From: Nikos Mavrogiannopoulos Date: Wed, 25 Mar 2015 08:42:16 +0000 (+0100) Subject: Added gnutls_x509_crt_check_email(), gnutls_openpgp_crt_check_email() and GNUTLS_DT_R... X-Git-Tag: gnutls_3_4_0~127 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d3fedf9da0df6a6097c368679356b2fc1058c6f3;p=thirdparty%2Fgnutls.git Added gnutls_x509_crt_check_email(), gnutls_openpgp_crt_check_email() and GNUTLS_DT_RFC822NAME --- diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c index ff007b4044..9d32f1d5be 100644 --- a/lib/gnutls_cert.c +++ b/lib/gnutls_cert.c @@ -506,6 +506,7 @@ _gnutls_x509_get_raw_crt_expiration_time(const gnutls_datum_t * cert) -*/ static int _gnutls_openpgp_crt_verify_peers(gnutls_session_t session, + gnutls_x509_subject_alt_name_t type, const char *hostname, unsigned int *status) { @@ -547,7 +548,7 @@ _gnutls_openpgp_crt_verify_peers(gnutls_session_t session, /* Verify certificate */ ret = - _gnutls_openpgp_verify_key(cred, hostname, + _gnutls_openpgp_verify_key(cred, type, hostname, &info->raw_certificate_list[0], peer_certificate_list_size, verify_flags, @@ -653,8 +654,8 @@ gnutls_typed_vdata_st data; * using gnutls_certificate_set_verify_flags(). See the documentation * of gnutls_certificate_verify_peers2() for details in the verification process. * - * The acceptable @data types are %GNUTLS_DT_DNS_HOSTNAME and %GNUTLS_DT_KEY_PURPOSE_OID. - * The former accepts as data a null-terminated hostname, and the latter a null-terminated + * The acceptable @data types are %GNUTLS_DT_DNS_HOSTNAME, %GNUTLS_DT_RFC822NAME and %GNUTLS_DT_KEY_PURPOSE_OID. + * The former two accept as data a null-terminated hostname or email address, and the latter a null-terminated * object identifier (e.g., %GNUTLS_KP_TLS_WWW_SERVER). * If a DNS hostname is provided then this function will compare * the hostname in the certificate against the given. If names do not match the @@ -675,7 +676,7 @@ gnutls_certificate_verify_peers(gnutls_session_t session, { cert_auth_info_t info; const char *hostname = NULL; - unsigned i; + unsigned i, type = 0; CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); @@ -696,11 +697,18 @@ gnutls_certificate_verify_peers(gnutls_session_t session, case GNUTLS_CRT_OPENPGP: for (i=0;i + * + */ + +#include +#include +#include +#include +#include +#include +#include + +static int has_embedded_null(const char *str, unsigned size) +{ + if (strlen(str) != size) + return 1; + return 0; +} + +/** + * gnutls_x509_crt_check_email: + * @cert: should contain an gnutls_x509_crt_t type + * @email: A null terminated string that contains an email address (RFC822) + * @flags: should be zero + * + * This function will check if the given certificate's subject matches + * the given email address. + * + * Returns: non-zero for a successful match, and zero on failure. + **/ +int +gnutls_x509_crt_check_email(gnutls_x509_crt_t cert, + const char *email, unsigned int flags) +{ + char rfc822name[MAX_CN]; + size_t rfc822namesize; + int found_rfc822name = 0; + int ret = 0, rc; + int i = 0; + char *a_email; + char *a_rfc822name; + + /* convert the provided email to ACE-Labels domain. */ + rc = idna_to_ascii_8z (email, &a_email, 0); + if (rc != IDNA_SUCCESS) { + _gnutls_debug_log("unable to convert email %s to IDNA format: %s\n", email, idna_strerror (rc)); + a_email = (char*)email; + } + + /* try matching against: + * 1) an address as an alternative name (subjectAltName) extension + * in the certificate + * 2) the EMAIL field in the certificate + * + * only try (2) if there is no subjectAltName extension of + * type RFC822Name, and there is a single EMAIL. + */ + + /* Check through all included subjectAltName extensions, comparing + * against all those of type RFC822Name. + */ + for (i = 0; !(ret < 0); i++) { + + rfc822namesize = sizeof(rfc822name); + ret = gnutls_x509_crt_get_subject_alt_name(cert, i, + rfc822name, + &rfc822namesize, + NULL); + + if (ret == GNUTLS_SAN_RFC822NAME) { + found_rfc822name = 1; + + if (has_embedded_null(rfc822name, rfc822namesize)) { + _gnutls_debug_log("certificate has %s with embedded null in rfc822name\n", rfc822name); + continue; + } + + rc = idna_to_ascii_8z (rfc822name, &a_rfc822name, 0); + if (rc != IDNA_SUCCESS) { + _gnutls_debug_log("unable to convert rfc822name %s to IDNA format: %s\n", rfc822name, idna_strerror (rc)); + continue; + } + + ret = _gnutls_hostname_compare(a_rfc822name, strlen(a_rfc822name), a_email, GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS); + idn_free(a_rfc822name); + + if (ret != 0) { + ret = 1; + goto cleanup; + } + } + } + + if (!found_rfc822name) { + /* did not get the necessary extension, use CN instead + */ + + /* enforce the RFC6125 (§1.8) requirement that only + * a single CN must be present */ + rfc822namesize = sizeof(rfc822name); + ret = gnutls_x509_crt_get_dn_by_oid + (cert, GNUTLS_OID_PKCS9_EMAIL, 1, 0, rfc822name, + &rfc822namesize); + if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + ret = 0; + goto cleanup; + } + + rfc822namesize = sizeof(rfc822name); + ret = gnutls_x509_crt_get_dn_by_oid + (cert, GNUTLS_OID_PKCS9_EMAIL, 0, 0, rfc822name, + &rfc822namesize); + if (ret < 0) { + ret = 0; + goto cleanup; + } + + if (has_embedded_null(rfc822name, rfc822namesize)) { + _gnutls_debug_log("certificate has EMAIL %s with embedded null in name\n", rfc822name); + ret = 0; + goto cleanup; + } + + rc = idna_to_ascii_8z (rfc822name, &a_rfc822name, 0); + if (rc != IDNA_SUCCESS) { + _gnutls_debug_log("unable to convert EMAIL %s to IDNA format: %s\n", rfc822name, idna_strerror (rc)); + ret = 0; + goto cleanup; + } + + ret = _gnutls_hostname_compare(a_rfc822name, strlen(a_rfc822name), a_email, GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS); + + idn_free(a_rfc822name); + + if (ret != 0) { + ret = 1; + goto cleanup; + } + } + + /* not found a matching name + */ + ret = 0; + cleanup: + if (a_email != email) { + idn_free(a_email); + } + return ret; +} diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c index 6e3a4be20e..2729976bbe 100644 --- a/lib/x509/verify-high.c +++ b/lib/x509/verify-high.c @@ -1106,7 +1106,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, unsigned int i; uint32_t hash; gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH]; - const char *hostname = NULL, *purpose = NULL; + const char *hostname = NULL, *purpose = NULL, *email = NULL; unsigned hostname_size = 0; if (cert_list == NULL || cert_list_size < 1) @@ -1118,6 +1118,10 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, if (data[i].size > 0) { hostname_size = data[i].size; } + if (email != NULL) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + } else if (data[i].type == GNUTLS_DT_RFC822NAME) { + email = (void*)data[i].data; + if (hostname != NULL) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); } else if (data[i].type == GNUTLS_DT_KEY_PURPOSE_OID) { purpose = (void*)data[i].data; } @@ -1220,6 +1224,13 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, *voutput |= GNUTLS_CERT_UNEXPECTED_OWNER|GNUTLS_CERT_INVALID; } + if (email) { + ret = + gnutls_x509_crt_check_email(cert_list[0], email, 0); + if (ret == 0) + *voutput |= GNUTLS_CERT_UNEXPECTED_OWNER|GNUTLS_CERT_INVALID; + } + /* CRL checks follow */ if (*voutput != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS))