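def _judge_name(self, certificate, name):
    """Judge whether *certificate* covers the server hostname *name*.

    The subject's common name (CN) RDNs and the dNSName entries of the
    SubjectAlternativeName extension are each matched against *name* via
    ValidationTools.validate_domainname_template_match; one SecurityJudgement
    is recorded per finding.

    Args:
        certificate: the certificate under review; ``certificate.subject`` and
            ``certificate.extensions`` are consulted.
        name: the hostname the certificate is expected to be valid for.

    Returns:
        SecurityJudgements collected for the CN and SAN checks. When neither a
        CN nor a SAN matches, a NameVerificationFailed judgement with verdict
        NO_SECURITY is added as well.
    """
    judgements = SecurityJudgements()
    cn_oid = OIDDB.RDNTypes.inverse("CN")

    # Common name: the first CN RDN that matches decides the CN judgement.
    have_valid_cn = False
    rdns = certificate.subject.get_all(cn_oid)
    if len(rdns) > 0:
        found_rdn = None
        for rdn in rdns:
            value = rdn.get_value(cn_oid)
            if ValidationTools.validate_domainname_template_match(value.printable_value, name):
                found_rdn = rdn
                break
        if found_rdn is not None:
            # A matching CN counts as a valid name. Previously this flag was
            # never set, so the combined NameVerificationFailed judgement below
            # (verdict NO_SECURITY) fired whenever no SAN matched, even though
            # the CN did.
            have_valid_cn = True
            if found_rdn.component_cnt == 1:
                judgements += SecurityJudgement(
                    JudgementCode.CertUsage_Purpose_ServerCert_CN_Match,
                    "Common name (CN) matches '%s'." % (name),
                    commonness=Commonness.COMMON)
            else:
                # CN inside a multi-valued RDN still matches but is flagged.
                judgements += SecurityJudgement(
                    JudgementCode.CertUsage_Purpose_ServerCert_CN_MatchMultivalueRDN,
                    "Common name (CN) matches '%s', but is part of a multi-valued RDN: %s" % (name, found_rdn.pretty_str),
                    commonness=Commonness.HIGHLY_UNUSUAL)
        else:
            judgements += SecurityJudgement(
                JudgementCode.CertUsage_Purpose_ServerCert_CN_Mismatch,
                "No common name (CN) matches '%s'." % (name),
                commonness=Commonness.UNUSUAL)
    # With no CN RDN at all, no CN-specific judgement is recorded; the
    # combined check at the end covers that case.

    # Subject Alternative Name: only dNSName entries are considered.
    have_valid_san = False
    extension = certificate.extensions.get_first(
        OIDDB.X509Extensions.inverse("SubjectAlternativeName"))
    if extension is not None:
        for san_name in extension.get_all("dNSName"):
            if ValidationTools.validate_domainname_template_match(san_name.str_value, name):
                have_valid_san = True
                judgements += SecurityJudgement(
                    JudgementCode.CertUsage_Purpose_ServerCert_SAN_Match,
                    "Subject Alternative Name matches '%s'." % (name),
                    commonness=Commonness.COMMON)
                break
        else:
            # for/else: reached only when no dNSName entry matched.
            judgements += SecurityJudgement(
                JudgementCode.CertUsage_Purpose_ServerCert_SAN_Mismatch,
                "No Subject Alternative Name X.509 extension matches '%s'." % (name),
                commonness=Commonness.UNUSUAL)

    if (not have_valid_cn) and (not have_valid_san):
        judgements += SecurityJudgement(
            JudgementCode.CertUsage_Purpose_ServerCert_NameVerificationFailed,
            "Found neither valid common name (CN) nor valid subject alternative name (SAN).",
            commonness=Commonness.HIGHLY_UNUSUAL,
            verdict=Verdict.NO_SECURITY)
    return judgements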
def test_domainname_template_no_match(self):
    """Template/hostname pairs that must NOT be reported as a match.

    Each entry is ``(template, hostname)``; the template may contain a ``*``
    wildcard fragment.
    """
    rejected_pairs = (
        ("foo.com", "foo.de"),
        ("*.com", "www.FOO.com"),
        ("*.foo.com", "FOO.cOm"),
        ("*blubb.foo.com", "wWw.FOO.cOm"),
        ("blubb*.foo.com", "www.FOO.cOm"),
        ("muh*blubb.foo.com", "mUh.FOO.cOm"),
        ("muh*blubb.foo.com", "blubb.FOO.cOm"),
        ("muh*blubb.foo.com", "abcblubb.FOO.cOm"),
        ("muh.f*o.com", "mUh.web.cOm"),
    )
    for template, hostname in rejected_pairs:
        self.assertFalse(
            ValidationTools.validate_domainname_template_match(template, hostname),
            msg="template %r unexpectedly matched hostname %r" % (template, hostname))
def test_domainname_template_match(self):
    """Template/hostname pairs that MUST be reported as a match.

    Each entry is ``(template, hostname)``; hostnames deliberately use mixed
    case, and templates may contain a ``*`` wildcard fragment.
    """
    accepted_pairs = (
        ("foo.com", "FOO.cOm"),
        ("foo.CoM", "FOO.cOm"),
        ("*.com", "FOO.cOm"),
        ("*.foo.com", "wWw.FOO.cOm"),
        ("*blubb.foo.com", "wWwblubb.FOO.cOm"),
        ("blubb*.foo.com", "bLubbmoo.FOO.cOm"),
        ("muh*blubb.foo.com", "mUhwWwblubb.FOO.cOm"),
        ("muh.f*o.com", "mUh.FOO.cOm"),
        ("muh.f*o.com", "mUh.FO.cOm"),
        ("muh.f*o.com", "mUh.FabcdefO.cOm"),
        ("muh.fo*.com", "mUh.FOobar.cOm"),
    )
    for template, hostname in accepted_pairs:
        self.assertTrue(
            ValidationTools.validate_domainname_template_match(template, hostname),
            msg="template %r did not match hostname %r" % (template, hostname))