v3nametest.c 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366
  1. /*
  2. * Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <string.h>
  10. #include <openssl/e_os2.h>
  11. #include <openssl/x509.h>
  12. #include <openssl/x509v3.h>
  13. #include "internal/nelem.h"
  14. #include "testutil.h"
  15. #ifdef OPENSSL_SYS_WINDOWS
  16. # define strcasecmp _stricmp
  17. #endif
  18. static const char *const names[] = {
  19. "a", "b", ".", "*", "@",
  20. ".a", "a.", ".b", "b.", ".*", "*.", "*@", "@*", "a@", "@a", "b@", "..",
  21. "-example.com", "example-.com",
  22. "@@", "**", "*.com", "*com", "*.*.com", "*com", "com*", "*example.com",
  23. "*@example.com", "test@*.example.com", "example.com", "www.example.com",
  24. "test.www.example.com", "*.example.com", "*.www.example.com",
  25. "test.*.example.com", "www.*.com",
  26. ".www.example.com", "*www.example.com",
  27. "example.net", "xn--rger-koa.example.com",
  28. "*.xn--rger-koa.example.com", "www.xn--rger-koa.example.com",
  29. "*.good--example.com", "www.good--example.com",
  30. "*.xn--bar.com", "xn--foo.xn--bar.com",
  31. "a.example.com", "b.example.com",
  32. "postmaster@example.com", "Postmaster@example.com",
  33. "postmaster@EXAMPLE.COM",
  34. NULL
  35. };
  36. static const char *const exceptions[] = {
  37. "set CN: host: [*.example.com] matches [a.example.com]",
  38. "set CN: host: [*.example.com] matches [b.example.com]",
  39. "set CN: host: [*.example.com] matches [www.example.com]",
  40. "set CN: host: [*.example.com] matches [xn--rger-koa.example.com]",
  41. "set CN: host: [*.www.example.com] matches [test.www.example.com]",
  42. "set CN: host: [*.www.example.com] matches [.www.example.com]",
  43. "set CN: host: [*www.example.com] matches [www.example.com]",
  44. "set CN: host: [test.www.example.com] matches [.www.example.com]",
  45. "set CN: host: [*.xn--rger-koa.example.com] matches [www.xn--rger-koa.example.com]",
  46. "set CN: host: [*.xn--bar.com] matches [xn--foo.xn--bar.com]",
  47. "set CN: host: [*.good--example.com] matches [www.good--example.com]",
  48. "set CN: host-no-wildcards: [*.www.example.com] matches [.www.example.com]",
  49. "set CN: host-no-wildcards: [test.www.example.com] matches [.www.example.com]",
  50. "set emailAddress: email: [postmaster@example.com] does not match [Postmaster@example.com]",
  51. "set emailAddress: email: [postmaster@EXAMPLE.COM] does not match [Postmaster@example.com]",
  52. "set emailAddress: email: [Postmaster@example.com] does not match [postmaster@example.com]",
  53. "set emailAddress: email: [Postmaster@example.com] does not match [postmaster@EXAMPLE.COM]",
  54. "set dnsName: host: [*.example.com] matches [www.example.com]",
  55. "set dnsName: host: [*.example.com] matches [a.example.com]",
  56. "set dnsName: host: [*.example.com] matches [b.example.com]",
  57. "set dnsName: host: [*.example.com] matches [xn--rger-koa.example.com]",
  58. "set dnsName: host: [*.www.example.com] matches [test.www.example.com]",
  59. "set dnsName: host-no-wildcards: [*.www.example.com] matches [.www.example.com]",
  60. "set dnsName: host-no-wildcards: [test.www.example.com] matches [.www.example.com]",
  61. "set dnsName: host: [*.www.example.com] matches [.www.example.com]",
  62. "set dnsName: host: [*www.example.com] matches [www.example.com]",
  63. "set dnsName: host: [test.www.example.com] matches [.www.example.com]",
  64. "set dnsName: host: [*.xn--rger-koa.example.com] matches [www.xn--rger-koa.example.com]",
  65. "set dnsName: host: [*.xn--bar.com] matches [xn--foo.xn--bar.com]",
  66. "set dnsName: host: [*.good--example.com] matches [www.good--example.com]",
  67. "set rfc822Name: email: [postmaster@example.com] does not match [Postmaster@example.com]",
  68. "set rfc822Name: email: [Postmaster@example.com] does not match [postmaster@example.com]",
  69. "set rfc822Name: email: [Postmaster@example.com] does not match [postmaster@EXAMPLE.COM]",
  70. "set rfc822Name: email: [postmaster@EXAMPLE.COM] does not match [Postmaster@example.com]",
  71. NULL
  72. };
  73. static int is_exception(const char *msg)
  74. {
  75. const char *const *p;
  76. for (p = exceptions; *p; ++p)
  77. if (strcmp(msg, *p) == 0)
  78. return 1;
  79. return 0;
  80. }
  81. static int set_cn(X509 *crt, ...)
  82. {
  83. int ret = 0;
  84. X509_NAME *n = NULL;
  85. va_list ap;
  86. va_start(ap, crt);
  87. n = X509_NAME_new();
  88. if (n == NULL)
  89. goto out;
  90. while (1) {
  91. int nid;
  92. const char *name;
  93. nid = va_arg(ap, int);
  94. if (nid == 0)
  95. break;
  96. name = va_arg(ap, const char *);
  97. if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_ASC,
  98. (unsigned char *)name, -1, -1, 1))
  99. goto out;
  100. }
  101. if (!X509_set_subject_name(crt, n))
  102. goto out;
  103. ret = 1;
  104. out:
  105. X509_NAME_free(n);
  106. va_end(ap);
  107. return ret;
  108. }
  109. /*-
  110. int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);
  111. X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex,
  112. int nid, int crit, ASN1_OCTET_STRING *data);
  113. int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);
  114. */
  115. static int set_altname(X509 *crt, ...)
  116. {
  117. int ret = 0;
  118. GENERAL_NAMES *gens = NULL;
  119. GENERAL_NAME *gen = NULL;
  120. ASN1_IA5STRING *ia5 = NULL;
  121. va_list ap;
  122. va_start(ap, crt);
  123. gens = sk_GENERAL_NAME_new_null();
  124. if (gens == NULL)
  125. goto out;
  126. while (1) {
  127. int type;
  128. const char *name;
  129. type = va_arg(ap, int);
  130. if (type == 0)
  131. break;
  132. name = va_arg(ap, const char *);
  133. gen = GENERAL_NAME_new();
  134. if (gen == NULL)
  135. goto out;
  136. ia5 = ASN1_IA5STRING_new();
  137. if (ia5 == NULL)
  138. goto out;
  139. if (!ASN1_STRING_set(ia5, name, -1))
  140. goto out;
  141. switch (type) {
  142. case GEN_EMAIL:
  143. case GEN_DNS:
  144. GENERAL_NAME_set0_value(gen, type, ia5);
  145. ia5 = NULL;
  146. break;
  147. default:
  148. abort();
  149. }
  150. sk_GENERAL_NAME_push(gens, gen);
  151. gen = NULL;
  152. }
  153. if (!X509_add1_ext_i2d(crt, NID_subject_alt_name, gens, 0, 0))
  154. goto out;
  155. ret = 1;
  156. out:
  157. ASN1_IA5STRING_free(ia5);
  158. GENERAL_NAME_free(gen);
  159. GENERAL_NAMES_free(gens);
  160. va_end(ap);
  161. return ret;
  162. }
  163. static int set_cn1(X509 *crt, const char *name)
  164. {
  165. return set_cn(crt, NID_commonName, name, 0);
  166. }
  167. static int set_cn_and_email(X509 *crt, const char *name)
  168. {
  169. return set_cn(crt, NID_commonName, name,
  170. NID_pkcs9_emailAddress, "dummy@example.com", 0);
  171. }
  172. static int set_cn2(X509 *crt, const char *name)
  173. {
  174. return set_cn(crt, NID_commonName, "dummy value",
  175. NID_commonName, name, 0);
  176. }
  177. static int set_cn3(X509 *crt, const char *name)
  178. {
  179. return set_cn(crt, NID_commonName, name,
  180. NID_commonName, "dummy value", 0);
  181. }
  182. static int set_email1(X509 *crt, const char *name)
  183. {
  184. return set_cn(crt, NID_pkcs9_emailAddress, name, 0);
  185. }
  186. static int set_email2(X509 *crt, const char *name)
  187. {
  188. return set_cn(crt, NID_pkcs9_emailAddress, "dummy@example.com",
  189. NID_pkcs9_emailAddress, name, 0);
  190. }
  191. static int set_email3(X509 *crt, const char *name)
  192. {
  193. return set_cn(crt, NID_pkcs9_emailAddress, name,
  194. NID_pkcs9_emailAddress, "dummy@example.com", 0);
  195. }
  196. static int set_email_and_cn(X509 *crt, const char *name)
  197. {
  198. return set_cn(crt, NID_pkcs9_emailAddress, name,
  199. NID_commonName, "www.example.org", 0);
  200. }
  201. static int set_altname_dns(X509 *crt, const char *name)
  202. {
  203. return set_altname(crt, GEN_DNS, name, 0);
  204. }
  205. static int set_altname_email(X509 *crt, const char *name)
  206. {
  207. return set_altname(crt, GEN_EMAIL, name, 0);
  208. }
  209. struct set_name_fn {
  210. int (*fn) (X509 *, const char *);
  211. const char *name;
  212. int host;
  213. int email;
  214. };
  215. static const struct set_name_fn name_fns[] = {
  216. {set_cn1, "set CN", 1, 0},
  217. {set_cn2, "set CN", 1, 0},
  218. {set_cn3, "set CN", 1, 0},
  219. {set_cn_and_email, "set CN", 1, 0},
  220. {set_email1, "set emailAddress", 0, 1},
  221. {set_email2, "set emailAddress", 0, 1},
  222. {set_email3, "set emailAddress", 0, 1},
  223. {set_email_and_cn, "set emailAddress", 0, 1},
  224. {set_altname_dns, "set dnsName", 1, 0},
  225. {set_altname_email, "set rfc822Name", 0, 1},
  226. };
  227. static X509 *make_cert(void)
  228. {
  229. X509 *crt = NULL;
  230. if (!TEST_ptr(crt = X509_new()))
  231. return NULL;
  232. if (!TEST_true(X509_set_version(crt, 2))) {
  233. X509_free(crt);
  234. return NULL;
  235. }
  236. return crt;
  237. }
  238. static int check_message(const struct set_name_fn *fn, const char *op,
  239. const char *nameincert, int match, const char *name)
  240. {
  241. char msg[1024];
  242. if (match < 0)
  243. return 1;
  244. BIO_snprintf(msg, sizeof(msg), "%s: %s: [%s] %s [%s]",
  245. fn->name, op, nameincert,
  246. match ? "matches" : "does not match", name);
  247. if (is_exception(msg))
  248. return 1;
  249. TEST_error("%s", msg);
  250. return 0;
  251. }
  252. static int run_cert(X509 *crt, const char *nameincert,
  253. const struct set_name_fn *fn)
  254. {
  255. const char *const *pname = names;
  256. int failed = 0;
  257. for (; *pname != NULL; ++pname) {
  258. int samename = strcasecmp(nameincert, *pname) == 0;
  259. size_t namelen = strlen(*pname);
  260. char *name = OPENSSL_malloc(namelen + 1);
  261. int match, ret;
  262. memcpy(name, *pname, namelen + 1);
  263. match = -1;
  264. if (!TEST_int_ge(ret = X509_check_host(crt, name, namelen, 0, NULL),
  265. 0)) {
  266. failed = 1;
  267. } else if (fn->host) {
  268. if (ret == 1 && !samename)
  269. match = 1;
  270. if (ret == 0 && samename)
  271. match = 0;
  272. } else if (ret == 1)
  273. match = 1;
  274. if (!TEST_true(check_message(fn, "host", nameincert, match, *pname)))
  275. failed = 1;
  276. match = -1;
  277. if (!TEST_int_ge(ret = X509_check_host(crt, name, namelen,
  278. X509_CHECK_FLAG_NO_WILDCARDS,
  279. NULL), 0)) {
  280. failed = 1;
  281. } else if (fn->host) {
  282. if (ret == 1 && !samename)
  283. match = 1;
  284. if (ret == 0 && samename)
  285. match = 0;
  286. } else if (ret == 1)
  287. match = 1;
  288. if (!TEST_true(check_message(fn, "host-no-wildcards",
  289. nameincert, match, *pname)))
  290. failed = 1;
  291. match = -1;
  292. ret = X509_check_email(crt, name, namelen, 0);
  293. if (fn->email) {
  294. if (ret && !samename)
  295. match = 1;
  296. if (!ret && samename && strchr(nameincert, '@') != NULL)
  297. match = 0;
  298. } else if (ret)
  299. match = 1;
  300. if (!TEST_true(check_message(fn, "email", nameincert, match, *pname)))
  301. failed = 1;
  302. OPENSSL_free(name);
  303. }
  304. return failed == 0;
  305. }
  306. static int call_run_cert(int i)
  307. {
  308. int failed = 0;
  309. const struct set_name_fn *pfn = &name_fns[i];
  310. X509 *crt;
  311. const char *const *pname;
  312. TEST_info("%s", pfn->name);
  313. for (pname = names; *pname != NULL; pname++) {
  314. if (!TEST_ptr(crt = make_cert())
  315. || !TEST_true(pfn->fn(crt, *pname))
  316. || !run_cert(crt, *pname, pfn))
  317. failed = 1;
  318. X509_free(crt);
  319. }
  320. return failed == 0;
  321. }
  322. int setup_tests(void)
  323. {
  324. ADD_ALL_TESTS(call_run_cert, OSSL_NELEM(name_fns));
  325. return 1;
  326. }