| 1 #!/usr/bin/env python | 1 #!/usr/bin/env python |
| 2 # Copyright 2013 The Chromium Authors. All rights reserved. | 2 # Copyright 2013 The Chromium Authors. All rights reserved. |
| 3 # Use of this source code is governed by a BSD-style license that can be | 3 # Use of this source code is governed by a BSD-style license that can be |
| 4 # found in the LICENSE file. | 4 # found in the LICENSE file. |
| 5 | 5 |
| 6 """This is a simple HTTP/FTP/TCP/UDP/BASIC_AUTH_PROXY/WEBSOCKET server used for | 6 """This is a simple HTTP/FTP/TCP/UDP/BASIC_AUTH_PROXY/WEBSOCKET server used for |
| 7 testing Chrome. | 7 testing Chrome. |
| 8 | 8 |
| 9 It supports several test URLs, as specified by the handlers in TestPageHandler. | 9 It supports several test URLs, as specified by the handlers in TestPageHandler. |
| 10 By default, it listens on an ephemeral port and sends the port number back to | 10 By default, it listens on an ephemeral port and sends the port number back to |
| 121 | 121 |
| 122 class HTTPSServer(tlslite.api.TLSSocketServerMixIn, | 122 class HTTPSServer(tlslite.api.TLSSocketServerMixIn, |
| 123 testserver_base.ClientRestrictingServerMixIn, | 123 testserver_base.ClientRestrictingServerMixIn, |
| 124 testserver_base.BrokenPipeHandlerMixIn, | 124 testserver_base.BrokenPipeHandlerMixIn, |
| 125 testserver_base.StoppableHTTPServer): | 125 testserver_base.StoppableHTTPServer): |
| 126 """This is a specialization of StoppableHTTPServer that add https support and | 126 """This is a specialization of StoppableHTTPServer that add https support and |
| 127 client verification.""" | 127 client verification.""" |
| 128 | 128 |
| 129 def __init__(self, server_address, request_hander_class, pem_cert_and_key, | 129 def __init__(self, server_address, request_hander_class, pem_cert_and_key, |
| 130 ssl_client_auth, ssl_client_cas, ssl_bulk_ciphers, | 130 ssl_client_auth, ssl_client_cas, ssl_bulk_ciphers, |
| 131 record_resume_info, tls_intolerant, signed_cert_timestamps): | 131 record_resume_info, tls_intolerant, |
| 132 signed_cert_timestamps, ocsp_response): |
| 132 self.cert_chain = tlslite.api.X509CertChain().parseChain(pem_cert_and_key) | 133 self.cert_chain = tlslite.api.X509CertChain().parseChain(pem_cert_and_key) |
| 133 # Force using only python implementation - otherwise behavior is different | 134 # Force using only python implementation - otherwise behavior is different |
| 134 # depending on whether m2crypto Python module is present (error is thrown | 135 # depending on whether m2crypto Python module is present (error is thrown |
| 135 # when it is). m2crypto uses a C (based on OpenSSL) implementation under | 136 # when it is). m2crypto uses a C (based on OpenSSL) implementation under |
| 136 # the hood. | 137 # the hood. |
| 137 self.private_key = tlslite.api.parsePEMKey(pem_cert_and_key, | 138 self.private_key = tlslite.api.parsePEMKey(pem_cert_and_key, |
| 138 private=True, | 139 private=True, |
| 139 implementations=['python']) | 140 implementations=['python']) |
| 140 self.ssl_client_auth = ssl_client_auth | 141 self.ssl_client_auth = ssl_client_auth |
| 141 self.ssl_client_cas = [] | 142 self.ssl_client_cas = [] |
| 142 self.tls_intolerant = tls_intolerant | 143 self.tls_intolerant = tls_intolerant |
| 143 self.signed_cert_timestamps = signed_cert_timestamps | 144 self.signed_cert_timestamps = signed_cert_timestamps |
| 145 self.ocsp_response = ocsp_response |
| 144 | 146 |
| 145 for ca_file in ssl_client_cas: | 147 for ca_file in ssl_client_cas: |
| 146 s = open(ca_file).read() | 148 s = open(ca_file).read() |
| 147 x509 = tlslite.api.X509() | 149 x509 = tlslite.api.X509() |
| 148 x509.parse(s) | 150 x509.parse(s) |
| 149 self.ssl_client_cas.append(x509.subject) | 151 self.ssl_client_cas.append(x509.subject) |
| 150 self.ssl_handshake_settings = tlslite.api.HandshakeSettings() | 152 self.ssl_handshake_settings = tlslite.api.HandshakeSettings() |
| 151 if ssl_bulk_ciphers is not None: | 153 if ssl_bulk_ciphers is not None: |
| 152 self.ssl_handshake_settings.cipherNames = ssl_bulk_ciphers | 154 self.ssl_handshake_settings.cipherNames = ssl_bulk_ciphers |
| 153 | 155 |
| 167 try: | 169 try: |
| 168 self.tlsConnection = tlsConnection | 170 self.tlsConnection = tlsConnection |
| 169 tlsConnection.handshakeServer(certChain=self.cert_chain, | 171 tlsConnection.handshakeServer(certChain=self.cert_chain, |
| 170 privateKey=self.private_key, | 172 privateKey=self.private_key, |
| 171 sessionCache=self.session_cache, | 173 sessionCache=self.session_cache, |
| 172 reqCert=self.ssl_client_auth, | 174 reqCert=self.ssl_client_auth, |
| 173 settings=self.ssl_handshake_settings, | 175 settings=self.ssl_handshake_settings, |
| 174 reqCAs=self.ssl_client_cas, | 176 reqCAs=self.ssl_client_cas, |
| 175 tlsIntolerant=self.tls_intolerant, | 177 tlsIntolerant=self.tls_intolerant, |
| 176 signedCertTimestamps= | 178 signedCertTimestamps= |
| 177 self.signed_cert_timestamps) | 179 self.signed_cert_timestamps, |
| 180 ocspResponse = self.ocsp_response) |
| 178 tlsConnection.ignoreAbruptClose = True | 181 tlsConnection.ignoreAbruptClose = True |
| 179 return True | 182 return True |
| 180 except tlslite.api.TLSAbruptCloseError: | 183 except tlslite.api.TLSAbruptCloseError: |
| 181 # Ignore abrupt close. | 184 # Ignore abrupt close. |
| 182 return True | 185 return True |
| 183 except tlslite.api.TLSError, error: | 186 except tlslite.api.TLSError, error: |
| 184 print "Handshake failure:", str(error) | 187 print "Handshake failure:", str(error) |
| 185 return False | 188 return False |
| 186 | 189 |
| 187 | 190 |
| 1926 ocsp_state = ocsp_state, | 1929 ocsp_state = ocsp_state, |
| 1927 serial = self.options.cert_serial) | 1930 serial = self.options.cert_serial) |
| 1928 | 1931 |
| 1929 self.__ocsp_server.ocsp_response = ocsp_der | 1932 self.__ocsp_server.ocsp_response = ocsp_der |
| 1930 | 1933 |
| 1931 for ca_cert in self.options.ssl_client_ca: | 1934 for ca_cert in self.options.ssl_client_ca: |
| 1932 if not os.path.isfile(ca_cert): | 1935 if not os.path.isfile(ca_cert): |
| 1933 raise testserver_base.OptionError( | 1936 raise testserver_base.OptionError( |
| 1934 'specified trusted client CA file not found: ' + ca_cert + | 1937 'specified trusted client CA file not found: ' + ca_cert + |
| 1935 ' exiting...') | 1938 ' exiting...') |
| 1939 |
| 1940 stapled_ocsp_response = None |
| 1941 if self.__ocsp_server and self.options.staple_ocsp_response: |
| 1942 stapled_ocsp_response = self.__ocsp_server.ocsp_response |
| 1943 |
| 1936 server = HTTPSServer((host, port), TestPageHandler, pem_cert_and_key, | 1944 server = HTTPSServer((host, port), TestPageHandler, pem_cert_and_key, |
| 1937 self.options.ssl_client_auth, | 1945 self.options.ssl_client_auth, |
| 1938 self.options.ssl_client_ca, | 1946 self.options.ssl_client_ca, |
| 1939 self.options.ssl_bulk_cipher, | 1947 self.options.ssl_bulk_cipher, |
| 1940 self.options.record_resume, | 1948 self.options.record_resume, |
| 1941 self.options.tls_intolerant, | 1949 self.options.tls_intolerant, |
| 1942 self.options.signed_cert_timestamps.decode( | 1950 self.options.signed_cert_timestamps_tls_ext.decode( |
| 1943 "base64")) | 1951 "base64"), |
| 1952 stapled_ocsp_response) |
| 1944 print 'HTTPS server started on %s:%d...' % (host, server.server_port) | 1953 print 'HTTPS server started on %s:%d...' % (host, server.server_port) |
| 1945 else: | 1954 else: |
| 1946 server = HTTPServer((host, port), TestPageHandler) | 1955 server = HTTPServer((host, port), TestPageHandler) |
| 1947 print 'HTTP server started on %s:%d...' % (host, server.server_port) | 1956 print 'HTTP server started on %s:%d...' % (host, server.server_port) |
| 1948 | 1957 |
| 1949 server.data_dir = self.__make_data_dir() | 1958 server.data_dir = self.__make_data_dir() |
| 1950 server.file_root_url = self.options.file_root_url | 1959 server.file_root_url = self.options.file_root_url |
| 1951 server_data['port'] = server.server_port | 1960 server_data['port'] = server.server_port |
| 1952 elif self.options.server_type == SERVER_WEBSOCKET: | 1961 elif self.options.server_type == SERVER_WEBSOCKET: |
| 1953 # Launch pywebsocket via WebSocketServer. | 1962 # Launch pywebsocket via WebSocketServer. |
| 2071 help='If non-zero then the generated ' | 2080 help='If non-zero then the generated ' |
| 2072 'certificate will have this serial number') | 2081 'certificate will have this serial number') |
| 2073 self.option_parser.add_option('--tls-intolerant', dest='tls_intolerant', | 2082 self.option_parser.add_option('--tls-intolerant', dest='tls_intolerant', |
| 2074 default='0', type='int', | 2083 default='0', type='int', |
| 2075 help='If nonzero, certain TLS connections ' | 2084 help='If nonzero, certain TLS connections ' |
| 2076 'will be aborted in order to test version ' | 2085 'will be aborted in order to test version ' |
| 2077 'fallback. 1 means all TLS versions will be ' | 2086 'fallback. 1 means all TLS versions will be ' |
| 2078 'aborted. 2 means TLS 1.1 or higher will be ' | 2087 'aborted. 2 means TLS 1.1 or higher will be ' |
| 2079 'aborted. 3 means TLS 1.2 or higher will be ' | 2088 'aborted. 3 means TLS 1.2 or higher will be ' |
| 2080 'aborted.') | 2089 'aborted.') |
| 2081 self.option_parser.add_option('--signed-cert-timestamps', | 2090 self.option_parser.add_option('--signed-cert-timestamps-tls-ext', |
| 2082 dest='signed_cert_timestamps', | 2091 dest='signed_cert_timestamps_tls_ext', |
| 2083 default='', | 2092 default='', |
| 2084 help='Base64 encoded SCT list. If set, ' | 2093 help='Base64 encoded SCT list. If set, ' |
| 2085 'server will respond with a ' | 2094 'server will respond with a ' |
| 2086 'signed_certificate_timestamp TLS extension ' | 2095 'signed_certificate_timestamp TLS extension ' |
| 2087 'whenever the client supports it.') | 2096 'whenever the client supports it.') |
| 2097 self.option_parser.add_option('--staple-ocsp-response', |
| 2098 dest='staple_ocsp_response', |
| 2099 default=False, action='store_true', |
| 2100 help='If set, server will staple the OCSP ' |
| 2101 'response whenever OCSP is on and the client ' |
| 2102 'supports OCSP stapling.') |
| 2088 self.option_parser.add_option('--https-record-resume', | 2103 self.option_parser.add_option('--https-record-resume', |
| 2089 dest='record_resume', const=True, | 2104 dest='record_resume', const=True, |
| 2090 default=False, action='store_const', | 2105 default=False, action='store_const', |
| 2091 help='Record resumption cache events rather ' | 2106 help='Record resumption cache events rather ' |
| 2092 'than resuming as normal. Allows the use of ' | 2107 'than resuming as normal. Allows the use of ' |
| 2093 'the /ssl-session-cache request') | 2108 'the /ssl-session-cache request') |
| 2094 self.option_parser.add_option('--ssl-client-auth', action='store_true', | 2109 self.option_parser.add_option('--ssl-client-auth', action='store_true', |
| 2095 help='Require SSL client auth on every ' | 2110 help='Require SSL client auth on every ' |
| 2096 'connection.') | 2111 'connection.') |
| 2097 self.option_parser.add_option('--ssl-client-ca', action='append', | 2112 self.option_parser.add_option('--ssl-client-ca', action='append', |
| 2109 '"aes128", "3des", "rc4". If omitted, all ' | 2124 '"aes128", "3des", "rc4". If omitted, all ' |
| 2110 'algorithms will be used. This option may ' | 2125 'algorithms will be used. This option may ' |
| 2111 'appear multiple times, indicating ' | 2126 'appear multiple times, indicating ' |
| 2112 'multiple algorithms should be enabled.'); | 2127 'multiple algorithms should be enabled.'); |
| 2113 self.option_parser.add_option('--file-root-url', default='/files/', | 2128 self.option_parser.add_option('--file-root-url', default='/files/', |
| 2114 help='Specify a root URL for files served.') | 2129 help='Specify a root URL for files served.') |
| 2115 | 2130 |
| 2116 | 2131 |
| 2117 if __name__ == '__main__': | 2132 if __name__ == '__main__': |
| 2118 sys.exit(ServerRunner().main()) | 2133 sys.exit(ServerRunner().main()) |
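Review bot: The new keyword argument at NEW line 180, `ocspResponse = self.ocsp_response)`, is styled differently from every sibling argument in the same handshakeServer() call (spaces around `=` in a keyword argument); write it as `ocspResponse=self.ocsp_response)`. The new `ocsp_response` parameter of HTTPSServer.__init__ (NEW line 132) is also undocumented and the class docstring still mentions only https support and client verification, so add a comment next to `self.ocsp_response = ocsp_response` such as `# OCSP response (presumably DER, judging by ocsp_der in ServerRunner) to staple during the handshake; None staples nothing`. In ServerRunner, `stapled_ocsp_response` (NEW lines 1940-1942) stays None when --staple-ocsp-response is given but the OCSP server is not running; that matches the option's help text but silently drops the flag, and a one-line print saying stapling was requested without OCSP would make a test that expects a stapled response easier to diagnose. Both enclosing methods start outside the visible hunks.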