60 'no certificate received') |
61 'no certificate received') |
61 |
62 |
62 # Unicode (IDN) certname isn't supported |
63 # Unicode (IDN) certname isn't supported |
63 check(_verifycert(cert(u'\u4f8b.jp'), 'example.jp'), |
64 check(_verifycert(cert(u'\u4f8b.jp'), 'example.jp'), |
64 'IDN in certificate not supported') |
65 'IDN in certificate not supported') |
|
66 |
|
67 # The following tests are from CPython's test_ssl.py. |
|
68 check(_verifycert(cert('example.com'), 'example.com'), None) |
|
69 check(_verifycert(cert('example.com'), 'ExAmple.cOm'), None) |
|
70 check(_verifycert(cert('example.com'), 'www.example.com'), |
|
71 'certificate is for example.com') |
|
72 check(_verifycert(cert('example.com'), '.example.com'), |
|
73 'certificate is for example.com') |
|
74 check(_verifycert(cert('example.com'), 'example.org'), |
|
75 'certificate is for example.com') |
|
76 check(_verifycert(cert('example.com'), 'exampleXcom'), |
|
77 'certificate is for example.com') |
|
78 check(_verifycert(cert('*.a.com'), 'foo.a.com'), None) |
|
79 check(_verifycert(cert('*.a.com'), 'bar.foo.a.com'), |
|
80 'certificate is for *.a.com') |
|
81 check(_verifycert(cert('*.a.com'), 'a.com'), |
|
82 'certificate is for *.a.com') |
|
83 check(_verifycert(cert('*.a.com'), 'Xa.com'), |
|
84 'certificate is for *.a.com') |
|
85 check(_verifycert(cert('*.a.com'), '.a.com'), None) |
|
86 |
|
87 # only match one left-most wildcard |
|
88 check(_verifycert(cert('f*.com'), 'foo.com'), |
|
89 'certificate is for f*.com') |
|
90 check(_verifycert(cert('f*.com'), 'f.com'), |
|
91 'certificate is for f*.com') |
|
92 check(_verifycert(cert('f*.com'), 'bar.com'), |
|
93 'certificate is for f*.com') |
|
94 check(_verifycert(cert('f*.com'), 'foo.a.com'), |
|
95 'certificate is for f*.com') |
|
96 check(_verifycert(cert('f*.com'), 'bar.foo.com'), |
|
97 'certificate is for f*.com') |
|
98 |
|
99 # NULL bytes are bad, CVE-2013-4073 |
|
100 check(_verifycert(cert('null.python.org\x00example.org'), |
|
101 'null.python.org\x00example.org'), None) |
|
102 check(_verifycert(cert('null.python.org\x00example.org'), |
|
103 'example.org'), |
|
104 'certificate is for null.python.org\x00example.org') |
|
105 check(_verifycert(cert('null.python.org\x00example.org'), |
|
106 'null.python.org'), |
|
107 'certificate is for null.python.org\x00example.org') |
|
108 |
|
109 # error cases with wildcards |
|
110 check(_verifycert(cert('*.*.a.com'), 'bar.foo.a.com'), |
|
111 'certificate is for *.*.a.com') |
|
112 check(_verifycert(cert('*.*.a.com'), 'a.com'), |
|
113 'certificate is for *.*.a.com') |
|
114 check(_verifycert(cert('*.*.a.com'), 'Xa.com'), |
|
115 'certificate is for *.*.a.com') |
|
116 check(_verifycert(cert('*.*.a.com'), '.a.com'), |
|
117 'certificate is for *.*.a.com') |
|
118 |
|
119 check(_verifycert(cert('a.*.com'), 'a.foo.com'), |
|
120 'certificate is for a.*.com') |
|
121 check(_verifycert(cert('a.*.com'), 'a..com'), |
|
122 'certificate is for a.*.com') |
|
123 check(_verifycert(cert('a.*.com'), 'a.com'), |
|
124 'certificate is for a.*.com') |
|
125 |
|
126 # wildcard doesn't match IDNA prefix 'xn--' |
|
127 idna = u'püthon.python.org'.encode('idna').decode('ascii') |
|
128 check(_verifycert(cert(idna), idna), None) |
|
129 check(_verifycert(cert('x*.python.org'), idna), |
|
130 'certificate is for x*.python.org') |
|
131 check(_verifycert(cert('xn--p*.python.org'), idna), |
|
132 'certificate is for xn--p*.python.org') |
|
133 |
|
134 # wildcard in first fragment and IDNA A-labels in sequent fragments |
|
135 # are supported. |
|
136 idna = u'www*.pythön.org'.encode('idna').decode('ascii') |
|
137 check(_verifycert(cert(idna), |
|
138 u'www.pythön.org'.encode('idna').decode('ascii')), |
|
139 'certificate is for www*.xn--pythn-mua.org') |
|
140 check(_verifycert(cert(idna), |
|
141 u'www1.pythön.org'.encode('idna').decode('ascii')), |
|
142 'certificate is for www*.xn--pythn-mua.org') |
|
143 check(_verifycert(cert(idna), |
|
144 u'ftp.pythön.org'.encode('idna').decode('ascii')), |
|
145 'certificate is for www*.xn--pythn-mua.org') |
|
146 check(_verifycert(cert(idna), |
|
147 u'pythön.org'.encode('idna').decode('ascii')), |
|
148 'certificate is for www*.xn--pythn-mua.org') |
|
149 |
|
150 c = { |
|
151 'notAfter': 'Jun 26 21:41:46 2011 GMT', |
|
152 'subject': (((u'commonName', u'linuxfrz.org'),),), |
|
153 'subjectAltName': ( |
|
154 ('DNS', 'linuxfr.org'), |
|
155 ('DNS', 'linuxfr.com'), |
|
156 ('othername', '<unsupported>'), |
|
157 ) |
|
158 } |
|
159 check(_verifycert(c, 'linuxfr.org'), None) |
|
160 check(_verifycert(c, 'linuxfr.com'), None) |
|
161 # Not a "DNS" entry |
|
162 check(_verifycert(c, '<unsupported>'), |
|
163 'certificate is for linuxfr.org, linuxfr.com') |
|
164 # When there is a subjectAltName, commonName isn't used |
|
165 check(_verifycert(c, 'linuxfrz.org'), |
|
166 'certificate is for linuxfr.org, linuxfr.com') |
|
167 |
|
168 # A pristine real-world example |
|
169 c = { |
|
170 'notAfter': 'Dec 18 23:59:59 2011 GMT', |
|
171 'subject': ( |
|
172 ((u'countryName', u'US'),), |
|
173 ((u'stateOrProvinceName', u'California'),), |
|
174 ((u'localityName', u'Mountain View'),), |
|
175 ((u'organizationName', u'Google Inc'),), |
|
176 ((u'commonName', u'mail.google.com'),), |
|
177 ), |
|
178 } |
|
179 check(_verifycert(c, 'mail.google.com'), None) |
|
180 check(_verifycert(c, 'gmail.com'), 'certificate is for mail.google.com') |
|
181 |
|
182 # Only commonName is considered |
|
183 check(_verifycert(c, 'California'), 'certificate is for mail.google.com') |
|
184 |
|
185 # Neither commonName nor subjectAltName |
|
186 c = { |
|
187 'notAfter': 'Dec 18 23:59:59 2011 GMT', |
|
188 'subject': ( |
|
189 ((u'countryName', u'US'),), |
|
190 ((u'stateOrProvinceName', u'California'),), |
|
191 ((u'localityName', u'Mountain View'),), |
|
192 ((u'organizationName', u'Google Inc'),), |
|
193 ), |
|
194 } |
|
195 check(_verifycert(c, 'mail.google.com'), |
|
196 'no commonName or subjectAltName found in certificate') |
|
197 |
|
198 # No DNS entry in subjectAltName but a commonName |
|
199 c = { |
|
200 'notAfter': 'Dec 18 23:59:59 2099 GMT', |
|
201 'subject': ( |
|
202 ((u'countryName', u'US'),), |
|
203 ((u'stateOrProvinceName', u'California'),), |
|
204 ((u'localityName', u'Mountain View'),), |
|
205 ((u'commonName', u'mail.google.com'),), |
|
206 ), |
|
207 'subjectAltName': (('othername', 'blabla'),), |
|
208 } |
|
209 check(_verifycert(c, 'mail.google.com'), None) |
|
210 |
|
211 # No DNS entry subjectAltName and no commonName |
|
212 c = { |
|
213 'notAfter': 'Dec 18 23:59:59 2099 GMT', |
|
214 'subject': ( |
|
215 ((u'countryName', u'US'),), |
|
216 ((u'stateOrProvinceName', u'California'),), |
|
217 ((u'localityName', u'Mountain View'),), |
|
218 ((u'organizationName', u'Google Inc'),), |
|
219 ), |
|
220 'subjectAltName': (('othername', 'blabla'),), |
|
221 } |
|
222 check(_verifycert(c, 'google.com'), |
|
223 'no commonName or subjectAltName found in certificate') |
|
224 |
|
225 # Empty cert / no cert |
|
226 check(_verifycert(None, 'example.com'), 'no certificate received') |
|
227 check(_verifycert({}, 'example.com'), 'no certificate received') |
|
228 |
|
229 # avoid denials of service by refusing more than one |
|
230 # wildcard per fragment. |
|
231 check(_verifycert({'subject': (((u'commonName', u'a*b.com'),),)}, |
|
232 'axxb.com'), 'certificate is for a*b.com') |
|
233 check(_verifycert({'subject': (((u'commonName', u'a*b.co*'),),)}, |
|
234 'axxb.com'), 'certificate is for a*b.co*') |
|
235 check(_verifycert({'subject': (((u'commonName', u'a*b*.com'),),)}, |
|
236 'axxbxxc.com'), 'certificate is for a*b*.com') |
65 |
237 |
66 def test_url(): |
238 def test_url(): |
67 """ |
239 """ |
68 >>> from mercurial.util import url |
240 >>> from mercurial.util import url |
69 |
241 |