kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
893 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: ac6900b0d3
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ac6900b0d3'
${ noResults }
boringssl/crypto/x509v3/v3nametest.c

424 lines
12 KiB
Raw Blame History 

  1. /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL

  2.  * project 1999. */

  3. /* ====================================================================

  4.  * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.

  5.  *

  6.  * Redistribution and use in source and binary forms, with or without

  7.  * modification, are permitted provided that the following conditions

  8.  * are met:

  9.  *

  10.  * 1. Redistributions of source code must retain the above copyright

  11.  *    notice, this list of conditions and the following disclaimer. 

  12.  *

  13.  * 2. Redistributions in binary form must reproduce the above copyright

  14.  *    notice, this list of conditions and the following disclaimer in

  15.  *    the documentation and/or other materials provided with the

  16.  *    distribution.

  17.  *

  18.  * 3. All advertising materials mentioning features or use of this

  19.  *    software must display the following acknowledgment:

  20.  *    "This product includes software developed by the OpenSSL Project

  21.  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"

  22.  *

  23.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  24.  *    endorse or promote products derived from this software without

  25.  *    prior written permission. For written permission, please contact

  26.  *    licensing@OpenSSL.org.

  27.  *

  28.  * 5. Products derived from this software may not be called "OpenSSL"

  29.  *    nor may "OpenSSL" appear in their names without prior written

  30.  *    permission of the OpenSSL Project.

  31.  *

  32.  * 6. Redistributions of any form whatsoever must retain the following

  33.  *    acknowledgment:

  34.  *    "This product includes software developed by the OpenSSL Project

  35.  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"

  36.  *

  37.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  38.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  39.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  40.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  41.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  42.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  43.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  44.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  45.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  46.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  47.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  48.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  49.  * ====================================================================

  50.  *

  51.  * This product includes cryptographic software written by Eric Young

  52.  * (eay@cryptsoft.com).  This product includes software written by Tim

  53.  * Hudson (tjh@cryptsoft.com). */

  54. 

  55. #include <string.h>

  56. 

  57. #include <openssl/crypto.h>

  58. #include <openssl/mem.h>

  59. #include <openssl/x509.h>

  60. #include <openssl/x509v3.h>

  61. 

  62. 

  63. static const char *const names[] =

  64. 	{

  65. 	"a", "b", ".", "*", "@",

  66. 	".a", "a.", ".b", "b.", ".*", "*.", "*@", "@*", "a@", "@a", "b@", "..",

  67. 	"@@", "**", "*.com", "*com", "*.*.com", "*com", "com*", "*example.com",

  68. 	"*@example.com", "test@*.example.com", "example.com", "www.example.com",

  69. 	"test.www.example.com", "*.example.com", "*.www.example.com",

  70. 	"test.*.example.com", "www.*.com",

  71. 	".www.example.com", "*www.example.com",

  72. 	"example.net", "xn--rger-koa.example.com",

  73. 	"a.example.com", "b.example.com",

  74. 	"postmaster@example.com", "Postmaster@example.com",

  75. 	"postmaster@EXAMPLE.COM",

  76. 	NULL

  77. 	};

  78. 

  79. static const char *const exceptions[] =

  80. 	{

  81. 	"set CN: host: [*.example.com] matches [a.example.com]",

  82. 	"set CN: host: [*.example.com] matches [b.example.com]",

  83. 	"set CN: host: [*.example.com] matches [www.example.com]",

  84. 	"set CN: host: [*.example.com] matches [xn--rger-koa.example.com]",

  85. 	"set CN: host: [*.www.example.com] matches [test.www.example.com]",

  86. 	"set CN: host: [*.www.example.com] matches [.www.example.com]",

  87. 	"set CN: host: [*www.example.com] matches [www.example.com]",

  88. 	"set CN: host: [test.www.example.com] matches [.www.example.com]",

  89. 	"set CN: host-no-wildcards: [*.www.example.com] matches [.www.example.com]",

  90. 	"set CN: host-no-wildcards: [test.www.example.com] matches [.www.example.com]",

  91. 	"set emailAddress: email: [postmaster@example.com] does not match [Postmaster@example.com]",

  92. 	"set emailAddress: email: [postmaster@EXAMPLE.COM] does not match [Postmaster@example.com]",

  93. 	"set emailAddress: email: [Postmaster@example.com] does not match [postmaster@example.com]",

  94. 	"set emailAddress: email: [Postmaster@example.com] does not match [postmaster@EXAMPLE.COM]",

  95. 	"set dnsName: host: [*.example.com] matches [www.example.com]",

  96. 	"set dnsName: host: [*.example.com] matches [a.example.com]",

  97. 	"set dnsName: host: [*.example.com] matches [b.example.com]",

  98. 	"set dnsName: host: [*.example.com] matches [xn--rger-koa.example.com]",

  99. 	"set dnsName: host: [*.www.example.com] matches [test.www.example.com]",

  100. 	"set dnsName: host-no-wildcards: [*.www.example.com] matches [.www.example.com]",

  101. 	"set dnsName: host-no-wildcards: [test.www.example.com] matches [.www.example.com]",

  102. 	"set dnsName: host: [*.www.example.com] matches [.www.example.com]",

  103. 	"set dnsName: host: [*www.example.com] matches [www.example.com]",

  104. 	"set dnsName: host: [test.www.example.com] matches [.www.example.com]",

  105. 	"set rfc822Name: email: [postmaster@example.com] does not match [Postmaster@example.com]",

  106. 	"set rfc822Name: email: [Postmaster@example.com] does not match [postmaster@example.com]",

  107. 	"set rfc822Name: email: [Postmaster@example.com] does not match [postmaster@EXAMPLE.COM]",

  108. 	"set rfc822Name: email: [postmaster@EXAMPLE.COM] does not match [Postmaster@example.com]",

  109. 	NULL

  110. 	};

  111. 

  112. static int is_exception(const char *msg)

  113. 	{

  114. 	const char *const *p;

  115. 	for (p = exceptions; *p; ++p)

  116. 		if (strcmp(msg, *p) == 0)

  117. 			return 1;

  118. 	return 0;

  119. 	}

  120. 

  121. static int set_cn(X509 *crt, ...)

  122. 	{

  123. 	int ret = 0;

  124. 	X509_NAME *n = NULL;

  125. 	va_list ap;

  126. 	va_start(ap, crt);

  127. 	n = X509_NAME_new();

  128. 	if (n == NULL)

  129. 		goto out;

  130. 	while (1) {

  131. 		int nid;

  132. 		const char *name;

  133. 		nid = va_arg(ap, int);

  134. 		if (nid == 0)

  135. 			break;

  136. 		name = va_arg(ap, const char *);

  137. 		if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_ASC,

  138. 							(unsigned char *)name,

  139. 						-1, -1, 1))

  140. 			goto out;

  141. 	}

  142. 	if (!X509_set_subject_name(crt, n))

  143. 		goto out;

  144. 	ret = 1;

  145.  out:

  146. 	X509_NAME_free(n);

  147. 	va_end(ap);

  148. 	return ret;

  149. 	}

  150. 

  151. /*

  152. int		X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);

  153. X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex,

  154. 			int nid, int crit, ASN1_OCTET_STRING *data);

  155. int		X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);

  156. */

  157. 

  158. static int set_altname(X509 *crt, ...)

  159. 	{

  160. 	int ret = 0;

  161. 	GENERAL_NAMES *gens = NULL;

  162. 	GENERAL_NAME *gen = NULL;

  163. 	ASN1_IA5STRING *ia5 = NULL;

  164. 	va_list ap;

  165. 	va_start(ap, crt);

  166. 	gens = sk_GENERAL_NAME_new_null();

  167. 	if (gens == NULL)

  168. 		goto out;

  169. 	while (1) {

  170. 		int type;

  171. 		const char *name;

  172. 		type = va_arg(ap, int);

  173. 		if (type == 0)

  174. 			break;

  175. 		name = va_arg(ap, const char *);

  176. 

  177. 		gen = GENERAL_NAME_new();

  178. 		if (gen == NULL)

  179. 			goto out;

  180. 		ia5 = ASN1_IA5STRING_new();

  181. 		if (ia5 == NULL)

  182. 			goto out;

  183. 		if (!ASN1_STRING_set(ia5, name, -1))

  184. 			goto out;

  185. 		switch (type)

  186. 			{

  187. 			case GEN_EMAIL:

  188. 			case GEN_DNS:

  189. 				GENERAL_NAME_set0_value(gen, type, ia5);

  190. 				ia5 = NULL;

  191. 				break;

  192. 			default:

  193. 				abort();

  194. 			}

  195. 		sk_GENERAL_NAME_push(gens, gen);

  196. 		gen = NULL;

  197. 	}

  198. 	if (!X509_add1_ext_i2d(crt, NID_subject_alt_name, gens, 0, 0))

  199. 		goto out;

  200. 	ret = 1;

  201.  out:

  202. 	ASN1_IA5STRING_free(ia5);

  203. 	GENERAL_NAME_free(gen);

  204. 	GENERAL_NAMES_free(gens);

  205. 	va_end(ap);

  206. 	return ret;

  207. 	}

  208. 

  209. static int set_cn1(X509 *crt, const char *name)

  210. 	{

  211. 	return set_cn(crt, NID_commonName, name, 0);

  212. 	}

  213. 

  214. 

  215. static int set_cn_and_email(X509 *crt, const char *name)

  216. 	{

  217. 	return set_cn(crt, NID_commonName, name,

  218. 		      NID_pkcs9_emailAddress, "dummy@example.com", 0);

  219. 	}

  220. 

  221. static int set_cn2(X509 *crt, const char *name)

  222. 	{

  223. 	return set_cn(crt, NID_commonName, "dummy value",

  224. 		      NID_commonName, name, 0);

  225. 	}

  226. 

  227. static int set_cn3(X509 *crt, const char *name)

  228. 	{

  229. 	return set_cn(crt, NID_commonName, name,

  230. 		      NID_commonName, "dummy value", 0);

  231. 	}

  232. 

  233. static int set_email1(X509 *crt, const char *name)

  234. 	{

  235. 	return set_cn(crt, NID_pkcs9_emailAddress, name, 0);

  236. 	}

  237. 

  238. static int set_email2(X509 *crt, const char *name)

  239. 	{

  240. 	return set_cn(crt, NID_pkcs9_emailAddress, "dummy@example.com",

  241. 		      NID_pkcs9_emailAddress, name, 0);

  242. 	}

  243. 

  244. static int set_email3(X509 *crt, const char *name)

  245. 	{

  246. 	return set_cn(crt, NID_pkcs9_emailAddress, name,

  247. 		      NID_pkcs9_emailAddress, "dummy@example.com", 0);

  248. 	}

  249. 

  250. static int set_email_and_cn(X509 *crt, const char *name)

  251. 	{

  252. 	return set_cn(crt, NID_pkcs9_emailAddress, name,

  253. 		      NID_commonName, "www.example.org", 0);

  254. 	}

  255. 

  256. static int set_altname_dns(X509 *crt, const char *name)

  257. 	{

  258. 	return set_altname(crt, GEN_DNS, name, 0);

  259. 	}

  260. 

  261. static int set_altname_email(X509 *crt, const char *name)

  262. 	{

  263. 	return set_altname(crt, GEN_EMAIL, name, 0);

  264. 	}

  265. 

  266. struct set_name_fn

  267. 	{

  268. 	int (*fn)(X509 *, const char *);

  269. 	const char *name;

  270. 	int host;

  271. 	int email;

  272. 	};

  273. 

  274. static const struct set_name_fn name_fns[] =

  275. 	{

  276. 	{set_cn1, "set CN", 1, 0},

  277. 	{set_cn2, "set CN", 1, 0},

  278. 	{set_cn3, "set CN", 1, 0},

  279. 	{set_cn_and_email, "set CN", 1, 0},

  280. 	{set_email1, "set emailAddress", 0, 1},

  281. 	{set_email2, "set emailAddress", 0, 1},

  282. 	{set_email3, "set emailAddress", 0, 1},

  283. 	{set_email_and_cn, "set emailAddress", 0, 1},

  284. 	{set_altname_dns, "set dnsName", 1, 0},

  285. 	{set_altname_email, "set rfc822Name", 0, 1},

  286. 	{NULL, NULL, 0}

  287. 	};

  288. 

  289. static X509 *make_cert(void)

  290. 	{

  291. 	X509 *ret = NULL;

  292. 	X509 *crt = NULL;

  293. 	X509_NAME *issuer = NULL;

  294. 	crt = X509_new();

  295. 	if (crt == NULL)

  296. 		goto out;

  297. 	if (!X509_set_version(crt, 3))

  298. 		goto out;

  299. 	ret = crt;

  300. 	crt = NULL;

  301.  out:

  302. 	X509_NAME_free(issuer);

  303. 	return ret;

  304. 	}

  305. 

  306. static int errors;

  307. 

  308. static void check_message(const struct set_name_fn *fn, const char *op,

  309. 			  const char *nameincert, int match, const char *name)

  310. 	{

  311. 	char msg[1024];

  312. 	if (match < 0)

  313. 		return;

  314. 	BIO_snprintf(msg, sizeof(msg), "%s: %s: [%s] %s [%s]",

  315. 		 fn->name, op, nameincert,

  316. 		 match ? "matches" : "does not match", name);

  317. 	if (is_exception(msg))

  318. 		return;

  319. 	puts(msg);

  320. 	++errors;

  321. 	}

  322. 

  323. static void run_cert(X509 *crt, const char *nameincert,

  324. 		     const struct set_name_fn *fn)

  325. 	{

  326. 	const char *const *pname = names;

  327. 	while (*pname)

  328. 		{

  329. 		int samename = OPENSSL_strcasecmp(nameincert, *pname) == 0;

  330. 		size_t namelen = strlen(*pname);

  331. 		char *name = malloc(namelen);

  332. 		int match, ret;

  333. 		memcpy(name, *pname, namelen);

  334. 

  335. 		ret = X509_check_host(crt, (const unsigned char *)name,

  336. 				      namelen, 0);

  337. 		match = -1;

  338. 		if (ret < 0)

  339. 			{

  340. 			fprintf(stderr, "internal error in X509_check_host");

  341. 			++errors;

  342. 			}

  343. 		else if (fn->host)

  344. 			{

  345. 			if (ret == 1 && !samename)

  346. 				match = 1;

  347. 			if (ret == 0 && samename)

  348. 				match = 0;

  349. 			}

  350. 		else if (ret == 1)

  351. 			match = 1;

  352. 		check_message(fn, "host", nameincert, match, *pname);

  353. 

  354. 		ret = X509_check_host(crt, (const unsigned char *)name,

  355. 				      namelen, X509_CHECK_FLAG_NO_WILDCARDS);

  356. 		match = -1;

  357. 		if (ret < 0)

  358. 			{

  359. 			fprintf(stderr, "internal error in X509_check_host");

  360. 			++errors;

  361. 			}

  362. 		else if (fn->host)

  363. 			{

  364. 			if (ret == 1 && !samename)

  365. 				match = 1;

  366. 			if (ret == 0 && samename)

  367. 				match = 0;

  368. 			}

  369. 		else if (ret == 1)

  370. 			match = 1;

  371. 		check_message(fn, "host-no-wildcards",

  372. 			      nameincert, match, *pname);

  373. 

  374. 		ret = X509_check_email(crt, (const unsigned char *)name,

  375. 				       namelen, 0);

  376. 		match = -1;

  377. 		if (fn->email)

  378. 			{

  379. 			if (ret && !samename)

  380. 				match = 1;

  381. 			if (!ret && samename && strchr(nameincert, '@') != NULL)

  382. 				match = 0;

  383. 			}

  384. 		else if (ret)

  385. 			match = 1;

  386. 		check_message(fn, "email", nameincert, match, *pname);

  387. 		++pname;

  388. 		free(name);

  389. 		}

  390. 	}

  391. 

  392. int

  393. main(void)

  394. 	{

  395. 	CRYPTO_library_init();

  396. 

  397. 	const struct set_name_fn *pfn = name_fns;

  398. 	while (pfn->name) {

  399. 		const char *const *pname = names;

  400. 		while (*pname)

  401. 			{

  402. 			X509 *crt = make_cert();

  403. 			if (crt == NULL)

  404. 				{

  405. 				fprintf(stderr, "make_cert failed\n");

  406. 				return 1;

  407. 				}

  408. 			if (!pfn->fn(crt, *pname))

  409. 				{

  410. 				fprintf(stderr, "X509 name setting failed\n");

  411. 				return 1;

  412. 				}

  413. 			run_cert(crt, *pname, pfn);

  414. 			X509_free(crt);

  415. 			++pname;

  416. 			}

  417. 		++pfn;

  418. 	}

  419. 	if (errors == 0) {

  420. 	  printf("PASS\n");

  421. 	}

  422. 	return errors > 0 ? 1 : 0;

  423. 	}