test-https: test basic functions of client certificate authentication...
Yuya Nishihara -
r25413:4d705f6a default
@@ -315,6 +315,15 b' def has_ssl():'
315 except ImportError:
315 except ImportError:
316 return False
316 return False
317
317
318 @check("sslcontext", "python >= 2.7.9 ssl")
319 def has_sslcontext():
320 try:
321 import ssl
322 ssl.SSLContext
323 return True
324 except (ImportError, AttributeError):
325 return False
326
318 @check("defaultcacerts", "can verify SSL certs by system's CA certs store")
327 @check("defaultcacerts", "can verify SSL certs by system's CA certs store")
319 def has_defaultcacerts():
328 def has_defaultcacerts():
320 from mercurial import sslutil
329 from mercurial import sslutil
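Review bot: The bare expression `ssl.SSLContext` on line 322 is the whole feature probe, but on its own it reads like a forgotten no-op to a reader who does not know the hghave idiom; a one-line comment would make the intent explicit, e.g. `# attribute lookup is the probe: SSLContext only exists on python >= 2.7.9 ssl`. Catching `AttributeError` alongside `ImportError` on line 324 is what turns a missing attribute into a clean "skip", which is worth stating for the same reason. No behavioral issue seen in this hunk.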
@@ -81,6 +81,53 b' pub.pem patched with other notBefore / n'
81 > EOT
81 > EOT
82 $ cat priv.pem pub-expired.pem > server-expired.pem
82 $ cat priv.pem pub-expired.pem > server-expired.pem
83
83
84 Client certificates created with:
85 openssl genrsa -aes128 -passout pass:1234 -out client-key.pem 512
86 openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem
87 printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \
88 openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem
89 openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \
90 -set_serial 01 -out client-cert.pem
91
92 $ cat << EOT > client-key.pem
93 > -----BEGIN RSA PRIVATE KEY-----
94 > Proc-Type: 4,ENCRYPTED
95 > DEK-Info: AES-128-CBC,C8B8F103A61A336FB0716D1C0F8BB2E8
96 >
97 > JolMlCFjEW3q3JJjO9z99NJWeJbFgF5DpUOkfSCxH56hxxtZb9x++rBvBZkxX1bF
98 > BAIe+iI90+jdCLwxbILWuFcrJUaLC5WmO14XDKYVmr2eW9e4MiCYOlO0Q6a9rDFS
99 > jctRCfvubOXFHbBGLH8uKEMpXEkP7Lc60FiIukqjuQEivJjrQirVtZCGwyk3qUi7
100 > Eyh4Lo63IKGu8T1Bkmn2kaMvFhu7nC/CQLBjSq0YYI1tmCOkVb/3tPrz8oqgDJp2
101 > u7bLS3q0xDNZ52nVrKIoZC/UlRXGlPyzPpa70/jPIdfCbkwDaBpRVXc+62Pj2n5/
102 > CnO2xaKwfOG6pDvanBhFD72vuBOkAYlFZPiEku4sc2WlNggsSWCPCIFwzmiHjKIl
103 > bWmdoTq3nb7sNfnBbV0OCa7fS1dFwCm4R1NC7ELENu0=
104 > -----END RSA PRIVATE KEY-----
105 > EOT
106
107 $ cat << EOT > client-key-decrypted.pem
108 > -----BEGIN RSA PRIVATE KEY-----
109 > MIIBOgIBAAJBAJs4LS3glAYU92bg5kPgRPNW84ewB0fWJfAKccCp1ACHAdZPeaKb
110 > FCinVMYKAVbVqBkyrZ/Tyr8aSfMz4xO4+KsCAwEAAQJAeKDr25+Q6jkZHEbkLRP6
111 > AfMtR+Ixhk6TJT24sbZKIC2V8KuJTDEvUhLU0CAr1nH79bDqiSsecOiVCr2HHyfT
112 > AQIhAM2C5rHbTs9R3PkywFEqq1gU3ztCnpiWglO7/cIkuGBhAiEAwVpMSAf77kop
113 > 4h/1kWsgMALQTJNsXd4CEUK4BOxvJIsCIQCbarVAKBQvoT81jfX27AfscsxnKnh5
114 > +MjSvkanvdFZwQIgbbcTefwt1LV4trtz2SR0i0nNcOZmo40Kl0jIquKO3qkCIH01
115 > mJHzZr3+jQqeIFtr5P+Xqi30DJxgrnEobbJ0KFjY
116 > -----END RSA PRIVATE KEY-----
117 > EOT
118
119 $ cat << EOT > client-cert.pem
120 > -----BEGIN CERTIFICATE-----
121 > MIIBPjCB6QIBATANBgkqhkiG9w0BAQsFADAxMRIwEAYDVQQDDAlsb2NhbGhvc3Qx
122 > GzAZBgkqhkiG9w0BCQEWDGhnQGxvY2FsaG9zdDAeFw0xNTA1MDcwNjI5NDVaFw0z
123 > OTEyMjcwNjI5NDVaMCQxIjAgBgkqhkiG9w0BCQEWE2hnLWNsaWVudEBsb2NhbGhv
124 > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAmzgtLeCUBhT3ZuDmQ+BE81bzh7AH
125 > R9Yl8ApxwKnUAIcB1k95opsUKKdUxgoBVtWoGTKtn9PKvxpJ8zPjE7j4qwIDAQAB
126 > MA0GCSqGSIb3DQEBCwUAA0EAfBTqBG5pYhuGk+ZnyUufgS+d7Nk/sZAZjNdCAEj/
127 > NFPo5fR1jM6jlEWoWbeg298+SkjV7tfO+2nt0otUFkdM6A==
128 > -----END CERTIFICATE-----
129 > EOT
130
84 $ hg init test
131 $ hg init test
85 $ cd test
132 $ cd test
86 $ echo foo>foo
133 $ echo foo>foo
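Review bot: The client key recipe on line 85 generates a 512-bit RSA key, and OpenSSL builds running at security level 1 or higher (the default since 1.1.0) reject RSA keys shorter than 1024 bits during the handshake, so on newer platforms the "with client certificate" case would fail for a reason unrelated to what this test checks; regenerating with `openssl genrsa -aes128 -passout pass:1234 -out client-key.pem 2048` and refreshing the three embedded PEM blobs avoids that. Note too that the encrypted `client-key.pem` written on lines 92-105 is not used by the new test in this commit (only `client-key-decrypted.pem` is), so if no later hunk exercises the passphrase path it is dead fixture data. The committed private keys should also be marked as throwaway so readers and secret scanners do not treat them as leaked material, e.g. `Client key/cert below are test-only fixtures issued by the test CA (pub.pem/priv.pem); never reuse them outside this test.`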
@@ -297,3 +344,51 b' Test https with cert problems through pr'
297 pulling from https://localhost:$HGPORT2/
344 pulling from https://localhost:$HGPORT2/
298 abort: error: *certificate verify failed* (glob)
345 abort: error: *certificate verify failed* (glob)
299 [255]
346 [255]
347
348
349 $ "$TESTDIR/killdaemons.py" $DAEMON_PIDS
350
351 #if sslcontext
352
353 Start patched hgweb that requires client certificates:
354
355 $ cat << EOT > reqclientcert.py
356 > import ssl
357 > from mercurial.hgweb import server
358 > class _httprequesthandlersslclientcert(server._httprequesthandlerssl):
359 > @staticmethod
360 > def preparehttpserver(httpserver, ssl_cert):
361 > sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
362 > sslcontext.verify_mode = ssl.CERT_REQUIRED
363 > sslcontext.load_cert_chain(ssl_cert)
364 > # verify clients by server certificate
365 > sslcontext.load_verify_locations(ssl_cert)
366 > httpserver.socket = sslcontext.wrap_socket(httpserver.socket,
367 > server_side=True)
368 > server._httprequesthandlerssl = _httprequesthandlersslclientcert
369 > EOT
370 $ cd test
371 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
372 > --config extensions.reqclientcert=../reqclientcert.py
373 $ cat ../hg0.pid >> $DAEMON_PIDS
374 $ cd ..
375
376 without client certificate:
377
378 $ P=`pwd` hg id https://localhost:$HGPORT/
379 abort: error: *handshake failure* (glob)
380 [255]
381
382 with client certificate:
383
384 $ cat << EOT >> $HGRCPATH
385 > [auth]
386 > l.prefix = localhost
387 > l.cert = client-cert.pem
388 > EOT
389
390 $ P=`pwd` hg id https://localhost:$HGPORT/ \
391 > --config auth.l.key=client-key-decrypted.pem
392 5fed3813f7f5
393
394 #endif
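Review bot: The negative check on lines 378-379 accepts any `*handshake failure*`, and the server context on line 361 is pinned to `ssl.PROTOCOL_TLSv1`, so a client or OpenSSL build that refuses TLS 1.0 (or the 512-bit keys used here) would make the "without client certificate" case pass for the wrong reason while the "with client certificate" case fails; the glob cannot tell a missing-certificate rejection from a version or cipher mismatch. Let the two sides negotiate instead of pinning an old version: replace line 361 with `sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)` followed by `sslcontext.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3`, which is available on the same python >= 2.7.9 ssl the `sslcontext` guard requires. The comment on line 364 is also slightly misleading: `load_verify_locations(ssl_cert)` works only because `client-cert.pem` was issued under `pub.pem`/`priv.pem` (lines 89-90), so `# the server cert doubles as the CA that issued client-cert.pem, so it is the trust anchor for client auth` states the actual dependency. The `[auth]` entry on line 387 uses a relative `client-cert.pem` path, which presumably depends on the test's working directory; worth confirming since `l.key` is passed separately on line 391.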