DNS testing tools
Remoh
Commits
5b162fb2
Commit
5b162fb2
authored
Dec 07, 2019
by
Stephane Bortzmeyer
Refactoring of hostname canonicalisation. Closes #20
parent
8ebd73a2
Changes
1
homer.py
...
...
@@ -74,9 +74,18 @@ def usage(msg=None):
print
(
"See the README.md for more details."
,
file
=
sys
.
stderr
)
def
is_valid_hostname
(
name
):
name
=
str
(
name
.
encode
(
'idna'
).
lower
()
)
name
=
canonicalize
(
name
)
return
re_host
.
search
(
name
)
def
canonicalize
(
hostname
):
result
=
hostname
.
lower
()
# TODO handle properly the case where it fails with UnicodeError
# (two consecutive dots for instance) to get a custom exception
result
=
result
.
encode
(
'idna'
).
decode
()
if
result
[
len
(
result
)
-
1
]
==
'.'
:
result
=
result
[:
-
1
]
return
result
def
is_valid_ip_address
(
addr
):
try
:
baddr
=
netaddr
.
IPAddress
(
addr
)
...
...
@@ -125,15 +134,11 @@ def validate_hostname(hostname, cert):
# Complete specification is in RFC 6125. It is long and
# complicated and I'm not sure we do it perfectly.
is_addr
=
is_valid_ip_address
(
hostname
)
hostname
=
hostname
.
lower
()
hostname
=
hostname
.
encode
(
'idna'
).
decode
()
hostname
=
canonicalize
(
hostname
)
for
alt_name
in
get_certificate_san
(
cert
).
split
(
", "
):
if
alt_name
.
startswith
(
"DNS:"
)
and
not
is_addr
:
(
start
,
base
)
=
alt_name
.
split
(
"DNS:"
)
base
=
base
.
lower
()
# We assume the certificate contains only
# A-labels. Otherwise, we would need to: "base =
# str(base.encode('idna'))"
base
=
canonicalize
(
base
)
found
=
match_hostname
(
hostname
,
base
)
if
found
:
return
True
...
...
@@ -152,7 +157,7 @@ def validate_hostname(hostname, cert):
pass
# Ignore unknown alternative name types. May be
# accept URI alternative names for DoH,
# According to RFC 6125, we MUST NOT try the Common Name before the Subject Alternative Names.
cn
=
cert
.
get_subject
().
commonName
.
lower
(
)
cn
=
canonicalize
(
cert
.
get_subject
().
commonName
)
found
=
match_hostname
(
hostname
,
cn
)
if
found
:
return
True
...
...
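Review bot: In validate_hostname, canonicalize() is now called on names taken from the peer's certificate (each `DNS:` SAN entry and the subject commonName), so the UnicodeError that the TODO in canonicalize() mentions can now be triggered by certificate content, and it would leave the SAN loop before later entries are tried. I would catch it at both call sites and treat the entry as a non-match, for example `except UnicodeError: continue` around `base = canonicalize(base)`; validate_hostname starts and ends outside these hunks, so check that `continue` fits the rest of the loop. In canonicalize() itself, `result[len(result)-1] == '.'` raises IndexError for an empty string, which `if result.endswith('.'):` avoids. The new CN line still assumes `cert.get_subject().commonName` is a string; if the certificate library returns None for a subject without a CN (worth confirming), `canonicalize(None)` fails with AttributeError instead of reporting no match. Python's `idna` codec also applies the IDNA2003 mapping, so certificate names are now normalised before comparison rather than assumed to be A-labels as the removed comment said; a comment in canonicalize() saying whether that is intended would help.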