From 2d9e35927577ef4c602534b650d6cdfd5d4314ea Mon Sep 17 00:00:00 2001 From: Jens Alfke Date: Tue, 29 Oct 2019 15:03:37 -0700 Subject: [PATCH 01/20] Parsing v3 extensions from a CSR A parsed CSR struct (`mbedtls_x509_csr`) now includes some of the X.509v3 extensions included in the CSR -- the key usage, Netscape cert-type, and Subject Alternative Names. Author: Jens Alfke Signed-off-by: Przemek Stekiel --- include/mbedtls/x509.h | 9 +++ include/mbedtls/x509_csr.h | 4 + library/x509_crt.c | 18 ++--- library/x509_csr.c | 152 +++++++++++++++++++++++++++++++++++++ 4 files changed, 174 insertions(+), 9 deletions(-) diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index 52fadad17..a98748cdc 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -370,6 +370,15 @@ int mbedtls_x509_write_names(unsigned char **p, unsigned char *start, int mbedtls_x509_write_sig(unsigned char **p, unsigned char *start, const char *oid, size_t oid_len, unsigned char *sig, size_t size); +int x509_get_ns_cert_type(unsigned char **p, + const unsigned char *end, + unsigned char *ns_cert_type); +int x509_get_key_usage(unsigned char **p, + const unsigned char *end, + unsigned int *key_usage); +int x509_get_subject_alt_name(unsigned char **p, + const unsigned char *end, + mbedtls_x509_sequence *subject_alt_name); #define MBEDTLS_X509_SAFE_SNPRINTF \ do { \ diff --git a/include/mbedtls/x509_csr.h b/include/mbedtls/x509_csr.h index 50998c42b..216a0a2e9 100644 --- a/include/mbedtls/x509_csr.h +++ b/include/mbedtls/x509_csr.h 
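Review bot: The three prototypes added to include/mbedtls/x509.h expose what were file-local DER helpers through the installed public header, with no comment describing their contract. Each takes a cursor `unsigned char **p` and a bound `end`, and the header does not say whether `*p` is advanced on failure or whether `end` must be the exact end of the extension value. If they are only needed by library/x509_csr.c, declaring them in a library-internal header would keep them out of the public API. Otherwise each needs a short comment such as `/* Internal: parse the value of a keyUsage extension from [*p, end). */`.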
@@ -58,6 +58,10 @@ typedef struct mbedtls_x509_csr { mbedtls_pk_context pk; /**< Container for the public key context. */ + unsigned int key_usage; /**< Optional key usage extension value: See the values in x509.h */ + unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values in x509.h */ + mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). */ + mbedtls_x509_buf sig_oid; mbedtls_x509_buf MBEDTLS_PRIVATE(sig); mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */ diff --git a/library/x509_crt.c b/library/x509_crt.c index 033009797..e02d18e05 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -562,9 +562,9 @@ static int x509_get_basic_constraints(unsigned char **p, return 0; } -static int x509_get_ns_cert_type(unsigned char **p, - const unsigned char *end, - unsigned char *ns_cert_type) +int x509_get_ns_cert_type(unsigned char **p, + const unsigned char *end, + unsigned char *ns_cert_type) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_x509_bitstring bs = { 0, 0, NULL }; @@ -583,9 +583,9 @@ static int x509_get_ns_cert_type(unsigned char **p, return 0; } -static int x509_get_key_usage(unsigned char **p, - const unsigned char *end, - unsigned int *key_usage) +int x509_get_key_usage(unsigned char **p, + const unsigned char *end, + unsigned int *key_usage) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t i; 
@@ -660,9 +660,9 @@ static int x509_get_ext_key_usage(unsigned char **p, * NOTE: we list all types, but only use dNSName and otherName * of type HwModuleName, as defined in RFC 4108, at this point. */ -static int x509_get_subject_alt_name(unsigned char **p, - const unsigned char *end, - mbedtls_x509_sequence *subject_alt_name) +int x509_get_subject_alt_name(unsigned char **p, + const unsigned char *end, + mbedtls_x509_sequence *subject_alt_name) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t len, tag_len; diff --git a/library/x509_csr.c b/library/x509_csr.c index 0c664d908..824d17a75 100644 --- a/library/x509_csr.c +++ b/library/x509_csr.c 
@@ -69,6 +69,153 @@ static int x509_csr_get_version(unsigned char **p, return 0; } +/* + * Parse CSR extension requests in DER format + */ +static int x509_csr_parse_extensions(mbedtls_x509_csr *csr, + unsigned char **p, const unsigned char *end) +{ + int ret; + size_t len; + unsigned char *end_ext_data; + + while (*p < end) { + mbedtls_x509_buf extn_oid = { 0, 0, NULL }; + int ext_type = 0; + + /* Read sequence tag */ + if ((ret = mbedtls_asn1_get_tag(p, end, &len, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { + return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret; + } + + end_ext_data = *p + len; + + /* Get extension ID */ + if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &extn_oid.len, + MBEDTLS_ASN1_OID)) != 0) { + return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret; + } + + extn_oid.tag = MBEDTLS_ASN1_OID; + extn_oid.p = *p; + *p += extn_oid.len; + + /* Data should be octet string type */ + if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &len, + MBEDTLS_ASN1_OCTET_STRING)) != 0) { + return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret; + } + if (*p + len != end_ext_data) { + return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; + } + + if (mbedtls_oid_get_x509_ext_type(&extn_oid, &ext_type) == 0) { + switch (ext_type) { + case MBEDTLS_X509_EXT_KEY_USAGE: + /* Parse key usage */ + if ((ret = x509_get_key_usage(p, end_ext_data, + &csr->key_usage)) != 0) { + return ret; + } + break; + + case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME: + /* Parse subject alt name */ + if ((ret = x509_get_subject_alt_name(p, end_ext_data, + &csr->subject_alt_names)) != 0) { + return ret; + } + break; + + case MBEDTLS_X509_EXT_NS_CERT_TYPE: + /* Parse netscape certificate type */ + if ((ret = x509_get_ns_cert_type(p, end_ext_data, + &csr->ns_cert_type)) != 0) { + return ret; + } + break; + default: + break; + } + } + + *p = end_ext_data; + } + + if (*p != end) { + return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; + } + + return 
0; +} + +/* + * Parse CSR attributes in DER format + */ +static int x509_csr_parse_attributes(mbedtls_x509_csr *csr, + const unsigned char *start, const unsigned char *end) +{ + int ret; + size_t len; + unsigned char *end_attr_data; + unsigned char **p = (unsigned char **) &start; + + while (*p < end) { + mbedtls_x509_buf attr_oid = { 0, 0, NULL }; + + if ((ret = mbedtls_asn1_get_tag(p, end, &len, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { + return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret; + } + end_attr_data = *p + len; + + /* Get attribute ID */ + if ((ret = mbedtls_asn1_get_tag(p, end_attr_data, &attr_oid.len, + MBEDTLS_ASN1_OID)) != 0) { + return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret; + } + + attr_oid.tag = MBEDTLS_ASN1_OID; + attr_oid.p = *p; + *p += attr_oid.len; + + /* Check that this is an extension-request attribute */ + if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS9_CSR_EXT_REQ, &attr_oid) == 0) { + if ((ret = mbedtls_asn1_get_tag(p, end, &len, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SET)) != 0) { + return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret; + } + + if ((ret = mbedtls_asn1_get_tag(p, end, &len, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != + 0) { + return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret; + } + + if ((ret = x509_csr_parse_extensions(csr, p, *p + len)) != 0) { + return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret; + } + + if (*p != end_attr_data) { + return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; + } + } + + *p = end_attr_data; + } + + if (*p != end) { + return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; + } + + return 0; +} + /* * Parse a CSR in DER format */ @@ -197,6 +344,11 @@ int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr, return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret); } + if ((ret = x509_csr_parse_attributes(csr, p, p + len)) != 0) { + mbedtls_x509_csr_free(csr); + return ret; + } + p += len; end = csr->raw.p + csr->raw.len; 
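Review bot: In x509_csr_parse_attributes a failure of x509_csr_parse_extensions is returned as `MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret`, but the callee already returns a composed X.509 error, so the high-level code is added twice and the caller receives a value that no longer identifies the extension error; this should be `return ret;`. The two mbedtls_asn1_get_tag calls for the SET and the inner SEQUENCE are bounded by `end` rather than `end_attr_data`, so a length that overruns the enclosing attribute is only caught by the later `*p != end_attr_data` check, after the extension parser has already run over bytes belonging to the next attribute; passing `end_attr_data` rejects it up front. x509_csr_parse_extensions also expects the OCTET STRING directly after the OID, so a request whose extension carries an explicit `critical` BOOLEAN is rejected as malformed; an optional `mbedtls_asn1_get_bool` step before the OCTET STRING read would accept it.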
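Review bot: The error path added to mbedtls_x509_csr_parse_der relies on mbedtls_x509_csr_free to undo whatever x509_csr_parse_attributes stored, and this patch does not touch that function. `csr->subject_alt_names` is an mbedtls_x509_sequence filled by x509_get_subject_alt_name; if that parser allocates a list node for each name after the first, those nodes are released neither here nor when a successfully parsed CSR is freed. Adding `mbedtls_asn1_sequence_free(csr->subject_alt_names.next);` to mbedtls_x509_csr_free would cover both paths. Both functions lie largely outside the hunk, so this should be confirmed against the full file.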
From cbaf3167dd30db772834d40e1a456f6d666bca77 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 12 Jan 2023 12:58:02 +0100 Subject: [PATCH 02/20] mbedtls_x509_csr_info: Add parsing code for v3 csr extensions Signed-off-by: Przemek Stekiel --- include/mbedtls/x509.h | 8 ++++++ include/mbedtls/x509_csr.h | 2 ++ library/x509_crt.c | 16 ++++++------ library/x509_csr.c | 52 +++++++++++++++++++++++++++++++++++++- 4 files changed, 69 insertions(+), 9 deletions(-) diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index a98748cdc..57e072771 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -379,6 +379,14 @@ int x509_get_key_usage(unsigned char **p, int x509_get_subject_alt_name(unsigned char **p, const unsigned char *end, mbedtls_x509_sequence *subject_alt_name); +int x509_info_subject_alt_name(char **buf, size_t *size, + const mbedtls_x509_sequence + *subject_alt_name, + const char *prefix); +int x509_info_cert_type(char **buf, size_t *size, + unsigned char ns_cert_type); +int x509_info_key_usage(char **buf, size_t *size, + unsigned int key_usage); #define MBEDTLS_X509_SAFE_SNPRINTF \ do { \ diff --git a/include/mbedtls/x509_csr.h b/include/mbedtls/x509_csr.h index 216a0a2e9..0c204be06 100644 --- a/include/mbedtls/x509_csr.h +++ b/include/mbedtls/x509_csr.h @@ -62,6 +62,8 @@ typedef struct mbedtls_x509_csr { unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values in x509.h */ mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). */ + int MBEDTLS_PRIVATE(ext_types); /**< Bit string containing detected and parsed extensions */ + mbedtls_x509_buf sig_oid; mbedtls_x509_buf MBEDTLS_PRIVATE(sig); mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */ 
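Review bot: `ext_types` is wrapped in MBEDTLS_PRIVATE, so application code reading the public `key_usage`, `ns_cert_type` and `subject_alt_names` fields has no supported way to tell an absent extension from one whose parsed value is zero. Either expose the mask (or an accessor for it), or state on those three fields how absence is to be detected. The comment would also be more precise as `/**< Bit mask of MBEDTLS_X509_EXT_xxx values for the extensions found in the CSR */`, since the field is an `int`, not a bit string.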
diff --git a/library/x509_crt.c b/library/x509_crt.c index e02d18e05..261525d38 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -1849,10 +1849,10 @@ int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf, } #if !defined(MBEDTLS_X509_REMOVE_INFO) -static int x509_info_subject_alt_name(char **buf, size_t *size, - const mbedtls_x509_sequence - *subject_alt_name, - const char *prefix) +int x509_info_subject_alt_name(char **buf, size_t *size, + const mbedtls_x509_sequence + *subject_alt_name, + const char *prefix) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t i; @@ -1965,8 +1965,8 @@ static int x509_info_subject_alt_name(char **buf, size_t *size, if (ns_cert_type & (type)) \ PRINT_ITEM(name); -static int x509_info_cert_type(char **buf, size_t *size, - unsigned char ns_cert_type) +int x509_info_cert_type(char **buf, size_t *size, + unsigned char ns_cert_type) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t n = *size; @@ -1992,8 +1992,8 @@ static int x509_info_cert_type(char **buf, size_t *size, if (key_usage & (code)) \ PRINT_ITEM(name); -static int x509_info_key_usage(char **buf, size_t *size, - unsigned int key_usage) +int x509_info_key_usage(char **buf, size_t *size, + unsigned int key_usage) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t n = *size; diff --git a/library/x509_csr.c b/library/x509_csr.c index 824d17a75..f1c4c6654 100644 --- a/library/x509_csr.c +++ b/library/x509_csr.c 
@@ -111,7 +111,19 @@ static int x509_csr_parse_extensions(mbedtls_x509_csr *csr, MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; } - if (mbedtls_oid_get_x509_ext_type(&extn_oid, &ext_type) == 0) { + /* + * Detect supported extensions + */ + ret = mbedtls_oid_get_x509_ext_type(&extn_oid, &ext_type); + + if (ret == 0) { + /* Forbid repeated extensions */ + if ((csr->ext_types & ext_type) != 0) { + return MBEDTLS_ERR_X509_INVALID_EXTENSIONS; + } + + csr->ext_types |= ext_type; + switch (ext_type) { case MBEDTLS_X509_EXT_KEY_USAGE: /* Parse key usage */ @@ -497,6 +509,44 @@ int mbedtls_x509_csr_info(char *buf, size_t size, const char *prefix, (int) mbedtls_pk_get_bitlen(&csr->pk)); MBEDTLS_X509_SAFE_SNPRINTF; + /* + * Optional extensions + */ + + if (csr->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) { + ret = mbedtls_snprintf(p, n, "\n%ssubject alt name :", prefix); + MBEDTLS_X509_SAFE_SNPRINTF; + + if ((ret = x509_info_subject_alt_name(&p, &n, + &csr->subject_alt_names, + prefix)) != 0) { + return ret; + } + } + + if (csr->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE) { + ret = mbedtls_snprintf(p, n, "\n%scert. type : ", prefix); + MBEDTLS_X509_SAFE_SNPRINTF; + + if ((ret = x509_info_cert_type(&p, &n, csr->ns_cert_type)) != 0) { + return ret; + } + } + + if (csr->ext_types & MBEDTLS_X509_EXT_KEY_USAGE) { + ret = mbedtls_snprintf(p, n, "\n%skey usage : ", prefix); + MBEDTLS_X509_SAFE_SNPRINTF; + + if ((ret = x509_info_key_usage(&p, &n, csr->key_usage)) != 0) { + return ret; + } + } + + if (csr->ext_types != 0) { + ret = mbedtls_snprintf(p, n, "\n"); + MBEDTLS_X509_SAFE_SNPRINTF; + } + return (int) (size - n); } #endif /* MBEDTLS_X509_REMOVE_INFO */ From e7fbbb3fbd0bffd78cfdc7704df84aaa137f8d46 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 12 Jan 2023 15:30:45 +0100 Subject: [PATCH 03/20] Generate csr files to test v3 extensions 
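Review bot: `csr->ext_types |= ext_type;` runs before the switch in x509_csr_parse_extensions, so the bit is recorded for every extension the OID lookup recognises, including those that reach the `default` branch from the first patch and are never parsed. The field is documented as holding detected and parsed extensions, and mbedtls_x509_csr_info in the next hunk tests `csr->ext_types != 0`, so a request carrying only such an extension gets a stray newline with no extension line before it. Setting the bit inside each handled `case` once its parser has succeeded would keep the mask in step with the fields that are actually filled in. The repeated-extension branch also returns the bare `MBEDTLS_ERR_X509_INVALID_EXTENSIONS`, where the neighbouring length check adds a low-level ASN.1 code. The enclosing function starts and ends outside the hunk.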
Signed-off-by: Przemek Stekiel --- tests/data_files/Makefile | 9 +++++++++ tests/data_files/test-ca.opensslconf | 14 ++++++++++++++ tests/data_files/test_csr_v3_all.csr | 12 ++++++++++++ tests/data_files/test_csr_v3_keyUsage.csr | 10 ++++++++++ tests/data_files/test_csr_v3_nsCertType.csr | 10 ++++++++++ tests/data_files/test_csr_v3_subjectAltName.csr | 11 +++++++++++ 6 files changed, 66 insertions(+) create mode 100644 tests/data_files/test_csr_v3_all.csr create mode 100644 tests/data_files/test_csr_v3_keyUsage.csr create mode 100644 tests/data_files/test_csr_v3_nsCertType.csr create mode 100644 tests/data_files/test_csr_v3_subjectAltName.csr diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 388b0ce41..a87e0cc06 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile 
@@ -93,6 +93,15 @@ cert_example_multi.csr: rsa_pkcs1_1024_clear.pem cert_example_multi.crt: cert_example_multi.csr $(OPENSSL) x509 -req -CA $(test_ca_crt) -CAkey $(test_ca_key_file_rsa) -extfile $(test_ca_config_file) -extensions dns_alt_names -passin "pass:$(test_ca_pwd_rsa)" -set_serial 17 -days 3653 -sha256 -in $< > $@ +test_csr_v3_keyUsage.csr: rsa_pkcs1_1024_clear.pem + $(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -out $@ -reqexts csr_ext_v3_keyUsage +test_csr_v3_subjectAltName.csr: rsa_pkcs1_1024_clear.pem + $(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -out $@ -reqexts csr_ext_v3_subjectAltName +test_csr_v3_nsCertType.csr: rsa_pkcs1_1024_clear.pem + $(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -out $@ -reqexts csr_ext_v3_nsCertType +test_csr_v3_all.csr: rsa_pkcs1_1024_clear.pem + $(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -out $@ -reqexts csr_ext_v3_all + $(test_ca_key_file_rsa_alt):test-ca.opensslconf $(OPENSSL) genrsa -out $@ 2048 test-ca-alt.csr: $(test_ca_key_file_rsa_alt) $(test_ca_config_file) diff --git a/tests/data_files/test-ca.opensslconf b/tests/data_files/test-ca.opensslconf index b2c2fa1bc..bd127609e 100644 --- a/tests/data_files/test-ca.opensslconf +++ b/tests/data_files/test-ca.opensslconf 
@@ -82,3 +82,17 @@ fullname=URI:http://pki.example.com/ # these IPs are the ascii values for 'abcd' and 'abcd.example.com' [tricky_ip_san] subjectAltName=IP:97.98.99.100,IP:6162:6364:2e65:7861:6d70:6c65:2e63:6f6d + +[csr_ext_v3_keyUsage] +keyUsage = digitalSignature, keyEncipherment + +[csr_ext_v3_subjectAltName] +subjectAltName=DNS:example.com, DNS:example.net, DNS:*.example.org + +[csr_ext_v3_nsCertType] +nsCertType=server + +[csr_ext_v3_all] +keyUsage = cRLSign +subjectAltName=otherName:1.3.6.1.5.5.7.8.4;SEQ:nonprintable_hw_module_name +nsCertType=client diff --git a/tests/data_files/test_csr_v3_all.csr b/tests/data_files/test_csr_v3_all.csr new file mode 100644 index 000000000..fecca328a --- /dev/null +++ b/tests/data_files/test_csr_v3_all.csr @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBsTCCARoCAQAwDzENMAsGA1UEAwwEZXRjZDCBnzANBgkqhkiG9w0BAQEFAAOB +jQAwgYkCgYEAxziSxcP0cBAIa/gTNezzARyKJQ+VgjYeqh6WElUarPh7dTMLcFcz +nNmV8U1MRDfIvsSgP+RkPNPzyQJDPcN8W455qgmEroITNwq/hWm9KjVibLH+5Kzg +QrJBfHvknScUmywHa45DPT9sdjpGmhxwDSWdvAjHQPzYAjdi/33r/C0CAwEAAaBi +MGAGCSqGSIb3DQEJDjFTMFEwCwYDVR0PBAQDAgECMC8GA1UdEQQoMCagJAYIKwYB +BQUHCASgGDAWBgcrBgEEAREDBAsxMjOAgQCBgDMyMTARBglghkgBhvhCAQEEBAMC +B4AwDQYJKoZIhvcNAQELBQADgYEAk9a+49SVlwdJJKBhvfDQ0I6pqB+Uglsg7jvo +AIgIQwY5wRy4Y2wT4CPu3zGyRxQlgqPH/JL3ZmiL9NoYXMrMbJ4Sy82y2iyW31Qq +8taoZ6jJfmusmURU7uQPOK1g/Io2ryumuGRlsIK1aa/aqeYG1xs34+F0UX3pGxf+ +nIeQXuM= +-----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/test_csr_v3_keyUsage.csr b/tests/data_files/test_csr_v3_keyUsage.csr new file mode 100644 index 000000000..c22b392c9 --- /dev/null +++ b/tests/data_files/test_csr_v3_keyUsage.csr 
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBbDCB1gIBADAPMQ0wCwYDVQQDDARldGNkMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQDHOJLFw/RwEAhr+BM17PMBHIolD5WCNh6qHpYSVRqs+Ht1MwtwVzOc
+2ZXxTUxEN8i+xKA/5GQ80/PJAkM9w3xbjnmqCYSughM3Cr+Fab0qNWJssf7krOBC
+skF8e+SdJxSbLAdrjkM9P2x2OkaaHHANJZ28CMdA/NgCN2L/fev8LQIDAQABoB4w
+HAYJKoZIhvcNAQkOMQ8wDTALBgNVHQ8EBAMCBaAwDQYJKoZIhvcNAQELBQADgYEA
+rKFX2WcYZNns9j0YL+SlR/EnR53r5xFeiMa8lqj7DbjvxXly97JjkTM8qgiYDbsd
+r3EsRCtf6sGoxpCWIT370zToUYQndKJFthlnM9w6san7t3QcryDpYXvSTft0O3/X
+nypfGe7QuEYl0R/XKxlot1HzGCqaZB0QonfxxAFE3Tw=
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/test_csr_v3_nsCertType.csr b/tests/data_files/test_csr_v3_nsCertType.csr
new file mode 100644
index 000000000..039874330
--- /dev/null
+++ b/tests/data_files/test_csr_v3_nsCertType.csr
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBcjCB3AIBADAPMQ0wCwYDVQQDDARldGNkMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQDHOJLFw/RwEAhr+BM17PMBHIolD5WCNh6qHpYSVRqs+Ht1MwtwVzOc
+2ZXxTUxEN8i+xKA/5GQ80/PJAkM9w3xbjnmqCYSughM3Cr+Fab0qNWJssf7krOBC
+skF8e+SdJxSbLAdrjkM9P2x2OkaaHHANJZ28CMdA/NgCN2L/fev8LQIDAQABoCQw
+IgYJKoZIhvcNAQkOMRUwEzARBglghkgBhvhCAQEEBAMCBkAwDQYJKoZIhvcNAQEL
+BQADgYEAYDqW7nG8/adwpHZXhmMSgdJmzovjOfMCRRe1FshTLSMmcB64wkZNuCc6
+5rLdubZpZtvA0pCp8pHqhdi6Mhl5dP7ZHxJgcW2jG1ZvxuoC65r1w+SH05RdLS0G
+IX2MEfp0J9hR4hVXJt4FbFtGmzkHi114oTMFMRWq84KiMrUugnM=
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/test_csr_v3_subjectAltName.csr b/tests/data_files/test_csr_v3_subjectAltName.csr
new file mode 100644
index 000000000..65808c58e
--- /dev/null
+++ b/tests/data_files/test_csr_v3_subjectAltName.csr
@@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBkzCB/QIBADAPMQ0wCwYDVQQDDARldGNkMIGfMA0GCSqGSIb3DQEBAQUAA4GN +ADCBiQKBgQDHOJLFw/RwEAhr+BM17PMBHIolD5WCNh6qHpYSVRqs+Ht1MwtwVzOc +2ZXxTUxEN8i+xKA/5GQ80/PJAkM9w3xbjnmqCYSughM3Cr+Fab0qNWJssf7krOBC +skF8e+SdJxSbLAdrjkM9P2x2OkaaHHANJZ28CMdA/NgCN2L/fev8LQIDAQABoEUw +QwYJKoZIhvcNAQkOMTYwNDAyBgNVHREEKzApggtleGFtcGxlLmNvbYILZXhhbXBs +ZS5uZXSCDSouZXhhbXBsZS5vcmcwDQYJKoZIhvcNAQELBQADgYEAUyi46hqfD91x +TVRf+IeI3rDf1gSu0IMZuoR5xr2jf/+Oq747gmH+ET2Yfgo96LWQpMVkuOaa68Hj +0r4wvLgV3Re2dO4obHF9AVftZYTcLQ/GK/X3fvT1si7ynv9cfBRdHp4TBlSxeG+a +c9kTX4hTnt3G106vea9FHgCpfG+AkV4= +-----END CERTIFICATE REQUEST----- From 46a4a4987efe223e47c4c314fc2535e5fe5d8e27 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 12 Jan 2023 15:40:59 +0100 Subject: [PATCH 04/20] Add tests to very parsing of CSR v3 extensions Signed-off-by: Przemek Stekiel --- tests/suites/test_suite_x509parse.data | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 002f3dc41..7a39e035d 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data 
@@ -350,6 +350,22 @@ X509 CSR Information RSA with SHA-256 - Microsoft header depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C mbedtls_x509_csr_info:"data_files/server1-ms.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n" +X509 CSR Information v3 extensions #1 (all) +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_HAS_ALG_SHA1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO +mbedtls_x509_csr_info:"data_files/test_csr_v3_all.csr":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 3132338081008180333231\ncert. type \: SSL Client\nkey usage \: CRL Sign\n" + +X509 CSR Information v3 extensions #2 (nsCertType only) +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_HAS_ALG_SHA1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO +mbedtls_x509_csr_info:"data_files/test_csr_v3_nsCertType.csr":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\ncert. 
type \: SSL Server\n" + +X509 CSR Information v3 extensions #3 (subjectAltName only) +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_HAS_ALG_SHA1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO +mbedtls_x509_csr_info:"data_files/test_csr_v3_subjectAltName.csr":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nsubject alt name \:\n dNSName \: example.com\n dNSName \: example.net\n dNSName \: *.example.org\n" + +X509 CSR Information v3 extensions #4 (keyUsage only) +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_HAS_ALG_SHA1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO +mbedtls_x509_csr_info:"data_files/test_csr_v3_keyUsage.csr":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Key Encipherment\n" + X509 Verify Information: empty x509_verify_info:0:"":"" From 685d472db3fbb4c5bffd46957aaa2b092eb470ee Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Fri, 13 Jan 2023 10:16:40 +0100 Subject: [PATCH 05/20] Adapt expected output of existing tests Signed-off-by: Przemek Stekiel --- tests/suites/test_suite_x509parse.data | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 7a39e035d..d2c322f69 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data 
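Review bot: All four new cases list `MBEDTLS_HAS_ALG_SHA1_VIA_MD_OR_PSA_BASED_ON_USE_PSA` in `depends_on`, but the other cases in this file spell that macro family with an underscore (`MBEDTLS_HAS_ALG_SHA_1_…`, `MBEDTLS_HAS_ALG_SHA_256_…`), and the expected output says the requests are signed using RSA with SHA-256. If the test framework treats an unknown symbol as an unmet dependency, these cases are skipped in every configuration and the new parser is never exercised. The line should read `depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO`. The cases also cover only well-formed requests; one with a repeated extension and one with a truncated extension value would exercise the rejection paths added in library/x509_csr.c.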
@@ -308,43 +308,43 @@ mbedtls_x509_csr_info:"data_files/server1.req.commas.sha256":"CSR version \: 1 X509 CSR Information EC with SHA1 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/server5.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n" +mbedtls_x509_csr_info:"data_files/server5.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CSR Information EC with SHA224 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/server5.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA224\nEC key size \: 256 bits\n" +mbedtls_x509_csr_info:"data_files/server5.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA224\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CSR Information EC with SHA256 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/server5.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\n" +mbedtls_x509_csr_info:"data_files/server5.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CSR 
Information EC with SHA384 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/server5.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA384\nEC key size \: 256 bits\n" +mbedtls_x509_csr_info:"data_files/server5.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA384\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CSR Information EC with SHA512 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/server5.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA512\nEC key size \: 256 bits\n" +mbedtls_x509_csr_info:"data_files/server5.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA512\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CSR Information RSA-PSS with SHA1 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/server9.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0x6A)\nRSA key size \: 1024 bits\n" +mbedtls_x509_csr_info:"data_files/server9.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0x6A)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CSR Information RSA-PSS with SHA224 
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/server9.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0x62)\nRSA key size \: 1024 bits\n" +mbedtls_x509_csr_info:"data_files/server9.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0x62)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CSR Information RSA-PSS with SHA256 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/server9.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0x5E)\nRSA key size \: 1024 bits\n" +mbedtls_x509_csr_info:"data_files/server9.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0x5E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CSR Information RSA-PSS with SHA384 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/server9.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0x4E)\nRSA key size \: 1024 bits\n" +mbedtls_x509_csr_info:"data_files/server9.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0x4E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CSR Information RSA-PSS with 
SHA512 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/server9.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0x3E)\nRSA key size \: 1024 bits\n" +mbedtls_x509_csr_info:"data_files/server9.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0x3E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CSR Information RSA with SHA-256 - Microsoft header depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C 
@@ -2589,7 +2589,7 @@ x509_parse_rsassa_pss_params:"a303020102":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN X509 CSR ASN.1 (OK) depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_parse:"308201183081bf0201003034310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c31123010060355040313096c6f63616c686f73743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa029302706092a864886f70d01090e311a301830090603551d1304023000300b0603551d0f0404030205e0300906072a8648ce3d04010349003046022100b49fd8c8f77abfa871908dfbe684a08a793d0f490a43d86fcf2086e4f24bb0c2022100f829d5ccd3742369299e6294394717c4b723a0f68b44e831b6e6c3bcabf97243":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n":0 +mbedtls_x509_csr_parse:"308201183081bf0201003034310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c31123010060355040313096c6f63616c686f73743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa029302706092a864886f70d01090e311a301830090603551d1304023000300b0603551d0f0404030205e0300906072a8648ce3d04010349003046022100b49fd8c8f77abfa871908dfbe684a08a793d0f490a43d86fcf2086e4f24bb0c2022100f829d5ccd3742369299e6294394717c4b723a0f68b44e831b6e6c3bcabf97243":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n":0 X509 CSR ASN.1 (bad first tag) mbedtls_x509_csr_parse:"3100":"":MBEDTLS_ERR_X509_INVALID_FORMAT From 21c37288e5d4747e1ec898abcc212ef8a7b19f68 Mon Sep 17 00:00:00 2001 
From: Przemek Stekiel Date: Mon, 16 Jan 2023 08:47:49 +0100 Subject: [PATCH 06/20] Adapt function names Signed-off-by: Przemek Stekiel --- include/mbedtls/x509.h | 36 +++++++++++++-------------- library/x509_crt.c | 56 +++++++++++++++++++++--------------------- library/x509_csr.c | 22 ++++++++--------- 3 files changed, 57 insertions(+), 57 deletions(-) diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index 57e072771..abd36b8ee 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -148,7 +148,7 @@ /* * X.509 v3 Key Usage Extension flags - * Reminder: update x509_info_key_usage() when adding new flags. + * Reminder: update mbedtls_x509_info_key_usage() when adding new flags. */ #define MBEDTLS_X509_KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */ #define MBEDTLS_X509_KU_NON_REPUDIATION (0x40) /* bit 1 */ 
@@ -370,23 +370,23 @@ int mbedtls_x509_write_names(unsigned char **p, unsigned char *start, int mbedtls_x509_write_sig(unsigned char **p, unsigned char *start, const char *oid, size_t oid_len, unsigned char *sig, size_t size); -int x509_get_ns_cert_type(unsigned char **p, - const unsigned char *end, - unsigned char *ns_cert_type); -int x509_get_key_usage(unsigned char **p, - const unsigned char *end, - unsigned int *key_usage); -int x509_get_subject_alt_name(unsigned char **p, - const unsigned char *end, - mbedtls_x509_sequence *subject_alt_name); -int x509_info_subject_alt_name(char **buf, size_t *size, - const mbedtls_x509_sequence - *subject_alt_name, - const char *prefix); -int x509_info_cert_type(char **buf, size_t *size, - unsigned char ns_cert_type); -int x509_info_key_usage(char **buf, size_t *size, - unsigned int key_usage); +int mbedtls_x509_get_ns_cert_type(unsigned char **p, + const unsigned char *end, + unsigned char *ns_cert_type); +int mbedtls_x509_get_key_usage(unsigned char **p, + const unsigned char *end, + unsigned int *key_usage); +int mbedtls_x509_get_subject_alt_name(unsigned char **p, + const unsigned char *end, + mbedtls_x509_sequence *subject_alt_name); +int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size, + const mbedtls_x509_sequence + *subject_alt_name, + const char *prefix); +int mbedtls_x509_info_cert_type(char **buf, size_t *size, + unsigned char ns_cert_type); +int mbedtls_x509_info_key_usage(char **buf, size_t *size, + unsigned int key_usage); #define MBEDTLS_X509_SAFE_SNPRINTF \ do { \ diff --git a/library/x509_crt.c b/library/x509_crt.c index 261525d38..a4eb7128e 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c 
@@ -562,9 +562,9 @@ static int x509_get_basic_constraints(unsigned char **p, return 0; } -int x509_get_ns_cert_type(unsigned char **p, - const unsigned char *end, - unsigned char *ns_cert_type) +int mbedtls_x509_get_ns_cert_type(unsigned char **p, + const unsigned char *end, + unsigned char *ns_cert_type) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_x509_bitstring bs = { 0, 0, NULL }; @@ -583,9 +583,9 @@ int x509_get_ns_cert_type(unsigned char **p, return 0; } -int x509_get_key_usage(unsigned char **p, - const unsigned char *end, - unsigned int *key_usage) +int mbedtls_x509_get_key_usage(unsigned char **p, + const unsigned char *end, + unsigned int *key_usage) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t i; @@ -660,9 +660,9 @@ static int x509_get_ext_key_usage(unsigned char **p, * NOTE: we list all types, but only use dNSName and otherName * of type HwModuleName, as defined in RFC 4108, at this point. */ -int x509_get_subject_alt_name(unsigned char **p, - const unsigned char *end, - mbedtls_x509_sequence *subject_alt_name) +int mbedtls_x509_get_subject_alt_name(unsigned char **p, + const unsigned char *end, + mbedtls_x509_sequence *subject_alt_name) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t len, tag_len; @@ -1029,8 +1029,8 @@ static int x509_get_crt_ext(unsigned char **p, case MBEDTLS_X509_EXT_KEY_USAGE: /* Parse key usage */ - if ((ret = x509_get_key_usage(p, end_ext_octet, - &crt->key_usage)) != 0) { + if ((ret = mbedtls_x509_get_key_usage(p, end_ext_octet, + &crt->key_usage)) != 0) { return ret; } break; 
@@ -1045,16 +1045,16 @@ static int x509_get_crt_ext(unsigned char **p, case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME: /* Parse subject alt name */ - if ((ret = x509_get_subject_alt_name(p, end_ext_octet, - &crt->subject_alt_names)) != 0) { + if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_octet, + &crt->subject_alt_names)) != 0) { return ret; } break; case MBEDTLS_X509_EXT_NS_CERT_TYPE: /* Parse netscape certificate type */ - if ((ret = x509_get_ns_cert_type(p, end_ext_octet, - &crt->ns_cert_type)) != 0) { + if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_octet, + &crt->ns_cert_type)) != 0) { return ret; } break; @@ -1849,10 +1849,10 @@ int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf, } #if !defined(MBEDTLS_X509_REMOVE_INFO) -int x509_info_subject_alt_name(char **buf, size_t *size, - const mbedtls_x509_sequence - *subject_alt_name, - const char *prefix) +int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size, + const mbedtls_x509_sequence + *subject_alt_name, + const char *prefix) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t i; @@ -1965,8 +1965,8 @@ int x509_info_subject_alt_name(char **buf, size_t *size, if (ns_cert_type & (type)) \ PRINT_ITEM(name); -int x509_info_cert_type(char **buf, size_t *size, - unsigned char ns_cert_type) +int mbedtls_x509_info_cert_type(char **buf, size_t *size, + unsigned char ns_cert_type) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t n = *size; @@ -1992,8 +1992,8 @@ int x509_info_cert_type(char **buf, size_t *size, if (key_usage & (code)) \ PRINT_ITEM(name); -int x509_info_key_usage(char **buf, size_t *size, - unsigned int key_usage) +int mbedtls_x509_info_key_usage(char **buf, size_t *size, + unsigned int key_usage) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t n = *size; 
@@ -2167,9 +2167,9 @@ int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix, ret = mbedtls_snprintf(p, n, "\n%ssubject alt name :", prefix); MBEDTLS_X509_SAFE_SNPRINTF; - if ((ret = x509_info_subject_alt_name(&p, &n, - &crt->subject_alt_names, - prefix)) != 0) { + if ((ret = mbedtls_x509_info_subject_alt_name(&p, &n, + &crt->subject_alt_names, + prefix)) != 0) { return ret; } } @@ -2178,7 +2178,7 @@ int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix, ret = mbedtls_snprintf(p, n, "\n%scert. type : ", prefix); MBEDTLS_X509_SAFE_SNPRINTF; - if ((ret = x509_info_cert_type(&p, &n, crt->ns_cert_type)) != 0) { + if ((ret = mbedtls_x509_info_cert_type(&p, &n, crt->ns_cert_type)) != 0) { return ret; } } @@ -2187,7 +2187,7 @@ int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix, ret = mbedtls_snprintf(p, n, "\n%skey usage : ", prefix); MBEDTLS_X509_SAFE_SNPRINTF; - if ((ret = x509_info_key_usage(&p, &n, crt->key_usage)) != 0) { + if ((ret = mbedtls_x509_info_key_usage(&p, &n, crt->key_usage)) != 0) { return ret; } } diff --git a/library/x509_csr.c b/library/x509_csr.c index f1c4c6654..1f133e87f 100644 --- a/library/x509_csr.c +++ b/library/x509_csr.c 
@@ -127,24 +127,24 @@ static int x509_csr_parse_extensions(mbedtls_x509_csr *csr, switch (ext_type) { case MBEDTLS_X509_EXT_KEY_USAGE: /* Parse key usage */ - if ((ret = x509_get_key_usage(p, end_ext_data, - &csr->key_usage)) != 0) { + if ((ret = mbedtls_x509_get_key_usage(p, end_ext_data, + &csr->key_usage)) != 0) { return ret; } break; case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME: /* Parse subject alt name */ - if ((ret = x509_get_subject_alt_name(p, end_ext_data, - &csr->subject_alt_names)) != 0) { + if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_data, + &csr->subject_alt_names)) != 0) { return ret; } break; case MBEDTLS_X509_EXT_NS_CERT_TYPE: /* Parse netscape certificate type */ - if ((ret = x509_get_ns_cert_type(p, end_ext_data, - &csr->ns_cert_type)) != 0) { + if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_data, + &csr->ns_cert_type)) != 0) { return ret; } break; @@ -517,9 +517,9 @@ int mbedtls_x509_csr_info(char *buf, size_t size, const char *prefix, ret = mbedtls_snprintf(p, n, "\n%ssubject alt name :", prefix); MBEDTLS_X509_SAFE_SNPRINTF; - if ((ret = x509_info_subject_alt_name(&p, &n, - &csr->subject_alt_names, - prefix)) != 0) { + if ((ret = mbedtls_x509_info_subject_alt_name(&p, &n, + &csr->subject_alt_names, + prefix)) != 0) { return ret; } } @@ -528,7 +528,7 @@ int mbedtls_x509_csr_info(char *buf, size_t size, const char *prefix, ret = mbedtls_snprintf(p, n, "\n%scert. type : ", prefix); MBEDTLS_X509_SAFE_SNPRINTF; - if ((ret = x509_info_cert_type(&p, &n, csr->ns_cert_type)) != 0) { + if ((ret = mbedtls_x509_info_cert_type(&p, &n, csr->ns_cert_type)) != 0) { return ret; } } @@ -537,7 +537,7 @@ int mbedtls_x509_csr_info(char *buf, size_t size, const char *prefix, ret = mbedtls_snprintf(p, n, "\n%skey usage : ", prefix); MBEDTLS_X509_SAFE_SNPRINTF; - if ((ret = x509_info_key_usage(&p, &n, csr->key_usage)) != 0) { + if ((ret = mbedtls_x509_info_key_usage(&p, &n, csr->key_usage)) != 0) { return ret; } } 
From db128f518ccbb8e902e1234571a0412834a7be1f Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 16 Jan 2023 13:33:19 +0100 Subject: [PATCH 07/20] Allow empty ns_cert_type, key_usage while parsing certificates Signed-off-by: Przemek Stekiel --- library/x509_crt.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/library/x509_crt.c b/library/x509_crt.c index a4eb7128e..f77991eb5 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -573,6 +573,11 @@ int mbedtls_x509_get_ns_cert_type(unsigned char **p, return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); } + if (bs.len == 0) { + *ns_cert_type = 0; + return 0; + } + if (bs.len != 1) { return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, MBEDTLS_ERR_ASN1_INVALID_LENGTH); @@ -595,6 +600,11 @@ int mbedtls_x509_get_key_usage(unsigned char **p, return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); } + if (bs.len == 0) { + *key_usage = 0; + return 0; + } + if (bs.len < 1) { return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, MBEDTLS_ERR_ASN1_INVALID_LENGTH); From cf6ff0fb43b05dbfbb1c549d028298ca4d969bd1 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 17 Jan 2023 10:26:40 +0100 Subject: [PATCH 08/20] Move common functions for crt/csr parsing to x509.c Signed-off-by: Przemek Stekiel --- include/mbedtls/x509.h | 80 ++++++ include/mbedtls/x509_crt.h | 80 ------ library/x509.c | 486 +++++++++++++++++++++++++++++++++++++ library/x509_crt.c | 481 ------------------------------------ 4 files changed, 566 insertions(+), 561 deletions(-) diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index abd36b8ee..aa1cd084e 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h 
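Review bot: In mbedtls_x509_get_key_usage the new `if (bs.len == 0)` early return makes the `if (bs.len < 1)` check right after it unreachable, so the old rejection path is dead code and should be deleted rather than left to suggest that empty values are still refused. The same early return in mbedtls_x509_get_ns_cert_type (first hunk) leaves its `bs.len != 1` check meaningful. Both functions now report an extension that is present with an empty BIT STRING as the value 0, although RFC 5280 section 4.2.1.3 requires at least one keyUsage bit to be set in a certificate; the leniency deserves a comment at each return, for example `/* Empty BIT STRING accepted for interoperability: extension present, no bits set */`. Code that enforces key usage has to keep failing closed on a zero value when the extension is present; that code is outside these hunks, and both function bodies continue past them.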
@@ -250,6 +250,56 @@ typedef struct mbedtls_x509_time { } mbedtls_x509_time; +/** + * From RFC 5280 section 4.2.1.6: + * OtherName ::= SEQUENCE { + * type-id OBJECT IDENTIFIER, + * value [0] EXPLICIT ANY DEFINED BY type-id } + * + * Future versions of the library may add new fields to this structure or + * to its embedded union and structure. + */ +typedef struct mbedtls_x509_san_other_name { + /** + * The type_id is an OID as defined in RFC 5280. + * To check the value of the type id, you should use + * \p MBEDTLS_OID_CMP with a known OID mbedtls_x509_buf. + */ + mbedtls_x509_buf type_id; /**< The type id. */ + union { + /** + * From RFC 4108 section 5: + * HardwareModuleName ::= SEQUENCE { + * hwType OBJECT IDENTIFIER, + * hwSerialNum OCTET STRING } + */ + struct { + mbedtls_x509_buf oid; /**< The object identifier. */ + mbedtls_x509_buf val; /**< The named value. */ + } + hardware_module_name; + } + value; +} +mbedtls_x509_san_other_name; + +/** + * A structure for holding the parsed Subject Alternative Name, + * according to type. + * + * Future versions of the library may add new fields to this structure or + * to its embedded union and structure. + */ +typedef struct mbedtls_x509_subject_alternative_name { + int type; /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */ + union { + mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */ + mbedtls_x509_buf unstructured_name; /**< The buffer for the un constructed types. Only dnsName currently supported */ + } + san; /**< A union of the supported SAN types */ +} +mbedtls_x509_subject_alternative_name; + /** \} name Structures for parsing X.509 certificates, CRLs and CSRs */ /** 
@@ -326,6 +376,36 @@ int mbedtls_x509_time_is_past(const mbedtls_x509_time *to); */ int mbedtls_x509_time_is_future(const mbedtls_x509_time *from); +/** + * \brief This function parses an item in the SubjectAlternativeNames + * extension. + * + * \param san_buf The buffer holding the raw data item of the subject + * alternative name. + * \param san The target structure to populate with the parsed presentation + * of the subject alternative name encoded in \p san_raw. + * + * \note Only "dnsName" and "otherName" of type hardware_module_name + * as defined in RFC 4180 is supported. + * + * \note This function should be called on a single raw data of + * subject alternative name. For example, after successful + * certificate parsing, one must iterate on every item in the + * \p crt->subject_alt_names sequence, and pass it to + * this function. + * + * \warning The target structure contains pointers to the raw data of the + * parsed certificate, and its lifetime is restricted by the + * lifetime of the certificate. + * + * \return \c 0 on success + * \return #MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE for an unsupported + * SAN type. + * \return Another negative value for any other failure. + */ +int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf, + mbedtls_x509_subject_alternative_name *san); + /** \} addtogroup x509_module */ /* diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 661f8aa7b..206083502 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h 
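Review bot: The documentation block added for mbedtls_x509_parse_subject_alt_name was moved verbatim from x509_crt.h and carries three inaccuracies. The `\param san` text refers to `\p san_raw`, but the parameter is named `san_buf`, and the first `\note` cites RFC 4180 while the structure comments in this same patch attribute HardwareModuleName to RFC 4108. Now that the function lives in x509.h and the series also fills `subject_alt_names` in mbedtls_x509_csr, the second `\note` and the `\warning` should say "certificate or CSR": the parsed structure points into the raw buffer of whichever object it came from and must not outlive it.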
@@ -102,56 +102,6 @@ typedef struct mbedtls_x509_crt { } mbedtls_x509_crt; -/** - * From RFC 5280 section 4.2.1.6: - * OtherName ::= SEQUENCE { - * type-id OBJECT IDENTIFIER, - * value [0] EXPLICIT ANY DEFINED BY type-id } - * - * Future versions of the library may add new fields to this structure or - * to its embedded union and structure. - */ -typedef struct mbedtls_x509_san_other_name { - /** - * The type_id is an OID as defined in RFC 5280. - * To check the value of the type id, you should use - * \p MBEDTLS_OID_CMP with a known OID mbedtls_x509_buf. - */ - mbedtls_x509_buf type_id; /**< The type id. */ - union { - /** - * From RFC 4108 section 5: - * HardwareModuleName ::= SEQUENCE { - * hwType OBJECT IDENTIFIER, - * hwSerialNum OCTET STRING } - */ - struct { - mbedtls_x509_buf oid; /**< The object identifier. */ - mbedtls_x509_buf val; /**< The named value. */ - } - hardware_module_name; - } - value; -} -mbedtls_x509_san_other_name; - -/** - * A structure for holding the parsed Subject Alternative Name, - * according to type. - * - * Future versions of the library may add new fields to this structure or - * to its embedded union and structure. - */ -typedef struct mbedtls_x509_subject_alternative_name { - int type; /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */ - union { - mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */ - mbedtls_x509_buf unstructured_name; /**< The buffer for the un constructed types. Only dnsName currently supported */ - } - san; /**< A union of the supported SAN types */ -} -mbedtls_x509_subject_alternative_name; - /** * Build flag from an algorithm/curve identifier (pk, md, ecp) * Since 0 is always XXX_NONE, ignore it. 
@@ -589,36 +539,6 @@ int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path); int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path); #endif /* MBEDTLS_FS_IO */ -/** - * \brief This function parses an item in the SubjectAlternativeNames - * extension. - * - * \param san_buf The buffer holding the raw data item of the subject - * alternative name. - * \param san The target structure to populate with the parsed presentation - * of the subject alternative name encoded in \p san_raw. - * - * \note Only "dnsName" and "otherName" of type hardware_module_name - * as defined in RFC 4180 is supported. - * - * \note This function should be called on a single raw data of - * subject alternative name. For example, after successful - * certificate parsing, one must iterate on every item in the - * \p crt->subject_alt_names sequence, and pass it to - * this function. - * - * \warning The target structure contains pointers to the raw data of the - * parsed certificate, and its lifetime is restricted by the - * lifetime of the certificate. - * - * \return \c 0 on success - * \return #MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE for an unsupported - * SAN type. - * \return Another negative value for any other failure. - */ -int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf, - mbedtls_x509_subject_alternative_name *san); - #if !defined(MBEDTLS_X509_REMOVE_INFO) /** * \brief Returns an informational string about the diff --git a/library/x509.c b/library/x509.c index 1b3701cda..9869b05e5 100644 --- a/library/x509.c +++ b/library/x509.c 
@@ -1107,4 +1107,490 @@ int mbedtls_x509_time_is_future(const mbedtls_x509_time *from) return 0; } #endif /* MBEDTLS_HAVE_TIME_DATE */ + +/* Common functions for parsing CRT and CSR. */ +#if defined(MBEDTLS_X509_CRT_PARSE_C) || defined(MBEDTLS_X509_CSR_PARSE_C) +/* + * OtherName ::= SEQUENCE { + * type-id OBJECT IDENTIFIER, + * value [0] EXPLICIT ANY DEFINED BY type-id } + * + * HardwareModuleName ::= SEQUENCE { + * hwType OBJECT IDENTIFIER, + * hwSerialNum OCTET STRING } + * + * NOTE: we currently only parse and use otherName of type HwModuleName, + * as defined in RFC 4108. + */ +static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name, + mbedtls_x509_san_other_name *other_name) +{ + int ret = 0; + size_t len; + unsigned char *p = subject_alt_name->p; + const unsigned char *end = p + subject_alt_name->len; + mbedtls_x509_buf cur_oid; + + if ((subject_alt_name->tag & + (MBEDTLS_ASN1_TAG_CLASS_MASK | MBEDTLS_ASN1_TAG_VALUE_MASK)) != + (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_OTHER_NAME)) { + /* + * The given subject alternative name is not of type "othername". + */ + return MBEDTLS_ERR_X509_BAD_INPUT_DATA; + } + + if ((ret = mbedtls_asn1_get_tag(&p, end, &len, + MBEDTLS_ASN1_OID)) != 0) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); + } + + cur_oid.tag = MBEDTLS_ASN1_OID; + cur_oid.p = p; + cur_oid.len = len; + + /* + * Only HwModuleName is currently supported. 
+ */ + if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME, &cur_oid) != 0) { + return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE; + } + + if (p + len >= end) { + mbedtls_platform_zeroize(other_name, sizeof(*other_name)); + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); + } + p += len; + if ((ret = mbedtls_asn1_get_tag(&p, end, &len, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC)) != + 0) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); + } + + if ((ret = mbedtls_asn1_get_tag(&p, end, &len, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); + } + + if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID)) != 0) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); + } + + other_name->value.hardware_module_name.oid.tag = MBEDTLS_ASN1_OID; + other_name->value.hardware_module_name.oid.p = p; + other_name->value.hardware_module_name.oid.len = len; + + if (p + len >= end) { + mbedtls_platform_zeroize(other_name, sizeof(*other_name)); + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); + } + p += len; + if ((ret = mbedtls_asn1_get_tag(&p, end, &len, + MBEDTLS_ASN1_OCTET_STRING)) != 0) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); + } + + other_name->value.hardware_module_name.val.tag = MBEDTLS_ASN1_OCTET_STRING; + other_name->value.hardware_module_name.val.p = p; + other_name->value.hardware_module_name.val.len = len; + p += len; + if (p != end) { + mbedtls_platform_zeroize(other_name, + sizeof(*other_name)); + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); + } + return 0; +} + +/* + * SubjectAltName ::= GeneralNames + * + * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName + * + * GeneralName ::= CHOICE { + * otherName [0] OtherName, + * rfc822Name [1] 
IA5String, + * dNSName [2] IA5String, + * x400Address [3] ORAddress, + * directoryName [4] Name, + * ediPartyName [5] EDIPartyName, + * uniformResourceIdentifier [6] IA5String, + * iPAddress [7] OCTET STRING, + * registeredID [8] OBJECT IDENTIFIER } + * + * OtherName ::= SEQUENCE { + * type-id OBJECT IDENTIFIER, + * value [0] EXPLICIT ANY DEFINED BY type-id } + * + * EDIPartyName ::= SEQUENCE { + * nameAssigner [0] DirectoryString OPTIONAL, + * partyName [1] DirectoryString } + * + * NOTE: we list all types, but only use dNSName and otherName + * of type HwModuleName, as defined in RFC 4108, at this point. + */ +int mbedtls_x509_get_subject_alt_name(unsigned char **p, + const unsigned char *end, + mbedtls_x509_sequence *subject_alt_name) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t len, tag_len; + mbedtls_asn1_buf *buf; + unsigned char tag; + mbedtls_asn1_sequence *cur = subject_alt_name; + + /* Get main sequence tag */ + if ((ret = mbedtls_asn1_get_tag(p, end, &len, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); + } + + if (*p + len != end) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); + } + + while (*p < end) { + mbedtls_x509_subject_alternative_name dummy_san_buf; + memset(&dummy_san_buf, 0, sizeof(dummy_san_buf)); + + tag = **p; + (*p)++; + if ((ret = mbedtls_asn1_get_len(p, end, &tag_len)) != 0) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); + } + + if ((tag & MBEDTLS_ASN1_TAG_CLASS_MASK) != + MBEDTLS_ASN1_CONTEXT_SPECIFIC) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG); + } + + /* + * Check that the SAN is structured correctly. + */ + ret = mbedtls_x509_parse_subject_alt_name(&(cur->buf), &dummy_san_buf); + /* + * In case the extension is malformed, return an error, + * and clear the allocated sequences. 
+ */ + if (ret != 0 && ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) { + mbedtls_asn1_sequence_free(subject_alt_name->next); + subject_alt_name->next = NULL; + return ret; + } + + /* Allocate and assign next pointer */ + if (cur->buf.p != NULL) { + if (cur->next != NULL) { + return MBEDTLS_ERR_X509_INVALID_EXTENSIONS; + } + + cur->next = mbedtls_calloc(1, sizeof(mbedtls_asn1_sequence)); + + if (cur->next == NULL) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, + MBEDTLS_ERR_ASN1_ALLOC_FAILED); + } + + cur = cur->next; + } + + buf = &(cur->buf); + buf->tag = tag; + buf->p = *p; + buf->len = tag_len; + *p += buf->len; + } + + /* Set final sequence entry's next pointer to NULL */ + cur->next = NULL; + + if (*p != end) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); + } + + return 0; +} + +int mbedtls_x509_get_ns_cert_type(unsigned char **p, + const unsigned char *end, + unsigned char *ns_cert_type) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + mbedtls_x509_bitstring bs = { 0, 0, NULL }; + + if ((ret = mbedtls_asn1_get_bitstring(p, end, &bs)) != 0) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); + } + + if (bs.len == 0) { + *ns_cert_type = 0; + return 0; + } + + if (bs.len != 1) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, + MBEDTLS_ERR_ASN1_INVALID_LENGTH); + } + + /* Get actual bitstring */ + *ns_cert_type = *bs.p; + return 0; +} + +int mbedtls_x509_get_key_usage(unsigned char **p, + const unsigned char *end, + unsigned int *key_usage) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t i; + mbedtls_x509_bitstring bs = { 0, 0, NULL }; + + if ((ret = mbedtls_asn1_get_bitstring(p, end, &bs)) != 0) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); + } + + if (bs.len == 0) { + *key_usage = 0; + return 0; + } + + if (bs.len < 1) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, + 
MBEDTLS_ERR_ASN1_INVALID_LENGTH); + } + + /* Get actual bitstring */ + *key_usage = 0; + for (i = 0; i < bs.len && i < sizeof(unsigned int); i++) { + *key_usage |= (unsigned int) bs.p[i] << (8*i); + } + + return 0; +} + +int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf, + mbedtls_x509_subject_alternative_name *san) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + switch (san_buf->tag & + (MBEDTLS_ASN1_TAG_CLASS_MASK | + MBEDTLS_ASN1_TAG_VALUE_MASK)) { + /* + * otherName + */ + case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_OTHER_NAME): + { + mbedtls_x509_san_other_name other_name; + + ret = x509_get_other_name(san_buf, &other_name); + if (ret != 0) { + return ret; + } + + memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name)); + san->type = MBEDTLS_X509_SAN_OTHER_NAME; + memcpy(&san->san.other_name, + &other_name, sizeof(other_name)); + + } + break; + + /* + * dNSName + */ + case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_DNS_NAME): + { + memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name)); + san->type = MBEDTLS_X509_SAN_DNS_NAME; + + memcpy(&san->san.unstructured_name, + san_buf, sizeof(*san_buf)); + + } + break; + + /* + * Type not supported + */ + default: + return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE; + } + return 0; +} + +#if !defined(MBEDTLS_X509_REMOVE_INFO) +int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size, + const mbedtls_x509_sequence + *subject_alt_name, + const char *prefix) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t i; + size_t n = *size; + char *p = *buf; + const mbedtls_x509_sequence *cur = subject_alt_name; + mbedtls_x509_subject_alternative_name san; + int parse_ret; + + while (cur != NULL) { + memset(&san, 0, sizeof(san)); + parse_ret = mbedtls_x509_parse_subject_alt_name(&cur->buf, &san); + if (parse_ret != 0) { + if (parse_ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) { + ret = mbedtls_snprintf(p, n, "\n%s ", prefix); + MBEDTLS_X509_SAFE_SNPRINTF; + } 
else { + ret = mbedtls_snprintf(p, n, "\n%s ", prefix); + MBEDTLS_X509_SAFE_SNPRINTF; + } + cur = cur->next; + continue; + } + + switch (san.type) { + /* + * otherName + */ + case MBEDTLS_X509_SAN_OTHER_NAME: + { + mbedtls_x509_san_other_name *other_name = &san.san.other_name; + + ret = mbedtls_snprintf(p, n, "\n%s otherName :", prefix); + MBEDTLS_X509_SAFE_SNPRINTF; + + if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME, + &other_name->value.hardware_module_name.oid) != 0) { + ret = mbedtls_snprintf(p, n, "\n%s hardware module name :", prefix); + MBEDTLS_X509_SAFE_SNPRINTF; + ret = + mbedtls_snprintf(p, n, "\n%s hardware type : ", prefix); + MBEDTLS_X509_SAFE_SNPRINTF; + + ret = mbedtls_oid_get_numeric_string(p, + n, + &other_name->value.hardware_module_name.oid); + MBEDTLS_X509_SAFE_SNPRINTF; + + ret = + mbedtls_snprintf(p, n, "\n%s hardware serial number : ", prefix); + MBEDTLS_X509_SAFE_SNPRINTF; + + for (i = 0; i < other_name->value.hardware_module_name.val.len; i++) { + ret = mbedtls_snprintf(p, + n, + "%02X", + other_name->value.hardware_module_name.val.p[i]); + MBEDTLS_X509_SAFE_SNPRINTF; + } + }/* MBEDTLS_OID_ON_HW_MODULE_NAME */ + } + break; + + /* + * dNSName + */ + case MBEDTLS_X509_SAN_DNS_NAME: + { + ret = mbedtls_snprintf(p, n, "\n%s dNSName : ", prefix); + MBEDTLS_X509_SAFE_SNPRINTF; + if (san.san.unstructured_name.len >= n) { + *p = '\0'; + return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; + } + + memcpy(p, san.san.unstructured_name.p, san.san.unstructured_name.len); + p += san.san.unstructured_name.len; + n -= san.san.unstructured_name.len; + } + break; + + /* + * Type not supported, skip item. 
+ */ + default: + ret = mbedtls_snprintf(p, n, "\n%s ", prefix); + MBEDTLS_X509_SAFE_SNPRINTF; + break; + } + + cur = cur->next; + } + + *p = '\0'; + + *size = n; + *buf = p; + + return 0; +} + +#define PRINT_ITEM(i) \ + { \ + ret = mbedtls_snprintf(p, n, "%s" i, sep); \ + MBEDTLS_X509_SAFE_SNPRINTF; \ + sep = ", "; \ + } + +#define CERT_TYPE(type, name) \ + if (ns_cert_type & (type)) \ + PRINT_ITEM(name); + +int mbedtls_x509_info_cert_type(char **buf, size_t *size, + unsigned char ns_cert_type) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t n = *size; + char *p = *buf; + const char *sep = ""; + + CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT, "SSL Client"); + CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER, "SSL Server"); + CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_EMAIL, "Email"); + CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING, "Object Signing"); + CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_RESERVED, "Reserved"); + CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_CA, "SSL CA"); + CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA, "Email CA"); + CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA, "Object Signing CA"); + + *size = n; + *buf = p; + + return 0; +} + +#define KEY_USAGE(code, name) \ + if (key_usage & (code)) \ + PRINT_ITEM(name); + +int mbedtls_x509_info_key_usage(char **buf, size_t *size, + unsigned int key_usage) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t n = *size; + char *p = *buf; + const char *sep = ""; + + KEY_USAGE(MBEDTLS_X509_KU_DIGITAL_SIGNATURE, "Digital Signature"); + KEY_USAGE(MBEDTLS_X509_KU_NON_REPUDIATION, "Non Repudiation"); + KEY_USAGE(MBEDTLS_X509_KU_KEY_ENCIPHERMENT, "Key Encipherment"); + KEY_USAGE(MBEDTLS_X509_KU_DATA_ENCIPHERMENT, "Data Encipherment"); + KEY_USAGE(MBEDTLS_X509_KU_KEY_AGREEMENT, "Key Agreement"); + KEY_USAGE(MBEDTLS_X509_KU_KEY_CERT_SIGN, "Key Cert Sign"); + KEY_USAGE(MBEDTLS_X509_KU_CRL_SIGN, "CRL Sign"); + KEY_USAGE(MBEDTLS_X509_KU_ENCIPHER_ONLY, "Encipher Only"); + 
KEY_USAGE(MBEDTLS_X509_KU_DECIPHER_ONLY, "Decipher Only"); + + *size = n; + *buf = p; + + return 0; +} +#endif /* MBEDTLS_X509_REMOVE_INFO */ +#endif /* MBEDTLS_X509_CRT_PARSE_C || MBEDTLS_X509_CSR_PARSE_C */ #endif /* MBEDTLS_X509_USE_C */ diff --git a/library/x509_crt.c b/library/x509_crt.c index f77991eb5..5997c8746 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -562,63 +562,6 @@ static int x509_get_basic_constraints(unsigned char **p, return 0; } -int mbedtls_x509_get_ns_cert_type(unsigned char **p, - const unsigned char *end, - unsigned char *ns_cert_type) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - mbedtls_x509_bitstring bs = { 0, 0, NULL }; - - if ((ret = mbedtls_asn1_get_bitstring(p, end, &bs)) != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); - } - - if (bs.len == 0) { - *ns_cert_type = 0; - return 0; - } - - if (bs.len != 1) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, - MBEDTLS_ERR_ASN1_INVALID_LENGTH); - } - - /* Get actual bitstring */ - *ns_cert_type = *bs.p; - return 0; -} - -int mbedtls_x509_get_key_usage(unsigned char **p, - const unsigned char *end, - unsigned int *key_usage) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t i; - mbedtls_x509_bitstring bs = { 0, 0, NULL }; - - if ((ret = mbedtls_asn1_get_bitstring(p, end, &bs)) != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); - } - - if (bs.len == 0) { - *key_usage = 0; - return 0; - } - - if (bs.len < 1) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, - MBEDTLS_ERR_ASN1_INVALID_LENGTH); - } - - /* Get actual bitstring */ - *key_usage = 0; - for (i = 0; i < bs.len && i < sizeof(unsigned int); i++) { - *key_usage |= (unsigned int) bs.p[i] << (8*i); - } - - return 0; -} - /* * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId * 
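Review bot: In mbedtls_x509_get_subject_alt_name the structural check calls `mbedtls_x509_parse_subject_alt_name(&(cur->buf), &dummy_san_buf)` before the entry just read has been stored, so each pass validates the entry from the previous iteration (an empty buffer on the first pass, assuming the caller hands in a zeroed head) and the last GeneralName in the sequence is never checked. The check should run on the tag, pointer and length read in the current iteration, as sketched below. Separately, x509_get_other_name compares `cur_oid` but never stores it, so the `type_id` that mbedtls_x509_parse_subject_alt_name copies out of its uninitialised local `other_name` is indeterminate; adding `other_name->type_id = cur_oid;` after the OID comparison would fill the field the header tells callers to test. The code in this hunk is moved unchanged from x509_crt.c, but it now also parses CSR input.

```c
    while (*p < end) {
        mbedtls_asn1_buf tmp_san_buf;   /* entry being read in this iteration */
        /* ... unchanged: dummy_san_buf setup, tag read, mbedtls_asn1_get_len(), class check ... */

        tmp_san_buf.tag = tag;
        tmp_san_buf.p = *p;
        tmp_san_buf.len = tag_len;

        /* Validate the entry just read rather than the one stored on the previous pass. */
        ret = mbedtls_x509_parse_subject_alt_name(&tmp_san_buf, &dummy_san_buf);
        /* ... unchanged: error handling, cur->next allocation, storing tag/p/len in cur->buf ... */
```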
@@ -643,118 +586,6 @@ static int x509_get_ext_key_usage(unsigned char **p, return 0; } -/* - * SubjectAltName ::= GeneralNames - * - * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName - * - * GeneralName ::= CHOICE { - * otherName [0] OtherName, - * rfc822Name [1] IA5String, - * dNSName [2] IA5String, - * x400Address [3] ORAddress, - * directoryName [4] Name, - * ediPartyName [5] EDIPartyName, - * uniformResourceIdentifier [6] IA5String, - * iPAddress [7] OCTET STRING, - * registeredID [8] OBJECT IDENTIFIER } - * - * OtherName ::= SEQUENCE { - * type-id OBJECT IDENTIFIER, - * value [0] EXPLICIT ANY DEFINED BY type-id } - * - * EDIPartyName ::= SEQUENCE { - * nameAssigner [0] DirectoryString OPTIONAL, - * partyName [1] DirectoryString } - * - * NOTE: we list all types, but only use dNSName and otherName - * of type HwModuleName, as defined in RFC 4108, at this point. - */ -int mbedtls_x509_get_subject_alt_name(unsigned char **p, - const unsigned char *end, - mbedtls_x509_sequence *subject_alt_name) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t len, tag_len; - mbedtls_asn1_buf *buf; - unsigned char tag; - mbedtls_asn1_sequence *cur = subject_alt_name; - - /* Get main sequence tag */ - if ((ret = mbedtls_asn1_get_tag(p, end, &len, - MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); - } - - if (*p + len != end) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, - MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); - } - - while (*p < end) { - mbedtls_x509_subject_alternative_name dummy_san_buf; - memset(&dummy_san_buf, 0, sizeof(dummy_san_buf)); - - tag = **p; - (*p)++; - if ((ret = mbedtls_asn1_get_len(p, end, &tag_len)) != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); - } - - if ((tag & MBEDTLS_ASN1_TAG_CLASS_MASK) != - MBEDTLS_ASN1_CONTEXT_SPECIFIC) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, - 
MBEDTLS_ERR_ASN1_UNEXPECTED_TAG); - } - - /* - * Check that the SAN is structured correctly. - */ - ret = mbedtls_x509_parse_subject_alt_name(&(cur->buf), &dummy_san_buf); - /* - * In case the extension is malformed, return an error, - * and clear the allocated sequences. - */ - if (ret != 0 && ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) { - mbedtls_asn1_sequence_free(subject_alt_name->next); - subject_alt_name->next = NULL; - return ret; - } - - /* Allocate and assign next pointer */ - if (cur->buf.p != NULL) { - if (cur->next != NULL) { - return MBEDTLS_ERR_X509_INVALID_EXTENSIONS; - } - - cur->next = mbedtls_calloc(1, sizeof(mbedtls_asn1_sequence)); - - if (cur->next == NULL) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, - MBEDTLS_ERR_ASN1_ALLOC_FAILED); - } - - cur = cur->next; - } - - buf = &(cur->buf); - buf->tag = tag; - buf->p = *p; - buf->len = tag_len; - *p += buf->len; - } - - /* Set final sequence entry's next pointer to NULL */ - cur->next = NULL; - - if (*p != end) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, - MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); - } - - return 0; -} - /* * id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 } * 
@@ -1713,319 +1544,7 @@ cleanup: } #endif /* MBEDTLS_FS_IO */ -/* - * OtherName ::= SEQUENCE { - * type-id OBJECT IDENTIFIER, - * value [0] EXPLICIT ANY DEFINED BY type-id } - * - * HardwareModuleName ::= SEQUENCE { - * hwType OBJECT IDENTIFIER, - * hwSerialNum OCTET STRING } - * - * NOTE: we currently only parse and use otherName of type HwModuleName, - * as defined in RFC 4108. - */ -static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name, - mbedtls_x509_san_other_name *other_name) -{ - int ret = 0; - size_t len; - unsigned char *p = subject_alt_name->p; - const unsigned char *end = p + subject_alt_name->len; - mbedtls_x509_buf cur_oid; - - if ((subject_alt_name->tag & - (MBEDTLS_ASN1_TAG_CLASS_MASK | MBEDTLS_ASN1_TAG_VALUE_MASK)) != - (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_OTHER_NAME)) { - /* - * The given subject alternative name is not of type "othername". - */ - return MBEDTLS_ERR_X509_BAD_INPUT_DATA; - } - - if ((ret = mbedtls_asn1_get_tag(&p, end, &len, - MBEDTLS_ASN1_OID)) != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); - } - - cur_oid.tag = MBEDTLS_ASN1_OID; - cur_oid.p = p; - cur_oid.len = len; - - /* - * Only HwModuleName is currently supported. 
- */ - if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME, &cur_oid) != 0) { - return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE; - } - - if (p + len >= end) { - mbedtls_platform_zeroize(other_name, sizeof(*other_name)); - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, - MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); - } - p += len; - if ((ret = mbedtls_asn1_get_tag(&p, end, &len, - MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC)) != - 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); - } - - if ((ret = mbedtls_asn1_get_tag(&p, end, &len, - MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); - } - - if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID)) != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); - } - - other_name->value.hardware_module_name.oid.tag = MBEDTLS_ASN1_OID; - other_name->value.hardware_module_name.oid.p = p; - other_name->value.hardware_module_name.oid.len = len; - - if (p + len >= end) { - mbedtls_platform_zeroize(other_name, sizeof(*other_name)); - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, - MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); - } - p += len; - if ((ret = mbedtls_asn1_get_tag(&p, end, &len, - MBEDTLS_ASN1_OCTET_STRING)) != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); - } - - other_name->value.hardware_module_name.val.tag = MBEDTLS_ASN1_OCTET_STRING; - other_name->value.hardware_module_name.val.p = p; - other_name->value.hardware_module_name.val.len = len; - p += len; - if (p != end) { - mbedtls_platform_zeroize(other_name, - sizeof(*other_name)); - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, - MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); - } - return 0; -} - -int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf, - mbedtls_x509_subject_alternative_name *san) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - switch 
(san_buf->tag & - (MBEDTLS_ASN1_TAG_CLASS_MASK | - MBEDTLS_ASN1_TAG_VALUE_MASK)) { - /* - * otherName - */ - case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_OTHER_NAME): - { - mbedtls_x509_san_other_name other_name; - - ret = x509_get_other_name(san_buf, &other_name); - if (ret != 0) { - return ret; - } - - memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name)); - san->type = MBEDTLS_X509_SAN_OTHER_NAME; - memcpy(&san->san.other_name, - &other_name, sizeof(other_name)); - - } - break; - - /* - * dNSName - */ - case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_DNS_NAME): - { - memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name)); - san->type = MBEDTLS_X509_SAN_DNS_NAME; - - memcpy(&san->san.unstructured_name, - san_buf, sizeof(*san_buf)); - - } - break; - - /* - * Type not supported - */ - default: - return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE; - } - return 0; -} - #if !defined(MBEDTLS_X509_REMOVE_INFO) -int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size, - const mbedtls_x509_sequence - *subject_alt_name, - const char *prefix) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t i; - size_t n = *size; - char *p = *buf; - const mbedtls_x509_sequence *cur = subject_alt_name; - mbedtls_x509_subject_alternative_name san; - int parse_ret; - - while (cur != NULL) { - memset(&san, 0, sizeof(san)); - parse_ret = mbedtls_x509_parse_subject_alt_name(&cur->buf, &san); - if (parse_ret != 0) { - if (parse_ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) { - ret = mbedtls_snprintf(p, n, "\n%s ", prefix); - MBEDTLS_X509_SAFE_SNPRINTF; - } else { - ret = mbedtls_snprintf(p, n, "\n%s ", prefix); - MBEDTLS_X509_SAFE_SNPRINTF; - } - cur = cur->next; - continue; - } - - switch (san.type) { - /* - * otherName - */ - case MBEDTLS_X509_SAN_OTHER_NAME: - { - mbedtls_x509_san_other_name *other_name = &san.san.other_name; - - ret = mbedtls_snprintf(p, n, "\n%s otherName :", prefix); - MBEDTLS_X509_SAFE_SNPRINTF; - - if 
(MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME, - &other_name->value.hardware_module_name.oid) != 0) { - ret = mbedtls_snprintf(p, n, "\n%s hardware module name :", prefix); - MBEDTLS_X509_SAFE_SNPRINTF; - ret = - mbedtls_snprintf(p, n, "\n%s hardware type : ", prefix); - MBEDTLS_X509_SAFE_SNPRINTF; - - ret = mbedtls_oid_get_numeric_string(p, - n, - &other_name->value.hardware_module_name.oid); - MBEDTLS_X509_SAFE_SNPRINTF; - - ret = - mbedtls_snprintf(p, n, "\n%s hardware serial number : ", prefix); - MBEDTLS_X509_SAFE_SNPRINTF; - - for (i = 0; i < other_name->value.hardware_module_name.val.len; i++) { - ret = mbedtls_snprintf(p, - n, - "%02X", - other_name->value.hardware_module_name.val.p[i]); - MBEDTLS_X509_SAFE_SNPRINTF; - } - }/* MBEDTLS_OID_ON_HW_MODULE_NAME */ - } - break; - - /* - * dNSName - */ - case MBEDTLS_X509_SAN_DNS_NAME: - { - ret = mbedtls_snprintf(p, n, "\n%s dNSName : ", prefix); - MBEDTLS_X509_SAFE_SNPRINTF; - if (san.san.unstructured_name.len >= n) { - *p = '\0'; - return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; - } - - memcpy(p, san.san.unstructured_name.p, san.san.unstructured_name.len); - p += san.san.unstructured_name.len; - n -= san.san.unstructured_name.len; - } - break; - - /* - * Type not supported, skip item. 
- */ - default: - ret = mbedtls_snprintf(p, n, "\n%s ", prefix); - MBEDTLS_X509_SAFE_SNPRINTF; - break; - } - - cur = cur->next; - } - - *p = '\0'; - - *size = n; - *buf = p; - - return 0; -} - -#define PRINT_ITEM(i) \ - { \ - ret = mbedtls_snprintf(p, n, "%s" i, sep); \ - MBEDTLS_X509_SAFE_SNPRINTF; \ - sep = ", "; \ - } - -#define CERT_TYPE(type, name) \ - if (ns_cert_type & (type)) \ - PRINT_ITEM(name); - -int mbedtls_x509_info_cert_type(char **buf, size_t *size, - unsigned char ns_cert_type) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t n = *size; - char *p = *buf; - const char *sep = ""; - - CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT, "SSL Client"); - CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER, "SSL Server"); - CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_EMAIL, "Email"); - CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING, "Object Signing"); - CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_RESERVED, "Reserved"); - CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_CA, "SSL CA"); - CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA, "Email CA"); - CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA, "Object Signing CA"); - - *size = n; - *buf = p; - - return 0; -} - -#define KEY_USAGE(code, name) \ - if (key_usage & (code)) \ - PRINT_ITEM(name); - -int mbedtls_x509_info_key_usage(char **buf, size_t *size, - unsigned int key_usage) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t n = *size; - char *p = *buf; - const char *sep = ""; - - KEY_USAGE(MBEDTLS_X509_KU_DIGITAL_SIGNATURE, "Digital Signature"); - KEY_USAGE(MBEDTLS_X509_KU_NON_REPUDIATION, "Non Repudiation"); - KEY_USAGE(MBEDTLS_X509_KU_KEY_ENCIPHERMENT, "Key Encipherment"); - KEY_USAGE(MBEDTLS_X509_KU_DATA_ENCIPHERMENT, "Data Encipherment"); - KEY_USAGE(MBEDTLS_X509_KU_KEY_AGREEMENT, "Key Agreement"); - KEY_USAGE(MBEDTLS_X509_KU_KEY_CERT_SIGN, "Key Cert Sign"); - KEY_USAGE(MBEDTLS_X509_KU_CRL_SIGN, "CRL Sign"); - KEY_USAGE(MBEDTLS_X509_KU_ENCIPHER_ONLY, "Encipher Only"); - 
KEY_USAGE(MBEDTLS_X509_KU_DECIPHER_ONLY, "Decipher Only"); - - *size = n; - *buf = p; - - return 0; -} - static int x509_info_ext_key_usage(char **buf, size_t *size, const mbedtls_x509_sequence *extended_key_usage) { From 3f948c96e21c855927bdea999bd7de57e9806f92 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 24 Jan 2023 08:14:23 +0100 Subject: [PATCH 09/20] Fix typo in test dependencies Signed-off-by: Przemek Stekiel --- tests/suites/test_suite_x509parse.data | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index d2c322f69..87eaa3aab 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data 
@@ -351,19 +351,19 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_US mbedtls_x509_csr_info:"data_files/server1-ms.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n" X509 CSR Information v3 extensions #1 (all) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_HAS_ALG_SHA1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO mbedtls_x509_csr_info:"data_files/test_csr_v3_all.csr":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 3132338081008180333231\ncert. type \: SSL Client\nkey usage \: CRL Sign\n" X509 CSR Information v3 extensions #2 (nsCertType only) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_HAS_ALG_SHA1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO mbedtls_x509_csr_info:"data_files/test_csr_v3_nsCertType.csr":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\ncert. 
type \: SSL Server\n" X509 CSR Information v3 extensions #3 (subjectAltName only) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_HAS_ALG_SHA1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO mbedtls_x509_csr_info:"data_files/test_csr_v3_subjectAltName.csr":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nsubject alt name \:\n dNSName \: example.com\n dNSName \: example.net\n dNSName \: *.example.org\n" X509 CSR Information v3 extensions #4 (keyUsage only) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_HAS_ALG_SHA1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO mbedtls_x509_csr_info:"data_files/test_csr_v3_keyUsage.csr":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Key Encipherment\n" X509 Verify Information: empty From 160968586b0ae4657d2d5abd35c4a8d073f3f0cd Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 24 Jan 2023 09:24:19 +0100 Subject: [PATCH 10/20] Add negative test cases and use DER format for CSRs 
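Review bot: The four corrected `depends_on` lines for the "X509 CSR Information v3 extensions" cases still gate on SHA-1, although every expected string in them reports `signed using \: RSA with SHA-256`, and the neighbouring `server1-ms.req.sha256` case shown in the hunk header gates on the SHA-256 symbol. If these CSRs really are SHA-256-signed, a configuration with SHA-1 disabled skips all four parser tests, and a configuration without SHA-256 runs them and will probably fail on the signature-algorithm line. I would use `MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA` in place of the SHA-1 symbol on each of the four lines. Since the misspelt symbol presumably made these cases skip silently until now, it is also worth confirming in the test log that they execute after this change.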
Signed-off-by: Przemek Stekiel --- tests/data_files/Makefile | 46 ++++++++++++-- tests/data_files/test_csr_v3_all.csr | Bin 664 -> 437 bytes ...malformed_attributes_extension_request.csr | Bin 0 -> 437 bytes ...ibutes_extension_request_sequence_len1.csr | Bin 0 -> 437 bytes ...ibutes_extension_request_sequence_len2.csr | Bin 0 -> 437 bytes ...ributes_extension_request_sequence_tag.csr | Bin 0 -> 437 bytes ...d_attributes_extension_request_set_tag.csr | Bin 0 -> 437 bytes ...csr_v3_all_malformed_attributes_id_tag.csr | Bin 0 -> 437 bytes ...t_csr_v3_all_malformed_attributes_len1.csr | Bin 0 -> 437 bytes ...t_csr_v3_all_malformed_attributes_len2.csr | Bin 0 -> 437 bytes ..._all_malformed_attributes_sequence_tag.csr | Bin 0 -> 437 bytes ..._v3_all_malformed_duplicated_extension.csr | Bin 0 -> 437 bytes ...r_v3_all_malformed_extension_data_len1.csr | Bin 0 -> 437 bytes ...r_v3_all_malformed_extension_data_len2.csr | Bin 0 -> 437 bytes ...sr_v3_all_malformed_extension_data_tag.csr | Bin 0 -> 437 bytes ..._csr_v3_all_malformed_extension_id_tag.csr | Bin 0 -> 437 bytes ...rmed_extension_key_usage_bitstream_tag.csr | Bin 0 -> 437 bytes ...formed_extension_ns_cert_bitstream_tag.csr | Bin 0 -> 437 bytes ...xtension_subject_alt_name_sequence_tag.csr | Bin 0 -> 437 bytes ...sr_v3_all_malformed_extension_type_oid.csr | Bin 0 -> 437 bytes ..._all_malformed_extensions_sequence_tag.csr | Bin 0 -> 437 bytes tests/data_files/test_csr_v3_keyUsage.csr | Bin 570 -> 368 bytes tests/data_files/test_csr_v3_nsCertType.csr | Bin 578 -> 374 bytes .../data_files/test_csr_v3_subjectAltName.csr | Bin 623 -> 407 bytes tests/suites/test_suite_x509parse.data | 59 ++++++++++++++++++ 25 files changed, 101 insertions(+), 4 deletions(-) create mode 100644 tests/data_files/test_csr_v3_all_malformed_attributes_extension_request.csr create mode 100644 tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr create mode 100644 
tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr create mode 100644 tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr create mode 100644 tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr create mode 100644 tests/data_files/test_csr_v3_all_malformed_attributes_id_tag.csr create mode 100644 tests/data_files/test_csr_v3_all_malformed_attributes_len1.csr create mode 100644 tests/data_files/test_csr_v3_all_malformed_attributes_len2.csr create mode 100644 tests/data_files/test_csr_v3_all_malformed_attributes_sequence_tag.csr create mode 100644 tests/data_files/test_csr_v3_all_malformed_duplicated_extension.csr create mode 100644 tests/data_files/test_csr_v3_all_malformed_extension_data_len1.csr create mode 100644 tests/data_files/test_csr_v3_all_malformed_extension_data_len2.csr create mode 100644 tests/data_files/test_csr_v3_all_malformed_extension_data_tag.csr create mode 100644 tests/data_files/test_csr_v3_all_malformed_extension_id_tag.csr create mode 100644 tests/data_files/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr create mode 100644 tests/data_files/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr create mode 100644 tests/data_files/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr create mode 100644 tests/data_files/test_csr_v3_all_malformed_extension_type_oid.csr create mode 100644 tests/data_files/test_csr_v3_all_malformed_extensions_sequence_tag.csr diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index a87e0cc06..fbf447c5b 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile 
@@ -94,13 +94,51 @@ cert_example_multi.crt: cert_example_multi.csr $(OPENSSL) x509 -req -CA $(test_ca_crt) -CAkey $(test_ca_key_file_rsa) -extfile $(test_ca_config_file) -extensions dns_alt_names -passin "pass:$(test_ca_pwd_rsa)" -set_serial 17 -days 3653 -sha256 -in $< > $@ test_csr_v3_keyUsage.csr: rsa_pkcs1_1024_clear.pem - $(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -out $@ -reqexts csr_ext_v3_keyUsage + $(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -outform DER -out $@ -reqexts csr_ext_v3_keyUsage test_csr_v3_subjectAltName.csr: rsa_pkcs1_1024_clear.pem - $(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -out $@ -reqexts csr_ext_v3_subjectAltName + $(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -outform DER -out $@ -reqexts csr_ext_v3_subjectAltName test_csr_v3_nsCertType.csr: rsa_pkcs1_1024_clear.pem - $(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -out $@ -reqexts csr_ext_v3_nsCertType + $(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -outform DER -out $@ -reqexts csr_ext_v3_nsCertType test_csr_v3_all.csr: rsa_pkcs1_1024_clear.pem - $(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -out $@ -reqexts csr_ext_v3_all + $(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -outform DER -out $@ -reqexts csr_ext_v3_all +test_csr_v3_all_malformed_extensions_sequence_tag.csr: test_csr_v3_all.csr + (hexdump -ve '1/1 "%.2X"' $< | sed "s/300B0603551D0F040403/200B0603551D0F040403/" | xxd -r -p ) > $@ +test_csr_v3_all_malformed_extension_id_tag.csr: test_csr_v3_all.csr + (hexdump -ve '1/1 "%.2X"' $< | sed "s/0603551D0F0404030201/0703551D0F0404030201/" | xxd -r -p ) > $@ 
+test_csr_v3_all_malformed_extension_data_tag.csr: test_csr_v3_all.csr + (hexdump -ve '1/1 "%.2X"' $< | sed "s/040403020102302F0603/050403020102302F0603/" | xxd -r -p ) > $@ +test_csr_v3_all_malformed_extension_data_len1.csr: test_csr_v3_all.csr + (hexdump -ve '1/1 "%.2X"' $< | sed "s/040403020102302F0603/040503020102302F0603/" | xxd -r -p ) > $@ +test_csr_v3_all_malformed_extension_data_len2.csr: test_csr_v3_all.csr + (hexdump -ve '1/1 "%.2X"' $< | sed "s/040403020102302F0603/040303020102302F0603/" | xxd -r -p ) > $@ +test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr: test_csr_v3_all.csr + (hexdump -ve '1/1 "%.2X"' $< | sed "s/03020102302F0603551D/04020102302F0603551D/" | xxd -r -p ) > $@ +test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr: test_csr_v3_all.csr + (hexdump -ve '1/1 "%.2X"' $< | sed "s/3026A02406082B060105/4026A02406082B060105/" | xxd -r -p ) > $@ +test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr: test_csr_v3_all.csr + (hexdump -ve '1/1 "%.2X"' $< | sed "s/04020780300D06092A86/03020780300D06092A86/" | xxd -r -p ) > $@ +test_csr_v3_all_malformed_duplicated_extension.csr: test_csr_v3_all.csr + (hexdump -ve '1/1 "%.2X"' $< | sed "s/551D11/551D0F/" | xxd -r -p ) > $@ +test_csr_v3_all_malformed_extension_type_oid.csr: test_csr_v3_all.csr + (hexdump -ve '1/1 "%.2X"' $< | sed "s/551D11/551DFF/" | xxd -r -p ) > $@ +test_csr_v3_all_malformed_attributes_sequence_tag.csr: test_csr_v3_all.csr + (hexdump -ve '1/1 "%.2X"' $< | sed "s/306006092A864886F70D/406006092A864886F70D/" | xxd -r -p ) > $@ +test_csr_v3_all_malformed_attributes_id_tag.csr: test_csr_v3_all.csr + (hexdump -ve '1/1 "%.2X"' $< | sed "s/06092A864886F70D0109/07092A864886F70D0109/" | xxd -r -p ) > $@ +test_csr_v3_all_malformed_attributes_extension_request.csr: test_csr_v3_all.csr + (hexdump -ve '1/1 "%.2X"' $< | sed "s/2A864886F70D01090E/2A864886F70D01090F/" | xxd -r -p ) > $@ +test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr: 
test_csr_v3_all.csr + (hexdump -ve '1/1 "%.2X"' $< | sed "s/31533051300B0603551D/32533051300B0603551D/" | xxd -r -p ) > $@ +test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr: test_csr_v3_all.csr + (hexdump -ve '1/1 "%.2X"' $< | sed "s/3051300B0603551D0F04/3151300B0603551D0F04/" | xxd -r -p ) > $@ +test_csr_v3_all_malformed_attributes_len1.csr: test_csr_v3_all.csr + (hexdump -ve '1/1 "%.2X"' $< | sed "s/306006092A864886F70D/306106092A864886F70D/" | xxd -r -p ) > $@ +test_csr_v3_all_malformed_attributes_len2.csr: test_csr_v3_all.csr + (hexdump -ve '1/1 "%.2X"' $< | sed "s/306006092A864886F70D/305906092A864886F70D/" | xxd -r -p ) > $@ +test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr: test_csr_v3_all.csr + (hexdump -ve '1/1 "%.2X"' $< | sed "s/3051300B0603551D0F04/3052300B0603551D0F04/" | xxd -r -p ) > $@ +test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr: test_csr_v3_all.csr + (hexdump -ve '1/1 "%.2X"' $< | sed "s/3051300B0603551D0F04/3050300B0603551D0F04/" | xxd -r -p ) > $@ $(test_ca_key_file_rsa_alt):test-ca.opensslconf $(OPENSSL) genrsa -out $@ 2048 
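Review bot: The rule for `test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr` looks to have its sed pattern and replacement the wrong way round: it searches for `04020780300D06092A86`, whereas the key-usage rule beside it rewrites a `03` tag to `04`. The binary patch for that file further down this page carries the same blob id as the regenerated `test_csr_v3_all.csr` (`7e717f35733166efe3775e7747901738865de123`), so sed matched nothing and the fixture is a well-formed CSR; the negative case for a bad nsCertType tag therefore never reaches the parser's rejection path. I would change the rule to `sed "s/03020780300D06092A86/04020780300D06092A86/"` and regenerate the file. None of these recipes fails when its pattern is absent, and because `hexdump -ve '1/1 "%.2X"'` emits one unbroken hex string, the short `551D11` patterns can also match at an odd nibble or inside key material once the inputs change. A second recipe line such as `! cmp -s $< $@` under each rule would turn a no-op substitution into a build error.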
diff --git a/tests/data_files/test_csr_v3_all.csr b/tests/data_files/test_csr_v3_all.csr index fecca328ad20c958aee6b15197338b285eedc519..7e717f35733166efe3775e7747901738865de123 100644 GIT binary patch literal 437 zcmXqLV%%uZ#3;qY$Y8*4$ZNpO#vIDR%)^pelAL1DINyMmjZ>@5qwPB{BO@a#19M|9 zgF#~_Q)45;af?Yu4}U2T;K=?VZ2IOiqfD17|I{Wkxm9x0ghHj({HQK9<}L^~o^x~R zM_(To^Ar1yEUg)-?&6bM0@<+^c1pl(X^QlQj>VHaXT* zKbfm8GFyi|yU*FyKBvseZI(;{uj<@A9LF90++Z?K`d|C{k1i84BLm}tB!dLF13CE& zgAD?~K9J>SVPR%sWHQhPdPi1}MZ-XCfeIUkHX9==D?10v0to{#Hg+J7g;9{1h1<}` zxS^4uvBB8L&_IxlGoj6cvF(QwBO}NR_6Fo2;06UjBg5ot`yOAJI-T89WkKTJ4;L=< ztz02Lr72qBo%IWb4i0BF%Y!mIl5>O~D8IXJxXE2awQ2G3Ka;+vWpsbJB@uJ#OwK%^ z(`Pr`(wTNYMC;SF73nKZ)@84m=@Rnp3BSeKgg;$o>$R8dNJ-t$v^8`6t(DK%u1lLg SepnJ%`%+r`-<)dqh3GMn#BPu<|2x^Hh& z5Ve^53sXO2TZSQ|zkDhp8iYUaP2-HAF2or88iN2uM(T3tELcPol%nU8Uz`a>j}crX z%O)#xYoq1}1lbn={-tX zFZ;NJe4lR9QG2-6VI3{FPj2kh1=5@OrRRF%AZ+5L?)qr1R*kG^TeHwrjh-E=jZ+-* zul;Veaz?3%)<(D8t9%4$R1IpEm@DFio9_n6pR{J!!77wdgy;oNedP$@sSV+e~|~t2jORZ|&c&s7wC;xxZ|c(c=IB 
diff --git a/tests/data_files/test_csr_v3_all_malformed_attributes_extension_request.csr b/tests/data_files/test_csr_v3_all_malformed_attributes_extension_request.csr new file mode 100644 index 0000000000000000000000000000000000000000..96a11e87378815711b59189560297e724f8b39a2 GIT binary patch literal 437 zcmXqLV%%uZ#3;qY$Y8*4$ZNpO#vIDR%)^pelAL1DINyMmjZ>@5qwPB{BO@a#19M|9 zgF#~_Q)45;af?Yu4}U2T;K=?VZ2IOiqfD17|I{Wkxm9x0ghHj({HQK9<}L^~o^x~R zM_(To^Ar1yEUg)-?&6bM0@<+^c1pl(X^QlQj>VHaXT* zKbfm8GFyi|yU*FyKBvseZI(;{uj<@A9LF90++Z?K`d|C{k1i84BLm}tB!dLF13CE( zgAD?~K9J>SVPR%sWHQhPdPi1}MZ-XCfeIUkHX9==D?10v0to{#Hg+J7g;9{1h1<}` zxS^4uvBB8L&_IxlGoj6cvF(QwBO}NR_6Fo2;06UjBg5ot`yOAJI-T89WkKTJ4;L=< ztz02Lr72qBo%IWb4i0BF%Y!mIl5>O~D8IXJxXE2awQ2G3Ka;+vWpsbJB@uJ#OwK%^ z(`Pr`(wTNYMC;SF73nKZ)@84m=@Rnp3BSeKgg;$o>$R8dNJ-t$v^8`6t(DK%u1lLg SepnJ%`%+r`-<@5qwPB{BO@a#19M|9 zgF#~_Q)45;af?Yu4}U2T;K=?VZ2IOiqfD17|I{Wkxm9x0ghHj({HQK9<}L^~o^x~R zM_(To^Ar1yEUg)-?&6bM0@<+^c1pl(X^QlQj>VHaXT* zKbfm8GFyi|yU*FyKBvseZI(;{uj<@A9LF90++Z?K`d|C{k1i84BLm}tB!dLF13CE& zgAIbfK9J>SVPR%sWHQhPdPi1}MZ-XCfeIUkHX9==D?10v0to{#Hg+J7g;9{1h1<}` zxS^4uvBB8L&_IxlGoj6cvF(QwBO}NR_6Fo2;06UjBg5ot`yOAJI-T89WkKTJ4;L=< ztz02Lr72qBo%IWb4i0BF%Y!mIl5>O~D8IXJxXE2awQ2G3Ka;+vWpsbJB@uJ#OwK%^ z(`Pr`(wTNYMC;SF73nKZ)@84m=@Rnp3BSeKgg;$o>$R8dNJ-t$v^8`6t(DK%u1lLg SepnJ%`%+r`-<@5qwPB{BO@a#19M|9 zgF#~_Q)45;af?Yu4}U2T;K=?VZ2IOiqfD17|I{Wkxm9x0ghHj({HQK9<}L^~o^x~R zM_(To^Ar1yEUg)-?&6bM0@<+^c1pl(X^QlQj>VHaXT* zKbfm8GFyi|yU*FyKBvseZI(;{uj<@A9LF90++Z?K`d|C{k1i84BLm}tB!dLF13CE& zgAD?}K9J>SVPR%sWHQhPdPi1}MZ-XCfeIUkHX9==D?10v0to{#Hg+J7g;9{1h1<}` zxS^4uvBB8L&_IxlGoj6cvF(QwBO}NR_6Fo2;06UjBg5ot`yOAJI-T89WkKTJ4;L=< ztz02Lr72qBo%IWb4i0BF%Y!mIl5>O~D8IXJxXE2awQ2G3Ka;+vWpsbJB@uJ#OwK%^ z(`Pr`(wTNYMC;SF73nKZ)@84m=@Rnp3BSeKgg;$o>$R8dNJ-t$v^8`6t(DK%u1lLg SepnJ%`%+r`-<@5qwPB{BO@a#19M|9 zgF#~_Q)45;af?Yu4}U2T;K=?VZ2IOiqfD17|I{Wkxm9x0ghHj({HQK9<}L^~o^x~R zM_(To^Ar1yEUg)-?&6bM0@<+^c1pl(X^QlQj>VHaXT* zKbfm8GFyi|yU*FyKBvseZI(;{uj<@A9LF90++Z?K`d|C{k1i84BLm}tB!dLF13CE& 
zgAD`0K9J>SVPR%sWHQhPdPi1}MZ-XCfeIUkHX9==D?10v0to{#Hg+J7g;9{1h1<}` zxS^4uvBB8L&_IxlGoj6cvF(QwBO}NR_6Fo2;06UjBg5ot`yOAJI-T89WkKTJ4;L=< ztz02Lr72qBo%IWb4i0BF%Y!mIl5>O~D8IXJxXE2awQ2G3Ka;+vWpsbJB@uJ#OwK%^ z(`Pr`(wTNYMC;SF73nKZ)@84m=@Rnp3BSeKgg;$o>$R8dNJ-t$v^8`6t(DK%u1lLg SepnJ%`%+r`-<@5qwPB{BO@a#19M|9 zgF#~_Q)45;af?Yu4}U2T;K=?VZ2IOiqfD17|I{Wkxm9x0ghHj({HQK9<}L^~o^x~R zM_(To^Ar1yEUg)-?&6bM0@<+^c1pl(X^QlQj>VHaXT* zKbfm8GFyi|yU*FyKBvseZI(;{uj<@A9LF90++Z?K`d|C{k1i84BLm}tB!dLF13CGO zf(-(}K9J>SVPR%sWHQhPdPi1}MZ-XCfeIUkHX9==D?10v0to{#Hg+J7g;9{1h1<}` zxS^4uvBB8L&_IxlGoj6cvF(QwBO}NR_6Fo2;06UjBg5ot`yOAJI-T89WkKTJ4;L=< ztz02Lr72qBo%IWb4i0BF%Y!mIl5>O~D8IXJxXE2awQ2G3Ka;+vWpsbJB@uJ#OwK%^ z(`Pr`(wTNYMC;SF73nKZ)@84m=@Rnp3BSeKgg;$o>$R8dNJ-t$v^8`6t(DK%u1lLg SepnJ%`%+r`-<@5qwPB{BO@a#19M|9 zgF#~_Q)45;af?Yu4}U2T;K=?VZ2IOiqfD17|I{Wkxm9x0ghHj({HQK9<}L^~o^x~R zM_(To^Ar1yEUg)-?&6bM0@<+^c1pl(X^QlQj>VHaXT* zKbfm8GFyi|yU*FyKBvseZI(;{uj<@A9LF90++Z?K`d|C{k1i84BLm}tB!dKYm;*Wa z41)~P*f& zq0?tK-O`zMKSb-(wH4_rPS$0wnduVp?g_ue+Jrw{X6v<=?MO-8(6lvk{jHVH*se>P TKYmyeSo>01{NJ4R32~1Bg=V0! literal 0 HcmV?d00001 
diff --git a/tests/data_files/test_csr_v3_all_malformed_attributes_len1.csr b/tests/data_files/test_csr_v3_all_malformed_attributes_len1.csr new file mode 100644 index 0000000000000000000000000000000000000000..01eabffdc1c51a5596b2458740e553b81cac4270 GIT binary patch literal 437 zcmXqLV%%uZ#3;qY$Y8*4$ZNpO#vIDR%)^pelAL1DINyMmjZ>@5qwPB{BO@a#19M|9 zgF#~_Q)45;af?Yu4}U2T;K=?VZ2IOiqfD17|I{Wkxm9x0ghHj({HQK9<}L^~o^x~R zM_(To^Ar1yEUg)-?&6bM0@<+^c1pl(X^QlQj>VHaXT* zKbfm8GFyi|yU*FyKBvseZI(;{uj<@A9LF90++Z?K`d|C{k1i84BLm}tB!fh_13CE& zgAD?~K9J>SVPR%sWHQhPdPi1}MZ-XCfeIUkHX9==D?10v0to{#Hg+J7g;9{1h1<}` zxS^4uvBB8L&_IxlGoj6cvF(QwBO}NR_6Fo2;06UjBg5ot`yOAJI-T89WkKTJ4;L=< ztz02Lr72qBo%IWb4i0BF%Y!mIl5>O~D8IXJxXE2awQ2G3Ka;+vWpsbJB@uJ#OwK%^ z(`Pr`(wTNYMC;SF73nKZ)@84m=@Rnp3BSeKgg;$o>$R8dNJ-t$v^8`6t(DK%u1lLg SepnJ%`%+r`-<@5qwPB{BO@a#19M|9 zgF#~_Q)45;af?Yu4}U2T;K=?VZ2IOiqfD17|I{Wkxm9x0ghHj({HQK9<}L^~o^x~R zM_(To^Ar1yEUg)-?&6bM0@<+^c1pl(X^QlQj>VHaXT* zKbfm8GFyi|yU*FyKBvseZI(;{uj<@A9LF90++Z?K`d|C{k1i84BLm}tB!ft}13CE& zgAD?~K9J>SVPR%sWHQhPdPi1}MZ-XCfeIUkHX9==D?10v0to{#Hg+J7g;9{1h1<}` zxS^4uvBB8L&_IxlGoj6cvF(QwBO}NR_6Fo2;06UjBg5ot`yOAJI-T89WkKTJ4;L=< ztz02Lr72qBo%IWb4i0BF%Y!mIl5>O~D8IXJxXE2awQ2G3Ka;+vWpsbJB@uJ#OwK%^ z(`Pr`(wTNYMC;SF73nKZ)@84m=@Rnp3BSeKgg;$o>$R8dNJ-t$v^8`6t(DK%u1lLg SepnJ%`%+r`-<@5qwPB{BO@a#19M|9 zgF#~_Q)45;af?Yu4}U2T;K=?VZ2IOiqfD17|I{Wkxm9x0ghHj({HQK9<}L^~o^x~R zM_(To^Ar1yEUg)-?&6bM0@<+^c1pl(X^QlQj>VHaXT* zKbfm8GFyi|yU*FyKBvseZI(;{uj<@A9LF90++Z?K`d|C{k1i84BLm}tB!>jJ13CE& zgAD?~K9J>SVPR%sWHQhPdPi1}MZ-XCfeIUkHX9==D?10v0to{#Hg+J7g;9{1h1<}` zxS^4uvBB8L&_IxlGoj6cvF(QwBO}NR_6Fo2;06UjBg5ot`yOAJI-T89WkKTJ4;L=< ztz02Lr72qBo%IWb4i0BF%Y!mIl5>O~D8IXJxXE2awQ2G3Ka;+vWpsbJB@uJ#OwK%^ z(`Pr`(wTNYMC;SF73nKZ)@84m=@Rnp3BSeKgg;$o>$R8dNJ-t$v^8`6t(DK%u1lLg SepnJ%`%+r`-<@5qwPB{BO@a#19M|9 zgF#~_Q)45;af?Yu4}U2T;K=?VZ2IOiqfD17|I{Wkxm9x0ghHj({HQK9<}L^~o^x~R zM_(To^Ar1yEUg)-?&6bM0@<+^c1pl(X^QlQj>VHaXT* zKbfm8GFyi|yU*FyKBvseZI(;{uj<@A9LF90++Z?K`d|C{k1i84BLm}tB!dLF13CE& 
zgAD?~K9J>SVPR%sWHQhPdI!kSFi=~d!p5P^#>mRb&cU)k!a$6T9mr#06l7-MHZ(GB zXk=(?Fg7wY5M<*_X!Brf`{BgM2r`4c0XYb`K|#>SF!|cP$5*CKXZKWDkhu55g$sQv zSIAFkidJ}M{eq!`!lGf(LB z*-f`}rri(G`gCnY`ihfv*=uIHguHvgZ?QJvPnX$x?PWVsQa3bh&0K$L@5qwPB{BO@a#19M|9 zgF#~_Q)45;af?Yu4}U2T;K=?VZ2IOiqfD17|I{Wkxm9x0ghHj({HQK9<}L^~o^x~R zM_(To^Ar1yEUg)-?&6bM0@<+^c1pl(X^QlQj>VHaXT* zKbfm8GFyi|yU*FyKBvseZI(;{uj<@A9LF90++Z?K`d|C{k1i84BLm}tB!dLF13CE& zgAD?~K9J>SVP$4wWHQhPdPi1}MZ-XCfeIUkHX9==D?10v0to{#Hg+J7g;9{1h1<}` zxS^4uvBB8L&_IxlGoj6cvF(QwBO?n7GZT9Qau9HXf}oLM^0j@BuS}iJ?y0gMaqou< z7y4GNke|{Nt?nH|YF!Vi?+-8bCiE~47B`1qem-_tU>zuc0DIdvvy zp3v#Dn{Me$yC0(U>Dr3)6({Sm*UWSYdH00hVr{~oF0=L8%XXxsZfM$?x&GG5XKdG{ U%^yE339Nl7E&gv#`-Hg10EJJWu>b%7 literal 0 HcmV?d00001 diff --git a/tests/data_files/test_csr_v3_all_malformed_extension_data_len2.csr b/tests/data_files/test_csr_v3_all_malformed_extension_data_len2.csr new file mode 100644 index 0000000000000000000000000000000000000000..a49209abe562ff552914f880ef47c9e9ed096e35 GIT binary patch literal 437 zcmXqLV%%uZ#3;qY$Y8*4$ZNpO#vIDR%)^pelAL1DINyMmjZ>@5qwPB{BO@a#19M|9 zgF#~_Q)45;af?Yu4}U2T;K=?VZ2IOiqfD17|I{Wkxm9x0ghHj({HQK9<}L^~o^x~R zM_(To^Ar1yEUg)-?&6bM0@<+^c1pl(X^QlQj>VHaXT* zKbfm8GFyi|yU*FyKBvseZI(;{uj<@A9LF90++Z?K`d|C{k1i84BLm}tB!dLF13CE& zgAD?~K9J>SVPnH|YF!Vi?+-8bCiE~47B`1qem-_tU>zuc0DIdvvy zp3v#Dn{Me$yC0(U>Dr3)6({Sm*UWSYdH00hVr{~oF0=L8%XXxsZfM$?x&GG5XKdG{ U%^yE339Nl7E&gv#`-Hg10E3sHuK)l5 literal 0 HcmV?d00001 
diff --git a/tests/data_files/test_csr_v3_all_malformed_extension_data_tag.csr b/tests/data_files/test_csr_v3_all_malformed_extension_data_tag.csr new file mode 100644 index 0000000000000000000000000000000000000000..ccae7233b591dedc525f0d597321fee3b8e87c18 GIT binary patch literal 437 zcmXqLV%%uZ#3;qY$Y8*4$ZNpO#vIDR%)^pelAL1DINyMmjZ>@5qwPB{BO@a#19M|9 zgF#~_Q)45;af?Yu4}U2T;K=?VZ2IOiqfD17|I{Wkxm9x0ghHj({HQK9<}L^~o^x~R zM_(To^Ar1yEUg)-?&6bM0@<+^c1pl(X^QlQj>VHaXT* zKbfm8GFyi|yU*FyKBvseZI(;{uj<@A9LF90++Z?K`d|C{k1i84BLm}tB!dLF13CE& zgAD?~K9J>SWnpGwWHQhPdPi1}MZ-XCfeIUkHX9==D?10v0to{#Hg+J7g;9{1h1<}` zxS^4uvBB8L&_IxlGoj6cvF(QwBO?pY4E6@(Am9cCK_kQDYx^EwnL3@_Q)NNo-VYZp z^sQVWKcy*J;hpshh7JyAHp_!DJCbvRA1J@OZ@9@_M73%0@jsKkr)6}1xg`;E>P*f& zq0?tK-O`zMKSb-(wH4_rPS$0wnduVp?g_ue+Jrw{X6v<=?MO-8(6lvk{jHVH*se>P TKYmyeSo>01{NJ4R32~1Bg;1ce literal 0 HcmV?d00001 
diff --git a/tests/data_files/test_csr_v3_all_malformed_extension_id_tag.csr b/tests/data_files/test_csr_v3_all_malformed_extension_id_tag.csr new file mode 100644 index 0000000000000000000000000000000000000000..989e40408357d4192c419bac484eb703dc9b5a7a GIT binary patch literal 437 zcmXqLV%%uZ#3;qY$Y8*4$ZNpO#vIDR%)^pelAL1DINyMmjZ>@5qwPB{BO@a#19M|9 zgF#~_Q)45;af?Yu4}U2T;K=?VZ2IOiqfD17|I{Wkxm9x0ghHj({HQK9<}L^~o^x~R zM_(To^Ar1yEUg)-?&6bM0@<+^c1pl(X^QlQj>VHaXT* zKbfm8GFyi|yU*FyKBvseZI(;{uj<@A9LF90++Z?K`d|C{k1i84BLm}tB!dLF13CE& zgAD==xY?OQW%*fHn3))v4D^BCkriaoFi=~d!p5P^#>mRb&cU)k!a$6T9mr#06l7-M zHZ(GBXk=(?Fg7wY5M<*_X!Brf`{BgM2r`4c0XYb`K|#>SF!|cP$5*CKXZKWDkhu55 zg$sQvSIAFkidJ}M{eq!`!l zGf(LB*-f`}rri(G`gCnY`ihfv*=uIHguHvgZ?QJvPnX$x?PWVsQa3bh&0K$L@5qwPB{BO@a#19M|9 zgF#~_Q)45;af?Yu4}U2T;K=?VZ2IOiqfD17|I{Wkxm9x0ghHj({HQK9<}L^~o^x~R zM_(To^Ar1yEUg)-?&6bM0@<+^c1pl(X^QlQj>VHaXT* zKbfm8GFyi|yU*FyKBvseZI(;{uj<@A9LF90++Z?K`d|C{k1i84BLm}tB!dLF13CE& zgAD?~K9J>SVPRonWHQhPdPi1}MZ-XCfeIUkHX9==D?10v0to{#Hg+J7g;9{1h1<}` zxS^4uvBB8L&_IxlGoj6cvF(QwBO?n7GZT9Qau9HXf}oLM^0j@BuS}iJ?y0gMaqou< z7y4GNke|{Nt?nH|YF!Vi?+-8bCiE~47B`1qem-_tU>zuc0DIdvvy zp3v#Dn{Me$yC0(U>Dr3)6({Sm*UWSYdH00hVr{~oF0=L8%XXxsZfM$?x&GG5XKdG{ U%^yE339Nl7E&gv#`-Hg10EJGVu>b%7 literal 0 HcmV?d00001 
diff --git a/tests/data_files/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr b/tests/data_files/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr new file mode 100644 index 0000000000000000000000000000000000000000..7e717f35733166efe3775e7747901738865de123 GIT binary patch literal 437 zcmXqLV%%uZ#3;qY$Y8*4$ZNpO#vIDR%)^pelAL1DINyMmjZ>@5qwPB{BO@a#19M|9 zgF#~_Q)45;af?Yu4}U2T;K=?VZ2IOiqfD17|I{Wkxm9x0ghHj({HQK9<}L^~o^x~R zM_(To^Ar1yEUg)-?&6bM0@<+^c1pl(X^QlQj>VHaXT* zKbfm8GFyi|yU*FyKBvseZI(;{uj<@A9LF90++Z?K`d|C{k1i84BLm}tB!dLF13CE& zgAD?~K9J>SVPR%sWHQhPdPi1}MZ-XCfeIUkHX9==D?10v0to{#Hg+J7g;9{1h1<}` zxS^4uvBB8L&_IxlGoj6cvF(QwBO}NR_6Fo2;06UjBg5ot`yOAJI-T89WkKTJ4;L=< ztz02Lr72qBo%IWb4i0BF%Y!mIl5>O~D8IXJxXE2awQ2G3Ka;+vWpsbJB@uJ#OwK%^ z(`Pr`(wTNYMC;SF73nKZ)@84m=@Rnp3BSeKgg;$o>$R8dNJ-t$v^8`6t(DK%u1lLg SepnJ%`%+r`-<@5qwPB{BO@a#19M|9 zgF#~_Q)45;af?Yu4}U2T;K=?VZ2IOiqfD17|I{Wkxm9x0ghHj({HQK9<}L^~o^x~R zM_(To^Ar1yEUg)-?&6bM0@<+^c1pl(X^QlQj>VHaXT* zKbfm8GFyi|yU*FyKBvseZI(;{uj<@A9LF90++Z?K`d|C{k1i84BLm}tB!dLF13CE& zgAD?~K9J>SVPR%sWHQhPdPi1}MZ-aDfeIUkHX9==D?10v0to{#Hg+J7g;9{1h1<}` zxS^4uvBB8L&_IxlGoj6cvF(QwBO}NR_6Fo2;06UjBg5ot`yOAJI-T89WkKTJ4;L=< ztz02Lr72qBo%IWb4i0BF%Y!mIl5>O~D8IXJxXE2awQ2G3Ka;+vWpsbJB@uJ#OwK%^ z(`Pr`(wTNYMC;SF73nKZ)@84m=@Rnp3BSeKgg;$o>$R8dNJ-t$v^8`6t(DK%u1lLg SepnJ%`%+r`-<@5qwPB{BO@a#19M|9 zgF#~_Q)45;af?Yu4}U2T;K=?VZ2IOiqfD17|I{Wkxm9x0ghHj({HQK9<}L^~o^x~R zM_(To^Ar1yEUg)-?&6bM0@<+^c1pl(X^QlQj>VHaXT* zKbfm8GFyi|yU*FyKBvseZI(;{uj<@A9LF90++Z?K`d|C{k1i84BLm}tB!dLF13CE& zgAD?~K9J>SVPR%sWHQhPdPnv@i-v*P0u?q6Z8k<$R(1}S1ri2gZ0tZD3!@-23%8+> zaYG|RV}r4gp@AS9XF{6?W7`iWMn;es>jALJL?w=9URVVmIq~aBr8Dh*h}NfTE7Dh-tjk_A(CTPvTjU6(e0 T{IDdj_NBD=zd7v_;vNG4M$n<2 literal 0 HcmV?d00001 
diff --git a/tests/data_files/test_csr_v3_all_malformed_extensions_sequence_tag.csr b/tests/data_files/test_csr_v3_all_malformed_extensions_sequence_tag.csr new file mode 100644 index 0000000000000000000000000000000000000000..fecb15efb447947a1815037932f3738d9cc1286c GIT binary patch literal 437 zcmXqLV%%uZ#3;qY$Y8*4$ZNpO#vIDR%)^pelAL1DINyMmjZ>@5qwPB{BO@a#19M|9 zgF#~_Q)45;af?Yu4}U2T;K=?VZ2IOiqfD17|I{Wkxm9x0ghHj({HQK9<}L^~o^x~R zM_(To^Ar1yEUg)-?&6bM0@<+^c1pl(X^QlQj>VHaXT* zKbfm8GFyi|yU*FyKBvseZI(;{uj<@A9LF90++Z?K`d|C{k1i84BLm}tB!dLF13CE& zgAD=|Kt7P=XJKJxVq`MV2XO>hGz`=hsIYNpvoW%=vU9L3kT4KqV+ZnB7zLSGxDAbr z8yXoJ8;p$%4FuUZ6WTl&+kQAPGJ?!tZ$J(LZcq?3GEBa<@9~wX)7d>$79{TdaN$DV z$`$fcnxYlnS-)WD;BaQMJSejxIY;<`^1J(no7_cIn-(AcGwFL;M)#Ln5;3RF)FR?K>|cBO@yVb7L=q zL1QOVV`PH4mINIo4D^ znX4``TZcWn&)L>Kr_9Q2mP`S!>fAjX#~uFMU@}koU;FxxE)z2&1LFcY0~xpjIr$9v z4In;{Mt2k!x?v`C&sN=~jO~G+CA4Ox$Op`r_`!22?Nu5foUEV+8&BbvN2%E3K-aj@9Z7NKBi3 zAQD8jVIvTckAUz!38O#cN}#q4GmPN6v?0J?N4Y$sIl%|cF$O`Co2;g`Sx_LGDD2J9 z&Q#0^1bh#`r^y8HHs81lOO7qy@r+ptW&*B*2m;as3^ZBA9|1^M7^3gB;*8AwU>hBUX;* z44XhAZLm>?&0<_`G}W8F(r{KimbiI-X--u~RPW1Mg0nFf29=Bfnu_gccFP?d?MT(+ zSJdqj-sY}jOxLD;x3L}5R-06Q9-jD~#E&p4CfQe|SZJU3!n|nwha`<0NU^&#-L$q| bChF4@lzG<{%K{9dM)SAucX`6_|6lPNSmUuh 
diff --git a/tests/data_files/test_csr_v3_nsCertType.csr b/tests/data_files/test_csr_v3_nsCertType.csr index 039874330b8b147aa9bc7e6bc4ae28c10ac6f7a3..cf9588dad174c08f91b4bbd30a9fd0f527a048c5 100644 GIT binary patch literal 374 zcmXqLVk|Ofyu-xEV8Cz4YrxIM9LmDX!;)H(oMO;8-+-5mQ>)FR?K>|cBO@yVb7L=q zL1QOVV`PH4mINIo4D^ znX4``TZcWn&)L>Kr_9Q2mP`S!>fAjX#~uFMU@}koU;FxxE)z2&1LFb}10}cvIr$7l z4TKE@**Fv0JQ&-4I59G^urM>RIUsw28{~;bh6Jl=?+W+)U0$%HEW9mQsPR(Tx$ei7 zpP5|6w~Czz)>T$3klS&{&3A{o)w4}^cW%o}yM5r&gq5ErzG}U(%Sf`au)oUsS06#8~b^rhX literal 578 zcmZ{iIkTcb7)5h_#mg;=MNnQa!Pg7WNTUsIkO?TQ=o4^h%3nXuM3c--?>)h-I^*#t zi25x4!ZcYik6~ERuY`&-)vBnugbT#|>xxk%Qsm zwDVI|Oo*Te#2Uc%V+{yKCoxC0Ai*MxJf$a!g6v0#o3kZH0lQs@v&FHTc0rq^o20vs zf``e~Lv7xRQnT{iuv!l^c2A>W4!YwD*U*-+XPFOD21$-(sQauucgTB50~nmm5ua;iCfR6UEl%^xo?THLyA z(8=mFiAr&gOs+jm|@Mn+Z!=EhzI zgT_v##zuzY7L$%1{!$>ok^Mv1^v!2RnJ!iSsZC~btK_B$g-WgYQC(`xT@Y?O=jPOp zzCJGIC-xm#VE-h==JMy0OwP84YohxqS8=wiYZ5l++TWVFSIaahXXC#oYaTdla;&L- zGFM$>whnuCpR=ufPMMY4ESUmc)wz2(jywFh!DOEFzxMSXT_$Em2F3-h2F`E?a`G9P z8JHLt0ev7V$f9ka*~Fb%k(gVMld6}TpNrt+rIs}DYU#n`@{7`ueaQ{-Wg|nd#*SA~ z^ZD-<`i8{+Xz#eU;r=z2br+f?cePX=+q<~_f8XkT)=i231Z`*3aoN7uI$_DtlpW7z zy*~K((msPdJ4Ek_Z!3AHkyBX982&c3<&G}@G3~G4>%M&5r1xpw|Ckz)Sh;z^Y#|#f f@@Ey_6prr*o_F`yb-(qM>s{p-R@USfm>0t+3=SX)86Xcu7eNJffBkuP$tBlGSAAXGQO{;? zK|&e-K*SH3#SjR|hfl7{+dfD0cIEei2 zA=}TnJ3hzg$IB%xIZokzB7A+8r!7zxRIF8Hw*if7j{1~czHS|ggI86%I_hOB&D4$` zHjhWSYI+YM>Css0LJm%wDaagf>M!r&PMb8ZNmJVfe3NKvz$o2`@{(yT`J+B3|o;jVa&W#UQ%$(#{*Vz$1 zq$F6pl4F2y(7ydIe6u0H0COucp~71`@n#;Us6G6}V~tXgyF9K_v?nwOWR%e8%x)ZQ2er;2pH&`zGwX0~O5 zsC*`Im^(tDTji*iLpXn&SKnWQnU~N%*>@v^*I+8BoJzUbgh!(ezn(gstIMHCP0Oy( Ty`(Z|BI8r~a~Hz#|F855SFgfI diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 87eaa3aab..31c6e6702 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data 
@@ -2680,6 +2680,65 @@ mbedtls_x509_csr_parse:"308201193081bf0201003034310b3009060355040613024e4c311130 X509 CSR ASN.1 (invalid version overflow) mbedtls_x509_csr_parse:"3008300602047fffffff":"":MBEDTLS_ERR_X509_UNKNOWN_VERSION +# Used test_csr_v3_all.csr as a base for malforming CSR extenstions/attributes +# Please see makefile for data_files to check malformation details (test_csr_v3_all_malformed_xxx.csr files) +X509 CSR ASN.1 (attributes: invalid sequence tag) +mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062406006092A864886F70D01090E31533051300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +X509 CSR ASN.1 (attributes: invalid attribute id) 
+mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306007092A864886F70D01090E31533051300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +X509 CSR ASN.1 (attributes: not extension request) +mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090F31533051300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with 
SHA-256\nRSA key size \: 1024 bits\n":0 + +X509 CSR ASN.1 (attributes: invalid extenstion request set tag) +mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E32533051300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +X509 CSR ASN.1 (attributes: invalid extenstion request sequence tag) 
+mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533151300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +X509 CSR ASN.1 (attributes: invalid len (len > data)) +mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306106092A864886F70D01090E31533051300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA + 
+X509 CSR ASN.1 (attributes: invalid len (len < data)) +mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062305906092A864886F70D01090E31533051300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH + +X509 CSR ASN.1 (attributes: extension request invalid len (len > data)) 
+mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533052300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA + +X509 CSR ASN.1 (attributes: extension request invalid len (len < data)) 
+mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533050300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA + +X509 CSR ASN.1 (extensions: invalid sequence tag) +mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051200B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + 
+X509 CSR ASN.1 (extensions: invalid extension id tag) +mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0703551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +X509 CSR ASN.1 (extensions: invalid extension data tag) 
+mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0603551D0F050403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +X509 CSR ASN.1 (extensions: invalid extension data len (len > data)) 
+mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0603551D0F040503020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA + +X509 CSR ASN.1 (extensions: invalid extension data len (len < data)) 
+mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0603551D0F040303020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH + +X509 CSR ASN.1 (extensions: invalid extension key usage bitstream tag) 
+mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0603551D0F040404020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +X509 CSR ASN.1 (extensions: invalid extension subject alt name sequence tag) 
+mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0603551D0F040403020102302F0603551D1104284026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +X509 CSR ASN.1 (extensions: invalid extension ns cert bitstream tag) 
+mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040404020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +X509 CSR ASN.1 (extensions: duplicated extension) +mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0603551D0F040403020102302F0603551D0F04283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_INVALID_DATA + 
+X509 CSR ASN.1 (extensions: invalid extension type data) +mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0603551D0F040403020102302F0603551DFF04283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_OID_NOT_FOUND + X509 File parse (no issues) depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C x509parse_crt_file:"data_files/server7_int-ca.crt":0 From 86d19461641262ce4064af15cfe597df5a5e2152 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 24 Jan 2023 09:45:19 +0100 Subject: [PATCH 11/20] Fix error codes returned on failures Signed-off-by: Przemek Stekiel --- library/x509_csr.c | 102 ++++++++++++++++++++++++--------------------- 1 file changed, 54 insertions(+), 48 deletions(-) diff --git a/library/x509_csr.c b/library/x509_csr.c index 1f133e87f..1ea77fe97 100644 --- a/library/x509_csr.c +++ b/library/x509_csr.c @@ -78,7 +78,6 @@ static int x509_csr_parse_extensions(mbedtls_x509_csr *csr, int ret; size_t len; unsigned char *end_ext_data; - while (*p < end) { mbedtls_x509_buf extn_oid = { 0, 0, NULL }; int ext_type = 0; 
@@ -86,7 +85,7 @@ static int x509_csr_parse_extensions(mbedtls_x509_csr *csr, /* Read sequence tag */ if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { - return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret; + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); } end_ext_data = *p + len; @@ -94,7 +93,7 @@ static int x509_csr_parse_extensions(mbedtls_x509_csr *csr, /* Get extension ID */ if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &extn_oid.len, MBEDTLS_ASN1_OID)) != 0) { - return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret; + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); } extn_oid.tag = MBEDTLS_ASN1_OID; @@ -104,11 +103,12 @@ static int x509_csr_parse_extensions(mbedtls_x509_csr *csr, /* Data should be octet string type */ if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) { - return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret; + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); } + if (*p + len != end_ext_data) { - return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + - MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); } /* 
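Review bot: In the `@@ -104,11 +103,12 @@` hunk the parser expects the extension value right after the OID (`mbedtls_asn1_get_tag(p, end_ext_data, &len, MBEDTLS_ASN1_OCTET_STRING)`), so an extension carrying the optional `critical BOOLEAN` would be rejected with an unexpected-tag error, unless the few lines between this hunk and the previous one, which are not shown, already consume it. Requests that mark keyUsage or basicConstraints as critical are ordinary input, so the flag should be read before the octet string: an absent flag is accepted, any other error fails the parse. Keeping the parsed value also lets a later policy decision on unsupported critical extensions be made explicitly rather than by accident. x509_csr_parse_extensions starts and ends outside these hunks.

```c
/* … unchanged: extension OID read into extn_oid … */
int is_critical = 0;

/* Optional `critical BOOLEAN DEFAULT FALSE` precedes the value */
if ((ret = mbedtls_asn1_get_bool(p, end_ext_data, &is_critical)) != 0 &&
    ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
    return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}

/* Data should be octet string type */
/* … unchanged: OCTET STRING read and length check … */
```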
@@ -116,49 +116,54 @@ static int x509_csr_parse_extensions(mbedtls_x509_csr *csr, */ ret = mbedtls_oid_get_x509_ext_type(&extn_oid, &ext_type); - if (ret == 0) { - /* Forbid repeated extensions */ - if ((csr->ext_types & ext_type) != 0) { - return MBEDTLS_ERR_X509_INVALID_EXTENSIONS; - } + if (ret != 0) { + *p = end_ext_data; + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, + ret); + } - csr->ext_types |= ext_type; + /* Forbid repeated extensions */ + if ((csr->ext_types & ext_type) != 0) { + return (MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, + MBEDTLS_ERR_ASN1_INVALID_DATA)); + } - switch (ext_type) { - case MBEDTLS_X509_EXT_KEY_USAGE: - /* Parse key usage */ - if ((ret = mbedtls_x509_get_key_usage(p, end_ext_data, - &csr->key_usage)) != 0) { - return ret; - } - break; + csr->ext_types |= ext_type; - case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME: - /* Parse subject alt name */ - if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_data, - &csr->subject_alt_names)) != 0) { - return ret; - } - break; + switch (ext_type) { + case MBEDTLS_X509_EXT_KEY_USAGE: + /* Parse key usage */ + if ((ret = mbedtls_x509_get_key_usage(p, end_ext_data, + &csr->key_usage)) != 0) { + return ret; + } + break; - case MBEDTLS_X509_EXT_NS_CERT_TYPE: - /* Parse netscape certificate type */ - if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_data, - &csr->ns_cert_type)) != 0) { - return ret; - } - break; - default: - break; - } + case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME: + /* Parse subject alt name */ + if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_data, + &csr->subject_alt_names)) != 0) { + return ret; + } + break; + + case MBEDTLS_X509_EXT_NS_CERT_TYPE: + /* Parse netscape certificate type */ + if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_data, + &csr->ns_cert_type)) != 0) { + return ret; + } + break; + default: + break; } *p = end_ext_data; } if (*p != end) { - return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + - MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; + 
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); } return 0; @@ -180,14 +185,14 @@ static int x509_csr_parse_attributes(mbedtls_x509_csr *csr, if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { - return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret; + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); } end_attr_data = *p + len; /* Get attribute ID */ if ((ret = mbedtls_asn1_get_tag(p, end_attr_data, &attr_oid.len, MBEDTLS_ASN1_OID)) != 0) { - return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret; + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); } attr_oid.tag = MBEDTLS_ASN1_OID; @@ -196,24 +201,25 @@ static int x509_csr_parse_attributes(mbedtls_x509_csr *csr, /* Check that this is an extension-request attribute */ if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS9_CSR_EXT_REQ, &attr_oid) == 0) { + if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SET)) != 0) { - return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret; + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); } if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { - return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret; + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); } if ((ret = x509_csr_parse_extensions(csr, p, *p + len)) != 0) { - return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret; + return ret; } if (*p != end_attr_data) { - return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + - MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); } } 
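Review bot: The new `if (ret != 0)` branch after `mbedtls_oid_get_x509_ext_type()` in the `@@ -116,49 +116,54 @@` hunk changes what the parser accepts, not only which code it returns. The removed code skipped an extension whose OID was not recognised and went on to the next one; the new code fails the whole CSR with MBEDTLS_ERR_X509_INVALID_EXTENSIONS combined with the OID lookup error. That is also stricter than the `default: break;` arm below it, which still accepts recognised but unparsed extension types and records them in `csr->ext_types`. If failing closed is intended, say so where the decision is made, for example `/* Unrecognised extension OID: reject the CSR rather than skip it */`, and mention the behaviour change in the commit message, because callers that previously parsed such requests will now get an error. The function begins before this hunk.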
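Review bot: In the extension-request branch of the `@@ -196,24 +201,25 @@` hunk, the SET and SEQUENCE headers are read with `end`, the end of the whole attributes block, as the bound even though `end_attr_data` is already known. A declared length that runs past the current attribute is therefore accepted, and `x509_csr_parse_extensions(csr, p, *p + len)` can walk into the bytes of the attributes that follow. The later `*p != end_attr_data` check does reject such input, but only after `csr->ext_types`, `csr->key_usage` and the subject-alt-name list may already have been filled from it. Bounding both reads by the attribute, `mbedtls_asn1_get_tag(p, end_attr_data, &len, ...)`, rejects the bad length before any extension is parsed; a negative test with a second attribute after the extension request would pin this. x509_csr_parse_attributes starts and ends outside the hunk.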
@@ -221,8 +227,8 @@ static int x509_csr_parse_attributes(mbedtls_x509_csr *csr, } if (*p != end) { - return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + - MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); } return 0; From a46876800075be3f135a9eb230ecc6b93c8d3720 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 24 Jan 2023 15:19:47 +0100 Subject: [PATCH 12/20] Dealocate memory for subject alt names Signed-off-by: Przemek Stekiel --- library/x509_csr.c | 1 + 1 file changed, 1 insertion(+) diff --git a/library/x509_csr.c b/library/x509_csr.c index 1ea77fe97..3b3aa1cc5 100644 --- a/library/x509_csr.c +++ b/library/x509_csr.c @@ -581,6 +581,7 @@ void mbedtls_x509_csr_free(mbedtls_x509_csr *csr) #endif mbedtls_asn1_free_named_data_list_shallow(csr->subject.next); + mbedtls_asn1_sequence_free(csr->subject_alt_names.next); if (csr->raw.p != NULL) { mbedtls_platform_zeroize(csr->raw.p, csr->raw.len); From f0e25c72d947280c6e7aecc2dce92aa248a010df Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 25 Jan 2023 09:38:01 +0100 Subject: [PATCH 13/20] Add missing dependencies for negative tests, remove PEM dependency Signed-off-by: Przemek Stekiel --- tests/suites/test_suite_x509parse.data | 27 ++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 31c6e6702..784e137a3 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data 
@@ -351,19 +351,19 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_US mbedtls_x509_csr_info:"data_files/server1-ms.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n" X509 CSR Information v3 extensions #1 (all) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO mbedtls_x509_csr_info:"data_files/test_csr_v3_all.csr":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 3132338081008180333231\ncert. type \: SSL Client\nkey usage \: CRL Sign\n" X509 CSR Information v3 extensions #2 (nsCertType only) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO mbedtls_x509_csr_info:"data_files/test_csr_v3_nsCertType.csr":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\ncert. 
type \: SSL Server\n" X509 CSR Information v3 extensions #3 (subjectAltName only) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO mbedtls_x509_csr_info:"data_files/test_csr_v3_subjectAltName.csr":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nsubject alt name \:\n dNSName \: example.com\n dNSName \: example.net\n dNSName \: *.example.org\n" X509 CSR Information v3 extensions #4 (keyUsage only) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO mbedtls_x509_csr_info:"data_files/test_csr_v3_keyUsage.csr":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Key Encipherment\n" X509 Verify Information: empty 
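Review bot: The four `depends_on:` lines rewritten in this hunk name `MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA`, while every expected string says `signed using \: RSA with SHA-256`; the unchanged sha256 case at the top of the hunk depends on the SHA-256 variant of that macro. As written, these cases are presumably skipped in builds without SHA-1 and still run in builds without SHA-256, where parsing the signature algorithm would be expected to fail. The same dependency line is added to every negative case in the `@@ -2683,60 +2683,79 @@` hunk, whose DER inputs carry the sha256WithRSAEncryption OID (`2A864886F70D01010B`). Proposed for both hunks: `depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO`.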
@@ -2683,60 +2683,79 @@ mbedtls_x509_csr_parse:"3008300602047fffffff":"":MBEDTLS_ERR_X509_UNKNOWN_VERSIO # Used test_csr_v3_all.csr as a base for malforming CSR extenstions/attributes # Please see makefile for data_files to check malformation details (test_csr_v3_all_malformed_xxx.csr files) X509 CSR ASN.1 (attributes: invalid sequence tag) +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062406006092A864886F70D01090E31533051300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (attributes: invalid attribute id) +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306007092A864886F70D01090E31533051300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (attributes: not extension request) +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090F31533051300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n":0 X509 CSR ASN.1 (attributes: invalid extenstion request set tag) +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E32533051300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (attributes: invalid extenstion request sequence tag) +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533151300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (attributes: invalid len (len > data)) +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306106092A864886F70D01090E31533051300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA X509 CSR ASN.1 (attributes: invalid len (len < data)) +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062305906092A864886F70D01090E31533051300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH X509 CSR ASN.1 (attributes: extension request invalid len (len > data)) +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533052300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA X509 CSR ASN.1 (attributes: extension request invalid len (len < data)) +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533050300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA X509 CSR ASN.1 (extensions: invalid sequence tag) +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051200B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (extensions: invalid extension id tag) +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0703551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (extensions: invalid extension data tag) +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0603551D0F050403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (extensions: invalid extension data len (len > data)) +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0603551D0F040503020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA X509 CSR ASN.1 (extensions: invalid extension data len (len < data)) +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0603551D0F040303020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH X509 CSR ASN.1 (extensions: invalid extension key usage bitstream tag) +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0603551D0F040404020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (extensions: invalid extension subject alt name sequence tag) +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0603551D0F040403020102302F0603551D1104284026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (extensions: invalid extension ns cert bitstream tag) +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040404020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (extensions: duplicated extension) +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0603551D0F040403020102302F0603551D0F04283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_INVALID_DATA X509 CSR ASN.1 (extensions: invalid extension type data) +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0603551D0F040403020102302F0603551DFF04283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_OID_NOT_FOUND X509 File parse (no issues) From 92cce3fe6dce2f659d6a5985197e1eb44a2dbd85 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 25 Jan 2023 10:33:26 +0100 Subject: [PATCH 14/20] Use extension .csr.der to indicate format 
Signed-off-by: Przemek Stekiel --- tests/data_files/Makefile | 46 +++++++++--------- ...csr_v3_all.csr => test_csr_v3_all.csr.der} | Bin ...rmed_attributes_extension_request.csr.der} | Bin ...s_extension_request_sequence_len1.csr.der} | Bin ...s_extension_request_sequence_len2.csr.der} | Bin ...es_extension_request_sequence_tag.csr.der} | Bin ...ributes_extension_request_set_tag.csr.der} | Bin ...3_all_malformed_attributes_id_tag.csr.der} | Bin ..._v3_all_malformed_attributes_len1.csr.der} | Bin ..._v3_all_malformed_attributes_len2.csr.der} | Bin ...malformed_attributes_sequence_tag.csr.der} | Bin ...ll_malformed_duplicated_extension.csr.der} | Bin ...all_malformed_extension_data_len1.csr.der} | Bin ...all_malformed_extension_data_len2.csr.der} | Bin ..._all_malformed_extension_data_tag.csr.der} | Bin ...v3_all_malformed_extension_id_tag.csr.der} | Bin ...extension_key_usage_bitstream_tag.csr.der} | Bin ...d_extension_ns_cert_bitstream_tag.csr.der} | Bin ...ion_subject_alt_name_sequence_tag.csr.der} | Bin ..._all_malformed_extension_type_oid.csr.der} | Bin ...malformed_extensions_sequence_tag.csr.der} | Bin ...Usage.csr => test_csr_v3_keyUsage.csr.der} | Bin ...ype.csr => test_csr_v3_nsCertType.csr.der} | Bin ...csr => test_csr_v3_subjectAltName.csr.der} | Bin tests/suites/test_suite_x509parse.data | 10 ++-- 25 files changed, 28 insertions(+), 28 deletions(-) rename tests/data_files/{test_csr_v3_all.csr => test_csr_v3_all.csr.der} (100%) rename tests/data_files/{test_csr_v3_all_malformed_attributes_extension_request.csr => test_csr_v3_all_malformed_attributes_extension_request.csr.der} (100%) rename tests/data_files/{test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr => test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der} (100%) rename tests/data_files/{test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr => test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der} (100%) rename 
tests/data_files/{test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr => test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der} (100%) rename tests/data_files/{test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr => test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der} (100%) rename tests/data_files/{test_csr_v3_all_malformed_attributes_id_tag.csr => test_csr_v3_all_malformed_attributes_id_tag.csr.der} (100%) rename tests/data_files/{test_csr_v3_all_malformed_attributes_len1.csr => test_csr_v3_all_malformed_attributes_len1.csr.der} (100%) rename tests/data_files/{test_csr_v3_all_malformed_attributes_len2.csr => test_csr_v3_all_malformed_attributes_len2.csr.der} (100%) rename tests/data_files/{test_csr_v3_all_malformed_attributes_sequence_tag.csr => test_csr_v3_all_malformed_attributes_sequence_tag.csr.der} (100%) rename tests/data_files/{test_csr_v3_all_malformed_duplicated_extension.csr => test_csr_v3_all_malformed_duplicated_extension.csr.der} (100%) rename tests/data_files/{test_csr_v3_all_malformed_extension_data_len1.csr => test_csr_v3_all_malformed_extension_data_len1.csr.der} (100%) rename tests/data_files/{test_csr_v3_all_malformed_extension_data_len2.csr => test_csr_v3_all_malformed_extension_data_len2.csr.der} (100%) rename tests/data_files/{test_csr_v3_all_malformed_extension_data_tag.csr => test_csr_v3_all_malformed_extension_data_tag.csr.der} (100%) rename tests/data_files/{test_csr_v3_all_malformed_extension_id_tag.csr => test_csr_v3_all_malformed_extension_id_tag.csr.der} (100%) rename tests/data_files/{test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr => test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der} (100%) rename tests/data_files/{test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr => test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der} (100%) rename 
tests/data_files/{test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr => test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der} (100%) rename tests/data_files/{test_csr_v3_all_malformed_extension_type_oid.csr => test_csr_v3_all_malformed_extension_type_oid.csr.der} (100%) rename tests/data_files/{test_csr_v3_all_malformed_extensions_sequence_tag.csr => test_csr_v3_all_malformed_extensions_sequence_tag.csr.der} (100%) rename tests/data_files/{test_csr_v3_keyUsage.csr => test_csr_v3_keyUsage.csr.der} (100%) rename tests/data_files/{test_csr_v3_nsCertType.csr => test_csr_v3_nsCertType.csr.der} (100%) rename tests/data_files/{test_csr_v3_subjectAltName.csr => test_csr_v3_subjectAltName.csr.der} (100%) diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index fbf447c5b..f7728ddd7 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile 
@@ -93,51 +93,51 @@ cert_example_multi.csr: rsa_pkcs1_1024_clear.pem cert_example_multi.crt: cert_example_multi.csr $(OPENSSL) x509 -req -CA $(test_ca_crt) -CAkey $(test_ca_key_file_rsa) -extfile $(test_ca_config_file) -extensions dns_alt_names -passin "pass:$(test_ca_pwd_rsa)" -set_serial 17 -days 3653 -sha256 -in $< > $@ -test_csr_v3_keyUsage.csr: rsa_pkcs1_1024_clear.pem +test_csr_v3_keyUsage.csr.der: rsa_pkcs1_1024_clear.pem $(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -outform DER -out $@ -reqexts csr_ext_v3_keyUsage -test_csr_v3_subjectAltName.csr: rsa_pkcs1_1024_clear.pem +test_csr_v3_subjectAltName.csr.der: rsa_pkcs1_1024_clear.pem $(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -outform DER -out $@ -reqexts csr_ext_v3_subjectAltName -test_csr_v3_nsCertType.csr: rsa_pkcs1_1024_clear.pem +test_csr_v3_nsCertType.csr.der: rsa_pkcs1_1024_clear.pem $(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -outform DER -out $@ -reqexts csr_ext_v3_nsCertType -test_csr_v3_all.csr: rsa_pkcs1_1024_clear.pem +test_csr_v3_all.csr.der: rsa_pkcs1_1024_clear.pem $(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -outform DER -out $@ -reqexts csr_ext_v3_all -test_csr_v3_all_malformed_extensions_sequence_tag.csr: test_csr_v3_all.csr +test_csr_v3_all_malformed_extensions_sequence_tag.csr.der: test_csr_v3_all.csr.der (hexdump -ve '1/1 "%.2X"' $< | sed "s/300B0603551D0F040403/200B0603551D0F040403/" | xxd -r -p ) > $@ -test_csr_v3_all_malformed_extension_id_tag.csr: test_csr_v3_all.csr +test_csr_v3_all_malformed_extension_id_tag.csr.der: test_csr_v3_all.csr.der (hexdump -ve '1/1 "%.2X"' $< | sed "s/0603551D0F0404030201/0703551D0F0404030201/" | xxd -r -p ) > $@ -test_csr_v3_all_malformed_extension_data_tag.csr: test_csr_v3_all.csr +test_csr_v3_all_malformed_extension_data_tag.csr.der: 
test_csr_v3_all.csr.der (hexdump -ve '1/1 "%.2X"' $< | sed "s/040403020102302F0603/050403020102302F0603/" | xxd -r -p ) > $@ -test_csr_v3_all_malformed_extension_data_len1.csr: test_csr_v3_all.csr +test_csr_v3_all_malformed_extension_data_len1.csr.der: test_csr_v3_all.csr.der (hexdump -ve '1/1 "%.2X"' $< | sed "s/040403020102302F0603/040503020102302F0603/" | xxd -r -p ) > $@ -test_csr_v3_all_malformed_extension_data_len2.csr: test_csr_v3_all.csr +test_csr_v3_all_malformed_extension_data_len2.csr.der: test_csr_v3_all.csr.der (hexdump -ve '1/1 "%.2X"' $< | sed "s/040403020102302F0603/040303020102302F0603/" | xxd -r -p ) > $@ -test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr: test_csr_v3_all.csr +test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der: test_csr_v3_all.csr.der (hexdump -ve '1/1 "%.2X"' $< | sed "s/03020102302F0603551D/04020102302F0603551D/" | xxd -r -p ) > $@ -test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr: test_csr_v3_all.csr +test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der: test_csr_v3_all.csr.der (hexdump -ve '1/1 "%.2X"' $< | sed "s/3026A02406082B060105/4026A02406082B060105/" | xxd -r -p ) > $@ -test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr: test_csr_v3_all.csr +test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der: test_csr_v3_all.csr.der (hexdump -ve '1/1 "%.2X"' $< | sed "s/04020780300D06092A86/03020780300D06092A86/" | xxd -r -p ) > $@ -test_csr_v3_all_malformed_duplicated_extension.csr: test_csr_v3_all.csr +test_csr_v3_all_malformed_duplicated_extension.csr.der: test_csr_v3_all.csr.der (hexdump -ve '1/1 "%.2X"' $< | sed "s/551D11/551D0F/" | xxd -r -p ) > $@ -test_csr_v3_all_malformed_extension_type_oid.csr: test_csr_v3_all.csr +test_csr_v3_all_malformed_extension_type_oid.csr.der: test_csr_v3_all.csr.der (hexdump -ve '1/1 "%.2X"' $< | sed "s/551D11/551DFF/" | xxd -r -p ) > $@ -test_csr_v3_all_malformed_attributes_sequence_tag.csr: 
test_csr_v3_all.csr +test_csr_v3_all_malformed_attributes_sequence_tag.csr.der: test_csr_v3_all.csr.der (hexdump -ve '1/1 "%.2X"' $< | sed "s/306006092A864886F70D/406006092A864886F70D/" | xxd -r -p ) > $@ -test_csr_v3_all_malformed_attributes_id_tag.csr: test_csr_v3_all.csr +test_csr_v3_all_malformed_attributes_id_tag.csr.der: test_csr_v3_all.csr.der (hexdump -ve '1/1 "%.2X"' $< | sed "s/06092A864886F70D0109/07092A864886F70D0109/" | xxd -r -p ) > $@ -test_csr_v3_all_malformed_attributes_extension_request.csr: test_csr_v3_all.csr +test_csr_v3_all_malformed_attributes_extension_request.csr.der: test_csr_v3_all.csr.der (hexdump -ve '1/1 "%.2X"' $< | sed "s/2A864886F70D01090E/2A864886F70D01090F/" | xxd -r -p ) > $@ -test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr: test_csr_v3_all.csr +test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der: test_csr_v3_all.csr.der (hexdump -ve '1/1 "%.2X"' $< | sed "s/31533051300B0603551D/32533051300B0603551D/" | xxd -r -p ) > $@ -test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr: test_csr_v3_all.csr +test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der: test_csr_v3_all.csr.der (hexdump -ve '1/1 "%.2X"' $< | sed "s/3051300B0603551D0F04/3151300B0603551D0F04/" | xxd -r -p ) > $@ -test_csr_v3_all_malformed_attributes_len1.csr: test_csr_v3_all.csr +test_csr_v3_all_malformed_attributes_len1.csr.der: test_csr_v3_all.csr.der (hexdump -ve '1/1 "%.2X"' $< | sed "s/306006092A864886F70D/306106092A864886F70D/" | xxd -r -p ) > $@ -test_csr_v3_all_malformed_attributes_len2.csr: test_csr_v3_all.csr +test_csr_v3_all_malformed_attributes_len2.csr.der: test_csr_v3_all.csr.der (hexdump -ve '1/1 "%.2X"' $< | sed "s/306006092A864886F70D/305906092A864886F70D/" | xxd -r -p ) > $@ -test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr: test_csr_v3_all.csr +test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der: test_csr_v3_all.csr.der 
(hexdump -ve '1/1 "%.2X"' $< | sed "s/3051300B0603551D0F04/3052300B0603551D0F04/" | xxd -r -p ) > $@ -test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr: test_csr_v3_all.csr +test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der: test_csr_v3_all.csr.der (hexdump -ve '1/1 "%.2X"' $< | sed "s/3051300B0603551D0F04/3050300B0603551D0F04/" | xxd -r -p ) > $@ $(test_ca_key_file_rsa_alt):test-ca.opensslconf diff --git a/tests/data_files/test_csr_v3_all.csr b/tests/data_files/test_csr_v3_all.csr.der similarity index 100% rename from tests/data_files/test_csr_v3_all.csr rename to tests/data_files/test_csr_v3_all.csr.der diff --git a/tests/data_files/test_csr_v3_all_malformed_attributes_extension_request.csr b/tests/data_files/test_csr_v3_all_malformed_attributes_extension_request.csr.der similarity index 100% rename from tests/data_files/test_csr_v3_all_malformed_attributes_extension_request.csr rename to tests/data_files/test_csr_v3_all_malformed_attributes_extension_request.csr.der diff --git a/tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr b/tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der similarity index 100% rename from tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr rename to tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der diff --git a/tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr b/tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der similarity index 100% rename from tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr rename to tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der 
diff --git a/tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr b/tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der similarity index 100% rename from tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr rename to tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der diff --git a/tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr b/tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der similarity index 100% rename from tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr rename to tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der diff --git a/tests/data_files/test_csr_v3_all_malformed_attributes_id_tag.csr b/tests/data_files/test_csr_v3_all_malformed_attributes_id_tag.csr.der similarity index 100% rename from tests/data_files/test_csr_v3_all_malformed_attributes_id_tag.csr rename to tests/data_files/test_csr_v3_all_malformed_attributes_id_tag.csr.der diff --git a/tests/data_files/test_csr_v3_all_malformed_attributes_len1.csr b/tests/data_files/test_csr_v3_all_malformed_attributes_len1.csr.der similarity index 100% rename from tests/data_files/test_csr_v3_all_malformed_attributes_len1.csr rename to tests/data_files/test_csr_v3_all_malformed_attributes_len1.csr.der diff --git a/tests/data_files/test_csr_v3_all_malformed_attributes_len2.csr b/tests/data_files/test_csr_v3_all_malformed_attributes_len2.csr.der similarity index 100% rename from tests/data_files/test_csr_v3_all_malformed_attributes_len2.csr rename to tests/data_files/test_csr_v3_all_malformed_attributes_len2.csr.der 
diff --git a/tests/data_files/test_csr_v3_all_malformed_attributes_sequence_tag.csr b/tests/data_files/test_csr_v3_all_malformed_attributes_sequence_tag.csr.der similarity index 100% rename from tests/data_files/test_csr_v3_all_malformed_attributes_sequence_tag.csr rename to tests/data_files/test_csr_v3_all_malformed_attributes_sequence_tag.csr.der diff --git a/tests/data_files/test_csr_v3_all_malformed_duplicated_extension.csr b/tests/data_files/test_csr_v3_all_malformed_duplicated_extension.csr.der similarity index 100% rename from tests/data_files/test_csr_v3_all_malformed_duplicated_extension.csr rename to tests/data_files/test_csr_v3_all_malformed_duplicated_extension.csr.der diff --git a/tests/data_files/test_csr_v3_all_malformed_extension_data_len1.csr b/tests/data_files/test_csr_v3_all_malformed_extension_data_len1.csr.der similarity index 100% rename from tests/data_files/test_csr_v3_all_malformed_extension_data_len1.csr rename to tests/data_files/test_csr_v3_all_malformed_extension_data_len1.csr.der diff --git a/tests/data_files/test_csr_v3_all_malformed_extension_data_len2.csr b/tests/data_files/test_csr_v3_all_malformed_extension_data_len2.csr.der similarity index 100% rename from tests/data_files/test_csr_v3_all_malformed_extension_data_len2.csr rename to tests/data_files/test_csr_v3_all_malformed_extension_data_len2.csr.der diff --git a/tests/data_files/test_csr_v3_all_malformed_extension_data_tag.csr b/tests/data_files/test_csr_v3_all_malformed_extension_data_tag.csr.der similarity index 100% rename from tests/data_files/test_csr_v3_all_malformed_extension_data_tag.csr rename to tests/data_files/test_csr_v3_all_malformed_extension_data_tag.csr.der 
diff --git a/tests/data_files/test_csr_v3_all_malformed_extension_id_tag.csr b/tests/data_files/test_csr_v3_all_malformed_extension_id_tag.csr.der similarity index 100% rename from tests/data_files/test_csr_v3_all_malformed_extension_id_tag.csr rename to tests/data_files/test_csr_v3_all_malformed_extension_id_tag.csr.der diff --git a/tests/data_files/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr b/tests/data_files/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der similarity index 100% rename from tests/data_files/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr rename to tests/data_files/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der diff --git a/tests/data_files/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr b/tests/data_files/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der similarity index 100% rename from tests/data_files/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr rename to tests/data_files/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der diff --git a/tests/data_files/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr b/tests/data_files/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der similarity index 100% rename from tests/data_files/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr rename to tests/data_files/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der diff --git a/tests/data_files/test_csr_v3_all_malformed_extension_type_oid.csr b/tests/data_files/test_csr_v3_all_malformed_extension_type_oid.csr.der similarity index 100% rename from tests/data_files/test_csr_v3_all_malformed_extension_type_oid.csr rename to tests/data_files/test_csr_v3_all_malformed_extension_type_oid.csr.der 
diff --git a/tests/data_files/test_csr_v3_all_malformed_extensions_sequence_tag.csr b/tests/data_files/test_csr_v3_all_malformed_extensions_sequence_tag.csr.der similarity index 100% rename from tests/data_files/test_csr_v3_all_malformed_extensions_sequence_tag.csr rename to tests/data_files/test_csr_v3_all_malformed_extensions_sequence_tag.csr.der diff --git a/tests/data_files/test_csr_v3_keyUsage.csr b/tests/data_files/test_csr_v3_keyUsage.csr.der similarity index 100% rename from tests/data_files/test_csr_v3_keyUsage.csr rename to tests/data_files/test_csr_v3_keyUsage.csr.der diff --git a/tests/data_files/test_csr_v3_nsCertType.csr b/tests/data_files/test_csr_v3_nsCertType.csr.der similarity index 100% rename from tests/data_files/test_csr_v3_nsCertType.csr rename to tests/data_files/test_csr_v3_nsCertType.csr.der diff --git a/tests/data_files/test_csr_v3_subjectAltName.csr b/tests/data_files/test_csr_v3_subjectAltName.csr.der similarity index 100% rename from tests/data_files/test_csr_v3_subjectAltName.csr rename to tests/data_files/test_csr_v3_subjectAltName.csr.der diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 784e137a3..e809498d8 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data 
@@ -352,19 +352,19 @@ mbedtls_x509_csr_info:"data_files/server1-ms.req.sha256":"CSR version \: 1\nsu X509 CSR Information v3 extensions #1 (all) depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/test_csr_v3_all.csr":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 3132338081008180333231\ncert. type \: SSL Client\nkey usage \: CRL Sign\n" +mbedtls_x509_csr_info:"data_files/test_csr_v3_all.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 3132338081008180333231\ncert. type \: SSL Client\nkey usage \: CRL Sign\n" X509 CSR Information v3 extensions #2 (nsCertType only) depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/test_csr_v3_nsCertType.csr":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\ncert. type \: SSL Server\n" +mbedtls_x509_csr_info:"data_files/test_csr_v3_nsCertType.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\ncert. 
type \: SSL Server\n" X509 CSR Information v3 extensions #3 (subjectAltName only) depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/test_csr_v3_subjectAltName.csr":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nsubject alt name \:\n dNSName \: example.com\n dNSName \: example.net\n dNSName \: *.example.org\n" +mbedtls_x509_csr_info:"data_files/test_csr_v3_subjectAltName.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nsubject alt name \:\n dNSName \: example.com\n dNSName \: example.net\n dNSName \: *.example.org\n" X509 CSR Information v3 extensions #4 (keyUsage only) depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/test_csr_v3_keyUsage.csr":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Key Encipherment\n" +mbedtls_x509_csr_info:"data_files/test_csr_v3_keyUsage.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Key Encipherment\n" X509 Verify Information: empty x509_verify_info:0:"":"" 
@@ -2680,7 +2680,7 @@ mbedtls_x509_csr_parse:"308201193081bf0201003034310b3009060355040613024e4c311130 X509 CSR ASN.1 (invalid version overflow) mbedtls_x509_csr_parse:"3008300602047fffffff":"":MBEDTLS_ERR_X509_UNKNOWN_VERSION -# Used test_csr_v3_all.csr as a base for malforming CSR extenstions/attributes +# Used test_csr_v3_all.csr.der as a base for malforming CSR extenstions/attributes # Please see makefile for data_files to check malformation details (test_csr_v3_all_malformed_xxx.csr files) X509 CSR ASN.1 (attributes: invalid sequence tag) depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO From 94e21e153fc8e0b185df675b6f34b795d86dd06b Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 25 Jan 2023 11:08:32 +0100 Subject: [PATCH 15/20] Skip unsupported extensions Signed-off-by: Przemek Stekiel --- library/x509_csr.c | 80 ++++++++++++-------------- tests/suites/test_suite_x509parse.data | 2 +- 2 files changed, 38 insertions(+), 44 deletions(-) diff --git a/library/x509_csr.c b/library/x509_csr.c index 3b3aa1cc5..baa061841 100644 --- a/library/x509_csr.c +++ b/library/x509_csr.c 
@@ -112,52 +112,47 @@ static int x509_csr_parse_extensions(mbedtls_x509_csr *csr, } /* - * Detect supported extensions + * Detect supported extensions and skip unsupported extensions */ ret = mbedtls_oid_get_x509_ext_type(&extn_oid, &ext_type); - if (ret != 0) { - *p = end_ext_data; - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, - ret); + if (ret == 0) { + /* Forbid repeated extensions */ + if ((csr->ext_types & ext_type) != 0) { + return (MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, + MBEDTLS_ERR_ASN1_INVALID_DATA)); + } + + csr->ext_types |= ext_type; + + switch (ext_type) { + case MBEDTLS_X509_EXT_KEY_USAGE: + /* Parse key usage */ + if ((ret = mbedtls_x509_get_key_usage(p, end_ext_data, + &csr->key_usage)) != 0) { + return ret; + } + break; + + case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME: + /* Parse subject alt name */ + if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_data, + &csr->subject_alt_names)) != 0) { + return ret; + } + break; + + case MBEDTLS_X509_EXT_NS_CERT_TYPE: + /* Parse netscape certificate type */ + if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_data, + &csr->ns_cert_type)) != 0) { + return ret; + } + break; + default: + break; + } } - - /* Forbid repeated extensions */ - if ((csr->ext_types & ext_type) != 0) { - return (MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, - MBEDTLS_ERR_ASN1_INVALID_DATA)); - } - - csr->ext_types |= ext_type; - - switch (ext_type) { - case MBEDTLS_X509_EXT_KEY_USAGE: - /* Parse key usage */ - if ((ret = mbedtls_x509_get_key_usage(p, end_ext_data, - &csr->key_usage)) != 0) { - return ret; - } - break; - - case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME: - /* Parse subject alt name */ - if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_data, - &csr->subject_alt_names)) != 0) { - return ret; - } - break; - - case MBEDTLS_X509_EXT_NS_CERT_TYPE: - /* Parse netscape certificate type */ - if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_data, - &csr->ns_cert_type)) != 0) { - return 
ret; - } - break; - default: - break; - } - *p = end_ext_data; } @@ -201,7 +196,6 @@ static int x509_csr_parse_attributes(mbedtls_x509_csr *csr, /* Check that this is an extension-request attribute */ if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS9_CSR_EXT_REQ, &attr_oid) == 0) { - if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SET)) != 0) { return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index e809498d8..39aab7ce2 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data 
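Review bot: The new `if (ret == 0)` branch in x509_csr_parse_extensions skips every extension whose OID mbedtls_oid_get_x509_ext_type() does not recognise, and nothing visible in the hunk checks whether that extension was marked critical or records that one was skipped. A caller that issues a certificate from the parsed CSR therefore cannot tell a request carrying only the parsed extensions (key usage, subject alt name, Netscape cert type) from one that also asked for something the parser ignored. If the criticality flag is read above the hunk (not visible here), I would reject an unknown critical extension before the skip; otherwise at least document the behaviour on the `*p = end_ext_data;` line, e.g. `/* Unknown extension OIDs are skipped without error, whatever their criticality. */`. `ret` also still holds the lookup error after a skipped extension, so the function's exit path, which is outside the hunk, must not return it unchanged.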
@@ -2756,7 +2756,7 @@ mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C0465746364 X509 CSR ASN.1 (extensions: invalid extension type data) depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0603551D0F040403020102302F0603551DFF04283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_OID_NOT_FOUND 
+mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0603551D0F040403020102302F0603551DFF04283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\ncert. type \: SSL Client\nkey usage \: CRL Sign\n":0 X509 File parse (no issues) depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C From d7992df5297b2c30c90b0310883f34a83bab2e56 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 25 Jan 2023 16:19:50 +0100 Subject: [PATCH 16/20] Use input files to parse CSR instead of bytes Additionally fix the generation of test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der which was incorectly malformed. Signed-off-by: Przemek Stekiel --- tests/data_files/Makefile | 2 +- ...ed_extension_ns_cert_bitstream_tag.csr.der | Bin 437 -> 437 bytes tests/suites/test_suite_x509parse.data | 76 +++++++++--------- tests/suites/test_suite_x509parse.function | 24 ++++++ 4 files changed, 63 insertions(+), 39 deletions(-) diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index f7728ddd7..eaa9cef40 100644 --- a/tests/data_files/Makefile 
+++ b/tests/data_files/Makefile @@ -116,7 +116,7 @@ test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der: test_csr_v3 test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der: test_csr_v3_all.csr.der (hexdump -ve '1/1 "%.2X"' $< | sed "s/3026A02406082B060105/4026A02406082B060105/" | xxd -r -p ) > $@ test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der: test_csr_v3_all.csr.der - (hexdump -ve '1/1 "%.2X"' $< | sed "s/04020780300D06092A86/03020780300D06092A86/" | xxd -r -p ) > $@ + (hexdump -ve '1/1 "%.2X"' $< | sed "s/03020780300D06092A86/04020780300D06092A86/" | xxd -r -p ) > $@ test_csr_v3_all_malformed_duplicated_extension.csr.der: test_csr_v3_all.csr.der (hexdump -ve '1/1 "%.2X"' $< | sed "s/551D11/551D0F/" | xxd -r -p ) > $@ test_csr_v3_all_malformed_extension_type_oid.csr.der: test_csr_v3_all.csr.der diff --git a/tests/data_files/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der b/tests/data_files/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der index 7e717f35733166efe3775e7747901738865de123..6fdcfc8f39de9b2b1c8e88ea6f2692ac537cfe88 100644 GIT binary patch delta 13 UcmdnWyp?%_93vykWO>GE02|2zjsO4v delta 13 UcmdnWyp?%_93vz1WO>GE02{;ujQ{`u diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 39aab7ce2..fc8d51dfe 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data 
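Review bot: The corrected recipe for test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der still succeeds when the sed pattern matches nothing, in which case the output is a byte-for-byte copy of the valid test_csr_v3_all.csr.der and the negative test built on it never reaches the parser's error path. That appears to be what the removed line did, since the old pattern `04020780300D06092A86` does not seem to occur in the base CSR bytes quoted in the test data of this series. I would make the recipe fail when nothing changed, for example by appending `&& ! cmp -s $< $@` to the command, and do the same for the other `test_csr_v3_all_malformed_*` rules, which share the same hexdump/sed/xxd shape.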
@@ -2683,80 +2683,80 @@ mbedtls_x509_csr_parse:"3008300602047fffffff":"":MBEDTLS_ERR_X509_UNKNOWN_VERSIO # Used test_csr_v3_all.csr.der as a base for malforming CSR extenstions/attributes # Please see makefile for data_files to check malformation details (test_csr_v3_all_malformed_xxx.csr files) X509 CSR ASN.1 (attributes: invalid sequence tag) -depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062406006092A864886F70D01090E31533051300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C +mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (attributes: invalid attribute id) -depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
-mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306007092A864886F70D01090E31533051300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C +mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_id_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (attributes: not extension request) -depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
-mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090F31533051300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n":0 +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C +mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_extension_request.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n":0 X509 CSR ASN.1 (attributes: invalid extenstion request set tag) -depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
-mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E32533051300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C +mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (attributes: invalid extenstion request sequence tag) -depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
-mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533151300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C +mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (attributes: invalid len (len > data)) -depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
-mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306106092A864886F70D01090E31533051300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C +mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA X509 CSR ASN.1 (attributes: invalid len (len < data)) -depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
-mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062305906092A864886F70D01090E31533051300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C +mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH X509 CSR ASN.1 (attributes: extension request invalid len (len > data)) -depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
-mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533052300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C +mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA X509 CSR ASN.1 (attributes: extension request invalid len (len < data)) -depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
-mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533050300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C +mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA X509 CSR ASN.1 (extensions: invalid sequence tag) -depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
-mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051200B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C +mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extensions_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (extensions: invalid extension id tag) -depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
-mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0703551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C +mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_id_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (extensions: invalid extension data tag) -depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
-mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0603551D0F050403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C +mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_data_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (extensions: invalid extension data len (len > data)) -depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
-mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0603551D0F040503020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C +mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_data_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA X509 CSR ASN.1 (extensions: invalid extension data len (len < data)) -depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
-mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0603551D0F040303020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C +mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_data_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH X509 CSR ASN.1 (extensions: invalid extension key usage bitstream tag) -depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
-mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0603551D0F040404020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C +mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (extensions: invalid extension subject alt name sequence tag) -depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
-mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0603551D0F040403020102302F0603551D1104284026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C +mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (extensions: invalid extension ns cert bitstream tag) -depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
-mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0603551D0F040403020102302F0603551D1104283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040404020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C +mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (extensions: duplicated extension) -depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
-mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0603551D0F040403020102302F0603551D0F04283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_INVALID_DATA +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C +mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_duplicated_extension.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_INVALID_DATA X509 CSR ASN.1 (extensions: invalid extension type data) -depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO 
-mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0603551D0F040403020102302F0603551DFF04283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\ncert. type \: SSL Client\nkey usage \: CRL Sign\n":0 +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C +mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_type_oid.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\ncert. type \: SSL Client\nkey usage \: CRL Sign\n":0 X509 File parse (no issues) depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index 5d896bf73..f46bffdd4 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function 
@@ -1169,6 +1169,30 @@ exit:
 }
 /* END_CASE */
 
+/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CSR_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */
+void mbedtls_x509_csr_parse_file(char *csr_file, char *ref_out, int ref_ret)
+{
+ mbedtls_x509_csr csr;
+ char my_out[1000];
+ int my_ret;
+
+ mbedtls_x509_csr_init(&csr);
+ memset(my_out, 0, sizeof(my_out));
+
+ my_ret = mbedtls_x509_csr_parse_file(&csr, csr_file);
+ TEST_ASSERT(my_ret == ref_ret);
+
+ if (ref_ret == 0) {
+ size_t my_out_len = mbedtls_x509_csr_info(my_out, sizeof(my_out), "", &csr);
+ TEST_ASSERT(my_out_len == strlen(ref_out));
+ TEST_ASSERT(strcmp(my_out, ref_out) == 0);
+ }
+
+exit:
+ mbedtls_x509_csr_free(&csr);
+}
+/* END_CASE */
+
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
 void mbedtls_x509_crt_parse_path(char *crt_path, int ret, int nb_crt)
 {
From 32e20919aca51ea348ad50c863c56320e59aa5aa Mon Sep 17 00:00:00 2001
From: Przemek Stekiel
Date: Wed, 25 Jan 2023 14:26:15 +0100
Subject: [PATCH 17/20] Remove redundant check and add comment to inform about processing of empty extensions Netscape Certificate Management System Administrator's Guide: Extension-Specific Policy Modules, Chapter 18: Extension-Specific Policy Modules, Netscape Certificate Type Extension Policy: > The extension has no default value. A bitstring with no flags set is still technically valid, as it will mean that the certificate has no designated purpose at the time of creation.
Signed-off-by: Przemek Stekiel
---
 library/x509.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/library/x509.c b/library/x509.c
index 9869b05e5..81e30e4ac 100644
--- a/library/x509.c
+++ b/library/x509.c
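Review bot: In the added test function `mbedtls_x509_csr_parse_file` (tests/suites/test_suite_x509parse.function), the result of `mbedtls_x509_csr_info()` is stored in a `size_t`, although that function returns an `int` that is negative on failure; an error therefore becomes a very large length and the test only fails indirectly on the `strlen` comparison. Keep the value signed and check it first: `int res = mbedtls_x509_csr_info(my_out, sizeof(my_out), "", &csr);`, `TEST_ASSERT(res >= 0);`, `TEST_EQUAL((size_t) res, strlen(ref_out));`. Using `TEST_EQUAL(my_ret, ref_ret)` in place of `TEST_ASSERT(my_ret == ref_ret)` would also report both error codes when a malformed-CSR case returns the wrong one.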
@@ -1328,6 +1328,8 @@ int mbedtls_x509_get_ns_cert_type(unsigned char **p,
 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
 }
 
+ /* A bitstring with no flags set is still technically valid, as it will mean
+ that the certificate has no designated purpose at the time of creation. */
 if (bs.len == 0) {
 *ns_cert_type = 0;
 return 0;
@@ -1355,16 +1357,13 @@ int mbedtls_x509_get_key_usage(unsigned char **p,
 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
 }
 
+ /* A bitstring with no flags set is still technically valid, as it will mean
+ that the certificate has no designated purpose at the time of creation. */
 if (bs.len == 0) {
 *key_usage = 0;
 return 0;
 }
 
- if (bs.len < 1) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
- MBEDTLS_ERR_ASN1_INVALID_LENGTH);
- }
-
 /* Get actual bitstring */
 *key_usage = 0;
 for (i = 0; i < bs.len && i < sizeof(unsigned int); i++) {
From 36ad5e7ab53fd61cf587ffb467f73031135b77c3 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel
Date: Thu, 26 Jan 2023 22:30:45 +0100
Subject: [PATCH 18/20] Fix code style
Signed-off-by: Przemek Stekiel
---
 library/x509_csr.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/library/x509_csr.c b/library/x509_csr.c
index baa061841..cd117cbd4 100644
--- a/library/x509_csr.c
+++ b/library/x509_csr.c
@@ -119,8 +119,8 @@ static int x509_csr_parse_extensions(mbedtls_x509_csr *csr,
 if (ret == 0) {
 /* Forbid repeated extensions */
 if ((csr->ext_types & ext_type) != 0) {
- return (MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
- MBEDTLS_ERR_ASN1_INVALID_DATA));
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_INVALID_DATA);
 }
 
 csr->ext_types |= ext_type;
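Review bot: The comment added in `mbedtls_x509_get_key_usage` (second hunk of library/x509.c) reuses the Netscape cert-type wording, but that guidance describes nsCertType; for keyUsage, RFC 5280 section 4.2.1.3 requires at least one bit to be set when the extension appears in a certificate. Accepting an empty bitstring and storing 0 is therefore a leniency of this parser rather than something the quoted text covers, and the comment should say so, for example `/* Empty keyUsage is accepted and reported as 0; RFC 5280 4.2.1.3 requires at least one bit set in certificates. */`. A caller that must tell an absent extension from a present-but-empty one has to test `ext_types` (set in `x509_csr_parse_extensions` via `csr->ext_types |= ext_type`) instead of `key_usage == 0`; whether the certificate path needs a stricter check is not visible here. The function body continues outside the hunk.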
@@ -129,7 +129,7 @@ static int x509_csr_parse_extensions(mbedtls_x509_csr *csr,
 case MBEDTLS_X509_EXT_KEY_USAGE:
 /* Parse key usage */
 if ((ret = mbedtls_x509_get_key_usage(p, end_ext_data,
- &csr->key_usage)) != 0) {
+ &csr->key_usage)) != 0) {
 return ret;
 }
 break;
@@ -137,7 +137,7 @@ static int x509_csr_parse_extensions(mbedtls_x509_csr *csr,
 case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
 /* Parse subject alt name */
 if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_data,
- &csr->subject_alt_names)) != 0) {
+ &csr->subject_alt_names)) != 0) {
 return ret;
 }
 break;
@@ -145,7 +145,7 @@ static int x509_csr_parse_extensions(mbedtls_x509_csr *csr,
 case MBEDTLS_X509_EXT_NS_CERT_TYPE:
 /* Parse netscape certificate type */
 if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_data,
- &csr->ns_cert_type)) != 0) {
+ &csr->ns_cert_type)) != 0) {
 return ret;
 }
 break;
@@ -222,7 +222,7 @@ static int x509_csr_parse_attributes(mbedtls_x509_csr *csr,
 
 if (*p != end) {
 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
 }
 
 return 0;
From 59f4a18b6f355003d867c0fdce2eaaf3a7529696 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel
Date: Fri, 27 Jan 2023 07:13:43 +0100
Subject: [PATCH 19/20] Fix test dependency SHA1 -> SHA256
Signed-off-by: Przemek Stekiel
---
 tests/suites/test_suite_x509parse.data | 46 +++++++++++++-------------
 1 file changed, 23 insertions(+), 23 deletions(-)
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index fc8d51dfe..6821fe184 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -351,19 +351,19 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_US
 mbedtls_x509_csr_info:"data_files/server1-ms.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n"
 
 X509 CSR Information v3 extensions #1 (all)
-depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
+depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
 mbedtls_x509_csr_info:"data_files/test_csr_v3_all.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 3132338081008180333231\ncert. type \: SSL Client\nkey usage \: CRL Sign\n"
 
 X509 CSR Information v3 extensions #2 (nsCertType only)
-depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
+depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
 mbedtls_x509_csr_info:"data_files/test_csr_v3_nsCertType.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\ncert. type \: SSL Server\n"
 
 X509 CSR Information v3 extensions #3 (subjectAltName only)
-depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
+depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
 mbedtls_x509_csr_info:"data_files/test_csr_v3_subjectAltName.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nsubject alt name \:\n dNSName \: example.com\n dNSName \: example.net\n dNSName \: *.example.org\n"
 
 X509 CSR Information v3 extensions #4 (keyUsage only)
-depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
+depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
 mbedtls_x509_csr_info:"data_files/test_csr_v3_keyUsage.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Key Encipherment\n"
 
 X509 Verify Information: empty
@@ -2683,79 +2683,79 @@ mbedtls_x509_csr_parse:"3008300602047fffffff":"":MBEDTLS_ERR_X509_UNKNOWN_VERSIO
 # Used test_csr_v3_all.csr.der as a base for malforming CSR extenstions/attributes
 # Please see makefile for data_files to check malformation details (test_csr_v3_all_malformed_xxx.csr files)
 X509 CSR ASN.1 (attributes: invalid sequence tag)
-depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
+depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
 mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 CSR ASN.1 (attributes: invalid attribute id)
-depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
+depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
 mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_id_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 CSR ASN.1 (attributes: not extension request)
-depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
+depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
 mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_extension_request.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n":0
 
 X509 CSR ASN.1 (attributes: invalid extenstion request set tag)
-depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
+depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
 mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 CSR ASN.1 (attributes: invalid extenstion request sequence tag)
-depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
+depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
 mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 CSR ASN.1 (attributes: invalid len (len > data))
-depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
+depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
 mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 CSR ASN.1 (attributes: invalid len (len < data))
-depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
+depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
 mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
 
 X509 CSR ASN.1 (attributes: extension request invalid len (len > data))
-depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
+depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
 mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 CSR ASN.1 (attributes: extension request invalid len (len < data))
-depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
+depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
 mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 CSR ASN.1 (extensions: invalid sequence tag)
-depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
+depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
 mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extensions_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 CSR ASN.1 (extensions: invalid extension id tag)
-depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
+depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
 mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_id_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 CSR ASN.1 (extensions: invalid extension data tag)
-depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
+depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
 mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_data_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 CSR ASN.1 (extensions: invalid extension data len (len > data))
-depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
+depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
 mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_data_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 CSR ASN.1 (extensions: invalid extension data len (len < data))
-depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
+depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
 mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_data_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
 
 X509 CSR ASN.1 (extensions: invalid extension key usage bitstream tag)
-depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
+depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
 mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 CSR ASN.1 (extensions: invalid extension subject alt name sequence tag)
-depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
+depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
 mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 CSR ASN.1 (extensions: invalid extension ns cert bitstream tag)
-depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
+depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
 mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 CSR ASN.1 (extensions: duplicated extension)
-depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
+depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
 mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_duplicated_extension.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_INVALID_DATA
 
 X509 CSR ASN.1 (extensions: invalid extension type data)
-depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
+depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
 mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_type_oid.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\ncert. type \: SSL Client\nkey usage \: CRL Sign\n":0
 
 X509 File parse (no issues)
From 30223708968291143f53a325bd8e8b2f7b481044 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel
Date: Fri, 27 Jan 2023 11:03:53 +0100
Subject: [PATCH 20/20] Add changelog entry for V3 extensions in CSR
Signed-off-by: Przemek Stekiel
---
 ChangeLog.d/csr_v3_extensions.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 ChangeLog.d/csr_v3_extensions.txt
diff --git a/ChangeLog.d/csr_v3_extensions.txt b/ChangeLog.d/csr_v3_extensions.txt
new file mode 100644
index 000000000..92740174f
--- /dev/null
+++ b/ChangeLog.d/csr_v3_extensions.txt
@@ -0,0 +1,3 @@
+Features
+ * Add parsing of V3 extensions (key usage, Netscape cert-type,
+ Subject Alternative Names) in x509 Certificate Sign Requests.