Use trustme for test TLS certificate and key

With the current approach TLS certificate and key are hardcoded in
separate files and distributed as part of wheels.
This is unnecessary for end users of the package, also this brings
difficulties while supporting Python 3.13, see:
aio-libs#473

Use trustme for generating TLS certificate and key on the fly, as it is
done in other aio-libs packages.

Initially proposed in:
aio-libs#473 (comment)

Author: rominf

aiosmtpd/tests/certs/__init__.py

@@ -9,7 +9,7 @@
 from contextlib import suppress
 from functools import wraps
 from smtplib import SMTP as SMTPClient
-from typing import Any, Callable, Generator, NamedTuple, Optional, Type, TypeVar
+from typing import Any, Callable, Generator, Iterator, NamedTuple, Optional, Type, TypeVar
 
 import pytest
 from pkg_resources import resource_filename
@@ -26,14 +26,22 @@
     _ProactorBasePipeTransport = None
     HAS_PROACTOR = False
 
+try:
+    import trustme
+
+    # Check if the CA is available in runtime, MacOS on Py3.10 fails somehow
+    trustme.CA()
+
+    TRUSTME: bool = True
+except ImportError:
+    TRUSTME = False
+
 
 __all__ = [
     "controller_data",
     "handler_data",
     "Global",
     "AUTOSTOP_DELAY",
-    "SERVER_CRT",
-    "SERVER_KEY",
 ]
 
 
@@ -73,8 +81,6 @@ def set_addr_from(cls, contr: Controller):
 # If less than 1.0, might cause intermittent error if test system
 # is too busy/overloaded.
 AUTOSTOP_DELAY = 1.5
-SERVER_CRT = resource_filename("aiosmtpd.tests.certs", "server.crt")
-SERVER_KEY = resource_filename("aiosmtpd.tests.certs", "server.key")
 
 # endregion
 
@@ -315,27 +321,52 @@ def client(request: pytest.FixtureRequest) -> Generator[SMTPClient, None, None]:
 
 
 @pytest.fixture
-def ssl_context_server() -> ssl.SSLContext:
+def tls_certificate_authority() -> trustme.CA:
+    if not TRUSTME:
+        pytest.xfail("trustme is not supported")
+    return trustme.CA()
+
+
+@pytest.fixture
+def tls_certificate(tls_certificate_authority: trustme.CA) -> trustme.LeafCert:
+    return tls_certificate_authority.issue_cert(
+        "localhost",
+        "xn--prklad-4va.localhost",
+        "127.0.0.1",
+        "::1",
+    )
+
+
+@pytest.fixture
+def ssl_context_server(tls_certificate: trustme.LeafCert) -> ssl.SSLContext:
     """
     Provides a server-side SSL Context
     """
-    context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
-    context.check_hostname = False
-    context.load_cert_chain(SERVER_CRT, SERVER_KEY)
-    #
-    return context
+    ssl_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+    tls_certificate.configure_cert(ssl_ctx)
+    return ssl_ctx
 
 
 @pytest.fixture
-def ssl_context_client() -> ssl.SSLContext:
+def ssl_context_client(tls_certificate_authority: trustme.CA) -> ssl.SSLContext:
     """
     Provides a client-side SSL Context
     """
-    context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
-    context.check_hostname = False
-    context.load_verify_locations(SERVER_CRT)
-    #
-    return context
+    ssl_ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
+    tls_certificate_authority.configure_trust(ssl_ctx)
+    return ssl_ctx
+
+
+@pytest.fixture
+def tls_cert_pem_path(tls_certificate: trustme.LeafCert) -> Iterator[str]:
+    with tls_certificate.cert_chain_pems[0].tempfile() as cert_pem:
+        yield cert_pem
+
+
+@pytest.fixture
+def tls_key_pem_path(tls_certificate: trustme.LeafCert) -> Iterator[str]:
+    with tls_certificate.private_key_pem.tempfile() as key_pem:
+        yield key_pem
 
 
 # Please keep the scope as "module"; setting it as "function" (the default) somehow

aiosmtpd/tests/certs/server.crt

@@ -21,7 +21,7 @@
 from aiosmtpd.main import main, parseargs
 from aiosmtpd.testing.helpers import catchup_delay
 from aiosmtpd.testing.statuscodes import SMTP_STATUS_CODES as S
-from aiosmtpd.tests.conftest import AUTOSTOP_DELAY, SERVER_CRT, SERVER_KEY
+from aiosmtpd.tests.conftest import AUTOSTOP_DELAY
 
 try:
     import pwd
@@ -199,24 +199,24 @@ def test_debug_3(self):
 
 @pytest.mark.skipif(sys.platform == "darwin", reason="No idea why these are failing")
 class TestMainByWatcher:
-    def test_tls(self, temp_event_loop):
+    def test_tls(self, temp_event_loop, tls_cert_pem_path, tls_key_pem_path):
         with watcher_process(watch_for_tls) as retq:
             temp_event_loop.call_later(AUTOSTOP_DELAY, temp_event_loop.stop)
-            main_n("--tlscert", str(SERVER_CRT), "--tlskey", str(SERVER_KEY))
+            main_n("--tlscert", tls_cert_pem_path, "--tlskey", tls_key_pem_path)
             catchup_delay()
         has_starttls = retq.get()
         assert has_starttls is True
         require_tls = retq.get()
         assert require_tls is True
 
-    def test_tls_noreq(self, temp_event_loop):
+    def test_tls_noreq(self, temp_event_loop, tls_cert_pem_path, tls_key_pem_path):
         with watcher_process(watch_for_tls) as retq:
             temp_event_loop.call_later(AUTOSTOP_DELAY, temp_event_loop.stop)
             main_n(
                 "--tlscert",
-                str(SERVER_CRT),
+                tls_cert_pem_path,
                 "--tlskey",
-                str(SERVER_KEY),
+                tls_key_pem_path,
                 "--no-requiretls",
             )
             catchup_delay()
@@ -225,10 +225,10 @@ def test_tls_noreq(self, temp_event_loop):
         require_tls = retq.get()
         assert require_tls is False
 
-    def test_smtps(self, temp_event_loop):
+    def test_smtps(self, temp_event_loop, tls_cert_pem_path, tls_key_pem_path):
         with watcher_process(watch_for_smtps) as retq:
             temp_event_loop.call_later(AUTOSTOP_DELAY, temp_event_loop.stop)
-            main_n("--smtpscert", str(SERVER_CRT), "--smtpskey", str(SERVER_KEY))
+            main_n("--smtpscert", tls_cert_pem_path, "--smtpskey", tls_key_pem_path)
             catchup_delay()
         has_smtps = retq.get()
         assert has_smtps is True
@@ -335,16 +335,18 @@ def test_norequiretls(self, capsys, mocker):
         assert args.requiretls is False
 
     @pytest.mark.parametrize(
-        ("certfile", "keyfile", "expect"),
+        ("certfile_present", "keyfile_present", "expect"),
         [
-            ("x", "x", "Cert file x not found"),
-            (SERVER_CRT, "x", "Key file x not found"),
-            ("x", SERVER_KEY, "Cert file x not found"),
+            (False, True, "Cert file x not found"),
+            (True, False, "Key file x not found"),
+            (False, True, "Cert file x not found"),
         ],
         ids=["x-x", "cert-x", "x-key"],
     )
     @pytest.mark.parametrize("meth", ["smtps", "tls"])
-    def test_ssl_files_err(self, capsys, mocker, meth, certfile, keyfile, expect):
+    def test_ssl_files_err(self, capsys, mocker, meth, certfile_present, keyfile_present, expect, request):
+        certfile = request.getfixturevalue("tls_cert_pem_path") if certfile_present else "x"
+        keyfile = request.getfixturevalue("tls_key_pem_path") if keyfile_present else "x"
         mocker.patch("aiosmtpd.main.PROGRAM", "smtpd")
         with pytest.raises(SystemExit) as exc:
             parseargs((f"--{meth}cert", certfile, f"--{meth}key", keyfile))

aiosmtpd/tests/certs/server.key

@@ -4,3 +4,4 @@ coverage==7.6.1
 pytest==8.3.4
 pytest-cov==5.0.0
 pytest-mock==3.14.0
+trustme==1.2.1

aiosmtpd/tests/certs/server_alt.crt

@@ -28,6 +28,7 @@ deps =
     pytest-profiling
     pytest-sugar
     py # needed for pytest-sugar as it doesn't declare dependency on it.
+    trustme
     !nocov: coverage>=7.0.1
     !nocov: coverage[toml]
     !nocov: coverage-conditional-plugin