support for subjectAltName

drieux · drieux · commit 86248012f23a · 2014-04-14T16:40:58.000-07:00
diff --git a/lib/LWP/Protocol/https.pm b/lib/LWP/Protocol/https.pm
@@ -50,17 +50,78 @@ EOT
     return (%ssl_opts, $self->SUPER::_extra_sock_opts);
 }
 
+#------------------------------------------------------------
+# _cn_match($common_name, $san_name) 
+#  common_name: an IA5String
+#  san_name: subjectAltName
+# initially we were only concerned with the dNSName
+# and the 'left-most' only wildcard as noted in 
+#   https://tools.ietf.org/html/rfc6125#section-6.4.3
+# this method does not match any wildcarding in the
+# domain name as listed in section-6.4.3.3
+#
+sub _cn_match {
+    my( $me, $common_name, $san_name ) = @_;
+
+    # /CN has a '*.' prefix
+    # MUST be an FQDN -- fishing?
+    return 0 if( $common_name =~ /^\*\./ );
+    
+    my $re = q{}; # empty string
+
+     # turn a leading "*." into a regex
+    if( $san_name =~ /^\*\./ ) {
+        $san_name =~ s/\*//;
+        $re = "[^.]+";
+    }
+
+      # quotemeta the rest and match anchored
+    if( $common_name =~ /^$re\Q$san_name\E$/ ) {
+        return 1;
+    }
+    return 0;
+}
+
+#-------------------------------------------------------
+# _in_san( cn, cert )
+#  'cn' of the form  /CN=host_to_check ( "Common Name" form )
+#  'cert' any object that implements a peer_certificate('subjectAltNames') method
+#   which will return an array of  ( type-id, value ) pairings per
+#   http://tools.ietf.org/html/rfc5280#section-4.2.1.6
+# if there is no subjectAltNames there is nothing more to do.
+# currently we have a _cn_match() that will allow for simple compare.
+sub _in_san
+{
+    my($me, $cn, $cert) = @_;
+	
+	  # we can return early if there are no SAN options.
+	my @sans = $cert->peer_certificate('subjectAltNames');
+	return unless scalar @sans; 
+	
+	(my $common_name = $cn) =~ s/.*=//; # strip off the prefix.
+   
+      # get the ( type-id, value ) pairwise
+      # currently only the basic CN to san_name check
+    while( my ( $type_id, $value ) = splice( @sans, 0, 2 ) ) {
+        return 'ok' if $me->_cn_match($common_name,$value);
+    }
+    return;
+}
+
 sub _check_sock
 {
     my($self, $req, $sock) = @_;
     my $check = $req->header("If-SSL-Cert-Subject");
     if (defined $check) {
-	my $cert = $sock->get_peer_certificate ||
-	    die "Missing SSL certificate";
-	my $subject = $cert->subject_name;
-	die "Bad SSL certificate subject: '$subject' !~ /$check/"
-	    unless $subject =~ /$check/;
-	$req->remove_header("If-SSL-Cert-Subject");  # don't pass it on
+        my $cert = $sock->get_peer_certificate ||
+            die "Missing SSL certificate";
+        my $subject = $cert->subject_name;
+        unless ( $subject =~ /$check/ ) {
+            my $ok = $self->_in_san( $check, $cert);
+            die "Bad SSL certificate subject: '$subject' !~ /$check/"
+                unless $ok;
+        }
+        $req->remove_header("If-SSL-Cert-Subject");  # don't pass it on
     }
 }
 
diff --git a/t/method_in_san.t b/t/method_in_san.t
@@ -0,0 +1,109 @@
+use warnings;
+use strict;
+use Test::More tests => 17;
+#--------------------------------------------------------------
+# this is just for testing the '_in_san()' method
+#--------------------------------------------------------------
+use LWP::Protocol::https;
+sub class_under_test { return 'LWP::Protocol::https'; }
+#-----------------------------
+test__in_san();
+test__cn_match();
+
+#-----------------
+sub test__in_san {
+    my $class = class_under_test();
+    can_ok( $class, '_in_san' );
+    {
+        no strict qw(refs);          ## no critic (ProhibitNoStrict)
+        no warnings qw(redefine);    ## no critic (ProhibitNoWarnings)
+
+        # a bit of a monkey patch to make it simpler to test
+        # the various basic cases under test
+        
+        my $p_cert = bless {}, 'fauxCert';
+        my @san_list;
+        my $p_peer_certificate = 'fauxCert::peer_certificate';
+        local *{$p_peer_certificate}  = sub {
+             return @san_list;
+        };
+        
+        #-----------------------------------
+        # We need three simple cases, one without SAN
+        # one with a pass, one with a fail connection.
+        # until we need to deal with more than just the simple dns_match
+        # futureNote: what if we use the 'type_id' -- and need to dispatch
+        # to other than the '_cn_match()' method -- we may want to extend this 
+        # basic list of tests.
+        my @tests = (
+            {
+                'san'   => [],
+                'cn'    => '/CN=foo.bar.baz',
+                'want'  => undef,
+                'label' => 'empty SAN',
+            },
+            {
+                'san'   => [2, '*.bar.baz'],
+                'cn'    => '/CN=foo.bar.baz',
+                'want'  => 'ok',
+                'label' => 'CN matched by wild card SAN',
+            },
+            {
+                'san'   => [2, '*.bar.baz',],
+                'cn'    => '/CN=cat.rat.bat',
+                'want'  => undef,
+                'label' => 'CN not in SAN',
+            }
+        );
+        
+        foreach my $test (@tests) {
+             my ($san, $cn,$want, $label) =  @{$test}{qw(san cn want label)};
+             @san_list = @{$san};
+             my $have = $class->_in_san($cn, $p_cert);
+             is($have, $want, $label);
+        }
+    }
+    return;
+}
+
+sub test__cn_match {
+    my $class = class_under_test();
+    can_ok( $class, '_cn_match' );
+
+    # [ common_name , san_name, must_match , 'label' ]
+
+    my @fail_cases = (
+        ['hostbar.foo' ,'ho*bar.foo'    ,0, 'inline wildcard' ],
+        ['host.cat.foo','host.*.foo'    ,0, 'wildcard between levels' ],
+        ['host.foo.bar','*foo.bar'      ,0, 'wild card without a dot'],
+        ['abcdfoo.com' ,'*.foo.com'     ,0, 'different domain name'],
+        ['*.foo.com'   ,'*.foo.com'     ,0, 'wild card query CN must be FQDN'],
+        ['baz.foo.bar' ,'*.red.foo.bar' ,0, 'wild card from the section below'],
+        ['baz.foo.bar' ,'*.foo.bar.'    ,0, 'extra dot in SAN -- "dns style" dot at the end' ],
+    );
+    my @ok_cases = (
+        ['baz.foo.bar' ,'baz.foo.bar'   ,1, 'matches directly' ],
+        ['baz.foo.bar' ,'*.foo.bar'     ,1, 'matches by wild card' ],
+    );
+    # Include these non-dns-specific-cases, as they could be things that
+    # might be passed in the /CN= and be a part of the SAN, but it is 
+    # not quite clear which way they should be addressed. Nor is it clear
+    # that they should be rejected by the _cn_match()
+    my @non_dns_specific_cases = (
+        ['127.0.0.1'   , '127.0.0.1'    ,1, 'dotQuad notation' ],
+        ['bob@bob.com' , 'bob@bob.com'  ,1, 'email compare' ],
+        ['schem://host', 'schem://host' ,1, 'url compare' ],
+    );
+    my @tests = (@fail_cases, @ok_cases, @non_dns_specific_cases );
+    
+    # now we can just iterate over the groups
+    foreach my $test ( @tests) {
+        my ( $cn, $san_dns, $must_match, $label ) = @{$test};
+        my $match = $class->_cn_match($cn, $san_dns);
+        my $test_label = sprintf("%12s ~ %14s : %s", $cn,$san_dns,$label);
+        is($match, $must_match, $test_label);
+    }
+    
+    return;
+}
+# the end
