Mercurial > hg
changeset 13249:75d0c38a0bca stable
url: check subjectAltName when verifying ssl certificate
Now it verifies certificate in the same manner as py3k implementation:
http://svn.python.org/view/python/branches/py3k/Lib/ssl.py?view=markup#match_hostname
author | Yuya Nishihara <yuya@tcha.org> |
---|---|
date | Sun, 09 Jan 2011 00:35:36 +0900 |
parents | 00411a4fa1bb |
children | 1a4330e30017 2ef915184ff2 d76115391140 |
files | mercurial/url.py tests/test-url.py |
diffstat | 2 files changed, 29 insertions(+), 5 deletions(-) [+] |
line wrap: on
line diff
--- a/mercurial/url.py Sat Jan 08 21:52:25 2011 +0900 +++ b/mercurial/url.py Sun Jan 09 00:35:36 2011 +0900 @@ -488,13 +488,26 @@ def _verifycert(cert, hostname): '''Verify that cert (in socket.getpeercert() format) matches hostname. - CRLs and subjectAltName are not handled. + CRLs is not handled. Returns error message if any problems are found and None on success. ''' if not cert: return _('no certificate received') dnsname = hostname.lower() + def matchdnsname(certname): + return (certname == dnsname or + '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1]) + + san = cert.get('subjectAltName', []) + if san: + certnames = [value.lower() for key, value in san if key == 'DNS'] + for name in certnames: + if matchdnsname(name): + return None + return _('certificate is for %s') % ', '.join(certnames) + + # subject is only checked when subjectAltName is empty for s in cert.get('subject', []): key, value = s[0] if key == 'commonName': @@ -503,11 +516,10 @@ certname = value.lower().encode('ascii') except UnicodeEncodeError: return _('IDN in certificate not supported') - if (certname == dnsname or - '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1]): + if matchdnsname(certname): return None return _('certificate is for %s') % certname - return _('no commonName found in certificate') + return _('no commonName or subjectAltName found in certificate') if has_https: class BetterHTTPS(httplib.HTTPSConnection):
--- a/tests/test-url.py Sat Jan 08 21:52:25 2011 +0900 +++ b/tests/test-url.py Sun Jan 09 00:35:36 2011 +0900 @@ -25,6 +25,18 @@ check(_verifycert(cert('*.example.com'), 'w.w.example.com'), 'certificate is for *.example.com') +# Test subjectAltName +san_cert = {'subject': ((('commonName', 'example.com'),),), + 'subjectAltName': (('DNS', '*.example.net'), + ('DNS', 'example.net'))} +check(_verifycert(san_cert, 'example.net'), + None) +check(_verifycert(san_cert, 'foo.example.net'), + None) +# subject is only checked when subjectAltName is empty +check(_verifycert(san_cert, 'example.com'), + 'certificate is for *.example.net, example.net') + # Avoid some pitfalls check(_verifycert(cert('*.foo'), 'foo'), 'certificate is for *.foo') @@ -33,7 +45,7 @@ check(_verifycert({'subject': ()}, 'example.com'), - 'no commonName found in certificate') + 'no commonName or subjectAltName found in certificate') check(_verifycert(None, 'example.com'), 'no certificate received')