diff options
| author | Alex Gaynor <alex.gaynor@gmail.com> | 2015-06-27 00:03:00 -0400 |
|---|---|---|
| committer | Alex Gaynor <alex.gaynor@gmail.com> | 2015-06-27 00:03:00 -0400 |
| commit | 7d85341b2143015756d44c278453c285e1518fbf (patch) | |
| tree | 19618f1923839fe463425b8657cb2327065c4696 /src | |
| parent | b7c7b39bd15f552ebb6ea8ae74f4af2b8985b198 (diff) | |
| parent | 666252ce9eb00b926437b49f17553097a8f813e9 (diff) | |
| download | cryptography-7d85341b2143015756d44c278453c285e1518fbf.tar.gz cryptography-7d85341b2143015756d44c278453c285e1518fbf.tar.bz2 cryptography-7d85341b2143015756d44c278453c285e1518fbf.zip | |
Merge pull request #2071 from reaperhulk/wildcard-oh-no
handle wildcard DNSNames with IDNA.
Diffstat (limited to 'src')
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/x509.py | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py index a03414c8..ebda9c98 100644 --- a/src/cryptography/hazmat/backends/openssl/x509.py +++ b/src/cryptography/hazmat/backends/openssl/x509.py @@ -82,7 +82,17 @@ def _decode_general_names(backend, gns): def _decode_general_name(backend, gn): if gn.type == backend._lib.GEN_DNS: data = backend._ffi.buffer(gn.d.dNSName.data, gn.d.dNSName.length)[:] - return x509.DNSName(idna.decode(data)) + if data.startswith(b"*."): + # This is a wildcard name. We need to remove the leading wildcard, + # IDNA decode, then re-add the wildcard. Wildcard characters should + # always be left-most (RFC 2595 section 2.4). + data = u"*." + idna.decode(data[2:]) + else: + # Not a wildcard, decode away. If the string has a * in it anywhere + # invalid this will raise an InvalidCodePoint + data = idna.decode(data) + + return x509.DNSName(data) elif gn.type == backend._lib.GEN_URI: data = backend._ffi.buffer( gn.d.uniformResourceIdentifier.data, |