github.com/mRemoteNG/PuTTYNG.git
author: Simon Tatham <anakin@pobox.com> 2022-06-12 12:04:26 +0300
committer: Simon Tatham <anakin@pobox.com> 2022-06-25 16:32:23 +0300
commit: f579b3c01e2bfd439d493be06b934404e13d3376
tree: c89254e418d4536417c55c85a42430b360887620 /windows
parent: 08d58fe13e84a929c72c5d4aa98001279463a79f
Certificate trust scope: change to a boolean-expression system.
This replaces the previous placeholder scheme of having a list of hostname wildcards with implicit logical-OR semantics (if any wildcard matched then the certificate would be trusted to sign for that host). That scheme didn't allow for exceptions within a domain ('everything in example.com except extra-high-security-machine.example.com'), and also had no way to specify port numbers.

In the new system, you can still write a hostname wildcard by itself in the simple case, but now those are just atomic subexpressions in a boolean-logic domain-specific language I've made up. So if you want multiple wildcards, you can separate them with || in a single longer expression, and also you can use && and ! to impose exceptions on top of that.

Full details of the expression language are in the comment at the top of utils/cert-expr.c. It'll need documenting properly before release, of course.

For the sake of backwards compatibility for early adopters who've already set up configuration in the old system, I've put in some code that will read the old MatchHosts configuration and automatically translate it into the equivalent boolean expression (by simply stringing together the list of wildcards with || between them).
Diffstat (limited to 'windows')
-rw-r--r-- windows/storage.c 26
1 files changed, 13 insertions, 13 deletions
diff --git a/windows/storage.c b/windows/storage.c
index 6a48aee6..30147a45 100644
--- a/windows/storage.c
+++ b/windows/storage.c
@@ -432,19 +432,20 @@ host_ca *host_ca_load(const char *name)
if ((s = get_reg_sz(rkey, "PublicKey")) != NULL)
hca->ca_public_key = base64_decode_sb(ptrlen_from_asciz(s));
- if ((sb = get_reg_multi_sz(rkey, "MatchHosts")) != NULL) {
+ if ((s = get_reg_sz(rkey, "Validity")) != NULL) {
+ hca->validity_expression = strbuf_to_str(
+ percent_decode_sb(ptrlen_from_asciz(s)));
+ } else if ((sb = get_reg_multi_sz(rkey, "MatchHosts")) != NULL) {
BinarySource src[1];
BinarySource_BARE_INIT_PL(src, ptrlen_from_strbuf(sb));
+ CertExprBuilder *eb = cert_expr_builder_new();
const char *wc;
- size_t wcsize = 0;
- while (wc = get_asciz(src), !get_err(src)) {
- sgrowarray(hca->hostname_wildcards, wcsize,
- hca->n_hostname_wildcards);
- hca->hostname_wildcards[hca->n_hostname_wildcards++] = dupstr(wc);
- }
+ while (wc = get_asciz(src), !get_err(src))
+ cert_expr_builder_add(eb, wc);
- strbuf_free(sb);
+ hca->validity_expression = cert_expr_expression(eb);
+ cert_expr_builder_free(eb);
}
if (get_reg_dword(rkey, "PermitRSASHA1", &val))
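Review bot: the MatchHosts fallback branch no longer frees sb. The `strbuf_free(sb);` line is removed and nothing in the new branch replaces it, so the buffer returned by get_reg_multi_sz appears to leak each time an old-style record is loaded; suggest keeping `strbuf_free(sb);` after the while loop, next to `cert_expr_builder_free(eb);`. A smaller point on the new Validity branch: the percent-decoded registry string is stored in hca->validity_expression with no syntax check visible in this hunk, so a short comment naming where the expression gets parsed and rejected if malformed would help a reader confirm that a corrupted or hand-edited value cannot widen the trust scope.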
@@ -479,11 +480,10 @@ char *host_ca_save(host_ca *hca)
put_reg_sz(rkey, "PublicKey", base64_pubkey->s);
strbuf_free(base64_pubkey);
- strbuf *wcs = strbuf_new();
- for (size_t i = 0; i < hca->n_hostname_wildcards; i++)
- put_asciz(wcs, hca->hostname_wildcards[i]);
- put_reg_multi_sz(rkey, "MatchHosts", wcs);
- strbuf_free(wcs);
+ strbuf *validity = percent_encode_sb(
+ ptrlen_from_asciz(hca->validity_expression), NULL);
+ put_reg_sz(rkey, "Validity", validity->s);
+ strbuf_free(validity);
put_reg_dword(rkey, "PermitRSASHA1", hca->opts.permit_rsa_sha1);
put_reg_dword(rkey, "PermitRSASHA256", hca->opts.permit_rsa_sha256);
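Review bot: host_ca_save now writes only Validity and, in this hunk, does nothing about an existing MatchHosts value, so a record migrated from the old format keeps its stale wildcard list in the registry. host_ca_load prefers Validity, so this code ignores the leftover, but any reader that still consults MatchHosts would apply the old trust scope even after the expression has been tightened with && or !. Suggest deleting MatchHosts when Validity is saved, or adding a comment saying why it is left in place. Separately, hca->validity_expression is passed to ptrlen_from_asciz unconditionally here, while host_ca_load sets it only inside the Validity and MatchHosts branches; worth confirming it can never be NULL when a record is saved.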