From e39d2c702d70b572f5055859142dc4e683926f89 Mon Sep 17 00:00:00 2001
From: Alex Miller
Date: Wed, 27 Jun 2018 16:14:34 -0700
Subject: [PATCH] Support Subject Alternative Name verification in TLS Plugin.

The TLS code understands three different things it can verify: the subject, the issuer, and the root. The existing code assumes that any attribute we can verify against one of these is also verifyable against the others. For Subject Alternative Name, this might not be true. There exists both Subject Alternative Name and Issuer Alternative Name. This code change allows one to write "I.subjectAltName=Foo", and we'll verifiy a Subject Alt Name against the Issuer, which wouldn't be right. Issuer Alternative Name isn't a requested feature (yet?), so I'm punting on this problem.
---
 FDBLibTLS/FDBLibTLSVerify.cpp | 2 +-
 FDBLibTLS/Makefile | 2 +-
 FDBLibTLS/verify-test.cpp | 1 +
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/FDBLibTLS/FDBLibTLSVerify.cpp b/FDBLibTLS/FDBLibTLSVerify.cpp
index 0c28a2f036..9741f3cafa 100644
--- a/FDBLibTLS/FDBLibTLSVerify.cpp
+++ b/FDBLibTLS/FDBLibTLSVerify.cpp
@@ -136,7 +136,7 @@ static std::pair splitPair(std::string const& input, c
 static int abbrevToNID(std::string const& sn) {
 int nid = NID_undef;
- if (sn == "C" || sn == "CN" || sn == "L" || sn == "ST" || sn == "O" || sn == "OU" || sn == "UID" || sn == "DC")
+ if (sn == "C" || sn == "CN" || sn == "L" || sn == "ST" || sn == "O" || sn == "OU" || sn == "UID" || sn == "DC" || sn == "subjectAltName")
 nid = OBJ_sn2nid(sn.c_str());
 if (nid == NID_undef) throw std::runtime_error("abbrevToNID");
diff --git a/FDBLibTLS/Makefile b/FDBLibTLS/Makefile
index c0d0511622..e2f8ec4948 100644
--- a/FDBLibTLS/Makefile
+++ b/FDBLibTLS/Makefile
@@ -5,7 +5,7 @@ CFLAGS ?= -O2 -g
 CXXFLAGS ?= -std=c++0x
-CFLAGS += -I/usr/local/include
+CFLAGS += -I/usr/local/include -I../fdbrpc
 LDFLAGS += -L/usr/local/lib
 LIBS += -ltls -lssl -lcrypto
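Review bot: The added `sn == "subjectAltName"` alternative makes abbrevToNID accept the attribute for every verification target, so a rule such as `I.subjectAltName=Foo` or `R.subjectAltName=Foo` parses cleanly even though, as the commit message itself says, only the subject side is meant to carry it; abbrevToNID sees only `sn`, so the check belongs in the caller that knows the prefix, along the lines of `if (nid == NID_subject_alt_name && prefix != "S") throw std::runtime_error("subjectAltName is only valid for the subject");` (the caller's prefix variable is not visible here, so that name is illustrative). Until that is done, a comment above the condition, `// subjectAltName is only meaningful for the subject (S.); I./R. are not rejected yet`, would record the known gap next to the whitelist rather than only in the commit message. subjectAltName is an X.509 extension rather than an X509_NAME entry, so the matching code that consumes this NID must look it up differently from the other attributes; that code is outside the hunk and I cannot confirm it does. abbrevToNID's body continues past the hunk.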
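Review bot: The new `-I../fdbrpc` include path is not tied to any visible source change and the commit message does not say which header from fdbrpc the TLS plugin now needs, so a short comment on that line, `# fdbrpc headers: <name the header here>`, would keep the dependency explicit. It is added to CFLAGS while the two source files touched by this patch are C++; whether CXXFLAGS inherits CFLAGS is decided elsewhere in the Makefile and not visible in the hunk, so this may already be covered.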
diff --git a/FDBLibTLS/verify-test.cpp b/FDBLibTLS/verify-test.cpp
index 43eee377bf..d2b3b3e3dc 100644
--- a/FDBLibTLS/verify-test.cpp
+++ b/FDBLibTLS/verify-test.cpp
@@ -208,6 +208,7 @@ int main(int argc, char **argv)
 FDBLibTLSVerifyTest("CN=\\61\\62\\63", true, true, {{NID_commonName, "abc"}}, {}, {}),
 FDBLibTLSVerifyTest("CN=a\\62c", true, true, {{NID_commonName, "abc"}}, {}, {}),
 FDBLibTLSVerifyTest("CN=a\\01c", true, true, {{NID_commonName, "a\001c"}}, {}, {}),
+FDBLibTLSVerifyTest("S.subjectAltName=XYZCorp", true, true, {{NID_subject_alt_name, "XYZCorp"}}, {}, {}),
 // Invalid cases.
 FDBLibTLSVerifyTest("Check.Invalid=0"),
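Review bot: The new case only pins the parse of `S.subjectAltName=XYZCorp`; there is no companion entry for the issuer or root prefixes, so the acceptance of `I.subjectAltName=...` that the commit message calls out is neither rejected nor documented by a test. Once the parser rejects it, an entry in the invalid-cases list, `FDBLibTLSVerifyTest("I.subjectAltName=XYZCorp"),`, would pin that; until then a comment on the added line, `// Only S. is meaningful for subjectAltName; I./R. are not rejected yet`, records the gap where the next reader will look. The expected value `XYZCorp` carries no GeneralName type (DNS, email, IP, URI), so which SAN entries a rule like this is meant to match cannot be seen from the test; if the matcher compares the string against every entry type, that behaviour deserves a case of its own. main's initializer list continues outside the hunk.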