Merge pull request #6662 from sigmavirus24/fix-tls-floppy

Add local TLS server

Author: sigmavirus24

src/requests/adapters.py

@@ -73,7 +73,9 @@ def SOCKSProxyManager(*args, **kwargs):
 
 
 def _urllib3_request_context(
-    request: "PreparedRequest", verify: "bool | str | None"
+    request: "PreparedRequest",
+    verify: "bool | str | None",
+    client_cert: "typing.Tuple[str, str] | str | None",
 ) -> "(typing.Dict[str, typing.Any], typing.Dict[str, typing.Any])":
     host_params = {}
     pool_kwargs = {}
@@ -86,6 +88,14 @@ def _urllib3_request_context(
     if isinstance(verify, str):
         pool_kwargs["ca_certs"] = verify
     pool_kwargs["cert_reqs"] = cert_reqs
+    if client_cert is not None:
+        if isinstance(client_cert, tuple) and len(client_cert) == 2:
+            pool_kwargs["cert_file"] = client_cert[0]
+            pool_kwargs["key_file"] = client_cert[1]
+        else:
+            # According to our docs, we allow users to specify just the client
+            # cert path
+            pool_kwargs["cert_file"] = client_cert
     host_params = {
         "scheme": scheme,
         "host": parsed_request_url.hostname,
@@ -354,13 +364,13 @@ def build_response(self, req, resp):
 
         return response
 
-    def _get_connection(self, request, verify, proxies=None):
+    def _get_connection(self, request, verify, proxies=None, cert=None):
         # Replace the existing get_connection without breaking things and
         # ensure that TLS settings are considered when we interact with
         # urllib3 HTTP Pools
         proxy = select_proxy(request.url, proxies)
         try:
-            host_params, pool_kwargs = _urllib3_request_context(request, verify)
+            host_params, pool_kwargs = _urllib3_request_context(request, verify, cert)
         except ValueError as e:
             raise InvalidURL(e, request=request)
         if proxy:
@@ -509,7 +519,7 @@ def send(
         """
 
         try:
-            conn = self._get_connection(request, verify, proxies)
+            conn = self._get_connection(request, verify, proxies=proxies, cert=cert)
         except LocationValueError as e:
             raise InvalidURL(e, request=request)
 

tests/certs/README.md

@@ -0,0 +1,10 @@
+# Testing Certificates
+
+This is a collection of certificates useful for testing aspects of Requests'
+behaviour.
+
+The certificates include:
+
+* [expired](./expired) server certificate with a valid certificate authority
+* [mtls](./mtls) provides a valid client certificate with a 2 year validity
+* [valid](./valid) has a valid server certificate

tests/certs/expired/Makefile

@@ -0,0 +1,13 @@
+.PHONY: all clean ca server
+
+ca:
+	make -C $@ all
+
+server:
+	make -C $@ all
+
+all: ca server
+
+clean:
+	make -C ca clean
+	make -C server clean

tests/certs/expired/README.md

@@ -0,0 +1,11 @@
+# Expired Certificates and Configuration for Testing
+
+This has a valid certificate authority in [ca](./ca) and an invalid server
+certificate in [server](./server).
+
+This can all be regenerated with:
+
+```
+make clean
+make all
+```

tests/certs/expired/ca/Makefile

@@ -0,0 +1,13 @@
+.PHONY: all clean
+
+root_files = ca-private.key ca.crt
+
+ca-private.key:
+	openssl genrsa -out ca-private.key 2048
+
+all: ca-private.key
+	openssl req -x509 -sha256 -days 7300 -key ca-private.key -out ca.crt -config ca.cnf
+	ln -s ca.crt cacert.pem
+
+clean:
+	rm -f cacert.pem ca.crt ca-private.key *.csr

tests/certs/expired/ca/ca-private.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDHlIhe7GLCeSk8
+RZOKdtmyKns6KdZgGw/LcxPkYvQlu1g0zV8X0DqVr2LdMumWUTNCc9sPdSlAG+He
+mQp2TMoWUMumMuwDtit9RT0Sb6Eh9svWgjY9ferovPJRfCWUTsA2Ug8uoh0wyEXK
+na7X6fHt5E3B9vj0+b9a4vDibdBXV11FheLT02/uEmAEJDdP/zeBgvVbhcVyumO6
+fAGMIWzR2ukhe8z/ma5H9zoi4gZA8nsK6reZUD8+6affnPe+jIt/AdzggtV9jkWm
+zSpr+RHeZ0y+q4eik2ZNUGg4XcF6JsJ9yu/AqLBXxd38uLdFfgyhP2y6K628yzgy
+e6lzFyWnAgMBAAECggEAFwzHhzcD3PQDWCus85PwZoxTeQ817BmUBGpBBOKM0gLG
+GCsT7XsmGP2NjICBy9OK+QTKawmb/wR5XK0OMUWDHXqtWn+NFIyojyo8+HEeCf8n
+4ZleTFHLnJ+d2N1etbc2qc9mY3tjpaurq8/0Tol9YH06ock1TY2+lO+a5HvMURnY
+hcWs70CamL+5B/6n67DhjzMtIW3dIXuEEceM1BW/jW8SKq0JHpQ3t+OJwID7zFaJ
+bLyOwAVheMzVGvN3yphf8tll3tMA65bNjdOzgOfZSjAy7EGjW3DyAolDw9jKLRyu
+E0gw/exNGe618oMIeUDv0KParlL4RjdiUP8l0xYOwQKBgQD3eYj9rWeqZquI9vKP
+gaSv6urb2UJLngShZUpEZRNJgBO+Ewiof0w8tpQdsnuMvWudxMLbzgiUNA+NyC/K
+CpzIXFkWnWx+A/pxs8ZO8moOfajVRayJgeOLsQZb7c4fXGsVGApbN4+cPNhTNG6d
+ucErv6tae/SzAzcLc5Vkw/ELxwKBgQDOdJ5Wl5JeKAvU/3kF6+MYWCrXxZqMjoHS
+y1BtyMX5RbdaWTCfDUu1aV3qJOJjjWQ9DJdJQcEsrTjOpD4bVdZx4w/XEG0JXAa3
+jRypVHGdeG/TjhUGJA8U+KX3a1DkcdqM9pqFYRw5Ie95Wz9YRroI+YkixqpK8d7W
+C+5BodxXIQKBgCk8Lv9V7XgPM3XW8APJbk+BrTCEuu8unUbnQcCztssAdEmvkjnB
+PErBgVyRaNTCmzPmnTFS20sWgaD2QkBAFG+uM4n5ISK+NvTLJ7fv3IwdlAw1V9Jx
+uiCElrKqpTXEiHMzVkZss5ks6j6y9duCIBXSEhM5pERPvNRDphjsLTXxAoGARSNC
+nyb1Kjjo9XR0V+pNy6pC9q1C+00B5tCVZ55zxe114Hi70pfGQcM+YxnlAoeoCNW9
+mBfAFDESNAlGjyrovIzYkiH7EcZSrYdBEOepgJ2DfWo4Wi0bK9+03K2AknAaS1iO
+GJqTtAJMSuymwu40gKroJNA42Q40nKO0LyCARGECgYEAiFRHkblBtStv22SpZxNC
+jim9yuM0ikh7Ij1lEHysc/GWb2RQNxQVk54BU2kQ0d9xwMZQTKvpF3VE9t7uGdwt
+AasWPr/tWYt35Ud0D4bNlagJJ4Xdslf8n1nkq3qqqDQbd7kkQRgwGzVr0uVg7ZfS
+26qSPQ0/aF9nagb5eHX3AuU=
+-----END PRIVATE KEY-----

tests/certs/expired/ca/ca.cnf

@@ -0,0 +1,12 @@
+[req]
+default_bits = 2048
+prompt = no
+default_md = sha256
+encrypt_key = no
+distinguished_name = dn
+
+[dn]
+C = US                            # country code
+O = Python Software Foundation    # organization
+OU = python-requests              # organization unit/department
+CN = Self-Signed Root CA          # common name / your cert name

tests/certs/expired/ca/ca.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDWzCCAkMCFA9wdtNh/V99DRwYp8vXjPxSjJnWMA0GCSqGSIb3DQEBCwUAMGox
+CzAJBgNVBAYTAlVTMSMwIQYDVQQKDBpQeXRob24gU29mdHdhcmUgRm91bmRhdGlv
+bjEYMBYGA1UECwwPcHl0aG9uLXJlcXVlc3RzMRwwGgYDVQQDDBNTZWxmLVNpZ25l
+ZCBSb290IENBMB4XDTI0MDMxMjIxMDQwM1oXDTQ0MDMwNzIxMDQwM1owajELMAkG
+A1UEBhMCVVMxIzAhBgNVBAoMGlB5dGhvbiBTb2Z0d2FyZSBGb3VuZGF0aW9uMRgw
+FgYDVQQLDA9weXRob24tcmVxdWVzdHMxHDAaBgNVBAMME1NlbGYtU2lnbmVkIFJv
+b3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHlIhe7GLCeSk8
+RZOKdtmyKns6KdZgGw/LcxPkYvQlu1g0zV8X0DqVr2LdMumWUTNCc9sPdSlAG+He
+mQp2TMoWUMumMuwDtit9RT0Sb6Eh9svWgjY9ferovPJRfCWUTsA2Ug8uoh0wyEXK
+na7X6fHt5E3B9vj0+b9a4vDibdBXV11FheLT02/uEmAEJDdP/zeBgvVbhcVyumO6
+fAGMIWzR2ukhe8z/ma5H9zoi4gZA8nsK6reZUD8+6affnPe+jIt/AdzggtV9jkWm
+zSpr+RHeZ0y+q4eik2ZNUGg4XcF6JsJ9yu/AqLBXxd38uLdFfgyhP2y6K628yzgy
+e6lzFyWnAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGymNVTsKSAq8Ju6zV+AWAyV
+GcUNBmLpgzDA0e7pkVYhHTdWKlGH4GnrRcp0nvnSbr6iq1Ob/8yEUUoRzK55Flws
+Kt1OLwnZyhfRoSUesoEqpP68vzWEgiYv0QuIWvzNt0YfAAvEgGoc3iri44MelKLn
+9ZMT8m91nVamA35R8ZjfeAkNp2xcz0a67V0ww6o4wSXrG7o5ZRXyjqZ/9K7SfwUJ
+rV9RciccsjH/MzKbfrx73QwsbPWiFmjzHopdasIO0lDlmgm/r9gKfkbzfKoGCgLZ
+6an6FlmLftLSXijf/QwtqeSP9fODeE3dzBmnTM3jdoVS53ZegUDWNl14o25v2Kg=
+-----END CERTIFICATE-----

tests/certs/expired/ca/ca.srl

@@ -0,0 +1 @@
+4F36C3A7E075BA6452D10EEB81E7F189FF489B74

tests/certs/expired/server/Makefile

@@ -0,0 +1,16 @@
+.PHONY: all clean
+
+server.key:
+	openssl genrsa -out $@ 2048
+
+server.csr: server.key
+	openssl req -key $< -new -out $@ -config cert.cnf
+
+server.pem: server.csr
+	openssl x509 -req -CA ../ca/ca.crt -CAkey ../ca/ca-private.key -in server.csr -outform PEM -out server.pem -days 0 -CAcreateserial
+	openssl x509 -in ../ca/ca.crt -outform PEM >> $@
+
+all: server.pem
+
+clean:
+	rm -f server.*