fixup
shigeki committed Mar 1, 2017
commit fd05b715ce4ff466fd7fc18b09ff6e87b03930c5
2 changes: 1 addition & 1 deletion test/fixtures/0-dns/README.md
Expand Up @@ -22,5 +22,5 @@ $ npm install

$ node ./createCert.js
$ openssl x509 -text -in 0-dns-cert.pem
(You can not see evel.example.com in subjectAltName field)
(You can not see evil.example.com in subjectAltName field)
```
@@ -1,8 +1,8 @@
'use strict';
Contributor


js files would be named create-cert.js

Contributor Author


Done

const fs = require('fs');
const asn1 = require('asn1.js');
const crypto = require('crypto');
const fs = require('fs');
const rfc5280 = require('asn1.js-rfc5280');
const asn1 = require('asn1.js');
const BN = asn1.bignum;
Contributor


sort requires

Contributor Author


Fixed


const id_at_commonName = [ 2, 5, 4, 3 ];
Contributor


inconsistent casing, sometimes snake_case, sometimes camelCase, it looks like test/fixtures doesn't get linted

Contributor Author


id_at_commonName follows the ASN.1 identifier used in RFC 5280, which is derived from the OID's registered name.

Expand All @@ -12,7 +12,7 @@ const sigalg = 'RSA-SHA256';

const private_key = fs.readFileSync('./0-dns-key.pem');
// public key file can be generated from the private key with
// openssl rsa -in 0-dns-key.pem -RSAPublicKey_out -outform der \
// openssl rsa -in 0-dns-key.pem -RSAPublicKey_out -outform der
// -out 0-dns-rsapub.der
const public_key = fs.readFileSync('./0-dns-rsapub.der');

Expand All @@ -30,32 +30,32 @@ const PrintStr = asn1.define('PrintStr', function() {
const issuer = PrintStr.encode('ca.example.com', 'der');
const subject = PrintStr.encode('evil.example.com', 'der');

const tbs =
{ version: 'v3',
serialNumber: new BN('01', 16),
signature: { algorithm: sha256WithRSAEncryption, parameters: null_},
issuer: { type: 'rdnSequence',
value: [ [{type: id_at_commonName, value: issuer}] ] },
validity:
{ notBefore: { type: 'utcTime', value: now },
notAfter: { type: 'utcTime', value: now + days * 86400000} },
subject: { type: 'rdnSequence',
value: [ [{type: id_at_commonName, value: subject}] ] },
subjectPublicKeyInfo:
{ algorithm: { algorithm: rsaEncryption, parameters: null_},
subjectPublicKey: { unused: 0, data: public_key} },
extensions:
[ { extnID: 'subjectAlternativeName',
critical: false,
// subjectAltName which contains '\0' character to check CVE-2009-2408
extnValue: [
{ type: 'dNSName', value: 'good.example.org\u0000.evil.example.com' },
{ type: 'dNSName', value: 'just-another.example.com' },
{ type: 'iPAddress', value: Buffer.from('08080808', 'hex') },
{ type: 'iPAddress', value: Buffer.from('08080404', 'hex') },
{ type: 'dNSName', value: 'last.example.com' } ] }
]
};
const tbs = {
version: 'v3',
serialNumber: new BN('01', 16),
signature: { algorithm: sha256WithRSAEncryption, parameters: null_},
issuer: { type: 'rdnSequence',
value: [ [{type: id_at_commonName, value: issuer}] ] },
validity:
{ notBefore: { type: 'utcTime', value: now },
notAfter: { type: 'utcTime', value: now + days * 86400000} },
subject: { type: 'rdnSequence',
value: [ [{type: id_at_commonName, value: subject}] ] },
subjectPublicKeyInfo:
{ algorithm: { algorithm: rsaEncryption, parameters: null_},
subjectPublicKey: { unused: 0, data: public_key} },
extensions:
[ { extnID: 'subjectAlternativeName',
critical: false,
// subjectAltName which contains '\0' character to check CVE-2009-2408
extnValue: [
{ type: 'dNSName', value: 'good.example.org\u0000.evil.example.com' },
{ type: 'dNSName', value: 'just-another.example.com' },
{ type: 'iPAddress', value: Buffer.from('08080808', 'hex') },
{ type: 'iPAddress', value: Buffer.from('08080404', 'hex') },
{ type: 'dNSName', value: 'last.example.com' } ] }
]
};

const tbs_der = rfc5280.TBSCertificate.encode(tbs, 'der');

Expand All @@ -65,10 +65,10 @@ const signature = sign.sign(private_key);

const cert = {
tbsCertificate: tbs,
signatureAlgorithm: { algorithm: sha256WithRSAEncryption, parameters: null_},
signatureAlgorithm: { algorithm: sha256WithRSAEncryption, parameters: null_ },
signature:
{ unused: 0,
data: signature}
data: signature }
};
const pem = rfc5280.Certificate.encode(cert, 'pem', {label: 'CERTIFICATE'});

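Review bot: Dropping the trailing `\` from the `openssl rsa` line in the comment at the top of the `@@ -12,7` hunk leaves the documented command split across two comment lines with no continuation, so pasting it as written runs `openssl rsa -in 0-dns-key.pem -RSAPublicKey_out -outform der` on its own (DER to stdout) and then `-out 0-dns-rsapub.der` as a separate, failing command. If the backslash was removed deliberately, join the command onto one line, `// openssl rsa -in 0-dns-key.pem -RSAPublicKey_out -outform der -out 0-dns-rsapub.der`, otherwise restore the `\` so the regeneration steps for the fixture stay copy-pasteable. Separately, the `@@ -65,10` hunk adds inner spaces to the `signatureAlgorithm` and `signature` braces while the reformatted `tbs` literal in the `@@ -30,32` hunk still ends `parameters: null_}` and `data: public_key}`, so brace spacing in this file is inconsistent after the commit.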
2 changes: 1 addition & 1 deletion test/parallel/test-tls-0-dns-altname.js
Expand Up @@ -2,7 +2,7 @@
const common = require('../common');
const assert = require('assert');

// check getPeerCertificate can properly handle '\0' for fix CVE-2009-2408
// Check getPeerCertificate can properly handle '\0' for fix CVE-2009-2408.

if (!common.hasCrypto) {
common.skip('missing crypto');