From f0ad1f334ca57fdf57a3bfb190d314fc8d983475 Mon Sep 17 00:00:00 2001
From: Kyle Morton
Date: Mon, 29 Jun 2015 10:32:57 -0700
Subject: Enabling upstream server verification. Added flags --verify_upstream_cert, --upstream-trusted-cadir, and --upstream-trusted-ca.

---
 test/test_server.py | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
(limited to 'test/test_server.py')

diff --git a/test/test_server.py b/test/test_server.py
index 8cf4095b..3726ec27 100644
--- a/test/test_server.py
+++ b/test/test_server.py
@@ -9,6 +9,7 @@
 import tutils
 import tservers
 from libmproxy.protocol import KILL, Error
 from libmproxy.protocol.http import CONTENT_MISSING
+from OpenSSL import SSL
 """
 Note that the choice of response code in these tests matters more than you
@@ -348,6 +349,65 @@ class TestHTTPSCertfile(tservers.HTTPProxTest, CommonMixin):
         assert self.pathod("304")
 
 
+class TestHTTPSUpstreamServerVerificationWTrustedCert(tservers.HTTPProxTest):
+    """
+    Test upstream server certificate verification with a trusted server cert.
+    """
+    ssl = True
+    ssloptions = pathod.SSLOptions(
+        cn = "trusted-cert",
+        certs = [
+            ("trusted-cert", tutils.test_data.path("data/trusted-server.crt"))
+        ])
+
+    def test_verification_w_cadir(self):
+        self.config.openssl_verification_mode_server = SSL.VERIFY_PEER
+        self.config.openssl_trusted_cadir_server = tutils.test_data.path(
+            "data/trusted-cadir/")
+
+        self.pathoc()
+
+    def test_verification_w_pemfile(self):
+        self.config.openssl_verification_mode_server = SSL.VERIFY_PEER
+        self.config.openssl_trusted_ca_server = tutils.test_data.path(
+            "data/trusted-cadir/trusted-ca.pem")
+
+        self.pathoc()
+
+
+class TestHTTPSUpstreamServerVerificationWBadCert(tservers.HTTPProxTest):
+    """
+    Test upstream server certificate verification with an untrusted server cert.
+    """
+    ssl = True
+    ssloptions = pathod.SSLOptions(
+        cn = "untrusted-cert",
+        certs = [
+            ("untrusted-cert", tutils.test_data.path("data/untrusted-server.crt"))
+        ])
+
+    def test_default_verification_w_bad_cert(self):
+        """Should use no verification."""
+        self.config.openssl_trusted_ca_server = tutils.test_data.path(
+            "data/trusted-cadir/trusted-ca.pem")
+
+        self.pathoc()
+
+    def test_no_verification_w_bad_cert(self):
+        self.config.openssl_verification_mode_server = SSL.VERIFY_NONE
+        self.config.openssl_trusted_ca_server = tutils.test_data.path(
+            "data/trusted-cadir/trusted-ca.pem")
+
+        self.pathoc()
+
+    def test_verification_w_bad_cert(self):
+        self.config.openssl_verification_mode_server = SSL.VERIFY_PEER
+        self.config.openssl_trusted_ca_server = tutils.test_data.path(
+            "data/trusted-cadir/trusted-ca.pem")
+
+        tutils.raises("SSL handshake error", self.pathoc)
+
+
 class TestHTTPSNoCommonName(tservers.HTTPProxTest):
     """
     Test what happens if we get a cert without common name back.
--
cgit v1.2.3
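Review bot: `test_default_verification_w_bad_cert` documents the default as "no verification" but only proves that a handshake against an untrusted cert succeeds; nothing pins the default itself, so a later change that makes the proxy verify upstream by default would surface here as an unexplained handshake error rather than a failed assertion. If `openssl_verification_mode_server` is where that default lives, an explicit `assert self.config.openssl_verification_mode_server == SSL.VERIFY_NONE` before `self.pathoc()` and a docstring saying this test deliberately pins the compatibility-preserving default would make the intent clear. As far as the hunk shows, `SSL.VERIFY_PEER` is exercised only as chain validation against `trusted-ca.pem`; neither class covers `VERIFY_PEER` with no CA configured, and nothing checks that the cert's `cn` is matched against the upstream host, so a sentence in each class docstring stating what is and is not verified would help readers. Minor style: `cn = "trusted-cert"` and `certs = [` put spaces around keyword `=`, which PEP 8 avoids.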