OLD | NEW |
| (Empty) |
1 """The match_hostname() function from Python 3.2, essential when using SSL.""" | |
2 | |
3 import re | |
4 | |
5 __version__ = '3.2.2' | |
6 | |
7 class CertificateError(ValueError): | |
8 pass | |
9 | |
10 def _dnsname_match(dn, hostname, max_wildcards=1): | |
11 """Matching according to RFC 6125, section 6.4.3 | |
12 | |
13 http://tools.ietf.org/html/rfc6125#section-6.4.3 | |
14 """ | |
15 pats = [] | |
16 if not dn: | |
17 return False | |
18 | |
19 parts = dn.split(r'.') | |
20 leftmost = parts[0] | |
21 | |
22 wildcards = leftmost.count('*') | |
23 if wildcards > max_wildcards: | |
24 # Issue #17980: avoid denials of service by refusing more | |
25 # than one wildcard per fragment. A survery of established | |
26 # policy among SSL implementations showed it to be a | |
27 # reasonable choice. | |
28 raise CertificateError( | |
29 "too many wildcards in certificate DNS name: " + repr(dn)) | |
30 | |
31 # speed up common case w/o wildcards | |
32 if not wildcards: | |
33 return dn.lower() == hostname.lower() | |
34 | |
35 # RFC 6125, section 6.4.3, subitem 1. | |
36 # The client SHOULD NOT attempt to match a presented identifier in which | |
37 # the wildcard character comprises a label other than the left-most label. | |
38 if leftmost == '*': | |
39 # When '*' is a fragment by itself, it matches a non-empty dotless | |
40 # fragment. | |
41 pats.append('[^.]+') | |
42 elif leftmost.startswith('xn--') or hostname.startswith('xn--'): | |
43 # RFC 6125, section 6.4.3, subitem 3. | |
44 # The client SHOULD NOT attempt to match a presented identifier | |
45 # where the wildcard character is embedded within an A-label or | |
46 # U-label of an internationalized domain name. | |
47 pats.append(re.escape(leftmost)) | |
48 else: | |
49 # Otherwise, '*' matches any dotless string, e.g. www* | |
50 pats.append(re.escape(leftmost).replace(r'\*', '[^.]*')) | |
51 | |
52 # add the remaining fragments, ignore any wildcards | |
53 for frag in parts[1:]: | |
54 pats.append(re.escape(frag)) | |
55 | |
56 pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE) | |
57 return pat.match(hostname) | |
58 | |
59 | |
60 def match_hostname(cert, hostname): | |
61 """Verify that *cert* (in decoded format as returned by | |
62 SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125 | |
63 rules are followed, but IP addresses are not accepted for *hostname*. | |
64 | |
65 CertificateError is raised on failure. On success, the function | |
66 returns nothing. | |
67 """ | |
68 if not cert: | |
69 raise ValueError("empty or no certificate") | |
70 dnsnames = [] | |
71 san = cert.get('subjectAltName', ()) | |
72 for key, value in san: | |
73 if key == 'DNS': | |
74 if _dnsname_match(value, hostname): | |
75 return | |
76 dnsnames.append(value) | |
77 if not dnsnames: | |
78 # The subject is only checked when there is no dNSName entry | |
79 # in subjectAltName | |
80 for sub in cert.get('subject', ()): | |
81 for key, value in sub: | |
82 # XXX according to RFC 2818, the most specific Common Name | |
83 # must be used. | |
84 if key == 'commonName': | |
85 if _dnsname_match(value, hostname): | |
86 return | |
87 dnsnames.append(value) | |
88 if len(dnsnames) > 1: | |
89 raise CertificateError("hostname %r " | |
90 "doesn't match either of %s" | |
91 % (hostname, ', '.join(map(repr, dnsnames)))) | |
92 elif len(dnsnames) == 1: | |
93 raise CertificateError("hostname %r " | |
94 "doesn't match %r" | |
95 % (hostname, dnsnames[0])) | |
96 else: | |
97 raise CertificateError("no appropriate commonName or " | |
98 "subjectAltName fields were found") | |
OLD | NEW |