[thirdparty/openssl.git] / crypto / x509v3 / v3nametest.c

#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <string.h>

static const char *const names[] =
	{
	"a", "b", ".", "*", "@",
	".a", "a.", ".b", "b.", ".*", "*.", "*@", "@*", "a@", "@a", "b@", "..",
	"@@", "**",
	"*.com", "*com", "*.*.com", "*com", "com*", "*example.com",
	"*@example.com", "test@*.example.com",
	"example.com", "www.example.com", "test.www.example.com",
	"*.example.com", "*.www.example.com", "test.*.example.com", "www.*.com",
	"example.net", "xn--rger-koa.example.com",
	"a.example.com", "b.example.com",
	"postmaster@example.com", "Postmaster@example.com",
	"postmaster@EXAMPLE.COM",
	NULL
	};

static const char *const exceptions[] =
	{
	"set CN: host: [*.example.com] does not match [*.example.com]",
	"set CN: host: [*.example.com] matches [a.example.com]",
	"set CN: host: [*.example.com] matches [b.example.com]",
	"set CN: host: [*.example.com] matches [www.example.com]",
	"set CN: host: [test.*.example.com] does not match [test.*.example.com]",
	"set CN: host: [test.*.example.com] matches [test.www.example.com]",
	"set CN: host: [*.www.example.com] does not match [*.www.example.com]",
	"set CN: host: [*.www.example.com] matches [test.www.example.com]",
	"set emailAddress: email: [postmaster@example.com] does not match [Postmaster@example.com]",
	"set emailAddress: email: [postmaster@EXAMPLE.COM] does not match [Postmaster@example.com]",
	"set emailAddress: email: [Postmaster@example.com] does not match [postmaster@example.com]",
	"set emailAddress: email: [Postmaster@example.com] does not match [postmaster@EXAMPLE.COM]",
	"set dnsName: host: [*.example.com] matches [www.example.com]",
	"set dnsName: host: [*.example.com] does not match [*.example.com]",
	"set dnsName: host: [*.example.com] matches [a.example.com]",
	"set dnsName: host: [*.example.com] matches [b.example.com]",
	"set dnsName: host: [*.www.example.com] matches [test.www.example.com]",
	"set dnsName: host: [*.www.example.com] does not match [*.www.example.com]",
	"set dnsName: host: [test.*.example.com] matches [test.www.example.com]",
	"set dnsName: host: [test.*.example.com] does not match [test.*.example.com]",
	"set rfc822Name: email: [postmaster@example.com] does not match [Postmaster@example.com]",
	"set rfc822Name: email: [Postmaster@example.com] does not match [postmaster@example.com]",
	"set rfc822Name: email: [Postmaster@example.com] does not match [postmaster@EXAMPLE.COM]",
	"set rfc822Name: email: [postmaster@EXAMPLE.COM] does not match [Postmaster@example.com]",
	NULL
	};

static int is_exception(const char *msg)
	{
	const char *const *p;
	for (p = exceptions; *p; ++p)
		if (strcmp(msg, *p) == 0)
			return 1;
	return 0;
	}

static int set_cn(X509 *crt, ...)
	{
	int ret = 0;
	X509_NAME *n = NULL;
	va_list ap;
	va_start(ap, crt);
	n = X509_NAME_new();
	if (n == NULL)
		goto out;
	while (1) {
		int nid;
		const char *name;
		nid = va_arg(ap, int);
		if (nid == 0)
			break;
		name = va_arg(ap, const char *);
		if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_ASC,
							(unsigned char *)name,
						-1, -1, 1))
			goto out;
	}
	if (!X509_set_subject_name(crt, n))
		goto out;
	ret = 1;
 out:
	X509_NAME_free(n);
	va_end(ap);
	return ret;
	}

/*
int		X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);
X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex,
			int nid, int crit, ASN1_OCTET_STRING *data);
int		X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);
*/

static int set_altname(X509 *crt, ...)
	{
	int ret = 0;
	GENERAL_NAMES *gens = NULL;
	GENERAL_NAME *gen = NULL;
	ASN1_IA5STRING *ia5 = NULL;
	va_list ap;
	va_start(ap, crt);
	gens = sk_GENERAL_NAME_new_null();
	if (gens == NULL)
		goto out;
	while (1) {
		int type;
		const char *name;
		type = va_arg(ap, int);
		if (type == 0)
			break;
		name = va_arg(ap, const char *);

		gen = GENERAL_NAME_new();
		if (gen == NULL)
			goto out;
		ia5 = ASN1_IA5STRING_new();
		if (ia5 == NULL)
			goto out;
		if (!ASN1_STRING_set(ia5, name, -1))
			goto out;
		switch (type)
			{
			case GEN_EMAIL:
			case GEN_DNS:
				GENERAL_NAME_set0_value(gen, type, ia5);
				ia5 = NULL;
				break;
			default:
				abort();
			}
		sk_GENERAL_NAME_push(gens, gen);
		gen = NULL;
	}
	if (!X509_add1_ext_i2d(crt, NID_subject_alt_name, gens, 0, 0))
		goto out;
	ret = 1;
 out:
	ASN1_IA5STRING_free(ia5);
	GENERAL_NAME_free(gen);
	GENERAL_NAMES_free(gens);
	va_end(ap);
	return ret;
	}

static int set_cn1(X509 *crt, const char *name)
	{
	return set_cn(crt, NID_commonName, name, 0);
	}


static int set_cn_and_email(X509 *crt, const char *name)
	{
	return set_cn(crt, NID_commonName, name,
		      NID_pkcs9_emailAddress, "dummy@example.com", 0);
	}

static int set_cn2(X509 *crt, const char *name)
	{
	return set_cn(crt, NID_commonName, "dummy value",
		      NID_commonName, name, 0);
	}

static int set_cn3(X509 *crt, const char *name)
	{
	return set_cn(crt, NID_commonName, name,
		      NID_commonName, "dummy value", 0);
	}

static int set_email1(X509 *crt, const char *name)
	{
	return set_cn(crt, NID_pkcs9_emailAddress, name, 0);
	}

static int set_email2(X509 *crt, const char *name)
	{
	return set_cn(crt, NID_pkcs9_emailAddress, "dummy@example.com",
		      NID_pkcs9_emailAddress, name, 0);
	}

static int set_email3(X509 *crt, const char *name)
	{
	return set_cn(crt, NID_pkcs9_emailAddress, name,
		      NID_pkcs9_emailAddress, "dummy@example.com", 0);
	}

static int set_email_and_cn(X509 *crt, const char *name)
	{
	return set_cn(crt, NID_pkcs9_emailAddress, name,
		      NID_commonName, "www.example.org", 0);
	}

static int set_altname_dns(X509 *crt, const char *name)
	{
	return set_altname(crt, GEN_DNS, name, 0);
	}

static int set_altname_email(X509 *crt, const char *name)
	{
	return set_altname(crt, GEN_EMAIL, name, 0);
	}

struct set_name_fn
	{
	int (*fn)(X509 *, const char *);
	const char *name;
	int host;
	int email;
	};

static const struct set_name_fn name_fns[] =
	{
	{set_cn1, "set CN", 1, 0},
	{set_cn2, "set CN", 1, 0},
	{set_cn3, "set CN", 1, 0},
	{set_cn_and_email, "set CN", 1, 0},
	{set_email1, "set emailAddress", 0, 1},
	{set_email2, "set emailAddress", 0, 1},
	{set_email3, "set emailAddress", 0, 1},
	{set_email_and_cn, "set emailAddress", 0, 1},
	{set_altname_dns, "set dnsName", 1, 0},
	{set_altname_email, "set rfc822Name", 0, 1},
	{NULL, NULL, 0}
	};

static X509 *make_cert()
	{
	X509 *ret = NULL;
	X509 *crt = NULL;
	X509_NAME *issuer = NULL;
	crt = X509_new();
	if (crt == NULL)
		goto out;
	if (!X509_set_version(crt, 3))
		goto out;
	ret = crt;
	crt = NULL;
 out:
	X509_NAME_free(issuer);
	return ret;
	}

static int errors;

static void check_message(const struct set_name_fn *fn, const char *op,
			  const char *nameincert, int match, const char *name)
	{
	char msg[1024];
	if (match < 0)
		return;
	snprintf(msg, sizeof(msg), "%s: %s: [%s] %s [%s]",
		 fn->name, op, nameincert,
		 match ? "matches" : "does not match", name);
	if (is_exception(msg))
		return;
	puts(msg);
	++errors;
	}

static void run_cert(X509 *crt, const char *nameincert,
		     const struct set_name_fn *fn)
	{
	const char *const *pname = names;
	while (*pname)
		{
		int samename = strcasecmp(nameincert, *pname) == 0;
		size_t namelen = strlen(*pname);
		char *name = malloc(namelen);
		int match, ret;
		memcpy(name, *pname, namelen);

		ret = X509_check_host(crt, (const unsigned char *)name,
				      namelen, 0);
		match = -1;
		if (fn->host)
			{
			if (ret && !samename)
				match = 1;
			if (!ret && samename)
				match = 0;
			}
		else if (ret)
			match = 1;
		check_message(fn, "host", nameincert, match, *pname);

		ret = X509_check_host(crt, (const unsigned char *)name,
				      namelen, X509_CHECK_FLAG_NO_WILDCARDS);
		match = -1;
		if (fn->host)
			{
			if (ret && !samename)
				match = 1;
			if (!ret && samename)
				match = 0;
			}
		else if (ret)
			match = 1;
		check_message(fn, "host-no-wildcards",
			      nameincert, match, *pname);

		ret = X509_check_email(crt, (const unsigned char *)name,
				       namelen, 0);
		match = -1;
		if (fn->email)
			{
			if (ret && !samename)
				match = 1;
			if (!ret && samename && strchr(nameincert, '@') != NULL)
				match = 0;
			}
		else if (ret)
			match = 1;
		check_message(fn, "email", nameincert, match, *pname);
		++pname;
		free(name);
		}
	}

int
main(void)
	{
	const struct set_name_fn *pfn = name_fns;
	while (pfn->name) {
		const char *const *pname = names;
		while (*pname)
			{
			X509 *crt = make_cert();
			if (crt == NULL)
				{
				fprintf(stderr, "make_cert failed\n");
				return 1;
				}
			if (!pfn->fn(crt, *pname))
				{
				fprintf(stderr, "X509 name setting failed\n");
				return 1;
				}
			run_cert(crt, *pname, pfn);
			X509_free(crt);
			++pname;
			}
		++pfn;
	}
	return errors > 0 ? 1 : 0;
	}
Commit	Line	Data
d88926f1 DSH	1	#include <openssl/x509.h>
	2	#include <openssl/x509v3.h>
	3	#include <string.h>
	4
	5	static const char *const names[] =
	6	{
	7	"a", "b", ".", "*", "@",
	8	".a", "a.", ".b", "b.", ".", ".", "@", "@", "a@", "@a", "b@", "..",
	9	"@@", "**",
	10	".com", "com", "..com", "com", "com", "*example.com",
	11	"@example.com", "test@.example.com",
	12	"example.com", "www.example.com", "test.www.example.com",
	13	".example.com", ".www.example.com", "test..example.com", "www..com",
	14	"example.net", "xn--rger-koa.example.com",
	15	"a.example.com", "b.example.com",
	16	"postmaster@example.com", "Postmaster@example.com",
	17	"postmaster@EXAMPLE.COM",
	18	NULL
	19	};
	20
	21	static const char *const exceptions[] =
	22	{
	23	"set CN: host: [.example.com] does not match [.example.com]",
	24	"set CN: host: [*.example.com] matches [a.example.com]",
	25	"set CN: host: [*.example.com] matches [b.example.com]",
	26	"set CN: host: [*.example.com] matches [www.example.com]",
	27	"set CN: host: [test..example.com] does not match [test..example.com]",
	28	"set CN: host: [test.*.example.com] matches [test.www.example.com]",
	29	"set CN: host: [.www.example.com] does not match [.www.example.com]",
	30	"set CN: host: [*.www.example.com] matches [test.www.example.com]",
	31	"set emailAddress: email: [postmaster@example.com] does not match [Postmaster@example.com]",
	32	"set emailAddress: email: [postmaster@EXAMPLE.COM] does not match [Postmaster@example.com]",
	33	"set emailAddress: email: [Postmaster@example.com] does not match [postmaster@example.com]",
	34	"set emailAddress: email: [Postmaster@example.com] does not match [postmaster@EXAMPLE.COM]",
	35	"set dnsName: host: [*.example.com] matches [www.example.com]",
	36	"set dnsName: host: [.example.com] does not match [.example.com]",
	37	"set dnsName: host: [*.example.com] matches [a.example.com]",
	38	"set dnsName: host: [*.example.com] matches [b.example.com]",
	39	"set dnsName: host: [*.www.example.com] matches [test.www.example.com]",
	40	"set dnsName: host: [.www.example.com] does not match [.www.example.com]",
	41	"set dnsName: host: [test.*.example.com] matches [test.www.example.com]",
	42	"set dnsName: host: [test..example.com] does not match [test..example.com]",
	43	"set rfc822Name: email: [postmaster@example.com] does not match [Postmaster@example.com]",
	44	"set rfc822Name: email: [Postmaster@example.com] does not match [postmaster@example.com]",
	45	"set rfc822Name: email: [Postmaster@example.com] does not match [postmaster@EXAMPLE.COM]",
	46	"set rfc822Name: email: [postmaster@EXAMPLE.COM] does not match [Postmaster@example.com]",
	47	NULL
	48	};
	49
	50	static int is_exception(const char *msg)
	51	{
	52	const char const p;
	53	for (p = exceptions; *p; ++p)
	54	if (strcmp(msg, *p) == 0)
	55	return 1;
	56	return 0;
	57	}
	58
	59	static int set_cn(X509 *crt, ...)
	60	{
	61	int ret = 0;
	62	X509_NAME *n = NULL;
	63	va_list ap;
	64	va_start(ap, crt);
65	n = X509_NAME_new();
66	if (n == NULL)
67	goto out;
68	while (1) {
69	int nid;
70	const char *name;
71	nid = va_arg(ap, int);
72	if (nid == 0)
73	break;
74	name = va_arg(ap, const char *);
75	if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_ASC,
76	(unsigned char *)name,
77	-1, -1, 1))
78	goto out;
79	}
80	if (!X509_set_subject_name(crt, n))
81	goto out;
82	ret = 1;
83	out:
84	X509_NAME_free(n);
85	va_end(ap);
86	return ret;
87	}
88
89	/*
90	int X509_add_ext(X509 x, X509_EXTENSION ex, int loc);
91	X509_EXTENSION X509_EXTENSION_create_by_NID(X509_EXTENSION *ex,
92	int nid, int crit, ASN1_OCTET_STRING *data);
93	int X509_add_ext(X509 x, X509_EXTENSION ex, int loc);
94	*/
95
96	static int set_altname(X509 *crt, ...)
97	{
98	int ret = 0;
99	GENERAL_NAMES *gens = NULL;
100	GENERAL_NAME *gen = NULL;
101	ASN1_IA5STRING *ia5 = NULL;
102	va_list ap;
103	va_start(ap, crt);
104	gens = sk_GENERAL_NAME_new_null();
105	if (gens == NULL)
106	goto out;
107	while (1) {
108	int type;
109	const char *name;
110	type = va_arg(ap, int);
111	if (type == 0)
112	break;
113	name = va_arg(ap, const char *);
114
115	gen = GENERAL_NAME_new();
116	if (gen == NULL)
117	goto out;
118	ia5 = ASN1_IA5STRING_new();
119	if (ia5 == NULL)
120	goto out;
121	if (!ASN1_STRING_set(ia5, name, -1))
122	goto out;
123	switch (type)
124	{
125	case GEN_EMAIL:
126	case GEN_DNS:
127	GENERAL_NAME_set0_value(gen, type, ia5);
128	ia5 = NULL;
129	break;
130	default:
131	abort();
132	}
133	sk_GENERAL_NAME_push(gens, gen);
134	gen = NULL;
135	}
136	if (!X509_add1_ext_i2d(crt, NID_subject_alt_name, gens, 0, 0))
137	goto out;
138	ret = 1;
139	out:
140	ASN1_IA5STRING_free(ia5);
141	GENERAL_NAME_free(gen);
142	GENERAL_NAMES_free(gens);
143	va_end(ap);
144	return ret;
145	}
146
147	static int set_cn1(X509 crt, const char name)
148	{
149	return set_cn(crt, NID_commonName, name, 0);
150	}
151
152
153	static int set_cn_and_email(X509 crt, const char name)
154	{
155	return set_cn(crt, NID_commonName, name,
156	NID_pkcs9_emailAddress, "dummy@example.com", 0);
157	}
158
159	static int set_cn2(X509 crt, const char name)
160	{
161	return set_cn(crt, NID_commonName, "dummy value",
162	NID_commonName, name, 0);
163	}
164
165	static int set_cn3(X509 crt, const char name)
166	{
167	return set_cn(crt, NID_commonName, name,
168	NID_commonName, "dummy value", 0);
169	}
170
171	static int set_email1(X509 crt, const char name)
172	{
173	return set_cn(crt, NID_pkcs9_emailAddress, name, 0);
174	}
175
176	static int set_email2(X509 crt, const char name)
177	{
178	return set_cn(crt, NID_pkcs9_emailAddress, "dummy@example.com",
179	NID_pkcs9_emailAddress, name, 0);
180	}
181
182	static int set_email3(X509 crt, const char name)
183	{
184	return set_cn(crt, NID_pkcs9_emailAddress, name,
185	NID_pkcs9_emailAddress, "dummy@example.com", 0);
186	}
187
188	static int set_email_and_cn(X509 crt, const char name)
189	{
190	return set_cn(crt, NID_pkcs9_emailAddress, name,
191	NID_commonName, "www.example.org", 0);
192	}
193
194	static int set_altname_dns(X509 crt, const char name)
195	{
196	return set_altname(crt, GEN_DNS, name, 0);
197	}
198
199	static int set_altname_email(X509 crt, const char name)
200	{
201	return set_altname(crt, GEN_EMAIL, name, 0);
202	}
203
204	struct set_name_fn
205	{
206	int (fn)(X509 , const char *);
207	const char *name;
208	int host;
209	int email;
210	};
211
212	static const struct set_name_fn name_fns[] =
213	{
214	{set_cn1, "set CN", 1, 0},
215	{set_cn2, "set CN", 1, 0},
216	{set_cn3, "set CN", 1, 0},
217	{set_cn_and_email, "set CN", 1, 0},
218	{set_email1, "set emailAddress", 0, 1},
219	{set_email2, "set emailAddress", 0, 1},
220	{set_email3, "set emailAddress", 0, 1},
221	{set_email_and_cn, "set emailAddress", 0, 1},
222	{set_altname_dns, "set dnsName", 1, 0},
223	{set_altname_email, "set rfc822Name", 0, 1},
224	{NULL, NULL, 0}
225	};
226
227	static X509 *make_cert()
228	{
229	X509 *ret = NULL;
230	X509 *crt = NULL;
231	X509_NAME *issuer = NULL;
232	crt = X509_new();
233	if (crt == NULL)
234	goto out;
235	if (!X509_set_version(crt, 3))
236	goto out;
237	ret = crt;
238	crt = NULL;
239	out:
240	X509_NAME_free(issuer);
241	return ret;
242	}
243
244	static int errors;
245
246	static void check_message(const struct set_name_fn fn, const char op,
247	const char nameincert, int match, const char name)
248	{
249	char msg[1024];
250	if (match < 0)
251	return;
252	snprintf(msg, sizeof(msg), "%s: %s: [%s] %s [%s]",
253	fn->name, op, nameincert,
254	match ? "matches" : "does not match", name);
255	if (is_exception(msg))
256	return;
257	puts(msg);
258	++errors;
259	}
260
261	static void run_cert(X509 crt, const char nameincert,
262	const struct set_name_fn *fn)
263	{
264	const char const pname = names;
265	while (*pname)
266	{
267	int samename = strcasecmp(nameincert, *pname) == 0;
268	size_t namelen = strlen(*pname);
269	char *name = malloc(namelen);
270	int match, ret;
271	memcpy(name, *pname, namelen);
272
273	ret = X509_check_host(crt, (const unsigned char *)name,
274	namelen, 0);
275	match = -1;
276	if (fn->host)
277	{
278	if (ret && !samename)
279	match = 1;
280	if (!ret && samename)
281	match = 0;
282	}
283	else if (ret)
284	match = 1;
285	check_message(fn, "host", nameincert, match, *pname);
286
287	ret = X509_check_host(crt, (const unsigned char *)name,
288	namelen, X509_CHECK_FLAG_NO_WILDCARDS);
289	match = -1;
290	if (fn->host)
291	{
292	if (ret && !samename)
293	match = 1;
294	if (!ret && samename)
295	match = 0;
296	}
297	else if (ret)
298	match = 1;
299	check_message(fn, "host-no-wildcards",
300	nameincert, match, *pname);
301
302	ret = X509_check_email(crt, (const unsigned char *)name,
303	namelen, 0);
304	match = -1;
305	if (fn->email)
306	{
307	if (ret && !samename)
308	match = 1;
309	if (!ret && samename && strchr(nameincert, '@') != NULL)
310	match = 0;
311	}
312	else if (ret)
313	match = 1;
314	check_message(fn, "email", nameincert, match, *pname);
315	++pname;
316	free(name);
317	}
318	}
319
320	int
321	main(void)
322	{
323	const struct set_name_fn *pfn = name_fns;
324	while (pfn->name) {
325	const char const pname = names;
326	while (*pname)
327	{
328	X509 *crt = make_cert();
329	if (crt == NULL)
330	{
331	fprintf(stderr, "make_cert failed\n");
332	return 1;
333	}
334	if (!pfn->fn(crt, *pname))
335	{
336	fprintf(stderr, "X509 name setting failed\n");
337	return 1;
338	}
339	run_cert(crt, *pname, pfn);
340	X509_free(crt);
341	++pname;
342	}
343	++pfn;
344	}
345	return errors > 0 ? 1 : 0;
346	}