commit 51052e322f4d4e4f75d3cf3d000a363244696013
Author: Jacob Champion
Date: Tue Mar 15 16:02:15 2022 -0700

squash! libpq: allow IP address SANs in server certs

Per discussion on list, add tests for the (counter-intuitive) standing behavior that matches IP addresses embedded in dNSName SANs.

diff --git a/src/test/ssl/conf/server-ip-in-dnsname.config b/src/test/ssl/conf/server-ip-in-dnsname.config
new file mode 100644
index 0000000000..b15649aef7
--- /dev/null
+++ b/src/test/ssl/conf/server-ip-in-dnsname.config
@@ -0,0 +1,18 @@
+# An OpenSSL format CSR config file for creating a server certificate.
+#
+
+[ req ]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[ req_distinguished_name ]
+OU = PostgreSQL test suite
+
+# For Subject Alternative Names
+[ v3_req ]
+subjectAltName = @alt_names
+
+# Normally IP addresses should not go into a dNSName.
+[ alt_names ]
+DNS.1 = 192.0.2.1
diff --git a/src/test/ssl/ssl/server-ip-in-dnsname.crt b/src/test/ssl/ssl/server-ip-in-dnsname.crt
new file mode 100644
index 0000000000..78ad8d99c8
--- /dev/null
+++ b/src/test/ssl/ssl/server-ip-in-dnsname.crt
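Review bot: The comment above `[ alt_names ]` says IP addresses should not go into a dNSName but not why this fixture does it anyway, so a later reader may "correct" the SAN to an `IP.1` entry and silently drop the test's coverage. I would expand it to `# Normally IP addresses should not go into a dNSName: RFC 5280 4.2.1.6 puts them in iPAddress. This fixture deliberately does so to pin down libpq's lenient textual match of a dNSName against host=; see t/001_ssltests.pl.` The rest of the section layout presumably mirrors the other server-*.config fixtures, which are not visible here.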
@@ -0,0 +1,70 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2315416547509162496 (0x2022031515585200) + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = Test CA for PostgreSQL SSL regression test server certs + Validity + Not Before: Mar 15 22:58:52 2022 GMT + Not After : Jul 31 22:58:52 2049 GMT + Subject: OU = PostgreSQL test suite + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:ca:67:e5:b3:f5:fc:e7:c1:41:1f:f2:bc:e9:0e: + 07:3c:40:ac:4d:63:d5:84:a1:55:ad:a9:72:3f:3d: + eb:e0:95:0c:48:15:37:91:e5:bb:3e:ca:1d:4f:c9: + 63:33:59:08:01:db:e5:60:07:ba:f5:f1:29:ea:23: + e1:38:b9:6d:ed:4a:b2:a3:b4:98:dd:69:f9:13:0d: + ed:59:42:a4:2a:5b:d0:05:93:cf:8c:fe:23:c4:d4: + 85:26:67:9a:08:21:1e:f7:d6:e1:17:dc:64:c0:9c: + 1e:ad:6f:7a:f5:53:0f:14:7f:70:06:c3:3d:8a:60: + 04:20:f9:17:f4:99:31:1c:8c:0f:0e:41:ec:82:cb: + 99:fb:74:7a:a0:35:9c:2a:9a:bf:2a:81:08:66:6f: + c7:5a:25:f0:de:41:7d:57:6b:0d:7a:7f:ac:de:7d: + f7:b9:21:05:64:11:67:c8:3c:e0:56:72:15:95:df: + a7:0a:79:ed:eb:b4:38:64:03:cd:91:57:a0:42:f6: + b7:83:95:95:de:bb:2b:98:dc:72:55:95:c4:76:3a: + 14:67:07:8c:2b:f2:aa:ce:3c:3c:23:ce:47:ce:1a: + 9d:9c:23:1a:ca:95:39:2e:b6:e7:4f:c3:58:a0:50: + 3b:82:b2:86:44:d5:7f:40:16:fc:80:86:48:c3:8a: + 90:09 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:192.0.2.1 + Signature Algorithm: sha256WithRSAEncryption + c8:00:01:f4:58:92:84:a5:b3:cd:d1:08:a1:37:a4:85:50:0e: + 56:2f:88:b1:b0:10:02:a3:d3:88:00:69:12:9c:a7:8e:79:51: + 06:e6:fb:e0:3a:76:b4:86:34:1c:39:c8:2d:23:5a:02:0c:b8: + 54:2d:c8:c2:bb:0c:62:21:6e:b2:42:7b:4e:6b:3c:a8:d2:ca: + 28:26:bd:21:12:6d:96:7e:2a:6f:22:94:2c:e9:6f:44:d4:e4: + dc:b3:ad:b8:04:05:5f:90:0c:2b:e9:64:f6:57:0a:08:00:f7: + 10:0f:69:d1:b4:84:21:49:42:11:f4:9e:d0:e5:66:f3:b9:0c: + 3b:a6:d8:50:84:17:d6:fd:43:d6:c3:bb:da:8d:e9:74:af:57: + 5f:95:b7:b4:0a:0a:79:58:63:5f:a7:59:18:cb:e4:1f:5d:6f: + 
d8:8e:4b:2d:64:43:f5:28:59:be:4c:5e:7c:bb:1a:c8:0e:66: + 1b:a1:2f:04:7a:b5:11:10:64:22:c6:28:db:23:40:1f:5e:34: + a1:c6:d8:b2:4b:ad:eb:6d:da:68:dc:2d:01:3e:3f:58:c7:65: + 6d:5a:2e:14:d2:aa:1e:7f:f8:8b:27:12:41:08:bb:c4:ff:de: + fe:76:e3:dd:2b:1d:00:92:43:96:03:d5:6e:7a:79:16:2e:9e: + fd:ed:43:3c +-----BEGIN CERTIFICATE----- +MIIC/DCCAeSgAwIBAgIIICIDFRVYUgAwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE +Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl +cnZlciBjZXJ0czAeFw0yMjAzMTUyMjU4NTJaFw00OTA3MzEyMjU4NTJaMCAxHjAc +BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAMpn5bP1/OfBQR/yvOkOBzxArE1j1YShVa2pcj896+CVDEgV +N5Hluz7KHU/JYzNZCAHb5WAHuvXxKeoj4Ti5be1KsqO0mN1p+RMN7VlCpCpb0AWT +z4z+I8TUhSZnmgghHvfW4RfcZMCcHq1vevVTDxR/cAbDPYpgBCD5F/SZMRyMDw5B +7ILLmft0eqA1nCqavyqBCGZvx1ol8N5BfVdrDXp/rN5997khBWQRZ8g84FZyFZXf +pwp57eu0OGQDzZFXoEL2t4OVld67K5jcclWVxHY6FGcHjCvyqs48PCPOR84anZwj +GsqVOS6250/DWKBQO4KyhkTVf0AW/ICGSMOKkAkCAwEAAaMYMBYwFAYDVR0RBA0w +C4IJMTkyLjAuMi4xMA0GCSqGSIb3DQEBCwUAA4IBAQDIAAH0WJKEpbPN0QihN6SF +UA5WL4ixsBACo9OIAGkSnKeOeVEG5vvgOna0hjQcOcgtI1oCDLhULcjCuwxiIW6y +QntOazyo0sooJr0hEm2WfipvIpQs6W9E1OTcs624BAVfkAwr6WT2VwoIAPcQD2nR +tIQhSUIR9J7Q5WbzuQw7pthQhBfW/UPWw7vajel0r1dflbe0Cgp5WGNfp1kYy+Qf +XW/YjkstZEP1KFm+TF58uxrIDmYboS8EerUREGQixijbI0AfXjShxtiyS63rbdpo +3C0BPj9Yx2VtWi4U0qoef/iLJxJBCLvE/97+duPdKx0AkkOWA9VuenkWLp797UM8 +-----END CERTIFICATE----- diff --git a/src/test/ssl/ssl/server-ip-in-dnsname.key b/src/test/ssl/ssl/server-ip-in-dnsname.key new file mode 100644 index 0000000000..ba319b001e --- /dev/null +++ b/src/test/ssl/ssl/server-ip-in-dnsname.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAymfls/X858FBH/K86Q4HPECsTWPVhKFVralyPz3r4JUMSBU3 +keW7PsodT8ljM1kIAdvlYAe69fEp6iPhOLlt7Uqyo7SY3Wn5Ew3tWUKkKlvQBZPP +jP4jxNSFJmeaCCEe99bhF9xkwJwerW969VMPFH9wBsM9imAEIPkX9JkxHIwPDkHs +gsuZ+3R6oDWcKpq/KoEIZm/HWiXw3kF9V2sNen+s3n33uSEFZBFnyDzgVnIVld+n +Cnnt67Q4ZAPNkVegQva3g5WV3rsrmNxyVZXEdjoUZweMK/Kqzjw8I85HzhqdnCMa +ypU5LrbnT8NYoFA7grKGRNV/QBb8gIZIw4qQCQIDAQABAoIBAA2kPP4JCTeRddMy +Z/sJIAG2liZNITnkKcMflXyfrsMfKIm/LFSf+CO+OYWEHDR8vqZpbKcxPi+PRnTq +YCaTkM4aZ7nS1S6vEsNu/90xOaFFONr3YFivVDfS3vp8pwv/N3gaumcCSqQUoZis +18urAmwuPp2mEQK/f+e9AhlRLdcvlqDyKm+zMrVixK77Hj5JiEkh3rfZ3onHHKGE +B7T2XRRqnZ4FCN9qLH2pMGUknZ4MGC9SlCyoerXFodb4DhKWQhJDRLjb8qP96r/E +FGSg5WUiAERU/OgODoqZNTeIwIDB/f9NK45dEY3Hw6BsSFfU2VChrlNoVlzFUx2k +yaH5Y4ECgYEA8rht3crh3GTy0jBJjNqB2iul8fkG/uiaiSvERWT/+KZnmV1+JGAW +h2/wvd5apagOJjqKY0bCHMei/qYF9r4yJnkIy4qNper3QUz7TMCjsWduCm8S834A +Z+Vwi3RBGJiQQH9Dfexko5sDjo+w5g4RsH52INCeReInNdxHOv06jZECgYEA1XrR +QNwZlxHt3H93YKmKDZXikqW12Cuq6RSwf5VVdeuzV+pUN+/JaSgEuYsBilW7Q5p2 +gPROi0l8/eUPsBJb+dh1BcGzSjI2Kkzf66QOTG83S7tCPwQhwJUAylFuADvURjPQ +qvqNjbQUomdm2QjBzyWtiFbolqxBgM3dnE6R/vkCgYBYGqQexx83LhmKPGbmTwal +mARzkg59BxfZRN7IxcG4k0a1v98i+xISdYqwkP7cdOU18Tf8k1mwsrKytrcheqaf +mn2bzJ5gJKs9s+DgWmjQ45dpCCqb4hfpnro8lKVwdSifkNKB6gYZ8RHYdMYkq+S1 +6SGeBbv95/qNrXjZq8POUQKBgHyaDwD4dsdCY79LdvYofrenQHOv3Q+rjTo2JT6S +fysww6EQ2M89WiXSgc96Xw/LMl4nDfv+nMmXvyjCRgHS9XRC7yrJAEjSPeM6s4fq +XZ4nW/ML/YKiesDZN3jfRoFEaoX/QFBLpcuLzG9uQw1ymwy5RSxK7b7kE+eGQU82 +XOihAoGBAI3xvT9fG3jRsSuw/8OQBlmDUFZcT0fRPRZ3pg8XlSreAam4b607d2WY +u/bBHIclG3CLJ2EFqBtxl9AQeM0OTweF0KmV3dbtdBmaTbnhbK8/NLYnl5+aosEJ +YrFKD8k8z6z+mYQs+7bAnfRa53TjfC7f24BpgEQyEfKL2fa3PF+J +-----END RSA PRIVATE KEY----- diff --git a/src/test/ssl/sslfiles.mk b/src/test/ssl/sslfiles.mk index f9be5ffdba..d6a3870079 100644 --- a/src/test/ssl/sslfiles.mk +++ b/src/test/ssl/sslfiles.mk 
@@ -27,6 +27,7 @@ SERVERS := server-cn-and-alt-names \ server-ip-cn-only \ server-ip-cn-and-alt-names \ server-ip-cn-and-dns-alt-names \ + server-ip-in-dnsname \ server-single-alt-name \ server-multiple-alt-names \ server-ip-alt-names \ diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl index 6c73c0f9ea..07e5b71d8c 100644 --- a/src/test/ssl/t/001_ssltests.pl +++ b/src/test/ssl/t/001_ssltests.pl @@ -266,6 +266,13 @@ $node->connect_fails( qr/\Qserver certificate for "192.0.2.1" does not match host name "192.000.002.001"\E/ ); +# Similarly, we'll also match an IP address in a dNSName SAN. (This is +# long-standing behavior.) +switch_server_cert($node, 'server-ip-in-dnsname'); + +$node->connect_ok("$common_connstr host=192.0.2.1", + "IP address in a dNSName"); + # Test Subject Alternative Names. switch_server_cert($node, 'server-multiple-alt-names');
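Review bot: The new `connect_ok` pins only the positive case, `host=192.0.2.1` matching a dNSName SAN holding the same text, but nothing checks that this lenient path is a plain string comparison rather than address parsing, which is the security-relevant half of the "counter-intuitive" behavior. The preceding `connect_fails` already probes the non-canonical spelling `192.000.002.001` against a real iPAddress SAN; the same probe against this certificate would lock in that a dNSName of `192.0.2.1` cannot match any other spelling of the address. I would add it directly after the `connect_ok`, reusing the preceding test's error pattern (I assume libpq reports the dNSName text in the same "does not match host name" message; confirm on a run). The comment `# long-standing behavior.)` would also read better if it said the match is kept for compatibility and is not something RFC 5280 asks for, since that RFC places IP addresses in iPAddress.
```perl
$node->connect_ok("$common_connstr host=192.0.2.1",
	"IP address in a dNSName");

# The dNSName match is textual, not an address comparison: another
# spelling of the same address must still be rejected.
$node->connect_fails(
	"$common_connstr host=192.000.002.001",
	"IP address in a dNSName, non-canonical form",
	expected_stderr =>
	  qr/\Qserver certificate for "192.0.2.1" does not match host name "192.000.002.001"\E/
);
```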