aiortc / aioquic

QUIC and HTTP/3 implementation in Python
BSD 3-Clause "New" or "Revised" License

Adapt "no subjectaltname" test for service-identity >= 24 #452

Closed jlaine closed 10 months ago

jlaine commented 10 months ago

When a certificate contains no subjectAltName extension, service-identity now raises a CertificateError instead of a VerificationError.

jlaine commented 10 months ago

@rthalley I'm not entirely comfortable with this code, because extract_patterns could also raise an Exception.

I think I'd be more comfortable with exactly two error paths:

codecov[bot] commented 10 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Comparison is base (20cd4ee) 100.00% compared to head (9dd2b96) 100.00%.

Additional details and impacted files

```diff
@@            Coverage Diff            @@
##              main      #452   +/-   ##
=========================================
  Coverage   100.00%   100.00%
=========================================
  Files           25        25
  Lines         4881      4881
=========================================
  Hits          4881      4881
```


rthalley commented 10 months ago

You could also go for "belt and braces" and just fall back to the first exception if extract_patterns raises, e.g.

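```python
try:
    patterns = service_identity.cryptography.extract_patterns(certificate)
except Exception:
    # extract_patterns itself failed: behave as if there were no patterns
    patterns = []
if len(patterns) == 0:
    # fall back to the message of the first exception (exc)
    errmsg = str(exc)
```

jlaine commented 10 months ago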

I'm going to merge as-is after thinking about it; we can always revisit this.