1 //
2 //
3 // Copyright 2020 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 // http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18
19 #include <grpc/support/port_platform.h>
20
21 #include "src/core/lib/security/credentials/tls/tls_utils.h"
22
23 #include "absl/strings/ascii.h"
24 #include "absl/strings/match.h"
25 #include "absl/strings/str_cat.h"
26
27 namespace grpc_core {
28
29 // Based on
30 // https://github.com/grpc/grpc-java/blob/ca12e7a339add0ef48202fb72434b9dc0df41756/xds/src/main/java/io/grpc/xds/internal/sds/trust/SdsX509TrustManager.java#L62
VerifySubjectAlternativeName(absl::string_view subject_alternative_name,const std::string & matcher)31 bool VerifySubjectAlternativeName(absl::string_view subject_alternative_name,
32 const std::string& matcher) {
33 if (subject_alternative_name.empty() ||
34 absl::StartsWith(subject_alternative_name, ".")) {
35 // Illegal pattern/domain name
36 return false;
37 }
38 if (matcher.empty() || absl::StartsWith(matcher, ".")) {
39 // Illegal domain name
40 return false;
41 }
42 // Normalize \a subject_alternative_name and \a matcher by turning them into
43 // absolute domain names if they are not yet absolute. This is needed because
44 // server certificates do not normally contain absolute names or patterns, but
45 // they should be treated as absolute. At the same time, any
46 // subject_alternative_name presented to this method should also be treated as
47 // absolute for the purposes of matching to the server certificate.
48 std::string normalized_san =
49 absl::EndsWith(subject_alternative_name, ".")
50 ? std::string(subject_alternative_name)
51 : absl::StrCat(subject_alternative_name, ".");
52 std::string normalized_matcher =
53 absl::EndsWith(matcher, ".") ? matcher : absl::StrCat(matcher, ".");
54 absl::AsciiStrToLower(&normalized_san);
55 absl::AsciiStrToLower(&normalized_matcher);
56 if (!absl::StrContains(normalized_san, "*")) {
57 return normalized_san == normalized_matcher;
58 }
59 // WILDCARD PATTERN RULES:
60 // 1. Asterisk (*) is only permitted in the left-most domain name label and
61 // must be the only character in that label (i.e., must match the whole
62 // left-most label). For example, *.example.com is permitted, while
63 // *a.example.com, a*.example.com, a*b.example.com, a.*.example.com are
64 // not permitted.
65 // 2. Asterisk (*) cannot match across domain name labels.
66 // For example, *.example.com matches test.example.com but does not match
67 // sub.test.example.com.
68 // 3. Wildcard patterns for single-label domain names are not permitted.
69 if (!absl::StartsWith(normalized_san, "*.")) {
70 // Asterisk (*) is only permitted in the left-most domain name label and
71 // must be the only character in that label
72 return false;
73 }
74 if (normalized_san == "*.") {
75 // Wildcard pattern for single-label domain name -- not permitted.
76 return false;
77 }
78 absl::string_view suffix = absl::string_view(normalized_san).substr(1);
79 if (absl::StrContains(suffix, "*")) {
80 // Asterisk (*) is not permitted in the suffix
81 return false;
82 }
83 if (!absl::EndsWith(normalized_matcher, suffix)) return false;
84 int suffix_start_index = normalized_matcher.length() - suffix.length();
85 // Asterisk matching across domain labels is not permitted.
86 return suffix_start_index <= 0 /* should not happen */ ||
87 normalized_matcher.find_last_of('.', suffix_start_index - 1) ==
88 std::string::npos;
89 }
90
91 } // namespace grpc_core
92