From d244412d94ef2904b2819ee016357a01bcc66896 Mon Sep 17 00:00:00 2001
From: Seth Schoen
Date: Thu, 31 May 2012 12:34:47 -0700
Subject: [PATCH] notion of can_sign()
---
 webserver/CSR.py | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/webserver/CSR.py b/webserver/CSR.py
index 27eaa704a..2130f4dd1 100644
--- a/webserver/CSR.py
+++ b/webserver/CSR.py
@@ -22,6 +22,16 @@ def san(csr):
 """Get the subject alternate names from this CSR."""
 return []

+def can_sign(name):
+ """Does this CA's policy forbid signing this name via Chocolate DV?"""
+ # We could have a regular expression match here, like
+ # ([a-z0-9]+\.)+[a-z0-9]+
+ # and there is also a list of TLDs to check against to confirm that
+ # the name is actually a FQDN.
+ if "." not in name: return False
+ # Examples of names that are forbidden by policy due to a blacklist.
+ if name in ["google.com", "www.google.com"]: return False
+
 def verify(key, data):
 """What string was validly signed by this public key? (or None)"""
 return None
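Review bot: `can_sign()` never returns True: a name that passes both checks falls off the end of the function and yields `None`, so any caller that tests the result for truthiness will refuse every name; the function should end with `return True`. The docstring asks the opposite question ("forbid") from the one the return value answers, so something like `"""Return True if this CA's policy permits signing this name via Chocolate DV."""` would match the function name. The blacklist test compares the raw string, so a listed name written with different letter case or a trailing dot would not match and would be treated as permitted once the `return True` is in place; normalising first with `name = name.lower().rstrip(".")` closes that gap. Whether subdomains of a listed name should also be refused is a policy question the exact-match list does not answer, and it is worth stating in the comment above the list.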