case NID_subject_key_identifier:
x->ex_flags |= EXFLAG_SKID_CRITICAL;
break;
+ case NID_subject_alt_name:
+ x->ex_flags |= EXFLAG_SAN_CRITICAL;
+ break;
default:
break;
}
return "Empty Subject Alternative Name extension";
case X509_V_ERR_CA_BCONS_NOT_CRITICAL:
return "Basic Constraints of CA cert not marked critical";
+ case X509_V_ERR_EMPTY_SUBJECT_SAN_NOT_CRITICAL:
+ return "Subject empty and Subject Alt Name extension not critical";
case X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL:
return "Authority Key Identifier marked critical";
case X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL:
|| x->altname == NULL
) && X509_NAME_entry_count(X509_get_subject_name(x)) == 0)
ctx->error = X509_V_ERR_SUBJECT_NAME_EMPTY;
- /*
- * TODO check: If subject naming information is present only in
- * the subjectAltName extension,
- * then the subject name MUST be an empty sequence
- * and the subjectAltName extension MUST be critical.
- */
+ if (X509_NAME_entry_count(X509_get_subject_name(x)) == 0
+ && x->altname != NULL
+ && (x->ex_flags & EXFLAG_SAN_CRITICAL) == 0)
+ ctx->error = X509_V_ERR_EMPTY_SUBJECT_SAN_NOT_CRITICAL;
/* Check SAN is non-empty according to RFC 5280 section 4.2.1.6 */
if (x->altname != NULL && sk_GENERAL_NAME_num(x->altname) <= 0)
ctx->error = X509_V_ERR_EMPTY_SUBJECT_ALT_NAME;
# define X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER 85
# define X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER 86
# define X509_V_ERR_EMPTY_SUBJECT_ALT_NAME 87
-# define X509_V_ERR_CA_BCONS_NOT_CRITICAL 88
-# define X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL 89
-# define X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL 90
+# define X509_V_ERR_EMPTY_SUBJECT_SAN_NOT_CRITICAL 88
+# define X509_V_ERR_CA_BCONS_NOT_CRITICAL 89
+# define X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL 90
+# define X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL 91
/* Certificate verify flags */
# ifndef OPENSSL_NO_DEPRECATED_1_1_0
# define EXFLAG_BCONS_CRITICAL 0x10000
# define EXFLAG_AKID_CRITICAL 0x20000
# define EXFLAG_SKID_CRITICAL 0x40000
+# define EXFLAG_SAN_CRITICAL 0x80000
# define KU_DIGITAL_SIGNATURE 0x0080
# define KU_NON_REPUDIATION 0x0040