Check alternative subject names.

2020-05-17 22:36:10 +02:00 · 2020-05-17 22:36:10 +02:00 · ec07491578
parent 094e3117c4
commit ec07491578
1 changed files with 17 additions and 3 deletions
--- a/av98.py
+++ b/av98.py
@ -665,10 +665,24 @@ Slow internet connection?  Use 'set timeout' to be more patient.""")
            elif c.not_valid_after <= now:
                raise CertificateError("Certificate expired as of: {})!".format(c.not_valid_after))

-            # Check certificate hostname
-            # TODO: Check alternative names too
+            # Check certificate hostnames
+            names = []
            common_name = c.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)[0].value
-            ssl._dnsname_match(common_name, host)
+            names.append(common_name)
+            try:
+                names.extend([alt.value for alt in c.extensions.get_extension_for_oid(x509.oid.ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value])
+            except x509.ExtensionNotFound:
+                pass
+            names = set(names)
+            for name in names:
+                try:
+                    ssl._dnsname_match(common_name, host)
+                    break
+                except CertificateError:
+                    continue
+            else:
+                # If we didn't break out, none of the names were valid
+                raise CertificateError("Hostname does not match certificate common name or any alternative names.")

        sha = hashlib.sha256()
        sha.update(cert)