ExternalVendorCode/tahoe-lafs
1
0
Fork 0
mirror of https://github.com/tahoe-lafs/tahoe-lafs.git synced 2025-05-02 00:53:01 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Extend testing.

Browse Source
This commit is contained in:
Itamar Turner-Trauring 2022-04-06 11:35:05 -04:00
parent 5a82ea880b
commit 22ebbba5ac
1 changed files with 28 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
src/allmydata/test/test_storage_https.py
View File

@ -134,12 +134,17 @@ class PinningHTTPSValidation(AsyncTestCase):
return rsa.generate_private_key(public_exponent=65537, key_size=2048) return rsa.generate_private_key(public_exponent=65537, key_size=2048)
def generate_certificate( def generate_certificate(
self, private_key, expires_days: int = 10, org_name: str = "Yoyodyne" self,
private_key,
expires_days: int = 10,
valid_in_days: int = 0,
org_name: str = "Yoyodyne",
): ):
"""Generate a certificate from a RSA private key.""" """Generate a certificate from a RSA private key."""
subject = issuer = x509.Name( subject = issuer = x509.Name(
[x509.NameAttribute(NameOID.ORGANIZATION_NAME, org_name)] [x509.NameAttribute(NameOID.ORGANIZATION_NAME, org_name)]
) )
starts = datetime.datetime.utcnow() + datetime.timedelta(days=valid_in_days)
expires = datetime.datetime.utcnow() + datetime.timedelta(days=expires_days) expires = datetime.datetime.utcnow() + datetime.timedelta(days=expires_days)
return ( return (
x509.CertificateBuilder() x509.CertificateBuilder()
@ -147,7 +152,7 @@ class PinningHTTPSValidation(AsyncTestCase):
.issuer_name(issuer) .issuer_name(issuer)
.public_key(private_key.public_key()) .public_key(private_key.public_key())
.serial_number(x509.random_serial_number()) .serial_number(x509.random_serial_number())
.not_valid_before(min(datetime.datetime.utcnow(), expires)) .not_valid_before(min(starts, expires))
.not_valid_after(expires) .not_valid_after(expires)
.add_extension( .add_extension(
x509.SubjectAlternativeName([x509.DNSName("localhost")]), x509.SubjectAlternativeName([x509.DNSName("localhost")]),
@ -246,6 +251,25 @@ class PinningHTTPSValidation(AsyncTestCase):
response = await self.request(url, certificate) response = await self.request(url, certificate)
self.assertEqual(await response.content(), b"YOYODYNE") self.assertEqual(await response.content(), b"YOYODYNE")
# TODO an obvious attack is a private key that doesn't match the @async_to_deferred
async def test_server_certificate_not_valid_yet(self):
"""
If the server's certificate is only valid starting in The Future, the
request to the server succeeds if the hash matches the one the client
expects; start time has no effect.
"""
private_key = self.generate_private_key()
certificate = self.generate_certificate(
private_key, expires_days=10, valid_in_days=5
)
async with self.listen(
self.private_key_to_file(private_key), self.cert_to_file(certificate)
) as url:
response = await self.request(url, certificate)
self.assertEqual(await response.content(), b"YOYODYNE")
# A potential attack to test is a private key that doesn't match the
# certificate... but OpenSSL (quite rightly) won't let you listen with that # certificate... but OpenSSL (quite rightly) won't let you listen with that
# so I don't know how to test that! # so I don't know how to test that! See
# https://tahoe-lafs.org/trac/tahoe-lafs/ticket/3884