public_key: pkix_verify_hostname (RFC 6125)

author: Hans Nilsson <[email protected]> 2016-12-19 18:26:01 +0100
committer: Hans Nilsson <[email protected]> 2017-01-25 16:43:05 +0100
commit: b0c245e8132bb13171e277b1af59c0cec00c9459 (patch)
tree: 4c7ec0b7078b1c2942aee24407c303c079bae1f7 /lib/public_key/test/public_key_SUITE.erl
parent: 941dc6198b0ca34eff7a9b30f986e964cbcccefb (diff)
download: otp-b0c245e8132bb13171e277b1af59c0cec00c9459.tar.gz
otp-b0c245e8132bb13171e277b1af59c0cec00c9459.tar.bz2
otp-b0c245e8132bb13171e277b1af59c0cec00c9459.zip
1 files changed, 111 insertions, 0 deletions
diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl
index cd24819899..615ff32539 100644
--- a/lib/public_key/test/public_key_SUITE.erl
+++ b/lib/public_key/test/public_key_SUITE.erl
@@ -45,6 +45,9 @@ all() ->
      {group, sign_verify},
      pkix, pkix_countryname, pkix_emailaddress, pkix_path_validation,
      pkix_iso_rsa_oid, pkix_iso_dsa_oid, pkix_crl, general_name,
+     pkix_verify_hostname_cn,
+     pkix_verify_hostname_subjAltName,
+     pkix_verify_hostname_options,
      short_cert_issuer_hash, short_crl_issuer_hash,
      ssh_hostkey_fingerprint_md5_implicit,
      ssh_hostkey_fingerprint_md5,
@@ -814,6 +817,114 @@ pkix_path_validation(Config) when is_list(Config) ->
     ok.
 
 %%--------------------------------------------------------------------
+%% To generate the PEM file contents:
+%%
+%% openssl req -x509 -nodes -newkey rsa:1024 -keyout /dev/null -subj '/C=SE/CN=example.com/CN=*.foo.example.com/CN=a*b.bar.example.com/O=erlang.org' > public_key_SUITE_data/pkix_verify_hostname_cn.pem
+%%
+%% Note that the same pem-file is used in pkix_verify_hostname_options/1
+%%
+%% Subject: C=SE, CN=example.com, CN=*.foo.example.com, CN=a*b.bar.example.com, O=erlang.org
+%% extensions = no subjAltName
+
+pkix_verify_hostname_cn(Config) ->
+    DataDir = proplists:get_value(data_dir, Config),
+    {ok,Bin} = file:read_file(filename:join(DataDir,"pkix_verify_hostname_cn.pem")),
+    Cert = public_key:pkix_decode_cert(element(2,hd(public_key:pem_decode(Bin))), otp),
+
+    %% Check that 1) only CNs are checked,
+    %%            2) an empty label does not match a wildcard and
+    %%            3) a wildcard does not match more than one label
+    false = public_key:pkix_verify_hostname(Cert, [{dns_id,"erlang.org"},
+						   {dns_id,"foo.EXAMPLE.com"},
+						   {dns_id,"b.a.foo.EXAMPLE.com"}]),
+
+    %% Check that a hostname is extracted from a https-uri and used for checking:
+    true =  public_key:pkix_verify_hostname(Cert, [{uri_id,"HTTPS://EXAMPLE.com"}]),
+
+    %% Check wildcard matching one label:
+    true =  public_key:pkix_verify_hostname(Cert, [{dns_id,"a.foo.EXAMPLE.com"}]),
+
+    %% Check wildcard with surrounding chars matches one label:
+    true =  public_key:pkix_verify_hostname(Cert, [{dns_id,"accb.bar.EXAMPLE.com"}]),
+
+    %% Check that a wildcard with surrounding chars matches an empty string:
+    true =  public_key:pkix_verify_hostname(Cert, [{uri_id,"https://ab.bar.EXAMPLE.com"}]).
+
+%%--------------------------------------------------------------------
+%% To generate the PEM file contents:
+%%
+%% openssl req -x509 -nodes -newkey rsa:1024 -keyout /dev/null -extensions SAN -config  public_key_SUITE_data/verify_hostname.conf 2>/dev/null > public_key_SUITE_data/pkix_verify_hostname_subjAltName.pem
+%%
+%% Subject: C=SE, CN=example.com
+%% Subject Alternative Name: DNS:kb.example.org, URI:http://www.example.org, URI:https://wws.example.org
+
+pkix_verify_hostname_subjAltName(Config) ->
+    DataDir = proplists:get_value(data_dir, Config),
+    {ok,Bin} = file:read_file(filename:join(DataDir,"pkix_verify_hostname_subjAltName.pem")),
+    Cert = public_key:pkix_decode_cert(element(2,hd(public_key:pem_decode(Bin))), otp),
+
+    %% Check that neither a uri nor dns hostname matches a CN if subjAltName is present:
+    false = public_key:pkix_verify_hostname(Cert, [{uri_id,"https://example.com"},
+						   {dns_id,"example.com"}]),
+
+    %% Check that a uri_id matches a URI subjAltName:
+    true =  public_key:pkix_verify_hostname(Cert, [{uri_id,"https://wws.example.org"}]),
+
+    %% Check that a dns_id does not match a URI subjAltName:
+    false = public_key:pkix_verify_hostname(Cert, [{dns_id,"www.example.org"},
+						   {dns_id,"wws.example.org"}]),
+
+    %% Check that a dns_id matches a DNS subjAltName:
+    true =  public_key:pkix_verify_hostname(Cert, [{dns_id,"kb.example.org"}]).
+
+%%--------------------------------------------------------------------
+%% Uses the pem-file for pkix_verify_hostname_cn
+%% Subject: C=SE, CN=example.com, CN=*.foo.example.com, CN=a*b.bar.example.com, O=erlang.org
+pkix_verify_hostname_options(Config) ->
+    DataDir = proplists:get_value(data_dir, Config),
+    {ok,Bin} = file:read_file(filename:join(DataDir,"pkix_verify_hostname_cn.pem")),
+    Cert = public_key:pkix_decode_cert(element(2,hd(public_key:pem_decode(Bin))), otp),
+    
+    %% Check that the fail_callback is called and is presented the correct certificate:
+    true = public_key:pkix_verify_hostname(Cert, [{dns_id,"erlang.org"}],
+					   [{fail_callback,
+					     fun(#'OTPCertificate'{}=C) when C==Cert -> 
+						     true; % To test the return value matters
+						(#'OTPCertificate'{}=C) -> 
+						     ct:log("~p:~p: Wrong cert:~n~p~nExpect~n~p",
+							    [?MODULE, ?LINE, C, Cert]),
+						     ct:fail("Wrong cert, see log");
+						(C) -> 
+						     ct:log("~p:~p: Bad cert: ~p",[?MODULE,?LINE,C]),
+						     ct:fail("Bad cert, see log")
+					     end}]),
+    
+    %% Check the callback for user-provided match functions:
+    true =  public_key:pkix_verify_hostname(Cert, [{dns_id,"very.wrong.domain"}],
+					    [{match_fun,
+					      fun("very.wrong.domain", {cn,"example.com"}) ->
+						      true;
+						 (_, _) ->
+						      false
+					      end}]),
+    false = public_key:pkix_verify_hostname(Cert, [{dns_id,"not.example.com"}],
+					    [{match_fun, fun(_, _) -> default end}]),
+    true =  public_key:pkix_verify_hostname(Cert, [{dns_id,"example.com"}],
+					    [{match_fun, fun(_, _) -> default end}]),
+
+    %% Check the callback for user-provided fqdn extraction:
+    true =  public_key:pkix_verify_hostname(Cert, [{uri_id,"some://very.wrong.domain"}],
+					    [{fqdn_fun,
+					      fun({uri_id, "some://very.wrong.domain"}) ->
+						      "example.com";
+						 (_) ->
+						      ""
+					      end}]),
+    true =  public_key:pkix_verify_hostname(Cert, [{uri_id,"https://example.com"}],
+					    [{fqdn_fun, fun(_) -> default end}]),
+    false =  public_key:pkix_verify_hostname(Cert, [{uri_id,"some://very.wrong.domain"}]).
+
+%%--------------------------------------------------------------------
 pkix_iso_rsa_oid() ->
  [{doc, "Test workaround for supporting certs that use ISO oids"
    " 1.3.14.3.2.29 instead of PKIX/PKCS oid"}].
author	Hans Nilsson <[email protected]>	2016-12-19 18:26:01 +0100
committer	Hans Nilsson <[email protected]>	2017-01-25 16:43:05 +0100
commit	b0c245e8132bb13171e277b1af59c0cec00c9459 (patch)
tree	4c7ec0b7078b1c2942aee24407c303c079bae1f7 /lib/public_key/test/public_key_SUITE.erl
parent	941dc6198b0ca34eff7a9b30f986e964cbcccefb (diff)
download	otp-b0c245e8132bb13171e277b1af59c0cec00c9459.tar.gz otp-b0c245e8132bb13171e277b1af59c0cec00c9459.tar.bz2 otp-b0c245e8132bb13171e277b1af59c0cec00c9459.zip