1 /*
2 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
3 * 1999.
4 */
5 /* ====================================================================
6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com). */
56
57 #include <stdarg.h>
58 #include <string.h>
59
60 #include <openssl/crypto.h>
61 #include <openssl/mem.h>
62 #include <openssl/x509.h>
63 #include <openssl/x509v3.h>
64
65 #include "../internal.h"
66
67
68 static const char *const names[] = {
69 "a", "b", ".", "*", "@",
70 ".a", "a.", ".b", "b.", ".*", "*.", "*@", "@*", "a@", "@a", "b@", "..",
71 "-example.com", "example-.com",
72 "@@", "**", "*.com", "*com", "*.*.com", "*com", "com*", "*example.com",
73 "*@example.com", "test@*.example.com", "example.com", "www.example.com",
74 "test.www.example.com", "*.example.com", "*.www.example.com",
75 "test.*.example.com", "www.*.com",
76 ".www.example.com", "*www.example.com",
77 "example.net", "xn--rger-koa.example.com",
78 "*.xn--rger-koa.example.com", "www.xn--rger-koa.example.com",
79 "*.good--example.com", "www.good--example.com",
80 "*.xn--bar.com", "xn--foo.xn--bar.com",
81 "a.example.com", "b.example.com",
82 "postmaster@example.com", "Postmaster@example.com",
83 "postmaster@EXAMPLE.COM",
84 NULL
85 };
86
87 static const char *const exceptions[] = {
88 "set CN: host: [*.example.com] matches [a.example.com]",
89 "set CN: host: [*.example.com] matches [b.example.com]",
90 "set CN: host: [*.example.com] matches [www.example.com]",
91 "set CN: host: [*.example.com] matches [xn--rger-koa.example.com]",
92 "set CN: host: [*.www.example.com] matches [test.www.example.com]",
93 "set CN: host: [*.www.example.com] matches [.www.example.com]",
94 "set CN: host: [*www.example.com] matches [www.example.com]",
95 "set CN: host: [test.www.example.com] matches [.www.example.com]",
96 "set CN: host: [*.xn--rger-koa.example.com] matches [www.xn--rger-koa.example.com]",
97 "set CN: host: [*.xn--bar.com] matches [xn--foo.xn--bar.com]",
98 "set CN: host: [*.good--example.com] matches [www.good--example.com]",
99 "set CN: host-no-wildcards: [*.www.example.com] matches [.www.example.com]",
100 "set CN: host-no-wildcards: [test.www.example.com] matches [.www.example.com]",
101 "set emailAddress: email: [postmaster@example.com] does not match [Postmaster@example.com]",
102 "set emailAddress: email: [postmaster@EXAMPLE.COM] does not match [Postmaster@example.com]",
103 "set emailAddress: email: [Postmaster@example.com] does not match [postmaster@example.com]",
104 "set emailAddress: email: [Postmaster@example.com] does not match [postmaster@EXAMPLE.COM]",
105 "set dnsName: host: [*.example.com] matches [www.example.com]",
106 "set dnsName: host: [*.example.com] matches [a.example.com]",
107 "set dnsName: host: [*.example.com] matches [b.example.com]",
108 "set dnsName: host: [*.example.com] matches [xn--rger-koa.example.com]",
109 "set dnsName: host: [*.www.example.com] matches [test.www.example.com]",
110 "set dnsName: host-no-wildcards: [*.www.example.com] matches [.www.example.com]",
111 "set dnsName: host-no-wildcards: [test.www.example.com] matches [.www.example.com]",
112 "set dnsName: host: [*.www.example.com] matches [.www.example.com]",
113 "set dnsName: host: [*www.example.com] matches [www.example.com]",
114 "set dnsName: host: [test.www.example.com] matches [.www.example.com]",
115 "set dnsName: host: [*.xn--rger-koa.example.com] matches [www.xn--rger-koa.example.com]",
116 "set dnsName: host: [*.xn--bar.com] matches [xn--foo.xn--bar.com]",
117 "set dnsName: host: [*.good--example.com] matches [www.good--example.com]",
118 "set rfc822Name: email: [postmaster@example.com] does not match [Postmaster@example.com]",
119 "set rfc822Name: email: [Postmaster@example.com] does not match [postmaster@example.com]",
120 "set rfc822Name: email: [Postmaster@example.com] does not match [postmaster@EXAMPLE.COM]",
121 "set rfc822Name: email: [postmaster@EXAMPLE.COM] does not match [Postmaster@example.com]",
122 NULL
123 };
124
is_exception(const char * msg)125 static int is_exception(const char *msg)
126 {
127 const char *const *p;
128 for (p = exceptions; *p; ++p)
129 if (strcmp(msg, *p) == 0)
130 return 1;
131 return 0;
132 }
133
set_cn(X509 * crt,...)134 static int set_cn(X509 *crt, ...)
135 {
136 int ret = 0;
137 X509_NAME *n = NULL;
138 va_list ap;
139 va_start(ap, crt);
140 n = X509_NAME_new();
141 if (n == NULL)
142 goto out;
143 while (1) {
144 int nid;
145 const char *name;
146 nid = va_arg(ap, int);
147 if (nid == 0)
148 break;
149 name = va_arg(ap, const char *);
150 if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_ASC,
151 (unsigned char *)name, -1, -1, 1))
152 goto out;
153 }
154 if (!X509_set_subject_name(crt, n))
155 goto out;
156 ret = 1;
157 out:
158 X509_NAME_free(n);
159 va_end(ap);
160 return ret;
161 }
162
163 /*
164 * int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc); X509_EXTENSION
165 * *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid, int crit,
166 * ASN1_OCTET_STRING *data); int X509_add_ext(X509 *x, X509_EXTENSION *ex,
167 * int loc);
168 */
169
set_altname(X509 * crt,...)170 static int set_altname(X509 *crt, ...)
171 {
172 int ret = 0;
173 GENERAL_NAMES *gens = NULL;
174 GENERAL_NAME *gen = NULL;
175 ASN1_IA5STRING *ia5 = NULL;
176 va_list ap;
177 va_start(ap, crt);
178 gens = sk_GENERAL_NAME_new_null();
179 if (gens == NULL)
180 goto out;
181 while (1) {
182 int type;
183 const char *name;
184 type = va_arg(ap, int);
185 if (type == 0)
186 break;
187 name = va_arg(ap, const char *);
188
189 gen = GENERAL_NAME_new();
190 if (gen == NULL)
191 goto out;
192 ia5 = ASN1_IA5STRING_new();
193 if (ia5 == NULL)
194 goto out;
195 if (!ASN1_STRING_set(ia5, name, -1))
196 goto out;
197 switch (type) {
198 case GEN_EMAIL:
199 case GEN_DNS:
200 GENERAL_NAME_set0_value(gen, type, ia5);
201 ia5 = NULL;
202 break;
203 default:
204 abort();
205 }
206 sk_GENERAL_NAME_push(gens, gen);
207 gen = NULL;
208 }
209 if (!X509_add1_ext_i2d(crt, NID_subject_alt_name, gens, 0, 0))
210 goto out;
211 ret = 1;
212 out:
213 ASN1_IA5STRING_free(ia5);
214 GENERAL_NAME_free(gen);
215 GENERAL_NAMES_free(gens);
216 va_end(ap);
217 return ret;
218 }
219
set_cn1(X509 * crt,const char * name)220 static int set_cn1(X509 *crt, const char *name)
221 {
222 return set_cn(crt, NID_commonName, name, 0);
223 }
224
set_cn_and_email(X509 * crt,const char * name)225 static int set_cn_and_email(X509 *crt, const char *name)
226 {
227 return set_cn(crt, NID_commonName, name,
228 NID_pkcs9_emailAddress, "dummy@example.com", 0);
229 }
230
set_cn2(X509 * crt,const char * name)231 static int set_cn2(X509 *crt, const char *name)
232 {
233 return set_cn(crt, NID_commonName, "dummy value",
234 NID_commonName, name, 0);
235 }
236
set_cn3(X509 * crt,const char * name)237 static int set_cn3(X509 *crt, const char *name)
238 {
239 return set_cn(crt, NID_commonName, name,
240 NID_commonName, "dummy value", 0);
241 }
242
set_email1(X509 * crt,const char * name)243 static int set_email1(X509 *crt, const char *name)
244 {
245 return set_cn(crt, NID_pkcs9_emailAddress, name, 0);
246 }
247
set_email2(X509 * crt,const char * name)248 static int set_email2(X509 *crt, const char *name)
249 {
250 return set_cn(crt, NID_pkcs9_emailAddress, "dummy@example.com",
251 NID_pkcs9_emailAddress, name, 0);
252 }
253
set_email3(X509 * crt,const char * name)254 static int set_email3(X509 *crt, const char *name)
255 {
256 return set_cn(crt, NID_pkcs9_emailAddress, name,
257 NID_pkcs9_emailAddress, "dummy@example.com", 0);
258 }
259
set_email_and_cn(X509 * crt,const char * name)260 static int set_email_and_cn(X509 *crt, const char *name)
261 {
262 return set_cn(crt, NID_pkcs9_emailAddress, name,
263 NID_commonName, "www.example.org", 0);
264 }
265
set_altname_dns(X509 * crt,const char * name)266 static int set_altname_dns(X509 *crt, const char *name)
267 {
268 return set_altname(crt, GEN_DNS, name, 0);
269 }
270
set_altname_email(X509 * crt,const char * name)271 static int set_altname_email(X509 *crt, const char *name)
272 {
273 return set_altname(crt, GEN_EMAIL, name, 0);
274 }
275
276 struct set_name_fn {
277 int (*fn) (X509 *, const char *);
278 const char *name;
279 int host;
280 int email;
281 };
282
283 static const struct set_name_fn name_fns[] = {
284 {set_cn1, "set CN", 1, 0},
285 {set_cn2, "set CN", 1, 0},
286 {set_cn3, "set CN", 1, 0},
287 {set_cn_and_email, "set CN", 1, 0},
288 {set_email1, "set emailAddress", 0, 1},
289 {set_email2, "set emailAddress", 0, 1},
290 {set_email3, "set emailAddress", 0, 1},
291 {set_email_and_cn, "set emailAddress", 0, 1},
292 {set_altname_dns, "set dnsName", 1, 0},
293 {set_altname_email, "set rfc822Name", 0, 1},
294 {NULL, NULL, 0, 0},
295 };
296
make_cert(void)297 static X509 *make_cert(void)
298 {
299 X509 *ret = NULL;
300 X509 *crt = NULL;
301 X509_NAME *issuer = NULL;
302 crt = X509_new();
303 if (crt == NULL)
304 goto out;
305 if (!X509_set_version(crt, 3))
306 goto out;
307 ret = crt;
308 crt = NULL;
309 out:
310 X509_NAME_free(issuer);
311 return ret;
312 }
313
314 static int errors;
315
check_message(const struct set_name_fn * fn,const char * op,const char * nameincert,int match,const char * name)316 static void check_message(const struct set_name_fn *fn, const char *op,
317 const char *nameincert, int match, const char *name)
318 {
319 char msg[1024];
320 if (match < 0)
321 return;
322 BIO_snprintf(msg, sizeof(msg), "%s: %s: [%s] %s [%s]",
323 fn->name, op, nameincert,
324 match ? "matches" : "does not match", name);
325 if (is_exception(msg))
326 return;
327 puts(msg);
328 ++errors;
329 }
330
run_cert(X509 * crt,const char * nameincert,const struct set_name_fn * fn)331 static void run_cert(X509 *crt, const char *nameincert,
332 const struct set_name_fn *fn)
333 {
334 const char *const *pname = names;
335 while (*pname) {
336 int samename = OPENSSL_strcasecmp(nameincert, *pname) == 0;
337 size_t namelen = strlen(*pname);
338 char *name = malloc(namelen);
339 int match, ret;
340 OPENSSL_memcpy(name, *pname, namelen);
341
342 ret = X509_check_host(crt, name, namelen, 0, NULL);
343 match = -1;
344 if (ret < 0) {
345 fprintf(stderr, "internal error in X509_check_host");
346 ++errors;
347 } else if (fn->host) {
348 if (ret == 1 && !samename)
349 match = 1;
350 if (ret == 0 && samename)
351 match = 0;
352 } else if (ret == 1)
353 match = 1;
354 check_message(fn, "host", nameincert, match, *pname);
355
356 ret = X509_check_host(crt, name, namelen,
357 X509_CHECK_FLAG_NO_WILDCARDS, NULL);
358 match = -1;
359 if (ret < 0) {
360 fprintf(stderr, "internal error in X509_check_host");
361 ++errors;
362 } else if (fn->host) {
363 if (ret == 1 && !samename)
364 match = 1;
365 if (ret == 0 && samename)
366 match = 0;
367 } else if (ret == 1)
368 match = 1;
369 check_message(fn, "host-no-wildcards", nameincert, match, *pname);
370
371 ret = X509_check_email(crt, name, namelen, 0);
372 match = -1;
373 if (fn->email) {
374 if (ret && !samename)
375 match = 1;
376 if (!ret && samename && strchr(nameincert, '@') != NULL)
377 match = 0;
378 } else if (ret)
379 match = 1;
380 check_message(fn, "email", nameincert, match, *pname);
381 ++pname;
382 free(name);
383 }
384 }
385
main(void)386 int main(void)
387 {
388 CRYPTO_library_init();
389
390 const struct set_name_fn *pfn = name_fns;
391 while (pfn->name) {
392 const char *const *pname = names;
393 while (*pname) {
394 X509 *crt = make_cert();
395 if (crt == NULL) {
396 fprintf(stderr, "make_cert failed\n");
397 return 1;
398 }
399 if (!pfn->fn(crt, *pname)) {
400 fprintf(stderr, "X509 name setting failed\n");
401 return 1;
402 }
403 run_cert(crt, *pname, pfn);
404 X509_free(crt);
405 ++pname;
406 }
407 ++pfn;
408 }
409 if (errors == 0) {
410 printf("PASS\n");
411 }
412 return errors > 0 ? 1 : 0;
413 }
414