check_chain_extensions(): Add check that on empty Subject the SAN must be marked...
authorDr. David von Oheimb <David.von.Oheimb@siemens.com>
Tue, 25 Aug 2020 14:46:18 +0000 (16:46 +0200)
committerDr. David von Oheimb <David.von.Oheimb@siemens.com>
Fri, 11 Sep 2020 05:42:22 +0000 (07:42 +0200)
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)

crypto/x509/v3_purp.c
crypto/x509/x509_txt.c
crypto/x509/x509_vfy.c
include/openssl/x509_vfy.h
include/openssl/x509v3.h

index bced482df4f915b5086e721617d5b569529918a6..2d4098b6292af90bde5fe50ebc7f9889513c95a2 100644 (file)
@@ -608,6 +608,9 @@ int x509v3_cache_extensions(X509 *x)
         case NID_subject_key_identifier:
             x->ex_flags |= EXFLAG_SKID_CRITICAL;
             break;
+        case NID_subject_alt_name:
+            x->ex_flags |= EXFLAG_SAN_CRITICAL;
+            break;
         default:
             break;
         }
index d4bf31685e16055e86183c824aef20434f4cded0..85782a2f86588a6af13d8a12db1ad23aed297536 100644 (file)
@@ -200,6 +200,8 @@ const char *X509_verify_cert_error_string(long n)
         return "Empty Subject Alternative Name extension";
     case X509_V_ERR_CA_BCONS_NOT_CRITICAL:
         return "Basic Constraints of CA cert not marked critical";
+    case X509_V_ERR_EMPTY_SUBJECT_SAN_NOT_CRITICAL:
+        return "Subject empty and Subject Alt Name extension not critical";
     case X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL:
         return "Authority Key Identifier marked critical";
     case X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL:
index 48c0a2d58d0a8215915863584b9c5f63a7e503f7..966733dbb70117d7a6e8180a5b05b4f377baa422 100644 (file)
@@ -549,12 +549,10 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                  || x->altname == NULL
                  ) && X509_NAME_entry_count(X509_get_subject_name(x)) == 0)
                 ctx->error = X509_V_ERR_SUBJECT_NAME_EMPTY;
-                /*
-                 * TODO check: If subject naming information is present only in
-                 * the subjectAltName extension,
-                 * then the subject name MUST be an empty sequence
-                 * and the subjectAltName extension MUST be critical.
-                 */
+            if (X509_NAME_entry_count(X509_get_subject_name(x)) == 0
+                    && x->altname != NULL
+                    && (x->ex_flags & EXFLAG_SAN_CRITICAL) == 0)
+                ctx->error = X509_V_ERR_EMPTY_SUBJECT_SAN_NOT_CRITICAL;
             /* Check SAN is non-empty according to RFC 5280 section 4.2.1.6 */
             if (x->altname != NULL && sk_GENERAL_NAME_num(x->altname) <= 0)
                 ctx->error = X509_V_ERR_EMPTY_SUBJECT_ALT_NAME;
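Review bot: The added condition recomputes `X509_NAME_entry_count(X509_get_subject_name(x)) == 0`, which the preceding check (the line ending `== 0)` just above) already evaluated; hoisting it into a local such as `int subject_empty = X509_NAME_entry_count(X509_get_subject_name(x)) == 0;` before both tests avoids the duplicate call and makes the two related rules read as one. The removed TODO was the only place that named the requirement being enforced, and the retained SAN-non-empty check below cites its RFC section, so the new check deserves the same, e.g. `/* RFC 5280 section 4.1.2.6: if the subject is empty, the SAN extension MUST be critical */`. Each of these checks simply assigns ctx->error, so a certificate violating more than one reports only the last failure; that is pre-existing behaviour, but the new assignment now sits between two others and the ordering decides which error a caller sees. check_chain_extensions() starts and ends outside this hunk.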
index c568b0541c9c9adfc5a47d41ab31409cb66dee0a..53dff234ce1460bcc1c9b9b2d8e73e1bb0a59b36 100644 (file)
@@ -228,9 +228,10 @@ X509_LOOKUP_ctrl_with_libctx((x), X509_L_ADD_STORE, (name), 0, NULL,           \
 # define X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER     85
 # define X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER       86
 # define X509_V_ERR_EMPTY_SUBJECT_ALT_NAME               87
-# define X509_V_ERR_CA_BCONS_NOT_CRITICAL                88
-# define X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL    89
-# define X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL      90
+# define X509_V_ERR_EMPTY_SUBJECT_SAN_NOT_CRITICAL       88
+# define X509_V_ERR_CA_BCONS_NOT_CRITICAL                89
+# define X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL    90
+# define X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL      91
 
 /* Certificate verify flags */
 # ifndef OPENSSL_NO_DEPRECATED_1_1_0
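Review bot: Inserting X509_V_ERR_EMPTY_SUBJECT_SAN_NOT_CRITICAL as 88 shifts the numeric values of the three following codes (CA_BCONS_NOT_CRITICAL, AUTHORITY_KEY_IDENTIFIER_CRITICAL, SUBJECT_KEY_IDENTIFIER_CRITICAL) by one. These are public macros, so any code or logs that compare or record the numeric value rather than the symbolic name silently changes meaning; if any of the renumbered codes has already shipped in a release, appending the new code as 91 instead would keep the existing values stable. I cannot tell from this page whether those codes are released or still development-only, so this is worth confirming against the branch history before merging.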
index 93f9347ac8b3356dfe3a9e4c83740fde9670ec36..a3ef7ced3a156273ceca7bd3d59571c711ff0933 100644 (file)
@@ -379,6 +379,7 @@ struct ISSUING_DIST_POINT_st {
 # define EXFLAG_BCONS_CRITICAL   0x10000
 # define EXFLAG_AKID_CRITICAL    0x20000
 # define EXFLAG_SKID_CRITICAL    0x40000
+# define EXFLAG_SAN_CRITICAL     0x80000
 
 # define KU_DIGITAL_SIGNATURE    0x0080
 # define KU_NON_REPUDIATION      0x0040