From dab3bdde61ab84c7ed6efc780477b4a2c76b9591 Mon Sep 17 00:00:00 2001 From: Yihua Zhang Date: Mon, 5 Aug 2019 14:42:50 -0700 Subject: [PATCH 1/3] recongize URI and email address SAN fields --- src/core/tsi/ssl_transport_security.cc | 18 +++++++++---- src/core/tsi/ssl_transport_security.h | 4 +++ src/core/tsi/test_creds/multi-domain.key | 27 ++++++++++++++++++++ src/core/tsi/test_creds/multi-domain.pem | 23 +++++++++++++++++ test/core/tsi/ssl_transport_security_test.cc | 21 +++++++++++++++ 5 files changed, 88 insertions(+), 5 deletions(-) create mode 100644 src/core/tsi/test_creds/multi-domain.key create mode 100644 src/core/tsi/test_creds/multi-domain.pem diff --git a/src/core/tsi/ssl_transport_security.cc b/src/core/tsi/ssl_transport_security.cc index d3c8982c847..f3982fa1caa 100644 --- a/src/core/tsi/ssl_transport_security.cc +++ b/src/core/tsi/ssl_transport_security.cc @@ -350,11 +350,19 @@ static tsi_result add_subject_alt_names_properties_to_peer( for (i = 0; i < subject_alt_name_count; i++) { GENERAL_NAME* subject_alt_name = sk_GENERAL_NAME_value(subject_alt_names, TSI_SIZE_AS_SIZE(i)); - /* Filter out the non-dns entries names. */ - if (subject_alt_name->type == GEN_DNS) { + if (subject_alt_name->type == GEN_DNS || + subject_alt_name->type == GEN_EMAIL || + subject_alt_name->type == GEN_URI) { unsigned char* name = nullptr; int name_size; - name_size = ASN1_STRING_to_UTF8(&name, subject_alt_name->d.dNSName); + if (subject_alt_name->type == GEN_DNS) { + name_size = ASN1_STRING_to_UTF8(&name, subject_alt_name->d.dNSName); + } else if (subject_alt_name->type == GEN_EMAIL) { + name_size = ASN1_STRING_to_UTF8(&name, subject_alt_name->d.rfc822Name); + } else { + name_size = ASN1_STRING_to_UTF8( + &name, subject_alt_name->d.uniformResourceIdentifier); + } if (name_size < 0) { gpr_log(GPR_ERROR, "Could not get utf8 from asn1 string."); result = TSI_INTERNAL_ERROR; 
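Review bot: The widened filter in add_subject_alt_names_properties_to_peer sends rfc822Name and URI entries down the same path as dNSName values, so they appear to end up under the same subject-alt-name peer property; the code that builds the property is outside the hunk, so this is inferred. A consumer that walks those properties to match a host name can then no longer tell a DNS name from an email address or a URI, which widens what a certificate can assert as a host identity. Either keep host matching restricted to GEN_DNS entries or record the SAN type next to the value. At minimum, document it at the filter: `/* Email and URI SANs are exported too; callers doing host-name checks must not treat them as DNS names. */`. The function starts and ends outside this hunk.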
@@ -703,8 +711,8 @@ static tsi_result populate_ssl_context( } /* Extracts the CN and the SANs from an X509 cert as a peer object. */ -static tsi_result extract_x509_subject_names_from_pem_cert(const char* pem_cert, - tsi_peer* peer) { +tsi_result extract_x509_subject_names_from_pem_cert(const char* pem_cert, + tsi_peer* peer) { tsi_result result = TSI_OK; X509* cert = nullptr; BIO* pem; diff --git a/src/core/tsi/ssl_transport_security.h b/src/core/tsi/ssl_transport_security.h index 0203141e56e..638c088442c 100644 --- a/src/core/tsi/ssl_transport_security.h +++ b/src/core/tsi/ssl_transport_security.h @@ -332,4 +332,8 @@ const tsi_ssl_handshaker_factory_vtable* tsi_ssl_handshaker_factory_swap_vtable( tsi_ssl_handshaker_factory* factory, tsi_ssl_handshaker_factory_vtable* new_vtable); +/* Exposed for testing only. */ +tsi_result extract_x509_subject_names_from_pem_cert(const char* pem_cert, + tsi_peer* peer); + #endif /* GRPC_CORE_TSI_SSL_TRANSPORT_SECURITY_H */ diff --git a/src/core/tsi/test_creds/multi-domain.key b/src/core/tsi/test_creds/multi-domain.key new file mode 100644 index 00000000000..59008191888 --- /dev/null +++ b/src/core/tsi/test_creds/multi-domain.key 
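Review bot: The declaration added to ssl_transport_security.h is documented only as `/* Exposed for testing only. */`, which says nothing about the output parameter or who releases it. The definition's own comment says it extracts the CN and the SANs into a peer object, and the test in patch 2/3 calls tsi_peer_destruct on the result, which suggests the caller owns the peer on success. I would state that in the header: `/* Exposed for testing only. Parses pem_cert and fills *peer with the CN, the PEM and the SAN entries; on TSI_OK the caller must release *peer with tsi_peer_destruct(). */`. The same applies to the renamed declaration in patch 2/3.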
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEA1e+GwyVNsoKu7PqvOf/EubN45rB5o5PQF9A5fBPpiBtKZdvb +bOouGlulRwaMQOLDZi9M6l/AhE1b207+iSBTn9jSQT0elaYwVtKgb/qoehQjFAG8 +BckPmA9E4SDx2Ug9AtV3rTVs4V2yaDHNSfDSXQ2PS9fuIx7FK5mMnUM2fjskcZqu +HV5f8McXEtvpuTktnb+KDgETO0Cdu3+rf/RtraTuKZb0kmAgf+KaNWDL2j5QsFKa +6sT4812Vfwaevm9qKOtzgAFobCwdVt+Ap/B0XWj4CmzJMPN/SXESluoBHszmTi6Q +mkTEzYbzmD/ObyTxXVKu46kRVmJKXh6BE1wk2QIDAQABAoIBAQDPpS8OFhT14LXc +Oez9xGyzOaltb3iA9qURl/9TmRggDS0G9IBjlGCvIKio6YgUKoUxl1N2YP3A7Dzt +/hw8CG5iRda9j48x/R4KB2HFjmscIpNxhcVzcBV8p8VZJdrX5K+jIoKIUcSecY0K +aNwymlX0D4c4PBtdZy5FBUJgGa64kPQqd+1Ha4cKgD9+oZzSo5Me04cGV7gWqBGt +qY9KL9j8RGA5m+CHu4Qi2ZXnFlkeH/teXuH5AhFzxeYZG4ZwtXCTjNXxQelVNbYw +mIOnADvd+RhJoeLZnGdM/gyFfLpJW6rtqva9l4h2qxKxnO3CcYHwac475wE49ukv +qx027fopAoGBAPTXRsXRHnK+ZZbj1mafFXeM4G+f8QMLxaSP/za6uYKd1BihXurr +NUhYCQ+d6E+HXnCsYQcfR4AMTSqZRA2XImW4ZW8HRog+OBOn9LDaRcvqlqenKs/Z +IoOUqaqVTqNF2ukkH4usnBugPvdxiqtIGXCBFlS0st+PwIoBtRYD0u6bAoGBAN+v +qElfO/LOjzYWsV6bUSxWRp1XFnfxujitkcYbai+AnBITvZ6BcPfcATQ9IIp42HKk +vQ5PVViN2eCzB0R4I09fSOk/1PPGQM/jzgDQ5Q7zy644ee/lPbryKeFbCOxQtQ50 +0ZRHmQmUW/L9FmNxW1Dx0wcicMC2Bq+VnXvkHVebAoGBAMChpxL4Boasee0PcJ3o +x9D5S5NHOS32Uxe4G0mJ+25ikn6WZ8FYMOGsMeTRjfcUQB9R4DzkRTLfes7rKvmu +UOfK/jMufDWxDhmY6RFDiep3tPROt4Y0Bc2UZzDIq8gVq7gGLbOMqH2rxB6WfE1q +Ommjhlg6mwj9ZrStxzV86LXFAoGAISX22miyiZjywCE8x7hcnyVp8YcmXUAFSMDw +CVumsMNuXX9vaj3kb9a6lvM4D005RkQDgEtham4bC6F8QjlLgkeslmRPOpD2qdgo +fxZ123Fljbvw1gwyybF5Y1wKRnrvWeUV6dNyamkB91BqMPJrheNQUo5YBzbyZrLV +U7bKYmECgYEAj7ekhtCiIUMih8noMfpHR0lJG4VhdfqiVL+w25CgnpZJDa6o7pYD +F5fMivdfdKaSAOA5mUGN5u6NrTpfFKhHDucpIOM2+WGOzbbWEc/gEDQ/xEyPEhxj +t4ErMTByrDGKtGuaolNYzAU0SSbCnAAH3L2MRChC9Qv7f5ZVOZX1GPQ= +-----END RSA PRIVATE KEY----- diff --git a/src/core/tsi/test_creds/multi-domain.pem b/src/core/tsi/test_creds/multi-domain.pem new file mode 100644 index 00000000000..c60d2baef6e --- /dev/null +++ b/src/core/tsi/test_creds/multi-domain.pem 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwDCCAqigAwIBAgIUYSe4/8nE/RVUX7e7QeyCmqPWd6AwDQYJKoZIhvcNAQEL +BQAwODELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjEPMA0G +A1UECwwGR29vZ2xlMB4XDTE5MDgwNTE4MDYwNVoXDTIwMDgwNDE4MDYwNVowODEL +MAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjEPMA0GA1UECwwG +R29vZ2xlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1e+GwyVNsoKu +7PqvOf/EubN45rB5o5PQF9A5fBPpiBtKZdvbbOouGlulRwaMQOLDZi9M6l/AhE1b +207+iSBTn9jSQT0elaYwVtKgb/qoehQjFAG8BckPmA9E4SDx2Ug9AtV3rTVs4V2y +aDHNSfDSXQ2PS9fuIx7FK5mMnUM2fjskcZquHV5f8McXEtvpuTktnb+KDgETO0Cd +u3+rf/RtraTuKZb0kmAgf+KaNWDL2j5QsFKa6sT4812Vfwaevm9qKOtzgAFobCwd +Vt+Ap/B0XWj4CmzJMPN/SXESluoBHszmTi6QmkTEzYbzmD/ObyTxXVKu46kRVmJK +Xh6BE1wk2QIDAQABo4HBMIG+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMIGjBgNV +HREEgZswgZiCE2Zvby50ZXN0LmRvbWFpbi5jb22CE2Jhci50ZXN0LmRvbWFpbi5j +b22GIGh0dHBzOi8vZm9vLnRlc3QuZG9tYWluLmNvbS90ZXN0hiBodHRwczovL2Jh +ci50ZXN0LmRvbWFpbi5jb20vdGVzdIETZm9vQHRlc3QuZG9tYWluLmNvbYETYmFy +QHRlc3QuZG9tYWluLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAzBhVGeqIntQs9qpK +xGOjpFTBMzCjYORNAq09Otkc/IBwtPOq0K2as7fp6Vr5DRStN7hDSBrMjZh+XujY +3GNEv4pIR5fWwrZg/fnNyG5BIUhdq/qtC3JAMqBjno3OJjg1t4KzS4l+ozHeevJA +qT9t6aodsn1r7w89MfAVGPIw7D3n9n5N4z2b/co17W8B0RyMWX2PmQWkEqn7kId/ +Jj+hmw2n9UV1IU3xhcepxG+wzjFLIB9nsDwgtZogK6f5p9FFBG8raqk6QhVSlRgh +JmNqmK5+hyUy1zbjGqgfM5eVmQ/A3qWVQTrk3HeTr2hO9GoBHeXQfinjlIhnbbtJ +xouhvA== +-----END CERTIFICATE----- diff --git a/test/core/tsi/ssl_transport_security_test.cc b/test/core/tsi/ssl_transport_security_test.cc index 5985b0ecaa5..014127a3042 100644 --- a/test/core/tsi/ssl_transport_security_test.cc +++ b/test/core/tsi/ssl_transport_security_test.cc 
@@ -790,6 +790,26 @@ void ssl_tsi_test_duplicate_root_certificates() { gpr_free(dup_root_cert); } +void ssl_tsi_test_uri_email_subject_alt_names() { + char* cert = load_file(SSL_TSI_TEST_CREDENTIALS_DIR, "multi-domain.pem"); + tsi_peer peer; + GPR_ASSERT(extract_x509_subject_names_from_pem_cert(cert, &peer) == TSI_OK); + // One for common name, one for certificate, and six for SAN fields. + size_t expected_property_count = 8; + GPR_ASSERT(peer.property_count == expected_property_count); + // Check DNS + GPR_ASSERT(check_subject_alt_name(&peer, "foo.test.domain.com") == 1); + GPR_ASSERT(check_subject_alt_name(&peer, "bar.test.domain.com") == 1); + // Check URI + GPR_ASSERT( + check_subject_alt_name(&peer, "https://foo.test.domain.com/test") == 1); + GPR_ASSERT( + check_subject_alt_name(&peer, "https://bar.test.domain.com/test") == 1); + // Check email address + GPR_ASSERT(check_subject_alt_name(&peer, "foo@test.domain.com") == 1); + GPR_ASSERT(check_subject_alt_name(&peer, "bar@test.domain.com") == 1); +} + int main(int argc, char** argv) { grpc::testing::TestEnvironment env(argc, argv); grpc_init(); @@ -815,6 +835,7 @@ int main(int argc, char** argv) { ssl_tsi_test_do_round_trip_odd_buffer_size(); ssl_tsi_test_handshaker_factory_internals(); ssl_tsi_test_duplicate_root_certificates(); + ssl_tsi_test_uri_email_subject_alt_names(); grpc_shutdown(); return 0; } From 8a301a438ac0dfd4311157bd3e62f6880bc19ede Mon Sep 17 00:00:00 2001 From: Yihua Zhang Date: Wed, 7 Aug 2019 14:33:09 -0700 Subject: [PATCH 2/3] revision 1 --- src/core/tsi/ssl_transport_security.cc | 6 +-- src/core/tsi/ssl_transport_security.h | 4 +- src/core/tsi/test_creds/multi-domain.key | 50 ++++++++++---------- src/core/tsi/test_creds/multi-domain.pem | 42 ++++++++-------- test/core/tsi/ssl_transport_security_test.cc | 21 ++++++-- 5 files changed, 69 insertions(+), 54 deletions(-) 
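Review bot: The new test reads only `multi-domain.pem` through load_file, yet the series also commits `multi-domain.key`, an RSA private key that none of the visible hunks ever load. Key material that no test needs is best left out of the tree: it trips secret scanners and invites reuse outside tests. Unless a later test needs it, I would drop `multi-domain.key` together with its two BUILD entries from patch 3/3. If it stays, say so next to the load: `// Only the certificate is parsed here; multi-domain.key is test-only and not used by this test.`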
diff --git a/src/core/tsi/ssl_transport_security.cc b/src/core/tsi/ssl_transport_security.cc index f3982fa1caa..32a96b23f29 100644 --- a/src/core/tsi/ssl_transport_security.cc +++ b/src/core/tsi/ssl_transport_security.cc @@ -711,8 +711,8 @@ static tsi_result populate_ssl_context( } /* Extracts the CN and the SANs from an X509 cert as a peer object. */ -tsi_result extract_x509_subject_names_from_pem_cert(const char* pem_cert, - tsi_peer* peer) { +tsi_result tsi_ssl_extract_x509_subject_names_from_pem_cert( + const char* pem_cert, tsi_peer* peer) { tsi_result result = TSI_OK; X509* cert = nullptr; BIO* pem; @@ -1890,7 +1890,7 @@ tsi_result tsi_create_ssl_server_handshaker_factory_with_options( } /* TODO(jboeuf): Add revocation verification. */ - result = extract_x509_subject_names_from_pem_cert( + result = tsi_ssl_extract_x509_subject_names_from_pem_cert( options->pem_key_cert_pairs[i].cert_chain, &impl->ssl_context_x509_subject_names[i]); if (result != TSI_OK) break; diff --git a/src/core/tsi/ssl_transport_security.h b/src/core/tsi/ssl_transport_security.h index 638c088442c..04f038ac3b4 100644 --- a/src/core/tsi/ssl_transport_security.h +++ b/src/core/tsi/ssl_transport_security.h @@ -333,7 +333,7 @@ const tsi_ssl_handshaker_factory_vtable* tsi_ssl_handshaker_factory_swap_vtable( tsi_ssl_handshaker_factory_vtable* new_vtable); /* Exposed for testing only. */ -tsi_result extract_x509_subject_names_from_pem_cert(const char* pem_cert, - tsi_peer* peer); +tsi_result tsi_ssl_extract_x509_subject_names_from_pem_cert( + const char* pem_cert, tsi_peer* peer); #endif /* GRPC_CORE_TSI_SSL_TRANSPORT_SECURITY_H */ diff --git a/src/core/tsi/test_creds/multi-domain.key b/src/core/tsi/test_creds/multi-domain.key index 59008191888..74e8122e186 100644 --- a/src/core/tsi/test_creds/multi-domain.key +++ b/src/core/tsi/test_creds/multi-domain.key 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEA1e+GwyVNsoKu7PqvOf/EubN45rB5o5PQF9A5fBPpiBtKZdvb -bOouGlulRwaMQOLDZi9M6l/AhE1b207+iSBTn9jSQT0elaYwVtKgb/qoehQjFAG8 -BckPmA9E4SDx2Ug9AtV3rTVs4V2yaDHNSfDSXQ2PS9fuIx7FK5mMnUM2fjskcZqu -HV5f8McXEtvpuTktnb+KDgETO0Cdu3+rf/RtraTuKZb0kmAgf+KaNWDL2j5QsFKa -6sT4812Vfwaevm9qKOtzgAFobCwdVt+Ap/B0XWj4CmzJMPN/SXESluoBHszmTi6Q -mkTEzYbzmD/ObyTxXVKu46kRVmJKXh6BE1wk2QIDAQABAoIBAQDPpS8OFhT14LXc -Oez9xGyzOaltb3iA9qURl/9TmRggDS0G9IBjlGCvIKio6YgUKoUxl1N2YP3A7Dzt -/hw8CG5iRda9j48x/R4KB2HFjmscIpNxhcVzcBV8p8VZJdrX5K+jIoKIUcSecY0K -aNwymlX0D4c4PBtdZy5FBUJgGa64kPQqd+1Ha4cKgD9+oZzSo5Me04cGV7gWqBGt -qY9KL9j8RGA5m+CHu4Qi2ZXnFlkeH/teXuH5AhFzxeYZG4ZwtXCTjNXxQelVNbYw -mIOnADvd+RhJoeLZnGdM/gyFfLpJW6rtqva9l4h2qxKxnO3CcYHwac475wE49ukv -qx027fopAoGBAPTXRsXRHnK+ZZbj1mafFXeM4G+f8QMLxaSP/za6uYKd1BihXurr -NUhYCQ+d6E+HXnCsYQcfR4AMTSqZRA2XImW4ZW8HRog+OBOn9LDaRcvqlqenKs/Z -IoOUqaqVTqNF2ukkH4usnBugPvdxiqtIGXCBFlS0st+PwIoBtRYD0u6bAoGBAN+v -qElfO/LOjzYWsV6bUSxWRp1XFnfxujitkcYbai+AnBITvZ6BcPfcATQ9IIp42HKk -vQ5PVViN2eCzB0R4I09fSOk/1PPGQM/jzgDQ5Q7zy644ee/lPbryKeFbCOxQtQ50 -0ZRHmQmUW/L9FmNxW1Dx0wcicMC2Bq+VnXvkHVebAoGBAMChpxL4Boasee0PcJ3o -x9D5S5NHOS32Uxe4G0mJ+25ikn6WZ8FYMOGsMeTRjfcUQB9R4DzkRTLfes7rKvmu -UOfK/jMufDWxDhmY6RFDiep3tPROt4Y0Bc2UZzDIq8gVq7gGLbOMqH2rxB6WfE1q -Ommjhlg6mwj9ZrStxzV86LXFAoGAISX22miyiZjywCE8x7hcnyVp8YcmXUAFSMDw -CVumsMNuXX9vaj3kb9a6lvM4D005RkQDgEtham4bC6F8QjlLgkeslmRPOpD2qdgo -fxZ123Fljbvw1gwyybF5Y1wKRnrvWeUV6dNyamkB91BqMPJrheNQUo5YBzbyZrLV -U7bKYmECgYEAj7ekhtCiIUMih8noMfpHR0lJG4VhdfqiVL+w25CgnpZJDa6o7pYD -F5fMivdfdKaSAOA5mUGN5u6NrTpfFKhHDucpIOM2+WGOzbbWEc/gEDQ/xEyPEhxj -t4ErMTByrDGKtGuaolNYzAU0SSbCnAAH3L2MRChC9Qv7f5ZVOZX1GPQ= +MIIEpAIBAAKCAQEAtCJ7xmvXxypNx7d6vV9YWZ3SHtm7+OrnDP9LBokGvpkIUloJ +q6IJxVQPTepJWM7JfXGtWgkdfmUCZjswlQmvbCJSYA8+Y76Sm9M6sf26RsMayxXU +ozWdw227frCpQt2ybor7qOLBBbQ30XbsdxPIwlrJst9Shleey93g56EDkhZWQQMN +8cciakv9zUz6GwRu3XtK4KGtWb3VpsOhf8WAoVQ05o4Cevz3LrY7NcZj2IvIna5V 
++E5QxQnRXpd5gNzyE1rbzN3pXmHk2SShGI7sEqgo9HOfu7EufwsfmaCXbuCNGhlS +4YfJvuqZ7ElijUbMnYu3eGKWfjymfp/7qHu87wIDAQABAoIBAQCtgU2BaJy1XN0A +Uo1p3G2IHEioqIazEuesEDaeu9uAOHzYfZs082W/6OC45sLxRHS1XIph38fF19tA +xyBbXbHXURPRLL2ma4hhiUrO6JrEz+Z92LAw6FLmS0q+k8DlBA97BGm0WX0cVmMx +YgAQDkFgWvxOS2b8uWbd7QBVezSqPzN8iV2GNmnEA7FIphqqJbkgEBOxbwJig5Ll +WJ51Q8nWWVZS1AY2kJjf2ndFJgrB3Zbuib0nnmjsG4esB5AS9Fyjadmc+ilU7ceX +y+AdccV2cO0f9k8SBPWHUrRuiuMTcwoQ/r2HN9THaho1QBWPRPjzvXetKLTzRdK0 ++yzEI9x5AoGBAO+CYFKWwt8ylrqQzuGPVYu32RUaVgUtZVsWoF5vzK35WYFCfA+S +qIO+wPs06py79Ytgk/ff5QCz7DRepdlrmyq5ZqZ0xD858H8qzNByySZI0DSJU1wr +7Uw/5vf/+6/1/dmgPrT7HjZyGuvqq1XieBcjonQ5RYooEcjCcCnz9+z9AoGBAMCJ +kApBhTOVBquiXiqEsrbrT7s8u2KbqN9L7E2o5MnfG7sIhrFbY0Bjvdsut1omfBxd +XpTWnyR+OLd6xSpBB5fEBKD21dotwgNmJm+wTAER8ZpohlTLv8gQRHclkFg5chyY +2LJKfssiaXvocKMq3CwM7XAnbI8OTDnwxSqAfCtbAoGBAI7RGGzG90auXNC83pAD +r0gUBb8eqCKIMkMBl/kYA13OLP/1zBJhKlj82wgwQqHZNo64tSL+gAhOQU/tDEo8 +bxcn3LzvLcJh4zWBKQY3HBjXHEfnhyyUCPkJtck1/DetoIQvmJTElPx0R/dbRHV/ +CIsLtahGKmA6inhC8S0jDDhlAoGAX5svglg8q3uB33J17gkMsVYxtlkW94UyGweZ +ZIrMaQ23uG0obSNjKpMcsJ0HAOYBVRhsId5dEgL3aOy2wR+fhJYack9/q6JzJ7ru +tSFG7HUbkr/6jFrMdazWQo/NmHGWH2sql4X0ZixFUvj+DZf30ovsz3dUKclAwriz +P0Kj5ecCgYBbn1REy6+5x6lLO2SIymharMTPSG23GBiwPTSpyMD5WbzqKEQVSSJX +eIaaTPz68HOmgvBZUE7Svbz/OqhDEgZxZG9o7Pr4tsdAUzAt/LNkYA8BOjTnrx7W +ANPvr6b2UHBn26SitdwC5emdsGZIPBGS0XDzznvNwxl2+t14iteEbg== -----END RSA PRIVATE KEY----- diff --git a/src/core/tsi/test_creds/multi-domain.pem b/src/core/tsi/test_creds/multi-domain.pem index c60d2baef6e..cf28b4a6cfa 100644 --- a/src/core/tsi/test_creds/multi-domain.pem +++ b/src/core/tsi/test_creds/multi-domain.pem 
@@ -1,23 +1,23 @@ -----BEGIN CERTIFICATE----- -MIIDwDCCAqigAwIBAgIUYSe4/8nE/RVUX7e7QeyCmqPWd6AwDQYJKoZIhvcNAQEL -BQAwODELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjEPMA0G -A1UECwwGR29vZ2xlMB4XDTE5MDgwNTE4MDYwNVoXDTIwMDgwNDE4MDYwNVowODEL -MAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjEPMA0GA1UECwwG -R29vZ2xlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1e+GwyVNsoKu -7PqvOf/EubN45rB5o5PQF9A5fBPpiBtKZdvbbOouGlulRwaMQOLDZi9M6l/AhE1b -207+iSBTn9jSQT0elaYwVtKgb/qoehQjFAG8BckPmA9E4SDx2Ug9AtV3rTVs4V2y -aDHNSfDSXQ2PS9fuIx7FK5mMnUM2fjskcZquHV5f8McXEtvpuTktnb+KDgETO0Cd -u3+rf/RtraTuKZb0kmAgf+KaNWDL2j5QsFKa6sT4812Vfwaevm9qKOtzgAFobCwd -Vt+Ap/B0XWj4CmzJMPN/SXESluoBHszmTi6QmkTEzYbzmD/ObyTxXVKu46kRVmJK -Xh6BE1wk2QIDAQABo4HBMIG+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMIGjBgNV -HREEgZswgZiCE2Zvby50ZXN0LmRvbWFpbi5jb22CE2Jhci50ZXN0LmRvbWFpbi5j -b22GIGh0dHBzOi8vZm9vLnRlc3QuZG9tYWluLmNvbS90ZXN0hiBodHRwczovL2Jh -ci50ZXN0LmRvbWFpbi5jb20vdGVzdIETZm9vQHRlc3QuZG9tYWluLmNvbYETYmFy -QHRlc3QuZG9tYWluLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAzBhVGeqIntQs9qpK -xGOjpFTBMzCjYORNAq09Otkc/IBwtPOq0K2as7fp6Vr5DRStN7hDSBrMjZh+XujY -3GNEv4pIR5fWwrZg/fnNyG5BIUhdq/qtC3JAMqBjno3OJjg1t4KzS4l+ozHeevJA -qT9t6aodsn1r7w89MfAVGPIw7D3n9n5N4z2b/co17W8B0RyMWX2PmQWkEqn7kId/ -Jj+hmw2n9UV1IU3xhcepxG+wzjFLIB9nsDwgtZogK6f5p9FFBG8raqk6QhVSlRgh -JmNqmK5+hyUy1zbjGqgfM5eVmQ/A3qWVQTrk3HeTr2hO9GoBHeXQfinjlIhnbbtJ -xouhvA== +MIID5DCCAsygAwIBAgIUMmNBVcGnMw2sMASWhdn5IvFktoYwDQYJKoZIhvcNAQEL +BQAwSjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjEPMA0G +A1UECwwGR29vZ2xlMRAwDgYDVQQDDAd4cGlnb3JzMB4XDTE5MDgwNzIxMDY0NVoX +DTIwMDgwNjIxMDY0NVowSjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYD +VQQHDAJTRjEPMA0GA1UECwwGR29vZ2xlMRAwDgYDVQQDDAd4cGlnb3JzMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtCJ7xmvXxypNx7d6vV9YWZ3SHtm7 ++OrnDP9LBokGvpkIUloJq6IJxVQPTepJWM7JfXGtWgkdfmUCZjswlQmvbCJSYA8+ +Y76Sm9M6sf26RsMayxXUozWdw227frCpQt2ybor7qOLBBbQ30XbsdxPIwlrJst9S +hleey93g56EDkhZWQQMN8cciakv9zUz6GwRu3XtK4KGtWb3VpsOhf8WAoVQ05o4C 
+evz3LrY7NcZj2IvIna5V+E5QxQnRXpd5gNzyE1rbzN3pXmHk2SShGI7sEqgo9HOf +u7EufwsfmaCXbuCNGhlS4YfJvuqZ7ElijUbMnYu3eGKWfjymfp/7qHu87wIDAQAB +o4HBMIG+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMIGjBgNVHREEgZswgZiCE2Zv +by50ZXN0LmRvbWFpbi5jb22CE2Jhci50ZXN0LmRvbWFpbi5jb22BE2Zvb0B0ZXN0 +LmRvbWFpbi5jb22BE2JhckB0ZXN0LmRvbWFpbi5jb22GIGh0dHBzOi8vZm9vLnRl +c3QuZG9tYWluLmNvbS90ZXN0hiBodHRwczovL2Jhci50ZXN0LmRvbWFpbi5jb20v +dGVzdDANBgkqhkiG9w0BAQsFAAOCAQEAIu99zFdybv5OoLNYeyhZsiGjHJQ/ECYr +dp4XeRftwO5lvLUbxDz4nfs7dedDYqk+amfgJsVg9zDykeAslvjmuWHJ1IgACAqm +SlR43gwWt1YMXH7NJ8unAxF3OwGDMdIA5WJfYo2XFz4o55wWCiUbxCpWJYu8hwz6 +6IRmn6hWWsxlflWmgaV5hYKL8bLF13Ku9gZbNFFJw6knyqw+x4b1LwsnKeZGvS7E +EvGVyhMylPVFc0ZZy0TZvk3UOR9TbIMXiztQIWrw30izwPNElvUTzSkAbAg+h6+8 +G7xSZYDr6l81M0a3S2VU75yjMCHKP5/wE9hsfTr/NpWN7w5w5PmqdA== -----END CERTIFICATE----- diff --git a/test/core/tsi/ssl_transport_security_test.cc b/test/core/tsi/ssl_transport_security_test.cc index 014127a3042..c5e6e839b18 100644 --- a/test/core/tsi/ssl_transport_security_test.cc +++ b/test/core/tsi/ssl_transport_security_test.cc 
@@ -790,13 +790,25 @@ void ssl_tsi_test_duplicate_root_certificates() { gpr_free(dup_root_cert); } -void ssl_tsi_test_uri_email_subject_alt_names() { +void ssl_tsi_test_extract_x509_subject_names() { char* cert = load_file(SSL_TSI_TEST_CREDENTIALS_DIR, "multi-domain.pem"); tsi_peer peer; - GPR_ASSERT(extract_x509_subject_names_from_pem_cert(cert, &peer) == TSI_OK); + GPR_ASSERT(tsi_ssl_extract_x509_subject_names_from_pem_cert(cert, &peer) == + TSI_OK); // One for common name, one for certificate, and six for SAN fields. size_t expected_property_count = 8; GPR_ASSERT(peer.property_count == expected_property_count); + // Check common name + const char* expected_cn = "xpigors"; + const tsi_peer_property* property = tsi_peer_get_property_by_name( + &peer, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY); + GPR_ASSERT(property != nullptr); + GPR_ASSERT( + memcmp(property->value.data, expected_cn, property->value.length) == 0); + // Check certificate data + property = tsi_peer_get_property_by_name(&peer, TSI_X509_PEM_CERT_PROPERTY); + GPR_ASSERT(property != nullptr); + GPR_ASSERT(memcmp(property->value.data, cert, property->value.length) == 0); // Check DNS GPR_ASSERT(check_subject_alt_name(&peer, "foo.test.domain.com") == 1); GPR_ASSERT(check_subject_alt_name(&peer, "bar.test.domain.com") == 1); @@ -808,6 +820,9 @@ void ssl_tsi_test_uri_email_subject_alt_names() { // Check email address GPR_ASSERT(check_subject_alt_name(&peer, "foo@test.domain.com") == 1); GPR_ASSERT(check_subject_alt_name(&peer, "bar@test.domain.com") == 1); + // Free memory + gpr_free(cert); + tsi_peer_destruct(&peer); } int main(int argc, char** argv) { @@ -835,7 +850,7 @@ int main(int argc, char** argv) { ssl_tsi_test_do_round_trip_odd_buffer_size(); ssl_tsi_test_handshaker_factory_internals(); ssl_tsi_test_duplicate_root_certificates(); - ssl_tsi_test_uri_email_subject_alt_names(); + ssl_tsi_test_extract_x509_subject_names(); grpc_shutdown(); return 0; } 
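Review bot: Both `memcmp` checks in ssl_tsi_test_extract_x509_subject_names compare only `property->value.length` bytes, so they pass when the extracted value is empty or merely a prefix of the expected one. The common-name check also reads past the end of the `"xpigors"` literal if the property turns out longer than it. Pin the length first with `GPR_ASSERT(property->value.length == strlen(expected_cn));` before the common-name comparison. For the certificate, add `GPR_ASSERT(property->value.length == strlen(cert));`, assuming load_file returns a NUL-terminated buffer, which is not visible here.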
From c414fe06f803a57acda5c29e9ff5fd5cbd9b45d6 Mon Sep 17 00:00:00 2001
From: Yihua Zhang
Date: Thu, 8 Aug 2019 09:46:44 -0700
Subject: [PATCH 3/3] add cred data to BUILD files
---
 src/core/tsi/test_creds/BUILD | 2 ++
 test/core/tsi/BUILD | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/src/core/tsi/test_creds/BUILD b/src/core/tsi/test_creds/BUILD
index 732f6d91b26..b83c87de723 100644
--- a/src/core/tsi/test_creds/BUILD
+++ b/src/core/tsi/test_creds/BUILD
@@ -26,4 +26,6 @@ exports_files([
 "badserver.pem",
 "badclient.key",
 "badclient.pem",
+ "multi-domain.key",
+ "multi-domain.pem",
 ])
diff --git a/test/core/tsi/BUILD b/test/core/tsi/BUILD
index 14578c0e48b..e9faf5c99f3 100644
--- a/test/core/tsi/BUILD
+++ b/test/core/tsi/BUILD
@@ -74,6 +74,8 @@ grpc_cc_test(
 "//src/core/tsi/test_creds:server0.pem",
 "//src/core/tsi/test_creds:server1.key",
 "//src/core/tsi/test_creds:server1.pem",
+ "//src/core/tsi/test_creds:multi-domain.key",
+ "//src/core/tsi/test_creds:multi-domain.pem",
 ],
 language = "C++",
 deps = [