Ejemplo n.º 1
0
/**
 * gnutls_x509_name_constraints_check_crt:
 * @nc: the extracted name constraints
 * @type: the type of the constraint to check (of type gnutls_x509_subject_alt_name_t)
 * @cert: the certificate to be checked
 *
 * This function will check the provided certificate names against the constraints in
 * @nc using the RFC5280 rules. It will traverse all the certificate's names and
 * alternative names.
 *
 * Currently this function is limited to DNS
 * names and emails (of type %GNUTLS_SAN_DNSNAME and %GNUTLS_SAN_RFC822NAME).
 *
 * Returns: zero if the provided name is not acceptable, and non-zero otherwise.
 *
 * Since: 3.3.0
 **/
unsigned gnutls_x509_name_constraints_check_crt(gnutls_x509_name_constraints_t nc,
				       gnutls_x509_subject_alt_name_t type,
				       gnutls_x509_crt_t cert)
{
char name[MAX_CN];
size_t name_size;
int ret;
unsigned idx, t, san_type;
gnutls_datum_t n;
unsigned found_one;

	if (is_nc_empty(nc, type) != 0)
		return 1; /* shortcut; no constraints to check */

	if (type == GNUTLS_SAN_RFC822NAME) {
		idx = found_one = 0;
		do {
			name_size = sizeof(name);
			ret = gnutls_x509_crt_get_subject_alt_name2(cert,
				idx++, name, &name_size, &san_type, NULL);
			if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
				break;
			else if (ret < 0)
				return gnutls_assert_val(0);

			if (san_type != GNUTLS_SAN_RFC822NAME)
				continue;

			found_one = 1;
			n.data = (void*)name;
			n.size = name_size;
			t = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_RFC822NAME,
				&n);
			if (t == 0)
				return gnutls_assert_val(t);
		} while(ret >= 0);

		/* there is at least a single e-mail. That means that the EMAIL field will
		 * not be used for verifying the identity of the holder. */
		if (found_one != 0)
			return 1;

		do {
			/* ensure there is only a single EMAIL, similarly to CN handling (rfc6125) */
			name_size = sizeof(name);
			ret = gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_PKCS9_EMAIL,
							    1, 0, name, &name_size);
			if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
				return gnutls_assert_val(0);

			name_size = sizeof(name);
			ret = gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_PKCS9_EMAIL,
							    0, 0, name, &name_size);
			if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
				break;
			else if (ret < 0)
				return gnutls_assert_val(0);

			found_one = 1;
			n.data = (void*)name;
			n.size = name_size;
			t = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_RFC822NAME, &n);
			if (t == 0)
				return gnutls_assert_val(t);
		} while(0);

		/* passed */
		if (found_one != 0)
			return 1;
		else {
			/* no name was found. According to RFC5280: 
			 * If no name of the type is in the certificate, the certificate is acceptable.
			 */
			return gnutls_assert_val(1);
		}
	} else if (type == GNUTLS_SAN_DNSNAME) {
		idx = found_one = 0;
		do {
			name_size = sizeof(name);
			ret = gnutls_x509_crt_get_subject_alt_name2(cert,
				idx++, name, &name_size, &san_type, NULL);
			if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
				break;
			else if (ret < 0)
				return gnutls_assert_val(0);

			if (san_type != GNUTLS_SAN_DNSNAME)
				continue;

			found_one = 1;
			n.data = (void*)name;
			n.size = name_size;
			t = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME,
				&n);
			if (t == 0)
				return gnutls_assert_val(t);
		} while(ret >= 0);

		/* there is at least a single DNS name. That means that the CN will
		 * not be used for verifying the identity of the holder. */
		if (found_one != 0)
			return 1;

		/* verify the name constraints against the CN, if the certificate is
		 * not a CA. We do this check only on certificates marked as WWW server,
		 * because that's where the CN check is only performed. */
		if (_gnutls_check_key_purpose(cert, GNUTLS_KP_TLS_WWW_SERVER, 0) != 0)
		do {
			/* ensure there is only a single CN, according to rfc6125 */
			name_size = sizeof(name);
			ret = gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME,
				 			    1, 0, name, &name_size);
			if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
				return gnutls_assert_val(0);

			name_size = sizeof(name);
			ret = gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME,
							    0, 0, name, &name_size);
			if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
				break;
			else if (ret < 0)
				return gnutls_assert_val(0);

			found_one = 1;
			n.data = (void*)name;
			n.size = name_size;
			t = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME,
				&n);
			if (t == 0)
				return gnutls_assert_val(t);
		} while(0);

		/* passed */
		if (found_one != 0)
			return 1;
		else {
			/* no name was found. According to RFC5280: 
			 * If no name of the type is in the certificate, the certificate is acceptable.
			 */
			return gnutls_assert_val(1);
		}
	} else if (type == GNUTLS_SAN_IPADDRESS || type == GNUTLS_SAN_URI) {
		return check_unsupported_constraint2(cert, nc, type);
	} else
		return check_unsupported_constraint(nc, type);
}
Ejemplo n.º 2
0
void doit(void)
{
	int ret, suite;
	gnutls_x509_name_constraints_t nc1, nc2;
	gnutls_datum_t name;

	gnutls_global_set_log_function(tls_log_func);
	if (debug)
		gnutls_global_set_log_level(1000);

	/* 0: test the merge permitted name constraints
	 * NC1: permitted DNS org
	 *      permitted DNS ccc.com
	 *      permitted email ccc.com
	 * NC2: permitted DNS org
	 *      permitted DNS aaa.bbb.ccc.com
	 */
	suite = 0;

	ret = gnutls_x509_name_constraints_init(&nc1);
	check_for_error(ret);

	ret = gnutls_x509_name_constraints_init(&nc2);
	check_for_error(ret);

	set_name("org", &name);
	ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_for_error(ret);

	set_name("ccc.com", &name);
	ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_for_error(ret);

	set_name("ccc.com", &name);
	ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_RFC822NAME, &name);
	check_for_error(ret);

	set_name("org", &name);
	ret = gnutls_x509_name_constraints_add_permitted(nc2, GNUTLS_SAN_DNSNAME, &name);
	check_for_error(ret);

	set_name("aaa.bbb.ccc.com", &name);
	ret = gnutls_x509_name_constraints_add_permitted(nc2, GNUTLS_SAN_DNSNAME, &name);
	check_for_error(ret);

	ret = _gnutls_x509_name_constraints_merge(nc1, nc2);
	check_for_error(ret);

	/* unrelated */
	set_name("xxx.example.com", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_REJECTED, &name);

	set_name("example.org", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_ACCEPTED, &name);

	set_name("com", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_REJECTED, &name);

	set_name("xxx.com", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_REJECTED, &name);

	set_name("ccc.com", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_REJECTED, &name);

	/* check intersection of permitted */
	set_name("xxx.aaa.bbb.ccc.com", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_ACCEPTED, &name);

	set_name("aaa.bbb.ccc.com", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_ACCEPTED, &name);

	set_name("xxx.bbb.ccc.com", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_REJECTED, &name);

	set_name("xxx.ccc.com", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_REJECTED, &name);

	set_name("ccc.com", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_REJECTED, &name);

	set_name("ccc.com", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_RFC822NAME, &name);
	check_test_result(suite, ret, NAME_ACCEPTED, &name);

	set_name("xxx.ccc.com", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_RFC822NAME, &name);
	check_test_result(suite, ret, NAME_REJECTED, &name);

	gnutls_x509_name_constraints_deinit(nc1);
	gnutls_x509_name_constraints_deinit(nc2);

	/* 1: test the merge of excluded name constraints
	 * NC1: denied DNS example.com
	 * NC2: denied DNS example.net
	 */
	suite = 1;

	ret = gnutls_x509_name_constraints_init(&nc1);
	check_for_error(ret);

	ret = gnutls_x509_name_constraints_init(&nc2);
	check_for_error(ret);

	set_name("example.com", &name);
	ret = gnutls_x509_name_constraints_add_excluded(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_for_error(ret);

	set_name("example.net", &name);
	ret = gnutls_x509_name_constraints_add_excluded(nc2, GNUTLS_SAN_DNSNAME, &name);
	check_for_error(ret);

	ret = _gnutls_x509_name_constraints_merge(nc1, nc2);
	check_for_error(ret);

	set_name("xxx.example.com", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_REJECTED, &name);

	set_name("xxx.example.net", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_REJECTED, &name);

	set_name("example.com", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_REJECTED, &name);

	set_name("example.net", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_REJECTED, &name);

	set_name("example.org", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_ACCEPTED, &name);

	gnutls_x509_name_constraints_deinit(nc1);
	gnutls_x509_name_constraints_deinit(nc2);

	/* 2: test permitted constraints with empty intersection
	 *    (no permitted nodes remain)
	 * NC1: permitted DNS one.example.com
	 * NC2: permitted DNS two.example.com
	 */
	suite = 2;

	ret = gnutls_x509_name_constraints_init(&nc1);
	check_for_error(ret);

	ret = gnutls_x509_name_constraints_init(&nc2);
	check_for_error(ret);

	set_name("one.example.com", &name);
	ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_for_error(ret);

	set_name("two.example.com", &name);
	ret = gnutls_x509_name_constraints_add_permitted(nc2, GNUTLS_SAN_DNSNAME, &name);
	check_for_error(ret);

	ret = _gnutls_x509_name_constraints_merge(nc1, nc2);
	check_for_error(ret);

	set_name("one.example.com", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_REJECTED, &name);

	set_name("two.example.com", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_REJECTED, &name);

	set_name("three.example.com", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_REJECTED, &name);

	set_name("example.com", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_REJECTED, &name);

	set_name("org", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_REJECTED, &name);

	gnutls_x509_name_constraints_deinit(nc1);
	gnutls_x509_name_constraints_deinit(nc2);

	/* 3: test more permitted constraints, some with empty intersection
	 * NC1: permitted DNS foo.com
	 *      permitted DNS bar.com
	 *      permitted email redhat.com
	 * NC2: permitted DNS sub.foo.com
	 */
	suite = 3;

	ret = gnutls_x509_name_constraints_init(&nc1);
	check_for_error(ret);

	ret = gnutls_x509_name_constraints_init(&nc2);
	check_for_error(ret);

	set_name("foo.com", &name);
	ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_for_error(ret);

	set_name("bar.com", &name);
	ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_for_error(ret);

	set_name("sub.foo.com", &name);
	ret = gnutls_x509_name_constraints_add_permitted(nc2, GNUTLS_SAN_DNSNAME, &name);
	check_for_error(ret);

	ret = _gnutls_x509_name_constraints_merge(nc1, nc2);
	check_for_error(ret);

	set_name("foo.com", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_REJECTED, &name);

	set_name("bar.com", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_REJECTED, &name);

	set_name("sub.foo.com", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_ACCEPTED, &name);

	set_name("anothersub.foo.com", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_REJECTED, &name);

	set_name("com", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_REJECTED, &name);

	gnutls_x509_name_constraints_deinit(nc1);
	gnutls_x509_name_constraints_deinit(nc2);

	/* 4: test permitted constraints with empty intersection
	 *    almost identical to 2, but extra name constraint of different type
	 *    that remains after intersection
	 * NC1: permitted DNS three.example.com
	 *      permitted email redhat.com
	 * NC2: permitted DNS four.example.com
	 */
	suite = 4;

	ret = gnutls_x509_name_constraints_init(&nc1);
	check_for_error(ret);

	ret = gnutls_x509_name_constraints_init(&nc2);
	check_for_error(ret);

	set_name("three.example.com", &name);
	ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_for_error(ret);

	set_name("redhat.com", &name);
	ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_RFC822NAME, &name);
	check_for_error(ret);

	set_name("four.example.com", &name);
	ret = gnutls_x509_name_constraints_add_permitted(nc2, GNUTLS_SAN_DNSNAME, &name);
	check_for_error(ret);

	ret = _gnutls_x509_name_constraints_merge(nc1, nc2);
	check_for_error(ret);

	set_name("three.example.com", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_REJECTED, &name);

	set_name("four.example.com", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_REJECTED, &name);

	set_name("five.example.com", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_REJECTED, &name);

	set_name("example.com", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_REJECTED, &name);

	set_name("org", &name);
	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
	check_test_result(suite, ret, NAME_REJECTED, &name);

	gnutls_x509_name_constraints_deinit(nc1);
	gnutls_x509_name_constraints_deinit(nc2);

	/* Test footer */

	if (debug)
		success("Test success.\n");
}