/src/gnutls/lib/x509/email-verify.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (C) 2003-2012 Free Software Foundation, Inc. |
3 | | * Copyright (C) 2002 Andrew McDonald |
4 | | * |
5 | | * This file is part of GnuTLS. |
6 | | * |
7 | | * The GnuTLS is free software; you can redistribute it and/or |
8 | | * modify it under the terms of the GNU Lesser General Public License |
9 | | * as published by the Free Software Foundation; either version 2.1 of |
10 | | * the License, or (at your option) any later version. |
11 | | * |
12 | | * This library is distributed in the hope that it will be useful, but |
13 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
14 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
15 | | * Lesser General Public License for more details. |
16 | | * |
17 | | * You should have received a copy of the GNU Lesser General Public License |
18 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
19 | | * |
20 | | */ |
21 | | |
22 | | #include "gnutls_int.h" |
23 | | #include "str.h" |
24 | | #include "x509_int.h" |
25 | | #include "common.h" |
26 | | #include "errors.h" |
27 | | #include "system.h" |
28 | | |
29 | | /** |
30 | | * gnutls_x509_crt_check_email: |
31 | | * @cert: should contain an gnutls_x509_crt_t type |
32 | | * @email: A null terminated string that contains an email address (RFC822) |
33 | | * @flags: should be zero |
34 | | * |
35 | | * This function will check if the given certificate's subject matches |
36 | | * the given email address. |
37 | | * |
38 | | * Returns: non-zero for a successful match, and zero on failure. |
39 | | **/ |
40 | | unsigned gnutls_x509_crt_check_email(gnutls_x509_crt_t cert, const char *email, |
41 | | unsigned int flags) |
42 | 0 | { |
43 | 0 | char rfc822name[MAX_CN]; |
44 | 0 | size_t rfc822namesize; |
45 | 0 | int found_rfc822name = 0; |
46 | 0 | int ret = 0; |
47 | 0 | int i = 0; |
48 | 0 | char *a_email; |
49 | 0 | gnutls_datum_t out; |
50 | | |
51 | | /* convert the provided email to ACE-Labels domain. */ |
52 | 0 | ret = _gnutls_idna_email_map(email, strlen(email), &out); |
53 | 0 | if (ret < 0) { |
54 | 0 | _gnutls_debug_log("unable to convert email %s to IDNA format\n", |
55 | 0 | email); |
56 | 0 | a_email = (char *)email; |
57 | 0 | } else { |
58 | 0 | a_email = (char *)out.data; |
59 | 0 | } |
60 | | |
61 | | /* try matching against: |
62 | | * 1) an address as an alternative name (subjectAltName) extension |
63 | | * in the certificate |
64 | | * 2) the EMAIL field in the certificate |
65 | | * |
66 | | * only try (2) if there is no subjectAltName extension of |
67 | | * type RFC822Name, and there is a single EMAIL. |
68 | | */ |
69 | | |
70 | | /* Check through all included subjectAltName extensions, comparing |
71 | | * against all those of type RFC822Name. |
72 | | */ |
73 | 0 | for (i = 0; !(ret < 0); i++) { |
74 | 0 | rfc822namesize = sizeof(rfc822name); |
75 | 0 | ret = gnutls_x509_crt_get_subject_alt_name( |
76 | 0 | cert, i, rfc822name, &rfc822namesize, NULL); |
77 | |
|
78 | 0 | if (ret == GNUTLS_SAN_RFC822NAME) { |
79 | 0 | found_rfc822name = 1; |
80 | |
|
81 | 0 | if (memchr(rfc822name, '\0', rfc822namesize)) { |
82 | 0 | _gnutls_debug_log( |
83 | 0 | "certificate has %s with embedded null in rfc822name\n", |
84 | 0 | rfc822name); |
85 | 0 | continue; |
86 | 0 | } |
87 | | |
88 | 0 | if (!_gnutls_str_is_print(rfc822name, rfc822namesize)) { |
89 | 0 | _gnutls_debug_log( |
90 | 0 | "invalid (non-ASCII) email in certificate %.*s\n", |
91 | 0 | (int)rfc822namesize, rfc822name); |
92 | 0 | continue; |
93 | 0 | } |
94 | | |
95 | 0 | ret = _gnutls_hostname_compare( |
96 | 0 | rfc822name, rfc822namesize, a_email, |
97 | 0 | GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS); |
98 | 0 | if (ret != 0) { |
99 | 0 | ret = 1; |
100 | 0 | goto cleanup; |
101 | 0 | } |
102 | 0 | } |
103 | 0 | } |
104 | | |
105 | 0 | if (!found_rfc822name) { |
106 | | /* did not get the necessary extension, use CN instead |
107 | | */ |
108 | | |
109 | | /* enforce the RFC6125 (ยง1.8) requirement that only |
110 | | * a single CN must be present */ |
111 | 0 | rfc822namesize = sizeof(rfc822name); |
112 | 0 | ret = gnutls_x509_crt_get_dn_by_oid(cert, |
113 | 0 | GNUTLS_OID_PKCS9_EMAIL, 1, |
114 | 0 | 0, rfc822name, |
115 | 0 | &rfc822namesize); |
116 | 0 | if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { |
117 | 0 | ret = 0; |
118 | 0 | goto cleanup; |
119 | 0 | } |
120 | | |
121 | 0 | rfc822namesize = sizeof(rfc822name); |
122 | 0 | ret = gnutls_x509_crt_get_dn_by_oid(cert, |
123 | 0 | GNUTLS_OID_PKCS9_EMAIL, 0, |
124 | 0 | 0, rfc822name, |
125 | 0 | &rfc822namesize); |
126 | 0 | if (ret < 0) { |
127 | 0 | ret = 0; |
128 | 0 | goto cleanup; |
129 | 0 | } |
130 | | |
131 | 0 | if (memchr(rfc822name, '\0', rfc822namesize)) { |
132 | 0 | _gnutls_debug_log( |
133 | 0 | "certificate has EMAIL %s with embedded null in name\n", |
134 | 0 | rfc822name); |
135 | 0 | ret = 0; |
136 | 0 | goto cleanup; |
137 | 0 | } |
138 | | |
139 | 0 | if (!_gnutls_str_is_print(rfc822name, rfc822namesize)) { |
140 | 0 | _gnutls_debug_log( |
141 | 0 | "invalid (non-ASCII) email in certificate DN %.*s\n", |
142 | 0 | (int)rfc822namesize, rfc822name); |
143 | 0 | ret = 0; |
144 | 0 | goto cleanup; |
145 | 0 | } |
146 | | |
147 | 0 | ret = _gnutls_hostname_compare( |
148 | 0 | rfc822name, rfc822namesize, a_email, |
149 | 0 | GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS); |
150 | 0 | if (ret != 0) { |
151 | 0 | ret = 1; |
152 | 0 | goto cleanup; |
153 | 0 | } |
154 | 0 | } |
155 | | |
156 | | /* not found a matching name |
157 | | */ |
158 | 0 | ret = 0; |
159 | 0 | cleanup: |
160 | 0 | if (a_email != email) { |
161 | 0 | gnutls_free(a_email); |
162 | 0 | } |
163 | 0 | return ret; |
164 | 0 | } |