From e9b0dbb4a95dbc8e328f08d6df6654dcbe13db09 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Wed, 22 Mar 2017 14:49:22 +0100
Subject: ssl: Add hostname check of server certificate

When the server_name_indication is sent automatize the
clients check of that the hostname is present in the
servers certificate. Currently server_name_indication shall
be on the dns_id format. If server_name_indication is disabled
it is up to the user to do its own check in the verify_fun.
---
 lib/ssl/test/make_certs.erl      | 12 +++++++-----
 lib/ssl/test/ssl_basic_SUITE.erl |  4 ++--
 lib/ssl/test/ssl_test_lib.erl    |  4 ++--
 lib/ssl/test/x509_test.erl       | 25 +++++++++++++++++--------
 4 files changed, 28 insertions(+), 17 deletions(-)

(limited to 'lib/ssl/test')

diff --git a/lib/ssl/test/make_certs.erl b/lib/ssl/test/make_certs.erl
index e14f7f60c4..74505169a0 100644
--- a/lib/ssl/test/make_certs.erl
+++ b/lib/ssl/test/make_certs.erl
@@ -385,6 +385,7 @@ req_cnf(Root, C) ->
      "subjectAltName	= email:copy\n"].
 
 ca_cnf(Root, C = #config{issuing_distribution_point = true}) ->
+    Hostname = net_adm:localhost(),		    
     ["# Purpose: Configuration for CAs.\n"
      "\n"
      "ROOTDIR	       = " ++ Root ++ "\n"
@@ -434,7 +435,7 @@ ca_cnf(Root, C = #config{issuing_distribution_point = true}) ->
      "keyUsage 		= nonRepudiation, digitalSignature, keyEncipherment\n"
      "subjectKeyIdentifier = hash\n"
      "authorityKeyIdentifier = keyid,issuer:always\n"
-     "subjectAltName	= email:copy\n"
+     "subjectAltName	= DNS.1:" ++ Hostname ++ "\n"
      "issuerAltName	= issuer:copy\n"
      "crlDistributionPoints=@crl_section\n"
 
@@ -449,7 +450,7 @@ ca_cnf(Root, C = #config{issuing_distribution_point = true}) ->
      "keyUsage 		= digitalSignature\n"
      "subjectKeyIdentifier = hash\n"
      "authorityKeyIdentifier = keyid,issuer:always\n"
-     "subjectAltName	= email:copy\n"
+     "subjectAltName	= DNS.1:" ++ Hostname ++ "\n"
      "issuerAltName	= issuer:copy\n"
      "\n"
 
@@ -458,12 +459,13 @@ ca_cnf(Root, C = #config{issuing_distribution_point = true}) ->
      "keyUsage 		= cRLSign, keyCertSign\n"
      "subjectKeyIdentifier = hash\n"
      "authorityKeyIdentifier = keyid:always,issuer:always\n"
-     "subjectAltName	= email:copy\n"
+     "subjectAltName	= DNS.1:" ++ Hostname ++ "\n"
      "issuerAltName	= issuer:copy\n"
      "crlDistributionPoints=@crl_section\n"
     ];
 
 ca_cnf(Root, C = #config{issuing_distribution_point = false}) ->
+  Hostname = net_adm:localhost(),	     
     ["# Purpose: Configuration for CAs.\n"
      "\n"
      "ROOTDIR	          = " ++ Root ++ "\n"
@@ -513,7 +515,7 @@ ca_cnf(Root, C = #config{issuing_distribution_point = false}) ->
      "keyUsage 		= nonRepudiation, digitalSignature, keyEncipherment\n"
      "subjectKeyIdentifier = hash\n"
      "authorityKeyIdentifier = keyid,issuer:always\n"
-     "subjectAltName	= email:copy\n"
+     "subjectAltName	= DNS.1:" ++ Hostname ++ "\n"
      "issuerAltName	= issuer:copy\n"
      %"crlDistributionPoints=@crl_section\n"
 
@@ -528,7 +530,7 @@ ca_cnf(Root, C = #config{issuing_distribution_point = false}) ->
      "keyUsage 		= digitalSignature\n"
      "subjectKeyIdentifier = hash\n"
      "authorityKeyIdentifier = keyid,issuer:always\n"
-     "subjectAltName	= email:copy\n"
+     "subjectAltName	= DNS.1:" ++ Hostname ++ "\n"
      "issuerAltName	= issuer:copy\n"
      "\n"
 
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index 018110514c..58870a3419 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -2880,10 +2880,10 @@ der_input(Config) when is_list(Config) ->
 
     Size = ets:info(CADb, size),
 
-    SeverVerifyOpts = ssl_test_lib:ssl_options(server_verification_opts, Config),
+    SeverVerifyOpts = ssl_test_lib:ssl_options(server_opts, Config),
     {ServerCert, ServerKey, ServerCaCerts, DHParams} = der_input_opts([{dhfile, DHParamFile} |
 								       SeverVerifyOpts]),
-    ClientVerifyOpts = ssl_test_lib:ssl_options(client_verification_opts, Config),
+    ClientVerifyOpts = ssl_test_lib:ssl_options(client_opts, Config),
     {ClientCert, ClientKey, ClientCaCerts, DHParams} = der_input_opts([{dhfile, DHParamFile} |
 								       ClientVerifyOpts]),
     ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true},
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index f44d1d5523..be9849b9e6 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -34,13 +34,13 @@
 run_where(_) ->
     ClientNode = node(),
     ServerNode = node(),
-    {ok, Host} = rpc:call(ServerNode, inet, gethostname, []),
+    Host = rpc:call(ServerNode, net_adm, localhost, []),
     {ClientNode, ServerNode, Host}.
 
 run_where(_, ipv6) ->
     ClientNode = node(),
     ServerNode = node(),
-    {ok, Host} = rpc:call(ServerNode, inet, gethostname, []),
+    Host = rpc:call(ServerNode, net_adm, localhost, []),
     {ClientNode, ServerNode, Host}.
 
 node_to_hostip(Node) ->
diff --git a/lib/ssl/test/x509_test.erl b/lib/ssl/test/x509_test.erl
index c36e96013b..4da1537ef6 100644
--- a/lib/ssl/test/x509_test.erl
+++ b/lib/ssl/test/x509_test.erl
@@ -105,7 +105,7 @@ root_cert(Role, PrivKey, Opts) ->
                 validity = validity(Opts),  
                 subject = Issuer,
                 subjectPublicKeyInfo = public_key(PrivKey),
-                extensions = extensions(ca, Opts)
+                extensions = extensions(Role, ca, Opts)
                },
      public_key:pkix_sign(OTPTBS, PrivKey).
 
@@ -175,22 +175,27 @@ validity(Opts) ->
     #'Validity'{notBefore={generalTime, Format(DefFrom)},
 		notAfter ={generalTime, Format(DefTo)}}.
 
-extensions(Type, Opts) ->
+extensions(Role, Type, Opts) ->
     Exts  = proplists:get_value(extensions, Opts, []),
-    lists:flatten([extension(Ext) || Ext <- default_extensions(Type, Exts)]).
+    lists:flatten([extension(Ext) || Ext <- default_extensions(Role, Type, Exts)]).
 
 %% Common extension: name_constraints, policy_constraints, ext_key_usage, inhibit_any, 
 %% auth_key_id, subject_key_id, policy_mapping,
 
-default_extensions(ca, Exts) ->
+default_extensions(_, ca, Exts) ->
     Def = [{key_usage,  [keyCertSign, cRLSign]}, 
 	   {basic_constraints, default}],
     add_default_extensions(Def, Exts);
 
-default_extensions(peer, Exts) ->
-    Def = [{key_usage, [digitalSignature, keyAgreement]}],
-    add_default_extensions(Def, Exts).
+default_extensions(server, peer, Exts) ->
+    Hostname = net_adm:localhost(),
+    Def = [{key_usage, [digitalSignature, keyAgreement]},
+           {subject_alt, Hostname}],
+    add_default_extensions(Def, Exts);
     
+default_extensions(_, peer, Exts) ->
+    Exts.
+
 add_default_extensions(Def, Exts) ->
     Filter = fun({Key, _}, D) -> 
                      lists:keydelete(Key, 1, D); 
@@ -228,6 +233,10 @@ extension({key_usage, Value}) ->
     #'Extension'{extnID = ?'id-ce-keyUsage',
                  extnValue = Value,
                  critical = false};
+extension({subject_alt, Hostname}) ->
+    #'Extension'{extnID = ?'id-ce-subjectAltName',
+                 extnValue = [{dNSName, Hostname}],
+                 critical = false};
 extension({Id, Data, Critical}) ->
     #'Extension'{extnID = Id, extnValue = Data, critical = Critical}.
 
@@ -309,7 +318,7 @@ cert(Role, #'OTPCertificate'{tbsCertificate = #'OTPTBSCertificate'{subject = Iss
                validity = validity(CertOpts),  
                subject = subject(Contact, atom_to_list(Role) ++ Name),
                subjectPublicKeyInfo = public_key(Key),
-               extensions = extensions(Type, 
+               extensions = extensions(Role, Type, 
                                        add_default_extensions([{auth_key_id, {auth_key_oid(Role), Issuer, SNr}}],
                                                               CertOpts))
               },
-- 
cgit v1.2.3