v3_utl.c 36 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287
  1. /*
  2. * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /* X509 v3 extension utilities */
  10. #include "e_os.h"
  11. #include "internal/cryptlib.h"
  12. #include <stdio.h>
  13. #include "crypto/ctype.h"
  14. #include <openssl/conf.h>
  15. #include <openssl/crypto.h>
  16. #include <openssl/x509v3.h>
  17. #include "crypto/x509.h"
  18. #include <openssl/bn.h>
  19. #include "ext_dat.h"
  20. DEFINE_STACK_OF(CONF_VALUE)
  21. DEFINE_STACK_OF(GENERAL_NAME)
  22. DEFINE_STACK_OF(ACCESS_DESCRIPTION)
  23. DEFINE_STACK_OF(X509_EXTENSION)
  24. DEFINE_STACK_OF_STRING()
  25. static char *strip_spaces(char *name);
  26. static int sk_strcmp(const char *const *a, const char *const *b);
  27. static STACK_OF(OPENSSL_STRING) *get_email(const X509_NAME *name,
  28. GENERAL_NAMES *gens);
  29. static void str_free(OPENSSL_STRING str);
  30. static int append_ia5(STACK_OF(OPENSSL_STRING) **sk,
  31. const ASN1_IA5STRING *email);
  32. static int ipv4_from_asc(unsigned char *v4, const char *in);
  33. static int ipv6_from_asc(unsigned char *v6, const char *in);
  34. static int ipv6_cb(const char *elem, int len, void *usr);
  35. static int ipv6_hex(unsigned char *out, const char *in, int inlen);
  36. /* Add a CONF_VALUE name value pair to stack */
  37. int X509V3_add_value(const char *name, const char *value,
  38. STACK_OF(CONF_VALUE) **extlist)
  39. {
  40. CONF_VALUE *vtmp = NULL;
  41. char *tname = NULL, *tvalue = NULL;
  42. int sk_allocated = (*extlist == NULL);
  43. if (name && (tname = OPENSSL_strdup(name)) == NULL)
  44. goto err;
  45. if (value && (tvalue = OPENSSL_strdup(value)) == NULL)
  46. goto err;
  47. if ((vtmp = OPENSSL_malloc(sizeof(*vtmp))) == NULL)
  48. goto err;
  49. if (sk_allocated && (*extlist = sk_CONF_VALUE_new_null()) == NULL)
  50. goto err;
  51. vtmp->section = NULL;
  52. vtmp->name = tname;
  53. vtmp->value = tvalue;
  54. if (!sk_CONF_VALUE_push(*extlist, vtmp))
  55. goto err;
  56. return 1;
  57. err:
  58. X509V3err(X509V3_F_X509V3_ADD_VALUE, ERR_R_MALLOC_FAILURE);
  59. if (sk_allocated) {
  60. sk_CONF_VALUE_free(*extlist);
  61. *extlist = NULL;
  62. }
  63. OPENSSL_free(vtmp);
  64. OPENSSL_free(tname);
  65. OPENSSL_free(tvalue);
  66. return 0;
  67. }
  68. int X509V3_add_value_uchar(const char *name, const unsigned char *value,
  69. STACK_OF(CONF_VALUE) **extlist)
  70. {
  71. return X509V3_add_value(name, (const char *)value, extlist);
  72. }
  73. /* Free function for STACK_OF(CONF_VALUE) */
  74. void X509V3_conf_free(CONF_VALUE *conf)
  75. {
  76. if (!conf)
  77. return;
  78. OPENSSL_free(conf->name);
  79. OPENSSL_free(conf->value);
  80. OPENSSL_free(conf->section);
  81. OPENSSL_free(conf);
  82. }
  83. int X509V3_add_value_bool(const char *name, int asn1_bool,
  84. STACK_OF(CONF_VALUE) **extlist)
  85. {
  86. if (asn1_bool)
  87. return X509V3_add_value(name, "TRUE", extlist);
  88. return X509V3_add_value(name, "FALSE", extlist);
  89. }
  90. int X509V3_add_value_bool_nf(const char *name, int asn1_bool,
  91. STACK_OF(CONF_VALUE) **extlist)
  92. {
  93. if (asn1_bool)
  94. return X509V3_add_value(name, "TRUE", extlist);
  95. return 1;
  96. }
  97. static char *bignum_to_string(const BIGNUM *bn)
  98. {
  99. char *tmp, *ret;
  100. size_t len;
  101. /*
  102. * Display large numbers in hex and small numbers in decimal. Converting to
  103. * decimal takes quadratic time and is no more useful than hex for large
  104. * numbers.
  105. */
  106. if (BN_num_bits(bn) < 128)
  107. return BN_bn2dec(bn);
  108. tmp = BN_bn2hex(bn);
  109. if (tmp == NULL)
  110. return NULL;
  111. len = strlen(tmp) + 3;
  112. ret = OPENSSL_malloc(len);
  113. if (ret == NULL) {
  114. X509V3err(X509V3_F_BIGNUM_TO_STRING, ERR_R_MALLOC_FAILURE);
  115. OPENSSL_free(tmp);
  116. return NULL;
  117. }
  118. /* Prepend "0x", but place it after the "-" if negative. */
  119. if (tmp[0] == '-') {
  120. OPENSSL_strlcpy(ret, "-0x", len);
  121. OPENSSL_strlcat(ret, tmp + 1, len);
  122. } else {
  123. OPENSSL_strlcpy(ret, "0x", len);
  124. OPENSSL_strlcat(ret, tmp, len);
  125. }
  126. OPENSSL_free(tmp);
  127. return ret;
  128. }
  129. char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *method, const ASN1_ENUMERATED *a)
  130. {
  131. BIGNUM *bntmp = NULL;
  132. char *strtmp = NULL;
  133. if (!a)
  134. return NULL;
  135. if ((bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) == NULL
  136. || (strtmp = bignum_to_string(bntmp)) == NULL)
  137. X509V3err(X509V3_F_I2S_ASN1_ENUMERATED, ERR_R_MALLOC_FAILURE);
  138. BN_free(bntmp);
  139. return strtmp;
  140. }
  141. char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *method, const ASN1_INTEGER *a)
  142. {
  143. BIGNUM *bntmp = NULL;
  144. char *strtmp = NULL;
  145. if (!a)
  146. return NULL;
  147. if ((bntmp = ASN1_INTEGER_to_BN(a, NULL)) == NULL
  148. || (strtmp = bignum_to_string(bntmp)) == NULL)
  149. X509V3err(X509V3_F_I2S_ASN1_INTEGER, ERR_R_MALLOC_FAILURE);
  150. BN_free(bntmp);
  151. return strtmp;
  152. }
  153. ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, const char *value)
  154. {
  155. BIGNUM *bn = NULL;
  156. ASN1_INTEGER *aint;
  157. int isneg, ishex;
  158. int ret;
  159. if (value == NULL) {
  160. X509V3err(X509V3_F_S2I_ASN1_INTEGER, X509V3_R_INVALID_NULL_VALUE);
  161. return NULL;
  162. }
  163. bn = BN_new();
  164. if (bn == NULL) {
  165. X509V3err(X509V3_F_S2I_ASN1_INTEGER, ERR_R_MALLOC_FAILURE);
  166. return NULL;
  167. }
  168. if (value[0] == '-') {
  169. value++;
  170. isneg = 1;
  171. } else {
  172. isneg = 0;
  173. }
  174. if (value[0] == '0' && ((value[1] == 'x') || (value[1] == 'X'))) {
  175. value += 2;
  176. ishex = 1;
  177. } else {
  178. ishex = 0;
  179. }
  180. if (ishex)
  181. ret = BN_hex2bn(&bn, value);
  182. else
  183. ret = BN_dec2bn(&bn, value);
  184. if (!ret || value[ret]) {
  185. BN_free(bn);
  186. X509V3err(X509V3_F_S2I_ASN1_INTEGER, X509V3_R_BN_DEC2BN_ERROR);
  187. return NULL;
  188. }
  189. if (isneg && BN_is_zero(bn))
  190. isneg = 0;
  191. aint = BN_to_ASN1_INTEGER(bn, NULL);
  192. BN_free(bn);
  193. if (!aint) {
  194. X509V3err(X509V3_F_S2I_ASN1_INTEGER,
  195. X509V3_R_BN_TO_ASN1_INTEGER_ERROR);
  196. return NULL;
  197. }
  198. if (isneg)
  199. aint->type |= V_ASN1_NEG;
  200. return aint;
  201. }
  202. int X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint,
  203. STACK_OF(CONF_VALUE) **extlist)
  204. {
  205. char *strtmp;
  206. int ret;
  207. if (!aint)
  208. return 1;
  209. if ((strtmp = i2s_ASN1_INTEGER(NULL, aint)) == NULL)
  210. return 0;
  211. ret = X509V3_add_value(name, strtmp, extlist);
  212. OPENSSL_free(strtmp);
  213. return ret;
  214. }
  215. int X509V3_get_value_bool(const CONF_VALUE *value, int *asn1_bool)
  216. {
  217. const char *btmp;
  218. if ((btmp = value->value) == NULL)
  219. goto err;
  220. if (strcmp(btmp, "TRUE") == 0
  221. || strcmp(btmp, "true") == 0
  222. || strcmp(btmp, "Y") == 0
  223. || strcmp(btmp, "y") == 0
  224. || strcmp(btmp, "YES") == 0
  225. || strcmp(btmp, "yes") == 0) {
  226. *asn1_bool = 0xff;
  227. return 1;
  228. }
  229. if (strcmp(btmp, "FALSE") == 0
  230. || strcmp(btmp, "false") == 0
  231. || strcmp(btmp, "N") == 0
  232. || strcmp(btmp, "n") == 0
  233. || strcmp(btmp, "NO") == 0
  234. || strcmp(btmp, "no") == 0) {
  235. *asn1_bool = 0;
  236. return 1;
  237. }
  238. err:
  239. X509V3err(X509V3_F_X509V3_GET_VALUE_BOOL,
  240. X509V3_R_INVALID_BOOLEAN_STRING);
  241. X509V3_conf_err(value);
  242. return 0;
  243. }
  244. int X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint)
  245. {
  246. ASN1_INTEGER *itmp;
  247. if ((itmp = s2i_ASN1_INTEGER(NULL, value->value)) == NULL) {
  248. X509V3_conf_err(value);
  249. return 0;
  250. }
  251. *aint = itmp;
  252. return 1;
  253. }
  254. #define HDR_NAME 1
  255. #define HDR_VALUE 2
  256. /*
  257. * #define DEBUG
  258. */
  259. STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line)
  260. {
  261. char *p, *q, c;
  262. char *ntmp, *vtmp;
  263. STACK_OF(CONF_VALUE) *values = NULL;
  264. char *linebuf;
  265. int state;
  266. /* We are going to modify the line so copy it first */
  267. linebuf = OPENSSL_strdup(line);
  268. if (linebuf == NULL) {
  269. X509V3err(X509V3_F_X509V3_PARSE_LIST, ERR_R_MALLOC_FAILURE);
  270. goto err;
  271. }
  272. state = HDR_NAME;
  273. ntmp = NULL;
  274. /* Go through all characters */
  275. for (p = linebuf, q = linebuf; (c = *p) && (c != '\r') && (c != '\n');
  276. p++) {
  277. switch (state) {
  278. case HDR_NAME:
  279. if (c == ':') {
  280. state = HDR_VALUE;
  281. *p = 0;
  282. ntmp = strip_spaces(q);
  283. if (!ntmp) {
  284. X509V3err(X509V3_F_X509V3_PARSE_LIST,
  285. X509V3_R_INVALID_NULL_NAME);
  286. goto err;
  287. }
  288. q = p + 1;
  289. } else if (c == ',') {
  290. *p = 0;
  291. ntmp = strip_spaces(q);
  292. q = p + 1;
  293. if (!ntmp) {
  294. X509V3err(X509V3_F_X509V3_PARSE_LIST,
  295. X509V3_R_INVALID_NULL_NAME);
  296. goto err;
  297. }
  298. X509V3_add_value(ntmp, NULL, &values);
  299. }
  300. break;
  301. case HDR_VALUE:
  302. if (c == ',') {
  303. state = HDR_NAME;
  304. *p = 0;
  305. vtmp = strip_spaces(q);
  306. if (!vtmp) {
  307. X509V3err(X509V3_F_X509V3_PARSE_LIST,
  308. X509V3_R_INVALID_NULL_VALUE);
  309. goto err;
  310. }
  311. X509V3_add_value(ntmp, vtmp, &values);
  312. ntmp = NULL;
  313. q = p + 1;
  314. }
  315. }
  316. }
  317. if (state == HDR_VALUE) {
  318. vtmp = strip_spaces(q);
  319. if (!vtmp) {
  320. X509V3err(X509V3_F_X509V3_PARSE_LIST,
  321. X509V3_R_INVALID_NULL_VALUE);
  322. goto err;
  323. }
  324. X509V3_add_value(ntmp, vtmp, &values);
  325. } else {
  326. ntmp = strip_spaces(q);
  327. if (!ntmp) {
  328. X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_NAME);
  329. goto err;
  330. }
  331. X509V3_add_value(ntmp, NULL, &values);
  332. }
  333. OPENSSL_free(linebuf);
  334. return values;
  335. err:
  336. OPENSSL_free(linebuf);
  337. sk_CONF_VALUE_pop_free(values, X509V3_conf_free);
  338. return NULL;
  339. }
  340. /* Delete leading and trailing spaces from a string */
  341. static char *strip_spaces(char *name)
  342. {
  343. char *p, *q;
  344. /* Skip over leading spaces */
  345. p = name;
  346. while (*p && ossl_isspace(*p))
  347. p++;
  348. if (*p == '\0')
  349. return NULL;
  350. q = p + strlen(p) - 1;
  351. while ((q != p) && ossl_isspace(*q))
  352. q--;
  353. if (p != q)
  354. q[1] = 0;
  355. if (*p == '\0')
  356. return NULL;
  357. return p;
  358. }
  359. /*
  360. * V2I name comparison function: returns zero if 'name' matches cmp or cmp.*
  361. */
  362. int v3_name_cmp(const char *name, const char *cmp)
  363. {
  364. int len, ret;
  365. char c;
  366. len = strlen(cmp);
  367. if ((ret = strncmp(name, cmp, len)))
  368. return ret;
  369. c = name[len];
  370. if (!c || (c == '.'))
  371. return 0;
  372. return 1;
  373. }
  374. static int sk_strcmp(const char *const *a, const char *const *b)
  375. {
  376. return strcmp(*a, *b);
  377. }
  378. STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x)
  379. {
  380. GENERAL_NAMES *gens;
  381. STACK_OF(OPENSSL_STRING) *ret;
  382. gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
  383. ret = get_email(X509_get_subject_name(x), gens);
  384. sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
  385. return ret;
  386. }
  387. STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x)
  388. {
  389. AUTHORITY_INFO_ACCESS *info;
  390. STACK_OF(OPENSSL_STRING) *ret = NULL;
  391. int i;
  392. info = X509_get_ext_d2i(x, NID_info_access, NULL, NULL);
  393. if (!info)
  394. return NULL;
  395. for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
  396. ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i);
  397. if (OBJ_obj2nid(ad->method) == NID_ad_OCSP) {
  398. if (ad->location->type == GEN_URI) {
  399. if (!append_ia5
  400. (&ret, ad->location->d.uniformResourceIdentifier))
  401. break;
  402. }
  403. }
  404. }
  405. AUTHORITY_INFO_ACCESS_free(info);
  406. return ret;
  407. }
  408. STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x)
  409. {
  410. GENERAL_NAMES *gens;
  411. STACK_OF(X509_EXTENSION) *exts;
  412. STACK_OF(OPENSSL_STRING) *ret;
  413. exts = X509_REQ_get_extensions(x);
  414. gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL);
  415. ret = get_email(X509_REQ_get_subject_name(x), gens);
  416. sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
  417. sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
  418. return ret;
  419. }
  420. static STACK_OF(OPENSSL_STRING) *get_email(const X509_NAME *name,
  421. GENERAL_NAMES *gens)
  422. {
  423. STACK_OF(OPENSSL_STRING) *ret = NULL;
  424. X509_NAME_ENTRY *ne;
  425. const ASN1_IA5STRING *email;
  426. GENERAL_NAME *gen;
  427. int i = -1;
  428. /* Now add any email address(es) to STACK */
  429. /* First supplied X509_NAME */
  430. while ((i = X509_NAME_get_index_by_NID(name,
  431. NID_pkcs9_emailAddress, i)) >= 0) {
  432. ne = X509_NAME_get_entry(name, i);
  433. email = X509_NAME_ENTRY_get_data(ne);
  434. if (!append_ia5(&ret, email))
  435. return NULL;
  436. }
  437. for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
  438. gen = sk_GENERAL_NAME_value(gens, i);
  439. if (gen->type != GEN_EMAIL)
  440. continue;
  441. if (!append_ia5(&ret, gen->d.ia5))
  442. return NULL;
  443. }
  444. return ret;
  445. }
  446. static void str_free(OPENSSL_STRING str)
  447. {
  448. OPENSSL_free(str);
  449. }
  450. static int append_ia5(STACK_OF(OPENSSL_STRING) **sk,
  451. const ASN1_IA5STRING *email)
  452. {
  453. char *emtmp;
  454. /* First some sanity checks */
  455. if (email->type != V_ASN1_IA5STRING)
  456. return 1;
  457. if (!email->data || !email->length)
  458. return 1;
  459. if (*sk == NULL)
  460. *sk = sk_OPENSSL_STRING_new(sk_strcmp);
  461. if (*sk == NULL)
  462. return 0;
  463. /* Don't add duplicates */
  464. if (sk_OPENSSL_STRING_find(*sk, (char *)email->data) != -1)
  465. return 1;
  466. emtmp = OPENSSL_strdup((char *)email->data);
  467. if (emtmp == NULL || !sk_OPENSSL_STRING_push(*sk, emtmp)) {
  468. OPENSSL_free(emtmp); /* free on push failure */
  469. X509_email_free(*sk);
  470. *sk = NULL;
  471. return 0;
  472. }
  473. return 1;
  474. }
  475. void X509_email_free(STACK_OF(OPENSSL_STRING) *sk)
  476. {
  477. sk_OPENSSL_STRING_pop_free(sk, str_free);
  478. }
  479. typedef int (*equal_fn) (const unsigned char *pattern, size_t pattern_len,
  480. const unsigned char *subject, size_t subject_len,
  481. unsigned int flags);
  482. /* Skip pattern prefix to match "wildcard" subject */
  483. static void skip_prefix(const unsigned char **p, size_t *plen,
  484. size_t subject_len,
  485. unsigned int flags)
  486. {
  487. const unsigned char *pattern = *p;
  488. size_t pattern_len = *plen;
  489. /*
  490. * If subject starts with a leading '.' followed by more octets, and
  491. * pattern is longer, compare just an equal-length suffix with the
  492. * full subject (starting at the '.'), provided the prefix contains
  493. * no NULs.
  494. */
  495. if ((flags & _X509_CHECK_FLAG_DOT_SUBDOMAINS) == 0)
  496. return;
  497. while (pattern_len > subject_len && *pattern) {
  498. if ((flags & X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS) &&
  499. *pattern == '.')
  500. break;
  501. ++pattern;
  502. --pattern_len;
  503. }
  504. /* Skip if entire prefix acceptable */
  505. if (pattern_len == subject_len) {
  506. *p = pattern;
  507. *plen = pattern_len;
  508. }
  509. }
  510. /* Compare while ASCII ignoring case. */
  511. static int equal_nocase(const unsigned char *pattern, size_t pattern_len,
  512. const unsigned char *subject, size_t subject_len,
  513. unsigned int flags)
  514. {
  515. skip_prefix(&pattern, &pattern_len, subject_len, flags);
  516. if (pattern_len != subject_len)
  517. return 0;
  518. while (pattern_len != 0) {
  519. unsigned char l = *pattern;
  520. unsigned char r = *subject;
  521. /* The pattern must not contain NUL characters. */
  522. if (l == 0)
  523. return 0;
  524. if (l != r) {
  525. if ('A' <= l && l <= 'Z')
  526. l = (l - 'A') + 'a';
  527. if ('A' <= r && r <= 'Z')
  528. r = (r - 'A') + 'a';
  529. if (l != r)
  530. return 0;
  531. }
  532. ++pattern;
  533. ++subject;
  534. --pattern_len;
  535. }
  536. return 1;
  537. }
  538. /* Compare using memcmp. */
  539. static int equal_case(const unsigned char *pattern, size_t pattern_len,
  540. const unsigned char *subject, size_t subject_len,
  541. unsigned int flags)
  542. {
  543. skip_prefix(&pattern, &pattern_len, subject_len, flags);
  544. if (pattern_len != subject_len)
  545. return 0;
  546. return !memcmp(pattern, subject, pattern_len);
  547. }
  548. /*
  549. * RFC 5280, section 7.5, requires that only the domain is compared in a
  550. * case-insensitive manner.
  551. */
  552. static int equal_email(const unsigned char *a, size_t a_len,
  553. const unsigned char *b, size_t b_len,
  554. unsigned int unused_flags)
  555. {
  556. size_t i = a_len;
  557. if (a_len != b_len)
  558. return 0;
  559. /*
  560. * We search backwards for the '@' character, so that we do not have to
  561. * deal with quoted local-parts. The domain part is compared in a
  562. * case-insensitive manner.
  563. */
  564. while (i > 0) {
  565. --i;
  566. if (a[i] == '@' || b[i] == '@') {
  567. if (!equal_nocase(a + i, a_len - i, b + i, a_len - i, 0))
  568. return 0;
  569. break;
  570. }
  571. }
  572. if (i == 0)
  573. i = a_len;
  574. return equal_case(a, i, b, i, 0);
  575. }
  576. /*
  577. * Compare the prefix and suffix with the subject, and check that the
  578. * characters in-between are valid.
  579. */
  580. static int wildcard_match(const unsigned char *prefix, size_t prefix_len,
  581. const unsigned char *suffix, size_t suffix_len,
  582. const unsigned char *subject, size_t subject_len,
  583. unsigned int flags)
  584. {
  585. const unsigned char *wildcard_start;
  586. const unsigned char *wildcard_end;
  587. const unsigned char *p;
  588. int allow_multi = 0;
  589. int allow_idna = 0;
  590. if (subject_len < prefix_len + suffix_len)
  591. return 0;
  592. if (!equal_nocase(prefix, prefix_len, subject, prefix_len, flags))
  593. return 0;
  594. wildcard_start = subject + prefix_len;
  595. wildcard_end = subject + (subject_len - suffix_len);
  596. if (!equal_nocase(wildcard_end, suffix_len, suffix, suffix_len, flags))
  597. return 0;
  598. /*
  599. * If the wildcard makes up the entire first label, it must match at
  600. * least one character.
  601. */
  602. if (prefix_len == 0 && *suffix == '.') {
  603. if (wildcard_start == wildcard_end)
  604. return 0;
  605. allow_idna = 1;
  606. if (flags & X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS)
  607. allow_multi = 1;
  608. }
  609. /* IDNA labels cannot match partial wildcards */
  610. if (!allow_idna &&
  611. subject_len >= 4 && strncasecmp((char *)subject, "xn--", 4) == 0)
  612. return 0;
  613. /* The wildcard may match a literal '*' */
  614. if (wildcard_end == wildcard_start + 1 && *wildcard_start == '*')
  615. return 1;
  616. /*
  617. * Check that the part matched by the wildcard contains only
  618. * permitted characters and only matches a single label unless
  619. * allow_multi is set.
  620. */
  621. for (p = wildcard_start; p != wildcard_end; ++p)
  622. if (!(('0' <= *p && *p <= '9') ||
  623. ('A' <= *p && *p <= 'Z') ||
  624. ('a' <= *p && *p <= 'z') ||
  625. *p == '-' || (allow_multi && *p == '.')))
  626. return 0;
  627. return 1;
  628. }
  629. #define LABEL_START (1 << 0)
  630. #define LABEL_END (1 << 1)
  631. #define LABEL_HYPHEN (1 << 2)
  632. #define LABEL_IDNA (1 << 3)
  633. static const unsigned char *valid_star(const unsigned char *p, size_t len,
  634. unsigned int flags)
  635. {
  636. const unsigned char *star = 0;
  637. size_t i;
  638. int state = LABEL_START;
  639. int dots = 0;
  640. for (i = 0; i < len; ++i) {
  641. /*
  642. * Locate first and only legal wildcard, either at the start
  643. * or end of a non-IDNA first and not final label.
  644. */
  645. if (p[i] == '*') {
  646. int atstart = (state & LABEL_START);
  647. int atend = (i == len - 1 || p[i + 1] == '.');
  648. /*-
  649. * At most one wildcard per pattern.
  650. * No wildcards in IDNA labels.
  651. * No wildcards after the first label.
  652. */
  653. if (star != NULL || (state & LABEL_IDNA) != 0 || dots)
  654. return NULL;
  655. /* Only full-label '*.example.com' wildcards? */
  656. if ((flags & X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS)
  657. && (!atstart || !atend))
  658. return NULL;
  659. /* No 'foo*bar' wildcards */
  660. if (!atstart && !atend)
  661. return NULL;
  662. star = &p[i];
  663. state &= ~LABEL_START;
  664. } else if (('a' <= p[i] && p[i] <= 'z')
  665. || ('A' <= p[i] && p[i] <= 'Z')
  666. || ('0' <= p[i] && p[i] <= '9')) {
  667. if ((state & LABEL_START) != 0
  668. && len - i >= 4 && strncasecmp((char *)&p[i], "xn--", 4) == 0)
  669. state |= LABEL_IDNA;
  670. state &= ~(LABEL_HYPHEN | LABEL_START);
  671. } else if (p[i] == '.') {
  672. if ((state & (LABEL_HYPHEN | LABEL_START)) != 0)
  673. return NULL;
  674. state = LABEL_START;
  675. ++dots;
  676. } else if (p[i] == '-') {
  677. /* no domain/subdomain starts with '-' */
  678. if ((state & LABEL_START) != 0)
  679. return NULL;
  680. state |= LABEL_HYPHEN;
  681. } else {
  682. return NULL;
  683. }
  684. }
  685. /*
  686. * The final label must not end in a hyphen or ".", and
  687. * there must be at least two dots after the star.
  688. */
  689. if ((state & (LABEL_START | LABEL_HYPHEN)) != 0 || dots < 2)
  690. return NULL;
  691. return star;
  692. }
  693. /* Compare using wildcards. */
  694. static int equal_wildcard(const unsigned char *pattern, size_t pattern_len,
  695. const unsigned char *subject, size_t subject_len,
  696. unsigned int flags)
  697. {
  698. const unsigned char *star = NULL;
  699. /*
  700. * Subject names starting with '.' can only match a wildcard pattern
  701. * via a subject sub-domain pattern suffix match.
  702. */
  703. if (!(subject_len > 1 && subject[0] == '.'))
  704. star = valid_star(pattern, pattern_len, flags);
  705. if (star == NULL)
  706. return equal_nocase(pattern, pattern_len,
  707. subject, subject_len, flags);
  708. return wildcard_match(pattern, star - pattern,
  709. star + 1, (pattern + pattern_len) - star - 1,
  710. subject, subject_len, flags);
  711. }
  712. /*
  713. * Compare an ASN1_STRING to a supplied string. If they match return 1. If
  714. * cmp_type > 0 only compare if string matches the type, otherwise convert it
  715. * to UTF8.
  716. */
  717. static int do_check_string(const ASN1_STRING *a, int cmp_type, equal_fn equal,
  718. unsigned int flags, const char *b, size_t blen,
  719. char **peername)
  720. {
  721. int rv = 0;
  722. if (!a->data || !a->length)
  723. return 0;
  724. if (cmp_type > 0) {
  725. if (cmp_type != a->type)
  726. return 0;
  727. if (cmp_type == V_ASN1_IA5STRING)
  728. rv = equal(a->data, a->length, (unsigned char *)b, blen, flags);
  729. else if (a->length == (int)blen && !memcmp(a->data, b, blen))
  730. rv = 1;
  731. if (rv > 0 && peername)
  732. *peername = OPENSSL_strndup((char *)a->data, a->length);
  733. } else {
  734. int astrlen;
  735. unsigned char *astr;
  736. astrlen = ASN1_STRING_to_UTF8(&astr, a);
  737. if (astrlen < 0) {
  738. /*
  739. * -1 could be an internal malloc failure or a decoding error from
  740. * malformed input; we can't distinguish.
  741. */
  742. return -1;
  743. }
  744. rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);
  745. if (rv > 0 && peername)
  746. *peername = OPENSSL_strndup((char *)astr, astrlen);
  747. OPENSSL_free(astr);
  748. }
  749. return rv;
  750. }
  751. static int do_x509_check(X509 *x, const char *chk, size_t chklen,
  752. unsigned int flags, int check_type, char **peername)
  753. {
  754. GENERAL_NAMES *gens = NULL;
  755. const X509_NAME *name = NULL;
  756. int i;
  757. int cnid = NID_undef;
  758. int alt_type;
  759. int san_present = 0;
  760. int rv = 0;
  761. equal_fn equal;
  762. /* See below, this flag is internal-only */
  763. flags &= ~_X509_CHECK_FLAG_DOT_SUBDOMAINS;
  764. if (check_type == GEN_EMAIL) {
  765. cnid = NID_pkcs9_emailAddress;
  766. alt_type = V_ASN1_IA5STRING;
  767. equal = equal_email;
  768. } else if (check_type == GEN_DNS) {
  769. cnid = NID_commonName;
  770. /* Implicit client-side DNS sub-domain pattern */
  771. if (chklen > 1 && chk[0] == '.')
  772. flags |= _X509_CHECK_FLAG_DOT_SUBDOMAINS;
  773. alt_type = V_ASN1_IA5STRING;
  774. if (flags & X509_CHECK_FLAG_NO_WILDCARDS)
  775. equal = equal_nocase;
  776. else
  777. equal = equal_wildcard;
  778. } else {
  779. alt_type = V_ASN1_OCTET_STRING;
  780. equal = equal_case;
  781. }
  782. if (chklen == 0)
  783. chklen = strlen(chk);
  784. gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
  785. if (gens) {
  786. for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
  787. GENERAL_NAME *gen;
  788. ASN1_STRING *cstr;
  789. gen = sk_GENERAL_NAME_value(gens, i);
  790. if (gen->type != check_type)
  791. continue;
  792. san_present = 1;
  793. if (check_type == GEN_EMAIL)
  794. cstr = gen->d.rfc822Name;
  795. else if (check_type == GEN_DNS)
  796. cstr = gen->d.dNSName;
  797. else
  798. cstr = gen->d.iPAddress;
  799. /* Positive on success, negative on error! */
  800. if ((rv = do_check_string(cstr, alt_type, equal, flags,
  801. chk, chklen, peername)) != 0)
  802. break;
  803. }
  804. GENERAL_NAMES_free(gens);
  805. if (rv != 0)
  806. return rv;
  807. if (san_present && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT))
  808. return 0;
  809. }
  810. /* We're done if CN-ID is not pertinent */
  811. if (cnid == NID_undef || (flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT))
  812. return 0;
  813. i = -1;
  814. name = X509_get_subject_name(x);
  815. while ((i = X509_NAME_get_index_by_NID(name, cnid, i)) >= 0) {
  816. const X509_NAME_ENTRY *ne = X509_NAME_get_entry(name, i);
  817. const ASN1_STRING *str = X509_NAME_ENTRY_get_data(ne);
  818. /* Positive on success, negative on error! */
  819. if ((rv = do_check_string(str, -1, equal, flags,
  820. chk, chklen, peername)) != 0)
  821. return rv;
  822. }
  823. return 0;
  824. }
  825. int X509_check_host(X509 *x, const char *chk, size_t chklen,
  826. unsigned int flags, char **peername)
  827. {
  828. if (chk == NULL)
  829. return -2;
  830. /*
  831. * Embedded NULs are disallowed, except as the last character of a
  832. * string of length 2 or more (tolerate caller including terminating
  833. * NUL in string length).
  834. */
  835. if (chklen == 0)
  836. chklen = strlen(chk);
  837. else if (memchr(chk, '\0', chklen > 1 ? chklen - 1 : chklen))
  838. return -2;
  839. if (chklen > 1 && chk[chklen - 1] == '\0')
  840. --chklen;
  841. return do_x509_check(x, chk, chklen, flags, GEN_DNS, peername);
  842. }
  843. int X509_check_email(X509 *x, const char *chk, size_t chklen,
  844. unsigned int flags)
  845. {
  846. if (chk == NULL)
  847. return -2;
  848. /*
  849. * Embedded NULs are disallowed, except as the last character of a
  850. * string of length 2 or more (tolerate caller including terminating
  851. * NUL in string length).
  852. */
  853. if (chklen == 0)
  854. chklen = strlen((char *)chk);
  855. else if (memchr(chk, '\0', chklen > 1 ? chklen - 1 : chklen))
  856. return -2;
  857. if (chklen > 1 && chk[chklen - 1] == '\0')
  858. --chklen;
  859. return do_x509_check(x, chk, chklen, flags, GEN_EMAIL, NULL);
  860. }
  861. int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
  862. unsigned int flags)
  863. {
  864. if (chk == NULL)
  865. return -2;
  866. return do_x509_check(x, (char *)chk, chklen, flags, GEN_IPADD, NULL);
  867. }
  868. int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags)
  869. {
  870. unsigned char ipout[16];
  871. size_t iplen;
  872. if (ipasc == NULL)
  873. return -2;
  874. iplen = (size_t)a2i_ipadd(ipout, ipasc);
  875. if (iplen == 0)
  876. return -2;
  877. return do_x509_check(x, (char *)ipout, iplen, flags, GEN_IPADD, NULL);
  878. }
  879. char *ipaddr_to_asc(unsigned char *p, int len)
  880. {
  881. char buf[40], *out;
  882. switch (len) {
  883. case 4: /* IPv4 */
  884. BIO_snprintf(buf, sizeof(buf), "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
  885. break;
  886. /* TODO possibly combine with static i2r_address() in v3_addr.c */
  887. case 16: /* IPv6 */
  888. for (out = buf; out < buf + 8 * 3; out += 3) {
  889. BIO_snprintf(out, 3 + 1, "%X:", p[0] << 8 | p[1]);
  890. p += 2;
  891. }
  892. out[-1] = '\0';
  893. break;
  894. default:
  895. BIO_snprintf(buf, sizeof(buf), "<invalid length=%d>", len);
  896. break;
  897. }
  898. return OPENSSL_strdup(buf);
  899. }
  900. /*
  901. * Convert IP addresses both IPv4 and IPv6 into an OCTET STRING compatible
  902. * with RFC3280.
  903. */
  904. ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc)
  905. {
  906. unsigned char ipout[16];
  907. ASN1_OCTET_STRING *ret;
  908. int iplen;
  909. /* If string contains a ':' assume IPv6 */
  910. iplen = a2i_ipadd(ipout, ipasc);
  911. if (!iplen)
  912. return NULL;
  913. ret = ASN1_OCTET_STRING_new();
  914. if (ret == NULL)
  915. return NULL;
  916. if (!ASN1_OCTET_STRING_set(ret, ipout, iplen)) {
  917. ASN1_OCTET_STRING_free(ret);
  918. return NULL;
  919. }
  920. return ret;
  921. }
  922. ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc)
  923. {
  924. ASN1_OCTET_STRING *ret = NULL;
  925. unsigned char ipout[32];
  926. char *iptmp = NULL, *p;
  927. int iplen1, iplen2;
  928. p = strchr(ipasc, '/');
  929. if (p == NULL)
  930. return NULL;
  931. iptmp = OPENSSL_strdup(ipasc);
  932. if (iptmp == NULL)
  933. return NULL;
  934. p = iptmp + (p - ipasc);
  935. *p++ = 0;
  936. iplen1 = a2i_ipadd(ipout, iptmp);
  937. if (!iplen1)
  938. goto err;
  939. iplen2 = a2i_ipadd(ipout + iplen1, p);
  940. OPENSSL_free(iptmp);
  941. iptmp = NULL;
  942. if (!iplen2 || (iplen1 != iplen2))
  943. goto err;
  944. ret = ASN1_OCTET_STRING_new();
  945. if (ret == NULL)
  946. goto err;
  947. if (!ASN1_OCTET_STRING_set(ret, ipout, iplen1 + iplen2))
  948. goto err;
  949. return ret;
  950. err:
  951. OPENSSL_free(iptmp);
  952. ASN1_OCTET_STRING_free(ret);
  953. return NULL;
  954. }
  955. int a2i_ipadd(unsigned char *ipout, const char *ipasc)
  956. {
  957. /* If string contains a ':' assume IPv6 */
  958. if (strchr(ipasc, ':')) {
  959. if (!ipv6_from_asc(ipout, ipasc))
  960. return 0;
  961. return 16;
  962. } else {
  963. if (!ipv4_from_asc(ipout, ipasc))
  964. return 0;
  965. return 4;
  966. }
  967. }
  968. static int ipv4_from_asc(unsigned char *v4, const char *in)
  969. {
  970. int a0, a1, a2, a3;
  971. if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4)
  972. return 0;
  973. if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255)
  974. || (a2 < 0) || (a2 > 255) || (a3 < 0) || (a3 > 255))
  975. return 0;
  976. v4[0] = a0;
  977. v4[1] = a1;
  978. v4[2] = a2;
  979. v4[3] = a3;
  980. return 1;
  981. }
  982. typedef struct {
  983. /* Temporary store for IPV6 output */
  984. unsigned char tmp[16];
  985. /* Total number of bytes in tmp */
  986. int total;
  987. /* The position of a zero (corresponding to '::') */
  988. int zero_pos;
  989. /* Number of zeroes */
  990. int zero_cnt;
  991. } IPV6_STAT;
  992. static int ipv6_from_asc(unsigned char *v6, const char *in)
  993. {
  994. IPV6_STAT v6stat;
  995. v6stat.total = 0;
  996. v6stat.zero_pos = -1;
  997. v6stat.zero_cnt = 0;
  998. /*
  999. * Treat the IPv6 representation as a list of values separated by ':'.
  1000. * The presence of a '::' will parse as one, two or three zero length
  1001. * elements.
  1002. */
  1003. if (!CONF_parse_list(in, ':', 0, ipv6_cb, &v6stat))
  1004. return 0;
  1005. /* Now for some sanity checks */
  1006. if (v6stat.zero_pos == -1) {
  1007. /* If no '::' must have exactly 16 bytes */
  1008. if (v6stat.total != 16)
  1009. return 0;
  1010. } else {
  1011. /* If '::' must have less than 16 bytes */
  1012. if (v6stat.total == 16)
  1013. return 0;
  1014. /* More than three zeroes is an error */
  1015. if (v6stat.zero_cnt > 3) {
  1016. return 0;
  1017. /* Can only have three zeroes if nothing else present */
  1018. } else if (v6stat.zero_cnt == 3) {
  1019. if (v6stat.total > 0)
  1020. return 0;
  1021. } else if (v6stat.zero_cnt == 2) {
  1022. /* Can only have two zeroes if at start or end */
  1023. if ((v6stat.zero_pos != 0)
  1024. && (v6stat.zero_pos != v6stat.total))
  1025. return 0;
  1026. } else {
  1027. /* Can only have one zero if *not* start or end */
  1028. if ((v6stat.zero_pos == 0)
  1029. || (v6stat.zero_pos == v6stat.total))
  1030. return 0;
  1031. }
  1032. }
  1033. /* Format result */
  1034. if (v6stat.zero_pos >= 0) {
  1035. /* Copy initial part */
  1036. memcpy(v6, v6stat.tmp, v6stat.zero_pos);
  1037. /* Zero middle */
  1038. memset(v6 + v6stat.zero_pos, 0, 16 - v6stat.total);
  1039. /* Copy final part */
  1040. if (v6stat.total != v6stat.zero_pos)
  1041. memcpy(v6 + v6stat.zero_pos + 16 - v6stat.total,
  1042. v6stat.tmp + v6stat.zero_pos,
  1043. v6stat.total - v6stat.zero_pos);
  1044. } else {
  1045. memcpy(v6, v6stat.tmp, 16);
  1046. }
  1047. return 1;
  1048. }
  1049. static int ipv6_cb(const char *elem, int len, void *usr)
  1050. {
  1051. IPV6_STAT *s = usr;
  1052. /* Error if 16 bytes written */
  1053. if (s->total == 16)
  1054. return 0;
  1055. if (len == 0) {
  1056. /* Zero length element, corresponds to '::' */
  1057. if (s->zero_pos == -1)
  1058. s->zero_pos = s->total;
  1059. /* If we've already got a :: its an error */
  1060. else if (s->zero_pos != s->total)
  1061. return 0;
  1062. s->zero_cnt++;
  1063. } else {
  1064. /* If more than 4 characters could be final a.b.c.d form */
  1065. if (len > 4) {
  1066. /* Need at least 4 bytes left */
  1067. if (s->total > 12)
  1068. return 0;
  1069. /* Must be end of string */
  1070. if (elem[len])
  1071. return 0;
  1072. if (!ipv4_from_asc(s->tmp + s->total, elem))
  1073. return 0;
  1074. s->total += 4;
  1075. } else {
  1076. if (!ipv6_hex(s->tmp + s->total, elem, len))
  1077. return 0;
  1078. s->total += 2;
  1079. }
  1080. }
  1081. return 1;
  1082. }
  1083. /*
  1084. * Convert a string of up to 4 hex digits into the corresponding IPv6 form.
  1085. */
  1086. static int ipv6_hex(unsigned char *out, const char *in, int inlen)
  1087. {
  1088. unsigned char c;
  1089. unsigned int num = 0;
  1090. int x;
  1091. if (inlen > 4)
  1092. return 0;
  1093. while (inlen--) {
  1094. c = *in++;
  1095. num <<= 4;
  1096. x = OPENSSL_hexchar2int(c);
  1097. if (x < 0)
  1098. return 0;
  1099. num |= (char)x;
  1100. }
  1101. out[0] = num >> 8;
  1102. out[1] = num & 0xff;
  1103. return 1;
  1104. }
  1105. int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE) *dn_sk,
  1106. unsigned long chtype)
  1107. {
  1108. CONF_VALUE *v;
  1109. int i, mval, spec_char, plus_char;
  1110. char *p, *type;
  1111. if (!nm)
  1112. return 0;
  1113. for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
  1114. v = sk_CONF_VALUE_value(dn_sk, i);
  1115. type = v->name;
  1116. /*
  1117. * Skip past any leading X. X: X, etc to allow for multiple instances
  1118. */
  1119. for (p = type; *p; p++) {
  1120. #ifndef CHARSET_EBCDIC
  1121. spec_char = ((*p == ':') || (*p == ',') || (*p == '.'));
  1122. #else
  1123. spec_char = ((*p == os_toascii[':']) || (*p == os_toascii[','])
  1124. || (*p == os_toascii['.']));
  1125. #endif
  1126. if (spec_char) {
  1127. p++;
  1128. if (*p)
  1129. type = p;
  1130. break;
  1131. }
  1132. }
  1133. #ifndef CHARSET_EBCDIC
  1134. plus_char = (*type == '+');
  1135. #else
  1136. plus_char = (*type == os_toascii['+']);
  1137. #endif
  1138. if (plus_char) {
  1139. mval = -1;
  1140. type++;
  1141. } else {
  1142. mval = 0;
  1143. }
  1144. if (!X509_NAME_add_entry_by_txt(nm, type, chtype,
  1145. (unsigned char *)v->value, -1, -1,
  1146. mval))
  1147. return 0;
  1148. }
  1149. return 1;
  1150. }