diff options
Diffstat (limited to 'openssl/doc/crypto/X509_check_host.pod')
-rwxr-xr-x | openssl/doc/crypto/X509_check_host.pod | 137 |
1 files changed, 137 insertions, 0 deletions
diff --git a/openssl/doc/crypto/X509_check_host.pod b/openssl/doc/crypto/X509_check_host.pod new file mode 100755 index 000000000..f8b530df9 --- /dev/null +++ b/openssl/doc/crypto/X509_check_host.pod @@ -0,0 +1,137 @@ +=pod + +=head1 NAME + +X509_check_host, X509_check_email, X509_check_ip, X509_check_ip_asc - X.509 certificate matching + +=head1 SYNOPSIS + + #include <openssl/x509.h> + + int X509_check_host(X509 *, const char *name, size_t namelen, + unsigned int flags, char **peername); + int X509_check_email(X509 *, const char *address, size_t addresslen, + unsigned int flags); + int X509_check_ip(X509 *, const unsigned char *address, size_t addresslen, + unsigned int flags); + int X509_check_ip_asc(X509 *, const char *address, unsigned int flags); + +=head1 DESCRIPTION + +The certificate matching functions are used to check whether a +certificate matches a given host name, email address, or IP address. +The validity of the certificate and its trust level has to be checked by +other means. + +X509_check_host() checks if the certificate Subject Alternative +Name (SAN) or Subject CommonName (CN) matches the specified host +name, which must be encoded in the preferred name syntax described +in section 3.5 of RFC 1034. By default, wildcards are supported +and they match only in the left-most label; but they may match +part of that label with an explicit prefix or suffix. For example, +by default, the host B<name> "www.example.com" would match a +certificate with a SAN or CN value of "*.example.com", "w*.example.com" +or "*w.example.com". + +Per section 6.4.2 of RFC 6125, B<name> values representing international +domain names must be given in A-label form. The B<namelen> argument +must be the number of characters in the name string or zero in which +case the length is calculated with strlen(B<name>). When B<name> starts +with a dot (e.g ".example.com"), it will be matched by a certificate +valid for any sub-domain of B<name>, (see also +B<X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS> below). + +When the certificate is matched, and B<peername> is not NULL, a +pointer to a copy of the matching SAN or CN from the peer certificate +is stored at the address passed in B<peername>. The application +is responsible for freeing the peername via OPENSSL_free() when it +is no longer needed. + +X509_check_email() checks if the certificate matches the specified +email B<address>. Only the mailbox syntax of RFC 822 is supported, +comments are not allowed, and no attempt is made to normalize quoted +characters. The B<addresslen> argument must be the number of +characters in the address string or zero in which case the length +is calculated with strlen(B<address>). + +X509_check_ip() checks if the certificate matches a specified IPv4 or +IPv6 address. The B<address> array is in binary format, in network +byte order. The length is either 4 (IPv4) or 16 (IPv6). Only +explicitly marked addresses in the certificates are considered; IP +addresses stored in DNS names and Common Names are ignored. + +X509_check_ip_asc() is similar, except that the NUL-terminated +string B<address> is first converted to the internal representation. + +The B<flags> argument is usually 0. It can be the bitwise OR of the +flags: + +=over 4 + +=item B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT>, + +=item B<X509_CHECK_FLAG_NO_WILDCARDS>, + +=item B<X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS>, + +=item B<X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS>. + +=item B<X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS>. + +=back + +The B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT> flag causes the function +to consider the subject DN even if the certificate contains at least +one subject alternative name of the right type (DNS name or email +address as appropriate); the default is to ignore the subject DN +when at least one corresponding subject alternative names is present. + +If set, B<X509_CHECK_FLAG_NO_WILDCARDS> disables wildcard +expansion; this only applies to B<X509_check_host>. + +If set, B<X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS> suppresses support +for "*" as wildcard pattern in labels that have a prefix or suffix, +such as: "www*" or "*www"; this only aplies to B<X509_check_host>. + +If set, B<X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS> allows a "*" that +constitutes the complete label of a DNS name (e.g. "*.example.com") +to match more than one label in B<name>; this flag only applies +to B<X509_check_host>. + +If set, B<X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS> restricts B<name> +values which start with ".", that would otherwise match any sub-domain +in the peer certificate, to only match direct child sub-domains. +Thus, for instance, with this flag set a B<name> of ".example.com" +would match a peer certificate with a DNS name of "www.example.com", +but would not match a peer certificate with a DNS name of +"www.sub.example.com"; this flag only applies to B<X509_check_host>. + +=head1 RETURN VALUES + +The functions return 1 for a successful match, 0 for a failed match +and -1 for an internal error: typically a memory allocation failure. + +X509_check_ip_asc() can also return -2 if the IP address string is malformed. + +=head1 NOTES + +Applications are encouraged to use X509_VERIFY_PARAM_set1_host() +rather than explicitly calling L<X509_check_host(3)>. Host name +checks are out of scope with the DANE-EE(3) certificate usage, +and the internal checks will be suppressed as appropriate when +DANE support is added to OpenSSL. + +=head1 SEE ALSO + +L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>, +L<X509_VERIFY_PARAM_set1_host(3)|X509_VERIFY_PARAM_set1_host(3)>, +L<X509_VERIFY_PARAM_add1_host(3)|X509_VERIFY_PARAM_add1_host(3)>, +L<X509_VERIFY_PARAM_set1_email(3)|X509_VERIFY_PARAM_set1_email(3)>, +L<X509_VERIFY_PARAM_set1_ip(3)|X509_VERIFY_PARAM_set1_ip(3)>, +L<X509_VERIFY_PARAM_set1_ipasc(3)|X509_VERIFY_PARAM_set1_ipasc(3)> + +=head1 HISTORY + +These functions were added in OpenSSL 1.1.0. + +=cut |