
Commit c4d63a0

committed
crypto/x509: abstract SAN parsing function
We'll need this for handling name constraints during verification. Change-Id: I4ef19d9489fb2a9ae9a62699d81cef92a21fda28 Reviewed-on: https://go-review.googlesource.com/62692 Run-TryBot: Adam Langley <[email protected]> TryBot-Result: Gobot Gobot <[email protected]> Reviewed-by: David Crawshaw <[email protected]>
1 parent 3079b0a commit c4d63a0


1 file changed

+27
-17
lines changed


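--- a/src/crypto/x509/x509.go
+++ b/src/crypto/x509/x509.go
@@ -1042,7 +1042,7 @@ func parsePublicKey(algo PublicKeyAlgorithm, keyData *publicKeyInfo) (interface{
 	}
 }
 
-func parseSANExtension(value []byte) (dnsNames, emailAddresses []string, ipAddresses []net.IP, err error) {
+func forEachSAN(extension []byte, callback func(tag int, data []byte) error) error {
 	// RFC 5280, 4.2.1.6
 
 	// SubjectAltName ::= GeneralNames
@@ -1060,40 +1060,50 @@ func parseSANExtension(value []byte) (dnsNames, emailAddresses []string, ipAddre
 	// iPAddress [7] OCTET STRING,
 	// registeredID [8] OBJECT IDENTIFIER }
 	var seq asn1.RawValue
-	var rest []byte
-	if rest, err = asn1.Unmarshal(value, &seq); err != nil {
-		return
+	rest, err := asn1.Unmarshal(extension, &seq)
+	if err != nil {
+		return err
 	} else if len(rest) != 0 {
-		err = errors.New("x509: trailing data after X.509 extension")
-		return
+		return errors.New("x509: trailing data after X.509 extension")
 	}
 	if !seq.IsCompound || seq.Tag != 16 || seq.Class != 0 {
-		err = asn1.StructuralError{Msg: "bad SAN sequence"}
-		return
+		return asn1.StructuralError{Msg: "bad SAN sequence"}
 	}
 
 	rest = seq.Bytes
 	for len(rest) > 0 {
 		var v asn1.RawValue
 		rest, err = asn1.Unmarshal(rest, &v)
 		if err != nil {
-			return
+			return err
+		}
+
+		if err := callback(v.Tag, v.Bytes); err != nil {
+			return err
 		}
-		switch v.Tag {
+	}
+
+	return nil
+}
+
+func parseSANExtension(value []byte) (dnsNames, emailAddresses []string, ipAddresses []net.IP, err error) {
+	err = forEachSAN(value, func(tag int, data []byte) error {
+		switch tag {
 		case 1:
-			emailAddresses = append(emailAddresses, string(v.Bytes))
+			emailAddresses = append(emailAddresses, string(data))
 		case 2:
-			dnsNames = append(dnsNames, string(v.Bytes))
+			dnsNames = append(dnsNames, string(data))
 		case 7:
-			switch len(v.Bytes) {
+			switch len(data) {
 			case net.IPv4len, net.IPv6len:
-				ipAddresses = append(ipAddresses, v.Bytes)
+				ipAddresses = append(ipAddresses, data)
 			default:
-				err = errors.New("x509: certificate contained IP address of length " + strconv.Itoa(len(v.Bytes)))
-				return
+				return errors.New("x509: certificate contained IP address of length " + strconv.Itoa(len(data)))
 			}
 		}
-	}
+
+		return nil
+	})
 
 	return
 }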
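Review bot: forEachSAN hands the callback only v.Tag, and never checks v.Class, so a GeneralName element that is not context-specific (for example a universal-class INTEGER, which also has tag 2) would be dispatched as if it were a dNSName; the outer SEQUENCE does get a class check, so the per-element loop should too, e.g. after the Unmarshal error check `if v.Class != asn1.ClassContextSpecific { return asn1.StructuralError{Msg: "bad SAN GeneralName"} }`. The new helper is also undocumented although it is about to gain a second caller: `// forEachSAN parses a SubjectAltName extension value and invokes callback with the tag and contents of each GeneralName, stopping at the first error.` Note that the closure in parseSANExtension appends to the named results before it can return the bad-IP-length error, so callers receive partially filled lists together with a non-nil err; that is pre-existing behaviour but worth a sentence in a parseSANExtension doc comment. Both functions are complete within the hunk.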
