From af9e180495507a2b01f1bc31b7ea5125b8385903 Mon Sep 17 00:00:00 2001
From: Peter Eisentraut
Date: Fri, 1 Apr 2022 14:06:23 +0200
Subject: [PATCH] Add SSL tests for IP addresses in certificates
This tests some scenarios that already work. A subsequent patch will introduce more functionality.
Author: Jacob Champion
Co-authored-by: Kyotaro Horiguchi
Co-authored-by: Daniel Gustafsson
Discussion: https://www.postgresql.org/message-id/flat/9f5f20974cd3a4091a788cf7f00ab663d5fcdffe.camel@vmware.com
---
src/test/ssl/conf/server-ip-cn-only.config | 12 +++++++++
src/test/ssl/conf/server-ip-in-dnsname.config | 18 +++++++++++++
src/test/ssl/ssl/server-ip-cn-only.crt | 18 +++++++++++++
src/test/ssl/ssl/server-ip-cn-only.key | 27 +++++++++++++++++++
src/test/ssl/ssl/server-ip-in-dnsname.crt | 18 +++++++++++++
src/test/ssl/ssl/server-ip-in-dnsname.key | 27 +++++++++++++++++++
src/test/ssl/sslfiles.mk | 2 ++
src/test/ssl/t/001_ssltests.pl | 26 +++++++++++++++++-
8 files changed, 147 insertions(+), 1 deletion(-)
create mode 100644 src/test/ssl/conf/server-ip-cn-only.config
create mode 100644 src/test/ssl/conf/server-ip-in-dnsname.config
create mode 100644 src/test/ssl/ssl/server-ip-cn-only.crt
create mode 100644 src/test/ssl/ssl/server-ip-cn-only.key
create mode 100644 src/test/ssl/ssl/server-ip-in-dnsname.crt
create mode 100644 src/test/ssl/ssl/server-ip-in-dnsname.key
diff --git a/src/test/ssl/conf/server-ip-cn-only.config b/src/test/ssl/conf/server-ip-cn-only.config
new file mode 100644
index 0000000000..585d8bdae8
--- /dev/null
+++ b/src/test/ssl/conf/server-ip-cn-only.config
@@ -0,0 +1,12 @@
+# An OpenSSL format CSR config file for creating a server certificate.
+#
+
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[ req_distinguished_name ]
+CN = 192.0.2.1
+OU = PostgreSQL test suite
+
+# No Subject Alternative Names
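Review bot: The closing comment `# No Subject Alternative Names` in server-ip-cn-only.config records what is absent but not why that matters, and the fixture silently stops testing the CN path if someone later adds a SAN section to it. The 001_ssltests.pl comment touched in this same patch says the CN should be ignored when a certificate has both a CN and SANs, so the absence of any SAN is the one property this certificate must keep. I'd make that explicit: `# No Subject Alternative Names: the CN is only consulted when the SAN extension is absent, which is exactly what this certificate exercises.`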
diff --git a/src/test/ssl/conf/server-ip-in-dnsname.config b/src/test/ssl/conf/server-ip-in-dnsname.config
new file mode 100644
index 0000000000..b15649aef7
--- /dev/null
+++ b/src/test/ssl/conf/server-ip-in-dnsname.config
@@ -0,0 +1,18 @@
+# An OpenSSL format CSR config file for creating a server certificate.
+#
+
+[ req ]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[ req_distinguished_name ]
+OU = PostgreSQL test suite
+
+# For Subject Alternative Names
+[ v3_req ]
+subjectAltName = @alt_names
+
+# Normally IP addresses should not go into a dNSName.
+[ alt_names ]
+DNS.1 = 192.0.2.1
diff --git a/src/test/ssl/ssl/server-ip-cn-only.crt b/src/test/ssl/ssl/server-ip-cn-only.crt
new file mode 100644
index 0000000000..9bf015cf18
--- /dev/null
+++ b/src/test/ssl/ssl/server-ip-cn-only.crt
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8TCCAdkCCCAhESkRN1IAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
+Y2VydHMwHhcNMjExMTI5MTkzNzUyWhcNNDkwNDE2MTkzNzUyWjA0MR4wHAYDVQQL
+DBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUxEjAQBgNVBAMMCTE5Mi4wLjIuMTCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANWs1uUL71nHYF9Zj6p+M3MpYDvx
+32iCjVdtH5a2qpSWHXTg0rR8dLX0y92cvOYvMXHRajZT1avpHr8dooPYSVaXpGMK
+NvF/Qi+WFYovRbP2vmd1yv1cgW/FggbwJFWVobizIz4seyA4d0B2j9fqoi2OFBNP
+huW664SjF0u3p21tDy+43i2LNUMAKf6dnRR5Vqenath87LEU41tSLudu6NXgbFMk
+jvfNkl4d0w7YCzeXmklmSI+uaX3PlJJ4NzQO2j8w5BvnKVhNVD0KjgrXZ6nB/8F7
+Pg3XY+d7rJlwRgXemU6resWQDJ7+UaC9u7I4EIP+9lzCR/nNBqUktpHRmHUCAwEA
+ATANBgkqhkiG9w0BAQsFAAOCAQEAos1JncV8Yf4UaKl6h1GdYtcVtzFyJvBEnhRD
+07ldL+TYnfZiX8wK2ssBtM3cg/C78y5bzdUa5XGS83ZKQJFFdhE7PSnrvyNqyIqY
+ZgNBxto3gyvir+EjO1u9BAB0NP3r3gYoHRDZS1xOPPzt4WgjuUgTLM9k82GsqAbO
+UrOTOdRnkIqC5xLpa05EnRyJPRsR1w1PRJC2XXKnHIuFjMb4v7UuPwyCcX1P5ioc
+rQszQcORy/L+k0ezCkyweORg68htjYbBHuwOuiGfok6yKKDMzrTvD3lIslls6eX7
+4sI3XWqzkPmG9Vsxm9Vu9/Ma+PRO76VyCoIwBd+Ufg5vNXhMmw==
+-----END CERTIFICATE-----
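Review bot: The comment `# Normally IP addresses should not go into a dNSName.` in server-ip-in-dnsname.config states the rule without its reason, and the reason is what a reader of a deliberately odd fixture needs: the GeneralName type for addresses is iPAddress (RFC 5280 section 4.2.1.6), so a dNSName carrying `192.0.2.1` is a malformed-but-tolerated certificate, not an alternative encoding of the same thing. I'd reword it to `# Normally IP addresses should not go into a dNSName (RFC 5280 4.2.1.6 provides iPAddress for that); this fixture deliberately exercises the lenient match.` The certificate hunk sharing this line is generated material and raises nothing.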
diff --git a/src/test/ssl/ssl/server-ip-cn-only.key b/src/test/ssl/ssl/server-ip-cn-only.key new file mode 100644 index 0000000000..1966530e72 --- /dev/null +++ b/src/test/ssl/ssl/server-ip-cn-only.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA1azW5QvvWcdgX1mPqn4zcylgO/HfaIKNV20flraqlJYddODS +tHx0tfTL3Zy85i8xcdFqNlPVq+kevx2ig9hJVpekYwo28X9CL5YVii9Fs/a+Z3XK +/VyBb8WCBvAkVZWhuLMjPix7IDh3QHaP1+qiLY4UE0+G5brrhKMXS7enbW0PL7je +LYs1QwAp/p2dFHlWp6dq2HzssRTjW1Iu527o1eBsUySO982SXh3TDtgLN5eaSWZI +j65pfc+Ukng3NA7aPzDkG+cpWE1UPQqOCtdnqcH/wXs+Dddj53usmXBGBd6ZTqt6 +xZAMnv5RoL27sjgQg/72XMJH+c0GpSS2kdGYdQIDAQABAoIBAQDNXviU4WnF8rmQ +K7bH+dBdqbETLKC8BG7xTrMD2sINWlMpmUUrsEtE7+paMGHnJAj0CoF5gg5m0wN4 +UXV4H5QtpEad4p14dAYbUreVP2ZRWKEdM7xM1HKcCUu2e22QzObJbXQ8N+iHyX3k ++Y+7yYrjGiH1hYR0nbnsnAyx++zyYBSQeqzpdQwf/BLY5xZmyYWNfqbckiMpEqMs +EmZmGXnCjIipzEC0LQHoSW9PNa92Z9bvuxOKYl8iHYDDXjvMRFoZBSiMXpzHQocb +QlQ5F4ayfW2OrOhpNbY7niYM9GN3Bk9TgMP+0BkJE6uuktLYW35LY1M78CCPWcWb +npJNK3QBAoGBAOxkGrhAHAysSmtirIyMdvySb76wb/Ukfi+AULKz20FI5j4/GXm9 +qCb2GeT+FFSUHeSC8f0EFnosRYkdBGruqeZioI+5rUkboYFJPspAHAuvg9kgtfF+ +kvphD4O4P/foYsEZRx66FHozDbhrrR5UXc7KzqRIASc/D3FOx2UFJLb1AoGBAOdm +WcaMvYygl9ZW+ThWAR1xG1X70AGKwrlrpF2hBkWYxSurxSMXnD0DUzC9Nb4EyCaM +c2uSqEZOKdW+XfXtK2DnqXKfb3YCVEoGN4gVfyuW/vxii/+ZxLo3md/b3vrkZEVp +pfkXy/HoZ71YN7bNpcDpOnhml6vvuCRCYFnI1WuBAoGAC0shB6pwbJ6Sk5zMN47C +ZICufAK75o9OxAAyWsdC81SDQ3gKRImuDeZ2CD2nRP8qim9DFl5qoH2a+Nj9DArI +7SvLFfK9958tURrpuAnmDRzehLIOXzI33WRjtFxKGhLtHOKTRkGHlur3fdcPF0La +lHWV971E6NYXa8diuU3Mmj0CgYBYd+ka3/QYL83dRKNDxp3mg7fPx9ZewI5yFZVh +to6PTTkU2Tclk4FIUl0b5TsGyw06r7fxCMENIBUegwmpXGOZSPifuhUDKSDQrE/O +12knYTNbitG7hy6Pg3JxA77cbTVo1FuAQHjYo+IFohSq7zTP7FtObOrP8XaVZksw +CHiQAQKBgBW4EiA9AAnZ1LOpifAvM7bs0NHg95qTwtAL52WKom2ga2H+lMhxeu6Y +hUSytC/f9kALVcYloZhkLYpO07x1gXmy7f4parMjA4Ex+4vfu3kPd8GiNGZ+AUJD +nnJ1OINY9ziXJZfju7FpVWpkiuPzWCh6y/o3gZ/veq5mIUxuDMVa +-----END RSA PRIVATE KEY----- 
diff --git a/src/test/ssl/ssl/server-ip-in-dnsname.crt b/src/test/ssl/ssl/server-ip-in-dnsname.crt new file mode 100644 index 0000000000..78ad8d99c8 --- /dev/null +++ b/src/test/ssl/ssl/server-ip-in-dnsname.crt @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC/DCCAeSgAwIBAgIIICIDFRVYUgAwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE +Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl +cnZlciBjZXJ0czAeFw0yMjAzMTUyMjU4NTJaFw00OTA3MzEyMjU4NTJaMCAxHjAc +BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAMpn5bP1/OfBQR/yvOkOBzxArE1j1YShVa2pcj896+CVDEgV +N5Hluz7KHU/JYzNZCAHb5WAHuvXxKeoj4Ti5be1KsqO0mN1p+RMN7VlCpCpb0AWT +z4z+I8TUhSZnmgghHvfW4RfcZMCcHq1vevVTDxR/cAbDPYpgBCD5F/SZMRyMDw5B +7ILLmft0eqA1nCqavyqBCGZvx1ol8N5BfVdrDXp/rN5997khBWQRZ8g84FZyFZXf +pwp57eu0OGQDzZFXoEL2t4OVld67K5jcclWVxHY6FGcHjCvyqs48PCPOR84anZwj +GsqVOS6250/DWKBQO4KyhkTVf0AW/ICGSMOKkAkCAwEAAaMYMBYwFAYDVR0RBA0w +C4IJMTkyLjAuMi4xMA0GCSqGSIb3DQEBCwUAA4IBAQDIAAH0WJKEpbPN0QihN6SF +UA5WL4ixsBACo9OIAGkSnKeOeVEG5vvgOna0hjQcOcgtI1oCDLhULcjCuwxiIW6y +QntOazyo0sooJr0hEm2WfipvIpQs6W9E1OTcs624BAVfkAwr6WT2VwoIAPcQD2nR +tIQhSUIR9J7Q5WbzuQw7pthQhBfW/UPWw7vajel0r1dflbe0Cgp5WGNfp1kYy+Qf +XW/YjkstZEP1KFm+TF58uxrIDmYboS8EerUREGQixijbI0AfXjShxtiyS63rbdpo +3C0BPj9Yx2VtWi4U0qoef/iLJxJBCLvE/97+duPdKx0AkkOWA9VuenkWLp797UM8 +-----END CERTIFICATE----- diff --git a/src/test/ssl/ssl/server-ip-in-dnsname.key b/src/test/ssl/ssl/server-ip-in-dnsname.key new file mode 100644 index 0000000000..ba319b001e --- /dev/null +++ b/src/test/ssl/ssl/server-ip-in-dnsname.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAymfls/X858FBH/K86Q4HPECsTWPVhKFVralyPz3r4JUMSBU3 +keW7PsodT8ljM1kIAdvlYAe69fEp6iPhOLlt7Uqyo7SY3Wn5Ew3tWUKkKlvQBZPP +jP4jxNSFJmeaCCEe99bhF9xkwJwerW969VMPFH9wBsM9imAEIPkX9JkxHIwPDkHs +gsuZ+3R6oDWcKpq/KoEIZm/HWiXw3kF9V2sNen+s3n33uSEFZBFnyDzgVnIVld+n +Cnnt67Q4ZAPNkVegQva3g5WV3rsrmNxyVZXEdjoUZweMK/Kqzjw8I85HzhqdnCMa +ypU5LrbnT8NYoFA7grKGRNV/QBb8gIZIw4qQCQIDAQABAoIBAA2kPP4JCTeRddMy +Z/sJIAG2liZNITnkKcMflXyfrsMfKIm/LFSf+CO+OYWEHDR8vqZpbKcxPi+PRnTq +YCaTkM4aZ7nS1S6vEsNu/90xOaFFONr3YFivVDfS3vp8pwv/N3gaumcCSqQUoZis +18urAmwuPp2mEQK/f+e9AhlRLdcvlqDyKm+zMrVixK77Hj5JiEkh3rfZ3onHHKGE +B7T2XRRqnZ4FCN9qLH2pMGUknZ4MGC9SlCyoerXFodb4DhKWQhJDRLjb8qP96r/E +FGSg5WUiAERU/OgODoqZNTeIwIDB/f9NK45dEY3Hw6BsSFfU2VChrlNoVlzFUx2k +yaH5Y4ECgYEA8rht3crh3GTy0jBJjNqB2iul8fkG/uiaiSvERWT/+KZnmV1+JGAW +h2/wvd5apagOJjqKY0bCHMei/qYF9r4yJnkIy4qNper3QUz7TMCjsWduCm8S834A +Z+Vwi3RBGJiQQH9Dfexko5sDjo+w5g4RsH52INCeReInNdxHOv06jZECgYEA1XrR +QNwZlxHt3H93YKmKDZXikqW12Cuq6RSwf5VVdeuzV+pUN+/JaSgEuYsBilW7Q5p2 +gPROi0l8/eUPsBJb+dh1BcGzSjI2Kkzf66QOTG83S7tCPwQhwJUAylFuADvURjPQ +qvqNjbQUomdm2QjBzyWtiFbolqxBgM3dnE6R/vkCgYBYGqQexx83LhmKPGbmTwal +mARzkg59BxfZRN7IxcG4k0a1v98i+xISdYqwkP7cdOU18Tf8k1mwsrKytrcheqaf +mn2bzJ5gJKs9s+DgWmjQ45dpCCqb4hfpnro8lKVwdSifkNKB6gYZ8RHYdMYkq+S1 +6SGeBbv95/qNrXjZq8POUQKBgHyaDwD4dsdCY79LdvYofrenQHOv3Q+rjTo2JT6S +fysww6EQ2M89WiXSgc96Xw/LMl4nDfv+nMmXvyjCRgHS9XRC7yrJAEjSPeM6s4fq +XZ4nW/ML/YKiesDZN3jfRoFEaoX/QFBLpcuLzG9uQw1ymwy5RSxK7b7kE+eGQU82 +XOihAoGBAI3xvT9fG3jRsSuw/8OQBlmDUFZcT0fRPRZ3pg8XlSreAam4b607d2WY +u/bBHIclG3CLJ2EFqBtxl9AQeM0OTweF0KmV3dbtdBmaTbnhbK8/NLYnl5+aosEJ +YrFKD8k8z6z+mYQs+7bAnfRa53TjfC7f24BpgEQyEfKL2fa3PF+J +-----END RSA PRIVATE KEY----- diff --git a/src/test/ssl/sslfiles.mk b/src/test/ssl/sslfiles.mk index 7ed3a30f5c..7a28d82f95 100644 --- a/src/test/ssl/sslfiles.mk +++ b/src/test/ssl/sslfiles.mk 
@@ -23,6 +23,8 @@
 #
 SERVERS := server-cn-and-alt-names \
 server-cn-only \
+ server-ip-cn-only \
+ server-ip-in-dnsname \
 server-single-alt-name \
 server-multiple-alt-names \
 server-no-names \
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index d8eeb085da..fabbe1570a 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -229,6 +229,30 @@ $node->connect_fails(
 qr/\Qserver certificate for "common-name.pg-ssltest.test" does not match host name "wronghost.test"\E/
 );
+# Test with an IP address in the Common Name. This is a strange corner case that
+# nevertheless is supported, as long as the address string matches exactly.
+switch_server_cert($node, certfile => 'server-ip-cn-only');
+
+$common_connstr =
+ "$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
+
+$node->connect_ok("$common_connstr host=192.0.2.1",
+ "IP address in the Common Name");
+
+$node->connect_fails(
+ "$common_connstr host=192.000.002.001",
+ "mismatch between host name and server certificate IP address",
+ expected_stderr =>
+ qr/\Qserver certificate for "192.0.2.1" does not match host name "192.000.002.001"\E/
+);
+
+# Similarly, we'll also match an IP address in a dNSName SAN. (This is
+# long-standing behavior.)
+switch_server_cert($node, certfile => 'server-ip-in-dnsname');
+
+$node->connect_ok("$common_connstr host=192.0.2.1",
+ "IP address in a dNSName");
+
 # Test Subject Alternative Names.
 switch_server_cert($node, certfile => 'server-multiple-alt-names');
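Review bot: The dNSName case at the end of the 001_ssltests.pl hunk has only a positive `connect_ok`, whereas the Common Name case above it pairs `connect_ok` with a `connect_fails` for `host=192.000.002.001`; without the negative check the hunk never shows that an IP address in a dNSName is also matched only by exact string, which is what the comment "Similarly" implies. I'd add the mirrored `connect_fails` after the `"IP address in a dNSName"` check; the expected stderr presumably takes the same form as the CN case with the dNSName as the quoted certificate name, but that should be confirmed against libpq's actual message before pinning the regex. Separately, the `$common_connstr` reassignment restates a connection string that the surrounding tests already use; if it is identical to the value in scope before line 229 it can be dropped, though I cannot verify that from this hunk. The sslfiles.mk hunk sharing this line only extends the SERVERS list and raises nothing.
```perl
$node->connect_ok("$common_connstr host=192.0.2.1",
	"IP address in a dNSName");

$node->connect_fails(
	"$common_connstr host=192.000.002.001",
	"mismatch between host name and server certificate IP address in a dNSName",
	expected_stderr =>
	  qr/\Qserver certificate for "192.0.2.1" does not match host name "192.000.002.001"\E/
);
# … unchanged: Subject Alternative Names tests …
```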
@@ -281,7 +305,7 @@ $node->connect_fails(
 qr/\Qserver certificate for "single.alt-name.pg-ssltest.test" does not match host name "deep.subdomain.wildcard.pg-ssltest.test"\E/
 );
-# Test server certificate with a CN and SANs. Per RFCs 2818 and 6125, the CN
+# Test server certificate with a CN and DNS SANs. Per RFCs 2818 and 6125, the CN
 # should be ignored when the certificate has both.
 switch_server_cert($node, certfile => 'server-cn-and-alt-names');