Issue #13034: When decoding some SSL certificates, the subjectAltName extension could...

author Antoine Pitrou <solipsis@pitrou.net>

Sat, 1 Oct 2011 17:20:25 +0000 (19:20 +0200)

committer Antoine Pitrou <solipsis@pitrou.net>

Sat, 1 Oct 2011 17:20:25 +0000 (19:20 +0200)
author Antoine Pitrou <solipsis@pitrou.net>
Sat, 1 Oct 2011 17:20:25 +0000 (19:20 +0200)
committer Antoine Pitrou <solipsis@pitrou.net>
Sat, 1 Oct 2011 17:20:25 +0000 (19:20 +0200)
diff --git a/Lib/test/nokia.pem b/Lib/test/nokia.pem

new file mode 100644 (file)

index 0000000..0d044df
--- /dev/null
+++ b/Lib/test/nokia.pem
@@ -0,0 +1,31 @@
+# Certificate for projects.developer.nokia.com:443 (see issue 13034)
+-----BEGIN CERTIFICATE-----
+MIIFLDCCBBSgAwIBAgIQLubqdkCgdc7lAF9NfHlUmjANBgkqhkiG9w0BAQUFADCB
+vDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
+ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
+YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDE2MDQGA1UEAxMt
+VmVyaVNpZ24gQ2xhc3MgMyBJbnRlcm5hdGlvbmFsIFNlcnZlciBDQSAtIEczMB4X
+DTExMDkyMTAwMDAwMFoXDTEyMDkyMDIzNTk1OVowcTELMAkGA1UEBhMCRkkxDjAM
+BgNVBAgTBUVzcG9vMQ4wDAYDVQQHFAVFc3BvbzEOMAwGA1UEChQFTm9raWExCzAJ
+BgNVBAsUAkJJMSUwIwYDVQQDFBxwcm9qZWN0cy5kZXZlbG9wZXIubm9raWEuY29t
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCr92w1bpHYSYxUEx8N/8Iddda2
+lYi+aXNtQfV/l2Fw9Ykv3Ipw4nLeGTj18FFlAZgMdPRlgrzF/NNXGw/9l3/qKdow
+CypkQf8lLaxb9Ze1E/KKmkRJa48QTOqvo6GqKuTI6HCeGlG1RxDb8YSKcQWLiytn
+yj3Wp4MgRQO266xmMQIDAQABo4IB9jCCAfIwQQYDVR0RBDowOIIccHJvamVjdHMu
+ZGV2ZWxvcGVyLm5va2lhLmNvbYIYcHJvamVjdHMuZm9ydW0ubm9raWEuY29tMAkG
+A1UdEwQCMAAwCwYDVR0PBAQDAgWgMEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9T
+VlJJbnRsLUczLWNybC52ZXJpc2lnbi5jb20vU1ZSSW50bEczLmNybDBEBgNVHSAE
+PTA7MDkGC2CGSAGG+EUBBxcDMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZl
+cmlzaWduLmNvbS9ycGEwKAYDVR0lBCEwHwYJYIZIAYb4QgQBBggrBgEFBQcDAQYI
+KwYBBQUHAwIwcgYIKwYBBQUHAQEEZjBkMCQGCCsGAQUFBzABhhhodHRwOi8vb2Nz
+cC52ZXJpc2lnbi5jb20wPAYIKwYBBQUHMAKGMGh0dHA6Ly9TVlJJbnRsLUczLWFp
+YS52ZXJpc2lnbi5jb20vU1ZSSW50bEczLmNlcjBuBggrBgEFBQcBDARiMGChXqBc
+MFowWDBWFglpbWFnZS9naWYwITAfMAcGBSsOAwIaBBRLa7kolgYMu9BSOJsprEsH
+iyEFGDAmFiRodHRwOi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvMS5naWYwDQYJ
+KoZIhvcNAQEFBQADggEBACQuPyIJqXwUyFRWw9x5yDXgMW4zYFopQYOw/ItRY522
+O5BsySTh56BWS6mQB07XVfxmYUGAvRQDA5QHpmY8jIlNwSmN3s8RKo+fAtiNRlcL
+x/mWSfuMs3D/S6ev3D6+dpEMZtjrhOdctsarMKp8n/hPbwhAbg5hVjpkW5n8vz2y
+0KxvvkA1AxpLwpVv7OlK17ttzIHw8bp9HTlHBU5s8bKz4a565V/a5HI0CSEv/+0y
+ko4/ghTnZc1CkmUngKKeFMSah/mT/xAh8XnE2l1AazFa8UKuYki1e+ArHaGZc4ix
+UYOtiRphwfuYQhRZ7qX9q2MMkCMI65XNK/SaFrAbbG0=
+-----END CERTIFICATE-----
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py

index 869381a5016b467734c6c5be8fd0538520b07eec..a79fce63bb835b4c17874c1ff923d37bd5ffec06 100644 (file)
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -51,6 +51,7 @@ EMPTYCERT = data_file("nullcert.pem")
  BADCERT = data_file("badcert.pem")
  WRONGCERT = data_file("XXXnonexisting.pem")
  BADKEY = data_file("badkey.pem")
+NOKIACERT = data_file("nokia.pem")
  
  
  def handle_error(prefix):
@@ -117,6 +118,31 @@ class BasicSocketTests(unittest.TestCase):
          p = ssl._ssl._test_decode_cert(CERTFILE)
          if support.verbose:
              sys.stdout.write("\n" + pprint.pformat(p) + "\n")
+        self.assertEqual(p['issuer'],
+                         ((('countryName', 'XY'),),
+                          (('localityName', 'Castle Anthrax'),),
+                          (('organizationName', 'Python Software Foundation'),),
+                          (('commonName', 'localhost'),))
+                        )
+        self.assertEqual(p['notAfter'], 'Oct  5 23:01:56 2020 GMT')
+        self.assertEqual(p['notBefore'], 'Oct  8 23:01:56 2010 GMT')
+        self.assertEqual(p['serialNumber'], 'D7C7381919AFC24E')
+        self.assertEqual(p['subject'],
+                         ((('countryName', 'XY'),),
+                          (('localityName', 'Castle Anthrax'),),
+                          (('organizationName', 'Python Software Foundation'),),
+                          (('commonName', 'localhost'),))
+                        )
+        self.assertEqual(p['subjectAltName'], (('DNS', 'localhost'),))
+        # Issue #13034: the subjectAltName in some certificates
+        # (notably projects.developer.nokia.com:443) wasn't parsed
+        p = ssl._ssl._test_decode_cert(NOKIACERT)
+        if support.verbose:
+            sys.stdout.write("\n" + pprint.pformat(p) + "\n")
+        self.assertEqual(p['subjectAltName'],
+                         (('DNS', 'projects.developer.nokia.com'),
+                          ('DNS', 'projects.forum.nokia.com'))
+                        )
  
      def test_DER_to_PEM(self):
          with open(SVN_PYTHON_ORG_ROOT_CERT, 'r') as f:
diff --git a/Misc/NEWS b/Misc/NEWS

index 2f6ef7f280a67c395ff2b3bed2880d7ef3b62b79..f13fbe8d3e9ef1b08270b5643f106a1a328ad613 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -36,6 +36,9 @@ Core and Builtins
  Library
  -------
  
+- Issue #13034: When decoding some SSL certificates, the subjectAltName
+  extension could be unreported.
+
  - Issue #9871: Prevent IDLE 3 crash when given byte stings
    with invalid hex escape sequences, like b'\x0'.
    (Original patch by Claudiu Popa.)
diff --git a/Modules/_ssl.c b/Modules/_ssl.c

index b27353a493ec2b3fe42d91e00b01458e9b4b8769..84ec477aaa9574ad79f2becbc62ed37238ca12c4 100644 (file)
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -578,7 +578,7 @@ _get_peer_alt_names (X509 *certificate) {
      /* get a memory buffer */
      biobuf = BIO_new(BIO_s_mem());
  
-    i = 0;
+    i = -1;
      while ((i = X509_get_ext_by_NID(
                      certificate, NID_subject_alt_name, i)) >= 0) {
author	Antoine Pitrou <solipsis@pitrou.net>
	Sat, 1 Oct 2011 17:20:25 +0000 (19:20 +0200)
committer	Antoine Pitrou <solipsis@pitrou.net>
	Sat, 1 Oct 2011 17:20:25 +0000 (19:20 +0200)
Lib/test/nokia.pem	[new file with mode: 0644]	patch \| blob
Lib/test/test_ssl.py		patch \| blob \| history
Misc/NEWS		patch \| blob \| history
Modules/_ssl.c		patch \| blob \| history