diff --git a/ChangeLog.d/register-name-constraints.txt b/ChangeLog.d/register-name-constraints.txt
new file mode 100644
index 000000000000..aa2ceba62d05
--- /dev/null
+++ b/ChangeLog.d/register-name-constraints.txt
@@ -0,0 +1,5 @@
+Features * Decode Name Constraints extension. * Show info for Name Constraints for a certificate. * Handle Other Name type of General Name as opaque data. * Show info for BundleEID Other Name for a certificate.
diff --git a/framework b/framework
index 8296a73ce0cb..54d1b5af4b0a 160000
--- a/framework
+++ b/framework
@@ -1 +1 @@
-Subproject commit 8296a73ce0cb31fadf411b6929a3201beece37a5
+Subproject commit 54d1b5af4b0a26dfdaa674a0175649dd144520d7
diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h
index 18df19ce6c8f..90ac328d3ca5 100644
--- a/include/mbedtls/x509.h
+++ b/include/mbedtls/x509.h
@@ -134,6 +134,9 @@
 #define MBEDTLS_X509_SAN_IP_ADDRESS 7
 #define MBEDTLS_X509_SAN_REGISTERED_ID 8
+#define MBEDTLS_X509_NAME_CONST_INCL 0
+#define MBEDTLS_X509_NAME_CONST_EXCL 1
+
 /*
 * X.509 v3 Key Usage Extension flags
 * Reminder: update mbedtls_x509_info_key_usage() when adding new flags.
@@ -277,6 +280,9 @@ typedef struct mbedtls_x509_san_other_name {
 mbedtls_x509_buf val; /**< The named value. */
 }
 hardware_module_name;
+ /** Raw source value for non-constructed types.
+ */
+ mbedtls_x509_buf raw;
 }
 value;
 }
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 5943cfcfa586..6c6c7ec85b5b 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
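Review bot: `raw` joins a union with `hardware_module_name`, but the new doc comment does not say which member is valid when; a reader of the header cannot tell that `raw` is populated only when `type_id` is not HwModuleName, nor that `raw.tag` is the identifier octet while `raw.p`/`raw.len` cover the contents without the tag/length header (which is what the parser in library/x509.c stores). Suggest `/**< Raw value for type-ids other than HwModuleName: tag is the identifier octet, p/len the contents only. Valid only when type_id is not MBEDTLS_OID_ON_HW_MODULE_NAME. */`. MBEDTLS_X509_NAME_CONST_INCL/EXCL would also benefit from a one-line comment stating they are the context-specific tag numbers of permittedSubtrees and excludedSubtrees.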
@@ -67,6 +67,9 @@ typedef struct mbedtls_x509_crt {
 mbedtls_x509_buf subject_key_id; /**< Optional X.509 v3 extension subject key identifier. */
 mbedtls_x509_authority authority_key_id; /**< Optional X.509 v3 extension authority key identifier. */
+ mbedtls_x509_sequence name_constraints_incl; /**< Optional list of raw entries of Name Constraints extension (currently only dNSName and OtherName are listed). */
+ mbedtls_x509_sequence name_constraints_excl; /**< Optional list of raw entries of Name Constraints extension (currently only dNSName and OtherName are listed). */
+
 mbedtls_x509_sequence certificate_policies; /**< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). */
 int MBEDTLS_PRIVATE(ext_types); /**< Bit string containing detected and parsed extensions */
diff --git a/library/x509.c b/library/x509.c
index 0571687daa14..2a286f439096 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -1190,6 +1190,7 @@ int mbedtls_x509_time_is_future(const mbedtls_x509_time *from)
 *
 * NOTE: we currently only parse and use otherName of type HwModuleName,
 * as defined in RFC 4108.
+ * Other type-ids are kept as raw, undecoded ASN.1 bytes.
 */
 static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name,
 mbedtls_x509_san_other_name *other_name)
@@ -1218,12 +1219,7 @@ static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name,
 cur_oid.p = p;
 cur_oid.len = len;
- /*
- * Only HwModuleName is currently supported.
- */
- if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME, &cur_oid) != 0) {
- return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
- }
+ /* Value context-specific tag */
 other_name->type_id = cur_oid;
 p += len;
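Review bot: The new `name_constraints_incl`/`name_constraints_excl` doc comments describe the lists as raw entries but say nothing about whether they are applied; no hunk in this diff touches the verification path, so unless enforcement exists outside the diff the constraints are decoded and printed only, and a reader of the header will assume a CA's name constraints are honoured. State it explicitly, e.g. `/**< Optional list of raw GeneralName entries from the Name Constraints permittedSubtrees. Parsed for inspection only; not applied during chain verification. */`. The parenthetical "currently only dNSName and OtherName are listed" also looks inaccurate against x509_get_general_subtrees, which stores every context-specific GeneralName, including the types that mbedtls_x509_parse_subject_alt_name reports as MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE.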
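Review bot: The comment `/* Value context-specific tag */` that replaces the HwModuleName-only check sits above `other_name->type_id = cur_oid;` and describes neither that assignment nor the [0] tag parsed further down; it reads as a leftover and should be dropped or replaced with `/* Record the type-id; the value is decoded per type below */`. The header comment touched in the @@ -1190 hunk still opens with "we currently only parse and use otherName of type HwModuleName", which the new raw branch contradicts; reword it to say that HwModuleName (RFC 4108) is decoded into value.hardware_module_name and any other type-id is kept undecoded in value.raw. x509_get_other_name continues past this hunk.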
@@ -1238,38 +1234,64 @@ static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name,
 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
 }
- if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
- MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
- }
+ /*
+ * HwModuleName
+ */
+ if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME, &cur_oid) == 0) {
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
- if (end != p + len) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
- }
+ if (end != p + len) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
- if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
- }
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
- other_name->value.hardware_module_name.oid.tag = MBEDTLS_ASN1_OID;
- other_name->value.hardware_module_name.oid.p = p;
- other_name->value.hardware_module_name.oid.len = len;
+ other_name->value.hardware_module_name.oid.tag = MBEDTLS_ASN1_OID;
+ other_name->value.hardware_module_name.oid.p = p;
+ other_name->value.hardware_module_name.oid.len = len;
- p += len;
- if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
- MBEDTLS_ASN1_OCTET_STRING)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ p += len;
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_OCTET_STRING)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ other_name->value.hardware_module_name.val.tag = MBEDTLS_ASN1_OCTET_STRING;
+ other_name->value.hardware_module_name.val.p = p;
+ other_name->value.hardware_module_name.val.len = len;
+ p += len;
+ if (p != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
 }
+ /* Arbitrary raw value */
+ else {
+ if (p >= end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_OUT_OF_DATA);
+ }
+ other_name->value.raw.tag = *p;
+ p++;
- other_name->value.hardware_module_name.val.tag = MBEDTLS_ASN1_OCTET_STRING;
- other_name->value.hardware_module_name.val.p = p;
- other_name->value.hardware_module_name.val.len = len;
- p += len;
- if (p != end) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ if ((ret = mbedtls_asn1_get_len(&p, end, &len)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+ other_name->value.raw.p = p;
+ other_name->value.raw.len = len;
+ p += len;
+ if (p != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
 }
+
 return 0;
 }
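Review bot: With the FEATURE_UNAVAILABLE return gone, every otherName now parses successfully, and for a non-HwModuleName type only `type_id` and `value.raw` are filled while `value.hardware_module_name` aliases the same union storage; a caller that reads `hardware_module_name` without first comparing `type_id` will read the other member. The function header should state the contract, e.g. `On success, value.hardware_module_name is valid only when type_id is MBEDTLS_OID_ON_HW_MODULE_NAME; for any other type-id only value.raw is valid.` The raw branch also assumes a single identifier octet (`raw.tag = *p; p++;`), so a high-tag-number identifier would have its continuation octet read as a length by mbedtls_asn1_get_len; this matches what mbedtls_asn1_get_tag supports elsewhere, but a one-line comment `/* Single-octet identifier only, as everywhere else in this parser */` would stop the next reader from wondering whether it is an oversight.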
@@ -1640,6 +1662,40 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
 MBEDTLS_X509_SAFE_SNPRINTF;
 }
 }/* MBEDTLS_OID_ON_HW_MODULE_NAME */
+ else if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_BUNDLE_EID,
+ &other_name->type_id) == 0) {
+ int len = 0;
+ const char *str = NULL;
+ if (other_name->value.raw.tag == MBEDTLS_ASN1_IA5_STRING) {
+ len = other_name->value.raw.len;
+ str = (char*)other_name->value.raw.p;
+ }
+
+ ret = mbedtls_snprintf(p, n, "\n%s BundleEID : %.*s", prefix,
+ len, str);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ }/* MBEDTLS_OID_ON_BUNDLE_EID */
+ else {
+ /* Show type OID */
+ ret = mbedtls_snprintf(p, n, "\n%s type-id : ", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ ret = mbedtls_oid_get_numeric_string(p,
+ n,
+ &other_name->type_id);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ ret = mbedtls_snprintf(p, n, "\n%s value : ", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ for (i = 0; i < other_name->value.raw.len; i++) {
+ ret = mbedtls_snprintf(p,
+ n,
+ "%02X",
+ other_name->value.raw.p[i]);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ }
+ }
 }
 break;
 /*
diff --git a/library/x509_crt.c b/library/x509_crt.c
index d72e2fb8add0..101e3c940b97 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
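Review bot: In the BundleEID branch `str` stays NULL when the value is not an IA5String and is then passed to `%.*s`; a null pointer argument for `%s` is undefined behaviour regardless of the zero precision, so initialise it as `const char *str = "";`. The same pattern is added to verify_parse_san in tests/suites/test_suite_x509parse.function. `int len = other_name->value.raw.len;` narrows size_t silently; make it `len = (int) other_name->value.raw.len;`, and consider falling through to the hex dump instead of printing an empty BundleEID when the tag is not IA5String, so a malformed value shows up rather than printing as blank. `(char*)` also differs from the `(type *)` cast spacing used around it.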
@@ -578,6 +578,190 @@ static int x509_get_ext_key_usage(unsigned char **p,
 return 0;
 }
+/*
+ GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
+
+ GeneralSubtree ::= SEQUENCE {
+ base GeneralName,
+ minimum [0] BaseDistance DEFAULT 0,
+ maximum [1] BaseDistance OPTIONAL }
+
+ BaseDistance ::= INTEGER (0..MAX)
+ */
+static int x509_get_general_subtrees( unsigned char **p,
+ const unsigned char *end,
+ mbedtls_x509_sequence *general_names )
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len, tag_len;
+ const unsigned char *item_end;
+ mbedtls_asn1_sequence *cur = general_names;
+
+ while( *p < end )
+ {
+ /* Sequence within the GeneralSubtree */
+ if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
+ item_end = *p + len;
+
+ mbedtls_x509_subject_alternative_name dummy_san_buf;
+ mbedtls_x509_buf tmp_san_buf;
+ memset(&dummy_san_buf, 0, sizeof(dummy_san_buf));
+
+ tmp_san_buf.tag = **p;
+ (*p)++;
+
+ if ((ret = mbedtls_asn1_get_len(p, end, &tag_len)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ tmp_san_buf.p = *p;
+ tmp_san_buf.len = tag_len;
+
+ if ((tmp_san_buf.tag & MBEDTLS_ASN1_TAG_CLASS_MASK) !=
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+ }
+
+ /*
+ * Check that the GeneralName is structured correctly.
+ */
+ ret = mbedtls_x509_parse_subject_alt_name(&tmp_san_buf, &dummy_san_buf);
+ /*
+ * In case the extension is malformed, return an error,
+ * and clear the allocated sequences.
+ */
+ if (ret != 0 && ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) {
+ mbedtls_x509_sequence *seq_cur = general_names->next;
+ mbedtls_x509_sequence *seq_prv;
+ while (seq_cur != NULL) {
+ seq_prv = seq_cur;
+ seq_cur = seq_cur->next;
+ mbedtls_platform_zeroize(seq_prv,
+ sizeof(mbedtls_x509_sequence));
+ mbedtls_free(seq_prv);
+ }
+ general_names->next = NULL;
+ return ret;
+ }
+
+ /* Allocate and assign next pointer */
+ if (cur->buf.p != NULL) {
+ if (cur->next != NULL) {
+ return MBEDTLS_ERR_X509_INVALID_EXTENSIONS;
+ }
+
+ cur->next = mbedtls_calloc(1, sizeof(mbedtls_asn1_sequence));
+
+ if (cur->next == NULL) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_ALLOC_FAILED);
+ }
+
+ cur = cur->next;
+ }
+
+ cur->buf = tmp_san_buf;
+ *p += tmp_san_buf.len;
+
+ // Require that minimum and maximum distance are not present
+ if (*p != item_end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+ }
+ }
+
+ /* Set final sequence entry's next pointer to NULL */
+ cur->next = NULL;
+
+ if( *p != end )
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
+
+ return( 0 );
+}
+
+/*
+ NameConstraints ::= SEQUENCE {
+ permittedSubtrees [0] GeneralSubtrees OPTIONAL,
+ excludedSubtrees [1] GeneralSubtrees OPTIONAL }
+ */
+static int x509_get_name_constraints( unsigned char **p,
+ const unsigned char *end,
+ mbedtls_x509_sequence *include,
+ mbedtls_x509_sequence *exclude )
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+ const unsigned char *end_subtree;
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ if (*p + len != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ if (*p < end) {
+ const unsigned tag = **p;
+ if ((tag & MBEDTLS_ASN1_TAG_CLASS_MASK) !=
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+ }
+
+ /*
+ * permittedSubtrees
+ */
+ if ((tag & MBEDTLS_ASN1_TAG_VALUE_MASK) == MBEDTLS_X509_NAME_CONST_INCL) {
+ (*p)++;
+ if ((ret = mbedtls_asn1_get_len(p, end, &len)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ end_subtree = *p + len;
+ if ((ret = x509_get_general_subtrees(p, end_subtree, include))) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+ }
+ }
+
+ if (*p < end) {
+ const unsigned tag = **p;
+ if ((tag & MBEDTLS_ASN1_TAG_CLASS_MASK) !=
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+ }
+
+ /*
+ * excludedSubtrees
+ */
+ if ((tag & MBEDTLS_ASN1_TAG_VALUE_MASK) == MBEDTLS_X509_NAME_CONST_EXCL) {
+ (*p)++;
+ if ((ret = mbedtls_asn1_get_len(p, end, &len)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ end_subtree = *p + len;
+ if( (ret = x509_get_general_subtrees(p, end_subtree, exclude))) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+ }
+ }
+
+ if( *p != end )
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
+
+ return( 0 );
+}
+
 /*
 * SubjectKeyIdentifier ::= KeyIdentifier
 *
@@ -968,6 +1152,14 @@ static int x509_get_crt_ext(unsigned char **p,
 }
 break;
+ case MBEDTLS_X509_EXT_NAME_CONSTRAINTS:
+ /* Parse name constraints */
+ if ((ret = x509_get_name_constraints( p, end_ext_octet,
+ &crt->name_constraints_incl,
+ &crt->name_constraints_excl)) != 0 )
+ return( ret );
+ break;
+
 case MBEDTLS_X509_EXT_KEY_USAGE:
 /* Parse key usage */
 if ((ret = mbedtls_x509_get_key_usage(p, end_ext_octet,
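Review bot: In x509_get_general_subtrees the GeneralName length is read with `mbedtls_asn1_get_len(p, end, &tag_len)` against the whole subtrees `end` instead of the enclosing `item_end`, so a name whose length runs past its own GeneralSubtree is handed to mbedtls_x509_parse_subject_alt_name before the trailing `*p != item_end` check rejects it; bound it with `if ((ret = mbedtls_asn1_get_len(p, item_end, &tag_len)) != 0) {`. The cleanup loop that frees the partially built list runs only on the parse-failure path, while the get_tag, get_len, tag-class and calloc returns leave the list attached; that is only safe if the caller always runs mbedtls_x509_crt_free on a parse error (the free hunk in this diff suggests it does), so either rely on that everywhere and drop the loop, or clean up on every error return. An empty GeneralSubtrees (a `[0]` with zero length) is accepted although the ASN.1 quoted above it says SIZE (1..MAX); a `general_names->buf.p == NULL` check after the loop would reject it. Both new functions mix `while( *p < end )` / `return( 0 )` spacing with the brace-and-space style of the surrounding file; run the formatter before merging.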
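Review bot: `case MBEDTLS_X509_EXT_NAME_CONSTRAINTS` now parses the extension into the certificate, but no hunk in this diff consults name_constraints_incl/excl during path validation, so a CA whose nameConstraints previously could not be parsed now parses and its chains verify with the constraints ignored. If the default branch of this switch rejects unknown critical extensions (it is outside the hunk, so I cannot confirm), this turns a fail-closed outcome into a silent fail-open one for an extension RFC 5280 requires to be marked critical; either apply the constraints in the verify path in the same change or make the limitation explicit to users here and in the ChangeLog entry, e.g. `/* Decoded for inspection only: not applied by mbedtls_x509_crt_verify. */`. The `x509_get_name_constraints( p, ...` and `return( ret );` spacing also differs from the neighbouring cases.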
@@ -1870,6 +2062,31 @@ int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix,
 }
 }
+ if (crt->ext_types & MBEDTLS_X509_EXT_NAME_CONSTRAINTS) {
+ ret = mbedtls_snprintf(p, n, "\n%sname constraints :", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ if (crt->name_constraints_incl.buf.p) {
+ ret = mbedtls_snprintf(p, n, "\n%s permitted :", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ if ((ret = mbedtls_x509_info_subject_alt_name(&p, &n,
+ &crt->name_constraints_incl,
+ prefix)) != 0) {
+ return ret;
+ }
+ }
+
+ if (crt->name_constraints_excl.buf.p) {
+ ret = mbedtls_snprintf(p, n, "\n%s excluded :", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ if ((ret = mbedtls_x509_info_subject_alt_name(&p, &n,
+ &crt->name_constraints_excl,
+ prefix)) != 0) {
+ return ret;
+ }
+ }
+ }
+
 if (crt->ext_types & MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES) {
 ret = mbedtls_snprintf(p, n, "\n%scertificate policies : ", prefix);
 MBEDTLS_X509_SAFE_SNPRINTF;
@@ -3241,6 +3458,8 @@ void mbedtls_x509_crt_free(mbedtls_x509_crt *crt)
 mbedtls_asn1_free_named_data_list_shallow(cert_cur->subject.next);
 mbedtls_asn1_sequence_free(cert_cur->ext_key_usage.next);
 mbedtls_asn1_sequence_free(cert_cur->subject_alt_names.next);
+ mbedtls_asn1_sequence_free(cert_cur->name_constraints_incl.next);
+ mbedtls_asn1_sequence_free(cert_cur->name_constraints_excl.next);
 mbedtls_asn1_sequence_free(cert_cur->certificate_policies.next);
 mbedtls_asn1_sequence_free(cert_cur->authority_key_id.authorityCertIssuer.next);
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index d962f34b6014..5d7c778d95dc 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -170,6 +170,10 @@ X509 CRT information, ECDSA Certificate unsupported policy
 depends_on:MBEDTLS_PEM_PARSE_C:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256
 x509_cert_info:"../framework/data_files/parse_input/test-ca-unsupported_policy_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-04-28 13\:00\:19\nexpires on \: 2029-04-28 13\:00\:19\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: ???\n"
+X509 CRT information, ECDSA Certificate name constraints with DNSName
+depends_on:MBEDTLS_PEM_PARSE_C:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256
+x509_cert_info:"../framework/data_files/parse_input/test-ca-name_constraints_dns_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2025-01-10 16\:45\:33\nexpires on \: 2035-01-11 16\:45\:33\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\nname constraints \:\n permitted \:\n dNSName \: .example.com\n excluded \:\n dNSName \: .bad.example.com\n"
+
 X509 CRT information, Key Usage + Extended Key Usage
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_256
 x509_cert_info:"../framework/data_files/parse_input/server1.ext_ku.crt":"cert. version \: 3\nserial number \: 21\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2014-04-01 14\:44\:43\nexpires on \: 2024-03-29 14\:44\:43\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\next key usage \: TLS Web Server Authentication\n"
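Review bot: Only a well-formed permitted/excluded dNSName certificate is added; none of the rejection paths introduced in x509_get_general_subtrees and x509_get_name_constraints (minimum/maximum present, non-context-specific GeneralName tag, trailing data after excludedSubtrees, a name length overrunning its GeneralSubtree) gets a negative case, so a regression there would pass this suite. A malformed-input case built from a hand-edited DER and asserting MBEDTLS_ERR_X509_INVALID_EXTENSIONS would pin each of them. A certificate whose subtrees use an entry type other than dNSName would also document what the info output prints for those entries.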
@@ -198,6 +202,10 @@ X509 SAN parsing otherName
 depends_on:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
 x509_parse_san:"../framework/data_files/parse_input/server5-othername.crt.der":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\n":0
+X509 SAN parsing BP EID otherName
+depends_on:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+x509_parse_san:"../framework/data_files/parse_input/server5-bp_eid.crt.der":"type \: 0\notherName \: BundleEID \: ipn\:977000.100.0\n":0
+
 X509 SAN parsing binary otherName
 depends_on:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
 x509_parse_san:"../framework/data_files/parse_input/server5-nonprintable_othername.crt.der":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 3132338081008180333231\n":0
@@ -228,7 +236,7 @@ x509_parse_san:"../framework/data_files/parse_input/server4.crt":"":0
 X509 SAN parsing, unsupported otherName name
 depends_on:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-x509_parse_san:"../framework/data_files/parse_input/server5-unsupported_othername.crt.der":"":0
+x509_parse_san:"../framework/data_files/parse_input/server5-unsupported_othername.crt.der":"type \: 0\notherName \: raw \: type-id \: 1.2.3.4 value \: 736F6D65206F74686572206964656E746966696572\n":0
 X509 SAN parsing rfc822Name
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_256
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index fae36571b1c4..7ba710463400 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -270,8 +270,42 @@ static int verify_parse_san(mbedtls_x509_subject_alternative_name *san,
 san->san.other_name.value.hardware_module_name.val.p[i]);
 MBEDTLS_X509_SAFE_SNPRINTF;
 }
+}/* MBEDTLS_OID_ON_HW_MODULE_NAME */
+ else if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_BUNDLE_EID,
+ &san->san.other_name.type_id) == 0) {
+ int len = 0;
+ const char *str = NULL;
+ if (san->san.other_name.value.raw.tag == MBEDTLS_ASN1_IA5_STRING) {
+ len = san->san.other_name.value.raw.len;
+ str = (char*)san->san.other_name.value.raw.p;
+ }
+
+ ret = mbedtls_snprintf(p, n, " BundleEID : %.*s", len, str);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ }/* MBEDTLS_OID_ON_BUNDLE_EID */
+ else {
+ ret = mbedtls_snprintf(p, n, " raw :");
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ ret = mbedtls_snprintf(p, n, " type-id : ");
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ ret = mbedtls_oid_get_numeric_string(p,
+ n,
+ &san->san.other_name.type_id);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ ret = mbedtls_snprintf(p, n, " value : ");
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ for (i = 0; i < san->san.other_name.value.raw.len; i++) {
+ ret = mbedtls_snprintf(p,
+ n,
+ "%02X",
+ san->san.other_name.value.raw.p[i]);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ }
 }
- break;/* MBEDTLS_OID_ON_HW_MODULE_NAME */
+ break;/* MBEDTLS_X509_SAN_OTHER_NAME */
 case (MBEDTLS_X509_SAN_DNS_NAME):
 ret = mbedtls_snprintf(p, n, "\ndNSName : ");
 MBEDTLS_X509_SAFE_SNPRINTF;
diff --git a/tf-psa-crypto b/tf-psa-crypto
index 1bc29c97c99a..88b3ab0b3c54 160000
--- a/tf-psa-crypto
+++ b/tf-psa-crypto
@@ -1 +1 @@
-Subproject commit 1bc29c97c99ad40aa9f17b5a873b391454c9c068
+Subproject commit 88b3ab0b3c54d13f6e4f0616909f5106a7222eba