nodejs · shigeki · Feb 27, 2017 · Mar 1, 2017 · Mar 2, 2017
diff --git a/test/fixtures/0-dns/0-dns-cert.pem b/test/fixtures/0-dns/0-dns-cert.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGDCCAgCgAwIBAgIBATANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDEw5jYS5l
+eGFtcGxlLmNvbTAeFw0xNzAzMDIwMTMxMjJaFw0yNzAyMjgwMTMxMjJaMBsxGTAX
+BgNVBAMTEGV2aWwuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDFyJT0kv2P9L6iNY6TL7IZonAR8R9ev7iD1tR5ycMEpM/y6WTefIco
+civMcBGVZWtCgkoePHiveH9UIep7HFGB4gxCYDZFYB46yGS0YH2fB5GWXTLYObYa
+zxuEhgFRG0DLIwNDRLW0+0FG3disp7YdRHBtdbL58F/qNORqPEjIpoQxOJc2UqX2
+/gfomJRdFW/PSgN7uH2QwMzRQRIrKmyAFzeuEWVP+UAV4853Yg66PmYpAASyt069
+sE8QNTNE75KrerMmYzH7AmTEGvY8bukrDuVQZce2/lcK2rAE+G6at2eBNMZKOnzR
+y9kWIiJ3rR7+WK55EKelLz0doZFKteu1AgMBAAGjaTBnMGUGA1UdEQReMFyCImdv
+b2QuZXhhbXBsZS5vcmcALmV2aWwuZXhhbXBsZS5jb22CGGp1c3QtYW5vdGhlci5l
+eGFtcGxlLmNvbYcECAgICIcECAgEBIIQbGFzdC5leGFtcGxlLmNvbTANBgkqhkiG
+9w0BAQsFAAOCAQEAvreVoOZO2gpM4Dmzp70D30XZjsK9i0BCsRHBvPLPw3y8B2xg
+BRtOREOI69NU0WGpj5Lbqww5M8M1hjHshiGEu2aXfZ6qM3lENaIMCpKlF9jbm02/
+wmxNaAnS8bDSZyO5rbsGr2tJb4ds7DazmMEKWhOBEpJoOp9rG6SAey+a6MkZ7NEN
+0p3THCqNf3lL1KblPrMvdsyhHPEzv4uT7+YAnLKHwGzbihcWJRsRo5oipWL8ZDhn
+bd3SMWtfRTSWDmghJaHke2xIjDtTwSjHjjPTFsK+rl227W8r4/EQI/X6fTQV2j3T
+7zqrJLF9h9F/v3mo57k6sxsQNZ12XvhuTHC2dA==
+-----END CERTIFICATE-----
diff --git a/test/fixtures/0-dns/0-dns-key.pem b/test/fixtures/0-dns/0-dns-key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAxciU9JL9j/S+ojWOky+yGaJwEfEfXr+4g9bUecnDBKTP8ulk
+3nyHKHIrzHARlWVrQoJKHjx4r3h/VCHqexxRgeIMQmA2RWAeOshktGB9nweRll0y
+2Dm2Gs8bhIYBURtAyyMDQ0S1tPtBRt3YrKe2HURwbXWy+fBf6jTkajxIyKaEMTiX
+NlKl9v4H6JiUXRVvz0oDe7h9kMDM0UESKypsgBc3rhFlT/lAFePOd2IOuj5mKQAE
+srdOvbBPEDUzRO+Sq3qzJmMx+wJkxBr2PG7pKw7lUGXHtv5XCtqwBPhumrdngTTG
+Sjp80cvZFiIid60e/liueRCnpS89HaGRSrXrtQIDAQABAoIBABcGA3j5B3VTi0F8
+tI0jtzrOsvcTt5AjB0qpnnBS8VXADcj8LFbN7jniGIEi5pkahkLmwdQFPBNJFqFn
+lVEheceB1eWAJ7EpwDsdisOIm/cAPY1gagPLrAww4cYqh0q2vnMnL0EMZY6c1Pt3
+5borh8KebewAEIaR2ch8wb4wKFTbAM0DftYBFzHAF88OeCuIpdsk2Tz0sVQbA3/1
+XNLOVcJvDOVIRPEpo2l7RIN33KvDhzpMoV3qVzWxqdccPRZZFU5KmJ6DtouIPT3S
+3WauIL5oVpAyYNJETTyxjBQE4DgFeNX1Wyycgk27EoLcn6Trcs0kNVrmXXblNAtJ
+Nko6g10CgYEA+TjzNjyAXPrOpY88uiPVMAgepEQOnDYtMwasdDVaW3xK9KH1rrhU
+dx1IDTMmOUfyU2qsj5txmJtReQz//1bpd7e73VO8mHQDUubhs2TivgGs+fqzAdmT
+vJsjerfNsxf+4JENzzWmqT/Ybc976Tu55VH5mcRG9Q66fTxdAJ51+8MCgYEAyymF
+gntRMBd9e/KIiqlvcxelo0ahyKEzaJC7/FkZotuSB+kAwpdJ5Unb0FeVQZxNhDPg
+xgsrGOOOvHvfhv7DPU0TQ/vp6VDPdg+N6m/Ow2vr79A2v6s+7gZj3MLiLRFyEF6l
+bxQNGe3qavnm3owUQQCY2RLBKYCFfv/cykYlGycCgYB6etKMRQ+QonIMS2i80f9j
+q5njgM7tVnLAMPdv5QiTDXKI50+mnlBkea9/TTPr0r/03ugPa4VYSnyv0QO+qSfz
+/ggFrbFx+xHnHDCvyVTlrE0mTV7L+fHxLw0wskQVUCWil6cBvow5gXcMAHwVE5U4
+biEMwLlele5wvcm3FClHoQKBgACV/RGUQ3atCqqZ13T26iBd2Bdxc7P9awWJLVGb
+/CvxECm/rUXiY88qeFzQc9i9l6ei8qn/jD9FILtAbDOadnutxjly94i5t+9yOgmM
+Cv+bRxHo+s9wsfzDvfP8B+TzYO3VKAr69tK1UfC/CcBojQJm+wndOPtiqH/mQv++
+VgsPAoGBAJ0aNJe3zb+blvAQ3W4iPSjhyxdMC00x46pr6ds+Y8WygbN6lzCvNDw6
+FFTINBckOs5Z/UWUNbExWYjBHZhLlhhxTezCzvIrwNvgUB8Y4sPk3S4KDsnkyy6f
+/qMmEHlVyKjh2BCNs7PVnWDlfl3vECE7n8dBizFHgja76l1ia+0z
+-----END RSA PRIVATE KEY-----
diff --git a/test/fixtures/0-dns/0-dns-rsapub.der b/test/fixtures/0-dns/0-dns-rsapub.der
diff --git a/test/fixtures/0-dns/README.md b/test/fixtures/0-dns/README.md
@@ -0,0 +1,26 @@
+## Purpose
+The test cert file for use `test/parallel/test-tls-0-dns-altname.js`
+can be created by using `asn1.js` and `asn1.js-rfc5280`,
+
+## How to create a test cert.
+
+```sh
+$ openssl genrsa -out 0-dns-key.pem 2048
+Generating RSA private key, 2048 bit long modulus
+...................+++
+..............................................................................................+++
+e is 65537 (0x10001)
+$ openssl rsa -in 0-dns-key.pem -RSAPublicKey_out -outform der -out 0-dns-rsapub.der
+writing RSA key
+$ npm install
+0-dns@1.0.0 /home/github/node/test/fixtures/0-dns
++-- asn1.js@4.9.1
+| +-- bn.js@4.11.6
+| +-- inherits@2.0.3
+| `-- minimalistic-assert@1.0.0
+`-- asn1.js-rfc5280@1.2.2
+
+$ node ./createCert.js
+$ openssl x509 -text -in 0-dns-cert.pem
+(You can not see evil.example.com in subjectAltName field)
+```
diff --git a/test/fixtures/0-dns/create-cert.js b/test/fixtures/0-dns/create-cert.js
@@ -0,0 +1,75 @@
+'use strict';
+const asn1 = require('asn1.js');
+const crypto = require('crypto');
+const fs = require('fs');
+const rfc5280 = require('asn1.js-rfc5280');
+const BN = asn1.bignum;
+
+const id_at_commonName = [ 2, 5, 4, 3 ];
+const rsaEncryption = [1, 2, 840, 113549, 1, 1, 1];
+const sha256WithRSAEncryption = [1, 2, 840, 113549, 1, 1, 11];
+const sigalg = 'RSA-SHA256';
+
+const private_key = fs.readFileSync('./0-dns-key.pem');
+// public key file can be generated from the private key with
+// openssl rsa -in 0-dns-key.pem -RSAPublicKey_out -outform der
+// -out 0-dns-rsapub.der
+const public_key = fs.readFileSync('./0-dns-rsapub.der');
+
+const now = Date.now();
+const days = 3650;
+
+const Null_ = asn1.define('Null_', function() {
+  this.null_();
+});
+const null_ = Null_.encode('der');
+
+const PrintStr = asn1.define('PrintStr', function() {
+  this.printstr();
+});
+const issuer = PrintStr.encode('ca.example.com', 'der');
+const subject = PrintStr.encode('evil.example.com', 'der');
+
+const tbs = {
+  version: 'v3',
+  serialNumber: new BN('01', 16),
+  signature: { algorithm: sha256WithRSAEncryption, parameters: null_},
+  issuer: { type: 'rdnSequence',
+            value: [ [{type: id_at_commonName, value: issuer}] ] },
+  validity:
+  { notBefore: { type: 'utcTime', value: now },
+    notAfter: { type: 'utcTime', value: now + days * 86400000} },
+  subject: { type: 'rdnSequence',
+             value: [ [{type: id_at_commonName, value: subject}] ] },
+  subjectPublicKeyInfo:
+  { algorithm: { algorithm: rsaEncryption, parameters: null_},
+    subjectPublicKey: { unused: 0, data: public_key} },
+  extensions:
+  [ { extnID: 'subjectAlternativeName',
+      critical: false,
+      // subjectAltName which contains '\0' character to check CVE-2009-2408
+      extnValue: [
+        { type: 'dNSName', value: 'good.example.org\u0000.evil.example.com' },
+        { type: 'dNSName', value: 'just-another.example.com' },
+        { type: 'iPAddress', value: Buffer.from('08080808', 'hex') },
+        { type: 'iPAddress', value: Buffer.from('08080404', 'hex') },
+        { type: 'dNSName', value: 'last.example.com' } ] }
+  ]
+};
+
+const tbs_der = rfc5280.TBSCertificate.encode(tbs, 'der');
+
+const sign = crypto.createSign(sigalg);
+sign.update(tbs_der);
+const signature = sign.sign(private_key);
+
+const cert = {
+  tbsCertificate: tbs,
+  signatureAlgorithm: { algorithm: sha256WithRSAEncryption, parameters: null_ },
+  signature:
+  { unused: 0,
+    data: signature }
+};
+const pem = rfc5280.Certificate.encode(cert, 'pem', {label: 'CERTIFICATE'});
+
+fs.writeFileSync('./0-dns-cert.pem', pem + '\n');
diff --git a/test/fixtures/0-dns/package.json b/test/fixtures/0-dns/package.json
@@ -0,0 +1,16 @@
+{
+  "name": "0-dns",
+  "version": "1.0.0",
+  "description": "create certificate for 0-dns test",
+  "main": "createCert.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "SEE LICENSE IN ../../../LICENSE",
+  "private": true,
+  "dependencies": {
+    "asn1.js": "^4.9.1",
+    "asn1.js-rfc5280": "^1.2.2"
+  }
+}
diff --git a/test/fixtures/keys/0-dns-cert.pem b/test/fixtures/keys/0-dns-cert.pem
diff --git a/test/fixtures/keys/0-dns-key.pem b/test/fixtures/keys/0-dns-key.pem
diff --git a/test/parallel/test-tls-0-dns-altname.js b/test/parallel/test-tls-0-dns-altname.js
@@ -2,6 +2,8 @@
 const common = require('../common');
 const assert = require('assert');
 
+// Check getPeerCertificate can properly handle '\0' for fix CVE-2009-2408.
+
 if (!common.hasCrypto) {
   common.skip('missing crypto');
   return;
@@ -11,8 +13,8 @@ const tls = require('tls');
 const fs = require('fs');
 
 const server = tls.createServer({
-  key: fs.readFileSync(common.fixturesDir + '/keys/0-dns-key.pem'),
-  cert: fs.readFileSync(common.fixturesDir + '/keys/0-dns-cert.pem')
+  key: fs.readFileSync(common.fixturesDir + '/0-dns/0-dns-key.pem'),
+  cert: fs.readFileSync(common.fixturesDir + '/0-dns/0-dns-cert.pem')
 }, function(c) {
   c.once('data', function() {
     c.destroy();
@@ -24,11 +26,11 @@ const server = tls.createServer({
   }, common.mustCall(function() {
     const cert = c.getPeerCertificate();
     assert.strictEqual(cert.subjectaltname,
-                       'DNS:google.com\0.evil.com, ' +
-                           'DNS:just-another.com, ' +
+                       'DNS:good.example.org\0.evil.example.com, ' +
+                           'DNS:just-another.example.com, ' +
                            'IP Address:8.8.8.8, ' +
                            'IP Address:8.8.4.4, ' +
-                           'DNS:last.com');
+                           'DNS:last.example.com');
     c.write('ok');
   }));
 }));