
Python code coverage for Lib/test/make_ssl_certs.py

1n/a"""Make the custom certificate and private key files used by test_ssl
2n/aand friends."""
3n/a
4n/aimport os
5n/aimport shutil
6n/aimport tempfile
7n/afrom subprocess import *
8n/a
# OpenSSL configuration template shared by make_cert_key() and make_ca().
# ``{hostname}`` and ``{extra_san}`` are substituted with str.format before
# the text is written to a temp file.  ``[req]``/``[san]`` are read by
# ``openssl req``; ``[ ca ]``/``[ CA_default ]`` and the two policy sections
# are read by ``openssl ca`` (``dir = cadir`` has to match TMP_CADIR);
# ``[dir_sect]`` and ``[princ_name]`` back the ``dirName.1`` and
# ``otherName.2`` entries the __main__ block passes in via extra_san; and
# ``[ v3_ca ]`` is selected with ``-extensions v3_ca`` when the CA is built.
# NOTE(review): ``default_md = sha1`` makes the CA sign certificates and CRLs
# with SHA-1.  Current OpenSSL builds commonly refuse SHA-1 signatures at
# their default security level, so confirm regenerated fixtures still load.
req_template: str = """
    [req]
    distinguished_name = req_distinguished_name
    x509_extensions = req_x509_extensions
    prompt = no

    [req_distinguished_name]
    C = XY
    L = Castle Anthrax
    O = Python Software Foundation
    CN = {hostname}

    [req_x509_extensions]
    subjectAltName = @san

    [san]
    DNS.1 = {hostname}
    {extra_san}

    [dir_sect]
    C = XY
    L = Castle Anthrax
    O = Python Software Foundation
    CN = dirname example

    [princ_name]
    realm = EXP:0, GeneralString:KERBEROS.REALM
    principal_name = EXP:1, SEQUENCE:principal_seq

    [principal_seq]
    name_type = EXP:0, INTEGER:1
    name_string = EXP:1, SEQUENCE:principals

    [principals]
    princ1 = GeneralString:username

    [ ca ]
    default_ca = CA_default

    [ CA_default ]
    dir = cadir
    database = $dir/index.txt
    crlnumber = $dir/crl.txt
    default_md = sha1
    default_days = 3600
    default_crl_days = 3600
    certificate = pycacert.pem
    private_key = pycakey.pem
    serial = $dir/serial
    RANDFILE = $dir/.rand

    policy = policy_match

    [ policy_match ]
    countryName = match
    stateOrProvinceName = optional
    organizationName = match
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional

    [ policy_anything ]
    countryName = optional
    stateOrProvinceName = optional
    localityName = optional
    organizationName = optional
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional


    [ v3_ca ]

    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer
    basicConstraints = CA:true

    """
87n/a
# Absolute path of the directory holding this script; the __main__ block
# chdirs here so every generated fixture lands next to the tests.
here = os.path.dirname(os.path.abspath(__file__))
89n/a
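def make_cert_key(hostname, sign=False, extra_san=''):
    """Create a certificate and private key for *hostname*.

    An OpenSSL config is rendered from ``req_template`` into a temp file and
    ``openssl req`` is run against it.  With ``sign`` false the result is a
    self-signed certificate (``-x509``); with ``sign`` true a request is
    written instead and then issued by ``openssl ca`` using the files
    ``make_ca()`` leaves in the current directory (``cadir``,
    ``pycacert.pem``, ``pycakey.pem``), so ``make_ca()`` must run first.

    Args:
        hostname: used as the CN and as ``DNS.1`` in the subjectAltName.
        sign: issue the certificate from the test CA instead of self-signing.
        extra_san: extra lines appended to the ``[san]`` section.

    Returns:
        ``(cert, key)``: PEM text of the certificate and of the private key.

    Raises:
        CalledProcessError: if an ``openssl`` invocation fails.
    """
    print("creating cert for " + hostname)
    tempnames = []
    try:
        # Temp files are created inside the try so that a failure part-way
        # through creation still gets the earlier ones removed in ``finally``.
        for _ in range(3):
            with tempfile.NamedTemporaryFile(delete=False) as f:
                tempnames.append(f.name)
        req_file, cert_file, key_file = tempnames

        req = req_template.format(hostname=hostname, extra_san=extra_san)
        with open(req_file, 'w') as f:
            f.write(req)
        # NOTE(review): 1024-bit RSA is below what current OpenSSL security
        # levels accept by default, so fixtures generated here may fail to
        # load on newer builds -- confirm before regenerating.
        args = ['req', '-new', '-days', '3650', '-nodes',
                '-newkey', 'rsa:1024', '-keyout', key_file,
                '-config', req_file]
        if sign:
            # Write a CSR to a fourth temp file for the CA to issue.
            with tempfile.NamedTemporaryFile(delete=False) as f:
                tempnames.append(f.name)
                reqfile = f.name
            args += ['-out', reqfile]
        else:
            args += ['-x509', '-out', cert_file]
        check_call(['openssl'] + args)

        if sign:
            # ``req_file`` doubles as the ``openssl ca`` config: it carries the
            # [ ca ]/[ CA_default ] sections and the policy_anything policy.
            args = ['ca', '-config', req_file, '-out', cert_file, '-outdir', 'cadir',
                    '-policy', 'policy_anything', '-batch', '-infiles', reqfile]
            check_call(['openssl'] + args)

        with open(cert_file, 'r') as f:
            cert = f.read()
        with open(key_file, 'r') as f:
            key = f.read()
        return cert, key
    finally:
        for name in tempnames:
            try:
                os.remove(name)
            except FileNotFoundError:
                # A missing temp file must not mask the error being raised.
                pass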
128n/a
# Working directory for ``openssl ca``.  Must stay 'cadir' because the
# ``dir = cadir`` line inside req_template names the same directory.
TMP_CADIR = 'cadir'


def unmake_ca():
    """Remove the CA working directory created by make_ca()."""
    shutil.rmtree(TMP_CADIR)
133n/a
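def make_ca():
    """Create the test CA used to issue the ``sign=True`` certificates.

    Sets up the ``openssl ca`` working directory (``TMP_CADIR`` holding an
    empty ``index.txt``, a ``crl.txt`` counter and ``unique_subject = no``),
    then writes a 2048-bit CA key (``pycakey.pem``), a self-signed CA
    certificate with the ``v3_ca`` extensions (``pycacert.pem``) and a first
    CRL (``revocation.crl``), all into the current directory.  Call
    ``unmake_ca()`` afterwards to drop the working directory.

    Raises:
        FileExistsError: if ``TMP_CADIR`` already exists.
        CalledProcessError: if an ``openssl`` invocation fails.
    """
    # TMP_CADIR has to be 'cadir': the ``dir = cadir`` line in req_template
    # is how ``openssl ca`` finds index.txt, serial and crl.txt.
    os.mkdir(TMP_CADIR)
    with open(os.path.join(TMP_CADIR, 'index.txt'), 'a+') as f:
        pass  # empty file
    with open(os.path.join(TMP_CADIR, 'crl.txt'), 'a+') as f:
        f.write("00")
    with open(os.path.join(TMP_CADIR, 'index.txt.attr'), 'w+') as f:
        f.write('unique_subject = no')

    with tempfile.NamedTemporaryFile("w") as t:
        t.write(req_template.format(hostname='our-ca-server', extra_san=''))
        t.flush()
        with tempfile.NamedTemporaryFile() as f:
            # CA key plus a request for the CA certificate itself.
            args = ['req', '-new', '-days', '3650', '-extensions', 'v3_ca', '-nodes',
                    '-newkey', 'rsa:2048', '-keyout', 'pycakey.pem',
                    '-out', f.name,
                    '-subj', '/C=XY/L=Castle Anthrax/O=Python Software Foundation CA/CN=our-ca-server']
            check_call(['openssl'] + args)
            # Self-sign that request; ``-create_serial`` initialises the
            # ``$dir/serial`` file named in the template.
            args = ['ca', '-config', t.name, '-create_serial',
                    '-out', 'pycacert.pem', '-batch', '-outdir', TMP_CADIR,
                    '-keyfile', 'pycakey.pem', '-days', '3650',
                    '-selfsign', '-extensions', 'v3_ca', '-infiles', f.name]
            check_call(['openssl'] + args)
            # Initial CRL, signed with the ``private_key`` from the config.
            args = ['ca', '-config', t.name, '-gencrl', '-out', 'revocation.crl']
            check_call(['openssl'] + args)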
159n/a
if __name__ == '__main__':
    # Generate every fixture next to this script.
    os.chdir(here)

    # Self-signed certificate and key for 'localhost'.
    cert, key = make_cert_key('localhost')
    with open('ssl_cert.pem', 'w') as f:
        f.write(cert)
    with open('ssl_key.pem', 'w') as f:
        f.write(key)

    # Passphrase-protected copies of the key (fixture passphrase 'somepass').
    print("password protecting ssl_key.pem in ssl_key.passwd.pem")
    for protected_name in ('ssl_key.passwd.pem', 'keycert.passwd.pem'):
        check_call(['openssl', 'rsa', '-in', 'ssl_key.pem', '-out', protected_name,
                    '-des3', '-passout', 'pass:somepass'])

    # Combined key + certificate files.
    with open('keycert.pem', 'w') as f:
        f.write(key + cert)
    with open('keycert.passwd.pem', 'a+') as f:
        f.write(cert)

    # For certificate matching tests
    make_ca()
    for out_name, name, signed in (
        ('keycert2.pem', 'fakehostname', False),
        ('keycert3.pem', 'localhost', True),
        ('keycert4.pem', 'fakehostname', True),
    ):
        cert, key = make_cert_key(name, signed)
        with open(out_name, 'w') as f:
            f.write(key + cert)

    # One certificate carrying every subjectAltName type the template supports.
    extra_san = [
        'otherName.1 = 1.2.3.4;UTF8:some other identifier',
        'otherName.2 = 1.3.6.1.5.2.2;SEQUENCE:princ_name',
        'email.1 = user@example.org',
        'DNS.2 = www.example.org',
        # GEN_X400
        'dirName.1 = dir_sect',
        # GEN_EDIPARTY
        'URI.1 = https://www.python.org/',
        'IP.1 = 127.0.0.1',
        'IP.2 = ::1',
        'RID.1 = 1.2.3.4.5',
    ]
    cert, key = make_cert_key('allsans', extra_san='\n'.join(extra_san))
    with open('allsans.pem', 'w') as f:
        f.write(key + cert)

    unmake_ca()
    print("\n\nPlease change the values in test_ssl.py, test_parse_cert function related to notAfter,notBefore and serialNumber")
    check_call(['openssl', 'x509', '-in', 'keycert.pem', '-dates', '-serial', '-noout'])