Blame lib/x509/email-verify.c

/*
 * Copyright (C) 2003-2012 Free Software Foundation, Inc.
 * Copyright (C) 2002 Andrew McDonald
 *
 * This file is part of GnuTLS.
 *
 * The GnuTLS is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public License
 * as published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>
 *
 */
#include "gnutls_int.h"
#include <str.h>
#include <x509_int.h>
#include <common.h>
#include "errors.h"
#include <system.h>
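/**
 * gnutls_x509_crt_check_email:
 * @cert: should contain a gnutls_x509_crt_t type
 * @email: A null terminated string that contains an email address (RFC822)
 * @flags: should be zero (not read by this function)
 *
 * This function will check if the given certificate's subject matches
 * the given email address.
 *
 * The address is compared against every subjectAltName entry of type
 * RFC822Name. The EMAIL attribute of the subject DN is consulted only
 * when the certificate carries no RFC822Name entry and the DN holds a
 * single EMAIL attribute. Both comparisons are made with
 * %GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS.
 *
 * Returns: non-zero for a successful match, and zero on failure.
 **/
unsigned
gnutls_x509_crt_check_email(gnutls_x509_crt_t cert,
			    const char *email, unsigned int flags)
{
	char rfc822name[MAX_CN];
	size_t rfc822namesize;
	int found_rfc822name = 0;
	int ret = 0;
	int i = 0;
	char *a_email;
	gnutls_datum_t out;

	/* convert the provided email to ACE-Labels domain. */
	ret = _gnutls_idna_email_map(email, strlen(email), &out);
	if (ret < 0) {
		_gnutls_debug_log("unable to convert email %s to IDNA format\n", email);
		/* conversion failed: compare against the address as supplied.
		 * a_email then aliases @email and is not freed at cleanup. */
		a_email = (char*)email;
	} else {
		a_email = (char*)out.data;
	}

	/* try matching against:
	 *  1) an address as an alternative name (subjectAltName) extension
	 *     in the certificate
	 *  2) the EMAIL field in the certificate
	 *
	 *  only try (2) if there is no subjectAltName extension of
	 *  type RFC822Name, and there is a single EMAIL.
	 */

	/* The loop below stops as soon as ret is negative. Clear the
	 * status left by the IDNA conversion first: otherwise a failed
	 * conversion would skip the subjectAltName walk entirely and the
	 * DN EMAIL fallback would be used even for a certificate that
	 * does carry RFC822Name entries.
	 */
	ret = 0;

	/* Check through all included subjectAltName extensions, comparing
	 * against all those of type RFC822Name.
	 *
	 * NOTE(review): any negative return ends the walk. If the getter
	 * can fail on an entry that does not fit in rfc822name before an
	 * RFC822Name entry has been seen, the DN fallback would still
	 * run - confirm against gnutls_x509_crt_get_subject_alt_name().
	 */
	for (i = 0; !(ret < 0); i++) {

		rfc822namesize = sizeof(rfc822name);
		ret = gnutls_x509_crt_get_subject_alt_name(cert, i,
							   rfc822name,
							   &rfc822namesize,
							   NULL);

		if (ret == GNUTLS_SAN_RFC822NAME) {
			/* record the entry even if it is rejected below, so
			 * that a malformed RFC822Name still blocks the DN
			 * fallback */
			found_rfc822name = 1;

			if (_gnutls_has_embedded_null(rfc822name, rfc822namesize)) {
				_gnutls_debug_log("certificate has %s with embedded null in rfc822name\n", rfc822name);
				continue;
			}

			if (!_gnutls_str_is_print(rfc822name, rfc822namesize)) {
				_gnutls_debug_log("invalid (non-ASCII) email in certificate %.*s\n", (int)rfc822namesize, rfc822name);
				continue;
			}

			ret = _gnutls_hostname_compare(rfc822name, rfc822namesize, a_email, GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS);
			if (ret != 0) {
				ret = 1;
				goto cleanup;
			}
		}
	}

	if (!found_rfc822name) {
		/* did not get the necessary extension, use the EMAIL
		 * attribute of the DN instead
		 */

		/* in the spirit of the RFC6125 (§1.8) single-CN requirement,
		 * accept the fallback only when a single EMAIL is present:
		 * the request for index 1 must report that no such data
		 * exists, any other result rejects the certificate */
		rfc822namesize = sizeof(rfc822name);
		ret = gnutls_x509_crt_get_dn_by_oid
			(cert, GNUTLS_OID_PKCS9_EMAIL, 1, 0, rfc822name,
			 &rfc822namesize);
		if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
			ret = 0;
			goto cleanup;
		}

		/* fetch the one EMAIL attribute (index 0) */
		rfc822namesize = sizeof(rfc822name);
		ret = gnutls_x509_crt_get_dn_by_oid
			(cert, GNUTLS_OID_PKCS9_EMAIL, 0, 0, rfc822name,
			 &rfc822namesize);
		if (ret < 0) {
			ret = 0;
			goto cleanup;
		}

		if (_gnutls_has_embedded_null(rfc822name, rfc822namesize)) {
			_gnutls_debug_log("certificate has EMAIL %s with embedded null in name\n", rfc822name);
			ret = 0;
			goto cleanup;
		}

		if (!_gnutls_str_is_print(rfc822name, rfc822namesize)) {
			_gnutls_debug_log("invalid (non-ASCII) email in certificate DN %.*s\n", (int)rfc822namesize, rfc822name);
			ret = 0;
			goto cleanup;
		}

		ret = _gnutls_hostname_compare(rfc822name, rfc822namesize, a_email, GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS);
		if (ret != 0) {
			ret = 1;
			goto cleanup;
		}
	}

	/* not found a matching name
	 */
	ret = 0;
 cleanup:
	/* a_email is owned by this function only when the IDNA conversion
	 * succeeded and it points at out.data */
	if (a_email != email) {
		gnutls_free(a_email);
	}
	return ret;
}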