upstream/mercurial-mirror Commit - r13249:75d0c38a

url: check subjectAltName when verifying ssl certificate...

Yuya Nishihara -

r13249:75d0c38a stable

parent child

mercurial/url.py

0 +16 -4

              def _verifycert(cert, hostname):
                  '''Verify that cert (in socket.getpeercert() format) matches hostname.
-                 CRLs and subjectAltName are not handled.
+                 CRLs is not handled.
                  Returns error message if any problems are found and None on success.
                  '''
                  if not cert:
                      return _('no certificate received')
                  dnsname = hostname.lower()
+                 def matchdnsname(certname):
+                     return (certname == dnsname or
+                             '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])
+                 san = cert.get('subjectAltName', [])
+                 if san:
+                     certnames = [value.lower() for key, value in san if key == 'DNS']
+                     for name in certnames:
+                         if matchdnsname(name):
+                             return None
+                     return _('certificate is for %s') % ', '.join(certnames)
+                 # subject is only checked when subjectAltName is empty
                  for s in cert.get('subject', []):
                      key, value = s[0]
                      if key == 'commonName':
                              certname = value.lower().encode('ascii')
                          except UnicodeEncodeError:
                              return _('IDN in certificate not supported')
-                         if (certname == dnsname or
-                             '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1]):
+                         if matchdnsname(certname):
                              return None
                          return _('certificate is for %s') % certname
-                 return _('no commonName found in certificate')
+                 return _('no commonName or subjectAltName found in certificate')
              if has_https:
                  class BetterHTTPS(httplib.HTTPSConnection):

tests/test-url.py

0 +13 -1

              check(_verifycert(cert('*.example.com'), 'w.w.example.com'),
                    'certificate is for *.example.com')
+             # Test subjectAltName
+             san_cert = {'subject': ((('commonName', 'example.com'),),),
+                         'subjectAltName': (('DNS', '*.example.net'),
+                                            ('DNS', 'example.net'))}
+             check(_verifycert(san_cert, 'example.net'),
+                   None)
+             check(_verifycert(san_cert, 'foo.example.net'),
+                   None)
+             # subject is only checked when subjectAltName is empty
+             check(_verifycert(san_cert, 'example.com'),
+                   'certificate is for *.example.net, example.net')
              # Avoid some pitfalls
              check(_verifycert(cert('*.foo'), 'foo'),
                    'certificate is for *.foo')
              check(_verifycert({'subject': ()},
                                'example.com'),
-                   'no commonName found in certificate')
+                   'no commonName or subjectAltName found in certificate')
              check(_verifycert(None, 'example.com'),
                    'no certificate received')

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages