[openssl-commits] [openssl] master update
yang.yang at baishancloud.com
yang.yang at baishancloud.com
Sat Oct 27 04:13:42 UTC 2018
The branch master has been updated
via c23e497da7815bf6ef84461f92339442d3702eda (commit)
from a83dc59afa2e0207180d7218efed19b20d48de95 (commit)
- Log -----------------------------------------------------------------
commit c23e497da7815bf6ef84461f92339442d3702eda
Author: Fraser Tweedale <ftweedal at redhat.com>
Date: Sat Oct 27 12:11:41 2018 +0800
Support GeneralSubtrees with minimum = 0
The Name Constraints extension contains GeneralSubtree values
indicating included or excluded subtrees. It is defined as:
GeneralSubtree ::= SEQUENCE {
base GeneralName,
minimum [0] BaseDistance DEFAULT 0,
maximum [1] BaseDistance OPTIONAL }
RFC 5280 further specifies:
Within this profile, the minimum and maximum fields are not used with
any name forms, thus, the minimum MUST be zero, and maximum MUST be
absent.
Because the minimum fields has DEFAULT 0, and certificates should be
encoded using DER, the situation where minimum = 0 occurs in a
certificate should not arise. Nevertheless, it does arise. For
example, I have seen certificates issued by Microsoft programs that
contain GeneralSubtree values encoded thus.
Enhance the Name Constraints matching routine to handle the case
where minimum is specified. If present, it must be zero. The
maximum field remains prohibited.
Reviewed-by: Paul Yang <yang.yang at baishancloud.com>
Reviewed-by: Paul Dale <paul.dale at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7039)
-----------------------------------------------------------------------
Summary of changes:
crypto/x509v3/v3_ncons.c | 26 ++++++++++++++++++++++++--
1 file changed, 24 insertions(+), 2 deletions(-)
diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c
index 9a2cd5a..8465818 100644
--- a/crypto/x509v3/v3_ncons.c
+++ b/crypto/x509v3/v3_ncons.c
@@ -14,6 +14,7 @@
#include <openssl/asn1t.h>
#include <openssl/conf.h>
#include <openssl/x509v3.h>
+#include <openssl/bn.h>
#include "internal/x509_int.h"
#include "ext_dat.h"
@@ -435,6 +436,27 @@ int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc)
return X509_V_OK;
}
+/*
+ * Return nonzero if the GeneralSubtree has valid 'minimum' field
+ * (must be absent or 0) and valid 'maximum' field (must be absent).
+ */
+static int nc_minmax_valid(GENERAL_SUBTREE *sub) {
+ BIGNUM *bn = NULL;
+ int ok = 1;
+
+ if (sub->maximum)
+ ok = 0;
+
+ if (sub->minimum) {
+ bn = ASN1_INTEGER_to_BN(sub->minimum, NULL);
+ if (bn == NULL || !BN_is_zero(bn))
+ ok = 0;
+ BN_free(bn);
+ }
+
+ return ok;
+}
+
static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
{
GENERAL_SUBTREE *sub;
@@ -449,7 +471,7 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
if (gen->type != sub->base->type)
continue;
- if (sub->minimum || sub->maximum)
+ if (!nc_minmax_valid(sub))
return X509_V_ERR_SUBTREE_MINMAX;
/* If we already have a match don't bother trying any more */
if (match == 2)
@@ -472,7 +494,7 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);
if (gen->type != sub->base->type)
continue;
- if (sub->minimum || sub->maximum)
+ if (!nc_minmax_valid(sub))
return X509_V_ERR_SUBTREE_MINMAX;
r = nc_match_single(gen, sub->base);
More information about the openssl-commits
mailing list