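    def _judge_name(self, certificate, name):
        """Judge whether *certificate* identifies the host *name*.

        Two identity sources are examined and each yields its own
        judgement: the subject's common name (CN) attribute(s) and the
        dNSName entries of the SubjectAlternativeName extension. Matching
        itself is delegated to
        ``ValidationTools.validate_domainname_template_match`` with the
        certificate's value as the template and *name* as the candidate,
        so wildcard semantics and case handling are whatever that helper
        implements.

        Args:
            certificate: parsed X.509 certificate exposing ``subject``
                (``get_all``) and ``extensions`` (``get_first``).
            name: the host name the certificate is expected to identify.

        Returns:
            SecurityJudgements: the judgements produced by the name check.
            A ``Verdict.NO_SECURITY`` judgement
            (``CertUsage_Purpose_ServerCert_NameVerificationFailed``) is
            appended only when neither a CN nor a SAN dNSName matched.
        """
        judgements = SecurityJudgements()

        # --- Common name (CN) -------------------------------------------
        # NOTE(review): RFC 6125 and the CA/Browser Forum Baseline
        # Requirements deprecate the CN as a host identifier, and current
        # browsers ignore it; a CN-only match is therefore a legacy
        # fallback and the SAN result below is what modern clients act on.
        cn_oid = OIDDB.RDNTypes.inverse("CN")
        rdns = certificate.subject.get_all(cn_oid)
        have_valid_cn = False
        if rdns:
            # First RDN whose CN value matches the requested name, or None.
            found_rdn = None
            for rdn in rdns:
                value = rdn.get_value(cn_oid)
                if ValidationTools.validate_domainname_template_match(
                        value.printable_value, name):
                    found_rdn = rdn
                    break
            if found_rdn is not None:
                # Bug fix: this flag was previously never set, so the
                # NameVerificationFailed judgement at the bottom fired
                # whenever the SAN check failed -- even after a CN match --
                # contradicting that judgement's own message text. Both
                # CN branches below report a match, so both set it.
                have_valid_cn = True
                if found_rdn.component_cnt == 1:
                    judgements += SecurityJudgement(
                        JudgementCode.CertUsage_Purpose_ServerCert_CN_Match,
                        "Common name (CN) matches '%s'." % (name),
                        commonness=Commonness.COMMON)
                else:
                    # The CN is one attribute of a multi-valued RDN: still
                    # a textual match, but an unusual encoding that many
                    # clients do not handle, hence HIGHLY_UNUSUAL.
                    judgements += SecurityJudgement(
                        JudgementCode.
                        CertUsage_Purpose_ServerCert_CN_MatchMultivalueRDN,
                        "Common name (CN) matches '%s', but is part of a multi-valued RDN: %s"
                        % (name, found_rdn.pretty_str),
                        commonness=Commonness.HIGHLY_UNUSUAL)
            else:
                judgements += SecurityJudgement(
                    JudgementCode.CertUsage_Purpose_ServerCert_CN_Mismatch,
                    "No common name (CN) matches '%s'." % (name),
                    commonness=Commonness.UNUSUAL)
        # A subject without any CN gets no CN judgement at all; that is
        # the normal shape of a SAN-only certificate and is not penalised
        # here beyond the combined verdict below.

        # --- Subject Alternative Name -----------------------------------
        have_valid_san = False
        extension = certificate.extensions.get_first(
            OIDDB.X509Extensions.inverse("SubjectAlternativeName"))
        if extension is not None:
            # Only dNSName entries are consulted. iPAddress entries are
            # not, so a literal IP address passed as *name* cannot match
            # via the SAN path -- TODO confirm whether callers ever pass
            # IP literals; if so, iPAddress handling is missing here.
            for san_name in extension.get_all("dNSName"):
                if ValidationTools.validate_domainname_template_match(
                        san_name.str_value, name):
                    have_valid_san = True
                    judgements += SecurityJudgement(
                        JudgementCode.CertUsage_Purpose_ServerCert_SAN_Match,
                        "Subject Alternative Name matches '%s'." % (name),
                        commonness=Commonness.COMMON)
                    break
            else:
                # for/else: the loop ran to completion without a match
                # (this also covers an extension with zero dNSName entries).
                judgements += SecurityJudgement(
                    JudgementCode.CertUsage_Purpose_ServerCert_SAN_Mismatch,
                    "No Subject Alternative Name X.509 extension matches '%s'."
                    % (name),
                    commonness=Commonness.UNUSUAL)
        # No SAN extension at all: no SAN judgement is emitted; only the
        # combined verdict below can flag it.

        # --- Combined verdict -------------------------------------------
        # Only when both identity sources failed is the certificate unable
        # to identify *name* at all. NOTE(review): a CN-only match passes
        # this gate although modern clients would reject such a
        # certificate; flagging that case would need a dedicated
        # judgement code that this block does not define.
        if (not have_valid_cn) and (not have_valid_san):
            judgements += SecurityJudgement(
                JudgementCode.
                CertUsage_Purpose_ServerCert_NameVerificationFailed,
                "Found neither valid common name (CN) nor valid subject alternative name (SAN).",
                commonness=Commonness.HIGHLY_UNUSUAL,
                verdict=Verdict.NO_SECURITY)

        return judgements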
 def test_domainname_template_no_match(self):
     """Template/host pairs that the matcher must reject.

     Pins the negative side of
     ``ValidationTools.validate_domainname_template_match(template, name)``:
     a template without wildcard must equal the whole name, ``*`` never
     spans a label boundary (``*.com`` does not cover ``www.FOO.com``),
     and with a partial-label wildcard the literal text around ``*`` has
     to be present in that same label (``muh*blubb`` rejects ``blubb``,
     ``abcblubb`` and ``mUh``).
     """
     rejected_pairs = (
         ("foo.com", "foo.de"),
         ("*.com", "www.FOO.com"),
         ("*.foo.com", "FOO.cOm"),
         ("*blubb.foo.com", "wWw.FOO.cOm"),
         ("blubb*.foo.com", "www.FOO.cOm"),
         ("muh*blubb.foo.com", "mUh.FOO.cOm"),
         ("muh*blubb.foo.com", "blubb.FOO.cOm"),
         ("muh*blubb.foo.com", "abcblubb.FOO.cOm"),
         ("muh.f*o.com", "mUh.web.cOm"),
     )
     # Same assertions, in the same order, as the explicit form; the
     # first failing pair aborts the test exactly as before.
     for template, hostname in rejected_pairs:
         self.assertFalse(
             ValidationTools.validate_domainname_template_match(
                 template, hostname))
 def test_domainname_template_match(self):
     """Template/host pairs that the matcher must accept.

     Pins the positive side of
     ``ValidationTools.validate_domainname_template_match(template, name)``:
     comparison is case-insensitive on both sides (``foo.CoM`` vs
     ``FOO.cOm``), ``*`` may stand for a whole label or for a prefix,
     suffix or infix of one label, and it may match the empty string
     (``f*o`` vs ``FO``).

     NOTE(review): these cases show the matcher accepting forms that the
     CA/Browser Forum Baseline Requirements and mainstream browsers
     reject -- partial-label wildcards such as ``f*o`` / ``blubb*`` and a
     wildcard directly over a public suffix (``*.com`` covering
     ``FOO.cOm``). That is a property of the helper, not a defect in the
     test, but code that treats a wildcard match as a full identity match
     should be aware the matcher is more permissive than RFC 6125 §6.4.3
     recommends -- worth confirming with the consumers of this helper.
     """
     accepted_pairs = (
         ("foo.com", "FOO.cOm"),
         ("foo.CoM", "FOO.cOm"),
         ("*.com", "FOO.cOm"),
         ("*.foo.com", "wWw.FOO.cOm"),
         ("*blubb.foo.com", "wWwblubb.FOO.cOm"),
         ("blubb*.foo.com", "bLubbmoo.FOO.cOm"),
         ("muh*blubb.foo.com", "mUhwWwblubb.FOO.cOm"),
         ("muh.f*o.com", "mUh.FOO.cOm"),
         ("muh.f*o.com", "mUh.FO.cOm"),
         ("muh.f*o.com", "mUh.FabcdefO.cOm"),
         ("muh.fo*.com", "mUh.FOobar.cOm"),
     )
     # Same assertions, in the same order, as the explicit form; the
     # first failing pair aborts the test exactly as before.
     for template, hostname in accepted_pairs:
         self.assertTrue(
             ValidationTools.validate_domainname_template_match(
                 template, hostname))