in wangle/ssl/SSLContextManager.cpp [714:765]
/**
 * Check that the leaf certificate loaded into `sslCtx` carries the same
 * identity (from getCertIdentity) and the same Subject Alternative Name set
 * as the other certificates already accepted for this group.
 *
 * On the first certificate of a group (`firstCert == true`) the identity and
 * the (sorted) SAN list are recorded into `groupIdentity` / `subjectAltName`
 * and no comparison is made.  Every later certificate must match both: the
 * identity exactly, and the SAN list as a sorted sequence -- so the comparison
 * is order-insensitive, but a SAN that is present/absent/duplicated on one
 * cert and not the other is a mismatch.  A group where one cert lacks SANs
 * entirely only matches other certs that also lack SANs.
 *
 * NOTE(review): presumably this keeps every cert in a group interchangeable
 * for name-based (SNI) selection, since the group is keyed off the first
 * cert's names -- confirm against the caller.
 *
 * @param sslCtx           context whose leaf certificate is inspected
 * @param description      human-readable label used in errors and logs
 * @param groupIdentity    in/out: identity shared by the group
 * @param subjectAltName   in/out: sorted SAN list shared by the group, or
 *                         nullptr when the group's certs have no SANs
 * @param lastCertPath     path of a previously accepted cert, for messages
 * @param firstCert        true to seed the group from this cert
 * @throws std::runtime_error if the cert cannot be decoded, has no identity,
 *         or disagrees with the group's identity or SAN set
 */
void SSLContextManager::verifyCertNames(
    const std::shared_ptr<folly::SSLContext>& sslCtx,
    const std::string& description,
    std::string& groupIdentity,
    std::unique_ptr<std::list<std::string>>& subjectAltName,
    const std::string& lastCertPath,
    bool firstCert) const {
  // getX509 hands us an owning X509*; release it on every exit path.
  X509* const leaf = getX509(sslCtx->getSSLCtx());
  if (leaf == nullptr) {
    throw std::runtime_error(
        folly::to<std::string>("Certificate: ", description, " is invalid"));
  }
  const auto releaseLeaf = folly::makeGuard([leaf] { X509_free(leaf); });

  auto identityResult = getCertIdentity(*leaf);
  const auto& certIdentity = identityResult.first;
  if (!certIdentity) {
    throw std::runtime_error(
        folly::to<std::string>("Cannot get identity for X509 ", description));
  }

  // Sort the SAN list so that list equality below is order-insensitive.
  auto certSans = SSLUtil::getSubjectAltName(leaf);
  VLOG(3) << "cert " << description << " Identity: " << *certIdentity;
  if (certSans) {
    certSans->sort();
    VLOG(3) << "cert " << description << " SAN: " << flattenList(*certSans);
  } else {
    VLOG(3) << "cert " << description << " SAN: {none}";
  }

  // First cert of the group seeds the reference values; nothing to compare.
  if (firstCert) {
    groupIdentity = *certIdentity;
    subjectAltName = std::move(certSans);
    return;
  }

  // Identity is checked before SANs so the error reported matches the
  // first disagreement a reader would look for.
  if (groupIdentity != *certIdentity) {
    throw std::runtime_error(folly::to<std::string>(
        "X509 ",
        description,
        " does not have same identity as ",
        lastCertPath));
  }

  // Both absent, or both present and element-wise equal after sorting.
  const bool sanMatches = (certSans == nullptr)
      ? (subjectAltName == nullptr)
      : (subjectAltName != nullptr && *certSans == *subjectAltName);
  if (!sanMatches) {
    throw std::runtime_error(folly::to<std::string>(
        "X509 ", description, " does not have same SAN as ", lastCertPath));
  }
}