From aa9815081d6374f7380bdbd6e8998a044f37d033 Mon Sep 17 00:00:00 2001
From: Shigeki Ohtsu
Date: Mon, 27 Feb 2017 18:50:59 +0900
Subject: [PATCH] test: add script to create 0-dns-cert.pem

0-dns-cert.pem and 0-dns-key.pem were stored in `test/fixtures/key` directory, but the cert file cannot be created with the openssl command via Makefile. Added a script to create it with using `asn1.js` and `asn1.js-rfc5280` and moved them out of key directory and put into `test/fixtures/0-dns`. The domains listed in the cert were also changed into example.com and example.org to show the use for only testing.

Fixes: https://github.com/nodejs/node/issues/10228
PR-URL: https://github.com/nodejs/node/pull/11579
Reviewed-By: James M Snell
Reviewed-By: Sam Roberts
---
test/fixtures/0-dns/0-dns-cert.pem | 19 ++++++
test/fixtures/0-dns/0-dns-key.pem | 27 +++++++++
test/fixtures/0-dns/0-dns-rsapub.der | Bin 0 -> 270 bytes
test/fixtures/0-dns/README.md | 26 ++++++++
test/fixtures/0-dns/create-cert.js | 75 ++++++++++++++++++++++++
test/fixtures/0-dns/package.json | 16 +++++
test/fixtures/keys/0-dns-cert.pem | 19 ------
test/fixtures/keys/0-dns-key.pem | 27 ---------
test/parallel/test-tls-0-dns-altname.js | 12 ++--
9 files changed, 170 insertions(+), 51 deletions(-)
create mode 100644 test/fixtures/0-dns/0-dns-cert.pem
create mode 100644 test/fixtures/0-dns/0-dns-key.pem
create mode 100644 test/fixtures/0-dns/0-dns-rsapub.der
create mode 100644 test/fixtures/0-dns/README.md
create mode 100644 test/fixtures/0-dns/create-cert.js
create mode 100644 test/fixtures/0-dns/package.json
delete mode 100644 test/fixtures/keys/0-dns-cert.pem
delete mode 100644 test/fixtures/keys/0-dns-key.pem
diff --git a/test/fixtures/0-dns/0-dns-cert.pem b/test/fixtures/0-dns/0-dns-cert.pem
new file mode 100644
index 00000000000000..03a4db3e2d8501
--- /dev/null
+++ b/test/fixtures/0-dns/0-dns-cert.pem
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDGDCCAgCgAwIBAgIBATANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDEw5jYS5l +eGFtcGxlLmNvbTAeFw0xNzAzMDIwMTMxMjJaFw0yNzAyMjgwMTMxMjJaMBsxGTAX +BgNVBAMTEGV2aWwuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQDFyJT0kv2P9L6iNY6TL7IZonAR8R9ev7iD1tR5ycMEpM/y6WTefIco +civMcBGVZWtCgkoePHiveH9UIep7HFGB4gxCYDZFYB46yGS0YH2fB5GWXTLYObYa +zxuEhgFRG0DLIwNDRLW0+0FG3disp7YdRHBtdbL58F/qNORqPEjIpoQxOJc2UqX2 +/gfomJRdFW/PSgN7uH2QwMzRQRIrKmyAFzeuEWVP+UAV4853Yg66PmYpAASyt069 +sE8QNTNE75KrerMmYzH7AmTEGvY8bukrDuVQZce2/lcK2rAE+G6at2eBNMZKOnzR +y9kWIiJ3rR7+WK55EKelLz0doZFKteu1AgMBAAGjaTBnMGUGA1UdEQReMFyCImdv +b2QuZXhhbXBsZS5vcmcALmV2aWwuZXhhbXBsZS5jb22CGGp1c3QtYW5vdGhlci5l +eGFtcGxlLmNvbYcECAgICIcECAgEBIIQbGFzdC5leGFtcGxlLmNvbTANBgkqhkiG +9w0BAQsFAAOCAQEAvreVoOZO2gpM4Dmzp70D30XZjsK9i0BCsRHBvPLPw3y8B2xg +BRtOREOI69NU0WGpj5Lbqww5M8M1hjHshiGEu2aXfZ6qM3lENaIMCpKlF9jbm02/ +wmxNaAnS8bDSZyO5rbsGr2tJb4ds7DazmMEKWhOBEpJoOp9rG6SAey+a6MkZ7NEN +0p3THCqNf3lL1KblPrMvdsyhHPEzv4uT7+YAnLKHwGzbihcWJRsRo5oipWL8ZDhn +bd3SMWtfRTSWDmghJaHke2xIjDtTwSjHjjPTFsK+rl227W8r4/EQI/X6fTQV2j3T +7zqrJLF9h9F/v3mo57k6sxsQNZ12XvhuTHC2dA== +-----END CERTIFICATE----- diff --git a/test/fixtures/0-dns/0-dns-key.pem b/test/fixtures/0-dns/0-dns-key.pem new file mode 100644 index 00000000000000..4e2fdb5fc61e0e --- /dev/null +++ b/test/fixtures/0-dns/0-dns-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAxciU9JL9j/S+ojWOky+yGaJwEfEfXr+4g9bUecnDBKTP8ulk +3nyHKHIrzHARlWVrQoJKHjx4r3h/VCHqexxRgeIMQmA2RWAeOshktGB9nweRll0y +2Dm2Gs8bhIYBURtAyyMDQ0S1tPtBRt3YrKe2HURwbXWy+fBf6jTkajxIyKaEMTiX +NlKl9v4H6JiUXRVvz0oDe7h9kMDM0UESKypsgBc3rhFlT/lAFePOd2IOuj5mKQAE +srdOvbBPEDUzRO+Sq3qzJmMx+wJkxBr2PG7pKw7lUGXHtv5XCtqwBPhumrdngTTG +Sjp80cvZFiIid60e/liueRCnpS89HaGRSrXrtQIDAQABAoIBABcGA3j5B3VTi0F8 +tI0jtzrOsvcTt5AjB0qpnnBS8VXADcj8LFbN7jniGIEi5pkahkLmwdQFPBNJFqFn +lVEheceB1eWAJ7EpwDsdisOIm/cAPY1gagPLrAww4cYqh0q2vnMnL0EMZY6c1Pt3 +5borh8KebewAEIaR2ch8wb4wKFTbAM0DftYBFzHAF88OeCuIpdsk2Tz0sVQbA3/1 +XNLOVcJvDOVIRPEpo2l7RIN33KvDhzpMoV3qVzWxqdccPRZZFU5KmJ6DtouIPT3S +3WauIL5oVpAyYNJETTyxjBQE4DgFeNX1Wyycgk27EoLcn6Trcs0kNVrmXXblNAtJ +Nko6g10CgYEA+TjzNjyAXPrOpY88uiPVMAgepEQOnDYtMwasdDVaW3xK9KH1rrhU +dx1IDTMmOUfyU2qsj5txmJtReQz//1bpd7e73VO8mHQDUubhs2TivgGs+fqzAdmT +vJsjerfNsxf+4JENzzWmqT/Ybc976Tu55VH5mcRG9Q66fTxdAJ51+8MCgYEAyymF +gntRMBd9e/KIiqlvcxelo0ahyKEzaJC7/FkZotuSB+kAwpdJ5Unb0FeVQZxNhDPg +xgsrGOOOvHvfhv7DPU0TQ/vp6VDPdg+N6m/Ow2vr79A2v6s+7gZj3MLiLRFyEF6l +bxQNGe3qavnm3owUQQCY2RLBKYCFfv/cykYlGycCgYB6etKMRQ+QonIMS2i80f9j +q5njgM7tVnLAMPdv5QiTDXKI50+mnlBkea9/TTPr0r/03ugPa4VYSnyv0QO+qSfz +/ggFrbFx+xHnHDCvyVTlrE0mTV7L+fHxLw0wskQVUCWil6cBvow5gXcMAHwVE5U4 +biEMwLlele5wvcm3FClHoQKBgACV/RGUQ3atCqqZ13T26iBd2Bdxc7P9awWJLVGb +/CvxECm/rUXiY88qeFzQc9i9l6ei8qn/jD9FILtAbDOadnutxjly94i5t+9yOgmM +Cv+bRxHo+s9wsfzDvfP8B+TzYO3VKAr69tK1UfC/CcBojQJm+wndOPtiqH/mQv++ +VgsPAoGBAJ0aNJe3zb+blvAQ3W4iPSjhyxdMC00x46pr6ds+Y8WygbN6lzCvNDw6 +FFTINBckOs5Z/UWUNbExWYjBHZhLlhhxTezCzvIrwNvgUB8Y4sPk3S4KDsnkyy6f +/qMmEHlVyKjh2BCNs7PVnWDlfl3vECE7n8dBizFHgja76l1ia+0z +-----END RSA PRIVATE KEY----- 
diff --git a/test/fixtures/0-dns/0-dns-rsapub.der b/test/fixtures/0-dns/0-dns-rsapub.der new file mode 100644 index 0000000000000000000000000000000000000000..263a4b8293dd0ef752e74ae4b459bed5b0a88fca GIT binary patch literal 270 zcmV+p0rCDYf&mHwf&l>l#mJQOlKqeLzM?gblP|IvqHq!MA6~z>gVxk}$-@Ms&+_SH z-h78Bax2Vm5tU_YLV`*jJb15oe^eprdmK@L;tWDyHbr0_I>=0Z|)3%Oe9rM76a0K}Ox!tf#geL~w0&via~|>NMnPJV?llFXMr@vN;-Ve%h?tpB6qDG{#dSg U5T~UtJsqKuO10~?0s{d60X%Gbh5!Hn literal 0 HcmV?d00001 diff --git a/test/fixtures/0-dns/README.md b/test/fixtures/0-dns/README.md new file mode 100644 index 00000000000000..650970a2c5a5cf --- /dev/null +++ b/test/fixtures/0-dns/README.md @@ -0,0 +1,26 @@ +## Purpose +The test cert file for use `test/parallel/test-tls-0-dns-altname.js` +can be created by using `asn1.js` and `asn1.js-rfc5280`, + +## How to create a test cert. + +```sh +$ openssl genrsa -out 0-dns-key.pem 2048 +Generating RSA private key, 2048 bit long modulus +...................+++ +..............................................................................................+++ +e is 65537 (0x10001) +$ openssl rsa -in 0-dns-key.pem -RSAPublicKey_out -outform der -out 0-dns-rsapub.der +writing RSA key +$ npm install +0-dns@1.0.0 /home/github/node/test/fixtures/0-dns ++-- asn1.js@4.9.1 +| +-- bn.js@4.11.6 +| +-- inherits@2.0.3 +| `-- minimalistic-assert@1.0.0 +`-- asn1.js-rfc5280@1.2.2 + +$ node ./createCert.js +$ openssl x509 -text -in 0-dns-cert.pem +(You can not see evil.example.com in subjectAltName field) +``` diff --git a/test/fixtures/0-dns/create-cert.js b/test/fixtures/0-dns/create-cert.js new file mode 100644 index 00000000000000..7a353906e4bbec --- /dev/null +++ b/test/fixtures/0-dns/create-cert.js 
@@ -0,0 +1,75 @@
+'use strict';
+const asn1 = require('asn1.js');
+const crypto = require('crypto');
+const fs = require('fs');
+const rfc5280 = require('asn1.js-rfc5280');
+const BN = asn1.bignum;
+
+const id_at_commonName = [ 2, 5, 4, 3 ];
+const rsaEncryption = [1, 2, 840, 113549, 1, 1, 1];
+const sha256WithRSAEncryption = [1, 2, 840, 113549, 1, 1, 11];
+const sigalg = 'RSA-SHA256';
+
+const private_key = fs.readFileSync('./0-dns-key.pem');
+// public key file can be generated from the private key with
+// openssl rsa -in 0-dns-key.pem -RSAPublicKey_out -outform der
+// -out 0-dns-rsapub.der
+const public_key = fs.readFileSync('./0-dns-rsapub.der');
+
+const now = Date.now();
+const days = 3650;
+
+const Null_ = asn1.define('Null_', function() {
+ this.null_();
+});
+const null_ = Null_.encode('der');
+
+const PrintStr = asn1.define('PrintStr', function() {
+ this.printstr();
+});
+const issuer = PrintStr.encode('ca.example.com', 'der');
+const subject = PrintStr.encode('evil.example.com', 'der');
+
+const tbs = {
+ version: 'v3',
+ serialNumber: new BN('01', 16),
+ signature: { algorithm: sha256WithRSAEncryption, parameters: null_},
+ issuer: { type: 'rdnSequence',
+ value: [ [{type: id_at_commonName, value: issuer}] ] },
+ validity:
+ { notBefore: { type: 'utcTime', value: now },
+ notAfter: { type: 'utcTime', value: now + days * 86400000} },
+ subject: { type: 'rdnSequence',
+ value: [ [{type: id_at_commonName, value: subject}] ] },
+ subjectPublicKeyInfo:
+ { algorithm: { algorithm: rsaEncryption, parameters: null_},
+ subjectPublicKey: { unused: 0, data: public_key} },
+ extensions:
+ [ { extnID: 'subjectAlternativeName',
+ critical: false,
+ // subjectAltName which contains '\0' character to check CVE-2009-2408
+ extnValue: [
+ { type: 'dNSName', value: 'good.example.org\u0000.evil.example.com' },
+ { type: 'dNSName', value: 'just-another.example.com' },
+ { type: 'iPAddress', value: Buffer.from('08080808', 'hex') },
+ { type: 'iPAddress', value: Buffer.from('08080404', 'hex') },
+ { type: 'dNSName', value: 'last.example.com' } ] }
+ ]
+};
+
+const tbs_der = rfc5280.TBSCertificate.encode(tbs, 'der');
+
+const sign = crypto.createSign(sigalg);
+sign.update(tbs_der);
+const signature = sign.sign(private_key);
+
+const cert = {
+ tbsCertificate: tbs,
+ signatureAlgorithm: { algorithm: sha256WithRSAEncryption, parameters: null_ },
+ signature:
+ { unused: 0,
+ data: signature }
+};
+const pem = rfc5280.Certificate.encode(cert, 'pem', {label: 'CERTIFICATE'});
+
+fs.writeFileSync('./0-dns-cert.pem', pem + '\n');
diff --git a/test/fixtures/0-dns/package.json b/test/fixtures/0-dns/package.json
new file mode 100644
index 00000000000000..667600c7d08521
--- /dev/null
+++ b/test/fixtures/0-dns/package.json
@@ -0,0 +1,16 @@
+{
+ "name": "0-dns",
+ "version": "1.0.0",
+ "description": "create certificate for 0-dns test",
+ "main": "createCert.js",
+ "scripts": {
+ "test": "echo \"Error: no test specified\" && exit 1"
+ },
+ "author": "",
+ "license": "SEE LICENSE IN ../../../LICENSE",
+ "private": true,
+ "dependencies": {
+ "asn1.js": "^4.9.1",
+ "asn1.js-rfc5280": "^1.2.2"
+ }
+}
diff --git a/test/fixtures/keys/0-dns-cert.pem b/test/fixtures/keys/0-dns-cert.pem
deleted file mode 100644
index 6cfc6c43c460d7..00000000000000
--- a/test/fixtures/keys/0-dns-cert.pem
+++ /dev/null
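Review bot: The three fixture paths in create-cert.js (`'./0-dns-key.pem'`, `'./0-dns-rsapub.der'`, `'./0-dns-cert.pem'`) are resolved against the process working directory, so the script reads or writes the wrong files unless it is launched from inside test/fixtures/0-dns. Resolving them against the script's own location removes that dependency: `const path = require('path');` with the other requires, then `fs.readFileSync(path.join(__dirname, '0-dns-key.pem'))` for the first read and the same treatment for the other two paths. A short header comment would also help the next reader: the certificate is signed with the same key whose public half it carries (the `ca.example.com` issuer name is only a label, no CA key is involved), and its only purpose is the NUL-in-subjectAltName test. The `validity` values are passed as millisecond timestamps from `Date.now()`, which presumably matches what asn1.js-rfc5280 expects for `utcTime`; worth confirming against the library rather than relying on the generated fixture looking right.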
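Review bot: `"main": "createCert.js"` in package.json names a file that does not exist in this commit; the script is added as `test/fixtures/0-dns/create-cert.js`, so the entry should read `"main": "create-cert.js"`. The README added in the same commit carries the same stale name in its `$ node ./createCert.js` step, so following the documented regeneration procedure fails with a module-not-found error until both are aligned with the real file name.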
@@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC/zCCAemgAwIBAgICJxEwCwYJKoZIhvcNAQEFMBUxEzARBgNVBAMWCm9oLm15 -Lmdvc2gwHhcNMTQxMjA4MTM0MTUzWhcNMzQxMjAzMTM0MTUzWjATMREwDwYDVQQD -FghldmlsLmNvbTCCASAwCwYJKoZIhvcNAQEBA4IBDwAwggEKAoIBAQCsFwwf1dsr -PdxyTHBreymbFGACLQtaOihGsSkYtIzUEF1aT90YDMzNdoLr4wkwWig5FPRMnjmX -7pXY9RVbWmwG/M2eku9S62LekUFkeY1W/QftV9LYgAg7wVDA+v3+zk/EMEqADYm6 -W735tzDIKtvx+/3Dd9puQ0TLFNHBxAmTz7YNaJdIUqzs3DWT4zeZQj0RCOyWCjQL -NfqQ80I7NYFYb4IJqiUY8iOTL5kPi7b5szem5EakQbhufDWun4xGTZk/URZHgYgp -REbOLTYs2hqbK76biW/Yvwd1l7RsptIvJvkuQ1R/dO1WPv6PLKLTuS1EOHM3YqNH -o7wDSplOJe5rAgMBAAGhCQMHADEyMzQ1NqIJAwcANzg5YWJjo0swSTBHBgNVHREE -QDA+ghRnb29nbGUuY29tAC5ldmlsLmNvbYIQanVzdC1hbm90aGVyLmNvbYcECAgI -CIcECAgEBIIIbGFzdC5jb20wCwYJKoZIhvcNAQEBA4IBAQBAC2n4CIXLnyONTjPc -qU0wu41wI+IQlb9mi0C7WEd9HumCbskahAp8vTs35DehnSxrl15FG0rABVtTROCv -eflBKuzwPjtnfZm37UIbQKQUtcxwMQ/zvA83w4GLrLvrFtaQRpXn/RtL/q4CIpQH -MGaPW1Gs24RVBHxI7OXf9UlUruB1yQLUbbtdBtxZ6pk/B32e3yWowbvG7OxuUL0F -1w4DD2m+GfbTyZSCfYKP/zMp3xhTxihVfZ2g07ufc51bNCftWKBLHM/QHJmn4pVo -rrz1vS9nMf/i16zrJ8Xmj61Eo4Aes37lAH5kUiT1VsNxSDcQCiqr1mcj6ByXKNCQ -wDzO ------END CERTIFICATE----- diff --git a/test/fixtures/keys/0-dns-key.pem b/test/fixtures/keys/0-dns-key.pem deleted file mode 100644 index d292789554d798..00000000000000 --- a/test/fixtures/keys/0-dns-key.pem +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEArBcMH9XbKz3cckxwa3spmxRgAi0LWjooRrEpGLSM1BBdWk/d -GAzMzXaC6+MJMFooORT0TJ45l+6V2PUVW1psBvzNnpLvUuti3pFBZHmNVv0H7VfS -2IAIO8FQwPr9/s5PxDBKgA2Julu9+bcwyCrb8fv9w3fabkNEyxTRwcQJk8+2DWiX -SFKs7Nw1k+M3mUI9EQjslgo0CzX6kPNCOzWBWG+CCaolGPIjky+ZD4u2+bM3puRG -pEG4bnw1rp+MRk2ZP1EWR4GIKURGzi02LNoamyu+m4lv2L8HdZe0bKbSLyb5LkNU -f3TtVj7+jyyi07ktRDhzN2KjR6O8A0qZTiXuawIDAQABAoIBABUlW9sJlz3QAyeU -VvgOEUW6EjYSPOPgY5SULl2XyfpA7IetapiK8huJJXtA0Z88ZNbmyUIk6yTNL2KS -cwZfrQiKxeVnXrsMq4B3ztY+zWxT+UZj1Ue/K8PT9E1SSiWmSkzsNitX/oWEwmpN -5VOjWJV6hmsfbhrAb1KZA1FQ+nBMEQrkEFpmFD1nJE8dH5rWNo4YbM/boR/kC93G -CHOwd2TKNrBa8ZeMOjcyUK9fg15CMkj7uTzfIGkjCM/mXOxvsvTuZ0np7PL7aF+o -GfSHP/l+B5rxT1GTYjZtpSEgAoqYEFJnnZELklo7KRWB7p2rgyHPElSjQN3xIn5Z -apNPrBECgYEA26gZGBP+j1Hqrh3nAhOq/t6PMj+V8yz/i2TrraJ1z7GKRGoBUOX9 -ruJGJExfACzgrKl1hL4XRfLdHuooScUqrIxLX7eKHE2nBSd0M40zEKbgIMRhaMsf -lAFOkxJRHMT7edaVu3MkSfDgFXRbhr+jcdxspzhunHMJVUnC5LgAKHMCgYEAyJAw -6GF80Uud5oDHo2tGY9uYgMIUN9rmrrFjqstkVB6QMFlyyeI3MHUhiU7qH53yaRCi -FxuHU6usQFmduwZAKInoPMRhYTYbexe4CYB+C96trwoV7ltDE+a7ZTsEj5kSYvCO -KLcVTn4mcU0TSpE0MU1XQKP0Ev/mdZ5aYEopvCkCgYEAlkVa3YkYNq5g8btNRbN0 -4SYbKtIrYJChRpjFTyV8mZkpMYKf4dtmANWWDNEekP0iu5y25BgzzcvHkJW6+DTl -6+OS0Sm8V36cS79hFL99dt/jJyeSSGHl+ZgnTCBU02zDaefuya2M3vTmKGdREk9a -ntOglYnayjc85Fcw+M4UdZcCgYAFw/9j7smDysSzR6h1jjPr0vhDW1Dxeh1/kCHp -Wwd7U5WZjji6jQJBJlzccaRRXF0HoC7Is0Xkpd7BytG5+qgFglFmzc5u2PtZQolL -3KHC/ZfInGWdAIqhG9TvSA8Ngb0BkyDDEuBN7Vp1j12qmxoBANQtS4lMsoaRgwfe -FMO2YQKBgGv6Ndv+eHWSkqGFOSXU6dXAjOuAji3K1yRlxUg/RS/DCMK+8XQbuh47 -+p998LwvI70JIr4v2PAkO3/HaRILOTRLLvq8O/yqHwrVf+P7AQ8kPm7uUf7kTXat -DYcKIAp5ddZweyFCgwVm+JMd1E+cpL97RbHCbu7Ct6OD9uLGXCUh ------END RSA PRIVATE KEY----- diff --git a/test/parallel/test-tls-0-dns-altname.js b/test/parallel/test-tls-0-dns-altname.js index 874dc6b235d644..483d256564accd 100644 --- a/test/parallel/test-tls-0-dns-altname.js +++ b/test/parallel/test-tls-0-dns-altname.js 
@@ -2,6 +2,8 @@
const common = require('../common');
const assert = require('assert');
+// Check getPeerCertificate can properly handle '\0' for fix CVE-2009-2408.
+
if (!common.hasCrypto) {
common.skip('missing crypto');
return;
@@ -11,8 +13,8 @@ const tls = require('tls');
const fs = require('fs');
const server = tls.createServer({
- key: fs.readFileSync(common.fixturesDir + '/keys/0-dns-key.pem'),
- cert: fs.readFileSync(common.fixturesDir + '/keys/0-dns-cert.pem')
+ key: fs.readFileSync(common.fixturesDir + '/0-dns/0-dns-key.pem'),
+ cert: fs.readFileSync(common.fixturesDir + '/0-dns/0-dns-cert.pem')
}, function(c) {
c.once('data', function() {
c.destroy();
@@ -24,11 +26,11 @@ const server = tls.createServer({
}, common.mustCall(function() {
const cert = c.getPeerCertificate();
assert.strictEqual(cert.subjectaltname,
- 'DNS:google.com\0.evil.com, ' +
- 'DNS:just-another.com, ' +
+ 'DNS:good.example.org\0.evil.example.com, ' +
+ 'DNS:just-another.example.com, ' +
'IP Address:8.8.8.8, ' +
'IP Address:8.8.4.4, ' +
- 'DNS:last.com');
+ 'DNS:last.example.com');
c.write('ok');
}));
}));
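Review bot: The comment added in the first hunk is hard to parse (`handle '\0' for fix CVE-2009-2408`) and does not say which behaviour the assertion below pins; `// Verify that getPeerCertificate() reports a subjectAltName containing an embedded NUL byte verbatim instead of truncating it at the NUL (the CVE-2009-2408 failure mode).` states it directly. The assertion in the last hunk only checks the rendered `subjectaltname` string; it does not show that hostname verification rejects this certificate for `good.example.org`, which is what the CVE reference is about, so an additional `assert(tls.checkServerIdentity('good.example.org', cert) instanceof Error);` next to it would pin that behaviour as well. The `createServer` callback and the client connection that enclose the last hunk begin outside the hunk.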