From: Dr. David von Oheimb Date: Wed, 10 Nov 2021 08:39:55 +0000 (+0100) Subject: X509V3_set_ctx(): Clarify subject/req parameter for constructing SAN email addresses... X-Git-Tag: openssl-3.0.1~41 X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=ab3311576e3ab1a1e876061fcd885c9c09daddd8 X509V3_set_ctx(): Clarify subject/req parameter for constructing SAN email addresses from subject DN Also slightly improve the style of the respective code in crypto/x509/v3_san.c. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17145) (cherry picked from commit 317acac5cc0a2cb31bc4b91353c2b752a3989d8a) --- diff --git a/crypto/x509/v3_san.c b/crypto/x509/v3_san.c index 26708aefae..c081f02e19 100644 --- a/crypto/x509/v3_san.c +++ b/crypto/x509/v3_san.c @@ -393,11 +393,11 @@ static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method, for (i = 0; i < num; i++) { cnf = sk_CONF_VALUE_value(nval, i); - if (!ossl_v3_name_cmp(cnf->name, "email") + if (ossl_v3_name_cmp(cnf->name, "email") == 0 && cnf->value && strcmp(cnf->value, "copy") == 0) { if (!copy_email(ctx, gens, 0)) goto err; - } else if (!ossl_v3_name_cmp(cnf->name, "email") + } else if (ossl_v3_name_cmp(cnf->name, "email") == 0 && cnf->value && strcmp(cnf->value, "move") == 0) { if (!copy_email(ctx, gens, 1)) goto err; @@ -434,10 +434,9 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p) return 0; } /* Find the subject name */ - if (ctx->subject_cert) - nm = X509_get_subject_name(ctx->subject_cert); - else - nm = X509_REQ_get_subject_name(ctx->subject_req); + nm = ctx->subject_cert != NULL ? + X509_get_subject_name(ctx->subject_cert) : + X509_REQ_get_subject_name(ctx->subject_req); /* Now add any email address(es) to STACK */ while ((i = X509_NAME_get_index_by_NID(nm, diff --git a/doc/man3/X509V3_set_ctx.pod b/doc/man3/X509V3_set_ctx.pod index 820052ba98..8287802e41 100644 --- a/doc/man3/X509V3_set_ctx.pod +++ b/doc/man3/X509V3_set_ctx.pod 
@@ -22,6 +22,8 @@ Any of I, I, or I may be provided, pointing to a certificate, certification request, or certificate revocation list, respectively. When constructing the subject key identifier of a certificate by computing a hash value of its public key, the public key is taken from I or I. +Similarly, when constructing subject alternative names from any email addresses +contained in a subject DN, the subject DN is taken from I or I. If I or I is provided, I should point to its issuer, for instance to help generating an authority key identifier extension. Note that if I is provided, I may be the same as I, diff --git a/doc/man5/x509v3_config.pod b/doc/man5/x509v3_config.pod index 2a3afee27f..1830092394 100644 --- a/doc/man5/x509v3_config.pod +++ b/doc/man5/x509v3_config.pod @@ -228,9 +228,11 @@ B (a distinguished name), and B. The syntax of each is described in the following paragraphs. -The B option has a special C value, which will automatically -include any email addresses contained in the certificate subject name in -the extension. +The B option has two special values. +C will automatically include any email addresses +contained in the certificate subject name in the extension. +C will automatically move any email addresses +from the certificate subject name to the extension. The IP address used in the B option can be in either IPv4 or IPv6 format.
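Review bot: in the first v3_san.c hunk both branches still repeat `ossl_v3_name_cmp(cnf->name, "email") == 0 && cnf->value` and differ only in the `strcmp(cnf->value, "copy")` versus `strcmp(cnf->value, "move")` test; since the change is already touching both conditions for style, consider testing the name once and then dispatching on the value, which keeps the two special values adjacent and makes it harder for a later edit to update one branch but not the other. The NULL guard on `cnf->value` before each `strcmp` is correctly preserved.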
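Review bot: the ternary in the second v3_san.c hunk dereferences `ctx->subject_req` whenever `ctx->subject_cert` is NULL, so it relies on the `return 0` path just above the hunk having already rejected the case where both are NULL; that condition is outside the visible context, so a one-line comment at the new `nm = ...` stating that precondition (subject_cert takes precedence, subject_req must be set otherwise) would document why neither `X509_get_subject_name()` nor `X509_REQ_get_subject_name()` can receive NULL here. Behaviour is otherwise identical to the replaced if/else.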
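Review bot: the X509V3_set_ctx.pod hunk says the subject DN is taken from either the subject certificate or the request but not which wins when both are set; the code change in copy_email() consults `ctx->subject_cert` first and falls back to `ctx->subject_req` only when it is NULL, so stating that precedence in the new sentence (as the preceding sentence about the public key also leaves open) would make the documentation match the implementation.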
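Review bot: the x509v3_config.pod hunk documents the previously undocumented `move` value, but "move any email addresses from the certificate subject name to the extension" should make explicit that this mutates the subject name of the certificate or request being processed (the `move_p` flag passed as 1 to copy_email()), since a user reading only the `copy` description would not expect an extension setting to alter the subject DN; a short sentence noting that the addresses are removed from the subject would close that gap.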