From ec074915782e2f01f92ffe0820b0bc28f7960f12 Mon Sep 17 00:00:00 2001
From: Solderpunk
Date: Sun, 17 May 2020 22:36:10 +0200
Subject: [PATCH] Check alternative subject names.

---
 av98.py | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/av98.py b/av98.py
index 3088c0c..de1ad64 100755
--- a/av98.py
+++ b/av98.py
@@ -665,10 +665,24 @@ Slow internet connection? Use 'set timeout' to be more patient.""")
         elif c.not_valid_after <= now:
             raise CertificateError("Certificate expired as of: {})!".format(c.not_valid_after))
 
-        # Check certificate hostname
-        # TODO: Check alternative names too
+        # Check certificate hostnames
+        names = []
         common_name = c.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)[0].value
-        ssl._dnsname_match(common_name, host)
+        names.append(common_name)
+        try:
+            names.extend([alt.value for alt in c.extensions.get_extension_for_oid(x509.oid.ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value])
+        except x509.ExtensionNotFound:
+            pass
+        names = set(names)
+        for name in names:
+            try:
+                ssl._dnsname_match(common_name, host)
+                break
+            except CertificateError:
+                continue
+        else:
+            # If we didn't break out, none of the names were valid
+            raise CertificateError("Hostname does not match certificate common name or any alternative names.")
 
         sha = hashlib.sha256()
         sha.update(cert)
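Review bot: The hostname check in the new loop never fails: `ssl._dnsname_match` reports a mismatch with a falsy return value rather than by raising `CertificateError` (it raises only for malformed wildcard patterns), so the first iteration always reaches `break` and the `else: raise` is unreachable; on top of that the call passes `common_name` instead of the loop variable `name`, so the alternative names collected above are never consulted. The SAN gathering also takes `alt.value` from every GeneralName, so a certificate with an IP-address or URI entry puts a non-string into `names`; `get_values_for_type(x509.DNSName)` yields only the DNS names, and the `[0]` on the COMMON_NAME attributes raises `IndexError` on a SAN-only certificate with no CN. Note that `_dnsname_match` is a private helper of the `ssl` module and may not be available in later Python releases, so a replacement should be planned; RFC 6125 also says the CN should not be consulted when a SAN extension is present, which is worth deciding deliberately rather than silently unioning the two. The enclosing method begins and ends outside this hunk.
```python
        # Check certificate hostnames
        names = [attr.value for attr in c.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)]
        try:
            san = c.extensions.get_extension_for_oid(x509.oid.ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
            names.extend(san.get_values_for_type(x509.DNSName))
        except x509.ExtensionNotFound:
            pass
        # _dnsname_match() signals a mismatch with a falsy return value, not a
        # CertificateError, so the result has to be tested rather than caught.
        if not any(ssl._dnsname_match(name, host) for name in set(names)):
            raise CertificateError("Hostname does not match certificate common name or any alternative names.")
        # … unchanged: fingerprint computation …
```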