| 163 | ) in caplog.text |
| 164 | |
def test_get_cert(self, tdata):
    """Generated certificates must reflect what is known about the connection.

    The scenarios run from least to most information: no upstream knowledge and
    no SNI, then an upstream certificate, then additionally a client SNI, and
    finally an upstream certificate whose subject cannot be parsed.
    """

    def load_cert(relpath: str) -> certs.Cert:
        # Read a PEM fixture from the test data directory.
        with open(tdata.path(relpath), "rb") as fh:
            return certs.Cert.from_pem(fh.read())

    addon = tlsconfig.TlsConfig()
    with taddons.context(addon) as tctx:
        addon.configure(["confdir"])
        conn_ctx = _ctx(tctx.options)

        # 1. Nothing known about the upstream server and no SNI: the subject
        #    falls back to the local address.
        generated = addon.get_cert(conn_ctx)
        assert generated.cert.cn == "127.0.0.1"

        # 2. An upstream connection with a certificate: the generated leaf
        #    carries the upstream name, the local IP and the server address.
        conn_ctx.server.address = ("server-address.example", 443)
        conn_ctx.server.certificate_list = [
            load_cert("mitmproxy/net/data/verificationcerts/trusted-leaf.crt")
        ]
        generated = addon.get_cert(conn_ctx)
        assert generated.cert.cn == "example.mitmproxy.org"
        expected_sans = [
            x509.DNSName("example.mitmproxy.org"),
            x509.IPAddress(ipaddress.ip_address("127.0.0.1")),
            x509.DNSName("server-address.example"),
        ]
        assert generated.cert.altnames == x509.GeneralNames(expected_sans)

        # 3. Additionally a client SNI: the non-ASCII name must appear in its
        #    IDNA (punycode) form, and the local IP no longer appears in the
        #    expected SAN list.
        conn_ctx.client.sni = "🌈.sni.example"
        generated = addon.get_cert(conn_ctx)
        expected_sans = [
            x509.DNSName("example.mitmproxy.org"),
            x509.DNSName("xn--og8h.sni.example"),
            x509.DNSName("server-address.example"),
        ]
        assert generated.cert.altnames == x509.GeneralNames(expected_sans)

        # 4. An upstream certificate with an unparseable subject only warns;
        #    certificate generation must still succeed.
        conn_ctx.server.certificate_list = [
            load_cert("mitmproxy/data/invalid-subject.pem")
        ]
        with pytest.warns(UserWarning):
            assert addon.get_cert(conn_ctx)  # does not raise
| 210 | |
| 211 | def test_tls_clienthello(self): |
| 212 | # only really testing for coverage here, there's no point in mirroring the individual conditions |