Resolves: #i123744# consider certificate's Subject Alternative Name...

field when searching for matching certificate host name (cherry picked from commit 226085ad2004319c5142b392bb4b48ab79c3b747) Change-Id: I0d1690f75c1aa3288c677823105e21bb6e969f41
2014-01-21 16:32:58 +00:00
parent 17cfcceb4e
commit 4a56b4ab2c
2 changed files with 41 additions and 5 deletions
--- a/ucb/source/ucp/webdav/SerfSession.cxx
+++ b/ucb/source/ucp/webdav/SerfSession.cxx
@@ -26,7 +26,7 @@
 #include "ucbhelper/simplecertificatevalidationrequest.hxx"

 #include "AprEnv.hxx"
-#include <apr_strings.h>
+#include <apr/apr_strings.h>

 #include "DAVAuthListener.hxx"
 #include "SerfTypes.hxx"
@@ -43,6 +43,10 @@
 #include <com/sun/star/security/CertificateContainerStatus.hpp>
 #include <com/sun/star/security/CertificateContainer.hpp>
 #include <com/sun/star/security/XCertificateContainer.hpp>
+#include <com/sun/star/security/CertAltNameEntry.hpp>
+#include <com/sun/star/security/XSanExtension.hpp>
+#define OID_SUBJECT_ALTERNATIVE_NAME "2.5.29.17"
+
 #include <com/sun/star/ucb/Lock.hpp>
 #include <com/sun/star/xml/crypto/XSEInitializer.hpp>

@@ -461,7 +465,40 @@ apr_status_t SerfSession::verifySerfCertificateChain (

    // When the certificate matches the host name then we can use the
    // result of the verification.
-    if (isDomainMatch(sServerCertificateSubject))
+    bool bHostnameMatchesCertHostnames = false;
+    {
+        uno::Sequence< uno::Reference< security::XCertificateExtension > > extensions = xServerCertificate->getExtensions();
+        uno::Sequence< security::CertAltNameEntry > altNames;
+        for (sal_Int32 i = 0 ; i < extensions.getLength(); ++i)
+        {
+            uno::Reference< security::XCertificateExtension >element = extensions[i];
+
+            const rtl::OString aId ( (const sal_Char *)element->getExtensionId().getArray(), element->getExtensionId().getLength());
+            if ( aId.equals( OID_SUBJECT_ALTERNATIVE_NAME ) )
+            {
+                uno::Reference< security::XSanExtension > sanExtension ( element, uno::UNO_QUERY );
+                altNames =  sanExtension->getAlternativeNames();
+                break;
+            }
+        }
+
+        uno::Sequence< ::rtl::OUString > certHostNames(altNames.getLength() + 1);
+        certHostNames[0] = sServerCertificateSubject;
+        for( int n = 0; n < altNames.getLength(); ++n )
+        {
+            if (altNames[n].Type ==  security::ExtAltNameType_DNS_NAME)
+            {
+                altNames[n].Value >>= certHostNames[n+1];
+            }
+        }
+
+        for ( int i = 0; i < certHostNames.getLength() && !bHostnameMatchesCertHostnames; ++i )
+        {
+            bHostnameMatchesCertHostnames = isDomainMatch( certHostNames[i] );
+        }
+
+    }
+    if ( bHostnameMatchesCertHostnames )
    {

        if (nVerificationResult == 0)
@@ -508,8 +545,7 @@ apr_status_t SerfSession::verifySerfCertificateChain (

            if ( xSelection.is() )
            {
-                uno::Reference< task::XInteractionApprove > xApprove(
-                    xSelection.get(), uno::UNO_QUERY );
+                uno::Reference< task::XInteractionApprove > xApprove( xSelection.get(), uno::UNO_QUERY );
                if ( xApprove.is() )
                {
                    xCertificateContainer->addCertificate( getHostName(), sServerCertificateSubject,  sal_True );
--- a/ucb/source/ucp/webdav/SerfTypes.hxx
+++ b/ucb/source/ucp/webdav/SerfTypes.hxx
@@ -22,7 +22,7 @@
 #ifndef INCLUDED_SERFTYPES_HXX
 #define INCLUDED_SERFTYPES_HXX

-#include <serf.h>
+#include <serf/serf.h>

 typedef serf_connection_t SerfConnection;