11100Szelenkov@nginx.comimport os
21019Szelenkov@nginx.comimport ssl
31019Szelenkov@nginx.comimport subprocess
41477Szelenkov@nginx.com
51019Szelenkov@nginx.comfrom unit.applications.proto import TestApplicationProto
61730Szelenkov@nginx.comfrom unit.option import option
71019Szelenkov@nginx.com
81019Szelenkov@nginx.com
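class TestApplicationTLS(TestApplicationProto):
    """TLS helpers for application tests.

    Generates self-signed certificates with ``openssl`` under
    ``option.temp_dir``, uploads them through the control API, and sends
    requests over a client SSL context created in ``setup_method``.
    """

    def setup_method(self):
        # Client context used to talk to the test listener.  The certificates
        # produced by ``certificate`` are self-signed, so hostname checking
        # and chain verification are deliberately disabled here; this
        # context is only meant for the local unit under test.
        self.context = ssl.create_default_context()
        self.context.check_hostname = False
        self.context.verify_mode = ssl.CERT_NONE

    def certificate(self, name='default', load=True):
        """Generate a self-signed ``<name>.crt`` / ``<name>.key`` pair.

        Args:
            name: file stem under ``option.temp_dir`` and the subject CN.
                It is passed to openssl as a single argv element (no shell),
                but it is not escaped: a value containing ``/`` changes the
                ``-subj`` string.
            load: when true, upload the pair via ``certificate_load``.

        Returns:
            The ``conf`` result when ``load`` is true, otherwise ``None``.

        Raises:
            subprocess.CalledProcessError: if openssl exits non-zero.
        """
        self.openssl_conf()

        temp_dir = option.temp_dir

        # check_call instead of call: a failed openssl run used to be ignored
        # and only surfaced later (FileNotFoundError in certificate_load, or
        # not at all with load=False).  stderr is merged into stdout so the
        # openssl diagnostics end up in the test output.
        subprocess.check_call(
            [
                'openssl',
                'req',
                '-x509',
                '-new',
                '-subj',    '/CN=' + name + '/',
                '-config',  temp_dir + '/openssl.conf',
                '-out',     temp_dir + '/' + name + '.crt',
                '-keyout',  temp_dir + '/' + name + '.key',
            ],
            stderr=subprocess.STDOUT,
        )

        if load:
            return self.certificate_load(name)

        return None

    def certificate_load(self, crt, key=None):
        """Upload a PEM key and certificate to ``/certificates/<crt>``.

        Args:
            crt: stem of ``<crt>.crt`` under ``option.temp_dir``.
            key: stem of ``<key>.key``; defaults to ``crt``.

        Returns:
            Whatever ``self.conf`` returns for the upload.

        Raises:
            FileNotFoundError: if either file is missing (e.g. ``certificate``
                was never called for this name).
        """
        if key is None:
            key = crt

        key_path = option.temp_dir + '/' + key + '.key'
        crt_path = option.temp_dir + '/' + crt + '.crt'

        # Both files are sent as one PEM blob, private key first, then the
        # certificate.
        with open(key_path, 'rb') as k, open(crt_path, 'rb') as c:
            pem = k.read() + c.read()

        return self.conf(pem, '/certificates/' + crt)

    def get_ssl(self, **kwargs):
        """GET over TLS using the context from ``setup_method``."""
        return self.get(wrapper=self.context.wrap_socket, **kwargs)

    def post_ssl(self, **kwargs):
        """POST over TLS using the context from ``setup_method``."""
        return self.post(wrapper=self.context.wrap_socket, **kwargs)

    def get_server_certificate(self, addr=('127.0.0.1', 7080)):
        """Fetch the certificate presented by the listener at ``addr``.

        Returns:
            The server certificate as a PEM string (``ssl`` module result).
        """
        # Prefer the version-negotiating constant; older Pythons only have
        # the per-version ones.  Newer Pythons deprecate PROTOCOL_TLS in
        # favour of PROTOCOL_TLS_CLIENT; the fallback chain is kept for
        # compatibility with the interpreters the suite still runs on.
        ssl_version = getattr(ssl, 'PROTOCOL_TLS', None)
        if ssl_version is None:
            ssl_version = getattr(ssl, 'PROTOCOL_TLSv1_2', None)
        if ssl_version is None:
            ssl_version = ssl.PROTOCOL_TLSv1_1

        return ssl.get_server_certificate(addr, ssl_version=ssl_version)

    def openssl_conf(self, rewrite=False, alt_names=None):
        """Write ``option.temp_dir/openssl.conf`` used by ``certificate``.

        Args:
            rewrite: overwrite an existing file.  By default an existing
                config is left untouched, so ``alt_names`` only take effect
                on the first write or with ``rewrite=True``.
            alt_names: DNS names for a ``subjectAltName`` request extension.
                Values are interpolated into the config verbatim (no
                escaping).  When empty, no extension section is written.
        """
        # ``None`` instead of a mutable ``[]`` default.
        if alt_names is None:
            alt_names = []

        conf_path = option.temp_dir + '/openssl.conf'

        if not rewrite and os.path.exists(conf_path):
            return

        # [alt_names] section: one DNS.<n> entry per name, numbered from 1.
        a_names = "[alt_names]\n" + "".join(
            "DNS.%d = %s\n" % (i, k) for i, k in enumerate(alt_names, 1)
        )

        # Request-extension section referencing the alt_names section above.
        a_sec = """req_extensions = myca_req_extensions

[ myca_req_extensions ]
subjectAltName = @alt_names

{a_names}""".format(a_names=a_names)

        # encrypt_key = no: the test private key is written unencrypted so
        # openssl does not prompt for a passphrase.
        with open(conf_path, 'w') as f:
            f.write(
                """[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name

{a_sec}
[ req_distinguished_name ]""".format(a_sec=a_sec if alt_names else "")
            )

    def load(self, script, name=None):
        """Configure one python application serving ``script`` on ``*:7080``.

        Args:
            script: directory name under ``option.test_dir/python``; used as
                both ``path`` and ``working_directory``, with ``wsgi`` as the
                module.
            name: application name in the config; defaults to ``script``.
        """
        if name is None:
            name = script

        script_path = option.test_dir + '/python/' + script

        self._load_conf(
            {
                "listeners": {"*:7080": {"pass": "applications/" + name}},
                "applications": {
                    name: {
                        "type": "python",
                        "processes": {"spare": 0},
                        "path": script_path,
                        "working_directory": script_path,
                        "module": "wsgi",
                    }
                },
            }
        )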