
* not allowed in general names #2054

Closed
reaperhulk opened this issue Jun 22, 2015 · 5 comments · Fixed by #2059 or #2071

Comments

@reaperhulk
Member

If you attempt to parse a DNS name from a certificate SAN that contains a wildcard (e.g. *.cryptography.io) you get an IDNA InvalidCodePoint when it should successfully parse.

@reaperhulk
Member Author

I'm not entirely sure how to resolve this short of just excluding a name from the IDNA decode if there's a * in it. Ideas?

@alex
Member

alex commented Jun 22, 2015

Presumably in *.cryptography.io the cryptography.io portion should still be IDNA decoded?

@reaperhulk
Member Author

Yeah, I think so.

@alex
Member

alex commented Jun 24, 2015

This isn't actually fixed, we just added a vector.

alex reopened this Jun 24, 2015
reaperhulk added a commit to reaperhulk/cryptography that referenced this issue Jun 27, 2015
@JoshData
Contributor

JoshData commented Jul 2, 2015

Hey, I'm wondering why you IDNA-decode at all here. The cert's subject CN won't be IDNA decoded, so it's a little inconsistent. When doing rudimentary validity checking on whether a cert matches a domain, the caller will be given an IDNA (ASCII but returned as a Python 3 str) common name and IDNA-decoded SAN values. If the caller has IDNA, it'll have to do the same "*." wildcard fix to make the string comparable with the DNSName value, and if the caller has Unicode it'll have to do the "*." fix in reverse to get IDNA to compare with the CN. (Reference: mail-in-a-box/mailinabox#467)
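
The thread above converges on splitting off the "*." label before IDNA decoding and re-attaching it afterwards, and JoshData's comment points out that a caller then still has to compare a wildcard DNSName against a CN or hostname in some common form. The following is an added example written for this page, not pyca/cryptography code: it assumes Python's standard-library `idna` codec in place of the third-party `idna` package the project uses, and the function names are invented.

```python
# Added example, not pyca/cryptography code. Assumption: the stdlib "idna"
# codec stands in for the third-party idna package that raises on "*".

WILDCARD_PREFIX = "*."


def decode_san_dns_name(value: str) -> str:
    """Convert a SAN dNSName (A-labels, as stored in the certificate) to U-labels.

    "*" is not a valid IDNA code point, so a leading "*." is split off before
    decoding and re-attached afterwards, as proposed in the issue above.
    """
    wildcard = value.startswith(WILDCARD_PREFIX)
    if wildcard:
        value = value[len(WILDCARD_PREFIX):]
    decoded = value.encode("ascii").decode("idna")
    return WILDCARD_PREFIX + decoded if wildcard else decoded


def to_a_label(name: str) -> str:
    """Canonical lowercase ASCII form, accepting either A-labels or U-labels.

    Comparing in this one form avoids the "wildcard fix in reverse" that a
    caller holding a Unicode name would otherwise need against an ASCII CN.
    """
    wildcard = name.startswith(WILDCARD_PREFIX)
    if wildcard:
        name = name[len(WILDCARD_PREFIX):]
    ascii_name = name.encode("idna").decode("ascii").lower()
    return WILDCARD_PREFIX + ascii_name if wildcard else ascii_name


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match a presented hostname against a certificate name.

    A leading "*" covers exactly one leftmost label (RFC 6125 style); it never
    matches the bare domain or more than one label, and a hostname may not
    itself contain a wildcard.
    """
    pattern = to_a_label(pattern)
    hostname = to_a_label(hostname)
    if hostname.startswith(WILDCARD_PREFIX):
        return False
    if not pattern.startswith(WILDCARD_PREFIX):
        return pattern == hostname
    host_labels = hostname.split(".")
    pattern_labels = pattern.split(".")
    # "*" replaces a single label: same label count, identical remaining suffix.
    return (len(host_labels) == len(pattern_labels)
            and host_labels[1:] == pattern_labels[1:])
```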
