author | Nick Mathewson <nickm@torproject.org> | 2003-10-19 00:46:51 +0000 |
committer | Nick Mathewson <nickm@torproject.org> | 2003-10-19 00:46:51 +0000 |
commit | 0ec2a34a1d4ebbe8d3a3f7cc47402471f26d63d4 (patch) | |
tree | 56777f6cd097fbb7172f88d7b8b8ef8977d8aa00 /src/common/tortls.c | |
parent | ec96419109aa0a53d3f2fe2fe9f41bb590115109 (diff) | |
Code to get nicknames from peer certs
svn:r627
Diffstat (limited to 'src/common/tortls.c')
-rw-r--r-- | src/common/tortls.c | 36 |
1 files changed, 33 insertions, 3 deletions
diff --git a/src/common/tortls.c b/src/common/tortls.c
index 75a7f7704a..6b32c46d5b 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -12,6 +12,9 @@
#include "./util.h"
#include "./log.h"
+/* Copied from or.h */
+#define LEGAL_NICKNAME_CHARACTERS "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+
#include <assert.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
@@ -132,7 +135,6 @@ tor_tls_create_certificate(crypto_pk_env_t *rsa,
EVP_PKEY *pkey = NULL;
X509 *x509 = NULL;
X509_NAME *name = NULL;
- BIO *out = NULL;
int nid;
int err;
@@ -178,8 +180,6 @@ tor_tls_create_certificate(crypto_pk_env_t *rsa,
error:
err = 1;
done:
- if (out)
- BIO_free(out);
if (x509 && err)
X509_free(x509);
if (pkey)
@@ -461,6 +461,36 @@ tor_tls_peer_has_cert(tor_tls *tls)
return 1;
}
+int
+tor_tls_get_peer_cert_nickname(tor_tls *tls, char *buf, int buflen)
+{
+ X509 *cert = NULL;
+ X509_NAME *name = NULL;
+ int nid;
+ int lenout;
+ int i;
+
+ if (!(cert = SSL_get_peer_certificate(tls->ssl))) {
+ log_fn(LOG_ERR, "Peer has no certificate");
+ return -1;
+ }
+ if (!(name = X509_get_subject_name(cert))) {
+ log_fn(LOG_ERR, "Peer certificate has no subject name");
+ return -1;
+ }
+ if ((nid = OBJ_txt2nid("commonName")) == NID_undef)
+ return -1;
+
+ lenout = X509_NAME_get_text_by_NID(name, nid, buf, buflen);
+ if (lenout == -1)
+ return -1;
+ if (strspn(buf, LEGAL_NICKNAME_CHARACTERS) != lenout) {
+ log_fn(LOG_ERR, "Peer certificate nickname has illegal characters.");
+ return -1;
+ }
+ return 0;
+}
+
/* If the provided tls connection is authenticated and has a
* certificate that is currently valid and is correctly self-signed,
* return its public key. Otherwise return NULL. |
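Review bot: `tor_tls_get_peer_cert_nickname` in the last hunk leaks the peer certificate on every path: `SSL_get_peer_certificate()` hands back a new reference that must be released with `X509_free()`, and none of the four `return` statements after it does so, so each untrusted peer that reaches this function costs a leaked X509 until the connection is torn down. A single `done:` label that frees `cert` fixes this (below); the same rewrite drops the unused `int i` and casts `lenout` to `size_t` so the `strspn` comparison is not signed/unsigned. Two smaller gaps deserve at least a comment: as far as I can tell from OpenSSL's `X509_NAME_get_text_by_OBJ`, a commonName longer than `buflen - 1` is silently truncated and the truncated length is returned, so an over-long name passes the character check as a shorter nickname (probing with a NULL buffer first to learn the full length would catch it), and an empty commonName (`lenout == 0`) is accepted as a valid nickname. The `LEGAL_NICKNAME_CHARACTERS` copy in the first hunk should carry a note that it must be kept in sync with or.h, e.g. `/* Copied from or.h -- keep both definitions identical. */`.
```c
int
tor_tls_get_peer_cert_nickname(tor_tls *tls, char *buf, int buflen)
{
  X509 *cert = NULL;
  X509_NAME *name = NULL;
  int nid;
  int lenout;
  int r = -1;

  if (!(cert = SSL_get_peer_certificate(tls->ssl))) {
    log_fn(LOG_ERR, "Peer has no certificate");
    return -1;
  }
  if (!(name = X509_get_subject_name(cert))) {
    log_fn(LOG_ERR, "Peer certificate has no subject name");
    goto done;
  }
  if ((nid = OBJ_txt2nid("commonName")) == NID_undef)
    goto done;
  lenout = X509_NAME_get_text_by_NID(name, nid, buf, buflen);
  if (lenout == -1)
    goto done;
  if (strspn(buf, LEGAL_NICKNAME_CHARACTERS) != (size_t)lenout) {
    log_fn(LOG_ERR, "Peer certificate nickname has illegal characters.");
    goto done;
  }
  r = 0;
done:
  X509_free(cert); /* SSL_get_peer_certificate() returned a new reference */
  return r;
}
```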