From 7d02ac57c576a1aa0331b25a473f085e1b04dfe0 Mon Sep 17 00:00:00 2001 From: Hans Nilsson Date: Thu, 28 Sep 2017 13:19:33 +0200 Subject: public_key: Added IP4 address checks to hostname_verification tests --- lib/public_key/test/public_key_SUITE.erl | 40 ++++++++++++++++++++++ .../pkix_verify_hostname_subjAltName_IP.pem | 13 +++++++ .../public_key_SUITE_data/verify_hostname_ip.conf | 17 +++++++++ 3 files changed, 70 insertions(+) create mode 100644 lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem create mode 100644 lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf (limited to 'lib/public_key/test') diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl index 374fb20375..6741a2e30c 100644 --- a/lib/public_key/test/public_key_SUITE.erl +++ b/lib/public_key/test/public_key_SUITE.erl @@ -47,6 +47,7 @@ all() -> pkix_iso_rsa_oid, pkix_iso_dsa_oid, pkix_crl, general_name, pkix_verify_hostname_cn, pkix_verify_hostname_subjAltName, + pkix_verify_hostname_subjAltName_IP, pkix_verify_hostname_options, pkix_test_data_all_default, pkix_test_data, @@ -984,6 +985,45 @@ pkix_verify_hostname_options(Config) -> [{fqdn_fun, fun(_) -> default end}]), false = public_key:pkix_verify_hostname(Cert, [{uri_id,"some://very.wrong.domain"}]). +%%-------------------------------------------------------------------- +%% To generate the PEM file contents: +%% +%% openssl req -x509 -nodes -newkey rsa:1024 -keyout /dev/null -extensions SAN -config public_key_SUITE_data/verify_hostname_ip.conf 2>/dev/null > public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem +%% +%% Subject: C=SE, CN=example.com +%% Subject Alternative Name: DNS:1.2.3.4, IP=5.6.7.8, URI:https://10.11.12.13 + +pkix_verify_hostname_subjAltName_IP(Config) -> + DataDir = proplists:get_value(data_dir, Config), + {ok,Bin} = file:read_file(filename:join(DataDir,"pkix_verify_hostname_subjAltName_IP.pem")), + Cert = public_key:pkix_decode_cert(element(2,hd(public_key:pem_decode(Bin))), otp), + + %% Print the tests that a matchfun has to handle + catch public_key:pkix_verify_hostname(Cert, [{some_tag,"some.domain"}, + {some_other_tag,[a,b,3,4]}], + [{match_fun, + fun(Ref,Pres) -> + ct:pal("~p:~p:~nRef : ~p~nPres: ~p",[?MODULE,?LINE,Ref,Pres]), + false + end}]), + + false = public_key:pkix_verify_hostname(Cert, [{uri_id,"https://10.11.12.14"}]), + true = public_key:pkix_verify_hostname(Cert, [{uri_id,"https://10.11.12.13"}]), + true = public_key:pkix_verify_hostname(Cert, [{dns_id,"1.2.3.4"}]), + false = public_key:pkix_verify_hostname(Cert, [{dns_id,"5.6.7.8"}]), + true = public_key:pkix_verify_hostname(Cert, [{ip,[5,6,7,8]}], + [{match_fun, + fun({ip,IPref},{iPAddress,IPpres}) -> + ct:pal("~p:~p: IPref=~p, IPpres=~p",[?MODULE,?LINE,IPref,IPpres]), + IPref == IPpres; + (Ref,Pres) -> + ct:pal("~p:~p:~nRef : ~p~nPres: ~p",[?MODULE,?LINE,Ref,Pres]), + default + end}]). + + + + %%-------------------------------------------------------------------- pkix_iso_rsa_oid() -> [{doc, "Test workaround for supporting certs that use ISO oids" diff --git a/lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem b/lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem new file mode 100644 index 0000000000..e83dfdb646 --- /dev/null +++ b/lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB7TCCAVagAwIBAgIJAJftQyvUMLESMA0GCSqGSIb3DQEBCwUAMB8xCzAJBgNV +BAYTAlNFMRAwDgYDVQQDEwc1LjYuNy44MB4XDTE3MDkyODExMTY0MFoXDTE3MTAy +ODExMTY0MFowHzELMAkGA1UEBhMCU0UxEDAOBgNVBAMTBzUuNi43LjgwgZ8wDQYJ +KoZIhvcNAQEBBQADgY0AMIGJAoGBAK1jLhGZcI0D5RzcUBjXuQ1636gaIlArdM4b +woLpJIh2Tk4pCbEv6hOX0KTl8qPs8lCMOIOvQmoZwj0Ia1B5By9xHybJ30pNIoLy +iqOdFwjlqTjhBVR1NjmcwgIRW1f/fqQ0pQznyIo/OwieNYlCwWzIUx1ZBLlwKAfZ +YWozJaLZAgMBAAGjMTAvMC0GA1UdEQQmMCSCBzEuMi4zLjSHBAUGBwiGE2h0dHBz +Oi8vMTAuMTEuMTIuMTMwDQYJKoZIhvcNAQELBQADgYEADapgA5dTBSrQMTAOGI7h +SFpaF1y9EHSnCxofugR2EJNyNyPELFBQ9etIgU8fw67D495OSfy/3X3ngNAFOuds +OENGq0JyBrO+HsgexslKF7LGc0oFlHfuZwyO7MLNFTG9dHG393dqduwGsEAuFh09 +SvMMJh3VTEHu6P+9O8YusdI= +-----END CERTIFICATE----- diff --git a/lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf b/lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf new file mode 100644 index 0000000000..2b905e2c4f --- /dev/null +++ b/lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf @@ -0,0 +1,17 @@ +[req] +prompt = no +distinguished_name = DN + +[DN] +C=SE +CN=example.com +CN=5.6.7.8 + +[SAN] +subjectAltName = @alt_names + +[alt_names] +DNS = 1.2.3.4 +IP = 5.6.7.8 +URI = https://10.11.12.13 + -- cgit v1.2.3 From 28e032d29013203bd32917ee495cc202f0bb6b4e Mon Sep 17 00:00:00 2001 From: Hans Nilsson Date: Thu, 28 Sep 2017 16:46:42 +0200 Subject: public_key: verify ip (both v4 and v6) --- lib/public_key/test/public_key_SUITE.erl | 24 +++++++++------------- .../pkix_verify_hostname_subjAltName_IP.pem | 22 ++++++++++---------- .../public_key_SUITE_data/verify_hostname_ip.conf | 3 ++- 3 files changed, 23 insertions(+), 26 deletions(-) (limited to 'lib/public_key/test') diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl index 6741a2e30c..0077c7908c 100644 --- a/lib/public_key/test/public_key_SUITE.erl +++ b/lib/public_key/test/public_key_SUITE.erl @@ -991,7 +991,7 @@ pkix_verify_hostname_options(Config) -> %% openssl req -x509 -nodes -newkey rsa:1024 -keyout /dev/null -extensions SAN -config public_key_SUITE_data/verify_hostname_ip.conf 2>/dev/null > public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem %% %% Subject: C=SE, CN=example.com -%% Subject Alternative Name: DNS:1.2.3.4, IP=5.6.7.8, URI:https://10.11.12.13 +%% Subject Alternative Name: DNS:1.2.3.4, DNS: abcd:ef::1, IP:5.6.7.8, URI:https://10.11.12.13 pkix_verify_hostname_subjAltName_IP(Config) -> DataDir = proplists:get_value(data_dir, Config), @@ -1000,28 +1000,24 @@ pkix_verify_hostname_subjAltName_IP(Config) -> %% Print the tests that a matchfun has to handle catch public_key:pkix_verify_hostname(Cert, [{some_tag,"some.domain"}, - {some_other_tag,[a,b,3,4]}], + {ip, {5,6,7,8}} + ], [{match_fun, fun(Ref,Pres) -> ct:pal("~p:~p:~nRef : ~p~nPres: ~p",[?MODULE,?LINE,Ref,Pres]), false end}]), - false = public_key:pkix_verify_hostname(Cert, [{uri_id,"https://10.11.12.14"}]), + false = public_key:pkix_verify_hostname(Cert, [{uri_id,"https://1.2.3.4"}]), true = public_key:pkix_verify_hostname(Cert, [{uri_id,"https://10.11.12.13"}]), true = public_key:pkix_verify_hostname(Cert, [{dns_id,"1.2.3.4"}]), + true = public_key:pkix_verify_hostname(Cert, [{dns_id,<<"1.2.3.4">>}]), false = public_key:pkix_verify_hostname(Cert, [{dns_id,"5.6.7.8"}]), - true = public_key:pkix_verify_hostname(Cert, [{ip,[5,6,7,8]}], - [{match_fun, - fun({ip,IPref},{iPAddress,IPpres}) -> - ct:pal("~p:~p: IPref=~p, IPpres=~p",[?MODULE,?LINE,IPref,IPpres]), - IPref == IPpres; - (Ref,Pres) -> - ct:pal("~p:~p:~nRef : ~p~nPres: ~p",[?MODULE,?LINE,Ref,Pres]), - default - end}]). - - + true = public_key:pkix_verify_hostname(Cert, [{ip, "aBcD:ef:0::0:1"}]), + true = public_key:pkix_verify_hostname(Cert, [{ip, {16#abcd,16#ef,0,0,0,0,0,1}}]), + true = public_key:pkix_verify_hostname(Cert, [{ip, "5.6.7.8"}]), + true = public_key:pkix_verify_hostname(Cert, [{ip, <<"5.6.7.8">>}]), + true = public_key:pkix_verify_hostname(Cert, [{ip, {5,6,7,8}}]). %%-------------------------------------------------------------------- diff --git a/lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem b/lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem index e83dfdb646..f9ffb257b5 100644 --- a/lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem +++ b/lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem @@ -1,13 +1,13 @@ -----BEGIN CERTIFICATE----- -MIIB7TCCAVagAwIBAgIJAJftQyvUMLESMA0GCSqGSIb3DQEBCwUAMB8xCzAJBgNV -BAYTAlNFMRAwDgYDVQQDEwc1LjYuNy44MB4XDTE3MDkyODExMTY0MFoXDTE3MTAy -ODExMTY0MFowHzELMAkGA1UEBhMCU0UxEDAOBgNVBAMTBzUuNi43LjgwgZ8wDQYJ -KoZIhvcNAQEBBQADgY0AMIGJAoGBAK1jLhGZcI0D5RzcUBjXuQ1636gaIlArdM4b -woLpJIh2Tk4pCbEv6hOX0KTl8qPs8lCMOIOvQmoZwj0Ia1B5By9xHybJ30pNIoLy -iqOdFwjlqTjhBVR1NjmcwgIRW1f/fqQ0pQznyIo/OwieNYlCwWzIUx1ZBLlwKAfZ -YWozJaLZAgMBAAGjMTAvMC0GA1UdEQQmMCSCBzEuMi4zLjSHBAUGBwiGE2h0dHBz -Oi8vMTAuMTEuMTIuMTMwDQYJKoZIhvcNAQELBQADgYEADapgA5dTBSrQMTAOGI7h -SFpaF1y9EHSnCxofugR2EJNyNyPELFBQ9etIgU8fw67D495OSfy/3X3ngNAFOuds -OENGq0JyBrO+HsgexslKF7LGc0oFlHfuZwyO7MLNFTG9dHG393dqduwGsEAuFh09 -SvMMJh3VTEHu6P+9O8YusdI= +MIIB/zCCAWigAwIBAgIJAMoSejmTjwAGMA0GCSqGSIb3DQEBCwUAMB8xCzAJBgNV +BAYTAlNFMRAwDgYDVQQDEwc1LjYuNy44MB4XDTE3MDkyODE0MDAxNVoXDTE3MTAy +ODE0MDAxNVowHzELMAkGA1UEBhMCU0UxEDAOBgNVBAMTBzUuNi43LjgwgZ8wDQYJ +KoZIhvcNAQEBBQADgY0AMIGJAoGBAMUPU89KwVbTCDkyxQSz3wprMbZTLe35K6jm +Q7oY1rJyVXjsFHwZrFqqNMScEyX40rJhczQ2Z9etEX6qYLbdb/DZeFcKo14fR583 +QMFZC+qqpLWHdvjaQN0KwD99VFeZIGpRgywG8SR+BXZjDHUkGsMrikAEJtf0Tgih +IPyiFtiJAgMBAAGjQzBBMD8GA1UdEQQ4MDaCBzEuMi4zLjSHBAUGBwiHEKvNAO8A +AAAAAAAAAAAAAAGGE2h0dHBzOi8vMTAuMTEuMTIuMTMwDQYJKoZIhvcNAQELBQAD +gYEAtWVeQaRFZ0kH/pzSWMSsOCUrjbwlWRwDNbagNKoM6nCRv0QQ59fG6XrVZwR3 +c0s5arlMh3U2+bjKE+Iq9+b/lN1lGzf8iaAqBNa7KptwTSUEY3TiNG5X0zlSXKTI +3z7AaUEtghL9ImCPj5V3tVksqWd7U0zLmeeLZnM+wGAL9Hc= -----END CERTIFICATE----- diff --git a/lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf b/lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf index 2b905e2c4f..0a738f2586 100644 --- a/lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf +++ b/lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf @@ -12,6 +12,7 @@ subjectAltName = @alt_names [alt_names] DNS = 1.2.3.4 -IP = 5.6.7.8 +IP.1 = 5.6.7.8 +IP.2 = abcd:ef::1 URI = https://10.11.12.13 -- cgit v1.2.3