help-gnutls

[Help-gnutls] Re: gnutls_x509_crt_check_hostname()


From: Simon Josefsson
Subject: [Help-gnutls] Re: gnutls_x509_crt_check_hostname()
Date: Thu, 13 Aug 2009 11:51:13 +0200
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1.50 (gnu/linux)

Daniel Stenberg <address@hidden> writes:

> On Wed, 12 Aug 2009, Simon Josefsson wrote:
>
>> Can you post the certificate, or create one that exhibits the same problem?
>
> Yes I can. I have the luxury of actually being able to repeat this
> problem within the curl test suite (test 311). This test was just
> added and thus made me notice this flaw...
>
> The exact certificates used for this test are found here:
> http://cool.haxx.se/cvs.cgi/curl/tests/certs/
>
> The "Server-localhost0h-sv.pem" is used for the server cert, while
> EdelCurlRoot-ca.crt is the cacert.

Looking into this further, I'm not able to reproduce it...  The code
below, that uses your cert, works for me with 2.8.2.  It appears as if
the patch that went into 2.8.2 to fix the security issue is effective.
Am I doing something wrong?

If you can convert the code into a test that incorrectly fails with
2.8.2 (or upcoming 2.8.3) it will be easier for me to fix it.

address@hidden:~$ gcc -o test test.c -lgnutls
address@hidden:~$ ./test
Hostname correctly does not match (0)
address@hidden:~$ 

/Simon

/*
 * Copyright (C) 2007, 2009 Free Software Foundation
 *
 * Author: Simon Josefsson
 *
 * This file is part of GNUTLS.
 *
 * GNUTLS is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * GNUTLS is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with GNUTLS; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
 */

#include <string.h>
#include <stdio.h>
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>

/* Certificate with SAN and CN that match iff you truncate the SAN to
   the embedded NUL. */
char pem[] =
  "X.509 Certificate Information:\n"
  "     Version: 3\n"
  "     Serial Number (hex): 0b5d0a870d09\n"
  "     Issuer: C=NN,O=Edel Curl Arctic Illudium Research Cloud,CN=Nothern Nowhere Trust Anchor\n"
  "     Validity:\n"
  "             Not Before: Tue Aug 04 22:07:33 UTC 2009\n"
  "             Not After: Sat Oct 21 22:07:33 UTC 2017\n"
  "     Subject: C=NN,O=Edel Curl Arctic Illudium Research Cloud,CN=localhost\n"
  "     Subject Public Key Algorithm: RSA\n"
  "             Modulus (bits 1024):\n"
  "                     be:67:3b:b4:ea:c0:85:b4:c3:56:c1:a4:96:23:36:f5\n"
  "                     c6:77:aa:ad:e5:c1:dd:ce:c1:9a:97:07:dd:16:90:eb\n"
  "                     f0:38:b5:95:6b:a6:0f:b9:73:4e:7d:82:57:ab:5f:b5\n"
  "                     ba:5c:a0:48:8c:82:77:fd:67:d8:53:44:61:86:a5:06\n"
  "                     19:bf:73:51:68:2e:1a:0a:c5:05:39:ca:3d:ca:83:ed\n"
  "                     07:fe:ae:b7:73:1d:60:dd:ab:9e:0e:7e:02:f3:68:42\n"
  "                     93:27:c8:5f:c5:fa:cb:a9:84:06:2f:f3:66:bd:de:7d\n"
  "                     29:82:57:47:e4:a9:df:bf:8b:bc:c0:46:33:5a:7b:87\n"
  "             Exponent (bits 24):\n"
  "                     01:00:01\n"
  "     Extensions:\n"
  "             Subject Alternative Name (not critical):\n"
  "warning: SAN contains an embedded NUL, replacing with '!'\n"
  "                     DNSname: localhost!h\n"
  "             Key Usage (not critical):\n"
  "                     Key encipherment.\n"
  "             Key Purpose (not critical):\n"
  "                     TLS WWW Server.\n"
  "             Subject Key Identifier (not critical):\n"
  "                     0c37a3db0f73b3388a69d36eb3a7d6d8774eda67\n"
  "             Authority Key Identifier (not critical):\n"
  "                     126b24d24a68b7a1b01ccdbfd64ccc405b7fe040\n"
  "             Basic Constraints (critical):\n"
  "                     Certificate Authority (CA): FALSE\n"
  "     Signature Algorithm: RSA-SHA\n"
  "     Signature:\n"
  "             88:a0:17:77:77:bf:c1:8a:18:4e:a3:94:6e:45:18:31\n"
  "             fa:2f:7b:1f:ee:95:20:d1:cd:40:df:ee:f0:45:2e:e9\n"
  "             e6:cf:c8:77:bd:85:16:d7:9f:18:52:78:3f:ea:9c:86\n"
  "             62:6e:db:90:b0:cd:f1:c1:6f:2d:87:4a:a0:be:b3:dc\n"
  "             6d:e4:6b:d1:da:b9:10:25:7e:35:1f:1b:aa:a7:09:2f\n"
  "             84:77:27:b0:48:a8:6d:54:57:38:35:22:34:03:0f:d4\n"
  "             5d:ab:1c:72:15:b1:d9:89:56:10:12:fb:7d:0d:18:12\n"
  "             a9:0a:38:dc:93:cf:69:ff:75:86:9e:e3:6b:eb:92:6c\n"
  "             55:16:d5:65:8b:d7:9c:5e:4b:82:c8:92:6c:8b:e6:18\n"
  "             a2:f8:8c:65:aa:b6:eb:23:ed:cb:99:db:fc:8b:8e:1d\n"
  "             7a:39:c9:f5:7b:7f:58:7b:ed:01:6c:3c:40:ec:e3:a9\n"
  "             5f:c4:3d:cb:81:17:03:6d:2d:d7:bd:00:5f:c4:79:f2\n"
  "             fb:ab:c6:0e:a2:01:8b:a1:42:73:de:96:29:3e:bf:d7\n"
  "             d9:51:a7:d4:98:07:7f:f0:f4:cd:00:a1:e1:ac:6c:05\n"
  "             ac:ab:93:1b:b0:5c:2c:13:ad:ff:27:dc:80:99:34:66\n"
  "             bd:e3:31:54:d5:b6:3f:ce:d4:08:a3:52:28:61:5e:bd\n"
  "Other Information:\n"
  "     MD5 fingerprint:\n"
  "             0b4d6d944200cdd1639008b24dc0fe0a\n"
  "     SHA-1 fingerprint:\n"
  "             ce85660f5451b0cc12f525577f0eb9411a20c76b\n"
  "     Public Key Id:\n"
  "             a1d18c15e65c7c4935512eeea7ca5d3e6baad4e1\n"
  "\n"
  "-----BEGIN CERTIFICATE-----\n"
  "MIIDQzCCAiugAwIBAgIGC10Khw0JMA0GCSqGSIb3DQEBBQUAMGcxCzAJBgNVBAYT\n"
  "Ak5OMTEwLwYDVQQKDChFZGVsIEN1cmwgQXJjdGljIElsbHVkaXVtIFJlc2VhcmNo\n"
  "IENsb3VkMSUwIwYDVQQDDBxOb3RoZXJuIE5vd2hlcmUgVHJ1c3QgQW5jaG9yMB4X\n"
  "DTA5MDgwNDIyMDczM1oXDTE3MTAyMTIyMDczM1owVDELMAkGA1UEBhMCTk4xMTAv\n"
  "BgNVBAoMKEVkZWwgQ3VybCBBcmN0aWMgSWxsdWRpdW0gUmVzZWFyY2ggQ2xvdWQx\n"
  "EjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA\n"
  "vmc7tOrAhbTDVsGkliM29cZ3qq3lwd3OwZqXB90WkOvwOLWVa6YPuXNOfYJXq1+1\n"
  "ulygSIyCd/1n2FNEYYalBhm/c1FoLhoKxQU5yj3Kg+0H/q63cx1g3aueDn4C82hC\n"
  "kyfIX8X6y6mEBi/zZr3efSmCV0fkqd+/i7zARjNae4cCAwEAAaOBizCBiDAWBgNV\n"
  "HREEDzANggtsb2NhbGhvc3QAaDALBgNVHQ8EBAMCBSAwEwYDVR0lBAwwCgYIKwYB\n"
  "BQUHAwEwHQYDVR0OBBYEFAw3o9sPc7M4imnTbrOn1th3TtpnMB8GA1UdIwQYMBaA\n"
  "FBJrJNJKaLehsBzNv9ZMzEBbf+BAMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEF\n"
  "BQADggEBAIigF3d3v8GKGE6jlG5FGDH6L3sf7pUg0c1A3+7wRS7p5s/Id72FFtef\n"
  "GFJ4P+qchmJu25CwzfHBby2HSqC+s9xt5GvR2rkQJX41HxuqpwkvhHcnsEiobVRX\n"
  "ODUiNAMP1F2rHHIVsdmJVhAS+30NGBKpCjjck89p/3WGnuNr65JsVRbVZYvXnF5L\n"
  "gsiSbIvmGKL4jGWqtusj7cuZ2/yLjh16Ocn1e39Ye+0BbDxA7OOpX8Q9y4EXA20t\n"
  "170AX8R58vurxg6iAYuhQnPelik+v9fZUafUmAd/8PTNAKHhrGwFrKuTG7BcLBOt\n"
  "/yfcgJk0Zr3jMVTVtj/O1AijUihhXr0=\n"
  "-----END CERTIFICATE-----\n";

int
main (void)
{
  gnutls_x509_crt_t cert;
  gnutls_datum_t data;
  int ret;

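  ret = gnutls_global_init ();
  if (ret < 0)
    {
      printf ("gnutls_global_init: %d\n", ret);
      return 1;
    }

  ret = gnutls_x509_crt_init (&cert);
  if (ret < 0)
    {
      printf ("gnutls_x509_crt_init: %d\n", ret);
      return 1;
    }

  /* gnutls_datum_t carries an explicit length; data.data is unsigned char *. */
  data.data = (unsigned char *) pem;
  data.size = strlen (pem);

  ret = gnutls_x509_crt_import (cert, &data, GNUTLS_X509_FMT_PEM);
  if (ret < 0)
    {
      /* A failed import must not fall through to the hostname check. */
      printf ("gnutls_x509_crt_import: %d\n", ret);
      return 1;
    }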

  ret = gnutls_x509_crt_check_hostname (cert, "localhost");
  if (ret)
    printf ("Hostname incorrectly matches (%d)\n", ret);
  else
    printf ("Hostname correctly does not match (%d)\n", ret);

  gnutls_x509_crt_deinit (cert);

  gnutls_global_deinit ();

  return 0;
}
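
The failure mode this test certificate targets, as an added example that is not part of the original message and is not GnuTLS's implementation: a dNSName handled as a C string is cut at the embedded NUL, while a length-aware comparison sees all 11 bytes. The names `naive_match` and `strict_match` are hypothetical, the sample bytes are constructed from the SAN shown in the certificate above, and only exact (non-wildcard) matching is covered.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample: the 11-byte dNSName from the certificate above,
   i.e. "localhost", an embedded NUL, then "h". */
static const unsigned char san_bytes[] = "localhost\0h";
#define SAN_LEN (sizeof (san_bytes) - 1)

/* Naive check (hypothetical): treats the SAN as a C string, so the
   comparison stops at the first NUL and never sees the trailing "h". */
int
naive_match (const unsigned char *san, size_t san_len, const char *host)
{
  (void) san_len;		/* the encoded length is ignored */
  return strcasecmp ((const char *) san, host) == 0;
}

/* Length-aware check (hypothetical): uses the encoded length of the
   name, refuses any embedded NUL, then compares the whole name. */
int
strict_match (const unsigned char *san, size_t san_len, const char *host)
{
  if (memchr (san, '\0', san_len) != NULL)
    return 0;			/* a NUL is never part of a DNS name */
  if (san_len != strlen (host))
    return 0;
  return strncasecmp ((const char *) san, host, san_len) == 0;
}

int
main (void)
{
  printf ("naive:  %d\n", naive_match (san_bytes, SAN_LEN, "localhost"));
  printf ("strict: %d\n", strict_match (san_bytes, SAN_LEN, "localhost"));
  return 0;
}
```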
