NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commitaf9e180

committed

Add SSL tests for IP addresses in certificates

This tests some scenarios that already work. A subsequent patch willintroduce more functionality.Author: Jacob Champion <pchampion@vmware.com>Co-authored-by: Kyotaro Horiguchi <horikyota.ntt@gmail.com>Co-authored-by: Daniel Gustafsson <daniel@yesql.se>Discussion:https://www.postgresql.org/message-id/flat/9f5f20974cd3a4091a788cf7f00ab663d5fcdffe.camel@vmware.com

1 parent5519d5a commitaf9e180Copy full SHA for af9e180

File tree

8 files changed

+147

-1

lines changed

src/test/ssl

8 files changed

+147

-1

lines changed

`‎src/test/ssl/conf/server-ip-cn-only.config`

Lines changed: 12 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,12 @@`
	`1`	`+# An OpenSSL format CSR config file for creating a server certificate.`
	`2`	`+#`
	`3`	`+`
	`4`	`+[ req ]`
	`5`	`+distinguished_name = req_distinguished_name`
	`6`	`+prompt = no`
	`7`	`+`
	`8`	`+[ req_distinguished_name ]`
	`9`	`+CN = 192.0.2.1`
	`10`	`+OU = PostgreSQL test suite`
	`11`	`+`
	`12`	`+# No Subject Alternative Names`

`‎src/test/ssl/conf/server-ip-in-dnsname.config`

Lines changed: 18 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,18 @@`
	`1`	`+# An OpenSSL format CSR config file for creating a server certificate.`
	`2`	`+#`
	`3`	`+`
	`4`	`+[ req ]`
	`5`	`+distinguished_name = req_distinguished_name`
	`6`	`+req_extensions = v3_req`
	`7`	`+prompt = no`
	`8`	`+`
	`9`	`+[ req_distinguished_name ]`
	`10`	`+OU = PostgreSQL test suite`
	`11`	`+`
	`12`	`+# For Subject Alternative Names`
	`13`	`+[ v3_req ]`
	`14`	`+subjectAltName = @alt_names`
	`15`	`+`
	`16`	`+# Normally IP addresses should not go into a dNSName.`
	`17`	`+[ alt_names ]`
	`18`	`+DNS.1 = 192.0.2.1`

`‎src/test/ssl/ssl/server-ip-cn-only.crt`

Lines changed: 18 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,18 @@`
	`1`	`+-----BEGIN CERTIFICATE-----`
	`2`	`+MIIC8TCCAdkCCCAhESkRN1IAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl`
	`3`	`+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg`
	`4`	`+Y2VydHMwHhcNMjExMTI5MTkzNzUyWhcNNDkwNDE2MTkzNzUyWjA0MR4wHAYDVQQL`
	`5`	`+DBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUxEjAQBgNVBAMMCTE5Mi4wLjIuMTCCASIw`
	`6`	`+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANWs1uUL71nHYF9Zj6p+M3MpYDvx`
	`7`	`+32iCjVdtH5a2qpSWHXTg0rR8dLX0y92cvOYvMXHRajZT1avpHr8dooPYSVaXpGMK`
	`8`	`+NvF/Qi+WFYovRbP2vmd1yv1cgW/FggbwJFWVobizIz4seyA4d0B2j9fqoi2OFBNP`
	`9`	`+huW664SjF0u3p21tDy+43i2LNUMAKf6dnRR5Vqenath87LEU41tSLudu6NXgbFMk`
	`10`	`+jvfNkl4d0w7YCzeXmklmSI+uaX3PlJJ4NzQO2j8w5BvnKVhNVD0KjgrXZ6nB/8F7`
	`11`	`+Pg3XY+d7rJlwRgXemU6resWQDJ7+UaC9u7I4EIP+9lzCR/nNBqUktpHRmHUCAwEA`
	`12`	`+ATANBgkqhkiG9w0BAQsFAAOCAQEAos1JncV8Yf4UaKl6h1GdYtcVtzFyJvBEnhRD`
	`13`	`+07ldL+TYnfZiX8wK2ssBtM3cg/C78y5bzdUa5XGS83ZKQJFFdhE7PSnrvyNqyIqY`
	`14`	`+ZgNBxto3gyvir+EjO1u9BAB0NP3r3gYoHRDZS1xOPPzt4WgjuUgTLM9k82GsqAbO`
	`15`	`+UrOTOdRnkIqC5xLpa05EnRyJPRsR1w1PRJC2XXKnHIuFjMb4v7UuPwyCcX1P5ioc`
	`16`	`+rQszQcORy/L+k0ezCkyweORg68htjYbBHuwOuiGfok6yKKDMzrTvD3lIslls6eX7`
	`17`	`+4sI3XWqzkPmG9Vsxm9Vu9/Ma+PRO76VyCoIwBd+Ufg5vNXhMmw==`
	`18`	`+-----END CERTIFICATE-----`

`‎src/test/ssl/ssl/server-ip-cn-only.key`

Lines changed: 27 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,27 @@`
	`1`	`+-----BEGIN RSA PRIVATE KEY-----`
	`2`	`+MIIEowIBAAKCAQEA1azW5QvvWcdgX1mPqn4zcylgO/HfaIKNV20flraqlJYddODS`
	`3`	`+tHx0tfTL3Zy85i8xcdFqNlPVq+kevx2ig9hJVpekYwo28X9CL5YVii9Fs/a+Z3XK`
	`4`	`+/VyBb8WCBvAkVZWhuLMjPix7IDh3QHaP1+qiLY4UE0+G5brrhKMXS7enbW0PL7je`
	`5`	`+LYs1QwAp/p2dFHlWp6dq2HzssRTjW1Iu527o1eBsUySO982SXh3TDtgLN5eaSWZI`
	`6`	`+j65pfc+Ukng3NA7aPzDkG+cpWE1UPQqOCtdnqcH/wXs+Dddj53usmXBGBd6ZTqt6`
	`7`	`+xZAMnv5RoL27sjgQg/72XMJH+c0GpSS2kdGYdQIDAQABAoIBAQDNXviU4WnF8rmQ`
	`8`	`+K7bH+dBdqbETLKC8BG7xTrMD2sINWlMpmUUrsEtE7+paMGHnJAj0CoF5gg5m0wN4`
	`9`	`+UXV4H5QtpEad4p14dAYbUreVP2ZRWKEdM7xM1HKcCUu2e22QzObJbXQ8N+iHyX3k`
	`10`	`++Y+7yYrjGiH1hYR0nbnsnAyx++zyYBSQeqzpdQwf/BLY5xZmyYWNfqbckiMpEqMs`
	`11`	`+EmZmGXnCjIipzEC0LQHoSW9PNa92Z9bvuxOKYl8iHYDDXjvMRFoZBSiMXpzHQocb`
	`12`	`+QlQ5F4ayfW2OrOhpNbY7niYM9GN3Bk9TgMP+0BkJE6uuktLYW35LY1M78CCPWcWb`
	`13`	`+npJNK3QBAoGBAOxkGrhAHAysSmtirIyMdvySb76wb/Ukfi+AULKz20FI5j4/GXm9`
	`14`	`+qCb2GeT+FFSUHeSC8f0EFnosRYkdBGruqeZioI+5rUkboYFJPspAHAuvg9kgtfF+`
	`15`	`+kvphD4O4P/foYsEZRx66FHozDbhrrR5UXc7KzqRIASc/D3FOx2UFJLb1AoGBAOdm`
	`16`	`+WcaMvYygl9ZW+ThWAR1xG1X70AGKwrlrpF2hBkWYxSurxSMXnD0DUzC9Nb4EyCaM`
	`17`	`+c2uSqEZOKdW+XfXtK2DnqXKfb3YCVEoGN4gVfyuW/vxii/+ZxLo3md/b3vrkZEVp`
	`18`	`+pfkXy/HoZ71YN7bNpcDpOnhml6vvuCRCYFnI1WuBAoGAC0shB6pwbJ6Sk5zMN47C`
	`19`	`+ZICufAK75o9OxAAyWsdC81SDQ3gKRImuDeZ2CD2nRP8qim9DFl5qoH2a+Nj9DArI`
	`20`	`+7SvLFfK9958tURrpuAnmDRzehLIOXzI33WRjtFxKGhLtHOKTRkGHlur3fdcPF0La`
	`21`	`+lHWV971E6NYXa8diuU3Mmj0CgYBYd+ka3/QYL83dRKNDxp3mg7fPx9ZewI5yFZVh`
	`22`	`+to6PTTkU2Tclk4FIUl0b5TsGyw06r7fxCMENIBUegwmpXGOZSPifuhUDKSDQrE/O`
	`23`	`+12knYTNbitG7hy6Pg3JxA77cbTVo1FuAQHjYo+IFohSq7zTP7FtObOrP8XaVZksw`
	`24`	`+CHiQAQKBgBW4EiA9AAnZ1LOpifAvM7bs0NHg95qTwtAL52WKom2ga2H+lMhxeu6Y`
	`25`	`+hUSytC/f9kALVcYloZhkLYpO07x1gXmy7f4parMjA4Ex+4vfu3kPd8GiNGZ+AUJD`
	`26`	`+nnJ1OINY9ziXJZfju7FpVWpkiuPzWCh6y/o3gZ/veq5mIUxuDMVa`
	`27`	`+-----END RSA PRIVATE KEY-----`

`‎src/test/ssl/ssl/server-ip-in-dnsname.crt`

Lines changed: 18 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,18 @@`
	`1`	`+-----BEGIN CERTIFICATE-----`
	`2`	`+MIIC/DCCAeSgAwIBAgIIICIDFRVYUgAwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE`
	`3`	`+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl`
	`4`	`+cnZlciBjZXJ0czAeFw0yMjAzMTUyMjU4NTJaFw00OTA3MzEyMjU4NTJaMCAxHjAc`
	`5`	`+BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQAD`
	`6`	`+ggEPADCCAQoCggEBAMpn5bP1/OfBQR/yvOkOBzxArE1j1YShVa2pcj896+CVDEgV`
	`7`	`+N5Hluz7KHU/JYzNZCAHb5WAHuvXxKeoj4Ti5be1KsqO0mN1p+RMN7VlCpCpb0AWT`
	`8`	`+z4z+I8TUhSZnmgghHvfW4RfcZMCcHq1vevVTDxR/cAbDPYpgBCD5F/SZMRyMDw5B`
	`9`	`+7ILLmft0eqA1nCqavyqBCGZvx1ol8N5BfVdrDXp/rN5997khBWQRZ8g84FZyFZXf`
	`10`	`+pwp57eu0OGQDzZFXoEL2t4OVld67K5jcclWVxHY6FGcHjCvyqs48PCPOR84anZwj`
	`11`	`+GsqVOS6250/DWKBQO4KyhkTVf0AW/ICGSMOKkAkCAwEAAaMYMBYwFAYDVR0RBA0w`
	`12`	`+C4IJMTkyLjAuMi4xMA0GCSqGSIb3DQEBCwUAA4IBAQDIAAH0WJKEpbPN0QihN6SF`
	`13`	`+UA5WL4ixsBACo9OIAGkSnKeOeVEG5vvgOna0hjQcOcgtI1oCDLhULcjCuwxiIW6y`
	`14`	`+QntOazyo0sooJr0hEm2WfipvIpQs6W9E1OTcs624BAVfkAwr6WT2VwoIAPcQD2nR`
	`15`	`+tIQhSUIR9J7Q5WbzuQw7pthQhBfW/UPWw7vajel0r1dflbe0Cgp5WGNfp1kYy+Qf`
	`16`	`+XW/YjkstZEP1KFm+TF58uxrIDmYboS8EerUREGQixijbI0AfXjShxtiyS63rbdpo`
	`17`	`+3C0BPj9Yx2VtWi4U0qoef/iLJxJBCLvE/97+duPdKx0AkkOWA9VuenkWLp797UM8`
	`18`	`+-----END CERTIFICATE-----`

`‎src/test/ssl/ssl/server-ip-in-dnsname.key`

Lines changed: 27 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,27 @@`
	`1`	`+-----BEGIN RSA PRIVATE KEY-----`
	`2`	`+MIIEowIBAAKCAQEAymfls/X858FBH/K86Q4HPECsTWPVhKFVralyPz3r4JUMSBU3`
	`3`	`+keW7PsodT8ljM1kIAdvlYAe69fEp6iPhOLlt7Uqyo7SY3Wn5Ew3tWUKkKlvQBZPP`
	`4`	`+jP4jxNSFJmeaCCEe99bhF9xkwJwerW969VMPFH9wBsM9imAEIPkX9JkxHIwPDkHs`
	`5`	`+gsuZ+3R6oDWcKpq/KoEIZm/HWiXw3kF9V2sNen+s3n33uSEFZBFnyDzgVnIVld+n`
	`6`	`+Cnnt67Q4ZAPNkVegQva3g5WV3rsrmNxyVZXEdjoUZweMK/Kqzjw8I85HzhqdnCMa`
	`7`	`+ypU5LrbnT8NYoFA7grKGRNV/QBb8gIZIw4qQCQIDAQABAoIBAA2kPP4JCTeRddMy`
	`8`	`+Z/sJIAG2liZNITnkKcMflXyfrsMfKIm/LFSf+CO+OYWEHDR8vqZpbKcxPi+PRnTq`
	`9`	`+YCaTkM4aZ7nS1S6vEsNu/90xOaFFONr3YFivVDfS3vp8pwv/N3gaumcCSqQUoZis`
	`10`	`+18urAmwuPp2mEQK/f+e9AhlRLdcvlqDyKm+zMrVixK77Hj5JiEkh3rfZ3onHHKGE`
	`11`	`+B7T2XRRqnZ4FCN9qLH2pMGUknZ4MGC9SlCyoerXFodb4DhKWQhJDRLjb8qP96r/E`
	`12`	`+FGSg5WUiAERU/OgODoqZNTeIwIDB/f9NK45dEY3Hw6BsSFfU2VChrlNoVlzFUx2k`
	`13`	`+yaH5Y4ECgYEA8rht3crh3GTy0jBJjNqB2iul8fkG/uiaiSvERWT/+KZnmV1+JGAW`
	`14`	`+h2/wvd5apagOJjqKY0bCHMei/qYF9r4yJnkIy4qNper3QUz7TMCjsWduCm8S834A`
	`15`	`+Z+Vwi3RBGJiQQH9Dfexko5sDjo+w5g4RsH52INCeReInNdxHOv06jZECgYEA1XrR`
	`16`	`+QNwZlxHt3H93YKmKDZXikqW12Cuq6RSwf5VVdeuzV+pUN+/JaSgEuYsBilW7Q5p2`
	`17`	`+gPROi0l8/eUPsBJb+dh1BcGzSjI2Kkzf66QOTG83S7tCPwQhwJUAylFuADvURjPQ`
	`18`	`+qvqNjbQUomdm2QjBzyWtiFbolqxBgM3dnE6R/vkCgYBYGqQexx83LhmKPGbmTwal`
	`19`	`+mARzkg59BxfZRN7IxcG4k0a1v98i+xISdYqwkP7cdOU18Tf8k1mwsrKytrcheqaf`
	`20`	`+mn2bzJ5gJKs9s+DgWmjQ45dpCCqb4hfpnro8lKVwdSifkNKB6gYZ8RHYdMYkq+S1`
	`21`	`+6SGeBbv95/qNrXjZq8POUQKBgHyaDwD4dsdCY79LdvYofrenQHOv3Q+rjTo2JT6S`
	`22`	`+fysww6EQ2M89WiXSgc96Xw/LMl4nDfv+nMmXvyjCRgHS9XRC7yrJAEjSPeM6s4fq`
	`23`	`+XZ4nW/ML/YKiesDZN3jfRoFEaoX/QFBLpcuLzG9uQw1ymwy5RSxK7b7kE+eGQU82`
	`24`	`+XOihAoGBAI3xvT9fG3jRsSuw/8OQBlmDUFZcT0fRPRZ3pg8XlSreAam4b607d2WY`
	`25`	`+u/bBHIclG3CLJ2EFqBtxl9AQeM0OTweF0KmV3dbtdBmaTbnhbK8/NLYnl5+aosEJ`
	`26`	`+YrFKD8k8z6z+mYQs+7bAnfRa53TjfC7f24BpgEQyEfKL2fa3PF+J`
	`27`	`+-----END RSA PRIVATE KEY-----`

`‎src/test/ssl/sslfiles.mk`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,8 @@`
`23`	`23`	`#`
`24`	`24`	`SERVERS := server-cn-and-alt-names\`
`25`	`25`	`server-cn-only\`
	`26`	`+server-ip-cn-only\`
	`27`	`+server-ip-in-dnsname\`
`26`	`28`	`server-single-alt-name\`
`27`	`29`	`server-multiple-alt-names\`
`28`	`30`	`server-no-names\`

`‎src/test/ssl/t/001_ssltests.pl`

Lines changed: 25 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -229,6 +229,30 @@ sub switch_server_cert`
`229`	`229`	`qr/\Qserver certificate for "common-name.pg-ssltest.test" does not match host name "wronghost.test"\E/`
`230`	`230`	`);`
`231`	`231`
	`232`	`+# Test with an IP address in the Common Name. This is a strange corner case that`
	`233`	`+# nevertheless is supported, as long as the address string matches exactly.`
	`234`	`+switch_server_cert($node,certfile=>'server-ip-cn-only');`
	`235`	`+`
	`236`	`+$common_connstr =`
	`237`	`+"$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";`
	`238`	`+`
	`239`	`+$node->connect_ok("$common_connstr host=192.0.2.1",`
	`240`	`+"IP address in the Common Name");`
	`241`	`+`
	`242`	`+$node->connect_fails(`
	`243`	`+"$common_connstr host=192.000.002.001",`
	`244`	`+"mismatch between host name and server certificate IP address",`
	`245`	`+expected_stderr=>`
	`246`	`+qr/\Qserver certificate for "192.0.2.1" does not match host name "192.000.002.001"\E/`
	`247`	`+);`
	`248`	`+`
	`249`	`+# Similarly, we'll also match an IP address in a dNSName SAN. (This is`
	`250`	`+# long-standing behavior.)`
	`251`	`+switch_server_cert($node,certfile=>'server-ip-in-dnsname');`
	`252`	`+`
	`253`	`+$node->connect_ok("$common_connstr host=192.0.2.1",`
	`254`	`+"IP address in a dNSName");`
	`255`	`+`
`232`	`256`	`# Test Subject Alternative Names.`
`233`	`257`	`switch_server_cert($node,certfile=>'server-multiple-alt-names');`
`234`	`258`
`@@ -281,7 +305,7 @@ sub switch_server_cert`
`281`	`305`	`qr/\Qserver certificate for "single.alt-name.pg-ssltest.test" does not match host name "deep.subdomain.wildcard.pg-ssltest.test"\E/`
`282`	`306`	`);`
`283`	`307`
`284`		`-# Test server certificate with a CN and SANs. Per RFCs 2818 and 6125, the CN`
	`308`	`+# Test server certificate with a CN andDNSSANs. Per RFCs 2818 and 6125, the CN`
`285`	`309`	`# should be ignored when the certificate has both.`
`286`	`310`	`switch_server_cert($node,certfile=>'server-cn-and-alt-names');`
`287`	`311`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitaf9e180

File tree

8 files changed

8 files changed

`‎src/test/ssl/conf/server-ip-cn-only.config`

`‎src/test/ssl/conf/server-ip-in-dnsname.config`

`‎src/test/ssl/ssl/server-ip-cn-only.crt`

`‎src/test/ssl/ssl/server-ip-cn-only.key`

`‎src/test/ssl/ssl/server-ip-in-dnsname.crt`

`‎src/test/ssl/ssl/server-ip-in-dnsname.key`

`‎src/test/ssl/sslfiles.mk`

`‎src/test/ssl/t/001_ssltests.pl`

0 commit comments