/usr/lib/python2.7/dist-packages/service_identity/pyopenssl.py is in python-service-identity 1.0.0-3.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 | # -*- test-case-name: tests.test_pyopenssl -*-
"""
`pyOpenSSL <https://github.com/pyca/pyopenssl>`_-specific code.
"""
from __future__ import absolute_import, division, print_function
from pyasn1.codec.der.decoder import decode
from pyasn1.type.char import IA5String
from pyasn1.type.univ import ObjectIdentifier
from pyasn1_modules.rfc2459 import GeneralNames
from ._common import (
CertificateError,
DNSPattern,
DNS_ID,
SRVPattern,
URIPattern,
verify_service_identity,
)
def verify_hostname(connection, hostname):
"""
Verify whether *connection* has a valid certificate chain for *hostname*.
"""
verify_service_identity(
cert_patterns=extract_ids(connection.get_peer_certificate()),
obligatory_ids=[DNS_ID(hostname)],
optional_ids=[],
)
ID_ON_DNS_SRV = ObjectIdentifier('1.3.6.1.5.5.7.8.7') # id_on_dnsSRV
def extract_ids(cert):
"""
Extract all valid IDs from a certificate for service verification.
If *cert* doesn't contain any identifiers, the ``CN``s are used as DNS-IDs
as fallback.
:param cert: The certificate to be dissected.
:type cert: :class:`OpenSSL.SSL.X509`
:return: List of IDs.
"""
ids = []
for i in range(cert.get_extension_count()):
ext = cert.get_extension(i)
if ext.get_short_name() == b"subjectAltName":
names, _ = decode(ext.get_data(), asn1Spec=GeneralNames())
for n in names:
name_string = n.getName()
if name_string == "dNSName":
ids.append(DNSPattern(n.getComponent().asOctets()))
elif name_string == "uniformResourceIdentifier":
ids.append(URIPattern(n.getComponent().asOctets()))
elif name_string == "otherName":
comp = n.getComponent()
oid = comp.getComponentByPosition(0)
if oid == ID_ON_DNS_SRV:
srv, _ = decode(comp.getComponentByPosition(1))
if isinstance(srv, IA5String):
ids.append(SRVPattern(srv.asOctets()))
else: # pragma: nocover
raise CertificateError(
"Unexpected certificate content."
)
if not ids:
# http://tools.ietf.org/search/rfc6125#section-6.4.4
# A client MUST NOT seek a match for a reference identifier of CN-ID if
# the presented identifiers include a DNS-ID, SRV-ID, URI-ID, or any
# application-specific identifier types supported by the client.
ids = [DNSPattern(c[1])
for c
in cert.get_subject().get_components()
if c[0] == b"CN"]
return ids
__all__ = [
"verify_hostname",
]
|