From: Dr. David von Oheimb Date: Wed, 10 Nov 2021 08:39:55 +0000 (+0100) Subject: X509V3_set_ctx(): Clarify subject/req parameter for constructing SAN email addresses... X-Git-Tag: openssl-3.2.0-alpha1~3249 X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=317acac5cc0a2cb31bc4b91353c2b752a3989d8a X509V3_set_ctx(): Clarify subject/req parameter for constructing SAN email addresses from subject DN Also slightly improve the style of the respective code in crypto/x509/v3_san.c. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17145) --- diff --git a/crypto/x509/v3_san.c b/crypto/x509/v3_san.c index 26708aefae..c081f02e19 100644 --- a/crypto/x509/v3_san.c +++ b/crypto/x509/v3_san.c @@ -393,11 +393,11 @@ static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method, for (i = 0; i < num; i++) { cnf = sk_CONF_VALUE_value(nval, i); - if (!ossl_v3_name_cmp(cnf->name, "email") + if (ossl_v3_name_cmp(cnf->name, "email") == 0 && cnf->value && strcmp(cnf->value, "copy") == 0) { if (!copy_email(ctx, gens, 0)) goto err; - } else if (!ossl_v3_name_cmp(cnf->name, "email") + } else if (ossl_v3_name_cmp(cnf->name, "email") == 0 && cnf->value && strcmp(cnf->value, "move") == 0) { if (!copy_email(ctx, gens, 1)) goto err; @@ -434,10 +434,9 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p) return 0; } /* Find the subject name */ - if (ctx->subject_cert) - nm = X509_get_subject_name(ctx->subject_cert); - else - nm = X509_REQ_get_subject_name(ctx->subject_req); + nm = ctx->subject_cert != NULL ? + X509_get_subject_name(ctx->subject_cert) : + X509_REQ_get_subject_name(ctx->subject_req); /* Now add any email address(es) to STACK */ while ((i = X509_NAME_get_index_by_NID(nm, diff --git a/doc/man3/X509V3_set_ctx.pod b/doc/man3/X509V3_set_ctx.pod index 820052ba98..8287802e41 100644 --- a/doc/man3/X509V3_set_ctx.pod +++ b/doc/man3/X509V3_set_ctx.pod 
@@ -22,6 +22,8 @@ Any of I, I, or I may be provided, pointing to a certificate, certification request, or certificate revocation list, respectively. When constructing the subject key identifier of a certificate by computing a hash value of its public key, the public key is taken from I or I. +Similarly, when constructing subject alternative names from any email addresses +contained in a subject DN, the subject DN is taken from I or I. If I or I is provided, I should point to its issuer, for instance to help generating an authority key identifier extension. Note that if I is provided, I may be the same as I, diff --git a/doc/man5/x509v3_config.pod b/doc/man5/x509v3_config.pod index 0114b45505..fb9e562d7f 100644 --- a/doc/man5/x509v3_config.pod +++ b/doc/man5/x509v3_config.pod @@ -229,9 +229,11 @@ B (a distinguished name), and B. The syntax of each is described in the following paragraphs. -The B option has a special C value, which will automatically -include any email addresses contained in the certificate subject name in -the extension. +The B option has two special values. +C will automatically include any email addresses +contained in the certificate subject name in the extension. +C will automatically move any email addresses +from the certificate subject name to the extension. The IP address used in the B option can be in either IPv4 or IPv6 format.
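Review bot: In the first v3_san.c hunk, `ossl_v3_name_cmp(cnf->name, "email") == 0` is now evaluated in both the `if` and the `else if` branch, so the name comparison runs twice for every non-matching entry. Since the change is already a style pass over these lines, consider hoisting it into a single local (for example `int is_email = ossl_v3_name_cmp(cnf->name, "email") == 0;`) and testing `is_email && cnf->value != NULL && strcmp(cnf->value, "copy") == 0`, which also makes the NULL test on `cnf->value` explicit in the same style as the new `== 0` comparisons.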
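Review bot: In the second v3_san.c hunk, the new ternary dereferences `ctx->subject_req` whenever `ctx->subject_cert` is NULL, so it relies on an earlier guarantee that at least one of the two is set. The only preceding context visible in the hunk is `return 0; }`, which suggests such a guard exists, but its condition is not part of the diff; please confirm that `copy_email()` cannot be reached with both `subject_cert` and `subject_req` NULL, otherwise `X509_REQ_get_subject_name(NULL)` is the failure mode. Independently of that, the comment `/* Find the subject name */` could state the precedence the code now encodes, e.g. `/* Take the subject name from the cert if given, else from the request */`, so readers do not have to infer it from the ternary.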
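Review bot: The added sentence in X509V3_set_ctx.pod says the subject DN "is taken from I or I" but does not say which wins when both are provided, while the v3_san.c change makes the certificate's subject take precedence over the request's. The manual page is the place a caller would look for this, so consider wording it as the existing sentence about the public key does, with the order made explicit: the subject DN is taken from the certificate if provided, otherwise from the request.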
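Review bot: The new x509v3_config.pod text for the second special value says it "will automatically move any email addresses from the certificate subject name to the extension", but does not mention that this is a side effect on the subject DN itself, i.e. the resulting certificate (or request) will no longer carry the email attribute in its subject. That is the behavioural difference from the first special value and deserves one more sentence. It may also be worth stating that these values are matched exactly: the v3_san.c hunk compares `cnf->value` with `strcmp()`, so a differently cased value would be treated as a literal address rather than as the special keyword.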