XRootD
XrdTlsNotary Class Reference

#include <XrdTlsNotary.hh>


Static Public Member Functions

static void UseCN (bool yesno)
 
static const char * Validate (const SSL *ssl, const char *hName, XrdNetAddrInfo *netInfo=0)
 

Detailed Description

Definition at line 58 of file XrdTlsNotary.hh.

Member Function Documentation

◆ UseCN()

static void XrdTlsNotary::UseCN (bool yesno)
inline, static

Indicate whether or not common name may be used in validation.

Parameters
yesno - True if the common name may be used, false otherwise. The common name is used only if the cert has no SAN extension or if we are allowed to use the DNS for validation. The default is true but is now deprecated!

Definition at line 91 of file XrdTlsNotary.hh.

91 {cnOK = yesno;}

◆ Validate()

const char * XrdTlsNotary::Validate (const SSL *ssl, const char *hName, XrdNetAddrInfo *netInfo = 0)
static

Validate hostname using peer certificate (usually server's).

Parameters
ssl - pointer to the peer's SSL object holding the cert.
hName - pointer to the hostname to validate.
netInfo - pointer to the XrdNetAddrInfo object for the peer host (named addrInfo in the .cc listing below). This object is used for a reverse lookup of the peer's IP address to see if the names match, as a final fallback. If nil, the DNS fallback is not tried.
Returns
=0 - Hostname has been validated.
!0 - Hostname not validated, return value is pointer to reason. The error message should be formed as follows: Unable to validate host <name>; <returned reason>

Definition at line 56 of file XrdTlsNotary.cc.

58 {
60  bool dnsOK = (addrInfo != 0);
61  bool verChk= true;
62 
63 // Obtain the certificate
64 //
65  X509 *theCert = SSL_get_peer_certificate(ssl);
66  if (!theCert) return "certificate not present.";
67 
68 // Make sure the certificate was verified
69 //
70  if (verChk && (SSL_get_verify_result(ssl) != X509_V_OK))
71  {X509_free(theCert);
72  return "certificate has not been verified.";
73  }
74 
75 // The first step is to check if the hostname can be verified using the SAN
76 // extension. Various version of openSSL have ways of doing this but we
77 // rely on the manual method which works for all versions. Eventually, we
78 // will migrate to the "standard" way of doing this.
79 //
80  rc = matches_subject_alternative_name(hName, theCert);
81  X509_free(theCert);
82  if (rc == MatchFound) return 0;
83 
84 // If a SAN was present then we stop here unless we can use DNS.
85 //
86  if (rc != NoSANPresent && !dnsOK)
87  {if (rc == MatchNotFound) return "hostname not in SAN extension.";
88  return "malformed SAN extension.";
89  }
90 
91 // If we are allowed to use the common name, try that now.
92 //
93  if (cnOK || dnsOK)
94  {rc = matches_common_name(hName, theCert);
95  if (rc == MatchFound) return 0;
96  if (!dnsOK)
97  {if (rc == Error) return "malformed certificate.";
98  return "malformed common name.";
99  }
100  }
101 
102 // The last resort is to try using DNS if so allowed
103 //
104  if (dnsOK)
105  {const char *dnsErr = 0;
106  const char *dnsName = addrInfo->Name(0, &dnsErr);
107  if (dnsName)
108  {if (!strcmp(hName, dnsName)) return 0;
109  return "DNS registered name does not match.";
110  }
111  if (dnsErr) return dnsErr;
112  return "host not registered in DNS.";
113  }
114 
115 // Neither DNS nor common name is allowed here. That means there was no SAN.
116 //
117  return "required SAN extension missing.";
118 }
Symbols referenced by the listing (from Doxygen's cross-references):
HostnameValidationResult - result enumeration used for rc, with enumerators MatchFound, MatchNotFound, NoSANPresent and Error
static HostnameValidationResult matches_common_name(const char *hostname, const X509 *server_cert)
static HostnameValidationResult matches_subject_alternative_name(const char *hostname, const X509 *server_cert)
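The precedence in Validate() is easy to misread: a SAN that exists but does not match is only final when no netInfo was passed, and a non-nil netInfo opens both the common-name check and a reverse-DNS comparison as fallbacks. The following is an added example, not XRootD code: it models that decision order with the X509 certificate and the reverse-DNS answer replaced by plain structs (ModelCert, ModelDNS) so it runs without OpenSSL or a network. The page does not show how the real matches_* helpers compare names, so the model assumes a name matches only when it is equal ignoring ASCII case; the sample certificates and DNS answers at the bottom are constructed.

```cpp
// Added example, not XRootD code: a model of the decision order in
// XrdTlsNotary::Validate() with the certificate and reverse-DNS answer
// replaced by structs.  Name matching is an assumption (equal, ignoring
// ASCII case); the page does not show the real helpers' matching rules.
#include <cctype>
#include <cstring>
#include <string>
#include <vector>

enum HostnameValidationResult { MatchFound, MatchNotFound, NoSANPresent, Error };

struct ModelCert {                        // stands in for an X509
    bool hasSAN;                          // SAN extension present at all?
    bool sanMalformed;                    // SAN present but unparsable
    std::vector<std::string> sanDNS;      // dNSName entries in the SAN
    std::string commonName;               // subject CN, empty if none
};

struct ModelDNS {                         // stands in for XrdNetAddrInfo::Name()
    const char *name;                     // reverse-lookup name, or nullptr
    const char *err;                      // lookup error text, or nullptr
};

static bool nameEq(const char *a, const std::string &b) {
    if (std::strlen(a) != b.size()) return false;
    for (size_t i = 0; i < b.size(); ++i)
        if (std::tolower((unsigned char)a[i]) != std::tolower((unsigned char)b[i])) return false;
    return true;
}

static HostnameValidationResult matchSAN(const char *hName, const ModelCert &c) {
    if (!c.hasSAN) return NoSANPresent;
    if (c.sanMalformed) return Error;
    for (const std::string &n : c.sanDNS) if (nameEq(hName, n)) return MatchFound;
    return MatchNotFound;
}

static HostnameValidationResult matchCN(const char *hName, const ModelCert &c) {
    if (c.commonName.empty()) return Error;   // nothing to compare against
    return nameEq(hName, c.commonName) ? MatchFound : MatchNotFound;
}

// Same control flow and reason strings as the listing above:
// cert present? -> chain verified? -> SAN -> CN (if allowed) -> reverse DNS.
// cnOK plays the role of the flag set by UseCN(); a non-null dns plays the
// role of a non-nil netInfo.  Returns 0 on success, else the reason text.
const char *validateModel(bool verified, const ModelCert *cert, const char *hName,
                          const ModelDNS *dns, bool cnOK)
{
    bool dnsOK = (dns != nullptr);
    if (!cert) return "certificate not present.";
    if (!verified) return "certificate has not been verified.";

    HostnameValidationResult rc = matchSAN(hName, *cert);
    if (rc == MatchFound) return 0;

    // A SAN that exists but does not match is final unless DNS may be tried.
    if (rc != NoSANPresent && !dnsOK) {
        if (rc == MatchNotFound) return "hostname not in SAN extension.";
        return "malformed SAN extension.";
    }

    if (cnOK || dnsOK) {
        rc = matchCN(hName, *cert);
        if (rc == MatchFound) return 0;
        if (!dnsOK) {
            if (rc == Error) return "malformed certificate.";
            return "malformed common name.";
        }
    }

    if (dnsOK) {
        if (dns->name) {
            if (!std::strcmp(hName, dns->name)) return 0;
            return "DNS registered name does not match.";
        }
        if (dns->err) return dns->err;
        return "host not registered in DNS.";
    }

    return "required SAN extension missing.";
}

// Constructed sample inputs (not real certificates or DNS data).
static const ModelCert kSanCert  = {true,  false, {"xrd1.example.org", "xrd.example.org"}, "xrd1.example.org"};
static const ModelCert kCnOnly   = {false, false, {}, "legacy.example.org"};
static const ModelCert kNoNames  = {false, false, {}, ""};
static const ModelCert kBadSan   = {true,  true,  {}, "xrd1.example.org"};
static const ModelDNS  kDnsAlias = {"alias.example.org", nullptr};
static const ModelDNS  kDnsNone  = {nullptr, nullptr};
static const ModelDNS  kDnsErr   = {nullptr, "reverse lookup timed out"};
```

Two things the model makes visible. First, with a non-null dns the call validateModel(true, &kSanCert, "alias.example.org", &kDnsAlias, false) succeeds even though "alias.example.org" is in neither the SAN nor the CN, because the reverse lookup agrees with hName; a caller that wants strict SAN-only validation should therefore pass netInfo as nil and call UseCN(false). Second, the model keeps the certificate for the whole call, whereas the listing calls X509_free(theCert) at line 81 before matches_common_name() uses theCert at line 94, so that later use relies on the SSL object still holding its own reference to the peer certificate.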

References Macaroons::Error, matches_common_name(), matches_subject_alternative_name(), MatchFound, MatchNotFound, XrdNetAddrInfo::Name(), and NoSANPresent.

Referenced by XrdTlsSocket::Connect().


The documentation for this class was generated from the following files: XrdTlsNotary.hh and XrdTlsNotary.cc.