Subject Alt Name Matching

1. Added certificates for localhost where the CN and SAN match and differ. 2. Change subject name matching so the CN is checked if the SAN list doesn't exit, and only check the SAN list if present. 3. Added a test case for the CN/SAN mismatch. 4. Old matching behavior restored with build option WOLFSSL_ALLOW_NO_CN_IN_SAN. 5. Add test case for a correct certificate. Note: The test for the garbage certificate should fail. If you enable the old behavior, that test case will start succeeding, causing the test to fail.
2018-07-02 13:39:11 -07:00
parent 33b72a3dfe
commit adb3cc5a5a
8 changed files with 206 additions and 0 deletions
--- a/certs/test/gen-testcerts.sh
+++ b/certs/test/gen-testcerts.sh
@@ -95,3 +95,9 @@ generate_test_cert server-badaltnull www.nomatch.com DER:30:0d:82:0b:6c:6f:63:61

 # Generate Bad Alt Name CN=www.nomatch.com, Alt=www.nomatch.com
 generate_test_cert server-badaltname www.nomatch.com www.nomatch.com
+
+# Generate Good Alt Name CN=localhost, Alt=localhost
+generate_test_cert server-localhost localhost localhost
+
+# Generate Bad Alt Name CN=localhost, Alt=garbage
+generate_test_cert server-garbage localhost garbage
--- a/certs/test/server-garbage.der
+++ b/certs/test/server-garbage.der
--- a/certs/test/server-garbage.pem
+++ b/certs/test/server-garbage.pem
@@ -0,0 +1,75 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            8e:d8:a3:08:c6:38:a1:db
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = localhost, emailAddress = info@wolfssl.com
+        Validity
+            Not Before: Jun 27 19:53:20 2018 GMT
+            Not After : Mar 23 19:53:20 2021 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = localhost, emailAddress = info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c0:95:08:e1:57:41:f2:71:6d:b7:d2:45:41:27:
+                    01:65:c6:45:ae:f2:bc:24:30:b8:95:ce:2f:4e:d6:
+                    f6:1c:88:bc:7c:9f:fb:a8:67:7f:fe:5c:9c:51:75:
+                    f7:8a:ca:07:e7:35:2f:8f:e1:bd:7b:c0:2f:7c:ab:
+                    64:a8:17:fc:ca:5d:7b:ba:e0:21:e5:72:2e:6f:2e:
+                    86:d8:95:73:da:ac:1b:53:b9:5f:3f:d7:19:0d:25:
+                    4f:e1:63:63:51:8b:0b:64:3f:ad:43:b8:a5:1c:5c:
+                    34:b3:ae:00:a0:63:c5:f6:7f:0b:59:68:78:73:a6:
+                    8c:18:a9:02:6d:af:c3:19:01:2e:b8:10:e3:c6:cc:
+                    40:b4:69:a3:46:33:69:87:6e:c4:bb:17:a6:f3:e8:
+                    dd:ad:73:bc:7b:2f:21:b5:fd:66:51:0c:bd:54:b3:
+                    e1:6d:5f:1c:bc:23:73:d1:09:03:89:14:d2:10:b9:
+                    64:c3:2a:d0:a1:96:4a:bc:e1:d4:1a:5b:c7:a0:c0:
+                    c1:63:78:0f:44:37:30:32:96:80:32:23:95:a1:77:
+                    ba:13:d2:97:73:e2:5d:25:c9:6a:0d:c3:39:60:a4:
+                    b4:b0:69:42:42:09:e9:d8:08:bc:33:20:b3:58:22:
+                    a7:aa:eb:c4:e1:e6:61:83:c5:d2:96:df:d9:d0:4f:
+                    ad:d7
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                DNS:garbage
+    Signature Algorithm: sha256WithRSAEncryption
+         57:77:b9:a3:76:83:2a:f1:10:0c:64:02:0a:ad:99:86:55:28:
+         e4:c0:81:a2:a9:f2:af:6d:48:bd:a5:02:49:01:57:33:a8:85:
+         57:f6:65:8c:1a:01:7f:79:0f:af:18:d2:a4:df:03:14:48:40:
+         32:71:f8:44:15:b2:cd:53:d0:53:82:1f:cd:03:a5:68:f6:08:
+         9a:5a:a7:5e:4b:92:aa:dd:46:d4:2b:c1:81:83:df:75:3d:bc:
+         b2:64:43:9f:f1:d2:37:cc:b0:6e:75:b4:2c:9f:1c:1a:17:04:
+         0d:c1:80:a9:9b:64:c6:b4:aa:01:b2:5a:36:20:da:09:80:7f:
+         93:d7:51:be:aa:c1:58:56:f7:3b:0c:53:99:c3:74:99:64:0f:
+         e3:7d:4b:78:24:8e:08:76:15:85:15:30:42:6a:65:80:f5:2d:
+         a5:f4:d9:aa:42:12:5c:cd:68:c7:e7:b8:45:90:2c:dd:52:65:
+         ae:89:14:6e:5a:27:3c:10:05:ae:16:65:fc:04:12:66:07:13:
+         62:e6:a7:05:86:16:5a:7a:3d:9c:71:56:cf:a4:47:f5:7a:8a:
+         5a:bb:a3:d5:47:25:bd:c0:d2:ad:22:af:59:d6:d4:96:a9:b0:
+         05:f4:38:c7:56:46:19:d5:1b:30:9f:46:2e:a4:59:8b:72:e6:
+         a7:83:99:13
+-----BEGIN CERTIFICATE-----
+MIIDkTCCAnmgAwIBAgIJAI7YowjGOKHbMA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNV
+BAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRQwEgYD
+VQQLDAtFbmdpbmVlcmluZzESMBAGA1UEAwwJbG9jYWxob3N0MR8wHQYJKoZIhvcN
+AQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTE4MDYyNzE5NTMyMFoXDTIxMDMyMzE5
+NTMyMFowfDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcM
+B0JvemVtYW4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMRIwEAYDVQQDDAlsb2NhbGhv
+c3QxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDAlQjhV0HycW230kVBJwFlxkWu8rwkMLiVzi9O
+1vYciLx8n/uoZ3/+XJxRdfeKygfnNS+P4b17wC98q2SoF/zKXXu64CHlci5vLobY
+lXParBtTuV8/1xkNJU/hY2NRiwtkP61DuKUcXDSzrgCgY8X2fwtZaHhzpowYqQJt
+r8MZAS64EOPGzEC0aaNGM2mHbsS7F6bz6N2tc7x7LyG1/WZRDL1Us+FtXxy8I3PR
+CQOJFNIQuWTDKtChlkq84dQaW8egwMFjeA9ENzAyloAyI5Whd7oT0pdz4l0lyWoN
+wzlgpLSwaUJCCenYCLwzILNYIqeq68Th5mGDxdKW39nQT63XAgMBAAGjFjAUMBIG
+A1UdEQQLMAmCB2dhcmJhZ2UwDQYJKoZIhvcNAQELBQADggEBAFd3uaN2gyrxEAxk
+AgqtmYZVKOTAgaKp8q9tSL2lAkkBVzOohVf2ZYwaAX95D68Y0qTfAxRIQDJx+EQV
+ss1T0FOCH80DpWj2CJpap15LkqrdRtQrwYGD33U9vLJkQ5/x0jfMsG51tCyfHBoX
+BA3BgKmbZMa0qgGyWjYg2gmAf5PXUb6qwVhW9zsMU5nDdJlkD+N9S3gkjgh2FYUV
+MEJqZYD1LaX02apCElzNaMfnuEWQLN1SZa6JFG5aJzwQBa4WZfwEEmYHE2LmpwWG
+Flp6PZxxVs+kR/V6ilq7o9VHJb3A0q0ir1nW1JapsAX0OMdWRhnVGzCfRi6kWYty
+5qeDmRM=
+-----END CERTIFICATE-----
--- a/certs/test/server-localhost.der
+++ b/certs/test/server-localhost.der
--- a/certs/test/server-localhost.pem
+++ b/certs/test/server-localhost.pem
@@ -0,0 +1,75 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            e3:7e:ef:46:4d:c8:a3:ab
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = localhost, emailAddress = info@wolfssl.com
+        Validity
+            Not Before: Jun 27 19:53:20 2018 GMT
+            Not After : Mar 23 19:53:20 2021 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = localhost, emailAddress = info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c0:95:08:e1:57:41:f2:71:6d:b7:d2:45:41:27:
+                    01:65:c6:45:ae:f2:bc:24:30:b8:95:ce:2f:4e:d6:
+                    f6:1c:88:bc:7c:9f:fb:a8:67:7f:fe:5c:9c:51:75:
+                    f7:8a:ca:07:e7:35:2f:8f:e1:bd:7b:c0:2f:7c:ab:
+                    64:a8:17:fc:ca:5d:7b:ba:e0:21:e5:72:2e:6f:2e:
+                    86:d8:95:73:da:ac:1b:53:b9:5f:3f:d7:19:0d:25:
+                    4f:e1:63:63:51:8b:0b:64:3f:ad:43:b8:a5:1c:5c:
+                    34:b3:ae:00:a0:63:c5:f6:7f:0b:59:68:78:73:a6:
+                    8c:18:a9:02:6d:af:c3:19:01:2e:b8:10:e3:c6:cc:
+                    40:b4:69:a3:46:33:69:87:6e:c4:bb:17:a6:f3:e8:
+                    dd:ad:73:bc:7b:2f:21:b5:fd:66:51:0c:bd:54:b3:
+                    e1:6d:5f:1c:bc:23:73:d1:09:03:89:14:d2:10:b9:
+                    64:c3:2a:d0:a1:96:4a:bc:e1:d4:1a:5b:c7:a0:c0:
+                    c1:63:78:0f:44:37:30:32:96:80:32:23:95:a1:77:
+                    ba:13:d2:97:73:e2:5d:25:c9:6a:0d:c3:39:60:a4:
+                    b4:b0:69:42:42:09:e9:d8:08:bc:33:20:b3:58:22:
+                    a7:aa:eb:c4:e1:e6:61:83:c5:d2:96:df:d9:d0:4f:
+                    ad:d7
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                DNS:localhost
+    Signature Algorithm: sha256WithRSAEncryption
+         35:1a:72:99:61:c0:70:0b:5f:12:67:fa:74:f5:01:2b:d2:5a:
+         77:9f:90:dd:e4:2b:da:b7:dc:02:90:35:2d:41:ab:e3:db:a3:
+         69:12:00:e7:cc:71:6e:b1:81:9d:77:9b:2f:4f:0a:51:03:d7:
+         07:45:fe:61:7e:1f:fc:b6:59:49:39:0a:11:73:63:94:a6:3e:
+         a8:d4:ad:1d:93:fa:5f:cf:ef:fa:52:23:87:7b:d5:ba:56:94:
+         42:a3:05:61:b5:e5:ad:c2:d2:89:b2:0c:84:d1:30:d6:d7:5c:
+         2a:b7:29:f1:4d:b9:ca:7f:e1:4c:ff:ac:a9:1b:37:9d:40:fa:
+         cb:52:45:de:1d:29:ea:61:38:ac:cc:39:0d:46:ee:ff:89:0f:
+         ca:88:b8:f1:28:6c:2c:5f:6f:c1:27:50:e5:3a:21:be:63:07:
+         a7:b9:bc:89:18:f6:f2:a3:5d:56:56:18:32:ce:3d:a4:38:1e:
+         3f:72:3c:12:70:f7:83:74:44:ef:c9:69:fe:9d:ec:5c:e2:d4:
+         29:6f:73:df:18:43:18:91:a1:d7:dd:77:22:41:f2:f7:35:1d:
+         47:30:4b:3f:4e:ee:e0:5f:72:36:3a:c7:54:13:ba:0e:0f:e4:
+         0b:b4:e4:2e:fa:61:36:f5:4b:35:47:a8:06:49:fa:9b:5f:c2:
+         a2:91:85:d9
+-----BEGIN CERTIFICATE-----
+MIIDkzCCAnugAwIBAgIJAON+70ZNyKOrMA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNV
+BAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRQwEgYD
+VQQLDAtFbmdpbmVlcmluZzESMBAGA1UEAwwJbG9jYWxob3N0MR8wHQYJKoZIhvcN
+AQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTE4MDYyNzE5NTMyMFoXDTIxMDMyMzE5
+NTMyMFowfDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcM
+B0JvemVtYW4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMRIwEAYDVQQDDAlsb2NhbGhv
+c3QxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDAlQjhV0HycW230kVBJwFlxkWu8rwkMLiVzi9O
+1vYciLx8n/uoZ3/+XJxRdfeKygfnNS+P4b17wC98q2SoF/zKXXu64CHlci5vLobY
+lXParBtTuV8/1xkNJU/hY2NRiwtkP61DuKUcXDSzrgCgY8X2fwtZaHhzpowYqQJt
+r8MZAS64EOPGzEC0aaNGM2mHbsS7F6bz6N2tc7x7LyG1/WZRDL1Us+FtXxy8I3PR
+CQOJFNIQuWTDKtChlkq84dQaW8egwMFjeA9ENzAyloAyI5Whd7oT0pdz4l0lyWoN
+wzlgpLSwaUJCCenYCLwzILNYIqeq68Th5mGDxdKW39nQT63XAgMBAAGjGDAWMBQG
+A1UdEQQNMAuCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEANRpymWHAcAtf
+Emf6dPUBK9Jad5+Q3eQr2rfcApA1LUGr49ujaRIA58xxbrGBnXebL08KUQPXB0X+
+YX4f/LZZSTkKEXNjlKY+qNStHZP6X8/v+lIjh3vVulaUQqMFYbXlrcLSibIMhNEw
+1tdcKrcp8U25yn/hTP+sqRs3nUD6y1JF3h0p6mE4rMw5DUbu/4kPyoi48ShsLF9v
+wSdQ5TohvmMHp7m8iRj28qNdVlYYMs49pDgeP3I8EnD3g3RE78lp/p3sXOLUKW9z
+3xhDGJGh1913IkHy9zUdRzBLP07u4F9yNjrHVBO6Dg/kC7TkLvphNvVLNUeoBkn6
+m1/CopGF2Q==
+-----END CERTIFICATE-----