kris
/
boringssl
1
0
Atdalīts 0
Kods Problēmas 0 Izmaiņu pieprasījumi 0 Laidieni 0 Vikivietne Aktivitāte
Nevar pievienot vairāk kā 25 tēmas Tēmai ir jāsākas ar burtu vai ciparu, tā var saturēt domu zīmes ('-') un var būt līdz 35 simboliem gara.
3990 Revīzijas
12 Atzari
38 MiB
 
 
 
 
 
 
Koks: 3e0b2ce12b
Atzari Tagi
${ item.name }
Izveidot atzaru ${ searchTerm }
no '3e0b2ce12b'
${ noResults }
boringssl/crypto/x509v3/v3name_test.c

414 rindas
14 KiB
Neapstrādāts Vainot Vēsture 

  1. /*

  2.  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project

  3.  * 1999.

  4.  */

  5. /* ====================================================================

  6.  * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.

  7.  *

  8.  * Redistribution and use in source and binary forms, with or without

  9.  * modification, are permitted provided that the following conditions

  10.  * are met:

  11.  *

  12.  * 1. Redistributions of source code must retain the above copyright

  13.  *    notice, this list of conditions and the following disclaimer.

  14.  *

  15.  * 2. Redistributions in binary form must reproduce the above copyright

  16.  *    notice, this list of conditions and the following disclaimer in

  17.  *    the documentation and/or other materials provided with the

  18.  *    distribution.

  19.  *

  20.  * 3. All advertising materials mentioning features or use of this

  21.  *    software must display the following acknowledgment:

  22.  *    "This product includes software developed by the OpenSSL Project

  23.  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"

  24.  *

  25.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  26.  *    endorse or promote products derived from this software without

  27.  *    prior written permission. For written permission, please contact

  28.  *    licensing@OpenSSL.org.

  29.  *

  30.  * 5. Products derived from this software may not be called "OpenSSL"

  31.  *    nor may "OpenSSL" appear in their names without prior written

  32.  *    permission of the OpenSSL Project.

  33.  *

  34.  * 6. Redistributions of any form whatsoever must retain the following

  35.  *    acknowledgment:

  36.  *    "This product includes software developed by the OpenSSL Project

  37.  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"

  38.  *

  39.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  40.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  41.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  42.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  43.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  44.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  45.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  46.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  48.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  49.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  50.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  51.  * ====================================================================

  52.  *

  53.  * This product includes cryptographic software written by Eric Young

  54.  * (eay@cryptsoft.com).  This product includes software written by Tim

  55.  * Hudson (tjh@cryptsoft.com). */

  56. 

  57. #include <stdarg.h>

  58. #include <string.h>

  59. 

  60. #include <openssl/crypto.h>

  61. #include <openssl/mem.h>

  62. #include <openssl/x509.h>

  63. #include <openssl/x509v3.h>

  64. 

  65. #include "../internal.h"

  66. 

  67. 

  68. static const char *const names[] = {

  69.     "a", "b", ".", "*", "@",

  70.     ".a", "a.", ".b", "b.", ".*", "*.", "*@", "@*", "a@", "@a", "b@", "..",

  71.     "-example.com", "example-.com",

  72.     "@@", "**", "*.com", "*com", "*.*.com", "*com", "com*", "*example.com",

  73.     "*@example.com", "test@*.example.com", "example.com", "www.example.com",

  74.     "test.www.example.com", "*.example.com", "*.www.example.com",

  75.     "test.*.example.com", "www.*.com",

  76.     ".www.example.com", "*www.example.com",

  77.     "example.net", "xn--rger-koa.example.com",

  78.     "*.xn--rger-koa.example.com", "www.xn--rger-koa.example.com",

  79.     "*.good--example.com", "www.good--example.com",

  80.     "*.xn--bar.com", "xn--foo.xn--bar.com",

  81.     "a.example.com", "b.example.com",

  82.     "postmaster@example.com", "Postmaster@example.com",

  83.     "postmaster@EXAMPLE.COM",

  84.     NULL

  85. };

  86. 

  87. static const char *const exceptions[] = {

  88.     "set CN: host: [*.example.com] matches [a.example.com]",

  89.     "set CN: host: [*.example.com] matches [b.example.com]",

  90.     "set CN: host: [*.example.com] matches [www.example.com]",

  91.     "set CN: host: [*.example.com] matches [xn--rger-koa.example.com]",

  92.     "set CN: host: [*.www.example.com] matches [test.www.example.com]",

  93.     "set CN: host: [*.www.example.com] matches [.www.example.com]",

  94.     "set CN: host: [*www.example.com] matches [www.example.com]",

  95.     "set CN: host: [test.www.example.com] matches [.www.example.com]",

  96.     "set CN: host: [*.xn--rger-koa.example.com] matches [www.xn--rger-koa.example.com]",

  97.     "set CN: host: [*.xn--bar.com] matches [xn--foo.xn--bar.com]",

  98.     "set CN: host: [*.good--example.com] matches [www.good--example.com]",

  99.     "set CN: host-no-wildcards: [*.www.example.com] matches [.www.example.com]",

  100.     "set CN: host-no-wildcards: [test.www.example.com] matches [.www.example.com]",

  101.     "set emailAddress: email: [postmaster@example.com] does not match [Postmaster@example.com]",

  102.     "set emailAddress: email: [postmaster@EXAMPLE.COM] does not match [Postmaster@example.com]",

  103.     "set emailAddress: email: [Postmaster@example.com] does not match [postmaster@example.com]",

  104.     "set emailAddress: email: [Postmaster@example.com] does not match [postmaster@EXAMPLE.COM]",

  105.     "set dnsName: host: [*.example.com] matches [www.example.com]",

  106.     "set dnsName: host: [*.example.com] matches [a.example.com]",

  107.     "set dnsName: host: [*.example.com] matches [b.example.com]",

  108.     "set dnsName: host: [*.example.com] matches [xn--rger-koa.example.com]",

  109.     "set dnsName: host: [*.www.example.com] matches [test.www.example.com]",

  110.     "set dnsName: host-no-wildcards: [*.www.example.com] matches [.www.example.com]",

  111.     "set dnsName: host-no-wildcards: [test.www.example.com] matches [.www.example.com]",

  112.     "set dnsName: host: [*.www.example.com] matches [.www.example.com]",

  113.     "set dnsName: host: [*www.example.com] matches [www.example.com]",

  114.     "set dnsName: host: [test.www.example.com] matches [.www.example.com]",

  115.     "set dnsName: host: [*.xn--rger-koa.example.com] matches [www.xn--rger-koa.example.com]",

  116.     "set dnsName: host: [*.xn--bar.com] matches [xn--foo.xn--bar.com]",

  117.     "set dnsName: host: [*.good--example.com] matches [www.good--example.com]",

  118.     "set rfc822Name: email: [postmaster@example.com] does not match [Postmaster@example.com]",

  119.     "set rfc822Name: email: [Postmaster@example.com] does not match [postmaster@example.com]",

  120.     "set rfc822Name: email: [Postmaster@example.com] does not match [postmaster@EXAMPLE.COM]",

  121.     "set rfc822Name: email: [postmaster@EXAMPLE.COM] does not match [Postmaster@example.com]",

  122.     NULL

  123. };

  124. 

  125. static int is_exception(const char *msg)

  126. {

  127.     const char *const *p;

  128.     for (p = exceptions; *p; ++p)

  129.         if (strcmp(msg, *p) == 0)

  130.             return 1;

  131.     return 0;

  132. }

  133. 

  134. static int set_cn(X509 *crt, ...)

  135. {

  136.     int ret = 0;

  137.     X509_NAME *n = NULL;

  138.     va_list ap;

  139.     va_start(ap, crt);

  140.     n = X509_NAME_new();

  141.     if (n == NULL)

  142.         goto out;

  143.     while (1) {

  144.         int nid;

  145.         const char *name;

  146.         nid = va_arg(ap, int);

  147.         if (nid == 0)

  148.             break;

  149.         name = va_arg(ap, const char *);

  150.         if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_ASC,

  151.                                         (unsigned char *)name, -1, -1, 1))

  152.             goto out;

  153.     }

  154.     if (!X509_set_subject_name(crt, n))

  155.         goto out;

  156.     ret = 1;

  157.  out:

  158.     X509_NAME_free(n);

  159.     va_end(ap);

  160.     return ret;

  161. }

  162. 

  163. /*

  164.  * int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc); X509_EXTENSION

  165.  * *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid, int crit,

  166.  * ASN1_OCTET_STRING *data); int X509_add_ext(X509 *x, X509_EXTENSION *ex,

  167.  * int loc);

  168.  */

  169. 

  170. static int set_altname(X509 *crt, ...)

  171. {

  172.     int ret = 0;

  173.     GENERAL_NAMES *gens = NULL;

  174.     GENERAL_NAME *gen = NULL;

  175.     ASN1_IA5STRING *ia5 = NULL;

  176.     va_list ap;

  177.     va_start(ap, crt);

  178.     gens = sk_GENERAL_NAME_new_null();

  179.     if (gens == NULL)

  180.         goto out;

  181.     while (1) {

  182.         int type;

  183.         const char *name;

  184.         type = va_arg(ap, int);

  185.         if (type == 0)

  186.             break;

  187.         name = va_arg(ap, const char *);

  188. 

  189.         gen = GENERAL_NAME_new();

  190.         if (gen == NULL)

  191.             goto out;

  192.         ia5 = ASN1_IA5STRING_new();

  193.         if (ia5 == NULL)

  194.             goto out;

  195.         if (!ASN1_STRING_set(ia5, name, -1))

  196.             goto out;

  197.         switch (type) {

  198.         case GEN_EMAIL:

  199.         case GEN_DNS:

  200.             GENERAL_NAME_set0_value(gen, type, ia5);

  201.             ia5 = NULL;

  202.             break;

  203.         default:

  204.             abort();

  205.         }

  206.         sk_GENERAL_NAME_push(gens, gen);

  207.         gen = NULL;

  208.     }

  209.     if (!X509_add1_ext_i2d(crt, NID_subject_alt_name, gens, 0, 0))

  210.         goto out;

  211.     ret = 1;

  212.  out:

  213.     ASN1_IA5STRING_free(ia5);

  214.     GENERAL_NAME_free(gen);

  215.     GENERAL_NAMES_free(gens);

  216.     va_end(ap);

  217.     return ret;

  218. }

  219. 

  220. static int set_cn1(X509 *crt, const char *name)

  221. {

  222.     return set_cn(crt, NID_commonName, name, 0);

  223. }

  224. 

  225. static int set_cn_and_email(X509 *crt, const char *name)

  226. {

  227.     return set_cn(crt, NID_commonName, name,

  228.                   NID_pkcs9_emailAddress, "dummy@example.com", 0);

  229. }

  230. 

  231. static int set_cn2(X509 *crt, const char *name)

  232. {

  233.     return set_cn(crt, NID_commonName, "dummy value",

  234.                   NID_commonName, name, 0);

  235. }

  236. 

  237. static int set_cn3(X509 *crt, const char *name)

  238. {

  239.     return set_cn(crt, NID_commonName, name,

  240.                   NID_commonName, "dummy value", 0);

  241. }

  242. 

  243. static int set_email1(X509 *crt, const char *name)

  244. {

  245.     return set_cn(crt, NID_pkcs9_emailAddress, name, 0);

  246. }

  247. 

  248. static int set_email2(X509 *crt, const char *name)

  249. {

  250.     return set_cn(crt, NID_pkcs9_emailAddress, "dummy@example.com",

  251.                   NID_pkcs9_emailAddress, name, 0);

  252. }

  253. 

  254. static int set_email3(X509 *crt, const char *name)

  255. {

  256.     return set_cn(crt, NID_pkcs9_emailAddress, name,

  257.                   NID_pkcs9_emailAddress, "dummy@example.com", 0);

  258. }

  259. 

  260. static int set_email_and_cn(X509 *crt, const char *name)

  261. {

  262.     return set_cn(crt, NID_pkcs9_emailAddress, name,

  263.                   NID_commonName, "www.example.org", 0);

  264. }

  265. 

  266. static int set_altname_dns(X509 *crt, const char *name)

  267. {

  268.     return set_altname(crt, GEN_DNS, name, 0);

  269. }

  270. 

  271. static int set_altname_email(X509 *crt, const char *name)

  272. {

  273.     return set_altname(crt, GEN_EMAIL, name, 0);

  274. }

  275. 

  276. struct set_name_fn {

  277.     int (*fn) (X509 *, const char *);

  278.     const char *name;

  279.     int host;

  280.     int email;

  281. };

  282. 

  283. static const struct set_name_fn name_fns[] = {

  284.     {set_cn1, "set CN", 1, 0},

  285.     {set_cn2, "set CN", 1, 0},

  286.     {set_cn3, "set CN", 1, 0},

  287.     {set_cn_and_email, "set CN", 1, 0},

  288.     {set_email1, "set emailAddress", 0, 1},

  289.     {set_email2, "set emailAddress", 0, 1},

  290.     {set_email3, "set emailAddress", 0, 1},

  291.     {set_email_and_cn, "set emailAddress", 0, 1},

  292.     {set_altname_dns, "set dnsName", 1, 0},

  293.     {set_altname_email, "set rfc822Name", 0, 1},

  294.     {NULL, NULL, 0, 0},

  295. };

  296. 

  297. static X509 *make_cert(void)

  298. {

  299.     X509 *ret = NULL;

  300.     X509 *crt = NULL;

  301.     X509_NAME *issuer = NULL;

  302.     crt = X509_new();

  303.     if (crt == NULL)

  304.         goto out;

  305.     if (!X509_set_version(crt, 3))

  306.         goto out;

  307.     ret = crt;

  308.     crt = NULL;

  309.  out:

  310.     X509_NAME_free(issuer);

  311.     return ret;

  312. }

  313. 

  314. static int errors;

  315. 

  316. static void check_message(const struct set_name_fn *fn, const char *op,

  317.                           const char *nameincert, int match, const char *name)

  318. {

  319.     char msg[1024];

  320.     if (match < 0)

  321.         return;

  322.     BIO_snprintf(msg, sizeof(msg), "%s: %s: [%s] %s [%s]",

  323.                  fn->name, op, nameincert,

  324.                  match ? "matches" : "does not match", name);

  325.     if (is_exception(msg))

  326.         return;

  327.     puts(msg);

  328.     ++errors;

  329. }

  330. 

  331. static void run_cert(X509 *crt, const char *nameincert,

  332.                      const struct set_name_fn *fn)

  333. {

  334.     const char *const *pname = names;

  335.     while (*pname) {

  336.         int samename = OPENSSL_strcasecmp(nameincert, *pname) == 0;

  337.         size_t namelen = strlen(*pname);

  338.         char *name = malloc(namelen);

  339.         int match, ret;

  340.         OPENSSL_memcpy(name, *pname, namelen);

  341. 

  342.         ret = X509_check_host(crt, name, namelen, 0, NULL);

  343.         match = -1;

  344.         if (ret < 0) {

  345.             fprintf(stderr, "internal error in X509_check_host");

  346.             ++errors;

  347.         } else if (fn->host) {

  348.             if (ret == 1 && !samename)

  349.                 match = 1;

  350.             if (ret == 0 && samename)

  351.                 match = 0;

  352.         } else if (ret == 1)

  353.             match = 1;

  354.         check_message(fn, "host", nameincert, match, *pname);

  355. 

  356.         ret = X509_check_host(crt, name, namelen,

  357.                               X509_CHECK_FLAG_NO_WILDCARDS, NULL);

  358.         match = -1;

  359.         if (ret < 0) {

  360.             fprintf(stderr, "internal error in X509_check_host");

  361.             ++errors;

  362.         } else if (fn->host) {

  363.             if (ret == 1 && !samename)

  364.                 match = 1;

  365.             if (ret == 0 && samename)

  366.                 match = 0;

  367.         } else if (ret == 1)

  368.             match = 1;

  369.         check_message(fn, "host-no-wildcards", nameincert, match, *pname);

  370. 

  371.         ret = X509_check_email(crt, name, namelen, 0);

  372.         match = -1;

  373.         if (fn->email) {

  374.             if (ret && !samename)

  375.                 match = 1;

  376.             if (!ret && samename && strchr(nameincert, '@') != NULL)

  377.                 match = 0;

  378.         } else if (ret)

  379.             match = 1;

  380.         check_message(fn, "email", nameincert, match, *pname);

  381.         ++pname;

  382.         free(name);

  383.     }

  384. }

  385. 

  386. int main(void)

  387. {

  388.     CRYPTO_library_init();

  389. 

  390.     const struct set_name_fn *pfn = name_fns;

  391.     while (pfn->name) {

  392.         const char *const *pname = names;

  393.         while (*pname) {

  394.             X509 *crt = make_cert();

  395.             if (crt == NULL) {

  396.                 fprintf(stderr, "make_cert failed\n");

  397.                 return 1;

  398.             }

  399.             if (!pfn->fn(crt, *pname)) {

  400.                 fprintf(stderr, "X509 name setting failed\n");

  401.                 return 1;

  402.             }

  403.             run_cert(crt, *pname, pfn);

  404.             X509_free(crt);

  405.             ++pname;

  406.         }

  407.         ++pfn;

  408.     }

  409.     if (errors == 0) {

  410.         printf("PASS\n");

  411.     }

  412.     return errors > 0 ? 1 : 0;

  413. }