| author | Dr. Stephen Henson <steve@openssl.org> | 2016-07-03 21:41:57 +0100 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2016-07-11 23:30:04 +0100 |
| commit | 5bd5dcd49605ca2aa7931599894302a3ac4b0b04 (patch) | |
| tree | 6a0b8a29f6688a2e97b098ee29f690f7b10ed041 /crypto/x509/x509_vfy.c | |
| parent | 1d03b7b893223b1b049cb992e5c57c9a10f5846c (diff) | |
| download | openssl-5bd5dcd49605ca2aa7931599894302a3ac4b0b04.tar.gz | |
Add nameConstraints commonName checking.
New hostname checking function asn1_valid_host()
Check commonName entries against nameConstraints: any CN components in the EE certificate which look like hostnames are checked against nameConstraints.
Note that RFC5280 et al. only require checking subject alt name against DNS name constraints.
Reviewed-by: Richard Levitte <levitte@openssl.org>
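As an added illustration, not OpenSSL's own code, the stand-alone C below mirrors the rule the commit message describes: a CN value that looks like a hostname is treated as a DNS name and tested against permitted and excluded DNS subtrees as RFC 5280 section 4.2.1.10 defines them, while non-hostname CNs are left alone. The hostname heuristic, the helper names and the sample constraints are constructed for this example; OpenSSL's asn1_valid_host() and NAME_CONSTRAINTS_check_CN() have their own rules.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Constructed hostname heuristic (OpenSSL's asn1_valid_host() has its own
 * rules): letters/digits/hyphens in non-empty labels joined by single dots. */
static bool looks_like_hostname(const char *cn)
{
    size_t label_len = 0;
    if (cn == NULL) return false;
    for (; *cn; cn++) {
        if (*cn == '.' && label_len > 0)
            label_len = 0;                  /* label boundary */
        else if (isalnum((unsigned char)*cn) || *cn == '-')
            label_len++;
        else
            return false;                   /* empty label, space, '@', '*', ... */
    }
    return label_len > 0;                   /* rejects "" and a trailing dot */
}

/* RFC 5280 4.2.1.10 DNS subtree: name equals base or ends in "." + base
 * (labels may only be added on the left); compared case-insensitively. */
static bool dns_in_subtree(const char *name, const char *base)
{
    size_t nl = strlen(name), bl = strlen(base), i;
    if (bl == 0) return true;               /* empty base matches every name */
    if (nl < bl) return false;
    for (i = 0; i < bl; i++)
        if (tolower((unsigned char)name[nl - bl + i]) != tolower((unsigned char)base[i]))
            return false;
    return nl == bl || name[nl - bl - 1] == '.';
}

/* One CN value against permitted/excluded DNS subtrees: non-hostname CNs pass
 * untouched, an excluded match rejects, np == 0 means no permittedSubtrees. */
static bool cn_allowed(const char *cn, const char *const *permitted, size_t np,
                       const char *const *excluded, size_t ne)
{
    if (!looks_like_hostname(cn)) return true;
    for (size_t i = 0; i < ne; i++)
        if (dns_in_subtree(cn, excluded[i]))
            return false;                   /* excluded wins over permitted */
    if (np == 0) return true;
    for (size_t i = 0; i < np; i++)
        if (dns_in_subtree(cn, permitted[i]))
            return true;
    return false;
}
```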
Diffstat (limited to 'crypto/x509/x509_vfy.c')
-rw-r--r-- | crypto/x509/x509_vfy.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index c8ebc50857..469a0a8693 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -651,6 +651,10 @@ static int check_name_constraints(X509_STORE_CTX *ctx) if (nc) { int rv = NAME_CONSTRAINTS_check(x, nc); + /* If EE certificate check commonName too */ + if (rv == X509_V_OK && i == 0) + rv = NAME_CONSTRAINTS_check_CN(x, nc); + switch (rv) { case X509_V_OK: break; |
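Review bot: the new comment `/* If EE certificate check commonName too */` undersells a behaviour change; since the commit message itself notes that RFC 5280 only requires checking subjectAltName against DNS name constraints, the comment at the call site should say that hostname-like CN values are checked in addition and that this is stricter than the RFC, e.g. `/* EE cert only: also check hostname-like CN values (stricter than RFC 5280) */`, and it should name the assumption that chain index 0 is the EE certificate, which is what the `i == 0` guard relies on.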