2 * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/conf.h>
13 #include <openssl/x509v3.h>
14 #include <openssl/bio.h>
17 static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
19 STACK_OF(CONF_VALUE) *nval);
20 static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
22 STACK_OF(CONF_VALUE) *nval);
23 static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p);
24 static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens);
25 static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
26 static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
28 const X509V3_EXT_METHOD v3_alt[3] = {
29 {NID_subject_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
32 (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
33 (X509V3_EXT_V2I)v2i_subject_alt,
36 {NID_issuer_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
39 (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
40 (X509V3_EXT_V2I)v2i_issuer_alt,
43 {NID_certificate_issuer, 0, ASN1_ITEM_ref(GENERAL_NAMES),
46 (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
47 NULL, NULL, NULL, NULL},
50 STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
52 STACK_OF(CONF_VALUE) *ret)
56 STACK_OF(CONF_VALUE) *tmpret = NULL, *origret = ret;
58 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
59 gen = sk_GENERAL_NAME_value(gens, i);
61 * i2v_GENERAL_NAME allocates ret if it is NULL. If something goes
62 * wrong we need to free the stack - but only if it was empty when we
63 * originally entered this function.
65 tmpret = i2v_GENERAL_NAME(method, gen, ret);
68 sk_CONF_VALUE_pop_free(ret, X509V3_conf_free);
74 return sk_CONF_VALUE_new_null();
78 STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
80 STACK_OF(CONF_VALUE) *ret)
83 char oline[256], *tmp;
87 switch (OBJ_obj2nid(gen->d.otherName->type_id)) {
88 case NID_id_on_SmtpUTF8Mailbox:
89 if (gen->d.otherName->value->type != V_ASN1_UTF8STRING
90 || !X509V3_add_value_uchar("othername: SmtpUTF8Mailbox:",
91 gen->d.otherName->value->value.utf8string->data,
96 if (gen->d.otherName->value->type != V_ASN1_UTF8STRING
97 || !X509V3_add_value_uchar("othername: XmppAddr:",
98 gen->d.otherName->value->value.utf8string->data,
103 if (gen->d.otherName->value->type != V_ASN1_IA5STRING
104 || !X509V3_add_value_uchar("othername: SRVName:",
105 gen->d.otherName->value->value.ia5string->data,
110 if (gen->d.otherName->value->type != V_ASN1_UTF8STRING
111 || !X509V3_add_value_uchar("othername: UPN:",
112 gen->d.otherName->value->value.utf8string->data,
117 if (gen->d.otherName->value->type != V_ASN1_UTF8STRING
118 || !X509V3_add_value_uchar("othername: NAIRealm:",
119 gen->d.otherName->value->value.utf8string->data,
124 if (OBJ_obj2txt(oline, sizeof(oline), gen->d.otherName->type_id, 0) > 0)
125 BIO_snprintf(othername, sizeof(othername), "othername: %s:",
128 OPENSSL_strlcpy(othername, "othername:", sizeof(othername));
130 /* check if the value is something printable */
131 if (gen->d.otherName->value->type == V_ASN1_IA5STRING) {
132 if (X509V3_add_value_uchar(othername,
133 gen->d.otherName->value->value.ia5string->data,
137 if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) {
138 if (X509V3_add_value_uchar(othername,
139 gen->d.otherName->value->value.utf8string->data,
143 if (!X509V3_add_value(othername, "<unsupported>", &ret))
150 if (!X509V3_add_value("X400Name", "<unsupported>", &ret))
155 if (!X509V3_add_value("EdiPartyName", "<unsupported>", &ret))
160 if (!X509V3_add_value_uchar("email", gen->d.ia5->data, &ret))
165 if (!X509V3_add_value_uchar("DNS", gen->d.ia5->data, &ret))
170 if (!X509V3_add_value_uchar("URI", gen->d.ia5->data, &ret))
175 if (X509_NAME_oneline(gen->d.dirn, oline, sizeof(oline)) == NULL
176 || !X509V3_add_value("DirName", oline, &ret))
181 tmp = ipaddr_to_asc(gen->d.ip->data, gen->d.ip->length);
182 if (tmp == NULL || !X509V3_add_value("IP Address", tmp, &ret))
188 i2t_ASN1_OBJECT(oline, 256, gen->d.rid);
189 if (!X509V3_add_value("Registered ID", oline, &ret))
196 int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
203 nid = OBJ_obj2nid(gen->d.otherName->type_id);
204 /* Validate the types are as we expect before we use them */
205 if ((nid == NID_SRVName
206 && gen->d.otherName->value->type != V_ASN1_IA5STRING)
207 || (nid != NID_SRVName
208 && gen->d.otherName->value->type != V_ASN1_UTF8STRING)) {
209 BIO_printf(out, "othername:<unsupported>");
214 case NID_id_on_SmtpUTF8Mailbox:
215 BIO_printf(out, "othername:SmtpUTF8Mailbox:%s",
216 gen->d.otherName->value->value.utf8string->data);
219 BIO_printf(out, "othername:XmppAddr:%s",
220 gen->d.otherName->value->value.utf8string->data);
223 BIO_printf(out, "othername:SRVName:%s",
224 gen->d.otherName->value->value.ia5string->data);
227 BIO_printf(out, "othername:UPN:%s",
228 gen->d.otherName->value->value.utf8string->data);
231 BIO_printf(out, "othername:NAIRealm:%s",
232 gen->d.otherName->value->value.utf8string->data);
235 BIO_printf(out, "othername:<unsupported>");
241 BIO_printf(out, "X400Name:<unsupported>");
245 /* Maybe fix this: it is supported now */
246 BIO_printf(out, "EdiPartyName:<unsupported>");
250 BIO_printf(out, "email:");
251 ASN1_STRING_print(out, gen->d.ia5);
255 BIO_printf(out, "DNS:");
256 ASN1_STRING_print(out, gen->d.ia5);
260 BIO_printf(out, "URI:");
261 ASN1_STRING_print(out, gen->d.ia5);
265 BIO_printf(out, "DirName:");
266 X509_NAME_print_ex(out, gen->d.dirn, 0, XN_FLAG_ONELINE);
270 tmp = ipaddr_to_asc(gen->d.ip->data, gen->d.ip->length);
273 BIO_printf(out, "IP Address:%s", tmp);
278 BIO_printf(out, "Registered ID:");
279 i2a_ASN1_OBJECT(out, gen->d.rid);
285 static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
287 STACK_OF(CONF_VALUE) *nval)
289 const int num = sk_CONF_VALUE_num(nval);
290 GENERAL_NAMES *gens = sk_GENERAL_NAME_new_reserve(NULL, num);
294 X509V3err(X509V3_F_V2I_ISSUER_ALT, ERR_R_MALLOC_FAILURE);
295 sk_GENERAL_NAME_free(gens);
298 for (i = 0; i < num; i++) {
299 CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i);
301 if (!v3_name_cmp(cnf->name, "issuer")
302 && cnf->value && strcmp(cnf->value, "copy") == 0) {
303 if (!copy_issuer(ctx, gens))
306 GENERAL_NAME *gen = v2i_GENERAL_NAME(method, ctx, cnf);
310 sk_GENERAL_NAME_push(gens, gen); /* no failure as it was reserved */
315 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
319 /* Append subject altname of issuer to issuer alt name of subject */
321 static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens)
328 if (ctx && (ctx->flags == CTX_TEST))
330 if (!ctx || !ctx->issuer_cert) {
331 X509V3err(X509V3_F_COPY_ISSUER, X509V3_R_NO_ISSUER_DETAILS);
334 i = X509_get_ext_by_NID(ctx->issuer_cert, NID_subject_alt_name, -1);
337 if ((ext = X509_get_ext(ctx->issuer_cert, i)) == NULL
338 || (ialt = X509V3_EXT_d2i(ext)) == NULL) {
339 X509V3err(X509V3_F_COPY_ISSUER, X509V3_R_ISSUER_DECODE_ERROR);
343 num = sk_GENERAL_NAME_num(ialt);
344 if (!sk_GENERAL_NAME_reserve(gens, num)) {
345 X509V3err(X509V3_F_COPY_ISSUER, ERR_R_MALLOC_FAILURE);
349 for (i = 0; i < num; i++) {
350 gen = sk_GENERAL_NAME_value(ialt, i);
351 sk_GENERAL_NAME_push(gens, gen); /* no failure as it was reserved */
353 sk_GENERAL_NAME_free(ialt);
362 static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
364 STACK_OF(CONF_VALUE) *nval)
368 const int num = sk_CONF_VALUE_num(nval);
371 gens = sk_GENERAL_NAME_new_reserve(NULL, num);
373 X509V3err(X509V3_F_V2I_SUBJECT_ALT, ERR_R_MALLOC_FAILURE);
374 sk_GENERAL_NAME_free(gens);
378 for (i = 0; i < num; i++) {
379 cnf = sk_CONF_VALUE_value(nval, i);
380 if (!v3_name_cmp(cnf->name, "email")
381 && cnf->value && strcmp(cnf->value, "copy") == 0) {
382 if (!copy_email(ctx, gens, 0))
384 } else if (!v3_name_cmp(cnf->name, "email")
385 && cnf->value && strcmp(cnf->value, "move") == 0) {
386 if (!copy_email(ctx, gens, 1))
390 if ((gen = v2i_GENERAL_NAME(method, ctx, cnf)) == NULL)
392 sk_GENERAL_NAME_push(gens, gen); /* no failure as it was reserved */
397 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
402 * Copy any email addresses in a certificate or request to GENERAL_NAMES
405 static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
408 ASN1_IA5STRING *email = NULL;
410 GENERAL_NAME *gen = NULL;
413 if (ctx != NULL && ctx->flags == CTX_TEST)
416 || (ctx->subject_cert == NULL && ctx->subject_req == NULL)) {
417 X509V3err(X509V3_F_COPY_EMAIL, X509V3_R_NO_SUBJECT_DETAILS);
420 /* Find the subject name */
421 if (ctx->subject_cert)
422 nm = X509_get_subject_name(ctx->subject_cert);
424 nm = X509_REQ_get_subject_name(ctx->subject_req);
426 /* Now add any email address(es) to STACK */
427 while ((i = X509_NAME_get_index_by_NID(nm,
428 NID_pkcs9_emailAddress, i)) >= 0) {
429 ne = X509_NAME_get_entry(nm, i);
430 email = ASN1_STRING_dup(X509_NAME_ENTRY_get_data(ne));
432 X509_NAME_delete_entry(nm, i);
433 X509_NAME_ENTRY_free(ne);
436 if (email == NULL || (gen = GENERAL_NAME_new()) == NULL) {
437 X509V3err(X509V3_F_COPY_EMAIL, ERR_R_MALLOC_FAILURE);
442 gen->type = GEN_EMAIL;
443 if (!sk_GENERAL_NAME_push(gens, gen)) {
444 X509V3err(X509V3_F_COPY_EMAIL, ERR_R_MALLOC_FAILURE);
453 GENERAL_NAME_free(gen);
454 ASN1_IA5STRING_free(email);
459 GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
460 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
465 const int num = sk_CONF_VALUE_num(nval);
468 gens = sk_GENERAL_NAME_new_reserve(NULL, num);
470 X509V3err(X509V3_F_V2I_GENERAL_NAMES, ERR_R_MALLOC_FAILURE);
471 sk_GENERAL_NAME_free(gens);
475 for (i = 0; i < num; i++) {
476 cnf = sk_CONF_VALUE_value(nval, i);
477 if ((gen = v2i_GENERAL_NAME(method, ctx, cnf)) == NULL)
479 sk_GENERAL_NAME_push(gens, gen); /* no failure as it was reserved */
483 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
487 GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method,
488 X509V3_CTX *ctx, CONF_VALUE *cnf)
490 return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0);
493 GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
494 const X509V3_EXT_METHOD *method,
495 X509V3_CTX *ctx, int gen_type, const char *value,
499 GENERAL_NAME *gen = NULL;
502 X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_MISSING_VALUE);
509 gen = GENERAL_NAME_new();
511 X509V3err(X509V3_F_A2I_GENERAL_NAME, ERR_R_MALLOC_FAILURE);
526 if ((obj = OBJ_txt2obj(value, 0)) == NULL) {
527 X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_BAD_OBJECT);
528 ERR_add_error_data(2, "value=", value);
537 gen->d.ip = a2i_IPADDRESS_NC(value);
539 gen->d.ip = a2i_IPADDRESS(value);
540 if (gen->d.ip == NULL) {
541 X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_BAD_IP_ADDRESS);
542 ERR_add_error_data(2, "value=", value);
548 if (!do_dirname(gen, value, ctx)) {
549 X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_DIRNAME_ERROR);
555 if (!do_othername(gen, value, ctx)) {
556 X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_OTHERNAME_ERROR);
561 X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_UNSUPPORTED_TYPE);
566 if ((gen->d.ia5 = ASN1_IA5STRING_new()) == NULL ||
567 !ASN1_STRING_set(gen->d.ia5, (unsigned char *)value,
569 X509V3err(X509V3_F_A2I_GENERAL_NAME, ERR_R_MALLOC_FAILURE);
574 gen->type = gen_type;
580 GENERAL_NAME_free(gen);
584 GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
585 const X509V3_EXT_METHOD *method,
586 X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc)
596 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX, X509V3_R_MISSING_VALUE);
600 if (!v3_name_cmp(name, "email"))
602 else if (!v3_name_cmp(name, "URI"))
604 else if (!v3_name_cmp(name, "DNS"))
606 else if (!v3_name_cmp(name, "RID"))
608 else if (!v3_name_cmp(name, "IP"))
610 else if (!v3_name_cmp(name, "dirName"))
612 else if (!v3_name_cmp(name, "otherName"))
613 type = GEN_OTHERNAME;
615 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX, X509V3_R_UNSUPPORTED_OPTION);
616 ERR_add_error_data(2, "name=", name);
620 return a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
624 static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx)
626 char *objtmp = NULL, *p;
629 if ((p = strchr(value, ';')) == NULL)
631 if ((gen->d.otherName = OTHERNAME_new()) == NULL)
634 * Free this up because we will overwrite it. no need to free type_id
635 * because it is static
637 ASN1_TYPE_free(gen->d.otherName->value);
638 if ((gen->d.otherName->value = ASN1_generate_v3(p + 1, ctx)) == NULL)
641 objtmp = OPENSSL_strndup(value, objlen);
644 gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0);
645 OPENSSL_free(objtmp);
646 if (!gen->d.otherName->type_id)
651 static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx)
654 STACK_OF(CONF_VALUE) *sk = NULL;
657 if ((nm = X509_NAME_new()) == NULL)
659 sk = X509V3_get_section(ctx, value);
661 X509V3err(X509V3_F_DO_DIRNAME, X509V3_R_SECTION_NOT_FOUND);
662 ERR_add_error_data(2, "section=", value);
665 /* FIXME: should allow other character types... */
666 ret = X509V3_NAME_from_section(nm, sk, MBSTRING_ASC);
674 X509V3_section_free(ctx, sk);