test: add script to create 0-dns-cert.pem

0-dns-cert.pem  and 0-dns-key.pem were stored in `test/fixtures/key`
directory, but the cert file cannot be created with the openssl
command via Makefile.

Added a script to create it with using  `asn1.js` and
`asn1.js-rfc5280` and moved them out of key directory and put into
`test/fixtures/0-dns`.

The domains listed in the cert were also changed into example.com and
example.org to show the use for only testing.

Fixes: https://github.com/nodejs/node/issues/10228
PR-URL: https://github.com/nodejs/node/pull/11579
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>

test/fixtures/0-dns/0-dns-cert.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGDCCAgCgAwIBAgIBATANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDEw5jYS5l
+eGFtcGxlLmNvbTAeFw0xNzAzMDIwMTMxMjJaFw0yNzAyMjgwMTMxMjJaMBsxGTAX
+BgNVBAMTEGV2aWwuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDFyJT0kv2P9L6iNY6TL7IZonAR8R9ev7iD1tR5ycMEpM/y6WTefIco
+civMcBGVZWtCgkoePHiveH9UIep7HFGB4gxCYDZFYB46yGS0YH2fB5GWXTLYObYa
+zxuEhgFRG0DLIwNDRLW0+0FG3disp7YdRHBtdbL58F/qNORqPEjIpoQxOJc2UqX2
+/gfomJRdFW/PSgN7uH2QwMzRQRIrKmyAFzeuEWVP+UAV4853Yg66PmYpAASyt069
+sE8QNTNE75KrerMmYzH7AmTEGvY8bukrDuVQZce2/lcK2rAE+G6at2eBNMZKOnzR
+y9kWIiJ3rR7+WK55EKelLz0doZFKteu1AgMBAAGjaTBnMGUGA1UdEQReMFyCImdv
+b2QuZXhhbXBsZS5vcmcALmV2aWwuZXhhbXBsZS5jb22CGGp1c3QtYW5vdGhlci5l
+eGFtcGxlLmNvbYcECAgICIcECAgEBIIQbGFzdC5leGFtcGxlLmNvbTANBgkqhkiG
+9w0BAQsFAAOCAQEAvreVoOZO2gpM4Dmzp70D30XZjsK9i0BCsRHBvPLPw3y8B2xg
+BRtOREOI69NU0WGpj5Lbqww5M8M1hjHshiGEu2aXfZ6qM3lENaIMCpKlF9jbm02/
+wmxNaAnS8bDSZyO5rbsGr2tJb4ds7DazmMEKWhOBEpJoOp9rG6SAey+a6MkZ7NEN
+0p3THCqNf3lL1KblPrMvdsyhHPEzv4uT7+YAnLKHwGzbihcWJRsRo5oipWL8ZDhn
+bd3SMWtfRTSWDmghJaHke2xIjDtTwSjHjjPTFsK+rl227W8r4/EQI/X6fTQV2j3T
+7zqrJLF9h9F/v3mo57k6sxsQNZ12XvhuTHC2dA==
+-----END CERTIFICATE-----

test/fixtures/0-dns/0-dns-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAxciU9JL9j/S+ojWOky+yGaJwEfEfXr+4g9bUecnDBKTP8ulk
+3nyHKHIrzHARlWVrQoJKHjx4r3h/VCHqexxRgeIMQmA2RWAeOshktGB9nweRll0y
+2Dm2Gs8bhIYBURtAyyMDQ0S1tPtBRt3YrKe2HURwbXWy+fBf6jTkajxIyKaEMTiX
+NlKl9v4H6JiUXRVvz0oDe7h9kMDM0UESKypsgBc3rhFlT/lAFePOd2IOuj5mKQAE
+srdOvbBPEDUzRO+Sq3qzJmMx+wJkxBr2PG7pKw7lUGXHtv5XCtqwBPhumrdngTTG
+Sjp80cvZFiIid60e/liueRCnpS89HaGRSrXrtQIDAQABAoIBABcGA3j5B3VTi0F8
+tI0jtzrOsvcTt5AjB0qpnnBS8VXADcj8LFbN7jniGIEi5pkahkLmwdQFPBNJFqFn
+lVEheceB1eWAJ7EpwDsdisOIm/cAPY1gagPLrAww4cYqh0q2vnMnL0EMZY6c1Pt3
+5borh8KebewAEIaR2ch8wb4wKFTbAM0DftYBFzHAF88OeCuIpdsk2Tz0sVQbA3/1
+XNLOVcJvDOVIRPEpo2l7RIN33KvDhzpMoV3qVzWxqdccPRZZFU5KmJ6DtouIPT3S
+3WauIL5oVpAyYNJETTyxjBQE4DgFeNX1Wyycgk27EoLcn6Trcs0kNVrmXXblNAtJ
+Nko6g10CgYEA+TjzNjyAXPrOpY88uiPVMAgepEQOnDYtMwasdDVaW3xK9KH1rrhU
+dx1IDTMmOUfyU2qsj5txmJtReQz//1bpd7e73VO8mHQDUubhs2TivgGs+fqzAdmT
+vJsjerfNsxf+4JENzzWmqT/Ybc976Tu55VH5mcRG9Q66fTxdAJ51+8MCgYEAyymF
+gntRMBd9e/KIiqlvcxelo0ahyKEzaJC7/FkZotuSB+kAwpdJ5Unb0FeVQZxNhDPg
+xgsrGOOOvHvfhv7DPU0TQ/vp6VDPdg+N6m/Ow2vr79A2v6s+7gZj3MLiLRFyEF6l
+bxQNGe3qavnm3owUQQCY2RLBKYCFfv/cykYlGycCgYB6etKMRQ+QonIMS2i80f9j
+q5njgM7tVnLAMPdv5QiTDXKI50+mnlBkea9/TTPr0r/03ugPa4VYSnyv0QO+qSfz
+/ggFrbFx+xHnHDCvyVTlrE0mTV7L+fHxLw0wskQVUCWil6cBvow5gXcMAHwVE5U4
+biEMwLlele5wvcm3FClHoQKBgACV/RGUQ3atCqqZ13T26iBd2Bdxc7P9awWJLVGb
+/CvxECm/rUXiY88qeFzQc9i9l6ei8qn/jD9FILtAbDOadnutxjly94i5t+9yOgmM
+Cv+bRxHo+s9wsfzDvfP8B+TzYO3VKAr69tK1UfC/CcBojQJm+wndOPtiqH/mQv++
+VgsPAoGBAJ0aNJe3zb+blvAQ3W4iPSjhyxdMC00x46pr6ds+Y8WygbN6lzCvNDw6
+FFTINBckOs5Z/UWUNbExWYjBHZhLlhhxTezCzvIrwNvgUB8Y4sPk3S4KDsnkyy6f
+/qMmEHlVyKjh2BCNs7PVnWDlfl3vECE7n8dBizFHgja76l1ia+0z
+-----END RSA PRIVATE KEY-----

test/fixtures/0-dns/README.md

@@ -0,0 +1,26 @@
+## Purpose
+The test cert file for use `test/parallel/test-tls-0-dns-altname.js`
+can be created by using `asn1.js` and `asn1.js-rfc5280`,
+
+## How to create a test cert.
+
+```sh
+$ openssl genrsa -out 0-dns-key.pem 2048
+Generating RSA private key, 2048 bit long modulus
+...................+++
+..............................................................................................+++
+e is 65537 (0x10001)
+$ openssl rsa -in 0-dns-key.pem -RSAPublicKey_out -outform der -out 0-dns-rsapub.der
+writing RSA key
+$ npm install
+0-dns@1.0.0 /home/github/node/test/fixtures/0-dns
++-- asn1.js@4.9.1
+| +-- bn.js@4.11.6
+| +-- inherits@2.0.3
+| `-- minimalistic-assert@1.0.0
+`-- asn1.js-rfc5280@1.2.2
+
+$ node ./createCert.js
+$ openssl x509 -text -in 0-dns-cert.pem
+(You can not see evil.example.com in subjectAltName field)
+```

test/fixtures/0-dns/create-cert.js

@@ -0,0 +1,75 @@
+'use strict';
+const asn1 = require('asn1.js');
+const crypto = require('crypto');
+const fs = require('fs');
+const rfc5280 = require('asn1.js-rfc5280');
+const BN = asn1.bignum;
+
+const id_at_commonName = [ 2, 5, 4, 3 ];
+const rsaEncryption = [1, 2, 840, 113549, 1, 1, 1];
+const sha256WithRSAEncryption = [1, 2, 840, 113549, 1, 1, 11];
+const sigalg = 'RSA-SHA256';
+
+const private_key = fs.readFileSync('./0-dns-key.pem');
+// public key file can be generated from the private key with
+// openssl rsa -in 0-dns-key.pem -RSAPublicKey_out -outform der
+// -out 0-dns-rsapub.der
+const public_key = fs.readFileSync('./0-dns-rsapub.der');
+
+const now = Date.now();
+const days = 3650;
+
+const Null_ = asn1.define('Null_', function() {
+  this.null_();
+});
+const null_ = Null_.encode('der');
+
+const PrintStr = asn1.define('PrintStr', function() {
+  this.printstr();
+});
+const issuer = PrintStr.encode('ca.example.com', 'der');
+const subject = PrintStr.encode('evil.example.com', 'der');
+
+const tbs = {
+  version: 'v3',
+  serialNumber: new BN('01', 16),
+  signature: { algorithm: sha256WithRSAEncryption, parameters: null_},
+  issuer: { type: 'rdnSequence',
+            value: [ [{type: id_at_commonName, value: issuer}] ] },
+  validity:
+  { notBefore: { type: 'utcTime', value: now },
+    notAfter: { type: 'utcTime', value: now + days * 86400000} },
+  subject: { type: 'rdnSequence',
+             value: [ [{type: id_at_commonName, value: subject}] ] },
+  subjectPublicKeyInfo:
+  { algorithm: { algorithm: rsaEncryption, parameters: null_},
+    subjectPublicKey: { unused: 0, data: public_key} },
+  extensions:
+  [ { extnID: 'subjectAlternativeName',
+      critical: false,
+      // subjectAltName which contains '\0' character to check CVE-2009-2408
+      extnValue: [
+        { type: 'dNSName', value: 'good.example.org\u0000.evil.example.com' },
+        { type: 'dNSName', value: 'just-another.example.com' },
+        { type: 'iPAddress', value: Buffer.from('08080808', 'hex') },
+        { type: 'iPAddress', value: Buffer.from('08080404', 'hex') },
+        { type: 'dNSName', value: 'last.example.com' } ] }
+  ]
+};
+
+const tbs_der = rfc5280.TBSCertificate.encode(tbs, 'der');
+
+const sign = crypto.createSign(sigalg);
+sign.update(tbs_der);
+const signature = sign.sign(private_key);
+
+const cert = {
+  tbsCertificate: tbs,
+  signatureAlgorithm: { algorithm: sha256WithRSAEncryption, parameters: null_ },
+  signature:
+  { unused: 0,
+    data: signature }
+};
+const pem = rfc5280.Certificate.encode(cert, 'pem', {label: 'CERTIFICATE'});
+
+fs.writeFileSync('./0-dns-cert.pem', pem + '\n');

test/fixtures/0-dns/package.json

@@ -0,0 +1,16 @@
+{
+  "name": "0-dns",
+  "version": "1.0.0",
+  "description": "create certificate for 0-dns test",
+  "main": "createCert.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "SEE LICENSE IN ../../../LICENSE",
+  "private": true,
+  "dependencies": {
+    "asn1.js": "^4.9.1",
+    "asn1.js-rfc5280": "^1.2.2"
+  }
+}

test/fixtures/keys/0-dns-cert.pem

@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC/zCCAemgAwIBAgICJxEwCwYJKoZIhvcNAQEFMBUxEzARBgNVBAMWCm9oLm15
-Lmdvc2gwHhcNMTQxMjA4MTM0MTUzWhcNMzQxMjAzMTM0MTUzWjATMREwDwYDVQQD
-FghldmlsLmNvbTCCASAwCwYJKoZIhvcNAQEBA4IBDwAwggEKAoIBAQCsFwwf1dsr
-PdxyTHBreymbFGACLQtaOihGsSkYtIzUEF1aT90YDMzNdoLr4wkwWig5FPRMnjmX
-7pXY9RVbWmwG/M2eku9S62LekUFkeY1W/QftV9LYgAg7wVDA+v3+zk/EMEqADYm6
-W735tzDIKtvx+/3Dd9puQ0TLFNHBxAmTz7YNaJdIUqzs3DWT4zeZQj0RCOyWCjQL
-NfqQ80I7NYFYb4IJqiUY8iOTL5kPi7b5szem5EakQbhufDWun4xGTZk/URZHgYgp
-REbOLTYs2hqbK76biW/Yvwd1l7RsptIvJvkuQ1R/dO1WPv6PLKLTuS1EOHM3YqNH
-o7wDSplOJe5rAgMBAAGhCQMHADEyMzQ1NqIJAwcANzg5YWJjo0swSTBHBgNVHREE
-QDA+ghRnb29nbGUuY29tAC5ldmlsLmNvbYIQanVzdC1hbm90aGVyLmNvbYcECAgI
-CIcECAgEBIIIbGFzdC5jb20wCwYJKoZIhvcNAQEBA4IBAQBAC2n4CIXLnyONTjPc
-qU0wu41wI+IQlb9mi0C7WEd9HumCbskahAp8vTs35DehnSxrl15FG0rABVtTROCv
-eflBKuzwPjtnfZm37UIbQKQUtcxwMQ/zvA83w4GLrLvrFtaQRpXn/RtL/q4CIpQH
-MGaPW1Gs24RVBHxI7OXf9UlUruB1yQLUbbtdBtxZ6pk/B32e3yWowbvG7OxuUL0F
-1w4DD2m+GfbTyZSCfYKP/zMp3xhTxihVfZ2g07ufc51bNCftWKBLHM/QHJmn4pVo
-rrz1vS9nMf/i16zrJ8Xmj61Eo4Aes37lAH5kUiT1VsNxSDcQCiqr1mcj6ByXKNCQ
-wDzO
------END CERTIFICATE-----

test/fixtures/keys/0-dns-key.pem

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEArBcMH9XbKz3cckxwa3spmxRgAi0LWjooRrEpGLSM1BBdWk/d
-GAzMzXaC6+MJMFooORT0TJ45l+6V2PUVW1psBvzNnpLvUuti3pFBZHmNVv0H7VfS
-2IAIO8FQwPr9/s5PxDBKgA2Julu9+bcwyCrb8fv9w3fabkNEyxTRwcQJk8+2DWiX
-SFKs7Nw1k+M3mUI9EQjslgo0CzX6kPNCOzWBWG+CCaolGPIjky+ZD4u2+bM3puRG
-pEG4bnw1rp+MRk2ZP1EWR4GIKURGzi02LNoamyu+m4lv2L8HdZe0bKbSLyb5LkNU
-f3TtVj7+jyyi07ktRDhzN2KjR6O8A0qZTiXuawIDAQABAoIBABUlW9sJlz3QAyeU
-VvgOEUW6EjYSPOPgY5SULl2XyfpA7IetapiK8huJJXtA0Z88ZNbmyUIk6yTNL2KS
-cwZfrQiKxeVnXrsMq4B3ztY+zWxT+UZj1Ue/K8PT9E1SSiWmSkzsNitX/oWEwmpN
-5VOjWJV6hmsfbhrAb1KZA1FQ+nBMEQrkEFpmFD1nJE8dH5rWNo4YbM/boR/kC93G
-CHOwd2TKNrBa8ZeMOjcyUK9fg15CMkj7uTzfIGkjCM/mXOxvsvTuZ0np7PL7aF+o
-GfSHP/l+B5rxT1GTYjZtpSEgAoqYEFJnnZELklo7KRWB7p2rgyHPElSjQN3xIn5Z
-apNPrBECgYEA26gZGBP+j1Hqrh3nAhOq/t6PMj+V8yz/i2TrraJ1z7GKRGoBUOX9
-ruJGJExfACzgrKl1hL4XRfLdHuooScUqrIxLX7eKHE2nBSd0M40zEKbgIMRhaMsf
-lAFOkxJRHMT7edaVu3MkSfDgFXRbhr+jcdxspzhunHMJVUnC5LgAKHMCgYEAyJAw
-6GF80Uud5oDHo2tGY9uYgMIUN9rmrrFjqstkVB6QMFlyyeI3MHUhiU7qH53yaRCi
-FxuHU6usQFmduwZAKInoPMRhYTYbexe4CYB+C96trwoV7ltDE+a7ZTsEj5kSYvCO
-KLcVTn4mcU0TSpE0MU1XQKP0Ev/mdZ5aYEopvCkCgYEAlkVa3YkYNq5g8btNRbN0
-4SYbKtIrYJChRpjFTyV8mZkpMYKf4dtmANWWDNEekP0iu5y25BgzzcvHkJW6+DTl
-6+OS0Sm8V36cS79hFL99dt/jJyeSSGHl+ZgnTCBU02zDaefuya2M3vTmKGdREk9a
-ntOglYnayjc85Fcw+M4UdZcCgYAFw/9j7smDysSzR6h1jjPr0vhDW1Dxeh1/kCHp
-Wwd7U5WZjji6jQJBJlzccaRRXF0HoC7Is0Xkpd7BytG5+qgFglFmzc5u2PtZQolL
-3KHC/ZfInGWdAIqhG9TvSA8Ngb0BkyDDEuBN7Vp1j12qmxoBANQtS4lMsoaRgwfe
-FMO2YQKBgGv6Ndv+eHWSkqGFOSXU6dXAjOuAji3K1yRlxUg/RS/DCMK+8XQbuh47
-+p998LwvI70JIr4v2PAkO3/HaRILOTRLLvq8O/yqHwrVf+P7AQ8kPm7uUf7kTXat
-DYcKIAp5ddZweyFCgwVm+JMd1E+cpL97RbHCbu7Ct6OD9uLGXCUh
------END RSA PRIVATE KEY-----

test/parallel/test-tls-0-dns-altname.js

@@ -2,6 +2,8 @@
 const common = require('../common');
 const assert = require('assert');
 
+// Check getPeerCertificate can properly handle '\0' for fix CVE-2009-2408.
+
 if (!common.hasCrypto) {
   common.skip('missing crypto');
   return;
@@ -11,8 +13,8 @@ const tls = require('tls');
 const fs = require('fs');
 
 const server = tls.createServer({
-  key: fs.readFileSync(common.fixturesDir + '/keys/0-dns-key.pem'),
-  cert: fs.readFileSync(common.fixturesDir + '/keys/0-dns-cert.pem')
+  key: fs.readFileSync(common.fixturesDir + '/0-dns/0-dns-key.pem'),
+  cert: fs.readFileSync(common.fixturesDir + '/0-dns/0-dns-cert.pem')
 }, function(c) {
   c.once('data', function() {
     c.destroy();
@@ -24,11 +26,11 @@ const server = tls.createServer({
   }, common.mustCall(function() {
     const cert = c.getPeerCertificate();
     assert.strictEqual(cert.subjectaltname,
-                       'DNS:google.com\0.evil.com, ' +
-                           'DNS:just-another.com, ' +
+                       'DNS:good.example.org\0.evil.example.com, ' +
+                           'DNS:just-another.example.com, ' +
                            'IP Address:8.8.8.8, ' +
                            'IP Address:8.8.4.4, ' +
-                           'DNS:last.com');
+                           'DNS:last.example.com');
     c.write('ok');
   }));
 }));