|
 |
ce0369 |
diff --git a/CHANGES.rst b/CHANGES.rst
|
|
|
ce0369 |
index b2b8ae6..0150d85 100644
|
|
|
ce0369 |
--- a/CHANGES.rst
|
|
|
ce0369 |
+++ b/CHANGES.rst
|
|
|
ce0369 |
@@ -1,6 +1,9 @@
|
|
|
ce0369 |
Changes
|
|
|
ce0369 |
=======
|
|
|
ce0369 |
|
|
|
ce0369 |
+* Accept ``iPAddress`` subject alternative name fields in TLS certificates.
|
|
|
ce0369 |
+ (Issue #258)
|
|
|
ce0369 |
+
|
|
|
ce0369 |
1.10.2 (2015-02-25)
|
|
|
ce0369 |
+++++++++++++++++++
|
|
|
ce0369 |
|
|
|
ce0369 |
diff --git a/dummyserver/certs/server.ip_san.crt b/dummyserver/certs/server.ip_san.crt
|
|
|
ce0369 |
new file mode 100644
|
|
|
ce0369 |
index 000000000..58689d64d
|
|
|
ce0369 |
--- /dev/null
|
|
|
ce0369 |
+++ b/dummyserver/certs/server.ip_san.crt
|
|
|
ce0369 |
@@ -0,0 +1,21 @@
|
|
|
ce0369 |
+-----BEGIN CERTIFICATE-----
|
|
|
ce0369 |
+MIIDeTCCAuKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBgTELMAkGA1UEBhMCRkkx
|
|
|
ce0369 |
+DjAMBgNVBAgMBWR1bW15MQ4wDAYDVQQHDAVkdW1teTEOMAwGA1UECgwFZHVtbXkx
|
|
|
ce0369 |
+DjAMBgNVBAsMBWR1bW15MREwDwYDVQQDDAhTbmFrZU9pbDEfMB0GCSqGSIb3DQEJ
|
|
|
ce0369 |
+ARYQZHVtbXlAdGVzdC5sb2NhbDAeFw0xMTEyMjIwNzU4NDBaFw0yMTEyMTgwNzU4
|
|
|
ce0369 |
+NDBaMGExCzAJBgNVBAYTAkZJMQ4wDAYDVQQIDAVkdW1teTEOMAwGA1UEBwwFZHVt
|
|
|
ce0369 |
+bXkxDjAMBgNVBAoMBWR1bW15MQ4wDAYDVQQLDAVkdW1teTESMBAGA1UEAwwJbG9j
|
|
|
ce0369 |
+YWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXe3FqmCWvP8XPxqtT
|
|
|
ce0369 |
++0bfL1Tvzvebi46k0WIcUV8bP3vyYiSRXG9ALmyzZH4GHY9UVs4OEDkCMDOBSezB
|
|
|
ce0369 |
+0y9ai/9doTNcaictdEBu8nfdXKoTtzrn+VX4UPrkH5hm7NQ1fTQuj1MR7yBCmYqN
|
|
|
ce0369 |
+3Q2Q+Efuujyx0FwBzAuy1aKYuwIDAQABo4IBHjCCARowCQYDVR0TBAIwADAdBgNV
|
|
|
ce0369 |
+HQ4EFgQUG+dK5Uos08QUwAWofDb3a8YcYlIwgbYGA1UdIwSBrjCBq4AUGXd/I2Ji
|
|
|
ce0369 |
+QllF+3Wdx3NyBLszCi2hgYekgYQwgYExCzAJBgNVBAYTAkZJMQ4wDAYDVQQIDAVk
|
|
|
ce0369 |
+dW1teTEOMAwGA1UEBwwFZHVtbXkxDjAMBgNVBAoMBWR1bW15MQ4wDAYDVQQLDAVk
|
|
|
ce0369 |
+dW1teTERMA8GA1UEAwwIU25ha2VPaWwxHzAdBgkqhkiG9w0BCQEWEGR1bW15QHRl
|
|
|
ce0369 |
+c3QubG9jYWyCCQCz67HKL+G/4zAJBgNVHRIEAjAAMCoGA1UdEQQjMCGBDnJvb3RA
|
|
|
ce0369 |
+bG9jYWxob3N0gglsb2NhbGhvc3SHBH8AAAEwDQYJKoZIhvcNAQEFBQADgYEAFEAy
|
|
|
ce0369 |
+O9rxM14W0pVJWHTZkWBcDTqp8A8OB3JFVxeuCNcbtyfyYLWs2juv4YMmo1EKBOQe
|
|
|
ce0369 |
+7LYfGuIvtIzT7KBa2QAPmX9JR+F6yl0IVSrYYt9hS7w9Cqr8+jK9QRpNwm3k25hp
|
|
|
ce0369 |
+BmmoT5b9Q+AYcLMtdMu3uFjLmQBI2XobI/9vCT4=
|
|
|
ce0369 |
+-----END CERTIFICATE-----
|
|
|
ce0369 |
diff --git a/dummyserver/server.py b/dummyserver/server.py
|
|
|
ce0369 |
index 18d81e1..3190835 100755
|
|
|
ce0369 |
--- a/dummyserver/server.py
|
|
|
ce0369 |
+++ b/dummyserver/server.py
|
|
|
ce0369 |
@@ -32,6 +32,10 @@ NO_SAN_CERTS = {
|
|
|
ce0369 |
'certfile': os.path.join(CERTS_PATH, 'server.no_san.crt'),
|
|
|
ce0369 |
'keyfile': DEFAULT_CERTS['keyfile']
|
|
|
ce0369 |
}
|
|
|
ce0369 |
+IP_SAN_CERTS = {
|
|
|
ce0369 |
+ 'certfile': os.path.join(CERTS_PATH, 'server.ip_san.crt'),
|
|
|
ce0369 |
+ 'keyfile': DEFAULT_CERTS['keyfile']
|
|
|
ce0369 |
+}
|
|
|
ce0369 |
DEFAULT_CA = os.path.join(CERTS_PATH, 'cacert.pem')
|
|
|
ce0369 |
DEFAULT_CA_BAD = os.path.join(CERTS_PATH, 'client_bad.pem')
|
|
|
ce0369 |
NO_SAN_CA = os.path.join(CERTS_PATH, 'cacert.no_san.pem')
|
|
|
ce0369 |
diff --git a/urllib3/packages/ssl_match_hostname/__init__.py b/urllib3/packages/ssl_match_hostname/__init__.py
|
|
|
ce0369 |
index dd59a75fd..d6594eb26 100644
|
|
|
ce0369 |
--- a/urllib3/packages/ssl_match_hostname/__init__.py
|
|
|
ce0369 |
+++ b/urllib3/packages/ssl_match_hostname/__init__.py
|
|
|
ce0369 |
@@ -1,5 +1,11 @@
|
|
|
ce0369 |
+import sys
|
|
|
ce0369 |
+
|
|
|
ce0369 |
try:
|
|
|
ce0369 |
- # Python 3.2+
|
|
|
ce0369 |
+ # Our match_hostname function is the same as 3.5's, so we only want to
|
|
|
ce0369 |
+ # import the match_hostname function if it's at least that good.
|
|
|
ce0369 |
+ if sys.version_info < (3, 5):
|
|
|
ce0369 |
+ raise ImportError("Fallback to vendored code")
|
|
|
ce0369 |
+
|
|
|
ce0369 |
from ssl import CertificateError, match_hostname
|
|
|
ce0369 |
except ImportError:
|
|
|
ce0369 |
try:
|
|
|
ce0369 |
diff --git a/urllib3/packages/ssl_match_hostname/_implementation.py b/urllib3/packages/ssl_match_hostname/_implementation.py
|
|
|
ce0369 |
index 52f428733..1fd42f38a 100644
|
|
|
ce0369 |
--- a/urllib3/packages/ssl_match_hostname/_implementation.py
|
|
|
ce0369 |
+++ b/urllib3/packages/ssl_match_hostname/_implementation.py
|
|
|
ce0369 |
@@ -4,8 +4,20 @@
|
|
|
ce0369 |
# stdlib. http://docs.python.org/3/license.html
|
|
|
ce0369 |
|
|
|
ce0369 |
import re
|
|
|
ce0369 |
+import sys
|
|
|
ce0369 |
+
|
|
|
ce0369 |
+# ipaddress has been backported to 2.6+ in pypi. If it is installed on the
|
|
|
ce0369 |
+# system, use it to handle IPAddress ServerAltnames (this was added in
|
|
|
ce0369 |
+# python-3.5) otherwise only do DNS matching. This allows
|
|
|
ce0369 |
+# backports.ssl_match_hostname to continue to be used all the way back to
|
|
|
ce0369 |
+# python-2.4.
|
|
|
ce0369 |
+try:
|
|
|
ce0369 |
+ import ipaddress
|
|
|
ce0369 |
+except ImportError:
|
|
|
ce0369 |
+ ipaddress = None
|
|
|
ce0369 |
+
|
|
|
ce0369 |
+__version__ = '3.5.0.1'
|
|
|
ce0369 |
|
|
|
ce0369 |
-__version__ = '3.4.0.2'
|
|
|
ce0369 |
|
|
|
ce0369 |
class CertificateError(ValueError):
|
|
|
ce0369 |
pass
|
|
|
ce0369 |
@@ -64,6 +76,23 @@ def _dnsname_match(dn, hostname, max_wildcards=1):
|
|
|
ce0369 |
return pat.match(hostname)
|
|
|
ce0369 |
|
|
|
ce0369 |
|
|
|
ce0369 |
+def _to_unicode(obj):
|
|
|
ce0369 |
+ if isinstance(obj, str) and sys.version_info < (3,):
|
|
|
ce0369 |
+ obj = unicode(obj, encoding='ascii', errors='strict')
|
|
|
ce0369 |
+ return obj
|
|
|
ce0369 |
+
|
|
|
ce0369 |
+def _ipaddress_match(ipname, host_ip):
|
|
|
ce0369 |
+ """Exact matching of IP addresses.
|
|
|
ce0369 |
+
|
|
|
ce0369 |
+ RFC 6125 explicitly doesn't define an algorithm for this
|
|
|
ce0369 |
+ (section 1.7.2 - "Out of Scope").
|
|
|
ce0369 |
+ """
|
|
|
ce0369 |
+ # OpenSSL may add a trailing newline to a subjectAltName's IP address
|
|
|
ce0369 |
+ # Divergence from upstream: ipaddress can't handle byte str
|
|
|
ce0369 |
+ ip = ipaddress.ip_address(_to_unicode(ipname).rstrip())
|
|
|
ce0369 |
+ return ip == host_ip
|
|
|
ce0369 |
+
|
|
|
ce0369 |
+
|
|
|
ce0369 |
def match_hostname(cert, hostname):
|
|
|
ce0369 |
"""Verify that *cert* (in decoded format as returned by
|
|
|
ce0369 |
SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125
|
|
|
ce0369 |
@@ -73,12 +102,35 @@ def match_hostname(cert, hostname):
|
|
|
ce0369 |
returns nothing.
|
|
|
ce0369 |
"""
|
|
|
ce0369 |
if not cert:
|
|
|
ce0369 |
- raise ValueError("empty or no certificate")
|
|
|
ce0369 |
+ raise ValueError("empty or no certificate, match_hostname needs a "
|
|
|
ce0369 |
+ "SSL socket or SSL context with either "
|
|
|
ce0369 |
+ "CERT_OPTIONAL or CERT_REQUIRED")
|
|
|
ce0369 |
+ try:
|
|
|
ce0369 |
+ # Divergence from upstream: ipaddress can't handle byte str
|
|
|
ce0369 |
+ host_ip = ipaddress.ip_address(_to_unicode(hostname))
|
|
|
ce0369 |
+ except ValueError:
|
|
|
ce0369 |
+ # Not an IP address (common case)
|
|
|
ce0369 |
+ host_ip = None
|
|
|
ce0369 |
+ except UnicodeError:
|
|
|
ce0369 |
+ # Divergence from upstream: Have to deal with ipaddress not taking
|
|
|
ce0369 |
+ # byte strings. addresses should be all ascii, so we consider it not
|
|
|
ce0369 |
+ # an ipaddress in this case
|
|
|
ce0369 |
+ host_ip = None
|
|
|
ce0369 |
+ except AttributeError:
|
|
|
ce0369 |
+ # Divergence from upstream: Make ipaddress library optional
|
|
|
ce0369 |
+ if ipaddress is None:
|
|
|
ce0369 |
+ host_ip = None
|
|
|
ce0369 |
+ else:
|
|
|
ce0369 |
+ raise
|
|
|
ce0369 |
dnsnames = []
|
|
|
ce0369 |
san = cert.get('subjectAltName', ())
|
|
|
ce0369 |
for key, value in san:
|
|
|
ce0369 |
if key == 'DNS':
|
|
|
ce0369 |
- if _dnsname_match(value, hostname):
|
|
|
ce0369 |
+ if host_ip is None and _dnsname_match(value, hostname):
|
|
|
ce0369 |
+ return
|
|
|
ce0369 |
+ dnsnames.append(value)
|
|
|
ce0369 |
+ elif key == 'IP Address':
|
|
|
ce0369 |
+ if host_ip is not None and _ipaddress_match(value, host_ip):
|
|
|
ce0369 |
return
|
|
|
ce0369 |
dnsnames.append(value)
|
|
|
ce0369 |
if not dnsnames:
|