| author | Alex Gaynor <alex.gaynor@gmail.com> | 2015-07-01 21:47:31 -0400 | 
|---|---|---|
| committer | Alex Gaynor <alex.gaynor@gmail.com> | 2015-07-01 21:47:31 -0400 | 
| commit | ec3cc9bd730b6799424dc3f69b79d490eaa2f07d (patch) | |
| tree | f616a48bd600d4b44e1180b81c1641a24c2693e3 /src | |
| parent | 246fc85526af4d5e48ca827ecb6baa3e8331f77d (diff) | |
| parent | 423768361e3b5ea6a39819d512ca72ce176d151d (diff) | |
Merge pull request #2094 from reaperhulk/nc-the-hard-part-again
name constraints - support leading periods
Diffstat (limited to 'src')
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/x509.py | 10 | 
1 files changed, 7 insertions, 3 deletions
| diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 41258483..c7ca2ad1 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -86,13 +86,17 @@ def _decode_general_name(backend, gn):
             # This is a wildcard name. We need to remove the leading wildcard,
             # IDNA decode, then re-add the wildcard. Wildcard characters should
             # always be left-most (RFC 2595 section 2.4).
-            data = u"*." + idna.decode(data[2:])
+            decoded = u"*." + idna.decode(data[2:])
         else:
             # Not a wildcard, decode away. If the string has a * in it anywhere
             # invalid this will raise an InvalidCodePoint
-            data = idna.decode(data)
+            decoded = idna.decode(data)
+            if data.startswith(b"."):
+                # idna strips leading periods. Name constraints can have that
+                # so we need to re-add it. Sigh.
+                decoded = u"." + decoded

-        return x509.DNSName(data)
+        return x509.DNSName(decoded)
     elif gn.type == backend._lib.GEN_URI:
         data = backend._ffi.buffer(
             gn.d.uniformResourceIdentifier.data, |
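Review bot: The new leading-period branch depends on `idna.decode` silently discarding the empty first label, which the added comment asserts but nothing in this hunk enforces. If the installed idna version rejects or preserves that label instead, a name constraint such as `.example.com` (constructed example) would presumably either fail to parse or come back as `..example.com`. Handling the prefix explicitly, the way the wildcard branch slices `data[2:]`, removes that dependency: an `elif data.startswith(b"."):` branch ahead of the `else`, with `decoded = u"." + idna.decode(data[1:])`. A mis-decoded dNSName constraint changes which subtrees a CA is treated as permitted or excluded for, so a test covering a leading-period name and a bare `.` would be worth adding. `_decode_general_name` starts and continues outside this hunk, so the wildcard check itself is not visible here.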
