Resolves: #i123744# consider certificate's Subject Alternative Name...

field when searching for matching certificate host name

(cherry picked from commit 226085ad2004319c5142b392bb4b48ab79c3b747)

Change-Id: I0d1690f75c1aa3288c677823105e21bb6e969f41

2 files changed, 41 insertions, 5 deletions

diff --git a/ucb/source/ucp/webdav/SerfSession.cxx b/ucb/source/ucp/webdav/SerfSession.cxx
index 008b6f13d7ff..bb8c6e17d4da 100644
--- a/ucb/source/ucp/webdav/SerfSession.cxx
+++ b/ucb/source/ucp/webdav/SerfSession.cxx
@@ -26,7 +26,7 @@
 #include "ucbhelper/simplecertificatevalidationrequest.hxx"
 
 #include "AprEnv.hxx"
-#include <apr_strings.h>
+#include <apr/apr_strings.h>
 
 #include "DAVAuthListener.hxx"
 #include "SerfTypes.hxx"
@@ -43,6 +43,10 @@
 #include <com/sun/star/security/CertificateContainerStatus.hpp>
 #include <com/sun/star/security/CertificateContainer.hpp>
 #include <com/sun/star/security/XCertificateContainer.hpp>
+#include <com/sun/star/security/CertAltNameEntry.hpp>
+#include <com/sun/star/security/XSanExtension.hpp>
+#define OID_SUBJECT_ALTERNATIVE_NAME "2.5.29.17"
+
 #include <com/sun/star/ucb/Lock.hpp>
 #include <com/sun/star/xml/crypto/XSEInitializer.hpp>
 
@@ -461,7 +465,40 @@ apr_status_t SerfSession::verifySerfCertificateChain (
 
     // When the certificate matches the host name then we can use the
     // result of the verification.
-    if (isDomainMatch(sServerCertificateSubject))
+    bool bHostnameMatchesCertHostnames = false;
+    {
+        uno::Sequence< uno::Reference< security::XCertificateExtension > > extensions = xServerCertificate->getExtensions();
+        uno::Sequence< security::CertAltNameEntry > altNames;
+        for (sal_Int32 i = 0 ; i < extensions.getLength(); ++i)
+        {
+            uno::Reference< security::XCertificateExtension >element = extensions[i];
+
+            const rtl::OString aId ( (const sal_Char *)element->getExtensionId().getArray(), element->getExtensionId().getLength());
+            if ( aId.equals( OID_SUBJECT_ALTERNATIVE_NAME ) )
+            {
+                uno::Reference< security::XSanExtension > sanExtension ( element, uno::UNO_QUERY );
+                altNames =  sanExtension->getAlternativeNames();
+                break;
+            }
+        }
+
+        uno::Sequence< ::rtl::OUString > certHostNames(altNames.getLength() + 1);
+        certHostNames[0] = sServerCertificateSubject;
+        for( int n = 0; n < altNames.getLength(); ++n )
+        {
+            if (altNames[n].Type ==  security::ExtAltNameType_DNS_NAME)
+            {
+                altNames[n].Value >>= certHostNames[n+1];
+            }
+        }
+
+        for ( int i = 0; i < certHostNames.getLength() && !bHostnameMatchesCertHostnames; ++i )
+        {
+            bHostnameMatchesCertHostnames = isDomainMatch( certHostNames[i] );
+        }
+
+    }
+    if ( bHostnameMatchesCertHostnames )
     {
 
         if (nVerificationResult == 0)
@@ -508,8 +545,7 @@ apr_status_t SerfSession::verifySerfCertificateChain (
 
             if ( xSelection.is() )
             {
-                uno::Reference< task::XInteractionApprove > xApprove(
-                    xSelection.get(), uno::UNO_QUERY );
+                uno::Reference< task::XInteractionApprove > xApprove( xSelection.get(), uno::UNO_QUERY );
                 if ( xApprove.is() )
                 {
                     xCertificateContainer->addCertificate( getHostName(), sServerCertificateSubject,  sal_True );
diff --git a/ucb/source/ucp/webdav/SerfTypes.hxx b/ucb/source/ucp/webdav/SerfTypes.hxx
index b396697be9f7..5be06a6c1fbe 100644
--- a/ucb/source/ucp/webdav/SerfTypes.hxx
+++ b/ucb/source/ucp/webdav/SerfTypes.hxx
@@ -22,7 +22,7 @@
 #ifndef INCLUDED_SERFTYPES_HXX
 #define INCLUDED_SERFTYPES_HXX
 
-#include <serf.h>
+#include <serf/serf.h>
 
 typedef serf_connection_t SerfConnection;