From 257eb57b50f7c65467bfc2f4d579622fa13f3370 Mon Sep 17 00:00:00 2001 From: Peter Eisentraut Date: Tue, 13 Sep 2022 16:10:50 +0200 Subject: [PATCH] Don't reflect unescaped cert data to the logs Commit 3a0e385048 introduced a new path for unauthenticated bytes from the client certificate to be printed unescaped to the logs. There are a handful of these already, but it doesn't make sense to keep making the problem worse. \x-escape any unprintable bytes. The test case introduces a revoked UTF-8 certificate. This requires the addition of the `-utf8` flag to `openssl req`. Since the existing certificates all use an ASCII subset, this won't modify the existing certificates' subjects if/when they get regenerated; this was verified experimentally with $ make sslfiles-clean $ make sslfiles Unfortunately the test can't be run in the CI yet due to a test timing issue; see 55828a6b60. Author: Jacob Champion Discussion: https://www.postgresql.org/message-id/CAAWbhmgsvHrH9wLU2kYc3pOi1KSenHSLAHBbCVmmddW6-mc_=w@mail.gmail.com --- src/backend/libpq/be-secure-openssl.c | 57 ++++++++++--------- src/test/ssl/conf/client-revoked-utf8.config | 13 +++++ src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 | 19 ++++--- src/test/ssl/ssl/client-revoked-utf8.crt | 18 ++++++ src/test/ssl/ssl/client-revoked-utf8.key | 27 +++++++++ src/test/ssl/ssl/client.crl | 19 ++++--- .../ssl/ssl/root+client-crldir/9bb9e3c3.r0 | 19 ++++--- src/test/ssl/ssl/root+client.crl | 19 ++++--- src/test/ssl/sslfiles.mk | 10 ++-- src/test/ssl/t/001_ssltests.pl | 13 +++++ src/test/ssl/t/SSL/Backend/OpenSSL.pm | 3 +- 11 files changed, 150 insertions(+), 67 deletions(-) create mode 100644 src/test/ssl/conf/client-revoked-utf8.config create mode 100644 src/test/ssl/ssl/client-revoked-utf8.crt create mode 100644 src/test/ssl/ssl/client-revoked-utf8.key diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 55d4b29f7e..0356557387 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -27,12 +27,14 @@ #include #include +#include "common/string.h" #include "libpq/libpq.h" #include "miscadmin.h" #include "pgstat.h" #include "storage/fd.h" #include "storage/latch.h" #include "tcop/tcopprot.h" +#include "utils/builtins.h" #include "utils/memutils.h" /* @@ -1080,16 +1082,16 @@ dummy_ssl_passwd_cb(char *buf, int size, int rwflag, void *userdata) } /* - * Examines the provided certificate name, and if it's too long to log, modifies - * and truncates it. The return value is NULL if no truncation was needed; it - * otherwise points into the middle of the input string, and should not be - * freed. + * Examines the provided certificate name, and if it's too long to log or + * contains unprintable ASCII, escapes and truncates it. The return value is + * always a new palloc'd string. (The input string is still modified in place, + * for ease of implementation.) */ static char * -truncate_cert_name(char *name) +prepare_cert_name(char *name) { size_t namelen = strlen(name); - char *truncated; + char *truncated = name; /* * Common Names are 64 chars max, so for a common case where the CN is the @@ -1099,19 +1101,20 @@ truncate_cert_name(char *name) */ #define MAXLEN 71 - if (namelen <= MAXLEN) - return NULL; - - /* - * Keep the end of the name, not the beginning, since the most specific - * field is likely to give users the most information. - */ - truncated = name + namelen - MAXLEN; - truncated[0] = truncated[1] = truncated[2] = '.'; + if (namelen > MAXLEN) + { + /* + * Keep the end of the name, not the beginning, since the most specific + * field is likely to give users the most information. + */ + truncated = name + namelen - MAXLEN; + truncated[0] = truncated[1] = truncated[2] = '.'; + namelen = MAXLEN; + } #undef MAXLEN - return truncated; + return pg_clean_ascii(truncated, 0); } /* @@ -1154,21 +1157,24 @@ verify_cb(int ok, X509_STORE_CTX *ctx) { char *subject, *issuer; - char *sub_truncated, - *iss_truncated; + char *sub_prepared, + *iss_prepared; char *serialno; ASN1_INTEGER *sn; BIGNUM *b; /* * Get the Subject and Issuer for logging, but don't let maliciously - * huge certs flood the logs. + * huge certs flood the logs, and don't reflect non-ASCII bytes into it + * either. */ subject = X509_NAME_to_cstring(X509_get_subject_name(cert)); - sub_truncated = truncate_cert_name(subject); + sub_prepared = prepare_cert_name(subject); + pfree(subject); issuer = X509_NAME_to_cstring(X509_get_issuer_name(cert)); - iss_truncated = truncate_cert_name(issuer); + iss_prepared = prepare_cert_name(issuer); + pfree(issuer); /* * Pull the serial number, too, in case a Subject is still ambiguous. @@ -1181,14 +1187,13 @@ verify_cb(int ok, X509_STORE_CTX *ctx) appendStringInfoChar(&str, '\n'); appendStringInfo(&str, _("Failed certificate data (unverified): subject \"%s\", serial number %s, issuer \"%s\"."), - sub_truncated ? sub_truncated : subject, - serialno ? serialno : _("unknown"), - iss_truncated ? iss_truncated : issuer); + sub_prepared, serialno ? serialno : _("unknown"), + iss_prepared); BN_free(b); OPENSSL_free(serialno); - pfree(issuer); - pfree(subject); + pfree(iss_prepared); + pfree(sub_prepared); } /* Store our detail message to be logged later. */ diff --git a/src/test/ssl/conf/client-revoked-utf8.config b/src/test/ssl/conf/client-revoked-utf8.config new file mode 100644 index 0000000000..ff57e6de8a --- /dev/null +++ b/src/test/ssl/conf/client-revoked-utf8.config @@ -0,0 +1,13 @@ +# An OpenSSL format CSR config file for creating a client certificate. +# +# The certificate contains a non-ASCII CN encoded in UTF-8. It is revoked by the +# client CA. + +[ req ] +distinguished_name = req_distinguished_name +prompt = no + +[ req_distinguished_name ] +CN = Οδυσσέας + +# no extensions in client certs diff --git a/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 b/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 index d93791b88a..f75eb1c0bc 100644 --- a/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 +++ b/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 @@ -1,11 +1,12 @@ -----BEGIN X509 CRL----- -MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ -b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz -MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy -MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z -GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU -Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1 -AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV -w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu -tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0= +MIIBwDCBqTANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ +b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMjA3 +MTgyMjI4MTVaFw00OTEyMDMyMjI4MTVaMDYwGQIIICEDAxQSBwEXDTIyMDcxODIy +MjgxNVowGQIIICIHGBUoFQAXDTIyMDcxODIyMjgxNVowDQYJKoZIhvcNAQELBQAD +ggEBAFDH3m9AHpDjkEFjO6svnLJ2bTliGeKZaJW8/RAN4mWvWDhXDQfzqGcFHN2a +SIL57Xc4PdwTiXuU4QEP4RvWW90LYKdcrcT8uh0AN3i7ShMwcV7I7owzF5+CBuT7 +Ev0MU4QIz0PjXoybXP6b3wHhZbEjYTLYdnYdqjrsAchUpyDQn6fiC0C7FgjCi4HL +rNm2kMchFpzd6K9e41kxWVp7xCPXgqUK8OrxlW56ObkX8UpBIZzyU6RisJKOZJAn +/+lwT43yTtU739atdXdSMvGHT9Y7LsrSDz9zgp2/iMTmfctnPcp81J/6jQZEP8kx +OyPyZz4xy/EShWy+KUklfOoKRo8= -----END X509 CRL----- diff --git a/src/test/ssl/ssl/client-revoked-utf8.crt b/src/test/ssl/ssl/client-revoked-utf8.crt new file mode 100644 index 0000000000..de471d1e60 --- /dev/null +++ b/src/test/ssl/ssl/client-revoked-utf8.crt @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC2DCCAcACCCAiBxgVKBUAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl +c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg +Y2VydHMwHhcNMjIwNzE4MjIyODE1WhcNNDkxMjAzMjIyODE1WjAbMRkwFwYDVQQD +DBDOn860z4XPg8+Dzq3Osc+CMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAvBiL1mVjTrzZ6sbrvfu746dzh+EEyuJNkCwPeJTtpva2wqqRUMYw05cV5kzi +YQ3UikMP5Yz0FXTeWoahSpJAWeR5XsFx3wOQvRzwi1KWm2CHr/rb7KbPvoZQdXuV +8UeKrQ6PrEvjoarHAUZuWyUC6EnEAGuiKl5yuax5mkTcK5F8pig2/SS/UonX5ar5 +58rOUEaIdyZmXtrO86cm5S5Oz3G2naQB3PPPOhtkoGBHikRHiqBPVRpX3w9TIpBL +BZbT4MIZ+fCjZ9wXj4aiDUzPglu6/Tfx9sNcxc6Ilz/XHfPuBVyyjgrny2SrW0W4 +KlhU09y+m5gKL358z8tj599DowIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAE47ns +wfceztieaRQtoF+gPcCuImOJqaB7jTE6cQ+aoW/q+sUlOh7AD0IZqhS4o0A4O+ny +MD7kHkpYP+ctHNomsSQRkFTDZ2ZJGcRgxbwMOSvsKcgNOTMGqpXQiP0x0m7QMBGl +EHeu5MqG/IK/ZlH9aOTvSnHegB6ztct/7wXMeFCflsWLp6wvnv9YpddaaXf95Oms +9kwbVYkI1wxaBsAO8VGbJw1YtdErgd65qKTJa45xndtm61i1Jeig5asSNQPwjfZ5 +aNHZ9GsSwsc31Q/6iiezbPwgdAi3ih//uB2hznkMhObnqzR3n8Sw9zgL7DdFr2y9 +2R7kJuGq6DvlWFYS +-----END CERTIFICATE----- diff --git a/src/test/ssl/ssl/client-revoked-utf8.key b/src/test/ssl/ssl/client-revoked-utf8.key new file mode 100644 index 0000000000..86d9697096 --- /dev/null +++ b/src/test/ssl/ssl/client-revoked-utf8.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAvBiL1mVjTrzZ6sbrvfu746dzh+EEyuJNkCwPeJTtpva2wqqR +UMYw05cV5kziYQ3UikMP5Yz0FXTeWoahSpJAWeR5XsFx3wOQvRzwi1KWm2CHr/rb +7KbPvoZQdXuV8UeKrQ6PrEvjoarHAUZuWyUC6EnEAGuiKl5yuax5mkTcK5F8pig2 +/SS/UonX5ar558rOUEaIdyZmXtrO86cm5S5Oz3G2naQB3PPPOhtkoGBHikRHiqBP +VRpX3w9TIpBLBZbT4MIZ+fCjZ9wXj4aiDUzPglu6/Tfx9sNcxc6Ilz/XHfPuBVyy +jgrny2SrW0W4KlhU09y+m5gKL358z8tj599DowIDAQABAoIBAQCpdePmUInb0kDy +SCzziOyJ+b8YWB4dOy1uCoQVuvcxSWz2jP1GrIgo2SGdzv7VOcSWnDyiLw9olVYO +cOS3bnQTiMfgGqAgr/Gir4P3wXx2l80nOvcQimj32cJ7VdCNBEtoBopiTCzU5itM +dsvNydaIuIyhZFdBnL33kfAskIVbqbgNyMCuDvhEMGFh7T193j3cKnvcfoHsSoNK +65MT53764P404avgH9+C0W41GvXoMY5BUphUiCwi5TKIvalNP9Gu2LI3R4J3tAE1 +QSR/3Jtaunb5izCyi23MZC+mdz9EALeYRmLpXsspbHaPXDpUA67xifCKnX4JUPVf +Op5XcXjhAoGBAN/Jt7TFPypRtbW200zx6F3RmToWRnvgn5vaNTmiy0ivcHJu4MLS +o0yiV3VWksf1PCInK19C1yFo6H2lkhKhvipL62MoRkspOUJcMh42DPPf/RDMhYnF +8MVQ1TlMdg/I4YXGzsrfl93eFERRjWiAt8b58D9OVpWcQNZMPmGztes3AoGBANcr +n8ZmGZ5JDzbc+N9l1bGJuRT6PvH0rpoKjWOyaVMDedAUnCbfq01j42zXMfQLR1nE +67Z6oWrBNNdEJFBhTzTZ+ZYXxpJP/FYJQ19dOCTKN1LQ79OAbSsU0NBLkss4a903 +9JQ+zhrEIEaXCTV9sEnp10KrEo6ctuaqMOkVCBj1AoGBAJy/Xb1wq12o/e3ZsQck +Ke4M8ZaOI7CBFUrE/KLyNBElUU3V+/h6MYdr7nZxvT3xt7z0UpzW5HiyUqYvYrFK +OTjHFIjPnOzoYwLoMPKYSVpIealal+54hryucatAszE7MzvQlOfk1SrCcs+nj7Sy +9Aaa6nxtEpiYaZGwtcEZb0LhAoGAJYODjbGLUd9m+ae49CnrAdMDI7cldkW0k0K3 +t+QJHOIEQNT3DIf+c7Wwlu9F1EiLHgmJFv12WwhoUAefVSxCBPLj4tkuU6ACXHWs ++1ljSna/An9O8M75OYOdjFNAupGRrLXuvFHe2SfMgMIgZuUM8TYFw6fTym1kLf8K +G/kAumkCgYBBD0TXDDAmVCYECSG1Uz35vm9GitbIe++o2ykO2sdB5mPRiMsfVJw4 +bVInkvV6Y2u4ltsNsS/0Y3A2xq/CnYhc7PeIIWFnfoyuHaIM4TIAflpM6qf4lOWE +8Ot31P8Mt5U0cvCBuKpu0r9by66xX6yqKCqTPMSvbL7MCx5ukGYY7g== +-----END RSA PRIVATE KEY----- diff --git a/src/test/ssl/ssl/client.crl b/src/test/ssl/ssl/client.crl index d93791b88a..f75eb1c0bc 100644 --- a/src/test/ssl/ssl/client.crl +++ b/src/test/ssl/ssl/client.crl @@ -1,11 +1,12 @@ -----BEGIN X509 CRL----- -MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ -b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz -MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy -MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z -GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU -Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1 -AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV -w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu -tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0= +MIIBwDCBqTANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ +b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMjA3 +MTgyMjI4MTVaFw00OTEyMDMyMjI4MTVaMDYwGQIIICEDAxQSBwEXDTIyMDcxODIy +MjgxNVowGQIIICIHGBUoFQAXDTIyMDcxODIyMjgxNVowDQYJKoZIhvcNAQELBQAD +ggEBAFDH3m9AHpDjkEFjO6svnLJ2bTliGeKZaJW8/RAN4mWvWDhXDQfzqGcFHN2a +SIL57Xc4PdwTiXuU4QEP4RvWW90LYKdcrcT8uh0AN3i7ShMwcV7I7owzF5+CBuT7 +Ev0MU4QIz0PjXoybXP6b3wHhZbEjYTLYdnYdqjrsAchUpyDQn6fiC0C7FgjCi4HL +rNm2kMchFpzd6K9e41kxWVp7xCPXgqUK8OrxlW56ObkX8UpBIZzyU6RisJKOZJAn +/+lwT43yTtU739atdXdSMvGHT9Y7LsrSDz9zgp2/iMTmfctnPcp81J/6jQZEP8kx +OyPyZz4xy/EShWy+KUklfOoKRo8= -----END X509 CRL----- diff --git a/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0 b/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0 index d93791b88a..f75eb1c0bc 100644 --- a/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0 +++ b/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0 @@ -1,11 +1,12 @@ -----BEGIN X509 CRL----- -MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ -b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz -MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy -MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z -GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU -Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1 -AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV -w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu -tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0= +MIIBwDCBqTANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ +b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMjA3 +MTgyMjI4MTVaFw00OTEyMDMyMjI4MTVaMDYwGQIIICEDAxQSBwEXDTIyMDcxODIy +MjgxNVowGQIIICIHGBUoFQAXDTIyMDcxODIyMjgxNVowDQYJKoZIhvcNAQELBQAD +ggEBAFDH3m9AHpDjkEFjO6svnLJ2bTliGeKZaJW8/RAN4mWvWDhXDQfzqGcFHN2a +SIL57Xc4PdwTiXuU4QEP4RvWW90LYKdcrcT8uh0AN3i7ShMwcV7I7owzF5+CBuT7 +Ev0MU4QIz0PjXoybXP6b3wHhZbEjYTLYdnYdqjrsAchUpyDQn6fiC0C7FgjCi4HL +rNm2kMchFpzd6K9e41kxWVp7xCPXgqUK8OrxlW56ObkX8UpBIZzyU6RisJKOZJAn +/+lwT43yTtU739atdXdSMvGHT9Y7LsrSDz9zgp2/iMTmfctnPcp81J/6jQZEP8kx +OyPyZz4xy/EShWy+KUklfOoKRo8= -----END X509 CRL----- diff --git a/src/test/ssl/ssl/root+client.crl b/src/test/ssl/ssl/root+client.crl index 02eff4d326..459f48da43 100644 --- a/src/test/ssl/ssl/root+client.crl +++ b/src/test/ssl/ssl/root+client.crl @@ -10,13 +10,14 @@ SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R +GrJP3XxJ1OC -----END X509 CRL----- -----BEGIN X509 CRL----- -MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ -b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz -MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy -MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z -GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU -Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1 -AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV -w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu -tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0= +MIIBwDCBqTANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ +b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMjA3 +MTgyMjI4MTVaFw00OTEyMDMyMjI4MTVaMDYwGQIIICEDAxQSBwEXDTIyMDcxODIy +MjgxNVowGQIIICIHGBUoFQAXDTIyMDcxODIyMjgxNVowDQYJKoZIhvcNAQELBQAD +ggEBAFDH3m9AHpDjkEFjO6svnLJ2bTliGeKZaJW8/RAN4mWvWDhXDQfzqGcFHN2a +SIL57Xc4PdwTiXuU4QEP4RvWW90LYKdcrcT8uh0AN3i7ShMwcV7I7owzF5+CBuT7 +Ev0MU4QIz0PjXoybXP6b3wHhZbEjYTLYdnYdqjrsAchUpyDQn6fiC0C7FgjCi4HL +rNm2kMchFpzd6K9e41kxWVp7xCPXgqUK8OrxlW56ObkX8UpBIZzyU6RisJKOZJAn +/+lwT43yTtU739atdXdSMvGHT9Y7LsrSDz9zgp2/iMTmfctnPcp81J/6jQZEP8kx +OyPyZz4xy/EShWy+KUklfOoKRo8= -----END X509 CRL----- diff --git a/src/test/ssl/sslfiles.mk b/src/test/ssl/sslfiles.mk index 5f67aba795..a843a21d42 100644 --- a/src/test/ssl/sslfiles.mk +++ b/src/test/ssl/sslfiles.mk @@ -33,7 +33,8 @@ SERVERS := server-cn-and-alt-names \ server-multiple-alt-names \ server-no-names \ server-revoked -CLIENTS := client client-dn client-revoked client_ext client-long +CLIENTS := client client-dn client-revoked client_ext client-long \ + client-revoked-utf8 # # To add a new non-standard key, add it to SPECIAL_KEYS and then add a recipe @@ -175,7 +176,7 @@ $(CLIENT_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/client_c # The CSRs don't need to persist after a build. .INTERMEDIATE: $(CERTIFICATES:%=ssl/%.csr) ssl/%.csr: ssl/%.key conf/%.config - openssl req -new -key $< -out $@ -config conf/$*.config + openssl req -new -utf8 -key $< -out $@ -config conf/$*.config # # CA State @@ -215,8 +216,9 @@ ssl/server.crl: ssl/server-revoked.crt ssl/server_ca.crt | $(server_ca_state_fil openssl ca -config conf/cas.config -name server_ca -revoke $< openssl ca -config conf/cas.config -name server_ca -gencrl -out $@ -ssl/client.crl: ssl/client-revoked.crt ssl/client_ca.crt | $(client_ca_state_files) - openssl ca -config conf/cas.config -name client_ca -revoke $< +ssl/client.crl: ssl/client-revoked.crt ssl/client-revoked-utf8.crt ssl/client_ca.crt | $(client_ca_state_files) + openssl ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked.crt + openssl ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked-utf8.crt openssl ca -config conf/cas.config -name client_ca -gencrl -out $@ # diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl index fa26212de9..efab2ac194 100644 --- a/src/test/ssl/t/001_ssltests.pl +++ b/src/test/ssl/t/001_ssltests.pl @@ -793,4 +793,17 @@ $node->connect_fails( # ] ); +# revoked client cert, non-ASCII subject +$node->connect_fails( + "$common_connstr user=ssltestuser sslcert=ssl/client-revoked-utf8.crt " + . sslkey('client-revoked-utf8.key'), + "certificate authorization fails with revoked UTF-8 client cert with server-side CRL directory", + expected_stderr => qr/SSL error: sslv3 alert certificate revoked/, + # temporarily(?) skip this check due to timing issue +# log_like => [ +# qr{Client certificate verification failed at depth 0: certificate revoked}, +# qr{Failed certificate data \(unverified\): subject "/CN=\\xce\\x9f\\xce\\xb4\\xcf\\x85\\xcf\\x83\\xcf\\x83\\xce\\xad\\xce\\xb1\\xcf\\x82", serial number 2315420958437414144, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"}, +# ] +); + done_testing(); diff --git a/src/test/ssl/t/SSL/Backend/OpenSSL.pm b/src/test/ssl/t/SSL/Backend/OpenSSL.pm index a43e64c04f..6386a25323 100644 --- a/src/test/ssl/t/SSL/Backend/OpenSSL.pm +++ b/src/test/ssl/t/SSL/Backend/OpenSSL.pm @@ -88,7 +88,8 @@ sub init "client.key", "client-revoked.key", "client-der.key", "client-encrypted-pem.key", "client-encrypted-der.key", "client-dn.key", - "client_ext.key", "client-long.key"); + "client_ext.key", "client-long.key", + "client-revoked-utf8.key"); foreach my $keyfile (@keys) { copy("ssl/$keyfile", "$cert_tempdir/$keyfile")