Subject: svn commit: r1655918 - in /subversion/trunk/subversion: libsvn_subr/x509parse.c tests/libsvn_subr/x509-test.c
Date: Fri, 30 Jan 2015 02:37:48 -0000
To: commits@subversion.apache.org
Reply-To: dev@subversion.apache.org
From: breser@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20150130023748.3B6FCAC003E@hades.apache.org> Author: breser Date: Fri Jan 30 02:37:47 2015 New Revision: 1655918 URL: http://svn.apache.org/r1655918 Log: Try to parse issuerUniqueID, subjectUniqueID and extensions for every X.509 certificate version (v1, v2 and v3). If they aren't present, we are fine, but we don't want to throw an error if they are. v1 and v2 certificates with the corresponding extra fields are ill-formed per RFC 5280 s. 4.1, but we suspect they could exist in the real world. Other X.509 parsers (e.g., within OpenSSL or Microsoft CryptoAPI) aren't picky about these certificates. As long as we are only willing to display the certificate data in the 'svn auth' command, we can also be less strict about them. * subversion/libsvn_subr/x509parse.c (svn_x509_parse_cert): Try to parse issuerUniqueID, subjectUniqueID and extensions for all known X.509 versions (v1, v2, v3). (x509parse_get_hostnames): Do not check CRT->DNSNAMES for null, because it is no longer necessary. subversion/tests/libsvn_subr/x509-test.c (cert_tests): Add a new test case. Patch by: kotkov Modified: subversion/trunk/subversion/libsvn_subr/x509parse.c subversion/trunk/subversion/tests/libsvn_subr/x509-test.c Modified: subversion/trunk/subversion/libsvn_subr/x509parse.c URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_subr/x509parse.c?rev=1655918&r1=1655917&r2=1655918&view=diff ============================================================================== --- subversion/trunk/subversion/libsvn_subr/x509parse.c (original) +++ subversion/trunk/subversion/libsvn_subr/x509parse.c Fri Jan 30 02:37:47 2015 @@ -1010,7 +1010,7 @@ x509parse_get_hostnames(svn_x509_certinf { ci->hostnames = NULL; - if (crt->dnsnames && crt->dnsnames->nelts > 0) + if (crt->dnsnames->nelts > 0) { int i; 
@@ -1155,17 +1155,18 @@ svn_x509_parse_cert(svn_x509_certinfo_t * extensions [3] EXPLICIT Extensions OPTIONAL * -- If present, version shall be v3 */ - if (crt->version == 2 || crt->version == 3) - SVN_ERR(x509_get_uid(&p, end, &crt->issuer_id, 1)); + crt->dnsnames = apr_array_make(scratch_pool, 3, sizeof(x509_buf *)); - if (crt->version == 2 || crt->version == 3) - SVN_ERR(x509_get_uid(&p, end, &crt->subject_id, 2)); - - if (crt->version == 3) - { - crt->dnsnames = apr_array_make(scratch_pool, 3, sizeof(x509_buf *)); - SVN_ERR(x509_get_ext(crt->dnsnames, &p, end)); - } + /* Try to parse issuerUniqueID, subjectUniqueID and extensions for *every* + * version (X.509 v1, v2 and v3), not just v2 or v3. If they aren't present, + * we are fine, but we don't want to throw an error if they are. v1 and v2 + * certificates with the corresponding extra fields are ill-formed per RFC + * 5280 s. 4.1, but we suspect they could exist in the real world. Other + * X.509 parsers (e.g., within OpenSSL or Microsoft CryptoAPI) aren't picky + * about these certificates, and we also allow them. */ + SVN_ERR(x509_get_uid(&p, end, &crt->issuer_id, 1)); + SVN_ERR(x509_get_uid(&p, end, &crt->subject_id, 2)); + SVN_ERR(x509_get_ext(crt->dnsnames, &p, end)); if (p != end) { Modified: subversion/trunk/subversion/tests/libsvn_subr/x509-test.c URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/tests/libsvn_subr/x509-test.c?rev=1655918&r1=1655917&r2=1655918&view=diff ============================================================================== --- subversion/trunk/subversion/tests/libsvn_subr/x509-test.c (original) +++ subversion/trunk/subversion/tests/libsvn_subr/x509-test.c Fri Jan 30 02:37:47 2015 
@@ -437,6 +437,39 @@ static struct x509_test cert_tests[] = { "x509v1.example.com", "5730dd65a7f77fdf0dfd90e5a53119f38854af29" }, + /* X.509 v1 certificate with an X.509 v3 Subject Alternative Name + * extension. Although these are ill-formed per RFC 5280 s. 4.1, we + * suspect that they could exist in the real world. Make sure we do + * not error out, and that we pick up SAN (b.example.com) from the + * extension. */ + { "MIIDLzCCAhcCAQ8wDQYJKoZIhvcNAQEFBQAwKzEpMCcGA1UEAwwgSW50ZXJuZXQg" + "V2lkZ2l0cyBJbnRlcm1lZGlhdGUgQ0EwHhcNMTUwMTI5MDAzMzU1WhcNMTYwMTI5" + "MDAzMzU1WjByMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjETMBEG" + "A1UEBwwKTm9ydGggQmVuZDEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkg" + "THRkMRYwFAYDVQQDDA1hLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC" + "AQ8AMIIBCgKCAQEAs0hj2xPRQZpecqk0Ih1l4juAuQZeSgv3yD/VtSq/9sTBH6iA" + "4XjJQcHROYxYaK0QS/qlCjpl+Q3mOaVIu+59TLy3T2YVgqMYmgB453ntuJPkdF1C" + "fJ2j19YAQZHHdOFaP1G+auBwjmHns3+MkG4s7EPuJP7TBCcSFlOmz5D4GUui3NVG" + "LBYUog1ZhF4oe/7d4jc2Cn8uypNT/Hc1ViIlCT4rFoAirv9Uob+4zjQ3Z18I1Ql1" + "t8oszVCj3kKDboEty2RduwPLx/2ztWYBCvFhd49JGdi/nzMi+j2d5HCI3V8W06pN" + "mvrVU4G0ImVRa8wpmQCSm2Tp0s42FAVHWw8yMwIDAQABoxwwGjAYBgNVHREEETAP" + "gg1iLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBBQUAA4IBAQDI/n0NYakuRP/485/A" + "dan71qBy3sljjOreq71IfBdtq+GEjCL1B0TD0V338LXki9NicCLeD/MWfceDjV0u" + "AjPTxaZEn/NWqXo0mpNC535Y6G46mIHYDGC8JyvCJjaXF+GVstNt6lXzZp2Yn3Si" + "K57uVb+zz5zAGSO982I2HACZPnF/oAtp7bwxzwvBsLqSLw3hh0ATVPp6ktE+WMoI" + "X75CVcDmU0zjXqzKiFPKeTVjQG6YxgvplMaag/iNngkgEhX4PIrxdIEsHf8l9ogC" + "dz51MFxetsC4D2KRq8IblF9i+9r3hlv+Dbf9ovYe9Hu0usloSinImoWOw42iWWmP" + "vT4l", + "C=US, ST=Washington, L=North Bend, O=Internet Widgits Pty Ltd, " + "CN=a.example.com", + "2.5.4.6 2.5.4.8 2.5.4.7 2.5.4.10 2.5.4.3", + "CN=Internet Widgits Intermediate CA", + "2.5.4.3", + "2015-01-29T00:33:55.000000Z", + "2016-01-29T00:33:55.000000Z", + "b.example.com", + "47fa5c76fee6e21e37def6da3746bba84a5a09bf" + }, { NULL } };
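Review bot: In the x509parse_get_hostnames hunk, dropping the `crt->dnsnames &&` null guard is only safe because the svn_x509_parse_cert hunk now unconditionally allocates `crt->dnsnames` with `apr_array_make()` before any version check; the two hunks are coupled, so add a one-line comment at the `if (crt->dnsnames->nelts > 0)` site noting that `dnsnames` is always non-NULL after parsing, so a future refactor of svn_x509_parse_cert (or another constructor of svn_x509_certinfo_t) does not reintroduce a NULL dereference here.

Review bot: In the svn_x509_parse_cert hunk, the three calls `SVN_ERR(x509_get_uid(&p, end, &crt->issuer_id, 1));`, `SVN_ERR(x509_get_uid(&p, end, &crt->subject_id, 2));` and `SVN_ERR(x509_get_ext(crt->dnsnames, &p, end));` are now reached for every version, so the change is correct only if each of those helpers returns success without advancing `p` when the optional tagged element is absent; that precondition is not visible in this hunk and deserves a sentence in the new comment block. The same comment should also carry the constraint the log message states, that this leniency is acceptable because the parsed data is only displayed by 'svn auth': if the parser is later used for a trust or hostname-matching decision, accepting v1/v2 certificates with v3-only fields (ill-formed per RFC 5280 s. 4.1, as the comment says) should be re-evaluated there. The trailing `if (p != end)` check after the block still rejects trailing garbage, which is the right backstop to keep.

Review bot: The new cert_tests entry covers only one of the three newly lenient paths: a v1 certificate (`CAQ8w` serial, no explicit version field) carrying a Subject Alternative Name extension, with the expected hostname `"b.example.com"` taken from the SAN rather than the CN `a.example.com`. The same change also starts parsing issuerUniqueID and subjectUniqueID on v1 certificates and extensions on v2 certificates, and neither is exercised; add at least a v2 certificate with an extension, and a certificate with a uniqueID field, so that the three paths in the x509parse.c hunk are each covered by a regression test rather than relying on the existing v3 cases.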