2 * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/conf.h>
13 #include <openssl/x509v3.h>
16 DEFINE_STACK_OF(CONF_VALUE)
17 DEFINE_STACK_OF(GENERAL_NAME)
19 static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
21 STACK_OF(CONF_VALUE) *nval);
22 static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
24 STACK_OF(CONF_VALUE) *nval);
25 static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p);
26 static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens);
27 static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
28 static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
30 const X509V3_EXT_METHOD v3_alt[3] = {
31 {NID_subject_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
34 (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
35 (X509V3_EXT_V2I)v2i_subject_alt,
38 {NID_issuer_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
41 (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
42 (X509V3_EXT_V2I)v2i_issuer_alt,
45 {NID_certificate_issuer, 0, ASN1_ITEM_ref(GENERAL_NAMES),
48 (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
49 NULL, NULL, NULL, NULL},
52 STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
54 STACK_OF(CONF_VALUE) *ret)
58 STACK_OF(CONF_VALUE) *tmpret = NULL, *origret = ret;
60 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
61 gen = sk_GENERAL_NAME_value(gens, i);
63 * i2v_GENERAL_NAME allocates ret if it is NULL. If something goes
64 * wrong we need to free the stack - but only if it was empty when we
65 * originally entered this function.
67 tmpret = i2v_GENERAL_NAME(method, gen, ret);
70 sk_CONF_VALUE_pop_free(ret, X509V3_conf_free);
76 return sk_CONF_VALUE_new_null();
80 STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
82 STACK_OF(CONF_VALUE) *ret)
86 char oline[256], htmp[5];
91 switch (OBJ_obj2nid(gen->d.otherName->type_id)) {
92 case NID_id_on_SmtpUTF8Mailbox:
93 if (gen->d.otherName->value->type != V_ASN1_UTF8STRING
94 || !X509V3_add_value_uchar("othername: SmtpUTF8Mailbox:",
95 gen->d.otherName->value->value.utf8string->data,
100 if (gen->d.otherName->value->type != V_ASN1_UTF8STRING
101 || !X509V3_add_value_uchar("othername: XmppAddr:",
102 gen->d.otherName->value->value.utf8string->data,
107 if (gen->d.otherName->value->type != V_ASN1_IA5STRING
108 || !X509V3_add_value_uchar("othername: SRVName:",
109 gen->d.otherName->value->value.ia5string->data,
114 if (gen->d.otherName->value->type != V_ASN1_UTF8STRING
115 || !X509V3_add_value_uchar("othername: UPN:",
116 gen->d.otherName->value->value.utf8string->data,
121 if (gen->d.otherName->value->type != V_ASN1_UTF8STRING
122 || !X509V3_add_value_uchar("othername: NAIRealm:",
123 gen->d.otherName->value->value.utf8string->data,
128 if (OBJ_obj2txt(oline, sizeof(oline), gen->d.otherName->type_id, 0) > 0)
129 snprintf(othername, sizeof(othername), "othername: %s:", oline);
131 strncpy(othername, "othername:", sizeof(othername));
133 /* check if the value is something printable */
134 if (gen->d.otherName->value->type == V_ASN1_IA5STRING) {
135 if (X509V3_add_value_uchar(othername,
136 gen->d.otherName->value->value.ia5string->data,
140 if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) {
141 if (X509V3_add_value_uchar(othername,
142 gen->d.otherName->value->value.utf8string->data,
146 if (!X509V3_add_value(othername, "<unsupported>", &ret))
153 if (!X509V3_add_value("X400Name", "<unsupported>", &ret))
158 if (!X509V3_add_value("EdiPartyName", "<unsupported>", &ret))
163 if (!X509V3_add_value_uchar("email", gen->d.ia5->data, &ret))
168 if (!X509V3_add_value_uchar("DNS", gen->d.ia5->data, &ret))
173 if (!X509V3_add_value_uchar("URI", gen->d.ia5->data, &ret))
178 if (X509_NAME_oneline(gen->d.dirn, oline, sizeof(oline)) == NULL
179 || !X509V3_add_value("DirName", oline, &ret))
185 if (gen->d.ip->length == 4)
186 BIO_snprintf(oline, sizeof(oline), "%d.%d.%d.%d",
187 p[0], p[1], p[2], p[3]);
188 else if (gen->d.ip->length == 16) {
190 for (i = 0; i < 8; i++) {
191 BIO_snprintf(htmp, sizeof(htmp), "%X", p[0] << 8 | p[1]);
198 if (!X509V3_add_value("IP Address", "<invalid>", &ret))
202 if (!X509V3_add_value("IP Address", oline, &ret))
207 i2t_ASN1_OBJECT(oline, 256, gen->d.rid);
208 if (!X509V3_add_value("Registered ID", oline, &ret))
215 int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
222 nid = OBJ_obj2nid(gen->d.otherName->type_id);
223 /* Validate the types are as we expect before we use them */
224 if ((nid == NID_SRVName
225 && gen->d.otherName->value->type != V_ASN1_IA5STRING)
226 || (nid != NID_SRVName
227 && gen->d.otherName->value->type != V_ASN1_UTF8STRING)) {
228 BIO_printf(out, "othername:<unsupported>");
233 case NID_id_on_SmtpUTF8Mailbox:
234 BIO_printf(out, "othername:SmtpUTF8Mailbox:%s",
235 gen->d.otherName->value->value.utf8string->data);
238 BIO_printf(out, "othername:XmppAddr:%s",
239 gen->d.otherName->value->value.utf8string->data);
242 BIO_printf(out, "othername:SRVName:%s",
243 gen->d.otherName->value->value.ia5string->data);
246 BIO_printf(out, "othername:UPN:%s",
247 gen->d.otherName->value->value.utf8string->data);
250 BIO_printf(out, "othername:NAIRealm:%s",
251 gen->d.otherName->value->value.utf8string->data);
254 BIO_printf(out, "othername:<unsupported>");
260 BIO_printf(out, "X400Name:<unsupported>");
264 /* Maybe fix this: it is supported now */
265 BIO_printf(out, "EdiPartyName:<unsupported>");
269 BIO_printf(out, "email:");
270 ASN1_STRING_print(out, gen->d.ia5);
274 BIO_printf(out, "DNS:");
275 ASN1_STRING_print(out, gen->d.ia5);
279 BIO_printf(out, "URI:");
280 ASN1_STRING_print(out, gen->d.ia5);
284 BIO_printf(out, "DirName:");
285 X509_NAME_print_ex(out, gen->d.dirn, 0, XN_FLAG_ONELINE);
290 if (gen->d.ip->length == 4)
291 BIO_printf(out, "IP Address:%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
292 else if (gen->d.ip->length == 16) {
293 BIO_printf(out, "IP Address");
294 for (i = 0; i < 8; i++) {
295 BIO_printf(out, ":%X", p[0] << 8 | p[1]);
299 BIO_printf(out, "IP Address:<invalid>");
305 BIO_printf(out, "Registered ID:");
306 i2a_ASN1_OBJECT(out, gen->d.rid);
312 static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
314 STACK_OF(CONF_VALUE) *nval)
316 const int num = sk_CONF_VALUE_num(nval);
317 GENERAL_NAMES *gens = sk_GENERAL_NAME_new_reserve(NULL, num);
321 X509V3err(X509V3_F_V2I_ISSUER_ALT, ERR_R_MALLOC_FAILURE);
322 sk_GENERAL_NAME_free(gens);
325 for (i = 0; i < num; i++) {
326 CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i);
328 if (!v3_name_cmp(cnf->name, "issuer")
329 && cnf->value && strcmp(cnf->value, "copy") == 0) {
330 if (!copy_issuer(ctx, gens))
333 GENERAL_NAME *gen = v2i_GENERAL_NAME(method, ctx, cnf);
337 sk_GENERAL_NAME_push(gens, gen); /* no failure as it was reserved */
342 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
346 /* Append subject altname of issuer to issuer alt name of subject */
348 static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens)
355 if (ctx && (ctx->flags == CTX_TEST))
357 if (!ctx || !ctx->issuer_cert) {
358 X509V3err(X509V3_F_COPY_ISSUER, X509V3_R_NO_ISSUER_DETAILS);
361 i = X509_get_ext_by_NID(ctx->issuer_cert, NID_subject_alt_name, -1);
364 if ((ext = X509_get_ext(ctx->issuer_cert, i)) == NULL
365 || (ialt = X509V3_EXT_d2i(ext)) == NULL) {
366 X509V3err(X509V3_F_COPY_ISSUER, X509V3_R_ISSUER_DECODE_ERROR);
370 num = sk_GENERAL_NAME_num(ialt);
371 if (!sk_GENERAL_NAME_reserve(gens, num)) {
372 X509V3err(X509V3_F_COPY_ISSUER, ERR_R_MALLOC_FAILURE);
376 for (i = 0; i < num; i++) {
377 gen = sk_GENERAL_NAME_value(ialt, i);
378 sk_GENERAL_NAME_push(gens, gen); /* no failure as it was reserved */
380 sk_GENERAL_NAME_free(ialt);
389 static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
391 STACK_OF(CONF_VALUE) *nval)
395 const int num = sk_CONF_VALUE_num(nval);
398 gens = sk_GENERAL_NAME_new_reserve(NULL, num);
400 X509V3err(X509V3_F_V2I_SUBJECT_ALT, ERR_R_MALLOC_FAILURE);
401 sk_GENERAL_NAME_free(gens);
405 for (i = 0; i < num; i++) {
406 cnf = sk_CONF_VALUE_value(nval, i);
407 if (!v3_name_cmp(cnf->name, "email")
408 && cnf->value && strcmp(cnf->value, "copy") == 0) {
409 if (!copy_email(ctx, gens, 0))
411 } else if (!v3_name_cmp(cnf->name, "email")
412 && cnf->value && strcmp(cnf->value, "move") == 0) {
413 if (!copy_email(ctx, gens, 1))
417 if ((gen = v2i_GENERAL_NAME(method, ctx, cnf)) == NULL)
419 sk_GENERAL_NAME_push(gens, gen); /* no failure as it was reserved */
424 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
429 * Copy any email addresses in a certificate or request to GENERAL_NAMES
432 static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
435 ASN1_IA5STRING *email = NULL;
437 GENERAL_NAME *gen = NULL;
440 if (ctx != NULL && ctx->flags == CTX_TEST)
443 || (ctx->subject_cert == NULL && ctx->subject_req == NULL)) {
444 X509V3err(X509V3_F_COPY_EMAIL, X509V3_R_NO_SUBJECT_DETAILS);
447 /* Find the subject name */
448 if (ctx->subject_cert)
449 nm = X509_get_subject_name(ctx->subject_cert);
451 nm = X509_REQ_get_subject_name(ctx->subject_req);
453 /* Now add any email address(es) to STACK */
454 while ((i = X509_NAME_get_index_by_NID(nm,
455 NID_pkcs9_emailAddress, i)) >= 0) {
456 ne = X509_NAME_get_entry(nm, i);
457 email = ASN1_STRING_dup(X509_NAME_ENTRY_get_data(ne));
459 X509_NAME_delete_entry(nm, i);
460 X509_NAME_ENTRY_free(ne);
463 if (email == NULL || (gen = GENERAL_NAME_new()) == NULL) {
464 X509V3err(X509V3_F_COPY_EMAIL, ERR_R_MALLOC_FAILURE);
469 gen->type = GEN_EMAIL;
470 if (!sk_GENERAL_NAME_push(gens, gen)) {
471 X509V3err(X509V3_F_COPY_EMAIL, ERR_R_MALLOC_FAILURE);
480 GENERAL_NAME_free(gen);
481 ASN1_IA5STRING_free(email);
486 GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
487 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
492 const int num = sk_CONF_VALUE_num(nval);
495 gens = sk_GENERAL_NAME_new_reserve(NULL, num);
497 X509V3err(X509V3_F_V2I_GENERAL_NAMES, ERR_R_MALLOC_FAILURE);
498 sk_GENERAL_NAME_free(gens);
502 for (i = 0; i < num; i++) {
503 cnf = sk_CONF_VALUE_value(nval, i);
504 if ((gen = v2i_GENERAL_NAME(method, ctx, cnf)) == NULL)
506 sk_GENERAL_NAME_push(gens, gen); /* no failure as it was reserved */
510 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
514 GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method,
515 X509V3_CTX *ctx, CONF_VALUE *cnf)
517 return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0);
520 GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
521 const X509V3_EXT_METHOD *method,
522 X509V3_CTX *ctx, int gen_type, const char *value,
526 GENERAL_NAME *gen = NULL;
529 X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_MISSING_VALUE);
536 gen = GENERAL_NAME_new();
538 X509V3err(X509V3_F_A2I_GENERAL_NAME, ERR_R_MALLOC_FAILURE);
553 if ((obj = OBJ_txt2obj(value, 0)) == NULL) {
554 X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_BAD_OBJECT);
555 ERR_add_error_data(2, "value=", value);
564 gen->d.ip = a2i_IPADDRESS_NC(value);
566 gen->d.ip = a2i_IPADDRESS(value);
567 if (gen->d.ip == NULL) {
568 X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_BAD_IP_ADDRESS);
569 ERR_add_error_data(2, "value=", value);
575 if (!do_dirname(gen, value, ctx)) {
576 X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_DIRNAME_ERROR);
582 if (!do_othername(gen, value, ctx)) {
583 X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_OTHERNAME_ERROR);
588 X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_UNSUPPORTED_TYPE);
593 if ((gen->d.ia5 = ASN1_IA5STRING_new()) == NULL ||
594 !ASN1_STRING_set(gen->d.ia5, (unsigned char *)value,
596 X509V3err(X509V3_F_A2I_GENERAL_NAME, ERR_R_MALLOC_FAILURE);
601 gen->type = gen_type;
607 GENERAL_NAME_free(gen);
611 GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
612 const X509V3_EXT_METHOD *method,
613 X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc)
623 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX, X509V3_R_MISSING_VALUE);
627 if (!v3_name_cmp(name, "email"))
629 else if (!v3_name_cmp(name, "URI"))
631 else if (!v3_name_cmp(name, "DNS"))
633 else if (!v3_name_cmp(name, "RID"))
635 else if (!v3_name_cmp(name, "IP"))
637 else if (!v3_name_cmp(name, "dirName"))
639 else if (!v3_name_cmp(name, "otherName"))
640 type = GEN_OTHERNAME;
642 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX, X509V3_R_UNSUPPORTED_OPTION);
643 ERR_add_error_data(2, "name=", name);
647 return a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
651 static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx)
653 char *objtmp = NULL, *p;
656 if ((p = strchr(value, ';')) == NULL)
658 if ((gen->d.otherName = OTHERNAME_new()) == NULL)
661 * Free this up because we will overwrite it. no need to free type_id
662 * because it is static
664 ASN1_TYPE_free(gen->d.otherName->value);
665 if ((gen->d.otherName->value = ASN1_generate_v3(p + 1, ctx)) == NULL)
668 objtmp = OPENSSL_strndup(value, objlen);
671 gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0);
672 OPENSSL_free(objtmp);
673 if (!gen->d.otherName->type_id)
678 static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx)
681 STACK_OF(CONF_VALUE) *sk = NULL;
684 if ((nm = X509_NAME_new()) == NULL)
686 sk = X509V3_get_section(ctx, value);
688 X509V3err(X509V3_F_DO_DIRNAME, X509V3_R_SECTION_NOT_FOUND);
689 ERR_add_error_data(2, "section=", value);
692 /* FIXME: should allow other character types... */
693 ret = X509V3_NAME_from_section(nm, sk, MBSTRING_ASC);
701 X509V3_section_free(ctx, sk);