kris
/
boringssl
1
0
Derivar 0
Código Questões 0 Pedidos de integração 0 Lançamentos 0 Wiki Trabalho
Não pode escolher mais do que 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.
2891 Cometimentos
12 Ramos
38 MiB
 
 
 
 
 
 
Árvore: 71dd6660e8
Ramos Etiquetas
${ item.name }
Criar ramo ${ searchTerm }
de '71dd6660e8'
${ noResults }
boringssl/crypto/x509v3/v3name_test.c

411 linhas
14 KiB
Em bruto Responsabilidade Histórico 

  1. /*

  2.  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project

  3.  * 1999.

  4.  */

  5. /* ====================================================================

  6.  * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.

  7.  *

  8.  * Redistribution and use in source and binary forms, with or without

  9.  * modification, are permitted provided that the following conditions

  10.  * are met:

  11.  *

  12.  * 1. Redistributions of source code must retain the above copyright

  13.  *    notice, this list of conditions and the following disclaimer.

  14.  *

  15.  * 2. Redistributions in binary form must reproduce the above copyright

  16.  *    notice, this list of conditions and the following disclaimer in

  17.  *    the documentation and/or other materials provided with the

  18.  *    distribution.

  19.  *

  20.  * 3. All advertising materials mentioning features or use of this

  21.  *    software must display the following acknowledgment:

  22.  *    "This product includes software developed by the OpenSSL Project

  23.  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"

  24.  *

  25.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  26.  *    endorse or promote products derived from this software without

  27.  *    prior written permission. For written permission, please contact

  28.  *    licensing@OpenSSL.org.

  29.  *

  30.  * 5. Products derived from this software may not be called "OpenSSL"

  31.  *    nor may "OpenSSL" appear in their names without prior written

  32.  *    permission of the OpenSSL Project.

  33.  *

  34.  * 6. Redistributions of any form whatsoever must retain the following

  35.  *    acknowledgment:

  36.  *    "This product includes software developed by the OpenSSL Project

  37.  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"

  38.  *

  39.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  40.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  41.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  42.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  43.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  44.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  45.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  46.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  48.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  49.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  50.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  51.  * ====================================================================

  52.  *

  53.  * This product includes cryptographic software written by Eric Young

  54.  * (eay@cryptsoft.com).  This product includes software written by Tim

  55.  * Hudson (tjh@cryptsoft.com). */

  56. 

  57. #include <stdarg.h>

  58. #include <string.h>

  59. 

  60. #include <openssl/crypto.h>

  61. #include <openssl/mem.h>

  62. #include <openssl/x509.h>

  63. #include <openssl/x509v3.h>

  64. 

  65. static const char *const names[] = {

  66.     "a", "b", ".", "*", "@",

  67.     ".a", "a.", ".b", "b.", ".*", "*.", "*@", "@*", "a@", "@a", "b@", "..",

  68.     "-example.com", "example-.com",

  69.     "@@", "**", "*.com", "*com", "*.*.com", "*com", "com*", "*example.com",

  70.     "*@example.com", "test@*.example.com", "example.com", "www.example.com",

  71.     "test.www.example.com", "*.example.com", "*.www.example.com",

  72.     "test.*.example.com", "www.*.com",

  73.     ".www.example.com", "*www.example.com",

  74.     "example.net", "xn--rger-koa.example.com",

  75.     "*.xn--rger-koa.example.com", "www.xn--rger-koa.example.com",

  76.     "*.good--example.com", "www.good--example.com",

  77.     "*.xn--bar.com", "xn--foo.xn--bar.com",

  78.     "a.example.com", "b.example.com",

  79.     "postmaster@example.com", "Postmaster@example.com",

  80.     "postmaster@EXAMPLE.COM",

  81.     NULL

  82. };

  83. 

  84. static const char *const exceptions[] = {

  85.     "set CN: host: [*.example.com] matches [a.example.com]",

  86.     "set CN: host: [*.example.com] matches [b.example.com]",

  87.     "set CN: host: [*.example.com] matches [www.example.com]",

  88.     "set CN: host: [*.example.com] matches [xn--rger-koa.example.com]",

  89.     "set CN: host: [*.www.example.com] matches [test.www.example.com]",

  90.     "set CN: host: [*.www.example.com] matches [.www.example.com]",

  91.     "set CN: host: [*www.example.com] matches [www.example.com]",

  92.     "set CN: host: [test.www.example.com] matches [.www.example.com]",

  93.     "set CN: host: [*.xn--rger-koa.example.com] matches [www.xn--rger-koa.example.com]",

  94.     "set CN: host: [*.xn--bar.com] matches [xn--foo.xn--bar.com]",

  95.     "set CN: host: [*.good--example.com] matches [www.good--example.com]",

  96.     "set CN: host-no-wildcards: [*.www.example.com] matches [.www.example.com]",

  97.     "set CN: host-no-wildcards: [test.www.example.com] matches [.www.example.com]",

  98.     "set emailAddress: email: [postmaster@example.com] does not match [Postmaster@example.com]",

  99.     "set emailAddress: email: [postmaster@EXAMPLE.COM] does not match [Postmaster@example.com]",

  100.     "set emailAddress: email: [Postmaster@example.com] does not match [postmaster@example.com]",

  101.     "set emailAddress: email: [Postmaster@example.com] does not match [postmaster@EXAMPLE.COM]",

  102.     "set dnsName: host: [*.example.com] matches [www.example.com]",

  103.     "set dnsName: host: [*.example.com] matches [a.example.com]",

  104.     "set dnsName: host: [*.example.com] matches [b.example.com]",

  105.     "set dnsName: host: [*.example.com] matches [xn--rger-koa.example.com]",

  106.     "set dnsName: host: [*.www.example.com] matches [test.www.example.com]",

  107.     "set dnsName: host-no-wildcards: [*.www.example.com] matches [.www.example.com]",

  108.     "set dnsName: host-no-wildcards: [test.www.example.com] matches [.www.example.com]",

  109.     "set dnsName: host: [*.www.example.com] matches [.www.example.com]",

  110.     "set dnsName: host: [*www.example.com] matches [www.example.com]",

  111.     "set dnsName: host: [test.www.example.com] matches [.www.example.com]",

  112.     "set dnsName: host: [*.xn--rger-koa.example.com] matches [www.xn--rger-koa.example.com]",

  113.     "set dnsName: host: [*.xn--bar.com] matches [xn--foo.xn--bar.com]",

  114.     "set dnsName: host: [*.good--example.com] matches [www.good--example.com]",

  115.     "set rfc822Name: email: [postmaster@example.com] does not match [Postmaster@example.com]",

  116.     "set rfc822Name: email: [Postmaster@example.com] does not match [postmaster@example.com]",

  117.     "set rfc822Name: email: [Postmaster@example.com] does not match [postmaster@EXAMPLE.COM]",

  118.     "set rfc822Name: email: [postmaster@EXAMPLE.COM] does not match [Postmaster@example.com]",

  119.     NULL

  120. };

  121. 

  122. static int is_exception(const char *msg)

  123. {

  124.     const char *const *p;

  125.     for (p = exceptions; *p; ++p)

  126.         if (strcmp(msg, *p) == 0)

  127.             return 1;

  128.     return 0;

  129. }

  130. 

  131. static int set_cn(X509 *crt, ...)

  132. {

  133.     int ret = 0;

  134.     X509_NAME *n = NULL;

  135.     va_list ap;

  136.     va_start(ap, crt);

  137.     n = X509_NAME_new();

  138.     if (n == NULL)

  139.         goto out;

  140.     while (1) {

  141.         int nid;

  142.         const char *name;

  143.         nid = va_arg(ap, int);

  144.         if (nid == 0)

  145.             break;

  146.         name = va_arg(ap, const char *);

  147.         if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_ASC,

  148.                                         (unsigned char *)name, -1, -1, 1))

  149.             goto out;

  150.     }

  151.     if (!X509_set_subject_name(crt, n))

  152.         goto out;

  153.     ret = 1;

  154.  out:

  155.     X509_NAME_free(n);

  156.     va_end(ap);

  157.     return ret;

  158. }

  159. 

  160. /*

  161.  * int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc); X509_EXTENSION

  162.  * *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid, int crit,

  163.  * ASN1_OCTET_STRING *data); int X509_add_ext(X509 *x, X509_EXTENSION *ex,

  164.  * int loc);

  165.  */

  166. 

  167. static int set_altname(X509 *crt, ...)

  168. {

  169.     int ret = 0;

  170.     GENERAL_NAMES *gens = NULL;

  171.     GENERAL_NAME *gen = NULL;

  172.     ASN1_IA5STRING *ia5 = NULL;

  173.     va_list ap;

  174.     va_start(ap, crt);

  175.     gens = sk_GENERAL_NAME_new_null();

  176.     if (gens == NULL)

  177.         goto out;

  178.     while (1) {

  179.         int type;

  180.         const char *name;

  181.         type = va_arg(ap, int);

  182.         if (type == 0)

  183.             break;

  184.         name = va_arg(ap, const char *);

  185. 

  186.         gen = GENERAL_NAME_new();

  187.         if (gen == NULL)

  188.             goto out;

  189.         ia5 = ASN1_IA5STRING_new();

  190.         if (ia5 == NULL)

  191.             goto out;

  192.         if (!ASN1_STRING_set(ia5, name, -1))

  193.             goto out;

  194.         switch (type) {

  195.         case GEN_EMAIL:

  196.         case GEN_DNS:

  197.             GENERAL_NAME_set0_value(gen, type, ia5);

  198.             ia5 = NULL;

  199.             break;

  200.         default:

  201.             abort();

  202.         }

  203.         sk_GENERAL_NAME_push(gens, gen);

  204.         gen = NULL;

  205.     }

  206.     if (!X509_add1_ext_i2d(crt, NID_subject_alt_name, gens, 0, 0))

  207.         goto out;

  208.     ret = 1;

  209.  out:

  210.     ASN1_IA5STRING_free(ia5);

  211.     GENERAL_NAME_free(gen);

  212.     GENERAL_NAMES_free(gens);

  213.     va_end(ap);

  214.     return ret;

  215. }

  216. 

  217. static int set_cn1(X509 *crt, const char *name)

  218. {

  219.     return set_cn(crt, NID_commonName, name, 0);

  220. }

  221. 

  222. static int set_cn_and_email(X509 *crt, const char *name)

  223. {

  224.     return set_cn(crt, NID_commonName, name,

  225.                   NID_pkcs9_emailAddress, "dummy@example.com", 0);

  226. }

  227. 

  228. static int set_cn2(X509 *crt, const char *name)

  229. {

  230.     return set_cn(crt, NID_commonName, "dummy value",

  231.                   NID_commonName, name, 0);

  232. }

  233. 

  234. static int set_cn3(X509 *crt, const char *name)

  235. {

  236.     return set_cn(crt, NID_commonName, name,

  237.                   NID_commonName, "dummy value", 0);

  238. }

  239. 

  240. static int set_email1(X509 *crt, const char *name)

  241. {

  242.     return set_cn(crt, NID_pkcs9_emailAddress, name, 0);

  243. }

  244. 

  245. static int set_email2(X509 *crt, const char *name)

  246. {

  247.     return set_cn(crt, NID_pkcs9_emailAddress, "dummy@example.com",

  248.                   NID_pkcs9_emailAddress, name, 0);

  249. }

  250. 

  251. static int set_email3(X509 *crt, const char *name)

  252. {

  253.     return set_cn(crt, NID_pkcs9_emailAddress, name,

  254.                   NID_pkcs9_emailAddress, "dummy@example.com", 0);

  255. }

  256. 

  257. static int set_email_and_cn(X509 *crt, const char *name)

  258. {

  259.     return set_cn(crt, NID_pkcs9_emailAddress, name,

  260.                   NID_commonName, "www.example.org", 0);

  261. }

  262. 

  263. static int set_altname_dns(X509 *crt, const char *name)

  264. {

  265.     return set_altname(crt, GEN_DNS, name, 0);

  266. }

  267. 

  268. static int set_altname_email(X509 *crt, const char *name)

  269. {

  270.     return set_altname(crt, GEN_EMAIL, name, 0);

  271. }

  272. 

  273. struct set_name_fn {

  274.     int (*fn) (X509 *, const char *);

  275.     const char *name;

  276.     int host;

  277.     int email;

  278. };

  279. 

  280. static const struct set_name_fn name_fns[] = {

  281.     {set_cn1, "set CN", 1, 0},

  282.     {set_cn2, "set CN", 1, 0},

  283.     {set_cn3, "set CN", 1, 0},

  284.     {set_cn_and_email, "set CN", 1, 0},

  285.     {set_email1, "set emailAddress", 0, 1},

  286.     {set_email2, "set emailAddress", 0, 1},

  287.     {set_email3, "set emailAddress", 0, 1},

  288.     {set_email_and_cn, "set emailAddress", 0, 1},

  289.     {set_altname_dns, "set dnsName", 1, 0},

  290.     {set_altname_email, "set rfc822Name", 0, 1},

  291.     {NULL, NULL, 0, 0},

  292. };

  293. 

  294. static X509 *make_cert(void)

  295. {

  296.     X509 *ret = NULL;

  297.     X509 *crt = NULL;

  298.     X509_NAME *issuer = NULL;

  299.     crt = X509_new();

  300.     if (crt == NULL)

  301.         goto out;

  302.     if (!X509_set_version(crt, 3))

  303.         goto out;

  304.     ret = crt;

  305.     crt = NULL;

  306.  out:

  307.     X509_NAME_free(issuer);

  308.     return ret;

  309. }

  310. 

  311. static int errors;

  312. 

  313. static void check_message(const struct set_name_fn *fn, const char *op,

  314.                           const char *nameincert, int match, const char *name)

  315. {

  316.     char msg[1024];

  317.     if (match < 0)

  318.         return;

  319.     BIO_snprintf(msg, sizeof(msg), "%s: %s: [%s] %s [%s]",

  320.                  fn->name, op, nameincert,

  321.                  match ? "matches" : "does not match", name);

  322.     if (is_exception(msg))

  323.         return;

  324.     puts(msg);

  325.     ++errors;

  326. }

  327. 

  328. static void run_cert(X509 *crt, const char *nameincert,

  329.                      const struct set_name_fn *fn)

  330. {

  331.     const char *const *pname = names;

  332.     while (*pname) {

  333.         int samename = OPENSSL_strcasecmp(nameincert, *pname) == 0;

  334.         size_t namelen = strlen(*pname);

  335.         char *name = malloc(namelen);

  336.         int match, ret;

  337.         memcpy(name, *pname, namelen);

  338. 

  339.         ret = X509_check_host(crt, name, namelen, 0, NULL);

  340.         match = -1;

  341.         if (ret < 0) {

  342.             fprintf(stderr, "internal error in X509_check_host");

  343.             ++errors;

  344.         } else if (fn->host) {

  345.             if (ret == 1 && !samename)

  346.                 match = 1;

  347.             if (ret == 0 && samename)

  348.                 match = 0;

  349.         } else if (ret == 1)

  350.             match = 1;

  351.         check_message(fn, "host", nameincert, match, *pname);

  352. 

  353.         ret = X509_check_host(crt, name, namelen,

  354.                               X509_CHECK_FLAG_NO_WILDCARDS, NULL);

  355.         match = -1;

  356.         if (ret < 0) {

  357.             fprintf(stderr, "internal error in X509_check_host");

  358.             ++errors;

  359.         } else if (fn->host) {

  360.             if (ret == 1 && !samename)

  361.                 match = 1;

  362.             if (ret == 0 && samename)

  363.                 match = 0;

  364.         } else if (ret == 1)

  365.             match = 1;

  366.         check_message(fn, "host-no-wildcards", nameincert, match, *pname);

  367. 

  368.         ret = X509_check_email(crt, name, namelen, 0);

  369.         match = -1;

  370.         if (fn->email) {

  371.             if (ret && !samename)

  372.                 match = 1;

  373.             if (!ret && samename && strchr(nameincert, '@') != NULL)

  374.                 match = 0;

  375.         } else if (ret)

  376.             match = 1;

  377.         check_message(fn, "email", nameincert, match, *pname);

  378.         ++pname;

  379.         free(name);

  380.     }

  381. }

  382. 

  383. int main(void)

  384. {

  385.     CRYPTO_library_init();

  386. 

  387.     const struct set_name_fn *pfn = name_fns;

  388.     while (pfn->name) {

  389.         const char *const *pname = names;

  390.         while (*pname) {

  391.             X509 *crt = make_cert();

  392.             if (crt == NULL) {

  393.                 fprintf(stderr, "make_cert failed\n");

  394.                 return 1;

  395.             }

  396.             if (!pfn->fn(crt, *pname)) {

  397.                 fprintf(stderr, "X509 name setting failed\n");

  398.                 return 1;

  399.             }

  400.             run_cert(crt, *pname, pfn);

  401.             X509_free(crt);

  402.             ++pname;

  403.         }

  404.         ++pfn;

  405.     }

  406.     if (errors == 0) {

  407.         printf("PASS\n");

  408.     }

  409.     return errors > 0 ? 1 : 0;

  410. }