Merge branch 'common-name'

Add support for parsing common/alt names for SSL requests. Fixes #63
WordPress · Oct 6, 2013 · 450f400 · 450f400
2 parents ca0f58b + e91c06b
commit 450f400
Show file tree

Hide file tree

Showing 8 changed files with 433 additions and 28 deletions.
diff --git a/library/Requests.php b/library/Requests.php
@@ -839,4 +839,25 @@ public static function compatible_gzinflate($gzData) {
 
 		return false;
 	}
+
+	public static function match_domain($host, $reference) {
+		// Check for a direct match
+		if ($host === $reference) {
+			return true;
+		}
+
+		// Calculate the valid wildcard match if the host is not an IP address
+		// Also validates that the host has 3 parts or more, as per Firefox's
+		// ruleset.
+		$parts = explode('.', $host);
+		if (ip2long($host) === false && count($parts) >= 3) {
+			$parts[0] = '*';
+			$wildcard = implode('.', $parts);
+			if ($wildcard === $reference) {
+				return true;
+			}
+		}
+
+		return false;
+	}
 }
diff --git a/library/Requests/SSL.php b/library/Requests/SSL.php
@@ -0,0 +1,151 @@
+<?php
+/**
+ * SSL utilities for Requests
+ *
+ * @package Requests
+ * @subpackage Utilities
+ */
+
+/**
+ * SSL utilities for Requests
+ *
+ * Collection of utilities for working with and verifying SSL certificates.
+ *
+ * @package Requests
+ * @subpackage Utilities
+ */
+class Requests_SSL {
+	/**
+	 * Verify the certificate against common name and subject alternative names
+	 *
+	 * Unfortunately, PHP doesn't check the certificate against the alternative
+	 * names, leading things like 'https://www.github.com/' to be invalid.
+	 * Instead
+	 *
+	 * @see http://tools.ietf.org/html/rfc2818#section-3.1 RFC2818, Section 3.1
+	 *
+	 * @throws Requests_Exception On not obtaining a match for the host (`fsockopen.ssl.no_match`)
+	 * @param string $host Host name to verify against
+	 * @param resource $context Stream context
+	 * @return bool
+	 */
+	public static function verify_certificate($host, $cert) {
+		// Calculate the valid wildcard match if the host is not an IP address
+		$parts = explode('.', $host);
+		if (ip2long($host) === false) {
+			$parts[0] = '*';
+		}
+		$wildcard = implode('.', $parts);
+
+		$has_dns_alt = false;
+
+		// Check the subjectAltName
+		if (!empty($cert['extensions']) && !empty($cert['extensions']['subjectAltName'])) {
+			$altnames = explode(',', $cert['extensions']['subjectAltName']);
+			foreach ($altnames as $altname) {
+				$altname = trim($altname);
+				if (strpos($altname, 'DNS:') !== 0)
+					continue;
+
+				$has_dns_alt = true;
+
+				// Strip the 'DNS:' prefix and trim whitespace
+				$altname = trim(substr($altname, 4));
+
+				// Check for a match
+				if (self::match_domain($host, $altname) === true) {
+					return true;
+				}
+			}
+		}
+
+		// Fall back to checking the common name if we didn't get any dNSName
+		// alt names, as per RFC2818
+		if (!$has_dns_alt && !empty($cert['subject']['CN'])) {
+			// Check for a match
+			if (self::match_domain($host, $cert['subject']['CN']) === true) {
+				return true;
+			}
+		}
+
+		return false;
+	}
+
+	/**
+	 * Verify that a reference name is valid
+	 *
+	 * Verifies a dNSName for HTTPS usage, (almost) as per Firefox's rules:
+	 * - Wildcards can only occur in a name with more than 3 components
+	 * - Wildcards can only occur as the last character in the first
+	 *   component
+	 * - Wildcards may be preceded by additional characters
+	 *
+	 * We modify these rules to be a bit stricter and only allow the wildcard
+	 * character to be the full first component; that is, with the exclusion of
+	 * the third rule.
+	 *
+	 * @param string $reference Reference dNSName
+	 * @return boolean Is the name valid?
+	 */
+	public static function verify_reference_name($reference) {
+		$parts = explode('.', $reference);
+
+		// Check the first part of the name
+		$first = array_shift($parts);
+
+		if (strpos($first, '*') !== false) {
+			// Check that the wildcard is the full part
+			if ($first !== '*') {
+				return false;
+			}
+
+			// Check that we have at least 3 components (including first)
+			if (count($parts) < 2) {
+				return false;
+			}
+		}
+
+		// Check the remaining parts
+		foreach ($parts as $part) {
+			if (strpos($part, '*') !== false) {
+				return false;
+			}
+		}
+
+		// Nothing found, verified!
+		return true;
+	}
+
+	/**
+	 * Match a hostname against a dNSName reference
+	 *
+	 * @param string $host Requested host
+	 * @param string $reference dNSName to match against
+	 * @return boolean Does the domain match?
+	 */
+	public static function match_domain($host, $reference) {
+		// Check if the reference is blacklisted first
+		if (self::verify_reference_name($reference) !== true) {
+			return false;
+		}
+
+		// Check for a direct match
+		if ($host === $reference) {
+			return true;
+		}
+
+		// Calculate the valid wildcard match if the host is not an IP address
+		// Also validates that the host has 3 parts or more, as per Firefox's
+		// ruleset.
+		if (ip2long($host) === false) {
+			$parts = explode('.', $host);
+			$parts[0] = '*';
+			$wildcard = implode('.', $parts);
+			if ($wildcard === $reference) {
+				return true;
+			}
+		}
+
+		return false;
+	}
+}
diff --git a/library/Requests/Transport/cacert.pem b/library/Requests/Transport/cacert.pem
@@ -16,6 +16,30 @@
 
 # @(#) $RCSfile: certdata.txt,v $ $Revision: 1.87 $ $Date: 2012/12/29 16:32:45 $
 
+EE Certification Centre Root CA
+===============================
+-----BEGIN CERTIFICATE-----
+MIIEAzCCAuugAwIBAgIQVID5oHPtPwBMyonY43HmSjANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQG
+EwJFRTEiMCAGA1UECgwZQVMgU2VydGlmaXRzZWVyaW1pc2tlc2t1czEoMCYGA1UEAwwfRUUgQ2Vy
+dGlmaWNhdGlvbiBDZW50cmUgUm9vdCBDQTEYMBYGCSqGSIb3DQEJARYJcGtpQHNrLmVlMCIYDzIw
+MTAxMDMwMTAxMDMwWhgPMjAzMDEyMTcyMzU5NTlaMHUxCzAJBgNVBAYTAkVFMSIwIAYDVQQKDBlB
+UyBTZXJ0aWZpdHNlZXJpbWlza2Vza3VzMSgwJgYDVQQDDB9FRSBDZXJ0aWZpY2F0aW9uIENlbnRy
+ZSBSb290IENBMRgwFgYJKoZIhvcNAQkBFglwa2lAc2suZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDIIMDs4MVLqwd4lfNE7vsLDP90jmG7sWLqI9iroWUyeuuOF0+W2Ap7kaJjbMeM
+TC55v6kF/GlclY1i+blw7cNRfdCT5mzrMEvhvH2/UpvObntl8jixwKIy72KyaOBhU8E2lf/slLo2
+rpwcpzIP5Xy0xm90/XsY6KxX7QYgSzIwWFv9zajmofxwvI6Sc9uXp3whrj3B9UiHbCe9nyV0gVWw
+93X2PaRka9ZP585ArQ/dMtO8ihJTmMmJ+xAdTX7Nfh9WDSFwhfYggx/2uh8Ej+p3iDXE/+pOoYtN
+P2MbRMNE1CV2yreN1x5KZmTNXMWcg+HCCIia7E6j8T4cLNlsHaFLAgMBAAGjgYowgYcwDwYDVR0T
+AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFBLyWj7qVhy/zQas8fElyalL1BSZ
+MEUGA1UdJQQ+MDwGCCsGAQUFBwMCBggrBgEFBQcDAQYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEF
+BQcDCAYIKwYBBQUHAwkwDQYJKoZIhvcNAQEFBQADggEBAHv25MANqhlHt01Xo/6tu7Fq1Q+e2+Rj
+xY6hUFaTlrg4wCQiZrxTFGGVv9DHKpY5P30osxBAIWrEr7BSdxjhlthWXePdNl4dp1BUoMUq5KqM
+lIpPnTX/dqQGE5Gion0ARD9V04I8GtVbvFZMIi5GQ4okQC3zErg7cBqklrkar4dBGmoYDQZPxz5u
+uSlNDUmJEYcyW+ZLBMjkXOZ0c5RdFpgTlf7727FE5TpwrDdr5rMzcijJs1eg9gIWiAYLtqZLICjU
+3j2LrTcFU3T+bsy8QxdxXvnFzBqpYe73dgzzcvRyrc9yAjYHR8/vGVCJYMzpJJUPwssd8m92kMfM
+dcGWxZ0=
+-----END CERTIFICATE-----
+
 GTE CyberTrust Global Root
 ==========================
 -----BEGIN CERTIFICATE-----
@@ -3528,27 +3552,3 @@ ucpH9sry9uetuUg/vBa3wW306gmv7PO15wWeph6KU1HWk4HMdJP2udqmJQV0eVp+QD6CSyYRMG7h
 P0HHRwA11fXT91Q+gT3aSWqas+8QPebrb9HIIkfLzM8BMZLZGOMivgkeGj5asuRrDFR6fUNOuIml
 e9eiPZaGzPImNC1qkp2aGtAw4l1OBLBfiyB+d8E9lYLRRpo7PHi4b6HQDWSieB4pTpPDpFQUWw==
 -----END CERTIFICATE-----
-
-EE Certification Centre Root CA
-===============================
------BEGIN CERTIFICATE-----
-MIIEAzCCAuugAwIBAgIQVID5oHPtPwBMyonY43HmSjANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQG
-EwJFRTEiMCAGA1UECgwZQVMgU2VydGlmaXRzZWVyaW1pc2tlc2t1czEoMCYGA1UEAwwfRUUgQ2Vy
-dGlmaWNhdGlvbiBDZW50cmUgUm9vdCBDQTEYMBYGCSqGSIb3DQEJARYJcGtpQHNrLmVlMCIYDzIw
-MTAxMDMwMTAxMDMwWhgPMjAzMDEyMTcyMzU5NTlaMHUxCzAJBgNVBAYTAkVFMSIwIAYDVQQKDBlB
-UyBTZXJ0aWZpdHNlZXJpbWlza2Vza3VzMSgwJgYDVQQDDB9FRSBDZXJ0aWZpY2F0aW9uIENlbnRy
-ZSBSb290IENBMRgwFgYJKoZIhvcNAQkBFglwa2lAc2suZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IB
-DwAwggEKAoIBAQDIIMDs4MVLqwd4lfNE7vsLDP90jmG7sWLqI9iroWUyeuuOF0+W2Ap7kaJjbMeM
-TC55v6kF/GlclY1i+blw7cNRfdCT5mzrMEvhvH2/UpvObntl8jixwKIy72KyaOBhU8E2lf/slLo2
-rpwcpzIP5Xy0xm90/XsY6KxX7QYgSzIwWFv9zajmofxwvI6Sc9uXp3whrj3B9UiHbCe9nyV0gVWw
-93X2PaRka9ZP585ArQ/dMtO8ihJTmMmJ+xAdTX7Nfh9WDSFwhfYggx/2uh8Ej+p3iDXE/+pOoYtN
-P2MbRMNE1CV2yreN1x5KZmTNXMWcg+HCCIia7E6j8T4cLNlsHaFLAgMBAAGjgYowgYcwDwYDVR0T
-AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFBLyWj7qVhy/zQas8fElyalL1BSZ
-MEUGA1UdJQQ+MDwGCCsGAQUFBwMCBggrBgEFBQcDAQYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEF
-BQcDCAYIKwYBBQUHAwkwDQYJKoZIhvcNAQEFBQADggEBAHv25MANqhlHt01Xo/6tu7Fq1Q+e2+Rj
-xY6hUFaTlrg4wCQiZrxTFGGVv9DHKpY5P30osxBAIWrEr7BSdxjhlthWXePdNl4dp1BUoMUq5KqM
-lIpPnTX/dqQGE5Gion0ARD9V04I8GtVbvFZMIi5GQ4okQC3zErg7cBqklrkar4dBGmoYDQZPxz5u
-uSlNDUmJEYcyW+ZLBMjkXOZ0c5RdFpgTlf7727FE5TpwrDdr5rMzcijJs1eg9gIWiAYLtqZLICjU
-3j2LrTcFU3T+bsy8QxdxXvnFzBqpYe73dgzzcvRyrc9yAjYHR8/vGVCJYMzpJJUPwssd8m92kMfM
-dcGWxZ0=
------END CERTIFICATE-----
diff --git a/library/Requests/Transport/fsockopen.php b/library/Requests/Transport/fsockopen.php
@@ -47,6 +47,7 @@ public function request($url, $headers = array(), $data = array(), $options = ar
 		$url_parts = parse_url($url);
 		$host = $url_parts['host'];
 		$context = stream_context_create();
+		$verifyname = false;
 
 		// HTTPS support
 		if (isset($url_parts['scheme']) && strtolower($url_parts['scheme']) === 'https') {
@@ -55,7 +56,10 @@ public function request($url, $headers = array(), $data = array(), $options = ar
 
 			$context_options = array(
 				'verify_peer' => true,
+				// 'CN_match' => $host,
+				'capture_peer_cert' => true
 			);
+			$verifyname = true;
 
 			// SNI, if enabled (OpenSSL >=0.9.8j)
 			if (defined('OPENSSL_TLSEXT_SERVER_NAME') && OPENSSL_TLSEXT_SERVER_NAME) {
@@ -73,6 +77,10 @@ public function request($url, $headers = array(), $data = array(), $options = ar
 				}
 			}
 
+			if (isset($options['verifyname']) && $options['verifyname'] === false) {
+				$verifyname = false;
+			}
+
 			stream_context_set_option($context, array('ssl' => $context_options));
 		}
 		else {
@@ -95,6 +103,12 @@ public function request($url, $headers = array(), $data = array(), $options = ar
 
 		restore_error_handler();
 
+		if ($verifyname) {
+			if (!$this->verify_certificate_from_context($host, $context)) {
+				throw new Requests_Exception('SSL certificate did not match the requested domain name', 'ssl.no_match');
+			}
+		}
+
 		if (!$fp) {
 			if ($errno === 0) {
 				// Connection issue
@@ -326,6 +340,35 @@ public function connect_error_handler($errno, $errstr) {
 		return true;
 	}
 
+	/**
+	 * Verify the certificate against common name and subject alternative names
+	 *
+	 * Unfortunately, PHP doesn't check the certificate against the alternative
+	 * names, leading things like 'https://www.github.com/' to be invalid.
+	 * Instead
+	 *
+	 * @see http://tools.ietf.org/html/rfc2818#section-3.1 RFC2818, Section 3.1
+	 *
+	 * @throws Requests_Exception On failure to connect via TLS (`fsockopen.ssl.connect_error`)
+	 * @throws Requests_Exception On not obtaining a match for the host (`fsockopen.ssl.no_match`)
+	 * @param string $host Host name to verify against
+	 * @param resource $context Stream context
+	 * @return bool
+	 */
+	public function verify_certificate_from_context($host, $context) {
+		$meta = stream_context_get_options($context);
+
+		// If we don't have SSL options, then we couldn't make the connection at
+		// all
+		if (empty($meta) || empty($meta['ssl']) || empty($meta['ssl']['peer_certificate'])) {
+			throw new Requests_Exception(rtrim($this->connect_error), 'ssl.connect_error');
+		}
+
+		$cert = openssl_x509_parse($meta['ssl']['peer_certificate']);
+
+		return Requests_SSL::verify_certificate($host, $cert);
+	}
+
 	/**
 	 * Whether this transport is valid
 	 *