3 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
6 /* ====================================================================
7 * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * licensing@OpenSSL.org.
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
35 * 6. Redistributions of any form whatsoever must retain the following
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com). */
61 #include <openssl/conf.h>
62 #include <openssl/err.h>
63 #include <openssl/mem.h>
64 #include <openssl/obj.h>
65 #include <openssl/x509v3.h>
67 static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
69 STACK_OF(CONF_VALUE) *nval);
70 static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
72 STACK_OF(CONF_VALUE) *nval);
73 static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p);
74 static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens);
75 static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx);
76 static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx);
78 const X509V3_EXT_METHOD v3_alt[] = {
79 {NID_subject_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
82 (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
83 (X509V3_EXT_V2I)v2i_subject_alt,
86 {NID_issuer_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
89 (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
90 (X509V3_EXT_V2I)v2i_issuer_alt,
93 {NID_certificate_issuer, 0, ASN1_ITEM_ref(GENERAL_NAMES),
96 (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
97 NULL, NULL, NULL, NULL},
100 STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
102 STACK_OF(CONF_VALUE) *ret)
106 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
107 gen = sk_GENERAL_NAME_value(gens, i);
108 ret = i2v_GENERAL_NAME(method, gen, ret);
111 return sk_CONF_VALUE_new_null();
115 STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
117 STACK_OF(CONF_VALUE) *ret)
120 char oline[256], htmp[5];
124 if (!X509V3_add_value("othername", "<unsupported>", &ret))
129 if (!X509V3_add_value("X400Name", "<unsupported>", &ret))
134 if (!X509V3_add_value("EdiPartyName", "<unsupported>", &ret))
139 if (!X509V3_add_value_uchar("email", gen->d.ia5->data, &ret))
144 if (!X509V3_add_value_uchar("DNS", gen->d.ia5->data, &ret))
149 if (!X509V3_add_value_uchar("URI", gen->d.ia5->data, &ret))
154 if (X509_NAME_oneline(gen->d.dirn, oline, 256) == NULL
155 || !X509V3_add_value("DirName", oline, &ret))
161 if (gen->d.ip->length == 4)
162 BIO_snprintf(oline, sizeof oline,
163 "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
164 else if (gen->d.ip->length == 16) {
166 for (i = 0; i < 8; i++) {
167 BIO_snprintf(htmp, sizeof htmp, "%X", p[0] << 8 | p[1]);
169 BUF_strlcat(oline, htmp, sizeof(oline));
171 BUF_strlcat(oline, ":", sizeof(oline));
174 if (!X509V3_add_value("IP Address", "<invalid>", &ret))
178 if (!X509V3_add_value("IP Address", oline, &ret))
183 i2t_ASN1_OBJECT(oline, 256, gen->d.rid);
184 if (!X509V3_add_value("Registered ID", oline, &ret))
191 int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
197 BIO_printf(out, "othername:<unsupported>");
201 BIO_printf(out, "X400Name:<unsupported>");
205 /* Maybe fix this: it is supported now */
206 BIO_printf(out, "EdiPartyName:<unsupported>");
210 BIO_printf(out, "email:%s", gen->d.ia5->data);
214 BIO_printf(out, "DNS:%s", gen->d.ia5->data);
218 BIO_printf(out, "URI:%s", gen->d.ia5->data);
222 BIO_printf(out, "DirName: ");
223 X509_NAME_print_ex(out, gen->d.dirn, 0, XN_FLAG_ONELINE);
228 if (gen->d.ip->length == 4)
229 BIO_printf(out, "IP Address:%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
230 else if (gen->d.ip->length == 16) {
231 BIO_printf(out, "IP Address");
232 for (i = 0; i < 8; i++) {
233 BIO_printf(out, ":%X", p[0] << 8 | p[1]);
238 BIO_printf(out, "IP Address:<invalid>");
244 BIO_printf(out, "Registered ID");
245 i2a_ASN1_OBJECT(out, gen->d.rid);
251 static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
253 STACK_OF(CONF_VALUE) *nval)
255 GENERAL_NAMES *gens = NULL;
258 if (!(gens = sk_GENERAL_NAME_new_null())) {
259 OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
262 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
263 cnf = sk_CONF_VALUE_value(nval, i);
264 if (!name_cmp(cnf->name, "issuer") && cnf->value &&
265 !strcmp(cnf->value, "copy")) {
266 if (!copy_issuer(ctx, gens))
270 if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
272 sk_GENERAL_NAME_push(gens, gen);
277 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
281 /* Append subject altname of issuer to issuer alt name of subject */
283 static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens)
290 if (ctx && (ctx->flags == CTX_TEST))
292 if (!ctx || !ctx->issuer_cert) {
293 OPENSSL_PUT_ERROR(X509V3, X509V3_R_NO_ISSUER_DETAILS);
296 i = X509_get_ext_by_NID(ctx->issuer_cert, NID_subject_alt_name, -1);
299 if (!(ext = X509_get_ext(ctx->issuer_cert, i)) ||
300 !(ialt = X509V3_EXT_d2i(ext))) {
301 OPENSSL_PUT_ERROR(X509V3, X509V3_R_ISSUER_DECODE_ERROR);
305 for (j = 0; j < sk_GENERAL_NAME_num(ialt); j++) {
306 gen = sk_GENERAL_NAME_value(ialt, j);
307 if (!sk_GENERAL_NAME_push(gens, gen)) {
308 OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
312 sk_GENERAL_NAME_free(ialt);
321 static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
323 STACK_OF(CONF_VALUE) *nval)
325 GENERAL_NAMES *gens = NULL;
328 if (!(gens = sk_GENERAL_NAME_new_null())) {
329 OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
332 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
333 cnf = sk_CONF_VALUE_value(nval, i);
334 if (!name_cmp(cnf->name, "email") && cnf->value &&
335 !strcmp(cnf->value, "copy")) {
336 if (!copy_email(ctx, gens, 0))
338 } else if (!name_cmp(cnf->name, "email") && cnf->value &&
339 !strcmp(cnf->value, "move")) {
340 if (!copy_email(ctx, gens, 1))
344 if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
346 sk_GENERAL_NAME_push(gens, gen);
351 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
356 * Copy any email addresses in a certificate or request to GENERAL_NAMES
359 static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
362 ASN1_IA5STRING *email = NULL;
364 GENERAL_NAME *gen = NULL;
366 if (ctx != NULL && ctx->flags == CTX_TEST)
368 if (!ctx || (!ctx->subject_cert && !ctx->subject_req)) {
369 OPENSSL_PUT_ERROR(X509V3, X509V3_R_NO_SUBJECT_DETAILS);
372 /* Find the subject name */
373 if (ctx->subject_cert)
374 nm = X509_get_subject_name(ctx->subject_cert);
376 nm = X509_REQ_get_subject_name(ctx->subject_req);
378 /* Now add any email address(es) to STACK */
380 while ((i = X509_NAME_get_index_by_NID(nm,
381 NID_pkcs9_emailAddress, i)) >= 0) {
382 ne = X509_NAME_get_entry(nm, i);
383 email = M_ASN1_IA5STRING_dup(X509_NAME_ENTRY_get_data(ne));
385 X509_NAME_delete_entry(nm, i);
386 X509_NAME_ENTRY_free(ne);
389 if (!email || !(gen = GENERAL_NAME_new())) {
390 OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
395 gen->type = GEN_EMAIL;
396 if (!sk_GENERAL_NAME_push(gens, gen)) {
397 OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
406 GENERAL_NAME_free(gen);
407 M_ASN1_IA5STRING_free(email);
412 GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
413 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
416 GENERAL_NAMES *gens = NULL;
419 if (!(gens = sk_GENERAL_NAME_new_null())) {
420 OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
423 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
424 cnf = sk_CONF_VALUE_value(nval, i);
425 if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
427 sk_GENERAL_NAME_push(gens, gen);
431 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
435 GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method,
436 X509V3_CTX *ctx, CONF_VALUE *cnf)
438 return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0);
441 GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
442 const X509V3_EXT_METHOD *method,
443 X509V3_CTX *ctx, int gen_type, char *value,
447 GENERAL_NAME *gen = NULL;
450 OPENSSL_PUT_ERROR(X509V3, X509V3_R_MISSING_VALUE);
457 gen = GENERAL_NAME_new();
459 OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
474 if (!(obj = OBJ_txt2obj(value, 0))) {
475 OPENSSL_PUT_ERROR(X509V3, X509V3_R_BAD_OBJECT);
476 ERR_add_error_data(2, "value=", value);
485 gen->d.ip = a2i_IPADDRESS_NC(value);
487 gen->d.ip = a2i_IPADDRESS(value);
488 if (gen->d.ip == NULL) {
489 OPENSSL_PUT_ERROR(X509V3, X509V3_R_BAD_IP_ADDRESS);
490 ERR_add_error_data(2, "value=", value);
496 if (!do_dirname(gen, value, ctx)) {
497 OPENSSL_PUT_ERROR(X509V3, X509V3_R_DIRNAME_ERROR);
503 if (!do_othername(gen, value, ctx)) {
504 OPENSSL_PUT_ERROR(X509V3, X509V3_R_OTHERNAME_ERROR);
509 OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNSUPPORTED_TYPE);
514 if (!(gen->d.ia5 = M_ASN1_IA5STRING_new()) ||
515 !ASN1_STRING_set(gen->d.ia5, (unsigned char *)value,
517 OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
522 gen->type = gen_type;
528 GENERAL_NAME_free(gen);
532 GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
533 const X509V3_EXT_METHOD *method,
534 X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc)
544 OPENSSL_PUT_ERROR(X509V3, X509V3_R_MISSING_VALUE);
548 if (!name_cmp(name, "email"))
550 else if (!name_cmp(name, "URI"))
552 else if (!name_cmp(name, "DNS"))
554 else if (!name_cmp(name, "RID"))
556 else if (!name_cmp(name, "IP"))
558 else if (!name_cmp(name, "dirName"))
560 else if (!name_cmp(name, "otherName"))
561 type = GEN_OTHERNAME;
563 OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNSUPPORTED_OPTION);
564 ERR_add_error_data(2, "name=", name);
568 return a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
572 static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
574 char *objtmp = NULL, *p;
576 if (!(p = strchr(value, ';')))
578 if (!(gen->d.otherName = OTHERNAME_new()))
581 * Free this up because we will overwrite it. no need to free type_id
582 * because it is static
584 ASN1_TYPE_free(gen->d.otherName->value);
585 if (!(gen->d.otherName->value = ASN1_generate_v3(p + 1, ctx)))
588 objtmp = OPENSSL_malloc(objlen + 1);
591 BUF_strlcpy(objtmp, value, objlen + 1);
592 gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0);
593 OPENSSL_free(objtmp);
594 if (!gen->d.otherName->type_id)
599 static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
602 STACK_OF(CONF_VALUE) *sk = NULL;
603 X509_NAME *nm = X509_NAME_new();
606 sk = X509V3_get_section(ctx, value);
608 OPENSSL_PUT_ERROR(X509V3, X509V3_R_SECTION_NOT_FOUND);
609 ERR_add_error_data(2, "section=", value);
612 /* FIXME: should allow other character types... */
613 if (!X509V3_NAME_from_section(nm, sk, MBSTRING_ASC))
621 X509V3_section_free(ctx, sk);