Extended subjectAlternativeName and namingConstraint support

It can now handle IP: and URI:

Signed-off-by: Stephen Gallagher <[email protected]>

Author: sgallagher

src/authority.c

@@ -17,6 +17,7 @@
     Copyright 2017 by Stephen Gallagher <[email protected]>
 */
 
+#include <string.h>
 #include "include/sscg.h"
 #include "include/authority.h"
 #include "include/x509.h"
@@ -41,6 +42,7 @@ create_private_CA (TALLOC_CTX *mem_ctx,
   X509_EXTENSION *ex = NULL;
   X509V3_CTX xctx;
   char *name_constraint;
+  char *san;
   char *tmp;
 
   tmp_ctx = talloc_new (NULL);
@@ -105,18 +107,35 @@ create_private_CA (TALLOC_CTX *mem_ctx,
     {
       for (i = 0; options->subject_alt_names[i]; i++)
         {
+          if (!strchr(options->subject_alt_names[i], ':'))
+            {
+              san = talloc_asprintf(tmp_ctx, "DNS:%s",
+                                    options->subject_alt_names[i]);
+            }
+          else
+            {
+              san = talloc_strdup(tmp_ctx, options->subject_alt_names[i]);
+            }
+          CHECK_MEM(san);
+
           tmp = talloc_asprintf (tmp_ctx,
-                                 "%s, permitted;DNS:%s",
+                                 "%s, permitted;%s",
                                  name_constraint,
-                                 options->subject_alt_names[i]);
+                                 san);
+          talloc_zfree(san);
           CHECK_MEM (tmp);
           talloc_free (name_constraint);
           name_constraint = tmp;
         }
     }
 
   ex = X509V3_EXT_conf_nid (NULL, NULL, NID_name_constraints, name_constraint);
-  CHECK_MEM (ex);
+  if (!ex)
+    {
+      ret = EINVAL;
+      fprintf(stderr, "Invalid name constraint: %s\n", name_constraint);
+      goto done;
+    }
   sk_X509_EXTENSION_push (ca_certinfo->extensions, ex);
   talloc_free (name_constraint);
 

src/sscg.c

@@ -263,6 +263,9 @@ main (int argc, const char **argv)
       &alternative_names,
       0,
       _ ("Optional additional valid hostnames for the certificate. "
+         "In addition to hostnames, this option also accepts explicit values "
+         "supported by RFC 5280 such as "
+         "IP:xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy "
          "May be specified multiple times."),
       _ ("alt.example.com") },
     {

src/x509.c

@@ -20,6 +20,7 @@
 #include <openssl/err.h>
 #include <openssl/evp.h>
 
+#include <string.h>
 #include "include/sscg.h"
 #include "include/key.h"
 #include "include/x509.h"
@@ -129,6 +130,7 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
   X509_NAME *subject;
   char *alt_name = NULL;
   char *tmp = NULL;
+  char *san = NULL;
   TALLOC_CTX *tmp_ctx;
   X509_EXTENSION *ex = NULL;
   struct sscg_x509_req *csr;
@@ -255,8 +257,20 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
     {
       for (i = 0; certinfo->subject_alt_names[i]; i++)
         {
+          if (!strchr(certinfo->subject_alt_names[i], ':'))
+            {
+              san = talloc_asprintf(tmp_ctx, "DNS:%s",
+                                    certinfo->subject_alt_names[i]);
+            }
+          else
+            {
+              san = talloc_strdup(tmp_ctx, certinfo->subject_alt_names[i]);
+            }
+          CHECK_MEM(san);
+
           tmp = talloc_asprintf (
-            tmp_ctx, "%s, DNS:%s", alt_name, certinfo->subject_alt_names[i]);
+            tmp_ctx, "%s, %s", alt_name, san);
+          talloc_zfree(san);
           CHECK_MEM (tmp);
           talloc_free (alt_name);
           alt_name = tmp;