X509V3_set_ctx(): Clarify subject/req parameter for constructing SAN email addresses...

Also slightly improve the style of the respective code in crypto/x509/v3_san.c.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17145)

diff --git a/crypto/x509/v3_san.c b/crypto/x509/v3_san.c
index 26708aefae06db80bbd596daf8471548e17da47a..c081f02e19e41896cd70fbb83c379507a4861499 100644 (file)
--- a/crypto/x509/v3_san.c
+++ b/crypto/x509/v3_san.c
@@ -393,11 +393,11 @@ static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
 
     for (i = 0; i < num; i++) {
         cnf = sk_CONF_VALUE_value(nval, i);
-        if (!ossl_v3_name_cmp(cnf->name, "email")
+        if (ossl_v3_name_cmp(cnf->name, "email") == 0
             && cnf->value && strcmp(cnf->value, "copy") == 0) {
             if (!copy_email(ctx, gens, 0))
                 goto err;
-        } else if (!ossl_v3_name_cmp(cnf->name, "email")
+        } else if (ossl_v3_name_cmp(cnf->name, "email") == 0
                    && cnf->value && strcmp(cnf->value, "move") == 0) {
             if (!copy_email(ctx, gens, 1))
                 goto err;
@@ -434,10 +434,9 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
         return 0;
     }
     /* Find the subject name */
-    if (ctx->subject_cert)
-        nm = X509_get_subject_name(ctx->subject_cert);
-    else
-        nm = X509_REQ_get_subject_name(ctx->subject_req);
+    nm = ctx->subject_cert != NULL ?
+        X509_get_subject_name(ctx->subject_cert) :
+        X509_REQ_get_subject_name(ctx->subject_req);
 
     /* Now add any email address(es) to STACK */
     while ((i = X509_NAME_get_index_by_NID(nm,

diff --git a/doc/man3/X509V3_set_ctx.pod b/doc/man3/X509V3_set_ctx.pod
index 820052ba984dd511784d961a488a606b71d17fee..8287802e41b2f7756fa1624e34a7a4fb8f03d67d 100644 (file)
--- a/doc/man3/X509V3_set_ctx.pod
+++ b/doc/man3/X509V3_set_ctx.pod
@@ -22,6 +22,8 @@ Any of I<subject>, I<req>, or I<crl> may be provided, pointing to a certificate,
 certification request, or certificate revocation list, respectively.
 When constructing the subject key identifier of a certificate by computing a
 hash value of its public key, the public key is taken from I<subject> or I<req>.
+Similarly, when constructing subject alternative names from any email addresses
+contained in a subject DN, the subject DN is taken from I<subject> or I<req>.
 If I<subject> or I<crl> is provided, I<issuer> should point to its issuer,
 for instance to help generating an authority key identifier extension.
 Note that if I<subject> is provided, I<issuer> may be the same as I<subject>,

diff --git a/doc/man5/x509v3_config.pod b/doc/man5/x509v3_config.pod
index 0114b45505dd488d4b8f14674155f7e9a2d7bf23..fb9e562d7fa762af08805169220beb82bcf71017 100644 (file)
--- a/doc/man5/x509v3_config.pod
+++ b/doc/man5/x509v3_config.pod
@@ -229,9 +229,11 @@ B<dirName> (a distinguished name),
 and B<otherName>.
 The syntax of each is described in the following paragraphs.
 
-The B<email> option has a special C<copy> value, which will automatically
-include any email addresses contained in the certificate subject name in
-the extension.
+The B<email> option has two special values.
+C<copy> will automatically include any email addresses
+contained in the certificate subject name in the extension.
+C<move> will automatically move any email addresses
+from the certificate subject name to the extension.
 
 The IP address used in the B<IP> option can be in either IPv4 or IPv6 format.