xrootd
Loading...
Searching...
No Matches
XrdTlsNotary.hh
Go to the documentation of this file.
1#ifndef __XRDTLSNOTARY_H__
2#define __XRDTLSNOTARY_H__
3/******************************************************************************/
4/* */
5/* X r d T l s N o t a r y . h h */
6/* */
7/* (c) 2019 by the Board of Trustees of the Leland Stanford, Jr., University */
8/* Produced by Andrew Hanushevsky for Stanford University under contract */
9/* DE-AC02-76-SFO0515 with the Department of Energy */
10/* */
11/* This file is part of the XRootD software suite. */
12/* */
13/* XRootD is free software: you can redistribute it and/or modify it under */
14/* the terms of the GNU Lesser General Public License as published by the */
15/* Free Software Foundation, either version 3 of the License, or (at your */
16/* option) any later version. */
17/* */
18/* XRootD is distributed in the hope that it will be useful, but WITHOUT */
19/* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or */
20/* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public */
21/* License for more details. */
22/* */
23/* You should have received a copy of the GNU Lesser General Public License */
24/* along with XRootD in a file called COPYING.LESSER (LGPL license) and file */
25/* COPYING (GPL license). If not, see <http://www.gnu.org/licenses/>. */
26/* */
27/* The copyright holder's institutional names and contributor's names may not */
28/* be used to endorse or promote products derived from this software without */
29/* specific prior written permission of the institution or contributor. */
30/******************************************************************************/
31
32#include <openssl/ssl.h>
33
34/* This class encapsulates the method to be used for hostname validation.
35 A hostname is valid, as follows:
36 1) When DNS is not allowed to be used:
37 a) If a SAN extension is present and the hostname matches an entry
38 in the extension it is considered valid.
39 b) If there is no SAN extension and use of the common name is
40 allowed and the names match it is considered valid.
41 c) At this point hostname validation has failed.
42 2) When DNS is allowed to be used:
43 a) If a SAN extension is present and the hostname matches an entry
44 in the extension it is considered valid.
45 b) If the common name matches the hostname it is considered valid.
46 c) If reverse lookup of the host IP address matches the name, it
47 is considered valid.
48 d) At this point hostname validation has failed.
49
50 Notice the diference between the two is how we handle SAN matching. When
51 DNS cannot be used the SAN, if present, must match. The fallback is
52 to use the common name. This is selctable as the current recommendation
53 is to require all certificates to have a SAN extension.
54*/
55
56class XrdNetAddrInfo;
57
58class XrdTlsNotary
59{
60public:
61
62//-----------------------------------------------------------------------------
76//-----------------------------------------------------------------------------
77
78static const char *Validate(const SSL *ssl,
79 const char *hName,
80 XrdNetAddrInfo *netInfo=0);
81
82//-----------------------------------------------------------------------------
89//-----------------------------------------------------------------------------
90
91static void UseCN(bool yesno) {cnOK = yesno;}
92
93private:
94
95static bool cnOK;
96};
97#endif
XrdNetAddrInfo
Definition XrdNetAddrInfo.hh:54
XrdTlsNotary
Definition XrdTlsNotary.hh:59
XrdTlsNotary::cnOK
static bool cnOK
Definition XrdTlsNotary.hh:95
XrdTlsNotary::UseCN
static void UseCN(bool yesno)
Definition XrdTlsNotary.hh:91
XrdTlsNotary::Validate
static const char * Validate(const SSL *ssl, const char *hName, XrdNetAddrInfo *netInfo=0)
Generated by doxygen 1.9.8