1.\" $OpenBSD: X509_check_host.3,v 1.5 2019/08/23 12:23:39 schwarze Exp $ 2.\" full merge up to: OpenSSL 6738bf14 Feb 13 12:51:29 2018 +0000 3.\" 4.\" This file was written by Florian Weimer <fweimer@redhat.com> and 5.\" Viktor Dukhovni <openssl-users@dukhovni.org>. 6.\" Copyright (c) 2012, 2014, 2015, 2016 The OpenSSL Project. 7.\" All rights reserved. 8.\" 9.\" Redistribution and use in source and binary forms, with or without 10.\" modification, are permitted provided that the following conditions 11.\" are met: 12.\" 13.\" 1. Redistributions of source code must retain the above copyright 14.\" notice, this list of conditions and the following disclaimer. 15.\" 16.\" 2. Redistributions in binary form must reproduce the above copyright 17.\" notice, this list of conditions and the following disclaimer in 18.\" the documentation and/or other materials provided with the 19.\" distribution. 20.\" 21.\" 3. All advertising materials mentioning features or use of this 22.\" software must display the following acknowledgment: 23.\" "This product includes software developed by the OpenSSL Project 24.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 25.\" 26.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27.\" endorse or promote products derived from this software without 28.\" prior written permission. For written permission, please contact 29.\" openssl-core@openssl.org. 30.\" 31.\" 5. Products derived from this software may not be called "OpenSSL" 32.\" nor may "OpenSSL" appear in their names without prior written 33.\" permission of the OpenSSL Project. 34.\" 35.\" 6. Redistributions of any form whatsoever must retain the following 36.\" acknowledgment: 37.\" "This product includes software developed by the OpenSSL Project 38.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" 39.\" 40.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51.\" OF THE POSSIBILITY OF SUCH DAMAGE. 52.\" 53.Dd $Mdocdate: August 23 2019 $ 54.Dt X509_CHECK_HOST 3 55.Os 56.Sh NAME 57.Nm X509_check_host , 58.Nm X509_check_email , 59.Nm X509_check_ip , 60.Nm X509_check_ip_asc 61.Nd X.509 certificate matching 62.Sh SYNOPSIS 63.In openssl/x509v3.h 64.Ft int 65.Fo X509_check_host 66.Fa "X509 *x" 67.Fa "const char *name" 68.Fa "size_t namelen" 69.Fa "unsigned int flags" 70.Fa "char **peername" 71.Fc 72.Ft int 73.Fo X509_check_email 74.Fa "X509 *x" 75.Fa "const char *address" 76.Fa "size_t addresslen" 77.Fa "unsigned int flags" 78.Fc 79.Ft int 80.Fo X509_check_ip 81.Fa "X509 *x" 82.Fa "const unsigned char *address" 83.Fa "size_t addresslen" 84.Fa "unsigned int flags" 85.Fc 86.Ft int 87.Fo X509_check_ip_asc 88.Fa "X509 *x" 89.Fa "const char *address" 90.Fa "unsigned int flags" 91.Fc 92.Sh DESCRIPTION 93The certificate matching functions are used to check whether a 94certificate matches a given host name, email address, or IP address. 95The validity of the certificate and its trust level has to be checked by 96other means. 97.Pp 98.Fn X509_check_host 99checks if the certificate Subject Alternative Name (SAN) or Subject 100CommonName (CN) matches the specified host name, which must be encoded 101in the preferred name syntax described in section 3.5 of RFC 1034. 102By default, wildcards are supported and they match only in the 103left-most label; they may match part of that label with an 104explicit prefix or suffix. 105For example, by default, the host 106.Fa name 107.Qq www.example.com 108would match a certificate with a SAN or CN value of 109.Qq *.example.com , 110.Qq w*.example.com 111or 112.Qq *w.example.com . 113.Pp 114Per section 6.4.2 of RFC 6125, 115.Fa name 116values representing international domain names must be given in A-label 117form. 118The 119.Fa namelen 120argument must be the number of characters in the name string or zero, in 121which case the length is calculated with 122.Fn strlen name . 123When 124.Fa name 125starts with a dot (e.g.\& 126.Qq .example.com ) , 127it will be matched by a certificate valid for any sub-domain of 128.Fa name ; 129see also 130.Fa X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 131below. 132.Pp 133When the certificate is matched and 134.Fa peername 135is not 136.Dv NULL , 137a pointer to a copy of the matching SAN or CN from the peer 138certificate is stored at the address passed in 139.Fa peername . 140The application is responsible for freeing the peername via 141.Xr free 3 142when it is no longer needed. 143.Pp 144.Fn X509_check_email 145checks if the certificate matches the specified email 146.Fa address . 147Only the mailbox syntax of RFC 822 is supported. 148Comments are not allowed, 149and no attempt is made to normalize quoted characters. 150The 151.Fa addresslen 152argument must be the number of characters in the address string or zero, 153in which case the length is calculated with 154.Fn strlen address . 155.Pp 156.Fn X509_check_ip 157checks if the certificate matches a specified IPv4 or IPv6 address. 158The 159.Fa address 160array is in binary format, in network byte order. 161The length is either 4 (IPv4) or 16 (IPv6). 162Only explicitly marked addresses in the certificates are considered; 163IP addresses stored in DNS names and Common Names are ignored. 164.Pp 165.Fn X509_check_ip_asc 166is similar, except that the NUL-terminated string 167.Fa address 168is first converted to the internal representation. 169.Pp 170The 171.Fa flags 172argument is usually 0, but it can be the bitwise OR of the following 173flags. 174.Pp 175The 176.Dv X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT 177flag causes the function to consider the subject DN even if the 178certificate contains at least one subject alternative name of the right 179type (DNS name or email address as appropriate); the default is to 180ignore the subject DN when at least one corresponding subject 181alternative names is present. 182.Pp 183The remaining flags are only meaningful for 184.Fn X509_check_host . 185.Pp 186The 187.Dv X509_CHECK_FLAG_NO_WILDCARDS 188flag disables wildcard expansion. 189.Pp 190The 191.Dv X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 192flag suppresses support for 193.Qq * 194as a wildcard pattern in labels that have a 195prefix or suffix, such as 196.Qq www* 197or 198.Qq *www . 199.Pp 200The 201.Dv X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 202flag allows a 203.Qq * 204that constitutes the complete label of a DNS name (e.g.\& 205.Qq *.example.com ) 206to match more than one label in 207.Fa name . 208.Pp 209The 210.Dv X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 211flag restricts 212.Fa name 213values which start with 214.Qq \&. , 215that would otherwise match any sub-domain in the peer certificate, 216to only match direct child sub-domains. 217Thus, for instance, with this flag set a 218.Fa name 219of 220.Qq .example.com 221would match a peer certificate with a DNS name of 222.Qq www.example.com , 223but would not match a peer certificate with a DNS name of 224.Qq www.sub.example.com . 225.Sh RETURN VALUES 226The functions return 1 for a successful match, 0 for a failed match and 227-1 for an internal error: typically a memory allocation failure or an 228ASN.1 decoding error. 229.Pp 230All functions can also return -2 if the input is malformed. 231For example, 232.Fn X509_check_host 233returns -2 if the provided 234.Fa name 235contains embedded NUL bytes. 236.Sh SEE ALSO 237.Xr X509_EXTENSION_new 3 , 238.Xr X509_get1_email 3 , 239.Xr X509_new 3 240.Sh HISTORY 241These functions first appeared in OpenSSL 1.0.2 242and have been available since 243.Ox 6.1 . 244