There's no support for name constraints on this type, no certtool support, nothing else.
Just added what's easy to add because I needed a virtual SAN for them.
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
* @GNUTLS_SAN_OTHERNAME_XMPP: Virtual SAN, used by certain functions for convenience.
* @GNUTLS_SAN_OTHERNAME_KRB5PRINCIPAL: Virtual SAN, used by certain functions for convenience.
* @GNUTLS_SAN_OTHERNAME_MSUSERPRINCIPAL: Virtual SAN, used by certain functions for convenience.
+ * @GNUTLS_SAN_OTHERNAME_SRV: Virtual SAN, used by certain functions for convenience.
*
* Enumeration of different subject alternative names types.
*/
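Review bot: The new doc line for GNUTLS_SAN_OTHERNAME_SRV repeats the "Virtual SAN, used by certain functions for convenience" boilerplate and never says which otherName it stands for, which is the one thing an API user needs to pick the right type. Suggest ` * @GNUTLS_SAN_OTHERNAME_SRV: Virtual SAN for the SRVName otherName (RFC 4985, an IA5String of the form _Service.Name), used by certain functions for convenience.` Given the commit description says name constraints are not supported for it, a short mention that this type is not subject to name-constraint checking would also save a practitioner a wrong assumption; confirm that against the constraints code before writing it down.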
Used by gnutls_x509_crt_get_subject_alt_othername_oid. */
GNUTLS_SAN_OTHERNAME_XMPP = 1000,
GNUTLS_SAN_OTHERNAME_KRB5PRINCIPAL,
- GNUTLS_SAN_OTHERNAME_MSUSERPRINCIPAL
+ GNUTLS_SAN_OTHERNAME_MSUSERPRINCIPAL,
+ GNUTLS_SAN_OTHERNAME_SRV
} gnutls_x509_subject_alt_name_t;
struct gnutls_openpgp_crt_int;
#define XMPP_OID "1.3.6.1.5.5.7.8.5"
#define KRB5_PRINCIPAL_OID "1.3.6.1.5.2.2"
#define MSUSER_PRINCIPAL_NAME_OID "1.3.6.1.4.1.311.20.2.3"
+#define SRV_OID "1.3.6.1.5.5.7.8.7"
#define PKIX1_RSA_PSS_MGF1_OID "1.2.840.113549.1.1.8"
#define PKIX1_RSA_OAEP_P_SPECIFIED_OID "1.9"
if (type != GNUTLS_SAN_DNSNAME && type != GNUTLS_SAN_RFC822NAME &&
type != GNUTLS_SAN_DN && type != GNUTLS_SAN_URI &&
type != GNUTLS_SAN_IPADDRESS &&
- type != GNUTLS_SAN_OTHERNAME_MSUSERPRINCIPAL) {
+ type != GNUTLS_SAN_OTHERNAME_MSUSERPRINCIPAL &&
+ type != GNUTLS_SAN_OTHERNAME_SRV) {
return gnutls_assert_val(GNUTLS_E_X509_UNKNOWN_SAN);
}
if ((type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_OTHERNAME_XMPP ||
type == GNUTLS_SAN_OTHERNAME_KRB5PRINCIPAL ||
type == GNUTLS_SAN_OTHERNAME_MSUSERPRINCIPAL ||
+ type == GNUTLS_SAN_OTHERNAME_SRV ||
type == GNUTLS_SAN_RFC822NAME || type == GNUTLS_SAN_URI) &&
sname != NULL && strlen(sname) != name->size) {
adds(str, _("warning: SAN contains an embedded NUL, "
name->size, NON_NULL(name->data));
break;
+ case GNUTLS_SAN_OTHERNAME_SRV:
+ addf(str, _("%sSRVName: %.*s\n"), prefix, name->size,
+ NON_NULL(name->data));
+ break;
+
default:
addf(str, _("%sUnknown name: "), prefix);
_gnutls_buffer_hexprint(str, name->data, name->size);
memcmp(oid, MSUSER_PRINCIPAL_NAME_OID,
sizeof(MSUSER_PRINCIPAL_NAME_OID) - 1) == 0)
return GNUTLS_SAN_OTHERNAME_MSUSERPRINCIPAL;
+ else if ((unsigned)size == (sizeof(SRV_OID) - 1) &&
+ memcmp(oid, SRV_OID, sizeof(SRV_OID) - 1) == 0)
+ return GNUTLS_SAN_OTHERNAME_SRV;
}
return GNUTLS_SAN_OTHERNAME;
return KRB5_PRINCIPAL_OID;
case GNUTLS_SAN_OTHERNAME_MSUSERPRINCIPAL:
return MSUSER_PRINCIPAL_NAME_OID;
+ case GNUTLS_SAN_OTHERNAME_SRV:
+ return SRV_OID;
default:
return NULL;
}
return gnutls_assert_val(ret);
break;
+ case GNUTLS_SAN_OTHERNAME_SRV:
+ ret = _gnutls_x509_encode_string(ASN1_ETYPE_IA5_STRING,
+ san->data, san->size,
+ &encoded);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ name->san = _gnutls_take_datum(&encoded);
+ break;
+
default:
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
}
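Review bot: The GNUTLS_SAN_OTHERNAME_SRV case passes san->data straight to _gnutls_x509_encode_string with no check on the value, so an empty name is encoded even though the SRVName type this OID denotes is IA5String SIZE(1..MAX) (RFC 4985, written as _Service.Name). A guard before the encode call, `if (san->size == 0) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);`, keeps such values out of a certificate being built; whether _gnutls_x509_encode_string already rejects non-7-bit bytes for ASN1_ETYPE_IA5_STRING is not visible here and is worth confirming, since an 8-bit byte in an IA5String is a malformed extension. The enclosing function starts and ends outside this hunk.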
return ret;
}
return 0;
+ case GNUTLS_SAN_OTHERNAME_SRV:
+ ret = _gnutls_x509_decode_string(ASN1_ETYPE_IA5_STRING,
+ othername->data,
+ othername->size, virt, 0);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+ return 0;
default:
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
}
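Review bot: The new decode case returns 0 as soon as _gnutls_x509_decode_string succeeds, so a zero-length SRVName from an untrusted certificate is accepted although RFC 4985 requires at least one character; it then surfaces as an empty name to callers and as a bare `SRVName: ` line in the printer. If virt is the output datum, a check such as `if (virt->size == 0) return gnutls_assert_val(GNUTLS_E_X509_UNKNOWN_SAN);` after the call would reject it, using whichever error code the sibling cases report for malformed names. The enclosing function starts outside this hunk.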
{
if (type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME ||
type == GNUTLS_SAN_URI || type == GNUTLS_SAN_OTHERNAME_XMPP ||
- type == GNUTLS_SAN_OTHERNAME || type == GNUTLS_SAN_REGISTERED_ID)
+ type == GNUTLS_SAN_OTHERNAME_SRV || type == GNUTLS_SAN_OTHERNAME ||
+ type == GNUTLS_SAN_REGISTERED_ID)
return 1;
else
return 0;