Merge browserlikepolicy-secfix-7647: Honor trust roots.

Author: glyph Reviewer: exarkun, hynek Fixes: twisted#7647 twisted.web.client.BrowserLikePolicyForHTTPS now uses the trust root that it is given, rather than always using the system's. git-svn-id: svn://svn.twistedmatrix.com/svn/Twisted/trunk@43662 bbbe8e31-12d6-0310-92fd-ac37d47ddeeb
daodaoliang · Jan 9, 2015 · 2c3f346 · 2c3f346
1 parent ecf9c7f
commit 2c3f346
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 2 deletions.
diff --git a/twisted/web/client.py b/twisted/web/client.py
@@ -873,7 +873,8 @@ def creatorForNetloc(self, hostname, port):
         @rtype: L{client connection creator
             <twisted.internet.interfaces.IOpenSSLClientConnectionCreator>}
         """
-        return optionsForClientTLS(hostname.decode("ascii"))
+        return optionsForClientTLS(hostname.decode("ascii"),
+                                   trustRoot=self._trustRoot)
 
 
 

diff --git a/twisted/web/test/test_agent.py b/twisted/web/test/test_agent.py
@@ -50,7 +50,7 @@
 except ImportError:
     ssl = None
 else:
-    from twisted.internet._sslverify import ClientTLSOptions
+    from twisted.internet._sslverify import ClientTLSOptions, IOpenSSLTrustRoot
 
 
 
@@ -1315,6 +1315,27 @@ def warnMe():
         )
 
 
+    def test_alternateTrustRoot(self):
+        """
+        L{BrowserLikePolicyForHTTPS.creatorForNetloc} returns an
+        L{IOpenSSLClientConnectionCreator} provider which will add certificates
+        from the given trust root.
+        """
+        @implementer(IOpenSSLTrustRoot)
+        class CustomOpenSSLTrustRoot(object):
+            called = False
+            context = None
+            def _addCACertsToContext(self, context):
+                self.called = True
+                self.context = context
+        trustRoot = CustomOpenSSLTrustRoot()
+        policy = BrowserLikePolicyForHTTPS(trustRoot=trustRoot)
+        creator = policy.creatorForNetloc(b"thingy", 4321)
+        self.assertTrue(trustRoot.called)
+        connection = creator.clientConnectionForTLS(None)
+        self.assertIs(trustRoot.context, connection.get_context())
+
+
 
 class WebClientContextFactoryTests(TestCase):
     """

diff --git a/twisted/web/topfiles/7647.bugfix b/twisted/web/topfiles/7647.bugfix
@@ -0,0 +1,2 @@
+twisted.web.client.BrowserLikePolicyForHTTPS now uses the trust root that it is given, rather than always using the system's.
+
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		twisted.web.client.BrowserLikePolicyForHTTPS now uses the trust root that it is given, rather than always using the system's.