From 25cb9471f08333cf93ba6cb23079a1c4876292af Mon Sep 17 00:00:00 2001
From: Aldo Cortesi
Date: Sun, 20 Jan 2013 22:39:28 +1300
Subject: Add tests for client certificate support.
---
 libmproxy/proxy.py | 2 --
 test/data/clientcert/.gitignore | 3 ++
 test/data/clientcert/127.0.0.1.pem | 66 ++++++++++++++++++++++----------------
 test/data/clientcert/client.cnf | 5 +++
 test/data/clientcert/client.pem | 42 ++++++++++++++++++++++++
 test/data/clientcert/make | 8 +++++
 test/test_server.py | 5 +--
 test/tutils.py | 5 ++-
 8 files changed, 101 insertions(+), 35 deletions(-)
 create mode 100644 test/data/clientcert/.gitignore
 create mode 100644 test/data/clientcert/client.cnf
 create mode 100644 test/data/clientcert/client.pem
 create mode 100755 test/data/clientcert/make
diff --git a/libmproxy/proxy.py b/libmproxy/proxy.py
index 036d26d3..d2452e36 100644
--- a/libmproxy/proxy.py
+++ b/libmproxy/proxy.py
@@ -29,14 +29,12 @@ class ProxyError(Exception):
 return "ProxyError(%s, %s)"%(self.code, self.msg)
-
 class Log(controller.Msg):
 def __init__(self, msg):
 controller.Msg.__init__(self)
 self.msg = msg
-
 class ProxyConfig:
 def __init__(self, certfile = None, cacert = None, clientcerts = None, no_upstream_cert=False, body_size_limit = None, reverse_proxy=None, transparent_proxy=None, certdir = None, authenticator=None):
 assert not (reverse_proxy and transparent_proxy)
diff --git a/test/data/clientcert/.gitignore b/test/data/clientcert/.gitignore
new file mode 100644
index 00000000..07bc53d2
--- /dev/null
+++ b/test/data/clientcert/.gitignore
@@ -0,0 +1,3 @@
+client.crt
+client.key
+client.req
diff --git a/test/data/clientcert/127.0.0.1.pem b/test/data/clientcert/127.0.0.1.pem
index af8d9d8f..d7093b76 100644
--- a/test/data/clientcert/127.0.0.1.pem
+++ b/test/data/clientcert/127.0.0.1.pem
@@ -1,32 +1,42 @@ -----BEGIN RSA PRIVATE KEY----- -MIICXQIBAAKBgQC+6rG6A/BGD0dI+mh2FZIqQZn82z/pGs4f3pyxbHb+ROxjjQOr -fDCw2jc11XDxK7CXpDQAnkO6au/sQ5t50vSZ+PGhFD+t558VV2ausB5OYZsR7RRx -gl1jsxWdde3EHGjxSK+aXRgFpVrZzPLSy6dl8tMoqUMWIBi0u1WTbmyYjwIDAQAB -AoGBAKyqhmK9/Sjf2JDgKGnjyHX/Ls3JXVvtqk6Yfw7YEiaVH1ZJyu/lOgQ414YQ -rDzyTpxXHdERUh/fZ24/FvZvHFgy5gWEQjQPpprIxvqCLKJhX73L2+TnXmfYDApb -J7V/JfnTeOaK9LTpHsofB98A1s9DWX/ccOgKTtZIYMjYpdoBAkEA9hLvtixbO2A2 -ZgDcA9ftVX2WwdpRH+mYXl1G60Fem5nlO3Rl3FDoafRvSQNZiqyOlObvKbbYh/S2 -L7ihEMMNYQJBAMaeLnAc9jO/z4ApTqSBGUpM9b7ul16aSgq56saUI0VULIZcXeo3 -3BwdL2fEOOnzjNy6NpH2BW63h/+2t7lV++8CQQDK+S+1Sr0uKtx0Iv1YRkHEJMW3 -vQbxldNS8wnOf6s0GisVcZubsTkkPLWWuiaf1ln9xMc9106gRmAI2PgyRVHBAkA6 -iI+C9uYP5i1Oxd2pWWqMnRWnSUVO2gWMF7J7B1lFq0Lb7gi3Z/L0Th2UZR2oxN/0 -hORkK676LBhmYgDPG+n9AkAJOnPIFQVAEBAO9bAxFrje8z6GRt332IlgxuiTeDE3 -EAlH9tmZma4Tri4sWnhJwCsxl+5hWamI8NL4EIeXRvPw +MIIEpQIBAAKCAQEA5+OwETm917hxPTtzE05OA5eEoQ6aFqqHIVqfKb3p8BLmpLmH +tqT/ebYL6QrXg23Zz1Tb0Q/qWWHrZRtTrwVJDG1wE2OlN9l9V8bK3LAtSNpuG71d +s0kp8Z2u70lONMlAkiwLz5H+GyJpldAEW3/8ShKQ/b01uxOn7OX70+7R8VtPUPsB +WF5GftpZNzzhKaO9xoJsdPalA5zG/ArbkJokw6Djey1SMaCl7hcc7vy+hZrzNmTe +CVRIq4g0L1CnzvmCaN0Sc3IM2YsO1ur0HoWNOm2ls7Y8sSpoicuAeIQizFJzyeEm +jENQYoYfSwy70UzR7PQRK48+o9Ndk8cA8wunRwIDAQABAoIBAC1PumnDRKtQaSAz +66qMFIZzJwFpnwZqz/jegldfusSkjNkHP9OarikUP4OMEMynvHXc+Q8C8yIAFkUt +b861U67P+6RuRiyBnRJ3z9ALxO2FcRqOiC6uTzndO/+Z7WQ3Jxzo6m3m8yZONR+H +BDL08VFwC1DplgQ2NQv/bJPfCLsGY0ckKJ02Wu/CqVKG0xhTAKU4CRv8fNpdI9n9 +3N+oHnh9ZvuEzB19Mj60AsRxG6pCpnSsvHNvxDFnAxTZ3erv/z9NGCkIJ/EXkHSr +Bm9VtfHocvIHSOrePgUD51wjCj0JdPHijiInNoy3BkMBJjIBV7F7hCYhPNKVc1TM +zjniSaECgYEA/58NmMQGi0plPiWB0eRxcwUEfhbBf9npVag5aowDlSLhkXXGhA8K +RbFIkedjv43usLqS7Nn0SxrPoFH/gGFjxFUxZMh3bhIYYZ05NyC1WN7Gsd8OWg4J +iRqd2HNG74Il6DCOX/PCi94ihOIhjI1FnONPafeXCpzELPLYbOJrn48CgYEA6Dui +VB8jZJAut5J3qKfJzTXS4n49mrsSrHogOixZgdJ8j+8EN//v+q/oYa4VBASKYZpD +EQvyfT35xwDXZU2PyBYQCsgedsXby+LnxVcg5q6a+yNBHVOfWxI5NBLx1ANLF2L1 
+dYofcHAgiPo47JgJu2Xvi599zTMIg8je2GEOoMkCgYEA+HHNlEoKFj2zkyh/OdJv +lZwt1qMlZK8WQ2OiknUNUlk5pdgznszDbiM15mFgKKC5elmMTdo0vv6LCEZKL6v4 +fK1UuaDBu2CpA878+iC3QW4c7mpel5aHHBObkPHR4x263Ca9anMQBkNbh44Fj4cL +PsYLvHGhAvaFES7ivUl/0u8CgYEAkq9QGhhM77EOgQ73m8TXd1He8QbR/JDa+6xr +/LKUmqaL3RIYtRJozwwbGM+vIImJqpqYcAT+1lK2GReT9b2m6rfczCKY82aILWEW +ChS9iFeTNruO3mo6RnjdPuIUc1jdLlloNyTWNNvuAPcjy3VA+GgrhSJpgJoSb8MJ +1tx/M9kCgYEAt+W8W71pFg8cf3VdYjgDhqOJVzINztVSkHRwpkqTchhNo+22WrRc +Bzd56Q2/6Bm8P4EuTZQF9bY7YSk1y2kXQQNx9VyBA9RnQUvtb+LCny9P5TK328jc +wwHeCcodiHe+aCM8t0bU8I0k5xRuX18m9Dml0IL0rvDSlj3+tYorrJs= -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIICsDCCAhmgAwIBAgIJAI7G7a/d5YwEMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV -BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX -aWRnaXRzIFB0eSBMdGQwHhcNMTAwMjAyMDM0MTExWhcNMTEwMjAyMDM0MTExWjBF -MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50 -ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB -gQC+6rG6A/BGD0dI+mh2FZIqQZn82z/pGs4f3pyxbHb+ROxjjQOrfDCw2jc11XDx -K7CXpDQAnkO6au/sQ5t50vSZ+PGhFD+t558VV2ausB5OYZsR7RRxgl1jsxWdde3E -HGjxSK+aXRgFpVrZzPLSy6dl8tMoqUMWIBi0u1WTbmyYjwIDAQABo4GnMIGkMB0G -A1UdDgQWBBS+MFJTsriCPNYsj8/4f+PympPEkzB1BgNVHSMEbjBsgBS+MFJTsriC -PNYsj8/4f+PympPEk6FJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUt -U3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAI7G7a/d -5YwEMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAlpan/QX2fpXVRihV -lQic2DktF4xd5unrZnFC8X8ScNX1ClU+AO79ejaobt4YGjeVYs0iQQsUL2E0G43c -mOXfsq1b970Ep6xRS76EmZ+tTdFBd86tFTIhZJrOi67gs+twj5V2elyp3tQpg2ze -G/jwDQS8V1X9CbfqBQriL7x5Tk4= +MIICYDCCAckCAQEwDQYJKoZIhvcNAQEFBQAwKDESMBAGA1UEAxMJbWl0bXByb3h5 +MRIwEAYDVQQKEwltaXRtcHJveHkwHhcNMTMwMTIwMDg1MDEwWhcNMTUxMDE3MDg1 +MDEwWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UE +ChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEA5+OwETm917hxPTtzE05OA5eEoQ6aFqqHIVqfKb3p8BLmpLmH +tqT/ebYL6QrXg23Zz1Tb0Q/qWWHrZRtTrwVJDG1wE2OlN9l9V8bK3LAtSNpuG71d 
+s0kp8Z2u70lONMlAkiwLz5H+GyJpldAEW3/8ShKQ/b01uxOn7OX70+7R8VtPUPsB +WF5GftpZNzzhKaO9xoJsdPalA5zG/ArbkJokw6Djey1SMaCl7hcc7vy+hZrzNmTe +CVRIq4g0L1CnzvmCaN0Sc3IM2YsO1ur0HoWNOm2ls7Y8sSpoicuAeIQizFJzyeEm +jENQYoYfSwy70UzR7PQRK48+o9Ndk8cA8wunRwIDAQABMA0GCSqGSIb3DQEBBQUA +A4GBAMF+bvgrGUpaMGgE8/NfVWLpYD62cl9+5Tq5l52UZ5LC1NZLcQxtHzRJe1Vs +YYxNRRSe9C2UKq6/t8wA40nXAlBwQl2LbfgJn3M8+jFUb89QCvHptcfZhDd63My4 +eA8L5ciHfbEu6YuG1Oh+iJZ4+yXegiJtMr4pBYC4EvMwmi/N -----END CERTIFICATE----- diff --git a/test/data/clientcert/client.cnf b/test/data/clientcert/client.cnf new file mode 100644 index 00000000..5046a944 --- /dev/null +++ b/test/data/clientcert/client.cnf @@ -0,0 +1,5 @@ +[ ssl_client ] +basicConstraints = CA:FALSE +nsCertType = client +keyUsage = digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth diff --git a/test/data/clientcert/client.pem b/test/data/clientcert/client.pem new file mode 100644 index 00000000..322e07e0 --- /dev/null +++ b/test/data/clientcert/client.pem 
@@ -0,0 +1,42 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAvePcOuHOLzXSNGmunF+adQIsFIVx5F40WmvtLPiuV2mrcJyY +lMvluOk36Yf39jIUlAqP5y2JvzoPI3BAEZHFt4taIe3LrDddolsyzcAWcyQD9ow1 +eTfuF7wIMgi0TY27Azvu602CGZWdlteGiKanaEOn6nsoDZEIxCK4TnaNFFDQSXRq +/9+1X5AsHmaaaUJd+uGhWOfBLuXEDuURGHtnD4TKMpKupS0BX6X5J9QXKNiMQe0B +8T8o196+1gl/wsYyTzESUV1YWe5kAEsqAWZvmLee5+16DIV/CUVk4OS9Ny/fCZY1 +wxvCnUankHNTJtcgNPZ9s1c1MD1NIKrI3NekdwIDAQABAoIBAEKESAgEQ0J8Wvbr +MjQqtSNZsHE70YqKiVJHThybvA54wIpBAJ3W0tC0OVa/v1dpcZXuITx80iy/PMBQ +ONEuvBCwatFJyDe6aT1PLvut1u9cZVr/AFhHBEsiHcjRDb/A7wqR+v5H91PY+gv1 +0XWa0zeNw4s6uuwNqwFxnBg4JPFBRx2C//ds9qiySqoBeElAtZ0kP5t+6hwJ32pn +gA1ZSBVBJUjt3Mgq9Rb1AT+lcWULbX0vHr4YzBeO15sTIOlcxxeKD6tWCdc4/0DQ +L6BefU9FC0xjq7xB7KgGGWiGJvo86YBL520jpXs7oOoIcufWab5Fj1I9klDWAd9d +0M1GdfkCgYEA55pi+avXZxHZ3yr/PR0C5eABFlM1P+u76BkadCxUetndrLEjQKNT +q5aMEGYFPt4zt12MeFmp9PH9N7dLZC4pKMtxl59vugoZtg3Qmnsv7I91dJL6qP1h +SaeQkR+eZXDydlXJYE+v/IArbSraby/p2ja1HNeY5kZrLYKq36guTJMCgYEA0eSa +qkA0zG2pPQjbesBgn5flS9pkGssyveHMUz9khH8l+jYBoFJMFw9/iiokkHjNDzqR +2WkcAiuiCq8Qwt3Y7Pa9AFmRlbvMn3mVMjcdl6KhFwNSSuNA9/jdXlBZw0eQAmui +usmkU4ZDAMsJUYL2CwGkWbwkUGF7Sq3kygaU2w0CgYBoOeUywK+WNcVblij5IrYs +Jwu2NUnwczDD+ZAbGdwG0UbeMXVQ4G+F96EevBq+ORcC/Pl7K7a9ga1XxogKFG/3 +aN68wkZwbZ02fa8T5j4h8kmEZaSiKiz/DYaUmKsasaKbuG2AhzwGoNNqNG/Ku8A8 +sIP+79NiRexztasaLcBwOwKBgQC6hr7QJ+kD9zxcKj/qMYZsra8vHrCxgvzf9AcB +wCdS/C/C0TXWxOwr3jEIlvURktkg/Hray+cBIseJWRS7KC38QDWsVuzjNRbebk0h +aAubUwJ3khMSzCxTck0/4IY03abkD8V423N2aq2mycjJMGn5VAc7W9ClwkuwDSNy +SjEFDQKBgEuTzRXhBql1ZLMZlephjYXe0Q2Q9JBX9hbZ+EC+nxqa1of1lQeVRMGV +fGLgxHmts5NkUCCon+/XPF4F/Lv+YsHDg5J7Evwy80GU4LkkM8NdGy6RbT1Rof7U +9+q66ntLWnzI5nWaUjg6qyJ7hx+IVynmK/F22WhbuJ5iqFEFnSQ/ +-----END RSA PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIICYDCCAckCAQEwDQYJKoZIhvcNAQEFBQAwKDESMBAGA1UEAxMJbWl0bXByb3h5 +MRIwEAYDVQQKEwltaXRtcHJveHkwHhcNMTMwMTIwMDg0OTM5WhcNMTUxMDE3MDg0 +OTM5WjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UE 
+ChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAvePcOuHOLzXSNGmunF+adQIsFIVx5F40WmvtLPiuV2mrcJyY +lMvluOk36Yf39jIUlAqP5y2JvzoPI3BAEZHFt4taIe3LrDddolsyzcAWcyQD9ow1 +eTfuF7wIMgi0TY27Azvu602CGZWdlteGiKanaEOn6nsoDZEIxCK4TnaNFFDQSXRq +/9+1X5AsHmaaaUJd+uGhWOfBLuXEDuURGHtnD4TKMpKupS0BX6X5J9QXKNiMQe0B +8T8o196+1gl/wsYyTzESUV1YWe5kAEsqAWZvmLee5+16DIV/CUVk4OS9Ny/fCZY1 +wxvCnUankHNTJtcgNPZ9s1c1MD1NIKrI3NekdwIDAQABMA0GCSqGSIb3DQEBBQUA +A4GBAM9i0K4Sffaofi/k9QT7GJKWqmQKQVJoueC8ZZvkHRbUoOexIPnKduCzgreZ +M+QCteZHXT0UEMjscm5MuiF+/32sVGsF1aCPWc1esggpuLkhWtxjJtA9d1PE4xjt +z3+hyF+/tAkSVwVtj2WouczBY9HULP2uR1G19DwOJwIaup1Q +-----END CERTIFICATE-----
diff --git a/test/data/clientcert/make b/test/data/clientcert/make
new file mode 100755
index 00000000..e829952d
--- /dev/null
+++ b/test/data/clientcert/make
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+openssl genrsa -out client.key 2048
+openssl req -key client.key -new -out client.req
+openssl x509 -req -days 365 -in client.req -signkey client.key -out client.crt -extfile client.cnf -extensions ssl_client
+openssl x509 -req -days 1000 -in client.req -CA ~/.mitmproxy/mitmproxy-ca.pem -CAkey ~/.mitmproxy/mitmproxy-ca.pem -set_serial 00001 -out client.crt -extensions ssl_client
+cat client.key client.crt > 127.0.0.1.pem
+openssl x509 -text -noout -in 127.0.0.1.pem
diff --git a/test/test_server.py b/test/test_server.py
index 74647601..f0000af4 100644
--- a/test/test_server.py
+++ b/test/test_server.py
@@ -71,9 +71,10 @@ class TestHTTP(tutils.HTTPProxTest, SanityMixin):
 class TestHTTPS(tutils.HTTPProxTest, SanityMixin):
 ssl = True
- # FIXME: Instrument pathod to actually test that client cert is being sent
- # correctly.
 clientcerts = True
+ def test_clientcert(self):
+ f = self.pathod("304")
+ assert self.last_log()["request"]["clientcert"]["keyinfo"]
 class TestReverse(tutils.ReverseProxTest, SanityMixin):
diff --git a/test/tutils.py b/test/tutils.py
index 2dc4c090..9868c778 100644
--- a/test/tutils.py
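Review bot: The CA-signed `openssl x509 -req -days 1000 ...` call names `-extensions ssl_client` but, unlike the self-signed call before it, passes no `-extfile client.cnf`, so the clientAuth constraints in client.cnf are probably not applied; the committed certificates look like plain X.509 v1 certificates without an extensions block, which is consistent with that. Both calls write `client.crt`, so the self-signed step is overwritten and can be dropped, leaving `openssl x509 -req -days 1000 -in client.req -CA ~/.mitmproxy/mitmproxy-ca.pem -CAkey ~/.mitmproxy/mitmproxy-ca.pem -set_serial 00001 -out client.crt -extfile client.cnf -extensions ssl_client`. The script signs with the developer's own `~/.mitmproxy` CA, reuses one fixed serial, and only writes 127.0.0.1.pem. A header comment should therefore say that these are throwaway test keys that must not be trusted anywhere else, that the fixtures expire after 1000 days, and how client.pem is regenerated.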
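Review bot: `test_clientcert` passes for any client certificate, because it only checks that the logged `keyinfo` is truthy and never ties the logged certificate to the fixture under test/data/clientcert. Comparing a stable field of the logged certificate against the fixture (its serial or subject, if pathod's log exposes them) would make the test fail when the proxy presents the wrong certificate. `f` is assigned and never used, so either drop the binding or assert the 304 status on it; a blank line before the `def` would also separate it from the `clientcerts = True` attribute. If no certificate is sent at all, the subscript chain may raise a TypeError or KeyError instead of failing the assertion, depending on what pathod logs in that case.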
+++ b/test/tutils.py
@@ -116,9 +116,8 @@ class ProxTestBase:
 """
 return self.server.urlbase
- def log(self):
- pthread = self.proxy
- return pthread.tmaster.log
+ def last_log(self):
+ return self.server.last_log()
 class HTTPProxTest(ProxTestBase):
--
cgit v1.2.3
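Review bot: `last_log()` is added without a docstring, although the method just above it in ProxTestBase appears to carry one, and it replaces the `log()` helper outright, so any caller of `log()` outside this diff would now fail. A one-line docstring such as `"""Return the most recent entry from the test server's log."""` would state the contract. The method returns whatever the server logged last; if the server instance is shared between tests (not visible in this hunk), a test could read an entry left by an earlier request, so clearing the log during setup is worth considering. The ProxTestBase body starts and ends outside the hunk.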