In ssl_check_public_cert(), also take dNSNames in the subjectAltName

extension into account when checking the cert against the configured ServerName. PR 32652, PR 47051. Replace SSL_X509_getCN() by SSL_X509_getIDs(), which returns an array of a cert's DNS-IDs and CN-IDs (terms as coined by RFC 6125). git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1176752 13f79535-47bb-0310-9956-ffa450edef68
2025-08-05 16:55:50 +03:00 · 2011-09-28 06:52:39 +00:00
parent 9b5b43cc2b
commit 2160d8594c
4 changed files with 96 additions and 31 deletions
--- a/modules/ssl/ssl_util_ssl.c
+++ b/modules/ssl/ssl_util_ssl.c
@@ -329,25 +329,54 @@ char *SSL_X509_NAME_to_string(apr_pool_t *p, X509_NAME *dn, unsigned int maxlen)
    return result;
 }

-/* retrieve subject CommonName of certificate */
-BOOL SSL_X509_getCN(apr_pool_t *p, X509 *xs, char **cppCN)
+/* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a certificate */
+BOOL SSL_X509_getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids)
 {
-    X509_NAME *xsn;
-    X509_NAME_ENTRY *xsne;
-    int i, nid;
+    STACK_OF(GENERAL_NAME) *names;
+    BIO *bio;
+    X509_NAME *subj;
+    char **cpp;
+    int i, n;

-    xsn = X509_get_subject_name(xs);
-    for (i = 0; i < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
-                                           xsn->entries); i++) {
-        xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
-                                        xsn->entries, i);
-        nid = OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
-        if (nid == NID_commonName) {
-            *cppCN = SSL_X509_NAME_ENTRY_to_string(p, xsne);
-            return TRUE;
-        }
+    if (!x509 || !(*ids = apr_array_make(p, 0, sizeof(char *)))) {
+        *ids = NULL;
+        return FALSE;
    }
-    return FALSE;
+
+    /* First, the DNS-IDs (dNSName entries in the subjectAltName extension) */
+    if ((names = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL)) &&
+        (bio = BIO_new(BIO_s_mem()))) {
+        GENERAL_NAME *name;
+
+        for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
+            name = sk_GENERAL_NAME_value(names, i);
+            if (name->type == GEN_DNS) {
+                ASN1_STRING_print_ex(bio, name->d.ia5, ASN1_STRFLGS_ESC_CTRL|
+                                     ASN1_STRFLGS_UTF8_CONVERT);
+                n = BIO_pending(bio);
+                if (n > 0) {
+                    cpp = (char **)apr_array_push(*ids);
+                    *cpp = apr_palloc(p, n+1);
+                    n = BIO_read(bio, *cpp, n);
+                    (*cpp)[n] = NUL;
+                }
+            }
+        }
+        BIO_free(bio);
+    }
+
+    if (names)
+        sk_GENERAL_NAME_free(names);
+
+    /* Second, the CN-IDs (commonName attributes in the subject DN) */
+    subj = X509_get_subject_name(x509);
+    i = -1;
+    while ((i = X509_NAME_get_index_by_NID(subj, NID_commonName, i)) != -1) {
+        cpp = (char **)apr_array_push(*ids);
+        *cpp = SSL_X509_NAME_ENTRY_to_string(p, X509_NAME_get_entry(subj, i));
+    }
+
+    return apr_is_empty_array(*ids) ? FALSE : TRUE;
 }

 /*  _________________________________________________________________