feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #1643 from ejohnstown/altnames

Browse Source 
Subject Alt Name Matching
This commit is contained in:
toddouska
2018-07-11 13:20:58 -07:00
committed by GitHub
parent df6c496c4e 239880a9de
commit 23687f44bc
8 changed files with 205 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
certs/test/gen-testcerts.sh
View File

@ -95,3 +95,9 @@ generate_test_cert server-badaltnull www.nomatch.com DER:30:0d:82:0b:6c:6f:63:61
# Generate Bad Alt Name CN=www.nomatch.com, Alt=www.nomatch.com # Generate Bad Alt Name CN=www.nomatch.com, Alt=www.nomatch.com
generate_test_cert server-badaltname www.nomatch.com www.nomatch.com generate_test_cert server-badaltname www.nomatch.com www.nomatch.com
# Generate Good Alt Name CN=localhost, Alt=localhost
generate_test_cert server-localhost localhost localhost
# Generate Bad Alt Name CN=localhost, Alt=garbage
generate_test_cert server-garbage localhost garbage

BIN
certs/test/server-garbage.der Normal file
View File

Binary file not shown.

75
certs/test/server-garbage.pem Normal file
View File

@ -0,0 +1,75 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
8e:d8:a3:08:c6:38:a1:db
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = localhost, emailAddress = info@wolfssl.com
Validity
Not Before: Jun 27 19:53:20 2018 GMT
Not After : Mar 23 19:53:20 2021 GMT
Subject: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = localhost, emailAddress = info@wolfssl.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c0:95:08:e1:57:41:f2:71:6d:b7:d2:45:41:27:
01:65:c6:45:ae:f2:bc:24:30:b8:95:ce:2f:4e:d6:
f6:1c:88:bc:7c:9f:fb:a8:67:7f:fe:5c:9c:51:75:
f7:8a:ca:07:e7:35:2f:8f:e1:bd:7b:c0:2f:7c:ab:
64:a8:17:fc:ca:5d:7b:ba:e0:21:e5:72:2e:6f:2e:
86:d8:95:73:da:ac:1b:53:b9:5f:3f:d7:19:0d:25:
4f:e1:63:63:51:8b:0b:64:3f:ad:43:b8:a5:1c:5c:
34:b3:ae:00:a0:63:c5:f6:7f:0b:59:68:78:73:a6:
8c:18:a9:02:6d:af:c3:19:01:2e:b8:10:e3:c6:cc:
40:b4:69:a3:46:33:69:87:6e:c4:bb:17:a6:f3:e8:
dd:ad:73:bc:7b:2f:21:b5:fd:66:51:0c:bd:54:b3:
e1:6d:5f:1c:bc:23:73:d1:09:03:89:14:d2:10:b9:
64:c3:2a:d0:a1:96:4a:bc:e1:d4:1a:5b:c7:a0:c0:
c1:63:78:0f:44:37:30:32:96:80:32:23:95:a1:77:
ba:13:d2:97:73:e2:5d:25:c9:6a:0d:c3:39:60:a4:
b4:b0:69:42:42:09:e9:d8:08:bc:33:20:b3:58:22:
a7:aa:eb:c4:e1:e6:61:83:c5:d2:96:df:d9:d0:4f:
ad:d7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:garbage
Signature Algorithm: sha256WithRSAEncryption
57:77:b9:a3:76:83:2a:f1:10:0c:64:02:0a:ad:99:86:55:28:
e4:c0:81:a2:a9:f2:af:6d:48:bd:a5:02:49:01:57:33:a8:85:
57:f6:65:8c:1a:01:7f:79:0f:af:18:d2:a4:df:03:14:48:40:
32:71:f8:44:15:b2:cd:53:d0:53:82:1f:cd:03:a5:68:f6:08:
9a:5a:a7:5e:4b:92:aa:dd:46:d4:2b:c1:81:83:df:75:3d:bc:
b2:64:43:9f:f1:d2:37:cc:b0:6e:75:b4:2c:9f:1c:1a:17:04:
0d:c1:80:a9:9b:64:c6:b4:aa:01:b2:5a:36:20:da:09:80:7f:
93:d7:51:be:aa:c1:58:56:f7:3b:0c:53:99:c3:74:99:64:0f:
e3:7d:4b:78:24:8e:08:76:15:85:15:30:42:6a:65:80:f5:2d:
a5:f4:d9:aa:42:12:5c:cd:68:c7:e7:b8:45:90:2c:dd:52:65:
ae:89:14:6e:5a:27:3c:10:05:ae:16:65:fc:04:12:66:07:13:
62:e6:a7:05:86:16:5a:7a:3d:9c:71:56:cf:a4:47:f5:7a:8a:
5a:bb:a3:d5:47:25:bd:c0:d2:ad:22:af:59:d6:d4:96:a9:b0:
05:f4:38:c7:56:46:19:d5:1b:30:9f:46:2e:a4:59:8b:72:e6:
a7:83:99:13
-----BEGIN CERTIFICATE-----
MIIDkTCCAnmgAwIBAgIJAI7YowjGOKHbMA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNV
BAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRQwEgYD
VQQLDAtFbmdpbmVlcmluZzESMBAGA1UEAwwJbG9jYWxob3N0MR8wHQYJKoZIhvcN
AQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTE4MDYyNzE5NTMyMFoXDTIxMDMyMzE5
NTMyMFowfDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcM
B0JvemVtYW4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMRIwEAYDVQQDDAlsb2NhbGhv
c3QxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDAlQjhV0HycW230kVBJwFlxkWu8rwkMLiVzi9O
1vYciLx8n/uoZ3/+XJxRdfeKygfnNS+P4b17wC98q2SoF/zKXXu64CHlci5vLobY
lXParBtTuV8/1xkNJU/hY2NRiwtkP61DuKUcXDSzrgCgY8X2fwtZaHhzpowYqQJt
r8MZAS64EOPGzEC0aaNGM2mHbsS7F6bz6N2tc7x7LyG1/WZRDL1Us+FtXxy8I3PR
CQOJFNIQuWTDKtChlkq84dQaW8egwMFjeA9ENzAyloAyI5Whd7oT0pdz4l0lyWoN
wzlgpLSwaUJCCenYCLwzILNYIqeq68Th5mGDxdKW39nQT63XAgMBAAGjFjAUMBIG
A1UdEQQLMAmCB2dhcmJhZ2UwDQYJKoZIhvcNAQELBQADggEBAFd3uaN2gyrxEAxk
AgqtmYZVKOTAgaKp8q9tSL2lAkkBVzOohVf2ZYwaAX95D68Y0qTfAxRIQDJx+EQV
ss1T0FOCH80DpWj2CJpap15LkqrdRtQrwYGD33U9vLJkQ5/x0jfMsG51tCyfHBoX
BA3BgKmbZMa0qgGyWjYg2gmAf5PXUb6qwVhW9zsMU5nDdJlkD+N9S3gkjgh2FYUV
MEJqZYD1LaX02apCElzNaMfnuEWQLN1SZa6JFG5aJzwQBa4WZfwEEmYHE2LmpwWG
Flp6PZxxVs+kR/V6ilq7o9VHJb3A0q0ir1nW1JapsAX0OMdWRhnVGzCfRi6kWYty
5qeDmRM=
-----END CERTIFICATE-----

BIN
certs/test/server-localhost.der Normal file
View File

Binary file not shown.

75
certs/test/server-localhost.pem Normal file
View File

@ -0,0 +1,75 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
e3:7e:ef:46:4d:c8:a3:ab
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = localhost, emailAddress = info@wolfssl.com
Validity
Not Before: Jun 27 19:53:20 2018 GMT
Not After : Mar 23 19:53:20 2021 GMT
Subject: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = localhost, emailAddress = info@wolfssl.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c0:95:08:e1:57:41:f2:71:6d:b7:d2:45:41:27:
01:65:c6:45:ae:f2:bc:24:30:b8:95:ce:2f:4e:d6:
f6:1c:88:bc:7c:9f:fb:a8:67:7f:fe:5c:9c:51:75:
f7:8a:ca:07:e7:35:2f:8f:e1:bd:7b:c0:2f:7c:ab:
64:a8:17:fc:ca:5d:7b:ba:e0:21:e5:72:2e:6f:2e:
86:d8:95:73:da:ac:1b:53:b9:5f:3f:d7:19:0d:25:
4f:e1:63:63:51:8b:0b:64:3f:ad:43:b8:a5:1c:5c:
34:b3:ae:00:a0:63:c5:f6:7f:0b:59:68:78:73:a6:
8c:18:a9:02:6d:af:c3:19:01:2e:b8:10:e3:c6:cc:
40:b4:69:a3:46:33:69:87:6e:c4:bb:17:a6:f3:e8:
dd:ad:73:bc:7b:2f:21:b5:fd:66:51:0c:bd:54:b3:
e1:6d:5f:1c:bc:23:73:d1:09:03:89:14:d2:10:b9:
64:c3:2a:d0:a1:96:4a:bc:e1:d4:1a:5b:c7:a0:c0:
c1:63:78:0f:44:37:30:32:96:80:32:23:95:a1:77:
ba:13:d2:97:73:e2:5d:25:c9:6a:0d:c3:39:60:a4:
b4:b0:69:42:42:09:e9:d8:08:bc:33:20:b3:58:22:
a7:aa:eb:c4:e1:e6:61:83:c5:d2:96:df:d9:d0:4f:
ad:d7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:localhost
Signature Algorithm: sha256WithRSAEncryption
35:1a:72:99:61:c0:70:0b:5f:12:67:fa:74:f5:01:2b:d2:5a:
77:9f:90:dd:e4:2b:da:b7:dc:02:90:35:2d:41:ab:e3:db:a3:
69:12:00:e7:cc:71:6e:b1:81:9d:77:9b:2f:4f:0a:51:03:d7:
07:45:fe:61:7e:1f:fc:b6:59:49:39:0a:11:73:63:94:a6:3e:
a8:d4:ad:1d:93:fa:5f:cf:ef:fa:52:23:87:7b:d5:ba:56:94:
42:a3:05:61:b5:e5:ad:c2:d2:89:b2:0c:84:d1:30:d6:d7:5c:
2a:b7:29:f1:4d:b9:ca:7f:e1:4c:ff:ac:a9:1b:37:9d:40:fa:
cb:52:45:de:1d:29:ea:61:38:ac:cc:39:0d:46:ee:ff:89:0f:
ca:88:b8:f1:28:6c:2c:5f:6f:c1:27:50:e5:3a:21:be:63:07:
a7:b9:bc:89:18:f6:f2:a3:5d:56:56:18:32:ce:3d:a4:38:1e:
3f:72:3c:12:70:f7:83:74:44:ef:c9:69:fe:9d:ec:5c:e2:d4:
29:6f:73:df:18:43:18:91:a1:d7:dd:77:22:41:f2:f7:35:1d:
47:30:4b:3f:4e:ee:e0:5f:72:36:3a:c7:54:13:ba:0e:0f:e4:
0b:b4:e4:2e:fa:61:36:f5:4b:35:47:a8:06:49:fa:9b:5f:c2:
a2:91:85:d9
-----BEGIN CERTIFICATE-----
MIIDkzCCAnugAwIBAgIJAON+70ZNyKOrMA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNV
BAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRQwEgYD
VQQLDAtFbmdpbmVlcmluZzESMBAGA1UEAwwJbG9jYWxob3N0MR8wHQYJKoZIhvcN
AQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTE4MDYyNzE5NTMyMFoXDTIxMDMyMzE5
NTMyMFowfDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcM
B0JvemVtYW4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMRIwEAYDVQQDDAlsb2NhbGhv
c3QxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDAlQjhV0HycW230kVBJwFlxkWu8rwkMLiVzi9O
1vYciLx8n/uoZ3/+XJxRdfeKygfnNS+P4b17wC98q2SoF/zKXXu64CHlci5vLobY
lXParBtTuV8/1xkNJU/hY2NRiwtkP61DuKUcXDSzrgCgY8X2fwtZaHhzpowYqQJt
r8MZAS64EOPGzEC0aaNGM2mHbsS7F6bz6N2tc7x7LyG1/WZRDL1Us+FtXxy8I3PR
CQOJFNIQuWTDKtChlkq84dQaW8egwMFjeA9ENzAyloAyI5Whd7oT0pdz4l0lyWoN
wzlgpLSwaUJCCenYCLwzILNYIqeq68Th5mGDxdKW39nQT63XAgMBAAGjGDAWMBQG
A1UdEQQNMAuCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEANRpymWHAcAtf
Emf6dPUBK9Jad5+Q3eQr2rfcApA1LUGr49ujaRIA58xxbrGBnXebL08KUQPXB0X+
YX4f/LZZSTkKEXNjlKY+qNStHZP6X8/v+lIjh3vVulaUQqMFYbXlrcLSibIMhNEw
1tdcKrcp8U25yn/hTP+sqRs3nUD6y1JF3h0p6mE4rMw5DUbu/4kPyoi48ShsLF9v
wSdQ5TohvmMHp7m8iRj28qNdVlYYMs49pDgeP3I8EnD3g3RE78lp/p3sXOLUKW9z
3xhDGJGh1913IkHy9zUdRzBLP07u4F9yNjrHVBO6Dg/kC7TkLvphNvVLNUeoBkn6
m1/CopGF2Q==
-----END CERTIFICATE-----

24
src/internal.c
View File

@ -9357,6 +9357,29 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
} }
if (!ssl->options.verifyNone && ssl->buffers.domainName.buffer) { if (!ssl->options.verifyNone && ssl->buffers.domainName.buffer) {
#ifndef WOLFSSL_ALLOW_NO_CN_IN_SAN
/* Per RFC 5280 section 4.2.1.6, "Whenever such identities
* are to be bound into a certificate, the subject
* alternative name extension MUST be used." */
if (args->dCert->altNames) {
if (CheckAltNames(args->dCert,
(char*)ssl->buffers.domainName.buffer) == 0 ) {
WOLFSSL_MSG("DomainName match on alt names failed");
/* try to get peer key still */
ret = DOMAIN_NAME_MISMATCH;
}
}
else {
if (MatchDomainName(
args->dCert->subjectCN,
args->dCert->subjectCNLen,
(char*)ssl->buffers.domainName.buffer) == 0) {
WOLFSSL_MSG("DomainName match on common name failed");
ret = DOMAIN_NAME_MISMATCH;
}
}
#else /* WOLFSSL_ALL_NO_CN_IN_SAN */
/* Old behavior. */
if (MatchDomainName(args->dCert->subjectCN, if (MatchDomainName(args->dCert->subjectCN,
args->dCert->subjectCNLen, args->dCert->subjectCNLen,
(char*)ssl->buffers.domainName.buffer) == 0) { (char*)ssl->buffers.domainName.buffer) == 0) {
@ -9369,6 +9392,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
ret = DOMAIN_NAME_MISMATCH; ret = DOMAIN_NAME_MISMATCH;
} }
} }
#endif /* WOLFSSL_ALL_NO_CN_IN_SAN */
} }
/* decode peer key */ /* decode peer key */

13
tests/test-fails.conf
View File

@ -94,3 +94,16 @@
# client ECC bad sig error # client ECC bad sig error
-v 3 -v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256 -l ECDHE-ECDSA-AES128-GCM-SHA256
# server missing CN from alternate names list
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-c ./certs/test/server-garbage.pem
# client missing CN from alternate names list
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-h localhost
-A ./certs/test/server-garbage.pem
-m

12
tests/test.conf
View File

@ -2306,3 +2306,15 @@
-A ./certs/test/server-goodaltwild.pem -A ./certs/test/server-goodaltwild.pem
-m -m
-C -C
# server CN in alternate names list
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-c ./certs/test/server-localhost.pem
# client CN in alternate names list
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-h localhost
-A ./certs/test/server-localhost.pem
-m