[icinga-checkins] icinga.org: icinga2/master: Implement support for subjectAltName in SSL certificates

git at icinga.org git at icinga.org
Tue May 17 11:44:09 CEST 2016


Module: icinga2
Branch: master
Commit: 70c8bbcf99acac912dc6740e6c9b9c0558c2c290
URL:    https://git.icinga.org/?p=icinga2.git;a=commit;h=70c8bbcf99acac912dc6740e6c9b9c0558c2c290

Author: Gunnar Beutner <gunnar.beutner at netways.de>
Date:   Thu Apr 21 15:25:57 2016 +0200

Implement support for subjectAltName in SSL certificates

fixes #11556

---

 lib/base/tlsutility.cpp |   42 ++++++++++++++++++++++++++++--------------
 1 file changed, 28 insertions(+), 14 deletions(-)

diff --git a/lib/base/tlsutility.cpp b/lib/base/tlsutility.cpp
index 5040013..83bb7c1 100644
--- a/lib/base/tlsutility.cpp
+++ b/lib/base/tlsutility.cpp
@@ -191,19 +191,12 @@ void AddCRLToSSLContext(const boost::shared_ptr<SSL_CTX>& context, const String&
 	X509_VERIFY_PARAM_free(param);
 }
 
-/**
- * Retrieves the common name for an X509 certificate.
- *
- * @param certificate The X509 certificate.
- * @returns The common name.
- */
-String GetCertificateCN(const boost::shared_ptr<X509>& certificate)
+static String GetX509NameCN(X509_NAME *name)
 {
 	char errbuf[120];
 	char buffer[256];
 
-	int rc = X509_NAME_get_text_by_NID(X509_get_subject_name(certificate.get()),
-	    NID_commonName, buffer, sizeof(buffer));
+	int rc = X509_NAME_get_text_by_NID(name, NID_commonName, buffer, sizeof(buffer));
 
 	if (rc == -1) {
 		Log(LogCritical, "SSL")
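Review bot: The new static helper GetX509NameCN at line 39 has no doc comment; the Doxygen block that used to sit on GetCertificateCN moved with the wrapper, so the function that now does the work is undocumented. I would add `/** Retrieves the common name (CN) from an X509_NAME. Logs a critical error when the name carries no CN. */` above the definition. It is also worth noting in that comment that the CN is copied into a fixed 256-byte buffer, so a longer CN is silently truncated as far as I can tell from the X509_NAME_get_text_by_NID call, which matters now that CreateCert feeds the result into a subjectAltName extension. The body of GetX509NameCN continues past the end of this hunk.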
@@ -217,6 +210,17 @@ String GetCertificateCN(const boost::shared_ptr<X509>& certificate)
 }
 
 /**
+ * Retrieves the common name for an X509 certificate.
+ *
+ * @param certificate The X509 certificate.
+ * @returns The common name.
+ */
+String GetCertificateCN(const boost::shared_ptr<X509>& certificate)
+{
+	return GetX509NameCN(X509_get_subject_name(certificate.get()));
+}
+
+/**
  * Retrieves an X509 certificate from the specified file.
  *
  * @param pemfile The filename.
@@ -416,7 +420,6 @@ boost::shared_ptr<X509> CreateCert(EVP_PKEY *pubkey, X509_NAME *subject, X509_NA
 
 	ASN1_INTEGER_set(X509_get_serialNumber(cert), serial);
 
-	X509_EXTENSION *ext;
 	X509V3_CTX ctx;
 	X509V3_set_ctx_nodb(&ctx);
 	X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);
@@ -428,12 +431,23 @@ boost::shared_ptr<X509> CreateCert(EVP_PKEY *pubkey, X509_NAME *subject, X509_NA
 	else
 		attr = "critical,CA:FALSE";
 
-	ext = X509V3_EXT_conf_nid(NULL, &ctx, NID_basic_constraints, const_cast<char *>(attr));
+	X509_EXTENSION *basicConstraintsExt = X509V3_EXT_conf_nid(NULL, &ctx, NID_basic_constraints, const_cast<char *>(attr));
+
+	if (basicConstraintsExt) {
+		X509_add_ext(cert, basicConstraintsExt, -1);
+		X509_EXTENSION_free(basicConstraintsExt);
+	}
 
-	if (ext)
-		X509_add_ext(cert, ext, -1);
+	String cn = GetX509NameCN(subject);
 
-	X509_EXTENSION_free(ext);
+	if (!cn.Contains(" ") && cn.Contains(".")) {
+		String san = "DNS:" + cn;
+		X509_EXTENSION *subjectAltNameExt = X509V3_EXT_conf_nid(NULL, &ctx, NID_subject_alt_name, const_cast<char *>(san.CStr()));
+		if (subjectAltNameExt) {
+			X509_add_ext(cert, subjectAltNameExt, -1);
+			X509_EXTENSION_free(subjectAltNameExt);
+		}
+	}
 
 	X509_sign(cert, cakey, EVP_sha256());
 


