Skip to content
Snippets Groups Projects
Commit d82a1021 authored by Roxie Linden's avatar Roxie Linden
Browse files

Fix issue parsing wildcard cns in certificates

CR: Karina
parent a42dcc3f
No related branches found
No related tags found
No related merge requests found
......@@ -782,23 +782,49 @@ bool _cert_hostname_wildcard_match(const std::string& hostname, const std::strin
{
std::string new_hostname = hostname;
std::string new_cn = common_name;
int subdomain_pos = new_hostname.find_first_of('.');
int subcn_pos = new_cn.find_first_of('.');
while((subcn_pos != std::string::npos) && (subdomain_pos != std::string::npos))
// find the last '.' in the hostname and the match name.
int subdomain_pos = new_hostname.find_last_of('.');
int subcn_pos = new_cn.find_last_of('.');
// if the last char is a '.', strip it
if(subdomain_pos == (new_hostname.length()-1))
{
new_hostname = new_hostname.substr(0, subdomain_pos);
subdomain_pos = new_hostname.find_last_of('.');
}
if(subcn_pos == (new_cn.length()-1))
{
// snip out the first subdomain and cn element
new_cn = new_cn.substr(0, subcn_pos);
subcn_pos = new_cn.find_last_of('.');
}
if(!_cert_subdomain_wildcard_match(new_hostname.substr(0, subdomain_pos),
new_cn.substr(0, subcn_pos)))
// Check to see if there are any further '.' in the string.
while((subcn_pos != std::string::npos) && (subdomain_pos != std::string::npos))
{
// snip out last subdomain in both the match string and the hostname
// The last bit for 'my.current.host.com' would be 'com'
std::string cn_part = new_cn.substr(subcn_pos+1, std::string::npos);
std::string hostname_part = new_hostname.substr(subdomain_pos+1, std::string::npos);
if(!_cert_subdomain_wildcard_match(new_hostname.substr(subdomain_pos+1, std::string::npos),
cn_part))
{
return FALSE;
}
new_hostname = new_hostname.substr(subdomain_pos+1, std::string::npos);
new_cn = new_cn.substr(subcn_pos+1, std::string::npos);
subdomain_pos = new_hostname.find_first_of('.');
subcn_pos = new_cn.find_first_of('.');
new_hostname = new_hostname.substr(0, subdomain_pos);
new_cn = new_cn.substr(0, subcn_pos);
subdomain_pos = new_hostname.find_last_of('.');
subcn_pos = new_cn.find_last_of('.');
}
// check to see if the most significant portion of the common name is '*'. If so, we can
// simply return success as child domains are also matched.
if(new_cn == "*")
{
// if it's just a '*' we support all child domains as well, so '*.
return TRUE;
}
return _cert_subdomain_wildcard_match(new_hostname, new_cn);
}
......
......@@ -702,12 +702,18 @@ namespace tut
{
ensure("simple name match",
_cert_hostname_wildcard_match("foo", "foo"));
ensure("simple name match, with end period",
_cert_hostname_wildcard_match("foo.", "foo."));
ensure("simple name match, with begin period",
_cert_hostname_wildcard_match(".foo", ".foo"));
ensure("simple name match, with mismatched period cn",
_cert_hostname_wildcard_match("foo.", "foo"));
ensure("simple name match, with mismatched period hostname",
_cert_hostname_wildcard_match("foo", "foo."));
ensure("simple name match, with subdomain",
_cert_hostname_wildcard_match("foo.bar", "foo.bar"));
......@@ -772,11 +778,26 @@ namespace tut
ensure("end periods",
_cert_hostname_wildcard_match("foo.bar.com.", "*.b*r.com."));
ensure("mismatch end period",
!_cert_hostname_wildcard_match("foo.bar.com.", "*.b*r.com"));
ensure("match end period",
_cert_hostname_wildcard_match("foo.bar.com.", "*.b*r.com"));
ensure("match end period2",
_cert_hostname_wildcard_match("foo.bar.com", "*.b*r.com."));
ensure("wildcard mismatch",
!_cert_hostname_wildcard_match("bar.com", "*.bar.com"));
ensure("wildcard match",
_cert_hostname_wildcard_match("foo.bar.com", "*.bar.com"));
ensure("wildcard match",
_cert_hostname_wildcard_match("foo.foo.bar.com", "*.bar.com"));
ensure("wildcard match",
_cert_hostname_wildcard_match("foo.foo.bar.com", "*.*.com"));
ensure("mismatch end period2",
!_cert_hostname_wildcard_match("foo.bar.com", "*.b*r.com."));
ensure("wildcard mismatch",
!_cert_hostname_wildcard_match("foo.foo.bar.com", "*.foo.com"));
}
// test cert chain
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment