From 70c8bbcf99acac912dc6740e6c9b9c0558c2c290 Mon Sep 17 00:00:00 2001
From: Gunnar Beutner
Date: Thu, 21 Apr 2016 15:25:57 +0200
Subject: [PATCH] Implement support for subjectAltName in SSL certificates
fixes #11556
---
 lib/base/tlsutility.cpp | 42 +++++++++++++++++++++++++++--------------
 1 file changed, 28 insertions(+), 14 deletions(-)
diff --git a/lib/base/tlsutility.cpp b/lib/base/tlsutility.cpp
index 5040013cc..83bb7c1bd 100644
--- a/lib/base/tlsutility.cpp
+++ b/lib/base/tlsutility.cpp
@@ -191,19 +191,12 @@ void AddCRLToSSLContext(const boost::shared_ptr& context, const String&
 X509_VERIFY_PARAM_free(param);
 }
-/**
- * Retrieves the common name for an X509 certificate.
- *
- * @param certificate The X509 certificate.
- * @returns The common name.
- */
-String GetCertificateCN(const boost::shared_ptr& certificate)
+static String GetX509NameCN(X509_NAME *name)
 {
 char errbuf[120];
 char buffer[256];
- int rc = X509_NAME_get_text_by_NID(X509_get_subject_name(certificate.get()),
- NID_commonName, buffer, sizeof(buffer));
+ int rc = X509_NAME_get_text_by_NID(name, NID_commonName, buffer, sizeof(buffer));
 if (rc == -1) {
 Log(LogCritical, "SSL")
@@ -216,6 +209,17 @@ String GetCertificateCN(const boost::shared_ptr& certificate)
 return buffer;
 }
+/**
+ * Retrieves the common name for an X509 certificate.
+ *
+ * @param certificate The X509 certificate.
+ * @returns The common name.
+ */
+String GetCertificateCN(const boost::shared_ptr& certificate)
+{
+ return GetX509NameCN(X509_get_subject_name(certificate.get()));
+}
+
 /**
 * Retrieves an X509 certificate from the specified file.
 *
@@ -416,7 +420,6 @@ boost::shared_ptr CreateCert(EVP_PKEY *pubkey, X509_NAME *subject, X509_NA
 ASN1_INTEGER_set(X509_get_serialNumber(cert), serial);
- X509_EXTENSION *ext;
 X509V3_CTX ctx;
 X509V3_set_ctx_nodb(&ctx);
 X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);
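Review bot: The new `GetX509NameCN` helper only treats `rc == -1` as a failure, but `X509_NAME_get_text_by_NID` copies at most `sizeof(buffer) - 1` bytes and NUL-terminates, and the `return buffer;` that follows (in the next hunk's context) stops at the first NUL, so a common name longer than 255 bytes or one carrying an embedded NUL is returned silently shortened. That matters more after this commit, because the CreateCert hunk below now builds a `DNS:` subjectAltName from this value and signs it into the certificate; consider widening the check to `if (rc == -1 || rc >= static_cast<int>(sizeof(buffer)) - 1 || rc != static_cast<int>(strlen(buffer))) {` so a truncated or NUL-bearing name is logged instead of being used. The helper also has no Doxygen block while the one for `GetCertificateCN` was kept; a matching `/** Retrieves the common name from an X509_NAME. @param name The X509 name. @returns The common name. */` above the `static` line would keep the file consistent. GetX509NameCN's body continues past this hunk, so the log message and the return are not visible here.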
@@ -428,12 +431,23 @@ boost::shared_ptr CreateCert(EVP_PKEY *pubkey, X509_NAME *subject, X509_NA
 else
 attr = "critical,CA:FALSE";
- ext = X509V3_EXT_conf_nid(NULL, &ctx, NID_basic_constraints, const_cast(attr));
+ X509_EXTENSION *basicConstraintsExt = X509V3_EXT_conf_nid(NULL, &ctx, NID_basic_constraints, const_cast(attr));
- if (ext)
- X509_add_ext(cert, ext, -1);
+ if (basicConstraintsExt) {
+ X509_add_ext(cert, basicConstraintsExt, -1);
+ X509_EXTENSION_free(basicConstraintsExt);
+ }
- X509_EXTENSION_free(ext);
+ String cn = GetX509NameCN(subject);
+
+ if (!cn.Contains(" ") && cn.Contains(".")) {
+ String san = "DNS:" + cn;
+ X509_EXTENSION *subjectAltNameExt = X509V3_EXT_conf_nid(NULL, &ctx, NID_subject_alt_name, const_cast(san.CStr()));
+ if (subjectAltNameExt) {
+ X509_add_ext(cert, subjectAltNameExt, -1);
+ X509_EXTENSION_free(subjectAltNameExt);
+ }
+ }
 X509_sign(cert, cakey, EVP_sha256());