def common_name(csr, allowed_domains=[], allowed_networks=[], **kwargs): """Check the CN entry is a known domain. Refuse requests for certificates if they contain multiple CN entries, or the domain does not match the list of known suffixes. """ alt_present = any(ext.get_name() == "subjectAltName" for ext in csr.get_extensions()) CNs = csr.get_subject().get_entries_by_oid(x509_name.OID_commonName) if len(CNs) > 1: raise v_errors.ValidationError("Too many CNs in the request") # rfc2459#section-4.2.1.6 says so if len(CNs) == 0 and not alt_present: raise v_errors.ValidationError("Alt subjects have to exist if the main" " subject doesn't") if len(CNs) > 0: cn = utils.csr_require_cn(csr) try: # is it an IP rather than domain? ip = netaddr.IPAddress(cn) if not (utils.check_networks(ip, allowed_networks)): raise v_errors.ValidationError( "Address '%s' not allowed (does not match known networks)" % cn) except netaddr.AddrFormatError: if not (utils.check_domains(cn, allowed_domains)): raise v_errors.ValidationError( "Domain '%s' not allowed (does not match known domains)" % cn)
def alternative_names_ip(csr, allowed_domains=[], allowed_networks=[], **kwargs): """Check known domain and ip alternative names. Refuse requests for certificates if the domain does not match the list of known suffixes, or network ranges. """ for name_type, name in utils.iter_alternative_names(csr, ['DNS', 'IP Address']): if name_type == 'DNS' and not utils.check_domains(name, allowed_domains): raise v_errors.ValidationError("Domain '%s' not allowed (doesn't" " match known domains)" % name) if name_type == 'IP Address': if not utils.check_networks(name, allowed_networks): raise v_errors.ValidationError("IP '%s' not allowed (doesn't" " match known networks)" % name)
def test_check_networks_bad(self): allowed_networks = ['15/8', '74.125/16'] self.assertFalse(utils.check_networks( netaddr.IPAddress('12.2.2.2'), allowed_networks))
def test_check_networks_passthrough(self): good_ip = netaddr.IPAddress("10.2.3.4") self.assertTrue(utils.check_networks(good_ip, []))
def test_check_networks_good(self): allowed_networks = ['15/8', '74.125/16'] self.assertTrue(utils.check_networks( netaddr.IPAddress('74.125.224.64'), allowed_networks))
def test_check_networks(self): good_ip = netaddr.IPAddress("10.2.3.4") bad_ip = netaddr.IPAddress("88.2.3.4") test_allowed = ["10/8"] self.assertTrue(utils.check_networks(good_ip, test_allowed)) self.assertFalse(utils.check_networks(bad_ip, test_allowed))
def test_check_networks_invalid(self): with self.assertRaises(TypeError): utils.check_networks("1.2.3.4", ["10/8"])
def test_check_networks_bad(self): allowed_networks = ['15/8', '74.125/16'] self.assertFalse( utils.check_networks(netaddr.IPAddress('12.2.2.2'), allowed_networks))
def test_check_networks_good(self): allowed_networks = ['15/8', '74.125/16'] self.assertTrue( utils.check_networks(netaddr.IPAddress('74.125.224.64'), allowed_networks))
def test_check_networks_passthrough(self): good_ip = netaddr.IPAddress('10.2.3.4') self.assertTrue(utils.check_networks(good_ip, []))
def test_check_networks_invalid(self): with self.assertRaises(TypeError): utils.check_networks('1.2.3.4', ['10/8'])
def test_check_networks(self): good_ip = netaddr.IPAddress('10.2.3.4') bad_ip = netaddr.IPAddress('88.2.3.4') test_allowed = ['10/8'] self.assertTrue(utils.check_networks(good_ip, test_allowed)) self.assertFalse(utils.check_networks(bad_ip, test_allowed))