def common_name(csr, allowed_domains=[], allowed_networks=[], **kwargs):
"""Check the CN entry is a known domain.
Refuse requests for certificates if they contain multiple CN
entries, or the domain does not match the list of known suffixes.
"""
alt_present = any(ext.get_name() == "subjectAltName"
for ext in csr.get_extensions())
CNs = csr.get_subject().get_entries_by_oid(x509_name.OID_commonName)
if len(CNs) > 1:
raise v_errors.ValidationError("Too many CNs in the request")
# rfc2459#section-4.2.1.6 says so
if len(CNs) == 0 and not alt_present:
raise v_errors.ValidationError("Alt subjects have to exist if the main"
" subject doesn't")
if len(CNs) > 0:
cn = utils.csr_require_cn(csr)
try:
# is it an IP rather than domain?
ip = netaddr.IPAddress(cn)
if not (utils.check_networks(ip, allowed_networks)):
raise v_errors.ValidationError(
"Address '%s' not allowed (does not match known networks)"
% cn)
except netaddr.AddrFormatError:
if not (utils.check_domains(cn, allowed_domains)):
raise v_errors.ValidationError(
"Domain '%s' not allowed (does not match known domains)"
% cn)
def alternative_names_ip(csr, allowed_domains=[], allowed_networks=[],
**kwargs):
"""Check known domain and ip alternative names.
Refuse requests for certificates if the domain does not match
the list of known suffixes, or network ranges.
"""
for name_type, name in utils.iter_alternative_names(csr,
['DNS', 'IP Address']):
if name_type == 'DNS' and not utils.check_domains(name,
allowed_domains):
raise v_errors.ValidationError("Domain '%s' not allowed (doesn't"
" match known domains)" % name)
if name_type == 'IP Address':
if not utils.check_networks(name, allowed_networks):
raise v_errors.ValidationError("IP '%s' not allowed (doesn't"
" match known networks)" % name)
def test_check_networks_bad(self):
allowed_networks = ['15/8', '74.125/16']
self.assertFalse(utils.check_networks(
netaddr.IPAddress('12.2.2.2'), allowed_networks))
def test_check_networks_passthrough(self):
good_ip = netaddr.IPAddress("10.2.3.4")
self.assertTrue(utils.check_networks(good_ip, []))
def test_check_networks_good(self):
allowed_networks = ['15/8', '74.125/16']
self.assertTrue(utils.check_networks(
netaddr.IPAddress('74.125.224.64'), allowed_networks))
def test_check_networks(self):
good_ip = netaddr.IPAddress("10.2.3.4")
bad_ip = netaddr.IPAddress("88.2.3.4")
test_allowed = ["10/8"]
self.assertTrue(utils.check_networks(good_ip, test_allowed))
self.assertFalse(utils.check_networks(bad_ip, test_allowed))
def test_check_networks_invalid(self):
with self.assertRaises(TypeError):
utils.check_networks("1.2.3.4", ["10/8"])
def test_check_networks_bad(self):
allowed_networks = ['15/8', '74.125/16']
self.assertFalse(
utils.check_networks(netaddr.IPAddress('12.2.2.2'),
allowed_networks))
def test_check_networks_good(self):
allowed_networks = ['15/8', '74.125/16']
self.assertTrue(
utils.check_networks(netaddr.IPAddress('74.125.224.64'),
allowed_networks))
def test_check_networks_passthrough(self):
good_ip = netaddr.IPAddress('10.2.3.4')
self.assertTrue(utils.check_networks(good_ip, []))
def test_check_networks_invalid(self):
with self.assertRaises(TypeError):
utils.check_networks('1.2.3.4', ['10/8'])
def test_check_networks(self):
good_ip = netaddr.IPAddress('10.2.3.4')
bad_ip = netaddr.IPAddress('88.2.3.4')
test_allowed = ['10/8']
self.assertTrue(utils.check_networks(good_ip, test_allowed))
self.assertFalse(utils.check_networks(bad_ip, test_allowed))
