Ejemplo n.º 1
0
def common_name(csr, allowed_domains=[], allowed_networks=[], **kwargs):
    """Check the CN entry is a known domain.

    Refuse requests for certificates if they contain multiple CN
    entries, or the domain does not match the list of known suffixes.
    """
    alt_present = any(ext.get_name() == "subjectAltName"
                      for ext in csr.get_extensions())

    CNs = csr.get_subject().get_entries_by_oid(x509_name.OID_commonName)

    if len(CNs) > 1:
        raise v_errors.ValidationError("Too many CNs in the request")

    # rfc2459#section-4.2.1.6 says so
    if len(CNs) == 0 and not alt_present:
        raise v_errors.ValidationError("Alt subjects have to exist if the main"
                                       " subject doesn't")

    if len(CNs) > 0:
        cn = utils.csr_require_cn(csr)
        try:
            # is it an IP rather than domain?
            ip = netaddr.IPAddress(cn)
            if not (utils.check_networks(ip, allowed_networks)):
                raise v_errors.ValidationError(
                    "Address '%s' not allowed (does not match known networks)"
                    % cn)
        except netaddr.AddrFormatError:
            if not (utils.check_domains(cn, allowed_domains)):
                raise v_errors.ValidationError(
                    "Domain '%s' not allowed (does not match known domains)"
                    % cn)
Ejemplo n.º 2
0
def alternative_names(csr, allowed_domains=[], **kwargs):
    """Check known domain alternative names.

    Refuse requests for certificates if the domain does not match
    the list of known suffixes, or network ranges.
    """

    for _, name in utils.iter_alternative_names(csr, ['DNS']):
        if not utils.check_domains(name, allowed_domains):
            raise v_errors.ValidationError("Domain '%s' not allowed (doesn't"
                                           " match known domains)" % name)
Ejemplo n.º 3
0
def blacklist_names(csr, domains=[], **kwargs):
    """Check for blacklisted names in CN and altNames."""

    if not domains:
        logger.warning("No domains were configured for the blacklist filter, "
                       "consider disabling the step or providing a list")
        return

    CNs = csr.get_subject().get_entries_by_oid(x509_name.OID_commonName)
    if len(CNs) > 0:
        cn = utils.csr_require_cn(csr)
        if utils.check_domains(cn, domains):
            raise v_errors.ValidationError("Domain '%s' not allowed "
                                           "(CN blacklisted)" % cn)

    for _, name in utils.iter_alternative_names(csr, ['DNS'],
                                                fail_other_types=False):
        if utils.check_domains(name, domains):
            raise v_errors.ValidationError("Domain '%s' not allowed "
                                           "(alt blacklisted)" % name)
Ejemplo n.º 4
0
def alternative_names_ip(csr, allowed_domains=[], allowed_networks=[],
                         **kwargs):
    """Check known domain and ip alternative names.

    Refuse requests for certificates if the domain does not match
    the list of known suffixes, or network ranges.
    """

    for name_type, name in utils.iter_alternative_names(csr,
                                                        ['DNS', 'IP Address']):
        if name_type == 'DNS' and not utils.check_domains(name,
                                                          allowed_domains):
            raise v_errors.ValidationError("Domain '%s' not allowed (doesn't"
                                           " match known domains)" % name)
        if name_type == 'IP Address':
            if not utils.check_networks(name, allowed_networks):
                raise v_errors.ValidationError("IP '%s' not allowed (doesn't"
                                               " match known networks)" % name)
Ejemplo n.º 5
0
 def test_check_domains_empty(self):
     self.assertTrue(utils.check_domains(
         'example.com', []))
Ejemplo n.º 6
0
 def test_check_domains(self):
     test_domain = "good.example.com"
     test_allowed = [".example.com", ".example.net"]
     self.assertTrue(utils.check_domains(test_domain, test_allowed))
     self.assertFalse(utils.check_domains("bad.example.org", test_allowed))
Ejemplo n.º 7
0
 def test_check_domains_empty(self):
     self.assertTrue(utils.check_domains('example.com', []))
Ejemplo n.º 8
0
 def test_check_domains(self):
     test_domain = 'good.example.com'
     test_allowed = ['.example.com', '.example.net']
     self.assertTrue(utils.check_domains(test_domain, test_allowed))
     self.assertFalse(utils.check_domains('bad.example.org',
                                          test_allowed))