import datetime
import mock
import pytest
from urllib3.connection import RECENT_DATE, CertificateError, _match_hostname
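class TestConnection(object):
    """
    Tests in this suite should not make any network requests or connections.

    Most cases exercise ``urllib3.connection._match_hostname``, the check
    that compares the hostname a caller asked for against the peer
    certificate's ``subjectAltName`` entries. The negative cases use
    ``pytest.raises`` so that a regression which silently accepts a
    mismatched certificate fails the suite instead of passing vacuously.
    """

    def _assert_hostname_rejected(self, cert, asserted_hostname, expected_message):
        """Assert that *asserted_hostname* is rejected for *cert*.

        Checks three things about the rejection:

        * ``CertificateError`` is raised and its text contains
          *expected_message*;
        * exactly one warning is logged through ``urllib3.connection.log``
          with the asserted hostname and the certificate;
        * the offending certificate is attached to the exception as
          ``_peer_cert``.

        The name has no ``test`` prefix, so pytest does not collect it.
        """
        with mock.patch("urllib3.connection.log.warning") as mock_log:
            # pytest.raises fails the test when nothing is raised. A bare
            # try/except would let an accepted mismatch go unnoticed.
            with pytest.raises(CertificateError) as excinfo:
                _match_hostname(cert, asserted_hostname)

        assert expected_message in str(excinfo.value)
        mock_log.assert_called_once_with(
            "Certificate did not match expected hostname: %s. Certificate: %s",
            asserted_hostname,
            cert,
        )
        assert excinfo.value._peer_cert == cert

    def test_match_hostname_no_cert(self):
        """A missing certificate (``None``) raises ``ValueError``."""
        cert = None
        asserted_hostname = "foo"
        with pytest.raises(ValueError):
            _match_hostname(cert, asserted_hostname)

    def test_match_hostname_empty_cert(self):
        """An empty certificate dict raises ``ValueError``."""
        cert = {}
        asserted_hostname = "foo"
        with pytest.raises(ValueError):
            _match_hostname(cert, asserted_hostname)

    def test_match_hostname_match(self):
        """A DNS SAN equal to the asserted hostname is accepted."""
        cert = {"subjectAltName": [("DNS", "foo")]}
        asserted_hostname = "foo"
        # Acceptance is signalled by the absence of an exception.
        _match_hostname(cert, asserted_hostname)

    def test_match_hostname_ipaddress_none(self):
        """DNS matching still succeeds when ``ipaddress`` is unavailable."""
        cert = {"subjectAltName": [("DNS", "foo")]}
        asserted_hostname = "foo"
        # Replace the module attribute with None for the duration of the call.
        with mock.patch("urllib3.util.ssl_match_hostname.ipaddress", None):
            assert _match_hostname(cert, asserted_hostname) is None

    def test_match_hostname_mismatch(self):
        """A DNS SAN that differs from the hostname is rejected and logged."""
        self._assert_hostname_rejected(
            {"subjectAltName": [("DNS", "foo")]},
            "bar",
            "hostname 'bar' doesn't match 'foo'",
        )

    def test_match_hostname_ip_address_ipv6(self):
        """An IPv6 SAN that differs from the asserted address is rejected."""
        self._assert_hostname_rejected(
            {"subjectAltName": (("IP Address", "1:2::2:1"),)},
            "1:2::2:2",
            "hostname '1:2::2:2' doesn't match '1:2::2:1'",
        )

    def test_match_hostname_dns_with_brackets_doesnt_match(self):
        """A bracketed non-IP name matches neither a DNS nor an IP SAN."""
        cert = {
            "subjectAltName": (
                ("DNS", "localhost"),
                ("IP Address", "localhost"),
            )
        }
        asserted_hostname = "[localhost]"
        with pytest.raises(CertificateError) as e:
            _match_hostname(cert, asserted_hostname)
        assert (
            "hostname '[localhost]' doesn't match either of 'localhost', 'localhost'"
            in str(e.value)
        )

    def test_match_hostname_ip_address_ipv6_brackets(self):
        """A bracketed IPv6 literal is accepted against the bare-address SAN."""
        cert = {"subjectAltName": (("IP Address", "1:2::2:1"),)}
        asserted_hostname = "[1:2::2:1]"
        # Assert no error is raised
        _match_hostname(cert, asserted_hostname)

    def test_match_hostname_ip_address(self):
        """An IPv4 SAN that differs from the asserted address is rejected."""
        self._assert_hostname_rejected(
            {"subjectAltName": [("IP Address", "1.1.1.1")]},
            "1.1.1.2",
            "hostname '1.1.1.2' doesn't match '1.1.1.1'",
        )

    def test_match_hostname_no_dns(self):
        """An empty DNS SAN value does not match a non-empty hostname."""
        self._assert_hostname_rejected(
            {"subjectAltName": [("DNS", "")]},
            "bar",
            "hostname 'bar' doesn't match ''",
        )

    def test_match_hostname_startwith_wildcard(self):
        """A bare ``*`` DNS SAN is accepted for the hostname ``foo``."""
        # NOTE(review): this pins permissive wildcard handling. If matching
        # is ever tightened, update this test deliberately, not by accident.
        cert = {"subjectAltName": [("DNS", "*")]}
        asserted_hostname = "foo"
        _match_hostname(cert, asserted_hostname)

    def test_match_hostname_dnsname(self):
        """An ``xn--`` SAN containing ``*`` matches the identical hostname."""
        # NOTE(review): presumably the '*' in an A-label is compared
        # literally and not expanded - confirm against the matcher.
        cert = {"subjectAltName": [("DNS", "xn--p1b6ci4b4b3a*.xn--11b5bs8d")]}
        asserted_hostname = "xn--p1b6ci4b4b3a*.xn--11b5bs8d"
        _match_hostname(cert, asserted_hostname)

    def test_match_hostname_include_wildcard(self):
        """A partial-label wildcard (``foo*``) is accepted for ``foobar``."""
        # NOTE(review): partial wildcards widen what a certificate covers.
        # This test records that they are currently accepted.
        cert = {"subjectAltName": [("DNS", "foo*")]}
        asserted_hostname = "foobar"
        _match_hostname(cert, asserted_hostname)

    def test_recent_date(self):
        """``RECENT_DATE`` must be less than two years behind today."""
        # This test is to make sure that the RECENT_DATE value
        # doesn't get too far behind what the current date is.
        # When this test fails update urllib3.connection.RECENT_DATE
        # according to the rules defined in that file.
        two_years = datetime.timedelta(days=365 * 2)
        assert RECENT_DATE > (datetime.datetime.today() - two_years).date()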