Diffstat (limited to 'src/lib/tls/credentials_manager.cpp')
-rw-r--r--src/lib/tls/credentials_manager.cpp21
1 files changed, 14 insertions, 7 deletions
diff --git a/src/lib/tls/credentials_manager.cpp b/src/lib/tls/credentials_manager.cpp
index 6443bb246..43ba7650a 100644
--- a/src/lib/tls/credentials_manager.cpp
+++ b/src/lib/tls/credentials_manager.cpp
@@ -104,6 +104,17 @@ bool cert_in_some_store(const std::vector<Certificate_Store*>& trusted_CAs,
return false;
}
+Usage_Type choose_leaf_usage(const std::string& ctx)
+ {
+ // These are reversed because ctx is denoting the current perspective
+ if(ctx == "tls-client")
+ return Usage_Type::TLS_SERVER_AUTH;
+ else if(ctx == "tls-server")
+ return Usage_Type::TLS_CLIENT_AUTH;
+ else
+ return Usage_Type::UNSPECIFIED;
+ }
+
}
void Credentials_Manager::verify_certificate_chain(
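Review bot: The final `else` in choose_leaf_usage maps every ctx string other than "tls-client" and "tls-server" to Usage_Type::UNSPECIFIED, so a caller that passes a new or misspelled context gets its chain validated with, presumably, no extended-key-usage constraint at all rather than an error. If that fallback is intended (the function is in what looks like a file-local namespace, closed by the `}` after it, so the set of callers is small), it deserves a comment making the consequence explicit, e.g. `// Any other context: no EKU restriction is applied during path validation` above the `else`; if it is not intended, the unknown case should be rejected rather than silently relaxed. The perspective-reversal comment on the first line is good and should stay.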
@@ -120,16 +131,12 @@ void Credentials_Manager::verify_certificate_chain(
auto result = x509_path_validate(cert_chain,
restrictions,
- trusted_CAs);
-
- if(!result.successful_validation())
- throw std::runtime_error("Certificate validation failure: " + result.result_string());
+ trusted_CAs,
+ purported_hostname,
+ choose_leaf_usage(type));
if(!cert_in_some_store(trusted_CAs, result.trust_root()))
throw std::runtime_error("Certificate chain roots in unknown/untrusted CA");
-
- if(purported_hostname != "" && !cert_chain[0].matches_dns_name(purported_hostname))
- throw std::runtime_error("Certificate did not match hostname");
}
}
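Review bot: The `if(!result.successful_validation()) throw ...` check is removed in this hunk and nothing re-adds it, so after x509_path_validate returns the only remaining guard is `cert_in_some_store(trusted_CAs, result.trust_root())`. Unless Path_Validation_Result::trust_root() itself throws on an unsuccessful result (not visible here), a chain that fails validation for a reason other than an untrusted root — expiry, hostname mismatch, usage mismatch, all of which this commit moves into x509_path_validate — would now be accepted silently. I would keep the explicit check immediately after the call: `if(!result.successful_validation())` / `throw std::runtime_error("Certificate validation failure: " + result.result_string());`, so the hostname and usage failures the new arguments introduce still surface as errors. The body of verify_certificate_chain starts before this hunk, so I cannot see whether the check was moved earlier rather than dropped.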