aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--docs/development/test-vectors.rst6
-rw-r--r--docs/spelling_wordlist.txt1
-rw-r--r--src/cryptography/hazmat/backends/openssl/x509.py9
-rw-r--r--tests/test_x509_ext.py39
-rw-r--r--vectors/cryptography_vectors/x509/custom/cdp_empty_hostname.pem33
-rw-r--r--vectors/cryptography_vectors/x509/custom/san_empty_hostname.pem32
6 files changed, 118 insertions, 2 deletions
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
index 81998f77..bfe76330 100644
--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@@ -148,6 +148,9 @@ Custom X.509 Vectors
certificate containing a subject alternative name extension with the
following general names: ``rfc822Name``, ``dNSName``, ``iPAddress``,
``directoryName``, and ``uniformResourceIdentifier``.
+* ``san_empty_hostname.pem`` - An RSA 2048 bit self-signed certificate
+ containing a subject alternative extension with an empty ``dNSName``
+ general name.
* ``san_other_name.pem`` - An RSA 2048 bit self-signed certificate containing
a subject alternative name extension with the ``otherName`` general name.
* ``san_registered_id.pem`` - An RSA 1024 bit certificate containing a
@@ -193,6 +196,9 @@ Custom X.509 Vectors
containing an authority information access extension with an OCSP entry.
* ``aia_ca_issuers.pem`` - An RSA 2048 bit self-signed certificate
containing an authority information access extension with a CA issuers entry.
+* ``cdp_empty_hostname.pem`` - An RSA 2048 bit self-signed certificate
+ containing a CRL distribution point extension with ``fullName`` URI without
+ a hostname.
* ``cdp_fullname_reasons_crl_issuer.pem`` - An RSA 1024 bit certificate
containing a CRL distribution points extension with ``fullName``,
``cRLIssuer``, and ``reasons`` data.
diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt
index adb9186c..dc8bcd0b 100644
--- a/docs/spelling_wordlist.txt
+++ b/docs/spelling_wordlist.txt
@@ -30,6 +30,7 @@ fernet
Fernet
FIPS
hazmat
+hostname
indistinguishability
initialisms
interoperable
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index cfde4a73..2de5a8c7 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -64,7 +64,9 @@ def _decode_general_names(backend, gns):
def _decode_general_name(backend, gn):
if gn.type == backend._lib.GEN_DNS:
data = backend._asn1_string_to_bytes(gn.d.dNSName)
- if data.startswith(b"*."):
+ if not data:
+ decoded = u""
+ elif data.startswith(b"*."):
# This is a wildcard name. We need to remove the leading wildcard,
# IDNA decode, then re-add the wildcard. Wildcard characters should
# always be left-most (RFC 2595 section 2.4).
@@ -82,7 +84,10 @@ def _decode_general_name(backend, gn):
elif gn.type == backend._lib.GEN_URI:
data = backend._asn1_string_to_ascii(gn.d.uniformResourceIdentifier)
parsed = urllib_parse.urlparse(data)
- hostname = idna.decode(parsed.hostname)
+ if parsed.hostname:
+ hostname = idna.decode(parsed.hostname)
+ else:
+ hostname = ""
if parsed.port:
netloc = hostname + u":" + six.text_type(parsed.port)
else:
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index 85373973..1bc14620 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -1555,6 +1555,21 @@ class TestRSASubjectAlternativeNameExtension(object):
u'saseliminator.com'
]
+ def test_san_empty_hostname(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "custom", "san_empty_hostname.pem"
+ ),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ san = cert.extensions.get_extension_for_oid(
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
+ )
+
+ dns = san.value.get_values_for_type(x509.DNSName)
+ assert dns == [u'']
+
def test_san_wildcard_idna_dns_name(self, backend):
cert = _load_cert(
os.path.join("x509", "custom", "san_wildcard_idna.pem"),
@@ -2903,6 +2918,30 @@ class TestCRLDistributionPointsExtension(object):
)
])
+ def test_crl_empty_hostname(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "custom", "cdp_empty_hostname.pem"
+ ),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+
+ cdps = cert.extensions.get_extension_for_oid(
+ ExtensionOID.CRL_DISTRIBUTION_POINTS
+ ).value
+
+ assert cdps == x509.CRLDistributionPoints([
+ x509.DistributionPoint(
+ full_name=[x509.UniformResourceIdentifier(
+ u"ldap:/CN=A,OU=B,dc=C,DC=D?E?F?G?H=I"
+ )],
+ relative_name=None,
+ reasons=None,
+ crl_issuer=None
+ )
+ ])
+
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
diff --git a/vectors/cryptography_vectors/x509/custom/cdp_empty_hostname.pem b/vectors/cryptography_vectors/x509/custom/cdp_empty_hostname.pem
new file mode 100644
index 00000000..8a97ea2e
--- /dev/null
+++ b/vectors/cryptography_vectors/x509/custom/cdp_empty_hostname.pem
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFsDCCA5igAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UECgwEUHlD
+QTAeFw0xNTEwMTAwNDQ3MTVaFw0xNjEwMDkwNDQ3MTVaMA8xDTALBgNVBAoMBFB5
+Q0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC4CpXJ7KnM/wyy/LyK
++yO/I8G0HmZd3sUcOca8WLwIgld0FMet9vC0OIIln9PvWdYEDux1IzTEPF1KWmar
+2hgE9QcQzJVbELrqzh4SMvePcT9SW22qexDkzOvlVs/XaADf3t/HdSghi/uF/RVj
+boN0UyeSMFPB3myKZ9lIyFaJ9bZAjKI+Yfa6nvAE5b+bIc4zd8BkxzPToDq8XyBl
+j/gqYF9B3ZBJvhuztke93YDiMUlTCOIjlx/+kwjP9T1iob6oT7DanfdYxPrEIIqW
+c3vaaNNh+8p7ZkB+ipKjfYa8BdaJ6mfeUUwDrBnG2PXm/GMdQPJvFoOF5tTOZ7gd
+wQbJhHtlyl2Ah8dZiy4mU2o/4buHilu8FI755Q1gVCSZWvwnECHbF1yL7ZHPJ9Y0
+swhbcewR0xc/uYx/Mu//o0v/IRVQ4yQZDUe0B68+pqQtlUnZR/0pIuqfyvZt6tvb
+0rQt8YPahgbRxsZ81NH++0M9mD+NYuFJda+7uhS2HwAxLN2qal1repB2914z/WiW
+FHdG6sjR+Dfp3wG2Q1gIkXH6KNyOATa1kbUf4IoDKZ6T1CfEixJ3DxT0PlzDGPA1
+8QdF+jWxxyIJf2K2x95WotB9RGDLhKFfB/yw+PiaO3Yj8bKurUQEk/OhHhOxFESQ
+I5NNdN4vY0MfykL5BbKIjyabqwIDAQABo4IBFDCCARAwCQYDVR0TBAIwADARBglg
+hkgBhvhCAQEEBAMCBkAwMwYJYIZIAYb4QgENBCYWJE9wZW5TU0wgR2VuZXJhdGVk
+IFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUGjhISt50wkqiNQcSJ3YYhQ29
+CBYwPwYDVR0jBDgwNoAUGjhISt50wkqiNQcSJ3YYhQ29CBahE6QRMA8xDTALBgNV
+BAoMBFB5Q0GCCQDJtDPL+4grIjAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYI
+KwYBBQUHAwEwNgYDVR0fBC8wLTAroCmgJ4YlbGRhcDovLy9DTj1BLE9VPUIsZGM9
+QyxEQz1EP0U/Rj9HP0g9STANBgkqhkiG9w0BAQsFAAOCAgEAg5r2b6APXiXaUQeT
+daEeuWDGFtPxg/eOBoFh/GrqxxX6TfvqfcTQfwPeJqT1b5TBs5OAq3vcaJhSy4/X
+FWbMSzZjpEbr2mGrvt1EU8lAu9LZFDZD+UMvAOSAeQN5ePogUkXOip2GfRn+mK5w
+Yko9vroyprU1NhJFPagJ7jLEHKULQB5VC61Of57+72P5u+dU563pWcM0t9A1Jw5N
+ERpO1m3oXJMFKhgxeTsmitH/Q2b/39V+o5LplQtyyjvHjSthE2PM0+0A7IafQmAV
+z4C7wEaSqwOsrzEz2mw5MAqeqpc6/TcmxZOLgajVLvyEyfb5OaLiWkjj+Mi1RtWp
+Ylx4Z9B1wCgPcZYkfMmUwn/YuBSxTMWk5ktHiM6mc1K/0FFxnAR4+WXIzQW9n5Rg
+uuurBKYHWFOtfjThSEOqTSBMDEzRtk/d3n7aXGD1xOEYti6U5o3gASv7wQDIVKkv
+xpil5fmrmwEjU0dcjU5AtSZt0rLXJGywT2hTrCL7Ua8BtKwzp0KKVXLAo7O+1Vau
+u3m1D26xvgkwgB8fbgaXpFViJADHHVxBSeIuEEtkrgq2Znubc/BF7QGoXLbrsYo/
+mgbT71C8VbY+g5Gmk0xr5+xWiEBCq+Px2Bkz09J83/eJ5UU9zcMn+5oK9YQ5QAJk
+Mb7IyeivYBRJP4cqh4LdUaBIEHI=
+-----END CERTIFICATE-----
diff --git a/vectors/cryptography_vectors/x509/custom/san_empty_hostname.pem b/vectors/cryptography_vectors/x509/custom/san_empty_hostname.pem
new file mode 100644
index 00000000..90b678b9
--- /dev/null
+++ b/vectors/cryptography_vectors/x509/custom/san_empty_hostname.pem
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFgzCCA2ugAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UECgwEUHlD
+QTAeFw0xNTEwMTAwNDQ2MTRaFw0xNjEwMDkwNDQ2MTRaMA8xDTALBgNVBAoMBFB5
+Q0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC4CpXJ7KnM/wyy/LyK
++yO/I8G0HmZd3sUcOca8WLwIgld0FMet9vC0OIIln9PvWdYEDux1IzTEPF1KWmar
+2hgE9QcQzJVbELrqzh4SMvePcT9SW22qexDkzOvlVs/XaADf3t/HdSghi/uF/RVj
+boN0UyeSMFPB3myKZ9lIyFaJ9bZAjKI+Yfa6nvAE5b+bIc4zd8BkxzPToDq8XyBl
+j/gqYF9B3ZBJvhuztke93YDiMUlTCOIjlx/+kwjP9T1iob6oT7DanfdYxPrEIIqW
+c3vaaNNh+8p7ZkB+ipKjfYa8BdaJ6mfeUUwDrBnG2PXm/GMdQPJvFoOF5tTOZ7gd
+wQbJhHtlyl2Ah8dZiy4mU2o/4buHilu8FI755Q1gVCSZWvwnECHbF1yL7ZHPJ9Y0
+swhbcewR0xc/uYx/Mu//o0v/IRVQ4yQZDUe0B68+pqQtlUnZR/0pIuqfyvZt6tvb
+0rQt8YPahgbRxsZ81NH++0M9mD+NYuFJda+7uhS2HwAxLN2qal1repB2914z/WiW
+FHdG6sjR+Dfp3wG2Q1gIkXH6KNyOATa1kbUf4IoDKZ6T1CfEixJ3DxT0PlzDGPA1
+8QdF+jWxxyIJf2K2x95WotB9RGDLhKFfB/yw+PiaO3Yj8bKurUQEk/OhHhOxFESQ
+I5NNdN4vY0MfykL5BbKIjyabqwIDAQABo4HoMIHlMAkGA1UdEwQCMAAwEQYJYIZI
+AYb4QgEBBAQDAgZAMDMGCWCGSAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBT
+ZXJ2ZXIgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFBo4SEredMJKojUHEid2GIUNvQgW
+MD8GA1UdIwQ4MDaAFBo4SEredMJKojUHEid2GIUNvQgWoROkETAPMQ0wCwYDVQQK
+DARQeUNBggkAybQzy/uIKyIwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMAsGA1UdEQQEMAKCADANBgkqhkiG9w0BAQsFAAOCAgEAjDlZFmLz7JPA
+8sQCjTbHkTJsn4vD/VqZPszqXuaR/De2R8EhnJEd2uTMYOG+X9iFkyxUYl3OWzQ3
+GLznmjLaobuOQ9ck3RhNDaSjcqTVFGB8EXIVrM3ioh/1YB9GPlOuaUFWJKwWQkS0
+GqUp5JlmWV9ScyW7R7IgZOMTb2opaww0vlSNudqaFGjpTmSd/VNPaAIAEK3NQwZa
+XtQ70CqiwBAHoDWvHfFfIiXVvkze0QPzWbKPRmK0iaGzxZ9E+0+w36r2YL0vkQzQ
+9fwrfPM10Am7VdHnyExbm/gr9LkJQDb6Igz3M6Hd8Ui7w8dlaw0+jzTZ1cwXyOL8
+4BjbBvuFvsx8OyCaPl+EO0Z4XPquPWV80igbGbkxGQiIFMP5TyK+7yGB+1txWnMR
+8ADmuMhCRUJ5Gim5p8yrq6cZTsxfgbmNsPCWeTroyscBXZEDYEzLpUvs/SI826+Y
+a607iwg4YcHl9JUN2bcTay5G0tXFyrI5iLfEeMaSiRSM1EOqyYsBI9buf3WhH+rm
+mlXyXt1mXhHvZDY/kWdbiHNc7GNAhhCQIuuLHhXd3/6eyMn8iGE5a/cbjPVwcYLw
+bxjb9YB6yWbrAQSG/ts89v/efqqhxnpjXtZ+gJLLmBrVq70UZj0ptNKDCvsCNlHr
+cHZkH9okuLpO5zNsYPEWjg1NoF4wwxw=
+-----END CERTIFICATE-----
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-03 15:03:20 +0000