diff --git a/api/envoy/extensions/transport_sockets/tls/v3/common.proto b/api/envoy/extensions/transport_sockets/tls/v3/common.proto index da68e8af5076..c1a3f5b33b34 100644 --- a/api/envoy/extensions/transport_sockets/tls/v3/common.proto +++ b/api/envoy/extensions/transport_sockets/tls/v3/common.proto @@ -314,13 +314,29 @@ message SubjectAltNameMatcher { DNS = 2; URI = 3; IP_ADDRESS = 4; + OTHER_NAME = 5; } // Specification of type of SAN. Note that the default enum value is an invalid choice. SanType san_type = 1 [(validate.rules).enum = {defined_only: true not_in: 0}]; // Matcher for SAN value. + // + // The string matching for OTHER_NAME SAN values depends on their ASN.1 type: + // + // * OBJECT: Validated against its dotted numeric notation (e.g., "1.2.3.4") + // * BOOLEAN: Validated against strings "true" or "false" + // * INTEGER/ENUMERATED: Validated against a string containing the integer value + // * NULL: Validated against an empty string + // * Other types: Validated directly against the string value type.matcher.v3.StringMatcher matcher = 2 [(validate.rules).message = {required: true}]; + + // OID Value which is required if OTHER_NAME SAN type is used. + // For example, UPN OID is 1.3.6.1.4.1.311.20.2.3 + // (Reference: http://oid-info.com/get/1.3.6.1.4.1.311.20.2.3). + // + // If set for SAN types other than OTHER_NAME, it will be ignored. + string oid = 3; } // [#next-free-field: 18] diff --git a/changelogs/current.yaml b/changelogs/current.yaml index bbf3e9ebafb5..348a1eb46d7a 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -414,6 +414,12 @@ new_features: Added :ref:`strip_failure_response ` to allow stripping the failure response details from the JWT authentication filter. +- area: tls + change: | + added support to match against ``OtherName`` SAN Type under :ref:`match_typed_subject_alt_names + `. + An additional field ``oid`` is added to :ref:`SubjectAltNameMatcher + ` to support this change. deprecated: - area: tracing 
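Review bot: `string oid = 3;` is described as required for OTHER_NAME but carries no `validate.rules`, so an empty or unparsable value is only caught later, when `OBJ_txt2obj` returns null and `createStringSanMatcher` returns nullptr; what the caller does with that nullptr is not visible in this diff, so the field comment should state the consequence, e.g. `// An empty or unparsable OID causes matcher creation to fail.`. The line `* Other types: Validated directly against the string value` is also inaccurate for OCTET_STRING, BIT_STRING, SET and SEQUENCE, which utility.cc compares against the raw content bytes (DER for SET and SEQUENCE) rather than a textual rendering, so add `* OCTET_STRING/BIT_STRING/SET/SEQUENCE: Validated against the raw content bytes of the value`. BMPString and UniversalString values are converted to UTF-8 before matching, which is worth a line as well.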
diff --git a/source/common/ssl/certificate_validation_context_config_impl.cc b/source/common/ssl/certificate_validation_context_config_impl.cc index 4f030296efcd..e6c9264024c8 100644 --- a/source/common/ssl/certificate_validation_context_config_impl.cc +++ b/source/common/ssl/certificate_validation_context_config_impl.cc @@ -100,6 +100,7 @@ CertificateValidationContextConfigImpl::getSubjectAltNameMatchers( } // Handle deprecated string type san matchers without san type specified, by // creating a matcher for each supported type. + // Note: This does not handle otherName type for (const envoy::type::matcher::v3::StringMatcher& matcher : config.match_subject_alt_names()) { static constexpr std::array< envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::SanType, 4> diff --git a/source/common/tls/cert_validator/san_matcher.cc b/source/common/tls/cert_validator/san_matcher.cc index 0229ca1c1273..99dc011c6b6c 100644 --- a/source/common/tls/cert_validator/san_matcher.cc +++ b/source/common/tls/cert_validator/san_matcher.cc @@ -18,6 +18,11 @@ bool StringSanMatcher::match(const GENERAL_NAME* general_name) const { if (general_name->type != general_name_type_) { return false; } + if (general_name->type == GEN_OTHERNAME) { + if (OBJ_cmp(general_name->d.otherName->type_id, general_name_oid_.get())) { + return false; + } + } // For DNS SAN, if the StringMatcher type is exact, we have to follow DNS matching semantics. const std::string san = Utility::generalNameAsString(general_name); return general_name->type == GEN_DNS && @@ -32,7 +37,7 @@ SanMatcherPtr createStringSanMatcher( Server::Configuration::CommonFactoryContext& context) { // Verify that a new san type has not been added. static_assert(envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::SanType_MAX == - 4); + 5); switch (matcher.san_type()) { PANIC_ON_PROTO_ENUM_SENTINEL_VALUES; 
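Review bot: `OBJ_cmp(general_name->d.otherName->type_id, general_name_oid_.get())` dereferences `general_name_oid_`, but the constructor added in san_matcher.h defaults that member to nullptr, so a `StringSanMatcher(GEN_OTHERNAME, ...)` built without an OID crashes on the first otherName SAN instead of failing closed. Make the null case an explicit non-match: `if (general_name_oid_ == nullptr || OBJ_cmp(general_name->d.otherName->type_id, general_name_oid_.get()) != 0) { return false; }`. Spelling the comparison as `!= 0` also avoids relying on OBJ_cmp's int result in a boolean context. `StringSanMatcher::match` continues past the end of this hunk.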
@@ -44,6 +49,15 @@ SanMatcherPtr createStringSanMatcher( return SanMatcherPtr{std::make_unique(GEN_URI, matcher.matcher(), context)}; case envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::IP_ADDRESS: return SanMatcherPtr{std::make_unique(GEN_IPADD, matcher.matcher(), context)}; + case envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::OTHER_NAME: { + // Invalid/Empty OID returns a nullptr from OBJ_txt2obj + bssl::UniquePtr oid(OBJ_txt2obj(matcher.oid().c_str(), 0)); + if (oid == nullptr) { + return nullptr; + } + return SanMatcherPtr{std::make_unique(GEN_OTHERNAME, matcher.matcher(), + context, std::move(oid))}; + } case envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::SAN_TYPE_UNSPECIFIED: PANIC("unhandled value"); } diff --git a/source/common/tls/cert_validator/san_matcher.h b/source/common/tls/cert_validator/san_matcher.h index 2a8af500a10b..135cf17f701c 100644 --- a/source/common/tls/cert_validator/san_matcher.h +++ b/source/common/tls/cert_validator/san_matcher.h @@ -35,12 +35,15 @@ class StringSanMatcher : public SanMatcher { bool match(const GENERAL_NAME* general_name) const override; ~StringSanMatcher() override = default; StringSanMatcher(int general_name_type, envoy::type::matcher::v3::StringMatcher matcher, - Server::Configuration::CommonFactoryContext& context) - : general_name_type_(general_name_type), matcher_(matcher, context) {} + Server::Configuration::CommonFactoryContext& context, + bssl::UniquePtr&& general_name_oid = nullptr) + : general_name_type_(general_name_type), matcher_(matcher, context), + general_name_oid_(std::move(general_name_oid)) {} private: const int general_name_type_; const Matchers::StringMatcherImpl matcher_; + bssl::UniquePtr general_name_oid_; }; SanMatcherPtr createStringSanMatcher( diff --git a/source/common/tls/utility.cc b/source/common/tls/utility.cc index 4ca9f26ed614..6df4276a4e99 100644 --- a/source/common/tls/utility.cc +++ b/source/common/tls/utility.cc 
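Review bot: `OBJ_txt2obj(matcher.oid().c_str(), 0)` with `dont_search_names` set to 0 also accepts the library's registered short and long names, so `oid` is not restricted to the dotted-numeric form the proto documentation describes. If only numeric OIDs are intended, pass 1: `bssl::UniquePtr<ASN1_OBJECT> oid(OBJ_txt2obj(matcher.oid().c_str(), 1));`. The comment above it could then say so: `// Only dotted-numeric OIDs are accepted; an invalid or empty OID yields nullptr from OBJ_txt2obj.`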
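Review bot: `bssl::UniquePtr<ASN1_OBJECT>&& general_name_oid = nullptr` is an rvalue-reference parameter with a default argument, an unusual shape for a sink; the idiomatic form is by value, `bssl::UniquePtr<ASN1_OBJECT> general_name_oid = nullptr`, with the existing `std::move` in the initializer unchanged, and every caller in this diff already passes `std::move(oid)`. The new member could also be `const bssl::UniquePtr<ASN1_OBJECT> general_name_oid_;` to match the two `const` members beside it, since it is only read in `match`. A constructor comment such as `// general_name_oid must be set when general_name_type is GEN_OTHERNAME.` would make the precondition the default argument leaves implicit visible to callers.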
@@ -226,6 +226,136 @@ std::string Utility::generalNameAsString(const GENERAL_NAME* general_name) { } break; } + case GEN_OTHERNAME: { + ASN1_TYPE* value = general_name->d.otherName->value; + if (value == nullptr) { + break; + } + switch (value->type) { + case V_ASN1_NULL: + break; + case V_ASN1_BOOLEAN: + san = value->value.boolean ? "true" : "false"; + break; + case V_ASN1_ENUMERATED: + case V_ASN1_INTEGER: { + BIGNUM san_bn; + BN_init(&san_bn); + value->type == V_ASN1_ENUMERATED ? ASN1_ENUMERATED_to_BN(value->value.enumerated, &san_bn) + : ASN1_INTEGER_to_BN(value->value.integer, &san_bn); + char* san_char = BN_bn2dec(&san_bn); + BN_free(&san_bn); + if (san_char != nullptr) { + san.assign(san_char); + OPENSSL_free(san_char); + } + break; + } + case V_ASN1_OBJECT: { + char tmp_obj[256]; // OID Max length + int obj_len = OBJ_obj2txt(tmp_obj, 256, value->value.object, 1); + if (obj_len > 256 || obj_len < 0) { + break; + } + san.assign(tmp_obj); + break; + } + case V_ASN1_BIT_STRING: { + ASN1_BIT_STRING* tmp_str = value->value.bit_string; + san.assign(reinterpret_cast(ASN1_STRING_data(tmp_str)), + ASN1_STRING_length(tmp_str)); + break; + } + case V_ASN1_OCTET_STRING: { + ASN1_OCTET_STRING* tmp_str = value->value.octet_string; + san.assign(reinterpret_cast(ASN1_STRING_data(tmp_str)), + ASN1_STRING_length(tmp_str)); + break; + } + case V_ASN1_PRINTABLESTRING: { + ASN1_PRINTABLESTRING* tmp_str = value->value.printablestring; + san.assign(reinterpret_cast(ASN1_STRING_data(tmp_str)), + ASN1_STRING_length(tmp_str)); + break; + } + case V_ASN1_T61STRING: { + ASN1_T61STRING* tmp_str = value->value.t61string; + san.assign(reinterpret_cast(ASN1_STRING_data(tmp_str)), + ASN1_STRING_length(tmp_str)); + break; + } + case V_ASN1_IA5STRING: { + ASN1_IA5STRING* tmp_str = value->value.ia5string; + san.assign(reinterpret_cast(ASN1_STRING_data(tmp_str)), + ASN1_STRING_length(tmp_str)); + break; + } + case V_ASN1_GENERALSTRING: { + ASN1_GENERALSTRING* tmp_str = 
value->value.generalstring; + san.assign(reinterpret_cast(ASN1_STRING_data(tmp_str)), + ASN1_STRING_length(tmp_str)); + break; + } + case V_ASN1_BMPSTRING: { + // `ASN1_BMPSTRING` is encoded using `UCS-4`, which needs conversion to UTF-8. + unsigned char* tmp = nullptr; + if (ASN1_STRING_to_UTF8(&tmp, value->value.bmpstring) < 0) { + break; + } + san.assign(reinterpret_cast(tmp)); + OPENSSL_free(tmp); + break; + } + case V_ASN1_UNIVERSALSTRING: { + // `ASN1_UNIVERSALSTRING` is encoded using `UCS-4`, which needs conversion to UTF-8. + unsigned char* tmp = nullptr; + if (ASN1_STRING_to_UTF8(&tmp, value->value.universalstring) < 0) { + break; + } + san.assign(reinterpret_cast(tmp)); + OPENSSL_free(tmp); + break; + } + case V_ASN1_UTCTIME: { + ASN1_UTCTIME* tmp_str = value->value.utctime; + san.assign(reinterpret_cast(ASN1_STRING_data(tmp_str)), + ASN1_STRING_length(tmp_str)); + break; + } + case V_ASN1_GENERALIZEDTIME: { + ASN1_GENERALIZEDTIME* tmp_str = value->value.generalizedtime; + san.assign(reinterpret_cast(ASN1_STRING_data(tmp_str)), + ASN1_STRING_length(tmp_str)); + break; + } + case V_ASN1_VISIBLESTRING: { + ASN1_VISIBLESTRING* tmp_str = value->value.visiblestring; + san.assign(reinterpret_cast(ASN1_STRING_data(tmp_str)), + ASN1_STRING_length(tmp_str)); + break; + } + case V_ASN1_UTF8STRING: { + ASN1_UTF8STRING* tmp_str = value->value.utf8string; + san.assign(reinterpret_cast(ASN1_STRING_data(tmp_str)), + ASN1_STRING_length(tmp_str)); + break; + } + case V_ASN1_SET: { + ASN1_STRING* tmp_str = value->value.set; + san.assign(reinterpret_cast(ASN1_STRING_data(tmp_str)), + ASN1_STRING_length(tmp_str)); + break; + } + case V_ASN1_SEQUENCE: { + ASN1_STRING* tmp_str = value->value.sequence; + san.assign(reinterpret_cast(ASN1_STRING_data(tmp_str)), + ASN1_STRING_length(tmp_str)); + break; + } + default: + break; + } + } } return san; } 
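Review bot: In the V_ASN1_BMPSTRING and V_ASN1_UNIVERSALSTRING cases the length returned by `ASN1_STRING_to_UTF8` is discarded and `san.assign(reinterpret_cast<const char*>(tmp))` stops at the first NUL, so an embedded NUL in a certificate-supplied value truncates the string that is later matched; keep the length: `int len = ASN1_STRING_to_UTF8(&tmp, value->value.bmpstring);` / `if (len < 0) { break; }` / `san.assign(reinterpret_cast<const char*>(tmp), len);` (and likewise for universalstring). The comment on the BMPSTRING case is also wrong: BMPString is UCS-2, not UCS-4 (UniversalString is UCS-4), so it should read `// ASN1_BMPSTRING is UCS-2, which needs conversion to UTF-8.`. In the V_ASN1_OBJECT case `OBJ_obj2txt` truncates when the text needs the whole buffer including its NUL, and `obj_len > 256` accepts that truncated output; use `if (obj_len < 0 || obj_len >= static_cast<int>(sizeof(tmp_obj))) { break; }`. `Utility::generalNameAsString` begins before the start of this hunk.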
diff --git a/test/common/tls/cert_validator/default_validator_test.cc b/test/common/tls/cert_validator/default_validator_test.cc index 7d1b8cd5e3bc..b876ca65df6a 100644 --- a/test/common/tls/cert_validator/default_validator_test.cc +++ b/test/common/tls/cert_validator/default_validator_test.cc 
@@ -47,6 +47,375 @@ TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameDNSMatched) { EXPECT_TRUE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); } +// All OtherName SAN tests below are matched against an expected OID +// and an expected SAN value + +// Test to check if the cert has an OtherName SAN +// of UTF8String type with value containing "example.com" +TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameOtherNameMatched) { + NiceMock context; + + bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/common/tls/test_data/san_othername_cert.pem")); + envoy::type::matcher::v3::StringMatcher matcher; + matcher.MergeFrom(TestUtility::createRegexMatcher(R"raw([^.]*\.example.com)raw")); + bssl::UniquePtr oid(OBJ_txt2obj("1.3.6.1.4.1.311.20.2.3", 0)); + std::vector subject_alt_name_matchers; + subject_alt_name_matchers.push_back(SanMatcherPtr{ + std::make_unique(GEN_OTHERNAME, matcher, context, std::move(oid))}); + EXPECT_TRUE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); +} + +// Test to check if the cert has an OtherName SAN +// with a Boolean type value "true" +TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameOtherNameBooleanTypeMatched) { + NiceMock context; + + bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/common/tls/test_data/san_multiple_othername_cert.pem")); + envoy::type::matcher::v3::StringMatcher matcher; + bssl::UniquePtr oid(OBJ_txt2obj("1.3.6.1.5.5.7.8.7", 0)); + matcher.MergeFrom(TestUtility::createExactMatcher("true")); + std::vector subject_alt_name_matchers; + subject_alt_name_matchers.push_back(SanMatcherPtr{ + std::make_unique(GEN_OTHERNAME, matcher, context, std::move(oid))}); + EXPECT_TRUE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); +} + +// Test to check if the cert has an OtherName SAN +// with an Enumerated type value "5" 
+TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameOtherNameEnumeratedTypeMatched) { + NiceMock context; + + bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/common/tls/test_data/san_multiple_othername_cert.pem")); + envoy::type::matcher::v3::StringMatcher matcher; + bssl::UniquePtr oid(OBJ_txt2obj("1.3.6.1.4.1.311.20.2.1", 0)); + matcher.MergeFrom(TestUtility::createExactMatcher("5")); + std::vector subject_alt_name_matchers; + subject_alt_name_matchers.push_back(SanMatcherPtr{ + std::make_unique(GEN_OTHERNAME, matcher, context, std::move(oid))}); + EXPECT_TRUE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); +} + +// Test to check if the cert has an OtherName SAN +// with an Integer type value "5464". +TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameOtherNameIntegerTypeMatched) { + NiceMock context; + + bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/common/tls/test_data/san_multiple_othername_cert.pem")); + envoy::type::matcher::v3::StringMatcher matcher; + bssl::UniquePtr oid(OBJ_txt2obj("1.3.6.1.5.5.7.8.3", 0)); + matcher.MergeFrom(TestUtility::createExactMatcher("5464")); + std::vector subject_alt_name_matchers; + subject_alt_name_matchers.push_back(SanMatcherPtr{ + std::make_unique(GEN_OTHERNAME, matcher, context, std::move(oid))}); + EXPECT_TRUE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); +} + +// Test to check if the cert has an OtherName SAN +// with an Object type value "1.3.6.1.4.1.311.20.2.3". 
+TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameOtherNameObjectTypeMatched) { + NiceMock context; + + bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/common/tls/test_data/san_multiple_othername_cert.pem")); + envoy::type::matcher::v3::StringMatcher matcher; + bssl::UniquePtr oid(OBJ_txt2obj("1.3.6.1.5.2.2", 0)); + matcher.MergeFrom(TestUtility::createExactMatcher("1.3.6.1.4.1.311.20.2.3")); + std::vector subject_alt_name_matchers; + subject_alt_name_matchers.push_back(SanMatcherPtr{ + std::make_unique(GEN_OTHERNAME, matcher, context, std::move(oid))}); + EXPECT_TRUE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); +} + +// Test to check if the cert has an OtherName SAN with a NULL type. +// NULL value is matched against an empty string since matcher is required. +TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameOtherNameNullTypeMatched) { + NiceMock context; + + bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/common/tls/test_data/san_multiple_othername_cert.pem")); + envoy::type::matcher::v3::StringMatcher matcher; + bssl::UniquePtr oid(OBJ_txt2obj("1.3.6.1.4.1.311.20.2.3", 0)); + matcher.MergeFrom(TestUtility::createExactMatcher("")); + std::vector subject_alt_name_matchers; + subject_alt_name_matchers.push_back(SanMatcherPtr{ + std::make_unique(GEN_OTHERNAME, matcher, context, std::move(oid))}); + EXPECT_TRUE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); +} + +// Test to check if the cert has an OtherName SAN +// with a BitString type value "01010101". 
+TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameOtherNameBitStringTypeMatched) { + NiceMock context; + + bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/common/tls/test_data/san_multiple_othername_string_type_cert.pem")); + envoy::type::matcher::v3::StringMatcher matcher; + bssl::UniquePtr oid(OBJ_txt2obj("1.3.6.1.4.1.311.20.2.3", 0)); + matcher.MergeFrom(TestUtility::createExactMatcher("01010101")); + std::vector subject_alt_name_matchers; + subject_alt_name_matchers.push_back(SanMatcherPtr{ + std::make_unique(GEN_OTHERNAME, matcher, context, std::move(oid))}); + EXPECT_TRUE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); +} + +// Test to check if the cert has an OtherName SAN +// with an OctetString type value "48656C6C6F20576F726C64". +TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameOtherNameOctetStringTypeMatched) { + NiceMock context; + + bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/common/tls/test_data/san_multiple_othername_string_type_cert.pem")); + envoy::type::matcher::v3::StringMatcher matcher; + bssl::UniquePtr oid(OBJ_txt2obj("1.3.6.1.4.1.311.20.2.4", 0)); + matcher.MergeFrom(TestUtility::createExactMatcher("48656C6C6F20576F726C64")); + std::vector subject_alt_name_matchers; + subject_alt_name_matchers.push_back(SanMatcherPtr{ + std::make_unique(GEN_OTHERNAME, matcher, context, std::move(oid))}); + EXPECT_TRUE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); +} + +// Test to check if the cert has an OtherName SAN +// with a PrintableString type value "PrintableStringExample". 
+TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameOtherNamePrintableStringTypeMatched) { + NiceMock context; + + bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/common/tls/test_data/san_multiple_othername_string_type_cert.pem")); + envoy::type::matcher::v3::StringMatcher matcher; + bssl::UniquePtr oid(OBJ_txt2obj("1.3.6.1.4.1.311.20.2.5", 0)); + matcher.MergeFrom(TestUtility::createExactMatcher("PrintableStringExample")); + std::vector subject_alt_name_matchers; + subject_alt_name_matchers.push_back(SanMatcherPtr{ + std::make_unique(GEN_OTHERNAME, matcher, context, std::move(oid))}); + EXPECT_TRUE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); +} + +// Test to check if the cert has an OtherName SAN +// with a T61String type value "T61StringExample". +TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameOtherNameT61StringTypeMatched) { + NiceMock context; + + bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/common/tls/test_data/san_multiple_othername_string_type_cert.pem")); + envoy::type::matcher::v3::StringMatcher matcher; + bssl::UniquePtr oid(OBJ_txt2obj("1.3.6.1.4.1.311.20.2.6", 0)); + matcher.MergeFrom(TestUtility::createExactMatcher("T61StringExample")); + std::vector subject_alt_name_matchers; + subject_alt_name_matchers.push_back(SanMatcherPtr{ + std::make_unique(GEN_OTHERNAME, matcher, context, std::move(oid))}); + EXPECT_TRUE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); +} + +// Test to check if the cert has an OtherName SAN +// with a IA5String type value "IA5StringExample". 
+TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameOtherNameIA5StringTypeMatched) { + NiceMock context; + + bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/common/tls/test_data/san_multiple_othername_string_type_cert.pem")); + envoy::type::matcher::v3::StringMatcher matcher; + bssl::UniquePtr oid(OBJ_txt2obj("1.3.6.1.4.1.311.20.2.7", 0)); + matcher.MergeFrom(TestUtility::createExactMatcher("IA5StringExample")); + std::vector subject_alt_name_matchers; + subject_alt_name_matchers.push_back(SanMatcherPtr{ + std::make_unique(GEN_OTHERNAME, matcher, context, std::move(oid))}); + EXPECT_TRUE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); +} + +// Test to check if the cert has an OtherName SAN +// with a GeneralStringExample type value "GeneralStringExample". +TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameOtherNameGeneralStringTypeMatched) { + NiceMock context; + + bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/common/tls/test_data/san_multiple_othername_string_type_cert.pem")); + envoy::type::matcher::v3::StringMatcher matcher; + bssl::UniquePtr oid(OBJ_txt2obj("1.3.6.1.4.1.311.20.2.8", 0)); + matcher.MergeFrom(TestUtility::createExactMatcher("GeneralStringExample")); + std::vector subject_alt_name_matchers; + subject_alt_name_matchers.push_back(SanMatcherPtr{ + std::make_unique(GEN_OTHERNAME, matcher, context, std::move(oid))}); + EXPECT_TRUE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); +} + +// Test to check if the cert has an OtherName SAN +// with an UniversalStringExample type value "UniversalStringExample". 
+TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameOtherNameUniversalStringTypeMatched) { + NiceMock context; + + bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/common/tls/test_data/san_multiple_othername_string_type_cert.pem")); + envoy::type::matcher::v3::StringMatcher matcher; + bssl::UniquePtr oid(OBJ_txt2obj("1.3.6.1.4.1.311.20.2.9", 0)); + matcher.MergeFrom(TestUtility::createExactMatcher("UniversalStringExample")); + std::vector subject_alt_name_matchers; + subject_alt_name_matchers.push_back(SanMatcherPtr{ + std::make_unique(GEN_OTHERNAME, matcher, context, std::move(oid))}); + EXPECT_TRUE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); +} + +// Test to check if the cert has an OtherName SAN +// with an UTCTime type value "230616120000Z". +TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameOtherNameUtcTimeTypeMatched) { + NiceMock context; + + bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/common/tls/test_data/san_multiple_othername_string_type_cert.pem")); + envoy::type::matcher::v3::StringMatcher matcher; + bssl::UniquePtr oid(OBJ_txt2obj("1.3.6.1.4.1.311.20.2.10", 0)); + matcher.MergeFrom(TestUtility::createExactMatcher("230616120000Z")); + std::vector subject_alt_name_matchers; + subject_alt_name_matchers.push_back(SanMatcherPtr{ + std::make_unique(GEN_OTHERNAME, matcher, context, std::move(oid))}); + EXPECT_TRUE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); +} + +// Test to check if the cert has an OtherName SAN +// with a GeneralizedTime type value "20230616120000Z". 
+TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameOtherNameGeneralizedTimeTypeMatched) { + NiceMock context; + + bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/common/tls/test_data/san_multiple_othername_string_type_cert.pem")); + envoy::type::matcher::v3::StringMatcher matcher; + bssl::UniquePtr oid(OBJ_txt2obj("1.3.6.1.4.1.311.20.2.11", 0)); + matcher.MergeFrom(TestUtility::createExactMatcher("20230616120000Z")); + std::vector subject_alt_name_matchers; + subject_alt_name_matchers.push_back(SanMatcherPtr{ + std::make_unique(GEN_OTHERNAME, matcher, context, std::move(oid))}); + EXPECT_TRUE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); +} + +// Test to check if the cert has an OtherName SAN +// with a VisibleString type value "VisibleStringExample". +TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameOtherNameVisibleStringTypeMatched) { + NiceMock context; + + bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/common/tls/test_data/san_multiple_othername_string_type_cert.pem")); + envoy::type::matcher::v3::StringMatcher matcher; + bssl::UniquePtr oid(OBJ_txt2obj("1.3.6.1.4.1.311.20.2.12", 0)); + matcher.MergeFrom(TestUtility::createExactMatcher("VisibleStringExample")); + std::vector subject_alt_name_matchers; + subject_alt_name_matchers.push_back(SanMatcherPtr{ + std::make_unique(GEN_OTHERNAME, matcher, context, std::move(oid))}); + EXPECT_TRUE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); +} + +// Test to check if the cert has an OtherName SAN +// with an UTF8 String type value "UTF8StringExample". 
+TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameOtherNameUTF8StringTypeMatched) { + NiceMock context; + + bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/common/tls/test_data/san_multiple_othername_string_type_cert.pem")); + envoy::type::matcher::v3::StringMatcher matcher; + bssl::UniquePtr oid(OBJ_txt2obj("1.3.6.1.4.1.311.20.2.13", 0)); + matcher.MergeFrom(TestUtility::createExactMatcher("UTF8StringExample")); + std::vector subject_alt_name_matchers; + subject_alt_name_matchers.push_back(SanMatcherPtr{ + std::make_unique(GEN_OTHERNAME, matcher, context, std::move(oid))}); + EXPECT_TRUE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); +} + +// Test to check if the cert has an OtherName SAN +// with a `BMPString` type value "BMPStringExample". +TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameOtherNameBmpStringTypeMatched) { + NiceMock context; + + bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/common/tls/test_data/san_multiple_othername_string_type_cert.pem")); + envoy::type::matcher::v3::StringMatcher matcher; + bssl::UniquePtr oid(OBJ_txt2obj("1.3.6.1.4.1.311.20.2.14", 0)); + matcher.MergeFrom(TestUtility::createExactMatcher("BMPStringExample")); + std::vector subject_alt_name_matchers; + subject_alt_name_matchers.push_back(SanMatcherPtr{ + std::make_unique(GEN_OTHERNAME, matcher, context, std::move(oid))}); + EXPECT_TRUE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); +} + +// Test to check if the cert has an OtherName SAN with a SET type +// containing select values "test1" and "test2". +// SET is a non-primitive type containing multiple values and is DER-encoded. 
+TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameOtherNameSetTypeMatched) { + NiceMock context; + + bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/common/tls/test_data/san_multiple_othername_string_type_cert.pem")); + envoy::type::matcher::v3::StringMatcher matcher; + bssl::UniquePtr oid(OBJ_txt2obj("1.3.6.1.4.1.311.20.2.3", 0)); + matcher.MergeFrom(TestUtility::createRegexMatcher(R"raw(.*test1.*test2.*)raw")); + std::vector subject_alt_name_matchers; + subject_alt_name_matchers.push_back(SanMatcherPtr{ + std::make_unique(GEN_OTHERNAME, matcher, context, std::move(oid))}); + EXPECT_TRUE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); +} + +// Test to check if the cert has an OtherName SAN with a SEQUENCE type +// containing select values "test3" and "test4". +// SEQUENCE is a non-primitive type containing multiple values and is DER-encoded. +TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameOtherNameSequenceTypeMatched) { + NiceMock context; + + bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/common/tls/test_data/san_multiple_othername_string_type_cert.pem")); + envoy::type::matcher::v3::StringMatcher matcher; + bssl::UniquePtr oid(OBJ_txt2obj("1.3.6.1.4.1.311.20.2.3", 0)); + matcher.MergeFrom(TestUtility::createRegexMatcher(R"raw(.*test3.*test4.*)raw")); + std::vector subject_alt_name_matchers; + subject_alt_name_matchers.push_back(SanMatcherPtr{ + std::make_unique(GEN_OTHERNAME, matcher, context, std::move(oid))}); + EXPECT_TRUE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); +} + +TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameDnsAndOtherNameMatched) { + NiceMock context; + + bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/common/tls/test_data/san_dns_and_othername_cert.pem")); + envoy::type::matcher::v3::StringMatcher matcher; + 
matcher.MergeFrom(TestUtility::createRegexMatcher(R"raw([^.]*\.example.com)raw")); + bssl::UniquePtr oid(OBJ_txt2obj("1.3.6.1.4.1.311.20.2.3", 0)); + std::vector subject_alt_name_matchers; + subject_alt_name_matchers.push_back( + SanMatcherPtr{std::make_unique(GEN_DNS, matcher, context)}); + subject_alt_name_matchers.push_back(SanMatcherPtr{ + std::make_unique(GEN_OTHERNAME, matcher, context, std::move(oid))}); + EXPECT_TRUE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); +} + +TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameOtherNameIncorrectOidMatched) { + NiceMock context; + + bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/common/tls/test_data/san_othername_cert.pem")); + envoy::type::matcher::v3::StringMatcher matcher; + matcher.MergeFrom(TestUtility::createRegexMatcher(R"raw([^.]*\.example.com)raw")); + bssl::UniquePtr oid(OBJ_txt2obj("1.3.6.1.4.1.311.20.2.2", 0)); + std::vector subject_alt_name_matchers; + subject_alt_name_matchers.push_back(SanMatcherPtr{ + std::make_unique(GEN_OTHERNAME, matcher, context, std::move(oid))}); + EXPECT_FALSE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); +} + +TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameOtherNameIncorrectValueMatched) { + NiceMock context; + + bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/common/tls/test_data/san_othername_cert.pem")); + envoy::type::matcher::v3::StringMatcher matcher; + matcher.MergeFrom(TestUtility::createRegexMatcher(R"raw([^.]*\.example.net)raw")); + bssl::UniquePtr oid(OBJ_txt2obj("1.3.6.1.4.1.311.20.2.3", 0)); + std::vector subject_alt_name_matchers; + subject_alt_name_matchers.push_back(SanMatcherPtr{ + std::make_unique(GEN_OTHERNAME, matcher, context, std::move(oid))}); + EXPECT_FALSE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); +} + TEST(DefaultCertValidatorTest, 
TestMatchSubjectAltNameIncorrectTypeMatched) { NiceMock context; diff --git a/test/common/tls/cert_validator/san_matcher_test.cc b/test/common/tls/cert_validator/san_matcher_test.cc index 3b330866a379..42fe9cd41673 100644 --- a/test/common/tls/cert_validator/san_matcher_test.cc +++ b/test/common/tls/cert_validator/san_matcher_test.cc @@ -30,6 +30,10 @@ TEST(SanMatcherConfigTest, TestValidSanType) { envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher san_matcher; san_matcher.mutable_matcher()->set_exact("foo.example"); san_matcher.set_san_type(san_type); + if (san_type == + envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::OTHER_NAME) { + san_matcher.set_oid("1.3.6.1.4.1.311.20.2.3"); // Set dummy OID + } if (san_type == envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher:: SAN_TYPE_UNSPECIFIED) { EXPECT_DEATH(createStringSanMatcher(san_matcher, context), "unhandled value"); @@ -42,6 +46,17 @@ TEST(SanMatcherConfigTest, TestValidSanType) { } } +// Verify that setting Invalid OID for OtherName SAN results in a panic. +TEST(SanMatcherConfigTest, TestInvalidOidOtherNameSanType) { + NiceMock context; + envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher san_matcher; + san_matcher.mutable_matcher()->set_exact("foo.example"); + san_matcher.set_oid("1.3.6.1.4.1.311.20.2.ffff"); + san_matcher.set_san_type( + envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::OTHER_NAME); + EXPECT_EQ(createStringSanMatcher(san_matcher, context), nullptr); +} + TEST(SanMatcherConfigTest, UnspecifiedSanType) { NiceMock context; envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher san_matcher; diff --git a/test/common/tls/test_data/README.md b/test/common/tls/test_data/README.md index 6b16516074cf..57c7b5a114d0 100644 --- a/test/common/tls/test_data/README.md +++ b/test/common/tls/test_data/README.md 
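Review bot: TestMatchSubjectAltNameDnsAndOtherNameMatched feeds the same `[^.]*\.example.com` matcher to both the GEN_DNS and GEN_OTHERNAME matchers, so if `matchSubjectAltName` succeeds once any matcher matches (its implementation is not in this diff), the DNS SAN alone satisfies the assertion and the OtherName path is never exercised. Give the DNS matcher a pattern that cannot match `server1.example.com`, or add a sibling test where only the OtherName matcher can match. None of the new tests constructs a GEN_OTHERNAME `StringSanMatcher` without an OID, which is the one configuration the constructor's default permits; a test pinning that it fails closed would document the intended behaviour.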
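Review bot: The comment above TestInvalidOidOtherNameSanType says an invalid OID "results in a panic", but the test asserts that `createStringSanMatcher` returns nullptr, which is also what the OTHER_NAME case in san_matcher.cc does. Change it to `// Verify that an invalid OID for an OtherName SAN matcher makes createStringSanMatcher return nullptr.`.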
@@ -29,6 +29,19 @@ There are 15 identities: - **SAN With URI**: It has the certificate *san_uri_cert.pem*, which is signed by the **CA** using the config *san_uri_cert.cfg*. The certificate has SAN field of URI type. *san_uri_key.pem* is its private key. +- **SAN With OtherName**: It has the certificate *san_othername_cert.pem*, which is signed + by the **CA** using the config *san_othername_cert.cfg*. The certificate has SAN + field of OtherName(UPN) type. *san_othername_key.pem* is its private key. +- **SAN With OtherName and DNS**: It has the certificate *san_dns_and_othername_cert.pem*, which is signed + by the **CA** using the config *san_dns_and_othername_cert.cfg*. The certificate has two SAN + fields, one DNS and one OtherName(UPN) type. *san_dns_and_othername_key.key* is its private key. +- **SAN With Multiple Othername**: It has the certificate *san_multiple_othername_cert.pem*, which is signed + by the **CA** using the config *san_dns_and_othername_cert.cfg*. The certificate has 5 SAN fields + of NULL, ENUMERATED, INTEGER, BOOLEAN and OBJECT types. *san_multiple_othername_key.pem* is its private key. +- **SAN With Multiple Othername (String Type)**: It has the certificate + *san_multiple_othername_string_type_cert.pem*, which is signed by the **CA** using the config + *san_multiple_othername_string_type_key.cfg*. The certificate has two SANfields, one DNS and one + OtherName(UPN) type. *san_multiple_othername_string_type_key.pem* is its private key. - **Password-protected**: The password-protected certificate *password_protected_cert.pem*, using the config *san_uri_cert.cfg*. *password_protected_key.pem* is its private key encrypted using the password supplied in *password_protected_password.txt*. diff --git a/test/common/tls/test_data/certs.sh b/test/common/tls/test_data/certs.sh index 3c78220a084f..cfc93a6abe45 100755 --- a/test/common/tls/test_data/certs.sh +++ b/test/common/tls/test_data/certs.sh 
@@ -234,6 +234,22 @@ generate_x509_cert san_uri ca
 generate_rsa_key san_ip
 generate_x509_cert san_ip ca
+# Generate san_othername_cert.pem.
+generate_rsa_key san_othername
+generate_x509_cert san_othername ca
+
+# Generate san_dns_and_othername_cert.pem.
+generate_rsa_key san_multiple_othername
+generate_x509_cert san_multiple_othername ca
+
+# Generate san_multiple_othername_string_type.pem.
+generate_rsa_key san_multiple_othername_string_type
+generate_x509_cert san_multiple_othername_string_type ca
+
+# Generate san_dns_and_othername_cert.pem.
+generate_rsa_key san_dns_and_othername
+generate_x509_cert san_dns_and_othername ca
+
 # Concatenate san_ip_cert.pem and Test Intermediate CA (intermediate_ca_cert.pem) to create valid certificate chain.
 cat san_ip_cert.pem intermediate_ca_cert.pem > san_ip_chain.pem
diff --git a/test/common/tls/test_data/san_dns_and_othername_cert.cfg b/test/common/tls/test_data/san_dns_and_othername_cert.cfg
new file mode 100644
index 000000000000..6fb9d225dbe4
--- /dev/null
+++ b/test/common/tls/test_data/san_dns_and_othername_cert.cfg
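Review bot: Two of the added section comments name the wrong output file: `# Generate san_dns_and_othername_cert.pem.` sits above the `san_multiple_othername` key/cert pair, and `# Generate san_multiple_othername_string_type.pem.` omits the `_cert` suffix every other generated certificate carries. Change them to `# Generate san_multiple_othername_cert.pem.` and `# Generate san_multiple_othername_string_type_cert.pem.`, so the comment above the last block is the only one naming san_dns_and_othername. The generate_x509_cert helper is defined outside this hunk, so which .cfg each call picks up is not visible here.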
@@ -0,0 +1,37 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[req_distinguished_name]
+countryName = US
+countryName_default = US
+stateOrProvinceName = California
+stateOrProvinceName_default = California
+localityName = San Francisco
+localityName_default = San Francisco
+organizationName = Lyft
+organizationName_default = Lyft
+organizationalUnitName = Lyft Engineering
+organizationalUnitName_default = Lyft Engineering
+commonName = Test Server
+commonName_default = Test Server
+commonName_max = 64
+
+[v3_req]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth
+subjectAltName = @alt_names
+subjectKeyIdentifier = hash
+
+[v3_ca]
+basicConstraints = critical, CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth
+subjectAltName = @alt_names
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[alt_names]
+DNS.1 = server1.example.com
+otherName.1 = 1.3.6.1.4.1.311.20.2.3;UTF8:server1.example.com
diff --git a/test/common/tls/test_data/san_dns_and_othername_cert.pem b/test/common/tls/test_data/san_dns_and_othername_cert.pem
new file mode 100644
index 000000000000..6b8ccd2eea06
--- /dev/null
+++ b/test/common/tls/test_data/san_dns_and_othername_cert.pem
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQTCCAymgAwIBAgIUOdN440ZeucQGIFJ7uRJczkvWIIowDQYJKoZIhvcNAQEL +BQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n +aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjQwNjAxMjIyMTMxWhcNMjYw +NjAxMjIyMTMxWjB6MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW +MBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQ +THlmdCBFbmdpbmVlcmluZzEUMBIGA1UEAwwLVGVzdCBTZXJ2ZXIwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4ciZSrbe8JTZivyiEUdTjPHpWZp3dNuqf +1dZduzAl9aQG8CMQhidwgI721TVRLYwDum1Eusky+nq3+X0JOBBsrs6A+mGZu/Em +W2PLmpJhAmsQG9iqOhgJuoAUmexCD/Zrv1HQJYsCEKZCV7qjbScj3qvwFDW+Zs4R +/Q8/pzMpQV6ktC+n4cc81DAK6AUZVeMmRSFefNudloZNNYyKI0XOuURMBi/+ZN+G +L/xzzzzFzH1Q9QLVAL+ySxquhuwqLp2md7Ed/821+DZvLJfKrW2nDDcQIC8FEIfy +w92WHv4Qth12f0jx/GR1AFTUiGgeNyQbjJU+bkfBmyRXDPe5EQ8RAgMBAAGjgcIw +gb8wDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUH +AwIGCCsGAQUFBwMBMEMGA1UdEQQ8MDqCE3NlcnZlcjEuZXhhbXBsZS5jb22gIwYK +KwYBBAGCNxQCA6AVDBNzZXJ2ZXIxLmV4YW1wbGUuY29tMB0GA1UdDgQWBBQwzMfn +25vM1z02zWxMuZChTnm8wjAfBgNVHSMEGDAWgBTQumAzod6zDNdAA8q1kU0sEGXw +mzANBgkqhkiG9w0BAQsFAAOCAQEAaSGH+VONB4BbU12K3xuCsdWYixfJFmNdhEvw +SLGqAY7z2PnybNzgRaGMBPrcgL8Uw88faqbGCVd6ewsnesvUz9VACTksT9XjaCkW +h3xF7W4GbrJQWU02vHOLUda0/89VLdpQcM76z4ZRCKDHrCNO/4ncOXl87haKAELz +8QwhDIk09nEDbDdOYCQAG51iRTVBRmBnT2hShof89z1c0rRgEMLQ5u8EXk7rtAXu +Mldg1N5ll93l7aC87/8iqNWX+3j8P1ynmjbjclpTrMbHk/q4lybDcsjTpjOJgSSZ +dP2MpZEfAXL/taDEf2siOUxmjFO9gIoGTjlM4SoNvA5IVyHefw== +-----END CERTIFICATE----- diff --git a/test/common/tls/test_data/san_dns_and_othername_cert_info.h b/test/common/tls/test_data/san_dns_and_othername_cert_info.h new file mode 100644 index 000000000000..143543312963 --- /dev/null +++ b/test/common/tls/test_data/san_dns_and_othername_cert_info.h 
@@ -0,0 +1,13 @@ +#pragma once + +// NOLINT(namespace-envoy) +constexpr char TEST_SAN_DNS_AND_OTHERNAME_CERT_256_HASH[] = + "10b81b089fa82a542ef4637cd058e8a8ce9aac13703bc7c0f3b18eecd0bafa01"; +constexpr char TEST_SAN_DNS_AND_OTHERNAME_CERT_1_HASH[] = + "b2cdaab75e39c57abb9134271432a15a7078a83c"; +constexpr char TEST_SAN_DNS_AND_OTHERNAME_CERT_SPKI[] = + "orMj1YQ0Kw6uh/WkfJ/IITdlgbQTF+Lb1Jj+b6R+J+w="; +constexpr char TEST_SAN_DNS_AND_OTHERNAME_CERT_SERIAL[] = + "39d378e3465eb9c40620527bb9125cce4bd6208a"; +constexpr char TEST_SAN_DNS_AND_OTHERNAME_CERT_NOT_BEFORE[] = "Jun 1 22:21:31 2024 GMT"; +constexpr char TEST_SAN_DNS_AND_OTHERNAME_CERT_NOT_AFTER[] = "Jun 1 22:21:31 2026 GMT"; diff --git a/test/common/tls/test_data/san_dns_and_othername_key.pem b/test/common/tls/test_data/san_dns_and_othername_key.pem new file mode 100644 index 000000000000..38ce99ea8d21 --- /dev/null +++ b/test/common/tls/test_data/san_dns_and_othername_key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC4ciZSrbe8JTZi +vyiEUdTjPHpWZp3dNuqf1dZduzAl9aQG8CMQhidwgI721TVRLYwDum1Eusky+nq3 ++X0JOBBsrs6A+mGZu/EmW2PLmpJhAmsQG9iqOhgJuoAUmexCD/Zrv1HQJYsCEKZC +V7qjbScj3qvwFDW+Zs4R/Q8/pzMpQV6ktC+n4cc81DAK6AUZVeMmRSFefNudloZN +NYyKI0XOuURMBi/+ZN+GL/xzzzzFzH1Q9QLVAL+ySxquhuwqLp2md7Ed/821+DZv +LJfKrW2nDDcQIC8FEIfyw92WHv4Qth12f0jx/GR1AFTUiGgeNyQbjJU+bkfBmyRX +DPe5EQ8RAgMBAAECggEAHxShL5J1YR92LCqhJbbyZD5HMTMGjAXagIeUoWPPJ75e +XwrtJbYthDAtpxtjaiP+MYyjKA8/ozcBIepJLxoC7oWAZ8yJUNISP0/sH52S6ATz +zJmcp4a1kUIbnh0X6kPtVte87hG9fGIY2hoVab+Vdl5p48FMEyMYu4BEpwnCPcOs +RpZokVAyuJnqlPhcxU0BctmjmGQIFHqQ7G0stbukfispbR6+iZoo8ltVh0lemBS9 +hJ1E2SCXQSiC6m/0+I1jRA3kgmyB/0XArpXP+TmTcNiiNyDtSbMQmtw1v1Z8CPfB +2LJGIMhmICQ9BwUvNHAPbG7hHyQU2bM4GIERL8lmHwKBgQDpciPHbLxOtmmAyY5w +gmONYiou/EjizmSWdxTHPcsnzlqUUw7ds+1ieNLUn3icaWhwzY4zJ6lHT0ZqmzHB +w7TuIBK5BgBmqUQIYMv45Rn+r3na5nP080QqBrkr3ZXOhfg5uPAwiFbKEsRMJZ/2 +CP6PiaRTIUtjKvb3buHmF06x1wKBgQDKRBWu28vo9TUY6ssLzlfK8CK5rprWqdXd +LQUZ13f/XEd4KFgfNBG77jDBQxaXbP4G2VDHTLCOzA6egWY3qN6BGDv+wD7Q7yde +HT+KOuGMvrT00MgdlrLfTBjGM0BC1GeFc90UnBOfWumWKa5551btdTazoYe7EIyD +JZghnlx5VwKBgDrmAF71cUFOxqmmsNh0HVfzl38JSf5nYnuQCd8HGTWu262mkw6e +sdrxbwgUQCL+eUpUoncHn68NMk/9Xf1sOj8GOpMSD5HXTQHsIipm6zsV3OG82S7J +Hb6Yual2m7BinrE5lug3zeXn/DzWFVjHBisC6EHNGa8ojOz6veYGpWU7AoGAL2fF +rTXWlMLjrvNYo2u5J9cgTGSf5a/ob+4dQ/E8Lp1yIrdR7/5EKceppaITqWniH7jP +NebDerRYuM2bJ3BstdT4OrzT/CQRFf3E5qDmPBZ2Uuqb/FNVmQA8zjc02HTvzldZ +eXsbHj4wgQFD405VEVJnf7JcHXvDcvlcroRvKAECgYEA3aPHpiHEoXAPyUSAvZuh +OwM6+GIxWJpqZ+EFqIfTO7BPWnZT0skjxJlMAgTO+LJaczcU49ooXWeFcNFBr9sJ +iyd70CBXrmQQjMzRwafbAHach/o4LREphtr73Q6xvE2OCvFqCHQkB1mRRl9Ikoe5 +lO/82VvYXXW/iiNsFxvOQ+w= +-----END PRIVATE KEY----- diff --git a/test/common/tls/test_data/san_multiple_othername_cert.cfg b/test/common/tls/test_data/san_multiple_othername_cert.cfg new file mode 100644 index 000000000000..ac7556cd1be8 --- /dev/null 
+++ b/test/common/tls/test_data/san_multiple_othername_cert.cfg
@@ -0,0 +1,41 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[req_distinguished_name]
+countryName = US
+countryName_default = US
+stateOrProvinceName = California
+stateOrProvinceName_default = California
+localityName = San Francisco
+localityName_default = San Francisco
+organizationName = Lyft
+organizationName_default = Lyft
+organizationalUnitName = Lyft Engineering
+organizationalUnitName_default = Lyft Engineering
+commonName = Test Server
+commonName_default = Test Server
+commonName_max = 64
+
+[v3_req]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth
+subjectAltName = @alt_names
+subjectKeyIdentifier = hash
+
+[v3_ca]
+basicConstraints = critical, CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth
+subjectAltName = @alt_names
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[alt_names]
+otherName.1 = 1.3.6.1.5.5.7.8.7;BOOLEAN:true
+otherName.2 = 1.3.6.1.4.1.311.20.2.1;ENUMERATED:5
+otherName.3 = 1.3.6.1.5.5.7.8.3;INTEGER:5464
+otherName.4 = 1.3.6.1.5.2.2;OBJECT:1.3.6.1.4.1.311.20.2.3
+otherName.5 = 1.3.6.1.4.1.311.20.2.3;NULL:
+
diff --git a/test/common/tls/test_data/san_multiple_othername_cert.pem b/test/common/tls/test_data/san_multiple_othername_cert.pem
new file mode 100644
index 000000000000..8502ccea1c13
--- /dev/null
+++ b/test/common/tls/test_data/san_multiple_othername_cert.pem
@@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEZzCCA0+gAwIBAgIUYMY2k+ExGUq1HxP0rNwxBdokgFcwDQYJKoZIhvcNAQEL +BQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n +aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjQwNjA4MDUzNDU0WhcNMjYw +NjA4MDUzNDU0WjB6MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW +MBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQ +THlmdCBFbmdpbmVlcmluZzEUMBIGA1UEAwwLVGVzdCBTZXJ2ZXIwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOfxPpXuRJBWsAA0lsPhPYY0dbRNUHF2gN +SLLnPtNiNrQ3FW30U5rCG7tL8EoWK9OI48li8EKvU0LzuxJrZsu7JSqkuOLJntpX +N1qcp8AsawyvAKWbY9MC8h9d/QpNWEUNFivbcg2XMKHCIdjm37Wu75/B8kDP9uC4 +QpHcs90VrMe3cm8G9GCgP+kGr3YZVxeNBTT/t7nKFir9K+t+1T/BpP3fd6li9a61 +Qjyece2aEi4p+GMjFJICRLa/eHmA/GlIbn99d5H51clH1oRQ5BYNgBJJ9z85NgJZ +Nhy4Yk4eNeE/o1n2s4aZQrcr8C/32QUKcApjzFaqmbPBq4Yr7ZsrAgMBAAGjgegw +geUwDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUH +AwIGCCsGAQUFBwMBMGkGA1UdEQRiMGCgDwYIKwYBBQUHCAegAwEB/6ARBgorBgEE +AYI3FAIBoAMKAQWgEAYIKwYBBQUHCAOgBAICFVigFgYGKwYBBQICoAwGCisGAQQB +gjcUAgOgEAYKKwYBBAGCNxQCA6ACBQAwHQYDVR0OBBYEFAihz/5otdvcS7Yx9g9i +j00nO48/MB8GA1UdIwQYMBaAFEmZclc8R2TQpc5VDVyAgf/Gg1J5MA0GCSqGSIb3 +DQEBCwUAA4IBAQCP4B5R8BDLalXpmiKAQuGAylJLu3hQ/L/4/9hz9Lzuqkjkf5PA +J49EYfCwl1dHKNXnD47m9v/t0Bf1V/fk7DdWublHNGLnnSSTXbCTOcRqswqfbWe7 +m/eRoZdTM42oON1MNF9PGoGstZrZkH3wzPPdsJwEP2ahWEbvMxmO8kgrslyw1cpE +Rm2bvsiqCZBkieHoYD5fE5tADBHi1+byUUTBZWPgoNOvJLoPcaFjU2Pfspuv9bhV +9J46OTI3BkYFebLXCeP8D11EGXa/OgHyS21hIHcIKrS13STdeuOBftX9lYoc7Wea +atmMcw8vRehWJU/IuXWiHY8CDi1Xyl8tcCVY +-----END CERTIFICATE----- diff --git a/test/common/tls/test_data/san_multiple_othername_cert_info.h b/test/common/tls/test_data/san_multiple_othername_cert_info.h new file mode 100644 index 000000000000..e5fb16fc4a7f --- /dev/null +++ b/test/common/tls/test_data/san_multiple_othername_cert_info.h 
@@ -0,0 +1,13 @@ +#pragma once + +// NOLINT(namespace-envoy) +constexpr char TEST_SAN_MULTIPLE_OTHERNAME_CERT_256_HASH[] = + "86f54db08902ae7434103b175c54b0941b769ba2603d94178cf1ab077496663d"; +constexpr char TEST_SAN_MULTIPLE_OTHERNAME_CERT_1_HASH[] = + "8e55e60f04e0eba9bb542c549348c3458e3af11a"; +constexpr char TEST_SAN_MULTIPLE_OTHERNAME_CERT_SPKI[] = + "A9W0Y6EHfbfUBN/3zxyBWWKkOajQdPcxYy2hjNIeWSQ="; +constexpr char TEST_SAN_MULTIPLE_OTHERNAME_CERT_SERIAL[] = + "60c63693e131194ab51f13f4acdc3105da248057"; +constexpr char TEST_SAN_MULTIPLE_OTHERNAME_CERT_NOT_BEFORE[] = "Jun 8 05:34:54 2024 GMT"; +constexpr char TEST_SAN_MULTIPLE_OTHERNAME_CERT_NOT_AFTER[] = "Jun 8 05:34:54 2026 GMT"; diff --git a/test/common/tls/test_data/san_multiple_othername_key.pem b/test/common/tls/test_data/san_multiple_othername_key.pem new file mode 100644 index 000000000000..9b5b39fc75f2 --- /dev/null +++ b/test/common/tls/test_data/san_multiple_othername_key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDOfxPpXuRJBWsA +A0lsPhPYY0dbRNUHF2gNSLLnPtNiNrQ3FW30U5rCG7tL8EoWK9OI48li8EKvU0Lz +uxJrZsu7JSqkuOLJntpXN1qcp8AsawyvAKWbY9MC8h9d/QpNWEUNFivbcg2XMKHC +Idjm37Wu75/B8kDP9uC4QpHcs90VrMe3cm8G9GCgP+kGr3YZVxeNBTT/t7nKFir9 +K+t+1T/BpP3fd6li9a61Qjyece2aEi4p+GMjFJICRLa/eHmA/GlIbn99d5H51clH +1oRQ5BYNgBJJ9z85NgJZNhy4Yk4eNeE/o1n2s4aZQrcr8C/32QUKcApjzFaqmbPB +q4Yr7ZsrAgMBAAECggEAY+ITKxSj3vBYd/qfBtUmO0qWZv7t/k6jnZ1XMETy8bRd +SrG6bG8OUisg11QlOgE8AqCQNqPZ1b20CnooKDxieqU5MdFencERgxN66IC6E6I6 +UeJBuN654FhmtMtjstLqH7DkSPMrwMCc1e8SYGbAlpxBDgrUr+OOgoJs1LFJ1SPN +2M3/6o1hWEfK/OlxrD3sd05L2vogQgyBQ4aJUf3HLMZXJx5iJMbzap/EeVXk/b6K +Odm6vtumaAL0q2CI5NsIbPCC2KK/0xw7jvmRSf9mb3PzEjuiDTn7mUuykTfDChEU +Fxtfq5ECXQlfGqKrGoFu48yV3mttBGv3yk7SraYdvQKBgQD1OslT/PEZR6ll28WI +xIAlh/QCHLmpIBWSp16KfQB+K+KZTOvRDkbUkX5O+rAxlJIH6U+jqwzeA5CzCPI8 +8jdFRd1f/APdqINpkbfzQo6lAUUhCc6dlN45wfbV6nptGoIFN0cUgOjZLtTTVI2/ +x9IpiNmH9CvcRAEzCEOAZVnShQKBgQDXkMxbmEtKHFKiiyzeclS0atqO3pEyPrZI ++eZTXgVpBQhdRLao35L+ay0dsU38CA5mqxiAR+BQ/KtT56V/vUYfIOlRd9ZT5n9c +kHU5O8cOuH3N0UmSzeEfUwjMwCqjQgE22Fn0l3tJc6dZxecZEiOFxynOiUfWRhuW +h7ZbFyUd7wKBgQCnWbrS6ibOjaz4qgYf05lwA1ttpZS96ftO3ZETCUMw11oILAox +3IBRyAhedY2QCEevxnRmyPA7AkvZIh3Noa4+Q/NS8XTh64HipWLXS3B1Amzeowax +W0pcOBXu3dk2Y4Sfcp27TE2bCO6MWYNygTbWyWFJ+kOESZRX8ye9k2y80QKBgQCj +zMRsaUn0k5b7KjQ7B7dzrKpM27SK8HpE85dgC9aimY9kh90gb1rb9oa+xEbU1y5S +N3qTp4o9H/Hz/NaWPTW2W6TPIfd7o29t39sjVVgJyIjXx0tXwRdqXQcXxoHfsj0H +9thL8ntdMgOdRLM5Kr5RXihXZ5ttp7I47QDVML4kgwKBgF+V4dpMIXBLkO6aVta1 +CBoQgds6dxEKb3LFIf/I0bfBhPgbmpqMLEwwJOtpkQLVUayoJ16CYhw2N02PR6Xh +E9zeuhpzn7MZira2OAsAqzMbfYkiZvvG4ocYsAbZB52pl1x/EtnG00B3IZplP5Vl +k8CjywzwgcTeJQc3J2aZpg+6 +-----END PRIVATE KEY----- diff --git a/test/common/tls/test_data/san_multiple_othername_string_type_cert.cfg b/test/common/tls/test_data/san_multiple_othername_string_type_cert.cfg new file mode 100644 index 000000000000..3907a6046c46 --- /dev/null 
+++ b/test/common/tls/test_data/san_multiple_othername_string_type_cert.cfg 
@@ -0,0 +1,59 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[req_distinguished_name]
+countryName = US
+countryName_default = US
+stateOrProvinceName = California
+stateOrProvinceName_default = California
+localityName = San Francisco
+localityName_default = San Francisco
+organizationName = Lyft
+organizationName_default = Lyft
+organizationalUnitName = Lyft Engineering
+organizationalUnitName_default = Lyft Engineering
+commonName = Test Server
+commonName_default = Test Server
+commonName_max = 64
+
+[v3_req]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth
+subjectAltName = @alt_names
+subjectKeyIdentifier = hash
+
+[v3_ca]
+basicConstraints = critical, CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth
+subjectAltName = @alt_names
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+# OtherNames 1, 13 and 14 contain the same OID to help tests simulate
+# certs with OtherName SAN having same OID, but multiple & different SAN values
+[alt_names]
+otherName.1 = 1.3.6.1.4.1.311.20.2.3;BITSTRING:01010101
+otherName.2 = 1.3.6.1.4.1.311.20.2.4;OCTETSTRING:48656C6C6F20576F726C64
+otherName.3 = 1.3.6.1.4.1.311.20.2.5;PRINTABLESTRING:PrintableStringExample
+otherName.4 = 1.3.6.1.4.1.311.20.2.6;T61STRING:T61StringExample
+otherName.5 = 1.3.6.1.4.1.311.20.2.7;IA5STRING:IA5StringExample
+otherName.6 = 1.3.6.1.4.1.311.20.2.8;GENERALSTRING:GeneralStringExample
+otherName.7 = 1.3.6.1.4.1.311.20.2.9;UNIVERSALSTRING:UniversalStringExample
+otherName.8 = 1.3.6.1.4.1.311.20.2.10;UTCTIME:230616120000Z
+otherName.9 = 1.3.6.1.4.1.311.20.2.11;GENERALIZEDTIME:20230616120000Z
+otherName.10 = 1.3.6.1.4.1.311.20.2.12;VISIBLESTRING:VisibleStringExample
+otherName.11 = 1.3.6.1.4.1.311.20.2.13;UTF8STRING:UTF8StringExample
+otherName.12 = 1.3.6.1.4.1.311.20.2.14;BMPSTRING:BMPStringExample
+otherName.13 = 1.3.6.1.4.1.311.20.2.3;SET:test_set
+otherName.14 = 1.3.6.1.4.1.311.20.2.3;SEQUENCE:test_sequence
+
+[test_set]
+field1 = UTF8:test1
+field2 = UTF8:test2
+
+[test_sequence]
+field1 = UTF8:test3
+field2 = UTF8:test4
diff --git a/test/common/tls/test_data/san_multiple_othername_string_type_cert.pem b/test/common/tls/test_data/san_multiple_othername_string_type_cert.pem
new file mode 100644
index 000000000000..e871488d63b0
--- /dev/null
+++ b/test/common/tls/test_data/san_multiple_othername_string_type_cert.pem
@@ -0,0 +1,36 @@ +-----BEGIN CERTIFICATE----- +MIIGSTCCBTGgAwIBAgIUGQ0pXoKJwThBxYJ94e/AeW5ELnUwDQYJKoZIhvcNAQEL +BQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n +aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjQwNjI3MjEyNTUxWhcNMjYw +NjI3MjEyNTUxWjB6MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW +MBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQ +THlmdCBFbmdpbmVlcmluZzEUMBIGA1UEAwwLVGVzdCBTZXJ2ZXIwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCkIyDAeOKpM8eJYhQ8oTvDt2c2NXVX3Rwv +5+DxpdzJLNuYld9ox87zOgRXHLYRz/G+3exRXqIVRAy1BYQfHMcLAvTYvCiRmG5C +zH24ulfwCpA0xvAGcuCMVPK4PgXLdWNgTpscQm4jsYC0AC8YNwIUdsWpYk6jgQtJ +jOBHyfSrPFulZn1D8h9gRBdV2ufks0aM7lzSFBCH5wSFPJWNcw0RLi5xtQu9F+7I +pntYlDAx7KtwBz8s1mobAqt71J46lC72/dy9XIFTY9ba4uhWN+1OwWFf3WCcxYk2 +19IW8kcNWm7tBUY/kYoqkTt7dnUsx0rmAGMxtoiw117o+A682mL9AgMBAAGjggLJ +MIICxTAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIF4DAdBgNVHSUEFjAUBggrBgEF +BQcDAgYIKwYBBQUHAwEwggJHBgNVHREEggI+MIICOqAZBgorBgEEAYI3FAIDoAsD +CQAwMTAxMDEwMaAmBgorBgEEAYI3FAIEoBgEFjQ4NjU2QzZDNkYyMDU3NkY3MjZD +NjSgJgYKKwYBBAGCNxQCBaAYExZQcmludGFibGVTdHJpbmdFeGFtcGxloCAGCisG +AQQBgjcUAgagEhQQVDYxU3RyaW5nRXhhbXBsZaAgBgorBgEEAYI3FAIHoBIWEElB +NVN0cmluZ0V4YW1wbGWgJAYKKwYBBAGCNxQCCKAWGxRHZW5lcmFsU3RyaW5nRXhh +bXBsZaBoBgorBgEEAYI3FAIJoFocWAAAAFUAAABuAAAAaQAAAHYAAABlAAAAcgAA +AHMAAABhAAAAbAAAAFMAAAB0AAAAcgAAAGkAAABuAAAAZwAAAEUAAAB4AAAAYQAA +AG0AAABwAAAAbAAAAGWgHQYKKwYBBAGCNxQCCqAPFw0yMzA2MTYxMjAwMDBaoB8G +CisGAQQBgjcUAgugERgPMjAyMzA2MTYxMjAwMDBaoCQGCisGAQQBgjcUAgygFhoU +VmlzaWJsZVN0cmluZ0V4YW1wbGWgIQYKKwYBBAGCNxQCDaATDBFVVEY4U3RyaW5n +RXhhbXBsZaAwBgorBgEEAYI3FAIOoCIeIABCAE0AUABTAHQAcgBpAG4AZwBFAHgA +YQBtAHAAbABloB4GCisGAQQBgjcUAgOgEDEODAV0ZXN0MQwFdGVzdDKgHgYKKwYB +BAGCNxQCA6AQMA4MBXRlc3QzDAV0ZXN0NDAdBgNVHQ4EFgQU/dAL0UislarYY6eq +U2dNi85py6wwHwYDVR0jBBgwFoAU5YZRBAklIKJnd3qqjq32OKSSLyAwDQYJKoZI +hvcNAQELBQADggEBAJBkQTW+26Gw/2WnMrpPzvosQaYf4EXz7040I/18PFQfTmU0 
+zPl2QhDbFQsF8G6b0QuO+BHOe731nEA/He45wy1Tvd/uj00666T5wUvAhwP+5T6a +EsotvSi6mMsV0XlFjUeuj5ixa2C4yWHehoKl3F0qjjIIi/pvcaO2HfCxevibRffw +i0e4NMydOjvhwMmdXsXKmF/kJt/Wk4a7nLjOG9Pf0FQmnE13zCFKyKwJtCBUX0or +6PgcYCrq90BJSmm2mgLNSp9DqMup6H27fL4zrP1ci6/ifSAlJVl1IkyQWkysSOvS +s9eQgzbVhnyo+Rg8h+sy0dwdyj8b+V+VQYUJKd0= +-----END CERTIFICATE----- diff --git a/test/common/tls/test_data/san_multiple_othername_string_type_cert_info.h b/test/common/tls/test_data/san_multiple_othername_string_type_cert_info.h new file mode 100644 index 000000000000..ba9619f6ebed --- /dev/null +++ b/test/common/tls/test_data/san_multiple_othername_string_type_cert_info.h @@ -0,0 +1,15 @@ +#pragma once + +// NOLINT(namespace-envoy) +constexpr char TEST_SAN_MULTIPLE_OTHERNAME_STRING_TYPE_CERT_256_HASH[] = + "b58cbd751e678a4e5dd1fc951a0b53913db3842815b55fc5331c72a14320385a"; +constexpr char TEST_SAN_MULTIPLE_OTHERNAME_STRING_TYPE_CERT_1_HASH[] = + "a69337434d38c8dc12dc723a104287870ab89098"; +constexpr char TEST_SAN_MULTIPLE_OTHERNAME_STRING_TYPE_CERT_SPKI[] = + "M85GIHaa7VOnqLYZHqTEckGgCLJbKas17MNyQF0v7/U="; +constexpr char TEST_SAN_MULTIPLE_OTHERNAME_STRING_TYPE_CERT_SERIAL[] = + "190d295e8289c13841c5827de1efc0796e442e75"; +constexpr char TEST_SAN_MULTIPLE_OTHERNAME_STRING_TYPE_CERT_NOT_BEFORE[] = + "Jun 27 21:25:51 2024 GMT"; +constexpr char TEST_SAN_MULTIPLE_OTHERNAME_STRING_TYPE_CERT_NOT_AFTER[] = + "Jun 27 21:25:51 2026 GMT"; diff --git a/test/common/tls/test_data/san_multiple_othername_string_type_key.pem b/test/common/tls/test_data/san_multiple_othername_string_type_key.pem new file mode 100644 index 000000000000..521847d929b2 --- /dev/null +++ b/test/common/tls/test_data/san_multiple_othername_string_type_key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCkIyDAeOKpM8eJ +YhQ8oTvDt2c2NXVX3Rwv5+DxpdzJLNuYld9ox87zOgRXHLYRz/G+3exRXqIVRAy1 +BYQfHMcLAvTYvCiRmG5CzH24ulfwCpA0xvAGcuCMVPK4PgXLdWNgTpscQm4jsYC0 +AC8YNwIUdsWpYk6jgQtJjOBHyfSrPFulZn1D8h9gRBdV2ufks0aM7lzSFBCH5wSF +PJWNcw0RLi5xtQu9F+7IpntYlDAx7KtwBz8s1mobAqt71J46lC72/dy9XIFTY9ba +4uhWN+1OwWFf3WCcxYk219IW8kcNWm7tBUY/kYoqkTt7dnUsx0rmAGMxtoiw117o ++A682mL9AgMBAAECggEAG/O6gmSjzwZZIwmPojKgC6jKXCY29U9bm0HtIiHpq13n +CMFvMjgiw3OcJRyn2fk0dVl0QvgveJkl49cMZMMBF5w5h8ZlT0Qq9Ne/ykt7qc6W +t9IwMpzyJhvaWOuBD6DOW2qPijy65nu2TBEi9Af8I/GFIF80Pq59dllWIYugTd+7 +9I2cNwrambRClPSC5wXAb7jWfaQyoKZH+Gyl8NnQNXaDpeb2OLfHRzAzVjvTB/aH +X9eSQ/QapL4H5Fnoly3B6wUike/nEHM7fYPWikw+RFXJo7JsMLOOhQjyO5lD3fuO +wwRAbsIsgntv8p8qdADXTBYdlMqUenEudQacSxg/CQKBgQDQo3kqUnNKSnqsh5kk +BDGQCsVbzWqtQGEu7yn/PHpzZMBdFlSWhFu6GZUkmPcZI5Nyh28Cwm7bEOpflNf3 +D4C6KHyDzq3+c/eG2AvE4HgCpaUglaesOy1DdSEnjXXXPxaawPKwrxOgKhWKTbnA +FGep7fI0ACEhtkX2lUxdLVQK2QKBgQDJZZDv3HdD88p0TXjV7wuo/7PSny6Fw4OA +34tlf+DUdMKdg6n+Jhe7e5RG86e6HMH1clAVYwnxV3tsdYZ5dpb+urhuBwlGZUYi +Z9aXrPE8kB5hkWXY6vk1BwOqwnlzLXaRFXwL4bYQkVipkVoqg6a+1F3aoAqSitjc +ODxgTjQaxQKBgChHJuEQwckZz8z28I2PcbIJIkiyw2FnCFvzN/xaRJl6XdiaswHL +05l9ztkd3rYvtAtsMfYqaxRHk7eYGIlNqOBHaKJZiCWTZbnWg48idoisSdCck54g +XoCjYB8upA1F1KtTjIanhfZpqXblwnJefhTEJvn6/GpxsdgEwpVKZushAoGAAZne +GhoNlKu2e1A2WrUIybImstDzJLsWK4sbZ5Ypqma3OVtXmZ6h56qm1h2PwsoBvLrI +6jKcXJ/OamFQzVxk/OdtGerSZw3dDd73dMM6M7oNk8b9IUlU69f/bncXUhQVcjfS +gaGsudr98nMmXVoolDHKATfufZW+/Zkw2a8leOUCgYBFuAZHHYBreah7yOrvETfZ +BE0UjPk1/b1c+bGNQRz0WlTYKkdeIqHNatQVcZsZQ/blzFaoMwvMZFa8ZBDyCsm0 +JXpnrqCgKYcT7Sfp/YtPmbKeDCNOGJeVTDI2Ykib/ziC8NSJ/htor5jB+HFhMdbU +1QoTB5W6OYh+uEpBnfTahA== +-----END PRIVATE KEY----- diff --git a/test/common/tls/test_data/san_othername_cert.cfg b/test/common/tls/test_data/san_othername_cert.cfg new file mode 100644 index 000000000000..192d8958a27b --- /dev/null +++ b/test/common/tls/test_data/san_othername_cert.cfg 
@@ -0,0 +1,36 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[req_distinguished_name]
+countryName = US
+countryName_default = US
+stateOrProvinceName = California
+stateOrProvinceName_default = California
+localityName = San Francisco
+localityName_default = San Francisco
+organizationName = Lyft
+organizationName_default = Lyft
+organizationalUnitName = Lyft Engineering
+organizationalUnitName_default = Lyft Engineering
+commonName = Test Server
+commonName_default = Test Server
+commonName_max = 64
+
+[v3_req]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth
+subjectAltName = @alt_names
+subjectKeyIdentifier = hash
+
+[v3_ca]
+basicConstraints = critical, CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth
+subjectAltName = @alt_names
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[alt_names]
+otherName.1 = 1.3.6.1.4.1.311.20.2.3;UTF8:server1.example.com
diff --git a/test/common/tls/test_data/san_othername_cert.pem b/test/common/tls/test_data/san_othername_cert.pem
new file mode 100644
index 000000000000..fa4237a49db6
--- /dev/null
+++ b/test/common/tls/test_data/san_othername_cert.pem
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIELDCCAxSgAwIBAgIUOdN440ZeucQGIFJ7uRJczkvWIIkwDQYJKoZIhvcNAQEL +BQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n +aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjQwNjAxMjIyMTMxWhcNMjYw +NjAxMjIyMTMxWjB6MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW +MBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQ +THlmdCBFbmdpbmVlcmluZzEUMBIGA1UEAwwLVGVzdCBTZXJ2ZXIwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKnvJaESqyoF10NLh5GlMhF3Zom7D1AxiK +RIrdkHW0w8NloVSgTZvNrBQi7Iz1xfMw9Ep63qmlJGaNZcl0jf8bU8MtVP6prJNf +tBMzl+nj6sK7xYHXl7CpDwX+rg5pYovgNGdaJAFmpbteuHhqZ8Yeh5tSSLWNdjmA +c5mdl219kh5stVjMyetgjr2qaZsx99ze0syERmmE83OpSMVGtswsBv8ElPVnlEVI +qLPBpHawFjbBrCiCoxYyLGnJ3ZAnaVrZ1J4VX2PfqEj90KtSRUwuIyUe0QgTh1dX +ui56DHQWjy5lIDJl8DzeS53FZcegmYqGSyAj52+g4JAdPeQp1pyxAgMBAAGjga0w +gaowDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUH +AwIGCCsGAQUFBwMBMC4GA1UdEQQnMCWgIwYKKwYBBAGCNxQCA6AVDBNzZXJ2ZXIx +LmV4YW1wbGUuY29tMB0GA1UdDgQWBBTD9LZP+nM7iX7wehpdAfg1ItRpnDAfBgNV +HSMEGDAWgBTQumAzod6zDNdAA8q1kU0sEGXwmzANBgkqhkiG9w0BAQsFAAOCAQEA +P4eYX5yZYGyOUEWVlozTazrytA/gjsVn3UXmFD/BBVCYMxzBF5VSmYFnfxHuqCjM +hkYT6aeToaEaCb0CUoQjZNun8/mTsq/m3FoZ9wTf4kdJuNk/ynlzHz5iYyGxvS0D +H5KyVRi5HHJDvi+caDov802MNi86IlT7qyQjqQ0tstgVFVnJdaaPyjlLjm6feYK5 +qs3/or6EoMowh3sWLE49RRjfN79m+1Ku+ttfyTFVR83uYGoMGHN30yFbajwo4OGV +Rmg8DCh/dZA8YZART7QM5T4gbu2SFCVvbH2+rBmJp04udHdaxLjdv4+uCejWAzID +UVEqd3E0cM8o9yEZxxVuKA== +-----END CERTIFICATE----- diff --git a/test/common/tls/test_data/san_othername_cert_info.h b/test/common/tls/test_data/san_othername_cert_info.h new file mode 100644 index 000000000000..e0632b3fe5e7 --- /dev/null +++ b/test/common/tls/test_data/san_othername_cert_info.h 
@@ -0,0 +1,10 @@ +#pragma once + +// NOLINT(namespace-envoy) +constexpr char TEST_SAN_OTHERNAME_CERT_256_HASH[] = + "b7d8db1c1e02cc191acc30b6a1749b83c9e14e7a0059a67ca6b5344569731e22"; +constexpr char TEST_SAN_OTHERNAME_CERT_1_HASH[] = "b0f044fd07a9554b0ecca7376e5233199ab8d781"; +constexpr char TEST_SAN_OTHERNAME_CERT_SPKI[] = "PoqTwnrbRJFeMFOcDRfMJoeYUSuZLXAlYPQl6m4R/JE="; +constexpr char TEST_SAN_OTHERNAME_CERT_SERIAL[] = "39d378e3465eb9c40620527bb9125cce4bd62089"; +constexpr char TEST_SAN_OTHERNAME_CERT_NOT_BEFORE[] = "Jun 1 22:21:31 2024 GMT"; +constexpr char TEST_SAN_OTHERNAME_CERT_NOT_AFTER[] = "Jun 1 22:21:31 2026 GMT"; diff --git a/test/common/tls/test_data/san_othername_key.pem b/test/common/tls/test_data/san_othername_key.pem new file mode 100644 index 000000000000..95599c02d8c2 --- /dev/null +++ b/test/common/tls/test_data/san_othername_key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDKnvJaESqyoF10 +NLh5GlMhF3Zom7D1AxiKRIrdkHW0w8NloVSgTZvNrBQi7Iz1xfMw9Ep63qmlJGaN +Zcl0jf8bU8MtVP6prJNftBMzl+nj6sK7xYHXl7CpDwX+rg5pYovgNGdaJAFmpbte +uHhqZ8Yeh5tSSLWNdjmAc5mdl219kh5stVjMyetgjr2qaZsx99ze0syERmmE83Op +SMVGtswsBv8ElPVnlEVIqLPBpHawFjbBrCiCoxYyLGnJ3ZAnaVrZ1J4VX2PfqEj9 +0KtSRUwuIyUe0QgTh1dXui56DHQWjy5lIDJl8DzeS53FZcegmYqGSyAj52+g4JAd +PeQp1pyxAgMBAAECgf9j1P16trKncAAFIN76qr1bavpHkF2pI3nMi7EJy7yXZYyw +90WcAwjPSu7MdShauMnw5ZZSuStkXv2YcuLXAKBrkQe7u8TJk6GjJ0fI1GvVBDnW +3BlNGLdKAYPcDNj6jB2KeutiPFLpgoECQRCURwCW/NvuAbSSCXK04/M9I1kvVP3Q +ATxbgGN/wl+aUxudB5pqKX68SAWzYNCZS48Lsmmh3lHIkXC4laKDl9ykLHPVRMex +G2Ttt1IyS4ATjS7A1rZsZmy1Y7UzXjPyO5OfADK8FpTeMYHZ/3zLIn5YNlBa6AIa +7R7QtJfukfHFVEzL8t/YLQUBRZ2SuIIMR7VFI2sCgYEA+LsfH8XzPm0rRqIcEHgu +8jqfrqsuqjGQUQn7bW5YaAk4b1k3d2SWsh64XuWG60YJEKd8pEqCKFnA/EqcLuDT +b+4w1t88O67jIjjYc3BgRnvpX8Jv8IEJQsva8/N5yByDz1biuVGhKU4CQTv9Ljj2 +OAbbsNcrV1pceWNwMshNqMcCgYEA0IraZP7XmiViMr578oUHNxN3uovij6PuMmG2 +tTKXRWOFgfn28RrMONwBuovhmBvXaeo8P7fUEUMWzp8Sux6nUWnGrq6tmO2iHVSH +9EmSS5qTepttp9Vzn054k40X28tQpDRD8I3BKEby+GUhMceLlOz1I77BUnx5I7Kg +Ov4eRscCgYEA00CqiKPpmoXCEbWxvFM3HEiqQwHlGmwKNKoTv7fOol3ibsAJmf/2 +9cWdtguf8ceD/38hH7Cgp4DDpgQAbthI/HIDTRxA3jgFdZVuUW2Kd5LafZh41n3h +zbeyeSu7rTh6wuj6m4c3KAu3Yox+1nlOtfstMB8wEnsOu5K3QopZWxUCgYEAgCq2 +apfNPil3nqQ/XR+w/YJzdSz/wzQG8uPm/JnpKnYt2WIdCLVlihR843+Q2IFT9P5G +pQp/xVQsMjTFuEbwojKWL0mf23tAxTHslJCa3uhTd2kLDbk75E7AAD8YyLa+Cw0s +LC2S5wQj09GjgwqWmKLBToSwH9fsQ6pGm7sONIUCgYEArQXsPaMNSLamb0L61ppu +nOUIVWeqM2kG2dYOvNrYG8T1xcr0VCuR5tgTSkfLvaqBjOguCan+sZXxwTCcWZjC +Jj3i81Vnc9D7+E2kiu5aYZ6z1zE9YcQz5EgL4kJpJbo8qRW1Rb2cFw9LEPIYxRyI +LTPqHEfHVqwh7xFtefGtFGA= +-----END PRIVATE KEY----- diff --git a/tools/spelling/spelling_dictionary.txt b/tools/spelling/spelling_dictionary.txt index c179dd256411..c7a74df4c2a1 100644 --- a/tools/spelling/spelling_dictionary.txt +++ b/tools/spelling/spelling_dictionary.txt 
@@ -464,6 +464,7 @@ UDP
 UDS
 UHV
 UNC
+UPN
 URI
 URL
 USEVC