recongize URI and email address SAN fields

5 years ago · dab3bdde61
parent 185ab84528
commit dab3bdde61
5 changed files with 88 additions and 5 deletions
--- a/src/core/tsi/ssl_transport_security.cc
+++ b/src/core/tsi/ssl_transport_security.cc
@ -350,11 +350,19 @@ static tsi_result add_subject_alt_names_properties_to_peer(
  for (i = 0; i < subject_alt_name_count; i++) {
    GENERAL_NAME* subject_alt_name =
        sk_GENERAL_NAME_value(subject_alt_names, TSI_SIZE_AS_SIZE(i));
-    /* Filter out the non-dns entries names. */
-    if (subject_alt_name->type == GEN_DNS) {
+    if (subject_alt_name->type == GEN_DNS ||
+        subject_alt_name->type == GEN_EMAIL ||
+        subject_alt_name->type == GEN_URI) {
      unsigned char* name = nullptr;
      int name_size;
-      name_size = ASN1_STRING_to_UTF8(&name, subject_alt_name->d.dNSName);
+      if (subject_alt_name->type == GEN_DNS) {
+        name_size = ASN1_STRING_to_UTF8(&name, subject_alt_name->d.dNSName);
+      } else if (subject_alt_name->type == GEN_EMAIL) {
+        name_size = ASN1_STRING_to_UTF8(&name, subject_alt_name->d.rfc822Name);
+      } else {
+        name_size = ASN1_STRING_to_UTF8(
+            &name, subject_alt_name->d.uniformResourceIdentifier);
+      }
      if (name_size < 0) {
        gpr_log(GPR_ERROR, "Could not get utf8 from asn1 string.");
        result = TSI_INTERNAL_ERROR;
@ -703,8 +711,8 @@ static tsi_result populate_ssl_context(
 }

 /* Extracts the CN and the SANs from an X509 cert as a peer object. */
-static tsi_result extract_x509_subject_names_from_pem_cert(const char* pem_cert,
-                                                           tsi_peer* peer) {
+tsi_result extract_x509_subject_names_from_pem_cert(const char* pem_cert,
+                                                    tsi_peer* peer) {
  tsi_result result = TSI_OK;
  X509* cert = nullptr;
  BIO* pem;
--- a/src/core/tsi/ssl_transport_security.h
+++ b/src/core/tsi/ssl_transport_security.h
@ -332,4 +332,8 @@ const tsi_ssl_handshaker_factory_vtable* tsi_ssl_handshaker_factory_swap_vtable(
    tsi_ssl_handshaker_factory* factory,
    tsi_ssl_handshaker_factory_vtable* new_vtable);

+/* Exposed for testing only. */
+tsi_result extract_x509_subject_names_from_pem_cert(const char* pem_cert,
+                                                    tsi_peer* peer);
+
 #endif /* GRPC_CORE_TSI_SSL_TRANSPORT_SECURITY_H */
--- a/src/core/tsi/test_creds/multi-domain.key
+++ b/src/core/tsi/test_creds/multi-domain.key
@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA1e+GwyVNsoKu7PqvOf/EubN45rB5o5PQF9A5fBPpiBtKZdvb
+bOouGlulRwaMQOLDZi9M6l/AhE1b207+iSBTn9jSQT0elaYwVtKgb/qoehQjFAG8
+BckPmA9E4SDx2Ug9AtV3rTVs4V2yaDHNSfDSXQ2PS9fuIx7FK5mMnUM2fjskcZqu
+HV5f8McXEtvpuTktnb+KDgETO0Cdu3+rf/RtraTuKZb0kmAgf+KaNWDL2j5QsFKa
+6sT4812Vfwaevm9qKOtzgAFobCwdVt+Ap/B0XWj4CmzJMPN/SXESluoBHszmTi6Q
+mkTEzYbzmD/ObyTxXVKu46kRVmJKXh6BE1wk2QIDAQABAoIBAQDPpS8OFhT14LXc
+Oez9xGyzOaltb3iA9qURl/9TmRggDS0G9IBjlGCvIKio6YgUKoUxl1N2YP3A7Dzt
+/hw8CG5iRda9j48x/R4KB2HFjmscIpNxhcVzcBV8p8VZJdrX5K+jIoKIUcSecY0K
+aNwymlX0D4c4PBtdZy5FBUJgGa64kPQqd+1Ha4cKgD9+oZzSo5Me04cGV7gWqBGt
+qY9KL9j8RGA5m+CHu4Qi2ZXnFlkeH/teXuH5AhFzxeYZG4ZwtXCTjNXxQelVNbYw
+mIOnADvd+RhJoeLZnGdM/gyFfLpJW6rtqva9l4h2qxKxnO3CcYHwac475wE49ukv
+qx027fopAoGBAPTXRsXRHnK+ZZbj1mafFXeM4G+f8QMLxaSP/za6uYKd1BihXurr
+NUhYCQ+d6E+HXnCsYQcfR4AMTSqZRA2XImW4ZW8HRog+OBOn9LDaRcvqlqenKs/Z
+IoOUqaqVTqNF2ukkH4usnBugPvdxiqtIGXCBFlS0st+PwIoBtRYD0u6bAoGBAN+v
+qElfO/LOjzYWsV6bUSxWRp1XFnfxujitkcYbai+AnBITvZ6BcPfcATQ9IIp42HKk
+vQ5PVViN2eCzB0R4I09fSOk/1PPGQM/jzgDQ5Q7zy644ee/lPbryKeFbCOxQtQ50
+0ZRHmQmUW/L9FmNxW1Dx0wcicMC2Bq+VnXvkHVebAoGBAMChpxL4Boasee0PcJ3o
+x9D5S5NHOS32Uxe4G0mJ+25ikn6WZ8FYMOGsMeTRjfcUQB9R4DzkRTLfes7rKvmu
+UOfK/jMufDWxDhmY6RFDiep3tPROt4Y0Bc2UZzDIq8gVq7gGLbOMqH2rxB6WfE1q
+Ommjhlg6mwj9ZrStxzV86LXFAoGAISX22miyiZjywCE8x7hcnyVp8YcmXUAFSMDw
+CVumsMNuXX9vaj3kb9a6lvM4D005RkQDgEtham4bC6F8QjlLgkeslmRPOpD2qdgo
+fxZ123Fljbvw1gwyybF5Y1wKRnrvWeUV6dNyamkB91BqMPJrheNQUo5YBzbyZrLV
+U7bKYmECgYEAj7ekhtCiIUMih8noMfpHR0lJG4VhdfqiVL+w25CgnpZJDa6o7pYD
+F5fMivdfdKaSAOA5mUGN5u6NrTpfFKhHDucpIOM2+WGOzbbWEc/gEDQ/xEyPEhxj
+t4ErMTByrDGKtGuaolNYzAU0SSbCnAAH3L2MRChC9Qv7f5ZVOZX1GPQ=
+-----END RSA PRIVATE KEY-----
--- a/src/core/tsi/test_creds/multi-domain.pem
+++ b/src/core/tsi/test_creds/multi-domain.pem
@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwDCCAqigAwIBAgIUYSe4/8nE/RVUX7e7QeyCmqPWd6AwDQYJKoZIhvcNAQEL
+BQAwODELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjEPMA0G
+A1UECwwGR29vZ2xlMB4XDTE5MDgwNTE4MDYwNVoXDTIwMDgwNDE4MDYwNVowODEL
+MAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjEPMA0GA1UECwwG
+R29vZ2xlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1e+GwyVNsoKu
+7PqvOf/EubN45rB5o5PQF9A5fBPpiBtKZdvbbOouGlulRwaMQOLDZi9M6l/AhE1b
+207+iSBTn9jSQT0elaYwVtKgb/qoehQjFAG8BckPmA9E4SDx2Ug9AtV3rTVs4V2y
+aDHNSfDSXQ2PS9fuIx7FK5mMnUM2fjskcZquHV5f8McXEtvpuTktnb+KDgETO0Cd
+u3+rf/RtraTuKZb0kmAgf+KaNWDL2j5QsFKa6sT4812Vfwaevm9qKOtzgAFobCwd
+Vt+Ap/B0XWj4CmzJMPN/SXESluoBHszmTi6QmkTEzYbzmD/ObyTxXVKu46kRVmJK
+Xh6BE1wk2QIDAQABo4HBMIG+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMIGjBgNV
+HREEgZswgZiCE2Zvby50ZXN0LmRvbWFpbi5jb22CE2Jhci50ZXN0LmRvbWFpbi5j
+b22GIGh0dHBzOi8vZm9vLnRlc3QuZG9tYWluLmNvbS90ZXN0hiBodHRwczovL2Jh
+ci50ZXN0LmRvbWFpbi5jb20vdGVzdIETZm9vQHRlc3QuZG9tYWluLmNvbYETYmFy
+QHRlc3QuZG9tYWluLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAzBhVGeqIntQs9qpK
+xGOjpFTBMzCjYORNAq09Otkc/IBwtPOq0K2as7fp6Vr5DRStN7hDSBrMjZh+XujY
+3GNEv4pIR5fWwrZg/fnNyG5BIUhdq/qtC3JAMqBjno3OJjg1t4KzS4l+ozHeevJA
+qT9t6aodsn1r7w89MfAVGPIw7D3n9n5N4z2b/co17W8B0RyMWX2PmQWkEqn7kId/
+Jj+hmw2n9UV1IU3xhcepxG+wzjFLIB9nsDwgtZogK6f5p9FFBG8raqk6QhVSlRgh
+JmNqmK5+hyUy1zbjGqgfM5eVmQ/A3qWVQTrk3HeTr2hO9GoBHeXQfinjlIhnbbtJ
+xouhvA==
+-----END CERTIFICATE-----
--- a/test/core/tsi/ssl_transport_security_test.cc
+++ b/test/core/tsi/ssl_transport_security_test.cc
@ -790,6 +790,26 @@ void ssl_tsi_test_duplicate_root_certificates() {
  gpr_free(dup_root_cert);
 }

+void ssl_tsi_test_uri_email_subject_alt_names() {
+  char* cert = load_file(SSL_TSI_TEST_CREDENTIALS_DIR, "multi-domain.pem");
+  tsi_peer peer;
+  GPR_ASSERT(extract_x509_subject_names_from_pem_cert(cert, &peer) == TSI_OK);
+  // One for common name, one for certificate, and six for SAN fields.
+  size_t expected_property_count = 8;
+  GPR_ASSERT(peer.property_count == expected_property_count);
+  // Check DNS
+  GPR_ASSERT(check_subject_alt_name(&peer, "foo.test.domain.com") == 1);
+  GPR_ASSERT(check_subject_alt_name(&peer, "bar.test.domain.com") == 1);
+  // Check URI
+  GPR_ASSERT(
+      check_subject_alt_name(&peer, "https://foo.test.domain.com/test") == 1);
+  GPR_ASSERT(
+      check_subject_alt_name(&peer, "https://bar.test.domain.com/test") == 1);
+  // Check email address
+  GPR_ASSERT(check_subject_alt_name(&peer, "foo@test.domain.com") == 1);
+  GPR_ASSERT(check_subject_alt_name(&peer, "bar@test.domain.com") == 1);
+}
+
 int main(int argc, char** argv) {
  grpc::testing::TestEnvironment env(argc, argv);
  grpc_init();
@ -815,6 +835,7 @@ int main(int argc, char** argv) {
  ssl_tsi_test_do_round_trip_odd_buffer_size();
  ssl_tsi_test_handshaker_factory_internals();
  ssl_tsi_test_duplicate_root_certificates();
+  ssl_tsi_test_uri_email_subject_alt_names();
  grpc_shutdown();
  return 0;
 }