1 #include <openssl/x509.h>
2 #include <openssl/x509v3.h>
6 static const char *const names[] =
8 "a", "b", ".", "*", "@",
9 ".a", "a.", ".b", "b.", ".*", "*.", "*@", "@*", "a@", "@a", "b@", "..",
10 "@@", "**", "*.com", "*com", "*.*.com", "*com", "com*", "*example.com",
11 "*@example.com", "test@*.example.com", "example.com", "www.example.com",
12 "test.www.example.com", "*.example.com", "*.www.example.com",
13 "test.*.example.com", "www.*.com",
14 "example.net", "xn--rger-koa.example.com",
15 "a.example.com", "b.example.com",
16 "postmaster@example.com", "Postmaster@example.com",
17 "postmaster@EXAMPLE.COM",
21 static const char *const exceptions[] =
23 "set CN: host: [*.example.com] matches [a.example.com]",
24 "set CN: host: [*.example.com] matches [b.example.com]",
25 "set CN: host: [*.example.com] matches [www.example.com]",
26 "set CN: host: [*.example.com] matches [xn--rger-koa.example.com]",
27 "set CN: host: [*.www.example.com] matches [test.www.example.com]",
28 "set emailAddress: email: [postmaster@example.com] does not match [Postmaster@example.com]",
29 "set emailAddress: email: [postmaster@EXAMPLE.COM] does not match [Postmaster@example.com]",
30 "set emailAddress: email: [Postmaster@example.com] does not match [postmaster@example.com]",
31 "set emailAddress: email: [Postmaster@example.com] does not match [postmaster@EXAMPLE.COM]",
32 "set dnsName: host: [*.example.com] matches [www.example.com]",
33 "set dnsName: host: [*.example.com] matches [a.example.com]",
34 "set dnsName: host: [*.example.com] matches [b.example.com]",
35 "set dnsName: host: [*.example.com] matches [xn--rger-koa.example.com]",
36 "set dnsName: host: [*.www.example.com] matches [test.www.example.com]",
37 "set rfc822Name: email: [postmaster@example.com] does not match [Postmaster@example.com]",
38 "set rfc822Name: email: [Postmaster@example.com] does not match [postmaster@example.com]",
39 "set rfc822Name: email: [Postmaster@example.com] does not match [postmaster@EXAMPLE.COM]",
40 "set rfc822Name: email: [postmaster@EXAMPLE.COM] does not match [Postmaster@example.com]",
44 static int is_exception(const char *msg)
47 for (p = exceptions; *p; ++p)
48 if (strcmp(msg, *p) == 0)
53 static int set_cn(X509 *crt, ...)
65 nid = va_arg(ap, int);
68 name = va_arg(ap, const char *);
69 if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_ASC,
70 (unsigned char *)name,
74 if (!X509_set_subject_name(crt, n))
84 int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);
85 X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex,
86 int nid, int crit, ASN1_OCTET_STRING *data);
87 int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);
90 static int set_altname(X509 *crt, ...)
93 GENERAL_NAMES *gens = NULL;
94 GENERAL_NAME *gen = NULL;
95 ASN1_IA5STRING *ia5 = NULL;
98 gens = sk_GENERAL_NAME_new_null();
104 type = va_arg(ap, int);
107 name = va_arg(ap, const char *);
109 gen = GENERAL_NAME_new();
112 ia5 = ASN1_IA5STRING_new();
115 if (!ASN1_STRING_set(ia5, name, -1))
121 GENERAL_NAME_set0_value(gen, type, ia5);
127 sk_GENERAL_NAME_push(gens, gen);
130 if (!X509_add1_ext_i2d(crt, NID_subject_alt_name, gens, 0, 0))
134 ASN1_IA5STRING_free(ia5);
135 GENERAL_NAME_free(gen);
136 GENERAL_NAMES_free(gens);
141 static int set_cn1(X509 *crt, const char *name)
143 return set_cn(crt, NID_commonName, name, 0);
147 static int set_cn_and_email(X509 *crt, const char *name)
149 return set_cn(crt, NID_commonName, name,
150 NID_pkcs9_emailAddress, "dummy@example.com", 0);
153 static int set_cn2(X509 *crt, const char *name)
155 return set_cn(crt, NID_commonName, "dummy value",
156 NID_commonName, name, 0);
159 static int set_cn3(X509 *crt, const char *name)
161 return set_cn(crt, NID_commonName, name,
162 NID_commonName, "dummy value", 0);
165 static int set_email1(X509 *crt, const char *name)
167 return set_cn(crt, NID_pkcs9_emailAddress, name, 0);
170 static int set_email2(X509 *crt, const char *name)
172 return set_cn(crt, NID_pkcs9_emailAddress, "dummy@example.com",
173 NID_pkcs9_emailAddress, name, 0);
176 static int set_email3(X509 *crt, const char *name)
178 return set_cn(crt, NID_pkcs9_emailAddress, name,
179 NID_pkcs9_emailAddress, "dummy@example.com", 0);
182 static int set_email_and_cn(X509 *crt, const char *name)
184 return set_cn(crt, NID_pkcs9_emailAddress, name,
185 NID_commonName, "www.example.org", 0);
188 static int set_altname_dns(X509 *crt, const char *name)
190 return set_altname(crt, GEN_DNS, name, 0);
193 static int set_altname_email(X509 *crt, const char *name)
195 return set_altname(crt, GEN_EMAIL, name, 0);
200 int (*fn)(X509 *, const char *);
206 static const struct set_name_fn name_fns[] =
208 {set_cn1, "set CN", 1, 0},
209 {set_cn2, "set CN", 1, 0},
210 {set_cn3, "set CN", 1, 0},
211 {set_cn_and_email, "set CN", 1, 0},
212 {set_email1, "set emailAddress", 0, 1},
213 {set_email2, "set emailAddress", 0, 1},
214 {set_email3, "set emailAddress", 0, 1},
215 {set_email_and_cn, "set emailAddress", 0, 1},
216 {set_altname_dns, "set dnsName", 1, 0},
217 {set_altname_email, "set rfc822Name", 0, 1},
221 static X509 *make_cert()
225 X509_NAME *issuer = NULL;
229 if (!X509_set_version(crt, 3))
234 X509_NAME_free(issuer);
240 static void check_message(const struct set_name_fn *fn, const char *op,
241 const char *nameincert, int match, const char *name)
246 BIO_snprintf(msg, sizeof(msg), "%s: %s: [%s] %s [%s]",
247 fn->name, op, nameincert,
248 match ? "matches" : "does not match", name);
249 if (is_exception(msg))
255 static void run_cert(X509 *crt, const char *nameincert,
256 const struct set_name_fn *fn)
258 const char *const *pname = names;
261 int samename = strcasecmp(nameincert, *pname) == 0;
262 size_t namelen = strlen(*pname);
263 char *name = malloc(namelen);
265 memcpy(name, *pname, namelen);
267 ret = X509_check_host(crt, (const unsigned char *)name,
272 fprintf(stderr, "internal error in X509_check_host");
277 if (ret == 1 && !samename)
279 if (ret == 0 && samename)
284 check_message(fn, "host", nameincert, match, *pname);
286 ret = X509_check_host(crt, (const unsigned char *)name,
287 namelen, X509_CHECK_FLAG_NO_WILDCARDS);
291 fprintf(stderr, "internal error in X509_check_host");
296 if (ret == 1 && !samename)
298 if (ret == 0 && samename)
303 check_message(fn, "host-no-wildcards",
304 nameincert, match, *pname);
306 ret = X509_check_email(crt, (const unsigned char *)name,
311 if (ret && !samename)
313 if (!ret && samename && strchr(nameincert, '@') != NULL)
318 check_message(fn, "email", nameincert, match, *pname);
327 const struct set_name_fn *pfn = name_fns;
329 const char *const *pname = names;
332 X509 *crt = make_cert();
335 fprintf(stderr, "make_cert failed\n");
338 if (!pfn->fn(crt, *pname))
340 fprintf(stderr, "X509 name setting failed\n");
343 run_cert(crt, *pname, pfn);
349 return errors > 0 ? 1 : 0;