| OLD | NEW |
|---|
| (Empty) |
| 1 """The match_hostname() function from Python 3.2, essential when using SSL.""" | |
| 2 | |
| 3 import re | |
| 4 | |
| 5 __version__ = '3.2.2' | |
| 6 | |
| 7 class CertificateError(ValueError): | |
| 8 pass | |
| 9 | |
| 10 def _dnsname_match(dn, hostname, max_wildcards=1): | |
| 11 """Matching according to RFC 6125, section 6.4.3 | |
| 12 | |
| 13 http://tools.ietf.org/html/rfc6125#section-6.4.3 | |
| 14 """ | |
| 15 pats = [] | |
| 16 if not dn: | |
| 17 return False | |
| 18 | |
| 19 parts = dn.split(r'.') | |
| 20 leftmost = parts[0] | |
| 21 | |
| 22 wildcards = leftmost.count('*') | |
| 23 if wildcards > max_wildcards: | |
| 24 # Issue #17980: avoid denials of service by refusing more | |
| 25 # than one wildcard per fragment. A survery of established | |
| 26 # policy among SSL implementations showed it to be a | |
| 27 # reasonable choice. | |
| 28 raise CertificateError( | |
| 29 "too many wildcards in certificate DNS name: " + repr(dn)) | |
| 30 | |
| 31 # speed up common case w/o wildcards | |
| 32 if not wildcards: | |
| 33 return dn.lower() == hostname.lower() | |
| 34 | |
| 35 # RFC 6125, section 6.4.3, subitem 1. | |
| 36 # The client SHOULD NOT attempt to match a presented identifier in which | |
| 37 # the wildcard character comprises a label other than the left-most label. | |
| 38 if leftmost == '*': | |
| 39 # When '*' is a fragment by itself, it matches a non-empty dotless | |
| 40 # fragment. | |
| 41 pats.append('[^.]+') | |
| 42 elif leftmost.startswith('xn--') or hostname.startswith('xn--'): | |
| 43 # RFC 6125, section 6.4.3, subitem 3. | |
| 44 # The client SHOULD NOT attempt to match a presented identifier | |
| 45 # where the wildcard character is embedded within an A-label or | |
| 46 # U-label of an internationalized domain name. | |
| 47 pats.append(re.escape(leftmost)) | |
| 48 else: | |
| 49 # Otherwise, '*' matches any dotless string, e.g. www* | |
| 50 pats.append(re.escape(leftmost).replace(r'\*', '[^.]*')) | |
| 51 | |
| 52 # add the remaining fragments, ignore any wildcards | |
| 53 for frag in parts[1:]: | |
| 54 pats.append(re.escape(frag)) | |
| 55 | |
| 56 pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE) | |
| 57 return pat.match(hostname) | |
| 58 | |
| 59 | |
| 60 def match_hostname(cert, hostname): | |
| 61 """Verify that *cert* (in decoded format as returned by | |
| 62 SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125 | |
| 63 rules are followed, but IP addresses are not accepted for *hostname*. | |
| 64 | |
| 65 CertificateError is raised on failure. On success, the function | |
| 66 returns nothing. | |
| 67 """ | |
| 68 if not cert: | |
| 69 raise ValueError("empty or no certificate") | |
| 70 dnsnames = [] | |
| 71 san = cert.get('subjectAltName', ()) | |
| 72 for key, value in san: | |
| 73 if key == 'DNS': | |
| 74 if _dnsname_match(value, hostname): | |
| 75 return | |
| 76 dnsnames.append(value) | |
| 77 if not dnsnames: | |
| 78 # The subject is only checked when there is no dNSName entry | |
| 79 # in subjectAltName | |
| 80 for sub in cert.get('subject', ()): | |
| 81 for key, value in sub: | |
| 82 # XXX according to RFC 2818, the most specific Common Name | |
| 83 # must be used. | |
| 84 if key == 'commonName': | |
| 85 if _dnsname_match(value, hostname): | |
| 86 return | |
| 87 dnsnames.append(value) | |
| 88 if len(dnsnames) > 1: | |
| 89 raise CertificateError("hostname %r " | |
| 90 "doesn't match either of %s" | |
| 91 % (hostname, ', '.join(map(repr, dnsnames)))) | |
| 92 elif len(dnsnames) == 1: | |
| 93 raise CertificateError("hostname %r " | |
| 94 "doesn't match %r" | |
| 95 % (hostname, dnsnames[0])) | |
| 96 else: | |
| 97 raise CertificateError("no appropriate commonName or " | |
| 98 "subjectAltName fields were found") | |
| OLD | NEW |
|---|
Chromium Code Reviews
