save certificate for use in tests

news/13750-test-certificate

@@ -0,0 +1,19 @@
+### Enhancements
+
+* <news item>
+
+### Bug fixes
+
+* <news item>
+
+### Deprecations
+
+* <news item>
+
+### Docs
+
+* <news item>
+
+### Other
+
+* Use static ssl certificate in test suite to save time (#13750)

tests/adhoc.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDAzCCAeugAwIBAgIUOltp6qcixXu2GXHosGVaVMNNAU8wDQYJKoZIhvcNAQEL
+BQAwKDEaMBgGA1UECgwRRHVtbXkgQ2VydGlmaWNhdGUxCjAIBgNVBAMMASowHhcN
+MjQwNDAxMjA1NjAwWhcNMjUwNDAxMjA1NjAwWjAoMRowGAYDVQQKDBFEdW1teSBD
+ZXJ0aWZpY2F0ZTEKMAgGA1UEAwwBKjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBALIbig7b7bdziPcA17D90tCJcWCG4h3F+sn1b10k2Lyf+0HRdgmdm5sl
+NC1WxqFFBafBvDUjc8KfHNLIThlnZ+DfErbi9jUCZ1y8JI/ML0tWqDPp9N28fr/9
+TBkum2TkgLt2TMEj+QAGlATKVRK3UP8sPJa8lE5CrKcY0AOiKsTRUkUgINMTjIxj
+tG35+JlX9+gx/+vBAftL1y96CSTSXwAnfmyY08uQS03Oy9XozIqYY4Q3aHFXcXmd
+UBGtZcoEr5WWyy3Q6hO9lGFWLCn5HmDMQ6kMbh8LCI6JvG3E3FcV4SpRCkxLPRKf
+gG8IeM8d3xzevcRsZ0tNWwZbl9AAqPUCAwEAAaMlMCMwEwYDVR0lBAwwCgYIKwYB
+BQUHAwEwDAYDVR0RBAUwA4IBKjANBgkqhkiG9w0BAQsFAAOCAQEAph46ox0FO2OK
+J9+EOGllJMzXgf91oULpslYuCGXi1VrPyw5sTP5kauL65JkPRCPBwsfavJ6Rt9li
+oSdhZqCWWRg7p/bTRRZuWMT0irE0PFO0kcRf+yCkWVAU7vtLDHCJVWv6MN9VCHUc
++e+9M6NhC3mKt+2j1LlcHZ7hOnYC54VzX8KK5rgrAGAC6y4wob5ZxKKwjAhGxZih
+Iu58etj5liY4VGpMWW2gA9HGStCe8SqEiz2UJcPT4YG8k4dlUPLyw3vZhQmBer7U
+oceya7nhGjFFmtPMZkZ3V9Q8DdemFHZ/wKDyX+vEmNunx5CtfhsMDjh3+p64Grjs
+xaq7ngoR+w==
+-----END CERTIFICATE-----

tests/adhoc.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAshuKDtvtt3OI9wDXsP3S0IlxYIbiHcX6yfVvXSTYvJ/7QdF2
+CZ2bmyU0LVbGoUUFp8G8NSNzwp8c0shOGWdn4N8StuL2NQJnXLwkj8wvS1aoM+n0
+3bx+v/1MGS6bZOSAu3ZMwSP5AAaUBMpVErdQ/yw8lryUTkKspxjQA6IqxNFSRSAg
+0xOMjGO0bfn4mVf36DH/68EB+0vXL3oJJNJfACd+bJjTy5BLTc7L1ejMiphjhDdo
+cVdxeZ1QEa1lygSvlZbLLdDqE72UYVYsKfkeYMxDqQxuHwsIjom8bcTcVxXhKlEK
+TEs9Ep+Abwh4zx3fHN69xGxnS01bBluX0ACo9QIDAQABAoIBABbgER0D87XkZaK9
+zbYaf5VPlct9P3Tt/N4sAvPeW+TsEj/7mFK3Vqk4P8mT89p6LDYF3LeheEh2maPb
+3KYIITAhTnzFTTR1PNPNCVAbvDZLqLpUMeI5x7i+XmP8l7I/Y+ZP1R9YUK6HacLs
+vrzy5PkFFDoS+eRMTXL/rZXN4frZpb0LC6q0+i6pgPacejBAIcOSBlWD1GB1QnSk
+uQLibUW1QtjFwqpGmQ/8dJPgejhw+08uaNhzq/UthZxjg8eQoXKRjYr7hs5Cv85H
+Enew4CXd/2QXiSZxq5aUfQsEwiQRSdUPa2prRsZrJyLq9msraJgSZJKN2dakxhtu
+/1/xToECgYEA28ZGaXp6pgnulJ2x9kvKaKf2ojMbqWZ7hdG0pD/Lyi6uG/WHrwyv
+SGGQEQAaxPaFlwhFschEAkL0A6phA4MroeqoWb+0sVd1EuxYL0PiWyOGR4vtiGfa
+euk5ju8d1aV6IV1C0rrJdQvs6Yhg9so6Az4D3Knqn9A/Ouzn6mKC5oECgYEAz3cQ
+QcBViZGPVFmOM89ADLtYc79JS2dFyyNi8K408yw6TBo16HT3MB12Jjk7tMeM1Xdp
+2sQJg8M4ESMwyyQQnH38zXYEBMuYSVfErGDGbA0OOoUfaDDtFFcvgnaAAB9CeQZ2
+HmQGZQAvBJnm+o1kZP3PGOJKHDLEE1WlItGlUHUCgYACemri15m4c5Y4IMsX7uTa
+Z0J1s8PVFi3AZYv26i0/G2WlNRCRncAAPfFk765dmDYLbPF0PsDdkam0vOAZLQp5
+6e56DJpaAZV1YCriZY6Q3oauGdrU1e71wdl/Thz1AsesxqNxQt/wrPC/9WS6g69B
+yBo9C8F0ieGcpX07/F5jgQKBgB/B6gsmlfFpBreyvcHQh81rIC8XqPCR7m0aDZsq
+D5DpxELCAF6FCRGkcOGJAUq7ASPsE5gZShuRVpPI/z8ZVjGeV4Rb/GF/iOAxPznj
+1nvTw8nRdu1MD/59GhiuawmZv2MnSg184j2zuX7K0ECqRCPxdjIo8Y8/diQ/h/e8
+f8HBAoGBAKXV90UWGArZoxpQFKX3Bg5OYpe7t/4y4Q/qiiUEBdM6WxwO5fq6G8Cx
+BYPeUIz51yTIh+J1jvKAq1nJOJGWzuczdMbc6+n+yMqIx4u06Fw6YoOMAU1WyQyb
+CuQTnKaN7o8wQxG6TqziLeKHDcgBzTPWvfMhfOhUooHJNZKJETJb
+-----END RSA PRIVATE KEY-----

tests/adhoc_cert.py

@@ -0,0 +1,122 @@
+# Copyright (C) 2012 Anaconda, Inc
+# SPDX-License-Identifier: BSD-3-Clause
+"""
+Save adhoc ssl certificate locally to avoid per-test-run overhead.
+
+Based on werkzeug.serving (RSA implementation).
+"""
+# Copyright 2007 Pallets
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+#     Redistributions of source code must retain the above copyright notice,
+#     this list of conditions and the following disclaimer.
+#
+#     Redistributions in binary form must reproduce the above copyright notice,
+#     this list of conditions and the following disclaimer in the documentation
+#     and/or other materials provided with the distribution.
+#
+#     Neither the name of the copyright holder nor the names of its contributors
+#     may be used to endorse or promote products derived from this software
+#     without specific prior written permission.
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+from __future__ import annotations
+
+import os
+import typing
+from datetime import datetime as dt
+from datetime import timedelta, timezone
+
+if typing.TYPE_CHECKING:
+    from cryptography.x509 import Certificate
+
+
+def generate_adhoc_ssl_pair(
+    cn: str | None = None,
+) -> tuple[Certificate, typing.Any]:
+    try:
+        from cryptography import x509
+        from cryptography.hazmat.backends import default_backend
+        from cryptography.hazmat.primitives import hashes
+        from cryptography.hazmat.primitives.asymmetric import rsa
+        from cryptography.x509.oid import NameOID
+    except ImportError:
+        raise TypeError(
+            "Using ad-hoc certificates requires the cryptography library."
+        ) from None
+
+    backend = default_backend()
+    pkey = rsa.generate_private_key(
+        public_exponent=65537, key_size=2048, backend=backend
+    )
+
+    # pretty damn sure that this is not actually accepted by anyone
+    if cn is None:
+        cn = "*"
+
+    subject = x509.Name(
+        [
+            x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Dummy Certificate"),
+            x509.NameAttribute(NameOID.COMMON_NAME, cn),
+        ]
+    )
+
+    backend = default_backend()
+    cert = (
+        x509.CertificateBuilder()
+        .subject_name(subject)
+        .issuer_name(subject)
+        .public_key(pkey.public_key())
+        .serial_number(x509.random_serial_number())
+        .not_valid_before(dt.now(timezone.utc))
+        .not_valid_after(dt.now(timezone.utc) + timedelta(days=365))
+        .add_extension(x509.ExtendedKeyUsage([x509.OID_SERVER_AUTH]), critical=False)
+        .add_extension(x509.SubjectAlternativeName([x509.DNSName(cn)]), critical=False)
+        .sign(pkey, hashes.SHA256(), backend)
+    )
+    return cert, pkey
+
+
+def generate_adhoc_certificate():
+    """Generates an adhoc SSL context for the development server."""
+    import atexit
+    import tempfile
+
+    cert, pkey = generate_adhoc_ssl_pair()
+
+    from cryptography.hazmat.primitives import serialization
+
+    cert_handle, cert_file = tempfile.mkstemp()
+    pkey_handle, pkey_file = tempfile.mkstemp()
+    atexit.register(os.remove, pkey_file)
+    atexit.register(os.remove, cert_file)
+
+    os.write(cert_handle, cert.public_bytes(serialization.Encoding.PEM))
+    os.write(
+        pkey_handle,
+        pkey.private_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PrivateFormat.TraditionalOpenSSL,
+            encryption_algorithm=serialization.NoEncryption(),
+        ),
+    )
+
+    from pathlib import Path
+
+    Path(cert_file).rename(Path(__file__).parent / "adhoc.crt")
+    Path(pkey_file).rename(Path(__file__).parent / "adhoc.key")
+
+
+if __name__ == "__main__":
+    generate_adhoc_certificate()

tests/fixtures_jlap.py

@@ -18,7 +18,7 @@
 
 import flask
 import pytest
-from werkzeug.serving import WSGIRequestHandler, generate_adhoc_ssl_context, make_server
+from werkzeug.serving import WSGIRequestHandler, load_ssl_context, make_server
 
 app = flask.Flask(__name__)
 
@@ -66,7 +66,10 @@ def make_server_with_socket(socket: socket.socket, base_: Path = base, ssl=False
 
     if ssl:
         # openssl may fail when mixing defaults + conda-forge
-        ssl_context = generate_adhoc_ssl_context()
+        cert = Path(__file__).parent / "adhoc"
+        ssl_context = load_ssl_context(
+            str(cert.with_suffix(".crt")), str(cert.with_suffix(".key"))
+        )
 
     server = make_server(
         "127.0.0.1",