Posted to commits@subversion.apache.org by br...@apache.org on 2015/01/30 03:37:48 UTC

svn commit: r1655918 - in /subversion/trunk/subversion: libsvn_subr/x509parse.c tests/libsvn_subr/x509-test.c

Author: breser
Date: Fri Jan 30 02:37:47 2015
New Revision: 1655918

URL: http://svn.apache.org/r1655918
Log:
Try to parse issuerUniqueID, subjectUniqueID and
extensions for every X.509 certificate version (v1, v2 and v3).

If they aren't present, we are fine, but we don't want to throw an error if
they are.  v1 and v2 certificates with the corresponding extra fields are
ill-formed per RFC 5280 s. 4.1, but we suspect they could exist in the real
world.  Other X.509 parsers (e.g., within OpenSSL or Microsoft CryptoAPI)
aren't picky about these certificates.  As long as we are only willing to
display the certificate data in the 'svn auth' command, we can also be less
strict about them.

* subversion/libsvn_subr/x509parse.c
  (svn_x509_parse_cert): Try to parse issuerUniqueID, subjectUniqueID and
   extensions for all known X.509 versions (v1, v2, v3).
  (x509parse_get_hostnames): Do not check CRT->DNSNAMES for null, because
   it is no longer necessary.

* subversion/tests/libsvn_subr/x509-test.c
  (cert_tests): Add a new test case.

Patch by: kotkov

Modified:
    subversion/trunk/subversion/libsvn_subr/x509parse.c
    subversion/trunk/subversion/tests/libsvn_subr/x509-test.c

Modified: subversion/trunk/subversion/libsvn_subr/x509parse.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_subr/x509parse.c?rev=1655918&r1=1655917&r2=1655918&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_subr/x509parse.c (original)
+++ subversion/trunk/subversion/libsvn_subr/x509parse.c Fri Jan 30 02:37:47 2015
@@ -1010,7 +1010,7 @@ x509parse_get_hostnames(svn_x509_certinf
 {
   ci->hostnames = NULL;
 
-  if (crt->dnsnames && crt->dnsnames->nelts > 0)
+  if (crt->dnsnames->nelts > 0)
     {
       int i;
 
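Review bot: Dropping the NULL test on crt->dnsnames leaves x509parse_get_hostnames dereferencing the array unconditionally, so it now depends on svn_x509_parse_cert always having allocated it before this function runs; that invariant lives in a different function and is easy to break by a later change. A one-line comment would record it where the assumption is made: `/* crt->dnsnames is always allocated by svn_x509_parse_cert(). */`. The enclosing function begins outside the hunk.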
@@ -1155,17 +1155,18 @@ svn_x509_parse_cert(svn_x509_certinfo_t
    *      extensions              [3]      EXPLICIT Extensions OPTIONAL
    *                                               -- If present, version shall be v3
    */
-  if (crt->version == 2 || crt->version == 3)
-    SVN_ERR(x509_get_uid(&p, end, &crt->issuer_id, 1));
+  crt->dnsnames = apr_array_make(scratch_pool, 3, sizeof(x509_buf *));
 
-  if (crt->version == 2 || crt->version == 3)
-    SVN_ERR(x509_get_uid(&p, end, &crt->subject_id, 2));
-
-  if (crt->version == 3)
-    {
-      crt->dnsnames = apr_array_make(scratch_pool, 3, sizeof(x509_buf *));
-      SVN_ERR(x509_get_ext(crt->dnsnames, &p, end));
-    }
+  /* Try to parse issuerUniqueID, subjectUniqueID and extensions for *every*
+   * version (X.509 v1, v2 and v3), not just v2 or v3.  If they aren't present,
+   * we are fine, but we don't want to throw an error if they are.  v1 and v2
+   * certificates with the corresponding extra fields are ill-formed per RFC
+   * 5280 s. 4.1, but we suspect they could exist in the real world.  Other
+   * X.509 parsers (e.g., within OpenSSL or Microsoft CryptoAPI) aren't picky
+   * about these certificates, and we also allow them. */
+  SVN_ERR(x509_get_uid(&p, end, &crt->issuer_id, 1));
+  SVN_ERR(x509_get_uid(&p, end, &crt->subject_id, 2));
+  SVN_ERR(x509_get_ext(crt->dnsnames, &p, end));
 
   if (p != end)
     {
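Review bot: The new comment explains why the lenient parse of ill-formed v1/v2 certificates is tolerated, but omits the condition the log message attaches to it, namely that this is only acceptable while the parsed data is used for display (the 'svn auth' command) rather than for validation or trust decisions. Suggest closing the comment with `* This leniency is only acceptable because the result is used for display; if the parsed data is ever used for validation or trust decisions, the version checks must be restored. */`. Correctness of the three now-unconditional calls also rests on x509_get_uid() and x509_get_ext() returning success without consuming input when the optional tagged field is absent; those helpers are outside the hunk, so that should be confirmed rather than assumed. svn_x509_parse_cert starts and ends outside the hunk.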

Modified: subversion/trunk/subversion/tests/libsvn_subr/x509-test.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/tests/libsvn_subr/x509-test.c?rev=1655918&r1=1655917&r2=1655918&view=diff
==============================================================================
--- subversion/trunk/subversion/tests/libsvn_subr/x509-test.c (original)
+++ subversion/trunk/subversion/tests/libsvn_subr/x509-test.c Fri Jan 30 02:37:47 2015
@@ -437,6 +437,39 @@ static struct x509_test cert_tests[] = {
     "x509v1.example.com",
     "5730dd65a7f77fdf0dfd90e5a53119f38854af29"
   },
+  /* X.509 v1 certificate with an X.509 v3 Subject Alternative Name
+   * extension.  Although these are ill-formed per RFC 5280 s. 4.1, we
+   * suspect that they could exist in the real world.  Make sure we do
+   * not error out, and that we pick up SAN (b.example.com) from the
+   * extension. */
+  { "MIIDLzCCAhcCAQ8wDQYJKoZIhvcNAQEFBQAwKzEpMCcGA1UEAwwgSW50ZXJuZXQg"
+    "V2lkZ2l0cyBJbnRlcm1lZGlhdGUgQ0EwHhcNMTUwMTI5MDAzMzU1WhcNMTYwMTI5"
+    "MDAzMzU1WjByMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjETMBEG"
+    "A1UEBwwKTm9ydGggQmVuZDEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkg"
+    "THRkMRYwFAYDVQQDDA1hLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC"
+    "AQ8AMIIBCgKCAQEAs0hj2xPRQZpecqk0Ih1l4juAuQZeSgv3yD/VtSq/9sTBH6iA"
+    "4XjJQcHROYxYaK0QS/qlCjpl+Q3mOaVIu+59TLy3T2YVgqMYmgB453ntuJPkdF1C"
+    "fJ2j19YAQZHHdOFaP1G+auBwjmHns3+MkG4s7EPuJP7TBCcSFlOmz5D4GUui3NVG"
+    "LBYUog1ZhF4oe/7d4jc2Cn8uypNT/Hc1ViIlCT4rFoAirv9Uob+4zjQ3Z18I1Ql1"
+    "t8oszVCj3kKDboEty2RduwPLx/2ztWYBCvFhd49JGdi/nzMi+j2d5HCI3V8W06pN"
+    "mvrVU4G0ImVRa8wpmQCSm2Tp0s42FAVHWw8yMwIDAQABoxwwGjAYBgNVHREEETAP"
+    "gg1iLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBBQUAA4IBAQDI/n0NYakuRP/485/A"
+    "dan71qBy3sljjOreq71IfBdtq+GEjCL1B0TD0V338LXki9NicCLeD/MWfceDjV0u"
+    "AjPTxaZEn/NWqXo0mpNC535Y6G46mIHYDGC8JyvCJjaXF+GVstNt6lXzZp2Yn3Si"
+    "K57uVb+zz5zAGSO982I2HACZPnF/oAtp7bwxzwvBsLqSLw3hh0ATVPp6ktE+WMoI"
+    "X75CVcDmU0zjXqzKiFPKeTVjQG6YxgvplMaag/iNngkgEhX4PIrxdIEsHf8l9ogC"
+    "dz51MFxetsC4D2KRq8IblF9i+9r3hlv+Dbf9ovYe9Hu0usloSinImoWOw42iWWmP"
+    "vT4l",
+    "C=US, ST=Washington, L=North Bend, O=Internet Widgits Pty Ltd, "
+    "CN=a.example.com",
+    "2.5.4.6 2.5.4.8 2.5.4.7 2.5.4.10 2.5.4.3",
+    "CN=Internet Widgits Intermediate CA",
+    "2.5.4.3",
+    "2015-01-29T00:33:55.000000Z",
+    "2016-01-29T00:33:55.000000Z",
+    "b.example.com",
+    "47fa5c76fee6e21e37def6da3746bba84a5a09bf"
+  },
   { NULL }
 };
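Review bot: The added entry exercises only the extensions path for a v1 certificate, while the same commit also starts parsing issuerUniqueID and subjectUniqueID for v1 and v2; no entry in this hunk carries either field, so that path appears untested unless another entry outside the hunk covers it. Consider adding a constructed v1 or v2 certificate with a subjectUniqueID field so the unconditional x509_get_uid() calls are covered, and extending the entry comment to say what the SAN field proves, e.g. `hostnames must come from the SAN extension, not the CN`. The cert_tests array begins outside the hunk.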