Add parsing of Name Constraints extension, allow handling raw Other Name data

Signed-off-by: Brian Sipos <[email protected]>
BrianSipos committed Jan 10, 2025
1 parent 69dcb6d commit 998df5b
Showing 8 changed files with 345 additions and 35 deletions.
6 changes: 6 additions & 0 deletions include/mbedtls/x509.h
Expand Up @@ -134,6 +134,9 @@
#define MBEDTLS_X509_SAN_IP_ADDRESS 7
#define MBEDTLS_X509_SAN_REGISTERED_ID 8

#define MBEDTLS_X509_NAME_CONST_INCL 0
#define MBEDTLS_X509_NAME_CONST_EXCL 1

/*
* X.509 v3 Key Usage Extension flags
* Reminder: update mbedtls_x509_info_key_usage() when adding new flags.
Expand Down Expand Up @@ -277,6 +280,9 @@ typedef struct mbedtls_x509_san_other_name {
mbedtls_x509_buf val; /**< The named value. */
}
hardware_module_name;
/** Raw source value for non-constructed types.
*/
mbedtls_x509_buf raw;
}
value;
}
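Review bot: The doc comment on the new `raw` union member says it holds the value for "non-constructed types", but the fallback branch added to x509_get_other_name in library/x509.c by this same commit stores whatever identifier octet follows the [0] wrapper (`other_name->value.raw.tag = *p;`) without checking the constructed bit, so the comment promises a restriction the parser does not enforce. It should also say which union member is valid for a given type_id, since the `hardware_module_name` fields are only populated on the HwModuleName path and would be stale for any other OID. Suggest: `/** Raw value for any other type-id: tag is the full identifier octet (class and constructed bits included, not validated), p/len the contents. Valid only when type_id is not HwModuleName. */`.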
3 changes: 3 additions & 0 deletions include/mbedtls/x509_crt.h
Expand Up @@ -67,6 +67,9 @@ typedef struct mbedtls_x509_crt {
mbedtls_x509_buf subject_key_id; /**< Optional X.509 v3 extension subject key identifier. */
mbedtls_x509_authority authority_key_id; /**< Optional X.509 v3 extension authority key identifier. */

mbedtls_x509_sequence name_constraints_incl; /**< Optional list of raw entries of Name Constraints extension (currently only dNSName and OtherName are listed). */
mbedtls_x509_sequence name_constraints_excl; /**< Optional list of raw entries of Name Constraints extension (currently only dNSName and OtherName are listed). */

mbedtls_x509_sequence certificate_policies; /**< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). */

int MBEDTLS_PRIVATE(ext_types); /**< Bit string containing detected and parsed extensions */
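Review bot: The two new fields carry an identical comment, although `name_constraints_incl` holds the permittedSubtrees and `name_constraints_excl` the excludedSubtrees of RFC 5280 §4.2.1.10; each comment should name its subtree, e.g. `/**< Optional list of raw permittedSubtrees entries of the Name Constraints extension (only dNSName and OtherName are listed). */`. The neighbouring `certificate_policies` comment states what is enforced, and these should too: none of this commit's visible hunks apply the constraints during chain verification, so if that is the case the comment should say `parsed for inspection only; not enforced by certificate verification`, otherwise callers may assume a name-constrained CA is being restricted. The parsing code itself is in a file collapsed out of this view, so I cannot confirm how the GeneralSubtree minimum/maximum fields or a critical flag with unsupported GeneralName types are handled; both deserve a comment at the point of parsing.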
118 changes: 87 additions & 31 deletions library/x509.c
Expand Up @@ -1190,6 +1190,7 @@ int mbedtls_x509_time_is_future(const mbedtls_x509_time *from)
*
* NOTE: we currently only parse and use otherName of type HwModuleName,
* as defined in RFC 4108.
* Other type-ids are kept as raw, undecoded ASN.1 bytes.
*/
static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name,
mbedtls_x509_san_other_name *other_name)
Expand Down Expand Up @@ -1218,12 +1219,7 @@ static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name,
cur_oid.p = p;
cur_oid.len = len;

/*
* Only HwModuleName is currently supported.
*/
if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME, &cur_oid) != 0) {
return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
}
/* Value context-specific tag */
other_name->type_id = cur_oid;

p += len;
Expand All @@ -1238,38 +1234,64 @@ static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}

if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
/*
* HwModuleName
*/
if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME, &cur_oid) == 0) {
if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}

if (end != p + len) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
if (end != p + len) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}

if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}

other_name->value.hardware_module_name.oid.tag = MBEDTLS_ASN1_OID;
other_name->value.hardware_module_name.oid.p = p;
other_name->value.hardware_module_name.oid.len = len;
other_name->value.hardware_module_name.oid.tag = MBEDTLS_ASN1_OID;
other_name->value.hardware_module_name.oid.p = p;
other_name->value.hardware_module_name.oid.len = len;

p += len;
if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
MBEDTLS_ASN1_OCTET_STRING)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
p += len;
if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
MBEDTLS_ASN1_OCTET_STRING)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}

other_name->value.hardware_module_name.val.tag = MBEDTLS_ASN1_OCTET_STRING;
other_name->value.hardware_module_name.val.p = p;
other_name->value.hardware_module_name.val.len = len;
p += len;
if (p != end) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
}
/* Arbitrary raw value */
else {
if (p >= end) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_OUT_OF_DATA);
}
other_name->value.raw.tag = *p;
p++;

other_name->value.hardware_module_name.val.tag = MBEDTLS_ASN1_OCTET_STRING;
other_name->value.hardware_module_name.val.p = p;
other_name->value.hardware_module_name.val.len = len;
p += len;
if (p != end) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
if ((ret = mbedtls_asn1_get_len(&p, end, &len)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
other_name->value.raw.p = p;
other_name->value.raw.len = len;
p += len;
if (p != end) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
}

return 0;
}

Expand Down Expand Up @@ -1640,6 +1662,40 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
MBEDTLS_X509_SAFE_SNPRINTF;
}
}/* MBEDTLS_OID_ON_HW_MODULE_NAME */
else if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_BUNDLE_EID,
&other_name->type_id) == 0) {
int len = 0;
const char *str = NULL;
if (other_name->value.raw.tag == MBEDTLS_ASN1_IA5_STRING) {
len = other_name->value.raw.len;
str = (char*)other_name->value.raw.p;
}

ret = mbedtls_snprintf(p, n, "\n%s BundleEID : %.*s", prefix,
len, str);
MBEDTLS_X509_SAFE_SNPRINTF;
}/* MBEDTLS_OID_ON_BUNDLE_EID */
else {
/* Show type OID */
ret = mbedtls_snprintf(p, n, "\n%s type-id : ", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;

ret = mbedtls_oid_get_numeric_string(p,
n,
&other_name->type_id);
MBEDTLS_X509_SAFE_SNPRINTF;

ret = mbedtls_snprintf(p, n, "\n%s value : ", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;

for (i = 0; i < other_name->value.raw.len; i++) {
ret = mbedtls_snprintf(p,
n,
"%02X",
other_name->value.raw.p[i]);
MBEDTLS_X509_SAFE_SNPRINTF;
}
}
}
break;
/*
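Review bot: In the new BundleEID branch of the last hunk, `str` is initialised to NULL and then passed to `mbedtls_snprintf` through `%.*s`; a null pointer for `%s` is undefined behaviour in C even with a zero precision, and mbedtls_snprintf may be a platform-supplied replacement, so initialise it as `const char *str = "";`. The precision is an `int` assigned from the `size_t` `raw.len`; write `len = (int) other_name->value.raw.len;` so the format and argument types match (the value is bounded by the extension length, so truncation is not a concern). The IA5String bytes are copied into the info buffer unfiltered, which presumably mirrors how dNSName is printed elsewhere in this function, but it does mean control characters from an attacker-supplied certificate reach the caller's output as-is; a comment noting that the caller must treat the text as untrusted would help. The enclosing function mbedtls_x509_info_subject_alt_name begins before this hunk.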
