hx509: SANs are critical if DN is empty

Nicolas Williams
2019-10-04 11:50:12 -05:00
parent 038ed5ec31
commit 25dbe28291
4 changed files with 29 additions and 10 deletions


@@ -1087,6 +1087,12 @@ ca_sign(hx509_context context,
tbsc = &c.tbsCertificate; tbsc = &c.tbsCertificate;
/* Default subject Name to empty */
if (tbs->subject == NULL &&
(ret = hx509_empty_name(context, &tbs->subject)))
return ret;
/* Sanity checks */
if (tbs->flags.key == 0) { if (tbs->flags.key == 0) {
ret = EINVAL; ret = EINVAL;
hx509_set_error_string(context, 0, ret, "No public key set"); hx509_set_error_string(context, 0, ret, "No public key set");
@@ -1097,13 +1103,9 @@ ca_sign(hx509_context context,
* will be generated below. * will be generated below.
*/ */
if (!tbs->flags.proxy) { if (!tbs->flags.proxy) {
if (tbs->subject == NULL) {
hx509_set_error_string(context, 0, EINVAL, "No subject name set");
return EINVAL;
}
if (hx509_name_is_null_p(tbs->subject) && tbs->san.len == 0) { if (hx509_name_is_null_p(tbs->subject) && tbs->san.len == 0) {
hx509_set_error_string(context, 0, EINVAL, hx509_set_error_string(context, 0, EINVAL,
"NULL subject and no SubjectAltNames"); "Empty subject and no SubjectAltNames");
return EINVAL; return EINVAL;
} }
} }
@@ -1291,9 +1293,10 @@ ca_sign(hx509_context context,
} }
if (size != data.length) if (size != data.length)
_hx509_abort("internal ASN.1 encoder error"); _hx509_abort("internal ASN.1 encoder error");
ret = add_extension(context, tbsc, 0,
&asn1_oid_id_x509_ce_subjectAltName, /* The SAN extension is critical if the subject Name is empty */
&data); ret = add_extension(context, tbsc, hx509_name_is_null_p(tbs->subject),
&asn1_oid_id_x509_ce_subjectAltName, &data);
free(data.data); free(data.data);
if (ret) if (ret)
goto out; goto out;
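Review bot: The criticality flag in the third hunk is derived from `tbs->subject`, yet the comment at the top of the second hunk says that for proxy certificates the subject is generated below, so the Name actually encoded into tbsc may not be the one whose emptiness is tested here. RFC 5280 §4.2.1.6 ties SAN criticality to the subject field of the certificate as issued, so testing the encoded subject would be safer, e.g. `int san_critical = tbsc->subject.element == choice_Name_rdnSequence && tbsc->subject.u.rdnSequence.len == 0;` passed in place of the `hx509_name_is_null_p(tbs->subject)` argument; I cannot see where tbsc->subject is assigned relative to this hunk, so if it is set later the check would have to move with it. The first hunk also allocates a Name into the caller-supplied tbs, which is only leak-free if hx509_ca_tbs_free releases tbs->subject — not visible here, so worth confirming. ca_sign begins and ends outside these hunks.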


@@ -144,6 +144,7 @@ EXPORTS
hx509_crypto_set_padding hx509_crypto_set_padding
hx509_crypto_set_params hx509_crypto_set_params
hx509_crypto_set_random_key hx509_crypto_set_random_key
hx509_empty_name
hx509_env_add hx509_env_add
hx509_env_add_binding hx509_env_add_binding
hx509_env_find hx509_env_find


@@ -605,6 +605,19 @@ _hx509_name_modify(hx509_context context,
return 0; return 0;
} }
HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_empty_name(hx509_context context, hx509_name *name)
{
if ((*name = calloc(1, sizeof(**name))) == NULL) {
hx509_set_error_string(context, 0, ENOMEM, "out of memory");
return ENOMEM;
}
(*name)->der_name.element = choice_Name_rdnSequence;
(*name)->der_name.u.rdnSequence.val = 0;
(*name)->der_name.u.rdnSequence.len = 0;
return 0;
}
/** /**
* Parse a string into a hx509 name object. * Parse a string into a hx509 name object.
* *
@@ -972,7 +985,7 @@ _hx509_unparse_Name(const Name *aname, char **str)
} }
/** /**
* Unparse the hx509 name in name into a string. * Check if a name is empty.
* *
* @param name the name to check if its empty/null. * @param name the name to check if its empty/null.
* *
@@ -984,7 +997,8 @@ _hx509_unparse_Name(const Name *aname, char **str)
HX509_LIB_FUNCTION int HX509_LIB_CALL HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_name_is_null_p(const hx509_name name) hx509_name_is_null_p(const hx509_name name)
{ {
return name->der_name.u.rdnSequence.len == 0; return name->der_name.element == choice_Name_rdnSequence &&
name->der_name.u.rdnSequence.len == 0;
} }
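Review bot: `hx509_empty_name` is a newly exported function (this commit adds it to both export lists) but, unlike the neighbouring functions in this file, it has no `/** ... */` documentation block. The comment should state that the name is an rdnSequence with zero RDNs, that on success `*name` is owned by the caller and released with `hx509_name_free()`, that on failure `*name` is left NULL and ENOMEM is returned, and that the result satisfies `hx509_name_is_null_p()` as redefined in the second hunk. A lead-in such as `/** Allocate an empty hx509 name (an rdnSequence with no RDNs).` followed by `@param name receives the new name; freed by the caller with hx509_name_free(); NULL on ENOMEM.` would match the file's style. The explicit zeroing of `val` and `len` after `calloc` is redundant but harmless; a note like `/* calloc already zeroed rdnSequence; only element needs setting */` would make that intent clear.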
/** /**


@@ -137,6 +137,7 @@ HEIMDAL_X509_1.2 {
hx509_crypto_set_padding; hx509_crypto_set_padding;
hx509_crypto_set_params; hx509_crypto_set_params;
hx509_crypto_set_random_key; hx509_crypto_set_random_key;
hx509_empty_name;
hx509_env_add; hx509_env_add;
hx509_env_add_binding; hx509_env_add_binding;
hx509_env_find; hx509_env_find;