o

^h�b��
�	@s�dZd
dl
Z
d
dlZd
dlZd
dlmZ
d
dlmZ
d
dlm	Z	
d
dl
mZmZm
Z
mZ
d
dlmZ
d
dlmZmZmZ
d
d	lmZ
d
d
lmZ
d
dlmZ
d
dlmZ
d
d
lmZ
d
dlm Z 
d
dl!m"Z"
d
dl#m$Z$m%Z%m&Z&
dZ'dZ(dZ)dZ*ed�
r�d
dl+Z+d
dl,m-Z-
d
dl.m/Z/m0Z0m1Z1m2Z2m3Z3
d
dl4m5Z5
d
dl6m7Z7
d
dl8m9Z9
d
dl:m;Z;
d
dl<m=Z=m>Z>m?Z?
d
dl@mAZA
d
dl
mBZB
ze-�Ce-jD�
ZEeE�Fdd��

Wn
eGeHfy�


dZ)Yn
wze-�Ce-jD�
ZEeE�Idd��

WneGy�


d Z*Yn	wd!Z'e'Z(e'Z)e'Z*e'�
sd
d"l
mJZK
d
d#lLmMZMmNZN
d
d$lOmPZP
d%ZQd&ZReeS�
jT�Ud'�
�V�ZWe�X�f
d(d)�
ZYd*d+�ZZdyd-d.�
Z[d/d0�Z\dzd1d2�
Z]			d{d3d4�
Z^d5d6�Z_Gd7d8�d8e
j`�ZaGd9d:�d:e
j`�ZbGd;d<�d<�ZcGd=d>�d>e%�ZdGd?d@�d@�ZeGdAdB�dB�ZfGdCdD�dDefe&�ZgGdEdF�dFefe&�ZhGdGdH�dHe%�ZiGdIdJ�dJe&�ZjGdKdL�dLe%�ZkdzdMdN�
ZlGdOdP�dPe&�ZmGdQdR�dRe&�ZnGdSdT�dTe&�ZoGdUdV�dV�ZpGdWdX�dX�ZqGdYdZ�dZ�ZrGd[d\�d\e&�ZsGd]d^�d^e&�ZtGd_d`�d`e&�ZuGdadb�dbe&�ZvGdcdd�dde&�ZwGdedf�dfe&�ZxGdgdh�dh�ZyGdidj�dj�ZzGdkdl�dle&�Z{Gdmdn�dn�Z|Gdodp�dp�Z}Gdqdr�dre%�Z~Gdsdt�dte%�ZGdudv�dve&�Z�Gdwdx�dxe%�Z�dS)|z+
Tests for L{twisted.internet._sslverify}.
�N)
�skipIf)
�implementer)
�Version)�defer�
interfaces�protocol�reactor)
�	_idnaText)�CertificateError�ConnectionClosed�ConnectionLost)
�nativeString)
�FilePath)
�	getModule)
�
requireModule)
�connectedServerAndClient)
�SetAsideModule)
�util)�SkipTest�SynchronousTestCase�TestCase��OpenSSL)
�SSL)�FILETYPE_PEM�TYPE_RSA�X509�PKey�get_elliptic_curves)
�x509)
�default_backend)
�hashes)
�rsa)�Encoding�NoEncryption�
PrivateFormat)
�NameOID)
�sslc


C�dS�
N��
�
cr*r*�=/usr/lib/python3/dist-packages/twisted/test/test_sslverify.py�<lambda>9�r.zINPN is deprecated (and OpenSSL 1.0.1 or greater required for NPN support)c


Cr(r)r*r+r*r*r-r.Br/z2OpenSSL 1.0.2 or greater required for ALPN supportz"OpenSSL is required for SSL tests.)
�
_sslverify)�VerificationError�
platformTrust)
�TLSMemoryBIOFactorya�
-----BEGIN CERTIFICATE-----
        MIIC2jCCAkMCAjA5MA0GCSqGSIb3DQEBBAUAMIG0MQswCQYDVQQGEwJVUzEiMCAG
        A1UEAxMZZXhhbXBsZS50d2lzdGVkbWF0cml4LmNvbTEPMA0GA1UEBxMGQm9zdG9u
        MRwwGgYDVQQKExNUd2lzdGVkIE1hdHJpeCBMYWJzMRYwFAYDVQQIEw1NYXNzYWNo
        dXNldHRzMScwJQYJKoZIhvcNAQkBFhhub2JvZHlAdHdpc3RlZG1hdHJpeC5jb20x
        ETAPBgNVBAsTCFNlY3VyaXR5MB4XDTA2MDgxNjAxMDEwOFoXDTA3MDgxNjAxMDEw
        OFowgbQxCzAJBgNVBAYTAlVTMSIwIAYDVQQDExlleGFtcGxlLnR3aXN0ZWRtYXRy
        aXguY29tMQ8wDQYDVQQHEwZCb3N0b24xHDAaBgNVBAoTE1R3aXN0ZWQgTWF0cml4
        IExhYnMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxJzAlBgkqhkiG9w0BCQEWGG5v
        Ym9keUB0d2lzdGVkbWF0cml4LmNvbTERMA8GA1UECxMIU2VjdXJpdHkwgZ8wDQYJ
        KoZIhvcNAQEBBQADgY0AMIGJAoGBAMzH8CDF/U91y/bdbdbJKnLgnyvQ9Ig9ZNZp
        8hpsu4huil60zF03+Lexg2l1FIfURScjBuaJMR6HiMYTMjhzLuByRZ17KW4wYkGi
        KXstz03VIKy4Tjc+v4aXFI4XdRw10gGMGQlGGscXF/RSoN84VoDKBfOMWdXeConJ
        VyC4w3iJAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAviMT4lBoxOgQy32LIgZ4lVCj
        JNOiZYg8GMQ6y0ugp86X80UjOvkGtNf/R7YgED/giKRN/q/XJiLJDEhzknkocwmO
        S+4b2XpiaZYxRyKWwL221O7CGmtWYyZl2+92YYmmCiNzWQPfP6BOMlfax0AGLHls
        fXzCWdG0O/3Lk2SRM0I=
-----END CERTIFICATE-----
a�
-----BEGIN CERTIFICATE-----
        MIIC3jCCAkcCAjA6MA0GCSqGSIb3DQEBBAUAMIG2MQswCQYDVQQGEwJVUzEiMCAG
        A1UEAxMZZXhhbXBsZS50d2lzdGVkbWF0cml4LmNvbTEPMA0GA1UEBxMGQm9zdG9u
        MRwwGgYDVQQKExNUd2lzdGVkIE1hdHJpeCBMYWJzMRYwFAYDVQQIEw1NYXNzYWNo
        dXNldHRzMSkwJwYJKoZIhvcNAQkBFhpzb21lYm9keUB0d2lzdGVkbWF0cml4LmNv
        bTERMA8GA1UECxMIU2VjdXJpdHkwHhcNMDYwODE2MDEwMTU2WhcNMDcwODE2MDEw
        MTU2WjCBtjELMAkGA1UEBhMCVVMxIjAgBgNVBAMTGWV4YW1wbGUudHdpc3RlZG1h
        dHJpeC5jb20xDzANBgNVBAcTBkJvc3RvbjEcMBoGA1UEChMTVHdpc3RlZCBNYXRy
        aXggTGFiczEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czEpMCcGCSqGSIb3DQEJARYa
        c29tZWJvZHlAdHdpc3RlZG1hdHJpeC5jb20xETAPBgNVBAsTCFNlY3VyaXR5MIGf
        MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnm+WBlgFNbMlHehib9ePGGDXF+Nz4
        CjGuUmVBaXCRCiVjg3kSDecwqfb0fqTksBZ+oQ1UBjMcSh7OcvFXJZnUesBikGWE
        JE4V8Bjh+RmbJ1ZAlUPZ40bAkww0OpyIRAGMvKG+4yLFTO4WDxKmfDcrOb6ID8WJ
        e1u+i3XGkIf/5QIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAD4Oukm3YYkhedUepBEA
        vvXIQhVDqL7mk6OqYdXmNj6R7ZMC8WWvGZxrzDI1bZuB+4aIxxd1FXC3UOHiR/xg
        i9cDl1y8P/qRp4aEBNF6rI0D4AxTbfnHQx4ERDAOShJdYZs/2zifPJ6va6YvrEyr
        yqDtGhklsWW3ZwBzEh5VEOUp
-----END CERTIFICATE-----
z
server.pemc

Cst|�
S)
zQ
    Each time we're called, return the next integer in the natural numbers.
    )
�next)
�counterr*r*r-r5sr5cKs�t�}
|
�
td
�
t�}|�d�

|�d�

|��|��fD]}|��D]\}}t	||t
|�
�
q$q|�t��

|�
|
�

|�|
d�
|
|fS)Nir
i�3�
�md5)r�generate_keyrr�gmtime_adj_notBefore�gmtime_adj_notAfter�
get_issuer�get_subject�items�setattrr
�set_serial_numberr5�
set_pubkey�sign)�kw�keypair�certificate�xname�
k�
vr*r*r-�makeCertificate�s








�


rG�example.comc
	Cs�
t�
t�tjd
�g
�
}
t�
t�tjd�g
�
}t�ddd�}tjddt	�d�}|�
�}t���|
�
�
|
�
�tj��|�
�tj��|�
�t���
�
|�
jtjdd	d
�dd�j|t��t	�d�}tjddt	�d�}|�
�}zt�|�
}	Wnty�


t�|�d
�
�d�
�
g
}
Ynwt�|	�
g
}
t���|�
�
|
�
�tj��|�
�tj��|�
�t���
�
|�
jtjddd
�dd�jt�|
�
dd�j|t��t	�d�}t j!�"|�#t$j%�
�
}t j&�"d�'|�(t$j%t)j*t+��|�#t$j%�
g�
�
}
||
fS)a~

    Create a self-signed CA certificate and server certificate signed by the
    CA.

    @param serviceIdentity: The identity (hostname) of the server.
    @type serviceIdentity: L{unicode}

    @return: a 2-tuple of C{(certificate_authority_certificate,
        server_certificate)}
    @rtype: L{tuple} of (L{sslverify.Certificate},
        L{sslverify.PrivateCertificate})
    zTesting Example CAzTesting Example Server�
r
i

i)�public_exponent�key_size�backendT�	)�ca�path_length)
�critical)�private_key�	algorithmrL�idna�asciiFN�

),r�Name�
NameAttributer&�COMMON_NAME�datetime�	timedeltar"�generate_private_keyr �
public_key�CertificateBuilder�subject_name�issuer_name�not_valid_before�today�not_valid_after�
serial_number�random_serial_number�
add_extension�BasicConstraintsr@r!�SHA256�	ipaddress�
ip_address�
ValueError�DNSName�encode�decode�	IPAddress�SubjectAlternativeName�	sslverify�Certificate�loadPEM�public_bytesr#�PEM�PrivateCertificate�join�
private_bytesr%�TraditionalOpenSSLr$)�serviceIdentity�commonNameForCA�commonNameForServer�oneDay�privateKeyForCA�publicKeyForCA�
caCertificate�privateKeyForServer�publicKeyForServer�	ipAddress�subjectAlternativeNames�serverCertificate�
caSelfCert�
serverCertr*r*r-�!certificatesForAuthorityAndServer�s�

�
�

�









�


��
�

��









�

�


��




�
���
r�c	s�Gd
d�dtj
�}Gdd�dtj
�}|��
|��t��}�
f
dd�|_t��}�f
dd�|_t|
d|d	��t|d
|d	��t�f
dd��f
dd��\}}}||��
|fS)
a�
    Common implementation code for both L{loopbackTLSConnection} and
    L{loopbackTLSConnectionInMemory}. Creates a loopback TLS connection
    using the provided server and client context factories.

    @param serverOpts: An OpenSSL context factory for the server.
    @type serverOpts: C{OpenSSLCertificateOptions}, or any class with an
        equivalent API.

    @param clientOpts: An OpenSSL context factory for the client.
    @type clientOpts: C{OpenSSLCertificateOptions}, or any class with an
        equivalent API.

    @return: 5-tuple of server-tls-protocol, server-inner-protocol,
        client-tls-protocol, client-inner-protocol and L{IOPump}
    @rtype: L{tuple}
    c@�eZ
dZd
Zdd�ZdS)z._loopbackTLSConnection.<locals>.GreetingServer�
greetings!c

S�|j�
|j�

dSr)��	transport�write�greeting�
�selfr*r*r-�connectionMade
�
z=_loopbackTLSConnection.<locals>.GreetingServer.connectionMadeN)�__name__�
__module__�__qualname__r�r�r*r*r*r-�GreetingServer
s
r�c@s$eZ
dZd
ZdZdd�Zdd�ZdS)z/_loopbackTLSConnection.<locals>.ListeningClient�NcS�|j|
7_dSr)�
�data�r�r�r*r*r-�dataReceived
r�z<_loopbackTLSConnection.<locals>.ListeningClient.dataReceivedcS�
|
|_dSr)�
�
lostReason�r��reasonr*r*r-�connectionLost
�

z>_loopbackTLSConnection.<locals>.ListeningClient.connectionLost)r�r�r�r�r�r�r�r*r*r*r-�ListeningClient
s


r�c
��Sr)r*r*�
�clientWrappedProtor*r-r.
r/z(_loopbackTLSConnection.<locals>.<lambda>c
r�r)r*r*�
�serverWrappedProtor*r-r.!
r/T��isClient�wrappedFactoryFc�
��d�
Sr)�
�
buildProtocolr*)
�
serverFactoryr*r-r.+
�
cr�r)r�r*)
�
clientFactoryr*r-r.,
r�)r�Protocol�Factoryr3r)	�
serverOpts�
clientOptsr�r��plainClientFactory�plainServerFactory�sProto�cProto�pumpr*)r�r�r�r�r-�_loopbackTLSConnection�s&





�
�




�r�cs0G��
fd
d�d�}|�}tj
|d�
}t||�S)aF
    Create a loopback TLS connection with the given trust and keys.

    @param trustRoot: the C{trustRoot} argument for the client connection's
        context.
    @type trustRoot: L{sslverify.IOpenSSLTrustRoot}

    @param privateKeyFile: The name of the file containing the private key.
    @type privateKeyFile: L{str} (native string; file name)

    @param chainedCertFile: The name of the chained certificate file.
    @type chainedCertFile: L{str} (native string; file name)

    @return: 3-tuple of server-protocol, client-protocol, and L{IOPump}
    @rtype: L{tuple}
    cseZ
dZ��
fd
d�ZdS)z-loopbackTLSConnection.<locals>.ContextFactoryc
s4t�
tj�
}
�d
u
r|
���

|
��
�

|
��
|
S)z�
            Create a context for the server side of the connection.

            @return: an SSL context using a certificate and key.
            @rtype: C{OpenSSL.SSL.Context}
            N)r�Context�
SSLv23_METHOD�use_certificate_chain_file�use_privatekey_file�check_privatekey�r��ctx��chainedCertFile�privateKeyFiler*r-�
getContextD
s





z8loopbackTLSConnection.<locals>.ContextFactory.getContextN)r�r�r�r�r*r�r*r-�ContextFactoryC
s
r��
�	trustRoot�rp�OpenSSLCertificateOptionsr�)r�r�r�r�r�r�r*r�r-�loopbackTLSConnection1
s

r�cCs4|d
urtj
}|||d�}tj
|
||d�}t||�S)a�
    Create a loopback TLS connection with the given trust and keys. Like
    L{loopbackTLSConnection}, but using in-memory certificates and keys rather
    than writing them to disk.

    @param trustRoot: the C{trustRoot} argument for the client connection's
        context.
    @type trustRoot: L{sslverify.IOpenSSLTrustRoot}

    @param privateKey: The private key.
    @type privateKey: L{str} (native string)

    @param serverCertificate: The certificate used by the server.
    @type chainedCertFile: L{str} (native string)

    @param clientProtocols: The protocols the client is willing to negotiate
        using NPN/ALPN.

    @param serverProtocols: The protocols the server is willing to negotiate
        using NPN/ALPN.

    @param clientOptions: The type of C{OpenSSLCertificateOptions} class to
        use for the client. Defaults to C{OpenSSLCertificateOptions}.

    @return: 3-tuple of server-protocol, client-protocol, and L{IOPump}
    @rtype: L{tuple}
    N)r��acceptableProtocols)�
privateKeyrCr�r�)r�r�r��clientProtocols�serverProtocols�
clientOptions�clientCertOpts�serverCertOptsr*r*r-�loopbackTLSConnectionInMemoryY
s#

�


�
r�c
GsR|��}t
|d
��}|
D]
}|�|�t�
�

qWd�
|S1s"w



Y
|S)a�
    Create a temporary file to store some serializable-as-PEM objects in, and
    return its name.

    @param testCase: a test case to use for generating a temporary directory.
    @type testCase: L{twisted.trial.unittest.TestCase}

    @param dumpables: arguments are objects from pyOpenSSL with a C{dump}
        method, taking a pyOpenSSL file-type constant, such as
        L{OpenSSL.crypto.FILETYPE_PEM} or L{OpenSSL.crypto.FILETYPE_ASN1}.
    @type dumpables: L{tuple} of L{object} with C{dump} method taking L{int}
        returning L{bytes}

    @return: the path to a file where all of the dumpables were dumped in PEM
        format.
    @rtype: L{str}
    �wbN)�mktemp�openr��dumpr)�testCase�	dumpables�fname�
f�dumpabler*r*r-�pathContainingDumpOf�
s


�
��r�c@seZ
dZd
d�Zdd�ZdS)�DataCallbackProtocolcC�,|jj
d}|j_
|du
r|�|
�

dSdSr))�factory�onData�callback)r�r��
dr*r*r-r��
�


�z!DataCallbackProtocol.dataReceivedcCr�r)�r��onLost�errback)r�r�r�r*r*r-r��
r�z#DataCallbackProtocol.connectionLostN)r�r�r�r�r�r*r*r*r-r��
s
r�c@� eZ
dZd
Zdd�Zdd�ZdS)�WritingProtocol�
xc

Cr�r))r�r��byter�r*r*r-r��
r�zWritingProtocol.connectionMadecCs|jj
�|
�

dSr)r�r�r*r*r-r��
r�zWritingProtocol.connectionLostN)r�r�r�r�r�r�r*r*r*r-r��
s
r�c@s�eZ
dZd
ZdZdd�Zdd�Zdd�Zd	d
�Zdd�Z	d
d�Z
dd�Zdd�Zdd�Z
dd�Zdd�Zdd�Zdd�Zdd�Zdd �Zd!d"�Zd#S)$�FakeContexta�
    Introspectable fake of an C{OpenSSL.SSL.Context}.

    Saves call arguments for later introspection.

    Necessary because C{Context} offers poor introspection.  cf. this
    U{pyOpenSSL bug<https://bugs.launchpad.net/pyopenssl/+bug/1173899>}.

    @ivar _method: See C{method} parameter of L{__init__}.

    @ivar _options: L{int} of C{OR}ed values from calls of L{set_options}.

    @ivar _certificate: Set by L{use_certificate}.

    @ivar _privateKey: Set by L{use_privatekey}.

    @ivar _verify: Set by L{set_verify}.

    @ivar _verifyDepth: Set by L{set_verify_depth}.

    @ivar _mode: Set by L{set_mode}.

    @ivar _sessionID: Set by L{set_session_id}.

    @ivar _extraCertChain: Accumulated L{list} of all extra certificates added
        by L{add_extra_chain_cert}.

    @ivar _cipherList: Set by L{set_cipher_list}.

    @ivar _dhFilename: Set by L{load_tmp_dh}.

    @ivar _defaultVerifyPathsSet: Set by L{set_default_verify_paths}

    @ivar _ecCurve: Set by L{set_tmp_ecdh}
    r
cCs$|
|_g|_
d
|_d|_tj|_dS)NF)�_method�_extraCertChain�_defaultVerifyPathsSet�_ecCurver�SESS_CACHE_SERVER�_sessionCacheMode)r��methodr*r*r-�__init__�
s




zFakeContext.__init__cCs|j|
O_dSr))
�_options�r��optionsr*r*r-�set_options�
r�zFakeContext.set_optionscCr�r))
�_certificate)r�rCr*r*r-�use_certificate�
r�zFakeContext.use_certificatecCr�r))
�_privateKey)r�r�r*r*r-�use_privatekey�
r�zFakeContext.use_privatekeyc


Cr(r)r*r�r*r*r-r��
�
zFakeContext.check_privatekeycC�
|
|_d
S)zo
        Set the mode. See L{SSL.Context.set_mode}.

        @param mode: See L{SSL.Context.set_mode}.
        N)
�_mode)r��moder*r*r-�set_mode�
s
zFakeContext.set_modecCs|
|f|_dSr))
�_verify)r��flagsr�r*r*r-�
set_verify�
zFakeContext.set_verifycCr�r))
�_verifyDepth)r��depthr*r*r-�set_verify_depthr�zFakeContext.set_verify_depthcCr�r))
�_sessionIDContext)r��sessionIDContextr*r*r-�set_session_ids
zFakeContext.set_session_idcCr
)zr
        Set the session cache mode on the context, as per
        L{SSL.Context.set_session_cache_mode}.
        N�
r�)r��	cacheModer*r*r-�set_session_cache_modes
z"FakeContext.set_session_cache_modec


Cs|jS)
zy
        Retrieve the session cache mode from the context, as per
        L{SSL.Context.get_session_cache_mode}.
        r
r�r*r*r-�get_session_cache_modesz"FakeContext.get_session_cache_modecCs|j�
|
�

dSr))r��append�r��certr*r*r-�add_extra_chain_certs
z FakeContext.add_extra_chain_certcCr�r))
�_cipherList)r��
cipherListr*r*r-�set_cipher_listr�zFakeContext.set_cipher_listcCr�r))
�_dhFilename)r��
dhfilenamer*r*r-�load_tmp_dhr�zFakeContext.load_tmp_dhc

Cs
d
|_dS)z9
        Set the default paths for the platform.
        TN)
r�r�r*r*r-�set_default_verify_paths"s
z$FakeContext.set_default_verify_pathscCr
)z�
        Set an ECDH curve.  Should only be called by OpenSSL 1.0.1
        code.

        @param curve: See L{OpenSSL.SSL.Context.set_tmp_ecdh}
        N)
r��r��curver*r*r-�set_tmp_ecdh(s
zFakeContext.set_tmp_ecdhN)r�r�r��__doc__r�r�r�r�r�r�r
r
r

r

r
r
r
r
r
r
r
r*r*r*r-r��
s&
$r�c@�@eZ
dZd
Zer
eZdd�Zdd�Zdd�Zdd	�Z	d
d�Z
dS)
�ClientOptionsTestsz5
    Tests for L{sslverify.optionsForClientTLS}.
    c
Cs(|jt
tjd
dd�}
|�t|
�
d�
dS)z�
        When passed a keyword parameter other than C{extraCertificateOptions},
        L{sslverify.optionsForClientTLS} raises an exception just like a
        normal Python function would.
        �alpha�beta)�hostname�someRandomThingzJoptionsForClientTLS() got an unexpected keyword argument 'someRandomThing'N)�assertRaises�	TypeErrorrp�optionsForClientTLS�assertEqual�str)r��errorr*r*r-�test_extraKeywords:s



�

�z%ClientOptionsTests.test_extraKeywordsc
Cs.|�t
tjd
�}
dtj}|�t|
�
|�
dS)z�
        If you pass L{bytes} as the hostname to
        L{sslverify.optionsForClientTLS} it immediately raises a L{TypeError}.
        snot-actually-a-hostname.comz6optionsForClientTLS requires text for host names, not N)r'
r(
rpr)
�bytesr�r*
r+
)r�r,
�expectedTextr*r*r-�test_bytesFailFastLs
��z%ClientOptionsTests.test_bytesFailFastc
C�t�
d
�
}
|�|
j�

dS)zv
        If you pass a dNSName to L{sslverify.optionsForClientTLS}
        L{_hostnameIsDnsName} will be True
        rHN)rpr)
�
assertTrue�_hostnameIsDnsNamer�r*r*r-�test_dNSNameHostnameY�

z'ClientOptionsTests.test_dNSNameHostnamec
Cr1
)z}
        If you pass an IPv4 address to L{sslverify.optionsForClientTLS}
        L{_hostnameIsDnsName} will be False
        �	127.0.0.1N�rpr)
�assertFalser3
r�r*r*r-�test_IPv4AddressHostnamear5
z+ClientOptionsTests.test_IPv4AddressHostnamec
Cr1
)z}
        If you pass an IPv6 address to L{sslverify.optionsForClientTLS}
        L{_hostnameIsDnsName} will be False
        z::1Nr7
r�r*r*r-�test_IPv6AddressHostnameir5
z+ClientOptionsTests.test_IPv6AddressHostnameN)r�r�r�r 
�skipSSL�skipr-
r0
r4
r9
r:
r*r*r*r-r"
2s


r"
c@r�)�$FakeChooseDiffieHellmanEllipticCurvezG
    A fake implementation of L{_ChooseDiffieHellmanEllipticCurve}
    c
C�d
S)z&
        A no-op constructor.
        Nr*)r��
versionNumber�
openSSLlib�
openSSLcryptor*r*r-r�wr/z-FakeChooseDiffieHellmanEllipticCurve.__init__c
Cr>
)z|
        A null configuration.

        @param ctx: An L{OpenSSL.SSL.Context} that would be
            configured.
        Nr*r�r*r*r-�configureECDHCurve|r/z7FakeChooseDiffieHellmanEllipticCurve.configureECDHCurveN)r�r�r�r 
r�rB
r*r*r*r-r=
rs
r=
c@sHeZ
dZd
Zer
eZdZZdZZ	dd�Z
dd�Z			d	dd�
ZdS)
�OpenSSLOptionsTestsMixinz�
    A mixin for L{OpenSSLOptions} test cases creates client and server
    certificates, signs them with a CA, and provides a L{loopback}
    that creates TLS a connections with them.
    Nc

Csftd
dd�\|_
|_tddd�\|_|_tddd�d|_td	d
d�d|_|j|jg|_|j|_dS)zK
        Create class variables of client and server certificates.
        �Server Test Certificate�server��
O�CNsClient Test CertificatesclientsCA Test Certificate 1sca1rI�CA Test Certificatesca2N)	rG�sKey�sCert�cKey�cCert�caCert1�caCert2�caCerts�extraCertChainr�r*r*r-�setUp�s
�
�


zOpenSSLOptionsTestsMixin.setUpc
Csf|jdu
r
|j�
�
|jdu
r|j��
g}
|jdu
r!|
�|j�

|jdu
r,|
�|j�

tj|
d
d�S)NT�
�
consumeErrors)	�
serverPort�
stopListening�
clientConn�
disconnect�onServerLostr
�onClientLostr�DeferredList)r��
Lr*r*r-�tearDown�s













z!OpenSSLOptionsTestsMixin.tearDowncCs�|durt�
�|_}|durt�
�|_}|durt�
�}t��}t|_||_||_t�	�}t
|_||_t�d
||
�|_
t�d|j
��j||�|_dS)Nr
r6
)r�DeferredrY
rZ
r�
ServerFactoryr�r�r��
ClientFactoryr�r�	listenSSLrU
�
connectSSL�getHost�portrW
)r�r�r�rY
rZ
r�r�r�r*r*r-�loopback�s"












�z!OpenSSLOptionsTestsMixin.loopback�NNN)
r�r�r�r 
r;
r<
rU
rW
rY
rZ
rR
r]
re
r*r*r*r-rC
�s




�rC
cs�
eZ
dZd
Z�f
dd�Zdd�Zdd�Zdd	�Zd
d�Zdd
�Z	dd�Z
dd�Zdd�Zdd�Z
dd�Zdd�Zdd�Zdd�Zdd�Zd d!�Zd"d#�Zd$d%�Zd&d'�Zd(d)�Zd*d+�Zd,d-�Zd.d/�Zd0d1�Zd2d3�Zd4d5�Zd6d7�Zd8d9�Zd:d;�Z d<d=�Z!d>d?�Z"d@dA�Z#dBdC�Z$dDdE�Z%dFdG�Z&dHdI�Z'dJdK�Z(dLdM�Z)dNdO�Z*dPdQ�Z+dRdS�Z,dTdU�Z-dVdW�Z.e/j0e1dXdY�g
e._0dZd[�Z2d\d]�Z3d^d_�Z4d`da�Z5dbdc�Z6ddde�Z7dfdg�Z8dhdi�Z9�Z:S)j�OpenSSLOptionsTestsz0
    Tests for L{sslverify.OpenSSLOptions}.
    c

st��
�
|�td
t�
dS)z�
        Same as L{OpenSSLOptionsTestsMixin.setUp}, but it also patches
        L{sslverify._ChooseDiffieHellmanEllipticCurve}.
        �!_ChooseDiffieHellmanEllipticCurveN)�superrR
�patchrpr=
r��
�	__class__r*r-rR
�s




�zOpenSSLOptionsTests.setUpc

C�|jt
tj|jd
�
dS)�S
        C{privateKey} and C{certificate} make only sense if both are set.
        )
r�N)r'
rjrpr�rJ
r�r*r*r-�"test_constructorWithOnlyPrivateKey��


�z6OpenSSLOptionsTests.test_constructorWithOnlyPrivateKeyc

Crm
)rn
)
rCN)r'
rjrpr�rK
r�r*r*r-�#test_constructorWithOnlyCertificate�rp
z7OpenSSLOptionsTests.test_constructorWithOnlyCertificatec
CsDtj
|j|jd
�}
|�|
j|j�
|�|
j|j�
|�|
jg�
dS)zT
        Specifying C{privateKey} and C{certificate} initializes correctly.
        �r�rCN)rpr�rJ
rK
r*
r�rCrQ
�r��optsr*r*r-�,test_constructorWithCertificateAndPrivateKey�s
�

z@OpenSSLOptionsTests.test_constructorWithCertificateAndPrivateKeyc

Cs|jt
tj|j|jd
d�
dS)zN
        C{verify} must not be C{True} without specifying C{caCerts}.
        T)r�rC�verifyN)r'
rjrpr�rJ
rK
r�r*r*r-�0test_constructorDoesNotAllowVerifyWithoutCACerts�s





�zDOpenSSLOptionsTests.test_constructorDoesNotAllowVerifyWithoutCACertsc

	Cs@|jt
tj|j|jd
d|jd�
|jt
tj|j|jdd
d�
dS)z�
        C{verify}, C{requireCertificate}, and C{caCerts} must not be specified
        by the caller (to be I{any} value, even the default!) when specifying
        C{trustRoot}.
        TN)r�rCrv
r�rP
)r�rCr��requireCertificate)r'
r(
rpr�rJ
rK
rP
r�r*r*r-�/test_constructorDoesNotAllowLegacyWithTrustRoots"






�	






�zCOpenSSLOptionsTests.test_constructorDoesNotAllowLegacyWithTrustRootc
Cs6tj
|j|j|jd
�}
|�|
j�

|�|j|
j�
dS)z2
        It's currently a NOP, but valid.
        )r�rCrP
N)rpr�rJ
rK
rP
r8
rv
r*
rs
r*r*r-�*test_constructorAllowsCACertsWithoutVerifys

�
z>OpenSSLOptionsTests.test_constructorAllowsCACertsWithoutVerifyc
Cs8tj
|j|jd
|jd�}
|�|
j�

|�|j|
j�
dS)zL
        Specifying C{verify} and C{caCerts} initializes correctly.
        T)r�rCrv
rP
N)rpr�rJ
rK
rP
r2
rv
r*
rs
r*r*r-�$test_constructorWithVerifyAndCACerts's



�
z8OpenSSLOptionsTests.test_constructorWithVerifyAndCACertsc
Cs*tj
|j|j|jd
�}
|�|j|
j�
dS)zt
        Setting C{extraCertChain} works if C{certificate} and C{privateKey} are
        set along with it.
        �r�rCrQ
N)rpr�rJ
rK
rQ
r*
rs
r*r*r-�test_constructorSetsExtraChain4s


�z2OpenSSLOptionsTests.test_constructorSetsExtraChainc

C�|jt
tj|j|jd
�
dS)zl
        A C{extraCertChain} without C{privateKey} doesn't make sense and is
        thus rejected.
        )rCrQ
N)r'
rjrpr�rK
rQ
r�r*r*r-�7test_constructorDoesNotAllowExtraChainWithoutPrivateKey@�




�zKOpenSSLOptionsTests.test_constructorDoesNotAllowExtraChainWithoutPrivateKeyc

Cr~
)zm
        A C{extraCertChain} without C{certificate} doesn't make sense and is
        thus rejected.
        )r�rQ
N)r'
rjrpr�rJ
rQ
r�r*r*r-�7test_constructorDoesNotAllowExtraChainWithOutPrivateKeyLr�
zKOpenSSLOptionsTests.test_constructorDoesNotAllowExtraChainWithOutPrivateKeyc
CsXtj
|j|j|jd
�}
t|
_|
��}|�|j|j	�
|�|j|j
�
|�|j|j�
dS)z�
        If C{extraCertChain} is set and all prerequisites are met, the
        specified chain certificates are added to C{Context}s that get
        created.
        r|
N)rpr�rJ
rK
rQ
r��_contextFactoryr�r*
r�r�r��r�rt
r�r*r*r-�&test_extraChainFilesAreAddedIfSuppliedXs


�



z:OpenSSLOptionsTests.test_extraChainFilesAreAddedIfSuppliedc
Cs0tj
|j|j|jd
�}
|
��}|�|tj�
dS)zR
        C{extraCertChain} doesn't break C{OpenSSL.SSL.Context} creation.
        r|
N)	rpr�rJ
rK
rQ
r��assertIsInstancerr�r�
r*r*r-�$test_extraChainDoesNotBreakPyOpenSSLis


�
z8OpenSSLOptionsTests.test_extraChainDoesNotBreakPyOpenSSLc
Cs:tj
|j|jd
�}
t|
_|
��}|�|
j�	d�
|j
�
dS)z�
        If the user doesn't supply custom acceptable ciphers, a shipped secure
        default is used.  We can't check directly for it because the effective
        cipher string we set varies with platforms.
        rr
rTN)rpr�rJ
rK
r�r�
r�r*
�
_cipherStringrlr
r�
r*r*r-�"test_acceptableCiphersAreAlwaysSetus

�

z6OpenSSLOptionsTests.test_acceptableCiphersAreAlwaysSetc
CsNtt
j�
Gd
d�d��
}
tj|j|j|
�d�}t|_|�	�}|�
d|j�
dS)zB
        If acceptable ciphers are passed, they are used.
        c@�eZ
dZd
d�ZdS)zWOpenSSLOptionsTests.test_honorsAcceptableCiphersArgument.<locals>.FakeAcceptableCipherscSst�
d
�
g
S)N�sentinel)rp�
OpenSSLCipher)r��
_r*r*r-�
selectCiphers�s
zeOpenSSLOptionsTests.test_honorsAcceptableCiphersArgument.<locals>.FakeAcceptableCiphers.selectCiphersN)r�r�r�r�
r*r*r*r-�FakeAcceptableCiphers�sr�
)r�rC�acceptableCiphersssentinelN)rr�IAcceptableCiphersrpr�rJ
rK
r�r�
r�r*
r
)r�r�
rt
r�r*r*r-�$test_honorsAcceptableCiphersArgument�s



�

z8OpenSSLOptionsTests.test_honorsAcceptableCiphersArgumentc
CsHtj
|j|jd
�}
t|
_|
��}tjtj	Btj
B}|�||j|@�
dS)z
        Every context must have C{OP_NO_SSLv2}, C{OP_NO_COMPRESSION}, and
        C{OP_CIPHER_SERVER_PREFERENCE} set.
        rr
N)
rpr�rJ
rK
r�r�
r�r�OP_NO_SSLv2�OP_NO_COMPRESSION�OP_CIPHER_SERVER_PREFERENCEr*
r��r�rt
r�r�r*r*r-�test_basicSecurityOptionsAreSet�s

�
�z3OpenSSLOptionsTests.test_basicSecurityOptionsAreSetc
Cs4tj
|j|jd
�}
t|
_|
��}|�tj	|j
�
dS)zH
        Every context must be in C{MODE_RELEASE_BUFFERS} mode.
        rr
N)rpr�rJ
rK
r�r�
r�r*
r�MODE_RELEASE_BUFFERSr

r�
r*r*r-�test_modeIsSet�s

�

z"OpenSSLOptionsTests.test_modeIsSetc
CsDtj
|j|jd
d�}
t|
_|
��}tjtj	B}|�
||j|@�
dS)z�
        If C{singleUseKeys} is set, every context must have
        C{OP_SINGLE_DH_USE} and C{OP_SINGLE_ECDH_USE} set.
        T)r�rC�enableSingleUseKeysN)rpr�rJ
rK
r�r�
r�r�OP_SINGLE_DH_USE�OP_SINGLE_ECDH_USEr*
r�r�
r*r*r-�test_singleUseKeys�s


�


z&OpenSSLOptionsTests.test_singleUseKeysc
Csdtj
|j|jtjd
�
d}
|�|jg
�
}|�dt	|�
�
|�t
|dd�
|�|
|dd�
dS)zd
        Passing C{method} to L{sslverify.OpenSSLCertificateOptions} is
        deprecated.
        )r�rCr�z�Passing method to twisted.internet.ssl.CertificateOptions was deprecated in Twisted 17.1.0. Please use a combination of insecurelyLowerMinimumTo, raiseMinimumTo, and lowerMaximumSecurityTo instead, as Twisted will correctly configure the method.rIr
�category�messageN)rpr�rJ
rK
rr��
flushWarnings�test_methodIsDeprecatedr*
�len�DeprecationWarning)r�r�
�warningsr*r*r-r�
�s


��


z+OpenSSLOptionsTests.test_methodIsDeprecatedc
CsNtj
|j|jd
�}
t|
_|
��}tjtj	Btj
BtjB}|�||j
|@�
dS)z�
        L{sslverify.OpenSSLCertificateOptions} will make the default minimum
        TLS version v1.0, if no C{method}, or C{insecurelyLowerMinimumTo} is
        given.
        rr
N)rpr�rJ
rK
r�r�
r�rr�
r�
r�
�OP_NO_SSLv3r*
r�r�
r*r*r-�test_tlsv1ByDefault�s
�

����z'OpenSSLOptionsTests.test_tlsv1ByDefaultc
Cs�|�t
�
�}
tj|j|jtjjtjjd
�
Wd�
n1sw



Y
|�d|
j	j
d�
|�d|
j	j
d�
|�d|
j	j
d�
dS)z�
        Passing C{insecurelyLowerMinimumTo} along with C{raiseMinimumTo} to
        L{sslverify.OpenSSLCertificateOptions} will cause it to raise an
        exception.
        )r�rC�raiseMinimumTo�insecurelyLowerMinimumToNr�
r
r�
�	exclusive)r'
r(
rpr�rJ
rK
�
TLSVersion�TLSv1_2�assertIn�	exception�args�r��
er*r*r-�#test_tlsProtocolsAtLeastWithMinimum�s




��

z7OpenSSLOptionsTests.test_tlsProtocolsAtLeastWithMinimumc
C�|�t
�
�}
tj|j|jtjtjj	d
�
Wd�
n1sw



Y
|�
d|
jjd�
|�
d|
jjd�
|�
d|
jjd�
dS)z�
        Passing C{raiseMinimumTo} along with C{method} to
        L{sslverify.OpenSSLCertificateOptions} will cause it to raise an
        exception.
        )r�rCr�r�
Nr�r
r�
r�
�
r'
r(
rpr�rJ
rK
rr�r�
r�
r�
r�
r�
r�
r*r*r-�$test_tlsProtocolsNoMethodWithAtLeast��




��

z8OpenSSLOptionsTests.test_tlsProtocolsNoMethodWithAtLeastc
Cr�
)z�
        Passing C{insecurelyLowerMinimumTo} along with C{method} to
        L{sslverify.OpenSSLCertificateOptions} will cause it to raise an
        exception.
        )r�rCr�r�
Nr�r
r�
r�
r�
r�
r*r*r-�$test_tlsProtocolsNoMethodWithMinimumr�
z8OpenSSLOptionsTests.test_tlsProtocolsNoMethodWithMinimumc
Cr�
)z�
        Passing C{lowerMaximumSecurityTo} along with C{method} to
        L{sslverify.OpenSSLCertificateOptions} will cause it to raise an
        exception.
        )r�rCr��lowerMaximumSecurityToNr�r
r�
r�
r�
r�
r*r*r-�$test_tlsProtocolsNoMethodWithMaximum"r�
z8OpenSSLOptionsTests.test_tlsProtocolsNoMethodWithMaximumc
C�\|�t
�
�}
tj|j|jtjjtjjd
�
Wd�
n1sw



Y
|�	|
j
jd�
dS)z�
        Passing out of order TLS versions to C{insecurelyLowerMinimumTo} and
        C{lowerMaximumSecurityTo} will cause it to raise an exception.
        �r�rCr�
r�
N)
zFinsecurelyLowerMinimumTo needs to be lower than lowerMaximumSecurityTo�r'
rjrpr�rJ
rK
r�
�TLSv1_0�SSLv3r*
r�
r�
r�
r*r*r-�test_tlsVersionRangeInOrder4�




��

�z/OpenSSLOptionsTests.test_tlsVersionRangeInOrderc
Cr�
)z�
        Passing out of order TLS versions to C{raiseMinimumTo} and
        C{lowerMaximumSecurityTo} will cause it to raise an exception.
        )r�rCr�
r�
N)
z<raiseMinimumTo needs to be lower than lowerMaximumSecurityTor�
r�
r*r*r-�"test_tlsVersionRangeInOrderAtLeastKr�
z6OpenSSLOptionsTests.test_tlsVersionRangeInOrderAtLeastc
Csftj
|j|jtjjd
�}
t|
_|
��}t	j
t	jBt	jBt	j
Bt	jBt	jB|
jB}|�||j|@�
dS)a

        When calling L{sslverify.OpenSSLCertificateOptions} with
        C{lowerMaximumSecurityTo} but no C{raiseMinimumTo} or
        C{insecurelyLowerMinimumTo} set, and C{lowerMaximumSecurityTo} is
        below the minimum default, the minimum will be made the new maximum.
        )r�rCr�
N�rpr�rJ
rK
r�
r�
r�r�
r�rr�
r�
r�
�OP_NO_TLSv1�
OP_NO_TLSv1_1�
OP_NO_TLSv1_2�_OP_NO_TLSv1_3r*
r�r�
r*r*r-�&test_tlsProtocolsreduceToMaxWithoutMin]s,


�

�������	z:OpenSSLOptionsTests.test_tlsProtocolsreduceToMaxWithoutMinc
C�ltj
|j|jtjjtjjd
�}
t|
_|
��}t	j
t	jBt	jBt	j
Bt	jBt	jB|
jB}|�||j|@�
dS)z�
        When calling L{sslverify.OpenSSLCertificateOptions} with
        C{insecurelyLowerMinimumTo} and C{lowerMaximumSecurityTo} set to
        SSLv3, it will exclude all others.
        r�
Nr�
r�
r*r*r-�test_tlsProtocolsSSLv3Onlyv�.



�

�������	z.OpenSSLOptionsTests.test_tlsProtocolsSSLv3Onlyc
Cr�
)z�
        When calling L{sslverify.OpenSSLCertificateOptions} with
        C{insecurelyLowerMinimumTo} and C{lowerMaximumSecurityTo} set to v1.0,
        it will exclude all others.
        r�
N)rpr�rJ
rK
r�
r�
r�r�
r�rr�
r�
r�
r�
r�
r�
r�
r*
r�r�
r*r*r-� test_tlsProtocolsTLSv1Point0Only�r�
z4OpenSSLOptionsTests.test_tlsProtocolsTLSv1Point0Onlyc
Cr�
)z�
        When calling L{sslverify.OpenSSLCertificateOptions} with
        C{insecurelyLowerMinimumTo} and C{lowerMaximumSecurityTo} set to v1.1,
        it will exclude all others.
        r�
N)rpr�rJ
rK
r�
�TLSv1_1r�r�
r�rr�
r�
r�
r�
r�
r�
r�
r*
r�r�
r*r*r-� test_tlsProtocolsTLSv1Point1Only�r�
z4OpenSSLOptionsTests.test_tlsProtocolsTLSv1Point1Onlyc
Cr�
)z�
        When calling L{sslverify.OpenSSLCertificateOptions} with
        C{insecurelyLowerMinimumTo} and C{lowerMaximumSecurityTo} set to v1.2,
        it will exclude all others.
        r�
N)rpr�rJ
rK
r�
r�
r�r�
r�rr�
r�
r�
r�
r�
r�
r�
r*
r�r�
r*r*r-� test_tlsProtocolsTLSv1Point2Only�r�
z4OpenSSLOptionsTests.test_tlsProtocolsTLSv1Point2Onlyc
Cs`tj
|j|jtjjtjjd
�}
t|
_|
�	�}t
jt
jBt
j
Bt
jB|
jB}|�||j|@�
dS)z�
        When calling L{sslverify.OpenSSLCertificateOptions} with
        C{insecurelyLowerMinimumTo} set to TLSv1.0 and
        C{lowerMaximumSecurityTo} to TLSv1.2, it will exclude both SSLs and
        the (unreleased) TLSv1.3.
        r�
N)rpr�rJ
rK
r�
r�
r�
r�r�
r�rr�
r�
r�
r�
r�
r*
r�r�
r*r*r-�test_tlsProtocolsAllModernTLS�s&



�

�����z1OpenSSLOptionsTests.test_tlsProtocolsAllModernTLSc
C�`tj
|j|jtjjd
�}
t|
_|
��}t	j
t	jBt	jBt	j
Bt	jBt	jB}|�||j|@�
dS)z�
        When calling L{sslverify.OpenSSLCertificateOptions} with
        C{raiseMinimumTo} set to TLSv1.2, it will ignore all TLSs below
        1.2 and SSL.
        �r�rCr�
N�rpr�rJ
rK
r�
r�
r�r�
r�rr�
r�
r�
r�
r�
r�
r*
r�r�
r*r*r-�$test_tlsProtocolsAtLeastAllSecureTLS��(


�

������z8OpenSSLOptionsTests.test_tlsProtocolsAtLeastAllSecureTLSc
Csftj
|j|jtjjd
�}
t|
_|
��}t	j
t	jBt	jBt	j
B}|�||j|@�
|�|
jtjj�
dS)z�
        When calling L{sslverify.OpenSSLCertificateOptions} with
        C{raiseMinimumTo} set to a value lower than Twisted's default will
        cause it to use the more secure default.
        r�
N)rpr�rJ
rK
r�
r�
r�r�
r�rr�
r�
r�
r�
r*
r��_defaultMinimumTLSVersionr�
r�
r*r*r-�/test_tlsProtocolsAtLeastWillAcceptHigherDefault	s"


�

����
zCOpenSSLOptionsTests.test_tlsProtocolsAtLeastWillAcceptHigherDefaultc
Cr�
)z�
        When calling L{sslverify.OpenSSLCertificateOptions} with
        C{insecurelyLowerMinimumTo} set to TLSv1.2, it will ignore all TLSs below
        1.2 and SSL.
        )r�rCr�
Nr�
r�
r*r*r-�test_tlsProtocolsAllSecureTLS"r�
z1OpenSSLOptionsTests.test_tlsProtocolsAllSecureTLSc
CsLGd
d�d�}
|
�}tj
|j|j|d�}t|_|��}|�|
jj	|j
�
dS)zO
        If C{dhParams} is set, they are loaded into each new context.
        c@seZ
dZed
�
ZdS)zFOpenSSLOptionsTests.test_dhParams.<locals>.FakeDiffieHellmanParameters�	dh.paramsN)r�r�r�r�_dhFiler*r*r*r-�FakeDiffieHellmanParameters>�
r�
)r�rC�dhParametersN)rpr�rJ
rK
r�r�
r�r*
r�
�pathr
)r�r�
�dhParamsrt
r�r*r*r-�
test_dhParams9s



�

z!OpenSSLOptionsTests.test_dhParamsc
Cs�|�t
jd
dd�t
jd
dd��
|�t
jd
dd�t
jd
ddd��
t
jdd�
}
|�tt|
d	d
�
|�|
j|
j	�
d|
_|�|
j|
j	�
dS)
zh
        Check that abbreviations used in certificates correctly map to
        complete names.
        �
ashello)rH
�OU)�
commonName�organizationalUnitNamesxxx)rH
r�
�emailAddresssabcdefg)
rH
�Cnr�sbcdefgaN)
r*
rp�DN�DistinguishedName�assertNotEqualr'
�AttributeErrorr=rH
r�
)r��dnr*r*r-�#test_abbreviatingDistinguishedNamesKs


��

�



z7OpenSSLOptionsTests.test_abbreviatingDistinguishedNamesc
	CsZtj
d
ddddddd�}
|
��}d	D]}|�|||�d
��
|�|��||�d
��
qdS)Nscommon namesorganization namesorganizational unit name�
locality namesstate or province namescountry names
email address)r�
�organizationNamer�
�localityName�stateOrProvinceName�countryNamer�
)�common name�organization name�organizational unit name�
locality name�state or province name�country name�
email addressz was not in inspect output.)rpr�
�inspectr�
�title�r��
n�
srEr*r*r-�testInspectDistinguishedName`s







�	
	
�z0OpenSSLOptionsTests.testInspectDistinguishedNamec
Csftj
d
d�
}
|
��}dD]}|�|||�d��
|�|��||�d��
q|�d|�
|�d|�
dS)Nr�
)
r�
)r�
r�
r�
r�
r�
r�
z was in inspect output.r�
z
Locality Name)rpr�
r�
�assertNotInr�
r�
r�
r*r*r-�,testInspectDistinguishedNameWithoutAllFieldsws





z@OpenSSLOptionsTests.testInspectDistinguishedNameWithoutAllFieldsc
Csdtj
�t�
}
|
��}|��}|�|
���d
�
dddddddd	d
dddddddd	d
dd
d|g�
dS)z�
        Test that the C{inspect} method of L{sslverify.Certificate} returns
        a human-readable string containing some basic information about the
        certificate.
        �

zCertificate For Subject:z5               Common Name: example.twistedmatrix.comz              Country Name: USz4             Email Address: nobody@twistedmatrix.comz"             Locality Name: Bostonz/         Organization Name: Twisted Matrix Labsz$  Organizational Unit Name: Securityz)    State Or Province Name: MassachusettsrzIssuer:zSerial Number: 12345z7Digest: C4:96:11:00:30:C3:EC:EE:A3:55:AA:ED:8C:84:85:18zPublic Key with Hash: N)	rprqrr�A_HOST_CERTIFICATE_PEM�getPublicKey�keyHashr*
r�
�split)r�r,�pkr
r*r*r-�test_inspectCertificate�s8






















��z+OpenSSLOptionsTests.test_inspectCertificatec
CsXtj
�t�
}
tj
�t�
}tj
�t�
}|�|
���|���
�

|�|���|
���
�

d
S)z�
        L{PublicKey.matches} returns L{True} for keys from certificates with
        the same key, and L{False} for keys from certificates with different
        keys.
        N)	rprqrrr�
�A_PEER_CERTIFICATE_PEMr2
r�matchesr8
)r��hostA�hostB�peerAr*r*r-�test_publicKeyMatching�s



z*OpenSSLOptionsTests.test_publicKeyMatchingc
Csht�
�}
|�|
jd
�
|
��}|�|��tj�
tj
dd�
}
|�|
jd�
|
��}|�|��tj�
dS)z�
        The enableSessions argument sets the session cache mode; it defaults to
        False (at least until https://twistedmatrix.com/trac/ticket/9764 can be
        resolved).
        FT)
�enableSessionsN)	rpr�r*
rr�r
r�SESS_CACHE_OFFr�)r�r�r�r*r*r-�!test_enablingAndDisablingSessions�s






z5OpenSSLOptionsTests.test_enablingAndDisablingSessionsc
Cs
tj
|j|jtjd
|jg
dddddd
d
d�}
|
��}|�||
j�
|�	|�

|
�
�}|�d|�
t�
�}|�|�

|�
|j|j�
|�
|j|j�
|�
|jtj�
|�|j�

|�
|j|jg
�
|�
|jd�
|�|j�

|�|j�

|�|j�

|�|j�

|�|j�

|�|j�

dS)zN
        Test that __setstate__(__getstate__()) round-trips properly.
        T�F)r�rCr�rv
rP
�verifyDepthrx
�
verifyOncer�
r�fixBrokenPeers�enableSessionTickets�_contextN)rpr�rJ
rK
rr�r��assertIsr�assertIsNotNone�__getstate__r�
�__setstate__r*
r�rCr�r2
rv
rP
rr8
rx
rr�
rrr)r��	firstOpts�context�statert
r*r*r-�$test_certificateOptionsSerialization�sB











�


















z8OpenSSLOptionsTests.test_certificateOptionsSerializationz/twisted\.internet\._sslverify\.*__[gs]etstate__)r�
r�
c
Cs.tj
d
d�
}
|
��}|�d|�d�
d@�
dS)zR
        Enabling session tickets should not set the OP_NO_TICKET option.
        T�
rr
�@N�rpr�r�r*
r�r�
r*r*r-�%test_certificateOptionsSessionTickets��

z9OpenSSLOptionsTests.test_certificateOptionsSessionTicketsc
Cs.tj
d
d�
}
|
��}|�d|�d�
d@�
dS)zN
        Enabling session tickets should set the OP_NO_TICKET option.
        Frrr
Nrr�
r*r*r-�-test_certificateOptionsSessionTicketsDisabledr zAOpenSSLOptionsTests.test_certificateOptionsSessionTicketsDisabledc
sBt�
�}
�jtj�j�jd
d�tjd
d�
|
d�
|
��f
dd��
S)zw
        Check that anonymous connections are allowed when certificates aren't
        required on the server.
        F)r�rCrx
�
rx
�
r�c

���|t
j�Sr)�r*
r�r��
�resultr�r*r-r.�zKOpenSSLOptionsTests.test_allowedAnonymousClientConnection.<locals>.<lambda>�rr^
re
rpr�rJ
rK
�addCallback�r�r�r*r�r-�%test_allowedAnonymousClientConnections



�

�

�z9OpenSSLOptionsTests.test_allowedAnonymousClientConnectionc
sjt�
�}
t�
�}�jtj�j�jd
�jg
d
d�tjdd�
|
|d�
tj||
gd
d�}�f
dd�}|�|�
S)	zt
        Check that anonymous connections are refused when certificates are
        required on the server.
        T)r�rCrv
rP
rx
Fr"�rY
rZ
rS
c
sL|\\}
}\}}��|
�

��|�

��
|jtjtf�
��
|jtj�
dSr))r8
r�
�valuer�Errorr�r'�cSuccess�cResult�sSuccess�sResultr�r*r-�	afterLost4s






zLOpenSSLOptionsTests.test_refusedAnonymousClientConnection.<locals>.afterLost)	rr^
re
rpr�rJ
rK
r[
r*�r�rY
rZ
r�r5r*r�r-�%test_refusedAnonymousClientConnections"







�


�


z9OpenSSLOptionsTests.test_refusedAnonymousClientConnectionc
slt�
�}
t�
�}�jtj�j�jd
d
d�tjdd
�jg
d�|
|d�
tj||
gdd�}�f
dd�}|�	|�
S)	zg
        Check that connecting with a certificate not accepted by the server CA
        fails.
        F�r�rCrv
rx
T�rv
rx
rP
r-rS
c
s(|\\}
}\}}��|
�

��|�

dSr))
r8
r0r�r*r-r5Ws



zIOpenSSLOptionsTests.test_failedCertificateVerification.<locals>.afterLost)
rr^
re
rpr�rJ
rK
rM
r[
r*r6r*r�r-�"test_failedCertificateVerification@s$






�

�
�
z6OpenSSLOptionsTests.test_failedCertificateVerificationc
sLt�
�}
�jtj�j�jd
d
d�tjdd�jg
d�|
d�
|
��f
dd��
S)zi
        Test a successful connection with client certificate validation on
        server side.
        Fr8Tr9r#c

r$r)r%r&r�r*r-r.rr(zLOpenSSLOptionsTests.test_successfulCertificateVerification.<locals>.<lambda>r)r+r*r�r-�&test_successfulCertificateVerification^s 





�

��

�z:OpenSSLOptionsTests.test_successfulCertificateVerificationc
	sZt�
�}
�jtj�j�jd
d
�jg
d�tj�j�jd
d
�jg
d�|
d�
|
�	�f
dd��
S)zg
        Test a successful connection with validation on both server and client
        sides.
        T)r�rCrv
rx
rP
r#c

r$r)r%r&r�r*r-r.�r(z_OpenSSLOptionsTests.test_successfulSymmetricSelfSignedCertificateVerification.<locals>.<lambda>)
rr^
re
rpr�rJ
rK
rM
rL
r*r+r*r�r-�9test_successfulSymmetricSelfSignedCertificateVerificationus*






�




��

�zMOpenSSLOptionsTests.test_successfulSymmetricSelfSignedCertificateVerificationc
s

tj
d
d�
}
tj��}|�|
�
}tj
dd�
}tj��}|�|�
}|�|
�
}|�|
|dd�d�}|�|�
}	|�|�
}
|�||
dd�d�}|�|�
}|�||d	d�d
�}
|�|
�
}|�|
|dd�d�}|�|�
}t��}|�	|�
}|�	|	�
}�j
|||d
�
|��f
dd��
S)zT
        Check certificates verification building custom certificates data.
        �client)
r�
�serverc


Sr>
�NTr*�
r�
r*r*r-r.�r/z7OpenSSLOptionsTests.test_verification.<locals>.<lambda>�c


Sr>
r?r*r@r*r*r-r.�r/ic


Sr>
r?r*r@r*r*r-r.�r/�c


Sr>
r?r*r@r*r*r-r.�r/�*r#c

r$r)r%r&r�r*r-r.�r()rpr�
�KeyPair�generate�certificateRequest�signCertificateRequest�newCertificaterr^
r�re
r*)r��clientDN�	clientKey�
clientCertReq�serverDN�	serverKey�
serverCertReq�clientSelfCertReq�clientSelfCertData�clientSelfCert�serverSelfCertReq�serverSelfCertData�serverSelfCert�clientCertData�
clientCert�serverCertDatar�r�r�r�r*r�r-�test_verification�s>










�



�

�

�





�z%OpenSSLOptionsTests.test_verification);r�r�r�r 
rR
ro
rq
ru
rw
ry
rz
r{
r}
r
r�
r�
r�
r�
r�
r�
r�
r�
r�
r�
r�
r�
r�
r�
r�
r�
r�
r�
r�
r�
r�
r�
r�
r�
r�
r�
r�
r�
r�
rr
r
rr�suppressr�
rr!r,r7r:r;r<rX�
__classcell__r*r*rk
r-rg
�st


+
(

��"rg
c@r�)�"OpenSSLOptionsECDHIntegrationTestsz?
    ECDH-related integration tests for L{OpenSSLOptions}.
    c
s`t�st
d
�
�
t��}
�jtj�j�jdtj	j
d�tjdtj	j
d�|
d�
|
j�f
dd��
}|
S)z@
        Connections use ECDH when OpenSSL supports it.
        zOpenSSL does not support ECDH.F)r�rCrx
r�
)rx
r�
r#c
s>��t
�jjj�
d
�
�jjj\
}
|
����}��d|�
dS)NrI�ECDH)r*
r�
rW
r��	protocols�	getHandle�get_cipher_namer�
)r�
�clientProtocol�cipherr�r*r-�
assertECDH�s


zVOpenSSLOptionsECDHIntegrationTests.test_ellipticCurveDiffieHellman.<locals>.assertECDH)rrrr^
re
rpr�rJ
rK
r�
�TLSv1_3r*)r�r�rbr*r�r-�test_ellipticCurveDiffieHellman�s&






�

��
zBOpenSSLOptionsECDHIntegrationTests.test_ellipticCurveDiffieHellmanN)r�r�r�r 
rdr*r*r*r-r[�s
r[c@s(eZ
dZd
Zer
eZdd�Zdd�ZdS)�DeprecationTestszo
    Tests for deprecation of L{sslverify.OpenSSLCertificateOptions}'s support
    of the pickle protocol.
    c

Cs$|�t
d
ddd�dft��j�
dS)zT
        L{sslverify.OpenSSLCertificateOptions.__getstate__} is deprecated.
        �Twisted�r
�a real persistence systemN)�callDeprecatedrrpr�rr�r*r*r-�test_getstateDeprecation�s

�z)DeprecationTests.test_getstateDeprecationc

Cs&|�t
d
ddd�dft��ji�
dS)zT
        L{sslverify.OpenSSLCertificateOptions.__setstate__} is deprecated.
        rfrgr
rhN)rirrpr�rr�r*r*r-�test_setstateDeprecation�s



�z)DeprecationTests.test_setstateDeprecationN)r�r�r�r 
r;
r<
rjrkr*r*r*r-re�s

	rec@�8eZ
dZd
Zer
eZdd�Zdd�Zdd�Zdd	�Z	d
S)�TrustRootTestsz�
    Tests for L{sslverify.OpenSSLCertificateOptions}' C{trustRoot} argument,
    L{sslverify.platformTrust}, and their interactions.
    c

Cs|�t
d
t�
dS)zG
        Patch L{sslverify._ChooseDiffieHellmanEllipticCurve}.
        rh
N)rj
rpr=
r�r*r*r-rR
s



�zTrustRootTests.setUpc
s@tj
t��d
�
}
ttj�
��f
dd�|
_|
��
|��j	�

dS)z�
        Specifying a C{trustRoot} of L{sslverify.OpenSSLDefaultPaths} when
        initializing L{sslverify.OpenSSLCertificateOptions} loads the
        platform-provided trusted certificates via C{set_default_verify_paths}.
        r�c


r�r)r*)
r��
�fcr*r-r.'r/z=TrustRootTests.test_caCertsPlatformDefaults.<locals>.<lambda>N)
rpr��OpenSSLDefaultPathsr�r�TLSv1_METHODr�
r�r2
r�rs
r*rnr-�test_caCertsPlatformDefaultss
�



z+TrustRootTests.test_caCertsPlatformDefaultsc
Cs�t�\}
}t
|||
�}t
||j�}tt�||d
�\}}}}}	|�|jd�
|�|jjt	j
�
|jj}
|�|
jdddd�
dS)a-
        Specifying a C{trustRoot} of L{platformTrust} when initializing
        L{sslverify.OpenSSLCertificateOptions} causes certificates issued by a
        newly created CA to be rejected by an SSL connection using these
        options.

        Note that this test should I{always} pass, even on platforms where the
        CA certificates are not installed, as long as L{platformTrust} rejects
        completely invalid / unknown root CA certificates.  This is simply a
        smoke test to make sure that verification is happening at all.
        �r�r�r�r�r
r�tlsv1 alert unknown caN)
r�r�r�r�r2r*
r�r��typerr/r.r�
)r�r�r��chainedCertr�r�r��sWrapped�cWrappedr��errr*r*r-�(test_trustRootPlatformRejectsUntrustedCA+s





�
z7TrustRootTests.test_trustRootPlatformRejectsUntrustedCAc

Csbt�\}
}t�\}}t
|
t||j�t||�d
�\}}}}}	|	��
|�|j�

|�|j|j	�
dS)z�
        Specifying a L{Certificate} object for L{trustRoot} will result in that
        certificate being the only trust root for a client.
        rsN)
r�r�r�r��flush�assertIsNoner�r*
r�r�)
r��caCertr��otherCa�otherServerr�r�rwrxr�r*r*r-�!test_trustRootSpecificCertificateJs







�

z0TrustRootTests.test_trustRootSpecificCertificateN)
r�r�r�r 
r;
r<
rR
rrrzr�r*r*r*r-rm
s


rmc@s�eZ
dZd
Zer
eZdd�dddddddfdd�
Zdd	�Zd
d�Zdd
�Z	dd�Z
dd�Zdd�Zdd�Z
eee�dd��
Zeee�dd��
Zdd�Zdd�ZdS)�ServiceIdentityTestsz�
    Tests for the verification of the peer's service's identity via the
    C{hostname} argument to L{sslverify.OpenSSLCertificateOptions}.
    c


Cr(r)r*�
r�r*r*r-r.hr/zServiceIdentityTests.<lambda>TFcs�
t|�
\�}i}d
}
td�
\}}|r|j
|d�

|r'|r|}
ntd�
\}}|}
tjd|jj|jd�|�
�
}||���

|sCt|�
\�}|rQdd�}|�tjd|�
d|
i
}|
r]|j
|
d	�

|
se|j
�d�

|	rr|�td
�f
dd��
tj	di|�
�
}Gd
d�dt
j�}Gdd�dt
j�}|��|��
t
��}�
f
dd�|_
t
��}�f
dd�|_
||_
||_t|d|d��t|d|d��t�f
dd��f
dd��\}}}||�
�|fS)a�	
        Connect a server and a client.

        @param clientHostname: The I{client's idea} of the server's hostname;
            passed as the C{hostname} to the
            L{sslverify.OpenSSLCertificateOptions} instance.
        @type clientHostname: L{unicode}

        @param serverHostname: The I{server's own idea} of the server's
            hostname; present in the certificate presented by the server.
        @type serverHostname: L{unicode}

        @param serverContextSetup: a 1-argument callable invoked with the
            L{OpenSSL.SSL.Context} after it's produced.
        @type serverContextSetup: L{callable} taking L{OpenSSL.SSL.Context}
            returning L{None}.

        @param validCertificate: Is the server's certificate valid?  L{True} if
            so, L{False} otherwise.
        @type validCertificate: L{bool}

        @param clientPresentsCertificate: Should the client present a
            certificate to the server?  Defaults to 'no'.
        @type clientPresentsCertificate: L{bool}

        @param validClientCertificate: If the client presents a certificate,
            should it actually be a valid one, i.e. signed by the same CA that
            the server is checking?  Defaults to 'yes'.
        @type validClientCertificate: L{bool}

        @param serverVerifies: Should the server verify the client's
            certificate?  Defaults to 'no'.
        @type serverVerifies: L{bool}

        @param buggyInfoCallback: Should we patch the implementation so that
            the C{info_callback} passed to OpenSSL to have a bug and raise an
            exception (L{ZeroDivisionError})?  Defaults to 'no'.
        @type buggyInfoCallback: L{bool}

        @param fakePlatformTrust: Should we fake the platformTrust to be the
            same as our fake server certificate authority, so that we can test
            it's being used?  Defaults to 'no' and we just pass platform trust.
        @type fakePlatformTrust: L{bool}

        @param useDefaultTrust: Should we avoid passing the C{trustRoot} to
            L{ssl.optionsForClientTLS}?  Defaults to 'no'.
        @type useDefaultTrust: L{bool}

        @return: the client TLS protocol, the client wrapped protocol,
            the server TLS protocol, the server wrapped protocol and
            an L{IOPump} which, when its C{pump} and C{flush} methods are
            called, will move data between the created client and server
            protocol instances
        @rtype: 5-L{tuple} of 4 L{IProtocol}s and L{IOPump}
        Nr=r�rr
c_sd
d
dS)z�
                Raise an exception.

                @param a: Arguments for an C{info_callback}

                @param k: Keyword arguments for an C{info_callback}
                rIr
Nr*)�
arEr*r*r-�broken�sz9ServiceIdentityTests.serviceIdentitySetup.<locals>.broken�_identityVerifyingInfoCallbackr%
)
�clientCertificater2c
r�r)r*r*)
�serverCAr*r-r.�r/z;ServiceIdentityTests.serviceIdentitySetup.<locals>.<lambda>c@s0eZ
dZd
ZdZdZdd�Zdd�Zdd	�ZdS)
zAServiceIdentityTests.serviceIdentitySetup.<locals>.GreetingServerr�Nr�c

Sr�r)r�r�r*r*r-r��r�zPServiceIdentityTests.serviceIdentitySetup.<locals>.GreetingServer.connectionMadecSr�r)r�r�r*r*r-r��r�zNServiceIdentityTests.serviceIdentitySetup.<locals>.GreetingServer.dataReceivedcSr�r)r�r�r*r*r-r��r�zPServiceIdentityTests.serviceIdentitySetup.<locals>.GreetingServer.connectionLost)	r�r�r�r�r�r�r�r�r�r*r*r*r-r���


r�c@s0eZ
dZd
ZdZdZdd�Zdd�Zdd	�ZdS)
zAServiceIdentityTests.serviceIdentitySetup.<locals>.GreetingClientscheerio!r�Nc

Sr�r)r�r�r*r*r-r��r�zPServiceIdentityTests.serviceIdentitySetup.<locals>.GreetingClient.connectionMadecSr�r)r�r�r*r*r-r��r�zNServiceIdentityTests.serviceIdentitySetup.<locals>.GreetingClient.dataReceivedcSr�r)r�r�r*r*r-r��r�zPServiceIdentityTests.serviceIdentitySetup.<locals>.GreetingClient.connectionLost)	r�r�r�r�r�r�r�r�r�r*r*r*r-�GreetingClient�r�r�c
r�r)r*r*r�r*r-r.�r/c
r�r)r*r*r�r*r-r.�r/Tr�Fcr�r)r�r*)
�serverTLSFactoryr*r-r.	r�cr�r)r�r*)
�clientTLSFactoryr*r-r.
r�r*)r��updaterpr�r��originalr�rj
�ClientTLSOptionsr)
rr�r�r�r�r3r)r��clientHostname�serverHostname�serverContextSetup�validCertificate�clientPresentsCertificate�validClientCertificate�serverVerifies�buggyInfoCallback�fakePlatformTrust�useDefaultTrustr��other�passClientCert�clientCArV�bogusCA�bogusr�rr��	signaturer�r�r�r�r�r�r�r�r*)r�r�r�r�r�r-�serviceIdentitySetupdspD









��






�











�
�




�z)ServiceIdentityTests.serviceIdentitySetupc
Cs^|�d
d�\}
}}}}|�
|jd�
|�
|jd�
|jj}|jj}|�|t�
|�|t�
dS)z�
        When a certificate containing an invalid hostname is received from the
        server, the connection is immediately dropped.
        zwrong-host.example.com�correct-host.example.comr�N)r�r*
r�r�r.r�
r1r�r�r�r�rxrwr��cErr�sErrr*r*r-�test_invalidHostnames

�


z)ServiceIdentityTests.test_invalidHostnamec
CsH|�d
d
�\}
}}}}|�
|jd�
|j}|j}|�|�

|�|�

dS)z}
        Whenever a valid certificate containing a valid hostname is received,
        connection proceeds normally.
        �valid.example.comr�N�r�r*
r�r�r|r�r*r*r-�test_validHostname s

�



z'ServiceIdentityTests.test_validHostnamec
Csf|jd
d
dd�\}
}}}}|�
|jd�
|�
|jd�
|jj}|jj}|�|tj�
|�|tj�
dS)z�
        When an invalid certificate containing a perfectly valid hostname is
        received, the connection is aborted with an OpenSSL error.
        r�F)
r�r�N�r�r*
r�r�r.r�
rr/r�r*r*r-�$test_validHostnameInvalidCertificate0s


�


z9ServiceIdentityTests.test_validHostnameInvalidCertificatec
Csh|jd
d
ddd�\}
}}}}|�
|jd�
|�
|jd�
|jj}|jj}|�|tj�
|�|tj�
dS)zu
        If we use the default trust from the platform, our dinky certificate
        should I{really} fail.
        r�FT)r�r�r�Nr�r�r*r*r-�*test_realCAsBetterNotSignOurBogusTestCertsDs



�


z?ServiceIdentityTests.test_realCAsBetterNotSignOurBogusTestCertsc
CsN|jd
d
ddd�\}
}}}}|�
|jd�
|j}|j}|�|�

|�|�

dS)z�
        L{ssl.optionsForClientTLS} should be using L{ssl.platformTrust} by
        default, so if we fake that out then it should trust ourselves again.
        r�T)r�r�r�Nr�r�r*r*r-�test_butIfTheyDidItWouldWorkYs



�



z1ServiceIdentityTests.test_butIfTheyDidItWouldWorkc
CsP|jd
d
dddd�\}
}}}}|�
|jd�
|j}|j}|�|�

|�|�

dS)z�
        When the server verifies and the client presents a valid certificate
        for that verification by passing it to
        L{sslverify.optionsForClientTLS}, communication proceeds.
        r�T)r�r�r�r�Nr�r�r*r*r-�test_clientPresentsCertificateks




�



z3ServiceIdentityTests.test_clientPresentsCertificatec
Cs^|jd
d
ddddd�\}
}}}}|�
|jd�
|jj}|jj}|�|tj�
|�|tj�
dS)z�
        When the server verifies and the client presents an invalid certificate
        for that verification by passing it to
        L{sslverify.optionsForClientTLS}, the connection cannot be established
        with an SSL error.
        r�TF)r�r�r�r�r�Nr�r�r*r*r-�!test_clientPresentsBadCertificate�s





�	

z6ServiceIdentityTests.test_clientPresentsBadCertificatec
s:g��f
d
d�}
|�dd|
�\}}}}}|�
�dg
�
dS)z�
        Specifying the C{hostname} argument to L{CertificateOptions} also sets
        the U{Server Name Extension
        <https://en.wikipedia.org/wiki/Server_Name_Indication>} TLS indication
        field to the correct value.
        c
��f
d
d�}
|�|
�

dS)Nc

s��|�
��d
�
�

dS)NrT)r
�get_servernamerm)
�conn�
�namesr*r-�servername_received�s
zfServiceIdentityTests.test_hostnameIsIndicated.<locals>.setupServerContext.<locals>.servername_received�
�set_tlsext_servername_callback�r�r�r�r*r-�setupServerContext�s
zIServiceIdentityTests.test_hostnameIsIndicated.<locals>.setupServerContextr�N)r�r*
)r�r�r�r�rxrwr�r*r�r-�test_hostnameIsIndicated�s
�z-ServiceIdentityTests.test_hostnameIsIndicatedc

slg�d
}
�f
dd�}|�|
|
|�\}}}}}|�
�|
g
�
|�
|jd�
|j}|j}	|�|�

|�|	�

dS)z0
        Hostnames are encoded as IDNA.
        uhállo.example.comc
r�)Nc
st|�
��
}
��|
�

dSr))r	r�r
)r��
serverIDNAr�r*r-r��s

zcServiceIdentityTests.test_hostnameEncoding.<locals>.setupServerContext.<locals>.servername_receivedr�r�r�r*r-r��s
zFServiceIdentityTests.test_hostnameEncoding.<locals>.setupServerContextr�Nr�)
r��hellor�r�r�rxrwr�r�r�r*r�r-�test_hostnameEncoding�s

�




z*ServiceIdentityTests.test_hostnameEncodingc
sHd
�G�f
dd�d�}
|
�}|�t
�|d
�d�
|�t
jt
j|d�
dS)z�
        L{sslverify.simpleVerifyHostname} checks string equality on the
        commonName of a connection's certificate's subject, doing nothing if it
        matches and raising L{VerificationError} if it doesn't.
        zsomething.example.comcseZ
dZ�f
d
d�ZdS)z6ServiceIdentityTests.test_fallback.<locals>.Connectionc
st�}
�|
�
�_|
S)
z�
                Fake of L{OpenSSL.SSL.Connection.get_peer_certificate}.

                @return: A certificate with a known common name.
                @rtype: L{OpenSSL.crypto.X509}
                )rr;r�
r
�
�namer*r-�get_peer_certificate�s


zKServiceIdentityTests.test_fallback.<locals>.Connection.get_peer_certificateN)r�r�r�r�r*r�r*r-�
Connection�s
r�N�nonsense)rrp�simpleVerifyHostnamer'
�SimpleVerificationError)r�r�r�r*r�r-�
test_fallback�s

�



�z"ServiceIdentityTests.test_fallbackc
	Cs||jd
d
dd�\}
}}}}|�
|jd�
|�
|jd�
|jj}|jj}|�|t�
|�|ttj	f�
|�
t�
}|�|�

dS)a,

        pyOpenSSL isn't always so great about reporting errors.  If one occurs
        in the verification info callback, it should be logged and the
        connection should be shut down (if possible, anyway; the app_data could
        be clobbered but there's no point testing for that).
        r�T)
r�r�N)r�r*
r�r�r.r�
�ZeroDivisionErrorrrr/�flushLoggedErrorsr2
)	r�r�r�rxrwr�r�r��errorsr*r*r-�test_surpriseFromInfoCallback�s


�





z2ServiceIdentityTests.test_surpriseFromInfoCallbackN)r�r�r�r 
r;
r<
r�r�r�r�r�r�r�r�r�skipSNIr�r�r�r�r*r*r*r-r�[s6









�+



r�cCsPt�\}}t
�|jg
�
}t||jj|j|
||d
�\}}}}	}
|
��
|j|	jfS)a�

    Create the TLS connection and negotiate a next protocol.

    @param serverProtocols: The protocols the server is willing to negotiate.
    @param clientProtocols: The protocols the client is willing to negotiate.
    @param clientOptions: The type of C{OpenSSLCertificateOptions} class to
        use for the client. Defaults to C{OpenSSLCertificateOptions}.
    @return: A L{tuple} of the negotiated protocol and the reason the
        connection was lost.
    )r�r�r�r�r�r�)	r�rp�OpenSSLCertificateAuthoritiesr�r�r�r{�negotiatedProtocolr�)r�r�r�rr�r�r�r�rwrxr�r*r*r-�negotiateProtocol�s

��





�r�c@sJeZ
dZd
ZereZnereZdd�Zdd�Zdd�Z	dd	�Z
d
d�ZdS)
�NPNOrALPNTestsz�
    NPN and ALPN protocol selection.

    These tests only run on platforms that have a PyOpenSSL version >= 0.15,
    and OpenSSL version 1.0.1 or later.
    c
C�t�
�}
|�tjj|
v�

d
S)z
        When at least NPN is available on the platform, NPN is in the set of
        supported negotiation protocols.
        N)rp�protocolNegotiationMechanismsr2
�ProtocolNegotiationSupport�NPN�r��supportedProtocolsr*r*r-�)test_nextProtocolMechanismsNPNIsSupported+	�
z8NPNOrALPNTests.test_nextProtocolMechanismsNPNIsSupportedc
Cs2d
dg}
t|
|
d�\}}|�
|d
�
|�|�

dS)z�
        When both ALPN and NPN are used, and both the client and server have
        overlapping protocol choices, a protocol is successfully negotiated.
        Further, the negotiated protocol is the first one in the list.
        �h2�http/1.1�r�r�N�r�r*
r|�r�r]r�r�r*r*r-�test_NPNAndALPNSuccess3	s



�
z%NPNOrALPNTests.test_NPNAndALPNSuccessc
Cs:gd
�
}
ddg}t||
d�\}}|�
|d�
|�|�

dS)zm
        Client and server have different protocol lists: only the common
        element is chosen.
        )r�r�sspdy/2�spdy/3r�r�Nr��r�r�r�r�r�r*r*r-�test_NPNAndALPNDifferentA	s




�
z'NPNOrALPNTests.test_NPNAndALPNDifferentc
Cs0d
dg}
t|
gd�\}}|�
|�

|�
|�

dS)zy
        When one peer does not advertise any protocols, the connection is set
        up with no next protocol.
        r�r�r�N�r�r|r�r*r*r-�test_NPNAndALPNNoAdvertiseO	s



�

z)NPNOrALPNTests.test_NPNAndALPNNoAdvertisec
Cs<d
dg}
dg
}t|
|d�\}}|�
|�

|�|jtj�
dS)zh
        When the client and server have no overlap of protocols, the connection
        fails.
        r�r�r��r�r�N)r�r|r*
rurr/)r�r�r�r�r�r*r*r-�test_NPNAndALPNNoOverlap\	s




�

z'NPNOrALPNTests.test_NPNAndALPNNoOverlapN)r�r�r�r 
r;
r<
�skipNPNr�r�r�r�r�r*r*r*r-r�	s




r�c@s*eZ
dZd
ZereZnereZdd�ZdS)�	ALPNTestsa.

    ALPN protocol selection.

    These tests only run on platforms that have a PyOpenSSL version >= 0.15,
    and OpenSSL version 1.0.2 or later.

    This covers only the ALPN specific logic, as any platform that has ALPN
    will also have NPN and so will run the NPNAndALPNTest suite as well.
    c
Cr�)z�
        When ALPN is available on a platform, protocolNegotiationMechanisms
        includes ALPN in the suported protocols.
        N)rpr�r2
r��ALPNr�r*r*r-�*test_nextProtocolMechanismsALPNIsSupported{	r�z4ALPNTests.test_nextProtocolMechanismsALPNIsSupportedN)r�r�r�r 
r;
r<
�skipALPNr�r*r*r*r-r�k	s




r�c@s>eZ
dZd
ZereZneresdZdd�Zdd�Z	dd�Z
d	S)
�NPNAndALPNAbsentTestsz�
    NPN/ALPN operations fail on platforms that do not support them.

    These tests only run on platforms that have a PyOpenSSL version < 0.15,
    an OpenSSL version earlier than 1.0.1, or an OpenSSL/cryptography built
    without NPN support.
    z+NPN and/or ALPN is present on this platformc
Cst�
�}
|�|
�

d
S)z}
        When neither NPN or ALPN are available on a platform, there are no
        supported negotiation protocols.
        N)rpr�r8
r�r*r*r-�1test_nextProtocolMechanismsNoNegotiationSupported�	s
zGNPNAndALPNAbsentTests.test_nextProtocolMechanismsNoNegotiationSupportedc
Csd
dg}
|jt
t|
|
d�
dS)z�
        A NotImplementedError is raised when using acceptableProtocols on a
        platform that does not support either NPN or ALPN.
        r�r�r�N)r'
�NotImplementedErrorr�)r�r]r*r*r-�test_NPNAndALPNNotImplemented�	s





�z3NPNAndALPNAbsentTests.test_NPNAndALPNNotImplementedc
Cs0d
}
d
}t||
d�\}}|�
|�

|�
|�

d
S)z�
        negotiatedProtocol return L{None} even when NPN/ALPN aren't supported.
        This works because, as neither are supported, negotiation isn't even
        attempted.
        Nr�r�r�r*r*r-�"test_NegotiatedProtocolReturnsNone�	s




�

z8NPNAndALPNAbsentTests.test_NegotiatedProtocolReturnsNoneN)r�r�r�r 
r;
r<
r�r�r�r�r�r*r*r*r-r��	s




r�c@r�
)�_NotSSLTransportc


C�|Sr)r*r�r*r*r-r^�	r�z_NotSSLTransport.getHandleN)r�r�r�r^r*r*r*r-r��	r�
r�c@�$eZ
dZd
d�Zdd�Zdd�ZdS)�_MaybeSSLTransportc


Cr�r)r*r�r*r*r-r^�	r�z_MaybeSSLTransport.getHandlec


Cr(r)r*r�r*r*r-r��	r�z'_MaybeSSLTransport.get_peer_certificatec


Cr(r)r*r�r*r*r-�get_host_certificate�	r�z'_MaybeSSLTransport.get_host_certificateN)r�r�r�r^r�r�r*r*r*r-r��	�
r�c@r�)�_ActualSSLTransportc


Cr�r)r*r�r*r*r-r^�	r�z_ActualSSLTransport.getHandlec

C�tj
�t�
jSr))rprqrrr�
r�r�r*r*r-r��	r
z(_ActualSSLTransport.get_host_certificatec

Cr�r))rprqrrrr�r�r*r*r-r��	r
z(_ActualSSLTransport.get_peer_certificateN)r�r�r�r^r�r�r*r*r*r-r��	r�r�c@sDeZ
dZereZd
d�Zdd�Zdd�Zdd�Zd	d
�Z	dd�Z
d
S)�ConstructorsTestsc
C�,|�t
tjjt��}
|�t|
�
�d
�
�

dS)z�
        Verify that peerFromTransport raises an exception if the transport
        passed is not actually an SSL transport.
        �non-TLSN)	r'
r
rprq�peerFromTransportr�r2
r+
�
startswith�r��
xr*r*r-�test_peerFromNonSSLTransport�	�


�z.ConstructorsTests.test_peerFromNonSSLTransportc
Cr�)z�
        Verify that peerFromTransport raises an exception if the transport
        passed is an SSL transport, but doesn't have a peer certificate.
        �TLSN)	r'
r
rprqr�r�r2
r+
r�r�r*r*r-�test_peerFromBlankSSLTransport�	r�z0ConstructorsTests.test_peerFromBlankSSLTransportc
Cr�)z�
        Verify that hostFromTransport raises an exception if the transport
        passed is not actually an SSL transport.
        r�N)	r'
r
rprq�hostFromTransportr�r2
r+
r�r�r*r*r-�test_hostFromNonSSLTransport�	r�z.ConstructorsTests.test_hostFromNonSSLTransportc
Cr�)z�
        Verify that hostFromTransport raises an exception if the transport
        passed is an SSL transport, but doesn't have a host certificate.
        r�N)	r'
r
rprqr�r�r2
r+
r�r�r*r*r-�test_hostFromBlankSSLTransport�	r�z0ConstructorsTests.test_hostFromBlankSSLTransportc

C�|�t
j�t��
��d
�
dS)z�
        Verify that hostFromTransport successfully creates the correct
        certificate if passed a valid SSL transport.
        i90N)r*
rprqr�r��serialNumberr�r*r*r-�test_hostFromSSLTransport
�

�
�z+ConstructorsTests.test_hostFromSSLTransportc

Cr)z�
        Verify that peerFromTransport successfully creates the correct
        certificate if passed a valid SSL transport.
        i:0N)r*
rprqr�r�rr�r*r*r-�test_peerFromSSLTransport
rz+ConstructorsTests.test_peerFromSSLTransportN)r�r�r�r;
r<
r�r�rr
rrr*r*r*r-r��	s

r�c@r!
)
�!MultipleCertificateTrustRootTestszH
    Test the behavior of the trustRootFromCertificates() API call.
    c
	Csbtj
�t�
}
tj�t�
}t�|
|g�
}t||
jj	|
j	d
�\}}}}}|�
|jd�
|�|j
�

dS)z�
        L{trustRootFromCertificates} accepts either a L{sslverify.Certificate}
        or a L{sslverify.PrivateCertificate} instance.
        �r�r�r�r�N)rprurr�	A_KEYPAIRrqr�
�trustRootFromCertificatesr�r�r�r*
r�r|r�)	r��privateCertr
�mtr�r��sWrap�cWrapr�r*r*r-�+test_trustRootFromCertificatesPrivatePublic'
s



�
zMMultipleCertificateTrustRootTests.test_trustRootFromCertificatesPrivatePublicc

Csrtd
dd�\}
}t
j�t
�|�
t
�|
�
�}t
�|g
�
}t||jj	|j	d�\}}}}}	|�
|jd�
|�|j
�

dS)z�
        L{trustRootFromCertificates} called with a single self-signed
        certificate will cause L{optionsForClientTLS} to accept client
        connections to a server with that certificate.
        rD
rE
rF
rr�N)rGrpru�fromCertificateAndKeyPairrqrDr
r�r�r�r*
r�r|r�)
r��keyr
�
selfSigned�trustr�r�r
rr�r*r*r-�)test_trustRootSelfSignedServerCertificate=
s


�


�
zKMultipleCertificateTrustRootTests.test_trustRootSelfSignedServerCertificatec
	CsRt�\}
}t
�|
g
�
}t||jj|jd
�\}}}}}|�|jd�
|�|j	�

dS)z�
        L{trustRootFromCertificates} called with certificate A will cause
        L{optionsForClientTLS} to accept client connections to a server with
        certificate B where B is signed by A.
        rr�N)
r�rpr
r�r�r�r*
r�r|r�)	r�r}r�rr�r�r
rr�r*r*r-�2test_trustRootCertificateAuthorityTrustsConnectionU
s



�
zTMultipleCertificateTrustRootTests.test_trustRootCertificateAuthorityTrustsConnectionc
Cs�td
dd�\}
}t
j�t
�|�
t
�|
�
�}t
�tddd�d�
}t
�|g
�
}t||jj	|j	d�\}}}}	}
|�
|	jd�
|�
|	jj
tj�
|	jj}|�
|jd	d	d
d�
dS)
z�
        L{trustRootFromCertificates} called with certificate A will cause
        L{optionsForClientTLS} to disallow any connections to a server with
        certificate B where B is not signed by A.
        rD
rE
rF
rI
s
unknown CArIrr�r
rrtN)rGrprurrqrDr
r�r�r�r*
r�r�rurr/r.r�
)r�rr
r��
untrustedCertrr�r�r
rr�ryr*r*r-�'test_trustRootFromCertificatesUntrustedi
s$


�
�


�
zIMultipleCertificateTrustRootTests.test_trustRootFromCertificatesUntrustedc
Cs:tj
�t�
}
|
j}|�ttj|g
�}|�d
|j	d�
dS)z}
        L{trustRootFromCertificates} rejects any L{OpenSSL.crypto.X509}
        instances in the list passed to it.
        zBcertificates items must be twisted.internet.ssl.CertBase instancesr
N)
rprurrr	r�r'
r(
r
r*
r�
)r��private�certX509r�
r*r*r-�,test_trustRootFromCertificatesOpenSSLObjects�
s



�

�zNMultipleCertificateTrustRootTests.test_trustRootFromCertificatesOpenSSLObjectsN)r�r�r�r 
r;
r<
rrrrrr*r*r*r-r
s

#rc@s<eZ
dZd
Zer
eZdZdd�Zdd�Zdd�Z	d	d
�Z
dS)�OpenSSLCipherTestsz>
    Tests for twisted.internet._sslverify.OpenSSLCipher.
    z
CIPHER-STRINGc

Cs|�|j
t�|j
�
j�
d
S)zU
        The first argument passed to the constructor becomes the full name.
        N)r*
�
cipherNamerpr�
�fullNamer�r*r*r-�test_constructorSetsFullName�
s
�z/OpenSSLCipherTests.test_constructorSetsFullNamec
Cs,t�
|j�
}
|�|
tt|
�
d
tj
i
��
dS)zC
        C{repr(cipher)} returns a valid constructor call.
        r�
N)rpr�
rr*
�eval�repr)r�rar*r*r-�	test_repr�
s

�zOpenSSLCipherTests.test_reprc
Cs(t�
|j�
}
t�
|j�
}|�|
|�
d
S)zN
        Equal type and C{fullName} means that the objects are equal.
        N)rpr�
rr*
)r��cipher1�cipher2r*r*r-�test_eqSameClass�
s

z#OpenSSLCipherTests.test_eqSameClassc
s,G�f
d
d�d�}
��t
��j�
|
��
dS)ze
        If ciphers have the same name but different types, they're still
        different.
        c
seZ
dZ�jZd
S)zHOpenSSLCipherTests.test_eqSameNameDifferentType.<locals>.DifferentCipherN)r�r�r�rrr*r�r*r-�DifferentCipher�
s

r%N)r�
rpr�
r)r�r%r*r�r-�test_eqSameNameDifferentType�
s



�z/OpenSSLCipherTests.test_eqSameNameDifferentTypeN)r�r�r�r 
r;
r<
rrr!r$r&r*r*r*r-r�
s

	rc@�0eZ
dZd
Zer
eZdd�Zdd�Zdd�ZdS)	�ExpandCipherStringTestszD
    Tests for twisted.internet._sslverify._expandCipherString.
    c

Cs|�t
�t�d
tjd��
dS)zU
        If the expanded cipher list is empty, an empty L{list} is returned.
        rr
N)r*
�tuplerp�_expandCipherStringrr�r�r*r*r-�!_test_doesNotStumbleOverEmptyList�
s
�z9ExpandCipherStringTests._test_doesNotStumbleOverEmptyListc
sLd
d�}
tt
j�
�|
�_|�tj
d�f
dd��
|�t
jtjdt
jd�
dS)	zf
        Only no cipher matches get swallowed, every other SSL error gets
        propagated.
        c

Sst�
gd
�
g
�
�
)N)rrr)rr/�
r�
r*r*r-�raiser�
szIExpandCipherStringTests.test_doesNotSwallowOtherSSLErrors.<locals>.raiserr�c


r�r)r*r,r�r*r-r.�
r/zKExpandCipherStringTests.test_doesNotSwallowOtherSSLErrors.<locals>.<lambda>�ALLr
N)	r�rr�r
rj
rpr'
r/r*)r�r-r*r�r-�!test_doesNotSwallowOtherSSLErrors�
s




�z9ExpandCipherStringTests.test_doesNotSwallowOtherSSLErrorsc
CsPt�
d
tjd�}
|�|
t�
g}|
D]
}tj�|�
s|�	|�

q|�
g|�
dS)zn
        L{sslverify._expandCipherString} always returns a L{tuple} of
        L{interfaces.ICipher}.
        r.r
N)rpr*rr�r�
r)r�ICipher�
providedByr
r*
)r��ciphersr�r,r*r*r-�test_returnsTupleOfICiphers�
s





�z3ExpandCipherStringTests.test_returnsTupleOfICiphersN)	r�r�r�r 
r;
r<
r+r/r3r*r*r*r-r(�
s

r(c@r')	�AcceptableCiphersTestszI
    Tests for twisted.internet._sslverify.OpenSSLAcceptableCiphers.
    c
Cs&t�
t��
}
|�t�|
�t��
�
d
S)zG
        If no ciphers are available, nothing can be selected.
        N)rp�OpenSSLAcceptableCiphersr)r*
r�
�r��acr*r*r-�&test_selectOnEmptyListReturnsEmptyList
s
z=AcceptableCiphersTests.test_selectOnEmptyListReturnsEmptyListc
	CsHt�
t�d
�
t�d�
g�
}
|�t�d�
f
|
�t�d�
t�d�
g�
�
dS)zi
        Select only returns a cross section of what is available and what is
        desirable.
        �
A�
B�
CN)rpr5r�
r*
r�
r6r*r*r-�#test_selectReturnsOnlyFromAvailables
��



��z:AcceptableCiphersTests.test_selectReturnsOnlyFromAvailablec
Cs8tj
�d
�
}
|�|
jt�
|�tdd�|
jD�
�
�

dS)z�
        If L{sslverify.OpenSSLAcceptableCiphers.fromOpenSSLCipherString} is
        called it expands the string to a tuple of ciphers.
        r.c
ss�|]	}
tj
�|
�
V
qdSr))rpr0r1)�.0r,r*r*r-�	<genexpr>*s�z]AcceptableCiphersTests.test_fromOpenSSLCipherStringExpandsToTupleOfCiphers.<locals>.<genexpr>N)rpr5�fromOpenSSLCipherStringr�
�_ciphersr)r2
�allr6r*r*r-�3test_fromOpenSSLCipherStringExpandsToTupleOfCiphers#s

zJAcceptableCiphersTests.test_fromOpenSSLCipherStringExpandsToTupleOfCiphersN)	r�r�r�r 
r;
r<
r8r<rBr*r*r*r-r4s

r4c@s(eZ
dZd
Zer
eZed�
Zdd�ZdS)�DiffieHellmanParametersTestszD
    Tests for twisted.internet._sslverify.OpenSSLDHParameters.
    r�
c
Cs"tj
�|j�
}
|�|j|
j�
d
S)zl
        Calling C{fromFile} with a filename returns an instance with that file
        name saved.
        N)rp�OpenSSLDiffieHellmanParameters�fromFile�filePathr*
r�
)r��paramsr*r*r-�
test_fromFile6s
z*DiffieHellmanParametersTests.test_fromFileN)	r�r�r�r 
r;
r<
rrFrHr*r*r*r-rC-s


rCc@�eZ
dZd
ZdZdd�ZdS)�FakeLibStatea�

    State for L{FakeLib}

    @param setECDHAutoRaises: An exception
        L{FakeLib.SSL_CTX_set_ecdh_auto} should raise; if L{None},
        nothing is raised.

    @ivar ecdhContexts: A list of SSL contexts with which
        L{FakeLib.SSL_CTX_set_ecdh_auto} was called
    @type ecdhContexts: L{list} of L{OpenSSL.SSL.Context}s

    @ivar ecdhValues: A list of boolean values with which
        L{FakeLib.SSL_CTX_set_ecdh_auto} was called
    @type ecdhValues: L{list} of L{boolean}s
    ��setECDHAutoRaises�ecdhContexts�
ecdhValuescCs|
|_g|_
g|_dSr)rK)r�rLr*r*r-r�Rs



zFakeLibState.__init__N�r�r�r�r 
�	__slots__r�r*r*r*r-rJ?s
rJc@r�)�FakeLibz�
    An introspectable fake of cryptography's lib object.

    @param state: A L{FakeLibState} instance that contains this fake's
        state.
    cCr�r)�
�_state�r�rr*r*r-r�`r�zFakeLib.__init__cCs4|jj
�|
�

|jj�|�

|jjd
u
r|jj�
d
S)a

        Record the context and value under in the C{_state} instance
        variable.

        @see: L{FakeLibState}

        @param ctx: An SSL context.
        @type ctx: L{OpenSSL.SSL.Context}

        @param value: A boolean value
        @type value: L{bool}
        N)rSrMr
rNrL)r�r�r.r*r*r-�SSL_CTX_set_ecdh_autocs




�zFakeLib.SSL_CTX_set_ecdh_autoN)r�r�r�r 
r�rUr*r*r*r-rQXs
rQc@r�)�FakeLibTestsz
    Tests for L{FakeLib}.
    c
Csbtd
d�
}
t
|
�
}|�|
j�

|�|
j�

d\}}|�||�
|�|
j|g
�
|�|
jdg
�
d
S)zh
        L{FakeLib.SSL_CTX_set_ecdh_auto} records context and value it
        was called with.
        N�
rL��CONTEXTTT)rJrQ�	assertNotrMrNrUr*
�r�r�librr.r*r*r-�test_SSL_CTX_set_ecdh_auto{s






z'FakeLibTests.test_SSL_CTX_set_ecdh_autoc
Cshtt
d
�
}
t|
�
}|�|
j�

|�|
j�

d\}}|�t
|j||�
|�|
j|g
�
|�|
jdg
�
dS)z�
        L{FakeLib.SSL_CTX_set_ecdh_auto} raises the exception provided
        by its state, while still recording its arguments.
        rWrXTN)	rJrjrQrZrMrNr'
rUr*
r[r*r*r-� test_SSL_CTX_set_ecdh_autoRaises�s






z-FakeLibTests.test_SSL_CTX_set_ecdh_autoRaisesN)r�r�r�r 
r]r^r*r*r*r-rVvs
rVc@rI)�FakeCryptoStatea�

    State for L{FakeCrypto}

    @param getEllipticCurveRaises: What
        L{FakeCrypto.get_elliptic_curve} should raise; L{None} and it
        won't raise anything

    @param getEllipticCurveReturns: What
        L{FakeCrypto.get_elliptic_curve} should return.

    @ivar getEllipticCurveCalls: The arguments with which
        L{FakeCrypto.get_elliptic_curve} has been called.
    @type getEllipticCurveCalls: L{list}
    ��getEllipticCurveRaises�getEllipticCurveReturns�getEllipticCurveCallscCs|
|_||_
g|_dSr)r`)r�rarbr*r*r-r��s


zFakeCryptoState.__init__NrOr*r*r*r-r_�s
r_c@r�)�
FakeCryptozy
    An introspectable fake of pyOpenSSL's L{OpenSSL.crypto} module.

    @ivar state: A L{FakeCryptoState} instance
    cCr�r)rRrTr*r*r-r��r�zFakeCrypto.__init__cCs*|jj
�|
�

|jjd
u
r|jj�
|jjS)a


        A fake that records the curve with which it was called.

        @param curve: see L{crypto.get_elliptic_curve}

        @return: see L{FakeCryptoState.getEllipticCurveReturns}
        @raises: see L{FakeCryptoState.getEllipticCurveRaises}
        N)rSrcr
rarbr
r*r*r-�get_elliptic_curve�s	


zFakeCrypto.get_elliptic_curveN)r�r�r�r 
r�rer*r*r*r-rd�s
rdc@s(eZ
dZd
Zdd�Zdd�Zdd�ZdS)	�FakeCryptoTestsz"
    Tests for L{FakeCrypto}.
    c
Cs2td
d
d�}
t
|
�
}|�d�

|�|
jdg
�
d
S)zk
        L{FakeCrypto.test_get_elliptic_curve} records the curve with
        which it was called.
        N�rarbza curve name)r_rdrer*
rc�r�r�cryptor*r*r-�&test_get_elliptic_curveRecordsArgument�s

�


z6FakeCryptoTests.test_get_elliptic_curveRecordsArgumentc
Cs>d
}
td|
d�}t
|�
}|�|�d�
|
�
|�|jdg
�
dS)z�
        L{FakeCrypto.test_get_elliptic_curve} returns the value
        specified by its state object and records what it was called
        with.
        �objectNrgzanother curve name)r_rdrrer*
rc)r��returnValuerrir*r*r-�test_get_elliptic_curveReturns�s


�


�z.FakeCryptoTests.test_get_elliptic_curveReturnsc
Cs8tt
d
d�}
t|
�
}|�t
|jd�
|�|
jdg
�
d
S)zs
        L{FakeCrypto.test_get_elliptic_curve} raises the exception
        specified by its state object.
        Nrgzyet another curve name)r_rjrdr'
rer*
rcrhr*r*r-�test_get_elliptic_curveRaises�s
�



�

�z-FakeCryptoTests.test_get_elliptic_curveRaisesN)r�r�r�r 
rjrmrnr*r*r*r-rf�s


rfc@s\eZ
dZd
Zer
eZdZdZdZdd�Z	dd�Z
d	d
�Zdd�Zd
d�Z
dd�Zdd�ZdS)�%ChooseDiffieHellmanEllipticCurveTestsaN

    Tests for L{sslverify._ChooseDiffieHellmanEllipticCurve}.

    @cvar OPENSSL_110: A version number for OpenSSL 1.1.0

    @cvar OPENSSL_102: A version number for OpenSSL 1.0.2

    @cvar OPENSSL_101: A version number for OpenSSL 1.0.1

    @see:
        U{https://wiki.openssl.org/index.php/Manual:OPENSSL_VERSION_NUMBER(3)}
    ii� iOc

CsBtd
d�
|_
t|j
�
|_tddd�|_t|j�
|_tt	j
�
|_dS)NFrW)rbra)rJ�libStaterQr\r_�cryptoStaterdrir�rr�rr�r*r*r-rR
 s


�
z+ChooseDiffieHellmanEllipticCurveTests.setUpc
Cs^tj
|j|j|jd
�}
|
�|j�

|�|jj	�

|�|jj
�

|�|jj�

|�
|jj�

dS)z�
        No configuration of contexts occurs under OpenSSL 1.1.0 and
        later, because they create contexts with secure ECDH curves.

        @see: U{http://twistedmatrix.com/trac/ticket/9210}
        �r@
rA
N)rprh
�OPENSSL_110r\rirB
rr8
rprMrNrqrcr|r��r��chooserr*r*r-�test_openSSL110*s


�


z5ChooseDiffieHellmanEllipticCurveTests.test_openSSL110c
Csrt�
tj�
}
tj|j|j|jd
�}|�|
�

|�	|j
j|
jg
�
|�	|j
j
dg
�
|�|jj�

|�|jj�

dS)z�
        OpenSSL 1.0.2 does not set ECDH curves by default, but
        C{SSL_CTX_set_ecdh_auto} requests that a context choose a
        secure set curves automatically.
        rrTN)rr�r�rprh
�OPENSSL_102r\rirB
r*
rprMrrNr8
rqrcr|rr��r�rrur*r*r-�test_openSSL102=s



�



z5ChooseDiffieHellmanEllipticCurveTests.test_openSSL102c
Cslt|j
_t�tj�
}
tj|j|j	|j
d
�}|�|
�

|�|j
j
|
jg
�
|�|j
jdg
�
|�|jj�

dS)z�
        An exception raised by C{SSL_CTX_set_ecdh_auto} under OpenSSL
        1.0.2 is suppressed because ECDH is best-effort.
        rrTN)�
BaseExceptionrprLrr�r�rprh
rwr\rirB
r*
rMrrNr8
rqrcrxr*r*r-� test_openSSL102SetECDHAutoRaisesPs




�


zFChooseDiffieHellmanEllipticCurveTests.test_openSSL102SetECDHAutoRaisesc
Csrd
|j_
}
tj|j|j|jd�}|�|j�

|�	|j
j�

|�	|j
j�

|�
|jjtjg
�
|�|jj|
�
dS)z�
        OpenSSL 1.0.1 does not set ECDH curves by default, nor does
        it expose L{SSL_CTX_set_ecdh_auto}.  Instead, a single ECDH
        curve can be set with L{OpenSSL.SSL.Context.set_tmp_ecdh}.
        zcurve objectrrN)rqrbrprh
�OPENSSL_101r\rirB
rr8
rprMrNr*
rc�_defaultCurveNamerr�)r�r
rur*r*r-�test_openSSL101bs



�



�z5ChooseDiffieHellmanEllipticCurveTests.test_openSSL101c
Csfd
d�}
|
|j_
tj|j|j|jd�}|�|j�

|�|j	j
�

|�|j	j�

|�|j
jtjg
�
dS)z�
        An exception raised by L{OpenSSL.SSL.Context.set_tmp_ecdh}
        under OpenSSL 1.0.1 is suppressed because ECHDE is best-effort.
        c


Sst�
r))
rzr�r*r*r-r
~r�zXChooseDiffieHellmanEllipticCurveTests.test_openSSL101SetECDHRaises.<locals>.set_tmp_ecdhrrN)rr
rprh
r|r\rirB
r8
rprMrNr*
rqrcr})r�r
rur*r*r-�test_openSSL101SetECDHRaisesxs


�



�zBChooseDiffieHellmanEllipticCurveTests.test_openSSL101SetECDHRaisesc
CsXt|j
_tj|j|j|jd
�}
|
�|j	�

|�
|jj�

|�
|jj
�

|�|j	j�

dS)zy
        Contexts created under an OpenSSL 1.0.1 that doesn't support
        ECC have no configuration applied.
        rrN)rjrqrarprh
r|r\rirB
rr8
rprMrNr|r�rtr*r*r-�test_openSSL101NoECC�s



�

z:ChooseDiffieHellmanEllipticCurveTests.test_openSSL101NoECCN)r�r�r�r 
r;
r<
rsrwr|rR
rvryr{r~rr�r*r*r*r-ros





roc@rl)�KeyPairTestsz)
    Tests for L{sslverify.KeyPair}.
    c

Cstd
dd�d|_
dS)z*
        Create test certificate.
        rD
rE
rF
r
N)rGrJ
r�r*r*r-rR
�szKeyPairTests.setUpc

Cs(|�t
d
ddd�dft�|j�
j�
dS)zB
        L{sslverify.KeyPair.__getstate__} is deprecated.
        rfrgr
rhN)rirrprDrJ
rr�r*r*r-rj�s

�z%KeyPairTests.test_getstateDeprecationc
Cs:t�
|j�
��}
|�td
ddd�dft�
|j�
j|
�
dS)zA
        {sslverify.KeyPair.__setstate__} is deprecated.
        rfrgr
rhN)rprDrJ
r�rirrrTr*r*r-rk�s



�z%KeyPairTests.test_setstateDeprecationc
Cs(td
�
j
�d�
}
|
��}tj�|�

dS)Nztwisted.testzcert.pem.no_trailing_newline)rrF�sibling�
getContentr'rqrr)r��noTrailingNewlineKeyPemPath�certPEMr*r*r-�test_noTrailingNewlinePemCert�s



�
z*KeyPairTests.test_noTrailingNewlinePemCertN)
r�r�r�r 
r;
r<
rR
rjrkr�r*r*r*r-r��s

	r�c@s8eZ
dZd
Zer
eZdd�Zejdd�
g
e_dd�Z	dS)	�SelectVerifyImplementationTestsz3
    Tests for L{_selectVerifyImplementation}.
    c
Cs\td
�
� 
dt
jd
<t��}
tjtjtjf}|�||
�
Wd�
dS1s'w



Y
dS)z�
        If I{service_identity} cannot be imported then
        L{_selectVerifyImplementation} returns L{simpleVerifyHostname} and
        L{SimpleVerificationError}.
        �service_identityN)	r�sys�modulesrp�_selectVerifyImplementationr��simpleVerifyIPAddressr�r*
)r�r'�expectedr*r*r-�test_dependencyMissing�s




�"�z6SelectVerifyImplementationTests.test_dependencyMissingzEYou do not have a working installation of the service_identity module�
r�
c
Cs�td
�
�
dt
jd
<t��
Wd�
n1sw



Y
tdd�|��D�
�
\
}
gd�
}g}|D]}|�dj|d�
�

q1|�	|
d|�
|�
|
d	d
�
|�
|
dd�
dS)
z�
        If I{service_identity} cannot be imported then
        L{_selectVerifyImplementation} emits a L{UserWarning} advising the user
        of the exact error.
        r�Nc
ss �|]}
|
dtkr|
V
qd
S)r�
N)
�UserWarning)r=�warningr*r*r-r>�s�
��zPSelectVerifyImplementationTests.test_dependencyMissingWarning.<locals>.<genexpr>)z8'import of service_identity halted; None in sys.modules'z:'import of 'service_identity' halted; None in sys.modules'z"'No module named service_identity'av
You do not have a working installation of the service_identity module: {message}.  Please install it from <https://pypi.python.org/pypi/service_identity> and make sure all of its dependencies are satisfied.  Without the service_identity module, Twisted can perform only rudimentary TLS client hostname verification.  Many valid certificate/hostname mappings may be rejected.r�r�
�filenamer�linenor
)rr�r�rpr��listr�
r
�formatr�
r*
)r�r��importErrors�expectedMessages�importErrorr*r*r-�test_dependencyMissingWarning�s&



�
�	



��
z=SelectVerifyImplementationTests.test_dependencyMissingWarningN)
r�r�r�r 
r;
r<
r�rrYr�r*r*r*r-r��s

��	r�)
rHr)rf
)�r 
rY�	itertoolsr��unittestr�zope.interfacer�incrementalr�twisted.internetrrrr�twisted.internet._idnar	�twisted.internet.errorr
rr�twisted.python.compatr
�twisted.python.filepathr�twisted.python.modulesr�twisted.python.reflectr�twisted.test.iosimr�twisted.test.test_twistedr�
twisted.trialr�twisted.trial.unittestrrrr;
r�r�r�rhrr�OpenSSL.cryptorrrrr�cryptographyr�cryptography.hazmat.backendsr �cryptography.hazmat.primitivesr!�)cryptography.hazmat.primitives.asymmetricr"�,cryptography.hazmat.primitives.serializationr#r$r%�cryptography.x509.oidr&r'r�r�r��set_npn_advertise_callbackr�r�
�set_alpn_select_callbackr0rp�twisted.internet.sslr1r2�twisted.protocols.tlsr3r�
rr�rFr�r�r	�countr5rGr�r�r�r�r�r�r�r�r�r"
r=
rC
rg
r[rermr�r�r�r�r�r�r�r�r�rrr(r4rCrJrQrVr_rdrfror�r�r*r*r*r-�<module>
s�
























��



�






`
9,


�2
x@Hy.Q
'M3M
21+$ 8+