Allow accessing a connection's verfied certificate chain (#894)

* Allow accessing a connection's verfied certificate chain Add X509StoreContext.get_verified_chain using X509_STORE_CTX_get1_chain. Add Connection.get_verified_chain using SSL_get0_verified_chain if available (ie OpenSSL 1.1+) and X509StoreContext.get_verified_chain otherwise. Fixes #740. * TLSv1_METHOD -> SSLv23_METHOD * Use X509_up_ref instead of X509_dup * Add _openssl_assert where appropriate * SSL_get_peer_cert_chain should not be null * Reformat with black * Fix <OpenSSL.crypto.X509 object at 0x7fdbb59e8050> != <OpenSSL.crypto.X509 object at 0x7fdbb59daad0> * Add Changelog entry * Remove _add_chain
author: Shane Harvey <shane.harvey@mongodb.com> 2020-08-05 16:48:51 -0700
committer: GitHub <noreply@github.com> 2020-08-05 18:48:51 -0500
commit: 33c5499ce34f5e1c7c2630c6a1446353eee31755 (patch)
tree: 45f4871892c7b5e29e46fca2009e5cf77dc9eaa8 /tests/test_crypto.py
parent: bb971ae935059b73830ea2abe3f66391125b2bfb (diff)
download: pyopenssl-git-33c5499ce34f5e1c7c2630c6a1446353eee31755.tar.gz
1 files changed, 35 insertions, 0 deletions
diff --git a/tests/test_crypto.py b/tests/test_crypto.py
index 3802d9a..ac4e729 100644
--- a/tests/test_crypto.py
+++ b/tests/test_crypto.py
@@ -3849,6 +3849,41 @@ class TestX509StoreContext(object):
 
         assert exc.value.args[0][2] == "certificate has expired"
 
+    def test_get_verified_chain(self):
+        """
+        `get_verified_chain` returns the verified chain.
+        """
+        store = X509Store()
+        store.add_cert(self.root_cert)
+        store.add_cert(self.intermediate_cert)
+        store_ctx = X509StoreContext(store, self.intermediate_server_cert)
+        chain = store_ctx.get_verified_chain()
+        assert len(chain) == 3
+        intermediate_subject = self.intermediate_server_cert.get_subject()
+        assert chain[0].get_subject() == intermediate_subject
+        assert chain[1].get_subject() == self.intermediate_cert.get_subject()
+        assert chain[2].get_subject() == self.root_cert.get_subject()
+        # Test reuse
+        chain = store_ctx.get_verified_chain()
+        assert len(chain) == 3
+        assert chain[0].get_subject() == intermediate_subject
+        assert chain[1].get_subject() == self.intermediate_cert.get_subject()
+        assert chain[2].get_subject() == self.root_cert.get_subject()
+
+    def test_get_verified_chain_invalid_chain_no_root(self):
+        """
+        `get_verified_chain` raises error when cert verification fails.
+        """
+        store = X509Store()
+        store.add_cert(self.intermediate_cert)
+        store_ctx = X509StoreContext(store, self.intermediate_server_cert)
+
+        with pytest.raises(X509StoreContextError) as exc:
+            store_ctx.get_verified_chain()
+
+        assert exc.value.args[0][2] == "unable to get issuer certificate"
+        assert exc.value.certificate.get_subject().CN == "intermediate"
+
 
 class TestSignVerify(object):
     """
author	Shane Harvey <shane.harvey@mongodb.com>	2020-08-05 16:48:51 -0700
committer	GitHub <noreply@github.com>	2020-08-05 18:48:51 -0500
commit	33c5499ce34f5e1c7c2630c6a1446353eee31755 (patch)
tree	45f4871892c7b5e29e46fca2009e5cf77dc9eaa8 /tests/test_crypto.py
parent	bb971ae935059b73830ea2abe3f66391125b2bfb (diff)
download	pyopenssl-git-33c5499ce34f5e1c7c2630c6a1446353eee31755.tar.gz