%PDF- %PDF-
Mini Shell

Mini Shell

Direktori : /lib/python3/dist-packages/twisted/test/__pycache__/
Upload File :
Create Path :
Current File : //lib/python3/dist-packages/twisted/test/__pycache__/test_sslverify.cpython-312.pyc

�

Ϫ�fY���p�dZddlZddlZddlZddlmZddlmZddlm	Z	ddl
mZmZm
Z
mZddlmZddlmZmZmZdd	lmZdd
lmZddlmZddlmZdd
lmZddlm Z ddl!m"Z"ddl#m$Z$ddl%m&Z&m'Z'm(Z(dZ)dZ*dZ+dZ,ed�r�ddl-Z-ddl.m/Z/ddl0m1Z1m2Z2m3Z3m4Z4m5Z5ddl6m7Z7ddl8m9Z9ddl:m;Z;ddl<m=Z=ddl>m?Z?m@Z@mAZAddlBmCZCddl
mDZD	e/j�e/j��ZGeGj�d��	e/j�e/j��ZGeGj�d��nd!Z)e)Z*e)Z+e)Z,e)sdd"l
mLZMdd#lNmOZOmPZPdd$lQmRZRd%ZSd&ZTeeU�j�j�d'�j��ZYej��fd(�Z[d)�Z\dpd*�Z]d+�Z^dqd,�Z_			drd-�Z`d.�ZaGd/�d0e
j��ZcGd1�d2e
j��ZdGd3�d4�ZeGd5�d6e'�ZfGd7�d8�ZgGd9�d:�ZhGd;�d<ehe(�ZiGd=�d>ehe(�ZjGd?�d@e'�ZkGdA�dBe(�ZlGdC�dDe'�ZmdqdE�ZnGdF�dGe(�ZoGdH�dIe(�ZpGdJ�dKe(�ZqGdL�dM�ZrGdN�dO�ZsGdP�dQ�ZtGdR�dSe(�ZuGdT�dUe(�ZvGdV�dWe(�ZwGdX�dYe(�ZxGdZ�d[e(�ZyGd\�d]e(�ZzGd^�d_�Z{Gd`�da�Z|Gdb�dce(�Z}Gdd�de�Z~Gdf�dg�ZGdh�die'�Z�Gdj�dke'�Z�Gdl�dme(�Z�Gdn�doe'�Z�y#eIeJf$rdZ+Y��*wxYw#eI$rd Z,Y��wxYw)sz+
Tests for L{twisted.internet._sslverify}.
�N)�skipIf)�implementer)�Version)�defer�
interfaces�protocol�reactor)�	_idnaText)�CertificateError�ConnectionClosed�ConnectionLost)�Clock)�nativeString)�FilePath)�	getModule)�
requireModule)�connectedServerAndClient)�SetAsideModule)�util)�SkipTest�SynchronousTestCase�TestCase��OpenSSL)�SSL)�FILETYPE_PEM�TYPE_RSA�X509�PKey�get_elliptic_curves)�x509)�default_backend)�hashes)�rsa)�Encoding�NoEncryption�
PrivateFormat)�NameOID)�sslc��y�N���cs �=/usr/lib/python3/dist-packages/twisted/test/test_sslverify.py�<lambda>r0:���zINPN is deprecated (and OpenSSL 1.0.1 or greater required for NPN support)c��yr+r,r-s r/r0r0Cr1r2z2OpenSSL 1.0.2 or greater required for ALPN supportz"OpenSSL is required for SSL tests.)�
_sslverify)�VerificationError�
platformTrust)�TLSMemoryBIOFactorya�
-----BEGIN CERTIFICATE-----
        MIIC2jCCAkMCAjA5MA0GCSqGSIb3DQEBBAUAMIG0MQswCQYDVQQGEwJVUzEiMCAG
        A1UEAxMZZXhhbXBsZS50d2lzdGVkbWF0cml4LmNvbTEPMA0GA1UEBxMGQm9zdG9u
        MRwwGgYDVQQKExNUd2lzdGVkIE1hdHJpeCBMYWJzMRYwFAYDVQQIEw1NYXNzYWNo
        dXNldHRzMScwJQYJKoZIhvcNAQkBFhhub2JvZHlAdHdpc3RlZG1hdHJpeC5jb20x
        ETAPBgNVBAsTCFNlY3VyaXR5MB4XDTA2MDgxNjAxMDEwOFoXDTA3MDgxNjAxMDEw
        OFowgbQxCzAJBgNVBAYTAlVTMSIwIAYDVQQDExlleGFtcGxlLnR3aXN0ZWRtYXRy
        aXguY29tMQ8wDQYDVQQHEwZCb3N0b24xHDAaBgNVBAoTE1R3aXN0ZWQgTWF0cml4
        IExhYnMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxJzAlBgkqhkiG9w0BCQEWGG5v
        Ym9keUB0d2lzdGVkbWF0cml4LmNvbTERMA8GA1UECxMIU2VjdXJpdHkwgZ8wDQYJ
        KoZIhvcNAQEBBQADgY0AMIGJAoGBAMzH8CDF/U91y/bdbdbJKnLgnyvQ9Ig9ZNZp
        8hpsu4huil60zF03+Lexg2l1FIfURScjBuaJMR6HiMYTMjhzLuByRZ17KW4wYkGi
        KXstz03VIKy4Tjc+v4aXFI4XdRw10gGMGQlGGscXF/RSoN84VoDKBfOMWdXeConJ
        VyC4w3iJAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAviMT4lBoxOgQy32LIgZ4lVCj
        JNOiZYg8GMQ6y0ugp86X80UjOvkGtNf/R7YgED/giKRN/q/XJiLJDEhzknkocwmO
        S+4b2XpiaZYxRyKWwL221O7CGmtWYyZl2+92YYmmCiNzWQPfP6BOMlfax0AGLHls
        fXzCWdG0O/3Lk2SRM0I=
-----END CERTIFICATE-----
a�
-----BEGIN CERTIFICATE-----
        MIIC3jCCAkcCAjA6MA0GCSqGSIb3DQEBBAUAMIG2MQswCQYDVQQGEwJVUzEiMCAG
        A1UEAxMZZXhhbXBsZS50d2lzdGVkbWF0cml4LmNvbTEPMA0GA1UEBxMGQm9zdG9u
        MRwwGgYDVQQKExNUd2lzdGVkIE1hdHJpeCBMYWJzMRYwFAYDVQQIEw1NYXNzYWNo
        dXNldHRzMSkwJwYJKoZIhvcNAQkBFhpzb21lYm9keUB0d2lzdGVkbWF0cml4LmNv
        bTERMA8GA1UECxMIU2VjdXJpdHkwHhcNMDYwODE2MDEwMTU2WhcNMDcwODE2MDEw
        MTU2WjCBtjELMAkGA1UEBhMCVVMxIjAgBgNVBAMTGWV4YW1wbGUudHdpc3RlZG1h
        dHJpeC5jb20xDzANBgNVBAcTBkJvc3RvbjEcMBoGA1UEChMTVHdpc3RlZCBNYXRy
        aXggTGFiczEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czEpMCcGCSqGSIb3DQEJARYa
        c29tZWJvZHlAdHdpc3RlZG1hdHJpeC5jb20xETAPBgNVBAsTCFNlY3VyaXR5MIGf
        MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnm+WBlgFNbMlHehib9ePGGDXF+Nz4
        CjGuUmVBaXCRCiVjg3kSDecwqfb0fqTksBZ+oQ1UBjMcSh7OcvFXJZnUesBikGWE
        JE4V8Bjh+RmbJ1ZAlUPZ40bAkww0OpyIRAGMvKG+4yLFTO4WDxKmfDcrOb6ID8WJ
        e1u+i3XGkIf/5QIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAD4Oukm3YYkhedUepBEA
        vvXIQhVDqL7mk6OqYdXmNj6R7ZMC8WWvGZxrzDI1bZuB+4aIxxd1FXC3UOHiR/xg
        i9cDl1y8P/qRp4aEBNF6rI0D4AxTbfnHQx4ERDAOShJdYZs/2zifPJ6va6YvrEyr
        yqDtGhklsWW3ZwBzEh5VEOUp
-----END CERTIFICATE-----
z
server.pemc��t|�S)zQ
    Each time we're called, return the next integer in the natural numbers.
    )�next)�counters r/r:r:�s����=�r2c	��t�}|jtd�t�}|j	d�|jd�|j
�|j�fD]0}|j�D]\}}t||t|����2|jt��|j|�|j|d�||fS)Niri�3��md5)r�generate_keyrr�gmtime_adj_notBefore�gmtime_adj_notAfter�
get_issuer�get_subject�items�setattrr�set_serial_numberr:�
set_pubkey�sign)�kw�keypair�certificate�xname�k�vs      r/�makeCertificaterM�s����f�G�����4�(��&�K��$�$�Q�'��#�#�$6�7��'�'�)�;�+B�+B�+D�D�/���H�H�J�	/�D�A�q��E�1�l�1�o�.�	/�/��!�!�'�)�,����7�#����W�e�$��K��r2c
��tjtjtjd�g�}tjtjtjd�g�}tjddd�}tjddt���}|j�}tj�j|�j|�jt
j
j�|z
�j!t
j
j�|z�j#tj$��j|�j'tj(dd	�
�d��j+|t-j.�t���}tjddt���}|j�}	t1j2|�}	tj4|	�g}
tj�j|�j|�jt
j
j�|z
�j!t
j
j�|z�j#tj$��j|�j'tj(dd�
�d��j'tj>|
�d��j+|t-j.�t���}t@jBjE|jGtHjJ��}t@jLjEdjO|jQtHjJtRjTtW��|jGtHjJ�g��}
||
fS#t6$r8tj8|j;d
�j=d��g}
Y��6wxYw)a~
    Create a self-signed CA certificate and server certificate signed by the
    CA.

    @param serviceIdentity: The identity (hostname) of the server.
    @type serviceIdentity: L{unicode}

    @return: a 2-tuple of C{(certificate_authority_certificate,
        server_certificate)}
    @rtype: L{tuple} of (L{sslverify.Certificate},
        L{sslverify.PrivateCertificate})
    zTesting Example CAzTesting Example Server�rii)�public_exponent�key_size�backendT�	)�ca�path_length)�critical)�private_key�	algorithmrR�idna�asciiFN�
),r!�Name�
NameAttributer(�COMMON_NAME�datetime�	timedeltar$�generate_private_keyr"�
public_key�CertificateBuilder�subject_name�issuer_name�not_valid_before�today�not_valid_after�
serial_number�random_serial_number�
add_extension�BasicConstraintsrFr#�SHA256�	ipaddress�
ip_address�	IPAddress�
ValueError�DNSName�encode�decode�SubjectAlternativeName�	sslverify�Certificate�loadPEM�public_bytesr%�PEM�PrivateCertificate�join�
private_bytesr'�TraditionalOpenSSLr&)�serviceIdentity�commonNameForCA�commonNameForServer�oneDay�privateKeyForCA�publicKeyForCA�
caCertificate�privateKeyForServer�publicKeyForServer�	ipAddress�subjectAlternativeNames�serverCertificate�
caSelfCert�
serverCerts              r/�!certificatesForAuthorityAndServerr��sk���i�i�	
�	�	�G�/�/�1E�	F�G��O��)�)�	
�	�	�G�/�/�1I�	J�K����
�
��1�a�
(�F��.�.���o�6G��O�%�/�/�1�N����!�	��o�	&�	��_�	%�	�	�(�+�+�1�1�3�f�<�	=�	���*�*�0�0�2�V�;�	<�	��t�0�0�2�	3�	��N�	#�	���!�!�T�q�9��
�

�
��'��m�m�o�#�%�
�

��&�2�2���o�6G���-�7�7�9��>��(�(��9�	�$(�>�>�)�#<�"=��	
���!�	��)�	*�	��_�	%�	�	�(�+�+�1�1�3�f�<�	=�	���*�*�0�0�2�V�;�	<�	��t�0�0�2�	3�	��&�	'�	���!�!�U��=��
�

�
���'�'�(?�@��
�

�
��'��m�m�o�#�%�
�

�!�,�&�&�.�.�}�/I�/I�(�,�,�/W�X�J��-�-�5�5�
�
�
�#�1�1��L�L�!�4�4� �N��
"�.�.�x�|�|�<�

�		
��J��z�!�!��W�
��L�L��/�/��7�>�>�w�G�H�#
��
�s�9P�=Q�Qc��
���
�Gd�dtj�}Gd�dtj�}|��|��
tj�}�fd�|_tj�}�
fd�|_t�}t	|d||���
t	|d	||���t�fd
��
fd�|��\}}}	|	j
�||�
�|	fS)
a�
    Common implementation code for both L{loopbackTLSConnection} and
    L{loopbackTLSConnectionInMemory}. Creates a loopback TLS connection
    using the provided server and client context factories.

    @param serverOpts: An OpenSSL context factory for the server.
    @type serverOpts: C{OpenSSLCertificateOptions}, or any class with an
        equivalent API.

    @param clientOpts: An OpenSSL context factory for the client.
    @type clientOpts: C{OpenSSLCertificateOptions}, or any class with an
        equivalent API.

    @return: 5-tuple of server-tls-protocol, server-inner-protocol,
        client-tls-protocol, client-inner-protocol and L{IOPump}
    @rtype: L{tuple}
    c��eZdZdZd�Zy)�._loopbackTLSConnection.<locals>.GreetingServer�
greetings!c�N�|jj|j�yr+��	transport�write�greeting��selfs r/�connectionMadez=_loopbackTLSConnection.<locals>.GreetingServer.connectionMades���N�N� � ����/r2N)�__name__�
__module__�__qualname__r�r�r,r2r/�GreetingServerr�s�� ��	0r2r�c� �eZdZdZdZd�Zd�Zy)�/_loopbackTLSConnection.<locals>.ListeningClientr2Nc�.�|xj|z
c_yr+��data�r�r�s  r/�dataReceivedz<_loopbackTLSConnection.<locals>.ListeningClient.dataReceiveds���I�I���Ir2c��||_yr+��
lostReason�r��reasons  r/�connectionLostz>_loopbackTLSConnection.<locals>.ListeningClient.connectionLosts	��$�D�Or2)r�r�r�r�r�r�r�r,r2r/�ListeningClientr�s�����
�	�	%r2r�c����Sr+r,��clientWrappedProtos�r/r0z(_loopbackTLSConnection.<locals>.<lambda> ����*<�r2c����Sr+r,��serverWrappedProtos�r/r0z(_loopbackTLSConnection.<locals>.<lambda>"r�r2T��isClient�wrappedFactory�clockFc�&���jd�Sr+��
buildProtocol)�
serverFactorys�r/r0z(_loopbackTLSConnection.<locals>.<lambda>-����
�+�+�D�1�r2c�&���jd�Sr+r�)�
clientFactorys�r/r0z(_loopbackTLSConnection.<locals>.<lambda>.r�r2�r�)r�Protocol�Factoryrr7r�flush)�
serverOpts�
clientOptsr�r��plainClientFactory�plainServerFactoryr��sProto�cProto�pumpr�r�r�r�s          @@@@r/�_loopbackTLSConnectionr��s����&0��*�*�0�%�(�+�+�%�)�*��'�)��!�)�)�+��"<���!�)�)�+��"<����G�E�'��T�2D�E��M�(��U�3E�U��M�4�1�1����F�F�D�
	�J�J�L��6�-�/A�4�G�Gr2c�r���G��fd�d�}|�}tj|��}t||�S)aF
    Create a loopback TLS connection with the given trust and keys.

    @param trustRoot: the C{trustRoot} argument for the client connection's
        context.
    @type trustRoot: L{sslverify.IOpenSSLTrustRoot}

    @param privateKeyFile: The name of the file containing the private key.
    @type privateKeyFile: L{str} (native string; file name)

    @param chainedCertFile: The name of the chained certificate file.
    @type chainedCertFile: L{str} (native string; file name)

    @return: 3-tuple of server-protocol, client-protocol, and L{IOPump}
    @rtype: L{tuple}
    c���eZdZ��fd�Zy)�-loopbackTLSConnection.<locals>.ContextFactoryc���tjtj�}��|j��|j	��|j�|S)z�
            Create a context for the server side of the connection.

            @return: an SSL context using a certificate and key.
            @rtype: C{OpenSSL.SSL.Context}
            )r�Context�
SSLv23_METHOD�use_certificate_chain_file�use_privatekey_file�check_privatekey)r��ctx�chainedCertFile�privateKeyFiles  ��r/�
getContextz8loopbackTLSConnection.<locals>.ContextFactory.getContextIsL����+�+�c�/�/�0�C��*��.�.��?��#�#�N�3�� � �"��Jr2N)r�r�r�r�)r�r�s��r/�ContextFactoryr�Hs���
	r2r���	trustRoot�rv�OpenSSLCertificateOptionsr�)r�r�r�r�r�r�s ``   r/�loopbackTLSConnectionr�6s4���$��  �!�J��4�4�y�I�J�!�*�j�9�9r2c��|�tj}|||��}tj|||��}t||�S)a�
    Create a loopback TLS connection with the given trust and keys. Like
    L{loopbackTLSConnection}, but using in-memory certificates and keys rather
    than writing them to disk.

    @param trustRoot: the C{trustRoot} argument for the client connection's
        context.
    @type trustRoot: L{sslverify.IOpenSSLTrustRoot}

    @param privateKey: The private key.
    @type privateKey: L{str} (native string)

    @param serverCertificate: The certificate used by the server.
    @type chainedCertFile: L{str} (native string)

    @param clientProtocols: The protocols the client is willing to negotiate
        using NPN/ALPN.

    @param serverProtocols: The protocols the server is willing to negotiate
        using NPN/ALPN.

    @param clientOptions: The type of C{OpenSSLCertificateOptions} class to
        use for the client. Defaults to C{OpenSSLCertificateOptions}.

    @return: 3-tuple of server-protocol, client-protocol, and L{IOPump}
    @rtype: L{tuple}
    )r��acceptableProtocols)�
privateKeyrIr�r�)r�r�r��clientProtocols�serverProtocols�
clientOptions�clientCertOpts�serverCertOptss        r/�loopbackTLSConnectionInMemoryr�^sO��F��!�;�;�
�"����N��8�8��%�+��N�"�.�.�A�Ar2c���|j�}t|d�5}|D]&}|j|jt���(	ddd�|S#1swY|SxYw)a�
    Create a temporary file to store some serializable-as-PEM objects in, and
    return its name.

    @param testCase: a test case to use for generating a temporary directory.
    @type testCase: L{twisted.trial.unittest.TestCase}

    @param dumpables: arguments are objects from pyOpenSSL with a C{dump}
        method, taking a pyOpenSSL file-type constant, such as
        L{OpenSSL.crypto.FILETYPE_PEM} or L{OpenSSL.crypto.FILETYPE_ASN1}.
    @type dumpables: L{tuple} of L{object} with C{dump} method taking L{int}
        returning L{bytes}

    @return: the path to a file where all of the dumpables were dumped in PEM
        format.
    @rtype: L{str}
    �wbN)�mktemp�openr��dumpr)�testCase�	dumpables�fname�f�dumpables     r/�pathContainingDumpOfr��s^��$
�O�O��E�	
�e�T�	�1�a�!�	1�H�
�G�G�H�M�M�,�/�0�	1�1��L�1��L�s�,A�Ac��eZdZd�Zd�Zy)�DataCallbackProtocolc�|�|jjdc}|j_|�|j|�yyr+)�factory�onData�callback)r�r��ds   r/r�z!DataCallbackProtocol.dataReceived�s5��!%���!4�!4�d���4�<�<���=�
�J�J�t��r2c�|�|jjdc}|j_|�|j|�yyr+�r��onLost�errback)r�r�r�s   r/r�z#DataCallbackProtocol.connectionLost�s5��!%���!4�!4�d���4�<�<���=�
�I�I�f��r2N)r�r�r�r�r�r,r2r/r�r��s���
r2r�c��eZdZdZd�Zd�Zy)�WritingProtocol�xc�N�|jj|j�yr+)r�r��byter�s r/r�zWritingProtocol.connectionMade�s�������T�Y�Y�'r2c�N�|jjj|�yr+r�r�s  r/r�zWritingProtocol.connectionLost�s�������#�#�F�+r2N)r�r�r�rr�r�r,r2r/r�r��s���D�(�,r2r�c�v�eZdZdZdZd�Zd�Zd�Zd�Zd�Z	d�Z
dd
�Zd�Zd�Z
d
�Zd�Zd�Zd�Zd�Zd�Zd�Zy	)�FakeContexta�
    Introspectable fake of an C{OpenSSL.SSL.Context}.

    Saves call arguments for later introspection.

    Necessary because C{Context} offers poor introspection.  cf. this
    U{pyOpenSSL bug<https://bugs.launchpad.net/pyopenssl/+bug/1173899>}.

    @ivar _method: See C{method} parameter of L{__init__}.

    @ivar _options: L{int} of C{OR}ed values from calls of L{set_options}.

    @ivar _certificate: Set by L{use_certificate}.

    @ivar _privateKey: Set by L{use_privatekey}.

    @ivar _verify: Set by L{set_verify}.

    @ivar _verifyDepth: Set by L{set_verify_depth}.

    @ivar _mode: Set by L{set_mode}.

    @ivar _sessionID: Set by L{set_session_id}.

    @ivar _extraCertChain: Accumulated L{list} of all extra certificates added
        by L{add_extra_chain_cert}.

    @ivar _cipherList: Set by L{set_cipher_list}.

    @ivar _dhFilename: Set by L{load_tmp_dh}.

    @ivar _defaultVerifyPathsSet: Set by L{set_default_verify_paths}

    @ivar _ecCurve: Set by L{set_tmp_ecdh}
    rc�f�||_g|_d|_d|_tj
|_y)NF)�_method�_extraCertChain�_defaultVerifyPathsSet�_ecCurver�SESS_CACHE_SERVER�_sessionCacheMode)r��methods  r/�__init__zFakeContext.__init__�s0�����!���&+��#���
�
"%�!6�!6��r2c�.�|xj|zc_yr+)�_options�r��optionss  r/�set_optionszFakeContext.set_options�s���
�
�� �
r2c��||_yr+)�_certificate)r�rIs  r/�use_certificatezFakeContext.use_certificate�s
��'��r2c��||_yr+)�_privateKey)r�r�s  r/�use_privatekeyzFakeContext.use_privatekey��
��%��r2c��yr+r,r�s r/r�zFakeContext.check_privatekey����r2c��||_y)zo
        Set the mode. See L{SSL.Context.set_mode}.

        @param mode: See L{SSL.Context.set_mode}.
        N)�_mode)r��modes  r/�set_modezFakeContext.set_mode�s����
r2Nc��||f|_yr+)�_verify)r��flagsr�s   r/�
set_verifyzFakeContext.set_verifys
���h���r2c��||_yr+)�_verifyDepth)r��depths  r/�set_verify_depthzFakeContext.set_verify_depths
��!��r2c��||_yr+)�_sessionIDContext)r��sessionIDContexts  r/�set_session_idzFakeContext.set_session_ids��"2��r2c��||_y)zr
        Set the session cache mode on the context, as per
        L{SSL.Context.set_session_cache_mode}.
        N�r
)r��	cacheModes  r/�set_session_cache_modez"FakeContext.set_session_cache_modes��
"+��r2c��|jS)zy
        Retrieve the session cache mode from the context, as per
        L{SSL.Context.get_session_cache_mode}.
        r,r�s r/�get_session_cache_modez"FakeContext.get_session_cache_modes��
�%�%�%r2c�:�|jj|�yr+)r�append)r��certs  r/�add_extra_chain_certz FakeContext.add_extra_chain_certs�����#�#�D�)r2c��||_yr+)�_cipherList)r��
cipherLists  r/�set_cipher_listzFakeContext.set_cipher_list!rr2c��||_yr+)�_dhFilename)r��
dhfilenames  r/�load_tmp_dhzFakeContext.load_tmp_dh$rr2c��d|_y)z9
        Set the default paths for the platform.
        TN)rr�s r/�set_default_verify_pathsz$FakeContext.set_default_verify_paths's��'+��#r2c��||_y)z�
        Set an ECDH curve.  Should only be called by OpenSSL 1.0.1
        code.

        @param curve: See L{OpenSSL.SSL.Context.set_tmp_ecdh}
        N)r�r��curves  r/�set_tmp_ecdhzFakeContext.set_tmp_ecdh-s����
r2r+)r�r�r��__doc__rrrrrr�rr"r&r*r.r0r4r8r<r>rBr,r2r/rr�s_��"�H�H�	7�!�(�&���'�"�2�
+�&�*�&�&�+�r2rc�6�eZdZdZereZd�Zd�Zd�Zd�Z	d�Z
y)�ClientOptionsTestsz5
    Tests for L{sslverify.optionsForClientTLS}.
    c��|jttjdd��}|j	t|�d�y)z�
        When passed a keyword parameter other than C{extraCertificateOptions},
        L{sslverify.optionsForClientTLS} raises an exception just like a
        normal Python function would.
        �alpha�beta)�hostname�someRandomThingzJoptionsForClientTLS() got an unexpected keyword argument 'someRandomThing'N)�assertRaises�	TypeErrorrv�optionsForClientTLS�assertEqual�str)r��errors  r/�test_extraKeywordsz%ClientOptionsTests.test_extraKeywords?sG���!�!���)�)��"�	"�
��	
�����J�
 �	
r2c��|jttjd�}dtj
z}|j
t|�|�y)z�
        If you pass L{bytes} as the hostname to
        L{sslverify.optionsForClientTLS} it immediately raises a L{TypeError}.
        snot-actually-a-hostname.comz6optionsForClientTLS requires text for host names, not N)rKrLrvrM�bytesr�rNrO)r�rP�expectedTexts   r/�test_bytesFailFastz%ClientOptionsTests.test_bytesFailFastQsL��
�!�!��y�4�4�6T�
��
E�u�~�~�U�	�	
����U��\�2r2c�d�tjd�}|j|j�y)zv
        If you pass a dNSName to L{sslverify.optionsForClientTLS}
        L{_hostnameIsDnsName} will be True
        �example.comN)rvrM�
assertTrue�_hostnameIsDnsNamers  r/�test_dNSNameHostnamez'ClientOptionsTests.test_dNSNameHostname^s&��
�/�/�
�>������2�2�3r2c�d�tjd�}|j|j�y)z}
        If you pass an IPv4 address to L{sslverify.optionsForClientTLS}
        L{_hostnameIsDnsName} will be False
        �	127.0.0.1N�rvrM�assertFalserYrs  r/�test_IPv4AddressHostnamez+ClientOptionsTests.test_IPv4AddressHostnamefs(��
�/�/��<������3�3�4r2c�d�tjd�}|j|j�y)z}
        If you pass an IPv6 address to L{sslverify.optionsForClientTLS}
        L{_hostnameIsDnsName} will be False
        z::1Nr]rs  r/�test_IPv6AddressHostnamez+ClientOptionsTests.test_IPv6AddressHostnamens(��
�/�/��6������3�3�4r2N)r�r�r�rC�skipSSL�skiprQrUrZr_rar,r2r/rErE7s*������
�$3�4�5�5r2rEc��eZdZdZd�Zd�Zy)�$FakeChooseDiffieHellmanEllipticCurvezG
    A fake implementation of L{_ChooseDiffieHellmanEllipticCurve}
    c��y)z&
        A no-op constructor.
        Nr,)r��
versionNumber�
openSSLlib�
openSSLcryptos    r/rz-FakeChooseDiffieHellmanEllipticCurve.__init__|r1r2c��y)z|
        A null configuration.

        @param ctx: An L{OpenSSL.SSL.Context} that would be
            configured.
        Nr,)r�r�s  r/�configureECDHCurvez7FakeChooseDiffieHellmanEllipticCurve.configureECDHCurve�r1r2N)r�r�r�rCrrkr,r2r/rerews����
r2rec�B�eZdZdZereZdxZZdxZZ	d�Z
d�Z			dd�Zy)�OpenSSLOptionsTestsMixinz�
    A mixin for L{OpenSSLOptions} test cases creates client and server
    certificates, signs them with a CA, and provides a L{loopback}
    that creates TLS a connections with them.
    Nc��tdd��\|_|_tdd��\|_|_tdd��d|_td	d
��d|_|j
|jg|_|j|_y)zK
        Create class variables of client and server certificates.
        �Server Test Certificate�server��O�CNsClient Test CertificatesclientsCA Test Certificate 1sca1rO�CA Test Certificatesca2N)	rM�sKey�sCert�cKey�cCert�caCert1�caCert2�caCerts�extraCertChainr�s r/�setUpzOpenSSLOptionsTestsMixin.setUp�s���!0�(�Y�!
���	�4�:�!0�(�Y�!
���	�4�:�'�)A�f�M�a�P���&�)?�F�K�A�N������d�l�l�3���"�l�l��r2c�h�|j�|jj�|j�|jj�g}|j�|j|j�|j�|j|j�tj|d��S)NT��
consumeErrors)	�
serverPort�
stopListening�
clientConn�
disconnect�onServerLostr2�onClientLostr�DeferredList)r��Ls  r/�tearDownz!OpenSSLOptionsTestsMixin.tearDown�s����?�?�&��O�O�)�)�+��?�?�&��O�O�&�&�(������(�
�H�H�T�&�&�'����(�
�H�H�T�&�&�'��!�!�!�4�8�8r2c��|�tj�x|_}|�tj�x|_}|�tj�}t	j
�}t|_||_||_t	j�}t|_||_tjd||�|_
tjd|jj�j ||�|_y)Nrr\)r�Deferredr�r�r�
ServerFactoryr�r�r��
ClientFactoryr�r	�	listenSSLr��
connectSSL�getHost�portr�)r�r�r�r�r�r�r�r�s        r/�loopbackz!OpenSSLOptionsTestsMixin.loopback�s�����/4�~�~�/?�?�D�����/4�~�~�/?�?�D����>��^�^�%�F� �.�.�0�
�!5�
��+�
��%�
�� �.�.�0�
�!0�
��+�
��!�+�+�A�}�n�M���!�,�,�����0�0�2�7�7���
��r2�NNN)
r�r�r�rCrbrcr�r�r�r�r}r�r�r,r2r/rmrm�s?������"�"�J��"&�&�L�<�
+�9�$���

r2rmc���eZdZdZ�fd�Zd�Zd�Zd�Zd�Zd�Z	d�Z
d	�Zd
�Zd�Z
d�Zd
�Zd�Zd�Zd�Zd�Zd�Zd�Zd�Zd�Zd�Zd�Zd�Zd�Zd�Zd�Zd�Zd�Zd�Z d�Z!d �Z"d!�Z#d"�Z$d#�Z%d$�Z&d%�Z'd&�Z(d'�Z)d(�Z*d)�Z+d*�Z,d+�Z-d,�Z.e/j`e1d-�.�ge._0d/�Z2d0�Z3d1�Z4d2�Z5d3�Z6d4�Z7d5�Z8d6�Z9�xZ:S)7�OpenSSLOptionsTestsz0
    Tests for L{sslverify.OpenSSLOptions}.
    c�X��t�|��|jtdt�y)z�
        Same as L{OpenSSLOptionsTestsMixin.setUp}, but it also patches
        L{sslverify._ChooseDiffieHellmanEllipticCurve}.
        �!_ChooseDiffieHellmanEllipticCurveN)�superr}�patchrvre)r��	__class__s �r/r}zOpenSSLOptionsTests.setUp�s#���
	��
���
�
��/�0�	
r2c�d�|jttj|j��y)�S
        C{privateKey} and C{certificate} make only sense if both are set.
        )r�N)rKrqrvr�rur�s r/�"test_constructorWithOnlyPrivateKeyz6OpenSSLOptionsTests.test_constructorWithOnlyPrivateKey�s(��	
����	�;�;��	�	�	�	
r2c�d�|jttj|j��y)r�)rIN)rKrqrvr�rvr�s r/�#test_constructorWithOnlyCertificatez7OpenSSLOptionsTests.test_constructorWithOnlyCertificate�s(��	
����	�;�;����	�	
r2c�*�tj|j|j��}|j	|j
|j�|j	|j|j�|j	|jg�y)zT
        Specifying C{privateKey} and C{certificate} initializes correctly.
        �r�rIN)rvr�rurvrNr�rIr|�r��optss  r/�,test_constructorWithCertificateAndPrivateKeyz@OpenSSLOptionsTests.test_constructorWithCertificateAndPrivateKey�sk���2�2��y�y�d�j�j�
��	
������$�)�)�4�����)�)�4�:�:�6�����,�,�b�1r2c�|�|jttj|j|j
d��y)zN
        C{verify} must not be C{True} without specifying C{caCerts}.
        T)r�rI�verifyN)rKrqrvr�rurvr�s r/�0test_constructorDoesNotAllowVerifyWithoutCACertszDOpenSSLOptionsTests.test_constructorDoesNotAllowVerifyWithoutCACerts�s4��	
�����/�/��y�y��
�
��	�	
r2c	��|jttj|j|j
dd|j��|jttj|j|j
dd��y)z�
        C{verify}, C{requireCertificate}, and C{caCerts} must not be specified
        by the caller (to be I{any} value, even the default!) when specifying
        C{trustRoot}.
        TN)r�rIr�r�r{)r�rIr��requireCertificate)rKrLrvr�rurvr{r�s r/�/test_constructorDoesNotAllowLegacyWithTrustRootzCOpenSSLOptionsTests.test_constructorDoesNotAllowLegacyWithTrustRoot
ss��	
�����/�/��y�y��
�
����L�L�	�	
�	
�����/�/��y�y��
�
��#�
	�	
r2c���tj|j|j|j��}|j|j�|j|j|j�y)z2
        It's currently a NOP, but valid.
        )r�rIr{N)rvr�rurvr{r^r�rNr�s  r/�*test_constructorAllowsCACertsWithoutVerifyz>OpenSSLOptionsTests.test_constructorAllowsCACertsWithoutVerify"sS���2�2��y�y�d�j�j�$�,�,�
��	
������%�������t�|�|�4r2c���tj|j|jd|j��}|j|j�|j|j|j�y)zL
        Specifying C{verify} and C{caCerts} initializes correctly.
        T)r�rIr�r{N)rvr�rurvr{rXr�rNr�s  r/�$test_constructorWithVerifyAndCACertsz8OpenSSLOptionsTests.test_constructorWithVerifyAndCACerts,sV���2�2��y�y��
�
���L�L�	
��	
������$�������t�|�|�4r2c��tj|j|j|j��}|j|j|j�y)zt
        Setting C{extraCertChain} works if C{certificate} and C{privateKey} are
        set along with it.
        �r�rIr|N)rvr�rurvr|rNr�s  r/�test_constructorSetsExtraChainz2OpenSSLOptionsTests.test_constructorSetsExtraChain9sI��
�2�2��y�y��
�
��.�.�
��
	
����,�,�d�.A�.A�Br2c�z�|jttj|j|j
��y)zl
        A C{extraCertChain} without C{privateKey} doesn't make sense and is
        thus rejected.
        )rIr|N)rKrqrvr�rvr|r�s r/�7test_constructorDoesNotAllowExtraChainWithoutPrivateKeyzKOpenSSLOptionsTests.test_constructorDoesNotAllowExtraChainWithoutPrivateKeyEs3��
	
�����/�/��
�
��.�.�		�	
r2c�z�|jttj|j|j
��y)zm
        A C{extraCertChain} without C{certificate} doesn't make sense and is
        thus rejected.
        )r�r|N)rKrqrvr�rur|r�s r/�7test_constructorDoesNotAllowExtraChainWithOutPrivateKeyzKOpenSSLOptionsTests.test_constructorDoesNotAllowExtraChainWithOutPrivateKeyQs3��
	
�����/�/��y�y��.�.�		�	
r2c��tj|j|j|j��}t
|_|j�}|j|j|j�|j|j|j�|j|j|j�y)z�
        If C{extraCertChain} is set and all prerequisites are met, the
        specified chain certificates are added to C{Context}s that get
        created.
        r�N)rvr�rurvr|r�_contextFactoryr�rNrrr�r�r�r�s   r/�&test_extraChainFilesAreAddedIfSuppliedz:OpenSSLOptionsTests.test_extraChainFilesAreAddedIfSupplied]s����2�2��y�y��
�
��.�.�
��
 +����o�o���������C�O�O�4�������S�%5�%5�6�����,�,�c�.A�.A�Br2c���tj|j|j|j��}|j�}|j
|tj�y)zR
        C{extraCertChain} doesn't break C{OpenSSL.SSL.Context} creation.
        r�N)	rvr�rurvr|r��assertIsInstancerr�r�s   r/�$test_extraChainDoesNotBreakPyOpenSSLz8OpenSSLOptionsTests.test_extraChainDoesNotBreakPyOpenSSLnsM���2�2��y�y��
�
��.�.�
��
�o�o������c�3�;�;�/r2c��tj|j|j��}t|_|j
�}|j|jjd�|j�y)z�
        If the user doesn't supply custom acceptable ciphers, a shipped secure
        default is used.  We can't check directly for it because the effective
        cipher string we set varies with platforms.
        r�rZN)rvr�rurvrr�r�rN�
_cipherStringrsr6r�s   r/�"test_acceptableCiphersAreAlwaysSetz6OpenSSLOptionsTests.test_acceptableCiphersAreAlwaysSetzs]���2�2��y�y��
�
�
�� +����o�o�������+�+�2�2�7�;�S�_�_�Mr2c� �ttj�Gd�d��}tj|j
|j|���}t|_|j�}|jd|j�y)zB
        If acceptable ciphers are passed, they are used.
        c��eZdZd�Zy)�WOpenSSLOptionsTests.test_honorsAcceptableCiphersArgument.<locals>.FakeAcceptableCiphersc�.�tjd�gS)N�sentinel)rv�
OpenSSLCipher)r��_s  r/�
selectCipherszeOpenSSLOptionsTests.test_honorsAcceptableCiphersArgument.<locals>.FakeAcceptableCiphers.selectCiphers�s��!�/�/�
�;�<�<r2N)r�r�r�r�r,r2r/�FakeAcceptableCiphersr��s��
=r2r�)r�rI�acceptableCiphersssentinelN)rr�IAcceptableCiphersrvr�rurvrr�r�rNr6)r�r�r�r�s    r/�$test_honorsAcceptableCiphersArgumentz8OpenSSLOptionsTests.test_honorsAcceptableCiphersArgument�sv��

�Z�2�2�	3�	=�	=�
4�	=��2�2��y�y��
�
�3�5�
��
 +����o�o�������c�o�o�6r2c�2�tj|j|j��}t|_|j
�}tjtjztjz}|j||j|z�y)z
        Every context must have C{OP_NO_SSLv2}, C{OP_NO_COMPRESSION}, and
        C{OP_CIPHER_SERVER_PREFERENCE} set.
        r�N)
rvr�rurvrr�r�r�OP_NO_SSLv2�OP_NO_COMPRESSION�OP_CIPHER_SERVER_PREFERENCErNr�r�r�r�rs    r/�test_basicSecurityOptionsAreSetz3OpenSSLOptionsTests.test_basicSecurityOptionsAreSet�su��
�2�2��y�y��
�
�
�� +����o�o����O�O�c�3�3�3�c�6U�6U�U�	�	
����#�,�,��"8�9r2c���tj|j|j��}t|_|j
�}|jtj|j�y)zH
        Every context must be in C{MODE_RELEASE_BUFFERS} mode.
        r�N)rvr�rurvrr�r�rNr�MODE_RELEASE_BUFFERSrr�s   r/�test_modeIsSetz"OpenSSLOptionsTests.test_modeIsSet�sR���2�2��y�y��
�
�
�� +����o�o�������1�1�3�9�9�=r2c��tj|j|jd��}t|_|j
�}tjtjz}|j||j|z�y)z�
        If C{singleUseKeys} is set, every context must have
        C{OP_SINGLE_DH_USE} and C{OP_SINGLE_ECDH_USE} set.
        T)r�rI�enableSingleUseKeysN)rvr�rurvrr�r�r�OP_SINGLE_DH_USE�OP_SINGLE_ECDH_USErNrr�s    r/�test_singleUseKeysz&OpenSSLOptionsTests.test_singleUseKeys�sj��
�2�2��y�y��
�
� $�
��
 +����o�o����&�&��)?�)?�?������#�,�,��"8�9r2c�R�tj|j|jtj
��d}|j
|jg�}|jdt|��|jt|dd�|j||dd�y)zd
        Passing C{method} to L{sslverify.OpenSSLCertificateOptions} is
        deprecated.
        )r�rIrz�Passing method to twisted.internet.ssl.CertificateOptions was deprecated in Twisted 17.1.0. Please use a combination of insecurelyLowerMinimumTo, raiseMinimumTo, and lowerMaximumSecurityTo instead, as Twisted will correctly configure the method.rOr�category�messageN)rvr�rurvrr��
flushWarnings�test_methodIsDeprecatedrN�len�DeprecationWarning)r�r��warningss   r/r�z+OpenSSLOptionsTests.test_methodIsDeprecated�s���
	�+�+��y�y��
�
��$�$�	
�
.�	��%�%�t�'C�'C�&D�E������C��M�*����+�X�a�[��-D�E�����(�1�+�i�"8�9r2c��tj|j|j��}t|_|j
�}tjtjztjztjztjztjz}|j||j|z�y)z�
        L{sslverify.OpenSSLCertificateOptions} will make the default minimum
        TLS version v1.2, if no C{method}, or C{insecurelyLowerMinimumTo} is
        given.
        r�N)rvr�rurvrr�r�rr�r�r��OP_NO_SSLv3�OP_NO_TLSv1�
OP_NO_TLSv1_1rNrr�s    r/�test_tlsv12ByDefaultz(OpenSSLOptionsTests.test_tlsv12ByDefault�s����2�2��y�y�d�j�j�
�� +����o�o����O�O��#�#�
$��-�-�
.��o�o�
��o�o�	
�
���
 �	�	
����#�,�,��"8�9r2c��|jt�5}tj|j|j
tjjtjj��ddd�|jdjjd�|jd|jjd�|jd|jjd�y#1swY��xYw)z�
        Passing C{insecurelyLowerMinimumTo} along with C{raiseMinimumTo} to
        L{sslverify.OpenSSLCertificateOptions} will cause it to raise an
        exception.
        )r�rI�raiseMinimumTo�insecurelyLowerMinimumToNr�rr��	exclusive)rKrLrvr�rurv�
TLSVersion�TLSv1_2�assertIn�	exception�args�r��es  r/�#test_tlsProtocolsAtLeastWithMinimumz7OpenSSLOptionsTests.test_tlsProtocolsAtLeastWithMinimum�s����
�
�y�
)�	�Q��/�/��9�9� �J�J�(�3�3�;�;�)2�)=�)=�)E�)E�	
�	�	
�
�
�&����(8�(8��(;�<��
�
�0�!�+�+�2B�2B�1�2E�F��
�
�k�1�;�;�#3�#3�A�#6�7�	�	�s�AC8�8Dc���|jt�5}tj|j|j
tjtjj��ddd�|jdjjd�|jd|jjd�|jd|jjd�y#1swY��xYw)z�
        Passing C{raiseMinimumTo} along with C{method} to
        L{sslverify.OpenSSLCertificateOptions} will cause it to raise an
        exception.
        )r�rIrr�Nrrr�r��
rKrLrvr�rurvrr�r�r�r�r�r�r�s  r/�$test_tlsProtocolsNoMethodWithAtLeastz8OpenSSLOptionsTests.test_tlsProtocolsNoMethodWithAtLeasts����
�
�y�
)�	�Q��/�/��9�9� �J�J��(�(�(�3�3�;�;�	
�	�	
�
�
�h���� 0� 0�� 3�4��
�
�&����(8�(8��(;�<��
�
�k�1�;�;�#3�#3�A�#6�7�	�	���AC.�.C7c���|jt�5}tj|j|j
tjtjj��ddd�|jdjjd�|jd|jjd�|jd|jjd�y#1swY��xYw)z�
        Passing C{insecurelyLowerMinimumTo} along with C{method} to
        L{sslverify.OpenSSLCertificateOptions} will cause it to raise an
        exception.
        )r�rIrr�Nrrr�r�r�r�s  r/�$test_tlsProtocolsNoMethodWithMinimumz8OpenSSLOptionsTests.test_tlsProtocolsNoMethodWithMinimums����
�
�y�
)�	�Q��/�/��9�9� �J�J��(�(�)2�)=�)=�)E�)E�	
�	�	
�
�
�h���� 0� 0�� 3�4��
�
�0�!�+�+�2B�2B�1�2E�F��
�
�k�1�;�;�#3�#3�A�#6�7�	�	�r�c���|jt�5}tj|j|j
tjtjj��ddd�|jdjjd�|jd|jjd�|jd|jjd�y#1swY��xYw)z�
        Passing C{lowerMaximumSecurityTo} along with C{method} to
        L{sslverify.OpenSSLCertificateOptions} will cause it to raise an
        exception.
        )r�rIr�lowerMaximumSecurityToNrrr�r�)
rKrLrvr�rurvr�
TLS_METHODr�r�r�r�r�r�s  r/�$test_tlsProtocolsNoMethodWithMaximumz8OpenSSLOptionsTests.test_tlsProtocolsNoMethodWithMaximum)s����
�
�y�
)�	�Q��/�/��9�9� �J�J��~�~�'0�';�';�'C�'C�	
�	�	
�
�
�h���� 0� 0�� 3�4��
�
�.����0@�0@��0C�D��
�
�k�1�;�;�#3�#3�A�#6�7�	�	�r�c�^�|jt�5}tj|j|j
tjjtjj��ddd�|jjjd�y#1swY�0xYw)z�
        Passing out of order TLS versions to C{insecurelyLowerMinimumTo} and
        C{lowerMaximumSecurityTo} will cause it to raise an exception.
        �r�rIr�r�N)zFinsecurelyLowerMinimumTo needs to be lower than lowerMaximumSecurityTo�rKrqrvr�rurvr��TLSv1_0�SSLv3rNr�r�r�s  r/�test_tlsVersionRangeInOrderz/OpenSSLOptionsTests.test_tlsVersionRangeInOrder;s���
�
�
�z�
*�	�a��/�/��9�9� �J�J�)2�)=�)=�)E�)E�'0�';�';�'A�'A�	
�	�	
���
�K�K���
�	
�	�	���AB#�#B,c�^�|jt�5}tj|j|j
tjjtjj��ddd�|jjjd�y#1swY�0xYw)z�
        Passing out of order TLS versions to C{raiseMinimumTo} and
        C{lowerMaximumSecurityTo} will cause it to raise an exception.
        )r�rIr�r�N)z<raiseMinimumTo needs to be lower than lowerMaximumSecurityTor�r�s  r/�"test_tlsVersionRangeInOrderAtLeastz6OpenSSLOptionsTests.test_tlsVersionRangeInOrderAtLeastRs���
�
�
�z�
*�	�a��/�/��9�9� �J�J�(�3�3�;�;�'0�';�';�'A�'A�	
�	�	
���
�K�K���R�	
�	�	�rc���tj|j|jtjj
��}t|_|j�}tjtjztjztjztjztjz|j z}|j#||j$|z�y)a
        When calling L{sslverify.OpenSSLCertificateOptions} with
        C{lowerMaximumSecurityTo} but no C{raiseMinimumTo} or
        C{insecurelyLowerMinimumTo} set, and C{lowerMaximumSecurityTo} is
        below the minimum default, the minimum will be made the new maximum.
        )r�rIr�N�rvr�rurvr�rrr�r�rr�r�r�r�r��
OP_NO_TLSv1_2�_OP_NO_TLSv1_3rNrr�s    r/�&test_tlsProtocolsreduceToMaxWithoutMinz:OpenSSLOptionsTests.test_tlsProtocolsreduceToMaxWithoutMinds����2�2��y�y��
�
�#,�#7�#7�#=�#=�
��
 +����o�o����O�O��#�#�
$��-�-�
.��o�o�
����	
 �
���
 ��!�!�

"�	�	
����#�,�,��"8�9r2c��tj|j|jtjj
tjj
��}t|_|j�}tjtjztjztjztjztjz|j z}|j#||j$|z�y)z�
        When calling L{sslverify.OpenSSLCertificateOptions} with
        C{insecurelyLowerMinimumTo} and C{lowerMaximumSecurityTo} set to
        SSLv3, it will exclude all others.
        r�Nrr�s    r/�test_tlsProtocolsSSLv3Onlyz.OpenSSLOptionsTests.test_tlsProtocolsSSLv3Only}s����2�2��y�y��
�
�%.�%9�%9�%?�%?�#,�#7�#7�#=�#=�	
�� +����o�o����O�O��#�#�
$��-�-�
.��o�o�
����	
 �
���
 ��!�!�

"�	�	
����#�,�,��"8�9r2c��tj|j|jtjj
tjj
��}t|_|j�}tjtjztjztjztjztjz|j z}|j#||j$|z�y)z�
        When calling L{sslverify.OpenSSLCertificateOptions} with
        C{insecurelyLowerMinimumTo} and C{lowerMaximumSecurityTo} set to v1.0,
        it will exclude all others.
        r�N)rvr�rurvr�rrr�r�rr�r�r�r�r�rr	rNrr�s    r/� test_tlsProtocolsTLSv1Point0Onlyz4OpenSSLOptionsTests.test_tlsProtocolsTLSv1Point0Only�s����2�2��y�y��
�
�%.�%9�%9�%A�%A�#,�#7�#7�#?�#?�	
�� +����o�o����O�O��#�#�
$��-�-�
.��o�o�
����	
 �
���
 ��!�!�

"�	�	
����#�,�,��"8�9r2c��tj|j|jtjj
tjj
��}t|_|j�}tjtjztjztjztjztjz|j z}|j#||j$|z�y)z�
        When calling L{sslverify.OpenSSLCertificateOptions} with
        C{insecurelyLowerMinimumTo} and C{lowerMaximumSecurityTo} set to v1.1,
        it will exclude all others.
        r�N)rvr�rurvr��TLSv1_1rr�r�rr�r�r�r�r�rr	rNrr�s    r/� test_tlsProtocolsTLSv1Point1Onlyz4OpenSSLOptionsTests.test_tlsProtocolsTLSv1Point1Only������2�2��y�y��
�
�%.�%9�%9�%A�%A�#,�#7�#7�#?�#?�	
�� +����o�o����O�O��#�#�
$��-�-�
.��o�o�
��o�o�	
�
���
 ��!�!�

"�	�	
����#�,�,��"8�9r2c��tj|j|jtjj
tjj
��}t|_|j�}tjtjztjztjztjztjz|j z}|j#||j$|z�y)z�
        When calling L{sslverify.OpenSSLCertificateOptions} with
        C{insecurelyLowerMinimumTo} and C{lowerMaximumSecurityTo} set to v1.2,
        it will exclude all others.
        r�N)rvr�rurvr�r�rr�r�rr�r�r�r�r�r�r	rNrr�s    r/� test_tlsProtocolsTLSv1Point2Onlyz4OpenSSLOptionsTests.test_tlsProtocolsTLSv1Point2Only�rr2c���tj|j|jtjj
tjj��}t|_|j�}tjtjztjztjz|jz}|j!||j"|z�y)z�
        When calling L{sslverify.OpenSSLCertificateOptions} with
        C{insecurelyLowerMinimumTo} set to TLSv1.0 and
        C{lowerMaximumSecurityTo} to TLSv1.2, it will exclude both SSLs and
        the (unreleased) TLSv1.3.
        r�N)rvr�rurvr�rr�rr�r�rr�r�r�r�r	rNrr�s    r/�test_tlsProtocolsAllModernTLSz1OpenSSLOptionsTests.test_tlsProtocolsAllModernTLS�s����2�2��y�y��
�
�%.�%9�%9�%A�%A�#,�#7�#7�#?�#?�	
�� +����o�o����O�O��#�#�
$��-�-�
.��o�o�
��!�!�	
"�	�	
����#�,�,��"8�9r2c���tj|j|jtjj
��}t|_|j�}tjtjztjztjztjztjz}|j!||j"|z�y)z�
        When calling L{sslverify.OpenSSLCertificateOptions} with
        C{raiseMinimumTo} set to TLSv1.2, it will ignore all TLSs below
        1.2 and SSL.
        �r�rIr�N�rvr�rurvr�r�rr�r�rr�r�r�r�r�r�rNrr�s    r/�$test_tlsProtocolsAtLeastAllSecureTLSz8OpenSSLOptionsTests.test_tlsProtocolsAtLeastAllSecureTLS�s����2�2��y�y��
�
�$�/�/�7�7�
��
 +����o�o����O�O��#�#�
$��-�-�
.��o�o�
��o�o�	
�
���
 �	�	
����#�,�,��"8�9r2c�2�tj|j|jtjj
��}t|_|j�}tjtjztjztjztjztjz}|j!||j"|z�|j!|j$tjj&�y)z�
        When calling L{sslverify.OpenSSLCertificateOptions} with
        C{raiseMinimumTo} set to a value lower than Twisted's default will
        cause it to use the more secure default.
        rN)rvr�rurvr�rrr�r�rr�r�r�r�r�r�rNr�_defaultMinimumTLSVersionr�r�s    r/�/test_tlsProtocolsAtLeastWillAcceptHigherDefaultzCOpenSSLOptionsTests.test_tlsProtocolsAtLeastWillAcceptHigherDefaults����2�2��y�y��
�
�$�/�/�5�5�
��
 +����o�o���

�O�O��#�#�
$��-�-�
.��o�o�
��o�o�	
�
���
 �	�	
����#�,�,��"8�9�����7�7��9M�9M�9U�9U�Vr2c���tj|j|jtjj
��}t|_|j�}tjtjztjztjztjztjz}|j!||j"|z�y)z�
        When calling L{sslverify.OpenSSLCertificateOptions} with
        C{insecurelyLowerMinimumTo} set to TLSv1.2, it will ignore all TLSs below
        1.2 and SSL.
        )r�rIr�Nrr�s    r/�test_tlsProtocolsAllSecureTLSz1OpenSSLOptionsTests.test_tlsProtocolsAllSecureTLS+s����2�2��y�y��
�
�%.�%9�%9�%A�%A�
��
 +����o�o����O�O��#�#�
$��-�-�
.��o�o�
��o�o�	
�
���
 �	�	
����#�,�,��"8�9r2c��Gd�d�}|�}tj|j|j|��}t|_|j
�}|j|jj|j�y)zO
        If C{dhParams} is set, they are loaded into each new context.
        c��eZdZed�Zy)�FOpenSSLOptionsTests.test_dhParams.<locals>.FakeDiffieHellmanParameters�	dh.paramsN)r�r�r�r�_dhFiler,r2r/�FakeDiffieHellmanParametersr"Gs���|�,�Gr2r%)r�rI�dhParametersN)rvr�rurvrr�r�rNr$�pathr:)r�r%�dhParamsr�r�s     r/�
test_dhParamsz!OpenSSLOptionsTests.test_dhParamsBsn��
	-�	-�/�0���2�2��y�y��
�
�!�
��
 +����o�o������4�<�<�A�A�3�?�?�Sr2c��|jtjdd��tjdd���|j	tjdd��tjddd���tjd��}|jtt|d	d
�|j|j|j�d|_|j|j|j�y)
zh
        Check that abbreviations used in certificates correctly map to
        complete names.
        �ashello)rs�OU)�
commonName�organizationalUnitNamesxxx)rsr,�emailAddresssabcdefg)rs�Cnr�sbcdefgaN)
rNrv�DN�DistinguishedName�assertNotEqualrK�AttributeErrorrCrsr-)r��dns  r/�#test_abbreviatingDistinguishedNamesz7OpenSSLOptionsTests.test_abbreviatingDistinguishedNamesTs���
	
����L�L�D�X�.��'�'���
�	
�	
����L�L�D�X�.��L�L�D�X�F�C�	
��\�\�Z�
(�����.�'�2�t�T�B��������
�
�.�����������
�
�.r2c	���tjddddddd��}|j�}d	D]<}|j|||�d
��|j|j	�||�d
���>y)Nscommon namesorganization namesorganizational unit name�
locality namesstate or province namescountry names
email address)r-�organizationNamer.�localityName�stateOrProvinceName�countryNamer/)�common name�organization name�organizational unit name�
locality name�state or province name�country name�
email addressz was not in inspect output.)rvr1�inspectr��title�r��n�srKs    r/�testInspectDistinguishedNamez0OpenSSLOptionsTests.testInspectDistinguishedNameis}���L�L�%�1�#>�)� 9�'�)�
��
�I�I�K��
�
	M�A�
�M�M�!�Q�1�%�'B� C�D��M�M�!�'�'�)�Q�1�%�/J�(K�L�
	Mr2c��tjd��}|j�}dD]<}|j|||�d��|j|j	�||�d���>|jd|�|jd|�y)Nr8)r:)r=r>r?rArBrCz was in inspect output.r@z
Locality Name)rvr1rD�assertNotInrEr�rFs    r/�,testInspectDistinguishedNameWithoutAllFieldsz@OpenSSLOptionsTests.testInspectDistinguishedNameWithoutAllFields�s����L�L�&6�7��
�I�I�K��
�		L�A�
���Q��a�U�*A�#B�C����Q�W�W�Y��a�U�2I�+J�K�		L�	
�
�
�o�q�)��
�
�o�q�)r2c��tjjt�}|j	�}|j�}|j
|j�jd�dddddddd	d
dddddddd	d
dd
d|zg�y)z�
        Test that the C{inspect} method of L{sslverify.Certificate} returns
        a human-readable string containing some basic information about the
        certificate.
        �
zCertificate For Subject:z5               Common Name: example.twistedmatrix.comz              Country Name: USz4             Email Address: nobody@twistedmatrix.comz"             Locality Name: Bostonz/         Organization Name: Twisted Matrix Labsz$  Organizational Unit Name: Securityz)    State Or Province Name: MassachusettsrzIssuer:zSerial Number: 12345z7Digest: C4:96:11:00:30:C3:EC:EE:A3:55:AA:ED:8C:84:85:18zPublic Key with Hash: N)	rvrwrx�A_HOST_CERTIFICATE_PEM�getPublicKey�keyHashrNrD�split)r�r.�pkrQs    r/�test_inspectCertificatez+OpenSSLOptionsTests.test_inspectCertificate�s���
�!�!�)�)�*@�A��
�^�^�
���*�*�,��	
���
�I�I�K���d�#�*�G�0�F�4�A�6�;���G�0�F�4�A�6�;��&�I�(�7�2�+
�	
r2c���tjjt�}tjjt�}tjjt�}|j|j
�j|j
���|j|j
�j|j
���y)z�
        L{PublicKey.matches} returns L{True} for keys from certificates with
        the same key, and L{False} for keys from certificates with different
        keys.
        N)	rvrwrxrO�A_PEER_CERTIFICATE_PEMrXrP�matchesr^)r��hostA�hostB�peerAs    r/�test_publicKeyMatchingz*OpenSSLOptionsTests.test_publicKeyMatching�s����%�%�-�-�.D�E���%�%�-�-�.D�E���%�%�-�-�.D�E������*�*�,�4�4�U�5G�5G�5I�J�K�����+�+�-�5�5�e�6H�6H�6J�K�Lr2c��tj�}|j|jd�|j	�}|j|j�tj�tjd��}|j|jd�|j	�}|j|j�tj�y)z�
        The enableSessions argument sets the session cache mode; it defaults to
        False (at least until https://twistedmatrix.com/trac/ticket/9764 can be
        resolved).
        FT)�enableSessionsN)	rvr�rNr]r�r0r�SESS_CACHE_OFFr	)r�rr�s   r/�!test_enablingAndDisablingSessionsz5OpenSSLOptionsTests.test_enablingAndDisablingSessions�s����5�5�7������/�/��7�� � �"������3�3�5�s�7I�7I�J��5�5�T�J������/�/��6�� � �"������3�3�5�s�7L�7L�Mr2c��tj|j|jtj
d|jgddddddd��}|j
�}|j||j�|j|�|j�}|jd|�tj�}|j|�|j|j|j�|j|j|j�|j|j tj
�|j#|j$�|j|j&|jg�|j|j(d�|j+|j,�|j+|j.�|j+|j0�|j+|j2�|j#|j4�|j#|j6�y)zN
        Test that __setstate__(__getstate__()) round-trips properly.
        T�F)r�rIrr�r{�verifyDepthr��
verifyOncer�r]�fixBrokenPeers�enableSessionTickets�_contextN)rvr�rurvrr�r��assertIsrf�assertIsNotNone�__getstate__rK�__setstate__rNr�rIrrXr�r{rbr^r�rcr�r]rdre)r��	firstOpts�context�stater�s     r/�$test_certificateOptionsSerializationz8OpenSSLOptionsTests.test_certificateOptionsSerialization�s����7�7��y�y��
�
��$�$���Z�Z�L��$�� %� ��!%�

�	��&�&�(���
�
�g�y�1�1�2����W�%��&�&�(������U�+��2�2�4�����%� �������$�)�)�4�����)�)�4�:�:�6�������c�&7�&7�8�������$��������
�
�|�4�����)�)�1�-�����0�0�1�������)�����1�1�2�����,�,�-�����+�+�,�����1�1�2r2z/twisted\.internet\._sslverify\.*__[gs]etstate__)r�r�c��tjd��}|j�}|jd|j	d�dz�y)zR
        Enabling session tickets should not set the OP_NO_TICKET option.
        T�rer�@N�rvr�r�rNrr�s   r/�%test_certificateOptionsSessionTicketsz9OpenSSLOptionsTests.test_certificateOptionsSessionTicketss>���2�2��M���o�o�������C�O�O�A�.��;�<r2c��tjd��}|j�}|jd|j	d�dz�y)zN
        Enabling session tickets should set the OP_NO_TICKET option.
        FrprqrNrrr�s   r/�-test_certificateOptionsSessionTicketsDisabledzAOpenSSLOptionsTests.test_certificateOptionsSessionTicketsDisabled
s>���2�2��N���o�o�������S�_�_�Q�%7�*�%D�Er2c���tj�}�jtj�j
�jd��tjd��|��|j�fd��S)zw
        Check that anonymous connections are allowed when certificates aren't
        required on the server.
        F)r�rIr��r��r�c�D���j|tj�Sr+�rNr�r��resultr�s �r/r0zKOpenSSLOptionsTests.test_allowedAnonymousClientConnection.<locals>.<lambda>$����4�+�+�F�O�4H�4H�I�r2�rr�r�rvr�rurv�addCallback�r�r�s` r/�%test_allowedAnonymousClientConnectionz9OpenSSLOptionsTests.test_allowedAnonymousClientConnectionsk���
���!���
�
��/�/��9�9�$�*�*�QV�
�
�/�/�5�I��	�	
��!�!�I�
�	
r2c	�r��tj�}tj�}�jtj�j
�jd�jgd��tjd��||��tj||gd��}�fd�}|j|�S)zt
        Check that anonymous connections are refused when certificates are
        required on the server.
        T)r�rIr�r{r�Frw�r�r�rc���|\\}}\}}�j|��j|��j|jtjt
f��j|jtj�yr+)r^r��valuer�Errorr
�r|�cSuccess�cResult�sSuccess�sResultr�s     �r/�	afterLostzLOpenSSLOptionsTests.test_refusedAnonymousClientConnection.<locals>.afterLost=sj���9?�6�
 �h��"5�8�W����X�&����X�&�
�!�!�'�-�-�#�)�)�^�1L�M��!�!�'�-�-����;r2)	rr�r�rvr�rurvr�r�r�r�r�r�r�s`    r/�%test_refusedAnonymousClientConnectionz9OpenSSLOptionsTests.test_refusedAnonymousClientConnection's����
�~�~�'���~�~�'���
�
��/�/��9�9� �J�J������#'�
�
�/�/�5�I�%�%�	�	
�
����l�;�4�P��	<��}�}�Y�'�'r2c�t��tj�}tj�}�jtj�j
�jdd��tjdd�jg��||��tj||gd��}�fd�}|j|�S)zg
        Check that connecting with a certificate not accepted by the server CA
        fails.
        F�r�rIr�r�T�r�r�r{r�rc�`��|\\}}\}}�j|��j|�yr+)r^r�s     �r/r�zIOpenSSLOptionsTests.test_failedCertificateVerification.<locals>.afterLost`s3���9?�6�
 �h��"5�8�W����X�&����X�&r2)
rr�r�rvr�rurvrxr�rr�s`    r/�"test_failedCertificateVerificationz6OpenSSLOptionsTests.test_failedCertificateVerificationIs����
�~�~�'���~�~�'���
�
��/�/��9�9� �J�J��#(�	
�
�/�/����
�
�|�
�&�%�	�	
�
����l�;�4�P��	'�
�}�}�Y�'�'r2c���tj�}�jtj�j
�jdd��tjdd�jg��|��|j�fd��S)zi
        Test a successful connection with client certificate validation on
        server side.
        Fr�Tr�rxc�D���j|tj�Sr+rzr{s �r/r0zLOpenSSLOptionsTests.test_successfulCertificateVerification.<locals>.<lambda>{r}r2r~r�s` r/�&test_successfulCertificateVerificationz:OpenSSLOptionsTests.test_successfulCertificateVerificationgs~���
���!���
�
��/�/��9�9� �J�J��#(�	
�
�/�/���t�z�z�l�
��	�	
��!�!�I�
�	
r2c
�X��tj�}�jtj�j
�jdd�jg��tj�j�jdd�jg��|��|j�fd��S)zg
        Test a successful connection with validation on both server and client
        sides.
        T)r�rIr�r�r{rxc�D���j|tj�Sr+rzr{s �r/r0z_OpenSSLOptionsTests.test_successfulSymmetricSelfSignedCertificateVerification.<locals>.<lambda>�r}r2)
rr�r�rvr�rurvrxrwrr�s` r/�9test_successfulSymmetricSelfSignedCertificateVerificationzMOpenSSLOptionsTests.test_successfulSymmetricSelfSignedCertificateVerification~s����
���!���
�
��/�/��9�9� �J�J��#'�����
�
�/�/��9�9� �J�J��#'�����
��	�	
�$�!�!�I�
�	
r2c�H��tjd��}tjj�}|j	|�}tjd��}tjj�}|j	|�}|j	|�}|j||d�d�}|j
|�}	|j	|�}
|j||
d�d�}|j
|�}|j||d�d	�}
|j
|
�}|j||d
�d�}|j
|�}tj�}|j|�}|j|	�}�j|||��|j�fd
��S)zT
        Check certificates verification building custom certificates data.
        �client)r-�serverc��y�NTr,�r5s r/r0z7OpenSSLOptionsTests.test_verification.<locals>.<lambda>�r1r2�c��yr�r,r�s r/r0z7OpenSSLOptionsTests.test_verification.<locals>.<lambda>�r1r2ic��yr�r,r�s r/r0z7OpenSSLOptionsTests.test_verification.<locals>.<lambda>�r1r2�c��yr�r,r�s r/r0z7OpenSSLOptionsTests.test_verification.<locals>.<lambda>�r1r2�*rxc�D���j|tj�Sr+rzr{s �r/r0z7OpenSSLOptionsTests.test_verification.<locals>.<lambda>�r}r2)rvr2�KeyPair�generate�certificateRequest�signCertificateRequest�newCertificaterr�rr�r)r��clientDN�	clientKey�
clientCertReq�serverDN�	serverKey�
serverCertReq�clientSelfCertReq�clientSelfCertData�clientSelfCert�serverSelfCertReq�serverSelfCertData�serverSelfCert�clientCertData�
clientCert�serverCertDatar�r�r�r�s`                   r/�test_verificationz%OpenSSLOptionsTests.test_verification�s�����.�.�(�C���%�%�.�.�0�	�!�4�4�X�>�
��.�.�(�C���%�%�.�.�0�	�!�4�4�X�>�
�%�8�8��B��&�=�=��'��#�
��#�1�1�2D�E��%�8�8��B��&�=�=��'��#�
��#�1�1�2D�E��"�9�9��m�_�a�
���-�-�n�=�
�"�9�9��m�_�b�
���-�-�n�=�
����!���'�'��7�
��'�'��7�
��
�
�j�*�V�
�<��!�!�I�
�	
r2);r�r�r�rCr}r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�rrr
rrrrrrrrr)r6rIrLrTr[r_rnr�suppressr�rsrur�r�r�r�r�r��
__classcell__)r�s@r/r�r��s4����

�
�
�	2�

�
�05�5�
C�

�

�C�"
0�N�7�&:� 
>�
:�:�0:�*8�$8�$8�$8�$
�.
�$:�2:�2:�2:�2:�2:�0:�.W�6:�.T�$/�*M�.*� )
�VM�
N�%3�P	��
�
�'�F�	
�5�(�1�=�F�
�$ (�D(�<
�.
�8+
r2r�c��eZdZdZd�Zy)�"OpenSSLOptionsECDHIntegrationTestsz?
    ECDH-related integration tests for L{OpenSSLOptions}.
    c���t�std��tj�}�j	tj�j�jdt
jj��tjdt
jj��|��|j�fd��}|S)z@
        Connections use ECDH when OpenSSL supports it.
        zOpenSSL does not support ECDH.F)r�rIr�r�)r�r�rxc����jt�jjj�d��jjj\}|j�j
�}�jd|�y)NrO�ECDH)rNr�r�r��	protocols�	getHandle�get_cipher_namer�)r��clientProtocol�cipherr�s   �r/�
assertECDHzVOpenSSLOptionsECDHIntegrationTests.test_ellipticCurveDiffieHellman.<locals>.assertECDH�se������S����!8�!8�!B�!B�C�Q�G�#���6�6�@�@��^�#�-�-�/�?�?�A�F��M�M�&�&�)r2)r rrr�r�rvr�rurvr��TLSv1_3r)r�r�r�s`  r/�test_ellipticCurveDiffieHellmanzBOpenSSLOptionsECDHIntegrationTests.test_ellipticCurveDiffieHellman�s����#�$��;�<�<����!��	
�
�
��/�/��9�9� �J�J�#(�'0�';�';�'C�'C�	
�
�/�/�#(�'0�';�';�'C�'C�
��	�	
�
�	�	�	*�
�	*��
r2N)r�r�r�rCr�r,r2r/r�r��s���&r2r�c�$�eZdZdZereZd�Zd�Zy)�DeprecationTestszo
    Tests for deprecation of L{sslverify.OpenSSLCertificateOptions}'s support
    of the pickle protocol.
    c�|�|jtdddd�dftj�j�y)zT
        L{sslverify.OpenSSLCertificateOptions.__getstate__} is deprecated.
        �Twisted�r�a real persistence systemN)�callDeprecatedrrvr�rir�s r/�test_getstateDeprecationz)DeprecationTests.test_getstateDeprecation�s8��	
���
�Y��A�q�
)�+F�G��/�/�1�>�>�	
r2c�~�|jtdddd�dftj�ji�y)zT
        L{sslverify.OpenSSLCertificateOptions.__setstate__} is deprecated.
        r�r�rr�N)r�rrvr�rjr�s r/�test_setstateDeprecationz)DeprecationTests.test_setstateDeprecations;��	
���
�Y��A�q�
)�+F�G��/�/�1�>�>��	
r2N)r�r�r�rCrbrcr�r�r,r2r/r�r��s���
���
�
r2r�c�0�eZdZdZereZd�Zd�Zd�Zd�Z	y)�TrustRootTestsz�
    Tests for L{sslverify.OpenSSLCertificateOptions}' C{trustRoot} argument,
    L{sslverify.platformTrust}, and their interactions.
    c�:�|jtdt�y)zG
        Patch L{sslverify._ChooseDiffieHellmanEllipticCurve}.
        r�N)r�rvrer�s r/r}zTrustRootTests.setUps��	
�
�
��/�0�	
r2c����tjtj���}ttj
���fd�|_|j�|j�j�y)z�
        Specifying a C{trustRoot} of L{sslverify.OpenSSLDefaultPaths} when
        initializing L{sslverify.OpenSSLCertificateOptions} loads the
        platform-provided trusted certificates via C{set_default_verify_paths}.
        r�c����Sr+r,)r�fcs �r/r0z=TrustRootTests.test_caCertsPlatformDefaults.<locals>.<lambda>0s���b�r2N)
rvr��OpenSSLDefaultPathsrr�TLSv1_METHODr�r�rXr)r�r�r�s  @r/�test_caCertsPlatformDefaultsz+TrustRootTests.test_caCertsPlatformDefaults&sW����2�2��3�3�5�
����)�)�
*��0�����������1�1�2r2c��t�\}}t|||�}t||j�}tt	�||��\}}}}}	|j|jd�|j|jjtj�|jj}
|j|
jdddd�y)a-
        Specifying a C{trustRoot} of L{platformTrust} when initializing
        L{sslverify.OpenSSLCertificateOptions} causes certificates issued by a
        newly created CA to be rejected by an SSL connection using these
        options.

        Note that this test should I{always} pass, even on platforms where the
        CA certificates are not installed, as long as L{platformTrust} rejects
        completely invalid / unknown root CA certificates.  This is simply a
        smoke test to make sure that verification is happening at all.
        �r�r�r�r2rra�tlsv1 alert unknown caN)
r�r�r�r�r6rNr�r��typerr�r�r�)r�r�r��chainedCertr�r�r��sWrapped�cWrappedr��errs           r/�(test_trustRootPlatformRejectsUntrustedCAz7TrustRootTests.test_trustRootPlatformRejectsUntrustedCA4s���"C�!D��
�J�*�4��Z�H��)�$�
�0E�0E�F�
�3H�#�o�%�'�4
�0����(�D�	
�������,�	
����,�,�1�1�3�9�9�=��!�!�'�'��������!��Q���*�,D�Er2c�>�t�\}}t�\}}t|t||j�t||���\}}}}}	|	j	�|j|j�|j|j|j�y)z�
        Specifying a L{Certificate} object for L{trustRoot} will result in that
        certificate being the only trust root for a client.
        r�N)
r�r�r�r�r��assertIsNoner�rNr�r�)
r��caCertr��otherCa�otherServerr�r�r�r�r�s
          r/�!test_trustRootSpecificCertificatez0TrustRootTests.test_trustRootSpecificCertificateSs���
?�@���
�@�B����3H��/��j�6K�6K�L�0��z�B�4
�0����(�D�
	
�
�
�����(�-�-�.��������(9�(9�:r2N)
r�r�r�rCrbrcr}r�r�r�r,r2r/r�r�s&���
���
�3�F�>;r2r�c��eZdZdZereZd�dddddddfd�Zd�Zd�Zd�Z	d	�Z
d
�Zd�Zd�Z
eee�d
��Zeee�d��Zd�Zd�Zy)�ServiceIdentityTestsz�
    Tests for the verification of the peer's service's identity via the
    C{hostname} argument to L{sslverify.OpenSSLCertificateOptions}.
    c��yr+r,�r�s r/r0zServiceIdentityTests.<lambda>qr1r2TFc�"�� �!�"�#�t|�\�!}i}d}
td�\}}|r|j|��|r|r|}
ntd�\}}|}
tjd|jj
|j
d�|��}||j
��|st|�\�!}|r$d�}|jtjd|�d|i}|
r|j|
��|
s|j�!��|	r|jtd	�!fd
��tjdi|��}Gd�dtj�}Gd
�dtj�}|��#|�� tj�}� fd�|_
tj�}�#fd�|_
||_
||_t�}t!|d||���t!|d||���"t#�"fd��fd�|��\}}}|j%�||� �#|fS)a�	
        Connect a server and a client.

        @param clientHostname: The I{client's idea} of the server's hostname;
            passed as the C{hostname} to the
            L{sslverify.OpenSSLCertificateOptions} instance.
        @type clientHostname: L{unicode}

        @param serverHostname: The I{server's own idea} of the server's
            hostname; present in the certificate presented by the server.
        @type serverHostname: L{unicode}

        @param serverContextSetup: a 1-argument callable invoked with the
            L{OpenSSL.SSL.Context} after it's produced.
        @type serverContextSetup: L{callable} taking L{OpenSSL.SSL.Context}
            returning L{None}.

        @param validCertificate: Is the server's certificate valid?  L{True} if
            so, L{False} otherwise.
        @type validCertificate: L{bool}

        @param clientPresentsCertificate: Should the client present a
            certificate to the server?  Defaults to 'no'.
        @type clientPresentsCertificate: L{bool}

        @param validClientCertificate: If the client presents a certificate,
            should it actually be a valid one, i.e. signed by the same CA that
            the server is checking?  Defaults to 'yes'.
        @type validClientCertificate: L{bool}

        @param serverVerifies: Should the server verify the client's
            certificate?  Defaults to 'no'.
        @type serverVerifies: L{bool}

        @param buggyInfoCallback: Should we patch the implementation so that
            the C{info_callback} passed to OpenSSL to have a bug and raise an
            exception (L{ZeroDivisionError})?  Defaults to 'no'.
        @type buggyInfoCallback: L{bool}

        @param fakePlatformTrust: Should we fake the platformTrust to be the
            same as our fake server certificate authority, so that we can test
            it's being used?  Defaults to 'no' and we just pass platform trust.
        @type fakePlatformTrust: L{bool}

        @param useDefaultTrust: Should we avoid passing the C{trustRoot} to
            L{ssl.optionsForClientTLS}?  Defaults to 'no'.
        @type useDefaultTrust: L{bool}

        @return: the client TLS protocol, the client wrapped protocol,
            the server TLS protocol, the server wrapped protocol and
            an L{IOPump} which, when its C{pump} and C{flush} methods are
            called, will move data between the created client and server
            protocol instances
        @rtype: 5-L{tuple} of 4 L{IProtocol}s and L{IOPump}
        Nr�r�r�c��ddzy)z�
                Raise an exception.

                @param a: Arguments for an C{info_callback}

                @param k: Keyword arguments for an C{info_callback}
                rOrNr,)�arKs  r/�brokenz9ServiceIdentityTests.serviceIdentitySetup.<locals>.broken�s���A�r2�_identityVerifyingInfoCallbackrI)�clientCertificater6c����Sr+r,)�serverCAs�r/r0z;ServiceIdentityTests.serviceIdentitySetup.<locals>.<lambda>�s���8�r2c�*�eZdZdZdZdZd�Zd�Zd�Zy)�AServiceIdentityTests.serviceIdentitySetup.<locals>.GreetingServerr�Nr2c�N�|jj|j�yr+r�r�s r/r�zPServiceIdentityTests.serviceIdentitySetup.<locals>.GreetingServer.connectionMade�������$�$�T�]�]�3r2c�.�|xj|z
c_yr+r�r�s  r/r�zNServiceIdentityTests.serviceIdentitySetup.<locals>.GreetingServer.dataReceived�����	�	�T�!�	r2c��||_yr+r�r�s  r/r�zPServiceIdentityTests.serviceIdentitySetup.<locals>.GreetingServer.connectionLost��	��"(��r2)	r�r�r�r�r�r�r�r�r�r,r2r/r�r��s ��$�H��J��D�
4�
"�
)r2r�c�*�eZdZdZdZdZd�Zd�Zd�Zy)�AServiceIdentityTests.serviceIdentitySetup.<locals>.GreetingClientscheerio!r2Nc�N�|jj|j�yr+r�r�s r/r�zPServiceIdentityTests.serviceIdentitySetup.<locals>.GreetingClient.connectionMade�r�r2c�.�|xj|z
c_yr+r�r�s  r/r�zNServiceIdentityTests.serviceIdentitySetup.<locals>.GreetingClient.dataReceived�r�r2c��||_yr+r�r�s  r/r�zPServiceIdentityTests.serviceIdentitySetup.<locals>.GreetingClient.connectionLost�rr2)	r�r�r�r�r�r�r�r�r�r,r2r/�GreetingClientr�s ��"�H��D��J�
4�
"�
)r2rc����Sr+r,r�s�r/r0z;ServiceIdentityTests.serviceIdentitySetup.<locals>.<lambda>����);�r2c����Sr+r,r�s�r/r0z;ServiceIdentityTests.serviceIdentitySetup.<locals>.<lambda>rr2Tr�Fc�&���jd�Sr+r�)�serverTLSFactorys�r/r0z;ServiceIdentityTests.serviceIdentitySetup.<locals>.<lambda>����$�2�2�4�8�r2c�&���jd�Sr+r�)�clientTLSFactorys�r/r0z;ServiceIdentityTests.serviceIdentitySetup.<locals>.<lambda>rr2r�r,)r��updatervr�r��originalr�r��ClientTLSOptionsrMrr�r�r�r�rr7rr�)$r��clientHostname�serverHostname�serverContextSetup�validCertificate�clientPresentsCertificate�validClientCertificate�serverVerifies�buggyInfoCallback�fakePlatformTrust�useDefaultTrustr��other�passClientCert�clientCAr��bogusCA�bogusr�r�r��	signaturer�r�rr�r�r�r�r�r�rr�r�rr�s$                               @@@@@r/�serviceIdentitySetupz)ServiceIdentityTests.serviceIdentitySetupms���H A��P���*�����@��J���*���L�L�8�L�,�$�%�!+��!B�8�!L����!&���8�8�
�!�,�,�5�5�"�+�+�
��
�
�
	�:�0�0�2�3��$E�n�$U�!�H�k��
�
�J�J��*�*�0��
� ��0�	�����~��>�����x��0���J�J�y�/�3C�D��2�2�?�Y�?�
�	)�X�.�.�	)�	)�X�.�.�	)�,�-��+�-�� �(�(�*�
�!;�
�� �(�(�*�
�!;�
��$���$������.���m�5�
��/���}�E�
�� 8�8�8�� 
�����
	
�
�
���v�1�3E�t�K�Kr2c�T�|jdd�\}}}}}|j|jd�|j|jd�|jj}|jj}|j|t�|j|t�y)z�
        When a certificate containing an invalid hostname is received from the
        server, the connection is immediately dropped.
        zwrong-host.example.com�correct-host.example.comr2N)r"rNr�r�r�r�r5r�r�r�r�r�r�r��cErr�sErrs        r/�test_invalidHostnamez)ServiceIdentityTests.test_invalidHostnames���
48�3L�3L�$�&�4
�0����(�D�	
�������,��������,��"�"�(�(���"�"�(�(�����d�$5�6����d�$4�5r2c���|jdd�\}}}}}|j|jd�|j}|j}|j	|�|j	|�y)z}
        Whenever a valid certificate containing a valid hostname is received,
        connection proceeds normally.
        �valid.example.comr�N�r"rNr�r�r�r%s        r/�test_validHostnamez'ServiceIdentityTests.test_validHostname-sm��
48�3L�3L���4
�0����(�D�	
������
�6��"�"���"�"�����$�����$�r2c��|jddd��\}}}}}|j|jd�|j|jd�|jj}|jj}|j|tj�|j|tj�y)z�
        When an invalid certificate containing a perfectly valid hostname is
        received, the connection is aborted with an OpenSSL error.
        r*F)rr2N�r"rNr�r�r�r�rr�r%s        r/�$test_validHostnameInvalidCertificatez9ServiceIdentityTests.test_validHostnameInvalidCertificate=s���
48�3L�3L���"�4M�4
�0����(�D�	
�������,��������,��"�"�(�(���"�"�(�(�����d�C�I�I�.����d�C�I�I�.r2c��|jdddd��\}}}}}|j|jd�|j|jd�|jj}|jj}|j|tj�|j|tj�y)zu
        If we use the default trust from the platform, our dinky certificate
        should I{really} fail.
        r*FT)rrr2Nr.r%s        r/�*test_realCAsBetterNotSignOurBogusTestCertsz?ServiceIdentityTests.test_realCAsBetterNotSignOurBogusTestCertsQs���
48�3L�3L���"� �	4M�4
�0����(�D�	
�������,��������,��"�"�(�(���"�"�(�(�����d�C�I�I�.����d�C�I�I�.r2c���|jdddd��\}}}}}|j|jd�|j}|j}|j	|�|j	|�y)z�
        L{ssl.optionsForClientTLS} should be using L{ssl.platformTrust} by
        default, so if we fake that out then it should trust ourselves again.
        r*T)rrr�Nr+r%s        r/�test_butIfTheyDidItWouldWorkz1ServiceIdentityTests.test_butIfTheyDidItWouldWorkfsy��
48�3L�3L��� �"�	4M�4
�0����(�D�	
������
�6��"�"���"�"�����$�����$�r2c���|jddddd��\}}}}}|j|jd�|j}|j}|j	|�|j	|�y)z�
        When the server verifies and the client presents a valid certificate
        for that verification by passing it to
        L{sslverify.optionsForClientTLS}, communication proceeds.
        r*T)rrrr�Nr+r%s        r/�test_clientPresentsCertificatez3ServiceIdentityTests.test_clientPresentsCertificatexs|��48�3L�3L���!��&*�4M�4
�0����(�D�	
������
�6��"�"���"�"�����$�����$�r2c�N�|jdddddd��\}}}}}|j|jd�|jj}|jj}|j|tj�|j|tj�y)z�
        When the server verifies and the client presents an invalid certificate
        for that verification by passing it to
        L{sslverify.optionsForClientTLS}, the connection cannot be established
        with an SSL error.
        r*TF)rrrrr2Nr.r%s        r/�!test_clientPresentsBadCertificatez6ServiceIdentityTests.test_clientPresentsBadCertificate�s���48�3L�3L���!��#(�&*�
4M�4
�0����(�D�	
�������,��"�"�(�(���"�"�(�(�����d�C�I�I�.����d�C�I�I�.r2c�l��g��fd�}|jdd|�\}}}}}|j�dg�y)z�
        Specifying the C{hostname} argument to L{CertificateOptions} also sets
        the U{Server Name Extension
        <https://en.wikipedia.org/wiki/Server_Name_Indication>} TLS indication
        field to the correct value.
        c�2���fd�}|j|�y)Nc�b���j|j�jd��y)NrZ)r2�get_servernamert)�conn�namess �r/�servername_receivedzfServiceIdentityTests.test_hostnameIsIndicated.<locals>.setupServerContext.<locals>.servername_received�s#������T�0�0�2�9�9�'�B�Cr2��set_tlsext_servername_callback�r�r>r=s  �r/�setupServerContextzIServiceIdentityTests.test_hostnameIsIndicated.<locals>.setupServerContext�s���
D�
�.�.�/B�Cr2r*N)r"rN)r�rBr�r�r�r�r�r=s       @r/�test_hostnameIsIndicatedz-ServiceIdentityTests.test_hostnameIsIndicated�sL�����	D�48�3L�3L��!4�6H�4
�0����(�D�	
����!4� 5�6r2c��
�g�
d}�
fd�}|j|||�\}}}}}|j�
|g�|j|jd�|j}|j}	|j	|�|j	|	�y)z0
        Hostnames are encoded as IDNA.
        uhállo.example.comc�2���fd�}|j|�y)Nc�Z��t|j��}�j|�yr+)r
r;r2)r<�
serverIDNAr=s  �r/r>zcServiceIdentityTests.test_hostnameEncoding.<locals>.setupServerContext.<locals>.servername_received�s"���&�t�':�':�'<�=�
����Z�(r2r?rAs  �r/rBzFServiceIdentityTests.test_hostnameEncoding.<locals>.setupServerContext�s���
)�
�.�.�/B�Cr2r�Nr+)r��hellorBr�r�r�r�r�r&r'r=s          @r/�test_hostnameEncodingz*ServiceIdentityTests.test_hostnameEncoding�s����
��E��	D�48�3L�3L��5�,�4
�0����(�D�	
������(�������
�6��"�"���"�"�����$�����$�r2c����d�G�fd�d�}|�}|jtj|d�d�|jtjtj|d�y)z�
        L{sslverify.simpleVerifyHostname} checks string equality on the
        commonName of a connection's certificate's subject, doing nothing if it
        matches and raising L{VerificationError} if it doesn't.
        zsomething.example.comc���eZdZ�fd�Zy)�6ServiceIdentityTests.test_fallback.<locals>.Connectionc�F��t�}�|j�_|S)z�
                Fake of L{OpenSSL.SSL.Connection.get_peer_certificate}.

                @return: A certificate with a known common name.
                @rtype: L{OpenSSL.crypto.X509}
                )rrAr-)r�r3�names  �r/�get_peer_certificatezKServiceIdentityTests.test_fallback.<locals>.Connection.get_peer_certificate�s"����v��04�� � �"�-��r2N)r�r�r�rO)rNs�r/�
ConnectionrL�s���	
r2rPN�nonsense)rgrv�simpleVerifyHostnamerK�SimpleVerificationError)r�rPr<rNs   @r/�
test_fallbackz"ServiceIdentityTests.test_fallback�sd���'��
	�
	��|���
�
��*�*�4�1H�I�4�	
�	
����-�-��*�*���		
r2c���|jddd��\}}}}}|j|jd�|j|jd�|jj}|jj}|j|t�|j|ttjf�|jt�}|j|�y)a,
        pyOpenSSL isn't always so great about reporting errors.  If one occurs
        in the verification info callback, it should be logged and the
        connection should be shut down (if possible, anyway; the app_data could
        be clobbered but there's no point testing for that).
        r$T)rr2N)r"rNr�r�r�r��ZeroDivisionErrorrrr��flushLoggedErrorsrX)	r�r�r�r�r�r�r&r'�errorss	         r/�test_surpriseFromInfoCallbackz2ServiceIdentityTests.test_surpriseFromInfoCallback�s���48�3L�3L�&�&�"�4M�4
�0����(�D�	
�������,��������,��"�"�(�(���"�"�(�(�����d�$5�6����d�%5�s�y�y�$A�B��'�'�(9�:������r2N)r�r�r�rCrbrcr"r(r,r/r1r3r5r7r�skipSNIrCrIrTrYr,r2r/r�r�ds����
���,��"'�#�����lL�\6�$ � /�(/�* �$ �*/�0�G�W��7��7�(�G�W�� �� �2
�> r2r�c��t�\}}tj|jg�}t	||j
j|j|||��\}}}}	}
|
j
�|j|	jfS)a�
    Create the TLS connection and negotiate a next protocol.

    @param serverProtocols: The protocols the server is willing to negotiate.
    @param clientProtocols: The protocols the client is willing to negotiate.
    @param clientOptions: The type of C{OpenSSLCertificateOptions} class to
        use for the client. Defaults to C{OpenSSLCertificateOptions}.
    @return: A L{tuple} of the negotiated protocol and the reason the
        connection was lost.
    )r�r�r�r�r�r�)	r�rv�OpenSSLCertificateAuthoritiesrr�r�r��negotiatedProtocolr�)r�r�r�r�r�r�r�r�r�r�r�s           r/�negotiateProtocolr^	s���(I�'J�$�M�$��7�7��"�"�	
��I�0M��$�/�/�8�8�+�4�4�'�'�#�
0�,�F�F�H�h��	�J�J�L��%�%�x�':�':�;�;r2c�@�eZdZdZereZnereZd�Zd�Zd�Z	d�Z
d�Zy)�NPNOrALPNTestsz�
    NPN and ALPN protocol selection.

    These tests only run on platforms that have a PyOpenSSL version >= 0.15,
    and OpenSSL version 1.0.1 or later.
    c��tj�}|jtjj|v�y)z
        When at least NPN is available on the platform, NPN is in the set of
        supported negotiation protocols.
        N)rv�protocolNegotiationMechanismsrX�ProtocolNegotiationSupport�NPN�r��supportedProtocolss  r/�)test_nextProtocolMechanismsNPNIsSupportedz8NPNOrALPNTests.test_nextProtocolMechanismsNPNIsSupported8	s1��
'�D�D�F�����	�<�<�@�@�DV�V�Wr2c�r�ddg}t||��\}}|j|d�|j|�y)z�
        When both ALPN and NPN are used, and both the client and server have
        overlapping protocol choices, a protocol is successfully negotiated.
        Further, the negotiated protocol is the first one in the list.
        �h2�http/1.1�r�r�N�r^rNr��r�r�r]r�s    r/�test_NPNAndALPNSuccessz%NPNOrALPNTests.test_NPNAndALPNSuccess@	sE���K�(�	�):�%�%�*
�&��J�	
���+�U�3����*�%r2c�z�gd�}ddg}t||��\}}|j|d�|j|�y)zm
        Client and server have different protocol lists: only the common
        element is chosen.
        )rirjsspdy/2�spdy/3rjrkNrl�r�r�r�r]r�s     r/�test_NPNAndALPNDifferentz'NPNOrALPNTests.test_NPNAndALPNDifferentN	sJ��
:��$�k�2��):�+�+�*
�&��J�	
���+�[�9����*�%r2c�p�ddg}t|g��\}}|j|�|j|�y)zy
        When one peer does not advertise any protocols, the connection is set
        up with no next protocol.
        rirjrkN�r^r�rms    r/�test_NPNAndALPNNoAdvertisez)NPNOrALPNTests.test_NPNAndALPNNoAdvertise\	sC��
�K�(�	�):�%��*
�&��J�	
���,�-����*�%r2c��ddg}dg}t||��\}}|j|�|j|jtj
�y)zh
        When the client and server have no overlap of protocols, the connection
        fails.
        rirjrp�r�r�N)r^r�rNr�rr�)r�r�r�r]r�s     r/�test_NPNAndALPNNoOverlapz'NPNOrALPNTests.test_NPNAndALPNNoOverlapi	sT��
!�+�.��$�+��):�+�+�*
�&��J�	
���,�-�������#�)�)�4r2N)r�r�r�rCrbrc�skipNPNrgrnrrrurxr,r2r/r`r`+	s3������	���X�&�&�&�5r2r`c�.�eZdZdZereZd�ZyereZd�Zy)�	ALPNTestsa.
    ALPN protocol selection.

    These tests only run on platforms that have a PyOpenSSL version >= 0.15,
    and OpenSSL version 1.0.2 or later.

    This covers only the ALPN specific logic, as any platform that has ALPN
    will also have NPN and so will run the NPNAndALPNTest suite as well.
    c��tj�}|jtjj|v�y)z�
        When ALPN is available on a platform, protocolNegotiationMechanisms
        includes ALPN in the suported protocols.
        N)rvrbrXrc�ALPNres  r/�*test_nextProtocolMechanismsALPNIsSupportedz4ALPNTests.test_nextProtocolMechanismsALPNIsSupported�	s1��
'�D�D�F�����	�<�<�A�A�EW�W�Xr2N)r�r�r�rCrbrc�skipALPNr~r,r2r/r{r{x	s'������Y�
���Yr2r{c�8�eZdZdZereZneresdZd�Zd�Z	d�Z
y)�NPNAndALPNAbsentTestsz�
    NPN/ALPN operations fail on platforms that do not support them.

    These tests only run on platforms that have a PyOpenSSL version < 0.15,
    an OpenSSL version earlier than 1.0.1, or an OpenSSL/cryptography built
    without NPN support.
    z+NPN and/or ALPN is present on this platformc�N�tj�}|j|�y)z}
        When neither NPN or ALPN are available on a platform, there are no
        supported negotiation protocols.
        N)rvrbr^res  r/�1test_nextProtocolMechanismsNoNegotiationSupportedzGNPNAndALPNAbsentTests.test_nextProtocolMechanismsNoNegotiationSupported�	s"��
'�D�D�F�����+�,r2c�F�ddg}|jtt||��y)z�
        A NotImplementedError is raised when using acceptableProtocols on a
        platform that does not support either NPN or ALPN.
        rirjrwN)rK�NotImplementedErrorr^)r�r�s  r/�test_NPNAndALPNNotImplementedz3NPNAndALPNAbsentTests.test_NPNAndALPNNotImplemented�	s-��
�K�(�	������%�%�		�	
r2c�p�d}d}t||��\}}|j|�|j|�y)z�
        negotiatedProtocol return L{None} even when NPN/ALPN aren't supported.
        This works because, as neither are supported, negotiation isn't even
        attempted.
        Nrkrtrqs     r/�"test_NegotiatedProtocolReturnsNonez8NPNAndALPNAbsentTests.test_NegotiatedProtocolReturnsNone�	sC������):�+�+�*
�&��J�	
���,�-����*�%r2N)r�r�r�rCrbrcryrr�r�r�r,r2r/r�r��	s*������
�H�<��-�
�
&r2r�c��eZdZd�Zy)�_NotSSLTransportc��|Sr+r,r�s r/r�z_NotSSLTransport.getHandle�	����r2N)r�r�r�r�r,r2r/r�r��	s��r2r�c��eZdZd�Zd�Zd�Zy)�_MaybeSSLTransportc��|Sr+r,r�s r/r�z_MaybeSSLTransport.getHandle�	r�r2c��yr+r,r�s r/rOz'_MaybeSSLTransport.get_peer_certificate�	rr2c��yr+r,r�s r/�get_host_certificatez'_MaybeSSLTransport.get_host_certificate�	rr2N)r�r�r�r�rOr�r,r2r/r�r��	s����r2r�c��eZdZd�Zd�Zd�Zy)�_ActualSSLTransportc��|Sr+r,r�s r/r�z_ActualSSLTransport.getHandle�	r�r2c�\�tjjt�jSr+)rvrwrxrOrr�s r/r�z(_ActualSSLTransport.get_host_certificate�	� ���$�$�,�,�-C�D�M�M�Mr2c�\�tjjt�jSr+)rvrwrxrVrr�s r/rOz(_ActualSSLTransport.get_peer_certificate�	r�r2N)r�r�r�r�r�rOr,r2r/r�r��	s���N�Nr2r�c�8�eZdZereZd�Zd�Zd�Zd�Zd�Z	d�Z
y)�ConstructorsTestsc���|jttjjt��}|j
t|�jd��y)z�
        Verify that peerFromTransport raises an exception if the transport
        passed is not actually an SSL transport.
        �non-TLSN)	rKrrvrw�peerFromTransportr�rXrO�
startswith�r��xs  r/�test_peerFromNonSSLTransportz.ConstructorsTests.test_peerFromNonSSLTransport�	�I��

�����!�!�3�3���
��
	
����A��)�)�)�4�5r2c���|jttjjt��}|j
t|�jd��y)z�
        Verify that peerFromTransport raises an exception if the transport
        passed is an SSL transport, but doesn't have a peer certificate.
        �TLSN)	rKrrvrwr�r�rXrOr�r�s  r/�test_peerFromBlankSSLTransportz0ConstructorsTests.test_peerFromBlankSSLTransport�	�I��

�����!�!�3�3�� �
��
	
����A��)�)�%�0�1r2c���|jttjjt��}|j
t|�jd��y)z�
        Verify that hostFromTransport raises an exception if the transport
        passed is not actually an SSL transport.
        r�N)	rKrrvrw�hostFromTransportr�rXrOr�r�s  r/�test_hostFromNonSSLTransportz.ConstructorsTests.test_hostFromNonSSLTransport�	r�r2c���|jttjjt��}|j
t|�jd��y)z�
        Verify that hostFromTransport raises an exception if the transport
        passed is an SSL transport, but doesn't have a host certificate.
        r�N)	rKrrvrwr�r�rXrOr�r�s  r/�test_hostFromBlankSSLTransportz0ConstructorsTests.test_hostFromBlankSSLTransport
r�r2c��|jtjjt	��j�d�y)z�
        Verify that hostFromTransport successfully creates the correct
        certificate if passed a valid SSL transport.
        i90N)rNrvrwr�r��serialNumberr�s r/�test_hostFromSSLTransportz+ConstructorsTests.test_hostFromSSLTransport
�6��
	
����!�!�3�3�#�%�
��l�n��		
r2c��|jtjjt	��j�d�y)z�
        Verify that peerFromTransport successfully creates the correct
        certificate if passed a valid SSL transport.
        i:0N)rNrvrwr�r�r�r�s r/�test_peerFromSSLTransportz+ConstructorsTests.test_peerFromSSLTransport
r�r2N)r�r�r�rbrcr�r�r�r�r�r�r,r2r/r�r��	s(�����
6�
2�
6�
2�

�

r2r�c�6�eZdZdZereZd�Zd�Zd�Zd�Z	d�Z
y)�!MultipleCertificateTrustRootTestszH
    Test the behavior of the trustRootFromCertificates() API call.
    c��tjjt�}tjjt
�}tj||g�}t||jj|j��\}}}}}|j|jd�|j|j�y)z�
        L{trustRootFromCertificates} accepts either a L{sslverify.Certificate}
        or a L{sslverify.PrivateCertificate} instance.
        �r�r�r�r�N)rvr{rx�	A_KEYPAIRrwrO�trustRootFromCertificatesr�r�rrNr�r�r�)	r��privateCertr3�mtr�r��sWrap�cWrapr�s	         r/�+test_trustRootFromCertificatesPrivatePubliczMMultipleCertificateTrustRootTests.test_trustRootFromCertificatesPrivatePublic4
s���
 �2�2�:�:�9�E���$�$�,�,�-C�D��
�
0�
0�+�t�1D�
E��.K��"�-�-�6�6�)�2�2�.
�*����u�d�	
������]�3����%�*�*�+r2c��tdd��\}}tjjtj|�tj
|��}tj|g�}t||jj|j��\}}}}}	|j|jd�|j|j�y)z�
        L{trustRootFromCertificates} called with a single self-signed
        certificate will cause L{optionsForClientTLS} to accept client
        connections to a server with that certificate.
        rorprqr�r�N)rMrvr{�fromCertificateAndKeyPairrwr�r�r�r�rrNr�r�r�)
r��keyr3�
selfSigned�trustr�r�r�r�r�s
          r/�)test_trustRootSelfSignedServerCertificatezKMultipleCertificateTrustRootTests.test_trustRootSelfSignedServerCertificateJ
s���$�&@�Y�O�	��T��1�1�K�K��!�!�$�'����c�"�
�
�
�3�3�Z�L�A��.K��!�,�,�5�5�(�1�1�.
�*����u�d�
	
������]�3����%�*�*�+r2c��t�\}}tj|g�}t||jj
|j
��\}}}}}|j
|jd�|j|j�y)z�
        L{trustRootFromCertificates} called with certificate A will cause
        L{optionsForClientTLS} to accept client connections to a server with
        certificate B where B is signed by A.
        r�r�N)
r�rvr�r�r�rrNr�r�r�)	r�r�r�r�r�r�r�r�r�s	         r/�2test_trustRootCertificateAuthorityTrustsConnectionzTMultipleCertificateTrustRootTests.test_trustRootCertificateAuthorityTrustsConnectionb
s���?�@���
��3�3�V�H�=��.K��!�,�,�5�5�(�1�1�.
�*����u�d�
	
������]�3����%�*�*�+r2c��tdd��\}}tjjtj|�tj
|��}tjtdd��d�}tj|g�}t||jj|j��\}}}}	}
|j|	jd�|j|	jjtj�|	jj }|j|j"d	d	d
d�y)
z�
        L{trustRootFromCertificates} called with certificate A will cause
        L{optionsForClientTLS} to disallow any connections to a server with
        certificate B where B is not signed by A.
        rorprqrts
unknown CArOr�r2rrar�N)rMrvr{r�rwr�r�r�r�rrNr�r�r�rr�r�r�)r�r�r3r��
untrustedCertr�r�r�r�r�r�r�s            r/�'test_trustRootFromCertificatesUntrustedzIMultipleCertificateTrustRootTests.test_trustRootFromCertificatesUntrustedv
s��$�&@�Y�O�	��T��1�1�K�K��!�!�$�'����c�"�
�
�"�-�-��4��G��J�
�
��3�3�]�O�D��.K��!�,�,�5�5�(�1�1�.
�*����u�d�	
������S�)�	
����)�)�.�.��	�	�:����$�$��������!��Q���*�,D�Er2c���tjjt�}|j}|jttj|g�}|jd|jd�y)z}
        L{trustRootFromCertificates} rejects any L{OpenSSL.crypto.X509}
        instances in the list passed to it.
        zBcertificates items must be twisted.internet.ssl.CertBase instancesrN)
rvr{rxr�rrKrLr�rNr�)r��private�certX509r�s    r/�,test_trustRootFromCertificatesOpenSSLObjectszNMultipleCertificateTrustRootTests.test_trustRootFromCertificatesOpenSSLObjects�
se��
�.�.�6�6�y�A���#�#���%�%���/�/�
�J�
�	�
	
���S��N�N�1��	
r2N)r�r�r�rCrbrcr�r�r�r�r�r,r2r/r�r�,
s,������,�,,�0,�(!F�F
r2r�c�4�eZdZdZereZdZd�Zd�Zd�Z	d�Z
y)�OpenSSLCipherTestsz>
    Tests for twisted.internet._sslverify.OpenSSLCipher.
    z
CIPHER-STRINGc��|j|jtj|j�j�y)zU
        The first argument passed to the constructor becomes the full name.
        N)rN�
cipherNamervr��fullNamer�s r/�test_constructorSetsFullNamez/OpenSSLCipherTests.test_constructorSetsFullName�
s0��	
����O�O�Y�4�4�T�_�_�E�N�N�	
r2c��tj|j�}|j|t	t|�dtji��y)zC
        C{repr(cipher)} returns a valid constructor call.
        r�N)rvr�r�rN�eval�repr)r�r�s  r/�	test_reprzOpenSSLCipherTests.test_repr�
sA���(�(����9������D��f����9P�9P�'Q�R�	
r2c��tj|j�}tj|j�}|j||�y)zN
        Equal type and C{fullName} means that the objects are equal.
        N)rvr�r�rN)r��cipher1�cipher2s   r/�test_eqSameClassz#OpenSSLCipherTests.test_eqSameClass�
s<���)�)�$�/�/�:���)�)�$�/�/�:������'�*r2c���G�fd�d�}�jtj�j�|��y)ze
        If ciphers have the same name but different types, they're still
        different.
        c�(��eZdZW�jZy)�HOpenSSLCipherTests.test_eqSameNameDifferentType.<locals>.DifferentCipherN)r�r�r�r�r�r�s�r/�DifferentCipherr��
s������Hr2r�N)r3rvr�r�)r�r�s` r/�test_eqSameNameDifferentTypez/OpenSSLCipherTests.test_eqSameNameDifferentType�
s5���	'�	'�	
����#�#�D�O�O�4���	
r2N)r�r�r�rCrbrcr�r�r�r�r�r,r2r/r�r��
s*������ �J�
�
�+�
r2r�c�*�eZdZdZereZd�Zd�Zd�Zy)�ExpandCipherStringTestszD
    Tests for twisted.internet._sslverify._expandCipherString.
    c�~�|jt�tjdtj
d��y)zU
        If the expanded cipher list is empty, an empty L{list} is returned.
        rrN)rN�tuplerv�_expandCipherStringrr�r�s r/�!_test_doesNotStumbleOverEmptyListz9ExpandCipherStringTests._test_doesNotStumbleOverEmptyList�
s.��	
����G�Y�2�2�2�s�7H�7H�!�L�	
r2c���d�}ttj��|�_|j	t
jd�fd��|j
tjt
jdtjd�y)zf
        Only no cipher matches get swallowed, every other SSL error gets
        propagated.
        c�2�tjgd�g��)N)rrr)rr�)r�s r/�raiserzIExpandCipherStringTests.test_doesNotSwallowOtherSSLErrors.<locals>.raiser�
s���)�)�\�N�+�+r2r�c����Sr+r,)r�r�s �r/r0zKExpandCipherStringTests.test_doesNotSwallowOtherSSLErrors.<locals>.<lambda>�
s���s�r2�ALLrN)	rrr�r8r�rvrKr�r�)r�r�r�s  @r/�!test_doesNotSwallowOtherSSLErrorsz9ExpandCipherStringTests.test_doesNotSwallowOtherSSLErrors�
s`���	,�
�#�+�+�,��$����
�
�9�=�=�)�]�;�����I�I�y�4�4�e�S�=N�=N�PQ�	
r2c��tjdtjd�}|j	|t
�g}|D]3}tjj|�r�#|j|��5|jg|�y)zn
        L{sslverify._expandCipherString} always returns a L{tuple} of
        L{interfaces.ICipher}.
        r�rN)rvr�rr�r�r�r�ICipher�
providedByr2rN)r��ciphersr r.s    r/�test_returnsTupleOfICiphersz3ExpandCipherStringTests.test_returnsTupleOfICiphersss��
�/�/��s�7H�7H�!�L�����g�u�-����	 �A��%�%�0�0��3����Q��	 �	
����U�#r2N)	r�r�r�rCrbrcr�r�r�r,r2r/r�r��
s ������
�
�$$r2r�c�*�eZdZdZereZd�Zd�Zd�Zy)�AcceptableCiphersTestszI
    Tests for twisted.internet._sslverify.OpenSSLAcceptableCiphers.
    c��tjt��}|jt�|j	t���y)zG
        If no ciphers are available, nothing can be selected.
        N)rv�OpenSSLAcceptableCiphersr�rNr��r��acs  r/�&test_selectOnEmptyListReturnsEmptyListz=AcceptableCiphersTests.test_selectOnEmptyListReturnsEmptyLists5���
/�
/���
8�������"�"2�"2�5�7�";�<r2c	�8�tjtjd�tjd�g�}|jtjd�f|j	tjd�tjd�g��y)zi
        Select only returns a cross section of what is available and what is
        desirable.
        �A�B�CN)rvr�r�rNr�r�s  r/�#test_selectReturnsOnlyFromAvailablez:AcceptableCiphersTests.test_selectReturnsOnlyFromAvailables���
�
/�
/��'�'��,��'�'��,�
�
��	
���
�
$�
$�S�
)�+�����(�(��-�y�/F�/F�s�/K�L�
�	
r2c���tjjd�}|j|jt
�|j
td�|jD���y)z�
        If L{sslverify.OpenSSLAcceptableCiphers.fromOpenSSLCipherString} is
        called it expands the string to a tuple of ciphers.
        r�c3�ZK�|]#}tjj|����%y�wr+)rvr�r�)�.0r.s  r/�	<genexpr>z]AcceptableCiphersTests.test_fromOpenSSLCipherStringExpandsToTupleOfCiphers.<locals>.<genexpr>7s!����Q��I�-�-�8�8��;�Q�s�)+N)rvr��fromOpenSSLCipherStringr��_ciphersr�rX�allr�s  r/�3test_fromOpenSSLCipherStringExpandsToTupleOfCipherszJAcceptableCiphersTests.test_fromOpenSSLCipherStringExpandsToTupleOfCiphers0sI��
�
/�
/�
G�
G��
N�����b�k�k�5�1�����Q�R�[�[�Q�Q�Rr2N)	r�r�r�rCrbrcr�r�rr,r2r/r�r�s!������=�
�$Sr2r�c�.�eZdZdZereZed�Zd�Zy)�DiffieHellmanParametersTestszD
    Tests for twisted.internet._sslverify.OpenSSLDHParameters.
    r#c��tjj|j�}|j	|j|j
�y)zl
        Calling C{fromFile} with a filename returns an instance with that file
        name saved.
        N)rv�OpenSSLDiffieHellmanParameters�fromFile�filePathrNr$)r��paramss  r/�
test_fromFilez*DiffieHellmanParametersTests.test_fromFileCs6��
�9�9�B�B�4�=�=�Q�����������7r2N)	r�r�r�rCrbrcrr	rr,r2r/rr:s ��������%�H�8r2rc��eZdZdZdZd�Zy)�FakeLibStatea�
    State for L{FakeLib}

    @param setECDHAutoRaises: An exception
        L{FakeLib.SSL_CTX_set_ecdh_auto} should raise; if L{None},
        nothing is raised.

    @ivar ecdhContexts: A list of SSL contexts with which
        L{FakeLib.SSL_CTX_set_ecdh_auto} was called
    @type ecdhContexts: L{list} of L{OpenSSL.SSL.Context}s

    @ivar ecdhValues: A list of boolean values with which
        L{FakeLib.SSL_CTX_set_ecdh_auto} was called
    @type ecdhValues: L{list} of L{boolean}s
    ��setECDHAutoRaises�ecdhContexts�
ecdhValuesc�.�||_g|_g|_yr+r)r�rs  r/rzFakeLibState.__init___s��!2��������r2N�r�r�r�rC�	__slots__rr,r2r/r
r
Ls��� D�I�r2r
c��eZdZdZd�Zd�Zy)�FakeLibz�
    An introspectable fake of cryptography's lib object.

    @param state: A L{FakeLibState} instance that contains this fake's
        state.
    c��||_yr+��_state�r�rms  r/rzFakeLib.__init__m�	����r2c���|jjj|�|jjj|�|jj�|jj�y)a
        Record the context and value under in the C{_state} instance
        variable.

        @see: L{FakeLibState}

        @param ctx: An SSL context.
        @type ctx: L{OpenSSL.SSL.Context}

        @param value: A boolean value
        @type value: L{bool}
        N)rrr2rr)r�r�r�s   r/�SSL_CTX_set_ecdh_autozFakeLib.SSL_CTX_set_ecdh_autopsY��	
��� � �'�'��,������%�%�e�,��;�;�(�(�4��+�+�/�/�/�5r2N)r�r�r�rCrrr,r2r/rres����0r2rc��eZdZdZd�Zd�Zy)�FakeLibTestsz
    Tests for L{FakeLib}.
    c�@�td��}t|�}|j|j�|j|j�d\}}|j||�|j
|j|g�|j
|jdg�y)zh
        L{FakeLib.SSL_CTX_set_ecdh_auto} records context and value it
        was called with.
        N�r��CONTEXTTT)r
r�	assertNotrrrrN�r�rm�librlr�s     r/�test_SSL_CTX_set_ecdh_autoz'FakeLibTests.test_SSL_CTX_set_ecdh_auto�s���
�t�4���e�n�����u�)�)�*����u�'�'�(�(�����!�!�'�5�1�����+�+�g�Y�7�����)�)�D�6�2r2c�h�tt��}t|�}|j|j�|j|j
�d\}}|j
t|j||�|j|j|g�|j|j
dg�y)z�
        L{FakeLib.SSL_CTX_set_ecdh_auto} raises the exception provided
        by its state, while still recording its arguments.
        r!r"TN)	r
rqrr$rrrKrrNr%s     r/� test_SSL_CTX_set_ecdh_autoRaisesz-FakeLibTests.test_SSL_CTX_set_ecdh_autoRaises�s���
�z�:���e�n�����u�)�)�*����u�'�'�(�(�������*�c�&?�&?��%�P�����+�+�g�Y�7�����)�)�D�6�2r2N)r�r�r�rCr'r)r,r2r/rr�s���
3�
3r2rc��eZdZdZdZd�Zy)�FakeCryptoStatea�
    State for L{FakeCrypto}

    @param getEllipticCurveRaises: What
        L{FakeCrypto.get_elliptic_curve} should raise; L{None} and it
        won't raise anything

    @param getEllipticCurveReturns: What
        L{FakeCrypto.get_elliptic_curve} should return.

    @ivar getEllipticCurveCalls: The arguments with which
        L{FakeCrypto.get_elliptic_curve} has been called.
    @type getEllipticCurveCalls: L{list}
    ��getEllipticCurveRaises�getEllipticCurveReturns�getEllipticCurveCallsc�.�||_||_g|_yr+r,)r�r-r.s   r/rzFakeCryptoState.__init__�s��
'=��#�'>��$�%'��"r2Nrr,r2r/r+r+�s��
��I�(r2r+c��eZdZdZd�Zd�Zy)�
FakeCryptozy
    An introspectable fake of pyOpenSSL's L{OpenSSL.crypto} module.

    @ivar state: A L{FakeCryptoState} instance
    c��||_yr+rrs  r/rzFakeCrypto.__init__�rr2c���|jjj|�|jj�|jj�|jjS)a
        A fake that records the curve with which it was called.

        @param curve: see L{crypto.get_elliptic_curve}

        @return: see L{FakeCryptoState.getEllipticCurveReturns}
        @raises: see L{FakeCryptoState.getEllipticCurveRaises}
        )rr/r2r-r.r@s  r/�get_elliptic_curvezFakeCrypto.get_elliptic_curve�sL��	
���)�)�0�0��7��;�;�-�-�9��+�+�4�4�4��{�{�2�2�2r2N)r�r�r�rCrr5r,r2r/r2r2�s����3r2r2c�"�eZdZdZd�Zd�Zd�Zy)�FakeCryptoTestsz"
    Tests for L{FakeCrypto}.
    c��tdd��}t|�}|jd�|j|jdg�y)zk
        L{FakeCrypto.test_get_elliptic_curve} records the curve with
        which it was called.
        N�r-r.za curve name)r+r2r5rNr/�r�rm�cryptos   r/�&test_get_elliptic_curveRecordsArgumentz6FakeCryptoTests.test_get_elliptic_curveRecordsArgument�sG��
 �#'�$(�
���E�"���!�!�.�1�����4�4�~�6F�Gr2c��d}td|��}t|�}|j|jd�|�|j	|j
dg�y)z�
        L{FakeCrypto.test_get_elliptic_curve} returns the value
        specified by its state object and records what it was called
        with.
        �objectNr9zanother curve name)r+r2rgr5rNr/)r��returnValuermr;s    r/�test_get_elliptic_curveReturnsz.FakeCryptoTests.test_get_elliptic_curveReturns�s_�����#'�$/�
���E�"���
�
��%�%�&:�;��	
�	
����4�4�7K�6L�Mr2c��ttd��}t|�}|jt|jd�|j|jdg�y)zs
        L{FakeCrypto.test_get_elliptic_curve} raises the exception
        specified by its state object.
        Nr9zyet another curve name)r+rqr2rKr5rNr/r:s   r/�test_get_elliptic_curveRaisesz-FakeCryptoTests.test_get_elliptic_curveRaisess[��
 �#-�t�
���E�"�������%�%�$�	
�
	
����'�'�
%�&�	
r2N)r�r�r�rCr<r@rBr,r2r/r7r7�s���H�N�$
r2r7c�N�eZdZdZereZdZdZdZd�Z	d�Z
d�Zd�Zd	�Z
d
�Zd�Zy)
�%ChooseDiffieHellmanEllipticCurveTestsaN
    Tests for L{sslverify._ChooseDiffieHellmanEllipticCurve}.

    @cvar OPENSSL_110: A version number for OpenSSL 1.1.0

    @cvar OPENSSL_102: A version number for OpenSSL 1.0.2

    @cvar OPENSSL_101: A version number for OpenSSL 1.0.1

    @see:
        U{https://wiki.openssl.org/index.php/Manual:OPENSSL_VERSION_NUMBER(3)}
    ii� iOc���td��|_t|j�|_t	dd��|_t
|j
�|_ttj�|_y)NFr!)r.r-)r
�libStaterr&r+�cryptoStater2r;rrr�rlr�s r/r}z+ChooseDiffieHellmanEllipticCurveTests.setUp-sV��$�u�=��
��4�=�=�)���*�$(��
���!��!1�!1�2���"�3�#4�#4�5��r2c���tj|j|j|j��}|j|j�|j|jj�|j|jj�|j|jj�|j|jj�y)z�
        No configuration of contexts occurs under OpenSSL 1.1.0 and
        later, because they create contexts with secure ECDH curves.

        @see: U{http://twistedmatrix.com/trac/ticket/9210}
        �rhriN)rvr��OPENSSL_110r&r;rkrlr^rFrrrGr/r�r�r��choosers  r/�test_openSSL110z5ChooseDiffieHellmanEllipticCurveTests.test_openSSL1107s����=�=�����x�x��+�+�
��
	�"�"�4�<�<�0�������3�3�4�������1�1�2�����)�)�?�?�@����$�,�,�/�/�0r2c��tjtj�}tj|j
|j|j��}|j|�|j|jj|jg�|j|jjdg�|j|jj �|j#|j$j&�y)z�
        OpenSSL 1.0.2 does not set ECDH curves by default, but
        C{SSL_CTX_set_ecdh_auto} requests that a context choose a
        secure set curves automatically.
        rITN)rr�r�rvr��OPENSSL_102r&r;rkrNrFrrfrr^rGr/r�rlr�r�rlrLs   r/�test_openSSL102z5ChooseDiffieHellmanEllipticCurveTests.test_openSSL102Js����+�+�c�/�/�0���=�=�����x�x��+�+�
��
	�"�"�7�+�������3�3�g�6F�6F�5G�H�������1�1�D�6�:�����)�)�?�?�@����$�,�,�/�/�0r2c��t|j_tjtj
�}t
j|j|j|j��}|j|�|j|jj|jg�|j|jjdg�|j!|j"j$�y)z�
        An exception raised by C{SSL_CTX_set_ecdh_auto} under OpenSSL
        1.0.2 is suppressed because ECDH is best-effort.
        rITN)�
BaseExceptionrFrrr�r�rvr�rOr&r;rkrNrrfrr^rGr/rPs   r/� test_openSSL102SetECDHAutoRaiseszFChooseDiffieHellmanEllipticCurveTests.test_openSSL102SetECDHAutoRaises]s���
+8��
�
�'��+�+�c�/�/�0���=�=�����x�x��+�+�
��
	�"�"�7�+�������3�3�g�6F�6F�5G�H�������1�1�D�6�:�����)�)�?�?�@r2c��dx|j_}tj|j|j
|j��}|j|j�|j|jj�|j|jj�|j|jjtjg�|j!|jj"|�y)z�
        OpenSSL 1.0.1 does not set ECDH curves by default, nor does
        it expose L{SSL_CTX_set_ecdh_auto}.  Instead, a single ECDH
        curve can be set with L{OpenSSL.SSL.Context.set_tmp_ecdh}.
        zcurve objectrIN)rGr.rvr��OPENSSL_101r&r;rkrlr^rFrrrNr/�_defaultCurveNamergr)r�rArLs   r/�test_openSSL101z5ChooseDiffieHellmanEllipticCurveTests.test_openSSL101os���<J�I����0�5��=�=�����x�x��+�+�
��
	�"�"�4�<�<�0�������3�3�4�������1�1�2�������2�2�
�
(�
(�)�	
�	
�
�
�d�l�l�+�+�U�3r2c���d�}||j_tj|j|j
|j��}|j|j�|j|jj�|j|jj�|j|jjtjg�y)z�
        An exception raised by L{OpenSSL.SSL.Context.set_tmp_ecdh}
        under OpenSSL 1.0.1 is suppressed because ECHDE is best-effort.
        c��t�r+)rSr�s r/rBzXChooseDiffieHellmanEllipticCurveTests.test_openSSL101SetECDHRaises.<locals>.set_tmp_ecdh�s���r2rIN)rlrBrvr�rVr&r;rkr^rFrrrNrGr/rW)r�rBrLs   r/�test_openSSL101SetECDHRaiseszBChooseDiffieHellmanEllipticCurveTests.test_openSSL101SetECDHRaises�s���	 �%1����!��=�=�����x�x��+�+�
��
	�"�"�4�<�<�0�������3�3�4�������1�1�2�������2�2�
�
(�
(�)�	
r2c��t|j_tj|j
|j|j��}|j|j�|j|jj�|j|jj�|j|jj�y)zy
        Contexts created under an OpenSSL 1.0.1 that doesn't support
        ECC have no configuration applied.
        rIN)rqrGr-rvr�rVr&r;rkrlr^rFrrr�rrKs  r/�test_openSSL101NoECCz:ChooseDiffieHellmanEllipticCurveTests.test_openSSL101NoECC�s���
3=����/��=�=�����x�x��+�+�
��
	�"�"�4�<�<�0�������3�3�4�������1�1�2����$�,�,�/�/�0r2N)r�r�r�rCrbrcrJrOrVr}rMrQrTrXr[r]r,r2r/rDrDsD�������K��K��K�6�1�&1�&A�$4�,
�21r2rDc�0�eZdZdZereZd�Zd�Zd�Zd�Z	y)�KeyPairTestsz)
    Tests for L{sslverify.KeyPair}.
    c�.�tdd��d|_y)z*
        Create test certificate.
        rorprqrN)rMrur�s r/r}zKeyPairTests.setUp�s��$�&@�Y�O�PQ�R��	r2c��|jtdddd�dftj|j�j
�y)zB
        L{sslverify.KeyPair.__getstate__} is deprecated.
        r�r�rr�N)r�rrvr�rurir�s r/r�z%KeyPairTests.test_getstateDeprecation�s>��	
���
�Y��A�q�
)�+F�G����d�i�i�(�5�5�	
r2c���tj|j�j�}|j	tdddd�dftj|j�j|�y)zA
        {sslverify.KeyPair.__setstate__} is deprecated.
        r�r�rr�N)rvr�rur�r�rrjrs  r/r�z%KeyPairTests.test_setstateDeprecation�s^���!�!�$�)�)�,�1�1�3�����
�Y��A�q�
)�+F�G����d�i�i�(�5�5��	
r2c��td�jjd�}|j�}tj
j
|�y)Nztwisted.testzcert.pem.no_trailing_newline)rr	�sibling�
getContentr)rwrx)r��noTrailingNewlineKeyPemPath�certPEMs   r/�test_noTrailingNewlinePemCertz*KeyPairTests.test_noTrailingNewlinePemCert�sC��&/��&?�&H�&H�&P�&P�*�'
�#�.�8�8�:��������(r2N)
r�r�r�rCrbrcr}r�r�rhr,r2r/r_r_�s&������S�
�	
�)r2r_c�V�eZdZdZereZd�Zejd��ge_d�Z	y)�SelectVerifyImplementationTestsz3
    Tests for L{_selectVerifyImplementation}.
    c��td�5dtjd<tj�}tj
tjtjf}|j||�ddd�y#1swYyxYw)z�
        If I{service_identity} cannot be imported then
        L{_selectVerifyImplementation} returns L{simpleVerifyHostname} and
        L{SimpleVerificationError}.
        �service_identityN)	r�sys�modulesrv�_selectVerifyImplementationrR�simpleVerifyIPAddressrSrN)r�r|�expecteds   r/�test_dependencyMissingz6SelectVerifyImplementationTests.test_dependencyMissing�ss���.�
/�		/�.2�C�K�K�*�+��:�:�<�F��.�.��/�/��1�1��H�

���X�v�.�		/�		/�		/�s�A)A>�>BzEYou do not have a working installation of the service_identity module)r�c�X�td�5dtjd<tj�ddd�td�|j
�D��\}d}|j|d|�|j|dd�|j|dd	�y#1swY�mxYw)
z�
        If I{service_identity} cannot be imported then
        L{_selectVerifyImplementation} emits a L{UserWarning} advising the user
        of the exact error.
        rlNc3�8K�|]}|dtk(r|���y�w)r�N)�UserWarning)r��warnings  r/r�zPSelectVerifyImplementationTests.test_dependencyMissingWarning.<locals>.<genexpr>
s%����
���z�"�k�1�
�
�s�a�You do not have a working installation of the service_identity module: 'import of service_identity halted; None in sys.modules'.  Please install it from <https://pypi.python.org/pypi/service_identity> and make sure all of its dependencies are satisfied.  Without the service_identity module, Twisted can perform only rudimentary TLS client hostname verification.  Many valid certificate/hostname mappings may be rejected.r��filenamer�linenor)rrmrnrvro�listr�rN)r�rv�expectedMessages   r/�test_dependencyMissingWarningz=SelectVerifyImplementationTests.test_dependencyMissingWarning�s����.�
/�	4�.2�C�K�K�*�+��1�1�3�	4�
�
��-�-�/�
�
�	��
=�	�	
�����+�_�=�	
�����,�b�1������*�A�.�=	4�	4�s�(B � B)N)
r�r�r�rCrbrcrrrr�r{r,r2r/rjrj�s;������/�$	��
�
�*�	
�'��#�$/r2rj)rWr+r�)�rCr_�	itertoolsrm�unittestr�zope.interfacer�incrementalr�twisted.internetrrrr	�twisted.internet._idnar
�twisted.internet.errorrrr
�twisted.internet.taskr�twisted.python.compatr�twisted.python.filepathr�twisted.python.modulesr�twisted.python.reflectr�twisted.test.iosimr�twisted.test.test_twistedr�
twisted.trialr�twisted.trial.unittestrrrrbrZryrrnrr�OpenSSL.cryptorrrrr �cryptographyr!�cryptography.hazmat.backendsr"�cryptography.hazmat.primitivesr#�)cryptography.hazmat.primitives.asymmetricr$�,cryptography.hazmat.primitives.serializationr%r&r'�cryptography.x509.oidr(r)r�r�r��set_npn_advertise_callbackr�r4�set_alpn_select_callbackr4rv�twisted.internet.sslr5r6�twisted.protocols.tlsr7rOrVr�r	rdrer��countr:rMr�r�r�r�r�r�r�r�rrErermr�r�r�r�r�r^r`r{r�r�r�r�r�r�r�r�r�rr
rrr+r2r7rDr_rjr,r2r/�<module>r�sn��
�
��
��&��A�A�,�U�U�'�.�,�,�0�7�4��J�J�
��
��
��
�������V�V�!�<�5�=���
.�$�
��c�k�k�#�+�+�,���&�&�~�6�H��c�k�k�#�+�+�,���$�$�^�4�3�G��G��G��H��8�E�9���*��*
�h��(�(�0�0��>�I�I�K�	�$�I�O�O�%�� �$]"�@:H�z%:�X���
/B�d�2	�8�,�,�	�,�h�'�'�,�u�u�p=5�,�=5�@��&E
�E
�Ps
�2�H�s
�l+�)A�8�+�\
�*�
�:N;�X�N;�be �.�e �P
<�>J5�X�J5�ZY��Y�20&�H�0&�f��
��N�N�J
��J
�Z}
��}
�@/
��/
�d.$�h�.$�b(S�X�(S�V8�8�8�$��20�0�<!3�8�!3�H(�(�@3�3�25
�)�5
�pU1�,?�U1�p()�8�()�VF/�&9�F/��Ae
 ��0�
�
�	�
���H�G��H�s$�.L�=.L*�	L'�&L'�*L5�4L5

Zerion Mini Shell 1.0