2 COPYRIGHT AND PERMISSION NOTICE
4 Copyright (c) 1996 - 2010, Daniel Stenberg, <daniel@haxx.se>.
8 Permission to use, copy, modify, and distribute this software for any purpose
9 with or without fee is hereby granted, provided that the above copyright
10 notice and this permission notice appear in all copies.
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
13 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN
15 NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
16 DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
17 OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
18 OR OTHER DEALINGS IN THE SOFTWARE.
20 Except as contained in this notice, the name of a copyright holder shall not
21 be used in advertising or otherwise to promote the sale, use or other dealings
22 in this Software without prior written authorization of the copyright holder.
24 /* simplified to a basic host name check */
25 #include <openssl/x509_vfy.h>
26 #include <openssl/x509v3.h>
32 /** @fn static bool cert_hostcheck(const char *hostname, char *pattern)
33 * Verifies that the hostname matches against the pattern specified.
34 * Handles wildcard patterns and ignores the distinction between upper and lower
35 * case letters. Note: Ported over from ssluse.c in curl (7.1.16) lib Note:
36 * Explicit pattern match disabled as we do not use that for processing node
37 * certificate. Note: No longer ignores the distinction between upper and lower
38 * case letters. Our certificate is generated with lowercase letters.
39 * @return true if matches, false otherwise
40 * @param hostname The hostname we want to check. e.g: vault.trustcommerce.com
41 * @param pattern The pattern we wish to match against. e.g: *.trustcommerce.com
44 cert_hostcheck(const char* pattern
, const char* hostname
)
46 if (!hostname
|| !pattern
|| !*hostname
|| !*pattern
)
48 if (!strcmp(hostname
, pattern
))
52 /** @fn static bool checkCertificate(X509 *cert, char *host)
53 * Provides validation of the hostname associated with a certificate.
54 * See RFC2818 - Server Identity for an overview of the concept.
55 * This implementation is based off the one found in curl-7.16.1: ssluse.c
56 * but we treat the subjectAltName as a recommendation... so if it fails,
57 * we will proceed to the CN check.
58 * The rationale for this is that we are not always using HTTP (over SSL)
59 * and its more of a certification generation / CA issue and we want
60 * maximum interoperability (as opposed to strict compliance).
61 * @param cert The X509 certificate in question.
62 * @param host The hostname or ip we wish to check.
63 * @return true if matches, false otherwise
66 checkCertificate(X509
* cert
, const char* host
)
70 STACK_OF(GENERAL_NAME
) * altnames
;
71 unsigned char nulstr
[] = { '\0' };
72 unsigned char* peer_CN
= nulstr
;
80 altnames
= (STACK_OF(GENERAL_NAME
)*)(X509_get_ext_d2i(
81 cert
, NID_subject_alt_name
, NULL
, NULL
));
83 if (altnames
!= NULL
) {
84 int numalts
= sk_GENERAL_NAME_num(altnames
);
85 for (i
= 0; (i
< numalts
) && (matched
== false); i
++) {
86 const GENERAL_NAME
* check
= sk_GENERAL_NAME_value(altnames
, i
);
87 #if OPENSSL_VERSION_NUMBER < 0x10100000L
88 const char* altptr
= (char*)(ASN1_STRING_data(check
->d
.ia5
));
90 const char* altptr
= (char*)(ASN1_STRING_get0_data(check
->d
.ia5
));
93 switch (check
->type
) {
95 altlen
= ASN1_STRING_length(check
->d
.ia5
);
96 if (altlen
== strlen(host
) && cert_hostcheck(altptr
, host
))
100 altlen
= ASN1_STRING_length(check
->d
.ia5
);
101 if (altlen
== strlen(host
) && !memcmp(altptr
, host
, altlen
))
106 GENERAL_NAMES_free(altnames
);
107 if (matched
!= false)
113 name
= X509_get_subject_name(cert
);
117 // get the last CN found in the subject (supposedly its the most distinguished
119 while ((j
= X509_NAME_get_index_by_NID(name
, NID_commonName
, i
)) >= 0)
125 tmp
= X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name
, i
));
126 /* workaround for version of openssl < 0.9.7d */
127 if (tmp
&& ASN1_STRING_type(tmp
) == V_ASN1_UTF8STRING
) {
128 j
= ASN1_STRING_length(tmp
);
130 peer_CN
= (unsigned char*)(OPENSSL_malloc(j
+ 1));
132 #if OPENSSL_VERSION_NUMBER < 0x10100000L
133 memcpy(peer_CN
, ASN1_STRING_data(tmp
), j
);
135 memcpy(peer_CN
, ASN1_STRING_get0_data(tmp
), j
);
141 j
= ASN1_STRING_to_UTF8(&peer_CN
, tmp
);
144 if (peer_CN
== nulstr
)
148 return false; // the cn isnt missing in virtually all cases
149 else if (!cert_hostcheck((char*)(peer_CN
), host
))
155 OPENSSL_free(peer_CN
);
160 TCLinkDefaultValidate(int x
, void* cert
)
162 if (x
!= 0 || cert
== NULL
)
164 return !checkCertificate((X509
*)cert
, "pgw1.trustcommerce.com");