authorPaul Kehrer <paul.l.kehrer@gmail.com>2015-06-26 18:43:26 -0500
committerPaul Kehrer <paul.l.kehrer@gmail.com>2015-06-26 19:57:47 -0500
commit3c6bba5729fa81475dd9e756b800a5e6eda4653b (patch)
tree24fbc4bdf35262502d1b6dee9b7efe97c8940e64 /src
parentbe7294e17f485909b8b94e6deaef7e0a4179e597 (diff)
handle wildcard DNSNames with IDNA.
fixes #2054
Diffstat (limited to 'src')
-rw-r--r--src/cryptography/hazmat/backends/openssl/x509.py15
1 files changed, 14 insertions, 1 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index a03414c8..ce8b89cc 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -82,7 +82,20 @@ def _decode_general_names(backend, gns):
def _decode_general_name(backend, gn):
if gn.type == backend._lib.GEN_DNS:
data = backend._ffi.buffer(gn.d.dNSName.data, gn.d.dNSName.length)[:]
- return x509.DNSName(idna.decode(data))
+ if data.startswith(b"*."):
+ # This is a wildcard name. We need to split on period, remove the
+ # leading wildcard, IDNA decode, then re-add the wildcard
+ # Wildcard characters should always be left-most (RFC 2595
+ # section 2.4).
+ parts = data.split(b".")
+ parts.pop(0)
+ data = u"*." + idna.decode(b".".join(parts))
+ else:
+ # Not a wildcard, decode away. If the string has a * in it anywhere
+ # invalid this will raise an InvalidCodePoint
+ data = idna.decode(data)
+
+ return x509.DNSName(data)
elif gn.type == backend._lib.GEN_URI:
data = backend._ffi.buffer(
gn.d.uniformResourceIdentifier.data,
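Review bot: In the wildcard branch of `_decode_general_name`, the text after the leading `*.` goes to `idna.decode` with no check that it is non-empty, so a dNSName of just `*.` in an untrusted certificate appears to hand the decoder an empty string, and whatever idna raises escapes the parser. Both branches rely on idna's own exception to reject malformed names; it would help to document that on the function, or to catch `idna.IDNAError` and re-raise one documented error type so callers parsing hostile SANs have a single thing to handle. The split/pop/join sequence is equivalent to slicing off the first two bytes, so `data = u"*." + idna.decode(data[2:])` says the same thing more directly. The comment in the else branch names `InvalidCodePoint`, while idna's class is, as far as I know, spelled `InvalidCodepoint`; worth confirming and correcting so the comment matches what callers would catch. The function body continues past the end of this hunk.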