U

s�@g��
�@s�dZd
dl
mZmZ
d
dlZd
dlZd
dlZd
dlmZ
d
dl	m
Z

dZdZdZ
dZe
d�
�
rxd
dlZd
dlmZ
d
dlmZ
d
d	lmZ
d
d
lmZmZ
d
dlmZmZ
d
dlmZ
d
d
lmZ
d
dlmZ
d
dl m!Z!
d
dl"m#Z#m$Z$
d
dl%m&Z&
d
dl"m'Z'
ze�(ej)�
Z*e*�+dd��

Wne,k
�
r:


dZ
YnXze�(ej)�
Z*e*�-dd��

Wne,k
�
rt


dZYnXndZeZeZ
eZd
dl.m/Z/
d
dl0m1Z1
d
dl2m3Z3
d
dl4m5Z5
d
dl6m7Z7
d
dl8m9Z9
d
dl:m;Z;m<Z<
d
d lm=Z=m>Z>m?Z?
d
d!l@mAZA
d
d"l2mBZBmCZC
d
d#lmDZD
d
d$lEmFZF
e�sVd
d%lGmHZHmIZI
d
d&lmJZK
d
d'lLmMZM
d(ZNd)ZOe9eP�
jQ�Rd*�
�S�ZTe�U�f
d+d,�
ZVd-d.�ZWdzd0d1�
ZXd2d3�ZYd{d4d5�
ZZd|d6d7�
Z[d8d9�Z\Gd:d;�d;e=j]�Z^Gd<d=�d=e=j]�Z_Gd>d?�d?e`�ZaGd@dA�dAe;jb�ZcGdBdC�dCe`�ZdGdDdE�dEe`�ZeGdFdG�dGeee;jf�ZgGdHdI�dIe;jb�ZhGdJdK�dKe;jf�ZiGdLdM�dMe;jb�Zjd}dNdO�
ZkGdPdQ�dQe;jf�ZlGdRdS�dSe;jf�ZmGdTdU�dUe;jf�ZnGdVdW�dW�ZoGdXdY�dY�ZpGdZd[�d[�ZqGd\d]�d]e;jf�ZrGd^d_�d_e;jf�ZsGd`da�dae;jf�ZtGdbdc�dce;jf�ZuGddde�dee;jf�ZvGdfdg�dge;jf�ZwGdhdi�die`�ZxGdjdk�dke`�ZyGdldm�dme;jf�ZzGdndo�doe`�Z{Gdpdq�dqe`�Z|Gdrds�dse;jb�Z}Gdtdu�due;jb�Z~Gdvdw�dwe;jf�ZGdxdy�dye;jb�Z�dS)~z+
Tests for L{twisted.internet._sslverify}.
�)�division�absolute_importN)
�implementer)
�
requireModule�OpenSSL)
�ssl)
�SSL)
�get_elliptic_curves)�PKey�X509)�TYPE_RSA�FILETYPE_PEM)
�x509)
�default_backend)
�hashes)
�rsa)�
PrivateFormat�NoEncryption)
�NameOID)
�Encodingc


CsdS�
N��
�
crr�=/usr/lib/python3/dist-packages/twisted/test/test_sslverify.py�<lambda>.�rz1OpenSSL 1.0.1 or greater required for NPN supportc


CsdSrrrrrrr4rz2OpenSSL 1.0.2 or greater required for ALPN supportz"OpenSSL is required for SSL tests.)
�SetAsideModule)
�connectedServerAndClient)
�ConnectionClosed)
�nativeString)
�FilePath)
�	getModule)�unittest�util)�protocol�defer�reactor)
�	_idnaText)�CertificateError�ConnectionLost)
�
interfaces)
�Version)�
platformTrust�VerificationError)
�
_sslverify)
�TLSMemoryBIOFactorya�
-----BEGIN CERTIFICATE-----
        MIIC2jCCAkMCAjA5MA0GCSqGSIb3DQEBBAUAMIG0MQswCQYDVQQGEwJVUzEiMCAG
        A1UEAxMZZXhhbXBsZS50d2lzdGVkbWF0cml4LmNvbTEPMA0GA1UEBxMGQm9zdG9u
        MRwwGgYDVQQKExNUd2lzdGVkIE1hdHJpeCBMYWJzMRYwFAYDVQQIEw1NYXNzYWNo
        dXNldHRzMScwJQYJKoZIhvcNAQkBFhhub2JvZHlAdHdpc3RlZG1hdHJpeC5jb20x
        ETAPBgNVBAsTCFNlY3VyaXR5MB4XDTA2MDgxNjAxMDEwOFoXDTA3MDgxNjAxMDEw
        OFowgbQxCzAJBgNVBAYTAlVTMSIwIAYDVQQDExlleGFtcGxlLnR3aXN0ZWRtYXRy
        aXguY29tMQ8wDQYDVQQHEwZCb3N0b24xHDAaBgNVBAoTE1R3aXN0ZWQgTWF0cml4
        IExhYnMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxJzAlBgkqhkiG9w0BCQEWGG5v
        Ym9keUB0d2lzdGVkbWF0cml4LmNvbTERMA8GA1UECxMIU2VjdXJpdHkwgZ8wDQYJ
        KoZIhvcNAQEBBQADgY0AMIGJAoGBAMzH8CDF/U91y/bdbdbJKnLgnyvQ9Ig9ZNZp
        8hpsu4huil60zF03+Lexg2l1FIfURScjBuaJMR6HiMYTMjhzLuByRZ17KW4wYkGi
        KXstz03VIKy4Tjc+v4aXFI4XdRw10gGMGQlGGscXF/RSoN84VoDKBfOMWdXeConJ
        VyC4w3iJAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAviMT4lBoxOgQy32LIgZ4lVCj
        JNOiZYg8GMQ6y0ugp86X80UjOvkGtNf/R7YgED/giKRN/q/XJiLJDEhzknkocwmO
        S+4b2XpiaZYxRyKWwL221O7CGmtWYyZl2+92YYmmCiNzWQPfP6BOMlfax0AGLHls
        fXzCWdG0O/3Lk2SRM0I=
-----END CERTIFICATE-----
a�
-----BEGIN CERTIFICATE-----
        MIIC3jCCAkcCAjA6MA0GCSqGSIb3DQEBBAUAMIG2MQswCQYDVQQGEwJVUzEiMCAG
        A1UEAxMZZXhhbXBsZS50d2lzdGVkbWF0cml4LmNvbTEPMA0GA1UEBxMGQm9zdG9u
        MRwwGgYDVQQKExNUd2lzdGVkIE1hdHJpeCBMYWJzMRYwFAYDVQQIEw1NYXNzYWNo
        dXNldHRzMSkwJwYJKoZIhvcNAQkBFhpzb21lYm9keUB0d2lzdGVkbWF0cml4LmNv
        bTERMA8GA1UECxMIU2VjdXJpdHkwHhcNMDYwODE2MDEwMTU2WhcNMDcwODE2MDEw
        MTU2WjCBtjELMAkGA1UEBhMCVVMxIjAgBgNVBAMTGWV4YW1wbGUudHdpc3RlZG1h
        dHJpeC5jb20xDzANBgNVBAcTBkJvc3RvbjEcMBoGA1UEChMTVHdpc3RlZCBNYXRy
        aXggTGFiczEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czEpMCcGCSqGSIb3DQEJARYa
        c29tZWJvZHlAdHdpc3RlZG1hdHJpeC5jb20xETAPBgNVBAsTCFNlY3VyaXR5MIGf
        MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnm+WBlgFNbMlHehib9ePGGDXF+Nz4
        CjGuUmVBaXCRCiVjg3kSDecwqfb0fqTksBZ+oQ1UBjMcSh7OcvFXJZnUesBikGWE
        JE4V8Bjh+RmbJ1ZAlUPZ40bAkww0OpyIRAGMvKG+4yLFTO4WDxKmfDcrOb6ID8WJ
        e1u+i3XGkIf/5QIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAD4Oukm3YYkhedUepBEA
        vvXIQhVDqL7mk6OqYdXmNj6R7ZMC8WWvGZxrzDI1bZuB+4aIxxd1FXC3UOHiR/xg
        i9cDl1y8P/qRp4aEBNF6rI0D4AxTbfnHQx4ERDAOShJdYZs/2zifPJ6va6YvrEyr
        yqDtGhklsWW3ZwBzEh5VEOUp
-----END CERTIFICATE-----
z
server.pemc

Cst|�
S)
zQ
    Each time we're called, return the next integer in the natural numbers.
    )
�next)
�counterrrrr2�sr2cKs�t�}
|
�
td
�
t�}|�d�

|�d�

|��|��fD]&}|��D]\}}t	||t
|�
�
qHq<|�t��

|�
|
�

|�|
d�
|
|fS)Nir
i�3�
Zmd5)r
Zgenerate_keyrrZgmtime_adj_notBeforeZgmtime_adj_notAfterZ
get_issuer�get_subject�items�setattrr Zset_serial_numberr2Z
set_pubkey�sign)�kwZkeypair�certificateZxname�
k�
vrrr�makeCertificate�s











r;�example.comc
	Cs�
t�
t�tjd
�g
�
}
t�
t�tjd�g
�
}t�ddd�}tjddt	�d�}|�
�}t���|
�
�
|
�
�tj��|�
�tj��|�
�t���
�
|�
jtjdd	d
�dd�j|t��t	�d�}tjddt	�d�}|�
�}zt�|�
}	Wn"tk
�
r


t�|�
g
}
YnXt�|	�
g
}
t���|�
�
|
�
�tj��|�
�tj��|�
�t���
�
|�
jtjd
dd
�dd�jt�|
�
dd�j|t��t	�d�}tj� |�!t"j#�
�
}tj$� d�%|�&t"j#t'j(t)��|�!t"j#�
g�
�
}
||
fS)a~

    Create a self-signed CA certificate and server certificate signed by the
    CA.

    @param serviceIdentity: The identity (hostname) of the server.
    @type serviceIdentity: L{unicode}

    @return: a 2-tuple of C{(certificate_authority_certificate,
        server_certificate)}
    @rtype: L{tuple} of (L{sslverify.Certificate},
        L{sslverify.PrivateCertificate})
    zTesting Example CAzTesting Example Server�
r
i

i)Zpublic_exponentZkey_size�backendT�	)ZcaZpath_length)
Zcritical)Zprivate_key�	algorithmr>FN�

)*r�NameZ
NameAttributerZCOMMON_NAME�datetimeZ	timedeltarZgenerate_private_keyrZ
public_keyZCertificateBuilderZsubject_nameZissuer_nameZnot_valid_beforeZtodayZnot_valid_afterZ
serial_numberZrandom_serial_number�
add_extensionZBasicConstraintsr6rZSHA256�	ipaddressZ
ip_address�
ValueErrorZDNSNameZ	IPAddressZSubjectAlternativeName�	sslverify�Certificate�loadPEMZpublic_bytesrZPEM�PrivateCertificate�joinZ
private_bytesrZTraditionalOpenSSLr)ZserviceIdentityZcommonNameForCAZcommonNameForServerZoneDayZprivateKeyForCAZpublicKeyForCA�
caCertificateZprivateKeyForServerZpublicKeyForServerZ	ipAddressZsubjectAlternativeNames�serverCertificate�
caSelfCert�
serverCertrrr�!certificatesForAuthorityAndServer�s�

�
�



�
�������
��


�



�������
��
��

�



�
��	rPc	s�Gd
d�dtj
�}Gdd�dtj
�}|��
|��t��}�
f
dd�|_t��}�f
dd�|_t|
d|d	��t|d
|d	��t�f
dd��f
dd��\}}}||��
|fS)
a�
    Common implementation code for both L{loopbackTLSConnection} and
    L{loopbackTLSConnectionInMemory}. Creates a loopback TLS connection
    using the provided server and client context factories.

    @param serverOpts: An OpenSSL context factory for the server.
    @type serverOpts: C{OpenSSLCertificateOptions}, or any class with an
        equivalent API.

    @param clientOpts: An OpenSSL context factory for the client.
    @type clientOpts: C{OpenSSLCertificateOptions}, or any class with an
        equivalent API.

    @return: 5-tuple of server-tls-protocol, server-inner-protocol,
        client-tls-protocol, client-inner-protocol and L{IOPump}
    @rtype: L{tuple}
    c@seZ
dZd
Zdd�ZdS)z._loopbackTLSConnection.<locals>.GreetingServer�
greetings!c

Ss|j�
|j�

dSr��	transport�write�greeting�
�selfrrr�connectionMade
s
z=_loopbackTLSConnection.<locals>.GreetingServer.connectionMadeN)�__name__�
__module__�__qualname__rUrXrrrr�GreetingServer

s

r\c@s$eZ
dZd
ZdZdd�Zdd�ZdS)z/_loopbackTLSConnection.<locals>.ListeningClientrNcSs|j|
7_dSr�
�data�rWr^rrr�dataReceived
s
z<_loopbackTLSConnection.<locals>.ListeningClient.dataReceivedcSs
|
|_dSr�
�
lostReason�rW�reasonrrr�connectionLost
s
z>_loopbackTLSConnection.<locals>.ListeningClient.connectionLost)rYrZr[r^rbr`rerrrr�ListeningClient
s


rfc
s�Srrr�
�clientWrappedProtorrr
rz(_loopbackTLSConnection.<locals>.<lambda>c
s�Srrr�
�serverWrappedProtorrr 
rT�ZisClientZwrappedFactoryFcs
��d�
Sr�
Z
buildProtocolr)
�
serverFactoryrrr,
rcs
��d�
Srrlr)
�
clientFactoryrrr-
r)r%�Protocol�Factoryr0r)	�
serverOpts�
clientOptsr\rfZplainClientFactoryZplainServerFactory�sProto�cProto�pumpr)rnrhrmrjr�_loopbackTLSConnection�s.





�

�



�
rvcs2G��
fd
d�dt�}|�}t
j|d�
}t||�S)aF
    Create a loopback TLS connection with the given trust and keys.

    @param trustRoot: the C{trustRoot} argument for the client connection's
        context.
    @type trustRoot: L{sslverify.IOpenSSLTrustRoot}

    @param privateKeyFile: The name of the file containing the private key.
    @type privateKeyFile: L{str} (native string; file name)

    @param chainedCertFile: The name of the chained certificate file.
    @type chainedCertFile: L{str} (native string; file name)

    @return: 3-tuple of server-protocol, client-protocol, and L{IOPump}
    @rtype: L{tuple}
    cseZ
dZ��
fd
d�ZdS)z-loopbackTLSConnection.<locals>.ContextFactoryc
s4t�
tj�
}
�d
k	r|
���

|
��
�

|
��
|
S)z�
            Create a context for the server side of the connection.

            @return: an SSL context using a certificate and key.
            @rtype: C{OpenSSL.SSL.Context}
            N)r�Context�TLSv1_METHODZuse_certificate_chain_fileZuse_privatekey_file�check_privatekey�rW�ctx��chainedCertFile�privateKeyFilerr�
getContextE
s





z8loopbackTLSConnection.<locals>.ContextFactory.getContextN)rYrZr[rrr|rr�ContextFactoryD
s
r��
�	trustRoot)�objectrG�OpenSSLCertificateOptionsrv)r�r~r}r�rqrrrr|r�loopbackTLSConnection3
s
r�cCs4|d
krtj
}|||d�}tj
|
||d�}t||�S)a�
    Create a loopback TLS connection with the given trust and keys. Like
    L{loopbackTLSConnection}, but using in-memory certificates and keys rather
    than writing them to disk.

    @param trustRoot: the C{trustRoot} argument for the client connection's
        context.
    @type trustRoot: L{sslverify.IOpenSSLTrustRoot}

    @param privateKey: The private key.
    @type privateKey: L{str} (native string)

    @param serverCertificate: The certificate used by the server.
    @type chainedCertFile: L{str} (native string)

    @param clientProtocols: The protocols the client is willing to negotiate
        using NPN/ALPN.

    @param serverProtocols: The protocols the server is willing to negotiate
        using NPN/ALPN.

    @param clientOptions: The type of C{OpenSSLCertificateOptions} class to
        use for the client. Defaults to C{OpenSSLCertificateOptions}.

    @return: 3-tuple of server-protocol, client-protocol, and L{IOPump}
    @rtype: L{tuple}
    N)r��acceptableProtocols)�
privateKeyr8r�)rGr�rv)r�r�rM�clientProtocols�serverProtocols�
clientOptions�clientCertOpts�serverCertOptsrrr�loopbackTLSConnectionInMemory[
s


�


�r�c
	Gs<|��}t
|d
�� }|
D]}|�|�t�
�

qW5QRX|S)a�
    Create a temporary file to store some serializable-as-PEM objects in, and
    return its name.

    @param testCase: a test case to use for generating a temporary directory.
    @type testCase: L{twisted.trial.unittest.TestCase}

    @param dumpables: arguments are objects from pyOpenSSL with a C{dump}
        method, taking a pyOpenSSL file-type constant, such as
        L{OpenSSL.crypto.FILETYPE_PEM} or L{OpenSSL.crypto.FILETYPE_ASN1}.
    @type dumpables: L{tuple} of L{object} with C{dump} method taking L{int}
        returning L{bytes}

    @return: the path to a file where all of the dumpables were dumped in PEM
        format.
    @rtype: L{str}
    �wb)Zmktemp�openrT�dumpr
)ZtestCaseZ	dumpables�fname�
fZdumpablerrr�pathContainingDumpOf�
s




r�c@seZ
dZd
d�Zdd�ZdS)�DataCallbackProtocolcCs(|jj
d}|j_
|dk	r$|�|
�

dSr)�factory�onData�callback)rWr^�
drrrr`�
s


z!DataCallbackProtocol.dataReceivedcCs(|jj
d}|j_
|dk	r$|�|
�

dSr�r��onLostZerrback)rWrdr�rrrre�
s


z#DataCallbackProtocol.connectionLostN)rYrZr[r`rerrrrr��
s
r�c@s eZ
dZd
Zdd�Zdd�ZdS)�WritingProtocol�
xc

Cs|j�
|j�

dSr)rSrT�byterVrrrrX�
s
zWritingProtocol.connectionMadecCs|jj
�|
�

dSrr�rcrrrre�
s
zWritingProtocol.connectionLostN)rYrZr[r�rXrerrrrr��
s

r�c@s�eZ
dZd
ZdZdd�Zdd�Zdd�Zd	d
�Zdd�Z	d
d�Z
dd�Zdd�Zdd�Z
dd�Zdd�Zdd�Zdd�Zdd�ZdS) �FakeContexta�
    Introspectable fake of an C{OpenSSL.SSL.Context}.

    Saves call arguments for later introspection.

    Necessary because C{Context} offers poor introspection.  cf. this
    U{pyOpenSSL bug<https://bugs.launchpad.net/pyopenssl/+bug/1173899>}.

    @ivar _method: See C{method} parameter of L{__init__}.

    @ivar _options: L{int} of C{OR}ed values from calls of L{set_options}.

    @ivar _certificate: Set by L{use_certificate}.

    @ivar _privateKey: Set by L{use_privatekey}.

    @ivar _verify: Set by L{set_verify}.

    @ivar _verifyDepth: Set by L{set_verify_depth}.

    @ivar _mode: Set by L{set_mode}.

    @ivar _sessionID: Set by L{set_session_id}.

    @ivar _extraCertChain: Accumulated L{list} of all extra certificates added
        by L{add_extra_chain_cert}.

    @ivar _cipherList: Set by L{set_cipher_list}.

    @ivar _dhFilename: Set by L{load_tmp_dh}.

    @ivar _defaultVerifyPathsSet: Set by L{set_default_verify_paths}

    @ivar _ecCurve: Set by L{set_tmp_ecdh}
    r
cCs|
|_g|_
d
|_d|_dS)NF)�_method�_extraCertChain�_defaultVerifyPathsSet�_ecCurve)rW�methodrrr�__init__�
s



zFakeContext.__init__cCs|j|
O_dSr)
�_options�rW�optionsrrr�set_options�
s
zFakeContext.set_optionscCs
|
|_dSr)
�_certificate)rWr8rrr�use_certificate�
s
zFakeContext.use_certificatecCs
|
|_dSr)
�_privateKey)rWr�rrr�use_privatekey�
s
zFakeContext.use_privatekeyc


CsdSrrrVrrrry�
s
zFakeContext.check_privatekeycCs
|
|_d
S)zo
        Set the mode. See L{SSL.Context.set_mode}.

        @param mode: See L{SSL.Context.set_mode}.
        N)
�_mode)rW�moderrr�set_mode�
szFakeContext.set_modecCs|
|f|_dSr)
Z_verify)rW�flagsr�rrr�
set_verifys
zFakeContext.set_verifycCs
|
|_dSr)
Z_verifyDepth)rWZdepthrrr�set_verify_depths
zFakeContext.set_verify_depthcCs
|
|_dSr)
Z
_sessionID)rWZ	sessionIDrrr�set_session_ids
zFakeContext.set_session_idcCs|j�
|
�

dSr)r��append�rW�certrrr�add_extra_chain_certs
z FakeContext.add_extra_chain_certcCs
|
|_dSr)
�_cipherList)rWZ
cipherListrrr�set_cipher_lists
zFakeContext.set_cipher_listcCs
|
|_dSr)
�_dhFilename)rWZ
dhfilenamerrr�load_tmp_dhs
zFakeContext.load_tmp_dhc

Cs
d
|_dS)z9
        Set the default paths for the platform.
        TN)
r�rVrrr�set_default_verify_pathssz$FakeContext.set_default_verify_pathscCs
|
|_d
S)z�
        Set an ECDH curve.  Should only be called by OpenSSL 1.0.1
        code.

        @param curve: See L{OpenSSL.SSL.Context.set_tmp_ecdh}
        N)
r��rW�curverrr�set_tmp_ecdhszFakeContext.set_tmp_ecdhN)rYrZr[�__doc__r�r�r�r�r�ryr�r�r�r�r�r�r�r�r�rrrrr��
s 
#	r�c@s@eZ
dZd
ZereZdd�Zdd�Zdd�Zdd	�Z	d
d�Z
dS)
�ClientOptionsTestsz5
    Tests for L{sslverify.optionsForClientTLS}.
    c
Cs(|jt
tjd
dd�}
|�t|
�
d�
dS)z�
        When passed a keyword parameter other than C{extraCertificateOptions},
        L{sslverify.optionsForClientTLS} raises an exception just like a
        normal Python function would.
        ZalphaZbeta)�hostnameZsomeRandomThingzJoptionsForClientTLS() got an unexpected keyword argument 'someRandomThing'N)�assertRaises�	TypeErrorrG�optionsForClientTLS�assertEqual�str)rW�errorrrr�test_extraKeywords1s


�

�z%ClientOptionsTests.test_extraKeywordsc
Cs.|�t
tjd
�}
dtj}|�t|
�
|�
dS)z�
        If you pass L{bytes} as the hostname to
        L{sslverify.optionsForClientTLS} it immediately raises a L{TypeError}.
        snot-actually-a-hostname.comz6optionsForClientTLS requires text for host names, not N)r�r�rGr��bytesrYr�r�)rWr�ZexpectedTextrrr�test_bytesFailFastCs

�
��z%ClientOptionsTests.test_bytesFailFastc
Cst�
d
�
}
|�|
j�

dS)zl
        If you pass a dNSName to L{sslverify.optionsForClientTLS}
        L{_sendSNI} will be True
        r<N)rGr��
assertTrue�_sendSNIr�rrr�test_dNSNameHostnameSs

z'ClientOptionsTests.test_dNSNameHostnamec
Cst�
d
�
}
|�|
j�

dS)zs
        If you pass an IPv4 address to L{sslverify.optionsForClientTLS}
        L{_sendSNI} will be False
        �	127.0.0.1N�rGr��assertFalser�r�rrr�test_IPv4AddressHostname\s

z+ClientOptionsTests.test_IPv4AddressHostnamec
Cst�
d
�
}
|�|
j�

dS)zs
        If you pass an IPv6 address to L{sslverify.optionsForClientTLS}
        L{_sendSNI} will be False
        z::1Nr�r�rrr�test_IPv6AddressHostnamees

z+ClientOptionsTests.test_IPv6AddressHostnameN)rYrZr[r��skipSSL�skipr�r�r�r�r�rrrrr�*s

		r�c@s eZ
dZd
Zdd�Zdd�ZdS)�$FakeChooseDiffieHellmanEllipticCurvezG
    A fake implementation of L{_ChooseDiffieHellmanEllipticCurve}
    c
Csd
S)z&
        A no-op constructor.
        Nr)rWZ
versionNumber�
openSSLlib�
openSSLcryptorrrr�ts
z-FakeChooseDiffieHellmanEllipticCurve.__init__c
Csd
S)z|
        A null configuration.

        @param ctx: An L{OpenSSL.SSL.Context} that would be
            configured.
        Nrrzrrr�configureECDHCurvezs
z7FakeChooseDiffieHellmanEllipticCurve.configureECDHCurveN)rYrZr[r�r�r�rrrrr�os
r�c@sBeZ
dZd
ZereZdZZdZZ	dd�Z
dd�Zd	dd�
ZdS)
�OpenSSLOptionsTestsMixinz�
    A mixin for L{OpenSSLOptions} test cases creates client and server
    certificates, signs them with a CA, and provides a L{loopback}
    that creates TLS a connections with them.
    Nc

Csftd
dd�\|_
|_tddd�\|_|_tddd�d|_td	d
d�d|_|j|jg|_|j|_dS)zK
        Create class variables of client and server certificates.
        �Server Test Certificate�server��
O�CNsClient Test CertificatesclientsCA Test Certificate 1sca1r=�CA Test Certificatesca2N)	r;�sKey�sCert�cKey�cCertZcaCert1ZcaCert2�caCerts�extraCertChainrVrrr�setUp�s,

�

�

��

��
zOpenSSLOptionsTestsMixin.setUpc
Csf|jdk	r|j�
�
|jdk	r(|j��
g}
|jdk	rB|
�|j�

|jdk	rX|
�|j�

tj|
d
d�S)NT�
Z
consumeErrors)	�
serverPortZ
stopListening�
clientConnZ
disconnect�onServerLostr��onClientLostr&�DeferredList)rW�
Lrrr�tearDown�s













z!OpenSSLOptionsTestsMixin.tearDowncCs�|dkrt�
�|_}|dkr,t�
�|_}|dkr<t�
�}t��}t|_||_||_t�	�}t
|_||_t�d
||
�|_
t�d|j
��j||�|_dS)Nr
r�)r&�Deferredr�r�r%Z
ServerFactoryr�r�r�Z
ClientFactoryr�r'Z	listenSSLr�Z
connectSSLZgetHostZportr�)rWr�r�r�r�r�rmrnrrr�loopback�s&












�z!OpenSSLOptionsTestsMixin.loopback)NNN)
rYrZr[r�r�r�r�r�r�r�r�r�r�rrrrr��s


�r�cs�
eZ
dZd
Z�f
dd�Zdd�Zdd�Zdd	�Zd
d�Zdd
�Z	dd�Z
dd�Zdd�Zdd�Z
dd�Zdd�Zdd�Zdd�Zdd�Zd d!�Zd"d#�Zd$d%�Zd&d'�Zd(d)�Zd*d+�Zd,d-�Zd.d/�Zd0d1�Zd2d3�Zd4d5�Zd6d7�Zd8d9�Zd:d;�Z d<d=�Z!d>d?�Z"d@dA�Z#dBdC�Z$dDdE�Z%dFdG�Z&dHdI�Z'dJdK�Z(dLdM�Z)dNdO�Z*dPdQ�Z+dRdS�Z,dTdU�Z-e.j/e0dVdW�g
e-_/dXdY�Z1dZd[�Z2d\d]�Z3d^d_�Z4d`da�Z5dbdc�Z6ddde�Z7dfdg�Z8�Z9S)h�OpenSSLOptionsTestsz0
    Tests for L{sslverify.OpenSSLOptions}.
    c

s tt
|���
|�td
t�
dS)z�
        Same as L{OpenSSLOptionsTestsMixin.setUp}, but it also patches
        L{sslverify._ChooseDiffieHellmanEllipticCurve}.
        �!_ChooseDiffieHellmanEllipticCurveN)�superr�r��patchrGr�rV�
�	__class__rrr��s

�zOpenSSLOptionsTests.setUpc

Cs|jt
tj|jd
�
dS)�S
        C{privateKey} and C{certificate} make only sense if both are set.
        )
r�N)r�rFrGr�r�rVrrr�"test_constructorWithOnlyPrivateKey�s


�z6OpenSSLOptionsTests.test_constructorWithOnlyPrivateKeyc

Cs|jt
tj|jd
�
dS)r�)
r8N)r�rFrGr�r�rVrrr�#test_constructorWithOnlyCertificate�s


�z7OpenSSLOptionsTests.test_constructorWithOnlyCertificatec
CsDtj
|j|jd
�}
|�|
j|j�
|�|
j|j�
|�|
jg�
dS)zT
        Specifying C{privateKey} and C{certificate} initializes correctly.
        �r�r8N)rGr�r�r�r�r�r8r��rW�optsrrr�,test_constructorWithCertificateAndPrivateKey�s
�

z@OpenSSLOptionsTests.test_constructorWithCertificateAndPrivateKeyc

Cs|jt
tj|j|jd
d�
dS)zN
        C{verify} must not be C{True} without specifying C{caCerts}.
        T)r�r8�verifyN)r�rFrGr�r�r�rVrrr�0test_constructorDoesNotAllowVerifyWithoutCACerts�s


�zDOpenSSLOptionsTests.test_constructorDoesNotAllowVerifyWithoutCACertsc

	Cs@|jt
tj|j|jd
d|jd�
|jt
tj|j|jdd
d�
dS)z�
        C{verify}, C{requireCertificate}, and C{caCerts} must not be specified
        by the caller (to be I{any} value, even the default!) when specifying
        C{trustRoot}.
        TN)r�r8r�r�r�)r�r8r��requireCertificate)r�r�rGr�r�r�r�rVrrr�/test_constructorDoesNotAllowLegacyWithTrustRoots"



�



�zCOpenSSLOptionsTests.test_constructorDoesNotAllowLegacyWithTrustRootc
Cs6tj
|j|j|jd
�}
|�|
j�

|�|j|
j�
dS)z2
        It's currently a NOP, but valid.
        )r�r8r�N)rGr�r�r�r�r�r�r�r�rrr�*test_constructorAllowsCACertsWithoutVerifys

�
z>OpenSSLOptionsTests.test_constructorAllowsCACertsWithoutVerifyc
Cs8tj
|j|jd
|jd�}
|�|
j�

|�|j|
j�
dS)zL
        Specifying C{verify} and C{caCerts} initializes correctly.
        T)r�r8r�r�N)rGr�r�r�r�r�r�r�r�rrr�$test_constructorWithVerifyAndCACerts$s


�
z8OpenSSLOptionsTests.test_constructorWithVerifyAndCACertsc
Cs*tj
|j|j|jd
�}
|�|j|
j�
dS)zt
        Setting C{extraCertChain} works if C{certificate} and C{privateKey} are
        set along with it.
        �r�r8r�N)rGr�r�r�r�r�r�rrr�test_constructorSetsExtraChain0s


�z2OpenSSLOptionsTests.test_constructorSetsExtraChainc

Cs|jt
tj|j|jd
�
dS)zl
        A C{extraCertChain} without C{privateKey} doesn't make sense and is
        thus rejected.
        )r8r�N)r�rFrGr�r�r�rVrrr�7test_constructorDoesNotAllowExtraChainWithoutPrivateKey=s



�zKOpenSSLOptionsTests.test_constructorDoesNotAllowExtraChainWithoutPrivateKeyc

Cs|jt
tj|j|jd
�
dS)zm
        A C{extraCertChain} without C{certificate} doesn't make sense and is
        thus rejected.
        )r�r�N)r�rFrGr�r�r�rVrrr�7test_constructorDoesNotAllowExtraChainWithOutPrivateKeyJs



�zKOpenSSLOptionsTests.test_constructorDoesNotAllowExtraChainWithOutPrivateKeyc
CsXtj
|j|j|jd
�}
t|
_|
��}|�|j|j	�
|�|j|j
�
|�|j|j�
dS)z�
        If C{extraCertChain} is set and all prerequisites are met, the
        specified chain certificates are added to C{Context}s that get
        created.
        r
N)rGr�r�r�r�r��_contextFactoryrr�r�r�r��rWr�r{rrr�&test_extraChainFilesAreAddedIfSuppliedWs


�



z:OpenSSLOptionsTests.test_extraChainFilesAreAddedIfSuppliedc
Cs0tj
|j|j|jd
�}
|
��}|�|tj�
dS)zR
        C{extraCertChain} doesn't break C{OpenSSL.SSL.Context} creation.
        r
N)	rGr�r�r�r�r�assertIsInstancerrwr

rrr�$test_extraChainDoesNotBreakPyOpenSSLis


�
z8OpenSSLOptionsTests.test_extraChainDoesNotBreakPyOpenSSLc
Cs:tj
|j|jd
�}
t|
_|
��}|�|
j�	d�
|j
�
dS)z�
        If the user doesn't supply custom acceptable ciphers, a shipped secure
        default is used.  We can't check directly for it because the effective
        cipher string we set varies with platforms.
        r��asciiN)rGr�r�r�r�r	
rr�Z
_cipherString�encoder�r

rrr�"test_acceptableCiphersAreAlwaysSetvs

�

z6OpenSSLOptionsTests.test_acceptableCiphersAreAlwaysSetc
CsPtt
j�
Gd
d�dt��
}
tj|j|j|
�d�}t|_	|�
�}|�d|j�
dS)zB
        If acceptable ciphers are passed, they are used.
        c@seZ
dZd
d�ZdS)zWOpenSSLOptionsTests.test_honorsAcceptableCiphersArgument.<locals>.FakeAcceptableCipherscSst�
d
�
g
S)N�sentinel)rG�
OpenSSLCipher)rW�
_rrr�
selectCiphers�s
zeOpenSSLOptionsTests.test_honorsAcceptableCiphersArgument.<locals>.FakeAcceptableCiphers.selectCiphersN)rYrZr[r
rrrr�FakeAcceptableCiphers�sr
)r�r8ZacceptableCiphersssentinelN)
rr+ZIAcceptableCiphersr�rGr�r�r�r�r	
rr�r�)rWr
r�r{rrr�$test_honorsAcceptableCiphersArgument�s



�

z8OpenSSLOptionsTests.test_honorsAcceptableCiphersArgumentc
CsHtj
|j|jd
�}
t|
_|
��}tjtj	Btj
B}|�||j|@�
dS)z
        Every context must have C{OP_NO_SSLv2}, C{OP_NO_COMPRESSION}, and
        C{OP_CIPHER_SERVER_PREFERENCE} set.
        r�N)
rGr�r�r�r�r	
rr�OP_NO_SSLv2�OP_NO_COMPRESSION�OP_CIPHER_SERVER_PREFERENCEr�r��rWr�r{r�rrr�test_basicSecurityOptionsAreSet�s

�



�z3OpenSSLOptionsTests.test_basicSecurityOptionsAreSetc
Cs4tj
|j|jd
�}
t|
_|
��}|�tj	|j
�
dS)zH
        Every context must be in C{MODE_RELEASE_BUFFERS} mode.
        r�N)rGr�r�r�r�r	
rr�rZMODE_RELEASE_BUFFERSr�r

rrr�test_modeIsSet�s

�

z"OpenSSLOptionsTests.test_modeIsSetc
CsDtj
|j|jd
d�}
t|
_|
��}tjtj	B}|�
||j|@�
dS)z�
        If C{singleUseKeys} is set, every context must have
        C{OP_SINGLE_DH_USE} and C{OP_SINGLE_ECDH_USE} set.
        T)r�r8�enableSingleUseKeysN)rGr�r�r�r�r	
rrZOP_SINGLE_DH_USEZOP_SINGLE_ECDH_USEr�r�r
rrr�test_singleUseKeys�s


�


z&OpenSSLOptionsTests.test_singleUseKeysc
Csdtj
|j|jtjd
�
d}
|�|jg
�
}|�dt	|�
�
|�t
|dd�
|�|
|dd�
dS)zd
        Passing C{method} to L{sslverify.OpenSSLCertificateOptions} is
        deprecated.
        )r�r8r�z�Passing method to twisted.internet.ssl.CertificateOptions was deprecated in Twisted 17.1.0. Please use a combination of insecurelyLowerMinimumTo, raiseMinimumTo, and lowerMaximumSecurityTo instead, as Twisted will correctly configure the method.r=r
�category�messageN)rGr�r�r�r�
SSLv23_METHOD�
flushWarnings�test_methodIsDeprecatedr��len�DeprecationWarning)rWr 
�warningsrrrr#
�s


�


z+OpenSSLOptionsTests.test_methodIsDeprecatedc
CsNtj
|j|jd
�}
t|
_|
��}tjtj	Btj
BtjB}|�||j
|@�
dS)z�
        L{sslverify.OpenSSLCertificateOptions} will make the default minimum
        TLS version v1.0, if no C{method}, or C{insecurelyLowerMinimumTo} is
        given.
        r�N)rGr�r�r�r�r	
rrr
r
r
�OP_NO_SSLv3r�r�r
rrr�test_tlsv1ByDefault�s

�



�
�z'OpenSSLOptionsTests.test_tlsv1ByDefaultc
	CsH|�t
�
�$}
tj|j|jtjjtjjd
�
W5QRX|�|
j	j
d�
dS)z�
        Passing C{insecurelyLowerMinimumTo} along with C{raiseMinimumTo} to
        L{sslverify.OpenSSLCertificateOptions} will cause it to raise an
        exception.
        )r�r8�raiseMinimumTo�insecurelyLowerMinimumTo�
ZnopeN)r�r�rGr�r�r��
TLSVersion�TLSv1_2r��	exception�args�rW�
errr�#test_tlsProtocolsAtLeastWithMinimum�s




�z7OpenSSLOptionsTests.test_tlsProtocolsAtLeastWithMinimumc
	CsF|�t
�
�"}
tj|j|jtjtjj	d
�
W5QRX|�
|
jjd�
dS)z�
        Passing C{raiseMinimumTo} along with C{method} to
        L{sslverify.OpenSSLCertificateOptions} will cause it to raise an
        exception.
        )r�r8r�r)
r+
N�
r�r�rGr�r�r�rr!
r,
r-
r�r.
r/
r0
rrr�$test_tlsProtocolsNoMethodWithAtLeast�s




�z8OpenSSLOptionsTests.test_tlsProtocolsNoMethodWithAtLeastc
	CsF|�t
�
�"}
tj|j|jtjtjj	d
�
W5QRX|�
|
jjd�
dS)z�
        Passing C{insecurelyLowerMinimumTo} along with C{method} to
        L{sslverify.OpenSSLCertificateOptions} will cause it to raise an
        exception.
        )r�r8r�r*
r+
Nr3
r0
rrr�$test_tlsProtocolsNoMethodWithMinimums




�z8OpenSSLOptionsTests.test_tlsProtocolsNoMethodWithMinimumc
	CsF|�t
�
�"}
tj|j|jtjtjj	d
�
W5QRX|�
|
jjd�
dS)z�
        Passing C{lowerMaximumSecurityTo} along with C{method} to
        L{sslverify.OpenSSLCertificateOptions} will cause it to raise an
        exception.
        )r�r8r��lowerMaximumSecurityTor+
Nr3
r0
rrr�$test_tlsProtocolsNoMethodWithMaximum#s




�z8OpenSSLOptionsTests.test_tlsProtocolsNoMethodWithMaximumc
	CsH|�t
�
�$}
tj|j|jtjjtjjd
�
W5QRX|�	|
j
jd�
dS)z�
        Passing out of order TLS versions to C{insecurelyLowerMinimumTo} and
        C{lowerMaximumSecurityTo} will cause it to raise an exception.
        �r�r8r*
r6
)
zFinsecurelyLowerMinimumTo needs to be lower than lowerMaximumSecurityToN�r�rFrGr�r�r�r,
�TLSv1_0�SSLv3r�r.
r/
r0
rrr�test_tlsVersionRangeInOrder5s




�z/OpenSSLOptionsTests.test_tlsVersionRangeInOrderc
	CsH|�t
�
�$}
tj|j|jtjjtjjd
�
W5QRX|�	|
j
jd�
dS)z�
        Passing out of order TLS versions to C{raiseMinimumTo} and
        C{lowerMaximumSecurityTo} will cause it to raise an exception.
        )r�r8r)
r6
)
z<raiseMinimumTo needs to be lower than lowerMaximumSecurityToNr9
r0
rrr�"test_tlsVersionRangeInOrderAtLeastFs




�z6OpenSSLOptionsTests.test_tlsVersionRangeInOrderAtLeastc
Csftj
|j|jtjjd
�}
t|
_|
��}t	j
t	jBt	jBt	j
Bt	jBt	jB|
jB}|�||j|@�
dS)a

        When calling L{sslverify.OpenSSLCertificateOptions} with
        C{lowerMaximumSecurityTo} but no C{raiseMinimumTo} or
        C{insecurelyLowerMinimumTo} set, and C{lowerMaximumSecurityTo} is
        below the minimum default, the minimum will be made the new maximum.
        )r�r8r6
N�rGr�r�r�r,
r;
r�r	
rrr
r
r
�OP_NO_TLSv1�
OP_NO_TLSv1_1�
OP_NO_TLSv1_2�_OP_NO_TLSv1_3r�r�r
rrr�&test_tlsProtocolsreduceToMaxWithoutMinWs&


�



�
����z:OpenSSLOptionsTests.test_tlsProtocolsreduceToMaxWithoutMinc
Csltj
|j|jtjjtjjd
�}
t|
_|
��}t	j
t	jBt	jBt	j
Bt	jBt	jB|
jB}|�||j|@�
dS)z�
        When calling L{sslverify.OpenSSLCertificateOptions} with
        C{insecurelyLowerMinimumTo} and C{lowerMaximumSecurityTo} set to
        SSLv3, it will exclude all others.
        r8
Nr>
r
rrr�test_tlsProtocolsSSLv3Onlyks(



�



�
����z.OpenSSLOptionsTests.test_tlsProtocolsSSLv3Onlyc
Csltj
|j|jtjjtjjd
�}
t|
_|
��}t	j
t	jBt	jBt	j
Bt	jBt	jB|
jB}|�||j|@�
dS)z�
        When calling L{sslverify.OpenSSLCertificateOptions} with
        C{insecurelyLowerMinimumTo} and C{lowerMaximumSecurityTo} set to v1.0,
        it will exclude all others.
        r8
N)rGr�r�r�r,
r:
r�r	
rrr
r
r
r'
r@
rA
rB
r�r�r
rrr� test_tlsProtocolsTLSv1Point0Onlys(



�



�
����z4OpenSSLOptionsTests.test_tlsProtocolsTLSv1Point0Onlyc
Csltj
|j|jtjjtjjd
�}
t|
_|
��}t	j
t	jBt	jBt	j
Bt	jBt	jB|
jB}|�||j|@�
dS)z�
        When calling L{sslverify.OpenSSLCertificateOptions} with
        C{insecurelyLowerMinimumTo} and C{lowerMaximumSecurityTo} set to v1.1,
        it will exclude all others.
        r8
N)rGr�r�r�r,
ZTLSv1_1r�r	
rrr
r
r
r'
r?
rA
rB
r�r�r
rrr� test_tlsProtocolsTLSv1Point1Only�s(



�



�
����z4OpenSSLOptionsTests.test_tlsProtocolsTLSv1Point1Onlyc
Csltj
|j|jtjjtjjd
�}
t|
_|
��}t	j
t	jBt	jBt	j
Bt	jBt	jB|
jB}|�||j|@�
dS)z�
        When calling L{sslverify.OpenSSLCertificateOptions} with
        C{insecurelyLowerMinimumTo} and C{lowerMaximumSecurityTo} set to v1.2,
        it will exclude all others.
        r8
N)rGr�r�r�r,
r-
r�r	
rrr
r
r
r'
r?
r@
rB
r�r�r
rrr� test_tlsProtocolsTLSv1Point2Only�s(



�



�
����z4OpenSSLOptionsTests.test_tlsProtocolsTLSv1Point2Onlyc
Cs`tj
|j|jtjjtjjd
�}
t|
_|
�	�}t
jt
jBt
j
Bt
jB|
jB}|�||j|@�
dS)z�
        When calling L{sslverify.OpenSSLCertificateOptions} with
        C{insecurelyLowerMinimumTo} set to TLSv1.0 and
        C{lowerMaximumSecurityTo} to TLSv1.2, it will exclude both SSLs and
        the (unreleased) TLSv1.3.
        r8
N)rGr�r�r�r,
r:
r-
r�r	
rrr
r
r
r'
rB
r�r�r
rrr�test_tlsProtocolsAllModernTLS�s 



�



�
��z1OpenSSLOptionsTests.test_tlsProtocolsAllModernTLSc
Cs`tj
|j|jtjjd
�}
t|
_|
��}t	j
t	jBt	jBt	j
Bt	jBt	jB}|�||j|@�
dS)z�
        When calling L{sslverify.OpenSSLCertificateOptions} with
        C{raiseMinimumTo} set to TLSv1.2, it will ignore all TLSs below
        1.2 and SSL.
        �r�r8r)
N�rGr�r�r�r,
r-
r�r	
rrr
r
r
r'
r?
r@
r�r�r
rrr�$test_tlsProtocolsAtLeastAllSecureTLS�s"


�



�
���z8OpenSSLOptionsTests.test_tlsProtocolsAtLeastAllSecureTLSc
Csftj
|j|jtjjd
�}
t|
_|
��}t	j
t	jBt	jBt	j
B}|�||j|@�
|�|
jtjj�
dS)z�
        When calling L{sslverify.OpenSSLCertificateOptions} with
        C{raiseMinimumTo} set to a value lower than Twisted's default will
        cause it to use the more secure default.
        rI
N)rGr�r�r�r,
r;
r�r	
rrr
r
r
r'
r�r�Z_defaultMinimumTLSVersionr:
r
rrr�/test_tlsProtocolsAtLeastWillAcceptHigherDefault�s 


�


�
�

�zCOpenSSLOptionsTests.test_tlsProtocolsAtLeastWillAcceptHigherDefaultc
Cs`tj
|j|jtjjd
�}
t|
_|
��}t	j
t	jBt	jBt	j
Bt	jBt	jB}|�||j|@�
dS)z�
        When calling L{sslverify.OpenSSLCertificateOptions} with
        C{insecurelyLowerMinimumTo} set to TLSv1.2, it will ignore all TLSs below
        1.2 and SSL.
        )r�r8r*
NrJ
r
rrr�test_tlsProtocolsAllSecureTLS�s"


�



�
���z1OpenSSLOptionsTests.test_tlsProtocolsAllSecureTLSc
CsNGd
d�dt�}
|
�}t
j|j|j|d�}t|_|��}|�|
j	j
|j�
dS)zO
        If C{dhParams} is set, they are loaded into each new context.
        c@seZ
dZed
�
ZdS)zFOpenSSLOptionsTests.test_dhParams.<locals>.FakeDiffieHellmanParameters�	dh.paramsN)rYrZr[r!�_dhFilerrrr�FakeDiffieHellmanParameterss
rP
)r�r8ZdhParametersN)r�rGr�r�r�r�r	
rr�rO
�pathr�)rWrP
ZdhParamsr�r{rrr�
test_dhParams
s



�



�z!OpenSSLOptionsTests.test_dhParamsc
Cs�|�t
jd
dd�t
jd
dd��
|�t
jd
dd�t
jd
ddd��
t
jdd�
}
|�tt|
d	d
�
|�|
j|
j	�
d|
_|�|
j|
j	�
dS)
zh
        Check that abbreviations used in certificates correctly map to
        complete names.
        �
ashello)r��OU)�
commonName�organizationalUnitNamesxxx)r�rT
�emailAddresssabcdefg)
r�ZCnr�sbcdefgaN)
r�rG�DN�DistinguishedName�assertNotEqualr��AttributeErrorr5r�rU
)rW�dnrrr�#test_abbreviatingDistinguishedNames"s


��

�



z7OpenSSLOptionsTests.test_abbreviatingDistinguishedNamesc
	CsZtj
d
ddddddd�}
|
��}d	D]0}|�||d
|f
�
|�|��|d
|f
�
q$dS)Nscommon namesorganization namesorganizational unit name�
locality namesstate or province namescountry names
email address)rU
ZorganizationNamerV
�localityNameZstateOrProvinceNameZcountryNamerW
)�common name�organization name�organizational unit name�
locality name�state or province name�country name�
email addressz%r was not in inspect output.)rGrX
�inspect�assertIn�title�rW�
n�
sr9rrr�testInspectDistinguishedName5s






�

z0OpenSSLOptionsTests.testInspectDistinguishedNamec
Csftj
d
d�
}
|
��}dD]0}|�||d|f
�
|�|��|d|f
�
q|�d|�
|�d|�
dS)Nr^
)
r_
)r`
ra
rb
rd
re
rf
z%r was in inspect output.rc
z
Locality Name)rGrX
rg
�assertNotInri
rh
rj
rrr�,testInspectDistinguishedNameWithoutAllFieldsJs





z@OpenSSLOptionsTests.testInspectDistinguishedNameWithoutAllFieldsc
Csdtj
�t�
}
|
��}|��}|�|
���d
�
dddddddd	d
dddddddd	d
dd
d|g�
dS)z�
        Test that the C{inspect} method of L{sslverify.Certificate} returns
        a human-readable string containing some basic information about the
        certificate.
        �

zCertificate For Subject:z5               Common Name: example.twistedmatrix.comz              Country Name: USz4             Email Address: nobody@twistedmatrix.comz"             Locality Name: Bostonz/         Organization Name: Twisted Matrix Labsz$  Organizational Unit Name: Securityz)    State Or Province Name: Massachusetts�zIssuer:zSerial Number: 12345z7Digest: C4:96:11:00:30:C3:EC:EE:A3:55:AA:ED:8C:84:85:18zPublic Key with Hash: N)	rGrHrI�A_HOST_CERTIFICATE_PEM�getPublicKey�keyHashr�rg
�split)rWrZpkrt
rrr�test_inspectCertificateZs8























��z+OpenSSLOptionsTests.test_inspectCertificatec
CsXtj
�t�
}
tj
�t�
}tj
�t�
}|�|
���|���
�

|�|���|
���
�

d
S)z�
        L{PublicKey.matches} returns L{True} for keys from certificates with
        the same key, and L{False} for keys from certificates with different
        keys.
        N)	rGrHrIrr
�A_PEER_CERTIFICATE_PEMr�rs
Zmatchesr�)rWZhostAZhostBZpeerArrr�test_publicKeyMatching�s



z*OpenSSLOptionsTests.test_publicKeyMatchingc
Cs
tj
|j|jtjd
|jg
dddddd
d
d�}
|
��}|�||
j�
|�	|�

|
�
�}|�d|�
t�
�}|�|�

|�
|j|j�
|�
|j|j�
|�
|jtj�
|�|j�

|�
|j|jg
�
|�
|jd�
|�|j�

|�|j�

|�|j�

|�|j�

|�|j�

|�|j�

dS)zN
        Test that __setstate__(__getstate__()) round-trips properly.
        T�F)r�r8r�r�r��verifyDepthr

�
verifyOncer
�enableSessions�fixBrokenPeers�enableSessionTickets�_contextN)rGr�r�r�rr!
r�assertIsr
ZassertIsNotNone�__getstate__rn
�__setstate__r�r�r8r�r�r�r�rz
r�r

r{
r
r|
r}
r~
)rWZ	firstOpts�context�stater�rrr�$test_certificateOptionsSerialization�sB











�



















z8OpenSSLOptionsTests.test_certificateOptionsSerializationz/twisted\.internet\._sslverify\.*__[gs]etstate__)r
r 
c
Cs.tj
d
d�
}
|
��}|�d|�d�
d@�
dS)zR
        Enabling session tickets should not set the OP_NO_TICKET option.
        T�
r~
r
�@N�rGr�rr�r�r

rrr�%test_certificateOptionsSessionTickets�s

z9OpenSSLOptionsTests.test_certificateOptionsSessionTicketsc
Cs.tj
d
d�
}
|
��}|�d|�d�
d@�
dS)zN
        Enabling session tickets should set the OP_NO_TICKET option.
        Fr�
r�
r
Nr�
r

rrr�-test_certificateOptionsSessionTicketsDisabled�s

zAOpenSSLOptionsTests.test_certificateOptionsSessionTicketsDisabledc
sBt�
�}
�jtj�j�jd
d�tjd
d�
|
d�
|
��f
dd��
S)zw
        Check that anonymous connections are allowed when certificates aren't
        required on the server.
        F)r�r8r

�
r

�
r�c

s��|t
j�Sr�r�r�r��
�resultrVrrr�rzKOpenSSLOptionsTests.test_allowedAnonymousClientConnection.<locals>.<lambda>�r&r�r�rGr�r�r��addCallback�rWr�rrVr�%test_allowedAnonymousClientConnection�s

�
��

�z9OpenSSLOptionsTests.test_allowedAnonymousClientConnectionc
sjt�
�}
t�
�}�jtj�j�jd
�jg
d
d�tjdd�
|
|d�
tj||
gd
d�}�f
dd�}|�|�
S)	zt
        Check that anonymous connections are refused when certificates are
        required on the server.
        T)r�r8r�r�r

Fr�
�r�r�r�c
sL|\\}
}\}}��|
�

��|�

��
|jtjtf�
��
|jtj�
dSr)r�r
�valuer�Errorr*�r�
ZcSuccessZcResultZsSuccessZsResultrVrr�	afterLost�s






zLOpenSSLOptionsTests.test_refusedAnonymousClientConnection.<locals>.afterLost)	r&r�r�rGr�r�r�r�r�
�rWr�r�r�r�
rrVr�%test_refusedAnonymousClientConnection�s&



�
�
�

�
z9OpenSSLOptionsTests.test_refusedAnonymousClientConnectionc
slt�
�}
t�
�}�jtj�j�jd
d
d�tjdd
�jg
d�|
|d�
tj||
gdd�}�f
dd�}|�	|�
S)	zg
        Check that connecting with a certificate not accepted by the server CA
        fails.
        F�r�r8r�r

T�r�r

r�r�
r�c
s(|\\}
}\}}��|
�

��|�

dSr)
r�r�
rVrrr�
s



zIOpenSSLOptionsTests.test_failedCertificateVerification.<locals>.afterLost)
r&r�r�rGr�r�r�r�r�r�
r�
rrVr�"test_failedCertificateVerification�s&



�
�
�

�z6OpenSSLOptionsTests.test_failedCertificateVerificationc
sLt�
�}
�jtj�j�jd
d
d�tjdd�jg
d�|
d�
|
��f
dd��
S)zi
        Test a successful connection with client certificate validation on
        server side.
        Fr�
Tr�
r�
c

s��|t
j�Srr�
r�
rVrrr#rzLOpenSSLOptionsTests.test_successfulCertificateVerification.<locals>.<lambda>r�
r�
rrVr�&test_successfulCertificateVerifications


�
��

�z:OpenSSLOptionsTests.test_successfulCertificateVerificationc
	sZt�
�}
�jtj�j�jd
d
�jg
d�tj�j�jd
d
�jg
d�|
d�
|
�	�f
dd��
S)zg
        Test a successful connection with validation on both server and client
        sides.
        T)r�r8r�r

r�r�
c

s��|t
j�Srr�
r�
rVrrr4rz_OpenSSLOptionsTests.test_successfulSymmetricSelfSignedCertificateVerification.<locals>.<lambda>)
r&r�r�rGr�r�r�r�r�r�
r�
rrVr�9test_successfulSymmetricSelfSignedCertificateVerification%s$


�

��

�zMOpenSSLOptionsTests.test_successfulSymmetricSelfSignedCertificateVerificationc
s

tj
d
d�
}
tj��}|�|
�
}tj
dd�
}tj��}|�|�
}|�|
�
}|�|
|dd�d�}|�|�
}	|�|�
}
|�||
dd�d�}|�|�
}|�||d	d�d
�}
|�|
�
}|�|
|dd�d�}|�|�
}t��}|�	|�
}|�	|	�
}�j
|||d
�
|��f
dd��
S)zT
        Check certificates verification building custom certificates data.
        �client)
rU
Zserverc


Ssd
S�NTr�
r\
rrrrDrz7OpenSSLOptionsTests.test_verification.<locals>.<lambda>�c


Ssd
Sr�
rr�
rrrrIric


Ssd
Sr�
rr�
rrrrMr�c


Ssd
Sr�
rr�
rrrrQr�*r�
c

s��|t
j�Srr�
r�
rVrrr^r)rGrY
�KeyPairZgenerateZcertificateRequestZsignCertificateRequestZnewCertificater&r�r�r�r�
)rWZclientDNZ	clientKeyZ
clientCertReqZserverDNZ	serverKeyZ
serverCertReqZclientSelfCertReqZclientSelfCertDataZclientSelfCertZserverSelfCertReqZserverSelfCertDataZserverSelfCertZclientCertData�
clientCertZserverCertDatarOr�rqrrrrVr�test_verification6s\










�



�

�

�





�

�z%OpenSSLOptionsTests.test_verification):rYrZr[r�r�r�r�r�r
r
r
r
r
r
r
r
r

r
r
r
r
r
r#
r(
r2
r4
r5
r7
r<
r=
rC
rD
rE
rF
rG
rH
rK
rL
rM
rR
r]
rm
ro
rv
rx
r�
r$�suppressr%
r�
r�
r�
r�
r�
r�
r�
r�
�
__classcell__rrr�rr��sn








)'
��		r�c@s(eZ
dZd
ZereZdd�Zdd�ZdS)�DeprecationTestszo
    Tests for deprecation of L{sslverify.OpenSSLCertificateOptions}'s support
    of the pickle protocol.
    c

Cs$|�t
d
ddd�dft��j�
dS)zT
        L{sslverify.OpenSSLCertificateOptions.__getstate__} is deprecated.
        �Twisted�r
�a real persistence systemN)�callDeprecatedr,rGr�r�
rVrrr�test_getstateDeprecationjs

�z)DeprecationTests.test_getstateDeprecationc

Cs&|�t
d
ddd�dft��ji�
dS)zT
        L{sslverify.OpenSSLCertificateOptions.__setstate__} is deprecated.
        r�
r�
r
r�
N)r�
r,rGr�r�
rVrrr�test_setstateDeprecationss


�z)DeprecationTests.test_setstateDeprecationN)rYrZr[r�r�r�r�
r�
rrrrr�
bs


	r�
c@s8eZ
dZd
ZereZdd�Zdd�Zdd�Zdd	�Z	d
S)�TrustRootTestsz�
    Tests for L{sslverify.OpenSSLCertificateOptions}' C{trustRoot} argument,
    L{sslverify.platformTrust}, and their interactions.
    c

Cs|�t
d
t�
dS)zG
        Patch L{sslverify._ChooseDiffieHellmanEllipticCurve}.
        r�N)r�rGr�rVrrrr��s
�zTrustRootTests.setUpc
s@tj
t��d
�
}
ttj�
��f
dd�|
_|
��
|��j	�

dS)z�
        Specifying a C{trustRoot} of L{sslverify.OpenSSLDefaultPaths} when
        initializing L{sslverify.OpenSSLCertificateOptions} loads the
        platform-provided trusted certificates via C{set_default_verify_paths}.
        r�c


s�Srr)
r��
Zfcrrr�rz=TrustRootTests.test_caCertsPlatformDefaults.<locals>.<lambda>N)
rGr�ZOpenSSLDefaultPathsr�rrxr	
rr�r�r�rr�
r�test_caCertsPlatformDefaults�s
�



z+TrustRootTests.test_caCertsPlatformDefaultsc
Cs�t�\}
}t
|||
�}t
||j�}tt�||d
�\}}}}}	|�|jd�
|�|jjt	j
�
|jj}
|�|
jdddd�
dS)a-
        Specifying a C{trustRoot} of L{platformTrust} when initializing
        L{sslverify.OpenSSLCertificateOptions} causes certificates issued by a
        newly created CA to be rejected by an SSL connection using these
        options.

        Note that this test should I{always} pass, even on platforms where the
        CA certificates are not installed, as long as L{platformTrust} rejects
        completely invalid / unknown root CA certificates.  This is simply a
        smoke test to make sure that verification is happening at all.
        �r�r~r}rr
ry
�tlsv1 alert unknown caN)
rPr�r�r�r-r�r^rb�typerr�
r�
r/
)rWrNrOZchainedCertr�rsrt�sWrapped�cWrappedru�errrrr�(test_trustRootPlatformRejectsUntrustedCA�s





�
z7TrustRootTests.test_trustRootPlatformRejectsUntrustedCAc

Csbt�\}
}t�\}}t
|
t||j�t||�d
�\}}}}}	|	��
|�|j�

|�|j|j	�
dS)z�
        Specifying a L{Certificate} object for L{trustRoot} will result in that
        certificate being the only trust root for a client.
        r�
N)
rPr�r�r��flush�assertIsNonerbr�r^rU)
rW�caCertrOZotherCa�otherServerrsrtr�
r�
rurrr�!test_trustRootSpecificCertificate�s







�


�z0TrustRootTests.test_trustRootSpecificCertificateN)
rYrZr[r�r�r�r�r�
r�
r�
rrrrr�
}s

 r�
c@s�eZ
dZd
ZereZdd�dddddddfdd�
Zdd	�Zd
d�Zdd
�Z	dd�Z
dd�Zdd�Zdd�Z
dd�Zedk	r�ee_dd�Zedk	r�ee_dd�Zdd�ZdS)�ServiceIdentityTestsz�
    Tests for the verification of the peer's service's identity via the
    C{hostname} argument to L{sslverify.OpenSSLCertificateOptions}.
    c


CsdSrr�
r{rrrr�rzServiceIdentityTests.<lambda>TFcs�
t|�
\�}i}d
}
td�
\}}|r0|j
|d�

|rN|r>|}
ntd�
\}}|}
tjf|jj|jd�|��
}||���

|s�t|�
\�}|r�dd�}|�tjd|�
d|
i
}|
r�|j
|
d	�

|
s�|j
�d�

|	r�|�td
�f
dd��
tj	f|�
}Gd
d�dt
j�}Gdd�dt
j�}|��|��
t
��}�
f
dd�|_
t
��}�f
dd�|_
||_
||_t|d|d��t|d|d��t�f
dd��f
dd��\}}}||�
�|fS)a�	
        Connect a server and a client.

        @param clientHostname: The I{client's idea} of the server's hostname;
            passed as the C{hostname} to the
            L{sslverify.OpenSSLCertificateOptions} instance.
        @type clientHostname: L{unicode}

        @param serverHostname: The I{server's own idea} of the server's
            hostname; present in the certificate presented by the server.
        @type serverHostname: L{unicode}

        @param serverContextSetup: a 1-argument callable invoked with the
            L{OpenSSL.SSL.Context} after it's produced.
        @type serverContextSetup: L{callable} taking L{OpenSSL.SSL.Context}
            returning L{None}.

        @param validCertificate: Is the server's certificate valid?  L{True} if
            so, L{False} otherwise.
        @type validCertificate: L{bool}

        @param clientPresentsCertificate: Should the client present a
            certificate to the server?  Defaults to 'no'.
        @type clientPresentsCertificate: L{bool}

        @param validClientCertificate: If the client presents a certificate,
            should it actually be a valid one, i.e. signed by the same CA that
            the server is checking?  Defaults to 'yes'.
        @type validClientCertificate: L{bool}

        @param serverVerifies: Should the server verify the client's
            certificate?  Defaults to 'no'.
        @type serverVerifies: L{bool}

        @param buggyInfoCallback: Should we patch the implementation so that
            the C{info_callback} passed to OpenSSL to have a bug and raise an
            exception (L{ZeroDivisionError})?  Defaults to 'no'.
        @type buggyInfoCallback: L{bool}

        @param fakePlatformTrust: Should we fake the platformTrust to be the
            same as our fake server certificate authority, so that we can test
            it's being used?  Defaults to 'no' and we just pass platform trust.
        @type fakePlatformTrust: L{bool}

        @param useDefaultTrust: Should we avoid passing the C{trustRoot} to
            L{ssl.optionsForClientTLS}?  Defaults to 'no'.
        @type useDefaultTrust: L{bool}

        @return: the client TLS protocol, the client wrapped protocol,
            the server TLS protocol, the server wrapped protocol and
            an L{IOPump} which, when its C{pump} and C{flush} methods are
            called, will move data between the created client and server
            protocol instances
        @rtype: 5-L{tuple} of 4 L{IProtocol}s and L{IOPump}
        Nr�
r�r�c_sd
d
dS)z�
                Raise an exception.

                @param a: Arguments for an C{info_callback}

                @param k: Keyword arguments for an C{info_callback}
                r=r
Nr)�
ar9rrr�broken4sz9ServiceIdentityTests.serviceIdentitySetup.<locals>.brokenZ_identityVerifyingInfoCallbackr�)
ZclientCertificater-c
s�Srrr)
�serverCArrrHrz;ServiceIdentityTests.serviceIdentitySetup.<locals>.<lambda>c@s0eZ
dZd
ZdZdZdd�Zdd�Zdd	�ZdS)
zAServiceIdentityTests.serviceIdentitySetup.<locals>.GreetingServerrQNrc

Ss|j�
|j�

dSrrRrVrrrrXPs
zPServiceIdentityTests.serviceIdentitySetup.<locals>.GreetingServer.connectionMadecSs|j|
7_dSrr]r_rrrr`Rs
zNServiceIdentityTests.serviceIdentitySetup.<locals>.GreetingServer.dataReceivedcSs
|
|_dSrrarcrrrreTs
zPServiceIdentityTests.serviceIdentitySetup.<locals>.GreetingServer.connectionLost)	rYrZr[rUrbr^rXr`rerrrrr\Ls



r\c@s0eZ
dZd
ZdZdZdd�Zdd�Zdd	�ZdS)
zAServiceIdentityTests.serviceIdentitySetup.<locals>.GreetingClientscheerio!rNc

Ss|j�
|j�

dSrrRrVrrrrX[s
zPServiceIdentityTests.serviceIdentitySetup.<locals>.GreetingClient.connectionMadecSs|j|
7_dSrr]r_rrrr`]s
zNServiceIdentityTests.serviceIdentitySetup.<locals>.GreetingClient.dataReceivedcSs
|
|_dSrrarcrrrre_s
zPServiceIdentityTests.serviceIdentitySetup.<locals>.GreetingClient.connectionLost)	rYrZr[rUr^rbrXr`rerrrr�GreetingClientWs



r�
c
s�Srrrrgrrrfrc
s�SrrrrirrrhrTrkFcs
��d�
Srrlr)
�serverTLSFactoryrrrwrcs
��d�
Srrlr)
�clientTLSFactoryrrrxr)rP�updaterGr�r��originalrr�ZClientTLSOptionsr�r%rorprqrrr0r)rWZclientHostnameZserverHostnameZserverContextSetup�validCertificate�clientPresentsCertificate�validClientCertificate�serverVerifies�buggyInfoCallback�fakePlatformTrust�useDefaultTrustrO�otherZpassClientCertZclientCAr�
ZbogusCA�bogusrqr�
r�
Z	signaturerrr\r�
rnrmrtrsrur)r�
rhr�
r�
rjr�serviceIdentitySetup�s�@
�








��


�
	

�












�

�



�
z)ServiceIdentityTests.serviceIdentitySetupc
Cs^|�d
d�\}
}}}}|�
|jd�
|�
|jd�
|jj}|jj}|�|t�
|�|t�
dS)z�
        When a certificate containing an invalid hostname is received from the
        server, the connection is immediately dropped.
        zwrong-host.example.com�correct-host.example.comrN)r�
r�r^rbr�
r
r.r�rWrtrsr�
r�
ru�cErr�sErrrrr�test_invalidHostname}s

�


z)ServiceIdentityTests.test_invalidHostnamec
CsH|�d
d
�\}
}}}}|�
|jd�
|j}|j}|�|�

|�|�

dS)z}
        Whenever a valid certificate containing a valid hostname is received,
        connection proceeds normally.
        �valid.example.comrQN�r�
r�r^rbr�
r�
rrr�test_validHostname�s

�
�



z'ServiceIdentityTests.test_validHostnamec
Csf|jd
d
dd�\}
}}}}|�
|jd�
|�
|jd�
|jj}|jj}|�|tj�
|�|tj�
dS)z�
        When an invalid certificate containing a perfectly valid hostname is
        received, the connection is aborted with an OpenSSL error.
        r�
F)
r�
rN�r�
r�r^rbr�
r
rr�
r�
rrr�$test_validHostnameInvalidCertificate�s


�


z9ServiceIdentityTests.test_validHostnameInvalidCertificatec
Csh|jd
d
ddd�\}
}}}}|�
|jd�
|�
|jd�
|jj}|jj}|�|tj�
|�|tj�
dS)zu
        If we use the default trust from the platform, our dinky certificate
        should I{really} fail.
        r�
FT)r�
r�
rNr�
r�
rrr�*test_realCAsBetterNotSignOurBogusTestCerts�s



�


z?ServiceIdentityTests.test_realCAsBetterNotSignOurBogusTestCertsc
CsN|jd
d
ddd�\}
}}}}|�
|jd�
|j}|j}|�|�

|�|�

dS)z�
        L{ssl.optionsForClientTLS} should be using L{ssl.platformTrust} by
        default, so if we fake that out then it should trust ourselves again.
        r�
T)r�
r�
rQNr�
r�
rrr�test_butIfTheyDidItWouldWork�s



�
�



z1ServiceIdentityTests.test_butIfTheyDidItWouldWorkc
CsP|jd
d
dddd�\}
}}}}|�
|jd�
|j}|j}|�|�

|�|�

dS)z�
        When the server verifies and the client presents a valid certificate
        for that verification by passing it to
        L{sslverify.optionsForClientTLS}, communication proceeds.
        r�
T)r�
r�
r�
rQNr�
r�
rrr�test_clientPresentsCertificate�s




�
�



z3ServiceIdentityTests.test_clientPresentsCertificatec
Cs^|jd
d
ddddd�\}
}}}}|�
|jd�
|jj}|jj}|�|tj�
|�|tj�
dS)z�
        When the server verifies and the client presents an invalid certificate
        for that verification by passing it to
        L{sslverify.optionsForClientTLS}, the connection cannot be established
        with an SSL error.
        r�
TF)r�
r�
r�
r�
rNr�
r�
rrr�!test_clientPresentsBadCertificate�s





�	
�

z6ServiceIdentityTests.test_clientPresentsBadCertificatec
s:g��f
d
d�}
|�dd|
�\}}}}}|�
�dg
�
dS)z�
        Specifying the C{hostname} argument to L{CertificateOptions} also sets
        the U{Server Name Extension
        <https://en.wikipedia.org/wiki/Server_Name_Indication>} TLS indication
        field to the correct value.
        c
s�f
d
d�}
|�|
�

dS)Nc

s��|�
��d
�
�

dS)Nr
)r��get_servername�decode)
�conn�
�namesrr�servername_receiveds
zfServiceIdentityTests.test_hostnameIsIndicated.<locals>.setupServerContext.<locals>.servername_received�
Zset_tlsext_servername_callback�r{r�
r�
rr�setupServerContexts
zIServiceIdentityTests.test_hostnameIsIndicated.<locals>.setupServerContextr�
N)r�
r�)rWr�
rtrsr�
r�
rurr�
r�test_hostnameIsIndicateds



�z-ServiceIdentityTests.test_hostnameIsIndicatedNc

slg�d
}
�f
dd�}|�|
|
|�\}}}}}|�
�|
g
�
|�
|jd�
|j}|j}	|�|�

|�|	�

dS)z0
        Hostnames are encoded as IDNA.
        uhállo.example.comc
s�f
d
d�}
|�|
�

dS)Nc
st|�
��
}
��|
�

dSr)r(r�
r�)r�
Z
serverIDNAr�
rrr�
0s

zcServiceIdentityTests.test_hostnameEncoding.<locals>.setupServerContext.<locals>.servername_receivedr�
r�
r�
rrr�
/s
zFServiceIdentityTests.test_hostnameEncoding.<locals>.setupServerContextrQNr�
)
rWZhellor�
rtrsr�
r�
rur�
r�
rr�
r�test_hostnameEncoding)s 


�

�



z*ServiceIdentityTests.test_hostnameEncodingc
sJd
�G�f
dd�dt�}
|
�}|�
t�|d
�d�
|�tjtj|d�
dS)z�
        L{sslverify.simpleVerifyHostname} checks string equality on the
        commonName of a connection's certificate's subject, doing nothing if it
        matches and raising L{VerificationError} if it doesn't.
        zsomething.example.comcseZ
dZ�f
d
d�ZdS)z6ServiceIdentityTests.test_fallback.<locals>.Connectionc
st�}
�|
�
�_|
S)
z�
                Fake of L{OpenSSL.SSL.Connection.get_peer_certificate}.

                @return: A certificate with a known common name.
                @rtype: L{OpenSSL.crypto.X509}
                )rr3rU
r��
�namerr�get_peer_certificateLs


zKServiceIdentityTests.test_fallback.<locals>.Connection.get_peer_certificateN)rYrZr[r�
rr�
rr�
ConnectionKs
r�
NZnonsense)r�r�
rG�simpleVerifyHostnamer��SimpleVerificationError)rWr�
r�
rr�
r�
test_fallbackDs




�

�z"ServiceIdentityTests.test_fallbackc
	Cs||jd
d
dd�\}
}}}}|�
|jd�
|�
|jd�
|jj}|jj}|�|t�
|�|ttj	f�
|�
t�
}|�|�

dS)a,

        pyOpenSSL isn't always so great about reporting errors.  If one occurs
        in the verification info callback, it should be logged and the
        connection should be shut down (if possible, anyway; the app_data could
        be clobbered but there's no point testing for that).
        r�
T)
r�
rN)r�
r�r^rbr�
r
�ZeroDivisionErrorrrr�
ZflushLoggedErrorsr�)	rWrtrsr�
r�
rur�
r�
�errorsrrr�test_surpriseFromInfoCallback`s


�





z2ServiceIdentityTests.test_surpriseFromInfoCallback)rYrZr[r�r�r�r�
r�
r�
r�
r�
r�
r�
r�
r�
�skipSNIr�
r�
r�
rrrrr�
�s8








�
%

r�
cCsPt�\}}t
�|jg
�
}t||jj|j|
||d
�\}}}}	}
|
��
|j|	jfS)a�

    Create the TLS connection and negotiate a next protocol.

    @param serverProtocols: The protocols the server is willing to negotiate.
    @param clientProtocols: The protocols the client is willing to negotiate.
    @param clientOptions: The type of C{OpenSSLCertificateOptions} class to
        use for the client. Defaults to C{OpenSSLCertificateOptions}.
    @return: A L{tuple} of the negotiated protocol and the reason the
        connection was lost.
    )r�r�rMr�r�r�)	rPrGZOpenSSLCertificateAuthoritiesr�
r�r�r�
�negotiatedProtocolrb)r�r�r�rLrMr�rsrtr�
r�
rurrr�negotiateProtocolzs


�





�r�
c@sJeZ
dZd
ZereZnereZdd�Zdd�Zdd�Z	dd	�Z
d
d�ZdS)
�NPNOrALPNTestsz�
    NPN and ALPN protocol selection.

    These tests only run on platforms that have a PyOpenSSL version >= 0.15,
    and OpenSSL version 1.0.1 or later.
    c
Cst�
�}
|�tjj|
k�

d
S)z
        When at least NPN is available on the platform, NPN is in the set of
        supported negotiation protocols.
        N)rG�protocolNegotiationMechanismsr��ProtocolNegotiationSupportZNPN�rWZsupportedProtocolsrrr�)test_nextProtocolMechanismsNPNIsSupported�s


�z8NPNOrALPNTests.test_nextProtocolMechanismsNPNIsSupportedc
Cs2d
dg}
t|
|
d�\}}|�
|d
�
|�|�

dS)z�
        When both ALPN and NPN are used, and both the client and server have
        overlapping protocol choices, a protocol is successfully negotiated.
        Further, the negotiated protocol is the first one in the list.
        �h2�http/1.1�r�r�N�r�
r�r�
�rW�	protocolsr�
rbrrr�test_NPNAndALPNSuccess�s


�

z%NPNOrALPNTests.test_NPNAndALPNSuccessc
Cs<d
ddg}
ddg}t||
d�\}}|�
|d�
|�|�

dS)zm
        Client and server have different protocol lists: only the common
        element is chosen.
        rr
sspdy/2�spdy/3rNr�rWr�r�r�
rbrrr�test_NPNAndALPNDifferent�s




�

z'NPNOrALPNTests.test_NPNAndALPNDifferentc
Cs0d
dg}
t|
gd�\}}|�
|�

|�
|�

dS)zy
        When one peer does not advertise any protocols, the connection is set
        up with no next protocol.
        rr
rN�r�
r�
rrrr�test_NPNAndALPNNoAdvertise�s


�


z)NPNOrALPNTests.test_NPNAndALPNNoAdvertisec
Cs<d
dg}
dg
}t|
|d�\}}|�
|�

|�|jtj�
dS)zh
        When the client and server have no overlap of protocols, the connection
        fails.
        rr
r�r�r�N)r�
r�
r�r�
rr�
)rWr�r�r�
rbrrr�test_NPNAndALPNNoOverlap�s



�


z'NPNOrALPNTests.test_NPNAndALPNNoOverlapN)rYrZr[r�r�r��skipNPNr�
rr	rr
rrrrr�
�s



r�
c@s*eZ
dZd
ZereZnereZdd�ZdS)�	ALPNTestsa.

    ALPN protocol selection.

    These tests only run on platforms that have a PyOpenSSL version >= 0.15,
    and OpenSSL version 1.0.2 or later.

    This covers only the ALPN specific logic, as any platform that has ALPN
    will also have NPN and so will run the NPNAndALPNTest suite as well.
    c
Cst�
�}
|�tjj|
k�

d
S)z�
        When ALPN is available on a platform, protocolNegotiationMechanisms
        includes ALPN in the suported protocols.
        N)rGr�
r�r�
ZALPNr�
rrr�*test_nextProtocolMechanismsALPNIsSupported�s


��z4ALPNTests.test_nextProtocolMechanismsALPNIsSupportedN)rYrZr[r�r�r��skipALPNrrrrrr�s
	


rc@s:eZ
dZd
ZereZnesdZdd�Zdd�Zdd�Z	d	S)
�NPNAndALPNAbsentTestsz�
    NPN/ALPN operations fail on platforms that do not support them.

    These tests only run on platforms that have a PyOpenSSL version < 0.15,
    or an OpenSSL version earlier than 1.0.1
    z$NPN/ALPN is present on this platformc
Cst�
�}
|�|
�

d
S)z}
        When neither NPN or ALPN are available on a platform, there are no
        supported negotiation protocols.
        N)rGr�
r�r�
rrr�1test_nextProtocolMechanismsNoNegotiationSupported	s
zGNPNAndALPNAbsentTests.test_nextProtocolMechanismsNoNegotiationSupportedc
Csd
dg}
|jt
t|
|
d�
dS)z�
        A NotImplementedError is raised when using acceptableProtocols on a
        platform that does not support either NPN or ALPN.
        rr
rN)r��NotImplementedErrorr�
)rWrrrr�test_NPNAndALPNNotImplemented 	s




�z3NPNAndALPNAbsentTests.test_NPNAndALPNNotImplementedc
Cs0d
}
d
}t||
d�\}}|�
|�

|�
|�

d
S)z�
        negotiatedProtocol return L{None} even when NPN/ALPN aren't supported.
        This works because, as neither are supported, negotiation isn't even
        attempted.
        Nrr
rrrr�"test_NegotiatedProtocolReturnsNone.	s



�


z8NPNAndALPNAbsentTests.test_NegotiatedProtocolReturnsNoneN)
rYrZr[r�r�r�rrrrrrrrr
	s



	rc@seZ
dZd
d�ZdS)�_NotSSLTransportc


Cs|SrrrVrrr�	getHandle@	s
z_NotSSLTransport.getHandleN)rYrZr[rrrrrr?	s
rc@s$eZ
dZd
d�Zdd�Zdd�ZdS)�_MaybeSSLTransportc


Cs|SrrrVrrrrF	s
z_MaybeSSLTransport.getHandlec


CsdSrrrVrrrr�
I	s
z'_MaybeSSLTransport.get_peer_certificatec


CsdSrrrVrrr�get_host_certificateL	s
z'_MaybeSSLTransport.get_host_certificateN)rYrZr[rr�
rrrrrrE	s
rc@s$eZ
dZd
d�Zdd�Zdd�ZdS)�_ActualSSLTransportc


Cs|SrrrVrrrrR	s
z_ActualSSLTransport.getHandlec

Cstj
�t�
jSr)rGrHrIrr
r�
rVrrrrU	s
z(_ActualSSLTransport.get_host_certificatec

Cstj
�t�
jSr)rGrHrIrw
r�
rVrrrr�
X	s
z(_ActualSSLTransport.get_peer_certificateN)rYrZr[rrr�
rrrrrQ	s
rc@sDeZ
dZereZd
d�Zdd�Zdd�Zdd�Zd	d
�Z	dd�Z
d
S)�ConstructorsTestsc
Cs,|�t
tjjt��}
|�t|
�
�d
�
�

dS)z�
        Verify that peerFromTransport raises an exception if the transport
        passed is not actually an SSL transport.
        �non-TLSN)	r�r)rGrH�peerFromTransportrr�r��
startswith�rW�
xrrr�test_peerFromNonSSLTransporta	s


�z.ConstructorsTests.test_peerFromNonSSLTransportc
Cs,|�t
tjjt��}
|�t|
�
�d
�
�

dS)z�
        Verify that peerFromTransport raises an exception if the transport
        passed is an SSL transport, but doesn't have a peer certificate.
        �TLSN)	r�r)rGrHrrr�r�rr rrr�test_peerFromBlankSSLTransportl	s


�z0ConstructorsTests.test_peerFromBlankSSLTransportc
Cs,|�t
tjjt��}
|�t|
�
�d
�
�

dS)z�
        Verify that hostFromTransport raises an exception if the transport
        passed is not actually an SSL transport.
        rN)	r�r)rGrH�hostFromTransportrr�r�rr rrr�test_hostFromNonSSLTransportw	s


�z.ConstructorsTests.test_hostFromNonSSLTransportc
Cs,|�t
tjjt��}
|�t|
�
�d
�
�

dS)z�
        Verify that hostFromTransport raises an exception if the transport
        passed is an SSL transport, but doesn't have a host certificate.
        r#N)	r�r)rGrHr%rr�r�rr rrr�test_hostFromBlankSSLTransport�	s


�z0ConstructorsTests.test_hostFromBlankSSLTransportc

Cs|�t
j�t��
��d
�
dS)z�
        Verify that hostFromTransport successfully creates the correct
        certificate if passed a valid SSL transport.
        i90N)r�rGrHr%r�serialNumberrVrrr�test_hostFromSSLTransport�	s

��z+ConstructorsTests.test_hostFromSSLTransportc

Cs|�t
j�t��
��d
�
dS)z�
        Verify that peerFromTransport successfully creates the correct
        certificate if passed a valid SSL transport.
        i:0N)r�rGrHrrr(rVrrr�test_peerFromSSLTransport�	s

��z+ConstructorsTests.test_peerFromSSLTransportN)rYrZr[r�r�r"r$r&r'r)r*rrrrr]	s

rc@s@eZ
dZd
ZereZdd�Zdd�Zdd�Zdd	�Z	d
d�Z
dS)
�!MultipleCertificateTrustRootTestszH
    Test the behavior of the trustRootFromCertificates() API call.
    c
	Csbtj
�t�
}
tj�t�
}t�|
|g�
}t||
jj	|
j	d
�\}}}}}|�
|jd�
|�|j
�

dS)z�
        L{trustRootFromCertificates} accepts either a L{sslverify.Certificate}
        or a L{sslverify.PrivateCertificate} instance.
        �r�r�rMrQN)rGrJrI�	A_KEYPAIRrHrr
�trustRootFromCertificatesr�r�r�
r�r^r�
rb)	rWZprivateCertr�Zmtrsrt�sWrap�cWraprurrr�+test_trustRootFromCertificatesPrivatePublic�	s



�
zMMultipleCertificateTrustRootTests.test_trustRootFromCertificatesPrivatePublicc

Csrtd
dd�\}
}t
j�t
�|�
t
�|
�
�}t
�|g
�
}t||jj	|j	d�\}}}}}	|�
|jd�
|�|j
�

dS)z�
        L{trustRootFromCertificates} called with a single self-signed
        certificate will cause L{optionsForClientTLS} to accept client
        connections to a server with that certificate.
        r�r�r�r,rQN)r;rGrJ�fromCertificateAndKeyPairrHr�
r.r�r�r�
r�r^r�
rb)
rW�keyr�Z
selfSigned�trustrsrtr/r0rurrr�)test_trustRootSelfSignedServerCertificate�	s


�


�
zKMultipleCertificateTrustRootTests.test_trustRootSelfSignedServerCertificatec
	CsRt�\}
}t
�|
g
�
}t||jj|jd
�\}}}}}|�|jd�
|�|j	�

dS)z�
        L{trustRootFromCertificates} called with certificate A will cause
        L{optionsForClientTLS} to accept client connections to a server with
        certificate B where B is signed by A.
        r,rQN)
rPrGr.r�r�r�
r�r^r�
rb)	rWr�
rOr4rsrtr/r0rurrr�2test_trustRootCertificateAuthorityTrustsConnection�	s



�
zTMultipleCertificateTrustRootTests.test_trustRootCertificateAuthorityTrustsConnectionc
Cs�td
dd�\}
}t
j�t
�|�
t
�|
�
�}t
�tddd�d�
}t
�|g
�
}t||jj	|j	d�\}}}}	}
|�
|	jd�
|�
|	jj
tj�
|	jj}|�
|jd	d	d
d�
dS)
z�
        L{trustRootFromCertificates} called with certificate A will cause
        L{optionsForClientTLS} to disallow any connections to a server with
        certificate B where B is not signed by A.
        r�r�r�r�s
unknown CAr=r,rr
ry
r�
N)r;rGrJr2rHr�
r.r�r�r�
r�r^rbr�
rr�
r�
r/
)rWr3r�rOZ
untrustedCertr4rsrtr/r0rur�
rrr�'test_trustRootFromCertificatesUntrusted�	s$


�
�


�
zIMultipleCertificateTrustRootTests.test_trustRootFromCertificatesUntrustedc
Cs:tj
�t�
}
|
j}|�ttj|g
�}|�d
|j	d�
dS)z}
        L{trustRootFromCertificates} rejects any L{OpenSSL.crypto.X509}
        instances in the list passed to it.
        zBcertificates items must be twisted.internet.ssl.CertBase instancesr
N)
rGrJrIr-r�
r�r�r.r�r/
)rWZprivateZcertX509r.
rrr�,test_trustRootFromCertificatesOpenSSLObjects
s


�
�zNMultipleCertificateTrustRootTests.test_trustRootFromCertificatesOpenSSLObjectsN)rYrZr[r�r�r�r1r5r6r7r8rrrrr+�	s

$r+c@s<eZ
dZd
ZereZdZdd�Zdd�Zdd�Z	d	d
�Z
dS)�OpenSSLCipherTestsz>
    Tests for twisted.internet._sslverify.OpenSSLCipher.
    z
CIPHER-STRINGc

Cs|�|j
t�|j
�
j�
d
S)zU
        The first argument passed to the constructor becomes the full name.
        N)r��
cipherNamerGr
�fullNamerVrrr�test_constructorSetsFullName3
s

�z/OpenSSLCipherTests.test_constructorSetsFullNamec
Cs,t�
|j�
}
|�|
tt|
�
d
tj
i
��
dS)zC
        C{repr(cipher)} returns a valid constructor call.
        r
N)rGr
r:r��eval�repr)rWZcipherrrr�	test_repr=
s



�zOpenSSLCipherTests.test_reprc
Cs(t�
|j�
}
t�
|j�
}|�|
|�
d
S)zN
        Equal type and C{fullName} means that the objects are equal.
        N)rGr
r:r�)rWZcipher1Zcipher2rrr�test_eqSameClassH
s

z#OpenSSLCipherTests.test_eqSameClassc
s.G�f
d
d�dt�}
��
t��j�
|
��
dS)ze
        If ciphers have the same name but different types, they're still
        different.
        c
seZ
dZ�jZd
S)zHOpenSSLCipherTests.test_eqSameNameDifferentType.<locals>.DifferentCipherN)rYrZr[r:r;rrVrr�DifferentCipherV
s
rAN)r�rZ
rGr
r:)rWrArrVr�test_eqSameNameDifferentTypeQ
s



�z/OpenSSLCipherTests.test_eqSameNameDifferentTypeN)rYrZr[r�r�r�r:r<r?r@rBrrrrr9*
s


	r9c@s0eZ
dZd
ZereZdd�Zdd�Zdd�ZdS)	�ExpandCipherStringTestszD
    Tests for twisted.internet._sslverify._expandCipherString.
    c

Cs|�gt
�d
tjd��
dS)zU
        If the expanded cipher list is empty, an empty L{list} is returned.
        rq
r
N)r�rG�_expandCipherStringrr!
rVrrr�!_test_doesNotStumbleOverEmptyListg
s

�z9ExpandCipherStringTests._test_doesNotStumbleOverEmptyListc
sLd
d�}
tt
j�
�|
�_|�tj
d�f
dd��
|�t
jtjdt
jd�
dS)	zf
        Only no cipher matches get swallowed, every other SSL error gets
        propagated.
        c

Sst�
d
d
d
gg
�
�
dS)Nrq
)rr�
�
r
rrr�raiserv
szIExpandCipherStringTests.test_doesNotSwallowOtherSSLErrors.<locals>.raiserrwc


s�SrrrFr�
rrr|
rzKExpandCipherStringTests.test_doesNotSwallowOtherSSLErrors.<locals>.<lambda>�ALLr
N)	r�rr!
r�r�rGr�r�
rD)rWrGrr�
r�!test_doesNotSwallowOtherSSLErrorsq
s





�z9ExpandCipherStringTests.test_doesNotSwallowOtherSSLErrorsc
CsPt�
d
tjd�}
|�|
t�
g}|
D]}tj�|�
s$|�	|�

q$|�
g|�
dS)zm
        L{sslverify._expandCipherString} always returns a L{list} of
        L{interfaces.ICipher}.
        rHr
N)rGrDrr!
r
�listr+�ICipher�
providedByr�r�)rWZciphersr�
rrrr�test_returnsListOfICiphers�
s




z2ExpandCipherStringTests.test_returnsListOfICiphersN)	rYrZr[r�r�r�rErIrMrrrrrC`
s


rCc@s0eZ
dZd
ZereZdd�Zdd�Zdd�ZdS)	�AcceptableCiphersTestszI
    Tests for twisted.internet._sslverify.OpenSSLAcceptableCiphers.
    c
Cs t�
g�
}
|�g|
�g�
�
d
S)zG
        If no ciphers are available, nothing can be selected.
        N)rG�OpenSSLAcceptableCiphersr�r
�rWZacrrr�&test_selectOnEmptyListReturnsEmptyList�
s

z=AcceptableCiphersTests.test_selectOnEmptyListReturnsEmptyListc
	CsHt�
t�d
�
t�d�
g�
}
|�t�d�
g
|
�t�d�
t�d�
g�
�
dS)zi
        Select only returns a cross section of what is available and what is
        desirable.
        �
A�
B�
CN)rGrOr
r�r
rPrrr�#test_selectReturnsOnlyFromAvailable�
s

�

��z:AcceptableCiphersTests.test_selectReturnsOnlyFromAvailablec
Cs8tj
�d
�
}
|�|
jt�
|�tdd�|
jD�
�
�

dS)z�
        If L{sslverify.OpenSSLAcceptableCiphers.fromOpenSSLCipherString} is
        called it expands the string to a list of ciphers.
        rHc
ss|]}
tj
�|
�
V
qdSr)rGrKrL)�.0rrrr�	<genexpr>�
s
�z\AcceptableCiphersTests.test_fromOpenSSLCipherStringExpandsToListOfCiphers.<locals>.<genexpr>N)rGrOZfromOpenSSLCipherStringr
Z_ciphersrJr��allrPrrr�2test_fromOpenSSLCipherStringExpandsToListOfCiphers�
s



�zIAcceptableCiphersTests.test_fromOpenSSLCipherStringExpandsToListOfCiphersN)	rYrZr[r�r�r�rQrUrYrrrrrN�
s

rNc@s(eZ
dZd
ZereZed�
Zdd�ZdS)�DiffieHellmanParametersTestszD
    Tests for twisted.internet._sslverify.OpenSSLDHParameters.
    rN
c
Cs"tj
�|j�
}
|�|j|
j�
d
S)zl
        Calling C{fromFile} with a filename returns an instance with that file
        name saved.
        N)rGZOpenSSLDiffieHellmanParametersZfromFile�filePathr�rO
)rWZparamsrrr�
test_fromFile�
s
�z*DiffieHellmanParametersTests.test_fromFileN)	rYrZr[r�r�r�r!r[r\rrrrrZ�
s



rZc@seZ
dZd
ZdZdd�ZdS)�FakeLibStatea�

    State for L{FakeLib}

    @param setECDHAutoRaises: An exception
        L{FakeLib.SSL_CTX_set_ecdh_auto} should raise; if L{None},
        nothing is raised.

    @ivar ecdhContexts: A list of SSL contexts with which
        L{FakeLib.SSL_CTX_set_ecdh_auto} was called
    @type ecdhContexts: L{list} of L{OpenSSL.SSL.Context}s

    @ivar ecdhValues: A list of boolean values with which
        L{FakeLib.SSL_CTX_set_ecdh_auto} was called
    @type ecdhValues: L{list} of L{boolean}s
    ��setECDHAutoRaises�ecdhContexts�
ecdhValuescCs|
|_g|_
g|_dSrr^)rWr_rrrr��
s


zFakeLibState.__init__N�rYrZr[r��	__slots__r�rrrrr]�
s
r]c@s eZ
dZd
Zdd�Zdd�ZdS)�FakeLibz�
    An introspectable fake of cryptography's lib object.

    @param state: A L{FakeLibState} instance that contains this fake's
        state.
    cCs
|
|_dSr�
�_state�rWr�
rrrr��
s
zFakeLib.__init__cCs4|jj
�|
�

|jj�|�

|jjd
k	r0|jj�
d
S)a

        Record the context and value under in the C{_state} instance
        variable.

        @see: L{FakeLibState}

        @param ctx: An SSL context.
        @type ctx: L{OpenSSL.SSL.Context}

        @param value: A boolean value
        @type value: L{bool}
        N)rfr`r�rar_)rWr{r�
rrr�SSL_CTX_set_ecdh_auto�
s



zFakeLib.SSL_CTX_set_ecdh_autoN)rYrZr[r�r�rhrrrrrd�
s
rdc@s eZ
dZd
Zdd�Zdd�ZdS)�FakeLibTestsz
    Tests for L{FakeLib}.
    c
Csbtd
d�
}
t
|
�
}|�|
j�

|�|
j�

d\}}|�||�
|�|
j|g
�
|�|
jdg
�
d
S)zh
        L{FakeLib.SSL_CTX_set_ecdh_auto} records context and value it
        was called with.
        N�
r_�ZCONTEXTTT)r]rd�	assertNotr`rarhr��rWr�
�libr�
r�
rrr�test_SSL_CTX_set_ecdh_auto
s






z'FakeLibTests.test_SSL_CTX_set_ecdh_autoc
Cshtt
d
�
}
t|
�
}|�|
j�

|�|
j�

d\}}|�t
|j||�
|�|
j|g
�
|�|
jdg
�
dS)z�
        L{FakeLib.SSL_CTX_set_ecdh_auto} raises the exception provided
        by its state, while still recording its arguments.
        rjrkTN)	r]rFrdrlr`rar�rhr�rmrrr� test_SSL_CTX_set_ecdh_autoRaisess





�
z-FakeLibTests.test_SSL_CTX_set_ecdh_autoRaisesN)rYrZr[r�rorprrrrris
ric@seZ
dZd
ZdZdd�ZdS)�FakeCryptoStatea�

    State for L{FakeCrypto}

    @param getEllipticCurveRaises: What
        L{FakeCrypto.get_elliptic_curve} should raise; L{None} and it
        won't raise anything

    @param getEllipticCurveReturns: What
        L{FakeCrypto.get_elliptic_curve} should return.

    @ivar getEllipticCurveCalls: The arguments with which
        L{FakeCrypto.get_elliptic_curve} has been called.
    @type getEllipticCurveCalls: L{list}
    ��getEllipticCurveRaises�getEllipticCurveReturns�getEllipticCurveCallscCs|
|_||_
g|_dSrrr)rWrsrtrrrr�Es

zFakeCryptoState.__init__Nrbrrrrrq0s
rqc@s eZ
dZd
Zdd�Zdd�ZdS)�
FakeCryptozy
    An introspectable fake of pyOpenSSL's L{OpenSSL.crypto} module.

    @ivar state: A L{FakeCryptoState} instance
    cCs
|
|_dSrrergrrrr�Ws
zFakeCrypto.__init__cCs*|jj
�|
�

|jjd
k	r"|jj�
|jjS)a


        A fake that records the curve with which it was called.

        @param curve: see L{crypto.get_elliptic_curve}

        @return: see L{FakeCryptoState.getEllipticCurveReturns}
        @raises: see L{FakeCryptoState.getEllipticCurveRaises}
        N)rfrur�rsrtr�rrr�get_elliptic_curve[s	


zFakeCrypto.get_elliptic_curveN)rYrZr[r�r�rwrrrrrvPs
rvc@s(eZ
dZd
Zdd�Zdd�Zdd�ZdS)	�FakeCryptoTestsz"
    Tests for L{FakeCrypto}.
    c
Cs2td
d
d�}
t
|
�
}|�d�

|�|
jdg
�
d
S)zk
        L{FakeCrypto.test_get_elliptic_curve} records the curve with
        which it was called.
        N�rsrtza curve name)rqrvrwr�ru�rWr�
�cryptorrr�&test_get_elliptic_curveRecordsArgumentps

�


z6FakeCryptoTests.test_get_elliptic_curveRecordsArgumentc
Cs>d
}
td|
d�}t
|�
}|�|�d�
|
�
|�|jdg
�
dS)z�
        L{FakeCrypto.test_get_elliptic_curve} returns the value
        specified by its state object and records what it was called
        with.
        r�Nryzanother curve name)rqrvr�
rwr�ru)rWZreturnValuer�
r{rrr�test_get_elliptic_curveReturns~s


�


�

�z.FakeCryptoTests.test_get_elliptic_curveReturnsc
Cs8tt
d
d�}
t|
�
}|�t
|jd�
|�|
jdg
�
d
S)zs
        L{FakeCrypto.test_get_elliptic_curve} raises the exception
        specified by its state object.
        Nryzyet another curve name)rqrFrvr�rwr�rurzrrr�test_get_elliptic_curveRaises�s

�


�

�z-FakeCryptoTests.test_get_elliptic_curveRaisesN)rYrZr[r�r|r}r~rrrrrxks
rxc@s\eZ
dZd
ZereZdZdZdZdd�Z	dd�Z
d	d
�Zdd�Zd
d�Z
dd�Zdd�ZdS)�%ChooseDiffieHellmanEllipticCurveTestsaN

    Tests for L{sslverify._ChooseDiffieHellmanEllipticCurve}.

    @cvar OPENSSL_110: A version number for OpenSSL 1.1.0

    @cvar OPENSSL_102: A version number for OpenSSL 1.0.2

    @cvar OPENSSL_101: A version number for OpenSSL 1.0.1

    @see:
        U{https://wiki.openssl.org/index.php/Manual:OPENSSL_VERSION_NUMBER(3)}
    ii� iOc

CsBtd
d�
|_
t|j
�
|_tddd�|_t|j�
|_tt	j
�
|_dS)NFrj)rtrs)r]�libStaterdrnrq�cryptoStatervr{r�rr!
r�
rVrrrr��s



�
z+ChooseDiffieHellmanEllipticCurveTests.setUpc
Cs^tj
|j|j|jd
�}
|
�|j�

|�|jj	�

|�|jj
�

|�|jj�

|�
|jj�

dS)z�
        No configuration of contexts occurs under OpenSSL 1.1.0 and
        later, because they create contexts with secure ECDH curves.

        @see: U{http://twistedmatrix.com/trac/ticket/9210}
        �r�r�N)rGr��OPENSSL_110rnr{r�r�
r�r�r`rar�rur�
r��rW�chooserrrr�test_openSSL110�s


�


z5ChooseDiffieHellmanEllipticCurveTests.test_openSSL110c
Csrt�
tj�
}
tj|j|j|jd
�}|�|
�

|�	|j
j|
jg
�
|�	|j
j
dg
�
|�|jj�

|�|jj�

dS)z�
        OpenSSL 1.0.2 does not set ECDH curves by default, but
        C{SSL_CTX_set_ecdh_auto} requests that a context choose a
        secure set curves automatically.
        r�TN)rrwr!
rGr��OPENSSL_102rnr{r�r�r�r`r
rar�r�rur�
r�
r��rWr�
r�rrr�test_openSSL102�s



�



z5ChooseDiffieHellmanEllipticCurveTests.test_openSSL102c
Cslt|j
_t�tj�
}
tj|j|j	|j
d
�}|�|
�

|�|j
j
|
jg
�
|�|j
jdg
�
|�|jj�

dS)z�
        An exception raised by C{SSL_CTX_set_ecdh_auto} under OpenSSL
        1.0.2 is suppressed because ECDH is best-effort.
        r�TN)�
BaseExceptionr�r_rrwr!
rGr�r�rnr{r�r�r`r
rar�r�rur�rrr� test_openSSL102SetECDHAutoRaises�s




�


zFChooseDiffieHellmanEllipticCurveTests.test_openSSL102SetECDHAutoRaisesc
Csrd
|j_
}
tj|j|j|jd�}|�|j�

|�	|j
j�

|�	|j
j�

|�
|jjtjg
�
|�|jj|
�
dS)z�
        OpenSSL 1.0.1 does not set ECDH curves by default, nor does
        it expose L{SSL_CTX_set_ecdh_auto}.  Instead, a single ECDH
        curve can be set with L{OpenSSL.SSL.Context.set_tmp_ecdh}.
        zcurve objectr�N)r�rtrGr��OPENSSL_101rnr{r�r�
r�r�r`rar�ru�_defaultCurveNamer�
r�)rWr�r�rrr�test_openSSL101s



�



�z5ChooseDiffieHellmanEllipticCurveTests.test_openSSL101c
Csfd
d�}
|
|j_
tj|j|j|jd�}|�|j�

|�|j	j
�

|�|j	j�

|�|j
jtjg
�
dS)z�
        An exception raised by L{OpenSSL.SSL.Context.set_tmp_ecdh}
        under OpenSSL 1.0.1 is suppressed because ECHDE is best-effort.
        c


Sst�
dSr)
r�r�
rrrr�!s
zXChooseDiffieHellmanEllipticCurveTests.test_openSSL101SetECDHRaises.<locals>.set_tmp_ecdhr�N)r�
r�rGr�r�rnr{r�r�r�r`rar�r�rur�)rWr�r�rrr�test_openSSL101SetECDHRaisess


�



�zBChooseDiffieHellmanEllipticCurveTests.test_openSSL101SetECDHRaisesc
CsXt|j
_tj|j|j|jd
�}
|
�|j	�

|�
|jj�

|�
|jj
�

|�|j	j�

dS)zy
        Contexts created under an OpenSSL 1.0.1 that doesn't support
        ECC have no configuration applied.
        r�N)rFr�rsrGr�r�rnr{r�r�
r�r�r`rar�
r�r�rrr�test_openSSL101NoECC5s



�

z:ChooseDiffieHellmanEllipticCurveTests.test_openSSL101NoECCN)rYrZr[r�r�r�r�r�r�r�r�r�r�r�r�r�rrrrr�s



rc@s8eZ
dZd
ZereZdd�Zdd�Zdd�Zdd	�Z	d
S)�KeyPairTestsz)
    Tests for L{sslverify.KeyPair}.
    c

Cstd
dd�d|_
dS)z*
        Create test certificate.
        r�r�r�r
N)r;r�rVrrrr�Os

��zKeyPairTests.setUpc

Cs(|�t
d
ddd�dft�|j�
j�
dS)zB
        L{sslverify.KeyPair.__getstate__} is deprecated.
        r�
r�
r
r�
N)r�
r,rGr�
r�r�
rVrrrr�
Xs

�z%KeyPairTests.test_getstateDeprecationc
Cs:t�
|j�
��}
|�td
ddd�dft�
|j�
j|
�
dS)zA
        {sslverify.KeyPair.__setstate__} is deprecated.
        r�
r�
r
r�
N)rGr�
r�r�r�
r,r�
rgrrrr�
as


�z%KeyPairTests.test_setstateDeprecationc
Cs(td
�
j
�d�
}
|
��}tj�|�

dS)Nztwisted.testzcert.pem.no_trailing_newline)r"r[�sibling�
getContentrrHrI)rWZnoTrailingNewlineKeyPemPathZcertPEMrrr�test_noTrailingNewlinePemCertks

��
z*KeyPairTests.test_noTrailingNewlinePemCertN)
rYrZr[r�r�r�r�r�
r�
r�rrrrr�Hs

		
r�c@s<eZ
dZd
Zedk	reZdd�Zejdd�
g
e_dd�Z	dS)	�SelectVerifyImplementationTestsz3
    Tests for L{_selectVerifyImplementation}.
    Nc
	CsBtd
�
�0
dt
jd
<t��}
tjtjf}|�||
�
W5QRXdS)z�
        If I{service_identity} cannot be imported then
        L{_selectVerifyImplementation} returns L{simpleVerifyHostname} and
        L{SimpleVerificationError}.
        �service_identityN)r�sys�modulesrG�_selectVerifyImplementationr�
r�
r�)rWr�
Zexpectedrrr�test_dependencyMissing}s



�z6SelectVerifyImplementationTests.test_dependencyMissingzEYou do not have a working installation of the service_identity module�
r 
c
	Cs�td
�
�
dt
jd
<t��
W5QRXtdd�|��D�
�
\
}
dddg}g}|D]}|�dj|d	�
�

qP|�	|
d
|�
|�
|
dd�
|�
|
d
d�
dS)z�
        If I{service_identity} cannot be imported then
        L{_selectVerifyImplementation} emits a L{UserWarning} advising the user
        of the exact error.
        r�Nc
ss|]}
|
dtkr|
V
qd
S)r
N)
�UserWarning)rV�warningrrrrW�s�zPSelectVerifyImplementationTests.test_dependencyMissingWarning.<locals>.<genexpr>z8'import of service_identity halted; None in sys.modules'z:'import of 'service_identity' halted; None in sys.modules'z"'No module named service_identity'av
You do not have a working installation of the service_identity module: {message}.  Please install it from <https://pypi.python.org/pypi/service_identity> and make sure all of its dependencies are satisfied.  Without the service_identity module, Twisted can perform only rudimentary TLS client hostname verification.  Many valid certificate/hostname mappings may be rejected.r�r 
�filenamerq
�linenor
)rr�r�rGr�rJr"
r��formatrh
r�)rWr�ZimportErrorsZexpectedMessagesZimportErrorrrr�test_dependencyMissingWarning�s(


�
�	


��

z=SelectVerifyImplementationTests.test_dependencyMissingWarning)
rYrZr[r�r�r�r�r$r�
r�rrrrr�us

��	r�)
r<)
N)NNN)
N)�r�Z
__future__rrr��	itertoolsrCZzope.interfacerZtwisted.python.reflectrr�r�
rrrEZtwisted.internetrrrZOpenSSL.cryptor	r
rrr
ZcryptographyrZcryptography.hazmat.backendsrZcryptography.hazmat.primitivesrZ)cryptography.hazmat.primitives.asymmetricrZ,cryptography.hazmat.primitives.serializationrrZcryptography.x509.oidrrrwr!
r{Zset_npn_advertise_callbackrZset_alpn_select_callbackZtwisted.test.test_twistedrZtwisted.test.iosimrZtwisted.internet.errorrZtwisted.python.compatr Ztwisted.python.filepathr!Ztwisted.python.modulesr"Z
twisted.trialr#r$r%r&r'Ztwisted.internet._idnar(r)r*r+Zincrementalr,Ztwisted.internet.sslr-r.r/rGZtwisted.protocols.tlsr0rr
rw
rYr[r�r�r-�countr2r;rPrvr�r�r�ror�r�r�r�ZSynchronousTestCaser�r�r�ZTestCaser�r�
r�
r�
r�
r�
rrrrrrr+r9rCrNrZr]rdrirqrvrxrr�r�rrrr�<module>s�







































_8
)

�
0
pEHS/�
 S5G63)( > -