diff options
| author | Carlosgg <carlosgilglez@gmail.com> | 2023-06-27 03:00:00 +0100 |
|---|---|---|
| committer | Damien George <damien@micropython.org> | 2023-12-12 16:25:07 +1100 |
| commit | f3f215e9bdf138fa6f94fb376ed72c25641aa298 (patch) | |
| tree | da216dfa978c229fba319f97eebe2cca6ee5a24e /tests/multi_net/sslcontext_verify_error.py | |
| parent | 4365edb810aa0e54eb91d201eb5bf0436c86c4b3 (diff) | |
| download | micropython-f3f215e9bdf138fa6f94fb376ed72c25641aa298.tar.gz micropython-f3f215e9bdf138fa6f94fb376ed72c25641aa298.zip | |
extmod/modssl_mbedtls: Add SSLContext certificate methods.
This commit adds:
1) Methods to SSLContext class that match CPython signature:
- `SSLContext.load_cert_chain(certfile, keyfile)`
- `SSLContext.load_verify_locations(cafile=, cadata=)`
- `SSLContext.get_ciphers()` --> ["CIPHERSUITE"]
- `SSLContext.set_ciphers(["CIPHERSUITE"])`
2) `sslsocket.cipher()` to get current ciphersuite and protocol
version.
3) `ssl.MBEDTLS_VERSION` string constant.
4) Certificate verification errors info instead of
`MBEDTLS_ERR_X509_CERT_VERIFY_FAILED`.
5) Tests in `net_inet` and `multi_net` to test these new methods.
`SSLContext.load_cert_chain` method allows loading key and cert from disk
passing a filepath in `certfile` or `keyfile` options.
`SSLContext.load_verify_locations`'s `cafile` option enables the same
functionality for ca files.
Signed-off-by: Carlos Gil <carlosgilglez@gmail.com>
Diffstat (limited to 'tests/multi_net/sslcontext_verify_error.py')
| -rw-r--r-- | tests/multi_net/sslcontext_verify_error.py | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/tests/multi_net/sslcontext_verify_error.py b/tests/multi_net/sslcontext_verify_error.py new file mode 100644 index 0000000000..4feb4ce983 --- /dev/null +++ b/tests/multi_net/sslcontext_verify_error.py @@ -0,0 +1,58 @@ +# Test creating an SSL connection with an invalid certificate. + +try: + import os + import socket + import ssl +except ImportError: + print("SKIP") + raise SystemExit + +PORT = 8000 + +# These are test certificates. See tests/README.md for details. +cert = cafile = "multi_net/rsa_cert.der" +key = "multi_net/rsa_key.der" + +try: + os.stat(cafile) + os.stat(key) +except OSError: + print("SKIP") + raise SystemExit + + +# Server +def instance0(): + multitest.globals(IP=multitest.get_network_ip()) + s = socket.socket() + s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) + s.bind(socket.getaddrinfo("0.0.0.0", PORT)[0][-1]) + s.listen(1) + multitest.next() + s2, _ = s.accept() + server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) + server_ctx.load_cert_chain(cert, key) + try: + s2 = server_ctx.wrap_socket(s2, server_side=True) + except Exception as e: + print(e) + multitest.broadcast("finished") + s.close() + + +# Client +def instance1(): + multitest.next() + s = socket.socket() + s.connect(socket.getaddrinfo(IP, PORT)[0][-1]) + client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) + client_ctx.verify_mode = ssl.CERT_REQUIRED + client_ctx.load_verify_locations(cafile=cafile) + try: + s = client_ctx.wrap_socket(s, server_hostname="foobar.local") + except Exception as e: + print(e) + # Don't close the socket until the server has seen our SSL rejection. + multitest.wait("finished") + s.close() |