From 36423444ec647e13f971c1ededac146e81a1e95c Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor <dkg@fifthhorseman.net> Date: Sun, 14 Nov 2010 03:07:44 -0500 Subject: [PATCH] implement tests (and looser constraints on) peer names for peers who are clients --- Changelog | 7 +++++-- Crypt/Monkeysphere/MSVA.pm | 29 +++++++++++++++++++---------- tests/basic | 27 ++++++++++++++++++++++++++- 3 files changed, 50 insertions(+), 13 deletions(-) diff --git a/Changelog b/Changelog index df1a6e7..82c1048 100644 --- a/Changelog +++ b/Changelog @@ -11,11 +11,14 @@ msva-perl (0.6~pre) upstream; * fixed double-prompting on sites that have more than one User ID (closes MS #2567) * report server implementation name and version with every query (closes - MS # 2564) + MS #2564) * support x509pem, opensshpubkey, and rfc4716 PKC formats in addition to x509der (addresses MS #2566) + * add new peer type categorization (closes MS #2568) -- peers of type + client can have much more flexible names than regular hostnames we + look for for servers. - -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 29 Oct 2010 03:48:50 -0400 + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 14 Nov 2010 03:04:13 -0500 msva-perl (0.5) upstream; diff --git a/Crypt/Monkeysphere/MSVA.pm b/Crypt/Monkeysphere/MSVA.pm index 507bafe..7920086 100755 --- a/Crypt/Monkeysphere/MSVA.pm +++ b/Crypt/Monkeysphere/MSVA.pm @@ -597,13 +597,6 @@ $data->{peer} = { name => $data->{peer} } if (ref($data->{peer}) ne 'HASH'); - if ($data->{peer}->{name} =~ /^($RE{net}{domain})$/) { - $data->{peer}->{name} = $1; - } else { - msvalog('error', "invalid peer name string: %s\n", $data->{peer}->{name}); - $ret->{message} = sprintf("Invalid peer name string: %s", $data->{peer}->{name}); - return $status,$ret; - } if (defined($data->{peer}->{type})) { if ($data->{peer}->{type} =~ /^(client|server|peer)$/) { $data->{peer}->{type} = $1; @@ -614,9 +607,6 @@ } } - msvalog('verbose', "peer: %s\n", $data->{peer}->{name}); - - # generate uid string my $prefix = $data->{context}.'://'; if (defined $data->{peer}->{type} && $data->{peer}->{type} eq 'client' && @@ -624,7 +614,26 @@ # exclude them: $data->{context} !~ /^(ike|smtp)$/) { $prefix = ''; + # clients can have any one-line User ID without NULL characters + # and leading or trailing whitespace + if ($data->{peer}->{name} =~ /^([^[:space:]][^\n\0]*[^[:space:]]|[^\0[:space:]])$/) { + $data->{peer}->{name} = $1; + } else { + msvalog('error', "invalid client peer name string: %s\n", $data->{peer}->{name}); + $ret->{message} = sprintf("Invalid client peer name string: %s", $data->{peer}->{name}); + return $status, $ret; + } + } elsif ($data->{peer}->{name} =~ /^($RE{net}{domain})$/) { + $data->{peer}->{name} = $1; + } else { + msvalog('error', "invalid peer name string: %s\n", $data->{peer}->{name}); + $ret->{message} = sprintf("Invalid peer name string: %s", $data->{peer}->{name}); + return $status,$ret; } + + msvalog('verbose', "peer: %s\n", $data->{peer}->{name}); + + # generate uid string my $uid = $prefix.$data->{peer}->{name}; msvalog('verbose', "user ID: %s\n", $uid); diff --git a/tests/basic b/tests/basic index 8605b13..525aa6d 100755 --- a/tests/basic +++ b/tests/basic @@ -60,10 +60,23 @@ for name in x y z ; do ssh-keygen -e -P '' -f "${WORKDIR}/sec/${name}.key" > "${WORKDIR}/pkc/${name}.rfc4716" done +# make 2 client certs (A and B) with self-signed certs +for name in a b ; do + openssl req -x509 -subj "/eMail=${name}@example.net/CN=${name}/" -nodes -sha256 -newkey rsa:1024 -keyout "${WORKDIR}/sec/${name}.key" -outform DER -out "${WORKDIR}/pkc/${name}.x509der" + chmod 0400 "${WORKDIR}/sec/${name}.key" + openssl x509 -inform DER -outform PEM < "${WORKDIR}/pkc/${name}.x509der" > "${WORKDIR}/pkc/${name}.x509pem" + ssh-keygen -y -P '' -f "${WORKDIR}/sec/${name}.key" > "${WORKDIR}/pkc/${name}.opensshpubkey" + ssh-keygen -e -P '' -f "${WORKDIR}/sec/${name}.key" > "${WORKDIR}/pkc/${name}.rfc4716" +done + # translate X and Y's keys into OpenPGP cert for name in x y; do PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "https://${name}.example.net" < "${WORKDIR}/sec/${name}.key" | gpg --import done +# and the same for the clients A and B +for name in a b; do + PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "${name} <${name}@example.net>" < "${WORKDIR}/sec/${name}.key" | gpg --import +done runtests() { # X should not validate as X or Y or Z: @@ -72,9 +85,16 @@ runtests() { ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https "${name}.example.net" "${ctype}" < "${WORKDIR}/pkc/x.${ctype}" done done + # A shouldn't validate as A or B: + for name in a b; do + for ctype in $CERTTYPES; do + ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https "${name} <${name}@example.net>" "${ctype}" client < "${WORKDIR}/pkc/a.${ctype}" + done + done - # certify X's OpenPGP cert with CA + # certify X and A's OpenPGP cert with CA gpg --batch --yes --sign-key https://x.example.net + gpg --batch --yes --sign-key a@example.net echo "Testing bad data:" # it should fail if we pass it the wrong kind of data: @@ -85,11 +105,14 @@ runtests() { for ctype in $CERTTYPES; do # X should now validate as X "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https x.example.net "${ctype}" < "${WORKDIR}/pkc/x.${ctype}" + "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https 'a <a@example.net>' "${ctype}" client < "${WORKDIR}/pkc/a.${ctype}" # but X should not validate as Y or Z: for name in x y z; do ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https "${name}.example.net" "${ctype}" < "${WORKDIR}/pkc/x.${ctype}" done + # and A shouldn't validate as B: + ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https "b <b@example.net>" "${ctype}" client < "${WORKDIR}/pkc/a.${ctype}" # neither Y nor Z should validate as any of them: for src in y z; do @@ -97,6 +120,8 @@ runtests() { ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https "${targ}.example.net" "${ctype}" < "${WORKDIR}/pkc/${src}.${ctype}" done done + # B should also still not validate as itself: + ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https "b <b@example.net>" "${ctype}" client < "${WORKDIR}/pkc/b.${ctype}" done } -- 2.26.2