Blob Blame History Raw
use strict;
use warnings;
use Test::More;
use IO::Socket::SSL;
use IO::Socket::SSL::Utils;

my @tests = tests();
plan tests => 0+@tests;

my ($ca,$key) = CERT_create( CA => 1);
for my $test (@tests) {
    SKIP: {
	my ($expect_match,$hostname,$cn,$san_dns,$san_ip) = @$test;
	my (@san,$ip6);
	push @san, map { [ "DNS", $_ ] } $san_dns =~m{([^,\s]+)}g if $san_dns;
	for( ($san_ip||'') =~m{([^,\s]+)}g ) {
	    if ( my @h = m{^x(.{4})(.{4})(.{4})(.{4})(.{4})(.{4})(.{4})(.{4})$}) {
		$_ = join(':',@h);
		$ip6 = 1;
	    push @san, [ "IP", $_ ];
	my $idn = $hostname =~m{[^a-zA-Z0-9_.\-]};

	my $diag = "$hostname: cn=$cn san=".
	    join(",", map { "$_->[0]:$_->[1]" } @san);
	$diag =~s{([\\\x00-\x1f\x7f-\xff])}{ sprintf("\\x%02x",ord($1)) }esg;

	if ($ip6 && !IO::Socket::SSL->can_ipv6) {
	    skip "no IPv6 support - $diag",1;
	if ($idn && ! eval { IO::Socket::SSL::idn_to_ascii("fo") }) {
	    skip "no IDNA library installed - $diag",1

	my %cert = (
	    subject => length($cn) ? { CN => $cn }:{},
	    @san ? ( subjectAltNames => \@san ):(),
	    issuer_cert => $ca,
	    issuer_key => $key,
	    key => $key
	my $cert;
	eval { ($cert) = CERT_create(%cert) };
	if ($@) {
	    skip "failed to create cert: $diag\n$@",1

	my $match = IO::Socket::SSL::verify_hostname_of_cert($hostname,$cert,'www')||0;
	if ( $match == $expect_match ) {
	} else {
	    fail("$match != $expect_match |$diag");
	    #warn PEM_cert2string($cert);


# based on 
# 16.5.2014
# format: [ expect_match, hostname, CN, san_dns, san_ip ]

sub tests {(
    [ 1, '', '' ],
    [ 1, 'f', 'f' ],
    [ 0, 'h', 'i' ],
    [ 1, '', '*' ],
    [ 1, '', '', '*,*,*,*' ],
    [ 1, '',  '', ',*.*,*,*.test.FR,www' ],
    [ 0, '', '.uk' ],
    [ 0, '', '?' ],
    [ 0, '', '(www|ftp)' ],
    [ 0, '', "\0" ], 

# CERT_create just strips everything after \0 so we get not the expected
# certificate and thus cannot run this test
#   [ 0, '', '', "\0*,\0,\0" ],

    [ 0, '', '' ],
    [ 0, '', '', ',*,*.org' ],
    [ 0, '', 'w*' ],
    [ 0, '', 'ww*' ],
    [ 0, '', 'ww*' ],
    [ 1, '', 'w*' ],
    [ 0, '', 'w*' ],
    [ 1, '', 'wa*' ],
    [ 1, '', '*' ],

# disabled test: we don't accept URL encoded hostnames
#   [ 1, '', '', '' ],

# disabled test: & is not allowed in hostname - and CN should not
# allow URL encoding
#   [ 1, 'www&', '' ],

    # Common name must not be used if subject alternative name was provided.
    [ 0, '',  '', '*,*.jp,,www.*' ],
    [ 0, '', '', '*,*.*,*.*,*,' ],

# I think they got this test wrong
# common name should not be checked only if SAN contains DNS names
# so in this case common name should be checked -> match
# corrected test therefore
#   [ 0, '', '', '', '' ],
    [ 1, '', '', '', '' ],

    [ 0, '', '', '' ],

    # IDN tests
    [ 1, '', '' ],
    [ 1, '', '*' ],
    [ 0, '', '', '*,xn--poema-*,xn--*,*' ],

# There should be no * certificates and public suffix catches this.
# So this example is bad and we change it to
#   [ 1, '', '*' ],
    [ 1, '', '*' ],

    # The following are adapted from the  examples quoted from
    #  (e.g., * would match but
    #   not or
    [ 1, '', '*' ],
    [ 0, '', '*' ],
    [ 0, '', '*' ],
    #   (e.g., baz* and * and b* would
    #   be taken to match and and
    #, respectively)
    [ 1, '', 'baz*' ],
    [ 1, '', '*' ],
    [ 1, '', 'b*' ],
    # Wildcards should not be valid unless there are at least three name
    # components.

# There should be no * certificates and public suffix catches this.
# So change example to * instead
#   [ 1,  '', '*' ],
    [ 1,  '', '*' ],
    [ 0, '', '*.com' ],
    [ 0, '', '*.us' ],
    [ 0, 'foo', '*' ],
    # Multiple wildcards are not valid.
    [ 0, '', '*.*.com' ],
    [ 0, '', '*.bar.*.com' ],
    # Absolute vs relative DNS name tests. Although not explicitly specified
    # in RFC 6125, absolute reference names (those ending in a .) should
    # match either absolute or relative presented names.
    [ 1, '', '' ],
    [ 1, '', '' ],
    [ 1, '', '' ],
    [ 1, 'f', 'f.' ],
    [ 1, 'f.', 'f' ],
    [ 1, 'f.', 'f.' ],
    [ 1, '', '*' ],
    [ 1, '', '*' ],
    [ 1, '', '*' ],
    [ 0, '.', '.' ],
    [ 0, '', '*.com.' ],
    [ 0, '', '*.com' ],
    [ 0, '', '*.com.' ],
    [ 0, 'foo.', '*.' ],
    # IP addresses in common name; IPv4 only.
    [ 1, '', '' ],
    [ 1, '', '' ],

# we expect proper IP and not this junk, so we will not allow these
#   [ 1,  '676768', '' ],
#   [ 1,  '1.2.3', '' ],
    [ 0, '', '' ],
    [ 0, '', '' ],
    [ 0, 'FEDC:ba98:7654:3210:FEDC:BA98:7654:3210', 'FEDC:BA98:7654:3210:FEDC:ba98:7654:3210' ],
    [ 0, '1111:2222:3333:4444:5555:6666:7777:8888', '1111:2222:3333:4444:5555:6666:7777:8888' ],
    [ 0, '::', '[::]' ],
    # No wildcard matching in valid IP addresses
    [ 0, '::', '*.9.5.5' ],
    [ 0, '2010:836B:4179::836B:4179', '*:836B:4179::836B:4179' ],
    [ 0, '', '*.168.1.11' ],
    [ 0, 'FEDC:BA98:7654:3210:FEDC:BA98:7654:3210', '*.]' ],
    # IP addresses in subject alternative name (common name ignored)
    [ 1, '', '', '', '' ],
# we expect proper IP and not this junk, so we will not allow this
#   [ 1,  '14.15', '', '', '' ],

# according to RFC2818 common name should be checked if no DNS entries in SAN
# so this must match if we match IP in common name -> changed expected result
#   [ 0, '', '', '', ',' ],
    [ 1, '', '', '', ',' ],

    [ 0, '', '', 'foo' ],
    [ 1, '::', '', '', 'x00000000000000000000000004050607' ],
    [ 0, '::', '::', '::', 'x00000000000000000000000006070808,x0000000000000000000000000607080a,xff000000000000000000000006070809,' ],
    [ 1, 'FE80::200:f8ff:fe21:67cf', '', '', 'x00000000000000000000000006070808,xfe800000000000000200f8fffe2167cf,xff0000000000000000000000060708ff,' ],
    # Numeric only hostnames (none of these are considered valid IP addresses).
    [ 0,  '12345.6', '12345.6' ],
    [ 0, '', '', '1*,*,1*.2.3.512,*.2.3.512', ''],
    [ 0, '', '*.' ],

# IP address should not be matched against SAN DNS entry -> skip test
#   [ 1, '', '', '' ],

    # Invalid host names.

# this cert cannot be created currently
#   [ 0, "junk)(£)\$*!\@~\0", "junk)(£)\$*!\@~\0" ],

    [ 0, 'www.*.com', 'www.*.com' ],
    [ 0, 'w$', 'w$' ],
    [ 0, 'nocolonallowed:example', '', 'nocolonallowed:example' ],
    [ 0, 'www-1.[::FFFF:]', '*.[::FFFF:]' ],
    [ 0, '[::]', '', '', 'x00000000000000000000000004050609' ],