KDE 4.6 API Reference KIO
ksslpeerinfo.cpp
Go to the documentation of this file.
00001 /* This file is part of the KDE project 00002 * 00003 * Copyright (C) 2000-2003 George Staikos <staikos@kde.org> 00004 * 00005 * This library is free software; you can redistribute it and/or 00006 * modify it under the terms of the GNU Library General Public 00007 * License as published by the Free Software Foundation; either 00008 * version 2 of the License, or (at your option) any later version. 00009 * 00010 * This library is distributed in the hope that it will be useful, 00011 * but WITHOUT ANY WARRANTY; without even the implied warranty of 00012 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 00013 * Library General Public License for more details. 00014 * 00015 * You should have received a copy of the GNU Library General Public License 00016 * along with this library; see the file COPYING.LIB. If not, write to 00017 * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, 00018 * Boston, MA 02110-1301, USA. 00019 */ 00020 00021 #include "ksslpeerinfo.h" 00022 00023 #include <config.h> 00024 #include <ksslconfig.h> 00025 00026 #include <QtCore/QRegExp> 00027 #include <QtCore/QUrl> 00028 00029 #include <kdebug.h> 00030 00031 #include "ksslx509map.h" 00032 00033 class KSSLPeerInfoPrivate { 00034 public: 00035 KSSLPeerInfoPrivate() {} 00036 ~KSSLPeerInfoPrivate() { } 00037 QString peerHost; 00038 }; 00039 00040 00041 00042 KSSLPeerInfo::KSSLPeerInfo() 00043 :d(new KSSLPeerInfoPrivate) 00044 { 00045 } 00046 00047 KSSLPeerInfo::~KSSLPeerInfo() { 00048 delete d; 00049 } 00050 00051 KSSLCertificate& KSSLPeerInfo::getPeerCertificate() { 00052 return m_cert; 00053 } 00054 00055 void KSSLPeerInfo::setPeerHost(const QString &realHost) { 00056 d->peerHost = realHost.trimmed(); 00057 while(d->peerHost.endsWith('.')) 00058 d->peerHost.truncate(d->peerHost.length()-1); 00059 00060 d->peerHost = QString::fromLatin1(QUrl::toAce(d->peerHost)); 00061 } 00062 00063 bool KSSLPeerInfo::certMatchesAddress() { 00064 #ifdef KSSL_HAVE_SSL 00065 KSSLX509Map certinfo(m_cert.getSubject()); 00066 QStringList cns = certinfo.getValue("CN").split(QRegExp("[ \n\r]"), QString::SkipEmptyParts); 00067 cns += m_cert.subjAltNames(); 00068 00069 for (QStringList::const_iterator cn = cns.constBegin(); cn != cns.constEnd(); ++cn) { 00070 if (cnMatchesAddress((*cn).trimmed().toLower())) 00071 return true; 00072 } 00073 00074 #endif 00075 00076 return false; 00077 } 00078 00079 00080 bool KSSLPeerInfo::cnMatchesAddress(QString cn) { 00081 #ifdef KSSL_HAVE_SSL 00082 QRegExp rx; 00083 00084 kDebug(7029) << "Matching CN=[" << cn << "] to [" 00085 << d->peerHost << "]" << endl; 00086 00087 // Check for invalid characters 00088 if (QRegExp("[^a-zA-Z0-9\\.\\*\\-]").indexIn(cn) >= 0) { 00089 kDebug(7029) << "CN contains invalid characters! Failing."; 00090 return false; 00091 } 00092 00093 // Domains can legally end with '.'s. We don't need them though. 00094 while(cn.endsWith('.')) 00095 cn.truncate(cn.length()-1); 00096 00097 // Do not let empty CN's get by!! 00098 if (cn.isEmpty()) 00099 return false; 00100 00101 // Check for IPv4 address 00102 rx.setPattern("[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"); 00103 if (rx.exactMatch(d->peerHost)) 00104 return d->peerHost == cn; 00105 00106 // Check for IPv6 address here... 00107 rx.setPattern("^\\[.*\\]$"); 00108 if (rx.exactMatch(d->peerHost)) 00109 return d->peerHost == cn; 00110 00111 if (cn.contains('*')) { 00112 // First make sure that there are at least two valid parts 00113 // after the wildcard (*). 00114 QStringList parts = cn.split('.', QString::SkipEmptyParts); 00115 00116 while (parts.count() > 2) 00117 parts.removeFirst(); 00118 00119 if (parts.count() != 2) { 00120 return false; // we don't allow *.root - that's bad 00121 } 00122 00123 if (parts[0].contains('*') || parts[1].contains('*')) { 00124 return false; 00125 } 00126 00127 // RFC2818 says that *.example.com should match against 00128 // foo.example.com but not bar.foo.example.com 00129 // (ie. they must have the same number of parts) 00130 if (QRegExp(cn, Qt::CaseInsensitive, QRegExp::Wildcard).exactMatch(d->peerHost) && 00131 cn.split('.', QString::SkipEmptyParts).count() == 00132 d->peerHost.split('.', QString::SkipEmptyParts).count()) 00133 return true; 00134 00135 // *.example.com must match example.com also. Sigh.. 00136 if (cn.startsWith(QLatin1String("*."))) { 00137 QString chopped = cn.mid(2); 00138 if (chopped == d->peerHost) { 00139 return true; 00140 } 00141 } 00142 return false; 00143 } 00144 00145 // We must have an exact match in this case (insensitive though) 00146 // (note we already did .toLower()) 00147 if (cn == d->peerHost) 00148 return true; 00149 #endif 00150 return false; 00151 } 00152 00153 00154 void KSSLPeerInfo::reset() { 00155 d->peerHost.clear(); 00156 } 00157 00158 00159 const QString& KSSLPeerInfo::peerHost() const { 00160 return d->peerHost; 00161 } 00162
