summaryrefslogblamecommitdiffhomepage
path: root/test/test_tls_sni.py
blob: 09e212bd03a2dca0b4987e2206fd1afc1ef73faf (plain) (tree) 
e8577afc

6c97a1a0

e8577afc

18fcc07c

e8577afc







18fcc07c


e8577afc








e8577afc


6c97a1a0

e8577afc







7934dcab

e8577afc

7934dcab

e8577afc



7934dcab


e8577afc


7934dcab

e8577afc









e8577afc


7934dcab

e8577afc


7934dcab

e8577afc







7934dcab

e8577afc

ae035852

e8577afc







7934dcab

e8577afc

7934dcab

e8577afc

7934dcab

e8577afc







7934dcab

e8577afc

ae035852

e8577afc







7934dcab

e8577afc

7934dcab

e8577afc

7934dcab

e8577afc

7934dcab

e8577afc

7934dcab

e8577afc







7934dcab

e8577afc







7934dcab

e8577afc
















6c97a1a0

e8577afc
















960ffc99












0f725346


960ffc99







e8577afc
































6c97a1a0

e8577afc







































6c97a1a0

e8577afc













0f725346

e8577afc

















1

2

3

4

5
6
7
8
9
10
11

12
13

14
15
16
17
18
19
20
21

22
23

24

25
26
27
28
29
30
31

32

33

34

35
36
37

38
39

40
41

42

43
44
45
46
47
48
49
50
51

52
53

54

55
56

57

58
59
60
61
62
63
64

65

66

67

68
69
70
71
72
73
74

75

76

77

78

79

80
81
82
83
84
85
86

87

88

89

90
91
92
93
94
95
96

97

98

99

100

101

102

103

104

105

106
107
108
109
110
111
112

113

114
115
116
117
118
119
120

121

122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137

138

139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154

155
156
157
158
159
160
161
162
163
164
165
166

167
168

169
170
171
172
173
174
175

176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207

208

209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247

248

249
250
251
252
253
254
255
256
257
258
259
260
261

262

263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279

          
                 
 
             






                                                    

                                   







                                                            

                                      
                                                             






                                                                             
                                                          
                    
                          


                 

                                      

                    
                                     








                                      

             
                                                             

                           
                                                            






                                                                              
                                                                                
 
                                    






                              
                                                      
                           
                                                 
                              
                                                 






                                         
                                                                                
 
                                    






                              
                                                 
                               
                                                  
                            
                                                  
                          
                                                 
                           
                                                 






                                                    
                                                                         






                                                      
                                                     















                                                               
                                                                     















                                                                               











                                                                        

                                                                   






                                                  































                                                                               
                                                                        






































                                                                               
                                                                     












                                      
                                                                                
















                                                                              
import ssl
import subprocess

import pytest
from unit.applications.tls import TestApplicationTLS
from unit.option import option


class TestTLSSNI(TestApplicationTLS):
    prerequisites = {'modules': {'openssl': 'any'}}

    @pytest.fixture(autouse=True)
    def setup_method_fixture(self):
        self._load_conf(
            {
                "listeners": {"*:7080": {"pass": "routes"}},
                "routes": [{"action": {"return": 200}}],
                "applications": {},
            }
        )

    def add_tls(self, cert='default'):
        assert 'success' in self.conf(
            {"pass": "routes", "tls": {"certificate": cert}},
            'listeners/*:7080',
        )

    def remove_tls(self):
        assert 'success' in self.conf({"pass": "routes"}, 'listeners/*:7080')

    def generate_ca_conf(self):
        with open(f'{option.temp_dir}/ca.conf', 'w') as f:
            f.write(
                f"""[ ca ]
default_ca = myca

[ myca ]
new_certs_dir = {option.temp_dir}
database = {option.temp_dir}/certindex
default_md = sha256
policy = myca_policy
serial = {option.temp_dir}/certserial
default_days = 1
x509_extensions = myca_extensions
copy_extensions = copy

[ myca_policy ]
commonName = optional

[ myca_extensions ]
basicConstraints = critical,CA:TRUE"""
            )

        with open(f'{option.temp_dir}/certserial', 'w') as f:
            f.write('1000')

        with open(f'{option.temp_dir}/certindex', 'w') as f:
            f.write('')

    def config_bundles(self, bundles):
        self.certificate('root', False)

        for b in bundles:
            self.openssl_conf(rewrite=True, alt_names=bundles[b]['alt_names'])
            subj = f'/CN={bundles[b]["subj"]}/' if 'subj' in bundles[b] else '/'

            subprocess.check_output(
                [
                    'openssl',
                    'req',
                    '-new',
                    '-subj',
                    subj,
                    '-config',
                    f'{option.temp_dir}/openssl.conf',
                    '-out',
                    f'{option.temp_dir}/{b}.csr',
                    '-keyout',
                    f'{option.temp_dir}/{b}.key',
                ],
                stderr=subprocess.STDOUT,
            )

        self.generate_ca_conf()

        for b in bundles:
            subj = f'/CN={bundles[b]["subj"]}/' if 'subj' in bundles[b] else '/'

            subprocess.check_output(
                [
                    'openssl',
                    'ca',
                    '-batch',
                    '-subj',
                    subj,
                    '-config',
                    f'{option.temp_dir}/ca.conf',
                    '-keyfile',
                    f'{option.temp_dir}/root.key',
                    '-cert',
                    f'{option.temp_dir}/root.crt',
                    '-in',
                    f'{option.temp_dir}/{b}.csr',
                    '-out',
                    f'{option.temp_dir}/{b}.crt',
                ],
                stderr=subprocess.STDOUT,
            )

        self.context = ssl.create_default_context()
        self.context.check_hostname = False
        self.context.verify_mode = ssl.CERT_REQUIRED
        self.context.load_verify_locations(f'{option.temp_dir}/root.crt')

        self.load_certs(bundles)

    def load_certs(self, bundles):
        for bname, bvalue in bundles.items():
            assert 'success' in self.certificate_load(
                bname, bname
            ), f'certificate {bvalue["subj"]} upload'

    def check_cert(self, host, expect):
        resp, sock = self.get_ssl(
            headers={
                'Host': host,
                'Content-Length': '0',
                'Connection': 'close',
            },
            start=True,
        )

        assert resp['status'] == 200
        assert sock.getpeercert()['subject'][0][0][1] == expect

    def test_tls_sni(self):
        bundles = {
            "default": {"subj": "default", "alt_names": ["default"]},
            "localhost.com": {
                "subj": "localhost.com",
                "alt_names": ["alt1.localhost.com"],
            },
            "example.com": {
                "subj": "example.com",
                "alt_names": ["alt1.example.com", "alt2.example.com"],
            },
        }
        self.config_bundles(bundles)
        self.add_tls(["default", "localhost.com", "example.com"])

        self.check_cert('alt1.localhost.com', bundles['localhost.com']['subj'])
        self.check_cert('alt2.example.com', bundles['example.com']['subj'])
        self.check_cert('blah', bundles['default']['subj'])

    def test_tls_sni_no_hostname(self):
        bundles = {
            "localhost.com": {"subj": "localhost.com", "alt_names": []},
            "example.com": {
                "subj": "example.com",
                "alt_names": ["example.com"],
            },
        }
        self.config_bundles(bundles)
        self.add_tls(["localhost.com", "example.com"])

        resp, sock = self.get_ssl(
            headers={'Content-Length': '0', 'Connection': 'close'},
            start=True,
        )
        assert resp['status'] == 200
        assert (
            sock.getpeercert()['subject'][0][0][1]
            == bundles['localhost.com']['subj']
        )

    def test_tls_sni_upper_case(self):
        bundles = {
            "localhost.com": {"subj": "LOCALHOST.COM", "alt_names": []},
            "example.com": {
                "subj": "example.com",
                "alt_names": ["ALT1.EXAMPLE.COM", "*.ALT2.EXAMPLE.COM"],
            },
        }
        self.config_bundles(bundles)
        self.add_tls(["localhost.com", "example.com"])

        self.check_cert('localhost.com', bundles['localhost.com']['subj'])
        self.check_cert('LOCALHOST.COM', bundles['localhost.com']['subj'])
        self.check_cert('EXAMPLE.COM', bundles['localhost.com']['subj'])
        self.check_cert('ALT1.EXAMPLE.COM', bundles['example.com']['subj'])
        self.check_cert('WWW.ALT2.EXAMPLE.COM', bundles['example.com']['subj'])

    def test_tls_sni_only_bundle(self):
        bundles = {
            "localhost.com": {
                "subj": "localhost.com",
                "alt_names": ["alt1.localhost.com", "alt2.localhost.com"],
            }
        }
        self.config_bundles(bundles)
        self.add_tls(["localhost.com"])

        self.check_cert('domain.com', bundles['localhost.com']['subj'])
        self.check_cert('alt1.domain.com', bundles['localhost.com']['subj'])

    def test_tls_sni_wildcard(self):
        bundles = {
            "localhost.com": {"subj": "localhost.com", "alt_names": []},
            "example.com": {
                "subj": "example.com",
                "alt_names": ["*.example.com", "*.alt.example.com"],
            },
        }
        self.config_bundles(bundles)
        self.add_tls(["localhost.com", "example.com"])

        self.check_cert('example.com', bundles['localhost.com']['subj'])
        self.check_cert('www.example.com', bundles['example.com']['subj'])
        self.check_cert('alt.example.com', bundles['example.com']['subj'])
        self.check_cert('www.alt.example.com', bundles['example.com']['subj'])
        self.check_cert('www.alt.example.ru', bundles['localhost.com']['subj'])

    def test_tls_sni_duplicated_bundle(self):
        bundles = {
            "localhost.com": {
                "subj": "localhost.com",
                "alt_names": ["localhost.com", "alt2.localhost.com"],
            }
        }
        self.config_bundles(bundles)
        self.add_tls(["localhost.com", "localhost.com"])

        self.check_cert('localhost.com', bundles['localhost.com']['subj'])
        self.check_cert('alt2.localhost.com', bundles['localhost.com']['subj'])

    def test_tls_sni_same_alt(self):
        bundles = {
            "localhost": {"subj": "subj1", "alt_names": "same.altname.com"},
            "example": {"subj": "subj2", "alt_names": "same.altname.com"},
        }
        self.config_bundles(bundles)
        self.add_tls(["localhost", "example"])

        self.check_cert('localhost', bundles['localhost']['subj'])
        self.check_cert('example', bundles['localhost']['subj'])

    def test_tls_sni_empty_cn(self):
        bundles = {"localhost": {"alt_names": ["alt.localhost.com"]}}
        self.config_bundles(bundles)
        self.add_tls(["localhost"])

        resp, sock = self.get_ssl(
            headers={
                'Host': 'domain.com',
                'Content-Length': '0',
                'Connection': 'close',
            },
            start=True,
        )

        assert resp['status'] == 200
        assert sock.getpeercert()['subjectAltName'][0][1] == 'alt.localhost.com'

    def test_tls_sni_invalid(self):
        self.config_bundles({"localhost": {"subj": "subj1", "alt_names": ''}})
        self.add_tls(["localhost"])

        def check_certificate(cert):
            assert 'error' in self.conf(
                {"pass": "routes", "tls": {"certificate": cert}},
                'listeners/*:7080',
            )

        check_certificate('')
        check_certificate('blah')
        check_certificate([])
        check_certificate(['blah'])
        check_certificate(['localhost', 'blah'])
        check_certificate(['localhost', []])
generated by cgit (git 2.34.1) at 2024-11-16 23:42:57 +0000