Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Replace deprecated ssl.match_hostname method (fixes: #368) #389

Merged
merged 1 commit into from
Jul 5, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions pyproject.toml
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ dependencies = [
"certifi",
"pylsqpack>=0.3.3,<0.4.0",
"pyopenssl>=22",
"service-identity>=23.1.0",
]
dynamic = ["version"]

Expand Down
23 changes: 7 additions & 16 deletions src/aioquic/tls.py
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
)

import certifi
import service_identity
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.backends import default_backend
Expand Down Expand Up @@ -216,24 +217,14 @@ def verify_certificate(

# verify subject
if server_name is not None:
subject = []
subjectAltName: List[Tuple[str, str]] = []
for attr in certificate.subject:
if attr.oid == x509.NameOID.COMMON_NAME:
subject.append((("commonName", attr.value),))
for ext in certificate.extensions:
if isinstance(ext.value, x509.SubjectAlternativeName):
for name in ext.value:
if isinstance(name, x509.DNSName):
subjectAltName.append(("DNS", name.value))

try:
ssl.match_hostname(
{"subject": tuple(subject), "subjectAltName": tuple(subjectAltName)},
server_name,
service_identity.cryptography.verify_certificate_hostname(
certificate, server_name
)
except ssl.CertificateError as exc:
raise AlertBadCertificate("\n".join(exc.args)) from exc
except service_identity.VerificationError as exc:
raise AlertBadCertificate(
"Certificate does not match hostname '%s'" % server_name
) from exc

# load CAs
store = crypto.X509Store()
Expand Down
12 changes: 9 additions & 3 deletions tests/test_asyncio.py
Original file line number Diff line number Diff line change
Expand Up @@ -149,19 +149,25 @@ async def _test_connect_and_serve_with_certificate(self, certificate, private_ke
@asynctest
async def test_connect_and_serve_with_ec_certificate(self):
await self._test_connect_and_serve_with_certificate(
*generate_ec_certificate(common_name="localhost")
*generate_ec_certificate(
alternative_names=["localhost"], common_name="localhost"
)
)

@asynctest
async def test_connect_and_serve_with_ed25519_certificate(self):
await self._test_connect_and_serve_with_certificate(
*generate_ed25519_certificate(common_name="localhost")
*generate_ed25519_certificate(
alternative_names=["localhost"], common_name="localhost"
)
)

@asynctest
async def test_connect_and_serve_with_ed448_certificate(self):
await self._test_connect_and_serve_with_certificate(
*generate_ed448_certificate(common_name="localhost")
*generate_ed448_certificate(
alternative_names=["localhost"], common_name="localhost"
)
)

@asynctest
Expand Down
38 changes: 8 additions & 30 deletions tests/test_tls.py
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,6 @@
)
from cryptography.exceptions import UnsupportedAlgorithm
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ec

from .utils import (
SERVER_CACERTFILE,
Expand Down Expand Up @@ -1295,7 +1294,7 @@ def test_verify_certificate_chain(self):

def test_verify_certificate_chain_self_signed(self):
certificate, _ = generate_ec_certificate(
common_name="localhost", curve=ec.SECP256R1
alternative_names=["localhost"], common_name="localhost"
)

with patch("aioquic.tls.utcnow") as mock_utcnow:
Expand All @@ -1321,7 +1320,7 @@ def test_verify_certificate_chain_self_signed(self):

def test_verify_dates(self):
certificate, _ = generate_ec_certificate(
common_name="example.com", curve=ec.SECP256R1
alternative_names=["example.com"], common_name="example.com"
)
cadata = certificate.public_bytes(serialization.Encoding.PEM)

Expand Down Expand Up @@ -1360,45 +1359,26 @@ def test_verify_dates(self):
)
self.assertEqual(str(cm.exception), "Certificate is no longer valid")

def test_verify_subject(self):
certificate, _ = generate_ec_certificate(
common_name="example.com", curve=ec.SECP256R1
)
def test_verify_subject_no_subjaltname(self):
certificate, _ = generate_ec_certificate(common_name="example.com")
cadata = certificate.public_bytes(serialization.Encoding.PEM)

with patch("aioquic.tls.utcnow") as mock_utcnow:
mock_utcnow.return_value = certificate.not_valid_before

# valid
verify_certificate(
cadata=cadata, certificate=certificate, server_name="example.com"
)

# invalid
with self.assertRaises(tls.AlertBadCertificate) as cm:
verify_certificate(
cadata=cadata,
certificate=certificate,
server_name="test.example.com",
)
self.assertEqual(
str(cm.exception),
"hostname 'test.example.com' doesn't match 'example.com'",
)

# certificates with no SubjectAltName are rejected
with self.assertRaises(tls.AlertBadCertificate) as cm:
verify_certificate(
cadata=cadata, certificate=certificate, server_name="acme.com"
cadata=cadata, certificate=certificate, server_name="example.com"
)
self.assertEqual(
str(cm.exception), "hostname 'acme.com' doesn't match 'example.com'"
str(cm.exception), "Certificate does not match hostname 'example.com'"
)

def test_verify_subject_with_subjaltname(self):
certificate, _ = generate_ec_certificate(
alternative_names=["*.example.com", "example.com"],
common_name="example.com",
curve=ec.SECP256R1,
)
cadata = certificate.public_bytes(serialization.Encoding.PEM)

Expand All @@ -1419,7 +1399,5 @@ def test_verify_subject_with_subjaltname(self):
cadata=cadata, certificate=certificate, server_name="acme.com"
)
self.assertEqual(
str(cm.exception),
"hostname 'acme.com' doesn't match either of '*.example.com', "
"'example.com'",
str(cm.exception), "Certificate does not match hostname 'acme.com'"
)