commit ec074915782e2f01f92ffe0820b0bc28f7960f12 parent 094e3117c40537279ec20c8ffcf479d92db7ffd3 Author: Solderpunk <solderpunk@sdf.org> Date: Sun, 17 May 2020 22:36:10 +0200 Check alternative subject names. Diffstat:
M | av98.py | | | 20 | +++++++++++++++++--- |
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/av98.py b/av98.py
@@ -665,10 +665,24 @@ Slow internet connection? Use 'set timeout' to be more patient.""")
 elif c.not_valid_after <= now:
 raise CertificateError("Certificate expired as of: {})!".format(c.not_valid_after))
- # Check certificate hostname
- # TODO: Check alternative names too
+ # Check certificate hostnames
+ names = []
 common_name = c.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)[0].value
- ssl._dnsname_match(common_name, host)
+ names.append(common_name)
+ try:
+ names.extend([alt.value for alt in c.extensions.get_extension_for_oid(x509.oid.ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value])
+ except x509.ExtensionNotFound:
+ pass
+ names = set(names)
+ for name in names:
+ try:
+ ssl._dnsname_match(common_name, host)
+ break
+ except CertificateError:
+ continue
+ else:
+ # If we didn't break out, none of the names were valid
+ raise CertificateError("Hostname does not match certificate common name or any alternative names.")
 sha = hashlib.sha256()
 sha.update(cert)
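Review bot: The loop at `for name in names:` still calls `ssl._dnsname_match(common_name, host)`, so the subject alternative names collected into `names` are never compared and only the common name is ever checked, exactly as before the change; the call should be `ssl._dnsname_match(name, host)`. Iterating the SAN extension's `.value` also yields every GeneralName, and `.value` of a non-DNS entry (an IP address, for example) is not a string, which would make the matcher fail or raise on such certificates instead of skipping them; `names.extend(c.extensions.get_extension_for_oid(x509.oid.ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value.get_values_for_type(x509.DNSName))` restricts the list to DNS names. The `except CertificateError:` branch presumably relies on `CertificateError` being the `ssl.CertificateError` that `_dnsname_match` raises; if the file defines its own `CertificateError` class, a non-matching name would propagate out of the loop rather than fall through to the next one, so that is worth confirming. `ssl._dnsname_match` is a private CPython helper, so its availability and behaviour may change across Python versions. The enclosing function starts before this hunk.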