Merging in fixes for subject alt name handling

Author: philipkershaw

.pydevproject

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <?eclipse-pydev version="1.0"?><pydev_project>
-<pydev_property name="org.python.pydev.PYTHON_PROJECT_INTERPRETER">ndg-httpsclient-py3</pydev_property>
-<pydev_property name="org.python.pydev.PYTHON_PROJECT_VERSION">python 3.0</pydev_property>
+<pydev_property name="org.python.pydev.PYTHON_PROJECT_INTERPRETER">ndg-httpsclient-py3.6</pydev_property>
+<pydev_property name="org.python.pydev.PYTHON_PROJECT_VERSION">python 3.6</pydev_property>
 <pydev_pathproperty name="org.python.pydev.PROJECT_SOURCE_PATH">
 <path>/ndg_httpsclient</path>
 </pydev_pathproperty>

ndg/httpsclient/https.py

@@ -48,7 +48,7 @@ class HTTPSConnection(HTTPConnection):
     @type default_ssl_method: int
     """
     default_port = HTTPS_PORT
-    default_ssl_method = SSL.SSLv23_METHOD
+    default_ssl_method = SSL.TLSv1_2_METHOD
 
     def __init__(self, host, port=None, strict=None,
                  timeout=socket._GLOBAL_DEFAULT_TIMEOUT, ssl_context=None):
@@ -100,6 +100,8 @@ class HTTPSContextHandler(AbstractHTTPHandler):
     '''
     https_request = AbstractHTTPHandler.do_request_
 
+    SSL_METHOD = SSL.TLSv1_2_METHOD
+    
     def __init__(self, ssl_context, debuglevel=0):
         """
         @param ssl_context:SSL context
@@ -116,7 +118,7 @@ def __init__(self, ssl_context, debuglevel=0):
                                 ssl_context)
             self.ssl_context = ssl_context
         else:
-            self.ssl_context = SSL.Context(SSL.TLSv1_METHOD)
+            self.ssl_context = SSL.Context(self.__class__.SSL_METHOD)
 
     def https_open(self, req):
         """Opens HTTPS request

ndg/httpsclient/ssl_context_util.py

@@ -41,7 +41,7 @@ def make_ssl_context_from_config(ssl_config=False, url=None):
 
 
 def make_ssl_context(key_file=None, cert_file=None, pem_file=None, ca_dir=None,
-                     verify_peer=False, url=None, method=SSL.TLSv1_METHOD,
+                     verify_peer=False, url=None, method=SSL.TLSv1_2_METHOD,
                      key_file_passphrase=None):
     """
     Creates SSL context containing certificate and key file locations.
@@ -64,6 +64,8 @@ def make_ssl_context(key_file=None, cert_file=None, pem_file=None, ca_dir=None,
 
     if pem_file or ca_dir:
         ssl_context.load_verify_locations(pem_file, ca_dir)
+    else:
+        ssl_context.set_default_verify_paths() # Use OS CA bundle
 
     def _callback(conn, x509, errnum, errdepth, preverify_ok):
         """Default certification verification callback.

ndg/httpsclient/ssl_peer_verification.py

@@ -40,7 +40,7 @@ class ServerSSLCertVerification(object):
         'domainComponent':          'DC',
         'userid':                   'UID'
     }
-    SUBJ_ALT_NAME_EXT_NAME = 'subjectAltName'
+    SUBJ_ALT_NAME_EXT_NAME = b'subjectAltName'
     PARSER_RE_STR = '/(%s)=' % '|'.join(list(DN_LUT.keys()) + \
                                         list(DN_LUT.values()))
     PARSER_RE = re.compile(PARSER_RE_STR)

ndg/httpsclient/subj_alt_name.py

@@ -20,12 +20,13 @@
                         'is: %s' % e)
     import warnings
     warnings.warn(import_error_msg)
+    barp
     class Pyasn1ImportError(ImportError):
         "Raise for pyasn1 import error"
     raise Pyasn1ImportError(import_error_msg)
 
 
-MAX = 64
+MAX = 1024
 
 
 class DirectoryString(univ.Choice):

ndg/httpsclient/test/__init__.py

@@ -16,11 +16,13 @@ class Constants(object):
     '''Convenience base class from which other unit tests can extend.  Its
     sets the generic data directory path'''
     PORT = 4443
+#     PORT = 443
     PORT2 = 4444
     HOSTNAME = 'localhost'
+#    HOSTNAME = 'files.pythonhosted.org'
     TEST_URI = 'https://%s:%d' % (HOSTNAME, PORT)
     TEST_URI2 = 'https://%s:%d' % (HOSTNAME, PORT2)
-
+    
     UNITTEST_DIR = os.path.dirname(os.path.abspath(__file__))
     CACERT_DIR = os.path.join(UNITTEST_DIR, 'pki', 'ca')
     SSL_CERT_FILENAME = 'localhost.crt'

ndg/httpsclient/test/test_https.py

@@ -38,7 +38,7 @@ def test02_open_fails(self):
         self.assertRaises(socket.error, conn.connect)
 
     def test03_ssl_verification_of_peer_fails(self):
-        ctx = SSL.Context(SSL.TLSv1_METHOD)
+        ctx = SSL.Context(SSL.TLSv1_2_METHOD)
 
         def verify_callback(conn, x509, errnum, errdepth, preverify_ok): 
             log.debug('SSL peer certificate verification failed for %r',
@@ -57,7 +57,7 @@ def verify_callback(conn, x509, errnum, errdepth, preverify_ok):
         self.assertRaises(SSL.Error, conn.request, 'GET', '/')
 
     def test03_ssl_verification_of_peer_succeeds(self):
-        ctx = SSL.Context(SSL.TLSv1_METHOD)
+        ctx = SSL.Context(SSL.TLSv1_2_METHOD)
 
         verify_callback = lambda conn, x509, errnum, errdepth, preverify_ok: \
             preverify_ok 
@@ -76,7 +76,7 @@ def test03_ssl_verification_of_peer_succeeds(self):
         print('Response = %s' % resp.read())
 
     def test04_ssl_verification_with_subj_alt_name(self):
-        ctx = SSL.Context(SSL.TLSv1_METHOD)
+        ctx = SSL.Context(SSL.TLSv1_2_METHOD)
 
         verification = ServerSSLCertVerification(hostname='localhost')
         verify_callback = verification.get_verify_server_cert_func()
@@ -95,7 +95,7 @@ def test04_ssl_verification_with_subj_alt_name(self):
         print('Response = %s' % resp.read())
 
     def test04_ssl_verification_with_subj_common_name(self):
-        ctx = SSL.Context(SSL.TLSv1_METHOD)
+        ctx = SSL.Context(SSL.TLSv1_2_METHOD)
 
         # Explicitly set verification of peer hostname using peer certificate
         # subject common name

ndg/httpsclient/test/test_urllib2.py

@@ -12,15 +12,16 @@
 import sys
 
 if sys.version_info[0] > 2:
-    from urllib.error import URLError as URLError_
+    from urllib.error import URLError as URLError
 else:
-    from urllib2 import URLError as URLError_
+    from urllib2 import URLError as URLError
 
 import unittest
 
 from OpenSSL import SSL
 from ndg.httpsclient.test import Constants
 from ndg.httpsclient.urllib2_build_opener import build_opener
+from ndg.httpsclient.ssl_peer_verification import ServerSSLCertVerification
 
 
 class Urllib2TestCase(unittest.TestCase):
@@ -36,21 +37,53 @@ def test02_open(self):
         self.assertTrue(res)
         print("res = %s" % res.read())
 
+    # Skip this test for remote service as it can take a long time to timeout
+    @unittest.skipIf(Constants.HOSTNAME != 'localhost', 'Skip non-local host')
     def test03_open_fails_unknown_loc(self):
         opener = build_opener()
-        self.assertRaises(URLError_, opener.open, Constants.TEST_URI2)
+        self.assertRaises(URLError, opener.open, Constants.TEST_URI2)
 
     def test04_open_peer_cert_verification_fails(self):
         # Explicitly set empty CA directory to make verification fail
-        ctx = SSL.Context(SSL.TLSv1_METHOD)
+        ctx = SSL.Context(SSL.TLSv1_2_METHOD)
         verify_callback = lambda conn, x509, errnum, errdepth, preverify_ok: \
             preverify_ok 
 
         ctx.set_verify(SSL.VERIFY_PEER, verify_callback)
         ctx.load_verify_locations(None, './')
         opener = build_opener(ssl_context=ctx)
         self.assertRaises(SSL.Error, opener.open, Constants.TEST_URI)
+      
+    def test05_open_with_subj_alt_names_verification(self):
+        ctx = SSL.Context(SSL.TLSv1_2_METHOD)
+                
+        # Set wildcard hostname for subject alternative name matching - 
+        # setting a minimum of two name components for hostname
+        split_hostname = Constants.HOSTNAME.split('.', 1)
+        if len(split_hostname) > 1:
+            _hostname = '*.' + split_hostname[-1]
+        else:
+            _hostname = Constants.HOSTNAME
+            
+        server_ssl_verify = ServerSSLCertVerification(hostname=_hostname)
+        verify_callback_ = server_ssl_verify.get_verify_server_cert_func()
+        ctx.set_verify(SSL.VERIFY_PEER, verify_callback_)
+        
+        # Set default verify paths if testing with peer that has corresponding
+        # CA cert in bundle provided with the OS.  In this case, load verify
+        # locations is not needed.
+        #ctx.set_default_verify_paths()
 
+        ctx.set_verify_depth(9)
+        
+        # Set correct location for CA certs to verify with
+        ctx.load_verify_locations(None, Constants.CACERT_DIR)
+                            
+        opener = build_opener(ssl_context=ctx)
+        res = opener.open(Constants.TEST_URI)
+        self.assertTrue(res)
+        print("res = %s" % res.read())
+                  
 
 if __name__ == "__main__":
     unittest.main()

ndg/httpsclient/test/test_utils.py

@@ -23,17 +23,17 @@ class TestUtilsModule(unittest.TestCase):
     '''Test ndg.httpsclient.utils module'''
 
     def test01_configuration(self):
-        config = Configuration(SSL.Context(SSL.TLSv1_METHOD), True)
+        config = Configuration(SSL.Context(SSL.TLSv1_2_METHOD), True)
         self.assertTrue(config.ssl_context)
         self.assertEqual(config.debug, True)
 
     def test02_fetch_from_url(self):
-        config = Configuration(SSL.Context(SSL.TLSv1_METHOD), True)
+        config = Configuration(SSL.Context(SSL.TLSv1_2_METHOD), True)
         res = fetch_from_url(Constants.TEST_URI, config)
         self.assertTrue(res)
 
     def test03_open_url(self):
-        config = Configuration(SSL.Context(SSL.TLSv1_METHOD), True)
+        config = Configuration(SSL.Context(SSL.TLSv1_2_METHOD), True)
         res = open_url(Constants.TEST_URI, config)
         self.assertEqual(res[0], 200, 
                          'open_url for %r failed' % Constants.TEST_URI)

setup.py

@@ -18,6 +18,15 @@
 
 Releases
 ========
+0.5.0
+-----
+ * Fix to Subject Alternative Name verification to handle certificates with up
+   to 1024 names (previously it was 64).  Tested with 
+   https://files.pythonhosted.org.  Thanks to Matt Pegler for flagging up
+ * Fix defaults in SSL context objects and in tests to use TLS 1.2
+ * Use byte type for ``subjectAltName`` field matching
+ * Added additional Subject Alternative Name test - in ``test_urlib2``
+ 
 0.4.4
 -----
  * Update test certificate files.