From 3c6bba5729fa81475dd9e756b800a5e6eda4653b Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 26 Jun 2015 18:43:26 -0500 Subject: handle wildcard DNSNames with IDNA. fixes #2054 --- src/cryptography/hazmat/backends/openssl/x509.py | 15 +++++++++++- tests/test_x509_ext.py | 31 ++++++++++++++++++++++++ 2 files changed, 45 insertions(+), 1 deletion(-) diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py index a03414c8..ce8b89cc 100644 --- a/src/cryptography/hazmat/backends/openssl/x509.py +++ b/src/cryptography/hazmat/backends/openssl/x509.py @@ -82,7 +82,20 @@ def _decode_general_names(backend, gns): def _decode_general_name(backend, gn): if gn.type == backend._lib.GEN_DNS: data = backend._ffi.buffer(gn.d.dNSName.data, gn.d.dNSName.length)[:] - return x509.DNSName(idna.decode(data)) + if data.startswith(b"*."): + # This is a wildcard name. We need to split on period, remove the + # leading wildcard, IDNA decode, then re-add the wildcard + # Wildcard characters should always be left-most (RFC 2595 + # section 2.4). + parts = data.split(b".") + parts.pop(0) + data = u"*." + idna.decode(b".".join(parts)) + else: + # Not a wildcard, decode away. If the string has a * in it anywhere + # invalid this will raise an InvalidCodePoint + data = idna.decode(data) + + return x509.DNSName(data) elif gn.type == backend._lib.GEN_URI: data = backend._ffi.buffer( gn.d.uniformResourceIdentifier.data, diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index cacc0573..6d91ba41 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -1351,6 +1351,37 @@ class TestRSASubjectAlternativeNameExtension(object): dns = san.get_values_for_type(x509.DNSName) assert dns == [u"www.cryptography.io", u"cryptography.io"] + def test_wildcard_dns_name(self, backend): + cert = _load_cert( + os.path.join("x509", "wildcard_san.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + x509.OID_SUBJECT_ALTERNATIVE_NAME + ) + + dns = ext.value.get_values_for_type(x509.DNSName) + assert dns == [ + u'*.langui.sh', + u'langui.sh', + u'*.saseliminator.com', + u'saseliminator.com' + ] + + def test_san_wildcard_idna_dns_name(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "san_wildcard_idna.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + x509.OID_SUBJECT_ALTERNATIVE_NAME + ) + + dns = ext.value.get_values_for_type(x509.DNSName) + assert dns == [u'*.\u043f\u044b\u043a\u0430.cryptography'] + def test_unsupported_other_name(self, backend): cert = _load_cert( os.path.join( -- cgit v1.2.3 From 666252ce9eb00b926437b49f17553097a8f813e9 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 26 Jun 2015 22:31:05 -0500 Subject: do this much more simply --- src/cryptography/hazmat/backends/openssl/x509.py | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py index ce8b89cc..ebda9c98 100644 --- a/src/cryptography/hazmat/backends/openssl/x509.py +++ b/src/cryptography/hazmat/backends/openssl/x509.py @@ -83,13 +83,10 @@ def _decode_general_name(backend, gn): if gn.type == backend._lib.GEN_DNS: data = backend._ffi.buffer(gn.d.dNSName.data, gn.d.dNSName.length)[:] if data.startswith(b"*."): - # This is a wildcard name. We need to split on period, remove the - # leading wildcard, IDNA decode, then re-add the wildcard - # Wildcard characters should always be left-most (RFC 2595 - # section 2.4). - parts = data.split(b".") - parts.pop(0) - data = u"*." + idna.decode(b".".join(parts)) + # This is a wildcard name. We need to remove the leading wildcard, + # IDNA decode, then re-add the wildcard. Wildcard characters should + # always be left-most (RFC 2595 section 2.4). + data = u"*." + idna.decode(data[2:]) else: # Not a wildcard, decode away. If the string has a * in it anywhere # invalid this will raise an InvalidCodePoint -- cgit v1.2.3