Python code coverage for Lib/test/make_ssl_certs.py

#	count	content
1	n/a	"""Make the custom certificate and private key files used by test_ssl
2	n/a	and friends."""
3	n/a
4	n/a	import os
5	n/a	import shutil
6	n/a	import tempfile
7	n/a	from subprocess import *
8	n/a
9	n/a	req_template = """
10	n/a	[req]
11	n/a	distinguished_name = req_distinguished_name
12	n/a	x509_extensions = req_x509_extensions
13	n/a	prompt = no
14	n/a
15	n/a	[req_distinguished_name]
16	n/a	C = XY
17	n/a	L = Castle Anthrax
18	n/a	O = Python Software Foundation
19	n/a	CN = {hostname}
20	n/a
21	n/a	[req_x509_extensions]
22	n/a	subjectAltName = @san
23	n/a
24	n/a	[san]
25	n/a	DNS.1 = {hostname}
26	n/a	{extra_san}
27	n/a
28	n/a	[dir_sect]
29	n/a	C = XY
30	n/a	L = Castle Anthrax
31	n/a	O = Python Software Foundation
32	n/a	CN = dirname example
33	n/a
34	n/a	[princ_name]
35	n/a	realm = EXP:0, GeneralString:KERBEROS.REALM
36	n/a	principal_name = EXP:1, SEQUENCE:principal_seq
37	n/a
38	n/a	[principal_seq]
39	n/a	name_type = EXP:0, INTEGER:1
40	n/a	name_string = EXP:1, SEQUENCE:principals
41	n/a
42	n/a	[principals]
43	n/a	princ1 = GeneralString:username
44	n/a
45	n/a	[ ca ]
46	n/a	default_ca = CA_default
47	n/a
48	n/a	[ CA_default ]
49	n/a	dir = cadir
50	n/a	database = $dir/index.txt
51	n/a	crlnumber = $dir/crl.txt
52	n/a	default_md = sha1
53	n/a	default_days = 3600
54	n/a	default_crl_days = 3600
55	n/a	certificate = pycacert.pem
56	n/a	private_key = pycakey.pem
57	n/a	serial = $dir/serial
58	n/a	RANDFILE = $dir/.rand
59	n/a
60	n/a	policy = policy_match
61	n/a
62	n/a	[ policy_match ]
63	n/a	countryName = match
64	n/a	stateOrProvinceName = optional
65	n/a	organizationName = match
66	n/a	organizationalUnitName = optional
67	n/a	commonName = supplied
68	n/a	emailAddress = optional
69	n/a
70	n/a	[ policy_anything ]
71	n/a	countryName = optional
72	n/a	stateOrProvinceName = optional
73	n/a	localityName = optional
74	n/a	organizationName = optional
75	n/a	organizationalUnitName = optional
76	n/a	commonName = supplied
77	n/a	emailAddress = optional
78	n/a
79	n/a
80	n/a	[ v3_ca ]
81	n/a
82	n/a	subjectKeyIdentifier=hash
83	n/a	authorityKeyIdentifier=keyid:always,issuer
84	n/a	basicConstraints = CA:true
85	n/a
86	n/a	"""
87	n/a
88	n/a	here = os.path.abspath(os.path.dirname(__file__))
89	n/a
90	n/a	def make_cert_key(hostname, sign=False, extra_san=''):
91	n/a	print("creating cert for " + hostname)
92	n/a	tempnames = []
93	n/a	for i in range(3):
94	n/a	with tempfile.NamedTemporaryFile(delete=False) as f:
95	n/a	tempnames.append(f.name)
96	n/a	req_file, cert_file, key_file = tempnames
97	n/a	try:
98	n/a	req = req_template.format(hostname=hostname, extra_san=extra_san)
99	n/a	with open(req_file, 'w') as f:
100	n/a	f.write(req)
101	n/a	args = ['req', '-new', '-days', '3650', '-nodes',
102	n/a	'-newkey', 'rsa:1024', '-keyout', key_file,
103	n/a	'-config', req_file]
104	n/a	if sign:
105	n/a	with tempfile.NamedTemporaryFile(delete=False) as f:
106	n/a	tempnames.append(f.name)
107	n/a	reqfile = f.name
108	n/a	args += ['-out', reqfile ]
109	n/a
110	n/a	else:
111	n/a	args += ['-x509', '-out', cert_file ]
112	n/a	check_call(['openssl'] + args)
113	n/a
114	n/a	if sign:
115	n/a	args = ['ca', '-config', req_file, '-out', cert_file, '-outdir', 'cadir',
116	n/a	'-policy', 'policy_anything', '-batch', '-infiles', reqfile ]
117	n/a	check_call(['openssl'] + args)
118	n/a
119	n/a
120	n/a	with open(cert_file, 'r') as f:
121	n/a	cert = f.read()
122	n/a	with open(key_file, 'r') as f:
123	n/a	key = f.read()
124	n/a	return cert, key
125	n/a	finally:
126	n/a	for name in tempnames:
127	n/a	os.remove(name)
128	n/a
129	n/a	TMP_CADIR = 'cadir'
130	n/a
131	n/a	def unmake_ca():
132	n/a	shutil.rmtree(TMP_CADIR)
133	n/a
134	n/a	def make_ca():
135	n/a	os.mkdir(TMP_CADIR)
136	n/a	with open(os.path.join('cadir','index.txt'),'a+') as f:
137	n/a	pass # empty file
138	n/a	with open(os.path.join('cadir','crl.txt'),'a+') as f:
139	n/a	f.write("00")
140	n/a	with open(os.path.join('cadir','index.txt.attr'),'w+') as f:
141	n/a	f.write('unique_subject = no')
142	n/a
143	n/a	with tempfile.NamedTemporaryFile("w") as t:
144	n/a	t.write(req_template.format(hostname='our-ca-server', extra_san=''))
145	n/a	t.flush()
146	n/a	with tempfile.NamedTemporaryFile() as f:
147	n/a	args = ['req', '-new', '-days', '3650', '-extensions', 'v3_ca', '-nodes',
148	n/a	'-newkey', 'rsa:2048', '-keyout', 'pycakey.pem',
149	n/a	'-out', f.name,
150	n/a	'-subj', '/C=XY/L=Castle Anthrax/O=Python Software Foundation CA/CN=our-ca-server']
151	n/a	check_call(['openssl'] + args)
152	n/a	args = ['ca', '-config', t.name, '-create_serial',
153	n/a	'-out', 'pycacert.pem', '-batch', '-outdir', TMP_CADIR,
154	n/a	'-keyfile', 'pycakey.pem', '-days', '3650',
155	n/a	'-selfsign', '-extensions', 'v3_ca', '-infiles', f.name ]
156	n/a	check_call(['openssl'] + args)
157	n/a	args = ['ca', '-config', t.name, '-gencrl', '-out', 'revocation.crl']
158	n/a	check_call(['openssl'] + args)
159	n/a
160	n/a	if __name__ == '__main__':
161	n/a	os.chdir(here)
162	n/a	cert, key = make_cert_key('localhost')
163	n/a	with open('ssl_cert.pem', 'w') as f:
164	n/a	f.write(cert)
165	n/a	with open('ssl_key.pem', 'w') as f:
166	n/a	f.write(key)
167	n/a	print("password protecting ssl_key.pem in ssl_key.passwd.pem")
168	n/a	check_call(['openssl','rsa','-in','ssl_key.pem','-out','ssl_key.passwd.pem','-des3','-passout','pass:somepass'])
169	n/a	check_call(['openssl','rsa','-in','ssl_key.pem','-out','keycert.passwd.pem','-des3','-passout','pass:somepass'])
170	n/a
171	n/a	with open('keycert.pem', 'w') as f:
172	n/a	f.write(key)
173	n/a	f.write(cert)
174	n/a
175	n/a	with open('keycert.passwd.pem', 'a+') as f:
176	n/a	f.write(cert)
177	n/a
178	n/a	# For certificate matching tests
179	n/a	make_ca()
180	n/a	cert, key = make_cert_key('fakehostname')
181	n/a	with open('keycert2.pem', 'w') as f:
182	n/a	f.write(key)
183	n/a	f.write(cert)
184	n/a
185	n/a	cert, key = make_cert_key('localhost', True)
186	n/a	with open('keycert3.pem', 'w') as f:
187	n/a	f.write(key)
188	n/a	f.write(cert)
189	n/a
190	n/a	cert, key = make_cert_key('fakehostname', True)
191	n/a	with open('keycert4.pem', 'w') as f:
192	n/a	f.write(key)
193	n/a	f.write(cert)
194	n/a
195	n/a	extra_san = [
196	n/a	'otherName.1 = 1.2.3.4;UTF8:some other identifier',
197	n/a	'otherName.2 = 1.3.6.1.5.2.2;SEQUENCE:princ_name',
198	n/a	'email.1 = user@example.org',
199	n/a	'DNS.2 = www.example.org',
200	n/a	# GEN_X400
201	n/a	'dirName.1 = dir_sect',
202	n/a	# GEN_EDIPARTY
203	n/a	'URI.1 = https://www.python.org/',
204	n/a	'IP.1 = 127.0.0.1',
205	n/a	'IP.2 = ::1',
206	n/a	'RID.1 = 1.2.3.4.5',
207	n/a	]
208	n/a
209	n/a	cert, key = make_cert_key('allsans', extra_san='\n'.join(extra_san))
210	n/a	with open('allsans.pem', 'w') as f:
211	n/a	f.write(key)
212	n/a	f.write(cert)
213	n/a
214	n/a	unmake_ca()
215	n/a	print("\n\nPlease change the values in test_ssl.py, test_parse_cert function related to notAfter,notBefore and serialNumber")
216	n/a	check_call(['openssl','x509','-in','keycert.pem','-dates','-serial','-noout'])