bpo-28414: ssl module idna test (#5395)

Add test cases for IDNA 2003 and 2008 host names. IDNA 2003 internationalized host names are working since bpo-31399 has landed. IDNA 2008 deviations are still broken and will be fixed in another patch. Signed-off-by: Christian Heimes <christian@python.org>

bpo-28414: ssl module idna test (#5395)
Add test cases for IDNA 2003 and 2008 host names. IDNA 2003 internationalized host names are working since bpo-31399 has landed. IDNA 2008 deviations are still broken and will be fixed in another patch. Signed-off-by: Christian Heimes <christian@python.org>
66e5742b · Christian Heimes · GitHub · 892d66e4 · 66e5742b · 66e5742b
Unverified Kaydet (Commit) 66e5742b authored Ock 29, 2018 tarafından Christian Heimes Kaydeden (comit) GitHub Ock 29, 2018
Show whitespace changes
Inline Side-by-side

Showing with 68 additions and 1 deletion

test_ssl.py Lib/test/test_ssl.py +65 -1

2018-01-28-21-19-13.bpo-28414.a6Onzt.rst ...EWS.d/next/Tests/2018-01-28-21-19-13.bpo-28414.a6Onzt.rst +3 -0

No files found.
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -105,6 +105,7 @@ SIGNED_CERTFILE_ECC_HOSTNAME = 'localhost-ecc'
 SIGNING_CA = data_file("capath", "ceff1710.0")
 # cert with all kinds of subject alt names
 ALLSANFILE = data_file("allsans.pem")
+IDNSANSFILE = data_file("idnsans.pem")
 REMOTE_HOST = "self-signed.pythontest.net"
@@ -1612,7 +1613,6 @@ class MemoryBIOTests(unittest.TestCase):
 class SimpleBackgroundTests(unittest.TestCase):
    """Tests that connect to a simple server running in the background"""
    def setUp(self):
@@ -2630,6 +2630,70 @@ class ThreadedTests(unittest.TestCase):
                cipher = s.cipher()[0].split('-')
                self.assertTrue(cipher[:2], ('ECDHE', 'ECDSA'))
+    def test_check_hostname_idn(self):
+        if support.verbose:
+            sys.stdout.write("\n")
+        server_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+        server_context.load_cert_chain(IDNSANSFILE)
+        context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+        context.verify_mode = ssl.CERT_REQUIRED
+        context.check_hostname = True
+        context.load_verify_locations(SIGNING_CA)
+        # correct hostname should verify, when specified in several
+        # different ways
+        idn_hostnames = [
+            ('könig.idn.pythontest.net',
+             'könig.idn.pythontest.net',),
+            ('xn--knig-5qa.idn.pythontest.net',
+             'xn--knig-5qa.idn.pythontest.net'),
+            (b'xn--knig-5qa.idn.pythontest.net',
+             b'xn--knig-5qa.idn.pythontest.net'),
+            ('königsgäßchen.idna2003.pythontest.net',
+             'königsgäßchen.idna2003.pythontest.net'),
+            ('xn--knigsgsschen-lcb0w.idna2003.pythontest.net',
+             'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
+            (b'xn--knigsgsschen-lcb0w.idna2003.pythontest.net',
+             b'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
+        ]
+        for server_hostname, expected_hostname in idn_hostnames:
+            server = ThreadedEchoServer(context=server_context, chatty=True)
+            with server:
+                with context.wrap_socket(socket.socket(),
+                                         server_hostname=server_hostname) as s:
+                    self.assertEqual(s.server_hostname, expected_hostname)
+                    s.connect((HOST, server.port))
+                    cert = s.getpeercert()
+                    self.assertEqual(s.server_hostname, expected_hostname)
+                    self.assertTrue(cert, "Can't get peer certificate.")
+                with ssl.SSLSocket(socket.socket(),
+                                   server_hostname=server_hostname) as s:
+                    s.connect((HOST, server.port))
+                    s.getpeercert()
+                    self.assertEqual(s.server_hostname, expected_hostname)
+        # bug https://bugs.python.org/issue28414
+        # IDNA 2008 deviations are broken
+        idna2008 = 'xn--knigsgchen-b4a3dun.idna2008.pythontest.net'
+        server = ThreadedEchoServer(context=server_context, chatty=True)
+        with server:
+            with self.assertRaises(UnicodeError):
+                with context.wrap_socket(socket.socket(),
+                                         server_hostname=idna2008) as s:
+                    s.connect((HOST, server.port))
+        # incorrect hostname should raise an exception
+        server = ThreadedEchoServer(context=server_context, chatty=True)
+        with server:
+            with context.wrap_socket(socket.socket(),
+                                     server_hostname="python.example.org") as s:
+                with self.assertRaises(ssl.CertificateError):
+                    s.connect((HOST, server.port))
    def test_wrong_cert(self):
        """Connecting when the server rejects the client's certificate

--- a/Misc/NEWS.d/next/Tests/2018-01-28-21-19-13.bpo-28414.a6Onzt.rst
+++ b/Misc/NEWS.d/next/Tests/2018-01-28-21-19-13.bpo-28414.a6Onzt.rst
+Add test cases for IDNA 2003 and 2008 host names. IDNA 2003
+internationalized host names are working since bpo-31399 has landed. IDNA
+2008 are still broken.