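def alternative_names(csr, allowed_domains=None, **kwargs):
    """Check known domain alternative names.

    Refuse requests for certificates if the domain does not match the
    list of known suffixes, or network ranges.

    :param csr: certificate signing request whose DNS subjectAltNames
        are inspected
    :param allowed_domains: list of known domain suffixes handed to
        ``utils.check_domains``; ``None`` (the default) is treated as an
        empty list
    :param kwargs: other validator options, accepted and ignored
    :raises v_errors.ValidationError: on the first DNS alternative name
        that ``utils.check_domains`` does not accept
    """
    # Avoid a mutable default argument shared between calls.
    if allowed_domains is None:
        allowed_domains = []
    # Only DNS names are requested; iter_alternative_names is called with
    # its default handling of other SAN types here (blacklist_names passes
    # fail_other_types=False explicitly) -- TODO confirm that default.
    for _, name in utils.iter_alternative_names(csr, ['DNS']):
        if not utils.check_domains(name, allowed_domains):
            raise v_errors.ValidationError(
                "Domain '%s' not allowed (doesn't"
                " match known domains)" % name)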
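def alternative_names_ip(csr, allowed_domains=None, allowed_networks=None,
                         **kwargs):
    """Check known domain and ip alternative names.

    Refuse requests for certificates if the domain does not match the
    list of known suffixes, or network ranges.

    :param csr: certificate signing request whose DNS and IP Address
        subjectAltNames are inspected
    :param allowed_domains: list of known domain suffixes handed to
        ``utils.check_domains``; ``None`` (the default) is treated as an
        empty list
    :param allowed_networks: list of known network ranges handed to
        ``utils.check_networks``; ``None`` (the default) is treated as an
        empty list
    :param kwargs: other validator options, accepted and ignored
    :raises v_errors.ValidationError: on the first DNS name not accepted
        by ``utils.check_domains`` or the first IP address not accepted by
        ``utils.check_networks``
    """
    # Avoid mutable default arguments shared between calls.
    if allowed_domains is None:
        allowed_domains = []
    if allowed_networks is None:
        allowed_networks = []
    # Each alternative name is checked against the list that matches its
    # type; a DNS name is never compared against the network list and an
    # IP address never against the domain list.
    for name_type, name in utils.iter_alternative_names(
            csr, ['DNS', 'IP Address']):
        if name_type == 'DNS':
            if not utils.check_domains(name, allowed_domains):
                raise v_errors.ValidationError(
                    "Domain '%s' not allowed (doesn't"
                    " match known domains)" % name)
        elif name_type == 'IP Address':
            if not utils.check_networks(name, allowed_networks):
                raise v_errors.ValidationError(
                    "IP '%s' not allowed (doesn't"
                    " match known networks)" % name)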
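def blacklist_names(csr, domains=None, **kwargs):
    """Check for blacklisted names in CN and altNames.

    :param csr: certificate signing request whose subject CN and DNS
        subjectAltNames are inspected
    :param domains: list of blacklisted domain suffixes handed to
        ``utils.check_domains``; when empty or ``None`` the check is
        skipped with a warning
    :param kwargs: other validator options, accepted and ignored
    :raises v_errors.ValidationError: when the CN, or any DNS alternative
        name, is accepted by ``utils.check_domains`` against the blacklist
    """
    # An empty blacklist blocks nothing; warn so a misconfigured step is
    # visible rather than silently passing every request.
    if not domains:
        logger.warning("No domains were configured for the blacklist filter, "
                       "consider disabling the step or providing a list")
        return
    # The CN is only consulted when the subject carries one; a CSR without
    # a CN is still checked for blacklisted alternative names below.
    common_names = csr.get_subject().get_entries_by_oid(
        x509_name.OID_commonName)
    if common_names:
        cn = utils.csr_require_cn(csr)
        if utils.check_domains(cn, domains):
            raise v_errors.ValidationError("Domain '%s' not allowed "
                                           "(CN blacklisted)" % cn)
    # Only DNS alternative names are compared against the blacklist; other
    # SAN types (for example IP addresses) are tolerated here because of
    # fail_other_types=False and are not matched against `domains`.
    for _, name in utils.iter_alternative_names(csr, ['DNS'],
                                                fail_other_types=False):
        if utils.check_domains(name, domains):
            raise v_errors.ValidationError("Domain '%s' not allowed "
                                           "(alt blacklisted)" % name)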