Exemplo n.º 1
0
    def _judge_name(self, certificate, name):
        judgements = SecurityJudgements()
        rdns = certificate.subject.get_all(OIDDB.RDNTypes.inverse("CN"))
        have_valid_cn = False
        if len(rdns) > 0:
            found_rdn = None
            for rdn in rdns:
                value = rdn.get_value(OIDDB.RDNTypes.inverse("CN"))
                if ValidationTools.validate_domainname_template_match(
                        value.printable_value, name):
                    found_rdn = rdn
                    break
            if found_rdn is not None:
                if found_rdn.component_cnt == 1:
                    judgements += SecurityJudgement(
                        JudgementCode.CertUsage_Purpose_ServerCert_CN_Match,
                        "Common name (CN) matches '%s'." % (name),
                        commonness=Commonness.COMMON)
                else:
                    judgements += SecurityJudgement(
                        JudgementCode.
                        CertUsage_Purpose_ServerCert_CN_MatchMultivalueRDN,
                        "Common name (CN) matches '%s', but is part of a multi-valued RDN: %s"
                        % (name, found_rdn.pretty_str),
                        commonness=Commonness.HIGHLY_UNUSUAL)
            else:
                judgements += SecurityJudgement(
                    JudgementCode.CertUsage_Purpose_ServerCert_CN_Mismatch,
                    "No common name (CN) matches '%s'." % (name),
                    commonness=Commonness.UNUSUAL)

        have_valid_san = False
        extension = certificate.extensions.get_first(
            OIDDB.X509Extensions.inverse("SubjectAlternativeName"))
        if extension is not None:
            for san_name in extension.get_all("dNSName"):
                if ValidationTools.validate_domainname_template_match(
                        san_name.str_value, name):
                    have_valid_san = True
                    judgements += SecurityJudgement(
                        JudgementCode.CertUsage_Purpose_ServerCert_SAN_Match,
                        "Subject Alternative Name matches '%s'." % (name),
                        commonness=Commonness.COMMON)
                    break
            else:
                judgements += SecurityJudgement(
                    JudgementCode.CertUsage_Purpose_ServerCert_SAN_Mismatch,
                    "No Subject Alternative Name X.509 extension matches '%s'."
                    % (name),
                    commonness=Commonness.UNUSUAL)

        if (not have_valid_cn) and (not have_valid_san):
            judgements += SecurityJudgement(
                JudgementCode.
                CertUsage_Purpose_ServerCert_NameVerificationFailed,
                "Found neither valid common name (CN) nor valid subject alternative name (SAN).",
                commonness=Commonness.HIGHLY_UNUSUAL,
                verdict=Verdict.NO_SECURITY)

        return judgements
Exemplo n.º 2
0
 def test_domainname_template_no_match(self):
     self.assertFalse(
         ValidationTools.validate_domainname_template_match(
             "foo.com", "foo.de"))
     self.assertFalse(
         ValidationTools.validate_domainname_template_match(
             "*.com", "www.FOO.com"))
     self.assertFalse(
         ValidationTools.validate_domainname_template_match(
             "*.foo.com", "FOO.cOm"))
     self.assertFalse(
         ValidationTools.validate_domainname_template_match(
             "*blubb.foo.com", "wWw.FOO.cOm"))
     self.assertFalse(
         ValidationTools.validate_domainname_template_match(
             "blubb*.foo.com", "www.FOO.cOm"))
     self.assertFalse(
         ValidationTools.validate_domainname_template_match(
             "muh*blubb.foo.com", "mUh.FOO.cOm"))
     self.assertFalse(
         ValidationTools.validate_domainname_template_match(
             "muh*blubb.foo.com", "blubb.FOO.cOm"))
     self.assertFalse(
         ValidationTools.validate_domainname_template_match(
             "muh*blubb.foo.com", "abcblubb.FOO.cOm"))
     self.assertFalse(
         ValidationTools.validate_domainname_template_match(
             "muh.f*o.com", "mUh.web.cOm"))
Exemplo n.º 3
0
 def test_domainname_template_match(self):
     self.assertTrue(
         ValidationTools.validate_domainname_template_match(
             "foo.com", "FOO.cOm"))
     self.assertTrue(
         ValidationTools.validate_domainname_template_match(
             "foo.CoM", "FOO.cOm"))
     self.assertTrue(
         ValidationTools.validate_domainname_template_match(
             "*.com", "FOO.cOm"))
     self.assertTrue(
         ValidationTools.validate_domainname_template_match(
             "*.foo.com", "wWw.FOO.cOm"))
     self.assertTrue(
         ValidationTools.validate_domainname_template_match(
             "*blubb.foo.com", "wWwblubb.FOO.cOm"))
     self.assertTrue(
         ValidationTools.validate_domainname_template_match(
             "blubb*.foo.com", "bLubbmoo.FOO.cOm"))
     self.assertTrue(
         ValidationTools.validate_domainname_template_match(
             "muh*blubb.foo.com", "mUhwWwblubb.FOO.cOm"))
     self.assertTrue(
         ValidationTools.validate_domainname_template_match(
             "muh.f*o.com", "mUh.FOO.cOm"))
     self.assertTrue(
         ValidationTools.validate_domainname_template_match(
             "muh.f*o.com", "mUh.FO.cOm"))
     self.assertTrue(
         ValidationTools.validate_domainname_template_match(
             "muh.f*o.com", "mUh.FabcdefO.cOm"))
     self.assertTrue(
         ValidationTools.validate_domainname_template_match(
             "muh.fo*.com", "mUh.FOobar.cOm"))