File: hostname_validation_spec.cr

package info (click to toggle)
crystal 1.14.0%2Bdfsg-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 24,384 kB
  • sloc: javascript: 6,400; sh: 695; makefile: 269; ansic: 121; python: 105; cpp: 77; xml: 32
file content (100 lines) | stat: -rw-r--r-- 7,820 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
 
require "spec"
require "openssl/ssl/hostname_validation"

private def openssl_create_cert(subject = nil, san = nil)
  cert = OpenSSL::X509::Certificate.new
  cert.subject = subject if subject
  cert.add_extension(OpenSSL::X509::Extension.new("subjectAltName", san)) if san
  cert.to_unsafe
end

describe OpenSSL::SSL::HostnameValidation do
  describe "validate_hostname" do
    it "matches IP from certificate SAN entries" do
      OpenSSL::SSL::HostnameValidation.validate_hostname("192.168.1.1", openssl_create_cert(san: "IP:192.168.1.1")).should eq(OpenSSL::SSL::HostnameValidation::Result::MatchFound)
      OpenSSL::SSL::HostnameValidation.validate_hostname("192.168.1.2", openssl_create_cert(san: "IP:192.168.1.1")).should eq(OpenSSL::SSL::HostnameValidation::Result::MatchNotFound)
      OpenSSL::SSL::HostnameValidation.validate_hostname("::1", openssl_create_cert(san: "IP:::1")).should eq(OpenSSL::SSL::HostnameValidation::Result::MatchFound)
      OpenSSL::SSL::HostnameValidation.validate_hostname("::1", openssl_create_cert(san: "IP:::2")).should eq(OpenSSL::SSL::HostnameValidation::Result::MatchNotFound)
      OpenSSL::SSL::HostnameValidation.validate_hostname("0:0:0:0:0:0:0:1", openssl_create_cert(san: "IP:::1")).should eq(OpenSSL::SSL::HostnameValidation::Result::MatchFound)
      OpenSSL::SSL::HostnameValidation.validate_hostname("fe80:0:0:0:0:0:0:1", openssl_create_cert(san: "IP:fe80::1")).should eq(OpenSSL::SSL::HostnameValidation::Result::MatchFound)
      OpenSSL::SSL::HostnameValidation.validate_hostname("fe80:0:0:0:0:0:0:2", openssl_create_cert(san: "IP:fe80::1")).should eq(OpenSSL::SSL::HostnameValidation::Result::MatchNotFound)
      OpenSSL::SSL::HostnameValidation.validate_hostname("fe80:0:1", openssl_create_cert(san: "IP:fe80:0::1")).should eq(OpenSSL::SSL::HostnameValidation::Result::MatchNotFound)
      OpenSSL::SSL::HostnameValidation.validate_hostname("fe80::0:1", openssl_create_cert(san: "IP:fe80:0::1")).should eq(OpenSSL::SSL::HostnameValidation::Result::MatchFound)
    end

    it "matches domains from certificate SAN entries" do
      OpenSSL::SSL::HostnameValidation.validate_hostname("example.com", openssl_create_cert(san: "DNS:example.com")).should eq(OpenSSL::SSL::HostnameValidation::Result::MatchFound)
      OpenSSL::SSL::HostnameValidation.validate_hostname("example.org", openssl_create_cert(san: "DNS:example.com")).should eq(OpenSSL::SSL::HostnameValidation::Result::MatchNotFound)
      OpenSSL::SSL::HostnameValidation.validate_hostname("foo.example.com", openssl_create_cert(san: "DNS:*.example.com")).should eq(OpenSSL::SSL::HostnameValidation::Result::MatchFound)
    end

    it "verifies all SAN entries" do
      OpenSSL::SSL::HostnameValidation.validate_hostname("example.com", openssl_create_cert(san: "DNS:example.com,DNS:example.org")).should eq(OpenSSL::SSL::HostnameValidation::Result::MatchFound)
      OpenSSL::SSL::HostnameValidation.validate_hostname("10.0.3.1", openssl_create_cert(san: "IP:192.168.1.1,IP:10.0.3.1")).should eq(OpenSSL::SSL::HostnameValidation::Result::MatchFound)
      OpenSSL::SSL::HostnameValidation.validate_hostname("example.com", openssl_create_cert(san: "IP:192.168.1.1,DNS:example.com")).should eq(OpenSSL::SSL::HostnameValidation::Result::MatchFound)
    end

    it "falls back to CN entry (unless SAN entry is defined)" do
      OpenSSL::SSL::HostnameValidation.validate_hostname("example.com", openssl_create_cert(subject: "CN=example.com")).should eq(OpenSSL::SSL::HostnameValidation::Result::MatchFound)
      OpenSSL::SSL::HostnameValidation.validate_hostname("example.com", openssl_create_cert(san: "DNS:example.org", subject: "CN=example.com")).should eq(OpenSSL::SSL::HostnameValidation::Result::MatchNotFound)
      OpenSSL::SSL::HostnameValidation.validate_hostname("example.org", openssl_create_cert(san: "DNS:example.org", subject: "CN=example.com")).should eq(OpenSSL::SSL::HostnameValidation::Result::MatchFound)
    end
  end

  describe "matches_hostname?" do
    it "skips trailing dot" do
      OpenSSL::SSL::HostnameValidation.matches_hostname?("example.com.", "example.com").should be_true
      OpenSSL::SSL::HostnameValidation.matches_hostname?("example.com", "example.com.").should be_true
      OpenSSL::SSL::HostnameValidation.matches_hostname?(".example.com", "example.com").should be_false
      OpenSSL::SSL::HostnameValidation.matches_hostname?("example.com", ".example.com").should be_false
    end

    it "normalizes case" do
      OpenSSL::SSL::HostnameValidation.matches_hostname?("exAMPLE.cOM", "EXample.Com").should be_true
    end

    it "literal matches" do
      OpenSSL::SSL::HostnameValidation.matches_hostname?("example.com", "example.com").should be_true
      OpenSSL::SSL::HostnameValidation.matches_hostname?("example.com", "www.example.com").should be_false
      OpenSSL::SSL::HostnameValidation.matches_hostname?("www.example.com", "www.example.com").should be_true
      OpenSSL::SSL::HostnameValidation.matches_hostname?("foo.bar.example.com", "bar.example.com").should be_false
      OpenSSL::SSL::HostnameValidation.matches_hostname?("foo.bar.example.com", "foo.bar.example.com").should be_true
    end

    it "wildcard matches according to RFC 6125, section 6.4.3" do
      OpenSSL::SSL::HostnameValidation.matches_hostname?("*.com", "example.com").should be_false
      OpenSSL::SSL::HostnameValidation.matches_hostname?("bar.*.example.com", "bar.foo.example.com").should be_false

      OpenSSL::SSL::HostnameValidation.matches_hostname?("*.example.com", "foo.example.com").should be_true
      OpenSSL::SSL::HostnameValidation.matches_hostname?("*.example.com", "foo.example.org").should be_false
      OpenSSL::SSL::HostnameValidation.matches_hostname?("*.example.com", "bar.foo.example.com").should be_false

      OpenSSL::SSL::HostnameValidation.matches_hostname?("baz*.example.com", "baz1.example.com").should be_true
      OpenSSL::SSL::HostnameValidation.matches_hostname?("baz*.example.com", "baz.example.com").should be_false

      OpenSSL::SSL::HostnameValidation.matches_hostname?("*baz.example.com", "foobaz.example.com").should be_true
      OpenSSL::SSL::HostnameValidation.matches_hostname?("*baz.example.com", "baz.example.com").should be_false

      OpenSSL::SSL::HostnameValidation.matches_hostname?("b*z.example.com", "buzz.example.com").should be_true
      OpenSSL::SSL::HostnameValidation.matches_hostname?("b*z.example.com", "bz.example.com").should be_false

      OpenSSL::SSL::HostnameValidation.matches_hostname?("192.168.0.1", "192.168.0.1").should be_true
      OpenSSL::SSL::HostnameValidation.matches_hostname?("*.168.0.1", "192.168.0.1").should be_false
    end

    it "matches IDNA label" do
      OpenSSL::SSL::HostnameValidation.matches_hostname?("*.example.org", "xn--kcry6tjko.example.org").should be_true
      OpenSSL::SSL::HostnameValidation.matches_hostname?("*.xn--kcry6tjko.example.org", "foo.xn--kcry6tjko.example.org").should be_true
      OpenSSL::SSL::HostnameValidation.matches_hostname?("xn--*.example.org", "xn--kcry6tjko.example.org").should be_false
      OpenSSL::SSL::HostnameValidation.matches_hostname?("xn--kcry6tjko*.example.org", "xn--kcry6tjkofoo.example.org").should be_false
    end

    it "matches leading dot" do
      OpenSSL::SSL::HostnameValidation.matches_hostname?(".example.org", "example.org").should be_false
      OpenSSL::SSL::HostnameValidation.matches_hostname?(".example.org", "xn--kcry6tjko.example.org").should be_true
      OpenSSL::SSL::HostnameValidation.matches_hostname?(".example.org", "foo.example.org").should be_true
      OpenSSL::SSL::HostnameValidation.matches_hostname?(".example.org", "foo.bar.example.org").should be_true
      OpenSSL::SSL::HostnameValidation.matches_hostname?(".example.org", "foo.example.com").should be_false
    end
  end
end