authorQuentin Pradet <quentin.pradet@gmail.com>2020-01-27 18:33:15 +0400
committerSeth Michael Larson <sethmichaellarson@gmail.com>2020-01-27 08:33:15 -0600
commit672eaabf3c84f6b6b8fec5f2b4d4f3d30ae84416 (patch)
tree19e46d2d576aeff8a6cd22d8175e745d7472e3ec /test/with_dummyserver
parenta9776d15013a7a4f2b92e4d7d1be2b5fe18d43d4 (diff)
downloadurllib3-672eaabf3c84f6b6b8fec5f2b4d4f3d30ae84416.tar.gz
Generate bad CA with trustme (#1794)
Diffstat (limited to 'test/with_dummyserver')
-rw-r--r--test/with_dummyserver/test_https.py14
-rw-r--r--test/with_dummyserver/test_proxy_poolmanager.py26
2 files changed, 28 insertions, 12 deletions
diff --git a/test/with_dummyserver/test_https.py b/test/with_dummyserver/test_https.py
index 3bf0e2e9..0f993469 100644
--- a/test/with_dummyserver/test_https.py
+++ b/test/with_dummyserver/test_https.py
@@ -17,7 +17,6 @@ from dummyserver.server import (
encrypt_key_pem,
DEFAULT_CA,
DEFAULT_CA_KEY,
- DEFAULT_CA_BAD,
DEFAULT_CERTS,
)
@@ -96,6 +95,11 @@ class TestHTTPS(HTTPSDummyServerTestCase):
with open(DEFAULT_CA, "rb") as crt, open(DEFAULT_CA_KEY, "rb") as key:
root_ca = trustme.CA.from_pem(crt.read(), key.read())
+ # Generate another CA to test verification failure
+ bad_ca = trustme.CA()
+ cls.bad_ca_path = os.path.join(cls.certs_dir, "ca_bad.pem")
+ bad_ca.cert_pem.write_to_path(cls.bad_ca_path)
+
# client cert chain
intermediate_ca = root_ca.create_child_ca()
cert = intermediate_ca.issue_cert(u"example.com")
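Review bot: The new comment `# Generate another CA to test verification failure` does not say why this CA makes verification fail, which is the property the negative tests depend on. I would expand it to `# Fresh CA that signed none of the dummy server's certs, so CERT_REQUIRED against it must fail; only the cert (no key) is written`. Writing only `cert_pem` is correct for a trust anchor and keeps the throwaway private key off disk. `cls.certs_dir` is assigned outside this hunk, so its creation and cleanup cannot be checked from here.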
@@ -340,7 +344,7 @@ class TestHTTPS(HTTPSDummyServerTestCase):
def test_verified_with_bad_ca_certs(self):
with HTTPSConnectionPool(
- self.host, self.port, cert_reqs="CERT_REQUIRED", ca_certs=DEFAULT_CA_BAD
+ self.host, self.port, cert_reqs="CERT_REQUIRED", ca_certs=self.bad_ca_path
) as https_pool:
with pytest.raises(MaxRetryError) as e:
https_pool.request("GET", "/")
@@ -396,7 +400,7 @@ class TestHTTPS(HTTPSDummyServerTestCase):
def test_ssl_unverified_with_ca_certs(self):
with HTTPSConnectionPool(
- self.host, self.port, cert_reqs="CERT_NONE", ca_certs=DEFAULT_CA_BAD
+ self.host, self.port, cert_reqs="CERT_NONE", ca_certs=self.bad_ca_path
) as pool:
with mock.patch("warnings.warn") as warn:
r = pool.request("GET", "/")
@@ -508,7 +512,7 @@ class TestHTTPS(HTTPSDummyServerTestCase):
def test_verify_none_and_bad_fingerprint(self):
with HTTPSConnectionPool(
- "127.0.0.1", self.port, cert_reqs="CERT_NONE", ca_certs=DEFAULT_CA_BAD
+ "127.0.0.1", self.port, cert_reqs="CERT_NONE", ca_certs=self.bad_ca_path
) as https_pool:
https_pool.assert_fingerprint = (
"AA:AA:AA:AA:AA:AAAA:AA:AAAA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA"
@@ -519,7 +523,7 @@ class TestHTTPS(HTTPSDummyServerTestCase):
def test_verify_none_and_good_fingerprint(self):
with HTTPSConnectionPool(
- "127.0.0.1", self.port, cert_reqs="CERT_NONE", ca_certs=DEFAULT_CA_BAD
+ "127.0.0.1", self.port, cert_reqs="CERT_NONE", ca_certs=self.bad_ca_path
) as https_pool:
https_pool.assert_fingerprint = (
"92:81:FE:85:F7:0C:26:60:EC:D6:B3:BF:93:CF:F9:71:CC:07:7D:0A"
diff --git a/test/with_dummyserver/test_proxy_poolmanager.py b/test/with_dummyserver/test_proxy_poolmanager.py
index fe02f23d..063ab360 100644
--- a/test/with_dummyserver/test_proxy_poolmanager.py
+++ b/test/with_dummyserver/test_proxy_poolmanager.py
@@ -1,15 +1,15 @@
import json
+import os.path
+import shutil
import socket
+import tempfile
+
import pytest
+import trustme
from dummyserver.testcase import HTTPDummyProxyTestCase, IPv6HTTPDummyProxyTestCase
-from dummyserver.server import (
- DEFAULT_CA,
- DEFAULT_CA_BAD,
- HAS_IPV6,
- get_unreachable_address,
-)
+from dummyserver.server import DEFAULT_CA, HAS_IPV6, get_unreachable_address
from .. import TARPIT_HOST, requires_network
from urllib3._collections import HTTPHeaderDict
@@ -33,6 +33,18 @@ class TestHTTPProxyManager(HTTPDummyProxyTestCase):
cls.https_url_alt = "https://%s:%d" % (cls.https_host_alt, cls.https_port)
cls.proxy_url = "http://%s:%d" % (cls.proxy_host, cls.proxy_port)
+ # Generate another CA to test verification failure
+ cls.certs_dir = tempfile.mkdtemp()
+ bad_ca = trustme.CA()
+
+ cls.bad_ca_path = os.path.join(cls.certs_dir, "ca_bad.pem")
+ bad_ca.cert_pem.write_to_path(cls.bad_ca_path)
+
+ @classmethod
+ def teardown_class(cls):
+ super(TestHTTPProxyManager, cls).teardown_class()
+ shutil.rmtree(cls.certs_dir)
+
def test_basic_proxy(self):
with proxy_from_url(self.proxy_url, ca_certs=DEFAULT_CA) as http:
r = http.request("GET", "%s/" % self.http_url)
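Review bot: The directory created by `cls.certs_dir = tempfile.mkdtemp()` can be left behind, because in the new `teardown_class` the call `shutil.rmtree(cls.certs_dir)` runs only when the parent teardown returns normally. Wrapping the parent call as `try: super(TestHTTPProxyManager, cls).teardown_class()` followed by `finally: shutil.rmtree(cls.certs_dir)` makes the cleanup unconditional. If `trustme.CA()` or `write_to_path` raises during setup, the class teardown presumably does not run at all, so the directory would leak in that case too. The same bad-CA generation is repeated in test_https.py, and a shared helper would keep the two copies in step. The setup method these lines were added to begins outside this hunk.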
@@ -84,7 +96,7 @@ class TestHTTPProxyManager(HTTPDummyProxyTestCase):
def test_proxy_verified(self):
with proxy_from_url(
- self.proxy_url, cert_reqs="REQUIRED", ca_certs=DEFAULT_CA_BAD
+ self.proxy_url, cert_reqs="REQUIRED", ca_certs=self.bad_ca_path
) as http:
https_pool = http._new_pool("https", self.https_host, self.https_port)
with pytest.raises(MaxRetryError) as e: