[crypto] Allow for X.509 certificates with no common name

Signed-off-by: Michael Brown <mcb30@ipxe.org>
ipxe · May 8, 2012 · 0ad8b60 · 0ad8b60
1 parent 6ba7fb7
commit 0ad8b60
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 5 deletions.
diff --git a/src/crypto/cms.c b/src/crypto/cms.c
@@ -745,7 +745,8 @@ int cms_verify ( struct cms_signature *sig, userptr_t data, size_t len,
 	/* Verify using all signerInfos */
 	list_for_each_entry ( info, &sig->info, list ) {
 		cert = x509_first ( info->chain );
-		if ( name && ( strcmp ( name, cert->subject.name ) != 0 ) )
+		if ( name && ( ( cert->subject.name == NULL ) ||
+			       ( strcmp ( cert->subject.name, name ) != 0 ) ) )
 			continue;
 		if ( ( rc = cms_verify_signer_info ( sig, info, data, len,
 						     time, root ) ) != 0 )

diff --git a/src/crypto/x509.c b/src/crypto/x509.c
@@ -570,17 +570,17 @@ static int x509_parse_common_name ( struct x509_certificate *cert, char **name,
 			return rc;
 		}
 
-		/* Allocate name */
+		/* Allocate and copy name */
 		*name = zalloc ( name_cursor.len + 1 /* NUL */ );
 		if ( ! *name )
 			return -ENOMEM;
 		memcpy ( *name, name_cursor.data, name_cursor.len );
 		return 0;
 	}
 
+	/* Certificates may not have a commonName */
 	DBGC ( cert, "X509 %p no commonName found:\n", cert );
-	DBGC_HDA ( cert, 0, raw->data, raw->len );
-	return -ENOENT;
+	return 0;
 }
 
 /**

diff --git a/src/net/tls.c b/src/net/tls.c
@@ -1399,7 +1399,8 @@ static int tls_new_certificate ( struct tls_session *tls,
 	assert ( cert != NULL );
 
 	/* Verify server name */
-	if ( strcmp ( tls->name, cert->subject.name ) != 0 ) {
+	if ( ( cert->subject.name == NULL ) ||
+	     ( strcmp ( cert->subject.name, tls->name ) != 0 ) ) {
 		DBGC ( tls, "TLS %p server name incorrect (expected %s, got "
 		       "%s)\n", tls, tls->name, cert->subject.name );
 		return -EACCES_WRONG_NAME;