envoyproxy · ggreenway · Jun 27, 2024 · Jun 1, 2024 · Jun 1, 2024 · Jun 1, 2024
diff --git a/api/envoy/extensions/transport_sockets/tls/v3/common.proto b/api/envoy/extensions/transport_sockets/tls/v3/common.proto
@@ -314,13 +314,21 @@ message SubjectAltNameMatcher {
     DNS = 2;
     URI = 3;
     IP_ADDRESS = 4;
+    OTHER_NAME = 5;
   }
 
   // Specification of type of SAN. Note that the default enum value is an invalid choice.
   SanType san_type = 1 [(validate.rules).enum = {defined_only: true not_in: 0}];
 
   // Matcher for SAN value.
   type.matcher.v3.StringMatcher matcher = 2 [(validate.rules).message = {required: true}];
+
+  // OID Value which is required if OTHER_NAME SAN type is used.
+  // For example, UPN OID is 1.3.6.1.4.1.311.20.2.3
+  // (Reference: http://oid-info.com/get/1.3.6.1.4.1.311.20.2.3).
+  //
+  // If set for SAN types other than OTHER_NAME, it will be ignored.
+  string oid = 3;
 }
 
 // [#next-free-field: 18]

diff --git a/changelogs/current.yaml b/changelogs/current.yaml
@@ -214,6 +214,12 @@ new_features:
     added :ref:`stat_prefix
     <envoy_v3_api_field_extensions.access_loggers.open_telemetry.v3.OpenTelemetryAccessLogConfig.stat_prefix>`
     configuration to support additional stat prefix for the OpenTelemetry logger.
+- area: tls
+  change: |
+    added support to match against ``OtherName`` SAN Type under :ref:`match_typed_subject_alt_names
+    <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
+    An additional field ``oid`` is added to :ref:`SubjectAltNameMatcher
+    <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.SubjectAltNameMatcher>` to support this change.
 
 deprecated:
 - area: tracing

diff --git a/source/common/ssl/certificate_validation_context_config_impl.cc b/source/common/ssl/certificate_validation_context_config_impl.cc
@@ -100,6 +100,7 @@ CertificateValidationContextConfigImpl::getSubjectAltNameMatchers(
   }
   // Handle deprecated string type san matchers without san type specified, by
   // creating a matcher for each supported type.
+  // Note: This does not handle otherName type
   for (const envoy::type::matcher::v3::StringMatcher& matcher : config.match_subject_alt_names()) {
     static constexpr std::array<
         envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::SanType, 4>

diff --git a/source/common/tls/cert_validator/san_matcher.cc b/source/common/tls/cert_validator/san_matcher.cc
@@ -18,6 +18,11 @@ bool StringSanMatcher::match(const GENERAL_NAME* general_name) const {
   if (general_name->type != general_name_type_) {
     return false;
   }
+  if (general_name->type == GEN_OTHERNAME) {
+    if (OBJ_cmp(general_name->d.otherName->type_id, general_name_oid_.get())) {
+      return false;
+    }
+  }
   // For DNS SAN, if the StringMatcher type is exact, we have to follow DNS matching semantics.
   const std::string san = Utility::generalNameAsString(general_name);
   return general_name->type == GEN_DNS &&
@@ -32,7 +37,7 @@ SanMatcherPtr createStringSanMatcher(
     Server::Configuration::CommonFactoryContext& context) {
   // Verify that a new san type has not been added.
   static_assert(envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::SanType_MAX ==
-                4);
+                5);
 
   switch (matcher.san_type()) {
     PANIC_ON_PROTO_ENUM_SENTINEL_VALUES;
@@ -44,6 +49,15 @@ SanMatcherPtr createStringSanMatcher(
     return SanMatcherPtr{std::make_unique<StringSanMatcher>(GEN_URI, matcher.matcher(), context)};
   case envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::IP_ADDRESS:
     return SanMatcherPtr{std::make_unique<StringSanMatcher>(GEN_IPADD, matcher.matcher(), context)};
+  case envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::OTHER_NAME: {
+    // Invalid/Empty OID returns a nullptr from OBJ_txt2obj
+    bssl::UniquePtr<ASN1_OBJECT> oid(OBJ_txt2obj(matcher.oid().c_str(), 0));
+    if (oid == nullptr) {
+      return nullptr;
+    };
+    return SanMatcherPtr{std::make_unique<StringSanMatcher>(GEN_OTHERNAME, matcher.matcher(),
+                                                            context, std::move(oid))};
+  }
   case envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::SAN_TYPE_UNSPECIFIED:
     PANIC("unhandled value");
   }

diff --git a/source/common/tls/cert_validator/san_matcher.h b/source/common/tls/cert_validator/san_matcher.h
@@ -35,12 +35,15 @@ class StringSanMatcher : public SanMatcher {
   bool match(const GENERAL_NAME* general_name) const override;
   ~StringSanMatcher() override = default;
   StringSanMatcher(int general_name_type, envoy::type::matcher::v3::StringMatcher matcher,
-                   Server::Configuration::CommonFactoryContext& context)
-      : general_name_type_(general_name_type), matcher_(matcher, context) {}
+                   Server::Configuration::CommonFactoryContext& context,
+                   bssl::UniquePtr<ASN1_OBJECT>&& general_name_oid = nullptr)
+      : general_name_type_(general_name_type), matcher_(matcher, context),
+        general_name_oid_(std::move(general_name_oid)) {}
 
 private:
   const int general_name_type_;
   const Matchers::StringMatcherImpl<envoy::type::matcher::v3::StringMatcher> matcher_;
+  bssl::UniquePtr<ASN1_OBJECT> general_name_oid_;
 };
 
 SanMatcherPtr createStringSanMatcher(

diff --git a/source/common/tls/utility.cc b/source/common/tls/utility.cc
@@ -226,6 +226,10 @@ std::string Utility::generalNameAsString(const GENERAL_NAME* general_name) {
     }
     break;
   }
+  case GEN_OTHERNAME:
+    str = general_name->d.otherName->value->value.asn1_string;
+    san.assign(reinterpret_cast<const char*>(ASN1_STRING_data(str)), ASN1_STRING_length(str));
+    break;
   }
   return san;
 }

diff --git a/test/common/tls/cert_validator/default_validator_test.cc b/test/common/tls/cert_validator/default_validator_test.cc
@@ -47,6 +47,50 @@ TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameDNSMatched) {
   EXPECT_TRUE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers));
 }
 
+TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameOtherNameMatched) {
+  NiceMock<Server::Configuration::MockServerFactoryContext> context;
+
+  bssl::UniquePtr<X509> cert = readCertFromFile(TestEnvironment::substitute(
+      "{{ test_rundir }}/test/common/tls/test_data/san_othername_cert.pem"));
+  envoy::type::matcher::v3::StringMatcher matcher;
+  matcher.MergeFrom(TestUtility::createRegexMatcher(R"raw([^.]*\.example.com)raw"));
+  bssl::UniquePtr<ASN1_OBJECT> oid(OBJ_txt2obj("1.3.6.1.4.1.311.20.2.3", 0));
+  std::vector<SanMatcherPtr> subject_alt_name_matchers;
+  subject_alt_name_matchers.push_back(SanMatcherPtr{
+      std::make_unique<StringSanMatcher>(GEN_OTHERNAME, matcher, context, std::move(oid))});
+  EXPECT_TRUE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers));
+}
+
+TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameDnsAndOtherNameMatched) {
+  NiceMock<Server::Configuration::MockServerFactoryContext> context;
+
+  bssl::UniquePtr<X509> cert = readCertFromFile(TestEnvironment::substitute(
+      "{{ test_rundir }}/test/common/tls/test_data/san_dns_and_othername_cert.pem"));
+  envoy::type::matcher::v3::StringMatcher matcher;
+  matcher.MergeFrom(TestUtility::createRegexMatcher(R"raw([^.]*\.example.com)raw"));
+  bssl::UniquePtr<ASN1_OBJECT> oid(OBJ_txt2obj("1.3.6.1.4.1.311.20.2.3", 0));
+  std::vector<SanMatcherPtr> subject_alt_name_matchers;
+  subject_alt_name_matchers.push_back(
+      SanMatcherPtr{std::make_unique<StringSanMatcher>(GEN_DNS, matcher, context)});
+  subject_alt_name_matchers.push_back(SanMatcherPtr{
+      std::make_unique<StringSanMatcher>(GEN_OTHERNAME, matcher, context, std::move(oid))});
+  EXPECT_TRUE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers));
+}
+
+TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameOtherNameIncorrectOidMatched) {
+  NiceMock<Server::Configuration::MockServerFactoryContext> context;
+
+  bssl::UniquePtr<X509> cert = readCertFromFile(TestEnvironment::substitute(
+      "{{ test_rundir }}/test/common/tls/test_data/san_othername_cert.pem"));
+  envoy::type::matcher::v3::StringMatcher matcher;
+  matcher.MergeFrom(TestUtility::createRegexMatcher(R"raw([^.]*\.example.com)raw"));
+  bssl::UniquePtr<ASN1_OBJECT> oid(OBJ_txt2obj("1.3.6.1.4.1.311.20.2.2", 0));
+  std::vector<SanMatcherPtr> subject_alt_name_matchers;
+  subject_alt_name_matchers.push_back(SanMatcherPtr{
+      std::make_unique<StringSanMatcher>(GEN_OTHERNAME, matcher, context, std::move(oid))});
+  EXPECT_FALSE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers));
+}
+
 TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameIncorrectTypeMatched) {
   NiceMock<Server::Configuration::MockServerFactoryContext> context;
 

diff --git a/test/common/tls/cert_validator/san_matcher_test.cc b/test/common/tls/cert_validator/san_matcher_test.cc
@@ -30,6 +30,10 @@ TEST(SanMatcherConfigTest, TestValidSanType) {
     envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher san_matcher;
     san_matcher.mutable_matcher()->set_exact("foo.example");
     san_matcher.set_san_type(san_type);
+    if (san_type ==
+        envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::OTHER_NAME) {
+      san_matcher.set_oid("1.3.6.1.4.1.311.20.2.3"); // Set dummy OID
+    }
     if (san_type == envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::
                         SAN_TYPE_UNSPECIFIED) {
       EXPECT_DEATH(createStringSanMatcher(san_matcher, context), "unhandled value");
@@ -42,6 +46,17 @@ TEST(SanMatcherConfigTest, TestValidSanType) {
   }
 }
 
+// Verify that setting Invalid OID for OtherName SAN results in a panic.
+TEST(SanMatcherConfigTest, TestInvalidOidOtherNameSanType) {
+  NiceMock<Server::Configuration::MockServerFactoryContext> context;
+  envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher san_matcher;
+  san_matcher.mutable_matcher()->set_exact("foo.example");
+  san_matcher.set_oid("1.3.6.1.4.1.311.20.2.ffff");
+  san_matcher.set_san_type(
+      envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::OTHER_NAME);
+  EXPECT_EQ(createStringSanMatcher(san_matcher, context), nullptr);
+}
+
 TEST(SanMatcherConfigTest, UnspecifiedSanType) {
   NiceMock<Server::Configuration::MockServerFactoryContext> context;
   envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher san_matcher;

diff --git a/test/common/tls/test_data/README.md b/test/common/tls/test_data/README.md
@@ -29,6 +29,12 @@ There are 15 identities:
 - **SAN With URI**: It has the certificate *san_uri_cert.pem*, which is signed
   by the **CA** using the config *san_uri_cert.cfg*. The certificate has SAN
   field of URI type. *san_uri_key.pem* is its private key.
+- **SAN With OtherName**: It has the certificate *san_othername_cert.pem*, which is signed
+  by the **CA** using the config *san_othername_cert.cfg*. The certificate has SAN
+  field of OtherName(UPN) type. *san_othername_key.pem* is its private key.
+- **SAN With OtherName and DNS**: It has the certificate *san_othername_cert.pem*, which is signed
+  by the **CA** using the config *san_dns_and_othername_cert.cfg*. The certificate has two SAN
+  fields, one DNS and one OtherName(UPN) type. *san_dns_and_othername_key.pem* is its private key.
 - **Password-protected**: The password-protected certificate *password_protected_cert.pem*,
   using the config *san_uri_cert.cfg*. *password_protected_key.pem* is
   its private key encrypted using the password supplied in *password_protected_password.txt*.

diff --git a/test/common/tls/test_data/certs.sh b/test/common/tls/test_data/certs.sh
@@ -234,6 +234,14 @@ generate_x509_cert san_uri ca
 generate_rsa_key san_ip
 generate_x509_cert san_ip ca
 
+# Generate san_othername_cert.pem.
+generate_rsa_key san_othername
+generate_x509_cert san_othername ca
+
+# Generate san_dns_and_othername_cert.pem.
+generate_rsa_key san_dns_and_othername
+generate_x509_cert san_dns_and_othername ca
+
 # Concatenate san_ip_cert.pem and Test Intermediate CA (intermediate_ca_cert.pem) to create valid certificate chain.
 cat san_ip_cert.pem intermediate_ca_cert.pem > san_ip_chain.pem
 

diff --git a/test/common/tls/test_data/san_dns_and_othername_cert.cfg b/test/common/tls/test_data/san_dns_and_othername_cert.cfg
@@ -0,0 +1,37 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[req_distinguished_name]
+countryName = US
+countryName_default = US
+stateOrProvinceName = California
+stateOrProvinceName_default = California
+localityName = San Francisco
+localityName_default = San Francisco
+organizationName = Lyft
+organizationName_default = Lyft
+organizationalUnitName = Lyft Engineering
+organizationalUnitName_default = Lyft Engineering
+commonName = Test Server
+commonName_default = Test Server
+commonName_max  = 64
+
+[v3_req]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth
+subjectAltName = @alt_names
+subjectKeyIdentifier = hash
+
+[v3_ca]
+basicConstraints = critical, CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth
+subjectAltName = @alt_names
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[alt_names]
+DNS.1 = server1.example.com
+otherName.1 = 1.3.6.1.4.1.311.20.2.3;UTF8:server1.example.com
diff --git a/test/common/tls/test_data/san_dns_and_othername_cert.pem b/test/common/tls/test_data/san_dns_and_othername_cert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEQTCCAymgAwIBAgIUOdN440ZeucQGIFJ7uRJczkvWIIowDQYJKoZIhvcNAQEL
+BQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
+DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n
+aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjQwNjAxMjIyMTMxWhcNMjYw
+NjAxMjIyMTMxWjB6MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW
+MBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQ
+THlmdCBFbmdpbmVlcmluZzEUMBIGA1UEAwwLVGVzdCBTZXJ2ZXIwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4ciZSrbe8JTZivyiEUdTjPHpWZp3dNuqf
+1dZduzAl9aQG8CMQhidwgI721TVRLYwDum1Eusky+nq3+X0JOBBsrs6A+mGZu/Em
+W2PLmpJhAmsQG9iqOhgJuoAUmexCD/Zrv1HQJYsCEKZCV7qjbScj3qvwFDW+Zs4R
+/Q8/pzMpQV6ktC+n4cc81DAK6AUZVeMmRSFefNudloZNNYyKI0XOuURMBi/+ZN+G
+L/xzzzzFzH1Q9QLVAL+ySxquhuwqLp2md7Ed/821+DZvLJfKrW2nDDcQIC8FEIfy
+w92WHv4Qth12f0jx/GR1AFTUiGgeNyQbjJU+bkfBmyRXDPe5EQ8RAgMBAAGjgcIw
+gb8wDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUH
+AwIGCCsGAQUFBwMBMEMGA1UdEQQ8MDqCE3NlcnZlcjEuZXhhbXBsZS5jb22gIwYK
+KwYBBAGCNxQCA6AVDBNzZXJ2ZXIxLmV4YW1wbGUuY29tMB0GA1UdDgQWBBQwzMfn
+25vM1z02zWxMuZChTnm8wjAfBgNVHSMEGDAWgBTQumAzod6zDNdAA8q1kU0sEGXw
+mzANBgkqhkiG9w0BAQsFAAOCAQEAaSGH+VONB4BbU12K3xuCsdWYixfJFmNdhEvw
+SLGqAY7z2PnybNzgRaGMBPrcgL8Uw88faqbGCVd6ewsnesvUz9VACTksT9XjaCkW
+h3xF7W4GbrJQWU02vHOLUda0/89VLdpQcM76z4ZRCKDHrCNO/4ncOXl87haKAELz
+8QwhDIk09nEDbDdOYCQAG51iRTVBRmBnT2hShof89z1c0rRgEMLQ5u8EXk7rtAXu
+Mldg1N5ll93l7aC87/8iqNWX+3j8P1ynmjbjclpTrMbHk/q4lybDcsjTpjOJgSSZ
+dP2MpZEfAXL/taDEf2siOUxmjFO9gIoGTjlM4SoNvA5IVyHefw==
+-----END CERTIFICATE-----
diff --git a/test/common/tls/test_data/san_dns_and_othername_cert_info.h b/test/common/tls/test_data/san_dns_and_othername_cert_info.h
@@ -0,0 +1,13 @@
+#pragma once
+
+// NOLINT(namespace-envoy)
+constexpr char TEST_SAN_DNS_AND_OTHERNAME_CERT_256_HASH[] =
+    "10b81b089fa82a542ef4637cd058e8a8ce9aac13703bc7c0f3b18eecd0bafa01";
+constexpr char TEST_SAN_DNS_AND_OTHERNAME_CERT_1_HASH[] =
+    "b2cdaab75e39c57abb9134271432a15a7078a83c";
+constexpr char TEST_SAN_DNS_AND_OTHERNAME_CERT_SPKI[] =
+    "orMj1YQ0Kw6uh/WkfJ/IITdlgbQTF+Lb1Jj+b6R+J+w=";
+constexpr char TEST_SAN_DNS_AND_OTHERNAME_CERT_SERIAL[] =
+    "39d378e3465eb9c40620527bb9125cce4bd6208a";
+constexpr char TEST_SAN_DNS_AND_OTHERNAME_CERT_NOT_BEFORE[] = "Jun  1 22:21:31 2024 GMT";
+constexpr char TEST_SAN_DNS_AND_OTHERNAME_CERT_NOT_AFTER[] = "Jun  1 22:21:31 2026 GMT";
diff --git a/test/common/tls/test_data/san_dns_and_othername_key.pem b/test/common/tls/test_data/san_dns_and_othername_key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC4ciZSrbe8JTZi
+vyiEUdTjPHpWZp3dNuqf1dZduzAl9aQG8CMQhidwgI721TVRLYwDum1Eusky+nq3
++X0JOBBsrs6A+mGZu/EmW2PLmpJhAmsQG9iqOhgJuoAUmexCD/Zrv1HQJYsCEKZC
+V7qjbScj3qvwFDW+Zs4R/Q8/pzMpQV6ktC+n4cc81DAK6AUZVeMmRSFefNudloZN
+NYyKI0XOuURMBi/+ZN+GL/xzzzzFzH1Q9QLVAL+ySxquhuwqLp2md7Ed/821+DZv
+LJfKrW2nDDcQIC8FEIfyw92WHv4Qth12f0jx/GR1AFTUiGgeNyQbjJU+bkfBmyRX
+DPe5EQ8RAgMBAAECggEAHxShL5J1YR92LCqhJbbyZD5HMTMGjAXagIeUoWPPJ75e
+XwrtJbYthDAtpxtjaiP+MYyjKA8/ozcBIepJLxoC7oWAZ8yJUNISP0/sH52S6ATz
+zJmcp4a1kUIbnh0X6kPtVte87hG9fGIY2hoVab+Vdl5p48FMEyMYu4BEpwnCPcOs
+RpZokVAyuJnqlPhcxU0BctmjmGQIFHqQ7G0stbukfispbR6+iZoo8ltVh0lemBS9
+hJ1E2SCXQSiC6m/0+I1jRA3kgmyB/0XArpXP+TmTcNiiNyDtSbMQmtw1v1Z8CPfB
+2LJGIMhmICQ9BwUvNHAPbG7hHyQU2bM4GIERL8lmHwKBgQDpciPHbLxOtmmAyY5w
+gmONYiou/EjizmSWdxTHPcsnzlqUUw7ds+1ieNLUn3icaWhwzY4zJ6lHT0ZqmzHB
+w7TuIBK5BgBmqUQIYMv45Rn+r3na5nP080QqBrkr3ZXOhfg5uPAwiFbKEsRMJZ/2
+CP6PiaRTIUtjKvb3buHmF06x1wKBgQDKRBWu28vo9TUY6ssLzlfK8CK5rprWqdXd
+LQUZ13f/XEd4KFgfNBG77jDBQxaXbP4G2VDHTLCOzA6egWY3qN6BGDv+wD7Q7yde
+HT+KOuGMvrT00MgdlrLfTBjGM0BC1GeFc90UnBOfWumWKa5551btdTazoYe7EIyD
+JZghnlx5VwKBgDrmAF71cUFOxqmmsNh0HVfzl38JSf5nYnuQCd8HGTWu262mkw6e
+sdrxbwgUQCL+eUpUoncHn68NMk/9Xf1sOj8GOpMSD5HXTQHsIipm6zsV3OG82S7J
+Hb6Yual2m7BinrE5lug3zeXn/DzWFVjHBisC6EHNGa8ojOz6veYGpWU7AoGAL2fF
+rTXWlMLjrvNYo2u5J9cgTGSf5a/ob+4dQ/E8Lp1yIrdR7/5EKceppaITqWniH7jP
+NebDerRYuM2bJ3BstdT4OrzT/CQRFf3E5qDmPBZ2Uuqb/FNVmQA8zjc02HTvzldZ
+eXsbHj4wgQFD405VEVJnf7JcHXvDcvlcroRvKAECgYEA3aPHpiHEoXAPyUSAvZuh
+OwM6+GIxWJpqZ+EFqIfTO7BPWnZT0skjxJlMAgTO+LJaczcU49ooXWeFcNFBr9sJ
+iyd70CBXrmQQjMzRwafbAHach/o4LREphtr73Q6xvE2OCvFqCHQkB1mRRl9Ikoe5
+lO/82VvYXXW/iiNsFxvOQ+w=
+-----END PRIVATE KEY-----
diff --git a/test/common/tls/test_data/san_othername_cert.cfg b/test/common/tls/test_data/san_othername_cert.cfg
@@ -0,0 +1,36 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[req_distinguished_name]
+countryName = US
+countryName_default = US
+stateOrProvinceName = California
+stateOrProvinceName_default = California
+localityName = San Francisco
+localityName_default = San Francisco
+organizationName = Lyft
+organizationName_default = Lyft
+organizationalUnitName = Lyft Engineering
+organizationalUnitName_default = Lyft Engineering
+commonName = Test Server
+commonName_default = Test Server
+commonName_max  = 64
+
+[v3_req]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth
+subjectAltName = @alt_names
+subjectKeyIdentifier = hash
+
+[v3_ca]
+basicConstraints = critical, CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth
+subjectAltName = @alt_names
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[alt_names]
+otherName.1 = 1.3.6.1.4.1.311.20.2.3;UTF8:server1.example.com
diff --git a/test/common/tls/test_data/san_othername_cert.pem b/test/common/tls/test_data/san_othername_cert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIELDCCAxSgAwIBAgIUOdN440ZeucQGIFJ7uRJczkvWIIkwDQYJKoZIhvcNAQEL
+BQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
+DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n
+aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjQwNjAxMjIyMTMxWhcNMjYw
+NjAxMjIyMTMxWjB6MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW
+MBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQ
+THlmdCBFbmdpbmVlcmluZzEUMBIGA1UEAwwLVGVzdCBTZXJ2ZXIwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKnvJaESqyoF10NLh5GlMhF3Zom7D1AxiK
+RIrdkHW0w8NloVSgTZvNrBQi7Iz1xfMw9Ep63qmlJGaNZcl0jf8bU8MtVP6prJNf
+tBMzl+nj6sK7xYHXl7CpDwX+rg5pYovgNGdaJAFmpbteuHhqZ8Yeh5tSSLWNdjmA
+c5mdl219kh5stVjMyetgjr2qaZsx99ze0syERmmE83OpSMVGtswsBv8ElPVnlEVI
+qLPBpHawFjbBrCiCoxYyLGnJ3ZAnaVrZ1J4VX2PfqEj90KtSRUwuIyUe0QgTh1dX
+ui56DHQWjy5lIDJl8DzeS53FZcegmYqGSyAj52+g4JAdPeQp1pyxAgMBAAGjga0w
+gaowDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUH
+AwIGCCsGAQUFBwMBMC4GA1UdEQQnMCWgIwYKKwYBBAGCNxQCA6AVDBNzZXJ2ZXIx
+LmV4YW1wbGUuY29tMB0GA1UdDgQWBBTD9LZP+nM7iX7wehpdAfg1ItRpnDAfBgNV
+HSMEGDAWgBTQumAzod6zDNdAA8q1kU0sEGXwmzANBgkqhkiG9w0BAQsFAAOCAQEA
+P4eYX5yZYGyOUEWVlozTazrytA/gjsVn3UXmFD/BBVCYMxzBF5VSmYFnfxHuqCjM
+hkYT6aeToaEaCb0CUoQjZNun8/mTsq/m3FoZ9wTf4kdJuNk/ynlzHz5iYyGxvS0D
+H5KyVRi5HHJDvi+caDov802MNi86IlT7qyQjqQ0tstgVFVnJdaaPyjlLjm6feYK5
+qs3/or6EoMowh3sWLE49RRjfN79m+1Ku+ttfyTFVR83uYGoMGHN30yFbajwo4OGV
+Rmg8DCh/dZA8YZART7QM5T4gbu2SFCVvbH2+rBmJp04udHdaxLjdv4+uCejWAzID
+UVEqd3E0cM8o9yEZxxVuKA==
+-----END CERTIFICATE-----
diff --git a/test/common/tls/test_data/san_othername_cert_info.h b/test/common/tls/test_data/san_othername_cert_info.h
@@ -0,0 +1,10 @@
+#pragma once
+
+// NOLINT(namespace-envoy)
+constexpr char TEST_SAN_OTHERNAME_CERT_256_HASH[] =
+    "b7d8db1c1e02cc191acc30b6a1749b83c9e14e7a0059a67ca6b5344569731e22";
+constexpr char TEST_SAN_OTHERNAME_CERT_1_HASH[] = "b0f044fd07a9554b0ecca7376e5233199ab8d781";
+constexpr char TEST_SAN_OTHERNAME_CERT_SPKI[] = "PoqTwnrbRJFeMFOcDRfMJoeYUSuZLXAlYPQl6m4R/JE=";
+constexpr char TEST_SAN_OTHERNAME_CERT_SERIAL[] = "39d378e3465eb9c40620527bb9125cce4bd62089";
+constexpr char TEST_SAN_OTHERNAME_CERT_NOT_BEFORE[] = "Jun  1 22:21:31 2024 GMT";
+constexpr char TEST_SAN_OTHERNAME_CERT_NOT_AFTER[] = "Jun  1 22:21:31 2026 GMT";