

test: add script to create 0-dns-cert.pem
0-dns-cert.pem  and 0-dns-key.pem were stored in `test/fixtures/key`
directory, but the cert file cannot be created with the openssl
command via Makefile.

Added a script that creates it using `asn1.js` and
`asn1.js-rfc5280`, and moved the two files out of the key directory into
`test/fixtures/0-dns`.

The domains listed in the cert were also changed into example.com and
example.org to show the use for only testing.

Fixes: nodejs#10228
PR-URL: nodejs#11579
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Sam Roberts <[email protected]>
shigeki committed Mar 10, 2017
1 parent b98004b commit dacaaa5
Showing 9 changed files with 170 additions and 51 deletions.
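--- /dev/null
+++ b/test/fixtures/0-dns/0-dns-cert.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGDCCAgCgAwIBAgIBATANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDEw5jYS5l
+eGFtcGxlLmNvbTAeFw0xNzAzMDIwMTMxMjJaFw0yNzAyMjgwMTMxMjJaMBsxGTAX
+BgNVBAMTEGV2aWwuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDFyJT0kv2P9L6iNY6TL7IZonAR8R9ev7iD1tR5ycMEpM/y6WTefIco
+civMcBGVZWtCgkoePHiveH9UIep7HFGB4gxCYDZFYB46yGS0YH2fB5GWXTLYObYa
+zxuEhgFRG0DLIwNDRLW0+0FG3disp7YdRHBtdbL58F/qNORqPEjIpoQxOJc2UqX2
+/gfomJRdFW/PSgN7uH2QwMzRQRIrKmyAFzeuEWVP+UAV4853Yg66PmYpAASyt069
+sE8QNTNE75KrerMmYzH7AmTEGvY8bukrDuVQZce2/lcK2rAE+G6at2eBNMZKOnzR
+y9kWIiJ3rR7+WK55EKelLz0doZFKteu1AgMBAAGjaTBnMGUGA1UdEQReMFyCImdv
+b2QuZXhhbXBsZS5vcmcALmV2aWwuZXhhbXBsZS5jb22CGGp1c3QtYW5vdGhlci5l
+eGFtcGxlLmNvbYcECAgICIcECAgEBIIQbGFzdC5leGFtcGxlLmNvbTANBgkqhkiG
+9w0BAQsFAAOCAQEAvreVoOZO2gpM4Dmzp70D30XZjsK9i0BCsRHBvPLPw3y8B2xg
+BRtOREOI69NU0WGpj5Lbqww5M8M1hjHshiGEu2aXfZ6qM3lENaIMCpKlF9jbm02/
+wmxNaAnS8bDSZyO5rbsGr2tJb4ds7DazmMEKWhOBEpJoOp9rG6SAey+a6MkZ7NEN
+0p3THCqNf3lL1KblPrMvdsyhHPEzv4uT7+YAnLKHwGzbihcWJRsRo5oipWL8ZDhn
+bd3SMWtfRTSWDmghJaHke2xIjDtTwSjHjjPTFsK+rl227W8r4/EQI/X6fTQV2j3T
+7zqrJLF9h9F/v3mo57k6sxsQNZ12XvhuTHC2dA==
+-----END CERTIFICATE-----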
27 changes: 27 additions & 0 deletions test/fixtures/0-dns/0-dns-key.pem
@@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
Binary file added test/fixtures/0-dns/0-dns-rsapub.der
Binary file not shown.
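--- /dev/null
+++ b/test/fixtures/0-dns/README.md
@@ -0,0 +1,26 @@
+## Purpose
+The test cert file for use `test/parallel/test-tls-0-dns-altname.js`
+can be created by using `asn1.js` and `asn1.js-rfc5280`,
+
+## How to create a test cert.
+
+```sh
+$ openssl genrsa -out 0-dns-key.pem 2048
+Generating RSA private key, 2048 bit long modulus
+...................+++
+..............................................................................................+++
+e is 65537 (0x10001)
+$ openssl rsa -in 0-dns-key.pem -RSAPublicKey_out -outform der -out 0-dns-rsapub.der
+writing RSA key
+$ npm install
+[email protected] /home/github/node/test/fixtures/0-dns
++-- [email protected]
+| +-- [email protected]
+| +-- [email protected]
+| `-- [email protected]
+`-- [email protected]
+
+$ node ./createCert.js
+$ openssl x509 -text -in 0-dns-cert.pem
+(You can not see evil.example.com in subjectAltName field)
+```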
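--- /dev/null
+++ b/test/fixtures/0-dns/create-cert.js
@@ -0,0 +1,75 @@
+'use strict';
+const asn1 = require('asn1.js');
+const crypto = require('crypto');
+const fs = require('fs');
+const rfc5280 = require('asn1.js-rfc5280');
+const BN = asn1.bignum;
+
+const id_at_commonName = [ 2, 5, 4, 3 ];
+const rsaEncryption = [1, 2, 840, 113549, 1, 1, 1];
+const sha256WithRSAEncryption = [1, 2, 840, 113549, 1, 1, 11];
+const sigalg = 'RSA-SHA256';
+
+const private_key = fs.readFileSync('./0-dns-key.pem');
+// public key file can be generated from the private key with
+// openssl rsa -in 0-dns-key.pem -RSAPublicKey_out -outform der
+// -out 0-dns-rsapub.der
+const public_key = fs.readFileSync('./0-dns-rsapub.der');
+
+const now = Date.now();
+const days = 3650;
+
+const Null_ = asn1.define('Null_', function() {
+this.null_();
+});
+const null_ = Null_.encode('der');
+
+const PrintStr = asn1.define('PrintStr', function() {
+this.printstr();
+});
+const issuer = PrintStr.encode('ca.example.com', 'der');
+const subject = PrintStr.encode('evil.example.com', 'der');
+
+const tbs = {
+version: 'v3',
+serialNumber: new BN('01', 16),
+signature: { algorithm: sha256WithRSAEncryption, parameters: null_},
+issuer: { type: 'rdnSequence',
+value: [ [{type: id_at_commonName, value: issuer}] ] },
+validity:
+{ notBefore: { type: 'utcTime', value: now },
+notAfter: { type: 'utcTime', value: now + days * 86400000} },
+subject: { type: 'rdnSequence',
+value: [ [{type: id_at_commonName, value: subject}] ] },
+subjectPublicKeyInfo:
+{ algorithm: { algorithm: rsaEncryption, parameters: null_},
+subjectPublicKey: { unused: 0, data: public_key} },
+extensions:
+[ { extnID: 'subjectAlternativeName',
+critical: false,
+// subjectAltName which contains '\0' character to check CVE-2009-2408
+extnValue: [
+{ type: 'dNSName', value: 'good.example.org\u0000.evil.example.com' },
+{ type: 'dNSName', value: 'just-another.example.com' },
+{ type: 'iPAddress', value: Buffer.from('08080808', 'hex') },
+{ type: 'iPAddress', value: Buffer.from('08080404', 'hex') },
+{ type: 'dNSName', value: 'last.example.com' } ] }
+]
+};
+
+const tbs_der = rfc5280.TBSCertificate.encode(tbs, 'der');
+
+const sign = crypto.createSign(sigalg);
+sign.update(tbs_der);
+const signature = sign.sign(private_key);
+
+const cert = {
+tbsCertificate: tbs,
+signatureAlgorithm: { algorithm: sha256WithRSAEncryption, parameters: null_ },
+signature:
+{ unused: 0,
+data: signature }
+};
+const pem = rfc5280.Certificate.encode(cert, 'pem', {label: 'CERTIFICATE'});
+
+fs.writeFileSync('./0-dns-cert.pem', pem + '\n');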
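Review bot: The three fixture paths (`'./0-dns-key.pem'`, `'./0-dns-rsapub.der'`, `'./0-dns-cert.pem'`) are resolved against the process working directory, so the script only works when launched from inside `test/fixtures/0-dns`; anchoring them to `__dirname` removes that dependency. The script is also referred to as `createCert.js` in package.json's `main` field and in README.md, while the file added here is `create-cert.js`, so one of the names should change. The validity window is `days = 3650` from `Date.now()`, which means the committed certificate will eventually expire and the fixture will have to be regenerated; a comment such as `// NOTE: the checked-in 0-dns-cert.pem expires 10 years after generation; re-run this script to renew it` next to the `days` constant would make that visible to the next maintainer.
```javascript
const path = require('path');
// … unchanged: asn1/crypto/fs/rfc5280 requires and OID constants …
const private_key = fs.readFileSync(path.join(__dirname, '0-dns-key.pem'));
// … unchanged: public-key generation comment …
const public_key = fs.readFileSync(path.join(__dirname, '0-dns-rsapub.der'));
// … unchanged: TBSCertificate construction and signing …
fs.writeFileSync(path.join(__dirname, '0-dns-cert.pem'), pem + '\n');
```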
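--- /dev/null
+++ b/test/fixtures/0-dns/package.json
@@ -0,0 +1,16 @@
+{
+"name": "0-dns",
+"version": "1.0.0",
+"description": "create certificate for 0-dns test",
+"main": "createCert.js",
+"scripts": {
+"test": "echo \"Error: no test specified\" && exit 1"
+},
+"author": "",
+"license": "SEE LICENSE IN ../../../LICENSE",
+"private": true,
+"dependencies": {
+"asn1.js": "^4.9.1",
+"asn1.js-rfc5280": "^1.2.2"
+}
+}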
19 changes: 0 additions & 19 deletions test/fixtures/keys/0-dns-cert.pem

This file was deleted.

27 changes: 0 additions & 27 deletions test/fixtures/keys/0-dns-key.pem

This file was deleted.

12 changes: 7 additions & 5 deletions test/parallel/test-tls-0-dns-altname.js
@@ -2,6 +2,8 @@
const common = require('../common');
const assert = require('assert');

// Check getPeerCertificate can properly handle '\0' for fix CVE-2009-2408.

if (!common.hasCrypto) {
common.skip('missing crypto');
return;
@@ -11,8 +13,8 @@ const tls = require('tls');
const fs = require('fs');

const server = tls.createServer({
key: fs.readFileSync(common.fixturesDir + '/keys/0-dns-key.pem'),
cert: fs.readFileSync(common.fixturesDir + '/keys/0-dns-cert.pem')
key: fs.readFileSync(common.fixturesDir + '/0-dns/0-dns-key.pem'),
cert: fs.readFileSync(common.fixturesDir + '/0-dns/0-dns-cert.pem')
}, function(c) {
c.once('data', function() {
c.destroy();
@@ -24,11 +26,11 @@ const server = tls.createServer({
}, common.mustCall(function() {
const cert = c.getPeerCertificate();
assert.strictEqual(cert.subjectaltname,
'DNS:google.com\0.evil.com, ' +
'DNS:just-another.com, ' +
'DNS:good.example.org\0.evil.example.com, ' +
'DNS:just-another.example.com, ' +
'IP Address:8.8.8.8, ' +
'IP Address:8.8.4.4, ' +
'DNS:last.com');
'DNS:last.example.com');
c.write('ok');
}));
}));
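Review bot: The expected `subjectaltname` string in the `assert.strictEqual` is now produced by a generator script rather than a hand-made fixture, but nothing in the test records that coupling; a comment such as `// Must match the SAN list in test/fixtures/0-dns/create-cert.js` above the assertion would keep the two in sync when the fixture is regenerated. The fixture paths are built by string concatenation (`common.fixturesDir + '/0-dns/0-dns-key.pem'`); `path.join(common.fixturesDir, '0-dns', '0-dns-key.pem')` is the usual form, assuming `path` is required elsewhere in the file. The client callback that contains the assertion begins outside this hunk.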
