Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(174)

Side by Side Diff: net/tools/testserver/testserver.py

Issue 92443002: Extract Certificate Transparency SCTs from stapled OCSP responses (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@extract_scts
Patch Set: fix format errors Created 7 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
OLDNEW
1 #!/usr/bin/env python 1 #!/usr/bin/env python
2 # Copyright 2013 The Chromium Authors. All rights reserved. 2 # Copyright 2013 The Chromium Authors. All rights reserved.
3 # Use of this source code is governed by a BSD-style license that can be 3 # Use of this source code is governed by a BSD-style license that can be
4 # found in the LICENSE file. 4 # found in the LICENSE file.
5 5
6 """This is a simple HTTP/FTP/TCP/UDP/BASIC_AUTH_PROXY/WEBSOCKET server used for 6 """This is a simple HTTP/FTP/TCP/UDP/BASIC_AUTH_PROXY/WEBSOCKET server used for
7 testing Chrome. 7 testing Chrome.
8 8
9 It supports several test URLs, as specified by the handlers in TestPageHandler. 9 It supports several test URLs, as specified by the handlers in TestPageHandler.
10 By default, it listens on an ephemeral port and sends the port number back to 10 By default, it listens on an ephemeral port and sends the port number back to
(...skipping 118 matching lines...) Expand 10 before | Expand all | Expand 10 after
129 class HTTPSServer(tlslite.api.TLSSocketServerMixIn, 129 class HTTPSServer(tlslite.api.TLSSocketServerMixIn,
130 testserver_base.ClientRestrictingServerMixIn, 130 testserver_base.ClientRestrictingServerMixIn,
131 testserver_base.BrokenPipeHandlerMixIn, 131 testserver_base.BrokenPipeHandlerMixIn,
132 testserver_base.StoppableHTTPServer): 132 testserver_base.StoppableHTTPServer):
133 """This is a specialization of StoppableHTTPServer that add https support and 133 """This is a specialization of StoppableHTTPServer that add https support and
134 client verification.""" 134 client verification."""
135 135
136 def __init__(self, server_address, request_hander_class, pem_cert_and_key, 136 def __init__(self, server_address, request_hander_class, pem_cert_and_key,
137 ssl_client_auth, ssl_client_cas, ssl_bulk_ciphers, 137 ssl_client_auth, ssl_client_cas, ssl_bulk_ciphers,
138 record_resume_info, tls_intolerant, signed_cert_timestamps, 138 record_resume_info, tls_intolerant, signed_cert_timestamps,
139 fallback_scsv_enabled): 139 fallback_scsv_enabled, ocsp_response):
140 self.cert_chain = tlslite.api.X509CertChain().parseChain(pem_cert_and_key) 140 self.cert_chain = tlslite.api.X509CertChain().parseChain(pem_cert_and_key)
141 # Force using only python implementation - otherwise behavior is different 141 # Force using only python implementation - otherwise behavior is different
142 # depending on whether m2crypto Python module is present (error is thrown 142 # depending on whether m2crypto Python module is present (error is thrown
143 # when it is). m2crypto uses a C (based on OpenSSL) implementation under 143 # when it is). m2crypto uses a C (based on OpenSSL) implementation under
144 # the hood. 144 # the hood.
145 self.private_key = tlslite.api.parsePEMKey(pem_cert_and_key, 145 self.private_key = tlslite.api.parsePEMKey(pem_cert_and_key,
146 private=True, 146 private=True,
147 implementations=['python']) 147 implementations=['python'])
148 self.ssl_client_auth = ssl_client_auth 148 self.ssl_client_auth = ssl_client_auth
149 self.ssl_client_cas = [] 149 self.ssl_client_cas = []
150 self.tls_intolerant = tls_intolerant 150 self.tls_intolerant = tls_intolerant
151 self.signed_cert_timestamps = signed_cert_timestamps 151 self.signed_cert_timestamps = signed_cert_timestamps
152 self.fallback_scsv_enabled = fallback_scsv_enabled 152 self.fallback_scsv_enabled = fallback_scsv_enabled
153 self.ocsp_response = ocsp_response
153 154
154 for ca_file in ssl_client_cas: 155 for ca_file in ssl_client_cas:
155 s = open(ca_file).read() 156 s = open(ca_file).read()
156 x509 = tlslite.api.X509() 157 x509 = tlslite.api.X509()
157 x509.parse(s) 158 x509.parse(s)
158 self.ssl_client_cas.append(x509.subject) 159 self.ssl_client_cas.append(x509.subject)
159 self.ssl_handshake_settings = tlslite.api.HandshakeSettings() 160 self.ssl_handshake_settings = tlslite.api.HandshakeSettings()
160 if ssl_bulk_ciphers is not None: 161 if ssl_bulk_ciphers is not None:
161 self.ssl_handshake_settings.cipherNames = ssl_bulk_ciphers 162 self.ssl_handshake_settings.cipherNames = ssl_bulk_ciphers
162 163
(...skipping 14 matching lines...) Expand all
177 self.tlsConnection = tlsConnection 178 self.tlsConnection = tlsConnection
178 tlsConnection.handshakeServer(certChain=self.cert_chain, 179 tlsConnection.handshakeServer(certChain=self.cert_chain,
179 privateKey=self.private_key, 180 privateKey=self.private_key,
180 sessionCache=self.session_cache, 181 sessionCache=self.session_cache,
181 reqCert=self.ssl_client_auth, 182 reqCert=self.ssl_client_auth,
182 settings=self.ssl_handshake_settings, 183 settings=self.ssl_handshake_settings,
183 reqCAs=self.ssl_client_cas, 184 reqCAs=self.ssl_client_cas,
184 tlsIntolerant=self.tls_intolerant, 185 tlsIntolerant=self.tls_intolerant,
185 signedCertTimestamps= 186 signedCertTimestamps=
186 self.signed_cert_timestamps, 187 self.signed_cert_timestamps,
187 fallbackSCSV=self.fallback_scsv_enabled) 188 fallbackSCSV=self.fallback_scsv_enabled,
189 ocspResponse = self.ocsp_response)
188 tlsConnection.ignoreAbruptClose = True 190 tlsConnection.ignoreAbruptClose = True
189 return True 191 return True
190 except tlslite.api.TLSAbruptCloseError: 192 except tlslite.api.TLSAbruptCloseError:
191 # Ignore abrupt close. 193 # Ignore abrupt close.
192 return True 194 return True
193 except tlslite.api.TLSError, error: 195 except tlslite.api.TLSError, error:
194 print "Handshake failure:", str(error) 196 print "Handshake failure:", str(error)
195 return False 197 return False
196 198
197 199
(...skipping 1738 matching lines...) Expand 10 before | Expand all | Expand 10 after
1936 ocsp_state = ocsp_state, 1938 ocsp_state = ocsp_state,
1937 serial = self.options.cert_serial) 1939 serial = self.options.cert_serial)
1938 1940
1939 self.__ocsp_server.ocsp_response = ocsp_der 1941 self.__ocsp_server.ocsp_response = ocsp_der
1940 1942
1941 for ca_cert in self.options.ssl_client_ca: 1943 for ca_cert in self.options.ssl_client_ca:
1942 if not os.path.isfile(ca_cert): 1944 if not os.path.isfile(ca_cert):
1943 raise testserver_base.OptionError( 1945 raise testserver_base.OptionError(
1944 'specified trusted client CA file not found: ' + ca_cert + 1946 'specified trusted client CA file not found: ' + ca_cert +
1945 ' exiting...') 1947 ' exiting...')
1948
1949 stapled_ocsp_response = None
1950 if self.__ocsp_server and self.options.staple_ocsp_response:
1951 stapled_ocsp_response = self.__ocsp_server.ocsp_response
1952
1946 server = HTTPSServer((host, port), TestPageHandler, pem_cert_and_key, 1953 server = HTTPSServer((host, port), TestPageHandler, pem_cert_and_key,
1947 self.options.ssl_client_auth, 1954 self.options.ssl_client_auth,
1948 self.options.ssl_client_ca, 1955 self.options.ssl_client_ca,
1949 self.options.ssl_bulk_cipher, 1956 self.options.ssl_bulk_cipher,
1950 self.options.record_resume, 1957 self.options.record_resume,
1951 self.options.tls_intolerant, 1958 self.options.tls_intolerant,
1952 self.options.signed_cert_timestamps.decode( 1959 self.options.signed_cert_timestamps_tls_ext.decode(
1953 "base64"), 1960 "base64"),
1954 self.options.fallback_scsv) 1961 self.options.fallback_scsv,
1962 stapled_ocsp_response)
1955 print 'HTTPS server started on %s:%d...' % (host, server.server_port) 1963 print 'HTTPS server started on %s:%d...' % (host, server.server_port)
1956 else: 1964 else:
1957 server = HTTPServer((host, port), TestPageHandler) 1965 server = HTTPServer((host, port), TestPageHandler)
1958 print 'HTTP server started on %s:%d...' % (host, server.server_port) 1966 print 'HTTP server started on %s:%d...' % (host, server.server_port)
1959 1967
1960 server.data_dir = self.__make_data_dir() 1968 server.data_dir = self.__make_data_dir()
1961 server.file_root_url = self.options.file_root_url 1969 server.file_root_url = self.options.file_root_url
1962 server_data['port'] = server.server_port 1970 server_data['port'] = server.server_port
1963 elif self.options.server_type == SERVER_WEBSOCKET: 1971 elif self.options.server_type == SERVER_WEBSOCKET:
1964 # Launch pywebsocket via WebSocketServer. 1972 # Launch pywebsocket via WebSocketServer.
(...skipping 117 matching lines...) Expand 10 before | Expand all | Expand 10 after
2082 help='If non-zero then the generated ' 2090 help='If non-zero then the generated '
2083 'certificate will have this serial number') 2091 'certificate will have this serial number')
2084 self.option_parser.add_option('--tls-intolerant', dest='tls_intolerant', 2092 self.option_parser.add_option('--tls-intolerant', dest='tls_intolerant',
2085 default='0', type='int', 2093 default='0', type='int',
2086 help='If nonzero, certain TLS connections ' 2094 help='If nonzero, certain TLS connections '
2087 'will be aborted in order to test version ' 2095 'will be aborted in order to test version '
2088 'fallback. 1 means all TLS versions will be ' 2096 'fallback. 1 means all TLS versions will be '
2089 'aborted. 2 means TLS 1.1 or higher will be ' 2097 'aborted. 2 means TLS 1.1 or higher will be '
2090 'aborted. 3 means TLS 1.2 or higher will be ' 2098 'aborted. 3 means TLS 1.2 or higher will be '
2091 'aborted.') 2099 'aborted.')
2092 self.option_parser.add_option('--signed-cert-timestamps', 2100 self.option_parser.add_option('--signed-cert-timestamps-tls-ext',
2093 dest='signed_cert_timestamps', 2101 dest='signed_cert_timestamps_tls_ext',
2094 default='', 2102 default='',
2095 help='Base64 encoded SCT list. If set, ' 2103 help='Base64 encoded SCT list. If set, '
2096 'server will respond with a ' 2104 'server will respond with a '
2097 'signed_certificate_timestamp TLS extension ' 2105 'signed_certificate_timestamp TLS extension '
2098 'whenever the client supports it.') 2106 'whenever the client supports it.')
2099 self.option_parser.add_option('--fallback-scsv', dest='fallback_scsv', 2107 self.option_parser.add_option('--fallback-scsv', dest='fallback_scsv',
2100 default=False, const=True, 2108 default=False, const=True,
2101 action='store_const', 2109 action='store_const',
2102 help='If given, TLS_FALLBACK_SCSV support ' 2110 help='If given, TLS_FALLBACK_SCSV support '
2103 'will be enabled. This causes the server to ' 2111 'will be enabled. This causes the server to '
2104 'reject fallback connections from compatible ' 2112 'reject fallback connections from compatible '
2105 'clients (e.g. Chrome).') 2113 'clients (e.g. Chrome).')
2114 self.option_parser.add_option('--staple-ocsp-response',
2115 dest='staple_ocsp_response',
2116 default=False, action='store_true',
2117 help='If set, server will staple the OCSP '
2118 'response whenever OCSP is on and the client '
2119 'supports OCSP stapling.')
2106 self.option_parser.add_option('--https-record-resume', 2120 self.option_parser.add_option('--https-record-resume',
2107 dest='record_resume', const=True, 2121 dest='record_resume', const=True,
2108 default=False, action='store_const', 2122 default=False, action='store_const',
2109 help='Record resumption cache events rather ' 2123 help='Record resumption cache events rather '
2110 'than resuming as normal. Allows the use of ' 2124 'than resuming as normal. Allows the use of '
2111 'the /ssl-session-cache request') 2125 'the /ssl-session-cache request')
2112 self.option_parser.add_option('--ssl-client-auth', action='store_true', 2126 self.option_parser.add_option('--ssl-client-auth', action='store_true',
2113 help='Require SSL client auth on every ' 2127 help='Require SSL client auth on every '
2114 'connection.') 2128 'connection.')
2115 self.option_parser.add_option('--ssl-client-ca', action='append', 2129 self.option_parser.add_option('--ssl-client-ca', action='append',
(...skipping 11 matching lines...) Expand all
2127 '"aes128", "3des", "rc4". If omitted, all ' 2141 '"aes128", "3des", "rc4". If omitted, all '
2128 'algorithms will be used. This option may ' 2142 'algorithms will be used. This option may '
2129 'appear multiple times, indicating ' 2143 'appear multiple times, indicating '
2130 'multiple algorithms should be enabled.'); 2144 'multiple algorithms should be enabled.');
2131 self.option_parser.add_option('--file-root-url', default='/files/', 2145 self.option_parser.add_option('--file-root-url', default='/files/',
2132 help='Specify a root URL for files served.') 2146 help='Specify a root URL for files served.')
2133 2147
2134 2148
2135 if __name__ == '__main__': 2149 if __name__ == '__main__':
2136 sys.exit(ServerRunner().main()) 2150 sys.exit(ServerRunner().main())
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698