authortb <>2025-01-26 20:18:26 +0000
committertb <>2025-01-26 20:18:26 +0000
commitdf05327f43597e9bb318d8a2b4f5ba4653e79b1c (patch)
tree0aeec67dcf3be4c7ea52ab8ca0e1028737c810d0
parentd2f7e48d3d75285ab819059405075d1806694766 (diff)
downloadopenbsd-df05327f43597e9bb318d8a2b4f5ba4653e79b1c.tar.gz
openbsd-df05327f43597e9bb318d8a2b4f5ba4653e79b1c.tar.bz2
openbsd-df05327f43597e9bb318d8a2b4f5ba4653e79b1c.zip
Rework X509_NAME_print()
This is legacy API that we can unexport since nothing uses it directly. Unfortunately we need to keep the functions because there are plenty of things that use it indirectly by passing XN_FLAG_COMPAT to X509_print_ex(). The old implementation parsed the X509_NAME_oneline() output in order to remove the / preceding the (one or two-uppercase letters) name and to insert ", " afterward. This is just stupid in so many ways, not least because there's basically no limit to the garbage that you can stuff into an X.500 name. So rework this and only include the name entries whose short names are one or two letters long. This way, this becomes slightly saner and less fragile. ok jsing
-rw-r--r--src/lib/libcrypto/asn1/t_x509.c98
1 files changed, 65 insertions, 33 deletions
diff --git a/src/lib/libcrypto/asn1/t_x509.c b/src/lib/libcrypto/asn1/t_x509.c
index 87771ab090..669aec0093 100644
--- a/src/lib/libcrypto/asn1/t_x509.c
+++ b/src/lib/libcrypto/asn1/t_x509.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t_x509.c,v 1.47 2025/01/11 03:00:04 tb Exp $ */ 1/* $OpenBSD: t_x509.c,v 1.48 2025/01/26 20:18:26 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -78,6 +78,7 @@
78#include <openssl/rsa.h> 78#include <openssl/rsa.h>
79#endif 79#endif
80 80
81#include "bytestring.h"
81#include "evp_local.h" 82#include "evp_local.h"
82#include "x509_local.h" 83#include "x509_local.h"
83 84
@@ -490,48 +491,79 @@ ASN1_UTCTIME_print(BIO *bp, const ASN1_UTCTIME *tm)
490} 491}
491LCRYPTO_ALIAS(ASN1_UTCTIME_print); 492LCRYPTO_ALIAS(ASN1_UTCTIME_print);
492 493
493int 494/* NID with SN of 1-2 letters, which X509_NAME_print() historically included. */
494X509_NAME_print(BIO *bp, const X509_NAME *name, int obase) 495static int
496x509_name_entry_include(const X509_NAME_ENTRY *ne)
495{ 497{
496 char *s, *c, *b; 498 int nid;
497 int i;
498 int ret = 0;
499 499
500 b = X509_NAME_oneline(name, NULL, 0); 500 if ((nid = OBJ_obj2nid(ne->object)) == NID_undef)
501 if (b == NULL)
502 return 0; 501 return 0;
503 if (*b == '\0') { 502
504 free(b); 503 switch (nid) {
504 case NID_commonName:
505 case NID_surname:
506 case NID_countryName:
507 case NID_localityName:
508 case NID_stateOrProvinceName:
509 case NID_organizationName:
510 case NID_organizationalUnitName:
511 case NID_givenName:
512 case NID_domainComponent: /* XXX - doesn't really belong here */
505 return 1; 513 return 1;
506 } 514 }
507 s = b + 1; /* skip the first slash */ 515
508 516 return 0;
509 c = s; 517}
510 for (;;) { 518
511 if ((s[0] == '/' && 519int
512 (s[1] >= 'A' && s[1] <= 'Z' && 520X509_NAME_print(BIO *bio, const X509_NAME *name, int obase)
513 (s[2] == '=' || (s[2] >= 'A' && s[2] <= 'Z' && 521{
514 s[3] == '=')))) || s[0] == '\0') { 522 CBB cbb;
515 i = s - c; 523 uint8_t *buf = NULL;
516 if (BIO_write(bp, c, i) != i) 524 size_t buf_len;
525 const X509_NAME_ENTRY *ne;
526 int i;
527 int started = 0;
528 int ret = 0;
529
530 if (!CBB_init(&cbb, 0))
531 goto err;
532
533 for (i = 0; i < sk_X509_NAME_ENTRY_num(name->entries); i++) {
534 ne = sk_X509_NAME_ENTRY_value(name->entries, i);
535
536 if (!x509_name_entry_include(ne))
537 continue;
538
539 if (started) {
540 if (!CBB_add_u8(&cbb, ','))
541 goto err;
542 if (!CBB_add_u8(&cbb, ' '))
517 goto err; 543 goto err;
518 c = s + 1; /* skip following slash */
519 if (*s != '\0') {
520 if (BIO_write(bp, ", ", 2) != 2)
521 goto err;
522 }
523 } 544 }
524 if (*s == '\0') 545
525 break; 546 if (!X509_NAME_ENTRY_add_cbb(&cbb, ne))
526 s++; 547 goto err;
548
549 started = 1;
527 } 550 }
528 551
552 if (!CBB_finish(&cbb, &buf, &buf_len))
553 goto err;
554
555 if (buf_len > INT_MAX)
556 goto err;
557
558 if (BIO_write(bio, buf, buf_len) <= 0)
559 goto err;
560
529 ret = 1; 561 ret = 1;
530 if (0) { 562
531 err: 563 err:
532 X509error(ERR_R_BUF_LIB); 564 CBB_cleanup(&cbb);
533 } 565 free(buf);
534 free(b); 566
535 return (ret); 567 return ret;
536} 568}
537LCRYPTO_ALIAS(X509_NAME_print); 569LCRYPTO_ALIAS(X509_NAME_print);
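Review bot: The `BIO_write(bio, buf, buf_len) <= 0` check on new line 558 turns an empty result into a failure: a name with no entry accepted by x509_name_entry_include() (an empty subject, which is legitimate when the certificate carries a critical SAN, or a name consisting only of components such as emailAddress) leaves buf_len at 0, and if BIO_write() reports 0 for a zero-length write, as a memory BIO appears to, X509_NAME_print() now returns 0 where the removed `*b == '\0'` branch returned 1. The same comparison also accepts a short write as success, which the old `!= i` test did not. Since buf_len is already bounded by INT_MAX on the preceding line, `if (buf_len > 0 && BIO_write(bio, buf, buf_len) != (int)buf_len) goto err;` would restore both behaviours. The err path also drops the `X509error(ERR_R_BUF_LIB)` the old code pushed, so callers of X509_print_ex() with XN_FLAG_COMPAT no longer get anything on the error queue; either push an error before the cleanup or add a comment stating that failures are reported only through the return value.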