author | Jenkins <jenkins@review.openstack.org> | 2013-08-22 21:12:36 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2013-08-22 21:12:36 +0000 |
commit | fe9a62b5b5681f3f8d467b24b8aca7ab646d1366 (patch) | |
tree | 68160b8f171aa3ecc74ca5d554fdc3de21903705 | |
parent | 53d3a0e129d085b3cb21e8827b321132f3b5f48e (diff) | |
parent | 683e40fd31d791683e272555485b9eef1400752a (diff) | |
download | python-glanceclient-fe9a62b5b5681f3f8d467b24b8aca7ab646d1366.tar.gz |
Merge "Allow single-wildcard SSL common name matching"
-rw-r--r-- | glanceclient/common/http.py | 11 | ||||
-rw-r--r-- | tests/test_ssl.py | 15 | ||||
-rw-r--r-- | tests/var/wildcard-certificate.crt | 61 |
3 files changed, 85 insertions, 2 deletions
diff --git a/glanceclient/common/http.py b/glanceclient/common/http.py
index f54d650..af3c0d0 100644
--- a/glanceclient/common/http.py
+++ b/glanceclient/common/http.py
@@ -327,10 +327,17 @@ class VerifiedHTTPSConnection(HTTPSConnection):
 connecting to, ie that the certificate's Common Name or a Subject Alternative Name matches 'host'.
 """
+ common_name = x509.get_subject().commonName
+
 # First see if we can match the CN
- if x509.get_subject().commonName == host:
+ if common_name == host:
 return True
+ # Support single wildcard matching
+ if common_name.startswith('*.') and host.find('.') > 0:
+ if common_name[2:] == host.split('.', 1)[1]:
+ return True
+
 # Also try Subject Alternative Names for a match
 san_list = None
 for i in xrange(x509.get_extension_count()):
@@ -343,7 +350,7 @@ class VerifiedHTTPSConnection(HTTPSConnection):
 # Server certificate does not match host
 msg = ('Host "%s" does not match x509 certificate contents: '
- 'CommonName "%s"' % (host, x509.get_subject().commonName))
+ 'CommonName "%s"' % (host, common_name))
 if san_list is not None:
 msg = msg + ', subjectAltName "%s"' % san_list
 raise exc.SSLCertificateError(msg)
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
index cc41f89..8792a9c 100644
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
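Review bot: The new wildcard branch calls `common_name.startswith('*.')` without guarding against a missing CN; as far as I can tell pyOpenSSL's X509Name yields None for an absent attribute, so a certificate that identifies itself only through subjectAltName now fails with AttributeError instead of falling through to the SAN loop the way the old `== host` comparison did. The match is also broader than the convention browsers enforce (see the wildcard discussion in RFC 6125 §7.2): `host.find('.') > 0` accepts a single-label suffix, so a CN of `*.com` would be accepted for `example.com`; requiring at least two labels after the wildcard closes that. Both fit in the one condition: `if common_name and common_name.startswith('*.') and host.count('.') >= 2:`. The enclosing method begins (its docstring) and ends outside this hunk; the second hunk's message formatting is fine with a None common_name.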
@@ -129,6 +129,21 @@ class TestVerifiedHTTPSConnection(testtools.TestCase):
 except Exception:
 self.fail('Unexpected exception.')
+ def test_ssl_cert_cname_wildcard(self):
+ """
+ Test certificate: wildcard CN match
+ """
+ cert_file = os.path.join(TEST_VAR_DIR, 'wildcard-certificate.crt')
+ cert = crypto.load_certificate(crypto.FILETYPE_PEM,
+ file(cert_file).read())
+ # The expected cert should have CN=*.pong.example.com
+ self.assertEqual(cert.get_subject().commonName, '*.pong.example.com')
+ try:
+ conn = http.VerifiedHTTPSConnection('ping.pong.example.com', 0)
+ conn.verify_callback(None, cert, 0, 0, 1)
+ except Exception:
+ self.fail('Unexpected exception.')
+
 def test_ssl_cert_subject_alt_name(self):
 """
 Test certificate: SAN match
diff --git a/tests/var/wildcard-certificate.crt b/tests/var/wildcard-certificate.crt
new file mode 100644
index 0000000..a5f0b62
--- /dev/null
+++ b/tests/var/wildcard-certificate.crt
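Review bot: The new test only exercises the accepting path; nothing asserts that the wildcard is refused where it must be, e.g. for the apex name 'pong.example.com' or a two-label prefix 'a.b.pong.example.com', so a later change that loosens the match would still pass the suite. A second test against the same certificate would cover it: `conn = http.VerifiedHTTPSConnection('pong.example.com', 0)` followed by `self.assertRaises(exc.SSLCertificateError, conn.verify_callback, None, cert, 0, 0, 1)` (that is the exception class http.py raises; check how test_ssl.py imports it). `file(cert_file).read()` also leaves the handle open — `with open(cert_file) as f:` is the cleaner form, though the neighbouring tests may share the pattern.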
@@ -0,0 +1,61 @@
+#Certificate:
+# Data:
+# Version: 1 (0x0)
+# Serial Number: 13493453254446411258 (0xbb42603e589dedfa)
+# Signature Algorithm: sha1WithRSAEncryption
+# Issuer: C=US, ST=CA, L=State1, O=Openstack Test Org, OU=Openstack Test Unit, CN=*.pong.example.com/emailAddress=admin@example.com
+# Validity
+# Not Before: Aug 21 17:29:18 2013 GMT
+# Not After : Jul 28 17:29:18 2113 GMT
+# Subject: C=US, ST=CA, L=State1, O=Openstack Test Org, OU=Openstack Test Unit, CN=*.pong.example.com/emailAddress=admin@example.com
+# Subject Public Key Info:
+# Public Key Algorithm: rsaEncryption
+# Public-Key: (4096 bit)
+# Modulus:
+# 00:d4:bb:3a:c4:a0:06:54:31:23:5d:b0:78:5a:be:
+# 45:44:ae:a1:89:86:11:d8:ca:a8:33:b0:4f:f3:e1:
+# 46:1e:85:a3:2a:9c:a4:e0:c2:14:34:4f:91:df:dc:
+# .
+# .
+# .
+# Exponent: 65537 (0x10001)
+# Signature Algorithm: sha1WithRSAEncryption
+# 9f:cc:08:5d:19:ee:54:31:a3:57:d7:3c:89:89:c0:69:41:dd:
+# 46:f8:73:68:ec:46:b9:fa:f5:df:f6:d9:58:35:d8:53:94:88:
+# bd:36:a6:23:9e:0c:0d:89:62:35:91:49:b6:14:f4:43:69:3c:
+# .
+# .
+# .
+-----BEGIN CERTIFICATE-----
+MIIFyjCCA7ICCQC7QmA+WJ3t+jANBgkqhkiG9w0BAQUFADCBpTELMAkGA1UEBhMC
+VVMxCzAJBgNVBAgMAkNBMQ8wDQYDVQQHDAZTdGF0ZTExGzAZBgNVBAoMEk9wZW5z
+dGFjayBUZXN0IE9yZzEcMBoGA1UECwwTT3BlbnN0YWNrIFRlc3QgVW5pdDEbMBkG
+A1UEAwwSKi5wb25nLmV4YW1wbGUuY29tMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBl
+eGFtcGxlLmNvbTAgFw0xMzA4MjExNzI5MThaGA8yMTEzMDcyODE3MjkxOFowgaUx
+CzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEPMA0GA1UEBwwGU3RhdGUxMRswGQYD
+VQQKDBJPcGVuc3RhY2sgVGVzdCBPcmcxHDAaBgNVBAsME09wZW5zdGFjayBUZXN0
+IFVuaXQxGzAZBgNVBAMMEioucG9uZy5leGFtcGxlLmNvbTEgMB4GCSqGSIb3DQEJ
+ARYRYWRtaW5AZXhhbXBsZS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQDUuzrEoAZUMSNdsHhavkVErqGJhhHYyqgzsE/z4UYehaMqnKTgwhQ0T5Hf
+3GmlIBt4I96/3cxj0qSLrdR81fM+5Km8lIlVHwVn1y6LKcMlaUC4K+sgDLcjhZfb
+f9+fMkcur3WlNzKpAEaIosWwsu6YvYc+W/nPBpKxMbOZ4fZiPMEo8Pxmw7sl/6hn
+lBOJj7dpZOZpHhVPZgzYNVoyfKCZiwgdxH4JEYa+EQos87+2Nwhs7bCgrTLLppCU
+vpobwZV5w4O0D6INpUfBmsr4IAuXeFWZa61vZYqhaVbAbTTlUzOLGh7Z2uz9gt75
+iSR2J0e2xntVaUIYLIAUNOO2edk8NMAuIOGr2EIyC7i2O/BTti2YjGNO7SsEClxi
+IFKjYahylHmNrS1Q/oMAcJppmhz+oOCmKOMmAZXYAH1A3gs/sWphJpgv/MWt6Ji2
+4VpFaJ+o4bHILlqIpuvL4GLIOkmxVP639khaumgKtgNIUTKJ/V6t/J31WARfxKxl
+BQTTzV/Be+84YJiiddx8eunU8AorPyAJFzsDPTJpFUB4Q5BwAeDGCySgxJpUqM2M
+TETBycdiVToM4SWkRsOZgZxQ+AVfkkqDct2Bat2lg9epcIez8PrsohQjQbmiqUUL
+2c3de4kLYzIWF8EN3P2Me/7b06jbn4c7Fly/AN6tJOG23BzhHQIDAQABMA0GCSqG
+SIb3DQEBBQUAA4ICAQCfzAhdGe5UMaNX1zyJicBpQd1G+HNo7Ea5+vXf9tlYNdhT
+lIi9NqYjngwNiWI1kUm2FPRDaTwC0kLxk5zBPzF7bcf0SwJCeDjmlUpY7YenS0DA
+XmIbg8FvgOlp69Ikrqz98Y4pB9H4O81WdjxNBBbHjrufAXxZYnh5rXrVsXeSJ8jN
+MYGWlSv4xwFGfRX53b8VwXFjGjAkH8SQGtRV2w9d0jF8OzFwBA4bKk4EplY0yBPR
+2d7Y3RVrDnOVfV13F8CZxJ5fu+6QamUwIaTjpyqflE1L52KTy+vWPYR47H2u2bhD
+IeZRufJ8adNIOtH32EcENkusQjLrb3cTXGW00TljhFXd22GqL5d740u+GEKHtWh+
+9OKPTMZK8yK7d5EyS2agTVWmXU6HfpAKz9+AEOnVYErpnggNZjkmJ9kD185rGlSZ
+Vvo429hXoUAHNbd+8zda3ufJnJf5q4ZEl8+hp8xsvraUy83XLroVZRsKceldmAM8
+swt6n6w5gRKg4xTH7KFrd+KNptaoY3SsVrnJuaSOPenrUXbZzaI2Q35CId93+8NP
+mXVIWdPO1msdZNiCYInRIGycK+oifUZPtAaJdErg8rt8NSpHzYKQ0jfjAGiVHBjK
+s0J2TjoKB3jtlrw2DAmFWKeMGNp//1Rm6kfQCCXWftn+TA7XEJhcjyDBVciugA==
+-----END CERTIFICATE----- |