handle wildcard DNSNames with IDNA.

[reaperhulk]

fixes #2054

[alex]

Is there a reason not to just write this as idna.decode(parts[2:])

[reaperhulk]

No reason other than that it totally didn't occur to me. I assume you mean parts[1:] and drop the pop right?

[alex]

I mean, drop the split as well.

On Fri, Jun 26, 2015 at 11:25 PM, Paul Kehrer notifications@github.com
wrote:

In src/cryptography/hazmat/backends/openssl/x509.py
#2071 (comment):

@@ -82,7 +82,20 @@ def _decode_general_names(backend, gns):
def _decode_general_name(backend, gn):
if gn.type == backend._lib.GEN_DNS:
data = backend._ffi.buffer(gn.d.dNSName.data, gn.d.dNSName.length)[:]

•    return x509.DNSName(idna.decode(data))
  

•    if data.startswith(b"*."):
  

•        # This is a wildcard name. We need to split on period, remove the
  

•        # leading wildcard, IDNA decode, then re-add the wildcard
  

•        # Wildcard characters should always be left-most (RFC 2595
  

•        # section 2.4).
  

•        parts = data.split(b".")
  

•        parts.pop(0)
  

•        data = u"*." + idna.decode(b".".join(parts))
  

No reason other than that it totally didn't occur to me. I assume you mean
parts[1:] and drop the pop right?

—
Reply to this email directly or view it on GitHub
https://github.com/pyca/cryptography/pull/2071/files#r33409091.

"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084

[alex]

Should have been idna.decode(data[2:])

[reaperhulk]

Yeah, that's a better way to do it.