upstream/mercurial-mirror Commit - r13250:1a4330e3

merge with stable

Mads Kiilerich -

r13250:1a4330e3 default

parent child

mercurial/url.py

0 +21 -5

             def _verifycert(cert, hostname):
                 '''Verify that cert (in socket.getpeercert() format) matches hostname.
-                CRLs and subjectAltName are not handled.
+                CRLs is not handled.
                 Returns error message if any problems are found and None on success.
                 '''
                 if not cert:
                     return _('no certificate received')
                 dnsname = hostname.lower()
+                def matchdnsname(certname):
+                    return (certname == dnsname or
+                            '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])
+                san = cert.get('subjectAltName', [])
+                if san:
+                    certnames = [value.lower() for key, value in san if key == 'DNS']
+                    for name in certnames:
+                        if matchdnsname(name):
+                            return None
+                    return _('certificate is for %s') % ', '.join(certnames)
+                # subject is only checked when subjectAltName is empty
                 for s in cert.get('subject', []):
                     key, value = s[0]
                     if key == 'commonName':
-                        certname = value.lower()
+                        try:
-                        if (certname == dnsname or
+                            # 'subject' entries are unicode
-                            '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1]):
+                            certname = value.lower().encode('ascii')
+                        except UnicodeEncodeError:
+                            return _('IDN in certificate not supported')
+                        if matchdnsname(certname):
                             return None
                         return _('certificate is for %s') % certname
-                return _('no commonName found in certificate')
+                return _('no commonName or subjectAltName found in certificate')
             if has_https:
                 class BetterHTTPS(httplib.HTTPSConnection):

tests/test-url.py

0 +17 -1

@@ -25,6 +25,18 b" check(_verifycert(cert('*.example.com'),"
25	check(_verifycert(cert('*.example.com'), 'w.w.example.com'),	25	check(_verifycert(cert('*.example.com'), 'w.w.example.com'),
26	'certificate is for *.example.com')	26	'certificate is for *.example.com')
27		27
		28	# Test subjectAltName
		29	san_cert = {'subject': ((('commonName', 'example.com'),),),
		30	'subjectAltName': (('DNS', '*.example.net'),
		31	('DNS', 'example.net'))}
		32	check(_verifycert(san_cert, 'example.net'),
		33	None)
		34	check(_verifycert(san_cert, 'foo.example.net'),
		35	None)
		36	# subject is only checked when subjectAltName is empty
		37	check(_verifycert(san_cert, 'example.com'),
		38	'certificate is for *.example.net, example.net')
		39
28	# Avoid some pitfalls	40	# Avoid some pitfalls
29	check(_verifycert(cert('*.foo'), 'foo'),	41	check(_verifycert(cert('*.foo'), 'foo'),
30	'certificate is for *.foo')	42	'certificate is for *.foo')
@@ -33,6 +45,10 b" check(_verifycert(cert('*o'), 'foo'),"
33		45
34	check(_verifycert({'subject': ()},	46	check(_verifycert({'subject': ()},
35	'example.com'),	47	'example.com'),
36	'no commonName found in certificate')	48	'no commonName or subjectAltName found in certificate')
37	check(_verifycert(None, 'example.com'),	49	check(_verifycert(None, 'example.com'),
38	'no certificate received')	50	'no certificate received')
		51
		52	# Unicode (IDN) certname isn't supported
		53	check(_verifycert(cert(u'\u4f8b.jp'), 'example.jp'),
		54	'IDN in certificate not supported')

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages