Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement asgiref tls extension #1119

Open
wants to merge 17 commits into
base: master
Choose a base branch
from
Open

Implement asgiref tls extension #1119

Changes from 1 commit
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
aa26b2c
Implement asgiref tls extension
mdgilene Jul 11, 2021
3ae8704
Only add tls extension if connection is over tls
mdgilene Jul 18, 2021
278fd24
Merge branch 'master' into feature-asgiref-tls-extension
mdgilene Dec 6, 2021
053dc4f
Fix formatting issues
mdgilene Dec 6, 2021
4114948
Merge remote-tracking branch 'upstream/master' into feature-asgiref-t…
mdgilene Mar 4, 2023
a84dc93
Address linting issues and fix tests
mdgilene Mar 4, 2023
d1feb3c
Merge remote-tracking branch 'upstream/master' into feature-asgiref-t…
May 25, 2024
5c7b539
Fix issues found by check script
May 25, 2024
02c53b4
add generated TLS constants
jschlyter May 27, 2024
b4da8a2
Add generate script and update generation to run formatting automatic…
May 27, 2024
19a5c1e
Added DN escaping and use new generated cipher_suite lookup table
May 27, 2024
eb60eb8
Add test for escaping
May 27, 2024
9f05147
Run formatting on tests
May 27, 2024
1ac95c0
Merge branch 'master' into feature-asgiref-tls-extension
mdgilene May 28, 2024
050d862
fix incorrect dictionary access
May 29, 2024
7b24335
Merge branch 'feature-asgiref-tls-extension' of https://github.com/md…
May 29, 2024
f50dddb
Merge branch 'master' into feature-asgiref-tls-extension
mdgilene Jun 14, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
47 changes: 39 additions & 8 deletions uvicorn/protocols/utils.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,16 +5,17 @@
import urllib.parse

from uvicorn._types import WWWScope
from uvicorn.protocols.http.tls_const import TLS_CIPHER_SUITES

RDNS_MAPPING: dict[str, str] = {
"domainComponent": "DC",
"commonName": "CN",
"organizationalUnitName": "OU",
"organizationName": "O",
"streetAddress": "STREET",
"localityName": "L",
"stateOrProvinceName": "ST",
"organizationName": "O",
"organizationalUnitName": "OU",
"countryName": "C",
"streetAddress": "STREET",
"domainComponent": "DC",
"userId": "UID",
}

Expand Down Expand Up @@ -76,14 +77,40 @@ def get_path_with_query_string(scope: WWWScope) -> str:
return path_with_query_string


def escape_dn_chars(s: str) -> str:
"""
Escape all DN special characters found in s
with a back-slash (see RFC 4514, section 2.4)

Based upon the implementation here - https://github.com/python-ldap/python-ldap/blob/e885b621562a3c987934be3fba3873d21026bf5c/Lib/ldap/dn.py#L17
"""
if s:
s = s.replace("\\", "\\\\")
s = s.replace(",", "\\,")
s = s.replace("+", "\\+")
s = s.replace('"', '\\"')
s = s.replace("<", "\\<")
s = s.replace(">", "\\>")
s = s.replace(";", "\\;")
s = s.replace("=", "\\=")
s = s.replace("\000", "\\\000")
s = s.replace("\n", "\\0a")
s = s.replace("\r", "\\0d")
if s[-1] == " ":
s = "".join((s[:-1], "\\ "))
if s[0] == "#" or s[0] == " ":
s = "".join(("\\", s))
return s


def get_tls_info(transport: asyncio.Transport) -> dict[object, object]:
###
# server_cert: Unable to set from transport information
# client_cert_chain: Just the peercert, currently no access to the full cert chain
# client_cert_name:
# client_cert_error: No access to this
# tls_version:
# cipher_suite: Too hard to convert without direct access to openssl
# cipher_suite:
###

ssl_info: dict[object, object] = {
Expand All @@ -103,15 +130,19 @@ def get_tls_info(transport: asyncio.Transport) -> dict[object, object]:
for rdn in peercert["subject"]:
rdn_strings.append(
"+".join(
[f"{RDNS_MAPPING[entry[0]]} = {entry[1]}" for entry in reversed(rdn) if entry[0] in RDNS_MAPPING]
[
f"{RDNS_MAPPING[entry[0]]}={escape_dn_chars(entry[1])}"
for entry in reversed(rdn)
if entry[0] in RDNS_MAPPING
]
)
)

ssl_info["client_cert_chain"] = [ssl.DER_cert_to_PEM_cert(ssl_object.getpeercert(binary_form=True))]
ssl_info["client_cert_name"] = ", ".join(rdn_strings) if rdn_strings else ""
ssl_info["client_cert_name"] = ",".join(rdn_strings) if rdn_strings else ""
ssl_info["tls_version"] = (
TLS_VERSION_MAP[ssl_object.version()] if ssl_object.version() in TLS_VERSION_MAP else None
)
ssl_info["cipher_suite"] = list(ssl_object.cipher())
ssl_info["cipher_suite"] = TLS_CIPHER_SUITES[ssl_object.cipher()[0]]
mdgilene marked this conversation as resolved.
Show resolved Hide resolved

return ssl_info
Loading