From 71c23e2a74efa4cfaddc25450f491c8b687a9ee3 Mon Sep 17 00:00:00 2001
From: sthen
Date: Fri, 17 Sep 2021 20:02:24 +0000
Subject: [PATCH] Fix subjectAlternativeName (SAN) generation for CSRs. CA/B Forum baseline requirements require that it's used in certificates so it makes sense to generate a CSR compliant with this, additionally it replaces rather than adds to the name in the certificate's subject which we weren't handling correctly. Diff from wolf at wolfsden/cz, ok florian@
---
 usr.sbin/acme-client/keyproc.c | 82 +++++++++++++++++-----------------
 1 file changed, 40 insertions(+), 42 deletions(-)
diff --git a/usr.sbin/acme-client/keyproc.c b/usr.sbin/acme-client/keyproc.c
index 1b58b4575c8..96ece27396b 100644
--- a/usr.sbin/acme-client/keyproc.c
+++ b/usr.sbin/acme-client/keyproc.c
@@ -1,4 +1,4 @@
-/* $Id: keyproc.c,v 1.15 2019/06/15 16:16:31 florian Exp $ */
+/* $Id: keyproc.c,v 1.16 2021/09/17 20:02:24 sthen Exp $ */
 /*
 * Copyright (c) 2016 Kristaps Dzonsons
 *
@@ -174,53 +174,51 @@ keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz,
 * TODO: is this the best way of doing this? */
- if (altsz > 1) {
- nid = NID_subject_alt_name;
- if ((exts = sk_X509_EXTENSION_new_null()) == NULL) {
- warnx("sk_X509_EXTENSION_new_null");
+ nid = NID_subject_alt_name;
+ if ((exts = sk_X509_EXTENSION_new_null()) == NULL) {
+ warnx("sk_X509_EXTENSION_new_null");
+ goto out;
+ }
+ /* Initialise to empty string. */
+ if ((sans = strdup("")) == NULL) {
+ warn("strdup");
+ goto out;
+ }
+ sansz = strlen(sans) + 1;
+
+ /*
+ * For each SAN entry, append it to the string.
+ * We need a single SAN entry for all of the SAN
+ * domains: NOT an entry per domain!
+ */
+
+ for (i = 0; i < altsz; i++) {
+ cc = asprintf(&san, "%sDNS:%s",
+ i ? "," : "", alts[i]);
+ if (cc == -1) {
+ warn("asprintf");
 goto out;
 }
- /* Initialise to empty string. */
- if ((sans = strdup("")) == NULL) {
- warn("strdup");
+ pp = recallocarray(sans, sansz, sansz + strlen(san), 1);
+ if (pp == NULL) {
+ warn("recallocarray");
 goto out;
 }
- sansz = strlen(sans) + 1;
-
- /*
- * For each SAN entry, append it to the string.
- * We need a single SAN entry for all of the SAN
- * domains: NOT an entry per domain!
- */
-
- for (i = 1; i < altsz; i++) {
- cc = asprintf(&san, "%sDNS:%s",
- i > 1 ? "," : "", alts[i]);
- if (cc == -1) {
- warn("asprintf");
- goto out;
- }
- pp = recallocarray(sans, sansz, sansz + strlen(san), 1);
- if (pp == NULL) {
- warn("recallocarray");
- goto out;
- }
- sans = pp;
- sansz += strlen(san);
- strlcat(sans, san, sansz);
- free(san);
- san = NULL;
- }
+ sans = pp;
+ sansz += strlen(san);
+ strlcat(sans, san, sansz);
+ free(san);
+ san = NULL;
+ }
- if (!add_ext(exts, nid, sans)) {
- warnx("add_ext");
- goto out;
- } else if (!X509_REQ_add_extensions(x, exts)) {
- warnx("X509_REQ_add_extensions");
- goto out;
- }
- sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
+ if (!add_ext(exts, nid, sans)) {
+ warnx("add_ext");
+ goto out;
+ } else if (!X509_REQ_add_extensions(x, exts)) {
+ warnx("X509_REQ_add_extensions");
+ goto out;
 }
+ sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
 /* Sign the X509 request using SHA256. */
-- 
2.20.1