1 /*
2 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
3 * 1999.
4 */
5 /* ====================================================================
6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com). */
56
57 #include <stdarg.h>
58 #include <string.h>
59
60 #include <gtest/gtest.h>
61
62 #include <openssl/crypto.h>
63 #include <openssl/mem.h>
64 #include <openssl/x509.h>
65 #include <openssl/x509v3.h>
66
67 #include "../internal.h"
68 #include "internal.h"
69
70
71 static const char *const names[] = {
72 "a", "b", ".", "*", "@",
73 ".a", "a.", ".b", "b.", ".*", "*.", "*@", "@*", "a@", "@a", "b@", "..",
74 "-example.com", "example-.com",
75 "@@", "**", "*.com", "*com", "*.*.com", "*com", "com*", "*example.com",
76 "*@example.com", "test@*.example.com", "example.com", "www.example.com",
77 "test.www.example.com", "*.example.com", "*.www.example.com",
78 "test.*.example.com", "www.*.com",
79 ".www.example.com", "*www.example.com",
80 "example.net", "xn--rger-koa.example.com",
81 "*.xn--rger-koa.example.com", "www.xn--rger-koa.example.com",
82 "*.good--example.com", "www.good--example.com",
83 "*.xn--bar.com", "xn--foo.xn--bar.com",
84 "a.example.com", "b.example.com",
85 "postmaster@example.com", "Postmaster@example.com",
86 "postmaster@EXAMPLE.COM",
87 NULL
88 };
89
90 static const char *const exceptions[] = {
91 "set CN: host: [*.example.com] matches [a.example.com]",
92 "set CN: host: [*.example.com] matches [b.example.com]",
93 "set CN: host: [*.example.com] matches [www.example.com]",
94 "set CN: host: [*.example.com] matches [xn--rger-koa.example.com]",
95 "set CN: host: [*.www.example.com] matches [test.www.example.com]",
96 "set CN: host: [*.www.example.com] matches [.www.example.com]",
97 "set CN: host: [*www.example.com] matches [www.example.com]",
98 "set CN: host: [test.www.example.com] matches [.www.example.com]",
99 "set CN: host: [*.xn--rger-koa.example.com] matches [www.xn--rger-koa.example.com]",
100 "set CN: host: [*.xn--bar.com] matches [xn--foo.xn--bar.com]",
101 "set CN: host: [*.good--example.com] matches [www.good--example.com]",
102 "set CN: host-no-wildcards: [*.www.example.com] matches [.www.example.com]",
103 "set CN: host-no-wildcards: [test.www.example.com] matches [.www.example.com]",
104 "set emailAddress: email: [postmaster@example.com] does not match [Postmaster@example.com]",
105 "set emailAddress: email: [postmaster@EXAMPLE.COM] does not match [Postmaster@example.com]",
106 "set emailAddress: email: [Postmaster@example.com] does not match [postmaster@example.com]",
107 "set emailAddress: email: [Postmaster@example.com] does not match [postmaster@EXAMPLE.COM]",
108 "set dnsName: host: [*.example.com] matches [www.example.com]",
109 "set dnsName: host: [*.example.com] matches [a.example.com]",
110 "set dnsName: host: [*.example.com] matches [b.example.com]",
111 "set dnsName: host: [*.example.com] matches [xn--rger-koa.example.com]",
112 "set dnsName: host: [*.www.example.com] matches [test.www.example.com]",
113 "set dnsName: host-no-wildcards: [*.www.example.com] matches [.www.example.com]",
114 "set dnsName: host-no-wildcards: [test.www.example.com] matches [.www.example.com]",
115 "set dnsName: host: [*.www.example.com] matches [.www.example.com]",
116 "set dnsName: host: [*www.example.com] matches [www.example.com]",
117 "set dnsName: host: [test.www.example.com] matches [.www.example.com]",
118 "set dnsName: host: [*.xn--rger-koa.example.com] matches [www.xn--rger-koa.example.com]",
119 "set dnsName: host: [*.xn--bar.com] matches [xn--foo.xn--bar.com]",
120 "set dnsName: host: [*.good--example.com] matches [www.good--example.com]",
121 "set rfc822Name: email: [postmaster@example.com] does not match [Postmaster@example.com]",
122 "set rfc822Name: email: [Postmaster@example.com] does not match [postmaster@example.com]",
123 "set rfc822Name: email: [Postmaster@example.com] does not match [postmaster@EXAMPLE.COM]",
124 "set rfc822Name: email: [postmaster@EXAMPLE.COM] does not match [Postmaster@example.com]",
125 NULL
126 };
127
is_exception(const char * msg)128 static int is_exception(const char *msg)
129 {
130 const char *const *p;
131 for (p = exceptions; *p; ++p)
132 if (strcmp(msg, *p) == 0)
133 return 1;
134 return 0;
135 }
136
set_cn(X509 * crt,...)137 static int set_cn(X509 *crt, ...)
138 {
139 int ret = 0;
140 X509_NAME *n = NULL;
141 va_list ap;
142 va_start(ap, crt);
143 n = X509_NAME_new();
144 if (n == NULL)
145 goto out;
146 while (1) {
147 int nid;
148 const char *name;
149 nid = va_arg(ap, int);
150 if (nid == 0)
151 break;
152 name = va_arg(ap, const char *);
153 if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_ASC,
154 (unsigned char *)name, -1, -1, 1))
155 goto out;
156 }
157 if (!X509_set_subject_name(crt, n))
158 goto out;
159 ret = 1;
160 out:
161 X509_NAME_free(n);
162 va_end(ap);
163 return ret;
164 }
165
166 /*
167 * int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc); X509_EXTENSION
168 * *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid, int crit,
169 * ASN1_OCTET_STRING *data); int X509_add_ext(X509 *x, X509_EXTENSION *ex,
170 * int loc);
171 */
172
set_altname(X509 * crt,...)173 static int set_altname(X509 *crt, ...)
174 {
175 int ret = 0;
176 GENERAL_NAMES *gens = NULL;
177 GENERAL_NAME *gen = NULL;
178 ASN1_IA5STRING *ia5 = NULL;
179 va_list ap;
180 va_start(ap, crt);
181 gens = sk_GENERAL_NAME_new_null();
182 if (gens == NULL)
183 goto out;
184 while (1) {
185 int type;
186 const char *name;
187 type = va_arg(ap, int);
188 if (type == 0)
189 break;
190 name = va_arg(ap, const char *);
191
192 gen = GENERAL_NAME_new();
193 if (gen == NULL)
194 goto out;
195 ia5 = ASN1_IA5STRING_new();
196 if (ia5 == NULL)
197 goto out;
198 if (!ASN1_STRING_set(ia5, name, -1))
199 goto out;
200 switch (type) {
201 case GEN_EMAIL:
202 case GEN_DNS:
203 GENERAL_NAME_set0_value(gen, type, ia5);
204 ia5 = NULL;
205 break;
206 default:
207 abort();
208 }
209 sk_GENERAL_NAME_push(gens, gen);
210 gen = NULL;
211 }
212 if (!X509_add1_ext_i2d(crt, NID_subject_alt_name, gens, 0, 0))
213 goto out;
214 ret = 1;
215 out:
216 ASN1_IA5STRING_free(ia5);
217 GENERAL_NAME_free(gen);
218 GENERAL_NAMES_free(gens);
219 va_end(ap);
220 return ret;
221 }
222
set_cn1(X509 * crt,const char * name)223 static int set_cn1(X509 *crt, const char *name)
224 {
225 return set_cn(crt, NID_commonName, name, 0);
226 }
227
set_cn_and_email(X509 * crt,const char * name)228 static int set_cn_and_email(X509 *crt, const char *name)
229 {
230 return set_cn(crt, NID_commonName, name,
231 NID_pkcs9_emailAddress, "dummy@example.com", 0);
232 }
233
set_cn2(X509 * crt,const char * name)234 static int set_cn2(X509 *crt, const char *name)
235 {
236 return set_cn(crt, NID_commonName, "dummy value",
237 NID_commonName, name, 0);
238 }
239
set_cn3(X509 * crt,const char * name)240 static int set_cn3(X509 *crt, const char *name)
241 {
242 return set_cn(crt, NID_commonName, name,
243 NID_commonName, "dummy value", 0);
244 }
245
set_email1(X509 * crt,const char * name)246 static int set_email1(X509 *crt, const char *name)
247 {
248 return set_cn(crt, NID_pkcs9_emailAddress, name, 0);
249 }
250
set_email2(X509 * crt,const char * name)251 static int set_email2(X509 *crt, const char *name)
252 {
253 return set_cn(crt, NID_pkcs9_emailAddress, "dummy@example.com",
254 NID_pkcs9_emailAddress, name, 0);
255 }
256
set_email3(X509 * crt,const char * name)257 static int set_email3(X509 *crt, const char *name)
258 {
259 return set_cn(crt, NID_pkcs9_emailAddress, name,
260 NID_pkcs9_emailAddress, "dummy@example.com", 0);
261 }
262
set_email_and_cn(X509 * crt,const char * name)263 static int set_email_and_cn(X509 *crt, const char *name)
264 {
265 return set_cn(crt, NID_pkcs9_emailAddress, name,
266 NID_commonName, "www.example.org", 0);
267 }
268
set_altname_dns(X509 * crt,const char * name)269 static int set_altname_dns(X509 *crt, const char *name)
270 {
271 return set_altname(crt, GEN_DNS, name, 0);
272 }
273
set_altname_email(X509 * crt,const char * name)274 static int set_altname_email(X509 *crt, const char *name)
275 {
276 return set_altname(crt, GEN_EMAIL, name, 0);
277 }
278
279 struct set_name_fn {
280 int (*fn) (X509 *, const char *);
281 const char *name;
282 int host;
283 int email;
284 };
285
286 static const struct set_name_fn name_fns[] = {
287 {set_cn1, "set CN", 1, 0},
288 {set_cn2, "set CN", 1, 0},
289 {set_cn3, "set CN", 1, 0},
290 {set_cn_and_email, "set CN", 1, 0},
291 {set_email1, "set emailAddress", 0, 1},
292 {set_email2, "set emailAddress", 0, 1},
293 {set_email3, "set emailAddress", 0, 1},
294 {set_email_and_cn, "set emailAddress", 0, 1},
295 {set_altname_dns, "set dnsName", 1, 0},
296 {set_altname_email, "set rfc822Name", 0, 1},
297 {NULL, NULL, 0, 0},
298 };
299
make_cert(void)300 static X509 *make_cert(void)
301 {
302 X509 *ret = NULL;
303 X509 *crt = NULL;
304 X509_NAME *issuer = NULL;
305 crt = X509_new();
306 if (crt == NULL)
307 goto out;
308 if (!X509_set_version(crt, 3))
309 goto out;
310 ret = crt;
311 crt = NULL;
312 out:
313 X509_NAME_free(issuer);
314 return ret;
315 }
316
317 static int errors;
318
check_message(const struct set_name_fn * fn,const char * op,const char * nameincert,int match,const char * name)319 static void check_message(const struct set_name_fn *fn, const char *op,
320 const char *nameincert, int match, const char *name)
321 {
322 char msg[1024];
323 if (match < 0)
324 return;
325 BIO_snprintf(msg, sizeof(msg), "%s: %s: [%s] %s [%s]",
326 fn->name, op, nameincert,
327 match ? "matches" : "does not match", name);
328 if (is_exception(msg))
329 return;
330 puts(msg);
331 ++errors;
332 }
333
run_cert(X509 * crt,const char * nameincert,const struct set_name_fn * fn)334 static void run_cert(X509 *crt, const char *nameincert,
335 const struct set_name_fn *fn)
336 {
337 const char *const *pname = names;
338 while (*pname) {
339 int samename = OPENSSL_strcasecmp(nameincert, *pname) == 0;
340 size_t namelen = strlen(*pname);
341 char *name = (char *)malloc(namelen);
342 int match, ret;
343 OPENSSL_memcpy(name, *pname, namelen);
344
345 ret = X509_check_host(crt, name, namelen, 0, NULL);
346 match = -1;
347 if (ret < 0) {
348 fprintf(stderr, "internal error in X509_check_host\n");
349 ++errors;
350 } else if (fn->host) {
351 if (ret == 1 && !samename)
352 match = 1;
353 if (ret == 0 && samename)
354 match = 0;
355 } else if (ret == 1)
356 match = 1;
357 check_message(fn, "host", nameincert, match, *pname);
358
359 ret = X509_check_host(crt, name, namelen,
360 X509_CHECK_FLAG_NO_WILDCARDS, NULL);
361 match = -1;
362 if (ret < 0) {
363 fprintf(stderr, "internal error in X509_check_host\n");
364 ++errors;
365 } else if (fn->host) {
366 if (ret == 1 && !samename)
367 match = 1;
368 if (ret == 0 && samename)
369 match = 0;
370 } else if (ret == 1)
371 match = 1;
372 check_message(fn, "host-no-wildcards", nameincert, match, *pname);
373
374 ret = X509_check_email(crt, name, namelen, 0);
375 match = -1;
376 if (fn->email) {
377 if (ret && !samename)
378 match = 1;
379 if (!ret && samename && strchr(nameincert, '@') != NULL)
380 match = 0;
381 } else if (ret)
382 match = 1;
383 check_message(fn, "email", nameincert, match, *pname);
384 ++pname;
385 free(name);
386 }
387 }
388
389 // TODO(davidben): Convert this test to GTest more thoroughly.
TEST(X509V3Test,NameTest)390 TEST(X509V3Test, NameTest) {
391 const struct set_name_fn *pfn = name_fns;
392 while (pfn->name) {
393 const char *const *pname = names;
394 while (*pname) {
395 // The common name fallback requires the name look sufficiently
396 // DNS-like.
397 if (strcmp(pfn->name, "set CN") == 0 &&
398 !x509v3_looks_like_dns_name(
399 reinterpret_cast<const unsigned char*>(*pname),
400 strlen(*pname))) {
401 ++pname;
402 continue;
403 }
404 bssl::UniquePtr<X509> crt(make_cert());
405 ASSERT_TRUE(crt);
406 ASSERT_TRUE(pfn->fn(crt.get(), *pname));
407 run_cert(crt.get(), *pname, pfn);
408 ++pname;
409 }
410 ++pfn;
411 }
412 EXPECT_EQ(0, errors);
413 }
414