authorOliver-Rainer Wittmann <orw@apache.org>2014-01-21 16:32:58 +0000
committerCaolán McNamara <caolanm@redhat.com>2014-01-22 10:00:20 +0000
commit4a56b4ab2c100c506096f1808cca7268e576086c (patch)
tree6ac2e1062db60cab65d94b722695131f2a21b9e1 /ucb/source/ucp/webdav/SerfSession.cxx
parent17cfcceb4e594e727a28ddaf311d794cd9cc9990 (diff)
Resolves: #i123744# consider certificate's Subject Alternative Name...
field when searching for matching certificate host name (cherry picked from commit 226085ad2004319c5142b392bb4b48ab79c3b747) Change-Id: I0d1690f75c1aa3288c677823105e21bb6e969f41
Diffstat (limited to 'ucb/source/ucp/webdav/SerfSession.cxx')
-rw-r--r--ucb/source/ucp/webdav/SerfSession.cxx44
1 files changed, 40 insertions, 4 deletions
diff --git a/ucb/source/ucp/webdav/SerfSession.cxx b/ucb/source/ucp/webdav/SerfSession.cxx
index 008b6f13d7ff..bb8c6e17d4da 100644
--- a/ucb/source/ucp/webdav/SerfSession.cxx
+++ b/ucb/source/ucp/webdav/SerfSession.cxx
@@ -26,7 +26,7 @@
#include "ucbhelper/simplecertificatevalidationrequest.hxx"
#include "AprEnv.hxx"
-#include <apr_strings.h>
+#include <apr/apr_strings.h>
#include "DAVAuthListener.hxx"
#include "SerfTypes.hxx"
@@ -43,6 +43,10 @@
#include <com/sun/star/security/CertificateContainerStatus.hpp>
#include <com/sun/star/security/CertificateContainer.hpp>
#include <com/sun/star/security/XCertificateContainer.hpp>
+#include <com/sun/star/security/CertAltNameEntry.hpp>
+#include <com/sun/star/security/XSanExtension.hpp>
+#define OID_SUBJECT_ALTERNATIVE_NAME "2.5.29.17"
+
#include <com/sun/star/ucb/Lock.hpp>
#include <com/sun/star/xml/crypto/XSEInitializer.hpp>
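Review bot: `#define OID_SUBJECT_ALTERNATIVE_NAME "2.5.29.17"` sits in the middle of the include list with no explanation of what is being compared. Move it below the last include and document it, e.g. `// Dotted-decimal OID of the X.509 subjectAltName extension (id-ce 17); matched against the bytes of XCertificateExtension::getExtensionId()`. A `static const` string constant would keep the name out of the preprocessor, provided it still converts for the `rtl::OString::equals` call that uses it.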
@@ -461,7 +465,40 @@ apr_status_t SerfSession::verifySerfCertificateChain (
// When the certificate matches the host name then we can use the
// result of the verification.
- if (isDomainMatch(sServerCertificateSubject))
+ bool bHostnameMatchesCertHostnames = false;
+ {
+ uno::Sequence< uno::Reference< security::XCertificateExtension > > extensions = xServerCertificate->getExtensions();
+ uno::Sequence< security::CertAltNameEntry > altNames;
+ for (sal_Int32 i = 0 ; i < extensions.getLength(); ++i)
+ {
+ uno::Reference< security::XCertificateExtension >element = extensions[i];
+
+ const rtl::OString aId ( (const sal_Char *)element->getExtensionId().getArray(), element->getExtensionId().getLength());
+ if ( aId.equals( OID_SUBJECT_ALTERNATIVE_NAME ) )
+ {
+ uno::Reference< security::XSanExtension > sanExtension ( element, uno::UNO_QUERY );
+ altNames = sanExtension->getAlternativeNames();
+ break;
+ }
+ }
+
+ uno::Sequence< ::rtl::OUString > certHostNames(altNames.getLength() + 1);
+ certHostNames[0] = sServerCertificateSubject;
+ for( int n = 0; n < altNames.getLength(); ++n )
+ {
+ if (altNames[n].Type == security::ExtAltNameType_DNS_NAME)
+ {
+ altNames[n].Value >>= certHostNames[n+1];
+ }
+ }
+
+ for ( int i = 0; i < certHostNames.getLength() && !bHostnameMatchesCertHostnames; ++i )
+ {
+ bHostnameMatchesCertHostnames = isDomainMatch( certHostNames[i] );
+ }
+
+ }
+ if ( bHostnameMatchesCertHostnames )
{
if (nVerificationResult == 0)
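Review bot: The `uno::Reference< security::XSanExtension > sanExtension ( element, uno::UNO_QUERY )` in the extension loop can be empty when the extension object does not implement XSanExtension, and the next line dereferences it unconditionally; guard it, `if ( sanExtension.is() ) altNames = sanExtension->getAlternativeNames();`, before the `break`. On the same block, `certHostNames[0] = sServerCertificateSubject` means the subject CN is still accepted as a host name even when the certificate carries dNSName SAN entries, whereas RFC 6125 treats the CN only as a fallback for certificates with no dNSName entries, so a CN the SAN list was meant to supersede can still satisfy the match; consider filling the subject in only when no DNS alternative name was collected. SAN entries of other types leave their `certHostNames` slot as an empty string that is then handed to isDomainMatch, and whether isDomainMatch rejects an empty name is not visible here. verifySerfCertificateChain starts and ends outside the hunk.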
@@ -508,8 +545,7 @@ apr_status_t SerfSession::verifySerfCertificateChain (
if ( xSelection.is() )
{
- uno::Reference< task::XInteractionApprove > xApprove(
- xSelection.get(), uno::UNO_QUERY );
+ uno::Reference< task::XInteractionApprove > xApprove( xSelection.get(), uno::UNO_QUERY );
if ( xApprove.is() )
{
xCertificateContainer->addCertificate( getHostName(), sServerCertificateSubject, sal_True );