upstream/oracle/userland-gate: components/ruby/ruby-18/patches/12-ssl-internal

4528 30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	1	# Fix based on upstream fix to Ruby 2.2.x
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	2	# https://github.com/ruby/openssl/commit/e9a7bcb8bf2902f907c148a00bbcf21d3fa79596
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	3
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	4	diff -rup ruby-1.8.7-p374-orig/ext/openssl/lib/openssl/ssl-internal.rb ruby-1.8.7-p374/ext/openssl/lib/openssl/ssl-internal.rb
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	5	--- ruby-1.8.7-p374-orig/ext/openssl/lib/openssl/ssl-internal.rb 2013-06-27 04:22:26.000000000 -0700
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	6	+++ ruby-1.8.7-p374/ext/openssl/lib/openssl/ssl-internal.rb 2015-05-22 09:37:15.297155498 -0700
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	7	@@ -96,8 +96,7 @@ module OpenSSL
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	8	case san.tag
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	9	when 2 # dNSName in GeneralName (RFC5280)
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	10	should_verify_common_name = false
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	11	- reg = Regexp.escape(san.value).gsub(/\\\*/, "[^.]+")
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	12	- return true if /\A#{reg}\z/i =~ hostname
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	13	+ return true if verify_hostname(hostname, san.value)
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	14	when 7 # iPAddress in GeneralName (RFC5280)
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	15	should_verify_common_name = false
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	16	# follows GENERAL_NAME_print() in x509v3/v3_alt.c
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	17	@@ -112,8 +111,7 @@ module OpenSSL
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	18	if should_verify_common_name
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	19	cert.subject.to_a.each{\|oid, value\|
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	20	if oid == "CN"
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	21	- reg = Regexp.escape(value).gsub(/\\\*/, "[^.]+")
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	22	- return true if /\A#{reg}\z/i =~ hostname
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	23	+ return true if verify_hostname(hostname, value)
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	24	end
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	25	}
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	26	end
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	27	@@ -121,6 +119,57 @@ module OpenSSL
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	28	end
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	29	module_function :verify_certificate_identity
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	30
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	31	+ def verify_hostname(hostname, san) # :nodoc:
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	32	+ # RFC 5280, IA5String is limited to the set of ASCII characters
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	33	+ return false if san =~ /[\x80-\xff]/
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	34	+ return false if hostname =~ /[\x80-\xff]/
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	35	+
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	36	+ # See RFC 6125, section 6.4.1
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	37	+ # Matching is case-insensitive.
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	38	+ san_parts = san.downcase.split(".")
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	39	+
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	40	+ # TODO: this behavior should probably be more strict
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	41	+ return san == hostname if san_parts.size < 2
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	42	+
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	43	+ # Matching is case-insensitive.
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	44	+ host_parts = hostname.downcase.split(".")
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	45	+
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	46	+ # RFC 6125, section 6.4.3, subitem 2.
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	47	+ # If the wildcard character is the only character of the left-most
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	48	+ # label in the presented identifier, the client SHOULD NOT compare
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	49	+ # against anything but the left-most label of the reference
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	50	+ # identifier (e.g., *.example.com would match foo.example.com but
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	51	+ # not bar.foo.example.com or example.com).
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	52	+ return false unless san_parts.size == host_parts.size
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	53	+
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	54	+ # RFC 6125, section 6.4.3, subitem 1.
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	55	+ # The client SHOULD NOT attempt to match a presented identifier in
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	56	+ # which the wildcard character comprises a label other than the
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	57	+ # left-most label (e.g., do not match bar.*.example.net).
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	58	+ return false unless verify_wildcard(host_parts.shift, san_parts.shift)
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	59	+
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	60	+ san_parts.join(".") == host_parts.join(".")
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	61	+ end
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	62	+ module_function :verify_hostname
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	63	+
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	64	+ def verify_wildcard(domain_component, san_component) # :nodoc:
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	65	+ parts = san_component.split("*", -1)
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	66	+
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	67	+ return false if parts.size > 2
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	68	+ return san_component == domain_component if parts.size == 1
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	69	+
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	70	+ # RFC 6125, section 6.4.3, subitem 3.
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	71	+ # The client SHOULD NOT attempt to match a presented identifier
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	72	+ # where the wildcard character is embedded within an A-label or
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	73	+ # U-label of an internationalized domain name.
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	74	+ return false if domain_component.start_with?("xn--") && san_component != "*"
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	75	+
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	76	+ parts[0].length + parts[1].length < domain_component.length &&
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	77	+ domain_component.start_with?(parts[0]) &&
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	78	+ domain_component.end_with?(parts[1])
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	79	+ end
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	80	+ module_function :verify_wildcard
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	81	+
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	82	class SSLSocket
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	83	include Buffering
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	84	include SocketForwarder
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	85	diff -rup ruby-1.8.7-p374-orig/test/openssl/test_ssl.rb ruby-1.8.7-p374/test/openssl/test_ssl.rb
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	86	--- ruby-1.8.7-p374-orig/test/openssl/test_ssl.rb 2013-06-27 04:56:26.000000000 -0700
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	87	+++ ruby-1.8.7-p374/test/openssl/test_ssl.rb 2015-05-22 09:20:43.087572444 -0700
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	88	@@ -569,6 +569,157 @@ class OpenSSL::TestSSL < Test::Unit::Tes
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	89	assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '13::17'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	90	assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '13:0:0:0:0:0:0:17'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	91	end
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	92	+
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	93	+ def test_verify_hostname
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	94	+ assert_equal(true, OpenSSL::SSL.verify_hostname("www.example.com", "*.example.com"))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	95	+ assert_equal(false, OpenSSL::SSL.verify_hostname("www.subdomain.example.com", "*.example.com"))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	96	+ end
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	97	+
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	98	+ def test_verify_wildcard
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	99	+ assert_equal(false, OpenSSL::SSL.verify_wildcard("foo", "x*"))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	100	+ assert_equal(true, OpenSSL::SSL.verify_wildcard("foo", "foo"))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	101	+ assert_equal(true, OpenSSL::SSL.verify_wildcard("foo", "f*"))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	102	+ assert_equal(true, OpenSSL::SSL.verify_wildcard("foo", "*"))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	103	+ assert_equal(false, OpenSSL::SSL.verify_wildcard("abc*bcd", "abcd"))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	104	+ assert_equal(false, OpenSSL::SSL.verify_wildcard("xn--qdk4b9b", "x*"))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	105	+ assert_equal(false, OpenSSL::SSL.verify_wildcard("xn--qdk4b9b", "*--qdk4b9b"))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	106	+ assert_equal(true, OpenSSL::SSL.verify_wildcard("xn--qdk4b9b", "xn--qdk4b9b"))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	107	+ end
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	108	+
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	109	+ # Comments in this test is excerpted from http://tools.ietf.org/html/rfc6125#page-27
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	110	+ def test_post_connection_check_wildcard_san
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	111	+ # case-insensitive ASCII comparison
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	112	+ # RFC 6125, section 6.4.1
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	113	+ #
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	114	+ # "..matching of the reference identifier against the presented identifier
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	115	+ # is performed by comparing the set of domain name labels using a
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	116	+ # case-insensitive ASCII comparison, as clarified by [DNS-CASE] (e.g.,
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	117	+ # "WWW.Example.Com" would be lower-cased to "www.example.com" for
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	118	+ # comparison purposes)
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	119	+ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	120	+ create_cert_with_san('DNS:*.example.com'), 'www.example.com'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	121	+ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	122	+ create_cert_with_san('DNS:*.Example.COM'), 'www.example.com'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	123	+ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	124	+ create_cert_with_san('DNS:*.example.com'), 'WWW.Example.COM'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	125	+ # 1. The client SHOULD NOT attempt to match a presented identifier in
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	126	+ # which the wildcard character comprises a label other than the
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	127	+ # left-most label (e.g., do not match bar.*.example.net).
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	128	+ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	129	+ create_cert_with_san('DNS:www.*.com'), 'www.example.com'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	130	+ # 2. If the wildcard character is the only character of the left-most
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	131	+ # label in the presented identifier, the client SHOULD NOT compare
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	132	+ # against anything but the left-most label of the reference
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	133	+ # identifier (e.g., *.example.com would match foo.example.com but
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	134	+ # not bar.foo.example.com or example.com).
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	135	+ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	136	+ create_cert_with_san('DNS:*.example.com'), 'foo.example.com'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	137	+ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	138	+ create_cert_with_san('DNS:*.example.com'), 'bar.foo.example.com'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	139	+ # 3. The client MAY match a presented identifier in which the wildcard
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	140	+ # character is not the only character of the label (e.g.,
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	141	+ # baz.example.net and baz.example.net and b*z.example.net would
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	142	+ # be taken to match baz1.example.net and foobaz.example.net and
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	143	+ # buzz.example.net, respectively). ...
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	144	+ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	145	+ create_cert_with_san('DNS:baz*.example.com'), 'baz1.example.com'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	146	+ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	147	+ create_cert_with_san('DNS:*baz.example.com'), 'foobaz.example.com'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	148	+ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	149	+ create_cert_with_san('DNS:b*z.example.com'), 'buzz.example.com'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	150	+ # Section 6.4.3 of RFC6125 states that client should NOT match identifier
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	151	+ # where wildcard is other than left-most label.
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	152	+ #
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	153	+ # Also implicitly mentions the wildcard character only in singular form,
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	154	+ # and discourages matching against more than one wildcard.
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	155	+ #
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	156	+ # See RFC 6125, section 7.2, subitem 2.
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	157	+ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	158	+ create_cert_with_san('DNS:b.example.com'), 'abc.example.com'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	159	+ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	160	+ create_cert_with_san('DNS:b.example.com'), 'ab.example.com'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	161	+ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	162	+ create_cert_with_san('DNS:b.example.com'), 'bc.example.com'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	163	+ # ... However, the client SHOULD NOT
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	164	+ # attempt to match a presented identifier where the wildcard
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	165	+ # character is embedded within an A-label or U-label [IDNA-DEFS] of
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	166	+ # an internationalized domain name [IDNA-PROTO].
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	167	+ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	168	+ create_cert_with_san('DNS:xn*.example.com'), 'xn1ca.example.com'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	169	+ # part of A-label
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	170	+ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	171	+ create_cert_with_san('DNS:xn--*.example.com'), 'xn--1ca.example.com'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	172	+ # part of U-label
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	173	+ # dNSName in RFC5280 is an IA5String so U-label should NOT be allowed
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	174	+ # regardless of wildcard.
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	175	+ #
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	176	+ # See Section 7.2 of RFC 5280:
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	177	+ # IA5String is limited to the set of ASCII characters.
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	178	+ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	179	+ create_cert_with_san('DNS:á*.example.com'), 'á1.example.com'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	180	+ end
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	181	+
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	182	+ def test_post_connection_check_wildcard_cn
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	183	+ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	184	+ create_cert_with_name('*.example.com'), 'www.example.com'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	185	+ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	186	+ create_cert_with_name('*.Example.COM'), 'www.example.com'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	187	+ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	188	+ create_cert_with_name('*.example.com'), 'WWW.Example.COM'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	189	+ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	190	+ create_cert_with_name('www.*.com'), 'www.example.com'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	191	+ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	192	+ create_cert_with_name('*.example.com'), 'foo.example.com'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	193	+ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	194	+ create_cert_with_name('*.example.com'), 'bar.foo.example.com'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	195	+ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	196	+ create_cert_with_name('baz*.example.com'), 'baz1.example.com'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	197	+ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	198	+ create_cert_with_name('*baz.example.com'), 'foobaz.example.com'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	199	+ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	200	+ create_cert_with_name('b*z.example.com'), 'buzz.example.com'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	201	+ # Section 6.4.3 of RFC6125 states that client should NOT match identifier
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	202	+ # where wildcard is other than left-most label.
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	203	+ #
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	204	+ # Also implicitly mentions the wildcard character only in singular form,
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	205	+ # and discourages matching against more than one wildcard.
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	206	+ #
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	207	+ # See RFC 6125, section 7.2, subitem 2.
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	208	+ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	209	+ create_cert_with_name('b.example.com'), 'abc.example.com'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	210	+ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	211	+ create_cert_with_name('b.example.com'), 'ab.example.com'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	212	+ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	213	+ create_cert_with_name('b.example.com'), 'bc.example.com'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	214	+ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	215	+ create_cert_with_name('xn*.example.com'), 'xn1ca.example.com'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	216	+ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	217	+ create_cert_with_name('xn--*.example.com'), 'xn--1ca.example.com'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	218	+ # part of U-label
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	219	+ # Subject in RFC5280 states case-insensitive ASCII comparison.
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	220	+ #
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	221	+ # See Section 7.2 of RFC 5280:
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	222	+ # IA5String is limited to the set of ASCII characters.
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	223	+ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	224	+ create_cert_with_name('á*.example.com'), 'á1.example.com'))
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	225	+ end
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	226	+
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	227	+ def create_cert_with_san(san)
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	228	+ ef = OpenSSL::X509::ExtensionFactory.new
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	229	+ cert = OpenSSL::X509::Certificate.new
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	230	+ cert.subject = OpenSSL::X509::Name.parse("/DC=some/DC=site/CN=Some Site")
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	231	+ ext = ef.create_ext('subjectAltName', san)
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	232	+ cert.add_extension(ext)
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	233	+ cert
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	234	+ end
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	235	+
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	236	+ def create_cert_with_name(name)
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	237	+ cert = OpenSSL::X509::Certificate.new
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	238	+ cert.subject = OpenSSL::X509::Name.new([['DC', 'some'], ['DC', 'site'], ['CN', name]])
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	239	+ cert
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	240	+ end
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	241	+
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	242	+
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	243	end
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	244
30be54ba3f0e 20877842 problem in UTILITY/RUBY April Chin <april.chin@oracle.com> parents: diff changeset	245	end

author	April Chin <april.chin@oracle.com>
	Wed, 17 Jun 2015 14:13:59 -0700
branch	s11u2-sru
changeset 4528	30be54ba3f0e
permissions	-rw-r--r--