authorAlex Gaynor <alex.gaynor@gmail.com>2015-06-27 00:03:00 -0400
committerAlex Gaynor <alex.gaynor@gmail.com>2015-06-27 00:03:00 -0400
commit7d85341b2143015756d44c278453c285e1518fbf (patch)
tree19618f1923839fe463425b8657cb2327065c4696
parentb7c7b39bd15f552ebb6ea8ae74f4af2b8985b198 (diff)
parent666252ce9eb00b926437b49f17553097a8f813e9 (diff)
Merge pull request #2071 from reaperhulk/wildcard-oh-no
Handle wildcard (`*.`-prefixed) DNSName entries when IDNA-decoding names from certificates.
-rw-r--r--src/cryptography/hazmat/backends/openssl/x509.py12
-rw-r--r--tests/test_x509_ext.py31
2 files changed, 42 insertions, 1 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index a03414c8..ebda9c98 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -82,7 +82,17 @@ def _decode_general_names(backend, gns):
def _decode_general_name(backend, gn):
if gn.type == backend._lib.GEN_DNS:
data = backend._ffi.buffer(gn.d.dNSName.data, gn.d.dNSName.length)[:]
- return x509.DNSName(idna.decode(data))
+ if data.startswith(b"*."):
+ # This is a wildcard name. We need to remove the leading wildcard,
+ # IDNA decode, then re-add the wildcard. Wildcard characters should
+ # always be left-most (RFC 2595 section 2.4).
+ data = u"*." + idna.decode(data[2:])
+ else:
+ # Not a wildcard, decode away. If the string has a * in it anywhere
+ # invalid this will raise an InvalidCodePoint
+ data = idna.decode(data)
+
+ return x509.DNSName(data)
elif gn.type == backend._lib.GEN_URI:
data = backend._ffi.buffer(
gn.d.uniformResourceIdentifier.data,
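Review bot: The wildcard branch at L33 only special-cases a leading `*.` and leaves every other malformed name to whatever `idna.decode` raises, so the comment at L35-36 is the sole statement of the failure contract and it names the class inaccurately (the idna package spells it `InvalidCodepoint`, a subclass of `idna.IDNAError`). Because this runs on attacker-supplied certificates through `cert.extensions`, I would make the contract explicit: wrap both decode calls in a `try`/`except idna.IDNAError` and re-raise `ValueError("Invalid DNSName in certificate: {0!r}".format(data))`, unless `IDNAError` already derives from `ValueError`, in which case a one-line comment stating that is enough. The RFC 2595 §2.4 citation is correct but dated; RFC 6125 §6.4.3 is the current guidance for wildcards in X.509 names and is the better reference for the comment at L30-32. Note also that labels idna disallows but real certificates do contain (underscores, for instance) will still raise from the `else` branch; whether the parser should reject them or surface the raw ASCII is a policy question this change leaves where it was.
```python
if gn.type == backend._lib.GEN_DNS:
    data = backend._ffi.buffer(gn.d.dNSName.data, gn.d.dNSName.length)[:]
    # A wildcard is only valid as the complete left-most label
    # (RFC 6125 section 6.4.3). Strip it before IDNA decoding, since
    # '*' is not a permitted IDNA code point, then restore it.
    if data.startswith(b"*."):
        prefix, rest = u"*.", data[2:]
    else:
        prefix, rest = u"", data
    try:
        decoded = idna.decode(rest)
    except idna.IDNAError:
        # Any other placement of '*', or any disallowed code point, is
        # rejected here. Surface a ValueError so callers handling a
        # malformed, untrusted certificate need not know idna's types.
        raise ValueError("Invalid DNSName in certificate: {0!r}".format(data))
    return x509.DNSName(prefix + decoded)
# … unchanged: GEN_URI and later branches …
```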
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index cacc0573..6d91ba41 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -1351,6 +1351,37 @@ class TestRSASubjectAlternativeNameExtension(object):
dns = san.get_values_for_type(x509.DNSName)
assert dns == [u"www.cryptography.io", u"cryptography.io"]
+ def test_wildcard_dns_name(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "wildcard_san.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ ext = cert.extensions.get_extension_for_oid(
+ x509.OID_SUBJECT_ALTERNATIVE_NAME
+ )
+
+ dns = ext.value.get_values_for_type(x509.DNSName)
+ assert dns == [
+ u'*.langui.sh',
+ u'langui.sh',
+ u'*.saseliminator.com',
+ u'saseliminator.com'
+ ]
+
+ def test_san_wildcard_idna_dns_name(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "custom", "san_wildcard_idna.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ ext = cert.extensions.get_extension_for_oid(
+ x509.OID_SUBJECT_ALTERNATIVE_NAME
+ )
+
+ dns = ext.value.get_values_for_type(x509.DNSName)
+ assert dns == [u'*.\u043f\u044b\u043a\u0430.cryptography']
+
def test_unsupported_other_name(self, backend):
cert = _load_cert(
os.path.join(
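Review bot: Both new tests (L50-66 and L68-79) exercise only names that decode successfully, so the rejection path the backend's comment relies on (a `*` anywhere other than the leading label raising from `idna.decode`) has no coverage; a negative test loading a certificate whose SAN carries a name like `f*o.example.com` or `www.*.example.com` and asserting the raised exception with `pytest.raises` would pin that behaviour against future regressions. The assertion at L61-66 also fixes the relative order of wildcard and bare entries, which documents that SAN order is preserved from the certificate; a one-line comment, `# order must match the certificate's SAN sequence`, would make that intent clear to whoever next touches it. The fixture files `wildcard_san.pem` and `custom/san_wildcard_idna.pem` are not part of this diff, so I could not confirm the expected values against them. `test_unsupported_other_name` at L81 continues past the end of the hunk.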