authorMichael Brown2014-04-01 12:36:11 +0200
committerMichael Brown2014-04-01 12:36:11 +0200
commit93acb5d8d0635b8f7726bd993cde4a90a6b1d723 (patch)
tree90773ae6c34c7b7b049c3a62759a8aeef6af0906 /src/crypto
parent[crypto] Add support for subjectAltName and wildcard certificates (diff)
[crypto] Allow wildcard matches on commonName as well as subjectAltName
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/crypto')
-rw-r--r--src/crypto/x509.c18
1 files changed, 8 insertions, 10 deletions
diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index 8e503f3b..0502efa2 100644
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -1410,13 +1410,9 @@ static int x509_check_dnsname ( struct x509_certificate *cert,
( memcmp ( name, dnsname, len ) == 0 ) ) )
return -ENOENT;
- if ( name == fullname ) {
- DBGC2 ( cert, "X509 %p \"%s\" subjectAltName matches \"%s\"\n",
- cert, x509_name ( cert ), name );
- } else {
- DBGC2 ( cert, "X509 %p \"%s\" subjectAltName matches \"%s\" "
- "(via \"*.%s\")\n", cert, x509_name ( cert ),
- fullname, name );
+ if ( name != fullname ) {
+ DBGC2 ( cert, "X509 %p \"%s\" found wildcard match for "
+ "\"*.%s\"\n", cert, x509_name ( cert ), name );
}
return 0;
}
@@ -1465,8 +1461,7 @@ int x509_check_name ( struct x509_certificate *cert, const char *name ) {
int rc;
/* Check commonName */
- if ( ( strlen ( name ) == common_name->len ) &&
- ( memcmp ( name, common_name->data, common_name->len ) == 0 ) ) {
+ if ( x509_check_dnsname ( cert, common_name, name ) == 0 ) {
DBGC2 ( cert, "X509 %p \"%s\" commonName matches \"%s\"\n",
cert, x509_name ( cert ), name );
return 0;
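Review bot: The commonName check in x509_check_name() runs before the subjectAltName loop and returns 0 on a match, so with this change a wildcard commonName is accepted even when the certificate carries subjectAltName entries that would not match the requested name. RFC 6125 treats commonName as a fallback for certificates that have no dNSName subjectAltName, so either gate this call on the absence of such entries or document the deviation at the call site, e.g. `/* Check commonName (wildcards allowed; consulted even if subjectAltName is present) */`. The call also hands `name` to the wildcard comparison when it is an IP address literal. That comparison sits above the first hunk and is not visible here, so confirm that a `*.`-prefixed commonName cannot match a dotted address. x509_check_name() starts and ends outside this hunk.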
@@ -1477,8 +1472,11 @@ int x509_check_name ( struct x509_certificate *cert, const char *name ) {
sizeof ( alt_name ) );
for ( ; alt_name.len ; asn1_skip_any ( &alt_name ) ) {
if ( ( rc = x509_check_alt_name ( cert, &alt_name,
- name ) ) == 0 )
+ name ) ) == 0 ) {
+ DBGC2 ( cert, "X509 %p \"%s\" subjectAltName matches "
+ "\"%s\"\n", cert, x509_name ( cert ), name );
return 0;
+ }
}
DBGC ( cert, "X509 %p \"%s\" does not match name \"%s\"\n",