eden-emu/mbedtls
15
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add support for directoryName subjectAltName

Browse source 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
This commit is contained in:
Andrzej Kurek 2023-01-10 06:47:38 -05:00
parent 05c5a91514
commit e12b01d31b
7 changed files with 87 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
include/mbedtls/x509.h
View file

@ -294,7 +294,8 @@ typedef struct mbedtls_x509_subject_alternative_name {
int type; /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */ int type; /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
union { union {
mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */ mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */
mbedtls_x509_buf unstructured_name; /**< The buffer for the unconstructed types. Only rfc822Name, dnsName and uniformResourceIdentifier are currently supported */ mbedtls_x509_name directory_name;
mbedtls_x509_buf unstructured_name; /**< The buffer for the unstructured types. rfc822Name, dnsName and uniformResourceIdentifier are currently supported. */
} }
san; /**< A union of the supported SAN types */ san; /**< A union of the supported SAN types */
} }

41
library/x509.c
View file

@ -1433,6 +1433,31 @@ int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
} }
break; break;
/*
* directoryName
*/
case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_DIRECTORY_NAME):
{
size_t name_len;
unsigned char *p = san_buf->p;
memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name));
san->type = MBEDTLS_X509_SAN_DIRECTORY_NAME;
ret = mbedtls_asn1_get_tag(&p, p + san_buf->len, &name_len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
if (ret != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
ret);
}
if ((ret = mbedtls_x509_get_name(&p, p + name_len,
&san->san.directory_name)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
ret);
}
}
break;
/* /*
* Type not supported * Type not supported
*/ */
@ -1553,6 +1578,22 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
} }
break; break;
/*
* directoryName
*/
case MBEDTLS_X509_SAN_DIRECTORY_NAME:
{
ret = mbedtls_snprintf(p, n, "\n%s directoryName : ", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
ret = mbedtls_x509_dn_gets(p, n, &san.san.directory_name);
if (ret < 0) {
return ret;
}
p += ret;
n -= ret;
}
break;
/* /*
* Type not supported, skip item. * Type not supported, skip item.
*/ */

4
tests/data_files/Makefile
View file

@ -337,6 +337,10 @@ server5-fan.crt: server5.key
server5-tricky-ip-san.crt: server5.key server5-tricky-ip-san.crt: server5.key
$(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS Tricky IP SAN" -set_serial 77 -config $(test_ca_config_file) -extensions tricky_ip_san -days 3650 -sha256 -key server5.key -out $@ $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS Tricky IP SAN" -set_serial 77 -config $(test_ca_config_file) -extensions tricky_ip_san -days 3650 -sha256 -key server5.key -out $@
server5-directoryname.crt: server5.key
$(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS directoryName SAN" -set_serial 77 -config $(test_ca_config_file) -extensions directory_name_san -days 3650 -sha256 -key server5.key -out $@
all_final += server5-tricky-ip-san.crt all_final += server5-tricky-ip-san.crt
rsa_single_san_uri.crt.der: rsa_single_san_uri.key rsa_single_san_uri.crt.der: rsa_single_san_uri.key

13
tests/data_files/server5-directoryname.crt Normal file
View file

@ -0,0 +1,13 @@
-----BEGIN CERTIFICATE-----
MIIB7jCCAZSgAwIBAgIBTTAKBggqhkjOPQQDAjBFMQswCQYDVQQGEwJVSzERMA8G
A1UECgwITWJlZCBUTFMxIzAhBgNVBAMMGk1iZWQgVExTIGRpcmVjdG9yeU5hbWUg
U0FOMB4XDTIzMDExMDE2NTkyOVoXDTMzMDEwNzE2NTkyOVowRTELMAkGA1UEBhMC
VUsxETAPBgNVBAoMCE1iZWQgVExTMSMwIQYDVQQDDBpNYmVkIFRMUyBkaXJlY3Rv
cnlOYW1lIFNBTjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDfMVtl2CR5acj7H
WS3/IG7ufPkGkXTQrRS192giWWKSTuUA2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76
Aci07f+jdTBzMFIGA1UdEQRLMEmkRzBFMQswCQYDVQQGEwJVSzERMA8GA1UECgwI
TWJlZCBUTFMxIzAhBgNVBAMMGk1iZWQgVExTIGRpcmVjdG9yeU5hbWUgU0FOMB0G
A1UdDgQWBBRQYaWP1AfZ14IBDOVlf4xjRqcTvjAKBggqhkjOPQQDAgNIADBFAiBr
PtyaL8tF+jghNK32ZnWriCp2k7Aq+QVuef+6+sSH6AIhAIKw+o0J2Pu27ulHFIzI
MdFECpZ3nqAGbTOTOMX6LoDh
-----END CERTIFICATE-----

8
tests/data_files/test-ca.opensslconf
View file

@ -99,3 +99,11 @@ nsCertType=server
keyUsage = cRLSign keyUsage = cRLSign
subjectAltName=otherName:1.3.6.1.5.5.7.8.4;SEQ:nonprintable_hw_module_name subjectAltName=otherName:1.3.6.1.5.5.7.8.4;SEQ:nonprintable_hw_module_name
nsCertType=client nsCertType=client
[directory_name_san]
subjectAltName=dirName:dirname_sect
[dirname_sect]
C=UK
O=Mbed TLS
CN=Mbed TLS directoryName SAN

8
tests/suites/test_suite_x509parse.data
View file

@ -94,6 +94,10 @@ X509 CRT information EC, SHA256 Digest, binary hardware module name SAN
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
x509_cert_info:"data_files/server5-nonprintable_othername.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS non-printable othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS non-printable othername SAN\nissued on \: 2022-09-06 15\:56\:47\nexpires on \: 2032-09-03 15\:56\:47\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 3132338081008180333231\n" x509_cert_info:"data_files/server5-nonprintable_othername.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS non-printable othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS non-printable othername SAN\nissued on \: 2022-09-06 15\:56\:47\nexpires on \: 2032-09-03 15\:56\:47\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 3132338081008180333231\n"
X509 CRT information EC, SHA256 Digest, directoryName SAN
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA
x509_cert_info:"data_files/server5-directoryname.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nissued on \: 2023-01-10 16\:59\:29\nexpires on \: 2033-01-07 16\:59\:29\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n directoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n"
X509 CRT information EC, SHA256 Digest, Wisun Fan device X509 CRT information EC, SHA256 Digest, Wisun Fan device
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
x509_cert_info:"data_files/server5-fan.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nissued on \: 2019-03-25 09\:03\:46\nexpires on \: 2029-03-22 09\:03\:46\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\next key usage \: Wi-SUN Alliance Field Area Network (FAN)\n" x509_cert_info:"data_files/server5-fan.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nissued on \: 2019-03-25 09\:03\:46\nexpires on \: 2029-03-22 09\:03\:46\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\next key usage \: Wi-SUN Alliance Field Area Network (FAN)\n"
@ -190,6 +194,10 @@ X509 SAN parsing binary otherName
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
x509_parse_san:"data_files/server5-nonprintable_othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 3132338081008180333231\n" x509_parse_san:"data_files/server5-nonprintable_othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 3132338081008180333231\n"
X509 SAN parsing directoryName
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA
x509_parse_san:"data_files/server5-directoryname.crt":"type \: 4\ndirectoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n"
X509 SAN parsing dNSName X509 SAN parsing dNSName
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
x509_parse_san:"data_files/cert_example_multi.crt":"type \: 2\ndNSName \: example.com\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n" x509_parse_san:"data_files/cert_example_multi.crt":"type \: 2\ndNSName \: example.com\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n"

11
tests/suites/test_suite_x509parse.function
View file

@ -289,6 +289,17 @@ int verify_parse_san(mbedtls_x509_subject_alternative_name *san,
*p++ = san->san.unstructured_name.p[i]; *p++ = san->san.unstructured_name.p[i];
} }
break;/* MBEDTLS_X509_SAN_RFC822_NAME */ break;/* MBEDTLS_X509_SAN_RFC822_NAME */
case (MBEDTLS_X509_SAN_DIRECTORY_NAME):
ret = mbedtls_snprintf(p, n, "\ndirectoryName : ");
MBEDTLS_X509_SAFE_SNPRINTF;
ret = mbedtls_x509_dn_gets(p, n, &san->san.directory_name);
if (ret < 0) {
return ret;
}
p += ret;
n -= ret;
break;/* MBEDTLS_X509_SAN_DIRECTORY_NAME */
default: default:
/* /*
* Should not happen. * Should not happen.