#include <openssl/x509v3.h>
#include <openssl/ssl.h>

Include dependency graph for XrdTlsNotaryUtils.icc:

This graph shows which files directly or indirectly include this file:

Macros
#define	HOSTNAME_MAX_SIZE 255

Functions
static HostnameValidationResult	matches_common_name (const char hostname, const X509 server_cert)

static HostnameValidationResult	matches_subject_alternative_name (const char hostname, const X509 server_cert)

HostnameValidationResult	validate_hostname (const char hostname, const X509 server_cert)

Macro Definition Documentation

◆ HOSTNAME_MAX_SIZE

#define HOSTNAME_MAX_SIZE 255

Definition at line 47 of file XrdTlsNotaryUtils.icc.

Function Documentation

◆ matches_common_name()

static HostnameValidationResult matches_common_name	(	const char *	hostname,
		const X509 *	server_cert
	)

static

Tries to find a match for hostname in the certificate's Common Name field.

Returns MatchFound if a match was found. Returns MatchNotFound if no matches were found. Returns MalformedCertificate if the Common Name had a NUL character embedded in it. Returns Error if the Common Name could not be extracted.

Definition at line 57 of file XrdTlsNotaryUtils.icc.

                                                                                                    {
         int common_name_loc = -1;
         X509_NAME_ENTRY *common_name_entry = NULL;
         ASN1_STRING *common_name_asn1 = NULL;
         char *common_name_str = NULL;
  
         // Find the position of the CN field in the Subject field of the certificate
         common_name_loc = X509_NAME_get_index_by_NID(X509_get_subject_name((X509 *) server_cert), NID_commonName, -1);
         if (common_name_loc < 0) {
                 return Error;
         }
  
         // Extract the CN field
         common_name_entry = X509_NAME_get_entry(X509_get_subject_name((X509 *) server_cert), common_name_loc);
         if (common_name_entry == NULL) {
                 return Error;
         }
  
         // Convert the CN field to a C string
         common_name_asn1 = X509_NAME_ENTRY_get_data(common_name_entry);
         if (common_name_asn1 == NULL) {
                 return Error;
         }
         common_name_str = (char *) ASN1_STRING_get0_data(common_name_asn1);
  
         // Make sure there isn't an embedded NUL character in the CN
         if ((size_t)ASN1_STRING_length(common_name_asn1) != strlen(common_name_str)) {
                 return MalformedCertificate;
         }
  
         // Compare expected hostname with the CN
         if (Curl_cert_hostcheck(common_name_str, hostname) == CURL_HOST_MATCH) {
                 return MatchFound;
         }
         else {
                 return MatchNotFound;
         }
 }

References Curl_cert_hostcheck(), CURL_HOST_MATCH, Error, MalformedCertificate, MatchFound, and MatchNotFound.

Referenced by XrdTlsNotary::Validate(), and validate_hostname().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ matches_subject_alternative_name()

static HostnameValidationResult matches_subject_alternative_name	(	const char *	hostname,
		const X509 *	server_cert
	)

static

Tries to find a match for hostname in the certificate's Subject Alternative Name extension.

Returns MatchFound if a match was found. Returns MatchNotFound if no matches were found. Returns MalformedCertificate if any of the hostnames had a NUL character embedded in it. Returns NoSANPresent if the SAN extension was not present in the certificate.

Definition at line 105 of file XrdTlsNotaryUtils.icc.

                                                                                                                 {
         HostnameValidationResult result = MatchNotFound;
         int i;
         int san_names_nb = -1;
         STACK_OF(GENERAL_NAME) *san_names = NULL;
  
         // Try to extract the names within the SAN extension from the certificate
         san_names = static_cast<GENERAL_NAMES *>(
                                 X509_get_ext_d2i((X509 *) server_cert,
                                 NID_subject_alt_name, NULL, NULL));
         if (san_names == NULL) {
                 return NoSANPresent;
         }
         san_names_nb = sk_GENERAL_NAME_num(san_names);
  
         // Check each name within the extension
         for (i=0; i<san_names_nb; i++) {
                 const GENERAL_NAME *current_name = sk_GENERAL_NAME_value(san_names, i);
  
                 if (current_name->type == GEN_DNS) {
                         // Current name is a DNS name, let's check it
                         char *dns_name = (char *) ASN1_STRING_get0_data(current_name->d.dNSName);
  
                         // Make sure there isn't an embedded NUL character in the DNS name
                         if ((size_t)ASN1_STRING_length(current_name->d.dNSName) != strlen(dns_name)) {
                                 result = MalformedCertificate;
                                 break;
                         }
                         else { // Compare expected hostname with the DNS name
                                 if (Curl_cert_hostcheck(dns_name, hostname)
                                     == CURL_HOST_MATCH) {
                                         result = MatchFound;
                                         break;
                                 }
                         }
                 }
         }
         sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
  
         return result;
 }

References Curl_cert_hostcheck(), CURL_HOST_MATCH, MalformedCertificate, MatchFound, MatchNotFound, and NoSANPresent.

Referenced by XrdTlsNotary::Validate(), and validate_hostname().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ validate_hostname()

HostnameValidationResult validate_hostname	(	const char *	hostname,
		const X509 *	server_cert
	)

Validates the server's identity by looking for the expected hostname in the server's certificate. As described in RFC 6125, it first tries to find a match in the Subject Alternative Name extension. If the extension is not present in the certificate, it checks the Common Name instead.

Returns MatchFound if a match was found. Returns MatchNotFound if no matches were found. Returns MalformedCertificate if any of the hostnames had a NUL character embedded in it. Returns Error if there was an error.

Definition at line 159 of file XrdTlsNotaryUtils.icc.

                                                                                           {
         HostnameValidationResult result;
  
         if((hostname == NULL) || (server_cert == NULL))
                 return Error;
  
         // First try the Subject Alternative Names extension
         result = matches_subject_alternative_name(hostname, server_cert);
         if (result == NoSANPresent) {
                 // Extension was not found: try the Common Name
                 result = matches_common_name(hostname, server_cert);
         }
  
         return result;
 }

References Error, matches_common_name(), matches_subject_alternative_name(), and NoSANPresent.

Here is the call graph for this function:

Macros

Functions

Macro Definition Documentation

◆ HOSTNAME_MAX_SIZE

Function Documentation

◆ matches_common_name()

◆ matches_subject_alternative_name()

◆ validate_hostname()