1 /**************************************************************************/
2 /*                                                                        */
3 /*       Copyright (c) Microsoft Corporation. All rights reserved.        */
4 /*                                                                        */
5 /*       This software is licensed under the Microsoft Software License   */
6 /*       Terms for Microsoft Azure RTOS. Full text of the license can be  */
7 /*       found in the LICENSE file at https://aka.ms/AzureRTOS_EULA       */
8 /*       and in the root directory of this software.                      */
9 /*                                                                        */
10 /**************************************************************************/
11 
12 
13 /**************************************************************************/
14 /**************************************************************************/
15 /**                                                                       */
16 /** NetX Secure Component                                                 */
17 /**                                                                       */
18 /**    X.509 Digital Certificates                                         */
19 /**                                                                       */
20 /**************************************************************************/
21 /**************************************************************************/
22 
23 #define NX_SECURE_SOURCE_CODE
24 
25 #include "nx_secure_x509.h"
26 
27 /**************************************************************************/
28 /*                                                                        */
29 /*  FUNCTION                                               RELEASE        */
30 /*                                                                        */
31 /*    _nx_secure_x509_common_name_dns_check               PORTABLE C      */
32 /*                                                           6.1.6        */
33 /*  AUTHOR                                                                */
34 /*                                                                        */
35 /*    Timothy Stapko, Microsoft Corporation                               */
36 /*                                                                        */
37 /*  DESCRIPTION                                                           */
38 /*                                                                        */
/*    This function checks a certificate's Common Name against the DNS    */
/*    host name provided by the caller for the purposes of DNS validation */
/*    of a remote host. This utility function is intended to be called    */
/*    from within a certificate validation callback routine provided by   */
/*    the application. Despite the name, dns_tld is not a DNS top-level   */
/*    domain: it is the full host name of the remote host, i.e. the       */
/*    "."-separated string from the URL used to access the remote host    */
/*    (the part before the first slash).                                  */
46 /*                                                                        */
47 /*    NOTE 1: If the Common Name does not match the provided string, the  */
48 /*            "subject alt name" field is compared as well.               */
49 /*                                                                        */
/*    NOTE 2: It is important to understand the format of the common name */
/*            (and subject alt name) in expected certificates. For        */
/*            example, some certificates may use a raw IP address or a    */
/*            wild card. The DNS name string must be formatted such that  */
/*            it will match the expected values in received certificates. */
/*            Only dNSName entries of the subject alt name extension are  */
/*            consulted here; an address carried in an iPAddress entry is */
/*            not examined by this function.                              */
55 /*                                                                        */
56 /*  INPUT                                                                 */
57 /*                                                                        */
58 /*    certificate                           Pointer to certificate        */
59 /*    dns_tld                               Top-level domain name         */
/*    dns_tld_length                        Length of dns_tld in bytes    */
61 /*                                                                        */
62 /*  OUTPUT                                                                */
63 /*                                                                        */
64 /*    status                                Validity of certificate       */
65 /*                                                                        */
66 /*  CALLS                                                                 */
67 /*                                                                        */
68 /*    _nx_secure_x509_extension_find        Find extension in certificate */
69 /*    _nx_secure_x509_subject_alt_names_find                              */
70 /*                                          Find subject alt names        */
71 /*    _nx_secure_x509_wildcard_compare      Wildcard compare for names    */
72 /*                                                                        */
73 /*  CALLED BY                                                             */
74 /*                                                                        */
75 /*    Application code                                                    */
76 /*                                                                        */
77 /*  RELEASE HISTORY                                                       */
78 /*                                                                        */
79 /*    DATE              NAME                      DESCRIPTION             */
80 /*                                                                        */
81 /*  05-19-2020     Timothy Stapko           Initial Version 6.0           */
82 /*  09-30-2020     Timothy Stapko           Modified comment(s),          */
83 /*                                            resulting in version 6.1    */
84 /*  04-02-2021     Timothy Stapko           Modified comment(s),          */
85 /*                                            removed dependency on TLS,  */
86 /*                                            resulting in version 6.1.6  */
87 /*                                                                        */
88 /**************************************************************************/
UINT _nx_secure_x509_common_name_dns_check(NX_SECURE_X509_CERT *certificate, const UCHAR *dns_tld,
                                           UINT dns_tld_length)
{
UINT                     result;
UINT                     find_status;
const UCHAR             *subject_cn;
USHORT                   subject_cn_length;
NX_SECURE_X509_EXTENSION san_extension;

    /* Assume a mismatch until one of the two checks below succeeds. The only
       two values this routine returns are NX_SECURE_X509_SUCCESS and
       NX_SECURE_X509_CERTIFICATE_DNS_MISMATCH. */
    result = NX_SECURE_X509_CERTIFICATE_DNS_MISMATCH;

    /* Step 1: compare the caller's host name against the subject Common Name.
       A return of 0 from the wildcard compare means "match"; the wildcard
       rules themselves live in that helper, not here.

       NOTE: a CN match is accepted on its own, even when the certificate also
       carries a subject alt name extension. That is more permissive than
       RFC 6125 section 6.4.4, which says the CN should only be consulted when
       no dNSName subject alt name is present. Callers needing the stricter
       policy must enforce it in their validation callback.

       NOTE(review): how the compare helper treats a certificate with no CN
       (zero-length name) is not visible here - confirm in that helper. */
    subject_cn = certificate -> nx_secure_x509_distinguished_name.nx_secure_x509_common_name;
    subject_cn_length = certificate -> nx_secure_x509_distinguished_name.nx_secure_x509_common_name_length;

    if (_nx_secure_x509_wildcard_compare(dns_tld, dns_tld_length, subject_cn, subject_cn_length) == 0)
    {
        result = NX_SECURE_X509_SUCCESS;
    }
    else
    {
        /* Step 2: fall back to the subject alt name extension. A certificate
           that lacks the extension simply remains a mismatch - absence of the
           extension is not treated as an error in its own right. */
        find_status = _nx_secure_x509_extension_find(certificate, &san_extension,
                                                     NX_SECURE_TLS_X509_TYPE_SUBJECT_ALT_NAME);

        /* Only dNSName entries are searched. iPAddress (and every other) SAN
           entry type is not consulted by this function, so an IP-only SAN
           can never satisfy this check. */
        if ((find_status == NX_SECURE_X509_SUCCESS) &&
            (_nx_secure_x509_subject_alt_names_find(&san_extension, dns_tld, dns_tld_length,
                                                    NX_SECURE_X509_SUB_ALT_NAME_TAG_DNSNAME) == NX_SECURE_X509_SUCCESS))
        {
            result = NX_SECURE_X509_SUCCESS;
        }
    }

    return(result);
}
128 
129