Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 3c6bba5729fa81475dd9e756b800a5e6eda4653b^! / .
commit3c6bba5729fa81475dd9e756b800a5e6eda4653b[log] [tgz]
authorPaul Kehrer <paul.l.kehrer@gmail.com>Fri Jun 26 18:43:26 2015 -0500
committerPaul Kehrer <paul.l.kehrer@gmail.com>Fri Jun 26 19:57:47 2015 -0500
tree24fbc4bdf35262502d1b6dee9b7efe97c8940e64
parentbe7294e17f485909b8b94e6deaef7e0a4179e597 [diff]
handle wildcard DNSNames with IDNA.

fixes #2054

diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index a03414c..ce8b89c 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py

@@ -82,7 +82,20 @@
 def _decode_general_name(backend, gn):
     if gn.type == backend._lib.GEN_DNS:
         data = backend._ffi.buffer(gn.d.dNSName.data, gn.d.dNSName.length)[:]
-        return x509.DNSName(idna.decode(data))
+        if data.startswith(b"*."):
+            # This is a wildcard name. We need to split on period, remove the
+            # leading wildcard, IDNA decode, then re-add the wildcard
+            # Wildcard characters should always be left-most (RFC 2595
+            # section 2.4).
+            parts = data.split(b".")
+            parts.pop(0)
+            data = u"*." + idna.decode(b".".join(parts))
+        else:
+            # Not a wildcard, decode away. If the string has a * in it anywhere
+            # invalid this will raise an InvalidCodePoint
+            data = idna.decode(data)
+
+        return x509.DNSName(data)
     elif gn.type == backend._lib.GEN_URI:
         data = backend._ffi.buffer(
             gn.d.uniformResourceIdentifier.data,

diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index cacc057..6d91ba4 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py

@@ -1351,6 +1351,37 @@
         dns = san.get_values_for_type(x509.DNSName)
         assert dns == [u"www.cryptography.io", u"cryptography.io"]
 
+    def test_wildcard_dns_name(self, backend):
+        cert = _load_cert(
+            os.path.join("x509", "wildcard_san.pem"),
+            x509.load_pem_x509_certificate,
+            backend
+        )
+        ext = cert.extensions.get_extension_for_oid(
+            x509.OID_SUBJECT_ALTERNATIVE_NAME
+        )
+
+        dns = ext.value.get_values_for_type(x509.DNSName)
+        assert dns == [
+            u'*.langui.sh',
+            u'langui.sh',
+            u'*.saseliminator.com',
+            u'saseliminator.com'
+        ]
+
+    def test_san_wildcard_idna_dns_name(self, backend):
+        cert = _load_cert(
+            os.path.join("x509", "custom", "san_wildcard_idna.pem"),
+            x509.load_pem_x509_certificate,
+            backend
+        )
+        ext = cert.extensions.get_extension_for_oid(
+            x509.OID_SUBJECT_ALTERNATIVE_NAME
+        )
+
+        dns = ext.value.get_values_for_type(x509.DNSName)
+        assert dns == [u'*.\u043f\u044b\u043a\u0430.cryptography']
+
     def test_unsupported_other_name(self, backend):
         cert = _load_cert(
             os.path.join(