Generate bad CA with trustme (#1794)

urllib3 · Jan 27, 2020 · 672eaab · 672eaab
1 parent a9776d1
commit 672eaab
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 30 deletions.
diff --git a/dummyserver/certs/client_bad.pem b/dummyserver/certs/client_bad.pem
diff --git a/dummyserver/server.py b/dummyserver/server.py
@@ -38,7 +38,6 @@
 }
 DEFAULT_CA = os.path.join(CERTS_PATH, "cacert.pem")
 DEFAULT_CA_KEY = os.path.join(CERTS_PATH, "cacert.key")
-DEFAULT_CA_BAD = os.path.join(CERTS_PATH, "client_bad.pem")
 
 
 def _has_ipv6(host):

diff --git a/test/with_dummyserver/test_https.py b/test/with_dummyserver/test_https.py
@@ -17,7 +17,6 @@
     encrypt_key_pem,
     DEFAULT_CA,
     DEFAULT_CA_KEY,
-    DEFAULT_CA_BAD,
     DEFAULT_CERTS,
 )
 
@@ -96,6 +95,11 @@ def setup_class(cls):
         with open(DEFAULT_CA, "rb") as crt, open(DEFAULT_CA_KEY, "rb") as key:
             root_ca = trustme.CA.from_pem(crt.read(), key.read())
 
+        # Generate another CA to test verification failure
+        bad_ca = trustme.CA()
+        cls.bad_ca_path = os.path.join(cls.certs_dir, "ca_bad.pem")
+        bad_ca.cert_pem.write_to_path(cls.bad_ca_path)
+
         # client cert chain
         intermediate_ca = root_ca.create_child_ca()
         cert = intermediate_ca.issue_cert(u"example.com")
@@ -340,7 +344,7 @@ def test_invalid_common_name(self):
 
     def test_verified_with_bad_ca_certs(self):
         with HTTPSConnectionPool(
-            self.host, self.port, cert_reqs="CERT_REQUIRED", ca_certs=DEFAULT_CA_BAD
+            self.host, self.port, cert_reqs="CERT_REQUIRED", ca_certs=self.bad_ca_path
         ) as https_pool:
             with pytest.raises(MaxRetryError) as e:
                 https_pool.request("GET", "/")
@@ -396,7 +400,7 @@ def test_unverified_ssl(self):
 
     def test_ssl_unverified_with_ca_certs(self):
         with HTTPSConnectionPool(
-            self.host, self.port, cert_reqs="CERT_NONE", ca_certs=DEFAULT_CA_BAD
+            self.host, self.port, cert_reqs="CERT_NONE", ca_certs=self.bad_ca_path
         ) as pool:
             with mock.patch("warnings.warn") as warn:
                 r = pool.request("GET", "/")
@@ -508,7 +512,7 @@ def _test_request(pool):
 
     def test_verify_none_and_bad_fingerprint(self):
         with HTTPSConnectionPool(
-            "127.0.0.1", self.port, cert_reqs="CERT_NONE", ca_certs=DEFAULT_CA_BAD
+            "127.0.0.1", self.port, cert_reqs="CERT_NONE", ca_certs=self.bad_ca_path
         ) as https_pool:
             https_pool.assert_fingerprint = (
                 "AA:AA:AA:AA:AA:AAAA:AA:AAAA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA"
@@ -519,7 +523,7 @@ def test_verify_none_and_bad_fingerprint(self):
 
     def test_verify_none_and_good_fingerprint(self):
         with HTTPSConnectionPool(
-            "127.0.0.1", self.port, cert_reqs="CERT_NONE", ca_certs=DEFAULT_CA_BAD
+            "127.0.0.1", self.port, cert_reqs="CERT_NONE", ca_certs=self.bad_ca_path
         ) as https_pool:
             https_pool.assert_fingerprint = (
                 "92:81:FE:85:F7:0C:26:60:EC:D6:B3:BF:93:CF:F9:71:CC:07:7D:0A"

diff --git a/test/with_dummyserver/test_proxy_poolmanager.py b/test/with_dummyserver/test_proxy_poolmanager.py
@@ -1,15 +1,15 @@
 import json
+import os.path
+import shutil
 import socket
+import tempfile
+
 
 import pytest
+import trustme
 
 from dummyserver.testcase import HTTPDummyProxyTestCase, IPv6HTTPDummyProxyTestCase
-from dummyserver.server import (
-    DEFAULT_CA,
-    DEFAULT_CA_BAD,
-    HAS_IPV6,
-    get_unreachable_address,
-)
+from dummyserver.server import DEFAULT_CA, HAS_IPV6, get_unreachable_address
 from .. import TARPIT_HOST, requires_network
 
 from urllib3._collections import HTTPHeaderDict
@@ -33,6 +33,18 @@ def setup_class(cls):
         cls.https_url_alt = "https://%s:%d" % (cls.https_host_alt, cls.https_port)
         cls.proxy_url = "http://%s:%d" % (cls.proxy_host, cls.proxy_port)
 
+        # Generate another CA to test verification failure
+        cls.certs_dir = tempfile.mkdtemp()
+        bad_ca = trustme.CA()
+
+        cls.bad_ca_path = os.path.join(cls.certs_dir, "ca_bad.pem")
+        bad_ca.cert_pem.write_to_path(cls.bad_ca_path)
+
+    @classmethod
+    def teardown_class(cls):
+        super(TestHTTPProxyManager, cls).teardown_class()
+        shutil.rmtree(cls.certs_dir)
+
     def test_basic_proxy(self):
         with proxy_from_url(self.proxy_url, ca_certs=DEFAULT_CA) as http:
             r = http.request("GET", "%s/" % self.http_url)
@@ -84,7 +96,7 @@ def test_oldapi(self):
 
     def test_proxy_verified(self):
         with proxy_from_url(
-            self.proxy_url, cert_reqs="REQUIRED", ca_certs=DEFAULT_CA_BAD
+            self.proxy_url, cert_reqs="REQUIRED", ca_certs=self.bad_ca_path
         ) as http:
             https_pool = http._new_pool("https", self.https_host, self.https_port)
             with pytest.raises(MaxRetryError) as e: