    Add SSL tests for IP addresses in certificates
    This tests some scenarios that already work. A subsequent patch will introduce more functionality. Author: Jacob Champion <pchampion@vmware.com> Co-authored-by: Kyotaro Horiguchi <horikyota.ntt@gmail.com> Co-authored-by: Daniel Gustafsson <daniel@yesql.se> Discussion: https://www.postgresql.org/message-id/flat/9f5f20974cd3a4091a788cf7f00ab663d5fcdffe.camel@vmware.com
    1 parent 5519d5a commit af9e180

    8 files changed

    +147
    -1
    lines changed
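--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,12 @@
+# An OpenSSL format CSR config file for creating a server certificate.
+#
+
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[ req_distinguished_name ]
+CN = 192.0.2.1
+OU = PostgreSQL test suite
+
+# No Subject Alternative Names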
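--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,18 @@
+# An OpenSSL format CSR config file for creating a server certificate.
+#
+
+[ req ]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[ req_distinguished_name ]
+OU = PostgreSQL test suite
+
+# For Subject Alternative Names
+[ v3_req ]
+subjectAltName = @alt_names
+
+# Normally IP addresses should not go into a dNSName.
+[ alt_names ]
+DNS.1 = 192.0.2.1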
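--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8TCCAdkCCCAhESkRN1IAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
+Y2VydHMwHhcNMjExMTI5MTkzNzUyWhcNNDkwNDE2MTkzNzUyWjA0MR4wHAYDVQQL
+DBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUxEjAQBgNVBAMMCTE5Mi4wLjIuMTCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANWs1uUL71nHYF9Zj6p+M3MpYDvx
+32iCjVdtH5a2qpSWHXTg0rR8dLX0y92cvOYvMXHRajZT1avpHr8dooPYSVaXpGMK
+NvF/Qi+WFYovRbP2vmd1yv1cgW/FggbwJFWVobizIz4seyA4d0B2j9fqoi2OFBNP
+huW664SjF0u3p21tDy+43i2LNUMAKf6dnRR5Vqenath87LEU41tSLudu6NXgbFMk
+jvfNkl4d0w7YCzeXmklmSI+uaX3PlJJ4NzQO2j8w5BvnKVhNVD0KjgrXZ6nB/8F7
+Pg3XY+d7rJlwRgXemU6resWQDJ7+UaC9u7I4EIP+9lzCR/nNBqUktpHRmHUCAwEA
+ATANBgkqhkiG9w0BAQsFAAOCAQEAos1JncV8Yf4UaKl6h1GdYtcVtzFyJvBEnhRD
+07ldL+TYnfZiX8wK2ssBtM3cg/C78y5bzdUa5XGS83ZKQJFFdhE7PSnrvyNqyIqY
+ZgNBxto3gyvir+EjO1u9BAB0NP3r3gYoHRDZS1xOPPzt4WgjuUgTLM9k82GsqAbO
+UrOTOdRnkIqC5xLpa05EnRyJPRsR1w1PRJC2XXKnHIuFjMb4v7UuPwyCcX1P5ioc
+rQszQcORy/L+k0ezCkyweORg68htjYbBHuwOuiGfok6yKKDMzrTvD3lIslls6eX7
+4sI3XWqzkPmG9Vsxm9Vu9/Ma+PRO76VyCoIwBd+Ufg5vNXhMmw==
+-----END CERTIFICATE-----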
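--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA1azW5QvvWcdgX1mPqn4zcylgO/HfaIKNV20flraqlJYddODS
+tHx0tfTL3Zy85i8xcdFqNlPVq+kevx2ig9hJVpekYwo28X9CL5YVii9Fs/a+Z3XK
+/VyBb8WCBvAkVZWhuLMjPix7IDh3QHaP1+qiLY4UE0+G5brrhKMXS7enbW0PL7je
+LYs1QwAp/p2dFHlWp6dq2HzssRTjW1Iu527o1eBsUySO982SXh3TDtgLN5eaSWZI
+j65pfc+Ukng3NA7aPzDkG+cpWE1UPQqOCtdnqcH/wXs+Dddj53usmXBGBd6ZTqt6
+xZAMnv5RoL27sjgQg/72XMJH+c0GpSS2kdGYdQIDAQABAoIBAQDNXviU4WnF8rmQ
+K7bH+dBdqbETLKC8BG7xTrMD2sINWlMpmUUrsEtE7+paMGHnJAj0CoF5gg5m0wN4
+UXV4H5QtpEad4p14dAYbUreVP2ZRWKEdM7xM1HKcCUu2e22QzObJbXQ8N+iHyX3k
++Y+7yYrjGiH1hYR0nbnsnAyx++zyYBSQeqzpdQwf/BLY5xZmyYWNfqbckiMpEqMs
+EmZmGXnCjIipzEC0LQHoSW9PNa92Z9bvuxOKYl8iHYDDXjvMRFoZBSiMXpzHQocb
+QlQ5F4ayfW2OrOhpNbY7niYM9GN3Bk9TgMP+0BkJE6uuktLYW35LY1M78CCPWcWb
+npJNK3QBAoGBAOxkGrhAHAysSmtirIyMdvySb76wb/Ukfi+AULKz20FI5j4/GXm9
+qCb2GeT+FFSUHeSC8f0EFnosRYkdBGruqeZioI+5rUkboYFJPspAHAuvg9kgtfF+
+kvphD4O4P/foYsEZRx66FHozDbhrrR5UXc7KzqRIASc/D3FOx2UFJLb1AoGBAOdm
+WcaMvYygl9ZW+ThWAR1xG1X70AGKwrlrpF2hBkWYxSurxSMXnD0DUzC9Nb4EyCaM
+c2uSqEZOKdW+XfXtK2DnqXKfb3YCVEoGN4gVfyuW/vxii/+ZxLo3md/b3vrkZEVp
+pfkXy/HoZ71YN7bNpcDpOnhml6vvuCRCYFnI1WuBAoGAC0shB6pwbJ6Sk5zMN47C
+ZICufAK75o9OxAAyWsdC81SDQ3gKRImuDeZ2CD2nRP8qim9DFl5qoH2a+Nj9DArI
+7SvLFfK9958tURrpuAnmDRzehLIOXzI33WRjtFxKGhLtHOKTRkGHlur3fdcPF0La
+lHWV971E6NYXa8diuU3Mmj0CgYBYd+ka3/QYL83dRKNDxp3mg7fPx9ZewI5yFZVh
+to6PTTkU2Tclk4FIUl0b5TsGyw06r7fxCMENIBUegwmpXGOZSPifuhUDKSDQrE/O
+12knYTNbitG7hy6Pg3JxA77cbTVo1FuAQHjYo+IFohSq7zTP7FtObOrP8XaVZksw
+CHiQAQKBgBW4EiA9AAnZ1LOpifAvM7bs0NHg95qTwtAL52WKom2ga2H+lMhxeu6Y
+hUSytC/f9kALVcYloZhkLYpO07x1gXmy7f4parMjA4Ex+4vfu3kPd8GiNGZ+AUJD
+nnJ1OINY9ziXJZfju7FpVWpkiuPzWCh6y/o3gZ/veq5mIUxuDMVa
+-----END RSA PRIVATE KEY-----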
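--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC/DCCAeSgAwIBAgIIICIDFRVYUgAwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE
+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl
+cnZlciBjZXJ0czAeFw0yMjAzMTUyMjU4NTJaFw00OTA3MzEyMjU4NTJaMCAxHjAc
+BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAMpn5bP1/OfBQR/yvOkOBzxArE1j1YShVa2pcj896+CVDEgV
+N5Hluz7KHU/JYzNZCAHb5WAHuvXxKeoj4Ti5be1KsqO0mN1p+RMN7VlCpCpb0AWT
+z4z+I8TUhSZnmgghHvfW4RfcZMCcHq1vevVTDxR/cAbDPYpgBCD5F/SZMRyMDw5B
+7ILLmft0eqA1nCqavyqBCGZvx1ol8N5BfVdrDXp/rN5997khBWQRZ8g84FZyFZXf
+pwp57eu0OGQDzZFXoEL2t4OVld67K5jcclWVxHY6FGcHjCvyqs48PCPOR84anZwj
+GsqVOS6250/DWKBQO4KyhkTVf0AW/ICGSMOKkAkCAwEAAaMYMBYwFAYDVR0RBA0w
+C4IJMTkyLjAuMi4xMA0GCSqGSIb3DQEBCwUAA4IBAQDIAAH0WJKEpbPN0QihN6SF
+UA5WL4ixsBACo9OIAGkSnKeOeVEG5vvgOna0hjQcOcgtI1oCDLhULcjCuwxiIW6y
+QntOazyo0sooJr0hEm2WfipvIpQs6W9E1OTcs624BAVfkAwr6WT2VwoIAPcQD2nR
+tIQhSUIR9J7Q5WbzuQw7pthQhBfW/UPWw7vajel0r1dflbe0Cgp5WGNfp1kYy+Qf
+XW/YjkstZEP1KFm+TF58uxrIDmYboS8EerUREGQixijbI0AfXjShxtiyS63rbdpo
+3C0BPj9Yx2VtWi4U0qoef/iLJxJBCLvE/97+duPdKx0AkkOWA9VuenkWLp797UM8
+-----END CERTIFICATE-----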
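--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAymfls/X858FBH/K86Q4HPECsTWPVhKFVralyPz3r4JUMSBU3
+keW7PsodT8ljM1kIAdvlYAe69fEp6iPhOLlt7Uqyo7SY3Wn5Ew3tWUKkKlvQBZPP
+jP4jxNSFJmeaCCEe99bhF9xkwJwerW969VMPFH9wBsM9imAEIPkX9JkxHIwPDkHs
+gsuZ+3R6oDWcKpq/KoEIZm/HWiXw3kF9V2sNen+s3n33uSEFZBFnyDzgVnIVld+n
+Cnnt67Q4ZAPNkVegQva3g5WV3rsrmNxyVZXEdjoUZweMK/Kqzjw8I85HzhqdnCMa
+ypU5LrbnT8NYoFA7grKGRNV/QBb8gIZIw4qQCQIDAQABAoIBAA2kPP4JCTeRddMy
+Z/sJIAG2liZNITnkKcMflXyfrsMfKIm/LFSf+CO+OYWEHDR8vqZpbKcxPi+PRnTq
+YCaTkM4aZ7nS1S6vEsNu/90xOaFFONr3YFivVDfS3vp8pwv/N3gaumcCSqQUoZis
+18urAmwuPp2mEQK/f+e9AhlRLdcvlqDyKm+zMrVixK77Hj5JiEkh3rfZ3onHHKGE
+B7T2XRRqnZ4FCN9qLH2pMGUknZ4MGC9SlCyoerXFodb4DhKWQhJDRLjb8qP96r/E
+FGSg5WUiAERU/OgODoqZNTeIwIDB/f9NK45dEY3Hw6BsSFfU2VChrlNoVlzFUx2k
+yaH5Y4ECgYEA8rht3crh3GTy0jBJjNqB2iul8fkG/uiaiSvERWT/+KZnmV1+JGAW
+h2/wvd5apagOJjqKY0bCHMei/qYF9r4yJnkIy4qNper3QUz7TMCjsWduCm8S834A
+Z+Vwi3RBGJiQQH9Dfexko5sDjo+w5g4RsH52INCeReInNdxHOv06jZECgYEA1XrR
+QNwZlxHt3H93YKmKDZXikqW12Cuq6RSwf5VVdeuzV+pUN+/JaSgEuYsBilW7Q5p2
+gPROi0l8/eUPsBJb+dh1BcGzSjI2Kkzf66QOTG83S7tCPwQhwJUAylFuADvURjPQ
+qvqNjbQUomdm2QjBzyWtiFbolqxBgM3dnE6R/vkCgYBYGqQexx83LhmKPGbmTwal
+mARzkg59BxfZRN7IxcG4k0a1v98i+xISdYqwkP7cdOU18Tf8k1mwsrKytrcheqaf
+mn2bzJ5gJKs9s+DgWmjQ45dpCCqb4hfpnro8lKVwdSifkNKB6gYZ8RHYdMYkq+S1
+6SGeBbv95/qNrXjZq8POUQKBgHyaDwD4dsdCY79LdvYofrenQHOv3Q+rjTo2JT6S
+fysww6EQ2M89WiXSgc96Xw/LMl4nDfv+nMmXvyjCRgHS9XRC7yrJAEjSPeM6s4fq
+XZ4nW/ML/YKiesDZN3jfRoFEaoX/QFBLpcuLzG9uQw1ymwy5RSxK7b7kE+eGQU82
+XOihAoGBAI3xvT9fG3jRsSuw/8OQBlmDUFZcT0fRPRZ3pg8XlSreAam4b607d2WY
+u/bBHIclG3CLJ2EFqBtxl9AQeM0OTweF0KmV3dbtdBmaTbnhbK8/NLYnl5+aosEJ
+YrFKD8k8z6z+mYQs+7bAnfRa53TjfC7f24BpgEQyEfKL2fa3PF+J
+-----END RSA PRIVATE KEY-----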

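--- a/src/test/ssl/sslfiles.mk
+++ b/src/test/ssl/sslfiles.mk
@@ -23,6 +23,8 @@
 #
 SERVERS := server-cn-and-alt-names \
 server-cn-only \
+server-ip-cn-only \
+server-ip-in-dnsname \
 server-single-alt-name \
 server-multiple-alt-names \
 server-no-names \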

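--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -229,6 +229,30 @@ sub switch_server_cert
 qr/\Qserver certificate for "common-name.pg-ssltest.test" does not match host name "wronghost.test"\E/
 );
 
+# Test with an IP address in the Common Name. This is a strange corner case that
+# nevertheless is supported, as long as the address string matches exactly.
+switch_server_cert($node, certfile => 'server-ip-cn-only');
+
+$common_connstr =
+"$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
+
+$node->connect_ok("$common_connstr host=192.0.2.1",
+"IP address in the Common Name");
+
+$node->connect_fails(
+"$common_connstr host=192.000.002.001",
+"mismatch between host name and server certificate IP address",
+expected_stderr =>
+qr/\Qserver certificate for "192.0.2.1" does not match host name "192.000.002.001"\E/
+);
+
+# Similarly, we'll also match an IP address in a dNSName SAN. (This is
+# long-standing behavior.)
+switch_server_cert($node, certfile => 'server-ip-in-dnsname');
+
+$node->connect_ok("$common_connstr host=192.0.2.1",
+"IP address in a dNSName");
+
 # Test Subject Alternative Names.
 switch_server_cert($node, certfile => 'server-multiple-alt-names');
 
@@ -281,7 +305,7 @@ sub switch_server_cert
 qr/\Qserver certificate for "single.alt-name.pg-ssltest.test" does not match host name "deep.subdomain.wildcard.pg-ssltest.test"\E/
 );
 
-# Test server certificate with a CN and SANs. Per RFCs 2818 and 6125, the CN
+# Test server certificate with a CN and DNS SANs. Per RFCs 2818 and 6125, the CN
 # should be ignored when the certificate has both.
 switch_server_cert($node, certfile => 'server-cn-and-alt-names');
 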
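Review bot: The dNSName scenario added at new lines 249-254 of the first hunk only asserts the successful match, whereas the Common Name case directly above it pairs its connect_ok with a connect_fails for the non-canonical spelling `192.000.002.001`; without the negative half, a regression that accepted any dNSName carrying an IP-looking string would still pass this test. Mirroring the CN case pins the exact-string behaviour the comment describes as long-standing, and it also exercises the verify-full failure path that is the security-relevant outcome here. The exact expected_stderr text for the dNSName case is not visible on this page, so the pattern in the excerpt is constructed and should be confirmed against libpq's actual message before committing. The test script continues outside both hunks.
```perl
# … unchanged: connect_ok("$common_connstr host=192.0.2.1", "IP address in a dNSName") …
$node->connect_fails(
	"$common_connstr host=192.000.002.001",
	"mismatch between host name and IP address in a dNSName",
	expected_stderr =>
	  qr/\Qdoes not match host name "192.000.002.001"\E/    # constructed pattern; confirm against libpq output
);
```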
