
Commit e42c770

committed
Extended subjectAlternativeName and namingConstraint support
It can now handle IP: and URI: prefixes.

Signed-off-by: Stephen Gallagher <[email protected]>
1 parent d460e1e commit e42c770


3 files changed

+40
-4
lines changed


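--- a/src/authority.c
+++ b/src/authority.c
@@ -17,6 +17,7 @@
 Copyright 2017 by Stephen Gallagher <[email protected]>
 */
 
+#include <string.h>
 #include "include/sscg.h"
 #include "include/authority.h"
 #include "include/x509.h"
@@ -41,6 +42,7 @@ create_private_CA (TALLOC_CTX *mem_ctx,
 X509_EXTENSION *ex = NULL;
 X509V3_CTX xctx;
 char *name_constraint;
+char *san;
 char *tmp;
 
 tmp_ctx = talloc_new (NULL);
@@ -105,18 +107,35 @@ create_private_CA (TALLOC_CTX *mem_ctx,
 {
 for (i = 0; options->subject_alt_names[i]; i++)
 {
+if (!strchr(options->subject_alt_names[i], ':'))
+{
+san = talloc_asprintf(tmp_ctx, "DNS:%s",
+options->subject_alt_names[i]);
+}
+else
+{
+san = talloc_strdup(tmp_ctx, options->subject_alt_names[i]);
+}
+CHECK_MEM(san);
+
 tmp = talloc_asprintf (tmp_ctx,
-"%s, permitted;DNS:%s",
+"%s, permitted;%s",
 name_constraint,
-options->subject_alt_names[i]);
+san);
+talloc_zfree(san);
 CHECK_MEM (tmp);
 talloc_free (name_constraint);
 name_constraint = tmp;
 }
 }
 
 ex = X509V3_EXT_conf_nid (NULL, NULL, NID_name_constraints, name_constraint);
-CHECK_MEM (ex);
+if (!ex)
+{
+ret = EINVAL;
+fprintf(stderr, "Invalid name constraint: %s\n", name_constraint);
+goto done;
+}
 sk_X509_EXTENSION_push (ca_certinfo->extensions, ex);
 talloc_free (name_constraint);
 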
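Review bot: The new `char *san;` in the second hunk is left uninitialized, while the parallel declaration this commit adds to sscg_x509v3_csr_new is `char *san = NULL;`; `char *san = NULL;` here keeps the two in step and removes the need to reason about whether every path assigns it before `CHECK_MEM(san)`. In the third hunk the `strchr(..., ':')` test treats any value containing a colon as an already-typed entry and hands it to OpenSSL verbatim, so a bare IPv6 literal such as `::1` would reach `X509V3_EXT_conf_nid` untouched and be reported by the new `if (!ex)` path as an invalid name constraint; a comment above the test, `/* No type prefix: treat as a DNS name. Anything containing ':' (IP:, URI:, ...) is passed to OpenSSL verbatim. */`, would make that intent explicit. The same prefixing logic is duplicated in src/x509.c; a small shared helper returning the prefixed string would keep both callers consistent. create_private_CA continues outside the hunk.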

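--- a/src/sscg.c
+++ b/src/sscg.c
@@ -263,6 +263,9 @@ main (int argc, const char **argv)
 &alternative_names,
 0,
 _ ("Optional additional valid hostnames for the certificate. "
+"In addition to hostnames, this option also accepts explicit values "
+"supported by RFC 5280 such as "
+"IP:xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy "
 "May be specified multiple times."),
 _ ("alt.example.com") },
 {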
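Review bot: The last added string fragment ends without a full stop, so the rendered help text reads "...yyy.yyy.yyy.yyy May be specified multiple times."; it should be `"IP:xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy. "`. The commit message says URI: entries are handled too, but the help text only gives the IP example, so a short mention such as `"or URI:https://example.com. "` would tell users the other accepted form. The option table continues outside the hunk.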

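--- a/src/x509.c
+++ b/src/x509.c
@@ -20,6 +20,7 @@
 #include <openssl/err.h>
 #include <openssl/evp.h>
 
+#include <string.h>
 #include "include/sscg.h"
 #include "include/key.h"
 #include "include/x509.h"
@@ -129,6 +130,7 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
 X509_NAME *subject;
 char *alt_name = NULL;
 char *tmp = NULL;
+char *san = NULL;
 TALLOC_CTX *tmp_ctx;
 X509_EXTENSION *ex = NULL;
 struct sscg_x509_req *csr;
@@ -255,8 +257,20 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
 {
 for (i = 0; certinfo->subject_alt_names[i]; i++)
 {
+if (!strchr(certinfo->subject_alt_names[i], ':'))
+{
+san = talloc_asprintf(tmp_ctx, "DNS:%s",
+certinfo->subject_alt_names[i]);
+}
+else
+{
+san = talloc_strdup(tmp_ctx, certinfo->subject_alt_names[i]);
+}
+CHECK_MEM(san);
+
 tmp = talloc_asprintf (
-tmp_ctx, "%s, DNS:%s", alt_name, certinfo->subject_alt_names[i]);
+tmp_ctx, "%s, %s", alt_name, san);
+talloc_zfree(san);
 CHECK_MEM (tmp);
 talloc_free (alt_name);
 alt_name = tmp;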
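Review bot: The value built into `san` in the third hunk is the same subject_alt_names entry that create_private_CA now feeds into the nameConstraints string, and OpenSSL's `IP:` syntax differs between the two extensions — as far as I recall, nameConstraints expects `IP:addr/mask` while subjectAltName expects a bare `IP:addr` — so a single `IP:` argument is unlikely to be accepted by both; this is worth confirming with an end-to-end run and documenting in the option's help text. Whether a value rejected by OpenSSL is reported here the way the src/authority.c hunk now does (`if (!ex) { ... goto done; }` with a message naming the offending string) cannot be seen, because the `X509V3_EXT_conf_nid` call lies after the end of the hunk; the same explicit check belongs here, since `CHECK_MEM` would misreport a syntax error as an allocation failure. sscg_x509v3_csr_new continues outside the hunk.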
