| From 73fbd1e646f6bbf202d4418bae80eb9941fbf552 Mon Sep 17 00:00:00 2001 |
| From: Casey Deccio <casey@deccio.net> |
| Date: Fri, 8 Jan 2021 12:43:09 -0700 |
| Subject: [PATCH] Allow verify_cb_* to be called with ok=True |
| |
| With https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58 |
| OpenSSL allowed verificaton to continue on UNABLE_TO_VERIFY_LEAF_SIGNATURE |
| --- |
| tests/test_ssl.py | 14 ++++++++++++-- |
| 1 file changed, 12 insertions(+), 2 deletions(-) |
| |
| diff --git a/tests/test_ssl.py b/tests/test_ssl.py |
| index 92b6942..7a3271a 100644 |
| --- a/tests/test_ssl.py |
| +++ b/tests/test_ssl.py |
| @@ -59,8 +59,13 @@ def allocate_srv_port(): |
| |
| |
| def verify_cb_new_function(ok, store): |
| - assert not ok |
| err = store.get_error() |
| + # If err is X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, then instead of |
| + # aborting, this callback is called to retrieve additional error |
| + # information. In this case, ok might not be False. |
| + # See https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58 |
| + if err != m2.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: |
| + assert not ok |
| assert err in [m2.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, |
| m2.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, |
| m2.X509_V_ERR_CERT_UNTRUSTED, |
| @@ -618,7 +623,12 @@ class MiscSSLClientTestCase(BaseSSLClientTestCase): |
| |
| def verify_cb_old(self, ctx_ptr, x509_ptr, err, depth, ok): |
| try: |
| - self.assertFalse(ok) |
| + # If err is X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, then instead of |
| + # aborting, this callback is called to retrieve additional error |
| + # information. In this case, ok might not be False. |
| + # See https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58 |
| + if err != m2.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: |
| + self.assertFalse(ok) |
| self.assertIn(err, |
| [m2.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, |
| m2.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, |
| -- |
| 2.29.2 |
| |