#ifndef __XRDTLSNOTARY_H__
#define __XRDTLSNOTARY_H__
/******************************************************************************/
/*                                                                            */
/*                      X r d T l s N o t a r y . h h                         */
/*                                                                            */
/* (c) 2019 by the Board of Trustees of the Leland Stanford, Jr., University  */
/*   Produced by Andrew Hanushevsky for Stanford University under contract    */
/*              DE-AC02-76-SFO0515 with the Department of Energy              */
/*                                                                            */
/* This file is part of the XRootD software suite.                            */
/*                                                                            */
/* XRootD is free software: you can redistribute it and/or modify it under    */
/* the terms of the GNU Lesser General Public License as published by the     */
/* Free Software Foundation, either version 3 of the License, or (at your     */
/* option) any later version.                                                 */
/*                                                                            */
/* XRootD is distributed in the hope that it will be useful, but WITHOUT      */
/* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or      */
/* FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public       */
/* License for more details.                                                  */
/*                                                                            */
/* You should have received a copy of the GNU Lesser General Public License   */
/* along with XRootD in a file called COPYING.LESSER (LGPL license) and file  */
/* COPYING (GPL license).  If not, see <http://www.gnu.org/licenses/>.        */
/*                                                                            */
/* The copyright holder's institutional names and contributor's names may not */
/* be used to endorse or promote products derived from this software without  */
/* specific prior written permission of the institution or contributor.       */
/******************************************************************************/

#include <openssl/ssl.h>

/* This class encapsulates the method to be used for hostname validation.
   A hostname is valid, as follows:
   1) When DNS is not allowed to be used:
      a) If a SAN extension is present and the hostname matches an entry
         in the extension it is considered valid.
      b) If there is no SAN extension and use of the common name is
         allowed and the names match it is considered valid.
      c) At this point hostname validation has failed.
   2) When DNS is allowed to be used:
      a) If a SAN extension is present and the hostname matches an entry
         in the extension it is considered valid.
      b) If the common name matches the hostname it is considered valid.
      c) If reverse lookup of the host IP address matches the name, it
         is considered valid.
      d) At this point hostname validation has failed.

   Notice the difference between the two is how we handle SAN matching. When
   DNS cannot be used the SAN, if present, must match. The fallback is
   to use the common name. This is selectable as the current recommendation
   is to require all certificates to have a SAN extension.

   NOTE(review): only branches 1a/2a compare against a name the certificate
   itself asserts. Branch 2c depends on a PTR record that the certificate
   does not bind, and the common-name branches (1b/2b) rely on a field that
   current hostname-verification practice treats as legacy; deployments that
   want the strict policy should keep the DNS path off and leave CN use
   disabled via UseCN(false). Which mode is in effect is not decided in this
   header -- confirm in the implementation.
*/

class XrdNetAddrInfo;

//! Hostname validation for a TLS peer certificate, following the policy
//! described in the comment above.
class XrdTlsNotary
{
public:

//-----------------------------------------------------------------------------
//! Validate that the peer presented on an SSL session is entitled to the
//! given host name.
//!
//! @param  ssl     The SSL session whose peer certificate is checked
//!                 (presumably obtained by the caller after the handshake;
//!                 the implementation is not visible here -- confirm).
//! @param  hName   The host name the peer is expected to hold.
//! @param  netInfo Optional address information for the peer; presumably
//!                 used for the reverse-lookup step (2c) when DNS is allowed,
//!                 and may be omitted (0) when that step is not wanted --
//!                 confirm against the implementation.
//!
//! @return A const char pointer. Presumably 0 when the host name validated
//!         and otherwise text describing why validation failed; the exact
//!         contract is defined in the implementation file -- confirm there
//!         before relying on it. Callers must treat a non-null result as a
//!         failed check and not proceed with the connection.
//-----------------------------------------------------------------------------

static const char *Validate(const SSL *ssl,
                            const char *hName,
                            XrdNetAddrInfo *netInfo=0);

//-----------------------------------------------------------------------------
//! Set whether the certificate common name may be used as a fallback when
//! matching host names.
//!
//! @param  yesno   true to permit common-name matching, false to disallow it.
//!                 Stored in the static cnOK flag, which presumably is what
//!                 Validate consults for the "use of the common name is
//!                 allowed" decision (steps 1b/2b above) -- confirm.
//!
//! @note   This is process-wide state: it affects every subsequent Validate
//!         call in the process, not a single session.
//-----------------------------------------------------------------------------

static void UseCN(bool yesno) {cnOK = yesno;}

private:

// Process-wide switch: may the common name be used as a fallback identity?
// Defined (and therefore defaulted) in the implementation file, not here.
static bool cnOK;
};
#endif