reviewboard.certs.utils¶

Utilities for certificate and SSL/TLS usage.

New in version 8.0.

get_cert_hostname_matches(*, cert_hostname: str, check_hostname: str, normalize_hostnames: bool = True) → bool[source]¶

Return whether a certificate’s hostname matches the provided hostname.

A certificate is a match if any of the following conditions are true:

The hostnames are a direct match (ignoring case).
The first label of a cert hostname is a wildcard (*) and matches the first label of the hostname, and the remaining labels are a direct match (ignoring case).

Partial wildcards (e.g., foo*.example.com, *bar.example.com, or foo*bar.example.com) are not supported. Most Certificate Authorities no longer support these, and major browsers (including Chrome) consider them security risks.

This is not intended to be used with IP addresses, only hostnames.

New in version 8.0.

Parameters:

cert_hostname (str) – A certificate-provided hostname.
check_hostname (str) – The hostname to check.
normalize_hostnames (bool, optional) –
Whether to normalize hostnames before comparison.

Callers should set this to False if they’re already handling normalization.

Returns:

True if the hostname is a match for the certificate hostname. False if it is not.

Return type:

bool

normalize_cert_hostname(hostname: str) → str[source]¶

Return a normalized version of the cert hostname.

This requires a hostname or wildcard hostname pattern that is considered valid on its own (no whitespace or invalid characters). Both the pre-normalized and normalized values must be considered interchangeable for the purpose of resolving a domain (or, in the case of wildcards, must be able to match the same domain).

The normalized value will be case-folded for comparison or storage purposes.

New in version 8.0.

Parameters:: hostname (str) – The valid hostname to normalize.
Returns:: The normalized hostname.
Return type:: str