From 1f16b36402d4925b3d64ca45d00e8674978b5fa6 Mon Sep 17 00:00:00 2001 
From: David Garske Date: Tue, 12 Jun 2018 14:15:34 -0700 Subject: [PATCH] Fixes for `MatchDomainName` to properly detect failures: * Fix `MatchDomainName` to also check for remaining len on success check. * Enhanced `DNS_entry` to include actual ASN.1 length and use it thoughout (was using XSTRLEN). Added additional tests for matching on domain name: * Check for bad common name with embedded null (CN=localhost\0h, Alt=None) - Note: Trouble creating cert with this criteria * Check for bad alternate name with embedded null (CN=www.nomatch.com, Alt=localhost\0h) * Check for bad common name (CN=www.nomatch.com, Alt=None) * Check for bad alternate name (CN=www.nomatch.com, Alt=www.nomatch.com) * Check for good wildcard common name (CN=*localhost, Alt=None) * Check for good wildcard alternate name (CN=www.nomatch.com, Alt=*localhost) --- certs/crl/server-goodaltwildCrl.pem | 38 +++++++++ certs/crl/server-goodcnwildCrl.pem | 38 +++++++++ certs/test/gen-testcerts.sh | 106 +++++++++++++++++++------- certs/test/include.am | 26 ++++--- certs/test/server-badaltname.der | Bin 0 -> 939 bytes certs/test/server-badaltname.pem | 74 ++++++++++++++++++ certs/test/server-badaltnamenull.conf | 17 ----- certs/test/server-badaltnamenull.csr | 17 ----- certs/test/server-badaltnamenull.der | Bin 855 -> 0 bytes certs/test/server-badaltnamenull.key | 27 ------- certs/test/server-badaltnamenull.pem | 72 ----------------- certs/test/server-badaltnull.der | Bin 0 -> 935 bytes certs/test/server-badaltnull.pem | 74 ++++++++++++++++++ certs/test/server-badcn.der | Bin 0 -> 907 bytes certs/test/server-badcn.pem | 70 +++++++++++++++++ certs/test/server-badcnnull.der | Bin 0 -> 973 bytes certs/test/server-badcnnull.pem | 72 +++++++++++++++++ certs/test/server-goodaltwild.der | Bin 0 -> 934 bytes certs/test/server-goodaltwild.pem | 74 ++++++++++++++++++ certs/test/server-goodcnwild.der | Bin 0 -> 895 bytes certs/test/server-goodcnwild.pem | 70 +++++++++++++++++ certs/test/server-nomatch.conf | 16 ---- 
certs/test/server-nomatch.csr | 17 ----- certs/test/server-nomatch.der | Bin 837 -> 0 bytes certs/test/server-nomatch.key | 27 ------- certs/test/server-nomatch.pem | 69 ----------------- src/internal.c | 14 ++-- tests/test-fails.conf | 47 ++++++++++-- tests/test.conf | 28 +++++++ wolfcrypt/src/asn.c | 17 +++-- wolfssl/wolfcrypt/asn.h | 1 + 31 files changed, 687 insertions(+), 324 deletions(-) create mode 100644 certs/crl/server-goodaltwildCrl.pem create mode 100644 certs/crl/server-goodcnwildCrl.pem create mode 100644 certs/test/server-badaltname.der create mode 100644 certs/test/server-badaltname.pem delete mode 100644 certs/test/server-badaltnamenull.conf delete mode 100644 certs/test/server-badaltnamenull.csr delete mode 100644 certs/test/server-badaltnamenull.der delete mode 100644 certs/test/server-badaltnamenull.key delete mode 100644 certs/test/server-badaltnamenull.pem create mode 100644 certs/test/server-badaltnull.der create mode 100644 certs/test/server-badaltnull.pem create mode 100644 certs/test/server-badcn.der create mode 100644 certs/test/server-badcn.pem create mode 100644 certs/test/server-badcnnull.der create mode 100644 certs/test/server-badcnnull.pem create mode 100644 certs/test/server-goodaltwild.der create mode 100644 certs/test/server-goodaltwild.pem create mode 100644 certs/test/server-goodcnwild.der create mode 100644 certs/test/server-goodcnwild.pem delete mode 100644 certs/test/server-nomatch.conf delete mode 100644 certs/test/server-nomatch.csr delete mode 100644 certs/test/server-nomatch.der delete mode 100644 certs/test/server-nomatch.key delete mode 100644 certs/test/server-nomatch.pem diff --git a/certs/crl/server-goodaltwildCrl.pem b/certs/crl/server-goodaltwildCrl.pem new file mode 100644 index 000000000..3cb2b27f1 --- /dev/null +++ b/certs/crl/server-goodaltwildCrl.pem 
@@ -0,0 +1,38 @@ +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/ST=Montana/L=Bozeman/OU=Engineering/CN=www.nomatch.com/emailAddress=info@wolfssl.com + Last Update: Jun 12 21:08:33 2018 GMT + Next Update: Mar 8 21:08:33 2021 GMT + CRL extensions: + X509v3 CRL Number: + 1 +No Revoked Certificates. + Signature Algorithm: sha1WithRSAEncryption + 25:6a:7f:6a:71:9a:66:67:ed:88:29:d4:ec:37:a5:f2:03:0e: + cd:18:c6:f0:a8:2f:3c:8c:cf:83:d2:0c:60:97:52:73:5f:a2: + c3:76:c4:87:b4:0a:b3:7c:0d:37:64:72:30:d6:cc:58:0c:3e: + b6:ec:d0:1d:a1:19:a2:b6:58:c9:63:28:d5:45:45:8c:2f:f7: + 09:05:7d:5e:09:07:c7:53:01:f3:40:70:5f:6a:c1:1f:2c:36: + 27:8e:a1:bb:a0:94:b2:a5:98:76:f8:be:e1:87:22:d1:21:13: + 64:02:2b:de:9d:65:5a:d7:b6:48:08:b3:03:ce:f4:ef:81:66: + 1a:90:ea:b1:f4:cf:57:e2:1c:71:d6:85:24:c2:89:c2:2b:3d: + 14:00:8a:4a:7c:84:52:d5:f0:92:82:7f:04:84:dd:64:b5:86: + d2:a9:16:b1:0d:4c:57:a4:08:9b:82:4c:76:83:c5:77:3f:83: + ee:1e:2a:ea:0d:1c:5a:ff:a6:d7:00:49:ec:55:9b:8b:9e:a3: + ed:94:20:7a:0c:f0:6b:ca:9f:ec:d9:b5:2b:48:6c:a9:9b:fb: + fd:dd:95:e3:68:2c:83:61:ce:64:02:ac:09:e1:2d:3c:93:81: + e0:2c:87:35:14:7c:ae:fb:68:29:c2:35:55:75:fe:4f:9e:15: + 21:eb:bc:75 +-----BEGIN X509 CRL----- +MIIB3DCBxQIBATANBgkqhkiG9w0BAQUFADCBgjELMAkGA1UEBhMCVVMxEDAOBgNV +BAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFDASBgNVBAsMC0VuZ2luZWVy +aW5nMRgwFgYDVQQDDA93d3cubm9tYXRjaC5jb20xHzAdBgkqhkiG9w0BCQEWEGlu +Zm9Ad29sZnNzbC5jb20XDTE4MDYxMjIxMDgzM1oXDTIxMDMwODIxMDgzM1qgDjAM +MAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUAA4IBAQAlan9qcZpmZ+2IKdTsN6Xy +Aw7NGMbwqC88jM+D0gxgl1JzX6LDdsSHtAqzfA03ZHIw1sxYDD627NAdoRmitljJ +YyjVRUWML/cJBX1eCQfHUwHzQHBfasEfLDYnjqG7oJSypZh2+L7hhyLRIRNkAive +nWVa17ZICLMDzvTvgWYakOqx9M9X4hxx1oUkwonCKz0UAIpKfIRS1fCSgn8EhN1k +tYbSqRaxDUxXpAibgkx2g8V3P4PuHirqDRxa/6bXAEnsVZuLnqPtlCB6DPBryp/s +2bUrSGypm/v93ZXjaCyDYc5kAqwJ4S08k4HgLIc1FHyu+2gpwjVVdf5PnhUh67x1 +-----END X509 CRL----- 
diff --git a/certs/crl/server-goodcnwildCrl.pem b/certs/crl/server-goodcnwildCrl.pem new file mode 100644 index 000000000..5ba972e04 --- /dev/null +++ b/certs/crl/server-goodcnwildCrl.pem 
@@ -0,0 +1,38 @@ +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/ST=Montana/L=Bozeman/OU=Engineering/CN=*localhost/emailAddress=info@wolfssl.com + Last Update: Jun 12 21:08:33 2018 GMT + Next Update: Mar 8 21:08:33 2021 GMT + CRL extensions: + X509v3 CRL Number: + 1 +No Revoked Certificates. + Signature Algorithm: sha1WithRSAEncryption + 7b:61:c6:5b:68:f8:1d:4b:65:f5:67:ee:26:cc:1f:76:fc:70: + 80:55:54:01:66:d9:ba:b0:f5:bc:3e:52:ea:4e:d0:a5:95:eb: + 36:4b:9b:fa:8d:c3:62:3b:9b:e5:5a:8c:4a:50:f4:dc:33:bb: + 8d:d1:41:7f:1b:a7:7e:9a:c5:48:b6:42:85:55:8c:30:ce:16: + 83:e4:f8:20:6d:1d:b4:c6:64:cf:d9:47:19:fa:ee:87:6e:9f: + 61:33:a6:3b:81:24:93:74:e4:33:36:ea:83:42:d5:a0:19:9b: + 91:3c:c4:35:3b:90:37:62:25:fe:a5:2f:6d:2e:ed:02:09:9a: + 8c:9b:c3:2a:eb:90:33:eb:95:60:ff:39:26:ba:63:03:75:a8: + 7e:5b:59:dd:a3:9b:a0:16:ce:aa:96:96:45:9e:53:50:36:bd: + 8d:ef:1e:a3:26:96:94:9f:64:d2:ca:b4:28:21:87:2b:07:1a: + c9:00:28:80:b4:c5:10:f7:28:9b:ff:01:a3:6b:a8:f1:3d:53: + 25:8c:ea:a5:41:43:ec:b5:63:29:51:d8:5a:0b:18:97:59:c2: + f8:0b:6c:ee:99:0a:2d:79:d4:00:8e:ae:36:a5:2e:f6:4f:07: + 0e:85:4c:8d:4b:4b:b2:9f:33:09:0f:ed:59:c2:58:0b:e2:da: + cb:cc:44:f3 +-----BEGIN X509 CRL----- +MIIB1jCBvwIBATANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJVUzEQMA4GA1UE +CAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEUMBIGA1UECwwLRW5naW5lZXJp +bmcxEzARBgNVBAMMCipsb2NhbGhvc3QxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s +ZnNzbC5jb20XDTE4MDYxMjIxMDgzM1oXDTIxMDMwODIxMDgzM1qgDjAMMAoGA1Ud +FAQDAgEBMA0GCSqGSIb3DQEBBQUAA4IBAQB7YcZbaPgdS2X1Z+4mzB92/HCAVVQB +Ztm6sPW8PlLqTtClles2S5v6jcNiO5vlWoxKUPTcM7uN0UF/G6d+msVItkKFVYww +zhaD5PggbR20xmTP2UcZ+u6Hbp9hM6Y7gSSTdOQzNuqDQtWgGZuRPMQ1O5A3YiX+ +pS9tLu0CCZqMm8Mq65Az65Vg/zkmumMDdah+W1ndo5ugFs6qlpZFnlNQNr2N7x6j +JpaUn2TSyrQoIYcrBxrJACiAtMUQ9yib/wGja6jxPVMljOqlQUPstWMpUdhaCxiX +WcL4C2zumQotedQAjq42pS72TwcOhUyNS0uynzMJD+1ZwlgL4trLzETz +-----END X509 CRL----- 
diff --git a/certs/test/gen-testcerts.sh b/certs/test/gen-testcerts.sh index f51942597..3b6500e1c 100755 --- a/certs/test/gen-testcerts.sh +++ b/certs/test/gen-testcerts.sh 
@@ -1,43 +1,91 @@ #!/bin/sh -# Generate CN=localhost, AltName=localhost\0h -echo "step 1 create key" -openssl genrsa -out server-badaltnamenull.key 2048 +# Args: 1=FileName, 2=CN, 3=AltName +function build_test_cert_conf { + echo "[ req ]" > $1.conf + echo "prompt = no" >> $1.conf + echo "default_bits = 2048" >> $1.conf + echo "distinguished_name = req_distinguished_name" >> $1.conf + echo "req_extensions = req_ext" >> $1.conf + echo "" >> $1.conf + echo "[ req_distinguished_name ]" >> $1.conf + echo "C = US" >> $1.conf + echo "ST = Montana" >> $1.conf + echo "L = Bozeman" >> $1.conf + echo "OU = Engineering" >> $1.conf + echo "CN = $2" >> $1.conf + echo "emailAddress = info@wolfssl.com" >> $1.conf + echo "" >> $1.conf + echo "[ req_ext ]" >> $1.conf + if [ -n "$3" ]; then + if [[ "$3" != *"DER"* ]]; then + echo "subjectAltName = @alt_names" >> $1.conf + echo "[alt_names]" >> $1.conf + echo "DNS.1 = $3" >> $1.conf + else + echo "subjectAltName = $3" >> $1.conf + fi + fi +} -echo "step 2 create csr" -echo "US\nMontana\nBozeman\nEngineering\nlocalhost\n.\n" | openssl req -new -sha256 -out server-badaltnamenull.csr -key server-badaltnamenull.key -config server-badaltnamenull.conf +# Args: 1=FileName +function generate_test_cert { + rm $1.der + rm $1.pem -echo "step 3 check csr" -openssl req -text -noout -in server-badaltnamenull.csr + echo "step 1 create configuration" + build_test_cert_conf $1 $2 $3 -echo "step 4 create cert" -openssl x509 -req -days 1000 -in server-badaltnamenull.csr -signkey server-badaltnamenull.key \ - -out server-badaltnamenull.pem -extensions req_ext -extfile server-badaltnamenull.conf + echo "step 2 create csr" + openssl req -new -sha256 -out $1.csr -key ../server-key.pem -config $1.conf -echo "step 5 make human reviewable" -openssl x509 -inform pem -in server-badaltnamenull.pem -text > tmp.pem -mv tmp.pem server-badaltnamenull.pem + echo "step 3 check csr" + openssl req -text -noout -in $1.csr -openssl x509 -inform pem -in 
server-badaltnamenull.pem -outform der -out server-badaltnamenull.der + echo "step 4 create cert" + openssl x509 -req -days 1000 -in $1.csr -signkey ../server-key.pem \ + -out $1.pem -extensions req_ext -extfile $1.conf + rm $1.conf + rm $1.csr + + if [ -n "$4" ]; then + echo "step 5 generate crl" + mkdir ../crl/demoCA + touch ../crl/demoCA/index.txt + echo "01" > ../crl/crlnumber + openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out crl.revoked -keyfile ../server-key.pem -cert $1.pem + rm ../crl/$1Crl.pem + openssl crl -in crl.revoked -text > tmp.pem + mv tmp.pem ../crl/$1Crl.pem + rm crl.revoked + rm -rf ../crl/demoCA + rm ../crl/crlnumber* + fi + + echo "step 6 add cert text information to pem" + openssl x509 -inform pem -in $1.pem -text > tmp.pem + mv tmp.pem $1.pem + + echo "step 7 make binary der version" + openssl x509 -inform pem -in $1.pem -outform der -out $1.der +} -# Generate CN=www.nomatch.com, no AltName -echo "step 1 create key" -openssl genrsa -out server-nomatch.key 2048 +# Generate Good CN=*localhost, Alt=None +generate_test_cert server-goodcnwild *localhost "" 1 -echo "step 2 create csr" -echo "US\nMontana\nBozeman\nEngineering\nwww.nomatch.com\n.\n" | openssl req -new -sha256 -out server-nomatch.csr -key server-nomatch.key -config server-nomatch.conf +# Generate Good CN=www.nomatch.com, Alt=*localhost +generate_test_cert server-goodaltwild www.nomatch.com *localhost 1 -echo "step 3 check csr" -openssl req -text -noout -in server-nomatch.csr +# Generate Bad CN=localhost\0h, Alt=None +# DG: Have not found a way to properly encode null in common name +generate_test_cert server-badcnnull DER:30:0d:82:0b:6c:6f:63:61:6c:68:6f:73:74:00:68 -echo "step 4 create cert" -openssl x509 -req -days 1000 -in server-nomatch.csr -signkey server-nomatch.key \ - -out server-nomatch.pem -extensions req_ext -extfile server-nomatch.conf +# Generate Bad Name CN=www.nomatch.com, Alt=None +generate_test_cert server-badcn www.nomatch.com -echo "step 5 
make human reviewable" -openssl x509 -inform pem -in server-nomatch.pem -text > tmp.pem -mv tmp.pem server-nomatch.pem - -openssl x509 -inform pem -in server-nomatch.pem -outform der -out server-nomatch.der +# Generate Bad Alt CN=www.nomatch.com, Alt=localhost\0h +generate_test_cert server-badaltnull www.nomatch.com DER:30:0d:82:0b:6c:6f:63:61:6c:68:6f:73:74:00:68 +# Generate Bad Alt Name CN=www.nomatch.com, Alt=www.nomatch.com +generate_test_cert server-badaltname www.nomatch.com www.nomatch.com diff --git a/certs/test/include.am b/certs/test/include.am index 0e8eec225..c1f4a447d 100644 --- a/certs/test/include.am +++ b/certs/test/include.am @@ -20,16 +20,22 @@ EXTRA_DIST += \ EXTRA_DIST += \ certs/test/gen-testcerts.sh \ - certs/test/server-badaltnamenull.conf \ - certs/test/server-badaltnamenull.csr \ - certs/test/server-badaltnamenull.key \ - certs/test/server-badaltnamenull.pem \ - certs/test/server-badaltnamenull.der \ - certs/test/server-nomatch.conf \ - certs/test/server-nomatch.csr \ - certs/test/server-nomatch.key \ - certs/test/server-nomatch.pem \ - certs/test/server-nomatch.der + certs/test/server-goodcnwild.pem \ + certs/test/server-goodcnwild.der \ + certs/test/server-goodcnwild.csr \ + certs/test/server-goodaltwild.pem \ + certs/test/server-goodaltwild.der \ + certs/test/server-badcnnull.pem \ + certs/test/server-badcnnull.der \ + certs/test/server-badcn.pem \ + certs/test/server-badcn.der \ + certs/test/server-badaltnull.pem \ + certs/test/server-badaltnull.der \ + certs/test/server-badaltname.der \ + certs/test/server-badaltname.pem \ + certs/crl/server-goodaltwildCrl.pem \ + certs/crl/server-goodcnwildCrl.pem + EXTRA_DIST += \ certs/test/crit-cert.pem \ 
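Review bot: The file keeps the `#!/bin/sh` shebang on the first line of the hunk, but the new `build_test_cert_conf` uses the `function` keyword and `[[ "$3" != *"DER"* ]]`, both bash-only, so under a POSIX sh such as dash the generator aborts before writing a single `.conf`. Either change the first line to `#!/bin/bash` or replace the test with `case "$3" in *DER*) echo "subjectAltName = $3" >> $1.conf ;; *) ... ;; esac`. The header comment `# Args: 1=FileName` above `generate_test_cert` also under-documents it: the body reads `$2` (CN), `$3` (AltName) and `$4` (non-empty to also emit a CRL into ../crl), so it should read `# Args: 1=FileName, 2=CN, 3=AltName, 4=GenerateCRL (optional)`. The unconditional `rm $1.der` / `rm $1.pem` at the top of `generate_test_cert` print errors on a fresh checkout; `rm -f` is the intended form.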
diff --git a/certs/test/server-badaltname.der b/certs/test/server-badaltname.der new file mode 100644 index 0000000000000000000000000000000000000000..7c831d6be34cf4d7f03586f7407389f1069f4dd7 GIT binary patch literal 939 zcmXqLVqR|0#MHllnTe5!iIZV}K}*RB|DtXKUN%mxHjlRNyo`*jtPBQ?O@`bCoNUaY zENsF|p}~d%27Dk62M@b%eqKppULs6{orm2izbZ91G0#xMKnSFUn}^#qFFi9aHMJ-+ zFWpeWKnx_x%)?(^UapsypPN{coS~PTpKB;@APcvYlTl0{GcPUQp*%k)t++S`q`*K< zoY&C8z|7Fd$k4#T*f>g@7sxO+uz+$0ha;O9m5>9Ek(GhDiIJbdpox)-sfm%1;lNam zhvAN&3Ujw#a&=T^Og-kh?$aI>gB?@P>HA&#CeyK}X8!LL>Gl6&<^-00?>fc)+*H5+ z;oj;4`ZcRlR*3&O65iel*lgy!ys$&vK`=>Kz1(y9emvF(Z(sui~sMJv=R$Ui=QBcU1=e`n($eLek#LchxgkPO zYSmpmyAJCK+ZQjjPel%mE#v0aD3#sFstMw=kWt_C*_cCF z*o2uvgAD}?_&^*E9(LdSypqJcM3@LW54%%-RcdZxo}q|=5J(Ld54USxdS+f~YEfoh zx}lJP07#UXhchQXIWZ?AzqrIePMp`!!obwP*wDV-Ql3_%~Lq|bY_S;_^g)aPd_Z)A+&O1t?!c5 z>CE3JTw^yhTxzS97v181W<~!(^Z%c2JU`Z4!qW6x{=reBYde%Z8sgm|n&;c6+={Yy zkhNQ;_)^tA=kJP{+YRqs@t?cVVyE$Cwx{VPi;EUYybd=tNc?q#J3jI2%%)7kDmy8L z<<-5i-i!s4l;vBjQ`hg|mwEbQ(qa>Zx~rFr|5e=I8tToxqohuAt8m8df6L?aeiZhc zd;I>&Jh{jJI}{GRzSnTwW#y9ut_wm-*_OK8-?(mtqT`C+pI6sUkkpc2^hIOM=c41M zySrFkUJ9SzzS|>o!PzZQr{)!9@3=L6PW?;&olMM(42+AV3?vN1fDtDv$ii>H+r$lz zJcbP9&;uqFVCXS2tSfsJXRLEx?8KWz>ROUJm3C)tnP&Q3RpxH@?;|UW#5;=@>``9q zdF8Lv^*{UDW1WP&6%uRQV9{jkt$tr?-3oG|Qrd!MIoXSav_}47+=k4)5)9!Ct zZ}?TiRrl(FD5t51Q;xdDob9_-{ddmSQkOH=>TXO6jbWHCzvd$syC%=B)wS|#dL2UB zo|wuCb_#SKO8-C8DD88s*J1NGb0ddp%>dP>2XEZ3PO}#MHfjnTe5!iId^+3Ffjez30;nc-c6$+C196^D;8BvN9MnHW_joaI!In zvaks=g$5f681R8O96ap4`FSOYd5JI)b{=-8{HoO4#5_Y010j$aZXRyey!6bx)YPKP zymUhe12K>&GY@}xdAVL*er{q(a)w@Vey*Xsfh^ooPDU|-%)GRGhw}WKwBq6%kOBia zab80U12aP-BSQlVW8)}sULeERzyiu09FA;aR6-6sMpg#qCPsb+gC<5UrY1&4h67VM z9)>%9D$Lz}$<sd-#mjmmRx;(TKP<_pw?p9Zu`>=^G8elUXSU}Z*)6{8^NYJ{ zi}zIPD{lRp7Ra+VWb?z^c$q!Q#TPl5J4G%D>`XbVbz$K&uRRa1NJSrCaNuBa1;2~A zfzh-EBju?J%XbN1nqK@UR`p~S?_tY?C0jORIyrH^yuq=@SYdO7((+ZWk34*q*nITT zwEH(N_^-Xr#LURRxLC>nk`81AS@;cjo49lGlM{0?@{3CtGLSl%v_&L=uUd?Zb2;U>!`f>Nlj_((X?RUog 
z`L3~Vl8I&phj>b_-L0yv=C2=C{i@o3J!tx|QtO4;xjhR1EksnFW?E*h(3q&^Ec8-( z0^^g%vUj$y9?xS?zo2-FOJ`Zrfud`^kLJu4dbRDm!o!FBE8cLnY?lSA*fopwqW2y; I@b&3I09FrO`v3p{ literal 0 HcmV?d00001 diff --git a/certs/test/server-badaltnull.pem b/certs/test/server-badaltnull.pem new file mode 100644 index 000000000..b992b0a95 --- /dev/null +++ b/certs/test/server-badaltnull.pem 
@@ -0,0 +1,74 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 16413372648738711447 (0xe3c80376562ee797) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, ST=Montana, L=Bozeman, OU=Engineering, CN=www.nomatch.com/emailAddress=info@wolfssl.com + Validity + Not Before: Jun 12 21:08:33 2018 GMT + Not After : Mar 8 21:08:33 2021 GMT + Subject: C=US, ST=Montana, L=Bozeman, OU=Engineering, CN=www.nomatch.com/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:c0:95:08:e1:57:41:f2:71:6d:b7:d2:45:41:27: + 01:65:c6:45:ae:f2:bc:24:30:b8:95:ce:2f:4e:d6: + f6:1c:88:bc:7c:9f:fb:a8:67:7f:fe:5c:9c:51:75: + f7:8a:ca:07:e7:35:2f:8f:e1:bd:7b:c0:2f:7c:ab: + 64:a8:17:fc:ca:5d:7b:ba:e0:21:e5:72:2e:6f:2e: + 86:d8:95:73:da:ac:1b:53:b9:5f:3f:d7:19:0d:25: + 4f:e1:63:63:51:8b:0b:64:3f:ad:43:b8:a5:1c:5c: + 34:b3:ae:00:a0:63:c5:f6:7f:0b:59:68:78:73:a6: + 8c:18:a9:02:6d:af:c3:19:01:2e:b8:10:e3:c6:cc: + 40:b4:69:a3:46:33:69:87:6e:c4:bb:17:a6:f3:e8: + dd:ad:73:bc:7b:2f:21:b5:fd:66:51:0c:bd:54:b3: + e1:6d:5f:1c:bc:23:73:d1:09:03:89:14:d2:10:b9: + 64:c3:2a:d0:a1:96:4a:bc:e1:d4:1a:5b:c7:a0:c0: + c1:63:78:0f:44:37:30:32:96:80:32:23:95:a1:77: + ba:13:d2:97:73:e2:5d:25:c9:6a:0d:c3:39:60:a4: + b4:b0:69:42:42:09:e9:d8:08:bc:33:20:b3:58:22: + a7:aa:eb:c4:e1:e6:61:83:c5:d2:96:df:d9:d0:4f: + ad:d7 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:localhost + Signature Algorithm: sha1WithRSAEncryption + 2e:5d:bf:5a:4a:16:d7:4e:d1:9d:18:07:6c:9a:b5:c3:9c:1c: + a3:75:7b:6c:91:ab:81:d8:f3:39:b9:81:22:5a:ae:ac:6f:47: + 7a:5b:79:6c:17:a7:32:7f:ae:8b:60:1c:e9:2e:fc:2d:be:42: + e8:60:a7:d9:49:d4:71:2a:32:86:0f:14:b1:47:21:97:7a:0f: + 89:e8:60:68:2b:22:22:95:ff:34:4e:42:7c:01:d5:6f:84:58: + 57:bc:1b:85:f1:bb:a9:88:f7:d1:73:3f:b9:5e:fc:f7:28:be: + 92:34:29:68:08:17:64:8d:3e:da:7a:b5:37:eb:e1:7a:fa:7a: + bf:d7:52:97:c6:75:3b:a1:6b:6d:8c:20:ff:38:14:24:e5:69: + 
39:69:a8:28:91:26:43:12:e9:1b:90:01:e4:e3:1d:dc:b4:05: + c7:6e:00:27:d0:21:da:0a:2c:a6:82:c0:72:d6:4d:e2:9c:9b: + 12:ea:b6:cf:20:e1:e1:0f:44:52:6c:e8:8f:7f:a6:40:28:27: + 68:c5:46:b9:f5:3e:ee:0e:e5:16:92:e7:b0:e6:2f:2c:fc:77: + 20:98:89:0d:53:c4:92:7b:cd:10:a6:15:74:4a:f8:ac:76:c2: + 7d:7f:85:b2:d5:2c:01:9b:44:a0:aa:07:29:73:2e:5b:bd:c2: + c0:f5:e5:c1 +-----BEGIN CERTIFICATE----- +MIIDozCCAougAwIBAgIJAOPIA3ZWLueXMA0GCSqGSIb3DQEBBQUAMIGCMQswCQYD +VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEUMBIG +A1UECwwLRW5naW5lZXJpbmcxGDAWBgNVBAMMD3d3dy5ub21hdGNoLmNvbTEfMB0G +CSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAeFw0xODA2MTIyMTA4MzNaFw0y +MTAzMDgyMTA4MzNaMIGCMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQ +MA4GA1UEBwwHQm96ZW1hbjEUMBIGA1UECwwLRW5naW5lZXJpbmcxGDAWBgNVBAMM +D3d3dy5ub21hdGNoLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNv +bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMCVCOFXQfJxbbfSRUEn +AWXGRa7yvCQwuJXOL07W9hyIvHyf+6hnf/5cnFF194rKB+c1L4/hvXvAL3yrZKgX +/Mpde7rgIeVyLm8uhtiVc9qsG1O5Xz/XGQ0lT+FjY1GLC2Q/rUO4pRxcNLOuAKBj +xfZ/C1loeHOmjBipAm2vwxkBLrgQ48bMQLRpo0YzaYduxLsXpvPo3a1zvHsvIbX9 +ZlEMvVSz4W1fHLwjc9EJA4kU0hC5ZMMq0KGWSrzh1Bpbx6DAwWN4D0Q3MDKWgDIj +laF3uhPSl3PiXSXJag3DOWCktLBpQkIJ6dgIvDMgs1gip6rrxOHmYYPF0pbf2dBP +rdcCAwEAAaMaMBgwFgYDVR0RBA8wDYILbG9jYWxob3N0AGgwDQYJKoZIhvcNAQEF +BQADggEBAC5dv1pKFtdO0Z0YB2yatcOcHKN1e2yRq4HY8zm5gSJarqxvR3pbeWwX +pzJ/rotgHOku/C2+Quhgp9lJ1HEqMoYPFLFHIZd6D4noYGgrIiKV/zROQnwB1W+E +WFe8G4Xxu6mI99FzP7le/PcovpI0KWgIF2SNPtp6tTfr4Xr6er/XUpfGdTuha22M +IP84FCTlaTlpqCiRJkMS6RuQAeTjHdy0BcduACfQIdoKLKaCwHLWTeKcmxLqts8g +4eEPRFJs6I9/pkAoJ2jFRrn1Pu4O5RaS57DmLyz8dyCYiQ1TxJJ7zRCmFXRK+Kx2 +wn1/hbLVLAGbRKCqBylzLlu9wsD15cE= +-----END CERTIFICATE----- 
diff --git a/certs/test/server-badcn.der b/certs/test/server-badcn.der new file mode 100644 index 0000000000000000000000000000000000000000..e54bbc10659bcbf36b9c288bbe23b5e5018b8682 GIT binary patch literal 907 zcmXqLVs1BRV#;5@%*4pV#L3WI_{TD1&tEMAUN%mxHjlRNyo`*jtPBQ?O@`bCoNUaY zENsF|p}~d%27Dk62M@b%eqKppULs6{orm2izbZ91G0#xMKnSFUn}^#qFFi9aHMJ-+ zFWpeWKnx_x%)?(^UapsypPN{coS~PTpKB;@APcvYlTl0{GcPUQp*%k)t++S`q`*K< zoY&C8z|7Fd$k4#T*f>g@7sxO+uz+$0ha;O9m5>9Ek(GhDiIJbdpox)-sfm%1;lNam zhvAN&3Ujw#a&=T^Og-kh?$aI>gB?@P>HA&#CeyK}X8!LL>Gl6&<^-00?>fc)+*H5+ z;oj;4`ZcRlR*3&O6zO+kwJ0hN`pAr#9b*JehWo&Uv-DScZmBwGezhJ^Bw>5 zSAKPyB(42;C2xvr!v>$z3xv)r+`7H>s^Sra=+EB-j=Cwnj5;T`=b`%&{@(gYlh%8^ zI?Wh7?<0G#h?4fk+wSs_qU{U*8Y?qDuN0`6urQgI&GC#^uZiEQ->>{nw7T$4(iCmI zcRsk)Thm%;MNO_%lFwHkQHfX6p81q7dhK!j)YthgTbr2{X3VkZ2)muhv9qhD!q(U6 z&gy-Py*f9_qH1N*C4Vo~D@*uyO>n#XPtK~V3pVI2UUA@$L2Xfnb&eXZx?Q4d*d<>M jBjLl*H7(B{9-BAYNP~A_%SKN%YtdJG;-^=s2Xz1dsHRi# literal 0 HcmV?d00001 diff --git a/certs/test/server-badcn.pem b/certs/test/server-badcn.pem new file mode 100644 index 000000000..ef83f866d --- /dev/null +++ b/certs/test/server-badcn.pem 
@@ -0,0 +1,70 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 10048089567140838698 (0x8b71fc3968bcfd2a) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, ST=Montana, L=Bozeman, OU=Engineering, CN=www.nomatch.com/emailAddress=info@wolfssl.com + Validity + Not Before: Jun 12 21:08:33 2018 GMT + Not After : Mar 8 21:08:33 2021 GMT + Subject: C=US, ST=Montana, L=Bozeman, OU=Engineering, CN=www.nomatch.com/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:c0:95:08:e1:57:41:f2:71:6d:b7:d2:45:41:27: + 01:65:c6:45:ae:f2:bc:24:30:b8:95:ce:2f:4e:d6: + f6:1c:88:bc:7c:9f:fb:a8:67:7f:fe:5c:9c:51:75: + f7:8a:ca:07:e7:35:2f:8f:e1:bd:7b:c0:2f:7c:ab: + 64:a8:17:fc:ca:5d:7b:ba:e0:21:e5:72:2e:6f:2e: + 86:d8:95:73:da:ac:1b:53:b9:5f:3f:d7:19:0d:25: + 4f:e1:63:63:51:8b:0b:64:3f:ad:43:b8:a5:1c:5c: + 34:b3:ae:00:a0:63:c5:f6:7f:0b:59:68:78:73:a6: + 8c:18:a9:02:6d:af:c3:19:01:2e:b8:10:e3:c6:cc: + 40:b4:69:a3:46:33:69:87:6e:c4:bb:17:a6:f3:e8: + dd:ad:73:bc:7b:2f:21:b5:fd:66:51:0c:bd:54:b3: + e1:6d:5f:1c:bc:23:73:d1:09:03:89:14:d2:10:b9: + 64:c3:2a:d0:a1:96:4a:bc:e1:d4:1a:5b:c7:a0:c0: + c1:63:78:0f:44:37:30:32:96:80:32:23:95:a1:77: + ba:13:d2:97:73:e2:5d:25:c9:6a:0d:c3:39:60:a4: + b4:b0:69:42:42:09:e9:d8:08:bc:33:20:b3:58:22: + a7:aa:eb:c4:e1:e6:61:83:c5:d2:96:df:d9:d0:4f: + ad:d7 + Exponent: 65537 (0x10001) + Signature Algorithm: sha1WithRSAEncryption + 21:99:a9:30:5e:1d:61:ba:64:88:4e:a1:15:6d:ea:8b:57:ef: + 40:5e:f7:99:64:12:f8:03:dc:4f:cf:d4:fa:8b:34:62:ad:f1: + d4:6e:94:45:80:b0:4c:cb:a0:12:cc:a1:b5:b7:85:d5:21:c4: + 20:5b:f3:f6:10:c5:46:21:e9:5a:ce:1e:bc:e1:47:a4:0f:8d: + 7f:92:92:af:4a:ea:cb:01:53:9e:f1:07:53:14:22:2b:b1:db: + 47:1f:59:15:87:a0:fd:33:23:03:e7:79:10:7c:90:a1:63:0d: + 06:41:cc:4a:8d:34:4e:ea:fb:ea:4f:c8:85:44:0d:92:29:15: + 85:de:cf:53:85:4b:29:3b:22:a8:7c:6d:3a:62:4c:f5:4c:15: + 18:ea:96:e6:4c:77:a2:eb:48:d7:ca:f5:9f:44:b5:83:02:a1: + 
68:9c:38:88:56:db:69:08:b9:8a:7c:78:3d:4d:42:dc:ab:be: + 01:8d:2c:d8:76:5a:7d:1c:67:19:fb:a5:2e:76:60:fe:d6:11: + b7:1f:f9:09:7a:d5:a0:b0:2e:a3:a8:c0:fc:30:7d:72:68:3b: + 6c:26:0d:27:3e:61:1d:56:d2:4d:08:32:13:c3:5b:7c:84:e7: + e1:c6:9e:9b:32:28:0d:a1:84:b1:49:26:3b:15:ea:bc:5f:97: + 7a:27:52:88 +-----BEGIN CERTIFICATE----- +MIIDhzCCAm+gAwIBAgIJAItx/DlovP0qMA0GCSqGSIb3DQEBBQUAMIGCMQswCQYD +VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEUMBIG +A1UECwwLRW5naW5lZXJpbmcxGDAWBgNVBAMMD3d3dy5ub21hdGNoLmNvbTEfMB0G +CSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAeFw0xODA2MTIyMTA4MzNaFw0y +MTAzMDgyMTA4MzNaMIGCMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQ +MA4GA1UEBwwHQm96ZW1hbjEUMBIGA1UECwwLRW5naW5lZXJpbmcxGDAWBgNVBAMM +D3d3dy5ub21hdGNoLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNv +bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMCVCOFXQfJxbbfSRUEn +AWXGRa7yvCQwuJXOL07W9hyIvHyf+6hnf/5cnFF194rKB+c1L4/hvXvAL3yrZKgX +/Mpde7rgIeVyLm8uhtiVc9qsG1O5Xz/XGQ0lT+FjY1GLC2Q/rUO4pRxcNLOuAKBj +xfZ/C1loeHOmjBipAm2vwxkBLrgQ48bMQLRpo0YzaYduxLsXpvPo3a1zvHsvIbX9 +ZlEMvVSz4W1fHLwjc9EJA4kU0hC5ZMMq0KGWSrzh1Bpbx6DAwWN4D0Q3MDKWgDIj +laF3uhPSl3PiXSXJag3DOWCktLBpQkIJ6dgIvDMgs1gip6rrxOHmYYPF0pbf2dBP +rdcCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAIZmpMF4dYbpkiE6hFW3qi1fvQF73 +mWQS+APcT8/U+os0Yq3x1G6URYCwTMugEsyhtbeF1SHEIFvz9hDFRiHpWs4evOFH +pA+Nf5KSr0rqywFTnvEHUxQiK7HbRx9ZFYeg/TMjA+d5EHyQoWMNBkHMSo00Tur7 +6k/IhUQNkikVhd7PU4VLKTsiqHxtOmJM9UwVGOqW5kx3outI18r1n0S1gwKhaJw4 +iFbbaQi5inx4PU1C3Ku+AY0s2HZafRxnGfulLnZg/tYRtx/5CXrVoLAuo6jA/DB9 +cmg7bCYNJz5hHVbSTQgyE8NbfITn4caemzIoDaGEsUkmOxXqvF+XeidSiA== +-----END CERTIFICATE----- 
diff --git a/certs/test/server-badcnnull.der b/certs/test/server-badcnnull.der new file mode 100644 index 0000000000000000000000000000000000000000..fe3c521b94a88a3c6b56bc00402e11bef0d80a4b GIT binary patch literal 973 zcmXqLVm@im#I$h%GZP~d6DPykj)?rATXHK6c-c6$+C196^D;8BvN9MnE;i&g;ACSC zWnmL$3Jo?CFyI4mIC$87^Ycm)^Aceq>^$sF`Bka8iFt-120|b;+&tW_dFh#Xsi{So zdFh6h2Ie49W*!3<*B~on11p0RD+?nlgCr}nWGk~YD>Gv&Gea=j0>m{pwlX)dGBB_* zvoMr5kcGR7lTl0{GcPUQp*%k)t++TxFF8NgKu(<3(89pX(8$Qpz{1!#N}LzSFgCD& za)*d7ni!RkgP)O=fw_s1pTVGsk&CH`k&)rRRE~$?j-Lv1w_kE~RA)>*=DP0F9uzyIOh>I3>Ut5a5p|2Y*~z3YME(;~fm zy|x=ui*K!w4&E7We_fJS)&F5~a$q-iiv3#W9ZO|mOg67$Sde`5TRnGVMn&ca9}!k4BOKZ;d7nZ@il@9HF#))$1bqyIMeQmTv01|DnfR3hQt0aC-mz#kF@kYa?o(tvuO1H>{Jle$(?89t>+6S3R1p zeU!IikNxI#>0ayqZJiK1{oB>MH)AqWbF7VOqRPZ>wsEMqOaB$~i7E;cZGWyDLx0w{?dnZV;uUsrqbDz5bD OHpil?OrJ{z?gaom%xAy= literal 0 HcmV?d00001 diff --git a/certs/test/server-badcnnull.pem b/certs/test/server-badcnnull.pem new file mode 100644 index 000000000..dff524a5b --- /dev/null +++ b/certs/test/server-badcnnull.pem 
@@ -0,0 +1,72 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 12504341600548822697 (0xad88586f52da1ea9) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, ST=Montana, L=Bozeman, OU=Engineering, CN=DER:30:0d:82:0b:6c:6f:63:61:6c:68:6f:73:74:00:68/emailAddress=info@wolfssl.com + Validity + Not Before: Jun 12 21:08:33 2018 GMT + Not After : Mar 8 21:08:33 2021 GMT + Subject: C=US, ST=Montana, L=Bozeman, OU=Engineering, CN=DER:30:0d:82:0b:6c:6f:63:61:6c:68:6f:73:74:00:68/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:c0:95:08:e1:57:41:f2:71:6d:b7:d2:45:41:27: + 01:65:c6:45:ae:f2:bc:24:30:b8:95:ce:2f:4e:d6: + f6:1c:88:bc:7c:9f:fb:a8:67:7f:fe:5c:9c:51:75: + f7:8a:ca:07:e7:35:2f:8f:e1:bd:7b:c0:2f:7c:ab: + 64:a8:17:fc:ca:5d:7b:ba:e0:21:e5:72:2e:6f:2e: + 86:d8:95:73:da:ac:1b:53:b9:5f:3f:d7:19:0d:25: + 4f:e1:63:63:51:8b:0b:64:3f:ad:43:b8:a5:1c:5c: + 34:b3:ae:00:a0:63:c5:f6:7f:0b:59:68:78:73:a6: + 8c:18:a9:02:6d:af:c3:19:01:2e:b8:10:e3:c6:cc: + 40:b4:69:a3:46:33:69:87:6e:c4:bb:17:a6:f3:e8: + dd:ad:73:bc:7b:2f:21:b5:fd:66:51:0c:bd:54:b3: + e1:6d:5f:1c:bc:23:73:d1:09:03:89:14:d2:10:b9: + 64:c3:2a:d0:a1:96:4a:bc:e1:d4:1a:5b:c7:a0:c0: + c1:63:78:0f:44:37:30:32:96:80:32:23:95:a1:77: + ba:13:d2:97:73:e2:5d:25:c9:6a:0d:c3:39:60:a4: + b4:b0:69:42:42:09:e9:d8:08:bc:33:20:b3:58:22: + a7:aa:eb:c4:e1:e6:61:83:c5:d2:96:df:d9:d0:4f: + ad:d7 + Exponent: 65537 (0x10001) + Signature Algorithm: sha1WithRSAEncryption + 2d:66:45:43:2b:7b:10:1e:9a:2d:65:ee:ff:55:c6:44:71:7f: + db:b8:42:ef:e7:e8:d6:ee:b9:7d:58:7d:e6:a9:c9:8b:9d:56: + 89:0d:7f:b2:e7:e8:48:00:ad:81:aa:e2:97:2b:c5:0d:78:bc: + 3f:b3:ae:67:4a:af:fe:b5:90:5d:97:f6:d5:dd:d9:5c:69:65: + 6c:3b:32:7c:5a:76:16:d9:86:08:24:47:1b:fd:16:4c:5a:72: + 56:17:85:1e:aa:e4:4c:28:aa:91:28:e5:ed:95:28:5f:6b:63: + a8:e7:7e:2d:0c:20:e2:7e:0e:57:ab:6d:e7:e4:fc:13:3b:d7: + bb:df:cd:89:55:56:80:b7:45:0c:74:f6:ae:c3:91:b0:10:69: + 
3f:13:ff:7e:43:3d:1e:c3:3b:02:ee:ab:27:64:12:bd:b6:70: + 99:c0:d3:6b:22:b8:f5:3c:6b:3f:ab:a0:fd:ba:cc:50:e5:8a: + 67:b3:ec:8b:15:79:bd:db:e3:64:1a:1d:bb:d5:cb:55:8f:40: + 7f:01:ba:e2:32:dc:87:fa:3c:80:dd:37:7f:de:5b:ca:aa:1d: + 63:46:ec:22:c6:4c:1b:bf:74:50:c4:1a:21:b6:7a:ac:3f:55: + c8:bf:ae:69:80:2f:2d:2b:93:aa:0a:67:97:3c:c6:5b:7a:35: + e7:19:51:bd +-----BEGIN CERTIFICATE----- +MIIDyTCCArGgAwIBAgIJAK2IWG9S2h6pMA0GCSqGSIb3DQEBBQUAMIGjMQswCQYD +VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEUMBIG +A1UECwwLRW5naW5lZXJpbmcxOTA3BgNVBAMMMERFUjozMDowZDo4MjowYjo2Yzo2 +Zjo2Mzo2MTo2Yzo2ODo2Zjo3Mzo3NDowMDo2ODEfMB0GCSqGSIb3DQEJARYQaW5m +b0B3b2xmc3NsLmNvbTAeFw0xODA2MTIyMTA4MzNaFw0yMTAzMDgyMTA4MzNaMIGj +MQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1h +bjEUMBIGA1UECwwLRW5naW5lZXJpbmcxOTA3BgNVBAMMMERFUjozMDowZDo4Mjow +Yjo2Yzo2Zjo2Mzo2MTo2Yzo2ODo2Zjo3Mzo3NDowMDo2ODEfMB0GCSqGSIb3DQEJ +ARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAMCVCOFXQfJxbbfSRUEnAWXGRa7yvCQwuJXOL07W9hyIvHyf+6hnf/5cnFF1 +94rKB+c1L4/hvXvAL3yrZKgX/Mpde7rgIeVyLm8uhtiVc9qsG1O5Xz/XGQ0lT+Fj +Y1GLC2Q/rUO4pRxcNLOuAKBjxfZ/C1loeHOmjBipAm2vwxkBLrgQ48bMQLRpo0Yz +aYduxLsXpvPo3a1zvHsvIbX9ZlEMvVSz4W1fHLwjc9EJA4kU0hC5ZMMq0KGWSrzh +1Bpbx6DAwWN4D0Q3MDKWgDIjlaF3uhPSl3PiXSXJag3DOWCktLBpQkIJ6dgIvDMg +s1gip6rrxOHmYYPF0pbf2dBPrdcCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEALWZF +Qyt7EB6aLWXu/1XGRHF/27hC7+fo1u65fVh95qnJi51WiQ1/sufoSACtgarilyvF +DXi8P7OuZ0qv/rWQXZf21d3ZXGllbDsyfFp2FtmGCCRHG/0WTFpyVheFHqrkTCiq +kSjl7ZUoX2tjqOd+LQwg4n4OV6tt5+T8EzvXu9/NiVVWgLdFDHT2rsORsBBpPxP/ +fkM9HsM7Au6rJ2QSvbZwmcDTayK49TxrP6ug/brMUOWKZ7PsixV5vdvjZBodu9XL +VY9AfwG64jLch/o8gN03f95byqodY0bsIsZMG790UMQaIbZ6rD9VyL+uaYAvLSuT +qgpnlzzGW3o15xlRvQ== +-----END CERTIFICATE----- 
diff --git a/certs/test/server-goodaltwild.der b/certs/test/server-goodaltwild.der new file mode 100644 index 0000000000000000000000000000000000000000..e82bd88414c4b3e7152b397ab529e9f7f9a34aab GIT binary patch literal 934 zcmXqLVqRp>#MHHbnTe5!iId^{)8chmS2pPw@Un4gwRyCC=VfGMWo0mEY%=6F;ACSC zWnmL$3Jo?CFyI4mIC$87^Ycm)^Aceq>^$sF`Bka8iFt-120|b;+&tW_dFh#Xsi{So zdFh4{24WylW*+|X@^Zbr{M^KnP?Nyg-Jrfd!O1I2_r;sDvDNjI0dIO^o~u22G4yOihf83S3NU#4FGbgb0d)F!U=cfAo z5BF9d(63pYvO@gNso3gW4-}sk>E-LS-I!W@YmId9&UpLllDw+^50jGvySY>B*E;W5 zDidR}c^$)oC+V`m(;WG;3y&TP*+vRi!F=NEU^ z7VoLnSKRtHEs$q#$mWN+@iKdqi!X9AcZysR*qL%z>%zimUV9#1k%~UP;K0G;3Vs)J z1EXmTM#@tcmhTe2G`;vytm?@u-ous&OSWvtbaLW+d4pq*vBKsErRA$$A9?sJvH9qw zY4>kl@LzkKiJ6gsaj~R5exap|_cYpK4olhe7*2OHiYIy%hh14lw>Bssjw$Jx#i!?sAaN5z2(aklA z3DYl@t2(S{JAHJ+_1o+-_>(<0ZoT|vkMx8;7xzyM?q_~8Z_VaC5+{OBnOUSnr>3eu zSN@TkvG|k68a0OE{~2eKW~8z#<==f=a7k4@U!}-1$s_(D2bTLM%sf~lUXp7eQ#7Hs zC_CtGhL=va-`vBdKco%wUYBj(T^G`pzeexLw}?9B(hcip|4D1|dgd_C*_cCF z*o2uvgAD}?_&^*E9(LdSypqJcM3@LW54%%-RcdZxo}q|=5J(L-54USxdS+f~YEfoh zx}mUvAV`#%hf6CbKRGccBfq%BP~JcmZXGA1m_TM;TE0Vheok6(agJVcey)L>IIp3F zftjI^k)eTwv2m0*FOXquU;*V0wDX!6m5>9Bk(GhDiIJbdpox)-sfm%1;lNamhvAN& z3Ujw#a&=T^Og-kh?$aI>gB?@P>HA&#CeyK}X8!LL>Gl6&<^-00?>fc)+*H5+;oj;4 z`ZcRlR*3&O6b;-Czi#qUmNvgr=G>jXuO9fd>C#=3 z*^DQ1P3;~VZfW9{F$!CqcrErYYi?)YALhf0N=@0zl0T-ZT)unwyc=8U6PaH25eDmCFfoDb2FR z94g!ic3&2780zr~SAAW4CX(+)N8c56ub&ylk9WZ60mkc^Mg5Ss4rx47m+B*_cCF z*o2uvgAD}?_&^*E9(LdSypqJcM3@LW54%%-RcdZxo}q|=5J(Ld54USxdS+f~YEfoh zx}ms%C`gootyqzdrP2_lhZ@tG{WK+7;UwvDv15W!}ZK=42%6BHg~++mjnt zKU8T=mHpEDcTHyN$8B5Ls`57HUD>uIRQ{Nqm_@q5Egm~Fa`hsa4?bBN zeQsi&@ZOk0t;`#>E7;HHH}kNbzhYT0U~4)<=4ZKD@YTkTS=^_7xBblBJ!$8I@I}_n zB4-|ystX(nkezsH{SUK_GqJMf<^N<~ZN52W+mnsUHMO6}9siap8+rYaF5@MRg+&WC zeYBtRSN*43>toiXCL5OJxO{LDGb+?S+jPj7mCMHFdAs;^`IUanhveLr@>d<2@qNa^ z(j7%=H>FcmK778eGw1xWjw3x`4DDk3JT)dR*mHdTV 0) { p = (char)XTOLOWER((unsigned char)*pattern++); - if (p == 0) + if (p == '\0') break; if (p == '*') { 
@@ -7684,8 +7684,9 @@ int MatchDomainName(const char* pattern, int len, const char* str)
 }
 }
- if (*str == '\0')
+ if (*str == '\0' && len == 0) {
 ret = 1; /* success */
+ }
 return ret;
 }
@@ -7705,7 +7706,7 @@ int CheckAltNames(DecodedCert* dCert, char* domain)
 while (altName) {
 WOLFSSL_MSG("\tindividual AltName check");
- if (MatchDomainName(altName->name,(int)XSTRLEN(altName->name), domain)){
+ if (MatchDomainName(altName->name, altName->len, domain)){
 match = 1;
 break;
 }
@@ -7742,8 +7743,7 @@ static int CheckForAltNames(DecodedCert* dCert, char* domain, int* checkCN)
 while (altName) {
 WOLFSSL_MSG("\tindividual AltName check");
- if (MatchDomainName(altName->name, (int)XSTRLEN(altName->name),
- domain)) {
+ if (MatchDomainName(altName->name, altName->len, domain)) {
 match = 1;
 *checkCN = 0;
 break;
@@ -7953,7 +7953,7 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
 while (cur != NULL) {
 if (cur->type == ASN_RFC822_TYPE) {
 DNS_entry* dnsEntry;
- int strLen = (int)XSTRLEN(cur->name);
+ int strLen = cur->len;
 dnsEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), x509->heap, DYNAMIC_TYPE_ALTNAME);
@@ -7970,7 +7970,7 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
 XFREE(dnsEntry, x509->heap, DYNAMIC_TYPE_ALTNAME);
 return MEMORY_E;
 }
-
+ dnsEntry->len = strLen;
 XMEMCPY(dnsEntry->name, cur->name, strLen);
 dnsEntry->name[strLen] = '\0';
diff --git a/tests/test-fails.conf b/tests/test-fails.conf
index 32fd0c0e1..e9fda3021 100644
--- a/tests/test-fails.conf
+++ b/tests/test-fails.conf
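Review bot: The `&& len == 0` conjunct is the substantive fix in this hunk and deserves a comment, since a reader otherwise sees only a success test on `*str`. Suggested comment above the `if`: `/* the whole pattern must be consumed: a name with an embedded NUL (e.g. "localhost\0h") stops the loop at p == '\0' with len > 0 and must not match */`. The loop that consumes `len`, including the `*` wildcard branch, starts outside this hunk, so whether wildcard patterns still reach `len == 0` cannot be confirmed here; the new goodcnwild/goodaltwild entries in tests/test.conf are what cover that and should stay.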
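Review bot: `altName->len` replaces the XSTRLEN call here, in `CheckForAltNames` (`@@ -7742`) and in both `ConfirmNameConstraints` hunks of wolfcrypt/src/asn.c, but the only places in this patch where a DNS_entry gets `len` assigned are the e-mail branch of GetName (`emailName->len = adv`) and CopyDecodedToX509. The constructor for DNS-type alternative names (presumably in DecodeAltNames) is not among the hunks shown; if any XMALLOC'd DNS_entry leaves the new field unset, an indeterminate length now reaches MatchDomainName and MatchBaseName where a NUL-terminated strlen used to bound it. Every allocation site of DNS_entry should set `len` alongside `name`, and a comment on the new field in asn.h, `/* byte length of name, excluding the terminator */`, would pin the convention that `name[adv] = '\0'` in GetName implies.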
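Review bot: `dnsEntry->name[strLen] = '\0'` at the end of this hunk now indexes with `cur->len` (taken as `int strLen` in the `@@ -7953` hunk) rather than the XSTRLEN result, and for a name with an embedded NUL the ASN.1 length is larger than the strlen; the XMALLOC of `dnsEntry->name` sits between the two hunks and is not shown, so confirm it still sizes the buffer as `strLen + 1` from the same variable. A one-line comment at the copy, `/* len is the ASN.1 length; name is still NUL-terminated for callers that print it */`, would make the two-length convention explicit.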
@@ -1,30 +1,61 @@ -# server bad certificate alt name +# server bad certificate common name has null +# DG: Have not found a way to properly encode null in common name -v 3 -l ECDHE-RSA-AES128-GCM-SHA256 --k ./certs/test/server-badaltnamenull.key --c ./certs/test/server-badaltnamenull.pem +-k ./certs/server-key.pem +-c ./certs/test/server-badcnnull.pem -d -# client bad certificate alt name +# client bad certificate common name has null -v 3 -l ECDHE-RSA-AES128-GCM-SHA256 -h localhost --A ./certs/test/server-badaltnamenull.pem +-A ./certs/test/server-badcnnull.pem +-m +-x + +# server bad certificate alternate name has null +-v 3 +-l ECDHE-RSA-AES128-GCM-SHA256 +-k ./certs/server-key.pem +-c ./certs/test/server-badaltnull.pem +-d + +# client bad certificate alternate name has null +-v 3 +-l ECDHE-RSA-AES128-GCM-SHA256 +-h localhost +-A ./certs/test/server-badaltnull.pem -m -x # server nomatch common name -v 3 -l ECDHE-RSA-AES128-GCM-SHA256 --k ./certs/test/server-nomatch.key --c ./certs/test/server-nomatch.pem +-k ./certs/server-key.pem +-c ./certs/test/server-badcn.pem -d # client nomatch common name -v 3 -l ECDHE-RSA-AES128-GCM-SHA256 -h localhost --A ./certs/test/server-nomatch.pem +-A ./certs/test/server-badcn.pem +-m +-x + +# server nomatch alternate name +-v 3 +-l ECDHE-RSA-AES128-GCM-SHA256 +-k ./certs/server-key.pem +-c ./certs/test/server-badaltname.pem +-d + +# client nomatch alternate name +-v 3 +-l ECDHE-RSA-AES128-GCM-SHA256 +-h localhost +-A ./certs/test/server-badaltname.pem -m -x diff --git a/tests/test.conf b/tests/test.conf index 18cb942e5..fdc2b7f5f 100644 --- a/tests/test.conf +++ b/tests/test.conf 
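Review bot: The `# DG: Have not found a way to properly encode null in common name` comment leaves unclear what the `server-badcnnull.pem` pair actually exercises; if the NUL could not be encoded, the handshake presumably fails on an ordinary CN mismatch rather than on the embedded-NUL path the `len == 0` fix targets, and the comment should say so, e.g. `# NOTE: until a real embedded NUL can be encoded this only verifies a CN mismatch; NUL handling is covered by the badaltnull cases`. Otherwise a later regression in the embedded-NUL handling would stay green in this block.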
@@ -2246,3 +2246,31 @@ -D certs/dh3072.pem -c certs/client-cert-3072.pem -k certs/client-key-3072.pem + +# server good certificate common name wild +-v 3 +-l ECDHE-RSA-AES128-GCM-SHA256 +-k ./certs/server-key.pem +-c ./certs/test/server-goodcnwild.pem +-d + +# client good certificate common name wild +-v 3 +-l ECDHE-RSA-AES128-GCM-SHA256 +-h localhost +-A ./certs/test/server-goodcnwild.pem +-m + +# server good certificate alt name wild +-v 3 +-l ECDHE-RSA-AES128-GCM-SHA256 +-k ./certs/server-key.pem +-c ./certs/test/server-goodaltwild.pem +-d + +# client good certificate alt name wild +-v 3 +-l ECDHE-RSA-AES128-GCM-SHA256 +-h localhost +-A ./certs/test/server-goodaltwild.pem +-m diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index b8eb7b864..500296088 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -4203,9 +4203,10 @@ static int GetName(DecodedCert* cert, int nameType) XFREE(emailName, cert->heap, DYNAMIC_TYPE_ALTNAME); return MEMORY_E; } + emailName->len = adv; XMEMCPY(emailName->name, &cert->source[cert->srcIdx], adv); - emailName->name[adv] = 0; + emailName->name[adv] = '\0'; emailName->next = cert->altEmailNames; cert->altEmailNames = emailName; @@ -5547,7 +5548,7 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert) DNS_entry* name = cert->altNames; while (name != NULL) { if (MatchBaseName(ASN_DNS_TYPE, - name->name, (int)XSTRLEN(name->name), + name->name, name->len, base->name, base->nameSz)) { return 0; } @@ -5560,7 +5561,7 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert) DNS_entry* name = cert->altEmailNames; while (name != NULL) { if (MatchBaseName(ASN_RFC822_TYPE, - name->name, (int)XSTRLEN(name->name), + name->name, name->len, base->name, base->nameSz)) { return 0; } 
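Review bot: The new `server-goodcnwild` and `server-goodaltwild` cases pin a partial-label wildcard (`*localhost` accepted for `-h localhost`), which is the form RFC 6125 §6.4.3 advises against, since a wildcard that is not anchored at a label boundary presumably also accepts other names ending in `localhost`. If that permissiveness is intended, a comment above the two blocks should say so, e.g. `# NOTE: exercises a wildcard inside a label; *.example.com is the RFC 6125 form`; if not, the fixtures should use a left-most-label wildcard instead. MatchDomainName's wildcard loop is outside the visible hunks, so this is inferred from the test inputs.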
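Review bot: Passing `name->len` to MatchBaseName changes what the name-constraint check sees for a SAN with an embedded NUL: the bytes after the NUL now belong to the compared name, so a suffix-style base could be satisfied by the tail after the NUL where the old `XSTRLEN` length could not; the same applies to the hunks at 5560, 5604 and 5619. MatchDomainName now rejects such names at hostname verification, but the constraint check and other consumers of `altNames` do not get that protection, so it would be safer to reject embedded NULs once at decode time, in the DecodeAltNames hunks where `strLen` is known, e.g. `if (XSTRLEN(dnsEntry->name) != (size_t)strLen) return ASN_PARSE_E;` after the terminating `'\0'` is written (releasing the entry first). MatchBaseName itself is outside the diff, so how it treats the extra bytes should be confirmed before relying on this.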
@@ -5604,7 +5605,7 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert) while (name != NULL) { matchDns = MatchBaseName(ASN_DNS_TYPE, - name->name, (int)XSTRLEN(name->name), + name->name, name->len, base->name, base->nameSz); name = name->next; } @@ -5619,7 +5620,7 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert) while (name != NULL) { matchEmail = MatchBaseName(ASN_DNS_TYPE, - name->name, (int)XSTRLEN(name->name), + name->name, name->len, base->name, base->nameSz); name = name->next; } @@ -5700,7 +5701,7 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert) XFREE(dnsEntry, cert->heap, DYNAMIC_TYPE_ALTNAME); return MEMORY_E; } - + dnsEntry->len = strLen; XMEMCPY(dnsEntry->name, &input[idx], strLen); dnsEntry->name[strLen] = '\0'; @@ -5737,7 +5738,7 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert) XFREE(emailEntry, cert->heap, DYNAMIC_TYPE_ALTNAME); return MEMORY_E; } - + emailEntry->len = strLen; XMEMCPY(emailEntry->name, &input[idx], strLen); emailEntry->name[strLen] = '\0'; @@ -5808,7 +5809,7 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert) XFREE(uriEntry, cert->heap, DYNAMIC_TYPE_ALTNAME); return MEMORY_E; } - + uriEntry->len = strLen; XMEMCPY(uriEntry->name, &input[idx], strLen); uriEntry->name[strLen] = '\0'; diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 35b372355..039ee34fa 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -439,6 +439,7 @@ typedef struct DNS_entry DNS_entry; struct DNS_entry { DNS_entry* next; /* next on DNS list */ int type; /* i.e. ASN_DNS_TYPE */ + int len; /* actual DNS len */ char* name; /* actual DNS name */ };
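Review bot: The loop at 5619 assigns `matchEmail` but calls MatchBaseName with `ASN_DNS_TYPE`, whereas the corresponding email loop in the hunk at 5560 passes `ASN_RFC822_TYPE`; if this loop walks `cert->altEmailNames` (its head is outside the hunk), the type looks inconsistent and the `@`-aware email matching would be skipped for permitted subtrees. This predates the commit, but the line is being touched, so it is worth confirming and either changing the first argument to `ASN_RFC822_TYPE` or adding `/* intentionally ASN_DNS_TYPE: ... */` with the reason.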
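Review bot: The comment `/* actual DNS len */` on the new `len` field does not say how it relates to `name`, which is the point of adding it: it is the ASN.1 encoded length, it differs from `XSTRLEN(name)` when the encoded value contains a NUL byte, and every producer in this diff still writes `name[len] = '\0'`; the field is also set for email and URI entries, so "DNS" is a misnomer. Suggest `int len; /* ASN.1 length of name (DNS, email or URI); may differ from XSTRLEN(name) if an embedded NUL is present; name[len] is always '\0' */` so callers know to prefer `len` over the string length.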