extmod/modssl_mbedtls: Add SSLContext certificate methods.

This commit adds: 1) Methods to SSLContext class that match CPython signature: - `SSLContext.load_cert_chain(certfile, keyfile)` - `SSLContext.load_verify_locations(cafile=, cadata=)` - `SSLContext.get_ciphers()` --> ["CIPHERSUITE"] - `SSLContext.set_ciphers(["CIPHERSUITE"])` 2) `sslsocket.cipher()` to get current ciphersuite and protocol version. 3) `ssl.MBEDTLS_VERSION` string constant. 4) Certificate verification errors info instead of `MBEDTLS_ERR_X509_CERT_VERIFY_FAILED`. 5) Tests in `net_inet` and `multi_net` to test these new methods. `SSLContext.load_cert_chain` method allows loading key and cert from disk passing a filepath in `certfile` or `keyfile` options. `SSLContext.load_verify_locations`'s `cafile` option enables the same functionality for ca files. Signed-off-by: Carlos Gil <carlosgilglez@gmail.com>
2023-06-27 03:00:00 +01:00
parent 4365edb810
commit f3f215e9bd
25 changed files with 722 additions and 113 deletions
--- a/tests/multi_net/sslcontext_verify_time_error.py
+++ b/tests/multi_net/sslcontext_verify_time_error.py
@@ -0,0 +1,58 @@
+# Test creating an SSL connection with an expired certificate.
+
+try:
+    import os
+    import socket
+    import ssl
+except ImportError:
+    print("SKIP")
+    raise SystemExit
+
+PORT = 8000
+
+# These are test certificates. See tests/README.md for details.
+cert = cafile = "multi_net/expired_cert.der"
+key = "multi_net/rsa_key.der"
+
+try:
+    os.stat(cafile)
+    os.stat(key)
+except OSError:
+    print("SKIP")
+    raise SystemExit
+
+
+# Server
+def instance0():
+    multitest.globals(IP=multitest.get_network_ip())
+    s = socket.socket()
+    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+    s.bind(socket.getaddrinfo("0.0.0.0", PORT)[0][-1])
+    s.listen(1)
+    multitest.next()
+    s2, _ = s.accept()
+    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+    server_ctx.load_cert_chain(cert, key)
+    try:
+        s2 = server_ctx.wrap_socket(s2, server_side=True)
+    except Exception as e:
+        print(e)
+    multitest.broadcast("finished")
+    s.close()
+
+
+# Client
+def instance1():
+    multitest.next()
+    s = socket.socket()
+    s.connect(socket.getaddrinfo(IP, PORT)[0][-1])
+    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+    client_ctx.verify_mode = ssl.CERT_REQUIRED
+    client_ctx.load_verify_locations(cafile=cafile)
+    try:
+        s = client_ctx.wrap_socket(s, server_hostname="micropython.local")
+    except Exception as e:
+        print(e)
+    # Don't close the socket until the server has seen our SSL rejection.
+    multitest.wait("finished")
+    s.close()