author | Dr. Stephen Henson <steve@openssl.org> | 2016-07-03 21:41:57 +0100 |
committer | Dr. Stephen Henson <steve@openssl.org> | 2016-07-11 23:30:04 +0100 |
commit | 5bd5dcd49605ca2aa7931599894302a3ac4b0b04 (patch) | |
tree | 6a0b8a29f6688a2e97b098ee29f690f7b10ed041 /crypto/asn1/charmap.pl | |
parent | 1d03b7b893223b1b049cb992e5c57c9a10f5846c (diff) |
Add nameConstraints commonName checking.
New hostname checking function asn1_valid_host()
Check commonName entries against nameConstraints: any CN components in an
EE certificate which look like hostnames are checked against
nameConstraints.
Note that RFC5280 et al only require checking subject alt name against
DNS name constraints.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'crypto/asn1/charmap.pl')
-rw-r--r-- | crypto/asn1/charmap.pl | 21 |
1 files changed, 15 insertions, 6 deletions
diff --git a/crypto/asn1/charmap.pl b/crypto/asn1/charmap.pl
index a3511da072..26ca325223 100644
--- a/crypto/asn1/charmap.pl
+++ b/crypto/asn1/charmap.pl
@@ -22,6 +22,10 @@ my $PSTRING_CHAR = 0x10; # Valid PrintableString character
 my $RFC2253_FIRST_ESC = 0x20; # Escaped with \ if first character
 my $RFC2253_LAST_ESC = 0x40; # Escaped with \ if last character
 my $RFC2254_ESC = 0x400; # Character escaped \XX
+my $HOST_ANY = 0x1000; # Valid hostname character anywhere in label
+my $HOST_DOT = 0x2000; # Dot: hostname label separator
+my $HOST_HYPHEN = 0x4000; # Hyphen: not valid at start or end.
+my $HOST_WILD = 0x8000; # Wildcard character
 
 for($i = 0; $i < 128; $i++) {
 # Set the RFC2253 escape characters (control)
@@ -34,7 +38,7 @@ for($i = 0; $i < 128; $i++) {
 if( ( ( $i >= ord("a")) && ( $i <= ord("z")) )
 || ( ( $i >= ord("A")) && ( $i <= ord("Z")) )
 || ( ( $i >= ord("0")) && ( $i <= ord("9")) ) ) {
- $arr[$i] |= $PSTRING_CHAR;
+ $arr[$i] |= $PSTRING_CHAR | $HOST_ANY;
 }
 }
 
@@ -58,7 +62,7 @@ $arr[ord(";")] |= $NOESC_QUOTE | $RFC2253_ESC;
 $arr[0] |= $RFC2254_ESC;
 $arr[ord("(")] |= $RFC2254_ESC;
 $arr[ord(")")] |= $RFC2254_ESC;
-$arr[ord("*")] |= $RFC2254_ESC;
+$arr[ord("*")] |= $RFC2254_ESC | $HOST_WILD;
 $arr[ord("\\")] |= $RFC2254_ESC;
 
 # Remaining PrintableString characters
@@ -69,8 +73,8 @@ $arr[ord("(")] |= $PSTRING_CHAR;
 $arr[ord(")")] |= $PSTRING_CHAR;
 $arr[ord("+")] |= $PSTRING_CHAR;
 $arr[ord(",")] |= $PSTRING_CHAR;
-$arr[ord("-")] |= $PSTRING_CHAR;
-$arr[ord(".")] |= $PSTRING_CHAR;
+$arr[ord("-")] |= $PSTRING_CHAR | $HOST_HYPHEN;
+$arr[ord(".")] |= $PSTRING_CHAR | $HOST_DOT;
 $arr[ord("/")] |= $PSTRING_CHAR;
 $arr[ord(":")] |= $PSTRING_CHAR;
 $arr[ord("=")] |= $PSTRING_CHAR;
@@ -91,6 +95,11 @@ print <<EOF;
 * https://www.openssl.org/source/license.html
 */
 
+#define CHARTYPE_HOST_ANY $HOST_ANY
+#define CHARTYPE_HOST_DOT $HOST_DOT
+#define CHARTYPE_HOST_HYPHEN $HOST_HYPHEN
+#define CHARTYPE_HOST_WILD $HOST_WILD
+
 /*
 * Mask of various character properties
 */
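Review bot: The four new `$HOST_*` flags in the first hunk only classify single characters, yet the comments on `$HOST_HYPHEN` ("not valid at start or end.") and `$HOST_WILD` read like validation rules; a per-character table cannot express positional constraints (hyphen at label edges, where a wildcard may appear, dot as separator), so those must be enforced by the consumer — per the commit message that is `asn1_valid_host()`, which lives outside this file. A short comment above the declarations would keep a later reader from treating a set `CHARTYPE_HOST_*` bit as "valid in this position": `# HOST_* bits classify characters only; positional rules (hyphen at label edges, wildcard placement) are enforced by the C caller.` It is also worth recording that 0x8000 is the top bit of a 16-bit value, so if `char_type[]` is still emitted as `unsigned short` (its declaration is not in this hunk) no further flag can be added without widening the table. The same note applies to the `#define CHARTYPE_HOST_*` lines in the last hunk of this file, which carry no comment at all.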
@@ -100,8 +109,8 @@ EOF
 print " ";
 for($i = 0; $i < 128; $i++) {
- print("\n ") if($i && (($i % 16) == 0));
- printf(" %2d", $arr[$i]);
+ print("\n ") if($i && (($i % 12) == 0));
+ printf(" %4d", $arr[$i]);
 print(",") if ($i != 127);
 }
 print("\n};\n"); |
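Review bot: The widened `printf(" %4d", $arr[$i]);` still does not keep the generated columns aligned, because several entries now need five digits: `-` gets `$PSTRING_CHAR | $HOST_HYPHEN` (0x10 | 0x4000 = 16400) and `*` gets `$RFC2254_ESC | $HOST_WILD` (0x400 | 0x8000 = 33792), before any other bits set outside these hunks are OR'd in. Since `%4d` is a minimum width, the output is still correct C, only the table layout drifts; `printf(" %5d", $arr[$i]);` would restore alignment for every 16-bit value, and `printf(" 0x%04x", $arr[$i]);` would additionally make the bitmask readable against the `CHARTYPE_*` defines. Switching to 12 entries per row without a comment explaining why is a readability choice worth one line, e.g. `# 12 per row keeps lines under 80 columns with the wider entries.` if that is the reason.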