From 36423444ec647e13f971c1ededac146e81a1e95c Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Sun, 14 Nov 2010 03:07:44 -0500
Subject: [PATCH] implement tests (and looser constraints on) peer names for
 peers who are clients

---
 Changelog                  |  7 +++++--
 Crypt/Monkeysphere/MSVA.pm | 29 +++++++++++++++++++----------
 tests/basic                | 27 ++++++++++++++++++++++++++-
 3 files changed, 50 insertions(+), 13 deletions(-)

diff --git a/Changelog b/Changelog
index df1a6e7..82c1048 100644
--- a/Changelog
+++ b/Changelog
@@ -11,11 +11,14 @@ msva-perl (0.6~pre) upstream;
   * fixed double-prompting on sites that have more than one User ID
     (closes MS #2567)
   * report server implementation name and version with every query (closes
-    MS # 2564)
+    MS #2564)
   * support x509pem, opensshpubkey, and rfc4716 PKC formats in addition to
     x509der (addresses MS #2566)
+  * add new peer type categorization (closes MS #2568) -- peers of type
+    client can have much more flexible names than regular hostnames we
+    look for for servers.
 
- -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Fri, 29 Oct 2010 03:48:50 -0400
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Sun, 14 Nov 2010 03:04:13 -0500
 
 msva-perl (0.5) upstream;
 
diff --git a/Crypt/Monkeysphere/MSVA.pm b/Crypt/Monkeysphere/MSVA.pm
index 507bafe..7920086 100755
--- a/Crypt/Monkeysphere/MSVA.pm
+++ b/Crypt/Monkeysphere/MSVA.pm
@@ -597,13 +597,6 @@
     $data->{peer} = { name => $data->{peer} }
       if (ref($data->{peer}) ne 'HASH');
 
-    if ($data->{peer}->{name} =~ /^($RE{net}{domain})$/) {
-	$data->{peer}->{name} = $1;
-    } else {
-	msvalog('error', "invalid peer name string: %s\n", $data->{peer}->{name});
-	$ret->{message} = sprintf("Invalid peer name string: %s", $data->{peer}->{name});
-	return $status,$ret;
-    }
     if (defined($data->{peer}->{type})) {
       if ($data->{peer}->{type} =~ /^(client|server|peer)$/) {
         $data->{peer}->{type} = $1;
@@ -614,9 +607,6 @@
       }
     }
 
-    msvalog('verbose', "peer: %s\n", $data->{peer}->{name});
-
-    # generate uid string
     my $prefix = $data->{context}.'://';
     if (defined $data->{peer}->{type} &&
         $data->{peer}->{type} eq 'client' &&
@@ -624,7 +614,26 @@
         # exclude them:
         $data->{context} !~ /^(ike|smtp)$/) {
       $prefix = '';
+      # clients can have any one-line User ID without NULL characters
+      # and leading or trailing whitespace
+      if ($data->{peer}->{name} =~ /^([^[:space:]][^\n\0]*[^[:space:]]|[^\0[:space:]])$/) {
+        $data->{peer}->{name} = $1;
+      } else {
+        msvalog('error', "invalid client peer name string: %s\n", $data->{peer}->{name});
+        $ret->{message} = sprintf("Invalid client peer name string: %s", $data->{peer}->{name});
+        return $status, $ret;
+      }
+    } elsif ($data->{peer}->{name} =~ /^($RE{net}{domain})$/) {
+      $data->{peer}->{name} = $1;
+    } else {
+      msvalog('error', "invalid peer name string: %s\n", $data->{peer}->{name});
+      $ret->{message} = sprintf("Invalid peer name string: %s", $data->{peer}->{name});
+      return $status,$ret;
     }
+
+    msvalog('verbose', "peer: %s\n", $data->{peer}->{name});
+
+    # generate uid string
     my $uid = $prefix.$data->{peer}->{name};
     msvalog('verbose', "user ID: %s\n", $uid);
 
diff --git a/tests/basic b/tests/basic
index 8605b13..525aa6d 100755
--- a/tests/basic
+++ b/tests/basic
@@ -60,10 +60,23 @@ for name in x y z ; do
     ssh-keygen -e -P '' -f "${WORKDIR}/sec/${name}.key" > "${WORKDIR}/pkc/${name}.rfc4716"
 done
 
+# make 2 client certs (A and B) with self-signed certs
+for name in a b ; do 
+    openssl req -x509 -subj "/eMail=${name}@example.net/CN=${name}/" -nodes -sha256 -newkey rsa:1024 -keyout "${WORKDIR}/sec/${name}.key" -outform DER -out "${WORKDIR}/pkc/${name}.x509der"
+    chmod 0400  "${WORKDIR}/sec/${name}.key"
+    openssl x509 -inform DER -outform PEM < "${WORKDIR}/pkc/${name}.x509der" > "${WORKDIR}/pkc/${name}.x509pem"
+    ssh-keygen -y -P '' -f "${WORKDIR}/sec/${name}.key" > "${WORKDIR}/pkc/${name}.opensshpubkey"
+    ssh-keygen -e -P '' -f "${WORKDIR}/sec/${name}.key" > "${WORKDIR}/pkc/${name}.rfc4716"
+done
+
 # translate X and Y's keys into OpenPGP cert
 for name in x y; do
     PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "https://${name}.example.net" < "${WORKDIR}/sec/${name}.key" | gpg --import
 done
+# and the same for the clients A and B
+for name in a b; do
+    PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "${name} <${name}@example.net>" < "${WORKDIR}/sec/${name}.key" | gpg --import
+done
 
 runtests() {
     # X should not validate as X or Y or Z:
@@ -72,9 +85,16 @@ runtests() {
             ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https "${name}.example.net" "${ctype}" < "${WORKDIR}/pkc/x.${ctype}"
         done
     done
+    # A shouldn't validate as A or B:
+    for name in a b; do
+        for ctype in $CERTTYPES; do
+            ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https "${name} <${name}@example.net>" "${ctype}" client < "${WORKDIR}/pkc/a.${ctype}"
+        done
+    done
     
-    # certify X's OpenPGP cert with CA
+    # certify X and A's OpenPGP cert with CA
     gpg --batch --yes --sign-key https://x.example.net
+    gpg --batch --yes --sign-key a@example.net
 
     echo "Testing bad data:"
     # it should fail if we pass it the wrong kind of data:
@@ -85,11 +105,14 @@ runtests() {
     for ctype in $CERTTYPES; do 
     # X should now validate as X
         "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https x.example.net "${ctype}" < "${WORKDIR}/pkc/x.${ctype}"
+        "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https 'a <a@example.net>' "${ctype}" client < "${WORKDIR}/pkc/a.${ctype}"
         
     # but X should not validate as Y or Z:
         for name in x y z; do
             ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https "${name}.example.net" "${ctype}" < "${WORKDIR}/pkc/x.${ctype}"
         done
+        # and A shouldn't validate as B:
+        ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https "b <b@example.net>" "${ctype}" client < "${WORKDIR}/pkc/a.${ctype}"
 
     # neither Y nor Z should validate as any of them:
         for src in y z; do
@@ -97,6 +120,8 @@ runtests() {
                 ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https "${targ}.example.net" "${ctype}" < "${WORKDIR}/pkc/${src}.${ctype}"
             done
         done
+        # B should also still not validate as itself:
+        ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https "b <b@example.net>" "${ctype}" client < "${WORKDIR}/pkc/b.${ctype}"
     done
 }
 
-- 
2.26.2