diff --git a/0001-Limit-scope-of-CN-name-constraints.patch b/0001-Limit-scope-of-CN-name-constraints.patch new file mode 100644 index 0000000..4596d6d --- /dev/null +++ b/0001-Limit-scope-of-CN-name-constraints.patch @@ -0,0 +1,802 @@ +From c2c2c7b3f1df94f9a447cc3cf8196579543cc57e Mon Sep 17 00:00:00 2001 +From: Viktor Dukhovni +Date: Fri, 18 May 2018 09:09:51 -0400 +Subject: [PATCH 1/2] Limit scope of CN name constraints + +Don't apply DNS name constraints to the subject CN when there's a +least one DNS-ID subjectAlternativeName. + +Don't apply DNS name constraints to subject CN's that are sufficiently +unlike DNS names. Checked name must have at least two labels, with +all labels non-empty, no trailing '.' and all hyphens must be +internal in each label. In addition to the usual LDH characters, +we also allow "_", since some sites use these for hostnames despite +all the standards. + +Reviewed-by: Matt Caswell +Reviewed-by: Tim Hudson +--- + crypto/asn1/a_strex.c | 50 ----------- + crypto/include/internal/asn1_int.h | 2 - + crypto/x509v3/v3_ncons.c | 140 +++++++++++++++++++++++++---- + test/certs/alt1-cert.pem | 39 ++++---- + test/certs/alt1-key.pem | 52 +++++------ + test/certs/badalt6-cert.pem | 35 ++++---- + test/certs/badalt6-key.pem | 52 +++++------ + test/certs/badalt7-cert.pem | 33 ++++--- + test/certs/badalt7-key.pem | 52 +++++------ + test/certs/badcn1-cert.pem | 20 +++++ + test/certs/badcn1-key.pem | 28 ++++++ + test/certs/goodcn1-cert.pem | 22 +++++ + test/certs/goodcn1-key.pem | 28 ++++++ + test/certs/setup.sh | 25 ++++-- + test/recipes/25-test_verify.t | 8 +- + 15 files changed, 376 insertions(+), 210 deletions(-) + create mode 100644 test/certs/badcn1-cert.pem + create mode 100644 test/certs/badcn1-key.pem + create mode 100644 test/certs/goodcn1-cert.pem + create mode 100644 test/certs/goodcn1-key.pem + +diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c +index 75bc4319c7..ec7ac5a30c 100644 +--- a/crypto/asn1/a_strex.c ++++ b/crypto/asn1/a_strex.c +@@ -613,53 +613,3 @@ int ASN1_STRING_to_UTF8(unsigned char **out, const ASN1_STRING *in) + *out = stmp.data; + return stmp.length; + } +- +-/* Return 1 if host is a valid hostname and 0 otherwise */ +-int asn1_valid_host(const ASN1_STRING *host) +-{ +- int hostlen = host->length; +- const unsigned char *hostptr = host->data; +- int type = host->type; +- int i; +- signed char width = -1; +- unsigned short chflags = 0, prevchflags; +- +- if (type > 0 && type < 31) +- width = tag2nbyte[type]; +- if (width == -1 || hostlen == 0) +- return 0; +- /* Treat UTF8String as width 1 as any MSB set is invalid */ +- if (width == 0) +- width = 1; +- for (i = 0 ; i < hostlen; i+= width) { +- prevchflags = chflags; +- /* Value must be <= 0x7F: check upper bytes are all zeroes */ +- if (width == 4) { +- if (*hostptr++ != 0 || *hostptr++ != 0 || *hostptr++ != 0) +- return 0; +- } else if (width == 2) { +- if (*hostptr++ != 0) +- return 0; +- } +- if (*hostptr > 0x7f) +- return 0; +- chflags = char_type[*hostptr++]; +- if (!(chflags & (CHARTYPE_HOST_ANY | CHARTYPE_HOST_WILD))) { +- /* Nothing else allowed at start or end of string */ +- if (i == 0 || i == hostlen - 1) +- return 0; +- /* Otherwise invalid if not dot or hyphen */ +- if (!(chflags & (CHARTYPE_HOST_DOT | CHARTYPE_HOST_HYPHEN))) +- return 0; +- /* +- * If previous is dot or hyphen then illegal unless both +- * are hyphens: as .- -. .. are all illegal +- */ +- if (prevchflags & (CHARTYPE_HOST_DOT | CHARTYPE_HOST_HYPHEN) +- && ((prevchflags & CHARTYPE_HOST_DOT) +- || (chflags & CHARTYPE_HOST_DOT))) +- return 0; +- } +- } +- return 1; +-} +diff --git a/crypto/include/internal/asn1_int.h b/crypto/include/internal/asn1_int.h +index f70e3b47ba..a0c65318d5 100644 +--- a/crypto/include/internal/asn1_int.h ++++ b/crypto/include/internal/asn1_int.h +@@ -90,5 +90,3 @@ struct asn1_pctx_st { + unsigned long oid_flags; + unsigned long str_flags; + } /* ASN1_PCTX */ ; +- +-int asn1_valid_host(const ASN1_STRING *host); +diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c +index 2eec405a36..c4b0551a03 100644 +--- a/crypto/x509v3/v3_ncons.c ++++ b/crypto/x509v3/v3_ncons.c +@@ -297,47 +297,151 @@ int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc) + + } + ++static int cn2dnsid(ASN1_STRING *cn, unsigned char **dnsid, size_t *idlen) ++{ ++ int utf8_length; /* Return type of ASN1_STRING_to_UTF8 */ ++ int i; ++ unsigned char *utf8_value; ++ int isdnsname = 0; ++ ++ /* Don't leave outputs uninitialized */ ++ *dnsid = NULL; ++ *idlen = 0; ++ ++ /*- ++ * Per RFC 6125, DNS-IDs representing internationalized domain names appear ++ * in certificates in A-label encoded form: ++ * ++ * https://tools.ietf.org/html/rfc6125#section-6.4.2 ++ * ++ * The same applies to CNs which are intended to represent DNS names. ++ * However, while in the SAN DNS-IDs are IA5Strings, as CNs they may be ++ * needlessly encoded in 16-bit Unicode. We perform a conversion to UTF-8 ++ * to ensure that we get an ASCII representation of any CNs that are ++ * representable as ASCII, but just not encoded as ASCII. The UTF-8 form ++ * may contain some non-ASCII octets, and that's fine, such CNs are not ++ * valid legacy DNS names. ++ * ++ * Note, 'int' is the return type of ASN1_STRING_to_UTF8() so that's what ++ * we must use for 'utf8_length'. ++ */ ++ if ((utf8_length = ASN1_STRING_to_UTF8(&utf8_value, cn)) < 0) ++ return X509_V_ERR_OUT_OF_MEM; ++ ++ /* ++ * Some certificates have had names that include a *trailing* NUL byte. ++ * Remove these harmless NUL characters. They would otherwise yield false ++ * alarms with the following embedded NUL check. ++ */ ++ while (utf8_length > 0 && utf8_value[utf8_length - 1] == '\0') ++ --utf8_length; ++ ++ /* Reject *embedded* NULs */ ++ if ((size_t)utf8_length != strlen((char *)utf8_value)) ++ return X509_V_ERR_UNSPECIFIED; ++ ++ /* ++ * XXX: Deviation from strict DNS name syntax, also check names with '_' ++ * Check DNS name syntax, any '-' or '.' must be internal, ++ * and on either side of each '.' we can't have a '-' or '.'. ++ * ++ * If the name has just one label, we don't consider it a DNS name. This ++ * means that "CN=sometld" cannot be precluded by DNS name constraints, but ++ * that is not a problem. ++ */ ++ for (i = 0; i < utf8_length; ++i) { ++ unsigned char c = utf8_value[i]; ++ ++ if ((c >= 'a' && c <= 'z') ++ || (c >= 'A' && c <= 'Z') ++ || (c >= '0' && c <= '9') ++ || c == '_') ++ continue; ++ ++ /* Dot and hyphen cannot be first or last. */ ++ if (i > 0 && i < utf8_length - 1) { ++ if (c == '-') ++ continue; ++ /* ++ * Next to a dot the preceding and following characters must not be ++ * another dot or a hyphen. Otherwise, record that the name is ++ * plausible, since it has two or more labels. ++ */ ++ if (c == '.' ++ && utf8_value[i + 1] != '.' ++ && utf8_value[i - 1] != '-' ++ && utf8_value[i + 1] != '-') { ++ isdnsname = 1; ++ continue; ++ } ++ } ++ isdnsname = 0; ++ break; ++ } ++ ++ if (isdnsname) { ++ *dnsid = utf8_value; ++ *idlen = (size_t)utf8_length; ++ return X509_V_OK; ++ } ++ OPENSSL_free(utf8_value); ++ return X509_V_OK; ++} ++ + int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc) + { + int r, i; ++ GENERAL_NAMES *gens = NULL; + X509_NAME *nm; +- + ASN1_STRING stmp; + GENERAL_NAME gntmp; ++ + stmp.flags = 0; + stmp.type = V_ASN1_IA5STRING; + gntmp.type = GEN_DNS; + gntmp.d.dNSName = &stmp; + ++ gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); ++ if (gens != NULL) { ++ for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) { ++ GENERAL_NAME *gen = sk_GENERAL_NAME_value(gens, i); ++ ++ if (gen->type == GEN_DNS) { ++ GENERAL_NAMES_free(gens); ++ return X509_V_OK; ++ } ++ } ++ GENERAL_NAMES_free(gens); ++ } ++ + nm = X509_get_subject_name(x); + + /* Process any commonName attributes in subject name */ + + for (i = -1;;) { + X509_NAME_ENTRY *ne; +- ASN1_STRING *hn; ++ ASN1_STRING *cn; ++ unsigned char *idval; ++ size_t idlen; ++ + i = X509_NAME_get_index_by_NID(nm, NID_commonName, i); + if (i == -1) + break; + ne = X509_NAME_get_entry(nm, i); +- hn = X509_NAME_ENTRY_get_data(ne); +- /* Only process attributes that look like host names */ +- if (asn1_valid_host(hn)) { +- unsigned char *h; +- int hlen = ASN1_STRING_to_UTF8(&h, hn); +- if (hlen <= 0) +- return X509_V_ERR_OUT_OF_MEM; ++ cn = X509_NAME_ENTRY_get_data(ne); + +- stmp.length = hlen; +- stmp.data = h; +- +- r = nc_match(&gntmp, nc); +- +- OPENSSL_free(h); ++ /* Only process attributes that look like host names */ ++ if ((r = cn2dnsid(cn, &idval, &idlen)) != X509_V_OK) ++ return r; ++ if (idlen == 0) ++ continue; + +- if (r != X509_V_OK) +- return r; +- } ++ stmp.length = idlen; ++ stmp.data = idval; ++ r = nc_match(&gntmp, nc); ++ OPENSSL_free(idval); ++ if (r != X509_V_OK) ++ return r; + } + return X509_V_OK; + } +diff --git a/test/certs/alt1-cert.pem b/test/certs/alt1-cert.pem +index b94d0eaf9d..d68b0e5193 100644 +--- a/test/certs/alt1-cert.pem ++++ b/test/certs/alt1-cert.pem +@@ -1,22 +1,21 @@ + -----BEGIN CERTIFICATE----- +-MIIDlTCCAn2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 +-IE5DIENBIDEwIBcNMTYwNzA5MTQ0ODExWhgPMjExNjA3MTAxNDQ4MTFaMGgxIzAh +-BgNVBAoMGkdvb2QgTkMgVGVzdCBDZXJ0aWZpY2F0ZSAxMRUwEwYDVQQDDAx3d3cu +-Z29vZC5vcmcxEzARBgNVBAMMCkpvZSBCbG9nZ3MxFTATBgNVBAMMDGFueS5nb29k +-LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALAv1X8S8uUpnjTa +-3bv7m1jJbbX7bC9w7k4TfxiU5XL/m3EhN//EUBJSoamy6vFC6oy/6jA8XmptlVrY +-Sp3ZKFdjdZh+CyYZKcrv4JReF2lfRIINn6d6EgcAobGTNwdcv67xuNtMi0meAvmK +-gLjOa/IhCHNC+l8vNDJx/a+7mxH+yNxPL6lC/kJMja6oaYndx74WJpPC22LJ/cCp +-xspKKsoPYYjk0BX9RvbKO8s4b86Wjzzntht+NpQ4LLh9XwPZog11qGE4UIrsV8XA +-YxJrMGQNZd69cnCOz8vnOVCszFOa4qVvXeAGr0iFlZAXbQJevpiiXaXHMEt8C1qH +-xpcW8DcCAwEAAaOBmDCBlTAdBgNVHQ4EFgQUw8nB25NP0gUaFCrOwAO5KzllnREw +-HwYDVR0jBBgwFoAUCNGb+ebVZHCg8Wsanu1S2t31UEMwCQYDVR0TBAIwADBIBgNV +-HREEQTA/ggx3d3cuZ29vZC5vcmeCDGFueS5nb29kLmNvbYENZ29vZEBnb29kLm9y +-Z4EMYW55QGdvb2QuY29thwTAqAABMA0GCSqGSIb3DQEBCwUAA4IBAQBUnDMrg1py +-8/iYXzs11Qbw7bBhc/HQDpu5QVgriaX2zDUpTLSEUV7qZFSHmwWm91ILw2VA1Xni +-ua2sF19o/tJT0ZHpapkfqGpfsym2H04NDMKy0l0fSZhlCB5Kv5wpiFt9hBUrxS/2 +-Dd6Kg+Ka02nD5QBXSAk/xz0FmgezzGGCLjg85/Sfe9Y7tNhQXh3HuGXuJizYccdQ +-Fh1IAFYW3DZoDKS7dDTCltvDEma/2IE684+CRJiA6PH9rYfJ1CCUfAMpyA85CxKT +-P68GDKI++WoUgM8LDfxS0KOL7A9cqcpM2L27hjyEgnqIBPHFfm9fxztBotuCTl5L +-vRlTFVjv65nn ++MIIDgTCCAmmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 ++IE5DIENBIDEwIBcNMTgwNTE2MDIzODEzWhgPMjExODA1MTcwMjM4MTNaMFQxIzAh ++BgNVBAoMGkdvb2QgTkMgVGVzdCBDZXJ0aWZpY2F0ZSAxMRgwFgYDVQQDDA93d3cu ++ZXhhbXBsZS5uZXQxEzARBgNVBAMMCkpvZSBCbG9nZ3MwggEiMA0GCSqGSIb3DQEB ++AQUAA4IBDwAwggEKAoIBAQDTqvf6j+WxCtn4RU8/6uXXgCTcksv6NDXCZ9JAz4Vv ++cQbJfhFbDWpGZQZDOCqwtj+7CSVIraxItHzPlrt36cevsoPmpuqGbHrUaOLneme2 ++x81SXUq0z/DmDvwxVENmRj1u7iCt3sL7awcid4SiotLOY2F1jBazmqprqKZBUiyQ ++XqpSp+9uSav77ydwDXCrQozBdns1YRshgU9omQrTcIqHCj1f9Lo+A2y4+TZYZkvS ++DuUZiTfPTPouR6sopM8JLyAZc+TvFFncEg24N+zz3O3jwH82BZEjzavw92J9npJB ++UXvKb8O9z7UA65WYuL2he7kSQCsPNLoRWZnVpchwr3VHAgMBAAGjgZgwgZUwHQYD ++VR0OBBYEFHvLhGWckFjVXdDI3ds9Wti6zgXAMB8GA1UdIwQYMBaAFAjRm/nm1WRw ++oPFrGp7tUtrd9VBDMAkGA1UdEwQCMAAwSAYDVR0RBEEwP4IMd3d3Lmdvb2Qub3Jn ++ggxhbnkuZ29vZC5jb22BDWdvb2RAZ29vZC5vcmeBDGFueUBnb29kLmNvbYcEwKgA ++ATANBgkqhkiG9w0BAQsFAAOCAQEATVcTyrAxsehdQNrkL6kquXxWlyegJcxvVxUe ++hfh9+Lw4620b2S1/l2YxFM3peLAsRgJOznmJOeG18+y7/kx/3UNqYGY7e8iJQ3Gl ++JwDIJp5JCaUOlodjhMJtRc7jn9RcsL97oizXdcryyWT0vSlM9Pie9NtHG5iq5X4+ ++oL3X8+OG25MOkF2h3YVCEG3vDu7quyTlHc2ebwpdLZRndcOewO2Cap1ettyWXUPP ++Mha6wyJE8LJhrGmrI8Lw+i7gGscP0xYZn3yCLk5BtOabn4dvCiDmb+TPruKQQARw ++BG45LEZzGxz+Ad3xRdZyVi1I67v9YShoYTCpMTSxJaR0erH74g== + -----END CERTIFICATE----- +diff --git a/test/certs/alt1-key.pem b/test/certs/alt1-key.pem +index b5d4d326c5..6df050a38f 100644 +--- a/test/certs/alt1-key.pem ++++ b/test/certs/alt1-key.pem +@@ -1,28 +1,28 @@ + -----BEGIN PRIVATE KEY----- +-MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCwL9V/EvLlKZ40 +-2t27+5tYyW21+2wvcO5OE38YlOVy/5txITf/xFASUqGpsurxQuqMv+owPF5qbZVa +-2Eqd2ShXY3WYfgsmGSnK7+CUXhdpX0SCDZ+nehIHAKGxkzcHXL+u8bjbTItJngL5 +-ioC4zmvyIQhzQvpfLzQycf2vu5sR/sjcTy+pQv5CTI2uqGmJ3ce+FiaTwttiyf3A +-qcbKSirKD2GI5NAV/Ub2yjvLOG/Olo8857YbfjaUOCy4fV8D2aINdahhOFCK7FfF +-wGMSazBkDWXevXJwjs/L5zlQrMxTmuKlb13gBq9IhZWQF20CXr6Yol2lxzBLfAta +-h8aXFvA3AgMBAAECggEAa073DcqQvhq3DSIw4wm/+DfW5nwXzF1QB6XAR0yI453j +-IuhEnzcGPeKuLBmZFxDWoptRG8fpCZFs4kPSTomxFGizewlp6O5ykfPAKR2VzMwF +-geCiWPL0f+dWlD1Byu4moXsASDE6tL/UuAAvnl+7R2HvL6SfsdGiTQc4qAvvyukM +-szks+MePHSlXmL5Eld7HfKgpvxY1SbYOQU0aPXAQAnLaOT931q+tgZMG6nBWN+pu +-w5bgKCA26BMAAaUAdIIDEa9fjzkpXjElCT4qhJYVKQn9Pb7aSc4jihSpCknqbb9c +-55nW5PWMZJyCbCOUG/SVTblXV+NmhdtwrgUbHImXIQKBgQDcb/7vp+rq06uNx3b4 +-AjTZdzCVbHM8gp7b1GkGD0SncrzX6RxPSzNn7d4AUKY065bwa89A+TRwV8DSo7G8 +-hxjzdU/FKCg8ce0eqoCtWjIT2r+rV2P9dFhfRT5jdOwHrym8LeSGzANjIBNV7FOf +-FIRkQ1BVD0QSPla+26ASqsw60wKBgQDMnEzChQWgAsBelALmGaj/wDdWDUXK8xRg +-s7dG1Sx41SLk39SAjCUYXPyy8IHBitJtPZNDp23tR4/m8Ui1pB2T0EnlzBsuzrZ/ +-0aCbJnQ08FXE8iVajrgce4ZCdT8vkeH8EVhqDpJIlAhoKy3HaoAr4o2/uRoGDpHZ +-iAbDLTEOjQKBgFrp4dXLhkqFNArMShetKUjLLIFj8f7xzDzT1ODH6UO6QYI2xRM6 +-65+gbd/pYzMOOvk7LYYZgXQX7RGyq3oaqcK3Dkg88KNFRUtRfLKCMYcYv9YVu8pr +-cosQTtPMBBCDQI44yziA6aC3OOJGDpLcbmG/lWEPY762cSZUBCfOw147AoGAd8S+ +-AdcPtdwmcrY9BCfdDuea/JoEUon7UaehDqtVvt0z8bk7kIt4Y0x69ttleL8j8aHr +-g9yLsisDhvGR2BFa5t0zhHn3J20E0skINAlMWHieHAyJ5PpJtxJvQpOTCutf1sbo +-dBxXcHiGe0NbJrGmmQmiY6mcHBOHOEgxfSoE3zkCgYAc+ozIr3xmUcooUeA7uqpd +-LvGGqHThGrtXVFIErOIcajC9bHEeZw4Do/oT5L7Wr7pOZ20VUmuRvwytd7IYYTVV +-g+nIyKaMttEaCzHEsO0CQUHexOkJbL4rpc3HiK5hIhL8Yo2L/obQgCxYmvyChpo3 +-sXJAoFllBNfAK3aanFOR1Q== ++MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDTqvf6j+WxCtn4 ++RU8/6uXXgCTcksv6NDXCZ9JAz4VvcQbJfhFbDWpGZQZDOCqwtj+7CSVIraxItHzP ++lrt36cevsoPmpuqGbHrUaOLneme2x81SXUq0z/DmDvwxVENmRj1u7iCt3sL7awci ++d4SiotLOY2F1jBazmqprqKZBUiyQXqpSp+9uSav77ydwDXCrQozBdns1YRshgU9o ++mQrTcIqHCj1f9Lo+A2y4+TZYZkvSDuUZiTfPTPouR6sopM8JLyAZc+TvFFncEg24 ++N+zz3O3jwH82BZEjzavw92J9npJBUXvKb8O9z7UA65WYuL2he7kSQCsPNLoRWZnV ++pchwr3VHAgMBAAECggEACPTB+1sdV+lioaulF8pDoWOtq5uWf+a3o5sq/U0Kk1WP +++PSZnWWq6oGZyzxUKhf8CFjxt+qJUKY6Zbo2AnPk3B1MkXTclYV/iP9LIoo+WzCH ++EoYaBB6MTd+ycg/jri8oqEnxHgo/681yhtXRyePj0ZHI7OVZjI3tyhJfvoHQmuci ++u6qYYUP0GWuyM+kHS11vn6Q1U8nOZWvXpEDXDDdJ7+2QRuv01AXcjFxpbFzkMn2W ++JkhKkCTIQpUU66VMRHwNexi+TR2rRESq0G+fa+6gaVFVIs0vBukq48IeC5W21j1L ++zyftHxci67FlYC9iaiUxDVt3KB+lcukx6Cz5mjtzqQKBgQD/GrAtFfjiXKj9O5ld ++K7dnnBHE8fzyWQWyOfwpVjNAC1J7tgwFvDpBpTHOwS5JnCwMWWM3rkBPRhCusmrF ++AtfE8b643G+cJbTgDuEhGh11QR0p9VWMVFQL9kZxx12PegDtFBfzcfcI3XQwKVKL ++ZbQn4ibW3BKSt9+Nh3APa0s5iwKBgQDUaTxZBajTdzoDd6Pg3warL5BhsxWr2tUQ ++qf+iVoba2Y9NTBdxBht2whSaYweU9kxmeNZvnCu95B8HeRGE69Dxb7IWwpsaxoaf ++ND0NcCF7aPZgx7hvhbHF7duzt3nuv+q5sOuuyHPzm+nF2snAuY3Zg+Bpv3nlYekf ++18aXZdwStQKBgEpF8e9ei1UUl1sLZC6dUMvIw9+sePHye1cVzNYYM9m8sio0qbFt ++ySRdvW+uDRT/dE+wItQOVsj95FOIvM9ZcYr0u4vFGnXDALOPgXqKyPLfn2cc9+hg ++kQvei0oLOrFQWz6rcAHAN6WMHIz9KvxNAzPtg1NhRcMT5/Gj8jt7CK7bAoGAIeKz ++7OO5Phr8F0eDzkDmGHMbDmr6XxMnAGSOUoCJPOqOMN+dsbsusHBfxw1bTUlJgONw ++GhgI5l85EAEhaVoRWCLgfz8GbWwUV9uGjdlAjiZ9f4z9AFWMua2rae0wN4VIVd1C ++i/yQeuF5lsXDf8paNcQTDeus74oCHcFXfhmS1S0CgYB2q8E+H0kFHbUxkIZYwhsM ++r0lTecn+kVsyPPje2UlzfTwvcC9dFIC4ppCdJGUJAwi/PJnr6xNyOH6I1pjUA8ER ++Aofm4Oj2DwX8W+81oO71/RXSfEFUjdOw0H6iRDyvWa1gqftj2/aWjV7Ifdo49thx ++EzX/9GdsRInifN6FfOfo/A== + -----END PRIVATE KEY----- +diff --git a/test/certs/badalt6-cert.pem b/test/certs/badalt6-cert.pem +index fbe040b52c..f41568f6ee 100644 +--- a/test/certs/badalt6-cert.pem ++++ b/test/certs/badalt6-cert.pem +@@ -1,22 +1,21 @@ + -----BEGIN CERTIFICATE----- +-MIIDljCCAn6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 +-IE5DIENBIDEwIBcNMTYwNzA5MTQ0ODExWhgPMjExNjA3MTAxNDQ4MTFaMGkxIjAg ++MIIDeDCCAmCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 ++IE5DIENBIDEwIBcNMTgwNTE2MDMyNjMyWhgPMjExODA1MTcwMzI2MzJaMGkxIjAg + BgNVBAoMGUJhZCBOQyBUZXN0IENlcnRpZmljYXRlIDYxFzAVBgNVBAMMDm90aGVy + Lmdvb2Qub3JnMRMwEQYDVQQDDApKb2UgQmxvZ2dzMRUwEwYDVQQDDAxhbnkuZ29v +-ZC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKz8F/ndKz0vuv +-BymjTUjtrWSQsnsuisR+oW8CIliNBi8yqqeNrtoa2s+e2GBC7gxDlK9IOqGo4Ulu +-9jY5On6RysrFWLpK97I7EP9cg63alH+NRFEwczRzErHtYx54yiBjcovcCVeTtdnd +-7/P4T8hIGy6QjdW68lzwnN/I9x11NWoipIKvAOGXz0L/WaPPWZ0GJFlBqEX//O3+ +-6sweSUX4ivAC9txou3rwDA8kJx5Ge9trQ9dPPG/jpL96f1DLE9H2SkVff1KLTPmb +-jUwiYj161lsKLxGkbdmPWRjt1pP4+5UUhioo1Y0WrTd5ELwB1eKTtWsOlRsdLOa8 +-1L6m8ngXAgMBAAGjgZgwgZUwHQYDVR0OBBYEFBIKyD5bUUNIFxlQJl/rBvvIm0XZ +-MB8GA1UdIwQYMBaAFAjRm/nm1WRwoPFrGp7tUtrd9VBDMAkGA1UdEwQCMAAwSAYD +-VR0RBEEwP4IMd3d3Lmdvb2Qub3JnggxhbnkuZ29vZC5jb22BDWdvb2RAZ29vZC5v +-cmeBDGFueUBnb29kLmNvbYcEwKgAATANBgkqhkiG9w0BAQsFAAOCAQEAa2lydA7a +-YgRhYeIuPEtR+bKyDkIKNjvx2IRL/FL70s/IWFWDK1rpsMYLGNa7rWpW5gq4T6zb +-JIwC/770Rw1p+0j9eAC95d2wCEhyNcLdoP4ch7whr0MhxYHUJ8zQGPdQ97DWGoEB +-2seLjrhMrX004TM4UlM+lpjsb88QEcD+kOEhdDTKm0ABUygOr1KRay437mtUhAzb +-WyUbAjKbhgyv6IFRNHKy6YtCMugPihn+Pd1NY6c2ACRVOAUS/+rvVyjxBCATW5Wk +-zAtNIxYgcm3rYRroGYT2BGj8Ic7oqPOWPdGWhsieX0c+y2ZnS727Kwc5tXFfW9By +-GH32QmEN5o5jZQ== ++ZC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDl46xhstHmmYhp ++XY/FcnQStR4XHtHcNRyvq1perl0fezeCY85KkddGppic5qIWQDL4ViP3HfvhMlDZ ++E0tAjEfr8Auac9gpa2IFVJAzMnnzOkhO6cr5kmid4392tNCG5sUWS99t2Z4f9sOP ++DQKdoN7lnmxnpZqNf9NUERsN5i4fcvErfQZ4LqV5ld810ZAQZUfarn1rg6/U/ADc ++qA0uQgk9RxVgSDt3M5mi8AaC73Be9nAefXQUybzs6J8EfsDijhD85msxs4Fha4pg ++gM+bXHv9C7whxM5F2WTeET0cIcAfE3+jzQlkjcjlS1rTEq4d0Pd+1rXkhMwZeze2 ++KRL2Le8jAgMBAAGjezB5MB0GA1UdDgQWBBRJJljvheyfKr9neNplhIMIFx25QjAf ++BgNVHSMEGDAWgBQI0Zv55tVkcKDxaxqe7VLa3fVQQzAJBgNVHRMEAjAAMCwGA1Ud ++EQQlMCOBDWdvb2RAZ29vZC5vcmeBDGFueUBnb29kLmNvbYcEwKgAATANBgkqhkiG ++9w0BAQsFAAOCAQEAPfRFkpkTsPlH54n/i3kxR8Hw17kUOV0/v39fnNzV+PXS/IIU ++9OFfP7qNeuoWVQKXCwNWGWYXb7O0LNJMJQWWtyXtzWH3rOSxdSRIrTsCVHA41Lbo ++te2nrfnGMtg6em51Do6Kk0JM304sVAWl5OY/eckBmuDgN/5WfZudOLd8Ohv8vZ6U ++ZNoSBNpu1x5gfEPywMUGAgbkNZVpzNAfulx3/D2kWk0qwEKqnphUyaXiTVqO49gr ++n1LwSVdqBcmapBmEO3puV4TBWFwM49iMMNGn0fp/JBVsLjt+q7TK96qGBo/BSEL+ ++e2TXTNpdkn3l+ZK2FYdf7s8fytoe+6o92dN+fA== + -----END CERTIFICATE----- +diff --git a/test/certs/badalt6-key.pem b/test/certs/badalt6-key.pem +index 203a4c7a00..782d69334a 100644 +--- a/test/certs/badalt6-key.pem ++++ b/test/certs/badalt6-key.pem +@@ -1,28 +1,28 @@ + -----BEGIN PRIVATE KEY----- +-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDKz8F/ndKz0vuv +-BymjTUjtrWSQsnsuisR+oW8CIliNBi8yqqeNrtoa2s+e2GBC7gxDlK9IOqGo4Ulu +-9jY5On6RysrFWLpK97I7EP9cg63alH+NRFEwczRzErHtYx54yiBjcovcCVeTtdnd +-7/P4T8hIGy6QjdW68lzwnN/I9x11NWoipIKvAOGXz0L/WaPPWZ0GJFlBqEX//O3+ +-6sweSUX4ivAC9txou3rwDA8kJx5Ge9trQ9dPPG/jpL96f1DLE9H2SkVff1KLTPmb +-jUwiYj161lsKLxGkbdmPWRjt1pP4+5UUhioo1Y0WrTd5ELwB1eKTtWsOlRsdLOa8 +-1L6m8ngXAgMBAAECggEBAJNMHK8BAvzTqTPPsfAGu4bTvgxRdKGy609FFAiqxUF3 +-UmQsCZEfgwyqCszFPfSeS43xuPRukObE6L6MV4ls8GwWqvp1nKfCClJX3/9jK6tq +-2tDQ416a7Wb+FvfgW0tDEg7oLKfcqRyAoQFNuxWHbGDiTQlz2dzzFYkzhlzBDUYH +-/pu9qkNFGfYMFwsBUd8pp8zMnv552CCIgalBBFr1hy9q47HBaJPaF2/CjZJmsqkp +-rVMBH7+j0y1DW3JO5rSKcRdz+mgEd9m/yQIazvBPJKxeGza8JfLBuACYFLIoO1S+ +-b8s/zmQPHeZwTxSsM64M1uYi4dmJy0viozLlWsjrE1ECgYEA/GxGG/lB1mL+Hzmc +-kXzWmA2nLPxZXGxMBOYH/n8l4OyDmKi2Bmly7kS0kLdY6gYTVBWFCRcvPxf+UJu9 +-x4NcKDkjXVXSg7Muux3Bh1JoRCOKB2Hk3pqdDe55GcT5bSikkd5PYCNobcnqzSK1 +-HzKveDdukraZxIPFpVs1VM9/gxMCgYEAza+BJUAEWoq925a1RKlMwdXW1ONBhFqU +-fXon15fgycHkiYIBGbGE65Oyz8BwE6jNAT+SwKlNCc6jPAkXvEUpczEi5Rcox8Ec +-hNoXBHcBxHEhtfV2VKX5I9JFAadmvnfS5St7HjRLzE2Y6xym1+fKfnAlSLpdb3W2 +-eRqVBi3F020CgYEA6K/yrQTHwRX+BdC42JCIzSAA1IJG6eDW7skR43NX+pBr+sTD +-DwQTszrYbHLnXst888zmluutXO8EO1Bl0E3yHQ4W4IolhcweLtUOOm0nunA8Y/PE +-48MJNfd34N5nw01s7x5Mc2YQdOxmKvVsmzbA9AO9RTdYZgPGpVh/wA+LDssCgYBh +-F2+G/ekQNF3awhFfD+vDtAVtCLlsmLVvZbJY+sCJfJU8s7mBP2LXMSk/GD/Ph+b9 +-p9zGRSSwdHJpbIFfxeYDEja+nWgKowWrUKd83BBhgmW/Vtc8rfwlBKS+Wx8M2dMb +-iqLbZyRAlICSuzumvyu+84EmC5L/gjlYgUvHVuQDIQKBgHH7q3hrKI5mQ0BR9h75 +-4yP98c+Duz8IsQllIG0gzCiiOYIVTl3uzTCa/E9Sa+jG+kFsCeUDchmC6LmHdF/Z +-ZHfECcQT4B37xMMwvjwNW7E6/FyRx3XC762Fd5vlz3fBuVKburfh1JpfpcO85Wvo +-R1UfsJugW9Yetsqd9WB6q3ln ++MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDl46xhstHmmYhp ++XY/FcnQStR4XHtHcNRyvq1perl0fezeCY85KkddGppic5qIWQDL4ViP3HfvhMlDZ ++E0tAjEfr8Auac9gpa2IFVJAzMnnzOkhO6cr5kmid4392tNCG5sUWS99t2Z4f9sOP ++DQKdoN7lnmxnpZqNf9NUERsN5i4fcvErfQZ4LqV5ld810ZAQZUfarn1rg6/U/ADc ++qA0uQgk9RxVgSDt3M5mi8AaC73Be9nAefXQUybzs6J8EfsDijhD85msxs4Fha4pg ++gM+bXHv9C7whxM5F2WTeET0cIcAfE3+jzQlkjcjlS1rTEq4d0Pd+1rXkhMwZeze2 ++KRL2Le8jAgMBAAECggEBAMcDjTTa2GmYWoZUr+UPizqyvsTnMmg/NoFBhy9WJVne ++kpR3kJvvm30XNiEGbCV1GGryL5p7w5UVuPXjhQ7xIkY3feQNC4H361iP93HK7dXJ ++i9V9AfGCdLzSuILsT2Wpm88MifUQIpqrRmqtqakKHkyMFG655409rpYlZNVogl9H ++vzrTE8rjysNMjP+bpbgkxUJfeATw8OYhEwd9ahj/E0r0r2enYhGEP3j+1zYsGdmM ++L2Uy4M+modaAWpZg5pUWpFjxl+V2cSJHdaQc8KYg8Z8RUyzYipFk3YzjP5jtprq5 ++dHf9FqlcXk+MtzcYe+x8mIb3uwZhOtdpnUqe5l+GTyECgYEA9j++rS9sajQzMqp0 ++p+EptacD/p7A3wldIDGEpPJsSQL+vhcigyn4iPCM1pGWR4iuR7Od9RpQSf3Tfnqc ++ZwUJQOpiYpxo1+QlqlBJkDjDRztp+kETZAgzc084ZhwQv9PfYyxa+8layQFhnClt ++Z9G0o4AV1povVeQLO5+9CQZQ4VMCgYEA7v4WuydzlLGKppsJEG8vvieR64mjOfO4 ++gHBMEYnzEeTZPDvIfEfguM1upJCvt5GXp3huVHCAsFgs6kDjVbpIL1A2HzrMPtOa ++MNDSOrpuLcakAgEgx2VFv4TMnA1QKPg3//YCqEqqTJyX0C4OwaADRZJS7YfHp9lg ++mpv90baE8PECgYAv3oxulj15F9SsEL7Es9yr11/La4kK0oMr8vRaLFYoi1CCG3U2 ++Ej6iQEDgpUSVe1iFz8DxGMBq4dDvUV5+GFiIKggeK1GmRk+cICdsxdwQSNh9MZFX ++bNCzpb7M+r+2yrUuTj0RnT7svDwBY3xFJlr7PbcBFNAG3mHgoVjaHEQ0yQKBgHbS ++zepvSv/65bzACFmrbklU0zAQVp9RlcIGE0wFEl0rMvbHon5oHkrDmOcpKLRUJtqU ++/gXtiY4jyPEPIfhVjd44OzB7w2DZRChRKrUYS/9ma9SzSuDYcT0vgat00w4Lm4wf ++fGK//Lvqf3B59cw/CmFkxuZiQ9ooMees9x11adOBAoGBAMdb0r8sAtgh+KTbA8Kq ++guIWiknOk6/LYUTuT3fidPIPbErrUQQR9WWHuXjrj2RyHI/RLjYLFamikvhU7PmE ++jPjPAo4p1a0WBwrYgjGDIRjTVjbUK282vuYkunGWYfgnZurAyjJCndL/eNZuX2F5 ++m1rTfab8O+tOOGKGyzfouD2A + -----END PRIVATE KEY----- +diff --git a/test/certs/badalt7-cert.pem b/test/certs/badalt7-cert.pem +index b515ba43d9..4fa81b3c6f 100644 +--- a/test/certs/badalt7-cert.pem ++++ b/test/certs/badalt7-cert.pem +@@ -1,23 +1,22 @@ + -----BEGIN CERTIFICATE----- +-MIID1DCCArygAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 +-IE5DIENBIDEwIBcNMTYwNzA5MTQ0ODExWhgPMjExNjA3MTAxNDQ4MTFaMIGmMTsw ++MIIDtjCCAp6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 ++IE5DIENBIDEwIBcNMTgwNTE2MDMyNzA5WhgPMjExODA1MTcwMzI3MDlaMIGmMTsw + OQYDVQQKHjIAQgBhAGQAIABOAEMAIABUAGUAcwB0ACAAQwBlAHIAdABpAGYAaQBj + AGEAdABlACAANzElMCMGA1UEAx4cAG8AdABoAGUAcgAuAGcAbwBvAGQALgBvAHIA + ZzEdMBsGA1UEAx4UAEoAbwBlACAAQgBsAG8AZwBnAHMxITAfBgNVBAMeGABhAG4A + eQAuAGcAbwBvAGQALgBjAG8AbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +-ggEBANStByWr70u2A49OO+LYu0ivQP+uBu2n3E6RoEYf+op/+JF3clwfMQCGqiSg +-QxOJMHkcu4gJDudRLCSXqHPnR0hOd+mQ5wQQJmLj8A99ImcD2oN5R3V5I4bSlXP9 +-GCq2pFDnwXuEcJ3d2Dt1HYO4jA4Ol/RBT3NIqmwSnQzXv98mjYFpy6AuAIaYGmbh +-1DLWxsTPI2NjNafJYS85NrQDLkTpq48nCmQCJ+ly6Zzu7WuJiDKD1Rxs7ZwgNtLi +-Zhp41TeFHxCbfSFKe9u4rnUmImKxwgc9KuzOLpLAzD9avWpPGHtkCsLFsiw/EJYf +-UdeCXc7tz9WhXZzOk/ffLOcrorMCAwEAAaOBmDCBlTAdBgNVHQ4EFgQUwYsR1XfZ +-2cPcAR7i5i9obalnJcIwHwYDVR0jBBgwFoAUCNGb+ebVZHCg8Wsanu1S2t31UEMw +-CQYDVR0TBAIwADBIBgNVHREEQTA/ggx3d3cuZ29vZC5vcmeCDGFueS5nb29kLmNv +-bYENZ29vZEBnb29kLm9yZ4EMYW55QGdvb2QuY29thwTAqAABMA0GCSqGSIb3DQEB +-CwUAA4IBAQAN/klfzMLi2acp5KdH9UZR4XCk3cZBOuMuI0vU+wrU/ETgY6rFhAwY +-gSZsO6vX0mt/G6QfOmY5+kW4FY5XavGhhNVY2x5ATZKvQCf+orIsUHOBxVTjH6az +-uEnxGDRTbjXSkBTCTSoOqdJNeOmEwiaHEVy/atumUW2B2KP5FeBGdud/94c4Q9/O +-WBJ0EICGF6hYTDra63lAjxyARTvocVakIE8zytT1SbU4yO05mYPyNdXxiXikepFE +-phPQWNSLx4EPBIorGCFj7MPDmFCH/+EjDjGz3SNUvqsak6MstzK94KVriQyIHKex +-IL5WuKFm0XSGKTX8SzyMGErMGeriveL2 ++ggEBAOG4PegItzkmJDwlSA/FyVHWLWUIQrnxgS0KSds3On2CMsjDJ+X77B4s1IPI ++yKHuqNbXqV/hJGAxKnZRZe0D6VsmKlYOYpz9QtFxvpo5DwA3q6BTx6sIElFn/lip ++Pbu5ZeIMNeN4bot7x5sBobr6OgidAVaAuqQHHJnD7mQ1s22qY0UqkBqNBhhJWOmx ++YC0Q56WDi9+C7Cy2+kiiSlT4jCZ8m1K0F7tTK5mF0p4HppXmXLzcecZ/Sw8jOqQK ++JM/4UCj/nxWCGYKWkv8zLJtG+ryfZMf15/0Cd1dzHAS9mYU4mFssPdFyT+WFpw7b ++K3TOTXkS/tAPbj0xin2wqBJz8m8CAwEAAaN7MHkwHQYDVR0OBBYEFOWYNq+H1LH6 ++lZUpgijb/S/sAiDsMB8GA1UdIwQYMBaAFAjRm/nm1WRwoPFrGp7tUtrd9VBDMAkG ++A1UdEwQCMAAwLAYDVR0RBCUwI4ENZ29vZEBnb29kLm9yZ4EMYW55QGdvb2QuY29t ++hwTAqAABMA0GCSqGSIb3DQEBCwUAA4IBAQAwUxnqq0gBgKmEHIRgZVu10KtOknjt ++p/wEcqQ9METvXb+4/a4U6ftjTgaOrPVjamNFlaoUcTgx2nk2zRsjM+e+tpnxDgRR ++/yoVB3HsISpdeN70s/WYAgvev/FdV3O+JWhUYHdKrDB4DMfPhlRIfSgOymJljo6+ ++wL8qa7lVonF91Im4SCbq4dqtAnbg4ttblQ3yjFfQtuwzyJD/3ism6FQPLbg1K4eu ++1Si0EDL4Fct581Gb5D+NU8PYiwg7Nk8ubNlRHXydoVGDLmT0hLE+/IsPd1M8tMqm ++sifRl2Is+lGVeg4pPHFjB0npTNkaYafu89dz/3PNRRr5If06B+apk4AX + -----END CERTIFICATE----- +diff --git a/test/certs/badalt7-key.pem b/test/certs/badalt7-key.pem +index 50557e8968..b453f1ff30 100644 +--- a/test/certs/badalt7-key.pem ++++ b/test/certs/badalt7-key.pem +@@ -1,28 +1,28 @@ + -----BEGIN PRIVATE KEY----- +-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDUrQclq+9LtgOP +-Tjvi2LtIr0D/rgbtp9xOkaBGH/qKf/iRd3JcHzEAhqokoEMTiTB5HLuICQ7nUSwk +-l6hz50dITnfpkOcEECZi4/APfSJnA9qDeUd1eSOG0pVz/RgqtqRQ58F7hHCd3dg7 +-dR2DuIwODpf0QU9zSKpsEp0M17/fJo2BacugLgCGmBpm4dQy1sbEzyNjYzWnyWEv +-OTa0Ay5E6auPJwpkAifpcumc7u1riYgyg9UcbO2cIDbS4mYaeNU3hR8Qm30hSnvb +-uK51JiJiscIHPSrszi6SwMw/Wr1qTxh7ZArCxbIsPxCWH1HXgl3O7c/VoV2czpP3 +-3yznK6KzAgMBAAECggEADjQ0Kv7tr3fLixGljEP/Vh5mT+02hz7TxueQ9b4DBKcB +-We3JVH+8zRUxXdraP/7EnwIdQDuipC5WrWb3mC4VI64h8hZ8Z1gQyEAC83XfC1RF +-jsxVynG5vrJnyuRXbdre5Ixl7rLsto5vd6EdxINZz0KIQYbvIHr07tzbYlUyelvA +-mu0kYdtbjm2p2AGJJ99zN3EiQ9lZDyiFirOXEA9P/YdKKVlIwpDPbn/TmNY/k6Ul +-mRxgAJKwKiR6Gg3QMdTUKeaXBpKf/pa+5rzR7zxNbiQO3IXOVx7ZzQ2R0Wuivpqk +-yjMaqUa7dDuvtIHJBpJB7TIL6SlQkiS1lEQFhO7EAQKBgQDz30obdymxqQVy7IsH +-NLo5xRX1hRRN9h34Y4qC0JXkCTG1fWJ19KYHod0S5peaIo/ThDVf1UXln6amdCjM +-oIfhmo0baNIdMMpxxBdsdLfUKwyVh8qROaBscPE4FGBUrfEW/wSn1WRYcWh+oda3 +-LuLVf5Qt9a9f6ZYuy1X6dDi8swKBgQDfQJTSFUNkV8yKfMX54x0DcUkiWOu3LaET +-GSu0UXqBVn1Q+u6CUAkh5jA9fpyM5sp9+t5FuwjO+ITHfiNFoD/LCeMUfYVDF7O2 +-uCLTsN+7gTGpKMnfL/rg9exrsfDdsmbQe4BhrUFBsYfKgBlBraL0QGD+25qgU8CS +-CQ6toGCCAQKBgQDCYJskwRoObPXW4AsAN1qnaRtTkjrY2O6SaGSiV7bhByMD0WiF +-M/aR5sXapsj3Jc0Vfi88rzUDDPk7eyJ51wn3G8SUsDuo4Ja7jtxMqctL5PQmyxD+ +-J7xiMrNRS4xscifTeHgxfbh5dgsfw8bsQwaxvPpSl5ytCfWWXqOs+K2wWQKBgBM4 +-Mher8PNQg7FgcILExJipRgyI7zID4ZwNTK/nW86KrZstHx9k2IRslraUkdGnhMM3 +-t671HRsEVhn+h/bUhulp3nzDGZffEH+odocW8QvpYWcYtdha/xQi18mltgC//Q3x +-s+m0yqtnJzONt57p3d99M1x9d2BaFXf9A6B68BQBAoGBAOatu9+wGaIEB//fpaQt +-mnsS2XBJco5gHTjOegCSNe3gQQsB5mhTEekOeMzJ8WLTMVXQVCXx9/8HxKoycbq8 +-M/7ScH1iT/wJTkSsjyeycUgH31GPeRvmo9YU2PsW3NN6ZyNpxWJFdcPYHAzZqJeA +-cZtQWiEyaf026DdR8YBYn6tf ++MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDhuD3oCLc5JiQ8 ++JUgPxclR1i1lCEK58YEtCknbNzp9gjLIwyfl++weLNSDyMih7qjW16lf4SRgMSp2 ++UWXtA+lbJipWDmKc/ULRcb6aOQ8AN6ugU8erCBJRZ/5YqT27uWXiDDXjeG6Le8eb ++AaG6+joInQFWgLqkBxyZw+5kNbNtqmNFKpAajQYYSVjpsWAtEOelg4vfguwstvpI ++okpU+IwmfJtStBe7UyuZhdKeB6aV5ly83HnGf0sPIzqkCiTP+FAo/58VghmClpL/ ++MyybRvq8n2TH9ef9AndXcxwEvZmFOJhbLD3Rck/lhacO2yt0zk15Ev7QD249MYp9 ++sKgSc/JvAgMBAAECggEAZG2cJawTEXtV7ejMii//Jck8g1JMlfzM86Q7Pizxejw+ ++qjKiguI2qSpbF5NzKRFNz+E+e+lpTN8zPFd1GSJ/Zk2x0n4uBBlu7E9GdcnjUb5z ++Py9njEJYHB4//WS3kdmoag3ywBWqYaceJWpxcga5YXGx0bIO2MJNSGDzpWR7Q9QQ ++tG/lWmno5goY2BxI08BTKSlqNIBkg/rr9jJo3axRcEmbx7hj4vUkAlypFKtmR4dW ++bNo0f6VAd5Y6c9YbnKybR/44lScBksuSkZjm076cbbbp5PpsiLGe/12bqUcwCH+T ++8hRVndmOLdOxC11OZOvMbX6x2uXNh3/Qr/GMyfzZcQKBgQD4we7E9vOygk1J5Vbl ++1zETR9x3dujpBBx3xaHXUSJNUTNwmnZ+0JoFTqPkRmmPMNK7XfZuPymBehtk8WYt ++NnezM2UNTdbfVOnJWnU6igRNGBaDW6F9AezlADBNwIbFVw6RqP4fTUFsmm9TQ/8M ++4kZmmlW4uLZyX0WQO+AJa7NShwKBgQDoSpnQgmWqXMcaHwY2l8fEDuDc41nDoJIm ++/CMppPbr7GkUX4OU785p6E0N0o1ONt+xCBT1lxHwWEeMAKZXrNC1XGpfvhpVZ72v ++VruATDFs1rcL3S2Sty7A+jhFKKXlGeDWNcpaKY8nDvv2uJG0+J3bLprdMqnY/gQ1 ++C+FzyQ6S2QKBgDnHIaRSD6xoo3cEc7iS0O0/ha+hyNtGfy46kyqlx6fZsm73EYrG ++/N86ssp0qFP/7RJj8rcMqKFQMUiy4R6jRg4zY8dBSyU4XczM2+mq4PDfJWuBPvMA ++HXvbHV0R2LvBSrr+W3f9w7Jr9GuMoZLmg5+VPU/YZ1gNVOT5Y0IM5+vFAoGBANx9 ++CzlGvLeTrw1VS3GAaobn1Hr2dlrhTDki9UFvK03PLgK/ksdJRLV0YcdwBt6p6XRB ++hpuC1O087lSuvTXVfJnZacMNUDOm7/7BpeJm8DcuK7tgKwTrSb61A7ppleY7xRWv ++Iy6n6hCaAYIzuWJ85mGJAEhb8apdmqK7bzmXK3UpAoGBALdOvJfqbF0YlHbdQCVi ++ftjtxs/dZKdF1rNARR0VMqUtZX+WP2b6OPXlwux94Cr//iNv5ih3B4Z4LIgTpgBJ ++AKGXEBGMMthAlptC4BcOAEs9cYeWGLAoYk8jpNmXvXjhGqvzhPO2YrX5xy46dVOG ++iiCseyA7Kr8Axt9QhUzoi5f7 + -----END PRIVATE KEY----- +diff --git a/test/certs/badcn1-cert.pem b/test/certs/badcn1-cert.pem +new file mode 100644 +index 0000000000..3b3bad658b +--- /dev/null ++++ b/test/certs/badcn1-cert.pem +@@ -0,0 +1,20 @@ ++-----BEGIN CERTIFICATE----- ++MIIDQDCCAiigAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 ++IE5DIENBIDEwIBcNMTgwNTE2MDI0MTMyWhgPMjExODA1MTcwMjQxMzJaME4xIzAh ++BgNVBAoMGkdvb2QgTkMgVGVzdCBDZXJ0aWZpY2F0ZSAxMRUwEwYDVQQDDAx3d3cu ++Z29vZC5vcmcxEDAOBgNVBAMMB2JhZC5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IB ++DwAwggEKAoIBAQDN9WI6OyxnW+R98FqrWwMo3JE165bRB8iQOdDP3xE1+bvUMDYh ++8wFR9gfNrKhqXubJ3lCHKgaApTXNKM/jwrT/pqhF6iNfPIbKAMTT4VZPy4/eI45R ++03Yn+dJnZLDz7BDpnuhORp8XzQqfxSGBX0Rdr17xYOwGHcruwoitRyS/w8p8EKos ++/LIDvjzye5GaPXqXkAkcBcLBpWlgMm+j8xE+LzGw1NVw8vWMSpP2WX9kp7aPbh+A ++jSbT522yHy1r6WeElbSY7WOFvnmgbZ19pUdyz8CN6KKb87dBA0joyWSly5ZsNbjh ++/YuRhCgRExvdQ6kImwdKAfO7RLkxho6jny1HAgMBAAGjXjBcMB0GA1UdDgQWBBT5 ++fenRjyFKUb1XvUnm4GV9kZmONDAfBgNVHSMEGDAWgBQI0Zv55tVkcKDxaxqe7VLa ++3fVQQzAJBgNVHRMEAjAAMA8GA1UdEQQIMAaHBMCoAAEwDQYJKoZIhvcNAQELBQAD ++ggEBACKtfZCcP/pY8Bu+lb/pGZj5txsmNbJ1l2RVACQA7CGjwfUr7VaQGMuT+FuA ++Erlh+UnEC3R/e1xQwgJeuAXBOWFkxA61isVSrmM7YM6vDB0+t8N9lMUFjPbRyEkM ++A5kaSLPrgSOg7ONsO6YGbaWm1XCoUC6Ilrdzy+ckzklgjYRth99b2d5WrjIxEWIq ++BX2DI2ruetjXYGRzsqSK+O9d4fsqrb5M0ZCNWQZ4WnrMNaAeHWpW6NqSvof/N21x ++WC5zcU7GXLrDigwWPMDLQhVtu4OihWjsqugh6Jl7DxDBhi8JKO6tJQAISHjKaL98 ++yXZFsQ//q7ATwlcHyB81B+X16AI= ++-----END CERTIFICATE----- +diff --git a/test/certs/badcn1-key.pem b/test/certs/badcn1-key.pem +new file mode 100644 +index 0000000000..dbcf4b5d44 +--- /dev/null ++++ b/test/certs/badcn1-key.pem +@@ -0,0 +1,28 @@ ++-----BEGIN PRIVATE KEY----- ++MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDN9WI6OyxnW+R9 ++8FqrWwMo3JE165bRB8iQOdDP3xE1+bvUMDYh8wFR9gfNrKhqXubJ3lCHKgaApTXN ++KM/jwrT/pqhF6iNfPIbKAMTT4VZPy4/eI45R03Yn+dJnZLDz7BDpnuhORp8XzQqf ++xSGBX0Rdr17xYOwGHcruwoitRyS/w8p8EKos/LIDvjzye5GaPXqXkAkcBcLBpWlg ++Mm+j8xE+LzGw1NVw8vWMSpP2WX9kp7aPbh+AjSbT522yHy1r6WeElbSY7WOFvnmg ++bZ19pUdyz8CN6KKb87dBA0joyWSly5ZsNbjh/YuRhCgRExvdQ6kImwdKAfO7RLkx ++ho6jny1HAgMBAAECggEBAKDxiUHx7cATShm0ElZnd6+dtQfKwv8zsuIpm+hk62Ef ++d0zYI+UhrT1sIiryKmV9JaJITOtixtQOxl088D+Obrx8cnC4B84rUTVXpnfgVf9j ++FljDtjpxIZsZmPbc836ZUZoOaICKpVYHD69Mb+NWG+mN2oaLc8VP0L4FXKLzvl7u ++69NQlTPG2CS61BktVqMtWWc/9CvdOwqwVbckyISj9QLUgSXIyB4IP3bjp0RYSpOu ++m3nhuhil1G3c05R4UfiE2d9Er7SBBoQ304ld892YRinSgtZqC1G25uZmWJ3ekAAM ++bg6P0hBd86F/G2TxNdelYrxTazjqZShYi1N48SK6kUECgYEA+51O19Q5XkskD/Dn ++VfaCjSOTFwDlb5ATmVCrJu+13/5IJfmJgWA6xdqfWoqxSOsJzXBEETKWgkahoo4K ++OU1UaBTHEJ588xOpoMzbJkKlb5hPseEQsvu055Ky0euMgmlrALPQQ9e1DUSlowui ++Cq9wCak4dqq9NNs6FMIeGhqczGECgYEA0YxcajJFxPHJsdFCVa4tdy9jgfC64t4Y ++CWDzRfUnuX24ILbW9+olvvoZkMSzoVpiQ9YU8kPJUaOyFrw6jUV5GRHUCMgfkx2Y ++nqe+7aSFmv0Nlo0RMV2PqaOZzlxnG9FzyNE+4PygZqtFhN21b5Idc69k2Ltu7K4J ++J4MG1kMUGqcCgYEA0ttUPEisPtoHgZhntUFczHx4gnmMzH5X/k5876dIqkrFGZXR ++5urGthHtIwpBYZMeZtxjHmpfeRNJ1xjjdnvYdVScMdAvc+ERcSDbsmd9jlR8zNuI ++jAWl576nPoX//TXspu0JZiE5p8HUcRuJkxzMbjwyhje1Ubs6JDU81rFgn2ECgYAG ++3WVNqVX1zMIBzEwzCGC+7dOBt0Q4GHSLIhz2JsDlZ8P3dmX2ezo/Vmwt/POxjod3 ++l3TaNvRKc2VrL0FvzV3ZP2dF3mCCbk7Iq9AqcuBZon6mdvqgNmN1eEGarBZIqAT2 ++CDzaHAyZMHU3lBfUjuHeH1nba9CHenAcVkOME2h+MwKBgQDiHAnTK4ovCNmT5E9i ++03x/wPSH8FZ3Wrb1GMtNlTc7lOtB5eYIvwkaloJkNKHbUDv57V66hnYT6CyH4u45 ++dPtuohtafL9mdScYqmicGLtbLLglSQpJYt4J59hffNZ30E84dKXtyDN7E5P5Z00Z ++8PbOMUy3oK6j+GMP/xRNI76RtA== ++-----END PRIVATE KEY----- +diff --git a/test/certs/goodcn1-cert.pem b/test/certs/goodcn1-cert.pem +new file mode 100644 +index 0000000000..d9205e03b0 +--- /dev/null ++++ b/test/certs/goodcn1-cert.pem +@@ -0,0 +1,22 @@ ++-----BEGIN CERTIFICATE----- ++MIIDkTCCAnmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 ++IE5DIENBIDEwIBcNMTgwNTE2MDI0MDA0WhgPMjExODA1MTcwMjQwMDRaMIGeMSMw ++IQYDVQQKDBpHb29kIE5DIFRlc3QgQ2VydGlmaWNhdGUgMTEVMBMGA1UEAwwMd3d3 ++Lmdvb2Qub3JnMRUwEwYDVQQDDAxhbnkuZ29vZC5jb20xETAPBgNVBAMMCG5vdC4u ++ZG5zMRAwDgYDVQQDDAdub3RAZG5zMREwDwYDVQQDDAhub3QtLmRuczERMA8GA1UE ++AwwIbm90LmRucy4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDigxI ++nlYVjHtrFI+Iv/3b0jeZbs1jVnPF6ZREk46BTNAVNZsq24jKFG6yK4n9vKA/JuS7 ++jZe+gMX+sWh/S1IlsNDY8/Io1UsG/s1tmsvE2UrURUX4s8HnqB6AZ4Y9Cp4rSADe ++mD/YdekRf3HFA0IKQvIFRkpegj8uuWwILC0n/ozMNUlNmxCBlOmtFwjFxmNr9Txa ++ZeFvWvvc6oTubAETK4HcjLdimx1tePdd4+0mxJ/akQ3wVzUAI2ysijMmMJDzTxLs ++FPkw4yUtJHK0/H2yJtpoJ4wQjsWd6a8F7wY/pHszAud1M8QZJKQDzkJOMnqLKNLT ++OKw6dm1UG2J7iuqtAgMBAAGjXjBcMB0GA1UdDgQWBBSTKvqap2ab0z/UPrdDgc0V ++m88R3TAfBgNVHSMEGDAWgBQI0Zv55tVkcKDxaxqe7VLa3fVQQzAJBgNVHRMEAjAA ++MA8GA1UdEQQIMAaHBMCoAAEwDQYJKoZIhvcNAQELBQADggEBADcdm62qaOHbIDoa ++5oUjXGHSQjV1g4BFe6DLH5/CZ0wOws3QzfQbPIxJrp3yJgDcQyZNOE/xQlq/nASS ++thU6cUTB07voFVnbotB8YQuNU1wM9TAJOHC9LT1Y0J2GIP6QeXts6Cz6aBlqaQEZ ++IrGRLuKVZePTO0Haup0mZ91XoXs3CBzkSerl0XpFL7BeugSigrhprFRPB4UC3IWb ++pdNar61Wk4bN/COb6utRkK3iYk5YUTqYFib9EG4VBdxYfXv/tiBIGqQLnqPbId6w ++q+McpSEPF1DIcCyL0vEDdIVN0SzxMfnfHMx0Qp0sh2aydIZk4xfEqXHZgZthSrse ++u7nhn7s= ++-----END CERTIFICATE----- +diff --git a/test/certs/goodcn1-key.pem b/test/certs/goodcn1-key.pem +new file mode 100644 +index 0000000000..2ad660c6db +--- /dev/null ++++ b/test/certs/goodcn1-key.pem +@@ -0,0 +1,28 @@ ++-----BEGIN PRIVATE KEY----- ++MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDDigxInlYVjHtr ++FI+Iv/3b0jeZbs1jVnPF6ZREk46BTNAVNZsq24jKFG6yK4n9vKA/JuS7jZe+gMX+ ++sWh/S1IlsNDY8/Io1UsG/s1tmsvE2UrURUX4s8HnqB6AZ4Y9Cp4rSADemD/YdekR ++f3HFA0IKQvIFRkpegj8uuWwILC0n/ozMNUlNmxCBlOmtFwjFxmNr9TxaZeFvWvvc ++6oTubAETK4HcjLdimx1tePdd4+0mxJ/akQ3wVzUAI2ysijMmMJDzTxLsFPkw4yUt ++JHK0/H2yJtpoJ4wQjsWd6a8F7wY/pHszAud1M8QZJKQDzkJOMnqLKNLTOKw6dm1U ++G2J7iuqtAgMBAAECggEAeQ1xZVOAf36kuTnVUhdplTii6v3JcQIIUjG0dG/U/P8M ++otS45uNZ36CelvaVStwHaJEvcVzK4EjgSjiSNJvwkxzPbkA3XkgNVptPmdcG5yqO ++RLNOChVeqYdOurdcR1XXbXv57dPbUqpMS2TWjdzieW/QXKuTRsbjTo3D75tJqUO6 ++1Bm4sSM3PogmsQwTP8HlZAmJXuSD+ZSB22Np5pT1dn5TvQU6xeA3NJR4ZO/HEZz4 ++CHJEiOx2BuGD6M0V1ZL6DzEsyIS/KKsvj4I2F4ROAK1j3lSD5VqrYPXn3oEsQdlm ++OW8aVnHPYO6FI0LVLgcIEKxhdwGV3i6v/GRUe0Y9kQKBgQD0Zqn1trAuP5Peiy1K ++Wc91yRjQxQTwSD00hzXMtvKzkEIiLEuVZq9qrqQ2TRRa5xneDGHDuUY9eZY8JwEr ++l7f8CcfYC93PXLyRM2Gaz0jMxZxVPz5w7zssK3DZ+7JvH3nKkCUl7+Y0tH26qTO0 ++wTD9w9jd9bf85SLVgk3zSbUDwwKBgQDM0b2ffZpxyA16h7w8ZBuk1Z+iumrxnn5/ ++lKtffR2b4dZN37KiWw2c265vYhRfe/ANnVuagXb9aRM97yeQloRlWR10AaXJz3EB ++sromqFShkorYRhwZoRiJC0laLG3W76wKMRr2T6TM1UG9gJ0szdGFG/yUDU+9pTRo ++uq514rGgzwKBgQCGtsAgLF7YXzsGg/im7vInnn0LNk4OlAMInS7OdFk7GN0bMQdI ++hp1SVIk3VS1PHetoNbL9y3YoFIj3BxjiCnLjfhClyYSt9BQMhSHbzz31gUc2xfGJ ++FpSrOBawUMh97/+V4/ZV/vIJQyO6a+GQVJzIg9daIUMVJsgYoAaPf6VDOQKBgFyH ++eHnf/XDfpq8vOOuzcgWieG7EduHW72DlohIObNzqRq2BnKraJakyWXh6P6fvTsBn ++0WVYjY/n80hsjVw1k3RRsQuiXupv66aPvqcOLsWbdVxFOBaf/3yR+75gCfMq7Xbh ++PkP+MP5UbVGWE+uUw821mgKsjNSpGKcjhwM8uXBjAoGAFEU3O8gQXfocVB8lxUeU ++c0inLdAIgiw/36NPuW4NwKxzLOmHzlmvn7C98ihnbnGoQ0XBRfLw8siTbD3INgHY ++NA0JeK8Qrt56b6wK14w9RzLQTu9gy1pULW21p1wswdNK4tlxfnnnozISZAYxeqAx ++YMTtYZN77nb+yY4oE6XEugQ= ++-----END PRIVATE KEY----- +diff --git a/test/certs/setup.sh b/test/certs/setup.sh +index 7e1086a224..018e5fc690 100755 +--- a/test/certs/setup.sh ++++ b/test/certs/setup.sh +@@ -241,15 +241,30 @@ NC="$NC excluded;DNS:bad.ok.good.com" + NC=$NC ./mkcert.sh genca "Test NC sub CA" ncca3-key ncca3-cert \ + ncca1-key ncca1-cert + +-# all subjectAltNames allowed by CA1. ++# all subjectAltNames allowed by CA1. Some CNs are not! + + ./mkcert.sh req alt1-key "O = Good NC Test Certificate 1" \ +- "1.CN=www.good.org" "2.CN=Joe Bloggs" "3.CN=any.good.com" | \ ++ "1.CN=www.example.net" "2.CN=Joe Bloggs" | \ + ./mkcert.sh geneealt alt1-key alt1-cert ncca1-key ncca1-cert \ + "DNS.1 = www.good.org" "DNS.2 = any.good.com" \ + "email.1 = good@good.org" "email.2 = any@good.com" \ + "IP = 127.0.0.1" "IP = 192.168.0.1" + ++# all DNS-like CNs allowed by CA1, no DNS SANs. ++ ++./mkcert.sh req goodcn1-key "O = Good NC Test Certificate 1" \ ++ "1.CN=www.good.org" "2.CN=any.good.com" \ ++ "3.CN=not..dns" "4.CN=not@dns" "5.CN=not-.dns" "6.CN=not.dns." | \ ++ ./mkcert.sh geneealt goodcn1-key goodcn1-cert ncca1-key ncca1-cert \ ++ "IP = 127.0.0.1" "IP = 192.168.0.1" ++ ++# Some DNS-like CNs not permitted by CA1, no DNS SANs. ++ ++./mkcert.sh req badcn1-key "O = Good NC Test Certificate 1" \ ++ "1.CN=www.good.org" "3.CN=bad.net" | \ ++ ./mkcert.sh geneealt badcn1-key badcn1-cert ncca1-key ncca1-cert \ ++ "IP = 127.0.0.1" "IP = 192.168.0.1" ++ + # no subjectAltNames excluded by CA2. + + ./mkcert.sh req alt2-key "O = Good NC Test Certificate 2" | \ +@@ -293,19 +308,17 @@ NC=$NC ./mkcert.sh genca "Test NC sub CA" ncca3-key ncca3-cert \ + "email.1 = good@good.org" "email.2 = any@good.com" \ + "IP = 127.0.0.2" + +-# all subject alt names OK but subject CN not allowed by CA1. ++# No DNS-ID SANs and subject CN not allowed by CA1. + ./mkcert.sh req badalt6-key "O = Bad NC Test Certificate 6" \ + "1.CN=other.good.org" "2.CN=Joe Bloggs" "3.CN=any.good.com" | \ + ./mkcert.sh geneealt badalt6-key badalt6-cert ncca1-key ncca1-cert \ +- "DNS.1 = www.good.org" "DNS.2 = any.good.com" \ + "email.1 = good@good.org" "email.2 = any@good.com" \ + "IP = 127.0.0.1" "IP = 192.168.0.1" + +-# all subject alt names OK but subject CN not allowed by CA1, BMPSTRING ++# No DNS-ID SANS and subject CN not allowed by CA1, BMPSTRING + REQMASK=MASK:0x800 ./mkcert.sh req badalt7-key "O = Bad NC Test Certificate 7" \ + "1.CN=other.good.org" "2.CN=Joe Bloggs" "3.CN=any.good.com" | \ + ./mkcert.sh geneealt badalt7-key badalt7-cert ncca1-key ncca1-cert \ +- "DNS.1 = www.good.org" "DNS.2 = any.good.com" \ + "email.1 = good@good.org" "email.2 = any@good.com" \ + "IP = 127.0.0.1" "IP = 192.168.0.1" + +diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t +index 11bd43090f..c23e114e06 100644 +--- a/test/recipes/25-test_verify.t ++++ b/test/recipes/25-test_verify.t +@@ -30,7 +30,7 @@ sub verify { + run(app([@args])); + } + +-plan tests => 127; ++plan tests => 129; + + # Canonical success + ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), +@@ -326,6 +326,12 @@ ok(verify("alt2-cert", "sslserver", ["root-cert"], ["ncca2-cert"], ), + ok(verify("alt3-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), + "Name Constraints nested test all permitted"); + ++ok(verify("goodcn1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), ++ "Name Constraints CNs permitted"); ++ ++ok(!verify("badcn1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), ++ "Name Constraints CNs not permitted"); ++ + ok(!verify("badalt1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), + "Name Constraints hostname not permitted"); + +-- +2.17.0 + diff --git a/0002-Skip-CN-DNS-name-constraint-checks-when-not-needed.patch b/0002-Skip-CN-DNS-name-constraint-checks-when-not-needed.patch new file mode 100644 index 0000000..baa49e7 --- /dev/null +++ b/0002-Skip-CN-DNS-name-constraint-checks-when-not-needed.patch @@ -0,0 +1,212 @@ +From 6d3cfd13a904a03fc3522da935136dcdd12e9014 Mon Sep 17 00:00:00 2001 +From: Viktor Dukhovni +Date: Tue, 22 May 2018 14:46:02 -0400 +Subject: [PATCH 2/2] Skip CN DNS name constraint checks when not needed + +Only check the CN against DNS name contraints if the +`X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` flag is not set, and either the +certificate has no DNS subject alternative names or the +`X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT` flag is set. + +Add pertinent documentation, and touch up some stale text about +name checks and DANE. + +Reviewed-by: Matt Caswell +Reviewed-by: Tim Hudson +--- + crypto/x509/x509_vfy.c | 28 ++++++++++++++++++- + crypto/x509v3/v3_ncons.c | 31 +++++++--------------- + doc/crypto/X509_VERIFY_PARAM_set_flags.pod | 21 ++++++++++++--- + doc/crypto/X509_check_host.pod | 7 +++-- + doc/ssl/SSL_set1_host.pod | 2 +- + 5 files changed, 61 insertions(+), 28 deletions(-) + +Index: openssl-1.1.0h/crypto/x509/x509_vfy.c +=================================================================== +--- openssl-1.1.0h.orig/crypto/x509/x509_vfy.c 2018-03-27 15:50:39.000000000 +0200 ++++ openssl-1.1.0h/crypto/x509/x509_vfy.c 2018-05-29 10:52:23.753159887 +0200 +@@ -557,6 +557,27 @@ static int check_chain_extensions(X509_S + return 1; + } + ++static int has_san_id(X509 *x, int gtype) ++{ ++ int i; ++ int ret = 0; ++ GENERAL_NAMES *gs = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); ++ ++ if (gs == NULL) ++ return 0; ++ ++ for (i = 0; i < sk_GENERAL_NAME_num(gs); i++) { ++ GENERAL_NAME *g = sk_GENERAL_NAME_value(gs, i); ++ ++ if (g->type == gtype) { ++ ret = 1; ++ break; ++ } ++ } ++ GENERAL_NAMES_free(gs); ++ return ret; ++} ++ + static int check_name_constraints(X509_STORE_CTX *ctx) + { + int i; +@@ -655,7 +676,12 @@ static int check_name_constraints(X509_S + int rv = NAME_CONSTRAINTS_check(x, nc); + + /* If EE certificate check commonName too */ +- if (rv == X509_V_OK && i == 0) ++ if (rv == X509_V_OK && i == 0 ++ && (ctx->param->hostflags ++ & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT) == 0 ++ && ((ctx->param->hostflags ++ & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT) != 0 ++ || !has_san_id(x, GEN_DNS))) + rv = NAME_CONSTRAINTS_check_CN(x, nc); + + switch (rv) { +Index: openssl-1.1.0h/crypto/x509v3/v3_ncons.c +=================================================================== +--- openssl-1.1.0h.orig/crypto/x509v3/v3_ncons.c 2018-05-29 10:52:23.733159579 +0200 ++++ openssl-1.1.0h/crypto/x509v3/v3_ncons.c 2018-05-29 10:52:23.753159887 +0200 +@@ -299,9 +299,9 @@ int NAME_CONSTRAINTS_check(X509 *x, NAME + + static int cn2dnsid(ASN1_STRING *cn, unsigned char **dnsid, size_t *idlen) + { +- int utf8_length; /* Return type of ASN1_STRING_to_UTF8 */ +- int i; ++ int utf8_length; + unsigned char *utf8_value; ++ int i; + int isdnsname = 0; + + /* Don't leave outputs uninitialized */ +@@ -337,8 +337,10 @@ static int cn2dnsid(ASN1_STRING *cn, uns + --utf8_length; + + /* Reject *embedded* NULs */ +- if ((size_t)utf8_length != strlen((char *)utf8_value)) +- return X509_V_ERR_UNSPECIFIED; ++ if ((size_t)utf8_length != strlen((char *)utf8_value)) { ++ OPENSSL_free(utf8_value); ++ return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; ++ } + + /* + * XXX: Deviation from strict DNS name syntax, also check names with '_' +@@ -388,11 +390,13 @@ static int cn2dnsid(ASN1_STRING *cn, uns + return X509_V_OK; + } + ++/* ++ * Check CN against DNS-ID name constraints. ++ */ + int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc) + { + int r, i; +- GENERAL_NAMES *gens = NULL; +- X509_NAME *nm; ++ X509_NAME *nm = X509_get_subject_name(x); + ASN1_STRING stmp; + GENERAL_NAME gntmp; + +@@ -401,21 +405,6 @@ int NAME_CONSTRAINTS_check_CN(X509 *x, N + gntmp.type = GEN_DNS; + gntmp.d.dNSName = &stmp; + +- gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); +- if (gens != NULL) { +- for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) { +- GENERAL_NAME *gen = sk_GENERAL_NAME_value(gens, i); +- +- if (gen->type == GEN_DNS) { +- GENERAL_NAMES_free(gens); +- return X509_V_OK; +- } +- } +- GENERAL_NAMES_free(gens); +- } +- +- nm = X509_get_subject_name(x); +- + /* Process any commonName attributes in subject name */ + + for (i = -1;;) { +Index: openssl-1.1.0h/doc/crypto/X509_VERIFY_PARAM_set_flags.pod +=================================================================== +--- openssl-1.1.0h.orig/doc/crypto/X509_VERIFY_PARAM_set_flags.pod 2018-03-27 15:50:40.000000000 +0200 ++++ openssl-1.1.0h/doc/crypto/X509_VERIFY_PARAM_set_flags.pod 2018-05-29 10:52:23.753159887 +0200 +@@ -130,14 +130,29 @@ B clearing any previously specifie + B is NULL, or empty the list of hostnames is cleared, and + name checks are not performed on the peer certificate. If B + is NUL-terminated, B may be zero, otherwise B +-must be set to the length of B. When a hostname is specified, ++must be set to the length of B. ++ ++When a hostname is specified, + certificate verification automatically invokes L + with flags equal to the B argument given to + X509_VERIFY_PARAM_set_hostflags() (default zero). Applications + are strongly advised to use this interface in preference to explicitly +-calling L, hostname checks are out of scope ++calling L, hostname checks may be out of scope + with the DANE-EE(3) certificate usage, and the internal check will +-be suppressed as appropriate when DANE support is added to OpenSSL. ++be suppressed as appropriate when DANE verification is enabled. ++ ++When the subject CommonName will not be ignored, whether as a result of the ++B host flag, or because no DNS subject ++alternative names are present in the certificate, any DNS name constraints in ++issuer certificates apply to the subject CommonName as well as the subject ++alternative name extension. ++ ++When the subject CommonName will be ignored, whether as a result of the ++B host flag, or because some DNS subject ++alternative names are present in the certificate, DNS name constraints in ++issuer certificates will not be applied to the subject DN. ++As described in X509_check_host(3) the B ++flag takes precendence over the B flag. + + X509_VERIFY_PARAM_add1_host() adds B as an additional reference + identifier that can match the peer's certificate. Any previous names +Index: openssl-1.1.0h/doc/crypto/X509_check_host.pod +=================================================================== +--- openssl-1.1.0h.orig/doc/crypto/X509_check_host.pod 2018-03-27 15:50:40.000000000 +0200 ++++ openssl-1.1.0h/doc/crypto/X509_check_host.pod 2018-05-29 10:52:23.753159887 +0200 +@@ -93,6 +93,9 @@ consider the subject DN even if the cert + names of the right type (DNS name or email address as appropriate); the default + is to use the subject DN when no corresponding subject alternative names are + present. ++If both B and ++B are specified, the latter takes ++precedence and the subject DN is not checked for matching names. + + If set, B disables wildcard + expansion; this only applies to B. +@@ -128,9 +131,9 @@ NULs. + + Applications are encouraged to use X509_VERIFY_PARAM_set1_host() + rather than explicitly calling L. Host name +-checks are out of scope with the DANE-EE(3) certificate usage, ++checks may be out of scope with the DANE-EE(3) certificate usage, + and the internal checks will be suppressed as appropriate when +-DANE support is added to OpenSSL. ++DANE support is enabled. + + =head1 SEE ALSO + +Index: openssl-1.1.0h/doc/ssl/SSL_set1_host.pod +=================================================================== +--- openssl-1.1.0h.orig/doc/ssl/SSL_set1_host.pod 2018-03-27 15:50:40.000000000 +0200 ++++ openssl-1.1.0h/doc/ssl/SSL_set1_host.pod 2018-05-29 10:52:23.753159887 +0200 +@@ -56,7 +56,7 @@ is cleared or freed, or a renegotiation + must not free the return value. + + SSL clients are advised to use these functions in preference to +-explicitly calling L. Hostname checks are out ++explicitly calling L. Hostname checks may be out + of scope with the RFC7671 DANE-EE(3) certificate usage, and the + internal check will be suppressed as appropriate when DANE is + enabled. diff --git a/openssl-1_1.changes b/openssl-1_1.changes index 1f0a56c..ba61e17 100644 --- a/openssl-1_1.changes +++ b/openssl-1_1.changes @@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Fri Jun 1 11:37:06 UTC 2018 - vcizek@suse.com + +- Suggest libopenssl1_1-hmac from libopenssl1_1 package to avoid + dependency issues during updates (bsc#1090765) + +------------------------------------------------------------------- +Tue May 29 08:53:01 UTC 2018 - vcizek@suse.com + +- Relax CN name restrictions (bsc#1084011) + * added patches: + 0001-Limit-scope-of-CN-name-constraints.patch + 0002-Skip-CN-DNS-name-constraint-checks-when-not-needed.patch + ------------------------------------------------------------------- Thu May 10 09:37:19 UTC 2018 - vcizek@suse.com diff --git a/openssl-1_1.spec b/openssl-1_1.spec index 8508a10..bf54f50 100644 --- a/openssl-1_1.spec +++ b/openssl-1_1.spec @@ -79,6 +79,9 @@ Patch73: 0001-Tolerate-a-Certificate-using-a-non-supported-group-o.patch # PATCH-FIX-UPSTREAM (boo#1091961) Patch74: 0001-Revert-util-dofile.pl-only-quote-stuff-that-actually.patch Patch75: openssl-CVE-2018-0737.patch +# PATCH-FIX-UPSTREAM (bsc#1084011) +Patch76: 0001-Limit-scope-of-CN-name-constraints.patch +Patch77: 0002-Skip-CN-DNS-name-constraint-checks-when-not-needed.patch BuildRequires: bc BuildRequires: ed BuildRequires: pkgconfig @@ -101,6 +104,7 @@ Summary: Secure Sockets and Transport Layer Security License: OpenSSL Group: Productivity/Networking/Security Recommends: ca-certificates-mozilla +Suggests: libopenssl1_1-hmac = %{version}-%{release} # Needed for clean upgrade from former openssl-1_1_0, boo#1081335 Obsoletes: libopenssl1_1_0