kris
/
boringssl
1
0
Atdalīts 0
Kods Problēmas 0 Izmaiņu pieprasījumi 0 Laidieni 0 Vikivietne Aktivitāte
Nevar pievienot vairāk kā 25 tēmas Tēmai ir jāsākas ar burtu vai ciparu, tā var saturēt domu zīmes ('-') un var būt līdz 35 simboliem gara.
5667 Revīzijas
12 Atzari
38 MiB
 
 
 
 
 
 
Koks: 9978f0a865
Atzari Tagi
${ item.name }
Izveidot atzaru ${ searchTerm }
no '9978f0a865'
${ noResults }
boringssl/crypto/x509v3/v3name_test.cc

404 rindas
14 KiB
Neapstrādāts Vainot Vēsture 

  1. /*

  2.  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project

  3.  * 1999.

  4.  */

  5. /* ====================================================================

  6.  * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.

  7.  *

  8.  * Redistribution and use in source and binary forms, with or without

  9.  * modification, are permitted provided that the following conditions

  10.  * are met:

  11.  *

  12.  * 1. Redistributions of source code must retain the above copyright

  13.  *    notice, this list of conditions and the following disclaimer.

  14.  *

  15.  * 2. Redistributions in binary form must reproduce the above copyright

  16.  *    notice, this list of conditions and the following disclaimer in

  17.  *    the documentation and/or other materials provided with the

  18.  *    distribution.

  19.  *

  20.  * 3. All advertising materials mentioning features or use of this

  21.  *    software must display the following acknowledgment:

  22.  *    "This product includes software developed by the OpenSSL Project

  23.  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"

  24.  *

  25.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  26.  *    endorse or promote products derived from this software without

  27.  *    prior written permission. For written permission, please contact

  28.  *    licensing@OpenSSL.org.

  29.  *

  30.  * 5. Products derived from this software may not be called "OpenSSL"

  31.  *    nor may "OpenSSL" appear in their names without prior written

  32.  *    permission of the OpenSSL Project.

  33.  *

  34.  * 6. Redistributions of any form whatsoever must retain the following

  35.  *    acknowledgment:

  36.  *    "This product includes software developed by the OpenSSL Project

  37.  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"

  38.  *

  39.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  40.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  41.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  42.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  43.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  44.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  45.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  46.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  48.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  49.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  50.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  51.  * ====================================================================

  52.  *

  53.  * This product includes cryptographic software written by Eric Young

  54.  * (eay@cryptsoft.com).  This product includes software written by Tim

  55.  * Hudson (tjh@cryptsoft.com). */

  56. 

  57. #include <stdarg.h>

  58. #include <string.h>

  59. 

  60. #include <gtest/gtest.h>

  61. 

  62. #include <openssl/crypto.h>

  63. #include <openssl/mem.h>

  64. #include <openssl/x509.h>

  65. #include <openssl/x509v3.h>

  66. 

  67. #include "../internal.h"

  68. 

  69. 

  70. static const char *const names[] = {

  71.     "a", "b", ".", "*", "@",

  72.     ".a", "a.", ".b", "b.", ".*", "*.", "*@", "@*", "a@", "@a", "b@", "..",

  73.     "-example.com", "example-.com",

  74.     "@@", "**", "*.com", "*com", "*.*.com", "*com", "com*", "*example.com",

  75.     "*@example.com", "test@*.example.com", "example.com", "www.example.com",

  76.     "test.www.example.com", "*.example.com", "*.www.example.com",

  77.     "test.*.example.com", "www.*.com",

  78.     ".www.example.com", "*www.example.com",

  79.     "example.net", "xn--rger-koa.example.com",

  80.     "*.xn--rger-koa.example.com", "www.xn--rger-koa.example.com",

  81.     "*.good--example.com", "www.good--example.com",

  82.     "*.xn--bar.com", "xn--foo.xn--bar.com",

  83.     "a.example.com", "b.example.com",

  84.     "postmaster@example.com", "Postmaster@example.com",

  85.     "postmaster@EXAMPLE.COM",

  86.     NULL

  87. };

  88. 

  89. static const char *const exceptions[] = {

  90.     "set CN: host: [*.example.com] matches [a.example.com]",

  91.     "set CN: host: [*.example.com] matches [b.example.com]",

  92.     "set CN: host: [*.example.com] matches [www.example.com]",

  93.     "set CN: host: [*.example.com] matches [xn--rger-koa.example.com]",

  94.     "set CN: host: [*.www.example.com] matches [test.www.example.com]",

  95.     "set CN: host: [*.www.example.com] matches [.www.example.com]",

  96.     "set CN: host: [*www.example.com] matches [www.example.com]",

  97.     "set CN: host: [test.www.example.com] matches [.www.example.com]",

  98.     "set CN: host: [*.xn--rger-koa.example.com] matches [www.xn--rger-koa.example.com]",

  99.     "set CN: host: [*.xn--bar.com] matches [xn--foo.xn--bar.com]",

  100.     "set CN: host: [*.good--example.com] matches [www.good--example.com]",

  101.     "set CN: host-no-wildcards: [*.www.example.com] matches [.www.example.com]",

  102.     "set CN: host-no-wildcards: [test.www.example.com] matches [.www.example.com]",

  103.     "set emailAddress: email: [postmaster@example.com] does not match [Postmaster@example.com]",

  104.     "set emailAddress: email: [postmaster@EXAMPLE.COM] does not match [Postmaster@example.com]",

  105.     "set emailAddress: email: [Postmaster@example.com] does not match [postmaster@example.com]",

  106.     "set emailAddress: email: [Postmaster@example.com] does not match [postmaster@EXAMPLE.COM]",

  107.     "set dnsName: host: [*.example.com] matches [www.example.com]",

  108.     "set dnsName: host: [*.example.com] matches [a.example.com]",

  109.     "set dnsName: host: [*.example.com] matches [b.example.com]",

  110.     "set dnsName: host: [*.example.com] matches [xn--rger-koa.example.com]",

  111.     "set dnsName: host: [*.www.example.com] matches [test.www.example.com]",

  112.     "set dnsName: host-no-wildcards: [*.www.example.com] matches [.www.example.com]",

  113.     "set dnsName: host-no-wildcards: [test.www.example.com] matches [.www.example.com]",

  114.     "set dnsName: host: [*.www.example.com] matches [.www.example.com]",

  115.     "set dnsName: host: [*www.example.com] matches [www.example.com]",

  116.     "set dnsName: host: [test.www.example.com] matches [.www.example.com]",

  117.     "set dnsName: host: [*.xn--rger-koa.example.com] matches [www.xn--rger-koa.example.com]",

  118.     "set dnsName: host: [*.xn--bar.com] matches [xn--foo.xn--bar.com]",

  119.     "set dnsName: host: [*.good--example.com] matches [www.good--example.com]",

  120.     "set rfc822Name: email: [postmaster@example.com] does not match [Postmaster@example.com]",

  121.     "set rfc822Name: email: [Postmaster@example.com] does not match [postmaster@example.com]",

  122.     "set rfc822Name: email: [Postmaster@example.com] does not match [postmaster@EXAMPLE.COM]",

  123.     "set rfc822Name: email: [postmaster@EXAMPLE.COM] does not match [Postmaster@example.com]",

  124.     NULL

  125. };

  126. 

  127. static int is_exception(const char *msg)

  128. {

  129.     const char *const *p;

  130.     for (p = exceptions; *p; ++p)

  131.         if (strcmp(msg, *p) == 0)

  132.             return 1;

  133.     return 0;

  134. }

  135. 

  136. static int set_cn(X509 *crt, ...)

  137. {

  138.     int ret = 0;

  139.     X509_NAME *n = NULL;

  140.     va_list ap;

  141.     va_start(ap, crt);

  142.     n = X509_NAME_new();

  143.     if (n == NULL)

  144.         goto out;

  145.     while (1) {

  146.         int nid;

  147.         const char *name;

  148.         nid = va_arg(ap, int);

  149.         if (nid == 0)

  150.             break;

  151.         name = va_arg(ap, const char *);

  152.         if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_ASC,

  153.                                         (unsigned char *)name, -1, -1, 1))

  154.             goto out;

  155.     }

  156.     if (!X509_set_subject_name(crt, n))

  157.         goto out;

  158.     ret = 1;

  159.  out:

  160.     X509_NAME_free(n);

  161.     va_end(ap);

  162.     return ret;

  163. }

  164. 

  165. /*

  166.  * int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc); X509_EXTENSION

  167.  * *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid, int crit,

  168.  * ASN1_OCTET_STRING *data); int X509_add_ext(X509 *x, X509_EXTENSION *ex,

  169.  * int loc);

  170.  */

  171. 

  172. static int set_altname(X509 *crt, ...)

  173. {

  174.     int ret = 0;

  175.     GENERAL_NAMES *gens = NULL;

  176.     GENERAL_NAME *gen = NULL;

  177.     ASN1_IA5STRING *ia5 = NULL;

  178.     va_list ap;

  179.     va_start(ap, crt);

  180.     gens = sk_GENERAL_NAME_new_null();

  181.     if (gens == NULL)

  182.         goto out;

  183.     while (1) {

  184.         int type;

  185.         const char *name;

  186.         type = va_arg(ap, int);

  187.         if (type == 0)

  188.             break;

  189.         name = va_arg(ap, const char *);

  190. 

  191.         gen = GENERAL_NAME_new();

  192.         if (gen == NULL)

  193.             goto out;

  194.         ia5 = ASN1_IA5STRING_new();

  195.         if (ia5 == NULL)

  196.             goto out;

  197.         if (!ASN1_STRING_set(ia5, name, -1))

  198.             goto out;

  199.         switch (type) {

  200.         case GEN_EMAIL:

  201.         case GEN_DNS:

  202.             GENERAL_NAME_set0_value(gen, type, ia5);

  203.             ia5 = NULL;

  204.             break;

  205.         default:

  206.             abort();

  207.         }

  208.         sk_GENERAL_NAME_push(gens, gen);

  209.         gen = NULL;

  210.     }

  211.     if (!X509_add1_ext_i2d(crt, NID_subject_alt_name, gens, 0, 0))

  212.         goto out;

  213.     ret = 1;

  214.  out:

  215.     ASN1_IA5STRING_free(ia5);

  216.     GENERAL_NAME_free(gen);

  217.     GENERAL_NAMES_free(gens);

  218.     va_end(ap);

  219.     return ret;

  220. }

  221. 

  222. static int set_cn1(X509 *crt, const char *name)

  223. {

  224.     return set_cn(crt, NID_commonName, name, 0);

  225. }

  226. 

  227. static int set_cn_and_email(X509 *crt, const char *name)

  228. {

  229.     return set_cn(crt, NID_commonName, name,

  230.                   NID_pkcs9_emailAddress, "dummy@example.com", 0);

  231. }

  232. 

  233. static int set_cn2(X509 *crt, const char *name)

  234. {

  235.     return set_cn(crt, NID_commonName, "dummy value",

  236.                   NID_commonName, name, 0);

  237. }

  238. 

  239. static int set_cn3(X509 *crt, const char *name)

  240. {

  241.     return set_cn(crt, NID_commonName, name,

  242.                   NID_commonName, "dummy value", 0);

  243. }

  244. 

  245. static int set_email1(X509 *crt, const char *name)

  246. {

  247.     return set_cn(crt, NID_pkcs9_emailAddress, name, 0);

  248. }

  249. 

  250. static int set_email2(X509 *crt, const char *name)

  251. {

  252.     return set_cn(crt, NID_pkcs9_emailAddress, "dummy@example.com",

  253.                   NID_pkcs9_emailAddress, name, 0);

  254. }

  255. 

  256. static int set_email3(X509 *crt, const char *name)

  257. {

  258.     return set_cn(crt, NID_pkcs9_emailAddress, name,

  259.                   NID_pkcs9_emailAddress, "dummy@example.com", 0);

  260. }

  261. 

  262. static int set_email_and_cn(X509 *crt, const char *name)

  263. {

  264.     return set_cn(crt, NID_pkcs9_emailAddress, name,

  265.                   NID_commonName, "www.example.org", 0);

  266. }

  267. 

  268. static int set_altname_dns(X509 *crt, const char *name)

  269. {

  270.     return set_altname(crt, GEN_DNS, name, 0);

  271. }

  272. 

  273. static int set_altname_email(X509 *crt, const char *name)

  274. {

  275.     return set_altname(crt, GEN_EMAIL, name, 0);

  276. }

  277. 

  278. struct set_name_fn {

  279.     int (*fn) (X509 *, const char *);

  280.     const char *name;

  281.     int host;

  282.     int email;

  283. };

  284. 

  285. static const struct set_name_fn name_fns[] = {

  286.     {set_cn1, "set CN", 1, 0},

  287.     {set_cn2, "set CN", 1, 0},

  288.     {set_cn3, "set CN", 1, 0},

  289.     {set_cn_and_email, "set CN", 1, 0},

  290.     {set_email1, "set emailAddress", 0, 1},

  291.     {set_email2, "set emailAddress", 0, 1},

  292.     {set_email3, "set emailAddress", 0, 1},

  293.     {set_email_and_cn, "set emailAddress", 0, 1},

  294.     {set_altname_dns, "set dnsName", 1, 0},

  295.     {set_altname_email, "set rfc822Name", 0, 1},

  296.     {NULL, NULL, 0, 0},

  297. };

  298. 

  299. static X509 *make_cert(void)

  300. {

  301.     X509 *ret = NULL;

  302.     X509 *crt = NULL;

  303.     X509_NAME *issuer = NULL;

  304.     crt = X509_new();

  305.     if (crt == NULL)

  306.         goto out;

  307.     if (!X509_set_version(crt, 3))

  308.         goto out;

  309.     ret = crt;

  310.     crt = NULL;

  311.  out:

  312.     X509_NAME_free(issuer);

  313.     return ret;

  314. }

  315. 

  316. static int errors;

  317. 

  318. static void check_message(const struct set_name_fn *fn, const char *op,

  319.                           const char *nameincert, int match, const char *name)

  320. {

  321.     char msg[1024];

  322.     if (match < 0)

  323.         return;

  324.     BIO_snprintf(msg, sizeof(msg), "%s: %s: [%s] %s [%s]",

  325.                  fn->name, op, nameincert,

  326.                  match ? "matches" : "does not match", name);

  327.     if (is_exception(msg))

  328.         return;

  329.     puts(msg);

  330.     ++errors;

  331. }

  332. 

  333. static void run_cert(X509 *crt, const char *nameincert,

  334.                      const struct set_name_fn *fn)

  335. {

  336.     const char *const *pname = names;

  337.     while (*pname) {

  338.         int samename = OPENSSL_strcasecmp(nameincert, *pname) == 0;

  339.         size_t namelen = strlen(*pname);

  340.         char *name = (char *)malloc(namelen);

  341.         int match, ret;

  342.         OPENSSL_memcpy(name, *pname, namelen);

  343. 

  344.         ret = X509_check_host(crt, name, namelen, 0, NULL);

  345.         match = -1;

  346.         if (ret < 0) {

  347.             fprintf(stderr, "internal error in X509_check_host");

  348.             ++errors;

  349.         } else if (fn->host) {

  350.             if (ret == 1 && !samename)

  351.                 match = 1;

  352.             if (ret == 0 && samename)

  353.                 match = 0;

  354.         } else if (ret == 1)

  355.             match = 1;

  356.         check_message(fn, "host", nameincert, match, *pname);

  357. 

  358.         ret = X509_check_host(crt, name, namelen,

  359.                               X509_CHECK_FLAG_NO_WILDCARDS, NULL);

  360.         match = -1;

  361.         if (ret < 0) {

  362.             fprintf(stderr, "internal error in X509_check_host");

  363.             ++errors;

  364.         } else if (fn->host) {

  365.             if (ret == 1 && !samename)

  366.                 match = 1;

  367.             if (ret == 0 && samename)

  368.                 match = 0;

  369.         } else if (ret == 1)

  370.             match = 1;

  371.         check_message(fn, "host-no-wildcards", nameincert, match, *pname);

  372. 

  373.         ret = X509_check_email(crt, name, namelen, 0);

  374.         match = -1;

  375.         if (fn->email) {

  376.             if (ret && !samename)

  377.                 match = 1;

  378.             if (!ret && samename && strchr(nameincert, '@') != NULL)

  379.                 match = 0;

  380.         } else if (ret)

  381.             match = 1;

  382.         check_message(fn, "email", nameincert, match, *pname);

  383.         ++pname;

  384.         free(name);

  385.     }

  386. }

  387. 

  388. // TOOD(davidben): Convert this test to GTest more thoroughly.

  389. TEST(X509V3Test, NameTest) {

  390.     const struct set_name_fn *pfn = name_fns;

  391.     while (pfn->name) {

  392.         const char *const *pname = names;

  393.         while (*pname) {

  394.             bssl::UniquePtr<X509> crt(make_cert());

  395.             ASSERT_TRUE(crt);

  396.             ASSERT_TRUE(pfn->fn(crt.get(), *pname));

  397.             run_cert(crt.get(), *pname, pfn);

  398.             ++pname;

  399.         }

  400.         ++pfn;

  401.     }

  402.     EXPECT_EQ(0, errors);

  403. }