From 5bd5dcd49605ca2aa7931599894302a3ac4b0b04 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Sun, 3 Jul 2016 21:41:57 +0100
Subject: Add nameConstraints commonName checking.

New hostname checking function asn1_valid_host()

Check commonName entries against nameConstraints: any CN components in EE certificate which look like hostnames are checked against nameConstraints.

Note that RFC5280 et al only require checking subject alt name against DNS name constraints.

Reviewed-by: Richard Levitte
---
 crypto/x509v3/v3_ncons.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
(limited to 'crypto/x509v3')

diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c
index 413d9e97da..fe3a9078f7 100644
--- a/crypto/x509v3/v3_ncons.c
+++ b/crypto/x509v3/v3_ncons.c
@@ -9,6 +9,7 @@
 #include
 #include "internal/cryptlib.h"
+#include "internal/asn1_int.h"
 #include
 #include
 #include
@@ -226,6 +227,51 @@ int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
 }
+int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc)
+{
+ int r, i;
+ X509_NAME *nm;
+
+ ASN1_STRING stmp;
+ GENERAL_NAME gntmp;
+ stmp.flags = 0;
+ stmp.type = V_ASN1_IA5STRING;
+ gntmp.type = GEN_DNS;
+ gntmp.d.dNSName = &stmp;
+
+ nm = X509_get_subject_name(x);
+
+ /* Process any commonName attributes in subject name */
+
+ for (i = -1;;) {
+ X509_NAME_ENTRY *ne;
+ ASN1_STRING *hn;
+ i = X509_NAME_get_index_by_NID(nm, NID_commonName, i);
+ if (i == -1)
+ break;
+ ne = X509_NAME_get_entry(nm, i);
+ hn = X509_NAME_ENTRY_get_data(ne);
+ /* Only process attributes that look like host names */
+ if (asn1_valid_host(hn)) {
+ unsigned char *h;
+ int hlen = ASN1_STRING_to_UTF8(&h, hn);
+ if (hlen <= 0)
+ return X509_V_ERR_OUT_OF_MEM;
+
+ stmp.length = hlen;
+ stmp.data = h;
+
+ r = nc_match(&gntmp, nc);
+
+ OPENSSL_free(h);
+
+ if (r != X509_V_OK)
+ return r;
+ }
+ }
+ return X509_V_OK;
+}
+
 static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
 {
 GENERAL_SUBTREE *sub;
--
cgit v1.2.3
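Review bot: The `if (hlen <= 0) return X509_V_ERR_OUT_OF_MEM;` in the new NAME_CONSTRAINTS_check_CN() reports every ASN1_STRING_to_UTF8() failure as an allocation error, but that conversion also fails when the CN's source encoding cannot be decoded, and a zero-length CN yields hlen == 0, so a malformed or empty commonName in the EE certificate surfaces as out-of-memory rather than as a certificate problem (unless asn1_valid_host(), which is defined outside this file, already rejects such strings — worth confirming). At minimum distinguish `if (hlen < 0) return X509_V_ERR_OUT_OF_MEM;` from the hlen == 0 case (which must still free h if the conversion allocated), or add a comment such as `/* ASN1_STRING_to_UTF8() failure covers decode errors as well as allocation failure */` so the code mapping is deliberate. The function is exported without a header comment; a short one stating that it wraps each hostname-like CN in a temporary GEN_DNS GENERAL_NAME and runs it through nc_match(), returns X509_V_OK or an X509_V_ERR_* code, and is stricter than RFC 5280 (which only requires checking subjectAltName) would help callers and future maintainers. The trailing nc_match() context continues past the end of the hunk.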