def alternative_names(csr, allowed_domains=[], **kwargs):
"""Check known domain alternative names.
Refuse requests for certificates if the domain does not match
the list of known suffixes, or network ranges.
"""
for _, name in utils.iter_alternative_names(csr, ['DNS']):
if not utils.check_domains(name, allowed_domains):
raise v_errors.ValidationError("Domain '%s' not allowed (doesn't"
" match known domains)" % name)
def alternative_names_ip(csr, allowed_domains=[], allowed_networks=[],
**kwargs):
"""Check known domain and ip alternative names.
Refuse requests for certificates if the domain does not match
the list of known suffixes, or network ranges.
"""
for name_type, name in utils.iter_alternative_names(csr,
['DNS', 'IP Address']):
if name_type == 'DNS' and not utils.check_domains(name,
allowed_domains):
raise v_errors.ValidationError("Domain '%s' not allowed (doesn't"
" match known domains)" % name)
if name_type == 'IP Address':
if not utils.check_networks(name, allowed_networks):
raise v_errors.ValidationError("IP '%s' not allowed (doesn't"
" match known networks)" % name)
def blacklist_names(csr, domains=[], **kwargs):
"""Check for blacklisted names in CN and altNames."""
if not domains:
logger.warning("No domains were configured for the blacklist filter, "
"consider disabling the step or providing a list")
return
CNs = csr.get_subject().get_entries_by_oid(x509_name.OID_commonName)
if len(CNs) > 0:
cn = utils.csr_require_cn(csr)
if utils.check_domains(cn, domains):
raise v_errors.ValidationError("Domain '%s' not allowed "
"(CN blacklisted)" % cn)
for _, name in utils.iter_alternative_names(csr, ['DNS'],
fail_other_types=False):
if utils.check_domains(name, domains):
raise v_errors.ValidationError("Domain '%s' not allowed "
"(alt blacklisted)" % name)
