def test_dns(self): """ Returns the correct DNSPattern from a certificate. """ rv = extract_ids(CERT_DNS_ONLY) assert [ DNSPattern(b"www.twistedmatrix.com"), DNSPattern(b"twistedmatrix.com"), ] == rv
def test_ip(self): """ Returns IP patterns. """ rv = extract_ids(CERT_EVERYTHING) assert [ DNSPattern(pattern=b"service.identity.invalid"), DNSPattern(pattern=b"*.wildcard.service.identity.invalid"), DNSPattern(pattern=b"service.identity.invalid"), DNSPattern(pattern=b"single.service.identity.invalid"), IPAddressPattern(pattern=ipaddress.IPv4Address(u"1.1.1.1")), IPAddressPattern(pattern=ipaddress.IPv6Address(u"::1")), IPAddressPattern(pattern=ipaddress.IPv4Address(u"2.2.2.2")), IPAddressPattern(pattern=ipaddress.IPv6Address(u"2a00:1c38::53")), ] == rv
def test_invalid_wildcard(self): """ Integration test with _validate_pattern: catches double wildcards thus is used if an wildward is present. """ with pytest.raises(CertificateError): DNSPattern(b"*.foo.*")
def test_cn_ids_are_used_as_fallback(self): """ CNs are returned as DNSPattern if no other IDs are present and a warning is raised. """ with pytest.warns(SubjectAltNameWarning): rv = extract_ids(X509_CN_ONLY) assert [DNSPattern(b"www.microsoft.com")] == rv
def test_dns_id_success(self): """ Return pairs of certificate ids and service ids on matches. """ rv = verify_service_identity(DNS_IDS, [DNS_ID(u"twistedmatrix.com")], []) assert [ ServiceMatch(cert_pattern=DNSPattern(b"twistedmatrix.com"), service_id=DNS_ID(u"twistedmatrix.com"),), ] == rv
def test_optional_missing(self): """ Optional IDs may miss as long as they don't conflict with an existing pattern. """ p = DNSPattern(b"mail.foo.com") i = DNS_ID(u"mail.foo.com") rv = verify_service_identity([p], obligatory_ids=[i], optional_ids=[SRV_ID(u"_mail.foo.com")]) assert [ServiceMatch(cert_pattern=p, service_id=i)] == rv
def test_obligatory_mismatch(self): """ Raise if one of the obligatory IDs doesn't match. """ i = DNS_ID(u"example.net") with pytest.raises(VerificationError) as e: verify_service_identity( [SRVPattern(b"_mail.example.net"), DNSPattern(b"example.com")], obligatory_ids=[SRV_ID(u"_mail.example.net"), i], optional_ids=[], ) assert [DNSMismatch(mismatched_id=i)] == e.value.errors
def test_contains_optional_and_matches(self): """ If an optional ID is found, return the match within the returned list and don't raise an error. """ p = SRVPattern(b"_mail.example.net") i = SRV_ID(u"_mail.example.net") rv = verify_service_identity( [DNSPattern(b"example.net"), p], obligatory_ids=[DNS_ID(u"example.net")], optional_ids=[i], ) assert ServiceMatch(cert_pattern=p, service_id=i) == rv[1]
def test_optional_mismatch(self): """ Raise VerificationError if an ID from optional_ids does not match a pattern of respective type even if obligatory IDs match. """ i = SRV_ID(u"_xmpp.example.com") with pytest.raises(VerificationError) as e: verify_service_identity( [DNSPattern(b"example.net"), SRVPattern(b"_mail.example.com")], obligatory_ids=[DNS_ID(u"example.net")], optional_ids=[i], ) assert [SRVMismatch(mismatched_id=i)] == e.value.errors
def test_cn_ids_are_used_as_fallback(self): """ CNs are returned as DNSPattern if no other IDs are present and a warning is raised. """ with pytest.warns(SubjectAltNameWarning) as ws: rv = extract_ids(CERT_CN_ONLY) msg = ws[0].message.args[0] assert [DNSPattern(b"www.microsoft.com")] == rv assert msg.startswith( "Certificate with CN 'www.microsoft.com' has no `subjectAltName`") assert msg.endswith( "service-identity will remove the support for it in mid-2018.")
def match(self, value): # This is somewhat terrible. Probably can be better after # pyca/service_identity#14 is resolved. target_ids = [ DNSPattern(target_name.encode('utf-8')) for target_name in (value.extensions.get_extension_for_oid( ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value. get_values_for_type(x509.DNSName)) ] ids = [DNS_ID(self.name)] try: verify_service_identity(cert_patterns=target_ids, obligatory_ids=ids, optional_ids=[]) except VerificationError: return Mismatch('{!r} is not valid for {!r}'.format( value, self.name))
def test_simple_mismatch(self): """ Simple integration test with _hostname_matches with a mismatch. """ assert not DNS_ID(u"foo.com").verify(DNSPattern(b"bar.com"))
def verifyHostname(connection, hostname): if _is_ip_address(hostname): hostname_id = IPADDRESS_ID(hostname) else: hostname_id = DNS_ID(hostname) cert = connection.get_peer_certificate() ids = [] # Basically the same as service_identity.pyopenssl.extract_ids, but with # subjectAltName support for iPAddress IDs and IP Addresses stuck in dNSName ids for i in range(cert.get_extension_count()): ext = cert.get_extension(i) if ext.get_short_name() == b"subjectAltName": names, _ = decode(ext.get_data(), asn1Spec=GeneralNames()) for n in names: name_string = n.getName() if name_string == "iPAddress": ids.append(IPADDRESSPattern(n.getComponent().asOctets())) elif name_string == "dNSName" and _is_ip_address( n.getComponent().asOctets().strip()): # If an IP Address is passed as a dNSName, it will # cause service_identity to throw an exception, as # it doesn't consider this valid. From reading the # RFCs, i think it's a gray area, so i'm going to # allow it, since we've seen it happen with a customer. try: ip_string = n.getComponent().asOctets().strip() if ":" in ip_string: value = inet_pton(AF_INET6, ip_string) else: value = inet_pton(AF_INET, ip_string) ids.append(IPADDRESSPattern(value)) except CertificateError as e: log.warning( "Ignoring invalid dNSName record in subjectAltName: %s", e) # Normal behavior below: elif name_string == "dNSName": ids.append(DNSPattern(n.getComponent().asOctets())) elif name_string == "uniformResourceIdentifier": ids.append(URIPattern(n.getComponent().asOctets())) elif name_string == "otherName": comp = n.getComponent() oid = comp.getComponentByPosition(0) if oid == ID_ON_DNS_SRV: srv, _ = decode(comp.getComponentByPosition(1)) if isinstance(srv, IA5String): ids.append(SRVPattern(srv.asOctets())) else: # pragma: nocover raise CertificateError( "Unexpected certificate content.") if not ids: # http://tools.ietf.org/search/rfc6125#section-6.4.4 # A client MUST NOT seek a match for a reference identifier of CN-ID if # the presented identifiers include a DNS-ID, SRV-ID, URI-ID, or any # application-specific identifier types supported by the client. warnings.warn( "Certificate has no `subjectAltName`, falling back to check for a " "`commonName` for now. This feature is being removed by major " "browsers and deprecated by RFC 2818.", SubjectAltNameWarning) ids = [ DNSPattern(c[1]) for c in cert.get_subject().get_components() if c[0] == b"CN" ] verify_service_identity( cert_patterns=ids, obligatory_ids=[hostname_id], optional_ids=[], )
def test_catches_ip_address(self): """ IP addresses are invalid and raise a :class:`CertificateError`. """ with pytest.raises(CertificateError): DNSPattern(b"192.168.0.0")
def test_catches_NULL_bytes(self): """ Raise :class:`CertificateError` if a NULL byte is in the hostname. """ with pytest.raises(CertificateError): DNSPattern(b"www.google.com\0nasty.h4x0r.com")
def test_catches_empty(self): """ Empty DNS-IDs raise a :class:`CertificateError`. """ with pytest.raises(CertificateError): DNSPattern(b" ")
def test_enforces_bytes(self): """ Raise TypeError if unicode is passed. """ with pytest.raises(TypeError): DNSPattern(u"foo.com")