authorJenkins <jenkins@review.openstack.org>2013-08-22 21:12:36 +0000
committerGerrit Code Review <review@openstack.org>2013-08-22 21:12:36 +0000
commitfe9a62b5b5681f3f8d467b24b8aca7ab646d1366 (patch)
tree68160b8f171aa3ecc74ca5d554fdc3de21903705
parent53d3a0e129d085b3cb21e8827b321132f3b5f48e (diff)
parent683e40fd31d791683e272555485b9eef1400752a (diff)
Merge "Allow single-wildcard SSL common name matching"
-rw-r--r--glanceclient/common/http.py11
-rw-r--r--tests/test_ssl.py15
-rw-r--r--tests/var/wildcard-certificate.crt61
3 files changed, 85 insertions, 2 deletions
diff --git a/glanceclient/common/http.py b/glanceclient/common/http.py
index f54d650..af3c0d0 100644
--- a/glanceclient/common/http.py
+++ b/glanceclient/common/http.py
@@ -327,10 +327,17 @@ class VerifiedHTTPSConnection(HTTPSConnection):
connecting to, ie that the certificate's Common Name
or a Subject Alternative Name matches 'host'.
"""
+ common_name = x509.get_subject().commonName
+
# First see if we can match the CN
- if x509.get_subject().commonName == host:
+ if common_name == host:
return True
+ # Support single wildcard matching
+ if common_name.startswith('*.') and host.find('.') > 0:
+ if common_name[2:] == host.split('.', 1)[1]:
+ return True
+
# Also try Subject Alternative Names for a match
san_list = None
for i in xrange(x509.get_extension_count()):
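Review bot: The new wildcard branch at `if common_name.startswith('*.') and host.find('.') > 0:` accepts a CN whose wildcard is the only label in front of a top-level or registry suffix, so a certificate issued for `*.com` would verify any `something.com`; RFC 6125 §6.4.3 and §7.2 advise against matching such names, and the usual defensive rule is to require at least two labels after the `*.`, e.g. `if common_name.startswith('*.') and '.' in common_name[2:] and host.find('.') > 0:`. The same branch also runs when `host` is an IP literal (a dotted quad passes `host.find('.') > 0`), which wildcard identifiers should never match per RFC 6125 §6.4.3, so a guard that skips the wildcard path for numeric hosts would be prudent. Both the exact and wildcard comparisons are case-sensitive while DNS names are not; this only rejects valid certificates, but a `.lower()` on both sides would match other clients' behaviour. The SAN loop that begins at the bottom of this hunk continues outside it and, as far as is visible here, receives no equivalent wildcard handling, so a wildcard in a dNSName SAN presumably still fails to match. verify_callback's body starts and ends outside the hunk.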
@@ -343,7 +350,7 @@ class VerifiedHTTPSConnection(HTTPSConnection):
# Server certificate does not match host
msg = ('Host "%s" does not match x509 certificate contents: '
- 'CommonName "%s"' % (host, x509.get_subject().commonName))
+ 'CommonName "%s"' % (host, common_name))
if san_list is not None:
msg = msg + ', subjectAltName "%s"' % san_list
raise exc.SSLCertificateError(msg)
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
index cc41f89..8792a9c 100644
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -129,6 +129,21 @@ class TestVerifiedHTTPSConnection(testtools.TestCase):
except Exception:
self.fail('Unexpected exception.')
+ def test_ssl_cert_cname_wildcard(self):
+ """
+ Test certificate: wildcard CN match
+ """
+ cert_file = os.path.join(TEST_VAR_DIR, 'wildcard-certificate.crt')
+ cert = crypto.load_certificate(crypto.FILETYPE_PEM,
+ file(cert_file).read())
+ # The expected cert should have CN=*.pong.example.com
+ self.assertEqual(cert.get_subject().commonName, '*.pong.example.com')
+ try:
+ conn = http.VerifiedHTTPSConnection('ping.pong.example.com', 0)
+ conn.verify_callback(None, cert, 0, 0, 1)
+ except Exception:
+ self.fail('Unexpected exception.')
+
def test_ssl_cert_subject_alt_name(self):
"""
Test certificate: SAN match
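Review bot: The new test_ssl_cert_cname_wildcard only exercises the accepting path, so it cannot tell single-label wildcard matching apart from an over-broad implementation; a companion case asserting that `pong.example.com` and `a.ping.pong.example.com` trigger the SSLCertificateError that verify_callback raises on mismatch against the same certificate would pin the intended semantics. The certificate is read with `file(cert_file).read()` and never closed, which matches the surrounding tests' style but leaks the handle until garbage collection; `with open(cert_file) as f:` avoids that. The enclosing TestVerifiedHTTPSConnection class continues outside the hunk.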
diff --git a/tests/var/wildcard-certificate.crt b/tests/var/wildcard-certificate.crt
new file mode 100644
index 0000000..a5f0b62
--- /dev/null
+++ b/tests/var/wildcard-certificate.crt
@@ -0,0 +1,61 @@
+#Certificate:
+# Data:
+# Version: 1 (0x0)
+# Serial Number: 13493453254446411258 (0xbb42603e589dedfa)
+# Signature Algorithm: sha1WithRSAEncryption
+# Issuer: C=US, ST=CA, L=State1, O=Openstack Test Org, OU=Openstack Test Unit, CN=*.pong.example.com/emailAddress=admin@example.com
+# Validity
+# Not Before: Aug 21 17:29:18 2013 GMT
+# Not After : Jul 28 17:29:18 2113 GMT
+# Subject: C=US, ST=CA, L=State1, O=Openstack Test Org, OU=Openstack Test Unit, CN=*.pong.example.com/emailAddress=admin@example.com
+# Subject Public Key Info:
+# Public Key Algorithm: rsaEncryption
+# Public-Key: (4096 bit)
+# Modulus:
+# 00:d4:bb:3a:c4:a0:06:54:31:23:5d:b0:78:5a:be:
+# 45:44:ae:a1:89:86:11:d8:ca:a8:33:b0:4f:f3:e1:
+# 46:1e:85:a3:2a:9c:a4:e0:c2:14:34:4f:91:df:dc:
+# .
+# .
+# .
+# Exponent: 65537 (0x10001)
+# Signature Algorithm: sha1WithRSAEncryption
+# 9f:cc:08:5d:19:ee:54:31:a3:57:d7:3c:89:89:c0:69:41:dd:
+# 46:f8:73:68:ec:46:b9:fa:f5:df:f6:d9:58:35:d8:53:94:88:
+# bd:36:a6:23:9e:0c:0d:89:62:35:91:49:b6:14:f4:43:69:3c:
+# .
+# .
+# .
+-----BEGIN CERTIFICATE-----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==
+-----END CERTIFICATE-----