Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit257eb57

Browse files
committed
Don't reflect unescaped cert data to the logs
Commit3a0e385 introduced a new path for unauthenticated bytes fromthe client certificate to be printed unescaped to the logs. There are ahandful of these already, but it doesn't make sense to keep making theproblem worse. \x-escape any unprintable bytes.The test case introduces a revoked UTF-8 certificate. This requires theaddition of the `-utf8` flag to `openssl req`. Since the existingcertificates all use an ASCII subset, this won't modify the existingcertificates' subjects if/when they get regenerated; this was verifiedexperimentally with $ make sslfiles-clean $ make sslfilesUnfortunately the test can't be run in the CI yet due to a test timingissue; see55828a6.Author: Jacob Champion <jchampion@timescale.com>Discussion:https://www.postgresql.org/message-id/CAAWbhmgsvHrH9wLU2kYc3pOi1KSenHSLAHBbCVmmddW6-mc_=w@mail.gmail.com
1 parent45b1a67 commit257eb57

File tree

11 files changed

+150
-67
lines changed

11 files changed

+150
-67
lines changed

‎src/backend/libpq/be-secure-openssl.c‎

Lines changed: 31 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -27,12 +27,14 @@
2727
#include<netinet/tcp.h>
2828
#include<arpa/inet.h>
2929

30+
#include"common/string.h"
3031
#include"libpq/libpq.h"
3132
#include"miscadmin.h"
3233
#include"pgstat.h"
3334
#include"storage/fd.h"
3435
#include"storage/latch.h"
3536
#include"tcop/tcopprot.h"
37+
#include"utils/builtins.h"
3638
#include"utils/memutils.h"
3739

3840
/*
@@ -1080,16 +1082,16 @@ dummy_ssl_passwd_cb(char *buf, int size, int rwflag, void *userdata)
10801082
}
10811083

10821084
/*
1083-
* Examines the provided certificate name, and if it's too long to log, modifies
1084-
* and truncates it. The return value is NULL if no truncation was needed; it
1085-
*otherwise points into the middle of theinput string, and should not be
1086-
*freed.
1085+
* Examines the provided certificate name, and if it's too long to log or
1086+
*contains unprintable ASCII, escapesand truncates it. The return value is
1087+
*always a new palloc'd string. (Theinput string is still modified in place,
1088+
*for ease of implementation.)
10871089
*/
10881090
staticchar*
1089-
truncate_cert_name(char*name)
1091+
prepare_cert_name(char*name)
10901092
{
10911093
size_tnamelen=strlen(name);
1092-
char*truncated;
1094+
char*truncated=name;
10931095

10941096
/*
10951097
* Common Names are 64 chars max, so for a common case where the CN is the
@@ -1099,19 +1101,20 @@ truncate_cert_name(char *name)
10991101
*/
11001102
#defineMAXLEN 71
11011103

1102-
if (namelen <=MAXLEN)
1103-
returnNULL;
1104-
1105-
/*
1106-
* Keep the end of the name, not the beginning, since the most specific
1107-
* field is likely to give users the most information.
1108-
*/
1109-
truncated=name+namelen-MAXLEN;
1110-
truncated[0]=truncated[1]=truncated[2]='.';
1104+
if (namelen>MAXLEN)
1105+
{
1106+
/*
1107+
* Keep the end of the name, not the beginning, since the most specific
1108+
* field is likely to give users the most information.
1109+
*/
1110+
truncated=name+namelen-MAXLEN;
1111+
truncated[0]=truncated[1]=truncated[2]='.';
1112+
namelen=MAXLEN;
1113+
}
11111114

11121115
#undef MAXLEN
11131116

1114-
returntruncated;
1117+
returnpg_clean_ascii(truncated,0);
11151118
}
11161119

11171120
/*
@@ -1154,21 +1157,24 @@ verify_cb(int ok, X509_STORE_CTX *ctx)
11541157
{
11551158
char*subject,
11561159
*issuer;
1157-
char*sub_truncated,
1158-
*iss_truncated;
1160+
char*sub_prepared,
1161+
*iss_prepared;
11591162
char*serialno;
11601163
ASN1_INTEGER*sn;
11611164
BIGNUM*b;
11621165

11631166
/*
11641167
* Get the Subject and Issuer for logging, but don't let maliciously
1165-
* huge certs flood the logs.
1168+
* huge certs flood the logs, and don't reflect non-ASCII bytes into it
1169+
* either.
11661170
*/
11671171
subject=X509_NAME_to_cstring(X509_get_subject_name(cert));
1168-
sub_truncated=truncate_cert_name(subject);
1172+
sub_prepared=prepare_cert_name(subject);
1173+
pfree(subject);
11691174

11701175
issuer=X509_NAME_to_cstring(X509_get_issuer_name(cert));
1171-
iss_truncated=truncate_cert_name(issuer);
1176+
iss_prepared=prepare_cert_name(issuer);
1177+
pfree(issuer);
11721178

11731179
/*
11741180
* Pull the serial number, too, in case a Subject is still ambiguous.
@@ -1181,14 +1187,13 @@ verify_cb(int ok, X509_STORE_CTX *ctx)
11811187
appendStringInfoChar(&str,'\n');
11821188
appendStringInfo(&str,
11831189
_("Failed certificate data (unverified): subject \"%s\", serial number %s, issuer \"%s\"."),
1184-
sub_truncated ?sub_truncated :subject,
1185-
serialno ?serialno :_("unknown"),
1186-
iss_truncated ?iss_truncated :issuer);
1190+
sub_prepared,serialno ?serialno :_("unknown"),
1191+
iss_prepared);
11871192

11881193
BN_free(b);
11891194
OPENSSL_free(serialno);
1190-
pfree(issuer);
1191-
pfree(subject);
1195+
pfree(iss_prepared);
1196+
pfree(sub_prepared);
11921197
}
11931198

11941199
/* Store our detail message to be logged later. */
Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,13 @@
1+
# An OpenSSL format CSR config file for creating a client certificate.
2+
#
3+
# The certificate contains a non-ASCII CN encoded in UTF-8. It is revoked by the
4+
# client CA.
5+
6+
[ req ]
7+
distinguished_name = req_distinguished_name
8+
prompt = no
9+
10+
[ req_distinguished_name ]
11+
CN = Οδυσσέας
12+
13+
# no extensions in client certs
Lines changed: 10 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,12 @@
11
-----BEGIN X509 CRL-----
2-
MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
3-
b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
4-
MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
5-
MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
6-
GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
7-
Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
8-
AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
9-
w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
10-
tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
2+
MIIBwDCBqTANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
3+
b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMjA3
4+
MTgyMjI4MTVaFw00OTEyMDMyMjI4MTVaMDYwGQIIICEDAxQSBwEXDTIyMDcxODIy
5+
MjgxNVowGQIIICIHGBUoFQAXDTIyMDcxODIyMjgxNVowDQYJKoZIhvcNAQELBQAD
6+
ggEBAFDH3m9AHpDjkEFjO6svnLJ2bTliGeKZaJW8/RAN4mWvWDhXDQfzqGcFHN2a
7+
SIL57Xc4PdwTiXuU4QEP4RvWW90LYKdcrcT8uh0AN3i7ShMwcV7I7owzF5+CBuT7
8+
Ev0MU4QIz0PjXoybXP6b3wHhZbEjYTLYdnYdqjrsAchUpyDQn6fiC0C7FgjCi4HL
9+
rNm2kMchFpzd6K9e41kxWVp7xCPXgqUK8OrxlW56ObkX8UpBIZzyU6RisJKOZJAn
10+
/+lwT43yTtU739atdXdSMvGHT9Y7LsrSDz9zgp2/iMTmfctnPcp81J/6jQZEP8kx
11+
OyPyZz4xy/EShWy+KUklfOoKRo8=
1112
-----END X509 CRL-----
Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,18 @@
1+
-----BEGIN CERTIFICATE-----
2+
MIIC2DCCAcACCCAiBxgVKBUAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
3+
c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
4+
Y2VydHMwHhcNMjIwNzE4MjIyODE1WhcNNDkxMjAzMjIyODE1WjAbMRkwFwYDVQQD
5+
DBDOn860z4XPg8+Dzq3Osc+CMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
6+
AQEAvBiL1mVjTrzZ6sbrvfu746dzh+EEyuJNkCwPeJTtpva2wqqRUMYw05cV5kzi
7+
YQ3UikMP5Yz0FXTeWoahSpJAWeR5XsFx3wOQvRzwi1KWm2CHr/rb7KbPvoZQdXuV
8+
8UeKrQ6PrEvjoarHAUZuWyUC6EnEAGuiKl5yuax5mkTcK5F8pig2/SS/UonX5ar5
9+
58rOUEaIdyZmXtrO86cm5S5Oz3G2naQB3PPPOhtkoGBHikRHiqBPVRpX3w9TIpBL
10+
BZbT4MIZ+fCjZ9wXj4aiDUzPglu6/Tfx9sNcxc6Ilz/XHfPuBVyyjgrny2SrW0W4
11+
KlhU09y+m5gKL358z8tj599DowIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAE47ns
12+
wfceztieaRQtoF+gPcCuImOJqaB7jTE6cQ+aoW/q+sUlOh7AD0IZqhS4o0A4O+ny
13+
MD7kHkpYP+ctHNomsSQRkFTDZ2ZJGcRgxbwMOSvsKcgNOTMGqpXQiP0x0m7QMBGl
14+
EHeu5MqG/IK/ZlH9aOTvSnHegB6ztct/7wXMeFCflsWLp6wvnv9YpddaaXf95Oms
15+
9kwbVYkI1wxaBsAO8VGbJw1YtdErgd65qKTJa45xndtm61i1Jeig5asSNQPwjfZ5
16+
aNHZ9GsSwsc31Q/6iiezbPwgdAi3ih//uB2hznkMhObnqzR3n8Sw9zgL7DdFr2y9
17+
2R7kJuGq6DvlWFYS
18+
-----END CERTIFICATE-----
Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
-----BEGIN RSA PRIVATE KEY-----
2+
MIIEpAIBAAKCAQEAvBiL1mVjTrzZ6sbrvfu746dzh+EEyuJNkCwPeJTtpva2wqqR
3+
UMYw05cV5kziYQ3UikMP5Yz0FXTeWoahSpJAWeR5XsFx3wOQvRzwi1KWm2CHr/rb
4+
7KbPvoZQdXuV8UeKrQ6PrEvjoarHAUZuWyUC6EnEAGuiKl5yuax5mkTcK5F8pig2
5+
/SS/UonX5ar558rOUEaIdyZmXtrO86cm5S5Oz3G2naQB3PPPOhtkoGBHikRHiqBP
6+
VRpX3w9TIpBLBZbT4MIZ+fCjZ9wXj4aiDUzPglu6/Tfx9sNcxc6Ilz/XHfPuBVyy
7+
jgrny2SrW0W4KlhU09y+m5gKL358z8tj599DowIDAQABAoIBAQCpdePmUInb0kDy
8+
SCzziOyJ+b8YWB4dOy1uCoQVuvcxSWz2jP1GrIgo2SGdzv7VOcSWnDyiLw9olVYO
9+
cOS3bnQTiMfgGqAgr/Gir4P3wXx2l80nOvcQimj32cJ7VdCNBEtoBopiTCzU5itM
10+
dsvNydaIuIyhZFdBnL33kfAskIVbqbgNyMCuDvhEMGFh7T193j3cKnvcfoHsSoNK
11+
65MT53764P404avgH9+C0W41GvXoMY5BUphUiCwi5TKIvalNP9Gu2LI3R4J3tAE1
12+
QSR/3Jtaunb5izCyi23MZC+mdz9EALeYRmLpXsspbHaPXDpUA67xifCKnX4JUPVf
13+
Op5XcXjhAoGBAN/Jt7TFPypRtbW200zx6F3RmToWRnvgn5vaNTmiy0ivcHJu4MLS
14+
o0yiV3VWksf1PCInK19C1yFo6H2lkhKhvipL62MoRkspOUJcMh42DPPf/RDMhYnF
15+
8MVQ1TlMdg/I4YXGzsrfl93eFERRjWiAt8b58D9OVpWcQNZMPmGztes3AoGBANcr
16+
n8ZmGZ5JDzbc+N9l1bGJuRT6PvH0rpoKjWOyaVMDedAUnCbfq01j42zXMfQLR1nE
17+
67Z6oWrBNNdEJFBhTzTZ+ZYXxpJP/FYJQ19dOCTKN1LQ79OAbSsU0NBLkss4a903
18+
9JQ+zhrEIEaXCTV9sEnp10KrEo6ctuaqMOkVCBj1AoGBAJy/Xb1wq12o/e3ZsQck
19+
Ke4M8ZaOI7CBFUrE/KLyNBElUU3V+/h6MYdr7nZxvT3xt7z0UpzW5HiyUqYvYrFK
20+
OTjHFIjPnOzoYwLoMPKYSVpIealal+54hryucatAszE7MzvQlOfk1SrCcs+nj7Sy
21+
9Aaa6nxtEpiYaZGwtcEZb0LhAoGAJYODjbGLUd9m+ae49CnrAdMDI7cldkW0k0K3
22+
t+QJHOIEQNT3DIf+c7Wwlu9F1EiLHgmJFv12WwhoUAefVSxCBPLj4tkuU6ACXHWs
23+
+1ljSna/An9O8M75OYOdjFNAupGRrLXuvFHe2SfMgMIgZuUM8TYFw6fTym1kLf8K
24+
G/kAumkCgYBBD0TXDDAmVCYECSG1Uz35vm9GitbIe++o2ykO2sdB5mPRiMsfVJw4
25+
bVInkvV6Y2u4ltsNsS/0Y3A2xq/CnYhc7PeIIWFnfoyuHaIM4TIAflpM6qf4lOWE
26+
8Ot31P8Mt5U0cvCBuKpu0r9by66xX6yqKCqTPMSvbL7MCx5ukGYY7g==
27+
-----END RSA PRIVATE KEY-----

‎src/test/ssl/ssl/client.crl‎

Lines changed: 10 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,12 @@
11
-----BEGIN X509 CRL-----
2-
MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
3-
b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
4-
MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
5-
MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
6-
GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
7-
Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
8-
AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
9-
w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
10-
tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
2+
MIIBwDCBqTANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
3+
b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMjA3
4+
MTgyMjI4MTVaFw00OTEyMDMyMjI4MTVaMDYwGQIIICEDAxQSBwEXDTIyMDcxODIy
5+
MjgxNVowGQIIICIHGBUoFQAXDTIyMDcxODIyMjgxNVowDQYJKoZIhvcNAQELBQAD
6+
ggEBAFDH3m9AHpDjkEFjO6svnLJ2bTliGeKZaJW8/RAN4mWvWDhXDQfzqGcFHN2a
7+
SIL57Xc4PdwTiXuU4QEP4RvWW90LYKdcrcT8uh0AN3i7ShMwcV7I7owzF5+CBuT7
8+
Ev0MU4QIz0PjXoybXP6b3wHhZbEjYTLYdnYdqjrsAchUpyDQn6fiC0C7FgjCi4HL
9+
rNm2kMchFpzd6K9e41kxWVp7xCPXgqUK8OrxlW56ObkX8UpBIZzyU6RisJKOZJAn
10+
/+lwT43yTtU739atdXdSMvGHT9Y7LsrSDz9zgp2/iMTmfctnPcp81J/6jQZEP8kx
11+
OyPyZz4xy/EShWy+KUklfOoKRo8=
1112
-----END X509 CRL-----
Lines changed: 10 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,12 @@
11
-----BEGIN X509 CRL-----
2-
MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
3-
b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
4-
MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
5-
MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
6-
GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
7-
Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
8-
AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
9-
w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
10-
tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
2+
MIIBwDCBqTANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
3+
b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMjA3
4+
MTgyMjI4MTVaFw00OTEyMDMyMjI4MTVaMDYwGQIIICEDAxQSBwEXDTIyMDcxODIy
5+
MjgxNVowGQIIICIHGBUoFQAXDTIyMDcxODIyMjgxNVowDQYJKoZIhvcNAQELBQAD
6+
ggEBAFDH3m9AHpDjkEFjO6svnLJ2bTliGeKZaJW8/RAN4mWvWDhXDQfzqGcFHN2a
7+
SIL57Xc4PdwTiXuU4QEP4RvWW90LYKdcrcT8uh0AN3i7ShMwcV7I7owzF5+CBuT7
8+
Ev0MU4QIz0PjXoybXP6b3wHhZbEjYTLYdnYdqjrsAchUpyDQn6fiC0C7FgjCi4HL
9+
rNm2kMchFpzd6K9e41kxWVp7xCPXgqUK8OrxlW56ObkX8UpBIZzyU6RisJKOZJAn
10+
/+lwT43yTtU739atdXdSMvGHT9Y7LsrSDz9zgp2/iMTmfctnPcp81J/6jQZEP8kx
11+
OyPyZz4xy/EShWy+KUklfOoKRo8=
1112
-----END X509 CRL-----

‎src/test/ssl/ssl/root+client.crl‎

Lines changed: 10 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -10,13 +10,14 @@ SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
1010
+GrJP3XxJ1OC
1111
-----END X509 CRL-----
1212
-----BEGIN X509 CRL-----
13-
MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
14-
b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
15-
MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
16-
MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
17-
GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
18-
Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
19-
AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
20-
w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
21-
tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
13+
MIIBwDCBqTANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
14+
b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMjA3
15+
MTgyMjI4MTVaFw00OTEyMDMyMjI4MTVaMDYwGQIIICEDAxQSBwEXDTIyMDcxODIy
16+
MjgxNVowGQIIICIHGBUoFQAXDTIyMDcxODIyMjgxNVowDQYJKoZIhvcNAQELBQAD
17+
ggEBAFDH3m9AHpDjkEFjO6svnLJ2bTliGeKZaJW8/RAN4mWvWDhXDQfzqGcFHN2a
18+
SIL57Xc4PdwTiXuU4QEP4RvWW90LYKdcrcT8uh0AN3i7ShMwcV7I7owzF5+CBuT7
19+
Ev0MU4QIz0PjXoybXP6b3wHhZbEjYTLYdnYdqjrsAchUpyDQn6fiC0C7FgjCi4HL
20+
rNm2kMchFpzd6K9e41kxWVp7xCPXgqUK8OrxlW56ObkX8UpBIZzyU6RisJKOZJAn
21+
/+lwT43yTtU739atdXdSMvGHT9Y7LsrSDz9zgp2/iMTmfctnPcp81J/6jQZEP8kx
22+
OyPyZz4xy/EShWy+KUklfOoKRo8=
2223
-----END X509 CRL-----

‎src/test/ssl/sslfiles.mk‎

Lines changed: 6 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -33,7 +33,8 @@ SERVERS := server-cn-and-alt-names \
3333
server-multiple-alt-names\
3434
server-no-names\
3535
server-revoked
36-
CLIENTS := client client-dn client-revoked client_ext client-long
36+
CLIENTS := client client-dn client-revoked client_ext client-long\
37+
client-revoked-utf8
3738

3839
#
3940
# To add a new non-standard key, add it to SPECIAL_KEYS and then add a recipe
@@ -175,7 +176,7 @@ $(CLIENT_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/client_c
175176
# The CSRs don't need to persist after a build.
176177
.INTERMEDIATE:$(CERTIFICATES:%=ssl/%.csr)
177178
ssl/%.csr: ssl/%.key conf/%.config
178-
openssl req -new -key$< -out$@ -config conf/$*.config
179+
openssl req -new -utf8 -key$< -out$@ -config conf/$*.config
179180

180181
#
181182
# CA State
@@ -215,8 +216,9 @@ ssl/server.crl: ssl/server-revoked.crt ssl/server_ca.crt | $(server_ca_state_fil
215216
openssl ca -config conf/cas.config -name server_ca -revoke$<
216217
openssl ca -config conf/cas.config -name server_ca -gencrl -out$@
217218

218-
ssl/client.crl: ssl/client-revoked.crt ssl/client_ca.crt |$(client_ca_state_files)
219-
openssl ca -config conf/cas.config -name client_ca -revoke$<
219+
ssl/client.crl: ssl/client-revoked.crt ssl/client-revoked-utf8.crt ssl/client_ca.crt |$(client_ca_state_files)
220+
openssl ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked.crt
221+
openssl ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked-utf8.crt
220222
openssl ca -config conf/cas.config -name client_ca -gencrl -out$@
221223

222224
#

‎src/test/ssl/t/001_ssltests.pl‎

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -793,4 +793,17 @@ sub switch_server_cert
793793
#]
794794
);
795795

796+
# revoked client cert, non-ASCII subject
797+
$node->connect_fails(
798+
"$common_connstr user=ssltestuser sslcert=ssl/client-revoked-utf8.crt"
799+
. sslkey('client-revoked-utf8.key'),
800+
"certificate authorization fails with revoked UTF-8 client cert with server-side CRL directory",
801+
expected_stderr=>qr/SSL error: sslv3 alert certificate revoked/,
802+
# temporarily(?) skip this check due to timing issue
803+
#log_like => [
804+
#qr{Client certificate verification failed at depth 0: certificate revoked},
805+
#qr{Failed certificate data \(unverified\): subject "/CN=\\xce\\x9f\\xce\\xb4\\xcf\\x85\\xcf\\x83\\xcf\\x83\\xce\\xad\\xce\\xb1\\xcf\\x82", serial number 2315420958437414144, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"},
806+
#]
807+
);
808+
796809
done_testing();

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp