acme: add wildcard support to CSR

2025-03-09 00:00:04 +01:00 · 2019-11-06 18:43:05 +08:00 · 2019-11-06 18:43:05 +08:00 · 34eca205e5
commit 34eca205e5
parent 2bc0b97b45
3 changed files with 39 additions and 5 deletions
--- a/include/libwebsockets/lws-callbacks.h
+++ b/include/libwebsockets/lws-callbacks.h
@ -62,6 +62,7 @@ enum {
 	LWS_TLS_REQ_ELEMENT_LOCALITY,
 	LWS_TLS_REQ_ELEMENT_ORGANIZATION,
 	LWS_TLS_REQ_ELEMENT_COMMON_NAME,
+	LWS_TLS_REQ_ELEMENT_SUBJECT_ALT_NAME,
 	LWS_TLS_REQ_ELEMENT_EMAIL,

 	LWS_TLS_REQ_ELEMENT_COUNT,
--- a/lib/tls/openssl/openssl-server.c
+++ b/lib/tls/openssl/openssl-server.c
@ -868,7 +868,8 @@ static int nid_list[] = {
 	NID_localityName,		/* LWS_TLS_REQ_ELEMENT_LOCALITY */
 	NID_organizationName,		/* LWS_TLS_REQ_ELEMENT_ORGANIZATION */
 	NID_commonName,			/* LWS_TLS_REQ_ELEMENT_COMMON_NAME */
-	NID_organizationalUnitName,	/* LWS_TLS_REQ_ELEMENT_EMAIL */
+	NID_subject_alt_name,		/* LWS_TLS_REQ_ELEMENT_SUBJECT_ALT_NAME */
+	NID_pkcs9_emailAddress,		/* LWS_TLS_REQ_ELEMENT_EMAIL */
 };

 LWS_VISIBLE LWS_EXTERN int
@ -906,15 +907,45 @@ lws_tls_acme_sni_csr_create(struct lws_context *context, const char *elements[],
 		goto bail2;

 	for (n = 0; n < LWS_TLS_REQ_ELEMENT_COUNT; n++)
-		if (lws_tls_openssl_add_nid(subj, nid_list[n], elements[n])) {
-			lwsl_notice("%s: failed to add element %d\n", __func__,
-				    n);
+		if (elements[n] &&
+			lws_tls_openssl_add_nid(subj, nid_list[n],
+				elements[n])) {
+				lwsl_notice("%s: failed to add element %d\n",
+						__func__, n);
 			goto bail3;
 		}

 	if (X509_REQ_set_subject_name(req, subj) != 1)
 		goto bail3;

+	if (elements[LWS_TLS_REQ_ELEMENT_SUBJECT_ALT_NAME]) {
+		STACK_OF(X509_EXTENSION) *exts;
+		X509_EXTENSION *ext;
+		char san[256];
+
+		exts = sk_X509_EXTENSION_new_null();
+		if (!exts)
+			goto bail3;
+
+		lws_snprintf(san, sizeof(san), "DNS:%s,DNS:%s",
+				elements[LWS_TLS_REQ_ELEMENT_COMMON_NAME],
+				elements[LWS_TLS_REQ_ELEMENT_SUBJECT_ALT_NAME]);
+
+		ext = X509V3_EXT_conf_nid(NULL, NULL, NID_subject_alt_name,
+				san);
+		if (!ext) {
+			sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
+			goto bail3;
+		}
+		sk_X509_EXTENSION_push(exts, ext);
+
+		if (!X509_REQ_add_extensions(req, exts)) {
+			sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
+			goto bail3;
+		}
+		sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
+	}
+
 	if (!X509_REQ_sign(req, pkey, EVP_sha256()))
 		goto bail3;

--- a/plugins/acme-client/protocol_lws_acme_client.c
+++ b/plugins/acme-client/protocol_lws_acme_client.c
@ -648,6 +648,7 @@ static const char * const pvo_names[] = {
 	"locality",
 	"organization",
 	"common-name",
+	"subject-alt-name",
 	"email",
 	"directory-url",
 	"auth-path",
@ -822,7 +823,8 @@ callback_acme_client(struct lws *wsi, enum lws_callback_reasons reason,
 		n = 0;
 		for (m = 0; m < (int)LWS_ARRAY_SIZE(pvo_names); m++) {
 			if (!vhd->pvop[m] &&
-			    m >= LWS_TLS_REQ_ELEMENT_COMMON_NAME) {
+				m >= LWS_TLS_REQ_ELEMENT_COMMON_NAME &&
+				m != LWS_TLS_REQ_ELEMENT_SUBJECT_ALT_NAME) {
 				lwsl_notice("%s: require pvo '%s'\n", __func__,
 					    pvo_names[m]);
 				n |= 1;