shithub: plan9front

Download patch

ref: e9aed242ccf6c569491b34e5455e9ea9b78cd29a
parent: eeb0f9a9dad1c09ba2c0985b1af2c99b1bebe4c1
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Sun Jun 20 19:33:13 EDT 2021

libsec: emulate openssl asn1 when generating x509 csr

when trying to request certificates from letsencrypt,
their test api would reject our csr because of
"tuncated sequence" unless we force subectAltName
by passing multiple domains (as comma separated list).

apparently, we need to provide the context specific tag
"cont [ 0 ]" for the extensions even when we do have
any extensions for the csr (triggered when we need to
have subjectAltNames).

for this, we change mkcont() to take a Elist* instead,
which then can be nil when not used. also put the tag
number argument first, which makes it easier to read.

--- a/sys/src/libsec/port/x509.c	Sun Jun 20 13:07:33 2021
+++ b/sys/src/libsec/port/x509.c	Sun Jun 20 19:33:13 2021
@@ -2576,9 +2576,9 @@
 }
 
 static Elem
-mkcont(Elem e, int num)
+mkcont(int num, Elist *l)
 {
-	e = mkseq(mkel(e, nil));
+	Elem e = mkseq(l);
 	e.tag.class = Context;
 	e.tag.num = num;
 	return e;
@@ -2592,7 +2592,7 @@
 
 	for(i=0; i<nelem(DN_oid); i++){
 		if(strstr(s, DN_oid[i].prefix) != nil)
-			return mkcont(mkDN(s), 4); /* DN */
+			return mkcont(4, mkel(mkDN(s), nil)); /* DN */
 	}
 	e = mkstring(s, IA5String);
 	e.tag.class = Context;
@@ -2652,12 +2652,13 @@
 	if((sl = mkaltnames(alts)) != nil)
 		xl = mkextel(mkseq(sl), (Ints*)&oid_subjectAltName, xl);
 	if(xl != nil){
-		if(req) return mkel(mkcont(mkseq(
-			mkel(mkoid((Ints*)&oid_extensionRequest),
-			mkel(mkset(mkel(mkseq(xl), nil)), nil))), 0), nil);
-		return mkel(mkcont(mkseq(xl), 3), nil);
+		xl = mkel(mkseq(xl), nil);
+		if(req)
+			xl = mkel(mkseq(
+				mkel(mkoid((Ints*)&oid_extensionRequest),
+				mkel(mkset(xl), nil))), nil);
 	}
-	return nil;
+	return xl;
 }
 
 static char*
@@ -2763,7 +2764,7 @@
 	alts = splitalts(subj);
 
 	e = mkseq(
-		mkel(mkcont(mkint(2), 0),
+		mkel(mkcont(0, mkel(mkint(2), nil)),
 		mkel(mkint(serial),
 		mkel(mkalg(sigalg),
 		mkel(mkDN(subj),
@@ -2776,7 +2777,7 @@
 			mkel(mkalg(ALG_rsaEncryption),
 			mkel(mkbits(pkbytes->data, pkbytes->len),
 			nil))),
-		mkextensions(alts, 0)))))))));
+		mkel(mkcont(3, mkextensions(alts, 0)), nil)))))))));
 	freebytes(pkbytes);
 	if(encode(e, &certinfobytes) != ASN_OK)
 		goto errret;
@@ -2842,7 +2843,7 @@
 			mkel(mkalg(ALG_rsaEncryption),
 			mkel(mkbits(pkbytes->data, pkbytes->len),
 			nil))),
-		mkextensions(alts, 1)))));
+		mkel(mkcont(0, mkextensions(alts, 1)), nil)))));
 	freebytes(pkbytes);
 	if(encode(e, &certinfobytes) != ASN_OK)
 		goto errret;