Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for parsing common/alt names #63

Closed
wants to merge 10 commits into from
Closed

Conversation

rmccue
Copy link
Collaborator

@rmccue rmccue commented Aug 11, 2013

This appears to follow both the specification and browser behaviour, but this should be double-checked before merge.

Pinging @mdawaffe for a review on this. Appears to follow both the RFC and Firefox's implementation.

Notably, doesn't support double wildcards (*.*.x.com), but I'm not sure that browsers support this any more. Google has migrated away from it for App Engine, I believe due to browser support.

This appears to follow both the specification and browser behaviour, but this
should be double-checked before merge.
@rmccue
Copy link
Collaborator Author

rmccue commented Aug 11, 2013

Crap, 5.2 support. Working on this now.

@coveralls
Copy link

Coverage Status

Coverage decreased (-0%) when pulling 727de7b on common-name into 08e3638 on master.

@coveralls
Copy link

Coverage Status

Coverage decreased (-0%) when pulling af873c1 on common-name into 08e3638 on master.

@coveralls
Copy link

Coverage Status

Coverage decreased (-0%) when pulling 7c3c967 on common-name into 08e3638 on master.

@rmccue
Copy link
Collaborator Author

rmccue commented Aug 11, 2013

Tests are now passing completely, but 5.2 requires some manual testing here, since Travis skips them (it doesn't have OpenSSL enabled, alas). I'll attempt this tomorrow if no one beats me to it. :)

@coveralls
Copy link

Coverage Status

Coverage decreased (-0%) when pulling 4502755 on common-name into 08e3638 on master.

@rmccue
Copy link
Collaborator Author

rmccue commented Aug 11, 2013

Also to test: self-signed certificates. They should be handled by the built in verification, but we should formalise this with a test.

@rmccue
Copy link
Collaborator Author

rmccue commented Sep 3, 2013

Does not support IP address certificates, possibly vulnerable to MITM attacks with those? (CN = google.com, subjectAltName = IP: 127.0.0.1)

@mdawaffe
Copy link

mdawaffe commented Sep 4, 2013

Two thoughts about the wildcard matching.

  1. From RFC 2818 Section 3.1:

    Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., .a.com matches foo.a.com but not bar.foo.a.com. f.com matches foo.com but not bar.com.

    So, technically, the matching needs to be fancier than what the code here does. Whether anyone actually does something like "f*.com" (which seems like a silly thing to do), I don't know.

  2. If the host is "example.com", the code will test a wildcard match for "*.com", which seems odd.

@mdawaffe
Copy link

mdawaffe commented Sep 4, 2013

Some of the test cases have no assertions.

@rmccue
Copy link
Collaborator Author

rmccue commented Sep 4, 2013

Some of the test cases have no assertions.

Handled by the @expectedException Requests_Exception tag instead for those.

So, technically, the matching needs to be fancier than what the code here does. Whether anyone actually does something like "f*.com" (which seems like a silly thing to do), I don't know.

@dd32 used regular expressions for this in the WP port, I'll switch to doing the same.

If the host is "example.com", the code will test a wildcard match for "*.com", which seems odd.

Without using the public suffix list and doing extra validation, can't really catch this. Also IMO a problem for the upstream CAs; if they want to issue a certificate for *.com, that's their policy (although I'd expect to see them dropped from the bundle).

Thanks for the feedback! 🍰

@mdawaffe
Copy link

mdawaffe commented Sep 4, 2013

Handled by the @expectedException Requests_Exception tag instead for those.

Oh, oops. Nice :)

@dd32
Copy link
Member

dd32 commented Sep 4, 2013

So, technically, the matching needs to be fancier than what the code here does. Whether anyone actually does something like "f*.com" (which seems like a silly thing to do), I don't know.

@dd32 used regular expressions for this in the WP port, I'll switch to doing the same.

Originally I was using a regular expression for matching, but switched it to only allowing .example.com, no f.com funkyness.

@rmccue
Copy link
Collaborator Author

rmccue commented Sep 4, 2013

Originally I was using a regular expression for matching, but switched it to only allowing .example.com, no f.com funkyness.

Noted. I'm wary of allowing f*.com personally, lest it gets exploited.

@rmccue
Copy link
Collaborator Author

rmccue commented Sep 4, 2013

For reference, all implementations of Firefox (NSS for desktop versions and httpclientandroidlib on Android) allow f*.com, but only with the wildcard as the final character. They also only allow them for >3 components, as per the following comment from NSS:

/* For a cn pattern to be considered valid, the wildcard character...
 * - may occur only in a DNS name with at least 3 components, and
 * - may occur only as last character in the first component, and
 * - may be preceded by additional characters
 */

I'm happy with those restrictions for Requests.

@rmccue
Copy link
Collaborator Author

rmccue commented Sep 24, 2013

To complete before merging:

  • Make the pattern checking stricter
  • Rearrange certificates to catch bug with old OpenSSL caught by @dd32

This was referenced Sep 24, 2013
rmccue added 3 commits October 4, 2013 17:17
This makes it easier to test, as it means we don't need to test against live
APIs.
Fixes an obscure bug with OpenSSL 0.9.8j and lower. Props @dd32, see
http://core.trac.wordpress.org/changeset/25569 for prior art.
@rmccue rmccue closed this in 450f400 Oct 6, 2013
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants