diff options
| author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-08-25 16:46:18 +0200 |
|---|---|---|
| committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-09-11 07:42:22 +0200 |
| commit | da6c691d6d417ad413fdc1e7a7a183d005e7fefd (patch) | |
| tree | f2aafc6b4b593e289ebf52719d8dd6ae427aeefe /crypto/x509 | |
| parent | 89f13ca4342be5b541b0885e3058617e5cce0de8 (diff) | |
| download | openssl-da6c691d6d417ad413fdc1e7a7a183d005e7fefd.tar.gz | |
check_chain_extensions(): Add check that on empty Subject the SAN must be marked critical
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
Diffstat (limited to 'crypto/x509')
| -rw-r--r-- | crypto/x509/v3_purp.c | 3 | ||||
| -rw-r--r-- | crypto/x509/x509_txt.c | 2 | ||||
| -rw-r--r-- | crypto/x509/x509_vfy.c | 10 |
3 files changed, 9 insertions, 6 deletions
diff --git a/crypto/x509/v3_purp.c b/crypto/x509/v3_purp.c index bced482df4..2d4098b629 100644 --- a/crypto/x509/v3_purp.c +++ b/crypto/x509/v3_purp.c @@ -608,6 +608,9 @@ int x509v3_cache_extensions(X509 *x) case NID_subject_key_identifier: x->ex_flags |= EXFLAG_SKID_CRITICAL; break; + case NID_subject_alt_name: + x->ex_flags |= EXFLAG_SAN_CRITICAL; + break; default: break; } diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c index d4bf31685e..85782a2f86 100644 --- a/crypto/x509/x509_txt.c +++ b/crypto/x509/x509_txt.c @@ -200,6 +200,8 @@ const char *X509_verify_cert_error_string(long n) return "Empty Subject Alternative Name extension"; case X509_V_ERR_CA_BCONS_NOT_CRITICAL: return "Basic Constraints of CA cert not marked critical"; + case X509_V_ERR_EMPTY_SUBJECT_SAN_NOT_CRITICAL: + return "Subject empty and Subject Alt Name extension not critical"; case X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL: return "Authority Key Identifier marked critical"; case X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL: diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 48c0a2d58d..966733dbb7 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -549,12 +549,10 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) || x->altname == NULL ) && X509_NAME_entry_count(X509_get_subject_name(x)) == 0) ctx->error = X509_V_ERR_SUBJECT_NAME_EMPTY; - /* - * TODO check: If subject naming information is present only in - * the subjectAltName extension, - * then the subject name MUST be an empty sequence - * and the subjectAltName extension MUST be critical. - */ + if (X509_NAME_entry_count(X509_get_subject_name(x)) == 0 + && x->altname != NULL + && (x->ex_flags & EXFLAG_SAN_CRITICAL) == 0) + ctx->error = X509_V_ERR_EMPTY_SUBJECT_SAN_NOT_CRITICAL; /* Check SAN is non-empty according to RFC 5280 section 4.2.1.6 */ if (x->altname != NULL && sk_GENERAL_NAME_num(x->altname) <= 0) ctx->error = X509_V_ERR_EMPTY_SUBJECT_ALT_NAME; |