From cfae6a1ae99aaf5e3e4172f0722623ec59d49b0e Mon Sep 17 00:00:00 2001
From: David Horstmann
Date: Fri, 18 Aug 2023 19:12:59 +0100
Subject: [PATCH] Fix incorrect detection of HardwareModuleName

The hardware module name otherName SAN contains 2 OIDs: OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY DEFINED BY type-id } HardwareModuleName ::= SEQUENCE { hwType OBJECT IDENTIFIER, hwSerialNum OCTET STRING } The first, type-id, is the one that identifies the otherName as a HardwareModuleName. The second, hwType, identifies the type of hardware. This change fixes 2 issues: 1. We were erroneously trying to identify HardwareModuleNames by looking at hwType, not type-id. 2. We accidentally inverted the check so that we were checking that hwType did NOT match HardwareModuleName. This fix ensures that type-id is correctly checked to make sure that it matches the OID for HardwareModuleName.

Signed-off-by: David Horstmann
---
 library/x509.c | 2 +-
 tests/suites/test_suite_x509parse.function | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/library/x509.c b/library/x509.c
index cee854c0c..ee7a2b2f3 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -1489,7 +1489,7 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
 MBEDTLS_X509_SAFE_SNPRINTF;
 if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME,
- &other_name->value.hardware_module_name.oid) != 0) {
+ &other_name->type_id) == 0) {
 ret = mbedtls_snprintf(p, n, "\n%s hardware module name :", prefix);
 MBEDTLS_X509_SAFE_SNPRINTF;
 ret =
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 7a2bbefd9..ce80e569e 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
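Review bot: The corrected comparison on the `+` line now keys on `type_id`, but nothing in the hunk records why the inner `value.hardware_module_name.oid` was the wrong field, and the removed line shows the two OIDs are easy to confuse; a one-line comment above the `if` would pin it: `/* type-id selects the otherName form; value.hardware_module_name.oid is hwType, the kind of hardware, not the form */`. The same comparison is changed in tests/suites/test_suite_x509parse.function and would take the same comment. Printing `value.hardware_module_name` below presumably relies on the parser having filled that member only when `type_id` matched; if the parser-side comparison differs from this one, this branch could print fields that were never populated, so it is worth confirming the two agree. mbedtls_x509_info_subject_alt_name starts and ends outside the hunk.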
@@ -242,7 +242,7 @@ int verify_parse_san(mbedtls_x509_subject_alternative_name *san,
 MBEDTLS_X509_SAFE_SNPRINTF;
 if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME,
- &san->san.other_name.value.hardware_module_name.oid) != 0) {
+ &san->san.other_name.type_id) == 0) {
 ret = mbedtls_snprintf(p, n, " hardware module name :");
 MBEDTLS_X509_SAFE_SNPRINTF;
 ret = mbedtls_snprintf(p, n, " hardware type : ");
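Review bot: The helper's comparison is flipped together with the library one, but the diffstat lists only these two one-line changes, so no test data in the patch exercises the case the old inverted check got wrong: an otherName whose `type_id` is not MBEDTLS_OID_ON_HW_MODULE_NAME. A vector with such an otherName, asserted to produce no ` hardware module name :` output, would catch a regression of either the field or the sign of the comparison, which a vector that only contains a genuine HardwareModuleName cannot (the old code printed that one correctly by accident). verify_parse_san's body continues outside the hunk.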