[Libreoffice-commits] core.git: ucb/source

Oliver-Rainer Wittmann orw at apache.org
Wed Jan 22 02:01:00 PST 2014


 ucb/source/ucp/webdav/SerfSession.cxx |   44 ++++++++++++++++++++++++++++++----
 ucb/source/ucp/webdav/SerfTypes.hxx   |    2 -
 2 files changed, 41 insertions(+), 5 deletions(-)

New commits:
commit 4a56b4ab2c100c506096f1808cca7268e576086c
Author: Oliver-Rainer Wittmann <orw at apache.org>
Date:   Tue Jan 21 16:32:58 2014 +0000

    Resolves: #i123744# consider certificate's Subject Alternative Name...
    
    field when searching for matching certificate host name
    
    (cherry picked from commit 226085ad2004319c5142b392bb4b48ab79c3b747)
    
    Change-Id: I0d1690f75c1aa3288c677823105e21bb6e969f41

diff --git a/ucb/source/ucp/webdav/SerfSession.cxx b/ucb/source/ucp/webdav/SerfSession.cxx
index 008b6f1..bb8c6e1 100644
--- a/ucb/source/ucp/webdav/SerfSession.cxx
+++ b/ucb/source/ucp/webdav/SerfSession.cxx
@@ -26,7 +26,7 @@
 #include "ucbhelper/simplecertificatevalidationrequest.hxx"
 
 #include "AprEnv.hxx"
-#include <apr_strings.h>
+#include <apr/apr_strings.h>
 
 #include "DAVAuthListener.hxx"
 #include "SerfTypes.hxx"
@@ -43,6 +43,10 @@
 #include <com/sun/star/security/CertificateContainerStatus.hpp>
 #include <com/sun/star/security/CertificateContainer.hpp>
 #include <com/sun/star/security/XCertificateContainer.hpp>
+#include <com/sun/star/security/CertAltNameEntry.hpp>
+#include <com/sun/star/security/XSanExtension.hpp>
+#define OID_SUBJECT_ALTERNATIVE_NAME "2.5.29.17"
+
 #include <com/sun/star/ucb/Lock.hpp>
 #include <com/sun/star/xml/crypto/XSEInitializer.hpp>
 
@@ -461,7 +465,40 @@ apr_status_t SerfSession::verifySerfCertificateChain (
 
     // When the certificate matches the host name then we can use the
     // result of the verification.
-    if (isDomainMatch(sServerCertificateSubject))
+    bool bHostnameMatchesCertHostnames = false;
+    {
+        uno::Sequence< uno::Reference< security::XCertificateExtension > > extensions = xServerCertificate->getExtensions();
+        uno::Sequence< security::CertAltNameEntry > altNames;
+        for (sal_Int32 i = 0 ; i < extensions.getLength(); ++i)
+        {
+            uno::Reference< security::XCertificateExtension >element = extensions[i];
+
+            const rtl::OString aId ( (const sal_Char *)element->getExtensionId().getArray(), element->getExtensionId().getLength());
+            if ( aId.equals( OID_SUBJECT_ALTERNATIVE_NAME ) )
+            {
+                uno::Reference< security::XSanExtension > sanExtension ( element, uno::UNO_QUERY );
+                altNames =  sanExtension->getAlternativeNames();
+                break;
+            }
+        }
+
+        uno::Sequence< ::rtl::OUString > certHostNames(altNames.getLength() + 1);
+        certHostNames[0] = sServerCertificateSubject;
+        for( int n = 0; n < altNames.getLength(); ++n )
+        {
+            if (altNames[n].Type ==  security::ExtAltNameType_DNS_NAME)
+            {
+                altNames[n].Value >>= certHostNames[n+1];
+            }
+        }
+
+        for ( int i = 0; i < certHostNames.getLength() && !bHostnameMatchesCertHostnames; ++i )
+        {
+            bHostnameMatchesCertHostnames = isDomainMatch( certHostNames[i] );
+        }
+
+    }
+    if ( bHostnameMatchesCertHostnames )
     {
 
         if (nVerificationResult == 0)
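Review bot: The `uno::UNO_QUERY` cast to `security::XSanExtension` is dereferenced without a check, so an extension with OID 2.5.29.17 whose object does not implement that interface would dereference a null reference while processing server-supplied certificate data; guard it with `if ( sanExtension.is() ) altNames = sanExtension->getAlternativeNames();`. The `certHostNames` sequence also keeps an empty slot for every non-DNS alternative name (and for any entry where `>>=` fails), and those empty strings are still passed to `isDomainMatch`, whose handling of them is not visible here; adding `if ( certHostNames[i].isEmpty() ) continue;` to the final loop would remove that dependency. The subject string is still tried even when DNS alternative names are present, whereas RFC 6125 has clients fall back to the subject only when the certificate carries no DNS names, so it is worth confirming that this broader acceptance is intended. The body of verifySerfCertificateChain starts and ends outside this hunk.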
@@ -508,8 +545,7 @@ apr_status_t SerfSession::verifySerfCertificateChain (
 
             if ( xSelection.is() )
             {
-                uno::Reference< task::XInteractionApprove > xApprove(
-                    xSelection.get(), uno::UNO_QUERY );
+                uno::Reference< task::XInteractionApprove > xApprove( xSelection.get(), uno::UNO_QUERY );
                 if ( xApprove.is() )
                 {
                     xCertificateContainer->addCertificate( getHostName(), sServerCertificateSubject,  sal_True );
diff --git a/ucb/source/ucp/webdav/SerfTypes.hxx b/ucb/source/ucp/webdav/SerfTypes.hxx
index b396697..5be06a6 100644
--- a/ucb/source/ucp/webdav/SerfTypes.hxx
+++ b/ucb/source/ucp/webdav/SerfTypes.hxx
@@ -22,7 +22,7 @@
 #ifndef INCLUDED_SERFTYPES_HXX
 #define INCLUDED_SERFTYPES_HXX
 
-#include <serf.h>
+#include <serf/serf.h>
 
 typedef serf_connection_t SerfConnection;
 

