Add nameConstraints commonName checking.

New hostname checking function asn1_valid_host() Check commonName entries against nameConstraints: any CN components in EE certificate which look like hostnames are checked against nameConstraints. Note that RFC5280 et al only require checking subject alt name against DNS name constraints. Reviewed-by: Richard Levitte <levitte@openssl.org>
author: Dr. Stephen Henson <steve@openssl.org> 2016-07-03 21:41:57 +0100
committer: Dr. Stephen Henson <steve@openssl.org> 2016-07-11 23:30:04 +0100
commit: 5bd5dcd49605ca2aa7931599894302a3ac4b0b04 (patch)
tree: 6a0b8a29f6688a2e97b098ee29f690f7b10ed041 /crypto/x509/x509_vfy.c
parent: 1d03b7b893223b1b049cb992e5c57c9a10f5846c (diff)
download: openssl-5bd5dcd49605ca2aa7931599894302a3ac4b0b04.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index c8ebc50857..469a0a8693 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -651,6 +651,10 @@ static int check_name_constraints(X509_STORE_CTX *ctx)
             if (nc) {
                 int rv = NAME_CONSTRAINTS_check(x, nc);
 
+                /* If EE certificate check commonName too */
+                if (rv == X509_V_OK && i == 0)
+                    rv = NAME_CONSTRAINTS_check_CN(x, nc);
+
                 switch (rv) {
                 case X509_V_OK:
                     break;
author	Dr. Stephen Henson <steve@openssl.org>	2016-07-03 21:41:57 +0100
committer	Dr. Stephen Henson <steve@openssl.org>	2016-07-11 23:30:04 +0100
commit	5bd5dcd49605ca2aa7931599894302a3ac4b0b04 (patch)
tree	6a0b8a29f6688a2e97b098ee29f690f7b10ed041 /crypto/x509/x509_vfy.c
parent	1d03b7b893223b1b049cb992e5c57c9a10f5846c (diff)
download	openssl-5bd5dcd49605ca2aa7931599894302a3ac4b0b04.tar.gz