Coverage Report

Created: 2026-05-16 07:57

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/gnutls/lib/x509/email-verify.c
Line
Count
Source
1
/*
2
 * Copyright (C) 2003-2012 Free Software Foundation, Inc.
3
 * Copyright (C) 2002 Andrew McDonald
4
 *
5
 * This file is part of GnuTLS.
6
 *
7
 * The GnuTLS is free software; you can redistribute it and/or
8
 * modify it under the terms of the GNU Lesser General Public License
9
 * as published by the Free Software Foundation; either version 2.1 of
10
 * the License, or (at your option) any later version.
11
 *
12
 * This library is distributed in the hope that it will be useful, but
13
 * WITHOUT ANY WARRANTY; without even the implied warranty of
14
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
15
 * Lesser General Public License for more details.
16
 *
17
 * You should have received a copy of the GNU Lesser General Public License
18
 * along with this program.  If not, see <https://www.gnu.org/licenses/>
19
 *
20
 */
21
22
#include "gnutls_int.h"
23
#include "str.h"
24
#include "x509_int.h"
25
#include "common.h"
26
#include "errors.h"
27
#include "system.h"
28
29
/**
30
 * gnutls_x509_crt_check_email:
31
 * @cert: should contain an gnutls_x509_crt_t type
32
 * @email: A null terminated string that contains an email address (RFC822)
33
 * @flags: should be zero
34
 *
35
 * This function will check if the given certificate's subject matches
36
 * the given email address.
37
 *
38
 * Returns: non-zero for a successful match, and zero on failure.
39
 **/
40
unsigned gnutls_x509_crt_check_email(gnutls_x509_crt_t cert, const char *email,
41
             unsigned int flags)
42
0
{
43
0
  char rfc822name[MAX_CN];
44
0
  size_t rfc822namesize;
45
0
  bool dn_fallback_allowed = true;
46
0
  int ret = 0;
47
0
  int i = 0;
48
0
  char *a_email;
49
0
  gnutls_datum_t out;
50
51
  /* convert the provided email to ACE-Labels domain. */
52
0
  ret = _gnutls_idna_email_map(email, strlen(email), &out);
53
0
  if (ret < 0) {
54
0
    _gnutls_debug_log("unable to convert email %s to IDNA format\n",
55
0
          email);
56
0
    a_email = (char *)email;
57
0
  } else {
58
0
    a_email = (char *)out.data;
59
0
  }
60
61
  /* try matching against:
62
   *  1) an address as an alternative name (subjectAltName) extension
63
   *     in the certificate
64
   *  2) the EMAIL field in the certificate
65
   *
66
   *  only try (2) if there is no subjectAltName extension of
67
   *  type RFC822Name, and there is a single EMAIL.
68
   */
69
70
  /* Check through all included subjectAltName extensions, comparing
71
   * against all those of type RFC822Name.
72
   */
73
0
  for (i = 0; !(ret < 0); i++) {
74
0
    rfc822namesize = sizeof(rfc822name);
75
0
    ret = gnutls_x509_crt_get_subject_alt_name(
76
0
      cert, i, rfc822name, &rfc822namesize, NULL);
77
78
0
    if (ret < 0) {
79
0
      if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
80
        /* oversized SAN; proceed without DN fallback */
81
0
        _gnutls_debug_log("oversized SAN ignored, "
82
0
              "disabling DN fallback\n");
83
0
        dn_fallback_allowed = false;
84
0
        ret = 0;
85
0
        continue;
86
0
      }
87
0
      if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
88
0
        gnutls_assert();
89
0
      break;
90
0
    }
91
92
0
    if (ret == GNUTLS_SAN_RFC822NAME) {
93
0
      dn_fallback_allowed = false;
94
95
0
      if (memchr(rfc822name, '\0', rfc822namesize)) {
96
0
        _gnutls_debug_log(
97
0
          "certificate has %s with embedded null in rfc822name\n",
98
0
          rfc822name);
99
0
        continue;
100
0
      }
101
102
0
      if (!_gnutls_str_is_print(rfc822name, rfc822namesize)) {
103
0
        _gnutls_debug_log(
104
0
          "invalid (non-ASCII) email in certificate %.*s\n",
105
0
          (int)rfc822namesize, rfc822name);
106
0
        continue;
107
0
      }
108
109
0
      ret = _gnutls_hostname_compare(
110
0
        rfc822name, rfc822namesize, a_email,
111
0
        GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS);
112
0
      if (ret != 0) {
113
0
        ret = 1;
114
0
        goto cleanup;
115
0
      }
116
0
    }
117
0
  }
118
119
0
  if (dn_fallback_allowed) {
120
    /* did not get the necessary extension, use DN email instead */
121
122
    /* only a single one must be present */
123
0
    rfc822namesize = sizeof(rfc822name);
124
0
    ret = gnutls_x509_crt_get_dn_by_oid(cert,
125
0
                GNUTLS_OID_PKCS9_EMAIL, 1,
126
0
                0, rfc822name,
127
0
                &rfc822namesize);
128
0
    if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
129
0
      ret = 0;
130
0
      goto cleanup;
131
0
    }
132
133
0
    rfc822namesize = sizeof(rfc822name);
134
0
    ret = gnutls_x509_crt_get_dn_by_oid(cert,
135
0
                GNUTLS_OID_PKCS9_EMAIL, 0,
136
0
                0, rfc822name,
137
0
                &rfc822namesize);
138
0
    if (ret < 0) {
139
0
      ret = 0;
140
0
      goto cleanup;
141
0
    }
142
143
0
    if (memchr(rfc822name, '\0', rfc822namesize)) {
144
0
      _gnutls_debug_log(
145
0
        "certificate has EMAIL %s with embedded null in name\n",
146
0
        rfc822name);
147
0
      ret = 0;
148
0
      goto cleanup;
149
0
    }
150
151
0
    if (!_gnutls_str_is_print(rfc822name, rfc822namesize)) {
152
0
      _gnutls_debug_log(
153
0
        "invalid (non-ASCII) email in certificate DN %.*s\n",
154
0
        (int)rfc822namesize, rfc822name);
155
0
      ret = 0;
156
0
      goto cleanup;
157
0
    }
158
159
0
    ret = _gnutls_hostname_compare(
160
0
      rfc822name, rfc822namesize, a_email,
161
0
      GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS);
162
0
    if (ret != 0) {
163
0
      ret = 1;
164
0
      goto cleanup;
165
0
    }
166
0
  }
167
168
  /* not found a matching name
169
   */
170
0
  ret = 0;
171
0
cleanup:
172
0
  if (a_email != email) {
173
    gnutls_free(a_email);
174
0
  }
175
0
  return ret;
176
0
}