b:
f2937d6492c5 url: verify correctness of https server certificates (issue2407)
Mads Kiilerich <mads@kiilerich.com>
parents:
diff changeset
     5
        print (a, b)
f2937d6492c5 url: verify correctness of https server certificates (issue2407)
Mads Kiilerich <mads@kiilerich.com>
parents:
diff changeset
     6
12606
5c8353692123 test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents: 12592
diff changeset
     7
def cert(cn):
5c8353692123 test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents: 12592
diff changeset
     8
    return dict(subject=((('commonName', cn),),))
5c8353692123 test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents: 12592
diff changeset
     9
12592
f2937d6492c5 url: verify correctness of https server certificates (issue2407)
Mads Kiilerich <mads@kiilerich.com>
parents:
diff changeset
    10
from mercurial.url import _verifycert
f2937d6492c5 url: verify correctness of https server certificates (issue2407)
Mads Kiilerich <mads@kiilerich.com>
parents:
diff changeset
    11
12724
66e7ba85585b test-url: remove trailing whitespace
Augie Fackler <durin42@gmail.com>
parents: 12606
diff changeset
    12
# Test non-wildcard certificates
12606
5c8353692123 test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents: 12592
diff changeset
    13
check(_verifycert(cert('example.com'), 'example.com'),
5c8353692123 test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents: 12592
diff changeset
    14
      None)
5c8353692123 test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents: 12592
diff changeset
    15
check(_verifycert(cert('example.com'), 'www.example.com'),
5c8353692123 test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents: 12592
diff changeset
    16
      'certificate is for example.com')
5c8353692123 test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents: 12592
diff changeset
    17
check(_verifycert(cert('www.example.com'), 'example.com'),
5c8353692123 test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents: 12592
diff changeset
    18
      'certificate is for www.example.com')
12592
f2937d6492c5 url: verify correctness of https server certificates (issue2407)
Mads Kiilerich <mads@kiilerich.com>
parents:
diff changeset
    19
f2937d6492c5 url: verify correctness of https server certificates (issue2407)
Mads Kiilerich <mads@kiilerich.com>
parents:
diff changeset
    20
# Test wildcard certificates
12606
5c8353692123 test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents: 12592
diff changeset
    21
check(_verifycert(cert('*.example.com'), 'www.example.com'),
5c8353692123 test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents: 12592
diff changeset
    22
      None)
5c8353692123 test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents: 12592
diff changeset
    23
check(_verifycert(cert('*.example.com'), 'example.com'),
5c8353692123 test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents: 12592
diff changeset
    24
      'certificate is for *.example.com')
5c8353692123 test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents: 12592
diff changeset
    25
check(_verifycert(cert('*.example.com'), 'w.w.example.com'),
5c8353692123 test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents: 12592
diff changeset
    26
      'certificate is for *.example.com')
12592
f2937d6492c5 url: verify correctness of https server certificates (issue2407)
Mads Kiilerich <mads@kiilerich.com>
parents:
diff changeset
    27
13249
75d0c38a0bca url: check subjectAltName when verifying ssl certificate
Yuya Nishihara <yuya@tcha.org>
parents: 13248
diff changeset
    28
# Test subjectAltName
75d0c38a0bca url: check subjectAltName when verifying ssl certificate
Yuya Nishihara <yuya@tcha.org>
parents: 13248
diff changeset
    29
san_cert = {'subject': ((('commonName', 'example.com'),),),
75d0c38a0bca url: check subjectAltName when verifying ssl certificate
Yuya Nishihara <yuya@tcha.org>
parents: 13248
diff changeset
    30
            'subjectAltName': (('DNS', '*.example.net'),
75d0c38a0bca url: check subjectAltName when verifying ssl certificate
Yuya Nishihara <yuya@tcha.org>
parents: 13248
diff changeset
    31
                               ('DNS', 'example.net'))}
75d0c38a0bca url: check subjectAltName when verifying ssl certificate
Yuya Nishihara <yuya@tcha.org>
parents: 13248
diff changeset
    32
check(_verifycert(san_cert, 'example.net'),
75d0c38a0bca url: check subjectAltName when verifying ssl certificate
Yuya Nishihara <yuya@tcha.org>
parents: 13248
diff changeset
    33
      None)
75d0c38a0bca url: check subjectAltName when verifying ssl certificate
Yuya Nishihara <yuya@tcha.org>
parents: 13248
diff changeset
    34
check(_verifycert(san_cert, 'foo.example.net'),
75d0c38a0bca url: check subjectAltName when verifying ssl certificate
Yuya Nishihara <yuya@tcha.org>
parents: 13248
diff changeset
    35
      None)
75d0c38a0bca url: check subjectAltName when verifying ssl certificate
Yuya Nishihara <yuya@tcha.org>
parents: 13248
diff changeset
    36
# subject is only checked when subjectAltName is empty
75d0c38a0bca url: check subjectAltName when verifying ssl certificate
Yuya Nishihara <yuya@tcha.org>
parents: 13248
diff changeset
    37
check(_verifycert(san_cert, 'example.com'),
75d0c38a0bca url: check subjectAltName when verifying ssl certificate
Yuya Nishihara <yuya@tcha.org>
parents: 13248
diff changeset
    38
      'certificate is for *.example.net, example.net')
75d0c38a0bca url: check subjectAltName when verifying ssl certificate
Yuya Nishihara <yuya@tcha.org>
parents: 13248
diff changeset
    39
12592
f2937d6492c5 url: verify correctness of https server certificates (issue2407)
Mads Kiilerich <mads@kiilerich.com>
parents:
diff changeset
    40
# Avoid some pitfalls
12606
5c8353692123 test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents: 12592
diff changeset
    41
check(_verifycert(cert('*.foo'), 'foo'),
5c8353692123 test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents: 12592
diff changeset
    42
      'certificate is for *.foo')
5c8353692123 test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents: 12592
diff changeset
    43
check(_verifycert(cert('*o'), 'foo'),
5c8353692123 test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents: 12592
diff changeset
    44
      'certificate is for *o')
12592
f2937d6492c5 url: verify correctness of https server certificates (issue2407)
Mads Kiilerich <mads@kiilerich.com>
parents:
diff changeset
    45
12742
6ab4a7d3c179 url: validity (notBefore/notAfter) is checked by OpenSSL (issue2407)
Mads Kiilerich <mads@kiilerich.com>
parents: 12738
diff changeset
    46
check(_verifycert({'subject': ()},
12606
5c8353692123 test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents: 12592
diff changeset
    47
                  'example.com'),
13249
75d0c38a0bca url: check subjectAltName when verifying ssl certificate
Yuya Nishihara <yuya@tcha.org>
parents: 13248
diff changeset
    48
      'no commonName or subjectAltName found in certificate')
12592
f2937d6492c5 url: verify correctness of https server certificates (issue2407)
Mads Kiilerich <mads@kiilerich.com>
parents:
diff changeset
    49
check(_verifycert(None, 'example.com'),
12606
5c8353692123 test-url: refactor with shorter lines
Martin Geisler <mg@aragost.com>
parents: 12592
diff changeset
    50
      'no certificate received')
13248
00411a4fa1bb url: fix UnicodeDecodeError on certificate verification error
Yuya Nishihara <yuya@tcha.org>
parents: 12865
diff changeset
    51
00411a4fa1bb url: fix UnicodeDecodeError on certificate verification error
Yuya Nishihara <yuya@tcha.org>
parents: 12865
diff changeset
    52
# Unicode (IDN) certname isn't supported
00411a4fa1bb url: fix UnicodeDecodeError on certificate verification error
Yuya Nishihara <yuya@tcha.org>
parents: 12865
diff changeset
    53
check(_verifycert(cert(u'\u4f8b.jp'), 'example.jp'),
00411a4fa1bb url: fix UnicodeDecodeError on certificate verification error
Yuya Nishihara <yuya@tcha.org>
parents: 12865
diff changeset
    54
      'IDN in certificate not supported')