XrdTlsNotaryUtils.icc File Reference

#include <openssl/x509v3.h>
#include <openssl/ssl.h>

Include dependency graph for XrdTlsNotaryUtils.icc:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Macros
#define	HOSTNAME_MAX_SIZE   255

Functions
static HostnameValidationResult	matches_common_name (const char *hostname, const X509 *server_cert)
static HostnameValidationResult	matches_subject_alternative_name (const char *hostname, const X509 *server_cert)
HostnameValidationResult	validate_hostname (const char *hostname, const X509 *server_cert)

Macro Definition Documentation

HOSTNAME_MAX_SIZE

#define HOSTNAME_MAX_SIZE   255

Definition at line 47 of file XrdTlsNotaryUtils.icc.

Function Documentation

matches_common_name()

HostnameValidationResult matches_common_name ( const char * hostname, const X509 * server_cert )

static

Tries to find a match for hostname in the certificate's Common Name field.

Returns MatchFound if a match was found. Returns MatchNotFound if no matches were found. Returns MalformedCertificate if the Common Name had a NUL character embedded in it. Returns Error if the Common Name could not be extracted.

Definition at line 57 of file XrdTlsNotaryUtils.icc.

                                                                                                   {
        int common_name_loc = -1;
        X509_NAME_ENTRY *common_name_entry = NULL;
        ASN1_STRING *common_name_asn1 = NULL;
        char *common_name_str = NULL;
 
        // Find the position of the CN field in the Subject field of the certificate
        common_name_loc = X509_NAME_get_index_by_NID(X509_get_subject_name((X509 *) server_cert), NID_commonName, -1);
        if (common_name_loc < 0) {
                return Error;
        }
 
        // Extract the CN field
        common_name_entry = X509_NAME_get_entry(X509_get_subject_name((X509 *) server_cert), common_name_loc);
        if (common_name_entry == NULL) {
                return Error;
        }
 
        // Convert the CN field to a C string
        common_name_asn1 = X509_NAME_ENTRY_get_data(common_name_entry);
        if (common_name_asn1 == NULL) {
                return Error;
        }
        common_name_str = (char *) ASN1_STRING_get0_data(common_name_asn1);
 
        // Make sure there isn't an embedded NUL character in the CN
        if ((size_t)ASN1_STRING_length(common_name_asn1) != strlen(common_name_str)) {
                return MalformedCertificate;
        }
 
        // Compare expected hostname with the CN
        if (Curl_cert_hostcheck(common_name_str, hostname) == CURL_HOST_MATCH) {
                return MatchFound;
        }
        else {
                return MatchNotFound;
        }
}

References Curl_cert_hostcheck(), CURL_HOST_MATCH, Error, MalformedCertificate, MatchFound, and MatchNotFound.

Referenced by XrdTlsNotary::Validate(), and validate_hostname().

Here is the call graph for this function:

Here is the caller graph for this function:

matches_subject_alternative_name()

HostnameValidationResult matches_subject_alternative_name ( const char * hostname, const X509 * server_cert )

static

Tries to find a match for hostname in the certificate's Subject Alternative Name extension.

Returns MatchFound if a match was found. Returns MatchNotFound if no matches were found. Returns MalformedCertificate if any of the hostnames had a NUL character embedded in it. Returns NoSANPresent if the SAN extension was not present in the certificate.

Definition at line 105 of file XrdTlsNotaryUtils.icc.

                                                                                                                {
        HostnameValidationResult result = MatchNotFound;
        int i;
        int san_names_nb = -1;
        STACK_OF(GENERAL_NAME) *san_names = NULL;
 
        // Try to extract the names within the SAN extension from the certificate
        san_names = static_cast<GENERAL_NAMES *>(
                                X509_get_ext_d2i((X509 *) server_cert,
                                NID_subject_alt_name, NULL, NULL));
        if (san_names == NULL) {
                return NoSANPresent;
        }
        san_names_nb = sk_GENERAL_NAME_num(san_names);
 
        // Check each name within the extension
        for (i=0; i<san_names_nb; i++) {
                const GENERAL_NAME *current_name = sk_GENERAL_NAME_value(san_names, i);
 
                if (current_name->type == GEN_DNS) {
                        // Current name is a DNS name, let's check it
                        char *dns_name = (char *) ASN1_STRING_get0_data(current_name->d.dNSName);
 
                        // Make sure there isn't an embedded NUL character in the DNS name
                        if ((size_t)ASN1_STRING_length(current_name->d.dNSName) != strlen(dns_name)) {
                                result = MalformedCertificate;
                                break;
                        }
                        else { // Compare expected hostname with the DNS name
                                if (Curl_cert_hostcheck(dns_name, hostname)
                                    == CURL_HOST_MATCH) {
                                        result = MatchFound;
                                        break;
                                }
                        }
                }
        }
        sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
 
        return result;
}

References Curl_cert_hostcheck(), CURL_HOST_MATCH, MalformedCertificate, MatchFound, MatchNotFound, and NoSANPresent.

Referenced by XrdTlsNotary::Validate(), and validate_hostname().

Here is the call graph for this function:

Here is the caller graph for this function:

validate_hostname()

HostnameValidationResult validate_hostname	(	const char *	hostname,
		const X509 *	server_cert )

Validates the server's identity by looking for the expected hostname in the server's certificate. As described in RFC 6125, it first tries to find a match in the Subject Alternative Name extension. If the extension is not present in the certificate, it checks the Common Name instead.

Returns MatchFound if a match was found. Returns MatchNotFound if no matches were found. Returns MalformedCertificate if any of the hostnames had a NUL character embedded in it. Returns Error if there was an error.

Definition at line 159 of file XrdTlsNotaryUtils.icc.

                                                                                          {
        HostnameValidationResult result;
 
        if((hostname == NULL) || (server_cert == NULL))
                return Error;
 
        // First try the Subject Alternative Names extension
        result = matches_subject_alternative_name(hostname, server_cert);
        if (result == NoSANPresent) {
                // Extension was not found: try the Common Name
                result = matches_common_name(hostname, server_cert);
        }
 
        return result;
}

References Error, matches_common_name(), matches_subject_alternative_name(), and NoSANPresent.

Here is the call graph for this function: