Verifying the peer name on the X509 Certs correctly.
- The SANs take precedence over the CN.
- The CN is only checked if there are no SANs.
- Fixing the tests as the test cert did not list *.test.google.com in
the SANs. Will fix the test cert another time...
diff --git a/src/core/tsi/ssl_transport_security.c b/src/core/tsi/ssl_transport_security.c
index 92fcb96..f1a5274 100644
--- a/src/core/tsi/ssl_transport_security.c
+++ b/src/core/tsi/ssl_transport_security.c
@@ -1282,25 +1282,18 @@
int tsi_ssl_peer_matches_name(const tsi_peer* peer, const char* name) {
size_t i = 0;
- const tsi_peer_property* property = tsi_peer_get_property_by_name(
- peer, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY);
- if (property == NULL || property->type != TSI_PEER_PROPERTY_TYPE_STRING) {
- gpr_log(GPR_ERROR, "Invalid x509 subject common name property.");
- return 0;
- }
- if (does_entry_match_name(property->value.string.data,
- property->value.string.length, name)) {
- return 1;
- }
+ size_t san_count = 0;
- property = tsi_peer_get_property_by_name(
+ /* Check the SAN first. */
+ const tsi_peer_property* property = tsi_peer_get_property_by_name(
peer, TSI_X509_SUBJECT_ALTERNATIVE_NAMES_PEER_PROPERTY);
if (property == NULL || property->type != TSI_PEER_PROPERTY_TYPE_LIST) {
gpr_log(GPR_ERROR, "Invalid x509 subject alternative names property.");
return 0;
}
- for (i = 0; i < property->value.list.child_count; i++) {
+ san_count = property->value.list.child_count;
+ for (i = 0; i < san_count; i++) {
const tsi_peer_property* alt_name_property =
&property->value.list.children[i];
if (alt_name_property->type != TSI_PEER_PROPERTY_TYPE_STRING) {
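Review bot: The early `return 0` on a NULL subject-alternative-names property (the kept `if (property == NULL || property->type != TSI_PEER_PROPERTY_TYPE_LIST)` check) means the CN fallback added in the next hunk is only reached when the property exists with an empty child list. If a certificate that carries no subjectAltName extension yields no property at all rather than an empty list — not visible here, it depends on how the peer is populated — such certificates are rejected with "Invalid x509 subject alternative names property." before the CN is ever consulted, which is exactly the case the commit message says the fallback is for. One way to make the two agree is to fail only on a present-but-mistyped property and treat absence as zero SANs: `if (property != NULL && property->type != TSI_PEER_PROPERTY_TYPE_LIST) {` for the check, and `san_count = (property == NULL) ? 0 : property->value.list.child_count;` for the count, so the loop is skipped and the CN path runs. The loop body at the end of this hunk continues outside it.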
@@ -1312,5 +1305,20 @@
return 1;
}
}
+
+ /* If there's no SAN, try the CN. */
+ if (san_count == 0) {
+ property = tsi_peer_get_property_by_name(
+ peer, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY);
+ if (property == NULL || property->type != TSI_PEER_PROPERTY_TYPE_STRING) {
+ gpr_log(GPR_ERROR, "Invalid x509 subject common name property.");
+ return 0;
+ }
+ if (does_entry_match_name(property->value.string.data,
+ property->value.string.length, name)) {
+ return 1;
+ }
+ }
+
return 0; /* Not found. */
}
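Review bot: The precedence rule the function now implements — SANs are authoritative and the CN is consulted only when the peer presents zero SAN entries — is stated only by the two inline comments inside the body, so a caller reading the signature of `tsi_ssl_peer_matches_name` (which starts in the previous hunk) cannot see it. I would add a header comment above the definition along the lines of `/* Returns 1 if name matches one of the peer's X509 subject alternative names, or, only when the peer presents no SANs at all, its subject common name (cf. RFC 6125 section 6.4.4); returns 0 otherwise, including when the required peer properties are missing or mistyped. */`. Note also that `san_count` counts entries of every type, so if the list can contain non-DNS SANs, a certificate whose SANs are all non-DNS never falls back to the CN; if that stricter behaviour is intended, the comment should say so.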
diff --git a/src/node/test/interop_sanity_test.js b/src/node/test/interop_sanity_test.js
index 8dc933e..6b3aa3d 100644
--- a/src/node/test/interop_sanity_test.js
+++ b/src/node/test/interop_sanity_test.js
@@ -40,7 +40,7 @@
var port;
-var name_override = 'foo.test.google.com';
+var name_override = 'foo.test.google.fr';
describe('Interop tests', function() {
before(function(done) {
diff --git a/src/php/tests/interop/interop_client.php b/src/php/tests/interop/interop_client.php
index 5a09fc7..82ca438 100755
--- a/src/php/tests/interop/interop_client.php
+++ b/src/php/tests/interop/interop_client.php
@@ -215,7 +215,7 @@
new Grpc\BaseStub(
$server_address,
[
- 'grpc.ssl_target_name_override' => 'foo.test.google.com',
+ 'grpc.ssl_target_name_override' => 'foo.test.google.fr',
'credentials' => $credentials
]));
diff --git a/src/php/tests/unit_tests/SecureEndToEndTest.php b/src/php/tests/unit_tests/SecureEndToEndTest.php
index b19ac80..c23dd79 100755
--- a/src/php/tests/unit_tests/SecureEndToEndTest.php
+++ b/src/php/tests/unit_tests/SecureEndToEndTest.php
@@ -47,7 +47,7 @@
$this->channel = new Grpc\Channel(
'localhost:' . $port,
[
- 'grpc.ssl_target_name_override' => 'foo.test.google.com',
+ 'grpc.ssl_target_name_override' => 'foo.test.google.fr',
'credentials' => $credentials
]);
}
diff --git a/src/ruby/bin/interop/interop_client.rb b/src/ruby/bin/interop/interop_client.rb
index 76402b7..380ceb1 100755
--- a/src/ruby/bin/interop/interop_client.rb
+++ b/src/ruby/bin/interop/interop_client.rb
@@ -291,7 +291,7 @@
# validates the the command line options, returning them as a Hash.
def parse_args
args = Args.new
- args.host_override = 'foo.test.google.com'
+ args.host_override = 'foo.test.google.fr'
OptionParser.new do |opts|
opts.on('--oauth_scope scope',
'Scope for OAuth tokens') { |v| args['oauth_scope'] = v }
diff --git a/src/ruby/bin/math_client.rb b/src/ruby/bin/math_client.rb
index cb085d4..db254ef 100755
--- a/src/ruby/bin/math_client.rb
+++ b/src/ruby/bin/math_client.rb
@@ -127,7 +127,7 @@
if options['secure']
stub_opts = {
:creds => test_creds,
- GRPC::Core::Channel::SSL_TARGET => 'foo.test.google.com'
+ GRPC::Core::Channel::SSL_TARGET => 'foo.test.google.fr'
}
p stub_opts
p options['host']
diff --git a/src/ruby/bin/noproto_client.rb b/src/ruby/bin/noproto_client.rb
index 4471052..f3fd110 100755
--- a/src/ruby/bin/noproto_client.rb
+++ b/src/ruby/bin/noproto_client.rb
@@ -89,7 +89,7 @@
if options['secure']
stub_opts = {
:creds => test_creds,
- GRPC::Core::Channel::SSL_TARGET => 'foo.test.google.com'
+ GRPC::Core::Channel::SSL_TARGET => 'foo.test.google.fr'
}
p stub_opts
p options['host']
diff --git a/src/ruby/spec/client_server_spec.rb b/src/ruby/spec/client_server_spec.rb
index 52c9857..030ff32 100644
--- a/src/ruby/spec/client_server_spec.rb
+++ b/src/ruby/spec/client_server_spec.rb
@@ -353,7 +353,7 @@
@server = GRPC::Core::Server.new(@server_queue, nil, server_creds)
server_port = @server.add_http2_port(server_host, true)
@server.start
- args = { Channel::SSL_TARGET => 'foo.test.google.com' }
+ args = { Channel::SSL_TARGET => 'foo.test.google.fr' }
@ch = Channel.new("0.0.0.0:#{server_port}", args,
GRPC::Core::Credentials.new(certs[0], nil, nil))
end
diff --git a/src/ruby/spec/generic/client_stub_spec.rb b/src/ruby/spec/generic/client_stub_spec.rb
index 297a133..adf354f 100644
--- a/src/ruby/spec/generic/client_stub_spec.rb
+++ b/src/ruby/spec/generic/client_stub_spec.rb
@@ -116,7 +116,7 @@
host = FAKE_HOST
blk = proc do
opts = {
- GRPC::Core::Channel::SSL_TARGET => 'foo.test.google.com',
+ GRPC::Core::Channel::SSL_TARGET => 'foo.test.google.fr',
a_channel_arg: 'an_arg',
creds: GRPC::Core::Credentials.new(certs[0], nil, nil)
}