2 * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include "crypto/x509.h"
13 #include <openssl/conf.h>
14 #include <openssl/x509v3.h>
17 static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
19 STACK_OF(CONF_VALUE) *nval);
20 static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
22 STACK_OF(CONF_VALUE) *nval);
23 static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p);
24 static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens);
25 static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
26 static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
28 const X509V3_EXT_METHOD v3_alt[3] = {
29 {NID_subject_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
32 (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
33 (X509V3_EXT_V2I)v2i_subject_alt,
36 {NID_issuer_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
39 (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
40 (X509V3_EXT_V2I)v2i_issuer_alt,
43 {NID_certificate_issuer, 0, ASN1_ITEM_ref(GENERAL_NAMES),
46 (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
47 NULL, NULL, NULL, NULL},
50 STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
52 STACK_OF(CONF_VALUE) *ret)
56 STACK_OF(CONF_VALUE) *tmpret = NULL, *origret = ret;
58 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
59 gen = sk_GENERAL_NAME_value(gens, i);
61 * i2v_GENERAL_NAME allocates ret if it is NULL. If something goes
62 * wrong we need to free the stack - but only if it was empty when we
63 * originally entered this function.
65 tmpret = i2v_GENERAL_NAME(method, gen, ret);
68 sk_CONF_VALUE_pop_free(ret, X509V3_conf_free);
74 return sk_CONF_VALUE_new_null();
78 STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
80 STACK_OF(CONF_VALUE) *ret)
83 char oline[256], htmp[5];
88 if (!X509V3_add_value("othername", "<unsupported>", &ret))
93 if (!X509V3_add_value("X400Name", "<unsupported>", &ret))
98 if (!X509V3_add_value("EdiPartyName", "<unsupported>", &ret))
103 if (!x509v3_add_len_value_uchar("email", gen->d.ia5->data,
104 gen->d.ia5->length, &ret))
109 if (!x509v3_add_len_value_uchar("DNS", gen->d.ia5->data,
110 gen->d.ia5->length, &ret))
115 if (!x509v3_add_len_value_uchar("URI", gen->d.ia5->data,
116 gen->d.ia5->length, &ret))
121 if (X509_NAME_oneline(gen->d.dirn, oline, sizeof(oline)) == NULL
122 || !X509V3_add_value("DirName", oline, &ret))
128 if (gen->d.ip->length == 4)
129 BIO_snprintf(oline, sizeof(oline), "%d.%d.%d.%d",
130 p[0], p[1], p[2], p[3]);
131 else if (gen->d.ip->length == 16) {
133 for (i = 0; i < 8; i++) {
134 BIO_snprintf(htmp, sizeof(htmp), "%X", p[0] << 8 | p[1]);
141 if (!X509V3_add_value("IP Address", "<invalid>", &ret))
145 if (!X509V3_add_value("IP Address", oline, &ret))
150 i2t_ASN1_OBJECT(oline, 256, gen->d.rid);
151 if (!X509V3_add_value("Registered ID", oline, &ret))
158 int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
164 BIO_printf(out, "othername:<unsupported>");
168 BIO_printf(out, "X400Name:<unsupported>");
172 /* Maybe fix this: it is supported now */
173 BIO_printf(out, "EdiPartyName:<unsupported>");
177 BIO_printf(out, "email:");
178 ASN1_STRING_print(out, gen->d.ia5);
182 BIO_printf(out, "DNS:");
183 ASN1_STRING_print(out, gen->d.ia5);
187 BIO_printf(out, "URI:");
188 ASN1_STRING_print(out, gen->d.ia5);
192 BIO_printf(out, "DirName:");
193 X509_NAME_print_ex(out, gen->d.dirn, 0, XN_FLAG_ONELINE);
198 if (gen->d.ip->length == 4)
199 BIO_printf(out, "IP Address:%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
200 else if (gen->d.ip->length == 16) {
201 BIO_printf(out, "IP Address");
202 for (i = 0; i < 8; i++) {
203 BIO_printf(out, ":%X", p[0] << 8 | p[1]);
208 BIO_printf(out, "IP Address:<invalid>");
214 BIO_printf(out, "Registered ID:");
215 i2a_ASN1_OBJECT(out, gen->d.rid);
221 static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
223 STACK_OF(CONF_VALUE) *nval)
225 const int num = sk_CONF_VALUE_num(nval);
226 GENERAL_NAMES *gens = sk_GENERAL_NAME_new_reserve(NULL, num);
230 X509V3err(X509V3_F_V2I_ISSUER_ALT, ERR_R_MALLOC_FAILURE);
231 sk_GENERAL_NAME_free(gens);
234 for (i = 0; i < num; i++) {
235 CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i);
237 if (!name_cmp(cnf->name, "issuer")
238 && cnf->value && strcmp(cnf->value, "copy") == 0) {
239 if (!copy_issuer(ctx, gens))
242 GENERAL_NAME *gen = v2i_GENERAL_NAME(method, ctx, cnf);
246 sk_GENERAL_NAME_push(gens, gen); /* no failure as it was reserved */
251 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
255 /* Append subject altname of issuer to issuer alt name of subject */
257 static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens)
264 if (ctx && (ctx->flags == CTX_TEST))
266 if (!ctx || !ctx->issuer_cert) {
267 X509V3err(X509V3_F_COPY_ISSUER, X509V3_R_NO_ISSUER_DETAILS);
270 i = X509_get_ext_by_NID(ctx->issuer_cert, NID_subject_alt_name, -1);
273 if ((ext = X509_get_ext(ctx->issuer_cert, i)) == NULL
274 || (ialt = X509V3_EXT_d2i(ext)) == NULL) {
275 X509V3err(X509V3_F_COPY_ISSUER, X509V3_R_ISSUER_DECODE_ERROR);
279 num = sk_GENERAL_NAME_num(ialt);
280 if (!sk_GENERAL_NAME_reserve(gens, num)) {
281 X509V3err(X509V3_F_COPY_ISSUER, ERR_R_MALLOC_FAILURE);
282 sk_GENERAL_NAME_free(ialt);
286 for (i = 0; i < num; i++) {
287 gen = sk_GENERAL_NAME_value(ialt, i);
288 sk_GENERAL_NAME_push(gens, gen); /* no failure as it was reserved */
290 sk_GENERAL_NAME_free(ialt);
299 static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
301 STACK_OF(CONF_VALUE) *nval)
305 const int num = sk_CONF_VALUE_num(nval);
308 gens = sk_GENERAL_NAME_new_reserve(NULL, num);
310 X509V3err(X509V3_F_V2I_SUBJECT_ALT, ERR_R_MALLOC_FAILURE);
311 sk_GENERAL_NAME_free(gens);
315 for (i = 0; i < num; i++) {
316 cnf = sk_CONF_VALUE_value(nval, i);
317 if (!name_cmp(cnf->name, "email")
318 && cnf->value && strcmp(cnf->value, "copy") == 0) {
319 if (!copy_email(ctx, gens, 0))
321 } else if (!name_cmp(cnf->name, "email")
322 && cnf->value && strcmp(cnf->value, "move") == 0) {
323 if (!copy_email(ctx, gens, 1))
327 if ((gen = v2i_GENERAL_NAME(method, ctx, cnf)) == NULL)
329 sk_GENERAL_NAME_push(gens, gen); /* no failure as it was reserved */
334 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
339 * Copy any email addresses in a certificate or request to GENERAL_NAMES
342 static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
345 ASN1_IA5STRING *email = NULL;
347 GENERAL_NAME *gen = NULL;
350 if (ctx != NULL && ctx->flags == CTX_TEST)
353 || (ctx->subject_cert == NULL && ctx->subject_req == NULL)) {
354 X509V3err(X509V3_F_COPY_EMAIL, X509V3_R_NO_SUBJECT_DETAILS);
357 /* Find the subject name */
358 if (ctx->subject_cert)
359 nm = X509_get_subject_name(ctx->subject_cert);
361 nm = X509_REQ_get_subject_name(ctx->subject_req);
363 /* Now add any email address(es) to STACK */
364 while ((i = X509_NAME_get_index_by_NID(nm,
365 NID_pkcs9_emailAddress, i)) >= 0) {
366 ne = X509_NAME_get_entry(nm, i);
367 email = ASN1_STRING_dup(X509_NAME_ENTRY_get_data(ne));
369 X509_NAME_delete_entry(nm, i);
370 X509_NAME_ENTRY_free(ne);
373 if (email == NULL || (gen = GENERAL_NAME_new()) == NULL) {
374 X509V3err(X509V3_F_COPY_EMAIL, ERR_R_MALLOC_FAILURE);
379 gen->type = GEN_EMAIL;
380 if (!sk_GENERAL_NAME_push(gens, gen)) {
381 X509V3err(X509V3_F_COPY_EMAIL, ERR_R_MALLOC_FAILURE);
390 GENERAL_NAME_free(gen);
391 ASN1_IA5STRING_free(email);
396 GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
397 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
402 const int num = sk_CONF_VALUE_num(nval);
405 gens = sk_GENERAL_NAME_new_reserve(NULL, num);
407 X509V3err(X509V3_F_V2I_GENERAL_NAMES, ERR_R_MALLOC_FAILURE);
408 sk_GENERAL_NAME_free(gens);
412 for (i = 0; i < num; i++) {
413 cnf = sk_CONF_VALUE_value(nval, i);
414 if ((gen = v2i_GENERAL_NAME(method, ctx, cnf)) == NULL)
416 sk_GENERAL_NAME_push(gens, gen); /* no failure as it was reserved */
420 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
424 GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method,
425 X509V3_CTX *ctx, CONF_VALUE *cnf)
427 return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0);
430 GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
431 const X509V3_EXT_METHOD *method,
432 X509V3_CTX *ctx, int gen_type, const char *value,
436 GENERAL_NAME *gen = NULL;
439 X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_MISSING_VALUE);
446 gen = GENERAL_NAME_new();
448 X509V3err(X509V3_F_A2I_GENERAL_NAME, ERR_R_MALLOC_FAILURE);
463 if ((obj = OBJ_txt2obj(value, 0)) == NULL) {
464 X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_BAD_OBJECT);
465 ERR_add_error_data(2, "value=", value);
474 gen->d.ip = a2i_IPADDRESS_NC(value);
476 gen->d.ip = a2i_IPADDRESS(value);
477 if (gen->d.ip == NULL) {
478 X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_BAD_IP_ADDRESS);
479 ERR_add_error_data(2, "value=", value);
485 if (!do_dirname(gen, value, ctx)) {
486 X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_DIRNAME_ERROR);
492 if (!do_othername(gen, value, ctx)) {
493 X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_OTHERNAME_ERROR);
498 X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_UNSUPPORTED_TYPE);
503 if ((gen->d.ia5 = ASN1_IA5STRING_new()) == NULL ||
504 !ASN1_STRING_set(gen->d.ia5, (unsigned char *)value,
506 X509V3err(X509V3_F_A2I_GENERAL_NAME, ERR_R_MALLOC_FAILURE);
511 gen->type = gen_type;
517 GENERAL_NAME_free(gen);
521 GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
522 const X509V3_EXT_METHOD *method,
523 X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc)
533 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX, X509V3_R_MISSING_VALUE);
537 if (!name_cmp(name, "email"))
539 else if (!name_cmp(name, "URI"))
541 else if (!name_cmp(name, "DNS"))
543 else if (!name_cmp(name, "RID"))
545 else if (!name_cmp(name, "IP"))
547 else if (!name_cmp(name, "dirName"))
549 else if (!name_cmp(name, "otherName"))
550 type = GEN_OTHERNAME;
552 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX, X509V3_R_UNSUPPORTED_OPTION);
553 ERR_add_error_data(2, "name=", name);
557 return a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
561 static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx)
563 char *objtmp = NULL, *p;
566 if ((p = strchr(value, ';')) == NULL)
568 if ((gen->d.otherName = OTHERNAME_new()) == NULL)
571 * Free this up because we will overwrite it. no need to free type_id
572 * because it is static
574 ASN1_TYPE_free(gen->d.otherName->value);
575 if ((gen->d.otherName->value = ASN1_generate_v3(p + 1, ctx)) == NULL)
578 objtmp = OPENSSL_strndup(value, objlen);
581 gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0);
582 OPENSSL_free(objtmp);
583 if (!gen->d.otherName->type_id)
588 static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx)
591 STACK_OF(CONF_VALUE) *sk = NULL;
594 if ((nm = X509_NAME_new()) == NULL)
596 sk = X509V3_get_section(ctx, value);
598 X509V3err(X509V3_F_DO_DIRNAME, X509V3_R_SECTION_NOT_FOUND);
599 ERR_add_error_data(2, "section=", value);
602 /* FIXME: should allow other character types... */
603 ret = X509V3_NAME_from_section(nm, sk, MBSTRING_ASC);
611 X509V3_section_free(ctx, sk);