mirror of
				https://github.com/python/cpython.git
				synced 2025-11-04 07:31:38 +00:00 
			
		
		
		
	Issue #13034: When decoding some SSL certificates, the subjectAltName extension could be unreported.
		
						commit
						a02a12c517
					
				
					 4 changed files with 61 additions and 1 deletions
				
			
		
							
								
								
									
										31
									
								
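--- a/Lib/test/nokia.pem
+++ b/Lib/test/nokia.pem
@@ -0,0 +1,31 @@
+# Certificate for projects.developer.nokia.com:443 (see issue 13034)
+-----BEGIN CERTIFICATE-----
+MIIFLDCCBBSgAwIBAgIQLubqdkCgdc7lAF9NfHlUmjANBgkqhkiG9w0BAQUFADCB
+vDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
+ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
+YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDE2MDQGA1UEAxMt
+VmVyaVNpZ24gQ2xhc3MgMyBJbnRlcm5hdGlvbmFsIFNlcnZlciBDQSAtIEczMB4X
+DTExMDkyMTAwMDAwMFoXDTEyMDkyMDIzNTk1OVowcTELMAkGA1UEBhMCRkkxDjAM
+BgNVBAgTBUVzcG9vMQ4wDAYDVQQHFAVFc3BvbzEOMAwGA1UEChQFTm9raWExCzAJ
+BgNVBAsUAkJJMSUwIwYDVQQDFBxwcm9qZWN0cy5kZXZlbG9wZXIubm9raWEuY29t
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCr92w1bpHYSYxUEx8N/8Iddda2
+lYi+aXNtQfV/l2Fw9Ykv3Ipw4nLeGTj18FFlAZgMdPRlgrzF/NNXGw/9l3/qKdow
+CypkQf8lLaxb9Ze1E/KKmkRJa48QTOqvo6GqKuTI6HCeGlG1RxDb8YSKcQWLiytn
+yj3Wp4MgRQO266xmMQIDAQABo4IB9jCCAfIwQQYDVR0RBDowOIIccHJvamVjdHMu
+ZGV2ZWxvcGVyLm5va2lhLmNvbYIYcHJvamVjdHMuZm9ydW0ubm9raWEuY29tMAkG
+A1UdEwQCMAAwCwYDVR0PBAQDAgWgMEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9T
+VlJJbnRsLUczLWNybC52ZXJpc2lnbi5jb20vU1ZSSW50bEczLmNybDBEBgNVHSAE
+PTA7MDkGC2CGSAGG+EUBBxcDMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZl
+cmlzaWduLmNvbS9ycGEwKAYDVR0lBCEwHwYJYIZIAYb4QgQBBggrBgEFBQcDAQYI
+KwYBBQUHAwIwcgYIKwYBBQUHAQEEZjBkMCQGCCsGAQUFBzABhhhodHRwOi8vb2Nz
+cC52ZXJpc2lnbi5jb20wPAYIKwYBBQUHMAKGMGh0dHA6Ly9TVlJJbnRsLUczLWFp
+YS52ZXJpc2lnbi5jb20vU1ZSSW50bEczLmNlcjBuBggrBgEFBQcBDARiMGChXqBc
+MFowWDBWFglpbWFnZS9naWYwITAfMAcGBSsOAwIaBBRLa7kolgYMu9BSOJsprEsH
+iyEFGDAmFiRodHRwOi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvMS5naWYwDQYJ
+KoZIhvcNAQEFBQADggEBACQuPyIJqXwUyFRWw9x5yDXgMW4zYFopQYOw/ItRY522
+O5BsySTh56BWS6mQB07XVfxmYUGAvRQDA5QHpmY8jIlNwSmN3s8RKo+fAtiNRlcL
+x/mWSfuMs3D/S6ev3D6+dpEMZtjrhOdctsarMKp8n/hPbwhAbg5hVjpkW5n8vz2y
+0KxvvkA1AxpLwpVv7OlK17ttzIHw8bp9HTlHBU5s8bKz4a565V/a5HI0CSEv/+0y
+ko4/ghTnZc1CkmUngKKeFMSah/mT/xAh8XnE2l1AazFa8UKuYki1e+ArHaGZc4ix
+UYOtiRphwfuYQhRZ7qX9q2MMkCMI65XNK/SaFrAbbG0=
+-----END CERTIFICATE-----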
| 
						 | 
					@ -54,6 +54,7 @@
 | 
				
			||||||
BADCERT = data_file("badcert.pem")
 | 
					BADCERT = data_file("badcert.pem")
 | 
				
			||||||
WRONGCERT = data_file("XXXnonexisting.pem")
 | 
					WRONGCERT = data_file("XXXnonexisting.pem")
 | 
				
			||||||
BADKEY = data_file("badkey.pem")
 | 
					BADKEY = data_file("badkey.pem")
 | 
				
			||||||
 | 
					NOKIACERT = data_file("nokia.pem")
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					
 | 
				
			||||||
def handle_error(prefix):
 | 
					def handle_error(prefix):
 | 
				
			||||||
| 
						 | 
					@ -130,6 +131,31 @@ def test_parse_cert(self):
 | 
				
			||||||
        p = ssl._ssl._test_decode_cert(CERTFILE)
 | 
					        p = ssl._ssl._test_decode_cert(CERTFILE)
 | 
				
			||||||
        if support.verbose:
 | 
					        if support.verbose:
 | 
				
			||||||
            sys.stdout.write("\n" + pprint.pformat(p) + "\n")
 | 
					            sys.stdout.write("\n" + pprint.pformat(p) + "\n")
 | 
				
			||||||
 | 
					        self.assertEqual(p['issuer'],
 | 
				
			||||||
 | 
					                         ((('countryName', 'XY'),),
 | 
				
			||||||
 | 
					                          (('localityName', 'Castle Anthrax'),),
 | 
				
			||||||
 | 
					                          (('organizationName', 'Python Software Foundation'),),
 | 
				
			||||||
 | 
					                          (('commonName', 'localhost'),))
 | 
				
			||||||
 | 
					                        )
 | 
				
			||||||
 | 
					        self.assertEqual(p['notAfter'], 'Oct  5 23:01:56 2020 GMT')
 | 
				
			||||||
 | 
					        self.assertEqual(p['notBefore'], 'Oct  8 23:01:56 2010 GMT')
 | 
				
			||||||
 | 
					        self.assertEqual(p['serialNumber'], 'D7C7381919AFC24E')
 | 
				
			||||||
 | 
					        self.assertEqual(p['subject'],
 | 
				
			||||||
 | 
					                         ((('countryName', 'XY'),),
 | 
				
			||||||
 | 
					                          (('localityName', 'Castle Anthrax'),),
 | 
				
			||||||
 | 
					                          (('organizationName', 'Python Software Foundation'),),
 | 
				
			||||||
 | 
					                          (('commonName', 'localhost'),))
 | 
				
			||||||
 | 
					                        )
 | 
				
			||||||
 | 
					        self.assertEqual(p['subjectAltName'], (('DNS', 'localhost'),))
 | 
				
			||||||
 | 
					        # Issue #13034: the subjectAltName in some certificates
 | 
				
			||||||
 | 
					        # (notably projects.developer.nokia.com:443) wasn't parsed
 | 
				
			||||||
 | 
					        p = ssl._ssl._test_decode_cert(NOKIACERT)
 | 
				
			||||||
 | 
					        if support.verbose:
 | 
				
			||||||
 | 
					            sys.stdout.write("\n" + pprint.pformat(p) + "\n")
 | 
				
			||||||
 | 
					        self.assertEqual(p['subjectAltName'],
 | 
				
			||||||
 | 
					                         (('DNS', 'projects.developer.nokia.com'),
 | 
				
			||||||
 | 
					                          ('DNS', 'projects.forum.nokia.com'))
 | 
				
			||||||
 | 
					                        )
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    def test_DER_to_PEM(self):
 | 
					    def test_DER_to_PEM(self):
 | 
				
			||||||
        with open(SVN_PYTHON_ORG_ROOT_CERT, 'r') as f:
 | 
					        with open(SVN_PYTHON_ORG_ROOT_CERT, 'r') as f:
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
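Review bot: The Issue #13034 regression check is appended to the tail of `test_parse_cert` and rebinds `p`, so a failure in any of the `CERTFILE` assertions added above it ends the method before `NOKIACERT` is ever decoded, and the subjectAltName regression is then not reported on its own. I would move the `NOKIACERT` decode and its `self.assertEqual(p['subjectAltName'], ...)` into a separate test method (for example `test_parse_cert_alt_names`, a constructed name) so the two certificates pass or fail independently. The existing comment says the extension "wasn't parsed" but not which property of this certificate triggers it; a short phrase naming that property would help whoever has to replace the fixture later. Only the end of `test_parse_cert` is visible here; its start is outside the hunk.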
| 
						 | 
					@ -294,6 +294,9 @@ Core and Builtins
 | 
				
			||||||
Library
 | 
					Library
 | 
				
			||||||
-------
 | 
					-------
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					- Issue #13034: When decoding some SSL certificates, the subjectAltName
 | 
				
			||||||
 | 
					  extension could be unreported.
 | 
				
			||||||
 | 
					
 | 
				
			||||||
- Issue #9871: Prevent IDLE 3 crash when given byte stings
 | 
					- Issue #9871: Prevent IDLE 3 crash when given byte stings
 | 
				
			||||||
  with invalid hex escape sequences, like b'\x0'.
 | 
					  with invalid hex escape sequences, like b'\x0'.
 | 
				
			||||||
  (Original patch by Claudiu Popa.)
 | 
					  (Original patch by Claudiu Popa.)
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -595,7 +595,7 @@ _get_peer_alt_names (X509 *certificate) {
 | 
				
			||||||
    /* get a memory buffer */
 | 
					    /* get a memory buffer */
 | 
				
			||||||
    biobuf = BIO_new(BIO_s_mem());
 | 
					    biobuf = BIO_new(BIO_s_mem());
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    i = 0;
 | 
					    i = -1;
 | 
				
			||||||
    while ((i = X509_get_ext_by_NID(
 | 
					    while ((i = X509_get_ext_by_NID(
 | 
				
			||||||
                    certificate, NID_subject_alt_name, i)) >= 0) {
 | 
					                    certificate, NID_subject_alt_name, i)) >= 0) {
 | 
				
			||||||
 | 
					
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
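Review bot: The new start value `i = -1;` is the entire fix and has no comment explaining it. `X509_get_ext_by_NID()` resumes its search after the position it is given, so the old `i = 0` skipped a subjectAltName extension stored at index 0. I would add `/* -1, not 0: X509_get_ext_by_NID() searches from lastpos + 1, so 0 would skip an extension at index 0 */` above the assignment, so the value is not changed back to 0 during later cleanup. Callers that compare a hostname against the decoded `subjectAltName` presumably saw no entries for such certificates, which is a reason to pin the invariant in the code as well as in the test. `_get_peer_alt_names` starts and ends outside the hunk.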