File: IdentityVerificationTest.swift

//===----------------------------------------------------------------------===//
//
// This source file is part of the SwiftNIO open source project
//
// Copyright (c) 2017-2018 Apple Inc. and the SwiftNIO project authors
// Licensed under Apache License v2.0
//
// See LICENSE.txt for license information
// See CONTRIBUTORS.txt for the list of SwiftNIO project authors
//
// SPDX-License-Identifier: Apache-2.0
//
//===----------------------------------------------------------------------===//

import XCTest
import NIO
@testable import NIOSSL

/// This cert contains the following SAN fields:
/// DNS:*.wildcard.example.com - A straightforward wildcard, should be accepted
/// DNS:fo*.example.com - A suffix wildcard, should be accepted
/// DNS:*ar.example.com - A prefix wildcard, should be accepted
/// DNS:b*z.example.com - An infix wildcard, should be accepted
/// DNS:trailing.period.example.com. - A domain with a trailing period, should match
/// DNS:xn--strae-oqa.unicode.example.com. - An IDN A-label, should match.
/// DNS:xn--x*-gia.unicode.example.com. - An IDN A-label with a wildcard, invalid.
/// DNS:weirdwildcard.*.example.com. - A wildcard not in the leftmost label, invalid.
/// DNS:*.*.double.example.com. - Two wildcards, invalid.
/// DNS:*.xn--strae-oqa.example.com. - A wildcard followed by a new IDN A-label, this is fine.
/// A SAN with a null in it, should be ignored.
///
/// This also contains a commonName of httpbin.org. Because DNS SANs are present, the
/// commonName must not be consulted as a fallback, so "httpbin.org" is expected NOT to
/// match against this cert (see `testDoesNotFallBackToCNWithSans`).
///
/// Note that to get the NULL into the SAN I needed to edit it by hand, so this cert has
/// an invalid signature. Don't worry about it: it doesn't affect these tests, which only
/// exercise name matching and never verify the signature.
private let weirdoPEMCert = """
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
"""

/// Returns whether this system can resolve IPv6 addresses.
///
/// Probes the resolver with a documentation-range IPv6 literal (RFC 3849 `2001:db8::/32`).
/// A resolver that cannot handle IPv6 reports `SocketAddressError.unknown`, which is
/// mapped to `false`; any other error is propagated unchanged to the caller.
func ipv6Supported() throws -> Bool {
    let probe = Result { try SocketAddress.makeAddressResolvingHost("2001:db8::1", port: 443) }
    do {
        _ = try probe.get()
        return true
    } catch SocketAddressError.unknown {
        return false
    }
}

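/// Exercises `validIdentityForService`, the check that a server's leaf certificate
/// actually names the peer we intended to reach: by DNS name when `serverHostname`
/// is given, or by IP address (from `socketAddress`) when it is `nil`.
///
/// Every hostname-based test passes a Unix-domain socket address so that only the
/// hostname can produce a match; every IP-based test passes `serverHostname: nil`.
/// The PEM fixtures `multiSanCert`, `multiCNCert`, `unicodeCNCert` and `noCNCert`
/// are defined elsewhere in the test target; `weirdoPEMCert` is documented above.
class IdentityVerificationTest: XCTestCase {

    // MARK: - Helpers

    /// Parses a PEM fixture into the leaf certificate handed to the verifier.
    private func leafCertificate(fromPEM pem: String) throws -> NIOSSLCertificate {
        try NIOSSLCertificate(bytes: .init(pem.utf8), format: .pem)
    }

    /// A socket address that is neither IPv4 nor IPv6, so a match can only come from
    /// the hostname (or the commonName fallback), never from an IP SAN entry.
    private func nonIPSocketAddress() throws -> SocketAddress {
        try SocketAddress(unixDomainSocketPath: "/path")
    }

    /// Verifies `hostname` against the certificate in `pem` and returns the verdict.
    private func hostnameMatches(_ hostname: String, pem: String) throws -> Bool {
        try validIdentityForService(serverHostname: hostname,
                                    socketAddress: nonIPSocketAddress(),
                                    leafCertificate: leafCertificate(fromPEM: pem))
    }

    /// Verifies `address` (with no hostname at all) against the certificate in `pem`.
    private func addressMatches(_ address: SocketAddress, pem: String) throws -> Bool {
        try validIdentityForService(serverHostname: nil,
                                    socketAddress: address,
                                    leafCertificate: leafCertificate(fromPEM: pem))
    }

    /// Asserts that verifying `hostname` against `pem` yields no verdict at all but throws
    /// `NIOSSLExtraError.serverHostnameImpossibleToMatch`, with the exact description the
    /// library produces. `file`/`line` are forwarded so a failure is attributed to the
    /// calling test rather than to this helper.
    private func assertHostnameImpossibleToMatch(_ hostname: String,
                                                 pem: String,
                                                 file: StaticString = #filePath,
                                                 line: UInt = #line) throws {
        let cert = try leafCertificate(fromPEM: pem)
        XCTAssertThrowsError(try validIdentityForService(serverHostname: hostname,
                                                         socketAddress: nonIPSocketAddress(),
                                                         leafCertificate: cert),
                             file: file, line: line) { error in
            XCTAssertEqual(error as? NIOSSLExtraError, .serverHostnameImpossibleToMatch,
                           file: file, line: line)
            XCTAssertEqual(String(describing: error),
                           "NIOSSLExtraError.serverHostnameImpossibleToMatch: The server hostname \(hostname) cannot be matched due to containing non-DNS characters",
                           file: file, line: line)
        }
    }

    // MARK: - DNS names in the SAN extension (multiSanCert)

    /// A hostname equal to the first DNS SAN entry is accepted.
    func testCanValidateHostnameInFirstSan() throws {
        XCTAssertTrue(try hostnameMatches("localhost", pem: multiSanCert))
    }

    /// Matching is not limited to the first entry: the second DNS SAN is accepted too.
    func testCanValidateHostnameInSecondSan() throws {
        XCTAssertTrue(try hostnameMatches("example.com", pem: multiSanCert))
    }

    /// A fully-qualified hostname with a trailing period still matches the SAN without one.
    func testIgnoresTrailingPeriod() throws {
        XCTAssertTrue(try hostnameMatches("example.com.", pem: multiSanCert))
    }

    /// DNS names are case-insensitive, so a mixed-case hostname matches a lowercase SAN.
    func testLowercasesHostnameForSan() throws {
        XCTAssertTrue(try hostnameMatches("LoCaLhOsT", pem: multiSanCert))
    }

    /// A hostname present in none of the SAN entries is rejected.
    func testRejectsIncorrectHostname() throws {
        XCTAssertFalse(try hostnameMatches("httpbin.org", pem: multiSanCert))
    }

    // MARK: - IP addresses in the SAN extension (multiSanCert)

    /// With no hostname, an IPv4 peer address listed as an IP SAN is accepted.
    func testAcceptsIpv4Address() throws {
        let address = try SocketAddress.makeAddressResolvingHost("192.168.0.1", port: 443)
        XCTAssertTrue(try addressMatches(address, pem: multiSanCert))
    }

    /// With no hostname, an IPv6 peer address listed as an IP SAN is accepted.
    /// Reported as skipped (not silently passed) where the resolver lacks IPv6 support.
    func testAcceptsIpv6Address() throws {
        try XCTSkipUnless(try ipv6Supported(), "IPv6 resolution is not available on this system")
        let address = try SocketAddress.makeAddressResolvingHost("2001:db8::1", port: 443)
        XCTAssertTrue(try addressMatches(address, pem: multiSanCert))
    }

    /// An IPv4 peer address that differs from the IP SAN is rejected.
    func testRejectsIncorrectIpv4Address() throws {
        let address = try SocketAddress.makeAddressResolvingHost("192.168.0.2", port: 443)
        XCTAssertFalse(try addressMatches(address, pem: multiSanCert))
    }

    /// An IPv6 peer address that differs from the IP SAN is rejected.
    /// Reported as skipped (not silently passed) where the resolver lacks IPv6 support.
    func testRejectsIncorrectIpv6Address() throws {
        try XCTSkipUnless(try ipv6Supported(), "IPv6 resolution is not available on this system")
        let address = try SocketAddress.makeAddressResolvingHost("2001:db8::2", port: 443)
        XCTAssertFalse(try addressMatches(address, pem: multiSanCert))
    }

    // MARK: - Wildcards (weirdoPEMCert)

    /// `*.wildcard.example.com` matches a single leftmost label.
    func testAcceptsWildcards() throws {
        XCTAssertTrue(try hostnameMatches("this.wildcard.example.com", pem: weirdoPEMCert))
    }

    /// `fo*.example.com` matches a label that starts with the literal prefix.
    func testAcceptsSuffixWildcard() throws {
        XCTAssertTrue(try hostnameMatches("foo.example.com", pem: weirdoPEMCert))
    }

    /// `*ar.example.com` matches a label that ends with the literal suffix.
    func testAcceptsPrefixWildcard() throws {
        XCTAssertTrue(try hostnameMatches("bar.example.com", pem: weirdoPEMCert))
    }

    /// `b*z.example.com` matches a label with the literal prefix and suffix.
    func testAcceptsInfixWildcard() throws {
        XCTAssertTrue(try hostnameMatches("baz.example.com", pem: weirdoPEMCert))
    }

    /// A SAN entry written with a trailing period matches a hostname without one.
    func testIgnoresTrailingPeriodInCert() throws {
        XCTAssertTrue(try hostnameMatches("trailing.period.example.com", pem: weirdoPEMCert))
    }

    // MARK: - Internationalised domain names (weirdoPEMCert)

    /// A hostname given as a U-label (raw "straße") contains non-DNS characters and is
    /// refused outright rather than compared. Despite this test's name, the hostname here
    /// is the *unencoded* form; the A-label form is covered by the next test.
    func testRejectsEncodedIDNALabel() throws {
        try assertHostnameImpossibleToMatch("straße.unicode.example.com", pem: weirdoPEMCert)
    }

    /// The A-label (`xn--strae-oqa`) form of the same name matches its SAN entry.
    func testMatchesUnencodedIDNALabel() throws {
        XCTAssertTrue(try hostnameMatches("xn--strae-oqa.unicode.example.com", pem: weirdoPEMCert))
    }

    /// A wildcard inside an A-label (`xn--x*-gia`) is invalid and never matches.
    func testDoesNotMatchIDNALabelWithWildcard() throws {
        XCTAssertFalse(try hostnameMatches("xn--xx-gia.unicode.example.com", pem: weirdoPEMCert))
    }

    /// A wildcard that is not in the leftmost label (`weirdwildcard.*.example.com`) never matches.
    func testDoesNotMatchNonLeftmostWildcards() throws {
        XCTAssertFalse(try hostnameMatches("weirdwildcard.nomatch.example.com", pem: weirdoPEMCert))
    }

    /// A SAN entry with two wildcards (`*.*.double.example.com`) never matches.
    func testDoesNotMatchMultipleWildcards() throws {
        XCTAssertFalse(try hostnameMatches("one.two.double.example.com", pem: weirdoPEMCert))
    }

    /// A U-label anywhere in the hostname, even under a wildcard, is refused outright.
    func testRejectsWildcardBeforeUnencodedIDNALabel() throws {
        try assertHostnameImpossibleToMatch("foo.straße.example.com", pem: weirdoPEMCert)
    }

    /// A wildcard followed by an A-label (`*.xn--strae-oqa.example.com`) matches normally.
    func testMatchesWildcardBeforeEncodedIDNALabel() throws {
        XCTAssertTrue(try hostnameMatches("foo.xn--strae-oqa.example.com", pem: weirdoPEMCert))
    }

    /// A hostname containing an embedded NUL is refused outright; it must never be able to
    /// match the hand-edited NUL-bearing SAN entry in the certificate.
    func testDoesNotMatchSANWithEmbeddedNULL() throws {
        try assertHostnameImpossibleToMatch("nul\u{0000}l.example.com", pem: weirdoPEMCert)
    }

    // MARK: - commonName fallback (multiCNCert, unicodeCNCert, noCNCert)

    /// Without any SAN extension the commonName is consulted and can match.
    func testFallsBackToCommonName() throws {
        XCTAssertTrue(try hostnameMatches("localhost", pem: multiCNCert))
    }

    /// The commonName comparison is case-insensitive, like the SAN comparison.
    func testLowercasesForCommonName() throws {
        XCTAssertTrue(try hostnameMatches("LoCaLhOsT", pem: multiCNCert))
    }

    /// A U-label hostname is refused outright even when only a commonName is available.
    func testRejectsUnicodeCommonNameWithUnencodedIDNALabel() throws {
        try assertHostnameImpossibleToMatch("straße.org", pem: unicodeCNCert)
    }

    /// An A-label hostname does not match a commonName that holds the raw Unicode form.
    func testRejectsUnicodeCommonNameWithEncodedIDNALabel() throws {
        XCTAssertFalse(try hostnameMatches("xn--strae-oqa.org", pem: unicodeCNCert))
    }

    /// A certificate with neither SANs nor a commonName matches nothing (and does not crash).
    func testHandlesMissingCommonName() throws {
        XCTAssertFalse(try hostnameMatches("localhost", pem: noCNCert))
    }

    /// When DNS SANs are present the commonName is ignored entirely, so the
    /// `httpbin.org` CN of `weirdoPEMCert` must not rescue a hostname absent from the SANs.
    func testDoesNotFallBackToCNWithSans() throws {
        XCTAssertFalse(try hostnameMatches("httpbin.org", pem: weirdoPEMCert))
    }
}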