Hypothetically fixes pyOpenSSL tests (#805)
* fix openssl CLI testing for 1.1.1
* various 1.1.1 related fixes
some of which are just admitting TLS 1.3 is fundamentally different and
pinning the tests to TLS 1.2
* flake8 fixes
* allow travis_infra env var through
* fix twisted
diff --git a/tests/test_crypto.py b/tests/test_crypto.py
index eb4590d..ec632d9 100644
--- a/tests/test_crypto.py
+++ b/tests/test_crypto.py
@@ -3156,20 +3156,20 @@
representing a serial number, a revoked reason, and certificate issuer
information.
"""
- crl = self._get_crl()
# PEM format
- dumped_crl = crl.export(
+ dumped_crl = self._get_crl().export(
self.cert, self.pkey, days=20, digest=b"sha256"
)
- text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text")
-
- # These magic values are based on the way the CRL above was constructed
- # and with what certificate it was exported.
- text.index(b'Serial Number: 03AB')
- text.index(b'Superseded')
- text.index(
- b'Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA'
- )
+ crl = x509.load_pem_x509_crl(dumped_crl, backend)
+ revoked = crl.get_revoked_certificate_by_serial_number(0x03AB)
+ assert revoked is not None
+ assert crl.issuer == x509.Name([
+ x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(x509.NameOID.STATE_OR_PROVINCE_NAME, u"IL"),
+ x509.NameAttribute(x509.NameOID.LOCALITY_NAME, u"Chicago"),
+ x509.NameAttribute(x509.NameOID.ORGANIZATION_NAME, u"Testing"),
+ x509.NameAttribute(x509.NameOID.COMMON_NAME, u"Testing Root CA"),
+ ])
def test_export_der(self):
"""
@@ -3180,17 +3180,19 @@
crl = self._get_crl()
# DER format
- dumped_crl = crl.export(
+ dumped_crl = self._get_crl().export(
self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5"
)
- text = _runopenssl(
- dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER"
- )
- text.index(b'Serial Number: 03AB')
- text.index(b'Superseded')
- text.index(
- b'Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA'
- )
+ crl = x509.load_der_x509_crl(dumped_crl, backend)
+ revoked = crl.get_revoked_certificate_by_serial_number(0x03AB)
+ assert revoked is not None
+ assert crl.issuer == x509.Name([
+ x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(x509.NameOID.STATE_OR_PROVINCE_NAME, u"IL"),
+ x509.NameAttribute(x509.NameOID.LOCALITY_NAME, u"Chicago"),
+ x509.NameAttribute(x509.NameOID.ORGANIZATION_NAME, u"Testing"),
+ x509.NameAttribute(x509.NameOID.COMMON_NAME, u"Testing Root CA"),
+ ])
# Flaky because we compare the output of running commands which sometimes
# varies by 1 second
@@ -3207,7 +3209,8 @@
self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5"
)
text = _runopenssl(
- dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER"
+ dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER",
+ b"-nameopt", b""
)
# text format
@@ -3778,7 +3781,7 @@
class TestEllipticCurveEquality(EqualityTestsMixin):
"""
- Tests `_EllipticCurve`\ 's implementation of ``==`` and ``!=``.
+ Tests `_EllipticCurve`'s implementation of ``==`` and ``!=``.
"""
curve_factory = EllipticCurveFactory()
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
index fbf0760..bddeaa9 100644
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -216,14 +216,14 @@
return [(cakey, cacert), (ikey, icert), (skey, scert)]
-def loopback_client_factory(socket):
- client = Connection(Context(SSLv23_METHOD), socket)
+def loopback_client_factory(socket, version=SSLv23_METHOD):
+ client = Connection(Context(version), socket)
client.set_connect_state()
return client
-def loopback_server_factory(socket):
- ctx = Context(SSLv23_METHOD)
+def loopback_server_factory(socket, version=SSLv23_METHOD):
+ ctx = Context(version)
ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
server = Connection(ctx, socket)
@@ -1307,13 +1307,13 @@
exception, verification fails and the exception is propagated to the
caller of `Connection.do_handshake`.
"""
- serverContext = Context(TLSv1_METHOD)
+ serverContext = Context(TLSv1_2_METHOD)
serverContext.use_privatekey(
load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))
serverContext.use_certificate(
load_certificate(FILETYPE_PEM, cleartextCertificatePEM))
- clientContext = Context(TLSv1_METHOD)
+ clientContext = Context(TLSv1_2_METHOD)
def verify_callback(*args):
raise Exception("silly verify failure")
@@ -2539,7 +2539,7 @@
"""
key = load_privatekey(FILETYPE_PEM, server_key_pem)
cert = load_certificate(FILETYPE_PEM, server_cert_pem)
- ctx = Context(SSLv23_METHOD)
+ ctx = Context(TLSv1_2_METHOD)
ctx.use_privatekey(key)
ctx.use_certificate(cert)
ctx.set_session_id("unity-test")
@@ -3193,7 +3193,10 @@
"""
Go through a complete renegotiation cycle.
"""
- server, client = loopback()
+ server, client = loopback(
+ lambda s: loopback_server_factory(s, TLSv1_2_METHOD),
+ lambda s: loopback_client_factory(s, TLSv1_2_METHOD),
+ )
server.send(b"hello world")