diff --git a/.evergreen/scripts/configure-env.sh b/.evergreen/scripts/configure-env.sh index 8dc328aab3..ae5da8c7e9 100755 --- a/.evergreen/scripts/configure-env.sh +++ b/.evergreen/scripts/configure-env.sh @@ -74,8 +74,8 @@ EOT # Write the .env file for drivers-tools. rm -rf $DRIVERS_TOOLS -BRANCH=master -ORG=mongodb-labs +BRANCH=allow-cert-folder-override +ORG=blink1073 git clone --branch $BRANCH https://github.com/$ORG/drivers-evergreen-tools.git $DRIVERS_TOOLS cat < ${DRIVERS_TOOLS}/.env diff --git a/.evergreen/scripts/setup_tests.py b/.evergreen/scripts/setup_tests.py index e188dcaa9d..1765f03c38 100644 --- a/.evergreen/scripts/setup_tests.py +++ b/.evergreen/scripts/setup_tests.py @@ -341,10 +341,8 @@ def handle_test_env() -> None: run_command(cmd, cwd=DRIVERS_TOOLS) if SSL != "nossl": - if not DRIVERS_TOOLS: - raise RuntimeError("Missing DRIVERS_TOOLS") - write_env("CLIENT_PEM", f"{DRIVERS_TOOLS}/.evergreen/x509gen/client.pem") - write_env("CA_PEM", f"{DRIVERS_TOOLS}/.evergreen/x509gen/ca.pem") + write_env("CLIENT_PEM", ROOT / "test/certificates/client.pem") + write_env("CA_PEM", ROOT / "test/certificates/ca.pem") compressors = os.environ.get("COMPRESSORS") or opts.compressor if compressors == "snappy": 
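Review bot: `ORG=blink1073` / `BRANCH=allow-cert-folder-override` make Evergreen clone and execute drivers-evergreen-tools from a personal fork on a mutable branch, so the CI helper scripts are no longer the reviewed upstream ones and can change under the build at any time; the GitHub workflow in this same commit still uses `mongodb-labs/drivers-evergreen-tools@master`, so the two CI paths now run different tooling. If this is a stopgap until the fork branch is merged upstream, mark it so it is not forgotten, e.g. `# TODO: revert to ORG=mongodb-labs BRANCH=master once allow-cert-folder-override lands upstream`; if it has to stay, pin a specific commit rather than a branch name so the checkout is reproducible.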
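Review bot: `write_env("CLIENT_PEM", ROOT / "test/certificates/client.pem")` now passes a `Path` where the old code passed a string, while the CSFLE block later in the same function wraps the equivalent value in `str(...)` before putting it in `os.environ`; unless `write_env` stringifies its argument (not visible here), `CLIENT_PEM`/`CA_PEM` are handled differently from the other variables. Wrapping both calls, `write_env("CLIENT_PEM", str(ROOT / "test/certificates/client.pem"))` and likewise for `CA_PEM`, keeps the two code paths consistent. Dropping the `DRIVERS_TOOLS` guard is correct since these paths no longer depend on it. `handle_test_env` starts and ends outside the hunk.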
@@ -382,6 +380,20 @@ def handle_test_env() -> None: if not DRIVERS_TOOLS: raise RuntimeError("Missing DRIVERS_TOOLS") csfle_dir = Path(f"{DRIVERS_TOOLS}/.evergreen/csfle") + + # Set CSFLE TLS cert paths to our AKI-enabled test/certificates/ before + # setup-secrets.sh runs. setup-secrets.sh uses ${VAR:-default} so + # pre-setting these vars causes them to flow into secrets-export.sh via + # csfle/setup_secrets.py (which reads os.environ for these keys). + # load_config_from_file then persists all vars from that file for the + # test runner, so no separate write_env calls are needed. + certs = ROOT / "test/certificates" + os.environ["CSFLE_TLS_CA_FILE"] = str(certs / "ca.pem") + os.environ["CSFLE_TLS_CERT_FILE"] = str(certs / "server.pem") + os.environ["CSFLE_TLS_CLIENT_CERT_FILE"] = str(certs / "client.pem") + os.environ["CSFLE_TLS_WRONG_HOST_FILE"] = str(certs / "wrong-host.pem") + os.environ["CSFLE_TLS_EXPIRED_FILE"] = str(certs / "expired.pem") + run_command(f"bash {csfle_dir.as_posix()}/setup-secrets.sh", cwd=csfle_dir) load_config_from_file(csfle_dir / "secrets-export.sh") run_command(f"bash {csfle_dir.as_posix()}/start-servers.sh") diff --git a/.github/workflows/test-python.yml b/.github/workflows/test-python.yml index 2a70021cf7..5e31d3a41e 100644 --- a/.github/workflows/test-python.yml +++ b/.github/workflows/test-python.yml @@ -219,12 +219,16 @@ jobs: - id: setup-mongodb uses: mongodb-labs/drivers-evergreen-tools@master - name: Run tests - run: | + run: | just integration-tests - id: setup-mongodb-ssl uses: mongodb-labs/drivers-evergreen-tools@master with: ssl: true + env: + TLS_PEM_KEY_FILE: ${{ github.workspace }}/test/certificates/server.pem + TLS_CA_FILE: ${{ github.workspace }}/test/certificates/ca.pem + TLS_CERT_KEY_FILE: ${{ github.workspace }}/test/certificates/client.pem - name: Run tests run: | just integration-tests diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 773c9ec0d8..61ad4ece29 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
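Review bot: The five `os.environ["CSFLE_TLS_*"] = ...` assignments overwrite any value the caller already exported, which defeats the `${VAR:-default}` override behaviour the comment above them relies on; `os.environ.setdefault("CSFLE_TLS_CA_FILE", str(certs / "ca.pem"))` (and the same for the other four) keeps the repo certificates as the default while still honouring an explicit override. Note also that `server.pem`, used here as `CSFLE_TLS_CERT_FILE`, is the certificate gen-certs.py revokes in `crl.pem` (serial 1); that is presumably intentional for the CRL test, but a one-line comment such as `# server.pem is serial 1, revoked in crl.pem; the KMS mock does not check the CRL` would save the next reader from wondering. `handle_test_env` starts and ends outside the hunk.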
@@ -250,6 +250,16 @@ client = MongoClient( If you want to use the actual certificate file then set `tlsCertificateKeyFile` to the local path to `/test/certificates/client.pem` and `tlsCAFile` to the local path to `/test/certificates/ca.pem`. +#### Regenerating test certificates + +If the test certificates in `test/certificates/` need to be regenerated (e.g. after expiry or to add missing extensions), run: + +```bash +cd test/certificates && bash gen-certs.sh +``` + +See `test/certificates/README.md` for full details and constraints on certificate subjects/SANs that must be preserved. + ### Encryption tests - Run `just run-server` to start the server. diff --git a/test/asynchronous/test_encryption.py b/test/asynchronous/test_encryption.py index 455b1940c4..16d0feed4e 100644 --- a/test/asynchronous/test_encryption.py +++ b/test/asynchronous/test_encryption.py @@ -3047,8 +3047,6 @@ async def http_post(self, path, data=None): # each request because the server is single threaded. ctx = ssl.create_default_context(cafile=CA_PEM) ctx.load_cert_chain(CLIENT_PEM) - ctx.check_hostname = False - ctx.verify_mode = ssl.CERT_NONE conn = http.client.HTTPSConnection("127.0.0.1:9003", context=ctx) try: if data is not None: diff --git a/test/certificates/README.md b/test/certificates/README.md new file mode 100644 index 0000000000..5975b4c722 --- /dev/null +++ b/test/certificates/README.md 
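Review bot: Restoring the default `check_hostname` and `CERT_REQUIRED` on the KMS mock connection is the right direction, but it now depends on the mock on `127.0.0.1:9003` presenting a certificate that chains to `CA_PEM` and carries an IP SAN for 127.0.0.1 — the regenerated `server.pem` does, per `server_san()` in gen-certs.py, so any mismatch will surface as `ssl.SSLCertVerificationError` instead of a silent downgrade. The synchronous twin `test/test_encryption.py` is not in this chunk; whichever of the two files is the generated one needs the same removal, or the next synchro run will reintroduce the two lines. `http_post` starts and ends outside the hunk.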
@@ -0,0 +1,40 @@ +# Test TLS Certificates + +These certificates are used by the PyMongo test suite for TLS/SSL integration tests. + +## Regenerating certificates + +Run the generation script from this directory: + +```bash +bash gen-certs.sh +``` + +**Prerequisites:** OpenSSL 1.1+ or LibreSSL 3+ + +## Certificate details + +| File | Subject | Signed by | Purpose | +|---|---|---|---| +| `ca.pem` | `CN=Drivers Testing CA, ...` | Self (CA) | Root CA for test certs | +| `server.pem` | `CN=localhost, ...` + SAN | Drivers Testing CA | MongoDB server cert (key + cert) | +| `client.pem` | `CN=client, O=MDB, ...` | Drivers Testing CA | Client auth cert (key + cert) | +| `password_protected.pem` | Same as client | Drivers Testing CA | Client cert with AES-256 encrypted key | +| `crl.pem` | — | Drivers Testing CA | Empty Certificate Revocation List | +| `trusted-ca.pem` | `CN=Trusted Kernel Test CA, OU=Kernel, ...` | Self (CA) | Separate CA for bundle tests | + +**Password** for `password_protected.pem`: `qwerty` + +## Important constraints + +The following values are hardcoded in tests and **must not change**: + +- Client cert subject: `C=US,ST=New York,L=New York City,O=MDB,OU=Drivers,CN=client` + (used as the MongoDB X.509 username in `test/test_ssl.py`) +- Server cert SAN: `DNS:localhost, IP:127.0.0.1, IP:::1` +- The `server` hostname alias for `127.0.0.1` must be present in `/etc/hosts` for SSL tests to pass + (added automatically by `.evergreen/scripts/setup-system.sh`) + +## Background + +Certificates were regenerated to add the **Authority Key Identifier (AKI)** extension, which Python 3.13 requires for TLS certificate chain validation (PYTHON-5040). Prior to regeneration, certs were missing AKI, causing `ssl.SSLCertVerificationError: Missing Authority Key Identifier` on macOS and Windows with Python 3.13. diff --git a/test/certificates/ca.pem b/test/certificates/ca.pem index 24beea2d48..b895b13102 100644 --- a/test/certificates/ca.pem +++ b/test/certificates/ca.pem 
@@ -1,21 +1,22 @@ -----BEGIN CERTIFICATE----- -MIIDfzCCAmegAwIBAgIDB1MGMA0GCSqGSIb3DQEBCwUAMHkxGzAZBgNVBAMTEkRy -aXZlcnMgVGVzdGluZyBDQTEQMA4GA1UECxMHRHJpdmVyczEQMA4GA1UEChMHTW9u -Z29EQjEWMBQGA1UEBxMNTmV3IFlvcmsgQ2l0eTERMA8GA1UECBMITmV3IFlvcmsx -CzAJBgNVBAYTAlVTMB4XDTE5MDUyMjIwMjMxMVoXDTM5MDUyMjIwMjMxMVoweTEb -MBkGA1UEAxMSRHJpdmVycyBUZXN0aW5nIENBMRAwDgYDVQQLEwdEcml2ZXJzMRAw -DgYDVQQKEwdNb25nb0RCMRYwFAYDVQQHEw1OZXcgWW9yayBDaXR5MREwDwYDVQQI -EwhOZXcgWW9yazELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw -ggEKAoIBAQCl7VN+WsQfHlwapcOpTLZVoeMAl1LTbWTFuXSAavIyy0W1Ytky1UP/ -bxCSW0mSWwCgqoJ5aXbAvrNRp6ArWu3LsTQIEcD3pEdrFIVQhYzWUs9fXqPyI9k+ -QNNQ+MRFKeGteTPYwF2eVEtPzUHU5ws3+OKp1m6MCLkwAG3RBFUAfddUnLvGoZiT -pd8/eNabhgHvdrCw+tYFCWvSjz7SluEVievpQehrSEPKe8DxJq/IM3tSl3tdylzT -zeiKNO7c7LuQrgjAfrZl7n2SriHIlNmqiDR/kdd8+TxBuxjFlcf2WyHCO3lIcIgH -KXTlhUCg50KfHaxHu05Qw0x8869yIzqbAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8w -DQYJKoZIhvcNAQELBQADggEBAEHuhTL8KQZcKCTSJbYA9MgZj7U32arMGBbc1hiq -VBREwvdVz4+9tIyWMzN9R/YCKmUTnCq8z3wTlC8kBtxYn/l4Tj8nJYcgLJjQ0Fwe -gT564CmvkUat8uXPz6olOCdwkMpJ9Sj62i0mpgXJdBfxKQ6TZ9yGz6m3jannjZpN -LchB7xSAEWtqUgvNusq0dApJsf4n7jZ+oBZVaQw2+tzaMfaLqHgMwcu1FzA8UKCD -sxCgIsZUs8DdxaD418Ot6nPfheOTqe24n+TTa+Z6O0W0QtnofJBx7tmAo1aEc57i -77s89pfwIJetpIlhzNSMKurCAocFCJMJLAASJFuu6dyDvPo= +MIIDkDCCAnigAwIBAgIBZDANBgkqhkiG9w0BAQsFADB5MQswCQYDVQQGEwJVUzER +MA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAOBgNV +BAoMB01vbmdvREIxEDAOBgNVBAsMB0RyaXZlcnMxGzAZBgNVBAMMEkRyaXZlcnMg +VGVzdGluZyBDQTAeFw0yNjA2MDcxODUzMjBaFw00NjA2MDMxODUzMjBaMHkxCzAJ +BgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazEWMBQGA1UEBwwNTmV3IFlvcmsg +Q2l0eTEQMA4GA1UECgwHTW9uZ29EQjEQMA4GA1UECwwHRHJpdmVyczEbMBkGA1UE +AwwSRHJpdmVycyBUZXN0aW5nIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAstE5hAPpY4cVlDdQEx6L4Hg4ZTFFrovlB1f5I7lyZxplyOCU+jLRvdyj +pta346xDEBZRKHenFEWtkUZwEklXv3ZxHGANxnz5POiyPQvkJXXfE431Umtnl/T3 +/zDjTqspTQTbvdvW1+Qiy6rIjZUGUqYuzwe9P+YVH4tBL7yIOWbm8vTnu5xLXp0o 
+Ww707dIxIEIp7hD5P+At86oFk6dy6GhEkNiall6rNXg9gsCrF2kF0eH24/URm0F/ +mS2c7S2TIlZD0llD6MYtmo/KWLpLZLBSzLO6/F+t5r9nfXSJhXWcIWVs2o0T2sLh +XIJFKJsXwykZ3WaAj+WdoBYCueiyuwIDAQABoyMwITAPBgNVHRMBAf8EBTADAQH/ +MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAdEL/OI5F5ddSoywA +P6Rt/fNPj+skMI7IfUia7Mf26KXR6WnLXCBidhGRdoVyzsXC6KvGAMQ0zY8fOQVe +T3/a7JqvwqcmSURGgNKFVZg8rgdcbhAnORmMePLpmXK4E8NifBZcNbhLiEVR2/XK +AGt/yTAg0RS+H/1Hg+7Mj8jLm1/7aQFki/s7ip4XyFDj4nMBKnTXB8XLp6BAYGBs +8sCuosOecDKUjdrKVRl/p/vurwwyQHX8mLi3rNSSVYwE432MKs4aFhe5TxxNhWPv +PxlJ9T6pioqDPmTbAvFTBgg5WgqTrlkm/wxJ51YO9OzrEZ+aACb3454Jv8Tw+x5q +fAvsug== -----END CERTIFICATE----- diff --git a/test/certificates/client.pem b/test/certificates/client.pem index 5b07001092..e3198e3365 100644 --- a/test/certificates/client.pem +++ b/test/certificates/client.pem 
@@ -1,48 +1,51 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAsNS8UEuin7/K29jXfIOLpIoh1jEyWVqxiie2Onx7uJJKcoKo -khA3XeUnVN0k6X5MwYWcN52xcns7LYtyt06nRpTG2/emoV44w9uKTuHsvUbiOwSV -m/ToKQQ4FUFZoqorXH+ZmJuIpJNfoW+3CkE1vEDCIecIq6BNg5ySsPtvSuSJHGjp -mc7/5ZUDvFE2aJ8QbJU3Ws0HXiEb6ymi048LlzEL2VKX3w6mqqh+7dcZGAy7qYk2 -5FZ9ktKvCeQau7mTyU1hsPrKFiKtMN8Q2ZAItX13asw5/IeSTq2LgLFHlbj5Kpq4 -GmLdNCshzH5X7Ew3IYM8EHmsX8dmD6mhv7vpVwIDAQABAoIBABOdpb4qhcG+3twA -c/cGCKmaASLnljQ/UU6IFTjrsjXJVKTbRaPeVKX/05sgZQXZ0t3s2mV5AsQ2U1w8 -Cd+3w+qaemzQThW8hAOGCROzEDX29QWi/o2sX0ydgTMqaq0Wv3SlWv6I0mGfT45y -/BURIsrdTCvCmz2erLqa1dL4MWJXRFjT9UTs5twlecIOM2IHKoGGagFhymRK4kDe -wTRC9fpfoAgyfus3pCO/wi/F8yKGPDEwY+zgkhrJQ+kSeki7oKdGD1H540vB8gRt -EIqssE0Y6rEYf97WssQlxJgvoJBDSftOijS6mwvoasDUwfFqyyPiirawXWWhHXkc -DjIi/XECgYEA5xfjilw9YyM2UGQNESbNNunPcj7gDZbN347xJwmYmi9AUdPLt9xN -3XaMqqR22k1DUOxC/5hH0uiXir7mDfqmC+XS/ic/VOsa3CDWejkEnyGLiwSHY502 -wD/xWgHwUiGVAG9HY64vnDGm6L3KGXA2oqxanL4V0+0+Ht49pZ16i8sCgYEAw+Ox -CHGtpkzjCP/z8xr+1VTSdpc/4CP2HONnYopcn48KfQnf7Nale69/1kZpypJlvQSG -eeA3jMGigNJEkb8/kaVoRLCisXcwLc0XIfCTeiK6FS0Ka30D/84Qm8UsHxRdpGkM -kYITAa2r64tgRL8as4/ukeXBKE+oOhX43LeEfyUCgYBkf7IX2Ndlhsm3GlvIarxy -NipeP9PGdR/hKlPbq0OvQf9R1q7QrcE7H7Q6/b0mYNV2mtjkOQB7S2WkFDMOP0P5 -BqDEoKLdNkV/F9TOYH+PCNKbyYNrodJOt0Ap6Y/u1+Xpw3sjcXwJDFrO+sKqX2+T -PStG4S+y84jBedsLbDoAEwKBgQCTz7/KC11o2yOFqv09N+WKvBKDgeWlD/2qFr3w -UU9K5viXGVhqshz0k5z25vL09Drowf1nAZVpFMO2SPOMtq8VC6b+Dfr1xmYIaXVH -Gu1tf77CM9Zk/VSDNc66e7GrUgbHBK2DLo+A+Ld9aRIfTcSsMbNnS+LQtCrQibvb -cG7+MQKBgQCY11oMT2dUekoZEyW4no7W5D74lR8ztMjp/fWWTDo/AZGPBY6cZoZF -IICrzYtDT/5BzB0Jh1f4O9ZQkm5+OvlFbmoZoSbMzHL3oJCBOY5K0/kdGXL46WWh -IRJSYakNU6VIS7SjDpKgm9D8befQqZeoSggSjIIULIiAtYgS80vmGA== +MIIEowIBAAKCAQEAhox4m8i+hLbia83C39Bvsw6MRIK/D8u0+rPRm9Cmh9Aonf2K +z223wYHs6OhipcowMgkGlTSztuVvVSpSISNyy4RVPKukUV5M3II7aH2+p4H6HFWG +yHvLHIWCDc0vawADtCwCcBoQjJ8gGaYdpBcDQBrIJPtWz/9QYcc2e1Kr+ka/2Lh/ +Dd6JjFqVmSWzHTRUJPN9J9DEsUgpZuRldEGBZmmSzvj2HwoOK2tgMMv2zmykuLIK 
+mPEO+wgcxQMC/uNIBdQGLsiHrmMkXIE7Ay/X1qR8P3HOhyePyM2MbZnkfbLpIwcc +93EIgK1z4JQn7EO8h7LTMRUqs7I8kv08u1zMawIDAQABAoIBAAOVAOBjo/ARzv7n +bwBFe47h4adYDP01SDwHgYbGboOigWEXGO2Ufqnk9P9lJ9AZ0hFsyyqv5oDxuABM +560ApCKDjRgmtpkKvOR+6KPVhS4KAiCfSpd6RDyn2AnFGlz/W5AKF5mZqUY1IgEv +RFznr1KfRl726M7C8/KVOrEDqaqa+lIg8Zvn+fsy6AIvfa3KGQliwpJ898f5Z7Fj +RpjL73biGu2JpHEBVl7OUYNIFehhzERbbmrb+R9Xc6KBwVb2Eukq35M7qtju6MY3 +uNStq8kmfLEI8vrcNg5EgHM2NW/AT341ux9zP9phk4hPP9wXrn3NOUF67c2tjZxF +NZRm8NECgYEAuZlZorjrDAVDKGrwpXs1sa3OK5XCCXQ9Plb8gadxl+PQFid/qIOE +7Ddgz2HUVorMgZ5A8oZ4uGviTdyZbS5VsxF00OjjM8ayTIDK9C3OhkmhqTj6Rf42 +XCDaoemueH/m4ynr47FPzqEXM24AbQBnQFiqLjzVAtK1IHeOSF9wj8cCgYEAuZXd +fQRWD3hVgW0fslFfzYrtTHdr0/P7Agm20YckQGiona+J/NYycv3lF8koQRh8lGtd +bqRY1DXmde5qgrnFzqwOpiraB4r5Y/YYP17vE47MplsT9jjtRm8p7xgx71lvZ4wg +BE1vF5gXfqFYrVDrhfdGc7Wg8N6q9VSDVlw1Jj0CgYB7JrQBcy4TldJQGVWAmFay +hR9OcFqGJ2kT2mhGJ7MKFBHZAXCFgm9Kxhwov0NEAWldgIKb6npj9MH+5Cex+JLI +9QZMMJvBmVBpzvPcPiDRnj30qWf31YyAaRRpZ0NrlYLArOpm9Rp9gwqAB7eknCXm +3m5dq+OzsdiZqHryrtFjtQKBgCZDR88mvbeiz75HiWlybZYrNpG1bX3dp7rb1d2N +R2QgL+OS9ZgzcWNUBY/J4YrKSaUwHataJxZZppJZ/YvGUYoy3zJTU3CKrrB1ZLps +EE6v+nGyBYOWaRVEhhjNnD4E6nsm4NMCRA1RRkbNbUMOlACi4tuobu46enTqX8nG +aQ7hAoGBAI2EkcAymqZg2+sfVMIYfdPmM3p6D7jWKRn6dnSU2H//eLRjRZX2I7Sh +V6hOYjdZm2HhtodePXu9IceZqgXyMdEB9TgaBAvJnEvUE1xHRCJK8RL22vDoeW77 +Ig/BNEmsh2SgWFEo7Q0ZImObOcqbP9YLNZRjLeI0+aeoti8olTjt -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIIDgzCCAmugAwIBAgIDAxOUMA0GCSqGSIb3DQEBCwUAMHkxGzAZBgNVBAMTEkRy -aXZlcnMgVGVzdGluZyBDQTEQMA4GA1UECxMHRHJpdmVyczEQMA4GA1UEChMHTW9u -Z29EQjEWMBQGA1UEBxMNTmV3IFlvcmsgQ2l0eTERMA8GA1UECBMITmV3IFlvcmsx -CzAJBgNVBAYTAlVTMB4XDTE5MDUyMjIzNTU1NFoXDTM5MDUyMjIzNTU1NFowaTEP -MA0GA1UEAxMGY2xpZW50MRAwDgYDVQQLEwdEcml2ZXJzMQwwCgYDVQQKEwNNREIx -FjAUBgNVBAcTDU5ldyBZb3JrIENpdHkxETAPBgNVBAgTCE5ldyBZb3JrMQswCQYD -VQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALDUvFBLop+/ -ytvY13yDi6SKIdYxMllasYontjp8e7iSSnKCqJIQN13lJ1TdJOl+TMGFnDedsXJ7 
-Oy2LcrdOp0aUxtv3pqFeOMPbik7h7L1G4jsElZv06CkEOBVBWaKqK1x/mZibiKST -X6FvtwpBNbxAwiHnCKugTYOckrD7b0rkiRxo6ZnO/+WVA7xRNmifEGyVN1rNB14h -G+spotOPC5cxC9lSl98Opqqofu3XGRgMu6mJNuRWfZLSrwnkGru5k8lNYbD6yhYi -rTDfENmQCLV9d2rMOfyHkk6ti4CxR5W4+SqauBpi3TQrIcx+V+xMNyGDPBB5rF/H -Zg+pob+76VcCAwEAAaMkMCIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF -BwMCMA0GCSqGSIb3DQEBCwUAA4IBAQAqRcLAGvYMaGYOV4HJTzNotT2qE0I9THNQ -wOV1fBg69x6SrUQTQLjJEptpOA288Wue6Jt3H+p5qAGV5GbXjzN/yjCoItggSKxG -Xg7279nz6/C5faoIKRjpS9R+MsJGlttP9nUzdSxrHvvqm62OuSVFjjETxD39DupE -YPFQoHOxdFTtBQlc/zIKxVdd20rs1xJeeU2/L7jtRBSPuR/Sk8zot7G2/dQHX49y -kHrq8qz12kj1T6XDXf8KZawFywXaz0/Ur+fUYKmkVk1T0JZaNtF4sKqDeNE4zcns -p3xLVDSl1Q5Gwj7bgph9o4Hxs9izPwiqjmNaSjPimGYZ399zcurY +MIIEEzCCAvugAwIBAgIBAjANBgkqhkiG9w0BAQsFADB5MQswCQYDVQQGEwJVUzER +MA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAOBgNV +BAoMB01vbmdvREIxEDAOBgNVBAsMB0RyaXZlcnMxGzAZBgNVBAMMEkRyaXZlcnMg +VGVzdGluZyBDQTAeFw0yNjA2MDcxODUzMjBaFw00NjA2MDMxODUzMjBaMGkxDzAN +BgNVBAMMBmNsaWVudDEQMA4GA1UECwwHRHJpdmVyczEMMAoGA1UECgwDTURCMRYw +FAYDVQQHDA1OZXcgWW9yayBDaXR5MREwDwYDVQQIDAhOZXcgWW9yazELMAkGA1UE +BhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCGjHibyL6EtuJr +zcLf0G+zDoxEgr8Py7T6s9Gb0KaH0Cid/YrPbbfBgezo6GKlyjAyCQaVNLO25W9V +KlIhI3LLhFU8q6RRXkzcgjtofb6ngfocVYbIe8schYINzS9rAAO0LAJwGhCMnyAZ +ph2kFwNAGsgk+1bP/1BhxzZ7Uqv6Rr/YuH8N3omMWpWZJbMdNFQk830n0MSxSClm +5GV0QYFmaZLO+PYfCg4ra2Awy/bObKS4sgqY8Q77CBzFAwL+40gF1AYuyIeuYyRc +gTsDL9fWpHw/cc6HJ4/IzYxtmeR9sukjBxz3cQiArXPglCfsQ7yHstMxFSqzsjyS +/Ty7XMxrAgMBAAGjgbUwgbIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF +BwMCMIGNBgNVHSMEgYUwgYKhfaR7MHkxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhO +ZXcgWW9yazEWMBQGA1UEBwwNTmV3IFlvcmsgQ2l0eTEQMA4GA1UECgwHTW9uZ29E +QjEQMA4GA1UECwwHRHJpdmVyczEbMBkGA1UEAwwSRHJpdmVycyBUZXN0aW5nIENB +ggFkMA0GCSqGSIb3DQEBCwUAA4IBAQCi1zSezWD8IpIjzj+I6hlXIRbV5twftNkd +nA86NaYfx+k1khoOV99gjALYff4IzCZoDZ027VeqL1mQblh4OM2o7Iirns4G21ka +bpSbjgKs3PbijcWHgWpjnWHL1osQsP/WApaZQbNIyh29F0qDmKm5fgn7eHqX4oTV 
+DTHzOd+tTVTkM1UHzJnYf1+1IdFwzyTVz2RT5uakuHwpJRTQhQBAdahOZPxFUURN +x7N9s/T7UnAmKHCzl7QFxfN/BsjPb8RxgRP5Rl+lU/WF+MIeK2QiJ7d2jRa9Eewn +v+8kv+HCaER3D5KpjFzM5IFofUF58J7RCZQYf71gK9kqgcIq4jpX -----END CERTIFICATE----- diff --git a/test/certificates/crl.pem b/test/certificates/crl.pem index 733a0acdc0..ec5de0bd5f 100644 --- a/test/certificates/crl.pem +++ b/test/certificates/crl.pem @@ -1,13 +1,12 @@ -----BEGIN X509 CRL----- -MIIB6jCB0wIBATANBgkqhkiG9w0BAQsFADB5MRswGQYDVQQDExJEcml2ZXJzIFRl -c3RpbmcgQ0ExEDAOBgNVBAsTB0RyaXZlcnMxEDAOBgNVBAoTB01vbmdvREIxFjAU -BgNVBAcTDU5ldyBZb3JrIENpdHkxETAPBgNVBAgTCE5ldyBZb3JrMQswCQYDVQQG -EwJVUxcNMTkwNTIyMjI0NTUzWhcNMTkwNjIxMjI0NTUzWjAVMBMCAncVFw0xOTA1 -MjIyMjQ1MzJaoA8wDTALBgNVHRQEBAICEAAwDQYJKoZIhvcNAQELBQADggEBACwQ -W9OF6ExJSzzYbpCRroznkfdLG7ghNSxIpBQUGtcnYbkP4em6TdtAj5K3yBjcKn4a -hnUoa5EJGr2Xgg0QascV/1GuWEJC9rsYYB9boVi95l1CrkS0pseaunM086iItZ4a -hRVza8qEMBc3rdsracA7hElYMKdFTRLpIGciJehXzv40yT5XFBHGy/HIT0CD50O7 -BDOHzA+rCFCvxX8UY9myDfb1r1zUW7Gzjn241VT7bcIJmhFE9oV0popzDyqr6GvP -qB2t5VmFpbnSwkuc4ie8Jizip1P8Hg73lut3oVAHACFGPpfaNIAp4GcSH61zJmff -9UBe3CJ1INwqyiuqGeA= +MIIB2DCBwQIBATANBgkqhkiG9w0BAQsFADB5MQswCQYDVQQGEwJVUzERMA8GA1UE +CAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAOBgNVBAoMB01v +bmdvREIxEDAOBgNVBAsMB0RyaXZlcnMxGzAZBgNVBAMMEkRyaXZlcnMgVGVzdGlu +ZyBDQRcNMjYwNjA4MTg1MzIwWhcNNDYwNjAzMTg1MzIwWjAUMBICAQEXDTI2MDYw +ODE4NTMyMFowDQYJKoZIhvcNAQELBQADggEBAB6LRmtO+u2zn4IFE/CRdOBsCTsz +tZ8EaZSBP6P+Ag/GeLT4M6CIjHhJV1SUMt2aEAU3JBBye+sKX6Rk1JK6UzEjDnUf ++TRoGFvqh057ujD01LVh9FQpobr0Nsa/Xx4551/Nc91z/khlG5aBrTBoB4I7Q2VB +OeYjdhrAKZ0jc2xEKy6z+vJWAgj0UmSwxjhJ8Qf3xiaPnf9Nqu2UhAv+IwhWMxBC +GrXaJBOhkv9GqtNmnLJrOJoHgoO/MAKvaKi+/YqCH7pCHKt62t2f6ZD0oNuqFZYx +QofmyawIOr6FY2tHQNL2ZN4cVHgQ2X6b4vhJnpNw6tKG4s4niK3MVr7qo2A= -----END X509 CRL----- diff --git a/test/certificates/expired.pem b/test/certificates/expired.pem new file mode 100644 index 0000000000..8c9c0ad8a6 --- /dev/null +++ b/test/certificates/expired.pem 
@@ -0,0 +1,52 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEA4nSKxBpsnS1QX4PCO3VEEdBcCqHxKU2j4dmY8soANTyva3xs +Q1Mvu7tr+0kDWVMCI/clnMsbCIoLikiNaLXhz84/Ne7WTHkEMr31GPH4XDu6FMxz +g4zydQQ9fuCC0FyxR0KlqBLzVcrC3HIP56MzXLlbCAfCitubti8dHdZdtgC/vbTX +f2LiOG/R0M++6M4Wj+KAEagnV4bn5MiCt4KnZyf2w57ylSorhFHhszEI7YmzHjkW +4czGmHuE50NVPftU09750bFRrnxvlO/wsknER9ZrBqjkbw0E9ezMtoAGwK9Sp8hR +bVGXKBdw4aXG43MLDleaenGGJBeAJPjY76Es6wIDAQABAoIBAC2hSRLRtkAHkPHm +FT2w19n1D47O6c6mR9bq5yBI5rjTdQ9l/1SjjvM3hT8Zi7S0frJriucon9ZdJo0j +KGdIeutKBj+iVAkNu3RUBW6U1zQSjuDA/6eqv3InvBJ0P7enbctLmSCgTOrlE9Wi +oCTPJDrTWI3qLl+Xd61Cmg3Yk4JoDCkPzdWaaTBIwLCfIlgcn6Y9hmM9vxGHKR5P +NGw2pdziXBKwTvE/eM+ducNnWhHbgmG97yaLLzxDl96BQ2768ZdD/eEOpM74sr+a +mo+HyCHAQvcrEyoBGHlk+qdyBBBA2AVUiiuBXx2zlYlsHmgYJBaVnENrQSccWTzg +vkVv0hkCgYEA933L13nL4BQHFKyhRsbHaE/0GOGY/Pe6T8a31jXHqQN4jka44gGP +JD/S6Cfc+jSbiPu2EN0Yu4P8vYiTGIeKeCcD5zsh0Dk/Ht9Lts7hu1UBmVxoOokG +ndR35L7R4FE7LNqXjFO+SNKxhpSXqabUmCLGBswFdAApgU83Q8m5w1MCgYEA6j2a +mw1oRelSeYQlG0eRQ99Y9vUzf5Hb1p44A1F3zQNSzX86L+mpPLF7i7sD7TM+b9J2 +Ik2ClaQ5r1vMH/pkBHrjGHYKU9JIJc/9YOZWMmKcvb9X9/4xs5us/Q0UN255/Lgx +xynjR67NRC70oAdxTi37E+OgVXDkOlheaU2ulQkCgYA5/GxVGQFOiAK8slG7Hnm8 +E/eSGNFae8RYSqvp8YHNNLX7R9Cri0f5a0bEBAr/SHIkny0iOFtCHAOMeMJWHfOw +gRumArHCcpc6aYD43PIAjUMppn/5Lv+w3QYWPys3TnD56mFVjI1pzIuxh4EdS6xF +1Ofm0ch5TExtMp01Mb9nZwKBgEPAhdOLUTnHfv9+5Wy6ip3jIExuJ/MiMUAmi3UK +P2ihKXYe8qmhID5Z565G7Z/STqDxcxIA8WBvG/BI0QX+2qchFEai/eG41P1654L7 +nLr+IvAPRFaKw717rdGT0uElp0sdy+gbiY3WVbD/E+qlvHQsgI8ELAAKozjtDoHO +4kxhAoGAT2zXUOdWDHqqC/Kezjjuz22JvLD1IZ5B7k/Y15KX0OIZ0W2pXY4isFhC +hsbCzYRN5PFqx+Mr+OawjzO+CaW2wnLK33a4QrooY0NJ/tHsXYWFAA00asAtNlp2 +i0SwTRuvmb/M08m1338+HAFdpQrhlz4uhtbeA4ZEGRjUKCg0OqU= +-----END RSA PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIEJjCCAw6gAwIBAgIBBDANBgkqhkiG9w0BAQsFADB5MQswCQYDVQQGEwJVUzER +MA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAOBgNV +BAoMB01vbmdvREIxEDAOBgNVBAsMB0RyaXZlcnMxGzAZBgNVBAMMEkRyaXZlcnMg 
+VGVzdGluZyBDQTAeFw0wMDAxMDEwMDAwMDBaFw0wMTAxMDEwMDAwMDBaMHAxCzAJ +BgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazEWMBQGA1UEBwwNTmV3IFlvcmsg +Q2l0eTEQMA4GA1UECgwHTW9uZ29EQjEQMA4GA1UECwwHRHJpdmVyczESMBAGA1UE +AwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4nSK +xBpsnS1QX4PCO3VEEdBcCqHxKU2j4dmY8soANTyva3xsQ1Mvu7tr+0kDWVMCI/cl +nMsbCIoLikiNaLXhz84/Ne7WTHkEMr31GPH4XDu6FMxzg4zydQQ9fuCC0FyxR0Kl +qBLzVcrC3HIP56MzXLlbCAfCitubti8dHdZdtgC/vbTXf2LiOG/R0M++6M4Wj+KA +EagnV4bn5MiCt4KnZyf2w57ylSorhFHhszEI7YmzHjkW4czGmHuE50NVPftU0975 +0bFRrnxvlO/wsknER9ZrBqjkbw0E9ezMtoAGwK9Sp8hRbVGXKBdw4aXG43MLDlea +enGGJBeAJPjY76Es6wIDAQABo4HBMIG+MCwGA1UdEQQlMCOCCWxvY2FsaG9zdIcE +fwAAAYcQAAAAAAAAAAAAAAAAAAAAATCBjQYDVR0jBIGFMIGCoX2kezB5MQswCQYD +VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp +dHkxEDAOBgNVBAoMB01vbmdvREIxEDAOBgNVBAsMB0RyaXZlcnMxGzAZBgNVBAMM +EkRyaXZlcnMgVGVzdGluZyBDQYIBZDANBgkqhkiG9w0BAQsFAAOCAQEADH7WYlZY +Mbkn+87kgMhNFk9RDXtGYHxQ29+8PL1lDyqOli1nMVBnh57pq7oBOeUXuqdosFVG +KnQIvUa1EZrT4/y+RaQXzD2xcWbdCzXQj3DT/mFYuwwtI5T6hUCHAw45LcZQxc+t +4xhnssnl7Nm7fnOl1KVkLiQWaEZqZohm7vATvNjRcZaeGS4MxAAERKWbC7wbkfBt +Eqp6h+/GnpBAW4PV/lH6hSemlr7/9UkGrbZbyqkHsOeXwOdmgxkMGUL7M3uuonwa ++XBGXvH8cxzpnmgQvqzvxC5oixJjq3wvNxa/T4T2o1Ez22jNuI8TVri1F1yfjnBs +XstbsY3QF7jg8A== +-----END CERTIFICATE----- diff --git a/test/certificates/gen-certs.py b/test/certificates/gen-certs.py new file mode 100755 index 0000000000..8c339b3acc --- /dev/null +++ b/test/certificates/gen-certs.py 
@@ -0,0 +1,388 @@ +#!/usr/bin/env python3 +"""Generate TLS test certificates for the PyMongo test suite. + +Leaf certs carry AKI in the *issuer* form (DirName + serial, no keyid). +Python 3.13 / OpenSSL 3.x requires AKI to be present for chain building. +The issuer form satisfies that requirement while avoiding the *keyid* form, +which would enable macOS SecTrust's keyid-based chain verification and trigger +its hard-fail OCSP check (CSSMERR_TP_CERT_SUSPENDED) against test certs that +have no OCSP URL. MongoDB's own jstests/libs certs use the same approach. + +The CA cert carries keyUsage (keyCertSign + cRLSign, critical), required by +Python 3.13 on Windows (OpenSSL 3.x enforces keyUsage on CA certs). + +Using Python's cryptography library gives precise control over extensions — +in particular it lets us add AKI without OpenSSL 3.x auto-adding SKI. + +Usage: + pip install cryptography + python gen-certs.py # run from test/certificates/ + +Password for password_protected.pem: qwerty +""" +from __future__ import annotations + +import datetime +import ipaddress +import sys +from pathlib import Path + +try: + from cryptography import x509 + from cryptography.hazmat.primitives import hashes + from cryptography.hazmat.primitives.asymmetric import rsa + from cryptography.hazmat.primitives.serialization import ( + BestAvailableEncryption, + Encoding, + NoEncryption, + PrivateFormat, + ) + from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID +except ImportError: + sys.exit("cryptography package is required: pip install cryptography") + +SCRIPT_DIR = Path(__file__).parent.resolve() +DAYS = 7300 # ~20 years +NOW = datetime.datetime.now(datetime.timezone.utc) +NOT_BEFORE = NOW - datetime.timedelta(days=1) +NOT_AFTER = NOW + datetime.timedelta(days=DAYS) + + +def make_key() -> rsa.RSAPrivateKey: + return rsa.generate_private_key(public_exponent=65537, key_size=2048) + + +def key_pem(key, password=None) -> bytes: + enc = BestAvailableEncryption(password) if password 
else NoEncryption() + return key.private_bytes(Encoding.PEM, PrivateFormat.TraditionalOpenSSL, enc) + + +def cert_pem(cert) -> bytes: + return cert.public_bytes(Encoding.PEM) + + +def aki_from_ca(ca_cert: x509.Certificate) -> x509.AuthorityKeyIdentifier: + # Use the issuer form (DirName + serial) rather than the keyid form. + # The keyid form enables macOS SecTrust keyid-based chain verification, which + # then triggers hard-fail OCSP (CSSMERR_TP_CERT_SUSPENDED) because our test + # certs have no OCSP URL. The issuer form satisfies Python 3.13 / OpenSSL + # 3.x's AKI requirement without providing a keyid, so macOS falls back to + # name-based chain matching and does not attempt OCSP at all. + return x509.AuthorityKeyIdentifier( + key_identifier=None, + authority_cert_issuer=[x509.DirectoryName(ca_cert.subject)], + authority_cert_serial_number=ca_cert.serial_number, + ) + + +def server_san() -> x509.SubjectAlternativeName: + return x509.SubjectAlternativeName( + [ + x509.DNSName("localhost"), + x509.IPAddress(ipaddress.IPv4Address("127.0.0.1")), + x509.IPAddress(ipaddress.IPv6Address("::1")), + ] + ) + + +# Canonical names — kept stable so tests that hard-code DN strings keep passing. 
+CA_NAME = x509.Name( + [ + x509.NameAttribute(NameOID.COUNTRY_NAME, "US"), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "New York"), + x509.NameAttribute(NameOID.LOCALITY_NAME, "New York City"), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, "MongoDB"), + x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Drivers"), + x509.NameAttribute(NameOID.COMMON_NAME, "Drivers Testing CA"), + ] +) + +SERVER_NAME = x509.Name( + [ + x509.NameAttribute(NameOID.COUNTRY_NAME, "US"), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "New York"), + x509.NameAttribute(NameOID.LOCALITY_NAME, "New York City"), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, "MongoDB"), + x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Drivers"), + x509.NameAttribute(NameOID.COMMON_NAME, "localhost"), + ] +) + +# Attribute order must be CN→OU→O→L→ST→C so that MongoDB's reversed-order +# x509 username string is "C=US,ST=New York,L=New York City,O=MDB,OU=Drivers,CN=client" +# (see MONGODB_X509_USERNAME in test/test_ssl.py). +CLIENT_NAME = x509.Name( + [ + x509.NameAttribute(NameOID.COMMON_NAME, "client"), + x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Drivers"), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, "MDB"), + x509.NameAttribute(NameOID.LOCALITY_NAME, "New York City"), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "New York"), + x509.NameAttribute(NameOID.COUNTRY_NAME, "US"), + ] +) + +TRUSTED_CA_NAME = x509.Name( + [ + x509.NameAttribute(NameOID.COUNTRY_NAME, "US"), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "New York"), + x509.NameAttribute(NameOID.LOCALITY_NAME, "New York City"), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, "MongoDB"), + x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Kernel"), + x509.NameAttribute(NameOID.COMMON_NAME, "Trusted Kernel Test CA"), + ] +) + + +# --------------------------------------------------------------------------- +# 1. 
Drivers Testing CA +# --------------------------------------------------------------------------- +print("==> Generating Drivers Testing CA...") +ca_key = make_key() +ca_cert = ( + x509.CertificateBuilder() + .subject_name(CA_NAME) + .issuer_name(CA_NAME) + .public_key(ca_key.public_key()) + .serial_number(100) + .not_valid_before(NOT_BEFORE) + .not_valid_after(NOT_AFTER) + .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) + .add_extension( + x509.KeyUsage( + digital_signature=False, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=False, + key_cert_sign=True, + crl_sign=True, + encipher_only=False, + decipher_only=False, + ), + critical=True, + ) + .sign(ca_key, hashes.SHA256()) +) +(SCRIPT_DIR / "ca.pem").write_bytes(cert_pem(ca_cert)) +print(" ca.pem written") + + +# --------------------------------------------------------------------------- +# 2. Server certificate — serial 1, revoked in crl.pem for test_tlsCRLFile_support +# --------------------------------------------------------------------------- +print("==> Generating server certificate...") +server_key = make_key() +server_cert = ( + x509.CertificateBuilder() + .subject_name(SERVER_NAME) + .issuer_name(CA_NAME) + .public_key(server_key.public_key()) + .serial_number(1) + .not_valid_before(NOT_BEFORE) + .not_valid_after(NOT_AFTER) + .add_extension(server_san(), critical=False) + .add_extension(aki_from_ca(ca_cert), critical=False) + .sign(ca_key, hashes.SHA256()) +) +(SCRIPT_DIR / "server.pem").write_bytes(key_pem(server_key) + cert_pem(server_cert)) +print(" server.pem written") + + +# --------------------------------------------------------------------------- +# 3. 
Client certificate — serial 2 +# --------------------------------------------------------------------------- +print("==> Generating client certificate...") +client_key = make_key() +client_cert = ( + x509.CertificateBuilder() + .subject_name(CLIENT_NAME) + .issuer_name(CA_NAME) + .public_key(client_key.public_key()) + .serial_number(2) + .not_valid_before(NOT_BEFORE) + .not_valid_after(NOT_AFTER) + .add_extension( + x509.KeyUsage( + digital_signature=True, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=False, + key_cert_sign=False, + crl_sign=False, + encipher_only=False, + decipher_only=False, + ), + critical=False, + ) + .add_extension( + x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), + critical=False, + ) + .add_extension(aki_from_ca(ca_cert), critical=False) + .sign(ca_key, hashes.SHA256()) +) +(SCRIPT_DIR / "client.pem").write_bytes(key_pem(client_key) + cert_pem(client_cert)) +print(" client.pem written") + + +# --------------------------------------------------------------------------- +# 4. Password-protected client certificate (same cert, encrypted key) +# --------------------------------------------------------------------------- +print("==> Generating password-protected client certificate...") +(SCRIPT_DIR / "password_protected.pem").write_bytes( + key_pem(client_key, password=b"qwerty") + cert_pem(client_cert) +) +print(" password_protected.pem written (password: qwerty)") + + +# --------------------------------------------------------------------------- +# 5. 
CRL — revokes the server cert (serial 1) for test_tlsCRLFile_support +# --------------------------------------------------------------------------- +print("==> Generating CRL...") +crl = ( + x509.CertificateRevocationListBuilder() + .issuer_name(CA_NAME) + .last_update(NOW) + .next_update(NOW + datetime.timedelta(days=DAYS)) + .add_revoked_certificate( + x509.RevokedCertificateBuilder().serial_number(1).revocation_date(NOW).build() + ) + .sign(ca_key, hashes.SHA256()) +) +(SCRIPT_DIR / "crl.pem").write_bytes(crl.public_bytes(Encoding.PEM)) +print(" crl.pem written") + + +# --------------------------------------------------------------------------- +# 6. Wrong-host certificate (serial 3) — used in KMS TLS tests +# --------------------------------------------------------------------------- +print("==> Generating wrong-host certificate...") +wrong_host_key = make_key() +wrong_host_cert = ( + x509.CertificateBuilder() + .subject_name( + x509.Name( + [ + x509.NameAttribute(NameOID.COUNTRY_NAME, "US"), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "New York"), + x509.NameAttribute(NameOID.LOCALITY_NAME, "New York City"), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, "MongoDB"), + x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Drivers"), + x509.NameAttribute(NameOID.COMMON_NAME, "wronghost.example.com"), + ] + ) + ) + .issuer_name(CA_NAME) + .public_key(wrong_host_key.public_key()) + .serial_number(3) + .not_valid_before(NOT_BEFORE) + .not_valid_after(NOT_AFTER) + .add_extension( + x509.SubjectAlternativeName([x509.DNSName("wronghost.example.com")]), + critical=False, + ) + .add_extension(aki_from_ca(ca_cert), critical=False) + .sign(ca_key, hashes.SHA256()) +) +(SCRIPT_DIR / "wrong-host.pem").write_bytes(key_pem(wrong_host_key) + cert_pem(wrong_host_cert)) +print(" wrong-host.pem written (SAN: wronghost.example.com)") + + +# --------------------------------------------------------------------------- +# 7. 
Expired certificate (serial 4) — used in KMS TLS tests +# --------------------------------------------------------------------------- +print("==> Generating expired certificate...") +expired_key = make_key() +expired_cert = ( + x509.CertificateBuilder() + .subject_name(SERVER_NAME) + .issuer_name(CA_NAME) + .public_key(expired_key.public_key()) + .serial_number(4) + .not_valid_before(datetime.datetime(2000, 1, 1, tzinfo=datetime.timezone.utc)) + .not_valid_after(datetime.datetime(2001, 1, 1, tzinfo=datetime.timezone.utc)) + .add_extension(server_san(), critical=False) + .add_extension(aki_from_ca(ca_cert), critical=False) + .sign(ca_key, hashes.SHA256()) +) +(SCRIPT_DIR / "expired.pem").write_bytes(key_pem(expired_key) + cert_pem(expired_cert)) +print(" expired.pem written (expired 2001-01-01)") + + +# --------------------------------------------------------------------------- +# 8. Trusted Kernel Test CA — separate CA, used in CA-bundle tests +# --------------------------------------------------------------------------- +print("==> Generating Trusted Kernel Test CA...") +trusted_ca_key = make_key() +trusted_ca_cert = ( + x509.CertificateBuilder() + .subject_name(TRUSTED_CA_NAME) + .issuer_name(TRUSTED_CA_NAME) + .public_key(trusted_ca_key.public_key()) + .serial_number(200) + .not_valid_before(NOT_BEFORE) + .not_valid_after(NOT_AFTER) + .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) + .add_extension( + x509.KeyUsage( + digital_signature=False, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=False, + key_cert_sign=True, + crl_sign=True, + encipher_only=False, + decipher_only=False, + ), + critical=True, + ) + .sign(trusted_ca_key, hashes.SHA256()) +) +(SCRIPT_DIR / "trusted-ca.pem").write_bytes(cert_pem(trusted_ca_cert)) +print(" trusted-ca.pem written") + + +# --------------------------------------------------------------------------- +# Verification +# 
--------------------------------------------------------------------------- +print() +print("==> Verifying AKI on leaf certs and no SKI on CA...") + +import subprocess + + +def cert_extensions(path: Path) -> str: + return subprocess.check_output( + ["openssl", "x509", "-noout", "-text", "-in", str(path)], + stderr=subprocess.DEVNULL, + ).decode() + + +errors = 0 +for name in ("server.pem", "client.pem", "wrong-host.pem", "expired.pem"): + text = cert_extensions(SCRIPT_DIR / name) + has_aki = "Authority Key Identifier" in text + has_ski = "Subject Key Identifier" in text + if not has_aki: + print(f" {name}: MISSING AKI", file=sys.stderr) + errors += 1 + elif has_ski: + print(f" {name}: OK (AKI present, but unexpected SKI also present)") + else: + print(f" {name}: OK") + +ca_text = cert_extensions(SCRIPT_DIR / "ca.pem") +if "Subject Key Identifier" in ca_text: + print(" ca.pem: UNEXPECTED SKI — OpenSSL auto-added it", file=sys.stderr) + errors += 1 +else: + print(" ca.pem: OK (no SKI)") + +if errors: + sys.exit(1) + +print() +print("Done. All certificates regenerated.") diff --git a/test/certificates/gen-certs.sh b/test/certificates/gen-certs.sh new file mode 100755 index 0000000000..42285b2aa3 --- /dev/null +++ b/test/certificates/gen-certs.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash +# Thin wrapper — delegates certificate generation to gen-certs.py. +# See gen-certs.py for full documentation on the cert design. +# +# Usage: bash gen-certs.sh (run from test/certificates/) +# Requires: pip install cryptography + +set -euo pipefail +cd "$(dirname "${BASH_SOURCE[0]}")" +python3 gen-certs.py diff --git a/test/certificates/password_protected.pem b/test/certificates/password_protected.pem index cc9e124703..f9df236a2c 100644 --- a/test/certificates/password_protected.pem +++ b/test/certificates/password_protected.pem 
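Review bot: `key_pem` writes the password-protected key with `PrivateFormat.TraditionalOpenSSL` plus `BestAvailableEncryption`, which produces the legacy `RSA PRIVATE KEY` / `Proc-Type: 4,ENCRYPTED` / `DEK-Info: AES-256-CBC` form visible in the password_protected.pem hunk, whereas the file it replaces was a PKCS#8 `ENCRYPTED PRIVATE KEY`; the legacy form derives its encryption key with the old single-iteration MD5-based scheme, so unless the traditional form is needed deliberately, keep PKCS#8 for the encrypted variant: `fmt = PrivateFormat.PKCS8 if password else PrivateFormat.TraditionalOpenSSL` and `return key.private_bytes(Encoding.PEM, fmt, enc)`. The verification block at the end shells out to `openssl`, so on a machine that has only the `cryptography` package the script writes all eight files and then dies with `FileNotFoundError`; checking `shutil.which("openssl")` up front and reporting that verification was skipped would be clearer, and the mid-file `import subprocess` belongs at the top with the other imports. The module docstring should also say that serials are fixed (1, 2, 3, 4, 100, 200), so every regeneration yields a new CA key but reused issuer/serial pairs, which matters for anything that identifies certificates by issuer and serial.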
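Review bot: The wrapper's header says only `Requires: pip install cryptography`, but `gen-certs.py` also needs an `openssl` binary on PATH for its verification step, while the new `test/certificates/README.md` in this commit lists only `OpenSSL 1.1+ or LibreSSL 3+` and not `cryptography`; the two documents should name the same prerequisites. A guard in the wrapper makes the failure explicit before any certificate file is rewritten: `command -v openssl >/dev/null || { echo "openssl not found on PATH" >&2; exit 1; }`, with the header line changed to `# Requires: pip install cryptography, plus an openssl binary on PATH`.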
@@ -1,51 +1,54 @@ ------BEGIN ENCRYPTED PRIVATE KEY----- -MIIFHzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIC8as6PDVhwECAggA -MB0GCWCGSAFlAwQBAgQQTYOgCJcRqUI7dsgqNojv/ASCBNCG9fiu642V4AuFK34c -Q42lvy/cR0CIXLq/rDXN1L685kdeKex7AfDuRtnjY2+7CLJiJimgQNJXDJPHab/k -MBHbwbBs38fg6eSYX8V08/IyyTege5EJMhYxmieHDC3DXKt0gyHk6hA/r5+Mr49h -HeVGwqBLJEQ3gVIeHaOleZYspsXXWqOPHnFiqnk/biaJS0+LkDDEiQgTLEYSnOjP -lexxUc4BV/TN0Z920tZCMfwx7IXD/C+0AkV/Iqq4LALmT702EccB3indaIJ8biGR -radqDLR32Q+vT9uZHgT8EFiUsISMqhob2mnyTfFV/s9ghWwogjSz0HrRcq6fxdg7 -oeyT9K0ET53AGTGmV0206byPu6qCj1eNvtn+t1Ob+d5hecaTugRMVheWPlc5frsz -AcewDNa0pv4pZItjAGMqOPJHfzEDnzTJXpLqGYhg044H1+OCY8+1YK7U0u8dO+/3 -f5AoDMq18ipDVTFTooJURej4/Wjbrfad3ZFjp86nxfHPeWM1YjC9+IlLtK1wr0/U -V8TjGqCkw8yHayz01A86iA8X53YQBg+tyMGjxmivo6LgFGKa9mXGvDkN+B+0+OcA -PqldAuH/TJhnkqzja767e4n9kcr+TmV19Hn1hcJPTDrRU8+sSqQFsWN4pvHazAYB -UdWie+EXI0eU2Av9JFgrVcpRipXjB48BaPwuBw8hm+VStCH7ynF4lJy6/3esjYwk -Mx+NUf8+pp1DRzpzuJa2vAutzqia5r58+zloQMxkgTZtJkQU6OCRoUhHGVk7WNb1 -nxsibOSzyVSP9ZNbHIHAn43vICFGrPubRs200Kc4CdXsOSEWoP0XYebhiNJgGtQs -KoISsV4dFRLwhaJhIlayTBQz6w6Ph87WbtuiAqoLiuqdXhUGz/79j/6JZqCH8t/H -eZs4Dhu+HdD/wZKJDYAS+JBsiwYWnI3y/EowZYgLdOMI4u6xYDejhxwEw20LW445 -qjJ7pV/iX2uavazHgC91Bfd4zodfXIQ1IDyTmb51UFwx0ARzG6enntduO6xtcYU9 -MXwfrEpuZ/MkWTLkR0PHPbIPcR1MiVwPKdvrLk42Bzj/urtXYrAFUckMFMzEh+uv -0lix2hbq/Xwj4dXcY4w9hnC6QQDCJTf9S6MU6OisrZHKk0qZ2Vb4aU/eBcBsHBwo -X/QGcDHneHxlrrs2eLX26Vh8Odc5h8haeIxnfaa1t+Yv56OKHuAztPMnJOUL7KtQ -A556LxT0b5IGx0RcfUcbG8XbxEHseACptoDOoguh9923IBI0uXmpi8q0P815LPUu -0AsE47ATDMGPnXbopejRDicfgMGjykJn8vKO8r/Ia3Fpnomx4iJNCXGqomL+GMpZ -IhQbKNrRG6XZMlx5kVCT0Qr1nOWMiOTSDCQ5vrG3c1Viu+0bctvidEvs+LCm98tb -7ty8F0uOno0rYGNQz18OEE1Tj+E19Vauz1U35Z5SsgJJ/GfzhSJ79Srmdg2PsAzk -AUNTKXux1GLf1cMjTiiU5g+tCEtUL9Me7lsv3L6aFdrCyRbhXUQfJh4NAG8+3Pvh -EaprThBzKsVvbOfU81mOaH9YMmUgmxG86vxDiNtaWd4v6c1k+HGspJr/q49pcXZP -ltBMuS9AihstZ1sHJsyQCmNXkA== ------END ENCRYPTED PRIVATE KEY----- +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: 
AES-256-CBC,2A1A2A327D032B31FE54E4A4C4C470C7 + +MkuZ4JgpxXQs5zYCF9a5CgWhWBNs/eF1KUv1lKzSh6LjjsGczgonpq2sx+ll541B +P6dTMXt9nypkRWuOr5NTMGV1RE4evHgvNEtztQLCyqSK1sZWjsqnDNR9kON4+W2P +KaLKD5ARsw8xvibV3mS2a6an2zWdL5DPm/wGBgUMcmLReX+xxGm6HbCvAr2Xjapi +x/xnmFgqKN/SbdS08M1Lwndpuxa/+LBcSt3zm5JEpEEzSXh+dX//pDM90R8XYBJj +Y4Am3f7uKibFPjFea7qUxDCIlvLaaE594cDztYiz8GdBFihZBWzp05dG+fFj+U5V +6L4EjIHoJ4j5bZUfmPJTOvXmG9H8PSayOC+JuxR7HcarZF2HsvQa5+yJLy5VP3zM +0fOkHnbIZdwCys3rkZxqh+77JfJIuu8eX0+Mu2uW7UBoyNxs4n1rqQXWk3nx5PgZ +DVUbSDwzqwOhl2nF7VeiurfLQLcbQMuUkWBh4n4Pyki1VCekqQMisi7ibMgZ+iPi +lSnTR8MvXVaK53lpvLdG0K0yQDIMA5TmRnStH0zWQwZBqfrVSgnt2Lm3bJrj2owf +yeh192X3wlL2GNUzu+tBSGs1QCllLXqnDM+6lV+zYzZEg2KhsUxGS8IpUvv96w8m +RayHj5+AFlPWBWEnNLlMK+hVBXuklerZufHvNQ+y1q2muiKPCCdXK+s+zw33LOis +ibohNvjtfgawcxXaEw0GqoVnd17J/CO7gY6jrnS+9hS4UinXiPvfMuVUdbKsMiMA +WWwta7xPz41IohewdwjByjN1qHTzFaGCiGRoXda7l2sRXfF9HjxepB6wYpQApN4z +ki3bBuuwR+vJo6SnAkpkcYAdQMsztTrpiOVlu/HUha0+l6A9eb/rkm8n+7O5hLgs +O6m/n/Rjw2biX8U2ElBstvsyQgECXKmjU/NBz5mZ72KuG9lJg2wdk3QNFGWxZnPH +wnbWyqhqwPmeIGkYQXfqMFAFpzmOxdqAlG/v9hp4kLPmuV8vc1S2g85TVX/vCRxP +cET3zfR7s+Glb793gN1vx6z1MTbs4MuamfjfVjGvSY0Dm8tiboupDC1PowBw3fVE +DIx6lLK4E/2uNQOXy2mu/enTQ1D7lAwSflfMTEjscIstCLkW3IprdV9nQOZdDysq +3jkB/FpX/u4hhveZaNwUVFxyI4i3ligJjvfGVDxPmNreO4cJ6b9UrWbj15HfjfkF +1QUlqe+pie3X9+yv2K7FmACmtR8ZAFBWGpYRNuQQiIgXe+HUiyrkkLubn6gqBjcF +jwc64lMRTAQHWY/MlYKg+6YMsVYgcCjhi16RG+8zWyBsXIJISZzJbv/OIqrhxTcY +mqEsyR+/GCoEoKeaLgxiEPizNtOH37gG0bFuRVsJDUJ0Wg89ZvJexLY3VuQmdTDn +Kew8O25oqMboz5oI5hcnJiYl8AkUvmMSbWG1akpwExtWv6FQckJznUaSiwaiIgtd +v5fBzxiGrqBs/9cxuDfBdG5hN91NiGv7XfJh3az9/Ln3lnSABFH0ZFtyHQhuvhaa +MyT/MW3DnEHlpAXPamWuxgZsS5BeyJWimCi9JjCmVcknZrxP8CFVXHiPDic4ZD8s +-----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIIDgzCCAmugAwIBAgIDBXUHMA0GCSqGSIb3DQEBCwUAMHkxGzAZBgNVBAMTEkRy -aXZlcnMgVGVzdGluZyBDQTEQMA4GA1UECxMHRHJpdmVyczEQMA4GA1UEChMHTW9u -Z29EQjEWMBQGA1UEBxMNTmV3IFlvcmsgQ2l0eTERMA8GA1UECBMITmV3IFlvcmsx 
-CzAJBgNVBAYTAlVTMB4XDTE5MDUyMzAwMDEyOVoXDTM5MDUyMzAwMDEyOVowaTEP -MA0GA1UEAxMGY2xpZW50MRAwDgYDVQQLEwdEcml2ZXJzMQwwCgYDVQQKEwNNREIx -FjAUBgNVBAcTDU5ldyBZb3JrIENpdHkxETAPBgNVBAgTCE5ldyBZb3JrMQswCQYD -VQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOqCb0Lo4XsV -W327Wlnqc5rwWa5Elw0rFuehSfViRIcYfuFWAPXoOj3fIDsYz6d41G8hp6tkF88p -swlbzDF8Fc7mXDhauwwl2F/NrWYUXwCT8fKju4DtGd2JlDMi1TRDeofkYCGVPp70 -vNqd0H8iDWWs8OmiNrdBLJwNiGaf9y15ena4ImQGitXLFn+qNSXYJ1Rs8p7Y2PTr -L+dff5gJCVbANwGII1rjMAsrMACPVmr8c1Lxoq4fSdJiLweosrv2Lk0WWGsO0Seg -ZY71dNHEyNjItE+VtFEtslJ5L261i3BfF/FqNnH2UmKXzShwfwxyHT8o84gSAltQ -5/lVJ4QQKosCAwEAAaMkMCIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF -BwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBOAlKxIMFcTZ+4k8NJv97RSf+zOb5Wu2ct -uxSZxzgKTxLFUuEM8XQiEz1iHQ3XG+uV1fzA74YLQiKjjLrU0mx54eM1vaRtOXvF -sJlzZU8Z2+523FVPx4HBPyObQrfXmIoAiHoQ4VUeepkPRpXxpifgWd/OCWhLDr2/ -0Kgcb0ybaGVDpA0UD9uVIwgFjRu6id7wG+lVcdRxJYskTOOaN2o1hMdAKkrpFQbd -zNRfEoBPUYR3QAmAKP2HBjpgp4ktOHoOKMlfeAuuMCUocSnmPKc3xJaH/6O7rHcf -/Rm0X411RH8JfoXYsSiPsd601kZefhuWvJH0sJLibRDvT7zs8C1v +MIIEEzCCAvugAwIBAgIBAjANBgkqhkiG9w0BAQsFADB5MQswCQYDVQQGEwJVUzER +MA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAOBgNV +BAoMB01vbmdvREIxEDAOBgNVBAsMB0RyaXZlcnMxGzAZBgNVBAMMEkRyaXZlcnMg +VGVzdGluZyBDQTAeFw0yNjA2MDcxODUzMjBaFw00NjA2MDMxODUzMjBaMGkxDzAN +BgNVBAMMBmNsaWVudDEQMA4GA1UECwwHRHJpdmVyczEMMAoGA1UECgwDTURCMRYw +FAYDVQQHDA1OZXcgWW9yayBDaXR5MREwDwYDVQQIDAhOZXcgWW9yazELMAkGA1UE +BhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCGjHibyL6EtuJr +zcLf0G+zDoxEgr8Py7T6s9Gb0KaH0Cid/YrPbbfBgezo6GKlyjAyCQaVNLO25W9V +KlIhI3LLhFU8q6RRXkzcgjtofb6ngfocVYbIe8schYINzS9rAAO0LAJwGhCMnyAZ +ph2kFwNAGsgk+1bP/1BhxzZ7Uqv6Rr/YuH8N3omMWpWZJbMdNFQk830n0MSxSClm +5GV0QYFmaZLO+PYfCg4ra2Awy/bObKS4sgqY8Q77CBzFAwL+40gF1AYuyIeuYyRc +gTsDL9fWpHw/cc6HJ4/IzYxtmeR9sukjBxz3cQiArXPglCfsQ7yHstMxFSqzsjyS +/Ty7XMxrAgMBAAGjgbUwgbIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF +BwMCMIGNBgNVHSMEgYUwgYKhfaR7MHkxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhO 
+ZXcgWW9yazEWMBQGA1UEBwwNTmV3IFlvcmsgQ2l0eTEQMA4GA1UECgwHTW9uZ29E +QjEQMA4GA1UECwwHRHJpdmVyczEbMBkGA1UEAwwSRHJpdmVycyBUZXN0aW5nIENB +ggFkMA0GCSqGSIb3DQEBCwUAA4IBAQCi1zSezWD8IpIjzj+I6hlXIRbV5twftNkd +nA86NaYfx+k1khoOV99gjALYff4IzCZoDZ027VeqL1mQblh4OM2o7Iirns4G21ka +bpSbjgKs3PbijcWHgWpjnWHL1osQsP/WApaZQbNIyh29F0qDmKm5fgn7eHqX4oTV +DTHzOd+tTVTkM1UHzJnYf1+1IdFwzyTVz2RT5uakuHwpJRTQhQBAdahOZPxFUURN +x7N9s/T7UnAmKHCzl7QFxfN/BsjPb8RxgRP5Rl+lU/WF+MIeK2QiJ7d2jRa9Eewn +v+8kv+HCaER3D5KpjFzM5IFofUF58J7RCZQYf71gK9kqgcIq4jpX -----END CERTIFICATE----- diff --git a/test/certificates/server.pem b/test/certificates/server.pem index e745e037fc..813ff71d63 100644 --- a/test/certificates/server.pem +++ b/test/certificates/server.pem 
@@ -1,49 +1,52 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEogIBAAKCAQEAhNrB0E6GY/kFSd8/vNpu/t952tbnOsD5drV0XPvmuy7SgKDY -a/S+xb/jPnlZKKehdBnH7qP/gYbv34ZykzcDFZscjPLiGc2cRGP+NQCSFK0d2/7d -y15zSD3zhj14G8+MkpAejTU+0/qFNZMc5neDvGanTe0+8aWa0DXssM0MuTxIv7j6 -CtsMWeqLLofN7a1Kw2UvmieCHfHMuA/08pJwRnV/+5T9WONBPJja2ZQRrG1BjpI4 -81zSPUZesIqi8yDlExdvgNaRZIEHi/njREqwVgJOZomUY57zmKypiMzbz48dDTsV -gUStxrEqbaP+BEjQYPX5+QQk4GdMjkLf52LR6QIDAQABAoIBAHSs+hHLJNOf2zkp -S3y8CUblVMsQeTpsR6otaehPgi9Zy50TpX4KD5D0GMrBH8BIl86y5Zd7h+VlcDzK -gs0vPxI2izhuBovKuzaE6rf5rFFkSBjxGDCG3o/PeJOoYFdsS3RcBbjVzju0hFCs -xnDQ/Wz0anJRrTnjyraY5SnQqx/xuhLXkj/lwWoWjP2bUqDprnuLOj16soNu60Um -JziWbmWx9ty0wohkI/8DPBl9FjSniEEUi9pnZXPElFN6kwPkgdfT5rY/TkMH4lsu -ozOUc5xgwlkT6kVjXHcs3fleuT/mOfVXLPgNms85JKLucfd6KiV7jYZkT/bXIjQ+ -7CZEn0ECgYEA5QiKZgsfJjWvZpt21V/i7dPje2xdwHtZ8F9NjX7ZUFA7mUPxUlwe -GiXxmy6RGzNdnLOto4SF0/7ebuF3koO77oLup5a2etL+y/AnNAufbu4S5D72sbiz -wdLzr3d5JQ12xeaEH6kQNk2SD5/ShctdS6GmTgQPiJIgH0MIdi9F3v0CgYEAlH84 -hMWcC+5b4hHUEexeNkT8kCXwHVcUjGRaYFdSHgovvWllApZDHSWZ+vRcMBdlhNPu -09Btxo99cjOZwGYJyt20QQLGc/ZyiOF4ximQzabTeFgLkTH3Ox6Mh2Rx9yIruYoX -nE3UfMDkYELanEJUv0zenKpZHw7tTt5yXXSlEF0CgYBSsEOvVcKYO/eoluZPYQAA -F2jgzZ4HeUFebDoGpM52lZD+463Dq2hezmYtPaG77U6V3bUJ/TWH9VN/Or290vvN -v83ECcC2FWlSXdD5lFyqYx/E8gqE3YdgqfW62uqM+xBvoKsA9zvYLydVpsEN9v8m -6CSvs/2btA4O21e5u5WBTQKBgGtAb6vFpe0gHRDs24SOeYUs0lWycPhf+qFjobrP -lqnHpa9iPeheat7UV6BfeW3qmBIVl/s4IPE2ld4z0qqZiB0Tf6ssu/TpXNPsNXS6 -dLFz+myC+ufFdNEoQUtQitd5wKbjTCZCOGRaVRgJcSdG6Tq55Fa22mOKPm+mTmed -ZdKpAoGAFsTYBAHPxs8nzkCJCl7KLa4/zgbgywO6EcQgA7tfelB8bc8vcAMG5o+8 -YqAfwxrzhVSVbJx0fibTARXROmbh2pn010l2wj3+qUajM8NiskCPFbSjGy7HSUze -P8Kt1uMDJdj55gATzn44au31QBioZY2zXleorxF21cr+BZCJgfA= ------END RSA PRIVATE KEY----- ------BEGIN CERTIFICATE----- -MIIDlTCCAn2gAwIBAgICdxUwDQYJKoZIhvcNAQELBQAweTEbMBkGA1UEAxMSRHJp -dmVycyBUZXN0aW5nIENBMRAwDgYDVQQLEwdEcml2ZXJzMRAwDgYDVQQKEwdNb25n -b0RCMRYwFAYDVQQHEw1OZXcgWW9yayBDaXR5MREwDwYDVQQIEwhOZXcgWW9yazEL 
-MAkGA1UEBhMCVVMwHhcNMTkwNTIyMjIzMjU2WhcNMzkwNTIyMjIzMjU2WjBwMRIw -EAYDVQQDEwlsb2NhbGhvc3QxEDAOBgNVBAsTB0RyaXZlcnMxEDAOBgNVBAoTB01v -bmdvREIxFjAUBgNVBAcTDU5ldyBZb3JrIENpdHkxETAPBgNVBAgTCE5ldyBZb3Jr -MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAITa -wdBOhmP5BUnfP7zabv7fedrW5zrA+Xa1dFz75rsu0oCg2Gv0vsW/4z55WSinoXQZ -x+6j/4GG79+GcpM3AxWbHIzy4hnNnERj/jUAkhStHdv+3ctec0g984Y9eBvPjJKQ -Ho01PtP6hTWTHOZ3g7xmp03tPvGlmtA17LDNDLk8SL+4+grbDFnqiy6Hze2tSsNl -L5ongh3xzLgP9PKScEZ1f/uU/VjjQTyY2tmUEaxtQY6SOPNc0j1GXrCKovMg5RMX -b4DWkWSBB4v540RKsFYCTmaJlGOe85isqYjM28+PHQ07FYFErcaxKm2j/gRI0GD1 -+fkEJOBnTI5C3+di0ekCAwEAAaMwMC4wLAYDVR0RBCUwI4IJbG9jYWxob3N0hwR/ -AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3DQEBCwUAA4IBAQBol8+YH7MA -HwnIh7KcJ8h87GkCWsjOJCDJWiYBJArQ0MmgDO0qdx+QEtvLMn3XNtP05ZfK0WyX -or4cWllAkMFYaFbyB2hYazlD1UAAG+22Rku0UP6pJMLbWe6pnqzx+RL68FYdbZhN -fCW2xiiKsdPoo2VEY7eeZKrNr/0RFE5EKXgzmobpTBQT1Dl3Ve4aWLoTy9INlQ/g -z40qS7oq1PjjPLgxINhf4ncJqfmRXugYTOnyFiVXLZTys5Pb9SMKdToGl3NTYWLL -2AZdjr6bKtT+WtXyHqO0cQ8CkAW0M6VOlMluACllcJxfrtdlQS2S4lUIj76QKBdZ -khBHXq/b8MFX ------END CERTIFICATE----- +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAxnAdSc+RDsXTgJipcYiVMhAhiOUzMGDjruTp4nrRFiothP4K +JO+73eA38GhAzlCLVXtsewQRBYS0jFsGACPf9qO6YmBLdRh7SqftlYsENiZDiC+E +WUT58R+2z8zoYSl6mJUk4ARwUlB9PxLKI9OSC9ZpcVOWg/LNv5pE/vTMCUoPWNAK +Fx0ltNzMkWt8yzZvAStEwm/oOiPb+ngtJQM/748L3Ra6m7HK/VUzcgZbb7TJN2ag +ydO8Y46lEjQKqzJOoK4LiPtMdJYlI1SlEX67CPGw0VEjDU7G2+IUzR573bE99Qvq +fLcTvV/aIgUo9tCz4fcuvKrStczh299btcLspQIDAQABAoIBAAZ9HggO2IByKZNX +6pqCy9YiPuZ6EC1xzaAnbhpwx6uA35IsuGoyyKLdtRaQYiYc7iFycr6nCGN0zm6U +f2K7yZQIEI0s9uqyTT3ItfUg4Zdfsu+eFibRIZcn4VN0MNkUgSTCI72Lh5y5cw7/ +70oyneDzNul0wUQ5SU8NnVn06UMYcQ7uRnBtVwW5BY6ziVQh3NU+wspc5ywhocVp +NULn/mc3xcwMrv6Y08Dp4sYP5mS4tvVEqZfmssakzV14PgJIpklV/pGdHa89RLdw +lXAEJS1NBf63weCpEi4b5EtktxS4Q5EkNE7zuL2RAdMBWqfVccUu4jLM1xiMBRgo +m8h52ZUCgYEA+DtODv+T6e6oxsIB+Ma5GSoRsxvDCN5pZbWggeJmtBytJheckpF0 +lRRzodfigVUoTKLqQJjADoiYZ3tFeKUeDKsiURzsCiLxEJCt6JT0c/xPupdC1m3O 
+WtYr8uied1ghvnlKm2CRj1F4jIiedmNN+gFZjxNnh7KAqjwzuJ51mFcCgYEAzKXj +xffn6RnwQZKYssP1g9GnPiJ4mueEt5uSbA2KlyWlcxy+e0TqJRjTv7gpxT5fm8LC +/gx812LWOX7ZIU+03IpbmQU+Ske8QrgBih9phdTSTqg58zfRUIZ6tpWn+ssp7IAz +0PFgcnfhKf/BhtT2Sjpe3L4LR4CYmCABLSzZNWMCgYAcTxcd2sPRn+gbkrCK4I7n +ccbG+FmLv2Ghuc7uQRWZYNPWTkcK6A+1mLl/MZGhUkbgRowUhdcRUT6gPoyzr5D3 +vOSS/4tjtIxtaTKMHcCrIZEuJGX48ljgPyCP+TtpPOHMSSTbB25SO+ZVkJcRxU11 +P4YpLPtXnGHUCD2Vxmx+zQKBgQCKr309gvRBzxc3iN48f3oZe/HntLqg13bkauR+ +n2qlZZjK+tbHePtoanvNeEOubMekKge03MeZu1xMGH+TCI4byxOqDpiZBCY73LEG +ZqU/Ueu37F9hSRlrhccRhzgQSLA/mt4CoiFnUYBg0vbWpenGgeoZlBzWtvoyVbYW +ZEdK2wKBgG7WHcgNW5wuTojLp2Jpybxt7sV7kDhm89px/bhMcA6VNCYQU6GiYdi5 +yY3H12XJfMOJzVsSZpqjc0pCFVd8q7BHVfZAai9Ampcd61dBOak7pEQyNxyysaCE +tueB7Fz43W52sgCzt0m5ekghJjXaMJRoBVKOzTlx2bXydEHWM5MA +-----END RSA PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIEJjCCAw6gAwIBAgIBATANBgkqhkiG9w0BAQsFADB5MQswCQYDVQQGEwJVUzER +MA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAOBgNV +BAoMB01vbmdvREIxEDAOBgNVBAsMB0RyaXZlcnMxGzAZBgNVBAMMEkRyaXZlcnMg +VGVzdGluZyBDQTAeFw0yNjA2MDcxODUzMjBaFw00NjA2MDMxODUzMjBaMHAxCzAJ +BgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazEWMBQGA1UEBwwNTmV3IFlvcmsg +Q2l0eTEQMA4GA1UECgwHTW9uZ29EQjEQMA4GA1UECwwHRHJpdmVyczESMBAGA1UE +AwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxnAd +Sc+RDsXTgJipcYiVMhAhiOUzMGDjruTp4nrRFiothP4KJO+73eA38GhAzlCLVXts +ewQRBYS0jFsGACPf9qO6YmBLdRh7SqftlYsENiZDiC+EWUT58R+2z8zoYSl6mJUk +4ARwUlB9PxLKI9OSC9ZpcVOWg/LNv5pE/vTMCUoPWNAKFx0ltNzMkWt8yzZvAStE +wm/oOiPb+ngtJQM/748L3Ra6m7HK/VUzcgZbb7TJN2agydO8Y46lEjQKqzJOoK4L +iPtMdJYlI1SlEX67CPGw0VEjDU7G2+IUzR573bE99QvqfLcTvV/aIgUo9tCz4fcu +vKrStczh299btcLspQIDAQABo4HBMIG+MCwGA1UdEQQlMCOCCWxvY2FsaG9zdIcE +fwAAAYcQAAAAAAAAAAAAAAAAAAAAATCBjQYDVR0jBIGFMIGCoX2kezB5MQswCQYD +VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp +dHkxEDAOBgNVBAoMB01vbmdvREIxEDAOBgNVBAsMB0RyaXZlcnMxGzAZBgNVBAMM +EkRyaXZlcnMgVGVzdGluZyBDQYIBZDANBgkqhkiG9w0BAQsFAAOCAQEAo6XZjd/0 
+Jmc80JOMp5T3qGWGgu1CE0bmtwMbNy3E2z6nxfb6nLJlHn3Pxczp3/9acALakOyZ +9eK9Y0ipu50Vd6wAyD7C9lMGFkiNbHagvC6RGbBff3OJvL5ijsiQDHaJNaC9UuX1 +9l0A60XgOj5nk56+W0a3NKo5phEIHbgY1nyJcK7Ih951MMDmrtg7Kgq+czssQwvV +8AtB+10zN3WIanRC0lR3YhihiOi+a0qnNjWwFGt5cHqBxZQcJ6sVqC994haBNiPf +8l5FcbCFwLhuXN7tTxIgT88757nzm2zm9ZMCWt7UdDa4mXqpJTW7+0zKDYAIw2p7 +3Y0OEy4KgIAgOg== +-----END CERTIFICATE----- diff --git a/test/certificates/trusted-ca.pem b/test/certificates/trusted-ca.pem index a6f6f312d0..b759fe503e 100644 --- a/test/certificates/trusted-ca.pem +++ b/test/certificates/trusted-ca.pem 
@@ -1,82 +1,22 @@ -# CA bundle file used to test tlsCAFile loading for OCSP. -# Copied from the server: -# https://github.com/mongodb/mongo/blob/r4.3.4/jstests/libs/trusted-ca.pem - -# Autogenerated file, do not edit. -# Generate using jstests/ssl/x509/mkcert.py --config jstests/ssl/x509/certs.yml trusted-ca.pem -# -# CA for alternate client/server certificate chain. -----BEGIN CERTIFICATE----- -MIIDojCCAooCBG585gswDQYJKoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMxETAP -BgNVBAgMCE5ldyBZb3JrMRYwFAYDVQQHDA1OZXcgWW9yayBDaXR5MRAwDgYDVQQK -DAdNb25nb0RCMQ8wDQYDVQQLDAZLZXJuZWwxHzAdBgNVBAMMFlRydXN0ZWQgS2Vy -bmVsIFRlc3QgQ0EwHhcNMTkwOTI1MjMyNzQxWhcNMzkwOTI3MjMyNzQxWjB8MQsw -CQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3Jr -IENpdHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEfMB0GA1UE -AwwWVHJ1c3RlZCBLZXJuZWwgVGVzdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP -ADCCAQoCggEBANlRxtpMeCGhkotkjHQqgqvO6O6hoRoAGGJlDaTVtqrjmC8nwySz -1nAFndqUHttxS3A5j4enOabvffdOcV7+Z6vDQmREF6QZmQAk81pmazSc3wOnRiRs -AhXjld7i+rhB50CW01oYzQB50rlBFu+ONKYj32nBjD+1YN4AZ2tuRlbxfx2uf8Bo -Zowfr4n9nHVcWXBLFmaQLn+88WFO/wuwYUOn6Di1Bvtkvqum0or5QeAF0qkJxfhg -3a4vBnomPdwEXCgAGLvHlB41CWG09EuAjrnE3HPPi5vII8pjY2dKKMomOEYmA+KJ -AC1NlTWdN0TtsoaKnyhMMhLWs3eTyXL7kbkCAwEAAaMxMC8wDAYDVR0TBAUwAwEB -/zAfBgNVHREEGDAWgglsb2NhbGhvc3SCCTEyNy4wLjAuMTANBgkqhkiG9w0BAQsF -AAOCAQEAQk56MO9xAhtO077COCqIYe6pYv3uzOplqjXpJ7Cph7GXwQqdFWfKls7B -cLfF/fhIUZIu5itStEkY+AIwht4mBr1F5+hZUp9KZOed30/ewoBXAUgobLipJV66 -FKg8NRtmJbiZrrC00BSO+pKfQThU8k0zZjBmNmpjxnbKZZSFWUKtbhHV1vujver6 -SXZC7R6692vLwRBMoZxhgy/FkYRdiN0U9wpluKd63eo/O02Nt6OEMyeiyl+Z3JWi -8g5iHNrBYGBbGSnDOnqV6tjEY3eq600JDWiodpA1OQheLi78pkc/VQZwof9dyBCm -6BoCskTjip/UB+vIhdPFT9sgUdgDTg== ------END CERTIFICATE----- ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDZUcbaTHghoZKL -ZIx0KoKrzujuoaEaABhiZQ2k1baq45gvJ8Mks9ZwBZ3alB7bcUtwOY+Hpzmm7333 -TnFe/merw0JkRBekGZkAJPNaZms0nN8Dp0YkbAIV45Xe4vq4QedAltNaGM0AedK5 
-QRbvjjSmI99pwYw/tWDeAGdrbkZW8X8drn/AaGaMH6+J/Zx1XFlwSxZmkC5/vPFh -Tv8LsGFDp+g4tQb7ZL6rptKK+UHgBdKpCcX4YN2uLwZ6Jj3cBFwoABi7x5QeNQlh -tPRLgI65xNxzz4ubyCPKY2NnSijKJjhGJgPiiQAtTZU1nTdE7bKGip8oTDIS1rN3 -k8ly+5G5AgMBAAECggEAS7GjLKgT88reSzUTgubHquYf1fZwMak01RjTnsVdoboy -aMJVwzPsjgo2yEptUQvuNcGmz54cg5vJaVlmPaspGveg6WGaRmswEo/MP4GK98Fo -IFKkKM2CEHO74O14XLN/w8yFA02+IdtM3X/haEFE71VxXNmwawRXIBxN6Wp4j5Fb -mPLKIspnWQ/Y/Fn799sCFAzX5mKkbCt1IEgKssgQQEm1UkvmCkcZE+mdO/ErYP8A -COO0LpM+TK6WQY2LKiteeCCiosTZFb1GO7MkXrRP5uOBZKaW5kq1R0b6PcopJPCM -OcYF0Zli6KB7oiQLdXgU2jCaxYOnuRb6RYh2l7NvAQKBgQD6CZ9TKOn/EUQtukyw -pvYTyt1hoLXqYGcbRtLc1gcC+Z2BD28hd3eD/mEUv+g/8bq/OP4wYV9X+VRvR8xN -MmfAG/sJeOCOClz1A1TyNeA+G0GZ25qWHyHQ2W4WlSG1CXQgxGzU6wo/t6wiVW5R -O4jplFVEOXznf4vmVfBJK50R2QKBgQDegGxm23jF2N5sIYDZ14oxms8bbjPz8zH6 -tiIRYNGbSzI7J4KFGY2HiBwtf1yxS22HBL69Y1WrEzGm1vm4aZG/GUwBzI79QZAO -+YFIGaIrdlv12Zm6lpJMmAWlOs9XFirC17oQEwOQFweOdQSt7F/+HMZOigdikRBV -pK+8Kfay4QKBgQDarDevHwUmkg8yftA7Xomv3aenjkoK5KzH6jTX9kbDj1L0YG8s -sbLQuVRmNUAFTH+qZUnJPh+IbQIvIHfIu+CI3u+55QFeuCl8DqHoAr5PEr9Ys/qK -eEe2w7HIBj0oe1AYqDEWNUkNWLEuhdCpMowW3CeGN1DJlX7gvyAang4MYQKBgHwM -aWNnFQxo/oiWnTnWm2tQfgszA7AMdF7s0E2UBwhnghfMzU3bkzZuwhbznQATp3rR -QG5iRU7dop7717ni0akTN3cBTu8PcHuIy3UhJXLJyDdnG/gVHnepgew+v340E58R -muB/WUsqK8JWp0c4M8R+0mjTN47ShaLZ8EgdtTbBAoGBAKOcpuDfFEMI+YJgn8zX -h0nFT60LX6Lx+zcSDY9+6J6a4n5NhC+weYCDFOGlsLka1SwHcg1xanfrLVjpH7Ok -HDJGLrSh1FP2Rq/oFxZ/OKCjonHLa8IulqD/AA+sqYRbysKNsT3Pi0554F2xFEqQ -z/C84nlT1R2uTCWIxvrnpU2h ------END PRIVATE KEY----- -# Pre Oct 2019 trusted-ca.pem -# Transitional pending BUILD update. 
------BEGIN CERTIFICATE----- -MIIDpjCCAo6gAwIBAgIDAghHMA0GCSqGSIb3DQEBBQUAMHwxHzAdBgNVBAMTFlRy -dXN0ZWQgS2VybmVsIFRlc3QgQ0ExDzANBgNVBAsTBktlcm5lbDEQMA4GA1UEChMH -TW9uZ29EQjEWMBQGA1UEBxMNTmV3IFlvcmsgQ2l0eTERMA8GA1UECBMITmV3IFlv -cmsxCzAJBgNVBAYTAlVTMB4XDTE2MDMzMTE0NTY1NVoXDTM2MDMzMTE0NTY1NVow -fDEfMB0GA1UEAxMWVHJ1c3RlZCBLZXJuZWwgVGVzdCBDQTEPMA0GA1UECxMGS2Vy -bmVsMRAwDgYDVQQKEwdNb25nb0RCMRYwFAYDVQQHEw1OZXcgWW9yayBDaXR5MREw -DwYDVQQIEwhOZXcgWW9yazELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUA -A4IBDwAwggEKAoIBAQCePFHZTydC96SlSHSyu73vw//ddaE33kPllBB9DP2L7yRF -6D/blFmno9fSM+Dfg64VfGV+0pCXPIZbpH29nzJu0DkvHzKiWK7P1zUj8rAHaX++ -d6k0yeTLFM9v+7YE9rHoANVn22aOyDvTgAyMmA0CLn+SmUy6WObwMIf9cZn97Znd -lww7IeFNyK8sWtfsVN4yRBnjr7kKN2Qo0QmWeFa7jxVQptMJQrY8k1PcyVUOgOjQ -ocJLbWLlm9k0/OMEQSwQHJ+d9weUbKjlZ9ExOrm4QuuA2tJhb38baTdAYw3Jui4f -yD6iBAGD0Jkpc+3YaWv6CBmK8NEFkYJD/gn+lJ75AgMBAAGjMTAvMAwGA1UdEwQF -MAMBAf8wHwYDVR0RBBgwFoIJbG9jYWxob3N0ggkxMjcuMC4wLjEwDQYJKoZIhvcN -AQEFBQADggEBADYikjB6iwAUs6sglwkE4rOkeMkJdRCNwK/5LpFJTWrDjBvBQCdA -Y5hlAVq8PfIYeh+wEuSvsEHXmx7W29X2+p4VuJ95/xBA6NLapwtzuiijRj2RBAOG -1EGuyFQUPTL27DR3+tfayNykDclsVDNN8+l7nt56j8HojP74P5OMHtn+6HX5+mtF -FfZMTy0mWguCsMOkZvjAskm6s4U5gEC8pYEoC0ZRbfUdyYsxZe/nrXIFguVlVPCB -XnfB/0iG9t+VH5cUVj1LP9skXTW4kXfhQmljUuo+EVBNR6n2nfTnpoC65WeAgHV4 -V+s9mJsUv2x72KtKYypqEVT0gaJ1WIN9N1s= +MIIDlzCCAn+gAwIBAgICAMgwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMx +ETAPBgNVBAgMCE5ldyBZb3JrMRYwFAYDVQQHDA1OZXcgWW9yayBDaXR5MRAwDgYD +VQQKDAdNb25nb0RCMQ8wDQYDVQQLDAZLZXJuZWwxHzAdBgNVBAMMFlRydXN0ZWQg +S2VybmVsIFRlc3QgQ0EwHhcNMjYwNjA3MTg1MzIwWhcNNDYwNjAzMTg1MzIwWjB8 +MQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZ +b3JrIENpdHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEfMB0G +A1UEAwwWVHJ1c3RlZCBLZXJuZWwgVGVzdCBDQTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAOYdJ8NPq6BIcrtz+EznoGo6RI1U3xJ+IELSyQesvaO8OKp5 +o3JOoDbCfaXWwVGq8qbUzcyhkA8gl1xf0MIzHOKrd8f1dieNOPM8tPe3uMcOF2tf +04Ov+ArmYDxtk5k/N6fDCd8anVG1uo1GhQywcYwn2TUHT+NpYuGDDfpv+nLFoj4T 
+Lap3cbHlKgsoWK5/ZzbbsKwHHPbh8LIuSVbafZymvylNsyNrrEMvWTfkGRp5AekS ++Mp1m9plwcezpmkumPgXHuHL0KZOZvy9Slo2EgByl4UjR67ABp4JcoX+JBeHhP/h +8MQLkDW+MYddZ8MBOhRvR8vvgl2tQ/9n3Uz2MrkCAwEAAaMjMCEwDwYDVR0TAQH/ +BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAAfwMivK +0MVkRGPg3PbSh6zgx3wfTnn08Kg9zcSoAG55WkkrW5Kq4H8NQIsEDvbHEFbkRoB+ +vcoKVgepMXhgMbrH9F00yAwTep1kFDzqs4RBPvQs4sOf4xxMs6Ba65hLUIVrBEpN +46XN2NwEyzi2x4J00KfJgGghwNQjFhk0IRIlJ0ygFzGy46QR2j4AzW9PPs4B2lC6 +NkbgvM0O1Bju+cgpKObQG3mCOHQTDXmLMN8Sr9EfZxvvmzQNF/ijFPR6cs/rJmAf +kWOpaEWRul95rs5cZtzYXvhiHVM2FTJs7/hvJIuyhjCFkJP4yppOFsLNCDLwF4lo +Uf2yrrLhqcO6pHc= -----END CERTIFICATE----- diff --git a/test/certificates/wrong-host.pem b/test/certificates/wrong-host.pem new file mode 100644 index 0000000000..5cb119b72f --- /dev/null +++ b/test/certificates/wrong-host.pem 
@@ -0,0 +1,52 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA6PnNveV+f6FvvClQFMlur4j7ZK3RQHEIIRVDOiuOvpIvWzti +oEfQSjfTJjuggcsmWI+gk08ntXhk+6qqBaXSM2FzD2KeaXEJ7kMVujF9f8N++SDb +QX73aTtKjifvfW8IhbtRYJ96njd6dACE21lmm3Nraub1JMF3pF3GyKglSXqsslet +hcEHGhsBv8CJm/J/c+WEfwXWT42Vrik3FLM72zjtw067+f+MftX5CjfAqAl5r0xT +/g7HwPYLQByBuIyAYmmVsb6ejp7r31BqAFGzFeaInsqqVmz8HUCaqa8Zk1enZnmh +4/H821D4n4r/aWFWovWzJkIPp1soNMUU81bHSQIDAQABAoIBAAC1yDSAt1C8xXop +lxKlJYb38Co3pGhhn9B3/980xEfc6rOIvA14gpBDWMuoSV4z6A9Dis4AIwMY1Zf1 +xnRjc79P1/mvR4PTQiA9iJqrbXI+/otUWA68TBVARsMlqIN1m+1Ka55Thhxm12L0 +oHMJs/gb0zM9dnhQ9aQk3Ab/CjQN3+0+g9319Z7F4hYgM9Hr3GvElFlyeaF28g7u +1jT0zPr0NVF5XR0ifIit1Q754xSDotMPzMcG10ESEJQ4pfXsX/88k5NP+vI91sY5 +0Ijg2rUfHaCcxukjwn2AoMcsCBZuWAorYRrjIXvoX5h0ngllCFRwYs0HFgISA1rd +RmcieaECgYEA9rxQ8sax100ioqoVbEudT0QmX1/H/x9Rw4iWivDNuwxOJawWyTMj +gszPe/UzK5QgKQhHRJPPzIfqOYHMrcqzM2bqyAiZijExDiP3p4/xbjt58I4XF4Uc +pG7dooHxq1jSwHqvd9nfcwNUmMoRDGzV45ISgpCkDDVFzZKz3X8CVPkCgYEA8bk5 +h9Vjqy1oDQz3wnta1k8lM9OIEtww5djPsJIaxV43Ait9rtqYiaS9dAk7nn738Jln +TxOWFzYS/zGvZPqOG9Ftvhp+x9NKmgtVOL1qF2MkL1KBj7hssQ6s8VzZnQ4SPHNs +QWhJz/ZJRC2iVF91seajcWqCF8A75dgMY3cMqNECgYAdtz50jtOaX5LdTmi4Gz89 +7bJFaE64/jelugyPfUL51RiQVvKDluIe/bW7cyOPiw54gqO6saakNnZSKLzS7Ye5 +mBqMruR3DUegMVrBVoe4Q/eCrko/retuLmAJE2dcwJzZS61YXOgZfPwyTpvRCEaW +WuBZ0zu+sKfQg2ugMIzCWQKBgHGkTirRJMGGYGO6VATn74XPwcLC0Tdks8xriQEP +P2zI5X2sqrL47DvR6ovSB2h1cuV3iX1AzRBuiLHXTwlfTk4/wKNeW3pgmLMhXtiF +HIqQPqPM20KRRvBa4O28ZEaVJferoBqECCewNzPJbIbUNkYEE5UvqKe35bEiSHi+ +sIHxAoGBAJRC0MA6gFhXwoj/LM1wF5pVUqqm8QXSXKPGDnW7HEuFSIA2dY1UtDvC +q8tZ5cwN4VBWQrxoFN99RUqyOqXq3sH/sdDYduqMvO+FKJknkzitPDiowCVi/uu4 +b8fOQPejGUXHVgAuVVTTrUS7MIy4Uy43S2+Sn/kfxUKVrphoNbKy +-----END RSA PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIEJjCCAw6gAwIBAgIBAzANBgkqhkiG9w0BAQsFADB5MQswCQYDVQQGEwJVUzER +MA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAOBgNV +BAoMB01vbmdvREIxEDAOBgNVBAsMB0RyaXZlcnMxGzAZBgNVBAMMEkRyaXZlcnMg 
+VGVzdGluZyBDQTAeFw0yNjA2MDcxODUzMjBaFw00NjA2MDMxODUzMjBaMHwxCzAJ
+BgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazEWMBQGA1UEBwwNTmV3IFlvcmsg
+Q2l0eTEQMA4GA1UECgwHTW9uZ29EQjEQMA4GA1UECwwHRHJpdmVyczEeMBwGA1UE
+AwwVd3Jvbmdob3N0LmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA6PnNveV+f6FvvClQFMlur4j7ZK3RQHEIIRVDOiuOvpIvWztioEfQ
+SjfTJjuggcsmWI+gk08ntXhk+6qqBaXSM2FzD2KeaXEJ7kMVujF9f8N++SDbQX73
+aTtKjifvfW8IhbtRYJ96njd6dACE21lmm3Nraub1JMF3pF3GyKglSXqsslethcEH
+GhsBv8CJm/J/c+WEfwXWT42Vrik3FLM72zjtw067+f+MftX5CjfAqAl5r0xT/g7H
+wPYLQByBuIyAYmmVsb6ejp7r31BqAFGzFeaInsqqVmz8HUCaqa8Zk1enZnmh4/H8
+21D4n4r/aWFWovWzJkIPp1soNMUU81bHSQIDAQABo4G1MIGyMCAGA1UdEQQZMBeC
+FXdyb25naG9zdC5leGFtcGxlLmNvbTCBjQYDVR0jBIGFMIGCoX2kezB5MQswCQYD
+VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp
+dHkxEDAOBgNVBAoMB01vbmdvREIxEDAOBgNVBAsMB0RyaXZlcnMxGzAZBgNVBAMM
+EkRyaXZlcnMgVGVzdGluZyBDQYIBZDANBgkqhkiG9w0BAQsFAAOCAQEAoRmIKS3Q
+X4xrluZfFsdK+RtK/adFYdmIVAWEajBgQEBJGfyrhQJCGu+mysaIFo8ITPEApliE
+xr4myEOjfSABBPQle1W8v6qCoXo9+D9Gk//Kc6vYjvyZHJw/SPUkcYlAngLwJnse
+8iHSfpCkFIDH2m+iXMgoncgaW5ALdO6OBuRHz30JJSfTmcDp42zqE3BHvWM0qZSI
+5Cj+DWCITXfpTUBwOKdE+TL0eGARck8x5xH99dUfJXJbzwlOXYpNeAOB7hpmcuUF
+QlT7Mr+zvD/lsPRGKZCJFKcGMCEVQ4an6+XCETUNLofM7cAlBZx6tgNEP2QJA9lL
+t0F/hOBFGS072Q==
+-----END CERTIFICATE-----
diff --git a/test/test_encryption.py b/test/test_encryption.py
index 7df9e7ac38..fd0e05e48d 100644
--- a/test/test_encryption.py
+++ b/test/test_encryption.py
@@ -3029,8 +3029,6 @@ def http_post(self, path, data=None):
 # each request because the server is single threaded.
 ctx = ssl.create_default_context(cafile=CA_PEM)
 ctx.load_cert_chain(CLIENT_PEM) 
- ctx.check_hostname = False 
- ctx.verify_mode = ssl.CERT_NONE
 conn = http.client.HTTPSConnection("127.0.0.1:9003", context=ctx)
 try:
 if data is not None:
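Review bot: With the `check_hostname` and `verify_mode` overrides removed, the default context now verifies the mock KMS server's certificate against CA_PEM and matches its identity against the literal host `127.0.0.1`, so this test depends on the server certificate chaining to that CA and carrying an IP SAN for 127.0.0.1; nothing on these lines records that dependency for whoever next regenerates the fixtures. Suggest a comment above the `ctx = ssl.create_default_context(cafile=CA_PEM)` line: `# Full TLS verification: the KMS mock's cert must chain to CA_PEM and carry a 127.0.0.1 SAN`. The enclosing http_post begins before this hunk and its try block continues after it.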