2 * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/conf.h>
13 #include <openssl/x509v3.h>
16 static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
18 STACK_OF(CONF_VALUE) *nval);
19 static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
21 STACK_OF(CONF_VALUE) *nval);
22 static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p);
23 static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens);
24 static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
25 static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
27 const X509V3_EXT_METHOD v3_alt[3] = {
28 {NID_subject_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
31 (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
32 (X509V3_EXT_V2I)v2i_subject_alt,
35 {NID_issuer_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
38 (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
39 (X509V3_EXT_V2I)v2i_issuer_alt,
42 {NID_certificate_issuer, 0, ASN1_ITEM_ref(GENERAL_NAMES),
45 (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
46 NULL, NULL, NULL, NULL},
49 STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
51 STACK_OF(CONF_VALUE) *ret)
55 STACK_OF(CONF_VALUE) *tmpret = NULL, *origret = ret;
57 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
58 gen = sk_GENERAL_NAME_value(gens, i);
60 * i2v_GENERAL_NAME allocates ret if it is NULL. If something goes
61 * wrong we need to free the stack - but only if it was empty when we
62 * originally entered this function.
64 tmpret = i2v_GENERAL_NAME(method, gen, ret);
67 sk_CONF_VALUE_pop_free(ret, X509V3_conf_free);
73 return sk_CONF_VALUE_new_null();
77 STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
79 STACK_OF(CONF_VALUE) *ret)
82 char oline[256], htmp[5];
87 if (!X509V3_add_value("othername", "<unsupported>", &ret))
92 if (!X509V3_add_value("X400Name", "<unsupported>", &ret))
97 if (!X509V3_add_value("EdiPartyName", "<unsupported>", &ret))
102 if (!X509V3_add_value_uchar("email", gen->d.ia5->data, &ret))
107 if (!X509V3_add_value_uchar("DNS", gen->d.ia5->data, &ret))
112 if (!X509V3_add_value_uchar("URI", gen->d.ia5->data, &ret))
117 if (X509_NAME_oneline(gen->d.dirn, oline, sizeof(oline)) == NULL
118 || !X509V3_add_value("DirName", oline, &ret))
124 if (gen->d.ip->length == 4)
125 BIO_snprintf(oline, sizeof(oline), "%d.%d.%d.%d",
126 p[0], p[1], p[2], p[3]);
127 else if (gen->d.ip->length == 16) {
129 for (i = 0; i < 8; i++) {
130 BIO_snprintf(htmp, sizeof(htmp), "%X", p[0] << 8 | p[1]);
137 if (!X509V3_add_value("IP Address", "<invalid>", &ret))
141 if (!X509V3_add_value("IP Address", oline, &ret))
146 i2t_ASN1_OBJECT(oline, 256, gen->d.rid);
147 if (!X509V3_add_value("Registered ID", oline, &ret))
154 int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
160 BIO_printf(out, "othername:<unsupported>");
164 BIO_printf(out, "X400Name:<unsupported>");
168 /* Maybe fix this: it is supported now */
169 BIO_printf(out, "EdiPartyName:<unsupported>");
173 BIO_printf(out, "email:");
174 ASN1_STRING_print(out, gen->d.ia5);
178 BIO_printf(out, "DNS:");
179 ASN1_STRING_print(out, gen->d.ia5);
183 BIO_printf(out, "URI:");
184 ASN1_STRING_print(out, gen->d.ia5);
188 BIO_printf(out, "DirName:");
189 X509_NAME_print_ex(out, gen->d.dirn, 0, XN_FLAG_ONELINE);
194 if (gen->d.ip->length == 4)
195 BIO_printf(out, "IP Address:%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
196 else if (gen->d.ip->length == 16) {
197 BIO_printf(out, "IP Address");
198 for (i = 0; i < 8; i++) {
199 BIO_printf(out, ":%X", p[0] << 8 | p[1]);
204 BIO_printf(out, "IP Address:<invalid>");
210 BIO_printf(out, "Registered ID:");
211 i2a_ASN1_OBJECT(out, gen->d.rid);
217 static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
219 STACK_OF(CONF_VALUE) *nval)
221 const int num = sk_CONF_VALUE_num(nval);
222 GENERAL_NAMES *gens = sk_GENERAL_NAME_new_reserve(NULL, num);
226 X509V3err(X509V3_F_V2I_ISSUER_ALT, ERR_R_MALLOC_FAILURE);
227 sk_GENERAL_NAME_free(gens);
230 for (i = 0; i < num; i++) {
231 CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i);
233 if (!name_cmp(cnf->name, "issuer")
234 && cnf->value && strcmp(cnf->value, "copy") == 0) {
235 if (!copy_issuer(ctx, gens))
238 GENERAL_NAME *gen = v2i_GENERAL_NAME(method, ctx, cnf);
242 sk_GENERAL_NAME_push(gens, gen); /* no failure as it was reserved */
247 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
251 /* Append subject altname of issuer to issuer alt name of subject */
253 static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens)
260 if (ctx && (ctx->flags == CTX_TEST))
262 if (!ctx || !ctx->issuer_cert) {
263 X509V3err(X509V3_F_COPY_ISSUER, X509V3_R_NO_ISSUER_DETAILS);
266 i = X509_get_ext_by_NID(ctx->issuer_cert, NID_subject_alt_name, -1);
269 if ((ext = X509_get_ext(ctx->issuer_cert, i)) == NULL
270 || (ialt = X509V3_EXT_d2i(ext)) == NULL) {
271 X509V3err(X509V3_F_COPY_ISSUER, X509V3_R_ISSUER_DECODE_ERROR);
275 num = sk_GENERAL_NAME_num(ialt);
276 if (!sk_GENERAL_NAME_reserve(gens, num)) {
277 X509V3err(X509V3_F_COPY_ISSUER, ERR_R_MALLOC_FAILURE);
281 for (i = 0; i < num; i++) {
282 gen = sk_GENERAL_NAME_value(ialt, i);
283 sk_GENERAL_NAME_push(gens, gen); /* no failure as it was reserved */
285 sk_GENERAL_NAME_free(ialt);
294 static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
296 STACK_OF(CONF_VALUE) *nval)
300 const int num = sk_CONF_VALUE_num(nval);
303 gens = sk_GENERAL_NAME_new_reserve(NULL, num);
305 X509V3err(X509V3_F_V2I_SUBJECT_ALT, ERR_R_MALLOC_FAILURE);
306 sk_GENERAL_NAME_free(gens);
310 for (i = 0; i < num; i++) {
311 cnf = sk_CONF_VALUE_value(nval, i);
312 if (!name_cmp(cnf->name, "email")
313 && cnf->value && strcmp(cnf->value, "copy") == 0) {
314 if (!copy_email(ctx, gens, 0))
316 } else if (!name_cmp(cnf->name, "email")
317 && cnf->value && strcmp(cnf->value, "move") == 0) {
318 if (!copy_email(ctx, gens, 1))
322 if ((gen = v2i_GENERAL_NAME(method, ctx, cnf)) == NULL)
324 sk_GENERAL_NAME_push(gens, gen); /* no failure as it was reserved */
329 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
334 * Copy any email addresses in a certificate or request to GENERAL_NAMES
337 static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
340 ASN1_IA5STRING *email = NULL;
342 GENERAL_NAME *gen = NULL;
345 if (ctx != NULL && ctx->flags == CTX_TEST)
348 || (ctx->subject_cert == NULL && ctx->subject_req == NULL)) {
349 X509V3err(X509V3_F_COPY_EMAIL, X509V3_R_NO_SUBJECT_DETAILS);
352 /* Find the subject name */
353 if (ctx->subject_cert)
354 nm = X509_get_subject_name(ctx->subject_cert);
356 nm = X509_REQ_get_subject_name(ctx->subject_req);
358 /* Now add any email address(es) to STACK */
359 while ((i = X509_NAME_get_index_by_NID(nm,
360 NID_pkcs9_emailAddress, i)) >= 0) {
361 ne = X509_NAME_get_entry(nm, i);
362 email = ASN1_STRING_dup(X509_NAME_ENTRY_get_data(ne));
364 X509_NAME_delete_entry(nm, i);
365 X509_NAME_ENTRY_free(ne);
368 if (email == NULL || (gen = GENERAL_NAME_new()) == NULL) {
369 X509V3err(X509V3_F_COPY_EMAIL, ERR_R_MALLOC_FAILURE);
374 gen->type = GEN_EMAIL;
375 if (!sk_GENERAL_NAME_push(gens, gen)) {
376 X509V3err(X509V3_F_COPY_EMAIL, ERR_R_MALLOC_FAILURE);
385 GENERAL_NAME_free(gen);
386 ASN1_IA5STRING_free(email);
391 GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
392 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
397 const int num = sk_CONF_VALUE_num(nval);
400 gens = sk_GENERAL_NAME_new_reserve(NULL, num);
402 X509V3err(X509V3_F_V2I_GENERAL_NAMES, ERR_R_MALLOC_FAILURE);
403 sk_GENERAL_NAME_free(gens);
407 for (i = 0; i < num; i++) {
408 cnf = sk_CONF_VALUE_value(nval, i);
409 if ((gen = v2i_GENERAL_NAME(method, ctx, cnf)) == NULL)
411 sk_GENERAL_NAME_push(gens, gen); /* no failure as it was reserved */
415 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
419 GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method,
420 X509V3_CTX *ctx, CONF_VALUE *cnf)
422 return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0);
425 GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
426 const X509V3_EXT_METHOD *method,
427 X509V3_CTX *ctx, int gen_type, const char *value,
431 GENERAL_NAME *gen = NULL;
434 X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_MISSING_VALUE);
441 gen = GENERAL_NAME_new();
443 X509V3err(X509V3_F_A2I_GENERAL_NAME, ERR_R_MALLOC_FAILURE);
458 if ((obj = OBJ_txt2obj(value, 0)) == NULL) {
459 X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_BAD_OBJECT);
460 ERR_add_error_data(2, "value=", value);
469 gen->d.ip = a2i_IPADDRESS_NC(value);
471 gen->d.ip = a2i_IPADDRESS(value);
472 if (gen->d.ip == NULL) {
473 X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_BAD_IP_ADDRESS);
474 ERR_add_error_data(2, "value=", value);
480 if (!do_dirname(gen, value, ctx)) {
481 X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_DIRNAME_ERROR);
487 if (!do_othername(gen, value, ctx)) {
488 X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_OTHERNAME_ERROR);
493 X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_UNSUPPORTED_TYPE);
498 if ((gen->d.ia5 = ASN1_IA5STRING_new()) == NULL ||
499 !ASN1_STRING_set(gen->d.ia5, (unsigned char *)value,
501 X509V3err(X509V3_F_A2I_GENERAL_NAME, ERR_R_MALLOC_FAILURE);
506 gen->type = gen_type;
512 GENERAL_NAME_free(gen);
516 GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
517 const X509V3_EXT_METHOD *method,
518 X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc)
528 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX, X509V3_R_MISSING_VALUE);
532 if (!name_cmp(name, "email"))
534 else if (!name_cmp(name, "URI"))
536 else if (!name_cmp(name, "DNS"))
538 else if (!name_cmp(name, "RID"))
540 else if (!name_cmp(name, "IP"))
542 else if (!name_cmp(name, "dirName"))
544 else if (!name_cmp(name, "otherName"))
545 type = GEN_OTHERNAME;
547 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX, X509V3_R_UNSUPPORTED_OPTION);
548 ERR_add_error_data(2, "name=", name);
552 return a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
556 static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx)
558 char *objtmp = NULL, *p;
561 if ((p = strchr(value, ';')) == NULL)
563 if ((gen->d.otherName = OTHERNAME_new()) == NULL)
566 * Free this up because we will overwrite it. no need to free type_id
567 * because it is static
569 ASN1_TYPE_free(gen->d.otherName->value);
570 if ((gen->d.otherName->value = ASN1_generate_v3(p + 1, ctx)) == NULL)
573 objtmp = OPENSSL_strndup(value, objlen);
576 gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0);
577 OPENSSL_free(objtmp);
578 if (!gen->d.otherName->type_id)
583 static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx)
586 STACK_OF(CONF_VALUE) *sk = NULL;
589 if ((nm = X509_NAME_new()) == NULL)
591 sk = X509V3_get_section(ctx, value);
593 X509V3err(X509V3_F_DO_DIRNAME, X509V3_R_SECTION_NOT_FOUND);
594 ERR_add_error_data(2, "section=", value);
597 /* FIXME: should allow other character types... */
598 ret = X509V3_NAME_from_section(nm, sk, MBSTRING_ASC);
606 X509V3_section_free(ctx, sk);