upstream/mercurial-mirror Commit - r13249:75d0c38a

url: check subjectAltName when verifying ssl certificate...

Yuya Nishihara -

r13249:75d0c38a stable

parent child

mercurial/url.py

0 +16 -4

             def _verifycert(cert, hostname):
                 '''Verify that cert (in socket.getpeercert() format) matches hostname.
-                CRLs and subjectAltName are not handled.
+                CRLs is not handled.
                 Returns error message if any problems are found and None on success.
                 '''
                 if not cert:
                     return _('no certificate received')
                 dnsname = hostname.lower()
+                def matchdnsname(certname):
+                    return (certname == dnsname or
+                            '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])
+                san = cert.get('subjectAltName', [])
+                if san:
+                    certnames = [value.lower() for key, value in san if key == 'DNS']
+                    for name in certnames:
+                        if matchdnsname(name):
+                            return None
+                    return _('certificate is for %s') % ', '.join(certnames)
+                # subject is only checked when subjectAltName is empty
                 for s in cert.get('subject', []):
                     key, value = s[0]
                     if key == 'commonName':
                             certname = value.lower().encode('ascii')
                         except UnicodeEncodeError:
                             return _('IDN in certificate not supported')
-                        if (certname == dnsname or
+                        if matchdnsname(certname):
-                            '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1]):
                             return None
                         return _('certificate is for %s') % certname
-                return _('no commonName found in certificate')
+                return _('no commonName or subjectAltName found in certificate')
             if has_https:
                 class BetterHTTPS(httplib.HTTPSConnection):

tests/test-url.py

0 +13 -1

             check(_verifycert(cert('*.example.com'), 'w.w.example.com'),
                   'certificate is for *.example.com')
+            # Test subjectAltName
+            san_cert = {'subject': ((('commonName', 'example.com'),),),
+                        'subjectAltName': (('DNS', '*.example.net'),
+                                           ('DNS', 'example.net'))}
+            check(_verifycert(san_cert, 'example.net'),
+                  None)
+            check(_verifycert(san_cert, 'foo.example.net'),
+                  None)
+            # subject is only checked when subjectAltName is empty
+            check(_verifycert(san_cert, 'example.com'),
+                  'certificate is for *.example.net, example.net')
             # Avoid some pitfalls
             check(_verifycert(cert('*.foo'), 'foo'),
                   'certificate is for *.foo')
             check(_verifycert({'subject': ()},
                               'example.com'),
-                  'no commonName found in certificate')
+                  'no commonName or subjectAltName found in certificate')
             check(_verifycert(None, 'example.com'),
                   'no certificate received')

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages