Merge pull request #6922 from mprse/csr_v3
Parsing v3 extensions from a CSR - v.2
This commit is contained in:
commit
0cfb08ddf1
34 changed files with 996 additions and 574 deletions
3
ChangeLog.d/csr_v3_extensions.txt
Normal file
3
ChangeLog.d/csr_v3_extensions.txt
Normal file
|
@ -0,0 +1,3 @@
|
|||
Features
|
||||
* Add parsing of V3 extensions (key usage, Netscape cert-type,
|
||||
Subject Alternative Names) in x509 Certificate Sign Requests.
|
|
@ -148,7 +148,7 @@
|
|||
|
||||
/*
|
||||
* X.509 v3 Key Usage Extension flags
|
||||
* Reminder: update x509_info_key_usage() when adding new flags.
|
||||
* Reminder: update mbedtls_x509_info_key_usage() when adding new flags.
|
||||
*/
|
||||
#define MBEDTLS_X509_KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */
|
||||
#define MBEDTLS_X509_KU_NON_REPUDIATION (0x40) /* bit 1 */
|
||||
|
@ -250,6 +250,56 @@ typedef struct mbedtls_x509_time {
|
|||
}
|
||||
mbedtls_x509_time;
|
||||
|
||||
/**
|
||||
* From RFC 5280 section 4.2.1.6:
|
||||
* OtherName ::= SEQUENCE {
|
||||
* type-id OBJECT IDENTIFIER,
|
||||
* value [0] EXPLICIT ANY DEFINED BY type-id }
|
||||
*
|
||||
* Future versions of the library may add new fields to this structure or
|
||||
* to its embedded union and structure.
|
||||
*/
|
||||
typedef struct mbedtls_x509_san_other_name {
|
||||
/**
|
||||
* The type_id is an OID as defined in RFC 5280.
|
||||
* To check the value of the type id, you should use
|
||||
* \p MBEDTLS_OID_CMP with a known OID mbedtls_x509_buf.
|
||||
*/
|
||||
mbedtls_x509_buf type_id; /**< The type id. */
|
||||
union {
|
||||
/**
|
||||
* From RFC 4108 section 5:
|
||||
* HardwareModuleName ::= SEQUENCE {
|
||||
* hwType OBJECT IDENTIFIER,
|
||||
* hwSerialNum OCTET STRING }
|
||||
*/
|
||||
struct {
|
||||
mbedtls_x509_buf oid; /**< The object identifier. */
|
||||
mbedtls_x509_buf val; /**< The named value. */
|
||||
}
|
||||
hardware_module_name;
|
||||
}
|
||||
value;
|
||||
}
|
||||
mbedtls_x509_san_other_name;
|
||||
|
||||
/**
|
||||
* A structure for holding the parsed Subject Alternative Name,
|
||||
* according to type.
|
||||
*
|
||||
* Future versions of the library may add new fields to this structure or
|
||||
* to its embedded union and structure.
|
||||
*/
|
||||
typedef struct mbedtls_x509_subject_alternative_name {
|
||||
int type; /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
|
||||
union {
|
||||
mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */
|
||||
mbedtls_x509_buf unstructured_name; /**< The buffer for the un constructed types. Only dnsName currently supported */
|
||||
}
|
||||
san; /**< A union of the supported SAN types */
|
||||
}
|
||||
mbedtls_x509_subject_alternative_name;
|
||||
|
||||
/** \} name Structures for parsing X.509 certificates, CRLs and CSRs */
|
||||
|
||||
/**
|
||||
|
@ -326,6 +376,36 @@ int mbedtls_x509_time_is_past(const mbedtls_x509_time *to);
|
|||
*/
|
||||
int mbedtls_x509_time_is_future(const mbedtls_x509_time *from);
|
||||
|
||||
/**
|
||||
* \brief This function parses an item in the SubjectAlternativeNames
|
||||
* extension.
|
||||
*
|
||||
* \param san_buf The buffer holding the raw data item of the subject
|
||||
* alternative name.
|
||||
* \param san The target structure to populate with the parsed presentation
|
||||
* of the subject alternative name encoded in \p san_raw.
|
||||
*
|
||||
* \note Only "dnsName" and "otherName" of type hardware_module_name
|
||||
* as defined in RFC 4180 is supported.
|
||||
*
|
||||
* \note This function should be called on a single raw data of
|
||||
* subject alternative name. For example, after successful
|
||||
* certificate parsing, one must iterate on every item in the
|
||||
* \p crt->subject_alt_names sequence, and pass it to
|
||||
* this function.
|
||||
*
|
||||
* \warning The target structure contains pointers to the raw data of the
|
||||
* parsed certificate, and its lifetime is restricted by the
|
||||
* lifetime of the certificate.
|
||||
*
|
||||
* \return \c 0 on success
|
||||
* \return #MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE for an unsupported
|
||||
* SAN type.
|
||||
* \return Another negative value for any other failure.
|
||||
*/
|
||||
int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
|
||||
mbedtls_x509_subject_alternative_name *san);
|
||||
|
||||
/** \} addtogroup x509_module */
|
||||
|
||||
/*
|
||||
|
@ -370,6 +450,23 @@ int mbedtls_x509_write_names(unsigned char **p, unsigned char *start,
|
|||
int mbedtls_x509_write_sig(unsigned char **p, unsigned char *start,
|
||||
const char *oid, size_t oid_len,
|
||||
unsigned char *sig, size_t size);
|
||||
int mbedtls_x509_get_ns_cert_type(unsigned char **p,
|
||||
const unsigned char *end,
|
||||
unsigned char *ns_cert_type);
|
||||
int mbedtls_x509_get_key_usage(unsigned char **p,
|
||||
const unsigned char *end,
|
||||
unsigned int *key_usage);
|
||||
int mbedtls_x509_get_subject_alt_name(unsigned char **p,
|
||||
const unsigned char *end,
|
||||
mbedtls_x509_sequence *subject_alt_name);
|
||||
int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
|
||||
const mbedtls_x509_sequence
|
||||
*subject_alt_name,
|
||||
const char *prefix);
|
||||
int mbedtls_x509_info_cert_type(char **buf, size_t *size,
|
||||
unsigned char ns_cert_type);
|
||||
int mbedtls_x509_info_key_usage(char **buf, size_t *size,
|
||||
unsigned int key_usage);
|
||||
|
||||
#define MBEDTLS_X509_SAFE_SNPRINTF \
|
||||
do { \
|
||||
|
|
|
@ -102,56 +102,6 @@ typedef struct mbedtls_x509_crt {
|
|||
}
|
||||
mbedtls_x509_crt;
|
||||
|
||||
/**
|
||||
* From RFC 5280 section 4.2.1.6:
|
||||
* OtherName ::= SEQUENCE {
|
||||
* type-id OBJECT IDENTIFIER,
|
||||
* value [0] EXPLICIT ANY DEFINED BY type-id }
|
||||
*
|
||||
* Future versions of the library may add new fields to this structure or
|
||||
* to its embedded union and structure.
|
||||
*/
|
||||
typedef struct mbedtls_x509_san_other_name {
|
||||
/**
|
||||
* The type_id is an OID as defined in RFC 5280.
|
||||
* To check the value of the type id, you should use
|
||||
* \p MBEDTLS_OID_CMP with a known OID mbedtls_x509_buf.
|
||||
*/
|
||||
mbedtls_x509_buf type_id; /**< The type id. */
|
||||
union {
|
||||
/**
|
||||
* From RFC 4108 section 5:
|
||||
* HardwareModuleName ::= SEQUENCE {
|
||||
* hwType OBJECT IDENTIFIER,
|
||||
* hwSerialNum OCTET STRING }
|
||||
*/
|
||||
struct {
|
||||
mbedtls_x509_buf oid; /**< The object identifier. */
|
||||
mbedtls_x509_buf val; /**< The named value. */
|
||||
}
|
||||
hardware_module_name;
|
||||
}
|
||||
value;
|
||||
}
|
||||
mbedtls_x509_san_other_name;
|
||||
|
||||
/**
|
||||
* A structure for holding the parsed Subject Alternative Name,
|
||||
* according to type.
|
||||
*
|
||||
* Future versions of the library may add new fields to this structure or
|
||||
* to its embedded union and structure.
|
||||
*/
|
||||
typedef struct mbedtls_x509_subject_alternative_name {
|
||||
int type; /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
|
||||
union {
|
||||
mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */
|
||||
mbedtls_x509_buf unstructured_name; /**< The buffer for the un constructed types. Only dnsName currently supported */
|
||||
}
|
||||
san; /**< A union of the supported SAN types */
|
||||
}
|
||||
mbedtls_x509_subject_alternative_name;
|
||||
|
||||
/**
|
||||
* Build flag from an algorithm/curve identifier (pk, md, ecp)
|
||||
* Since 0 is always XXX_NONE, ignore it.
|
||||
|
@ -590,36 +540,6 @@ int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path);
|
|||
int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path);
|
||||
|
||||
#endif /* MBEDTLS_FS_IO */
|
||||
/**
|
||||
* \brief This function parses an item in the SubjectAlternativeNames
|
||||
* extension.
|
||||
*
|
||||
* \param san_buf The buffer holding the raw data item of the subject
|
||||
* alternative name.
|
||||
* \param san The target structure to populate with the parsed presentation
|
||||
* of the subject alternative name encoded in \p san_raw.
|
||||
*
|
||||
* \note Only "dnsName" and "otherName" of type hardware_module_name
|
||||
* as defined in RFC 4180 is supported.
|
||||
*
|
||||
* \note This function should be called on a single raw data of
|
||||
* subject alternative name. For example, after successful
|
||||
* certificate parsing, one must iterate on every item in the
|
||||
* \p crt->subject_alt_names sequence, and pass it to
|
||||
* this function.
|
||||
*
|
||||
* \warning The target structure contains pointers to the raw data of the
|
||||
* parsed certificate, and its lifetime is restricted by the
|
||||
* lifetime of the certificate.
|
||||
*
|
||||
* \return \c 0 on success
|
||||
* \return #MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE for an unsupported
|
||||
* SAN type.
|
||||
* \return Another negative value for any other failure.
|
||||
*/
|
||||
int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
|
||||
mbedtls_x509_subject_alternative_name *san);
|
||||
|
||||
#if !defined(MBEDTLS_X509_REMOVE_INFO)
|
||||
/**
|
||||
* \brief Returns an informational string about the
|
||||
|
|
|
@ -58,6 +58,12 @@ typedef struct mbedtls_x509_csr {
|
|||
|
||||
mbedtls_pk_context pk; /**< Container for the public key context. */
|
||||
|
||||
unsigned int key_usage; /**< Optional key usage extension value: See the values in x509.h */
|
||||
unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values in x509.h */
|
||||
mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). */
|
||||
|
||||
int MBEDTLS_PRIVATE(ext_types); /**< Bit string containing detected and parsed extensions */
|
||||
|
||||
mbedtls_x509_buf sig_oid;
|
||||
mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
|
||||
mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
|
||||
|
|
485
library/x509.c
485
library/x509.c
|
@ -1107,4 +1107,489 @@ int mbedtls_x509_time_is_future(const mbedtls_x509_time *from)
|
|||
return 0;
|
||||
}
|
||||
#endif /* MBEDTLS_HAVE_TIME_DATE */
|
||||
|
||||
/* Common functions for parsing CRT and CSR. */
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) || defined(MBEDTLS_X509_CSR_PARSE_C)
|
||||
/*
|
||||
* OtherName ::= SEQUENCE {
|
||||
* type-id OBJECT IDENTIFIER,
|
||||
* value [0] EXPLICIT ANY DEFINED BY type-id }
|
||||
*
|
||||
* HardwareModuleName ::= SEQUENCE {
|
||||
* hwType OBJECT IDENTIFIER,
|
||||
* hwSerialNum OCTET STRING }
|
||||
*
|
||||
* NOTE: we currently only parse and use otherName of type HwModuleName,
|
||||
* as defined in RFC 4108.
|
||||
*/
|
||||
static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name,
|
||||
mbedtls_x509_san_other_name *other_name)
|
||||
{
|
||||
int ret = 0;
|
||||
size_t len;
|
||||
unsigned char *p = subject_alt_name->p;
|
||||
const unsigned char *end = p + subject_alt_name->len;
|
||||
mbedtls_x509_buf cur_oid;
|
||||
|
||||
if ((subject_alt_name->tag &
|
||||
(MBEDTLS_ASN1_TAG_CLASS_MASK | MBEDTLS_ASN1_TAG_VALUE_MASK)) !=
|
||||
(MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_OTHER_NAME)) {
|
||||
/*
|
||||
* The given subject alternative name is not of type "othername".
|
||||
*/
|
||||
return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
|
||||
}
|
||||
|
||||
if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
|
||||
MBEDTLS_ASN1_OID)) != 0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
||||
}
|
||||
|
||||
cur_oid.tag = MBEDTLS_ASN1_OID;
|
||||
cur_oid.p = p;
|
||||
cur_oid.len = len;
|
||||
|
||||
/*
|
||||
* Only HwModuleName is currently supported.
|
||||
*/
|
||||
if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME, &cur_oid) != 0) {
|
||||
return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
|
||||
}
|
||||
|
||||
if (p + len >= end) {
|
||||
mbedtls_platform_zeroize(other_name, sizeof(*other_name));
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
|
||||
}
|
||||
p += len;
|
||||
if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
|
||||
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC)) !=
|
||||
0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
||||
}
|
||||
|
||||
if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
|
||||
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
||||
}
|
||||
|
||||
if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID)) != 0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
||||
}
|
||||
|
||||
other_name->value.hardware_module_name.oid.tag = MBEDTLS_ASN1_OID;
|
||||
other_name->value.hardware_module_name.oid.p = p;
|
||||
other_name->value.hardware_module_name.oid.len = len;
|
||||
|
||||
if (p + len >= end) {
|
||||
mbedtls_platform_zeroize(other_name, sizeof(*other_name));
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
|
||||
}
|
||||
p += len;
|
||||
if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
|
||||
MBEDTLS_ASN1_OCTET_STRING)) != 0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
||||
}
|
||||
|
||||
other_name->value.hardware_module_name.val.tag = MBEDTLS_ASN1_OCTET_STRING;
|
||||
other_name->value.hardware_module_name.val.p = p;
|
||||
other_name->value.hardware_module_name.val.len = len;
|
||||
p += len;
|
||||
if (p != end) {
|
||||
mbedtls_platform_zeroize(other_name,
|
||||
sizeof(*other_name));
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* SubjectAltName ::= GeneralNames
|
||||
*
|
||||
* GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
|
||||
*
|
||||
* GeneralName ::= CHOICE {
|
||||
* otherName [0] OtherName,
|
||||
* rfc822Name [1] IA5String,
|
||||
* dNSName [2] IA5String,
|
||||
* x400Address [3] ORAddress,
|
||||
* directoryName [4] Name,
|
||||
* ediPartyName [5] EDIPartyName,
|
||||
* uniformResourceIdentifier [6] IA5String,
|
||||
* iPAddress [7] OCTET STRING,
|
||||
* registeredID [8] OBJECT IDENTIFIER }
|
||||
*
|
||||
* OtherName ::= SEQUENCE {
|
||||
* type-id OBJECT IDENTIFIER,
|
||||
* value [0] EXPLICIT ANY DEFINED BY type-id }
|
||||
*
|
||||
* EDIPartyName ::= SEQUENCE {
|
||||
* nameAssigner [0] DirectoryString OPTIONAL,
|
||||
* partyName [1] DirectoryString }
|
||||
*
|
||||
* NOTE: we list all types, but only use dNSName and otherName
|
||||
* of type HwModuleName, as defined in RFC 4108, at this point.
|
||||
*/
|
||||
int mbedtls_x509_get_subject_alt_name(unsigned char **p,
|
||||
const unsigned char *end,
|
||||
mbedtls_x509_sequence *subject_alt_name)
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
size_t len, tag_len;
|
||||
mbedtls_asn1_buf *buf;
|
||||
unsigned char tag;
|
||||
mbedtls_asn1_sequence *cur = subject_alt_name;
|
||||
|
||||
/* Get main sequence tag */
|
||||
if ((ret = mbedtls_asn1_get_tag(p, end, &len,
|
||||
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
||||
}
|
||||
|
||||
if (*p + len != end) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
|
||||
}
|
||||
|
||||
while (*p < end) {
|
||||
mbedtls_x509_subject_alternative_name dummy_san_buf;
|
||||
memset(&dummy_san_buf, 0, sizeof(dummy_san_buf));
|
||||
|
||||
tag = **p;
|
||||
(*p)++;
|
||||
if ((ret = mbedtls_asn1_get_len(p, end, &tag_len)) != 0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
||||
}
|
||||
|
||||
if ((tag & MBEDTLS_ASN1_TAG_CLASS_MASK) !=
|
||||
MBEDTLS_ASN1_CONTEXT_SPECIFIC) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
|
||||
MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
|
||||
}
|
||||
|
||||
/*
|
||||
* Check that the SAN is structured correctly.
|
||||
*/
|
||||
ret = mbedtls_x509_parse_subject_alt_name(&(cur->buf), &dummy_san_buf);
|
||||
/*
|
||||
* In case the extension is malformed, return an error,
|
||||
* and clear the allocated sequences.
|
||||
*/
|
||||
if (ret != 0 && ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) {
|
||||
mbedtls_asn1_sequence_free(subject_alt_name->next);
|
||||
subject_alt_name->next = NULL;
|
||||
return ret;
|
||||
}
|
||||
|
||||
/* Allocate and assign next pointer */
|
||||
if (cur->buf.p != NULL) {
|
||||
if (cur->next != NULL) {
|
||||
return MBEDTLS_ERR_X509_INVALID_EXTENSIONS;
|
||||
}
|
||||
|
||||
cur->next = mbedtls_calloc(1, sizeof(mbedtls_asn1_sequence));
|
||||
|
||||
if (cur->next == NULL) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
|
||||
MBEDTLS_ERR_ASN1_ALLOC_FAILED);
|
||||
}
|
||||
|
||||
cur = cur->next;
|
||||
}
|
||||
|
||||
buf = &(cur->buf);
|
||||
buf->tag = tag;
|
||||
buf->p = *p;
|
||||
buf->len = tag_len;
|
||||
*p += buf->len;
|
||||
}
|
||||
|
||||
/* Set final sequence entry's next pointer to NULL */
|
||||
cur->next = NULL;
|
||||
|
||||
if (*p != end) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int mbedtls_x509_get_ns_cert_type(unsigned char **p,
|
||||
const unsigned char *end,
|
||||
unsigned char *ns_cert_type)
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
mbedtls_x509_bitstring bs = { 0, 0, NULL };
|
||||
|
||||
if ((ret = mbedtls_asn1_get_bitstring(p, end, &bs)) != 0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
||||
}
|
||||
|
||||
/* A bitstring with no flags set is still technically valid, as it will mean
|
||||
that the certificate has no designated purpose at the time of creation. */
|
||||
if (bs.len == 0) {
|
||||
*ns_cert_type = 0;
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (bs.len != 1) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
|
||||
MBEDTLS_ERR_ASN1_INVALID_LENGTH);
|
||||
}
|
||||
|
||||
/* Get actual bitstring */
|
||||
*ns_cert_type = *bs.p;
|
||||
return 0;
|
||||
}
|
||||
|
||||
int mbedtls_x509_get_key_usage(unsigned char **p,
|
||||
const unsigned char *end,
|
||||
unsigned int *key_usage)
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
size_t i;
|
||||
mbedtls_x509_bitstring bs = { 0, 0, NULL };
|
||||
|
||||
if ((ret = mbedtls_asn1_get_bitstring(p, end, &bs)) != 0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
||||
}
|
||||
|
||||
/* A bitstring with no flags set is still technically valid, as it will mean
|
||||
that the certificate has no designated purpose at the time of creation. */
|
||||
if (bs.len == 0) {
|
||||
*key_usage = 0;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Get actual bitstring */
|
||||
*key_usage = 0;
|
||||
for (i = 0; i < bs.len && i < sizeof(unsigned int); i++) {
|
||||
*key_usage |= (unsigned int) bs.p[i] << (8*i);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
|
||||
mbedtls_x509_subject_alternative_name *san)
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
switch (san_buf->tag &
|
||||
(MBEDTLS_ASN1_TAG_CLASS_MASK |
|
||||
MBEDTLS_ASN1_TAG_VALUE_MASK)) {
|
||||
/*
|
||||
* otherName
|
||||
*/
|
||||
case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_OTHER_NAME):
|
||||
{
|
||||
mbedtls_x509_san_other_name other_name;
|
||||
|
||||
ret = x509_get_other_name(san_buf, &other_name);
|
||||
if (ret != 0) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name));
|
||||
san->type = MBEDTLS_X509_SAN_OTHER_NAME;
|
||||
memcpy(&san->san.other_name,
|
||||
&other_name, sizeof(other_name));
|
||||
|
||||
}
|
||||
break;
|
||||
|
||||
/*
|
||||
* dNSName
|
||||
*/
|
||||
case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_DNS_NAME):
|
||||
{
|
||||
memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name));
|
||||
san->type = MBEDTLS_X509_SAN_DNS_NAME;
|
||||
|
||||
memcpy(&san->san.unstructured_name,
|
||||
san_buf, sizeof(*san_buf));
|
||||
|
||||
}
|
||||
break;
|
||||
|
||||
/*
|
||||
* Type not supported
|
||||
*/
|
||||
default:
|
||||
return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
#if !defined(MBEDTLS_X509_REMOVE_INFO)
|
||||
int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
|
||||
const mbedtls_x509_sequence
|
||||
*subject_alt_name,
|
||||
const char *prefix)
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
size_t i;
|
||||
size_t n = *size;
|
||||
char *p = *buf;
|
||||
const mbedtls_x509_sequence *cur = subject_alt_name;
|
||||
mbedtls_x509_subject_alternative_name san;
|
||||
int parse_ret;
|
||||
|
||||
while (cur != NULL) {
|
||||
memset(&san, 0, sizeof(san));
|
||||
parse_ret = mbedtls_x509_parse_subject_alt_name(&cur->buf, &san);
|
||||
if (parse_ret != 0) {
|
||||
if (parse_ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) {
|
||||
ret = mbedtls_snprintf(p, n, "\n%s <unsupported>", prefix);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
} else {
|
||||
ret = mbedtls_snprintf(p, n, "\n%s <malformed>", prefix);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
}
|
||||
cur = cur->next;
|
||||
continue;
|
||||
}
|
||||
|
||||
switch (san.type) {
|
||||
/*
|
||||
* otherName
|
||||
*/
|
||||
case MBEDTLS_X509_SAN_OTHER_NAME:
|
||||
{
|
||||
mbedtls_x509_san_other_name *other_name = &san.san.other_name;
|
||||
|
||||
ret = mbedtls_snprintf(p, n, "\n%s otherName :", prefix);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME,
|
||||
&other_name->value.hardware_module_name.oid) != 0) {
|
||||
ret = mbedtls_snprintf(p, n, "\n%s hardware module name :", prefix);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
ret =
|
||||
mbedtls_snprintf(p, n, "\n%s hardware type : ", prefix);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
ret = mbedtls_oid_get_numeric_string(p,
|
||||
n,
|
||||
&other_name->value.hardware_module_name.oid);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
ret =
|
||||
mbedtls_snprintf(p, n, "\n%s hardware serial number : ", prefix);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
for (i = 0; i < other_name->value.hardware_module_name.val.len; i++) {
|
||||
ret = mbedtls_snprintf(p,
|
||||
n,
|
||||
"%02X",
|
||||
other_name->value.hardware_module_name.val.p[i]);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
}
|
||||
}/* MBEDTLS_OID_ON_HW_MODULE_NAME */
|
||||
}
|
||||
break;
|
||||
|
||||
/*
|
||||
* dNSName
|
||||
*/
|
||||
case MBEDTLS_X509_SAN_DNS_NAME:
|
||||
{
|
||||
ret = mbedtls_snprintf(p, n, "\n%s dNSName : ", prefix);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
if (san.san.unstructured_name.len >= n) {
|
||||
*p = '\0';
|
||||
return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
|
||||
}
|
||||
|
||||
memcpy(p, san.san.unstructured_name.p, san.san.unstructured_name.len);
|
||||
p += san.san.unstructured_name.len;
|
||||
n -= san.san.unstructured_name.len;
|
||||
}
|
||||
break;
|
||||
|
||||
/*
|
||||
* Type not supported, skip item.
|
||||
*/
|
||||
default:
|
||||
ret = mbedtls_snprintf(p, n, "\n%s <unsupported>", prefix);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
break;
|
||||
}
|
||||
|
||||
cur = cur->next;
|
||||
}
|
||||
|
||||
*p = '\0';
|
||||
|
||||
*size = n;
|
||||
*buf = p;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
#define PRINT_ITEM(i) \
|
||||
{ \
|
||||
ret = mbedtls_snprintf(p, n, "%s" i, sep); \
|
||||
MBEDTLS_X509_SAFE_SNPRINTF; \
|
||||
sep = ", "; \
|
||||
}
|
||||
|
||||
#define CERT_TYPE(type, name) \
|
||||
if (ns_cert_type & (type)) \
|
||||
PRINT_ITEM(name);
|
||||
|
||||
int mbedtls_x509_info_cert_type(char **buf, size_t *size,
|
||||
unsigned char ns_cert_type)
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
size_t n = *size;
|
||||
char *p = *buf;
|
||||
const char *sep = "";
|
||||
|
||||
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT, "SSL Client");
|
||||
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER, "SSL Server");
|
||||
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_EMAIL, "Email");
|
||||
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING, "Object Signing");
|
||||
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_RESERVED, "Reserved");
|
||||
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_CA, "SSL CA");
|
||||
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA, "Email CA");
|
||||
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA, "Object Signing CA");
|
||||
|
||||
*size = n;
|
||||
*buf = p;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
#define KEY_USAGE(code, name) \
|
||||
if (key_usage & (code)) \
|
||||
PRINT_ITEM(name);
|
||||
|
||||
int mbedtls_x509_info_key_usage(char **buf, size_t *size,
|
||||
unsigned int key_usage)
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
size_t n = *size;
|
||||
char *p = *buf;
|
||||
const char *sep = "";
|
||||
|
||||
KEY_USAGE(MBEDTLS_X509_KU_DIGITAL_SIGNATURE, "Digital Signature");
|
||||
KEY_USAGE(MBEDTLS_X509_KU_NON_REPUDIATION, "Non Repudiation");
|
||||
KEY_USAGE(MBEDTLS_X509_KU_KEY_ENCIPHERMENT, "Key Encipherment");
|
||||
KEY_USAGE(MBEDTLS_X509_KU_DATA_ENCIPHERMENT, "Data Encipherment");
|
||||
KEY_USAGE(MBEDTLS_X509_KU_KEY_AGREEMENT, "Key Agreement");
|
||||
KEY_USAGE(MBEDTLS_X509_KU_KEY_CERT_SIGN, "Key Cert Sign");
|
||||
KEY_USAGE(MBEDTLS_X509_KU_CRL_SIGN, "CRL Sign");
|
||||
KEY_USAGE(MBEDTLS_X509_KU_ENCIPHER_ONLY, "Encipher Only");
|
||||
KEY_USAGE(MBEDTLS_X509_KU_DECIPHER_ONLY, "Decipher Only");
|
||||
|
||||
*size = n;
|
||||
*buf = p;
|
||||
|
||||
return 0;
|
||||
}
|
||||
#endif /* MBEDTLS_X509_REMOVE_INFO */
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C || MBEDTLS_X509_CSR_PARSE_C */
|
||||
#endif /* MBEDTLS_X509_USE_C */
|
||||
|
|
|
@ -562,53 +562,6 @@ static int x509_get_basic_constraints(unsigned char **p,
|
|||
return 0;
|
||||
}
|
||||
|
||||
static int x509_get_ns_cert_type(unsigned char **p,
|
||||
const unsigned char *end,
|
||||
unsigned char *ns_cert_type)
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
mbedtls_x509_bitstring bs = { 0, 0, NULL };
|
||||
|
||||
if ((ret = mbedtls_asn1_get_bitstring(p, end, &bs)) != 0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
||||
}
|
||||
|
||||
if (bs.len != 1) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
|
||||
MBEDTLS_ERR_ASN1_INVALID_LENGTH);
|
||||
}
|
||||
|
||||
/* Get actual bitstring */
|
||||
*ns_cert_type = *bs.p;
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int x509_get_key_usage(unsigned char **p,
|
||||
const unsigned char *end,
|
||||
unsigned int *key_usage)
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
size_t i;
|
||||
mbedtls_x509_bitstring bs = { 0, 0, NULL };
|
||||
|
||||
if ((ret = mbedtls_asn1_get_bitstring(p, end, &bs)) != 0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
||||
}
|
||||
|
||||
if (bs.len < 1) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
|
||||
MBEDTLS_ERR_ASN1_INVALID_LENGTH);
|
||||
}
|
||||
|
||||
/* Get actual bitstring */
|
||||
*key_usage = 0;
|
||||
for (i = 0; i < bs.len && i < sizeof(unsigned int); i++) {
|
||||
*key_usage |= (unsigned int) bs.p[i] << (8*i);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
|
||||
*
|
||||
|
@ -633,118 +586,6 @@ static int x509_get_ext_key_usage(unsigned char **p,
|
|||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* SubjectAltName ::= GeneralNames
|
||||
*
|
||||
* GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
|
||||
*
|
||||
* GeneralName ::= CHOICE {
|
||||
* otherName [0] OtherName,
|
||||
* rfc822Name [1] IA5String,
|
||||
* dNSName [2] IA5String,
|
||||
* x400Address [3] ORAddress,
|
||||
* directoryName [4] Name,
|
||||
* ediPartyName [5] EDIPartyName,
|
||||
* uniformResourceIdentifier [6] IA5String,
|
||||
* iPAddress [7] OCTET STRING,
|
||||
* registeredID [8] OBJECT IDENTIFIER }
|
||||
*
|
||||
* OtherName ::= SEQUENCE {
|
||||
* type-id OBJECT IDENTIFIER,
|
||||
* value [0] EXPLICIT ANY DEFINED BY type-id }
|
||||
*
|
||||
* EDIPartyName ::= SEQUENCE {
|
||||
* nameAssigner [0] DirectoryString OPTIONAL,
|
||||
* partyName [1] DirectoryString }
|
||||
*
|
||||
* NOTE: we list all types, but only use dNSName and otherName
|
||||
* of type HwModuleName, as defined in RFC 4108, at this point.
|
||||
*/
|
||||
static int x509_get_subject_alt_name(unsigned char **p,
|
||||
const unsigned char *end,
|
||||
mbedtls_x509_sequence *subject_alt_name)
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
size_t len, tag_len;
|
||||
mbedtls_asn1_buf *buf;
|
||||
unsigned char tag;
|
||||
mbedtls_asn1_sequence *cur = subject_alt_name;
|
||||
|
||||
/* Get main sequence tag */
|
||||
if ((ret = mbedtls_asn1_get_tag(p, end, &len,
|
||||
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
||||
}
|
||||
|
||||
if (*p + len != end) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
|
||||
}
|
||||
|
||||
while (*p < end) {
|
||||
mbedtls_x509_subject_alternative_name dummy_san_buf;
|
||||
memset(&dummy_san_buf, 0, sizeof(dummy_san_buf));
|
||||
|
||||
tag = **p;
|
||||
(*p)++;
|
||||
if ((ret = mbedtls_asn1_get_len(p, end, &tag_len)) != 0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
||||
}
|
||||
|
||||
if ((tag & MBEDTLS_ASN1_TAG_CLASS_MASK) !=
|
||||
MBEDTLS_ASN1_CONTEXT_SPECIFIC) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
|
||||
MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
|
||||
}
|
||||
|
||||
/*
|
||||
* Check that the SAN is structured correctly.
|
||||
*/
|
||||
ret = mbedtls_x509_parse_subject_alt_name(&(cur->buf), &dummy_san_buf);
|
||||
/*
|
||||
* In case the extension is malformed, return an error,
|
||||
* and clear the allocated sequences.
|
||||
*/
|
||||
if (ret != 0 && ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) {
|
||||
mbedtls_asn1_sequence_free(subject_alt_name->next);
|
||||
subject_alt_name->next = NULL;
|
||||
return ret;
|
||||
}
|
||||
|
||||
/* Allocate and assign next pointer */
|
||||
if (cur->buf.p != NULL) {
|
||||
if (cur->next != NULL) {
|
||||
return MBEDTLS_ERR_X509_INVALID_EXTENSIONS;
|
||||
}
|
||||
|
||||
cur->next = mbedtls_calloc(1, sizeof(mbedtls_asn1_sequence));
|
||||
|
||||
if (cur->next == NULL) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
|
||||
MBEDTLS_ERR_ASN1_ALLOC_FAILED);
|
||||
}
|
||||
|
||||
cur = cur->next;
|
||||
}
|
||||
|
||||
buf = &(cur->buf);
|
||||
buf->tag = tag;
|
||||
buf->p = *p;
|
||||
buf->len = tag_len;
|
||||
*p += buf->len;
|
||||
}
|
||||
|
||||
/* Set final sequence entry's next pointer to NULL */
|
||||
cur->next = NULL;
|
||||
|
||||
if (*p != end) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
|
||||
*
|
||||
|
@ -1029,8 +870,8 @@ static int x509_get_crt_ext(unsigned char **p,
|
|||
|
||||
case MBEDTLS_X509_EXT_KEY_USAGE:
|
||||
/* Parse key usage */
|
||||
if ((ret = x509_get_key_usage(p, end_ext_octet,
|
||||
&crt->key_usage)) != 0) {
|
||||
if ((ret = mbedtls_x509_get_key_usage(p, end_ext_octet,
|
||||
&crt->key_usage)) != 0) {
|
||||
return ret;
|
||||
}
|
||||
break;
|
||||
|
@ -1045,16 +886,16 @@ static int x509_get_crt_ext(unsigned char **p,
|
|||
|
||||
case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
|
||||
/* Parse subject alt name */
|
||||
if ((ret = x509_get_subject_alt_name(p, end_ext_octet,
|
||||
&crt->subject_alt_names)) != 0) {
|
||||
if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_octet,
|
||||
&crt->subject_alt_names)) != 0) {
|
||||
return ret;
|
||||
}
|
||||
break;
|
||||
|
||||
case MBEDTLS_X509_EXT_NS_CERT_TYPE:
|
||||
/* Parse netscape certificate type */
|
||||
if ((ret = x509_get_ns_cert_type(p, end_ext_octet,
|
||||
&crt->ns_cert_type)) != 0) {
|
||||
if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_octet,
|
||||
&crt->ns_cert_type)) != 0) {
|
||||
return ret;
|
||||
}
|
||||
break;
|
||||
|
@ -1703,319 +1544,7 @@ cleanup:
|
|||
}
|
||||
#endif /* MBEDTLS_FS_IO */
|
||||
|
||||
/*
|
||||
* OtherName ::= SEQUENCE {
|
||||
* type-id OBJECT IDENTIFIER,
|
||||
* value [0] EXPLICIT ANY DEFINED BY type-id }
|
||||
*
|
||||
* HardwareModuleName ::= SEQUENCE {
|
||||
* hwType OBJECT IDENTIFIER,
|
||||
* hwSerialNum OCTET STRING }
|
||||
*
|
||||
* NOTE: we currently only parse and use otherName of type HwModuleName,
|
||||
* as defined in RFC 4108.
|
||||
*/
|
||||
static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name,
|
||||
mbedtls_x509_san_other_name *other_name)
|
||||
{
|
||||
int ret = 0;
|
||||
size_t len;
|
||||
unsigned char *p = subject_alt_name->p;
|
||||
const unsigned char *end = p + subject_alt_name->len;
|
||||
mbedtls_x509_buf cur_oid;
|
||||
|
||||
if ((subject_alt_name->tag &
|
||||
(MBEDTLS_ASN1_TAG_CLASS_MASK | MBEDTLS_ASN1_TAG_VALUE_MASK)) !=
|
||||
(MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_OTHER_NAME)) {
|
||||
/*
|
||||
* The given subject alternative name is not of type "othername".
|
||||
*/
|
||||
return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
|
||||
}
|
||||
|
||||
if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
|
||||
MBEDTLS_ASN1_OID)) != 0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
||||
}
|
||||
|
||||
cur_oid.tag = MBEDTLS_ASN1_OID;
|
||||
cur_oid.p = p;
|
||||
cur_oid.len = len;
|
||||
|
||||
/*
|
||||
* Only HwModuleName is currently supported.
|
||||
*/
|
||||
if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME, &cur_oid) != 0) {
|
||||
return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
|
||||
}
|
||||
|
||||
if (p + len >= end) {
|
||||
mbedtls_platform_zeroize(other_name, sizeof(*other_name));
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
|
||||
}
|
||||
p += len;
|
||||
if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
|
||||
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC)) !=
|
||||
0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
||||
}
|
||||
|
||||
if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
|
||||
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
||||
}
|
||||
|
||||
if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID)) != 0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
||||
}
|
||||
|
||||
other_name->value.hardware_module_name.oid.tag = MBEDTLS_ASN1_OID;
|
||||
other_name->value.hardware_module_name.oid.p = p;
|
||||
other_name->value.hardware_module_name.oid.len = len;
|
||||
|
||||
if (p + len >= end) {
|
||||
mbedtls_platform_zeroize(other_name, sizeof(*other_name));
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
|
||||
}
|
||||
p += len;
|
||||
if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
|
||||
MBEDTLS_ASN1_OCTET_STRING)) != 0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
||||
}
|
||||
|
||||
other_name->value.hardware_module_name.val.tag = MBEDTLS_ASN1_OCTET_STRING;
|
||||
other_name->value.hardware_module_name.val.p = p;
|
||||
other_name->value.hardware_module_name.val.len = len;
|
||||
p += len;
|
||||
if (p != end) {
|
||||
mbedtls_platform_zeroize(other_name,
|
||||
sizeof(*other_name));
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
|
||||
mbedtls_x509_subject_alternative_name *san)
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
switch (san_buf->tag &
|
||||
(MBEDTLS_ASN1_TAG_CLASS_MASK |
|
||||
MBEDTLS_ASN1_TAG_VALUE_MASK)) {
|
||||
/*
|
||||
* otherName
|
||||
*/
|
||||
case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_OTHER_NAME):
|
||||
{
|
||||
mbedtls_x509_san_other_name other_name;
|
||||
|
||||
ret = x509_get_other_name(san_buf, &other_name);
|
||||
if (ret != 0) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name));
|
||||
san->type = MBEDTLS_X509_SAN_OTHER_NAME;
|
||||
memcpy(&san->san.other_name,
|
||||
&other_name, sizeof(other_name));
|
||||
|
||||
}
|
||||
break;
|
||||
|
||||
/*
|
||||
* dNSName
|
||||
*/
|
||||
case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_DNS_NAME):
|
||||
{
|
||||
memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name));
|
||||
san->type = MBEDTLS_X509_SAN_DNS_NAME;
|
||||
|
||||
memcpy(&san->san.unstructured_name,
|
||||
san_buf, sizeof(*san_buf));
|
||||
|
||||
}
|
||||
break;
|
||||
|
||||
/*
|
||||
* Type not supported
|
||||
*/
|
||||
default:
|
||||
return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
#if !defined(MBEDTLS_X509_REMOVE_INFO)
|
||||
static int x509_info_subject_alt_name(char **buf, size_t *size,
|
||||
const mbedtls_x509_sequence
|
||||
*subject_alt_name,
|
||||
const char *prefix)
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
size_t i;
|
||||
size_t n = *size;
|
||||
char *p = *buf;
|
||||
const mbedtls_x509_sequence *cur = subject_alt_name;
|
||||
mbedtls_x509_subject_alternative_name san;
|
||||
int parse_ret;
|
||||
|
||||
while (cur != NULL) {
|
||||
memset(&san, 0, sizeof(san));
|
||||
parse_ret = mbedtls_x509_parse_subject_alt_name(&cur->buf, &san);
|
||||
if (parse_ret != 0) {
|
||||
if (parse_ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) {
|
||||
ret = mbedtls_snprintf(p, n, "\n%s <unsupported>", prefix);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
} else {
|
||||
ret = mbedtls_snprintf(p, n, "\n%s <malformed>", prefix);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
}
|
||||
cur = cur->next;
|
||||
continue;
|
||||
}
|
||||
|
||||
switch (san.type) {
|
||||
/*
|
||||
* otherName
|
||||
*/
|
||||
case MBEDTLS_X509_SAN_OTHER_NAME:
|
||||
{
|
||||
mbedtls_x509_san_other_name *other_name = &san.san.other_name;
|
||||
|
||||
ret = mbedtls_snprintf(p, n, "\n%s otherName :", prefix);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME,
|
||||
&other_name->value.hardware_module_name.oid) != 0) {
|
||||
ret = mbedtls_snprintf(p, n, "\n%s hardware module name :", prefix);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
ret =
|
||||
mbedtls_snprintf(p, n, "\n%s hardware type : ", prefix);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
ret = mbedtls_oid_get_numeric_string(p,
|
||||
n,
|
||||
&other_name->value.hardware_module_name.oid);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
ret =
|
||||
mbedtls_snprintf(p, n, "\n%s hardware serial number : ", prefix);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
for (i = 0; i < other_name->value.hardware_module_name.val.len; i++) {
|
||||
ret = mbedtls_snprintf(p,
|
||||
n,
|
||||
"%02X",
|
||||
other_name->value.hardware_module_name.val.p[i]);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
}
|
||||
}/* MBEDTLS_OID_ON_HW_MODULE_NAME */
|
||||
}
|
||||
break;
|
||||
|
||||
/*
|
||||
* dNSName
|
||||
*/
|
||||
case MBEDTLS_X509_SAN_DNS_NAME:
|
||||
{
|
||||
ret = mbedtls_snprintf(p, n, "\n%s dNSName : ", prefix);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
if (san.san.unstructured_name.len >= n) {
|
||||
*p = '\0';
|
||||
return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
|
||||
}
|
||||
|
||||
memcpy(p, san.san.unstructured_name.p, san.san.unstructured_name.len);
|
||||
p += san.san.unstructured_name.len;
|
||||
n -= san.san.unstructured_name.len;
|
||||
}
|
||||
break;
|
||||
|
||||
/*
|
||||
* Type not supported, skip item.
|
||||
*/
|
||||
default:
|
||||
ret = mbedtls_snprintf(p, n, "\n%s <unsupported>", prefix);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
break;
|
||||
}
|
||||
|
||||
cur = cur->next;
|
||||
}
|
||||
|
||||
*p = '\0';
|
||||
|
||||
*size = n;
|
||||
*buf = p;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
#define PRINT_ITEM(i) \
|
||||
{ \
|
||||
ret = mbedtls_snprintf(p, n, "%s" i, sep); \
|
||||
MBEDTLS_X509_SAFE_SNPRINTF; \
|
||||
sep = ", "; \
|
||||
}
|
||||
|
||||
#define CERT_TYPE(type, name) \
|
||||
if (ns_cert_type & (type)) \
|
||||
PRINT_ITEM(name);
|
||||
|
||||
static int x509_info_cert_type(char **buf, size_t *size,
|
||||
unsigned char ns_cert_type)
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
size_t n = *size;
|
||||
char *p = *buf;
|
||||
const char *sep = "";
|
||||
|
||||
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT, "SSL Client");
|
||||
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER, "SSL Server");
|
||||
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_EMAIL, "Email");
|
||||
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING, "Object Signing");
|
||||
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_RESERVED, "Reserved");
|
||||
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_CA, "SSL CA");
|
||||
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA, "Email CA");
|
||||
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA, "Object Signing CA");
|
||||
|
||||
*size = n;
|
||||
*buf = p;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
#define KEY_USAGE(code, name) \
|
||||
if (key_usage & (code)) \
|
||||
PRINT_ITEM(name);
|
||||
|
||||
static int x509_info_key_usage(char **buf, size_t *size,
|
||||
unsigned int key_usage)
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
size_t n = *size;
|
||||
char *p = *buf;
|
||||
const char *sep = "";
|
||||
|
||||
KEY_USAGE(MBEDTLS_X509_KU_DIGITAL_SIGNATURE, "Digital Signature");
|
||||
KEY_USAGE(MBEDTLS_X509_KU_NON_REPUDIATION, "Non Repudiation");
|
||||
KEY_USAGE(MBEDTLS_X509_KU_KEY_ENCIPHERMENT, "Key Encipherment");
|
||||
KEY_USAGE(MBEDTLS_X509_KU_DATA_ENCIPHERMENT, "Data Encipherment");
|
||||
KEY_USAGE(MBEDTLS_X509_KU_KEY_AGREEMENT, "Key Agreement");
|
||||
KEY_USAGE(MBEDTLS_X509_KU_KEY_CERT_SIGN, "Key Cert Sign");
|
||||
KEY_USAGE(MBEDTLS_X509_KU_CRL_SIGN, "CRL Sign");
|
||||
KEY_USAGE(MBEDTLS_X509_KU_ENCIPHER_ONLY, "Encipher Only");
|
||||
KEY_USAGE(MBEDTLS_X509_KU_DECIPHER_ONLY, "Decipher Only");
|
||||
|
||||
*size = n;
|
||||
*buf = p;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int x509_info_ext_key_usage(char **buf, size_t *size,
|
||||
const mbedtls_x509_sequence *extended_key_usage)
|
||||
{
|
||||
|
@ -2167,9 +1696,9 @@ int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix,
|
|||
ret = mbedtls_snprintf(p, n, "\n%ssubject alt name :", prefix);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
if ((ret = x509_info_subject_alt_name(&p, &n,
|
||||
&crt->subject_alt_names,
|
||||
prefix)) != 0) {
|
||||
if ((ret = mbedtls_x509_info_subject_alt_name(&p, &n,
|
||||
&crt->subject_alt_names,
|
||||
prefix)) != 0) {
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
|
@ -2178,7 +1707,7 @@ int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix,
|
|||
ret = mbedtls_snprintf(p, n, "\n%scert. type : ", prefix);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
if ((ret = x509_info_cert_type(&p, &n, crt->ns_cert_type)) != 0) {
|
||||
if ((ret = mbedtls_x509_info_cert_type(&p, &n, crt->ns_cert_type)) != 0) {
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
|
@ -2187,7 +1716,7 @@ int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix,
|
|||
ret = mbedtls_snprintf(p, n, "\n%skey usage : ", prefix);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
if ((ret = x509_info_key_usage(&p, &n, crt->key_usage)) != 0) {
|
||||
if ((ret = mbedtls_x509_info_key_usage(&p, &n, crt->key_usage)) != 0) {
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -69,6 +69,165 @@ static int x509_csr_get_version(unsigned char **p,
|
|||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Parse CSR extension requests in DER format
|
||||
*/
|
||||
static int x509_csr_parse_extensions(mbedtls_x509_csr *csr,
|
||||
unsigned char **p, const unsigned char *end)
|
||||
{
|
||||
int ret;
|
||||
size_t len;
|
||||
unsigned char *end_ext_data;
|
||||
while (*p < end) {
|
||||
mbedtls_x509_buf extn_oid = { 0, 0, NULL };
|
||||
int ext_type = 0;
|
||||
|
||||
/* Read sequence tag */
|
||||
if ((ret = mbedtls_asn1_get_tag(p, end, &len,
|
||||
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
||||
}
|
||||
|
||||
end_ext_data = *p + len;
|
||||
|
||||
/* Get extension ID */
|
||||
if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &extn_oid.len,
|
||||
MBEDTLS_ASN1_OID)) != 0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
||||
}
|
||||
|
||||
extn_oid.tag = MBEDTLS_ASN1_OID;
|
||||
extn_oid.p = *p;
|
||||
*p += extn_oid.len;
|
||||
|
||||
/* Data should be octet string type */
|
||||
if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &len,
|
||||
MBEDTLS_ASN1_OCTET_STRING)) != 0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
||||
}
|
||||
|
||||
if (*p + len != end_ext_data) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
|
||||
}
|
||||
|
||||
/*
|
||||
* Detect supported extensions and skip unsupported extensions
|
||||
*/
|
||||
ret = mbedtls_oid_get_x509_ext_type(&extn_oid, &ext_type);
|
||||
|
||||
if (ret == 0) {
|
||||
/* Forbid repeated extensions */
|
||||
if ((csr->ext_types & ext_type) != 0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
|
||||
MBEDTLS_ERR_ASN1_INVALID_DATA);
|
||||
}
|
||||
|
||||
csr->ext_types |= ext_type;
|
||||
|
||||
switch (ext_type) {
|
||||
case MBEDTLS_X509_EXT_KEY_USAGE:
|
||||
/* Parse key usage */
|
||||
if ((ret = mbedtls_x509_get_key_usage(p, end_ext_data,
|
||||
&csr->key_usage)) != 0) {
|
||||
return ret;
|
||||
}
|
||||
break;
|
||||
|
||||
case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
|
||||
/* Parse subject alt name */
|
||||
if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_data,
|
||||
&csr->subject_alt_names)) != 0) {
|
||||
return ret;
|
||||
}
|
||||
break;
|
||||
|
||||
case MBEDTLS_X509_EXT_NS_CERT_TYPE:
|
||||
/* Parse netscape certificate type */
|
||||
if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_data,
|
||||
&csr->ns_cert_type)) != 0) {
|
||||
return ret;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
*p = end_ext_data;
|
||||
}
|
||||
|
||||
if (*p != end) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Parse CSR attributes in DER format
|
||||
*/
|
||||
static int x509_csr_parse_attributes(mbedtls_x509_csr *csr,
|
||||
const unsigned char *start, const unsigned char *end)
|
||||
{
|
||||
int ret;
|
||||
size_t len;
|
||||
unsigned char *end_attr_data;
|
||||
unsigned char **p = (unsigned char **) &start;
|
||||
|
||||
while (*p < end) {
|
||||
mbedtls_x509_buf attr_oid = { 0, 0, NULL };
|
||||
|
||||
if ((ret = mbedtls_asn1_get_tag(p, end, &len,
|
||||
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
||||
}
|
||||
end_attr_data = *p + len;
|
||||
|
||||
/* Get attribute ID */
|
||||
if ((ret = mbedtls_asn1_get_tag(p, end_attr_data, &attr_oid.len,
|
||||
MBEDTLS_ASN1_OID)) != 0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
||||
}
|
||||
|
||||
attr_oid.tag = MBEDTLS_ASN1_OID;
|
||||
attr_oid.p = *p;
|
||||
*p += attr_oid.len;
|
||||
|
||||
/* Check that this is an extension-request attribute */
|
||||
if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS9_CSR_EXT_REQ, &attr_oid) == 0) {
|
||||
if ((ret = mbedtls_asn1_get_tag(p, end, &len,
|
||||
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SET)) != 0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
||||
}
|
||||
|
||||
if ((ret = mbedtls_asn1_get_tag(p, end, &len,
|
||||
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) !=
|
||||
0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
||||
}
|
||||
|
||||
if ((ret = x509_csr_parse_extensions(csr, p, *p + len)) != 0) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
if (*p != end_attr_data) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
|
||||
}
|
||||
}
|
||||
|
||||
*p = end_attr_data;
|
||||
}
|
||||
|
||||
if (*p != end) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Parse a CSR in DER format
|
||||
*/
|
||||
|
@ -197,6 +356,11 @@ int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
|
|||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
|
||||
}
|
||||
|
||||
if ((ret = x509_csr_parse_attributes(csr, p, p + len)) != 0) {
|
||||
mbedtls_x509_csr_free(csr);
|
||||
return ret;
|
||||
}
|
||||
|
||||
p += len;
|
||||
|
||||
end = csr->raw.p + csr->raw.len;
|
||||
|
@ -345,6 +509,44 @@ int mbedtls_x509_csr_info(char *buf, size_t size, const char *prefix,
|
|||
(int) mbedtls_pk_get_bitlen(&csr->pk));
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
/*
|
||||
* Optional extensions
|
||||
*/
|
||||
|
||||
if (csr->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) {
|
||||
ret = mbedtls_snprintf(p, n, "\n%ssubject alt name :", prefix);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
if ((ret = mbedtls_x509_info_subject_alt_name(&p, &n,
|
||||
&csr->subject_alt_names,
|
||||
prefix)) != 0) {
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
|
||||
if (csr->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE) {
|
||||
ret = mbedtls_snprintf(p, n, "\n%scert. type : ", prefix);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
if ((ret = mbedtls_x509_info_cert_type(&p, &n, csr->ns_cert_type)) != 0) {
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
|
||||
if (csr->ext_types & MBEDTLS_X509_EXT_KEY_USAGE) {
|
||||
ret = mbedtls_snprintf(p, n, "\n%skey usage : ", prefix);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
if ((ret = mbedtls_x509_info_key_usage(&p, &n, csr->key_usage)) != 0) {
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
|
||||
if (csr->ext_types != 0) {
|
||||
ret = mbedtls_snprintf(p, n, "\n");
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
}
|
||||
|
||||
return (int) (size - n);
|
||||
}
|
||||
#endif /* MBEDTLS_X509_REMOVE_INFO */
|
||||
|
@ -373,6 +575,7 @@ void mbedtls_x509_csr_free(mbedtls_x509_csr *csr)
|
|||
#endif
|
||||
|
||||
mbedtls_asn1_free_named_data_list_shallow(csr->subject.next);
|
||||
mbedtls_asn1_sequence_free(csr->subject_alt_names.next);
|
||||
|
||||
if (csr->raw.p != NULL) {
|
||||
mbedtls_platform_zeroize(csr->raw.p, csr->raw.len);
|
||||
|
|
|
@ -93,6 +93,53 @@ cert_example_multi.csr: rsa_pkcs1_1024_clear.pem
|
|||
cert_example_multi.crt: cert_example_multi.csr
|
||||
$(OPENSSL) x509 -req -CA $(test_ca_crt) -CAkey $(test_ca_key_file_rsa) -extfile $(test_ca_config_file) -extensions dns_alt_names -passin "pass:$(test_ca_pwd_rsa)" -set_serial 17 -days 3653 -sha256 -in $< > $@
|
||||
|
||||
test_csr_v3_keyUsage.csr.der: rsa_pkcs1_1024_clear.pem
|
||||
$(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -outform DER -out $@ -reqexts csr_ext_v3_keyUsage
|
||||
test_csr_v3_subjectAltName.csr.der: rsa_pkcs1_1024_clear.pem
|
||||
$(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -outform DER -out $@ -reqexts csr_ext_v3_subjectAltName
|
||||
test_csr_v3_nsCertType.csr.der: rsa_pkcs1_1024_clear.pem
|
||||
$(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -outform DER -out $@ -reqexts csr_ext_v3_nsCertType
|
||||
test_csr_v3_all.csr.der: rsa_pkcs1_1024_clear.pem
|
||||
$(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -outform DER -out $@ -reqexts csr_ext_v3_all
|
||||
test_csr_v3_all_malformed_extensions_sequence_tag.csr.der: test_csr_v3_all.csr.der
|
||||
(hexdump -ve '1/1 "%.2X"' $< | sed "s/300B0603551D0F040403/200B0603551D0F040403/" | xxd -r -p ) > $@
|
||||
test_csr_v3_all_malformed_extension_id_tag.csr.der: test_csr_v3_all.csr.der
|
||||
(hexdump -ve '1/1 "%.2X"' $< | sed "s/0603551D0F0404030201/0703551D0F0404030201/" | xxd -r -p ) > $@
|
||||
test_csr_v3_all_malformed_extension_data_tag.csr.der: test_csr_v3_all.csr.der
|
||||
(hexdump -ve '1/1 "%.2X"' $< | sed "s/040403020102302F0603/050403020102302F0603/" | xxd -r -p ) > $@
|
||||
test_csr_v3_all_malformed_extension_data_len1.csr.der: test_csr_v3_all.csr.der
|
||||
(hexdump -ve '1/1 "%.2X"' $< | sed "s/040403020102302F0603/040503020102302F0603/" | xxd -r -p ) > $@
|
||||
test_csr_v3_all_malformed_extension_data_len2.csr.der: test_csr_v3_all.csr.der
|
||||
(hexdump -ve '1/1 "%.2X"' $< | sed "s/040403020102302F0603/040303020102302F0603/" | xxd -r -p ) > $@
|
||||
test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der: test_csr_v3_all.csr.der
|
||||
(hexdump -ve '1/1 "%.2X"' $< | sed "s/03020102302F0603551D/04020102302F0603551D/" | xxd -r -p ) > $@
|
||||
test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der: test_csr_v3_all.csr.der
|
||||
(hexdump -ve '1/1 "%.2X"' $< | sed "s/3026A02406082B060105/4026A02406082B060105/" | xxd -r -p ) > $@
|
||||
test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der: test_csr_v3_all.csr.der
|
||||
(hexdump -ve '1/1 "%.2X"' $< | sed "s/03020780300D06092A86/04020780300D06092A86/" | xxd -r -p ) > $@
|
||||
test_csr_v3_all_malformed_duplicated_extension.csr.der: test_csr_v3_all.csr.der
|
||||
(hexdump -ve '1/1 "%.2X"' $< | sed "s/551D11/551D0F/" | xxd -r -p ) > $@
|
||||
test_csr_v3_all_malformed_extension_type_oid.csr.der: test_csr_v3_all.csr.der
|
||||
(hexdump -ve '1/1 "%.2X"' $< | sed "s/551D11/551DFF/" | xxd -r -p ) > $@
|
||||
test_csr_v3_all_malformed_attributes_sequence_tag.csr.der: test_csr_v3_all.csr.der
|
||||
(hexdump -ve '1/1 "%.2X"' $< | sed "s/306006092A864886F70D/406006092A864886F70D/" | xxd -r -p ) > $@
|
||||
test_csr_v3_all_malformed_attributes_id_tag.csr.der: test_csr_v3_all.csr.der
|
||||
(hexdump -ve '1/1 "%.2X"' $< | sed "s/06092A864886F70D0109/07092A864886F70D0109/" | xxd -r -p ) > $@
|
||||
test_csr_v3_all_malformed_attributes_extension_request.csr.der: test_csr_v3_all.csr.der
|
||||
(hexdump -ve '1/1 "%.2X"' $< | sed "s/2A864886F70D01090E/2A864886F70D01090F/" | xxd -r -p ) > $@
|
||||
test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der: test_csr_v3_all.csr.der
|
||||
(hexdump -ve '1/1 "%.2X"' $< | sed "s/31533051300B0603551D/32533051300B0603551D/" | xxd -r -p ) > $@
|
||||
test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der: test_csr_v3_all.csr.der
|
||||
(hexdump -ve '1/1 "%.2X"' $< | sed "s/3051300B0603551D0F04/3151300B0603551D0F04/" | xxd -r -p ) > $@
|
||||
test_csr_v3_all_malformed_attributes_len1.csr.der: test_csr_v3_all.csr.der
|
||||
(hexdump -ve '1/1 "%.2X"' $< | sed "s/306006092A864886F70D/306106092A864886F70D/" | xxd -r -p ) > $@
|
||||
test_csr_v3_all_malformed_attributes_len2.csr.der: test_csr_v3_all.csr.der
|
||||
(hexdump -ve '1/1 "%.2X"' $< | sed "s/306006092A864886F70D/305906092A864886F70D/" | xxd -r -p ) > $@
|
||||
test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der: test_csr_v3_all.csr.der
|
||||
(hexdump -ve '1/1 "%.2X"' $< | sed "s/3051300B0603551D0F04/3052300B0603551D0F04/" | xxd -r -p ) > $@
|
||||
test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der: test_csr_v3_all.csr.der
|
||||
(hexdump -ve '1/1 "%.2X"' $< | sed "s/3051300B0603551D0F04/3050300B0603551D0F04/" | xxd -r -p ) > $@
|
||||
|
||||
$(test_ca_key_file_rsa_alt):test-ca.opensslconf
|
||||
$(OPENSSL) genrsa -out $@ 2048
|
||||
test-ca-alt.csr: $(test_ca_key_file_rsa_alt) $(test_ca_config_file)
|
||||
|
|
|
@ -82,3 +82,17 @@ fullname=URI:http://pki.example.com/
|
|||
# these IPs are the ascii values for 'abcd' and 'abcd.example.com'
|
||||
[tricky_ip_san]
|
||||
subjectAltName=IP:97.98.99.100,IP:6162:6364:2e65:7861:6d70:6c65:2e63:6f6d
|
||||
|
||||
[csr_ext_v3_keyUsage]
|
||||
keyUsage = digitalSignature, keyEncipherment
|
||||
|
||||
[csr_ext_v3_subjectAltName]
|
||||
subjectAltName=DNS:example.com, DNS:example.net, DNS:*.example.org
|
||||
|
||||
[csr_ext_v3_nsCertType]
|
||||
nsCertType=server
|
||||
|
||||
[csr_ext_v3_all]
|
||||
keyUsage = cRLSign
|
||||
subjectAltName=otherName:1.3.6.1.5.5.7.8.4;SEQ:nonprintable_hw_module_name
|
||||
nsCertType=client
|
||||
|
|
BIN
tests/data_files/test_csr_v3_all.csr.der
Normal file
BIN
tests/data_files/test_csr_v3_all.csr.der
Normal file
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
BIN
tests/data_files/test_csr_v3_keyUsage.csr.der
Normal file
BIN
tests/data_files/test_csr_v3_keyUsage.csr.der
Normal file
Binary file not shown.
BIN
tests/data_files/test_csr_v3_nsCertType.csr.der
Normal file
BIN
tests/data_files/test_csr_v3_nsCertType.csr.der
Normal file
Binary file not shown.
BIN
tests/data_files/test_csr_v3_subjectAltName.csr.der
Normal file
BIN
tests/data_files/test_csr_v3_subjectAltName.csr.der
Normal file
Binary file not shown.
|
@ -308,48 +308,64 @@ mbedtls_x509_csr_info:"data_files/server1.req.commas.sha256":"CSR version \: 1
|
|||
|
||||
X509 CSR Information EC with SHA1
|
||||
depends_on:MBEDTLS_ECDSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO
|
||||
mbedtls_x509_csr_info:"data_files/server5.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n"
|
||||
mbedtls_x509_csr_info:"data_files/server5.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
|
||||
|
||||
X509 CSR Information EC with SHA224
|
||||
depends_on:MBEDTLS_ECDSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO
|
||||
mbedtls_x509_csr_info:"data_files/server5.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA224\nEC key size \: 256 bits\n"
|
||||
mbedtls_x509_csr_info:"data_files/server5.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA224\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
|
||||
|
||||
X509 CSR Information EC with SHA256
|
||||
depends_on:MBEDTLS_ECDSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO
|
||||
mbedtls_x509_csr_info:"data_files/server5.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\n"
|
||||
mbedtls_x509_csr_info:"data_files/server5.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
|
||||
|
||||
X509 CSR Information EC with SHA384
|
||||
depends_on:MBEDTLS_ECDSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO
|
||||
mbedtls_x509_csr_info:"data_files/server5.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA384\nEC key size \: 256 bits\n"
|
||||
mbedtls_x509_csr_info:"data_files/server5.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA384\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
|
||||
|
||||
X509 CSR Information EC with SHA512
|
||||
depends_on:MBEDTLS_ECDSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO
|
||||
mbedtls_x509_csr_info:"data_files/server5.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA512\nEC key size \: 256 bits\n"
|
||||
mbedtls_x509_csr_info:"data_files/server5.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA512\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
|
||||
|
||||
X509 CSR Information RSA-PSS with SHA1
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO
|
||||
mbedtls_x509_csr_info:"data_files/server9.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0x6A)\nRSA key size \: 1024 bits\n"
|
||||
mbedtls_x509_csr_info:"data_files/server9.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0x6A)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
|
||||
|
||||
X509 CSR Information RSA-PSS with SHA224
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO
|
||||
mbedtls_x509_csr_info:"data_files/server9.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0x62)\nRSA key size \: 1024 bits\n"
|
||||
mbedtls_x509_csr_info:"data_files/server9.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0x62)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
|
||||
|
||||
X509 CSR Information RSA-PSS with SHA256
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO
|
||||
mbedtls_x509_csr_info:"data_files/server9.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0x5E)\nRSA key size \: 1024 bits\n"
|
||||
mbedtls_x509_csr_info:"data_files/server9.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0x5E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
|
||||
|
||||
X509 CSR Information RSA-PSS with SHA384
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO
|
||||
mbedtls_x509_csr_info:"data_files/server9.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0x4E)\nRSA key size \: 1024 bits\n"
|
||||
mbedtls_x509_csr_info:"data_files/server9.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0x4E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
|
||||
|
||||
X509 CSR Information RSA-PSS with SHA512
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO
|
||||
mbedtls_x509_csr_info:"data_files/server9.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0x3E)\nRSA key size \: 1024 bits\n"
|
||||
mbedtls_x509_csr_info:"data_files/server9.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0x3E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
|
||||
|
||||
X509 CSR Information RSA with SHA-256 - Microsoft header
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
|
||||
mbedtls_x509_csr_info:"data_files/server1-ms.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n"
|
||||
|
||||
X509 CSR Information v3 extensions #1 (all)
|
||||
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
|
||||
mbedtls_x509_csr_info:"data_files/test_csr_v3_all.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 3132338081008180333231\ncert. type \: SSL Client\nkey usage \: CRL Sign\n"
|
||||
|
||||
X509 CSR Information v3 extensions #2 (nsCertType only)
|
||||
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
|
||||
mbedtls_x509_csr_info:"data_files/test_csr_v3_nsCertType.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\ncert. type \: SSL Server\n"
|
||||
|
||||
X509 CSR Information v3 extensions #3 (subjectAltName only)
|
||||
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
|
||||
mbedtls_x509_csr_info:"data_files/test_csr_v3_subjectAltName.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nsubject alt name \:\n dNSName \: example.com\n dNSName \: example.net\n dNSName \: *.example.org\n"
|
||||
|
||||
X509 CSR Information v3 extensions #4 (keyUsage only)
|
||||
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
|
||||
mbedtls_x509_csr_info:"data_files/test_csr_v3_keyUsage.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Key Encipherment\n"
|
||||
|
||||
X509 Verify Information: empty
|
||||
x509_verify_info:0:"":""
|
||||
|
||||
|
@ -2573,7 +2589,7 @@ x509_parse_rsassa_pss_params:"a303020102":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN
|
|||
|
||||
X509 CSR ASN.1 (OK)
|
||||
depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO
|
||||
mbedtls_x509_csr_parse:"308201183081bf0201003034310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c31123010060355040313096c6f63616c686f73743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa029302706092a864886f70d01090e311a301830090603551d1304023000300b0603551d0f0404030205e0300906072a8648ce3d04010349003046022100b49fd8c8f77abfa871908dfbe684a08a793d0f490a43d86fcf2086e4f24bb0c2022100f829d5ccd3742369299e6294394717c4b723a0f68b44e831b6e6c3bcabf97243":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n":0
|
||||
mbedtls_x509_csr_parse:"308201183081bf0201003034310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c31123010060355040313096c6f63616c686f73743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa029302706092a864886f70d01090e311a301830090603551d1304023000300b0603551d0f0404030205e0300906072a8648ce3d04010349003046022100b49fd8c8f77abfa871908dfbe684a08a793d0f490a43d86fcf2086e4f24bb0c2022100f829d5ccd3742369299e6294394717c4b723a0f68b44e831b6e6c3bcabf97243":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n":0
|
||||
|
||||
X509 CSR ASN.1 (bad first tag)
|
||||
mbedtls_x509_csr_parse:"3100":"":MBEDTLS_ERR_X509_INVALID_FORMAT
|
||||
|
@ -2664,6 +2680,84 @@ mbedtls_x509_csr_parse:"308201193081bf0201003034310b3009060355040613024e4c311130
|
|||
X509 CSR ASN.1 (invalid version overflow)
|
||||
mbedtls_x509_csr_parse:"3008300602047fffffff":"":MBEDTLS_ERR_X509_UNKNOWN_VERSION
|
||||
|
||||
# Used test_csr_v3_all.csr.der as a base for malforming CSR extenstions/attributes
|
||||
# Please see makefile for data_files to check malformation details (test_csr_v3_all_malformed_xxx.csr files)
|
||||
X509 CSR ASN.1 (attributes: invalid sequence tag)
|
||||
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
|
||||
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
|
||||
|
||||
X509 CSR ASN.1 (attributes: invalid attribute id)
|
||||
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
|
||||
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_id_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
|
||||
|
||||
X509 CSR ASN.1 (attributes: not extension request)
|
||||
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
|
||||
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_extension_request.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n":0
|
||||
|
||||
X509 CSR ASN.1 (attributes: invalid extenstion request set tag)
|
||||
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
|
||||
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
|
||||
|
||||
X509 CSR ASN.1 (attributes: invalid extenstion request sequence tag)
|
||||
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
|
||||
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
|
||||
|
||||
X509 CSR ASN.1 (attributes: invalid len (len > data))
|
||||
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
|
||||
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
|
||||
|
||||
X509 CSR ASN.1 (attributes: invalid len (len < data))
|
||||
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
|
||||
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
|
||||
|
||||
X509 CSR ASN.1 (attributes: extension request invalid len (len > data))
|
||||
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
|
||||
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
|
||||
|
||||
X509 CSR ASN.1 (attributes: extension request invalid len (len < data))
|
||||
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
|
||||
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
|
||||
|
||||
X509 CSR ASN.1 (extensions: invalid sequence tag)
|
||||
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
|
||||
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extensions_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
|
||||
|
||||
X509 CSR ASN.1 (extensions: invalid extension id tag)
|
||||
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
|
||||
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_id_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
|
||||
|
||||
X509 CSR ASN.1 (extensions: invalid extension data tag)
|
||||
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
|
||||
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_data_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
|
||||
|
||||
X509 CSR ASN.1 (extensions: invalid extension data len (len > data))
|
||||
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
|
||||
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_data_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
|
||||
|
||||
X509 CSR ASN.1 (extensions: invalid extension data len (len < data))
|
||||
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
|
||||
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_data_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
|
||||
|
||||
X509 CSR ASN.1 (extensions: invalid extension key usage bitstream tag)
|
||||
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
|
||||
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
|
||||
|
||||
X509 CSR ASN.1 (extensions: invalid extension subject alt name sequence tag)
|
||||
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
|
||||
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
|
||||
|
||||
X509 CSR ASN.1 (extensions: invalid extension ns cert bitstream tag)
|
||||
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
|
||||
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
|
||||
|
||||
X509 CSR ASN.1 (extensions: duplicated extension)
|
||||
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
|
||||
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_duplicated_extension.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_INVALID_DATA
|
||||
|
||||
X509 CSR ASN.1 (extensions: invalid extension type data)
|
||||
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
|
||||
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_type_oid.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\ncert. type \: SSL Client\nkey usage \: CRL Sign\n":0
|
||||
|
||||
X509 File parse (no issues)
|
||||
depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
|
||||
x509parse_crt_file:"data_files/server7_int-ca.crt":0
|
||||
|
|
|
@ -1169,6 +1169,30 @@ exit:
|
|||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CSR_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */
|
||||
void mbedtls_x509_csr_parse_file(char *csr_file, char *ref_out, int ref_ret)
|
||||
{
|
||||
mbedtls_x509_csr csr;
|
||||
char my_out[1000];
|
||||
int my_ret;
|
||||
|
||||
mbedtls_x509_csr_init(&csr);
|
||||
memset(my_out, 0, sizeof(my_out));
|
||||
|
||||
my_ret = mbedtls_x509_csr_parse_file(&csr, csr_file);
|
||||
TEST_ASSERT(my_ret == ref_ret);
|
||||
|
||||
if (ref_ret == 0) {
|
||||
size_t my_out_len = mbedtls_x509_csr_info(my_out, sizeof(my_out), "", &csr);
|
||||
TEST_ASSERT(my_out_len == strlen(ref_out));
|
||||
TEST_ASSERT(strcmp(my_out, ref_out) == 0);
|
||||
}
|
||||
|
||||
exit:
|
||||
mbedtls_x509_csr_free(&csr);
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
|
||||
void mbedtls_x509_crt_parse_path(char *crt_path, int ret, int nb_crt)
|
||||
{
|
||||
|
|
Loading…
Reference in a new issue