diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2016-07-03 21:41:57 +0100 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2016-07-11 23:30:04 +0100 |
| commit | 5bd5dcd49605ca2aa7931599894302a3ac4b0b04 (patch) | |
| tree | 6a0b8a29f6688a2e97b098ee29f690f7b10ed041 /crypto/x509v3 | |
| parent | 1d03b7b893223b1b049cb992e5c57c9a10f5846c (diff) | |
Add nameConstraints commonName checking.
New hostname checking function asn1_valid_host()
Check commonName entries against nameConstraints: any CN components in
EE certificate which look like hostnames are checked against
nameConstraints.
Note that RFC5280 et al only require checking subject alt name against
DNS name constraints.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'crypto/x509v3')
| -rw-r--r-- | crypto/x509v3/v3_ncons.c | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c index 413d9e97da..fe3a9078f7 100644 --- a/crypto/x509v3/v3_ncons.c +++ b/crypto/x509v3/v3_ncons.c @@ -9,6 +9,7 @@ #include <stdio.h> #include "internal/cryptlib.h" +#include "internal/asn1_int.h" #include <openssl/asn1t.h> #include <openssl/conf.h> #include <openssl/x509v3.h> @@ -226,6 +227,51 @@ int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc) } +int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc) +{ + int r, i; + X509_NAME *nm; + + ASN1_STRING stmp; + GENERAL_NAME gntmp; + stmp.flags = 0; + stmp.type = V_ASN1_IA5STRING; + gntmp.type = GEN_DNS; + gntmp.d.dNSName = &stmp; + + nm = X509_get_subject_name(x); + + /* Process any commonName attributes in subject name */ + + for (i = -1;;) { + X509_NAME_ENTRY *ne; + ASN1_STRING *hn; + i = X509_NAME_get_index_by_NID(nm, NID_commonName, i); + if (i == -1) + break; + ne = X509_NAME_get_entry(nm, i); + hn = X509_NAME_ENTRY_get_data(ne); + /* Only process attributes that look like host names */ + if (asn1_valid_host(hn)) { + unsigned char *h; + int hlen = ASN1_STRING_to_UTF8(&h, hn); + if (hlen <= 0) + return X509_V_ERR_OUT_OF_MEM; + + stmp.length = hlen; + stmp.data = h; + + r = nc_match(&gntmp, nc); + + OPENSSL_free(h); + + if (r != X509_V_OK) + return r; + } + } + return X509_V_OK; +} + static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) { GENERAL_SUBTREE *sub; |