authorNiklas Hallqvist <niklas@cvs.openbsd.org>2001-01-26 12:35:48 +0000
committerNiklas Hallqvist <niklas@cvs.openbsd.org>2001-01-26 12:35:48 +0000
commit60b97f8e7e014aee4cd89c6b33da506ee8e0740a (patch)
treec58fd76209fe4401c50c564719ea4db107078c52
parente330e56aa56aa7d7d2da12f09e411fc4c6f32a01 (diff)
There is no need to check the subjectAltName anymore, since we are in fact
looking up the certificate via the name. The lookup method already guarantees a match. It is also a problem to look at the subjectAltName should we have got the certificate with no such name in it. Prodded by mickey@ although I solved the problem in a different way.
-rw-r--r--sbin/isakmpd/regress/x509/x509test.c70
1 files changed, 69 insertions, 1 deletions
diff --git a/sbin/isakmpd/regress/x509/x509test.c b/sbin/isakmpd/regress/x509/x509test.c
index 2fca1cb8449..b14a0591ddf 100644
--- a/sbin/isakmpd/regress/x509/x509test.c
+++ b/sbin/isakmpd/regress/x509/x509test.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509test.c,v 1.12 2001/01/26 11:08:25 niklas Exp $ */
+/* $OpenBSD: x509test.c,v 1.13 2001/01/26 12:35:47 niklas Exp $ */
/* $EOM: x509test.c,v 1.9 2000/12/21 15:24:25 ho Exp $ */
/*
@@ -67,6 +67,7 @@
#include "libcrypto.h"
#include "log.h"
#include "ipsec_num.h"
+#include "isakmp_fld.h"
#include "x509.h"
u_int32_t file_sz;
@@ -94,6 +95,73 @@ open_file (char *name)
return addr;
}
+/*
+ * Check that a certificate has a subjectAltName and that it matches our ID.
+ */
+int
+x509_check_subjectaltname (u_char *id, u_int id_len, X509 *scert)
+{
+ u_int8_t *altname;
+ u_int32_t altlen;
+ int type, idtype, ret;
+
+ type = x509_cert_subjectaltname (scert, &altname, &altlen);
+ if (!type)
+ {
+ log_print ("x509_check_subjectaltname: can't access subjectAltName");
+ return 0;
+ }
+
+ /*
+ * Now that we have the X509 certicate in native form, get the
+ * subjectAltName extension and verify that it matches our ID.
+ */
+
+ /* XXX Get type of ID. */
+ idtype = id[0];
+ id += ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ;
+ id_len -= ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ;
+
+ ret = 0;
+ switch (idtype)
+ {
+ case IPSEC_ID_IPV4_ADDR:
+ if (type == X509v3_IP_ADDR)
+ ret = 1;
+ break;
+ case IPSEC_ID_FQDN:
+ if (type == X509v3_DNS_NAME)
+ ret = 1;
+ break;
+ case IPSEC_ID_USER_FQDN:
+ if (type == X509v3_RFC_NAME)
+ ret = 1;
+ break;
+ default:
+ ret = 0;
+ break;
+ }
+
+ if (!ret)
+ {
+ LOG_DBG ((LOG_CRYPTO, 50,
+ "x509_check_subjectaltname: "
+ "our ID type (%d) does not match X509 cert ID type (%d)",
+ idtype, type));
+ return 0;
+ }
+
+ if (altlen != id_len || memcmp (altname, id, id_len) != 0)
+ {
+ LOG_DBG ((LOG_CRYPTO, 50,
+ "x509_check_subjectaltname: "
+ "our ID does not match X509 cert ID"));
+ return 0;
+ }
+
+ return 1;
+}
+
int
main (int argc, char *argv[])
{
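Review bot: In the new x509_check_subjectaltname, `idtype = id[0];` and the two `ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ` adjustments run without any check that `id_len` actually covers the ISAKMP ID header, so an ID shorter than that reads past the buffer and the unsigned `id_len -=` wraps to a very large value; add before the type read `if (id_len == 0 || id_len < ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) return 0;` (the wrapped length would in practice only be caught later by the `altlen != id_len` test short-circuiting the memcmp, which is not a guarantee worth relying on). The block comment beginning `Now that we have the X509 certicate in native form` describes the subjectAltName fetch that already happened at the `x509_cert_subjectaltname` call above it and misspells "certificate"; moving it up next to that call would make it accurate. Since this copy lives in the regress harness, `static int` would be the natural linkage unless another file in the test links against it. Only the added copy is visible in this hunk, so whether it mirrors a function removed elsewhere in the commit cannot be confirmed from here; the trailing context is the start of main, whose body continues outside the hunk.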