Add support for oid 2.5.29.17 RFC822Name

This is needed to be able to retreive email from the Subject
Alternative Name from the certificate.

Signed-off-by: Johannes Sjøkvist <johannes@konsept-it.no>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

doc/sample.config

@@ -226,7 +226,7 @@ try-mtu-discovery = false
 # The object identifier that will be used to read the user ID in the client 
 # certificate. The object identifier should be part of the certificate's DN
 # Useful OIDs are: 
-#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1, SAN(rfc822name)
 cert-user-oid = 0.9.2342.19200300.100.1.1
 
 # The object identifier that will be used to read the user group in the 

src/config.c

@@ -447,7 +447,7 @@ static void figure_auth_funcs(struct perm_cfg_st *config, char **auth, unsigned
 				if (c_strncasecmp(auth[j], avail_auth_types[i].name, avail_auth_types[i].name_size) == 0) {
 					if (avail_auth_types[i].get_brackets_string)
 						config->auth[x].additional = avail_auth_types[i].get_brackets_string(config, auth[j]+avail_auth_types[i].name_size);
-				
+
 					config->auth[x].name = talloc_strdup(config, avail_auth_types[i].name);
 					fprintf(stderr, NOTESTR"enabling '%s' as authentication method\n", avail_auth_types[i].name);
 
@@ -1153,6 +1153,13 @@ static void check_cfg(struct perm_cfg_st *perm_config)
 		exit(1);
 	}
 
+	if (perm_config->config->cert_req != 0 && perm_config->config->cert_user_oid != NULL) {
+		if (!c_isdigit(perm_config->config->cert_user_oid[0]) && strcmp(perm_config->config->cert_user_oid, "SAN(rfc822name)") != 0) {
+			fprintf(stderr, ERRSTR"the option 'cert-user-oid' has a unsupported value\n");
+			exit(1);
+		}
+	}
+
 	if (perm_config->unix_conn_file != NULL && (perm_config->config->cert_req != 0)) {
 		if (perm_config->config->listen_proxy_proto == 0) {
 			fprintf(stderr, ERRSTR"the option 'listen-clear-file' cannot be combined with 'auth=certificate'\n");

src/ocserv-args.def

@@ -325,7 +325,7 @@ try-mtu-discovery = false
 # The object identifier that will be used to read the user ID in the client 
 # certificate. The object identifier should be part of the certificate's DN
 # Useful OIDs are: 
-#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1, SAN(rfc822name)
 #cert-user-oid = 0.9.2342.19200300.100.1.1
 
 # The object identifier that will be used to read the user group in the 

src/worker-auth.c

@@ -450,8 +450,28 @@ int get_cert_names(worker_st * ws, const gnutls_datum_t * raw)
 		goto fail;
 	}
 
-	size = sizeof(ws->cert_username);
-	if (ws->config->cert_user_oid) {	/* otherwise certificate username is ignored */
+	if (strcmp(ws->config->cert_user_oid, "SAN(rfc822name)") == 0) {	/* check for RFC822Name */
+		for (i = 0;; i++) {
+			size = sizeof(ws->cert_username);
+			ret =
+			    gnutls_x509_crt_get_subject_alt_name(crt, i,
+								 ws->
+								 cert_username,
+								 &size, NULL);
+			if (ret < 0)
+				break;
+			if (ret == GNUTLS_SAN_RFC822NAME) {
+				oclog(ws, LOG_INFO,
+				      "RFC822NAME (%s) retrieved",
+				      ws->cert_username);
+				break;
+			}
+		}
+		if (ret != 0) {
+			ret = 1;
+		}
+	} else if (ws->config->cert_user_oid) {	/* otherwise certificate username is ignored */
+		size = sizeof(ws->cert_username);
 		ret =
 		    gnutls_x509_crt_get_dn_by_oid(crt,
 					  ws->config->cert_user_oid, 0,
@@ -459,6 +479,7 @@ int get_cert_names(worker_st * ws, const gnutls_datum_t * raw)
 	} else {
 		ret = gnutls_x509_crt_get_dn(crt, ws->cert_username, &size);
 	}
+
 	if (ret < 0) {
 		if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
 			oclog(ws, LOG_ERR, "certificate's username exceed the maximum buffer size (%u)",