Handle critical subjectAltName extension

For XMPP servers, when extracting the SRV-ID and XmppAddr names from the subjectAltName extension, need to take into account that the subjectAltName extension may be marked as critical, in which case there will be the DER encoding of TRUE (0101FF) between the DER encoding of the subjectAltName extension's OID (0603551D11) and the tag for OCTET STRING (04).
This commit is contained in:
David Cooper 2018-09-26 09:59:52 -04:00
parent e0f5c7513a
commit c4db88526f
1 changed files with 10 additions and 1 deletions

View File

@ -7005,7 +7005,16 @@ compare_server_name_to_cert() {
# For XMPP hosts, in addition to checking for a matching DNS name, # For XMPP hosts, in addition to checking for a matching DNS name,
# should also check for a matching SRV-ID or XmppAddr identifier. # should also check for a matching SRV-ID or XmppAddr identifier.
dercert="$($OPENSSL x509 -in "$cert" -outform DER 2>>$ERRFILE | hexdump -v -e '16/1 "%02X"')" dercert="$($OPENSSL x509 -in "$cert" -outform DER 2>>$ERRFILE | hexdump -v -e '16/1 "%02X"')"
dercert="${dercert##*0603551D1104}" # Look for the beginning of the subjectAltName extension. It
# will begin with the OID (2.5.29.17 = 0603551D11). After the OID
# there may be an indication that the extension is critical (0101FF).
# Finally will be the tag indicating that the value of the extension is
# encoded as an OCTET STRING (04).
if [[ "$dercert" =~ 0603551D110101FF04 ]]; then
dercert="${dercert##*0603551D110101FF04}"
else
dercert="${dercert##*0603551D1104}"
fi
# Skip over the encoding of the length of the OCTET STRING. # Skip over the encoding of the length of the OCTET STRING.
if [[ "${dercert:0:1}" == "8" ]]; then if [[ "${dercert:0:1}" == "8" ]]; then
i="${dercert:1:1}" i="${dercert:1:1}"