1 //
2 //
3 // Copyright 2020 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 //     http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18 
19 #include <grpc/support/port_platform.h>
20 
21 #include "src/core/lib/security/credentials/tls/tls_utils.h"
22 
23 #include <stddef.h>
24 
25 #include "absl/strings/ascii.h"
26 #include "absl/strings/match.h"
27 #include "absl/strings/str_cat.h"
28 
29 #include <grpc/support/log.h>
30 
31 namespace grpc_core {
32 
33 // Based on
34 // https://github.com/grpc/grpc-java/blob/ca12e7a339add0ef48202fb72434b9dc0df41756/xds/src/main/java/io/grpc/xds/internal/sds/trust/SdsX509TrustManager.java#L62
VerifySubjectAlternativeName(absl::string_view subject_alternative_name,const std::string & matcher)35 bool VerifySubjectAlternativeName(absl::string_view subject_alternative_name,
36                                   const std::string& matcher) {
37   if (subject_alternative_name.empty() ||
38       absl::StartsWith(subject_alternative_name, ".")) {
39     // Illegal pattern/domain name
40     return false;
41   }
42   if (matcher.empty() || absl::StartsWith(matcher, ".")) {
43     // Illegal domain name
44     return false;
45   }
46   // Normalize \a subject_alternative_name and \a matcher by turning them into
47   // absolute domain names if they are not yet absolute. This is needed because
48   // server certificates do not normally contain absolute names or patterns, but
49   // they should be treated as absolute. At the same time, any
50   // subject_alternative_name presented to this method should also be treated as
51   // absolute for the purposes of matching to the server certificate.
52   std::string normalized_san =
53       absl::EndsWith(subject_alternative_name, ".")
54           ? std::string(subject_alternative_name)
55           : absl::StrCat(subject_alternative_name, ".");
56   std::string normalized_matcher =
57       absl::EndsWith(matcher, ".") ? matcher : absl::StrCat(matcher, ".");
58   absl::AsciiStrToLower(&normalized_san);
59   absl::AsciiStrToLower(&normalized_matcher);
60   if (!absl::StrContains(normalized_san, "*")) {
61     return normalized_san == normalized_matcher;
62   }
63   // WILDCARD PATTERN RULES:
64   // 1. Asterisk (*) is only permitted in the left-most domain name label and
65   //    must be the only character in that label (i.e., must match the whole
66   //    left-most label). For example, *.example.com is permitted, while
67   //    *a.example.com, a*.example.com, a*b.example.com, a.*.example.com are
68   //    not permitted.
69   // 2. Asterisk (*) cannot match across domain name labels.
70   //    For example, *.example.com matches test.example.com but does not match
71   //    sub.test.example.com.
72   // 3. Wildcard patterns for single-label domain names are not permitted.
73   if (!absl::StartsWith(normalized_san, "*.")) {
74     // Asterisk (*) is only permitted in the left-most domain name label and
75     // must be the only character in that label
76     return false;
77   }
78   if (normalized_san == "*.") {
79     // Wildcard pattern for single-label domain name -- not permitted.
80     return false;
81   }
82   absl::string_view suffix = absl::string_view(normalized_san).substr(1);
83   if (absl::StrContains(suffix, "*")) {
84     // Asterisk (*) is not permitted in the suffix
85     return false;
86   }
87   if (!absl::EndsWith(normalized_matcher, suffix)) return false;
88   size_t suffix_start_index = normalized_matcher.length() - suffix.length();
89   // Asterisk matching across domain labels is not permitted.
90   return suffix_start_index <= 0 /* should not happen */ ||
91          normalized_matcher.find_last_of('.', suffix_start_index - 1) ==
92              std::string::npos;
93 }
94 
GetAuthPropertyValue(grpc_auth_context * context,const char * property_name)95 absl::string_view GetAuthPropertyValue(grpc_auth_context* context,
96                                        const char* property_name) {
97   grpc_auth_property_iterator it =
98       grpc_auth_context_find_properties_by_name(context, property_name);
99   const grpc_auth_property* prop = grpc_auth_property_iterator_next(&it);
100   if (prop == nullptr) {
101     gpr_log(GPR_DEBUG, "No value found for %s property.", property_name);
102     return "";
103   }
104   if (grpc_auth_property_iterator_next(&it) != nullptr) {
105     gpr_log(GPR_DEBUG, "Multiple values found for %s property.", property_name);
106     return "";
107   }
108   return absl::string_view(prop->value, prop->value_length);
109 }
110 
GetAuthPropertyArray(grpc_auth_context * context,const char * property_name)111 std::vector<absl::string_view> GetAuthPropertyArray(grpc_auth_context* context,
112                                                     const char* property_name) {
113   std::vector<absl::string_view> values;
114   grpc_auth_property_iterator it =
115       grpc_auth_context_find_properties_by_name(context, property_name);
116   const grpc_auth_property* prop = grpc_auth_property_iterator_next(&it);
117   while (prop != nullptr) {
118     values.emplace_back(prop->value, prop->value_length);
119     prop = grpc_auth_property_iterator_next(&it);
120   }
121   if (values.empty()) {
122     gpr_log(GPR_DEBUG, "No value found for %s property.", property_name);
123   }
124   return values;
125 }
126 
127 }  // namespace grpc_core
128