properly handle SNI IPs

fixes mitmproxy/mitmproxy#772 We must use the ipaddress package here, because that's what cryptography uses. If we opt for something else, we have nasty namespace conflicts.
2015-09-18 15:35:02 +02:00 · 2015-09-18 15:35:02 +02:00 · 7b6b157547
parent f2c87cff8a
commit 7b6b157547
2 changed files with 23 additions and 11 deletions
--- a/netlib/certutils.py
+++ b/netlib/certutils.py
@ -4,6 +4,7 @@ import ssl
 import time
 import datetime
 import itertools
+import ipaddress
 from pyasn1.type import univ, constraint, char, namedtype, tag
 from pyasn1.codec.der.decoder import decode
 from pyasn1.error import PyAsn1Error
@ -85,8 +86,13 @@ def dummy_cert(privkey, cacert, commonname, sans):
    """
    ss = []
    for i in sans:
-        ss.append("DNS: %s" % i)
-    ss = ", ".join(ss)
+        try:
+            ipaddress.ip_address(i.decode("ascii"))
+        except ValueError:
+            ss.append(b"DNS: %s" % i)
+        else:
+            ss.append(b"IP: %s" % i)
+    ss = b", ".join(ss)

    cert = OpenSSL.crypto.X509()
    cert.gmtime_adj_notBefore(-3600 * 48)
@ -335,6 +341,7 @@ class CertStore(object):
 class _GeneralName(univ.Choice):
    # We are only interested in dNSNames. We use a default handler to ignore
    # other types.
+    # TODO: We should also handle iPAddresses.
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('dNSName', char.IA5String().subtype(
            implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)
--- a/setup.py
+++ b/setup.py
@ -1,6 +1,7 @@
 from setuptools import setup, find_packages
 from codecs import open
 import os
+import sys

 from netlib import version

@ -13,6 +14,18 @@ here = os.path.abspath(os.path.dirname(__file__))
 with open(os.path.join(here, 'README.mkd'), encoding='utf-8') as f:
    long_description = f.read()

+deps = {
+    "pyasn1>=0.1.7",
+    "pyOpenSSL>=0.15.1",
+    "cryptography>=1.0",
+    "passlib>=1.6.2",
+    "hpack>=1.0.1",
+    "six>=1.9.0",
+    "certifi>=2015.9.6.2",
+}
+if sys.version_info < (3, 0):
+    deps.add("ipaddress>=1.0.14")
+
 setup(
    name="netlib",
    version=version.VERSION,
@ -40,15 +53,7 @@ setup(
    packages=find_packages(),
    include_package_data=True,
    zip_safe=False,
-    install_requires=[
-        "pyasn1>=0.1.7",
-        "pyOpenSSL>=0.15.1",
-        "cryptography>=1.0",
-        "passlib>=1.6.2",
-        "hpack>=1.0.1",
-        "six>=1.9.0",
-        "certifi"
-    ],
+    install_requires=list(deps),
    extras_require={
        'dev': [
            "mock>=1.0.1",