authorJean-Paul Calderone <jean-paul@clusterhq.com>2015-01-19 07:09:27 -0500
committerJean-Paul Calderone <jean-paul@clusterhq.com>2015-01-19 07:09:27 -0500
commit496f40dca9a47c0f1dfe0cd841256485708c8442 (patch)
tree6bce779d81a760ffcbb48bee01cfabf507a98653
parent87e09b0908cddf59e21114e7920f90b174f793c4 (diff)
parent7cf3b47ef61479820e5bf779dea84fc2d09fae07 (diff)
downloadpyopenssl-496f40dca9a47c0f1dfe0cd841256485708c8442.tar.gz
Merge pull request #179 from exarkun/Context.check_privatekey
Fix a regression in Context.check_privatekey which caused it to always succeed.
-rw-r--r--ChangeLog5
-rw-r--r--OpenSSL/SSL.py3
-rw-r--r--OpenSSL/test/test_ssl.py37
-rw-r--r--OpenSSL/test/util.py8
-rwxr-xr-xsetup.py2
5 files changed, 50 insertions, 5 deletions
diff --git a/ChangeLog b/ChangeLog
index 4019c27..482bae4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2014-12-11 Jean-Paul Calderone <exarkun@twistedmatrix.com>
+
+ * OpenSSL/SSL.py: Fixed a regression ``Context.check_privatekey``
+ causing it to always succeed - even if it should fail.
+
2015-01-08 Paul Aurich <paul@darkrain42.org>
* OpenSSL/SSL.py: ``Connection.shutdown`` now propagates errors from the
diff --git a/OpenSSL/SSL.py b/OpenSSL/SSL.py
index b6c8076..2731d64 100644
--- a/OpenSSL/SSL.py
+++ b/OpenSSL/SSL.py
@@ -492,6 +492,9 @@ class Context(object):
:return: None (raises an exception if something's wrong)
"""
+ if not _lib.SSL_CTX_check_private_key(self._context):
+ _raise_current_error()
+
def load_client_ca(self, cafile):
"""
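Review bot: The docstring above the added check still says only `:return: None (raises an exception if something's wrong)`, so callers cannot tell which exception to catch or what condition triggers it. Since the new tests assert `Error` for a mismatched pair, the docstring could say so, for example `:raises Error: if the private key does not match the certificate loaded into this context`. It is also worth stating that the check reflects whatever key and certificate are loaded at call time, so it belongs after both `use_privatekey` and `use_certificate` (or their file variants), as the new tests do. The signature and the start of the docstring for `check_privatekey` are outside this hunk.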
diff --git a/OpenSSL/test/test_ssl.py b/OpenSSL/test/test_ssl.py
index 79010fb..f098327 100644
--- a/OpenSSL/test/test_ssl.py
+++ b/OpenSSL/test/test_ssl.py
@@ -507,6 +507,43 @@ class ContextTests(TestCase, _LoopbackMixin):
ctx.use_certificate_file(pem_filename, long(FILETYPE_PEM))
+ def test_check_privatekey_valid(self):
+ """
+ :py:obj:`Context.check_privatekey` returns :py:obj:`None` if the
+ :py:obj:`Context` instance has been configured to use a matched key and
+ certificate pair.
+ """
+ key = load_privatekey(FILETYPE_PEM, client_key_pem)
+ cert = load_certificate(FILETYPE_PEM, client_cert_pem)
+ context = Context(TLSv1_METHOD)
+ context.use_privatekey(key)
+ context.use_certificate(cert)
+ self.assertIs(None, context.check_privatekey())
+
+
+ def test_check_privatekey_invalid(self):
+ """
+ :py:obj:`Context.check_privatekey` raises :py:obj:`Error` if the
+ :py:obj:`Context` instance has been configured to use a key and
+ certificate pair which don't relate to each other.
+ """
+ key = load_privatekey(FILETYPE_PEM, client_key_pem)
+ cert = load_certificate(FILETYPE_PEM, server_cert_pem)
+ context = Context(TLSv1_METHOD)
+ context.use_privatekey(key)
+ context.use_certificate(cert)
+ self.assertRaises(Error, context.check_privatekey)
+
+
+ def test_check_privatekey_wrong_args(self):
+ """
+ :py:obj:`Context.check_privatekey` raises :py:obj:`TypeError` if called
+ with other than no arguments.
+ """
+ context = Context(TLSv1_METHOD)
+ self.assertRaises(TypeError, context.check_privatekey, object())
+
+
def test_set_app_data_wrong_args(self):
"""
:py:obj:`Context.set_app_data` raises :py:obj:`TypeError` if called with other than
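Review bot: The three new tests cover a matched pair, a mismatched pair and a wrong argument count, but not a context with no key or certificate loaded, or with only one of them. Because the regression was a check that silently passed, that empty case is worth pinning too. A fourth test could be `context = Context(TLSv1_METHOD)` followed by `self.assertRaises(Error, context.check_privatekey)`. OpenSSL is expected to report a failure when no certificate is assigned, but confirm that against the library versions the suite runs on.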
diff --git a/OpenSSL/test/util.py b/OpenSSL/test/util.py
index 21bbdc4..4260eb0 100644
--- a/OpenSSL/test/util.py
+++ b/OpenSSL/test/util.py
@@ -227,7 +227,7 @@ class TestCase(TestCase):
failIfIn = assertNotIn
- def failUnlessIdentical(self, first, second, msg=None):
+ def assertIs(self, first, second, msg=None):
"""
Fail the test if :py:data:`first` is not :py:data:`second`. This is an
obect-identity-equality test, not an object equality
@@ -239,10 +239,10 @@ class TestCase(TestCase):
if first is not second:
raise self.failureException(msg or '%r is not %r' % (first, second))
return first
- assertIdentical = failUnlessIdentical
+ assertIdentical = failUnlessIdentical = assertIs
- def failIfIdentical(self, first, second, msg=None):
+ def assertIsNot(self, first, second, msg=None):
"""
Fail the test if :py:data:`first` is :py:data:`second`. This is an
obect-identity-equality test, not an object equality
@@ -254,7 +254,7 @@ class TestCase(TestCase):
if first is second:
raise self.failureException(msg or '%r is %r' % (first, second))
return first
- assertNotIdentical = failIfIdentical
+ assertNotIdentical = failIfIdentical = assertIsNot
def failUnlessRaises(self, exception, f, *args, **kwargs):
diff --git a/setup.py b/setup.py
index 1450630..65a1b52 100755
--- a/setup.py
+++ b/setup.py
@@ -34,7 +34,7 @@ setup(name='pyOpenSSL', version=__version__,
maintainer_email = 'exarkun@twistedmatrix.com',
url = 'https://github.com/pyca/pyopenssl',
license = 'APL2',
- install_requires=["cryptography>=0.5.4", "six>=1.5.2"],
+ install_requires=["cryptography>=0.7", "six>=1.5.2"],
long_description = """\
High-level wrapper around a subset of the OpenSSL library, includes
* SSL.Connection objects, wrapping the methods of Python's portable