summaryrefslogtreecommitdiff
path: root/lib/x509/email-verify.c
blob: bb37db09e336c96faee4772e3e5d201976a6a344 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
/*
 * Copyright (C) 2003-2012 Free Software Foundation, Inc.
 * Copyright (C) 2002 Andrew McDonald
 *
 * This file is part of GnuTLS.
 *
 * The GnuTLS is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public License
 * as published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>
 *
 */

#include "gnutls_int.h"
#include <str.h>
#include <x509_int.h>
#include <common.h>
#include "errors.h"
#include <system.h>

static int has_embedded_null(const char *str, unsigned size)
{
	if (strlen(str) != size)
		return 1;
	return 0;
}

/**
 * gnutls_x509_crt_check_email:
 * @cert: should contain an gnutls_x509_crt_t type
 * @email: A null terminated string that contains an email address (RFC822)
 * @flags: should be zero
 *
 * This function will check if the given certificate's subject matches
 * the given email address.
 *
 * Returns: non-zero for a successful match, and zero on failure.
 **/
unsigned
gnutls_x509_crt_check_email(gnutls_x509_crt_t cert,
			    const char *email, unsigned int flags)
{
	char rfc822name[MAX_CN];
	size_t rfc822namesize;
	int found_rfc822name = 0;
	int ret = 0;
	int i = 0;
	char *a_email;
	gnutls_datum_t out;

	/* convert the provided email to ACE-Labels domain. */
	ret = _gnutls_idna_email_map(email, strlen(email), &out);
	if (ret < 0) {
		_gnutls_debug_log("unable to convert email %s to IDNA format\n", email);
		a_email = (char*)email;
	} else {
		a_email = (char*)out.data;
	}

	/* try matching against:
	 *  1) an address as an alternative name (subjectAltName) extension
	 *     in the certificate
	 *  2) the EMAIL field in the certificate
	 *
	 *  only try (2) if there is no subjectAltName extension of
	 *  type RFC822Name, and there is a single EMAIL.
	 */

	/* Check through all included subjectAltName extensions, comparing
	 * against all those of type RFC822Name.
	 */
	for (i = 0; !(ret < 0); i++) {

		rfc822namesize = sizeof(rfc822name);
		ret = gnutls_x509_crt_get_subject_alt_name(cert, i,
							   rfc822name,
							   &rfc822namesize,
							   NULL);

		if (ret == GNUTLS_SAN_RFC822NAME) {
			found_rfc822name = 1;

			if (has_embedded_null(rfc822name, rfc822namesize)) {
				_gnutls_debug_log("certificate has %s with embedded null in rfc822name\n", rfc822name);
				continue;
			}

			if (!_gnutls_str_is_print(rfc822name, rfc822namesize)) {
				_gnutls_debug_log("invalid (non-ASCII) email in certificate %.*s\n", (int)rfc822namesize, rfc822name);
				continue;
			}

			ret = _gnutls_hostname_compare(rfc822name, rfc822namesize, a_email, GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS);
			if (ret != 0) {
				ret = 1;
				goto cleanup;
			}
		}
	}

	if (!found_rfc822name) {
		/* did not get the necessary extension, use CN instead
		 */

		/* enforce the RFC6125 (ยง1.8) requirement that only
		 * a single CN must be present */
		rfc822namesize = sizeof(rfc822name);
		ret = gnutls_x509_crt_get_dn_by_oid
			(cert, GNUTLS_OID_PKCS9_EMAIL, 1, 0, rfc822name,
			 &rfc822namesize);
		if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
			ret = 0;
			goto cleanup;
		}

		rfc822namesize = sizeof(rfc822name);
		ret = gnutls_x509_crt_get_dn_by_oid
			(cert, GNUTLS_OID_PKCS9_EMAIL, 0, 0, rfc822name,
			 &rfc822namesize);
		if (ret < 0) {
			ret = 0;
			goto cleanup;
		}

		if (has_embedded_null(rfc822name, rfc822namesize)) {
			_gnutls_debug_log("certificate has EMAIL %s with embedded null in name\n", rfc822name);
			ret = 0;
			goto cleanup;
		}

		if (!_gnutls_str_is_print(rfc822name, rfc822namesize)) {
			_gnutls_debug_log("invalid (non-ASCII) email in certificate DN %.*s\n", (int)rfc822namesize, rfc822name);
			ret = 0;
			goto cleanup;
		}

		ret = _gnutls_hostname_compare(rfc822name, rfc822namesize, a_email, GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS);
		if (ret != 0) {
			ret = 1;
			goto cleanup;
		}
	}

	/* not found a matching name
	 */
	ret = 0;
 cleanup:
	if (a_email != email) {
		gnutls_free(a_email);
	}
	return ret;
}