Merge pull request #7638 from AndrzejKurek/cert-apps-use-ips

Use better IP parsing in x509 apps
2023-06-20 17:21:04 +01:00 · 2023-06-20 17:21:04 +01:00 · 458b96b1a7
commit 458b96b1a7
parent cd70070c25 c6beb3a741
6 changed files with 48 additions and 92 deletions
--- a/programs/x509/cert_req.c
+++ b/programs/x509/cert_req.c
@ -116,18 +116,6 @@ struct options {
    mbedtls_md_type_t md_alg;         /* Hash algorithm used for signature.   */
 } opt;

-static void ip_string_to_bytes(const char *str, uint8_t *bytes, int maxBytes)
-{
-    for (int i = 0; i < maxBytes; i++) {
-        bytes[i] = (uint8_t) strtoul(str, NULL, 10);
-        str = strchr(str, '.');
-        if (str == NULL || *str == '\0') {
-            break;
-        }
-        str++;
-    }
-}
-
 int write_certificate_request(mbedtls_x509write_csr *req, const char *output_file,
                              int (*f_rng)(void *, unsigned char *, size_t),
                              void *p_rng)
@ -165,13 +153,15 @@ int main(int argc, char *argv[])
    mbedtls_pk_context key;
    char buf[1024];
    int i;
-    char *p, *q, *r, *r2;
+    char *p, *q, *r, *subtype_value;
    mbedtls_x509write_csr req;
    mbedtls_entropy_context entropy;
    mbedtls_ctr_drbg_context ctr_drbg;
    const char *pers = "csr example app";
    mbedtls_x509_san_list *cur, *prev;
-
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    uint8_t ip[4] = { 0 };
+#endif
    /*
     * Set to sane values
     */
@ -231,8 +221,6 @@ usage:
            prev = NULL;

            while (q != NULL) {
-                uint8_t ip[4] = { 0 };
-
                if ((r = strchr(q, ';')) != NULL) {
                    *r++ = '\0';
                }
@ -245,8 +233,8 @@ usage:

                cur->next = NULL;

-                if ((r2 = strchr(q, ':')) != NULL) {
-                    *r2++ = '\0';
+                if ((subtype_value = strchr(q, ':')) != NULL) {
+                    *subtype_value++ = '\0';
                }

                if (strcmp(q, "URI") == 0) {
@ -254,18 +242,31 @@ usage:
                } else if (strcmp(q, "DNS") == 0) {
                    cur->node.type = MBEDTLS_X509_SAN_DNS_NAME;
                } else if (strcmp(q, "IP") == 0) {
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+                    size_t ip_len = 0;
                    cur->node.type = MBEDTLS_X509_SAN_IP_ADDRESS;
-                    ip_string_to_bytes(r2, ip, 4);
+                    ip_len = mbedtls_x509_crt_parse_cn_inet_pton(subtype_value, ip);
+                    if (ip_len == 0) {
+                        mbedtls_printf("mbedtls_x509_crt_parse_cn_inet_pton failed to parse %s\n",
+                                       subtype_value);
+                        goto exit;
+                    }
+#else
+                    mbedtls_printf("IP SAN parsing requires MBEDTLS_X509_CRT_PARSE_C to be defined");
+                    goto exit;
+#endif
                } else {
                    mbedtls_free(cur);
                    goto usage;
                }

                if (strcmp(q, "IP") == 0) {
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
                    cur->node.san.unstructured_name.p = (unsigned char *) ip;
                    cur->node.san.unstructured_name.len = sizeof(ip);
+#endif
                } else {
-                    q = r2;
+                    q = subtype_value;
                    cur->node.san.unstructured_name.p = (unsigned char *) q;
                    cur->node.san.unstructured_name.len = strlen(q);
                }
--- a/programs/x509/cert_write.c
+++ b/programs/x509/cert_write.c
@ -216,18 +216,6 @@ struct options {
    int format;                 /* format                               */
 } opt;

-static void ip_string_to_bytes(const char *str, uint8_t *bytes, int maxBytes)
-{
-    for (int i = 0; i < maxBytes; i++) {
-        bytes[i] = (uint8_t) strtoul(str, NULL, 10);
-        str = strchr(str, '.');
-        if (str == NULL || *str == '\0') {
-            break;
-        }
-        str++;
-    }
-}
-
 int write_certificate(mbedtls_x509write_cert *crt, const char *output_file,
                      int (*f_rng)(void *, unsigned char *, size_t),
                      void *p_rng)
@ -601,8 +589,14 @@ usage:
                } else if (strcmp(q, "DNS") == 0) {
                    cur->node.type = MBEDTLS_X509_SAN_DNS_NAME;
                } else if (strcmp(q, "IP") == 0) {
+                    size_t ip_len = 0;
                    cur->node.type = MBEDTLS_X509_SAN_IP_ADDRESS;
-                    ip_string_to_bytes(subtype_value, ip, 4);
+                    ip_len = mbedtls_x509_crt_parse_cn_inet_pton(subtype_value, ip);
+                    if (ip_len == 0) {
+                        mbedtls_printf("mbedtls_x509_crt_parse_cn_inet_pton failed to parse %s\n",
+                                       subtype_value);
+                        goto exit;
+                    }
                    cur->node.san.unstructured_name.p = (unsigned char *) ip;
                    cur->node.san.unstructured_name.len = sizeof(ip);
                } else if (strcmp(q, "DN") == 0) {
@ -625,8 +619,9 @@ usage:
                if (cur->node.type == MBEDTLS_X509_SAN_RFC822_NAME ||
                    cur->node.type == MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER ||
                    cur->node.type == MBEDTLS_X509_SAN_DNS_NAME) {
-                    cur->node.san.unstructured_name.p = (unsigned char *) subtype_value;
-                    cur->node.san.unstructured_name.len = strlen(subtype_value);
+                    q = subtype_value;
+                    cur->node.san.unstructured_name.p = (unsigned char *) q;
+                    cur->node.san.unstructured_name.len = strlen(q);
                }

                if (prev == NULL) {