Example #1
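def match_hostname(cert, hostname):
    """Check that *hostname* is covered by the names carried in *cert*.

    *cert* is read through ``cert.get_subject_alt_name()`` (an iterable of
    ``(key, value)`` pairs, or a falsy value when there is none) and
    ``cert.get_subject().commonName``.

    A *hostname* that parses as an IP address is compared only against
    'IP Address' subjectAltName entries; any other *hostname* is compared
    only against 'DNS' entries.  The subject commonName is consulted only
    when subjectAltName yields no 'DNS' or 'IP Address' entry at all.

    Returns None on a match.  Raises CertificateError otherwise, so the
    result must be consumed by letting the exception propagate, never by
    testing the return value.
    """
    try:
        host_ip = ip_address(hostname)
    except ValueError:
        # Not an IP address (common case)
        host_ip = None

    # Every DNS / IP Address value seen, kept for the error message and to
    # decide whether the commonName fallback below is allowed.
    dnsnames = []
    san = cert.get_subject_alt_name() or ()
    for key, value in san:
        if key == 'DNS':
            if host_ip is None and _dnsname_match(value, hostname):
                return
            dnsnames.append(value)
        elif key == 'IP Address':
            if host_ip is not None and _ipaddress_match(value, host_ip):
                return
            dnsnames.append(value)

    if not dnsnames:
        # The subject is only checked when subjectAltName carried no DNS or
        # IP Address entry.
        # XXX according to RFC 2818, the most specific Common Name must be used.
        # NOTE(review): this fallback also runs when *hostname* is an IP
        # literal, comparing its text against commonName -- confirm intended.
        value = cert.get_subject().commonName
        if value:
            # An absent commonName is skipped: it is neither handed to the
            # matcher nor reported as a candidate name in the error below.
            if _dnsname_match(value, hostname):
                return
            dnsnames.append(value)

    if len(dnsnames) > 1:
        raise CertificateError(
            -1, "hostname %r doesn't match either of %s" %
            (hostname, ', '.join(map(repr, dnsnames))))
    elif len(dnsnames) == 1:
        raise CertificateError(
            -1, "hostname %r doesn't match %r" % (hostname, dnsnames[0]))
    else:
        raise CertificateError(
            -1, "no appropriate commonName or "
            "subjectAltName fields were found")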
Example #2
def match_hostname(cert, hostname):
    """Check that *hostname* is covered by the decoded certificate *cert*.

    *cert* is the dict form returned by SSLSocket.getpeercert().  A
    *hostname* that parses as an IP address is compared only against
    'IP Address' subjectAltName entries; any other value is compared only
    against 'DNS' entries.  commonName attributes of the subject are
    consulted only when subjectAltName holds no 'DNS' or 'IP Address' entry.

    Returns None on success.  Raises ssl.CertificateError when nothing
    matches and ValueError when *cert* is empty or missing, so callers must
    let the exception propagate rather than test the return value.
    """
    if not cert:
        raise ValueError("empty or no certificate, match_hostname needs a "
                         "SSL socket or SSL context with either "
                         "CERT_OPTIONAL or CERT_REQUIRED")

    try:
        host_ip = ipaddress.ip_address(hostname)
    except ValueError:
        # Ordinary DNS-style hostname.
        host_ip = None
    wants_ip = host_ip is not None

    # Names the certificate offered; reported back when nothing matches.
    candidates = []
    for kind, name in cert.get('subjectAltName', ()):
        if kind == 'DNS':
            if not wants_ip and ssl._dnsname_match(name, hostname):
                return
        elif kind == 'IP Address':
            if wants_ip and _ipaddress_match(name, host_ip):
                return
        else:
            # Other subjectAltName kinds take no part in the check.
            continue
        candidates.append(name)

    if not candidates:
        # Subject fallback, reached only without any DNS / IP Address SAN.
        # XXX according to RFC 2818, the most specific Common Name
        # must be used.
        for rdn in cert.get('subject', ()):
            for attr, name in rdn:
                if attr != 'commonName':
                    continue
                if ssl._dnsname_match(name, hostname):
                    return
                candidates.append(name)

    if not candidates:
        raise ssl.CertificateError("no appropriate commonName or "
                                   "subjectAltName fields were found")
    if len(candidates) == 1:
        raise ssl.CertificateError("hostname %r "
                                   "doesn't match %r"
                                   % (hostname, candidates[0]))
    listed = ', '.join(map(repr, candidates))
    raise ssl.CertificateError("hostname %r "
                               "doesn't match either of %s"
                               % (hostname, listed))
Example #3
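def checkhosts(hostsfile):
    """Filter hosts-file lines by what the server at each IP presents.

    *hostsfile* is an iterable of ``bytes`` lines of the form
    ``<ip> <host> [# comment]``.  Each original line is yielded unchanged
    when it is kept.

    Kept:
      * blank and comment-only lines;
      * entries for which ``checkcert(ip, ...)`` returns None -- these
        pass through WITHOUT any certificate check;
      * entries whose name list from ``checkcert`` contains the host or
        matches it through ``ssl._dnsname_match``.

    Dropped:
      * lines with no host field, or whose fields cannot be decoded;
      * entries whose name list is empty or does not cover the host.

    A line that is not ``bytes`` raises instead of being dropped silently,
    so a file opened in text mode cannot empty the result unnoticed.
    """
    def names_cover(names, hostname):
        # Exact membership first, then the DNS-name matcher.
        # NOTE(review): ssl._dnsname_match is a private ssl helper --
        # confirm it exists on the Python versions this must run on.
        return hostname in names or any(
            ssl._dnsname_match(name, hostname) for name in names)

    # One checkcert() result per IP, so each address is probed at most once.
    names_by_ip = {}
    for ln in hostsfile:
        fields = ln.split(b'#')[0].split()
        if not fields:
            # Nothing but whitespace and/or a comment: keep as is.
            yield ln
            continue
        try:
            ip = fields[0].strip().decode('ascii')
            host = fields[1].strip().decode('utf-8')
        except (IndexError, UnicodeDecodeError):
            # invalid line
            continue

        if ip not in names_by_ip:
            # NOTE(review): issuer=None presumably skips any issuer
            # restriction inside checkcert -- confirm against its definition.
            names_by_ip[ip] = checkcert(ip, timeout=10, issuer=None)
        res = names_by_ip[ip]

        if res is None:
            # no SSL available: the entry is kept unverified (fail-open).
            yield ln
        elif res and names_cover(res, host):
            yield ln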
Example #4
def checkhosts(hostsfile):
    """Yield the hosts-file lines that survive a certificate-name check.

    *hostsfile* is iterated line by line; each line is split as
    ``<ip> <host> [# comment]`` on its ``bytes`` form.  Blank and
    comment-only lines are passed through.  Any line whose parsing raises
    is skipped.  For the rest, ``checkcert(ip, timeout=10, issuer=None)``
    is consulted once per IP:

      * None ("no SSL available") keeps the line without any name check;
      * a non-empty result keeps the line only if it contains the host or
        ``ssl._dnsname_match`` accepts one of its entries for the host;
      * anything else drops the line.
    """
    def _covered(names, hostname):
        # Literal membership wins; otherwise try each entry as a pattern.
        if hostname in names:
            return True
        return any(ssl._dnsname_match(candidate, hostname)
                   for candidate in names)

    # checkcert() results keyed by IP so every address is probed once.
    cache = {}
    for raw in hostsfile:
        try:
            tokens = raw.split(b'#')[0].split()
            if not tokens:
                yield raw
                continue
            ip = tokens[0].strip().decode('ascii')
            host = tokens[1].strip().decode('utf-8')
        except Exception:
            # invalid line
            continue

        if ip not in cache:
            cache[ip] = checkcert(ip, timeout=10, issuer=None)
        names = cache[ip]

        # None means no SSL available: such entries are kept unverified.
        if names is None or (names and _covered(names, host)):
            yield raw
Example #5
 def update_event(self, inp=-1):
     """Set output 0 to the result of ssl._dnsname_match on inputs 0 and 1.

     Input 0 is passed as the certificate name (first argument) and
     input 1 as the hostname (second argument).  *inp* is accepted but
     not used here.
     """
     # NOTE(review): ssl._dnsname_match is a private ssl helper -- confirm
     # it exists on the Python versions this must run on.
     cert_name = self.input(0)
     hostname = self.input(1)
     matched = ssl._dnsname_match(cert_name, hostname)
     self.set_output_val(0, matched)