/src/gnutls/lib/x509/email-verify.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (C) 2003-2012 Free Software Foundation, Inc. |
3 | | * Copyright (C) 2002 Andrew McDonald |
4 | | * |
5 | | * This file is part of GnuTLS. |
6 | | * |
7 | | * The GnuTLS is free software; you can redistribute it and/or |
8 | | * modify it under the terms of the GNU Lesser General Public License |
9 | | * as published by the Free Software Foundation; either version 2.1 of |
10 | | * the License, or (at your option) any later version. |
11 | | * |
12 | | * This library is distributed in the hope that it will be useful, but |
13 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
14 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
15 | | * Lesser General Public License for more details. |
16 | | * |
17 | | * You should have received a copy of the GNU Lesser General Public License |
18 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
19 | | * |
20 | | */ |
21 | | |
22 | | #include "gnutls_int.h" |
23 | | #include <str.h> |
24 | | #include <x509_int.h> |
25 | | #include <common.h> |
26 | | #include "errors.h" |
27 | | #include <system.h> |
28 | | |
29 | | /** |
30 | | * gnutls_x509_crt_check_email: |
31 | | * @cert: should contain an gnutls_x509_crt_t type |
32 | | * @email: A null terminated string that contains an email address (RFC822) |
33 | | * @flags: should be zero |
34 | | * |
35 | | * This function will check if the given certificate's subject matches |
36 | | * the given email address. |
37 | | * |
38 | | * Returns: non-zero for a successful match, and zero on failure. |
39 | | **/ |
40 | | unsigned |
41 | | gnutls_x509_crt_check_email(gnutls_x509_crt_t cert, |
42 | | const char *email, unsigned int flags) |
43 | 0 | { |
44 | 0 | char rfc822name[MAX_CN]; |
45 | 0 | size_t rfc822namesize; |
46 | 0 | int found_rfc822name = 0; |
47 | 0 | int ret = 0; |
48 | 0 | int i = 0; |
49 | 0 | char *a_email; |
50 | 0 | gnutls_datum_t out; |
51 | | |
52 | | /* convert the provided email to ACE-Labels domain. */ |
53 | 0 | ret = _gnutls_idna_email_map(email, strlen(email), &out); |
54 | 0 | if (ret < 0) { |
55 | 0 | _gnutls_debug_log("unable to convert email %s to IDNA format\n", |
56 | 0 | email); |
57 | 0 | a_email = (char *)email; |
58 | 0 | } else { |
59 | 0 | a_email = (char *)out.data; |
60 | 0 | } |
61 | | |
62 | | /* try matching against: |
63 | | * 1) an address as an alternative name (subjectAltName) extension |
64 | | * in the certificate |
65 | | * 2) the EMAIL field in the certificate |
66 | | * |
67 | | * only try (2) if there is no subjectAltName extension of |
68 | | * type RFC822Name, and there is a single EMAIL. |
69 | | */ |
70 | | |
71 | | /* Check through all included subjectAltName extensions, comparing |
72 | | * against all those of type RFC822Name. |
73 | | */ |
74 | 0 | for (i = 0; !(ret < 0); i++) { |
75 | |
|
76 | 0 | rfc822namesize = sizeof(rfc822name); |
77 | 0 | ret = gnutls_x509_crt_get_subject_alt_name(cert, i, |
78 | 0 | rfc822name, |
79 | 0 | &rfc822namesize, |
80 | 0 | NULL); |
81 | |
|
82 | 0 | if (ret == GNUTLS_SAN_RFC822NAME) { |
83 | 0 | found_rfc822name = 1; |
84 | |
|
85 | 0 | if (_gnutls_has_embedded_null |
86 | 0 | (rfc822name, rfc822namesize)) { |
87 | 0 | _gnutls_debug_log |
88 | 0 | ("certificate has %s with embedded null in rfc822name\n", |
89 | 0 | rfc822name); |
90 | 0 | continue; |
91 | 0 | } |
92 | | |
93 | 0 | if (!_gnutls_str_is_print(rfc822name, rfc822namesize)) { |
94 | 0 | _gnutls_debug_log |
95 | 0 | ("invalid (non-ASCII) email in certificate %.*s\n", |
96 | 0 | (int)rfc822namesize, rfc822name); |
97 | 0 | continue; |
98 | 0 | } |
99 | | |
100 | 0 | ret = |
101 | 0 | _gnutls_hostname_compare(rfc822name, rfc822namesize, |
102 | 0 | a_email, |
103 | 0 | GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS); |
104 | 0 | if (ret != 0) { |
105 | 0 | ret = 1; |
106 | 0 | goto cleanup; |
107 | 0 | } |
108 | 0 | } |
109 | 0 | } |
110 | | |
111 | 0 | if (!found_rfc822name) { |
112 | | /* did not get the necessary extension, use CN instead |
113 | | */ |
114 | | |
115 | | /* enforce the RFC6125 (ยง1.8) requirement that only |
116 | | * a single CN must be present */ |
117 | 0 | rfc822namesize = sizeof(rfc822name); |
118 | 0 | ret = gnutls_x509_crt_get_dn_by_oid |
119 | 0 | (cert, GNUTLS_OID_PKCS9_EMAIL, 1, 0, rfc822name, |
120 | 0 | &rfc822namesize); |
121 | 0 | if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { |
122 | 0 | ret = 0; |
123 | 0 | goto cleanup; |
124 | 0 | } |
125 | | |
126 | 0 | rfc822namesize = sizeof(rfc822name); |
127 | 0 | ret = gnutls_x509_crt_get_dn_by_oid |
128 | 0 | (cert, GNUTLS_OID_PKCS9_EMAIL, 0, 0, rfc822name, |
129 | 0 | &rfc822namesize); |
130 | 0 | if (ret < 0) { |
131 | 0 | ret = 0; |
132 | 0 | goto cleanup; |
133 | 0 | } |
134 | | |
135 | 0 | if (_gnutls_has_embedded_null(rfc822name, rfc822namesize)) { |
136 | 0 | _gnutls_debug_log |
137 | 0 | ("certificate has EMAIL %s with embedded null in name\n", |
138 | 0 | rfc822name); |
139 | 0 | ret = 0; |
140 | 0 | goto cleanup; |
141 | 0 | } |
142 | | |
143 | 0 | if (!_gnutls_str_is_print(rfc822name, rfc822namesize)) { |
144 | 0 | _gnutls_debug_log |
145 | 0 | ("invalid (non-ASCII) email in certificate DN %.*s\n", |
146 | 0 | (int)rfc822namesize, rfc822name); |
147 | 0 | ret = 0; |
148 | 0 | goto cleanup; |
149 | 0 | } |
150 | | |
151 | 0 | ret = |
152 | 0 | _gnutls_hostname_compare(rfc822name, rfc822namesize, |
153 | 0 | a_email, |
154 | 0 | GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS); |
155 | 0 | if (ret != 0) { |
156 | 0 | ret = 1; |
157 | 0 | goto cleanup; |
158 | 0 | } |
159 | 0 | } |
160 | | |
161 | | /* not found a matching name |
162 | | */ |
163 | 0 | ret = 0; |
164 | 0 | cleanup: |
165 | 0 | if (a_email != email) { |
166 | 0 | gnutls_free(a_email); |
167 | 0 | } |
168 | 0 | return ret; |
169 | 0 | } |