Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs.

2025-11-01 10:45:30 +00:00 · 2016-09-06 23:25:35 +02:00 · 2016-09-06 23:25:35 +02:00 · 1c03abd026
commit 1c03abd026
parent 03d13c0cbf
5 changed files with 142 additions and 5 deletions
--- a/Lib/test/make_ssl_certs.py
+++ b/Lib/test/make_ssl_certs.py
@ -20,7 +20,28 @@ req_template = """
    CN                     = {hostname}

    [req_x509_extensions]
-    subjectAltName         = DNS:{hostname}
+    subjectAltName         = @san
+
+    [san]
+    DNS.1 = {hostname}
+    {extra_san}
+
+    [dir_sect]
+    C                      = XY
+    L                      = Castle Anthrax
+    O                      = Python Software Foundation
+    CN                     = dirname example
+
+    [princ_name]
+    realm = EXP:0, GeneralString:KERBEROS.REALM
+    principal_name = EXP:1, SEQUENCE:principal_seq
+
+    [principal_seq]
+    name_type = EXP:0, INTEGER:1
+    name_string = EXP:1, SEQUENCE:principals
+
+    [principals]
+    princ1 = GeneralString:username

    [ ca ]
    default_ca      = CA_default
@ -67,7 +88,7 @@ req_template = """

 here = os.path.abspath(os.path.dirname(__file__))

-def make_cert_key(hostname, sign=False):
+def make_cert_key(hostname, sign=False, extra_san=''):
    print("creating cert for " + hostname)
    tempnames = []
    for i in range(3):
@ -75,8 +96,9 @@ def make_cert_key(hostname, sign=False):
            tempnames.append(f.name)
    req_file, cert_file, key_file = tempnames
    try:
+        req = req_template.format(hostname=hostname, extra_san=extra_san)
        with open(req_file, 'w') as f:
-            f.write(req_template.format(hostname=hostname))
+            f.write(req)
        args = ['req', '-new', '-days', '3650', '-nodes',
                '-newkey', 'rsa:1024', '-keyout', key_file,
                '-config', req_file]
@ -120,7 +142,7 @@ def make_ca():
        f.write('unique_subject = no')

    with tempfile.NamedTemporaryFile("w") as t:
-        t.write(req_template.format(hostname='our-ca-server'))
+        t.write(req_template.format(hostname='our-ca-server', extra_san=''))
        t.flush()
        with tempfile.NamedTemporaryFile() as f:
            args = ['req', '-new', '-days', '3650', '-extensions', 'v3_ca', '-nodes',
@ -171,6 +193,25 @@ if __name__ == '__main__':
        f.write(key)
        f.write(cert)

+    extra_san = [
+        'otherName.1 = 1.2.3.4;UTF8:some other identifier',
+        'otherName.2 = 1.3.6.1.5.2.2;SEQUENCE:princ_name',
+        'email.1 = user@example.org',
+        'DNS.2 = www.example.org',
+        # GEN_X400
+        'dirName.1 = dir_sect',
+        # GEN_EDIPARTY
+        'URI.1 = https://www.python.org/',
+        'IP.1 = 127.0.0.1',
+        'IP.2 = ::1',
+        'RID.1 = 1.2.3.4.5',
+    ]
+
+    cert, key = make_cert_key('allsans', extra_san='\n'.join(extra_san))
+    with open('allsans.pem', 'w') as f:
+        f.write(key)
+        f.write(cert)
+
    unmake_ca()
    print("\n\nPlease change the values in test_ssl.py, test_parse_cert function related to notAfter,notBefore and serialNumber")
    check_call(['openssl','x509','-in','keycert.pem','-dates','-serial','-noout'])