XRootD
XrdTlsNotaryUtils.icc File Reference
#include <openssl/x509v3.h>
#include <openssl/ssl.h>
+ Include dependency graph for XrdTlsNotaryUtils.icc:
+ This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Macros

#define HOSTNAME_MAX_SIZE   255
 

Functions

static HostnameValidationResult matches_common_name (const char *hostname, const X509 *server_cert)
 
static HostnameValidationResult matches_subject_alternative_name (const char *hostname, const X509 *server_cert)
 
HostnameValidationResult validate_hostname (const char *hostname, const X509 *server_cert)
 

Macro Definition Documentation

◆ HOSTNAME_MAX_SIZE

#define HOSTNAME_MAX_SIZE   255

Definition at line 47 of file XrdTlsNotaryUtils.icc.

Function Documentation

◆ matches_common_name()

static HostnameValidationResult matches_common_name ( const char *  hostname,
const X509 *  server_cert 
)
static

Tries to find a match for hostname in the certificate's Common Name field.

Returns MatchFound if a match was found. Returns MatchNotFound if no matches were found. Returns MalformedCertificate if the Common Name had a NUL character embedded in it. Returns Error if the Common Name could not be extracted.

Definition at line 57 of file XrdTlsNotaryUtils.icc.

57  {
58  int common_name_loc = -1;
59  X509_NAME_ENTRY *common_name_entry = NULL;
60  ASN1_STRING *common_name_asn1 = NULL;
61  char *common_name_str = NULL;
62 
63  // Find the position of the CN field in the Subject field of the certificate
64  common_name_loc = X509_NAME_get_index_by_NID(X509_get_subject_name((X509 *) server_cert), NID_commonName, -1);
65  if (common_name_loc < 0) {
66  return Error;
67  }
68 
69  // Extract the CN field
70  common_name_entry = X509_NAME_get_entry(X509_get_subject_name((X509 *) server_cert), common_name_loc);
71  if (common_name_entry == NULL) {
72  return Error;
73  }
74 
75  // Convert the CN field to a C string
76  common_name_asn1 = X509_NAME_ENTRY_get_data(common_name_entry);
77  if (common_name_asn1 == NULL) {
78  return Error;
79  }
80 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
81  common_name_str = (char *) ASN1_STRING_get0_data(common_name_asn1);
82 #else
83  common_name_str = (char *) ASN1_STRING_data(common_name_asn1);
84 #endif
85 
86  // Make sure there isn't an embedded NUL character in the CN
87  if ((size_t)ASN1_STRING_length(common_name_asn1) != strlen(common_name_str)) {
88  return MalformedCertificate;
89  }
90 
91  // Compare expected hostname with the CN
92  if (Curl_cert_hostcheck(common_name_str, hostname) == CURL_HOST_MATCH) {
93  return MatchFound;
94  }
95  else {
96  return MatchNotFound;
97  }
98 }
int Curl_cert_hostcheck(const char *match_pattern, const char *hostname)
#define CURL_HOST_MATCH
@ MatchNotFound
@ MalformedCertificate
@ MatchFound

References Curl_cert_hostcheck(), CURL_HOST_MATCH, Macaroons::Error, MalformedCertificate, MatchFound, and MatchNotFound.

Referenced by XrdTlsNotary::Validate(), and validate_hostname().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ matches_subject_alternative_name()

static HostnameValidationResult matches_subject_alternative_name ( const char *  hostname,
const X509 *  server_cert 
)
static

Tries to find a match for hostname in the certificate's Subject Alternative Name extension.

Returns MatchFound if a match was found. Returns MatchNotFound if no matches were found. Returns MalformedCertificate if any of the hostnames had a NUL character embedded in it. Returns NoSANPresent if the SAN extension was not present in the certificate.

Definition at line 109 of file XrdTlsNotaryUtils.icc.

109  {
111  int i;
112  int san_names_nb = -1;
113  STACK_OF(GENERAL_NAME) *san_names = NULL;
114 
115  // Try to extract the names within the SAN extension from the certificate
116  san_names = static_cast<GENERAL_NAMES *>(
117  X509_get_ext_d2i((X509 *) server_cert,
118  NID_subject_alt_name, NULL, NULL));
119  if (san_names == NULL) {
120  return NoSANPresent;
121  }
122  san_names_nb = sk_GENERAL_NAME_num(san_names);
123 
124  // Check each name within the extension
125  for (i=0; i<san_names_nb; i++) {
126  const GENERAL_NAME *current_name = sk_GENERAL_NAME_value(san_names, i);
127 
128  if (current_name->type == GEN_DNS) {
129  // Current name is a DNS name, let's check it
130 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
131  char *dns_name = (char *) ASN1_STRING_get0_data(current_name->d.dNSName);
132 #else
133  char *dns_name = (char *) ASN1_STRING_data(current_name->d.dNSName);
134 #endif
135 
136  // Make sure there isn't an embedded NUL character in the DNS name
137  if ((size_t)ASN1_STRING_length(current_name->d.dNSName) != strlen(dns_name)) {
138  result = MalformedCertificate;
139  break;
140  }
141  else { // Compare expected hostname with the DNS name
142  if (Curl_cert_hostcheck(dns_name, hostname)
143  == CURL_HOST_MATCH) {
144  result = MatchFound;
145  break;
146  }
147  }
148  }
149  }
150  sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
151 
152  return result;
153 }
HostnameValidationResult
@ NoSANPresent

References Curl_cert_hostcheck(), CURL_HOST_MATCH, MalformedCertificate, MatchFound, MatchNotFound, and NoSANPresent.

Referenced by XrdTlsNotary::Validate(), and validate_hostname().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ validate_hostname()

HostnameValidationResult validate_hostname ( const char *  hostname,
const X509 *  server_cert 
)

Validates the server's identity by looking for the expected hostname in the server's certificate. As described in RFC 6125, it first tries to find a match in the Subject Alternative Name extension. If the extension is not present in the certificate, it checks the Common Name instead.

Returns MatchFound if a match was found. Returns MatchNotFound if no matches were found. Returns MalformedCertificate if any of the hostnames had a NUL character embedded in it. Returns Error if there was an error.

Definition at line 167 of file XrdTlsNotaryUtils.icc.

167  {
169 
170  if((hostname == NULL) || (server_cert == NULL))
171  return Error;
172 
173  // First try the Subject Alternative Names extension
174  result = matches_subject_alternative_name(hostname, server_cert);
175  if (result == NoSANPresent) {
176  // Extension was not found: try the Common Name
177  result = matches_common_name(hostname, server_cert);
178  }
179 
180  return result;
181 }
static HostnameValidationResult matches_common_name(const char *hostname, const X509 *server_cert)
static HostnameValidationResult matches_subject_alternative_name(const char *hostname, const X509 *server_cert)

References Macaroons::Error, matches_common_name(), matches_subject_alternative_name(), and NoSANPresent.

+ Here is the call graph for this function: