[crypto] Allow for X.509 certificates with no common name

Signed-off-by: Michael Brown <mcb30@ipxe.org>

diff --git a/src/crypto/cms.c b/src/crypto/cms.c
index ee09dff343d842aae9d62ab909d245fd1e68f27e..660be69e9160dcc302472aa1dfe6ec48e1230354 100644 (file)
--- a/src/crypto/cms.c
+++ b/src/crypto/cms.c
@@ -745,7 +745,8 @@ int cms_verify ( struct cms_signature *sig, userptr_t data, size_t len,
        /* Verify using all signerInfos */
        list_for_each_entry ( info, &sig->info, list ) {
                cert = x509_first ( info->chain );
-               if ( name && ( strcmp ( name, cert->subject.name ) != 0 ) )
+               if ( name && ( ( cert->subject.name == NULL ) ||
+                              ( strcmp ( cert->subject.name, name ) != 0 ) ) )
                        continue;
                if ( ( rc = cms_verify_signer_info ( sig, info, data, len,
                                                     time, root ) ) != 0 )

diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index be2e1009dffcb3b72f0fd8e0d7375bcced006603..3261b8eb686b9a6dfeeb1498bade4cb652074670 100644 (file)
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -570,7 +570,7 @@ static int x509_parse_common_name ( struct x509_certificate *cert, char **name,
                        return rc;
                }
 
-               /* Allocate name */
+               /* Allocate and copy name */
                *name = zalloc ( name_cursor.len + 1 /* NUL */ );
                if ( ! *name )
                        return -ENOMEM;
@@ -578,9 +578,9 @@ static int x509_parse_common_name ( struct x509_certificate *cert, char **name,
                return 0;
        }
 
+       /* Certificates may not have a commonName */
        DBGC ( cert, "X509 %p no commonName found:\n", cert );
-       DBGC_HDA ( cert, 0, raw->data, raw->len );
-       return -ENOENT;
+       return 0;
 }
 
 /**

diff --git a/src/net/tls.c b/src/net/tls.c
index 0624215241341129449326215202b01a7bc553eb..3a8a0e05b0fdb9a68c8e4e3a65ffb59fa141f531 100644 (file)
--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -1399,7 +1399,8 @@ static int tls_new_certificate ( struct tls_session *tls,
        assert ( cert != NULL );
 
        /* Verify server name */
-       if ( strcmp ( tls->name, cert->subject.name ) != 0 ) {
+       if ( ( cert->subject.name == NULL ) ||
+            ( strcmp ( cert->subject.name, tls->name ) != 0 ) ) {
                DBGC ( tls, "TLS %p server name incorrect (expected %s, got "
                       "%s)\n", tls, tls->name, cert->subject.name );
                return -EACCES_WRONG_NAME;