yuzu-emu/mbedtls
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #6922 from mprse/csr_v3

Browse source 
Parsing v3 extensions from a CSR - v.2
This commit is contained in:
Gilles Peskine 2023-02-03 16:41:11 +01:00 committed by GitHub
commit 0cfb08ddf1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
34 changed files with 996 additions and 574 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
ChangeLog.d/csr_v3_extensions.txt Normal file
View file

@ -0,0 +1,3 @@
Features
* Add parsing of V3 extensions (key usage, Netscape cert-type,
Subject Alternative Names) in x509 Certificate Sign Requests.

99
include/mbedtls/x509.h
View file

@ -148,7 +148,7 @@
/*
* X.509 v3 Key Usage Extension flags
* Reminder: update x509_info_key_usage() when adding new flags.
* Reminder: update mbedtls_x509_info_key_usage() when adding new flags.
*/
#define MBEDTLS_X509_KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */
#define MBEDTLS_X509_KU_NON_REPUDIATION (0x40) /* bit 1 */
@ -250,6 +250,56 @@ typedef struct mbedtls_x509_time {
}
mbedtls_x509_time;
/**
* From RFC 5280 section 4.2.1.6:
* OtherName ::= SEQUENCE {
* type-id OBJECT IDENTIFIER,
* value [0] EXPLICIT ANY DEFINED BY type-id }
*
* Future versions of the library may add new fields to this structure or
* to its embedded union and structure.
*/
typedef struct mbedtls_x509_san_other_name {
/**
* The type_id is an OID as defined in RFC 5280.
* To check the value of the type id, you should use
* \p MBEDTLS_OID_CMP with a known OID mbedtls_x509_buf.
*/
mbedtls_x509_buf type_id; /**< The type id. */
union {
/**
* From RFC 4108 section 5:
* HardwareModuleName ::= SEQUENCE {
* hwType OBJECT IDENTIFIER,
* hwSerialNum OCTET STRING }
*/
struct {
mbedtls_x509_buf oid; /**< The object identifier. */
mbedtls_x509_buf val; /**< The named value. */
}
hardware_module_name;
}
value;
}
mbedtls_x509_san_other_name;
/**
* A structure for holding the parsed Subject Alternative Name,
* according to type.
*
* Future versions of the library may add new fields to this structure or
* to its embedded union and structure.
*/
typedef struct mbedtls_x509_subject_alternative_name {
int type; /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
union {
mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */
mbedtls_x509_buf unstructured_name; /**< The buffer for the un constructed types. Only dnsName currently supported */
}
san; /**< A union of the supported SAN types */
}
mbedtls_x509_subject_alternative_name;
/** \} name Structures for parsing X.509 certificates, CRLs and CSRs */
/**
@ -326,6 +376,36 @@ int mbedtls_x509_time_is_past(const mbedtls_x509_time *to);
*/
int mbedtls_x509_time_is_future(const mbedtls_x509_time *from);
/**
* \brief This function parses an item in the SubjectAlternativeNames
* extension.
*
* \param san_buf The buffer holding the raw data item of the subject
* alternative name.
* \param san The target structure to populate with the parsed presentation
* of the subject alternative name encoded in \p san_raw.
*
* \note Only "dnsName" and "otherName" of type hardware_module_name
* as defined in RFC 4180 is supported.
*
* \note This function should be called on a single raw data of
* subject alternative name. For example, after successful
* certificate parsing, one must iterate on every item in the
* \p crt->subject_alt_names sequence, and pass it to
* this function.
*
* \warning The target structure contains pointers to the raw data of the
* parsed certificate, and its lifetime is restricted by the
* lifetime of the certificate.
*
* \return \c 0 on success
* \return #MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE for an unsupported
* SAN type.
* \return Another negative value for any other failure.
*/
int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
mbedtls_x509_subject_alternative_name *san);
/** \} addtogroup x509_module */
/*
@ -370,6 +450,23 @@ int mbedtls_x509_write_names(unsigned char **p, unsigned char *start,
int mbedtls_x509_write_sig(unsigned char **p, unsigned char *start,
const char *oid, size_t oid_len,
unsigned char *sig, size_t size);
int mbedtls_x509_get_ns_cert_type(unsigned char **p,
const unsigned char *end,
unsigned char *ns_cert_type);
int mbedtls_x509_get_key_usage(unsigned char **p,
const unsigned char *end,
unsigned int *key_usage);
int mbedtls_x509_get_subject_alt_name(unsigned char **p,
const unsigned char *end,
mbedtls_x509_sequence *subject_alt_name);
int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
const mbedtls_x509_sequence
*subject_alt_name,
const char *prefix);
int mbedtls_x509_info_cert_type(char **buf, size_t *size,
unsigned char ns_cert_type);
int mbedtls_x509_info_key_usage(char **buf, size_t *size,
unsigned int key_usage);
#define MBEDTLS_X509_SAFE_SNPRINTF \
do { \

80
include/mbedtls/x509_crt.h
View file

@ -102,56 +102,6 @@ typedef struct mbedtls_x509_crt {
}
mbedtls_x509_crt;
/**
* From RFC 5280 section 4.2.1.6:
* OtherName ::= SEQUENCE {
* type-id OBJECT IDENTIFIER,
* value [0] EXPLICIT ANY DEFINED BY type-id }
*
* Future versions of the library may add new fields to this structure or
* to its embedded union and structure.
*/
typedef struct mbedtls_x509_san_other_name {
/**
* The type_id is an OID as defined in RFC 5280.
* To check the value of the type id, you should use
* \p MBEDTLS_OID_CMP with a known OID mbedtls_x509_buf.
*/
mbedtls_x509_buf type_id; /**< The type id. */
union {
/**
* From RFC 4108 section 5:
* HardwareModuleName ::= SEQUENCE {
* hwType OBJECT IDENTIFIER,
* hwSerialNum OCTET STRING }
*/
struct {
mbedtls_x509_buf oid; /**< The object identifier. */
mbedtls_x509_buf val; /**< The named value. */
}
hardware_module_name;
}
value;
}
mbedtls_x509_san_other_name;
/**
* A structure for holding the parsed Subject Alternative Name,
* according to type.
*
* Future versions of the library may add new fields to this structure or
* to its embedded union and structure.
*/
typedef struct mbedtls_x509_subject_alternative_name {
int type; /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
union {
mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */
mbedtls_x509_buf unstructured_name; /**< The buffer for the un constructed types. Only dnsName currently supported */
}
san; /**< A union of the supported SAN types */
}
mbedtls_x509_subject_alternative_name;
/**
* Build flag from an algorithm/curve identifier (pk, md, ecp)
* Since 0 is always XXX_NONE, ignore it.
@ -590,36 +540,6 @@ int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path);
int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path);
#endif /* MBEDTLS_FS_IO */
/**
* \brief This function parses an item in the SubjectAlternativeNames
* extension.
*
* \param san_buf The buffer holding the raw data item of the subject
* alternative name.
* \param san The target structure to populate with the parsed presentation
* of the subject alternative name encoded in \p san_raw.
*
* \note Only "dnsName" and "otherName" of type hardware_module_name
* as defined in RFC 4180 is supported.
*
* \note This function should be called on a single raw data of
* subject alternative name. For example, after successful
* certificate parsing, one must iterate on every item in the
* \p crt->subject_alt_names sequence, and pass it to
* this function.
*
* \warning The target structure contains pointers to the raw data of the
* parsed certificate, and its lifetime is restricted by the
* lifetime of the certificate.
*
* \return \c 0 on success
* \return #MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE for an unsupported
* SAN type.
* \return Another negative value for any other failure.
*/
int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
mbedtls_x509_subject_alternative_name *san);
#if !defined(MBEDTLS_X509_REMOVE_INFO)
/**
* \brief Returns an informational string about the

6
include/mbedtls/x509_csr.h
View file

@ -58,6 +58,12 @@ typedef struct mbedtls_x509_csr {
mbedtls_pk_context pk; /**< Container for the public key context. */
unsigned int key_usage; /**< Optional key usage extension value: See the values in x509.h */
unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values in x509.h */
mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). */
int MBEDTLS_PRIVATE(ext_types); /**< Bit string containing detected and parsed extensions */
mbedtls_x509_buf sig_oid;
mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */

485
library/x509.c
View file

@ -1107,4 +1107,489 @@ int mbedtls_x509_time_is_future(const mbedtls_x509_time *from)
return 0;
}
#endif /* MBEDTLS_HAVE_TIME_DATE */
/* Common functions for parsing CRT and CSR. */
#if defined(MBEDTLS_X509_CRT_PARSE_C) || defined(MBEDTLS_X509_CSR_PARSE_C)
/*
* OtherName ::= SEQUENCE {
* type-id OBJECT IDENTIFIER,
* value [0] EXPLICIT ANY DEFINED BY type-id }
*
* HardwareModuleName ::= SEQUENCE {
* hwType OBJECT IDENTIFIER,
* hwSerialNum OCTET STRING }
*
* NOTE: we currently only parse and use otherName of type HwModuleName,
* as defined in RFC 4108.
*/
static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name,
mbedtls_x509_san_other_name *other_name)
{
int ret = 0;
size_t len;
unsigned char *p = subject_alt_name->p;
const unsigned char *end = p + subject_alt_name->len;
mbedtls_x509_buf cur_oid;
if ((subject_alt_name->tag &
(MBEDTLS_ASN1_TAG_CLASS_MASK | MBEDTLS_ASN1_TAG_VALUE_MASK)) !=
(MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_OTHER_NAME)) {
/*
* The given subject alternative name is not of type "othername".
*/
return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
}
if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
MBEDTLS_ASN1_OID)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
cur_oid.tag = MBEDTLS_ASN1_OID;
cur_oid.p = p;
cur_oid.len = len;
/*
* Only HwModuleName is currently supported.
*/
if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME, &cur_oid) != 0) {
return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
}
if (p + len >= end) {
mbedtls_platform_zeroize(other_name, sizeof(*other_name));
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
p += len;
if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC)) !=
0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
other_name->value.hardware_module_name.oid.tag = MBEDTLS_ASN1_OID;
other_name->value.hardware_module_name.oid.p = p;
other_name->value.hardware_module_name.oid.len = len;
if (p + len >= end) {
mbedtls_platform_zeroize(other_name, sizeof(*other_name));
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
p += len;
if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
MBEDTLS_ASN1_OCTET_STRING)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
other_name->value.hardware_module_name.val.tag = MBEDTLS_ASN1_OCTET_STRING;
other_name->value.hardware_module_name.val.p = p;
other_name->value.hardware_module_name.val.len = len;
p += len;
if (p != end) {
mbedtls_platform_zeroize(other_name,
sizeof(*other_name));
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
return 0;
}
/*
* SubjectAltName ::= GeneralNames
*
* GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
*
* GeneralName ::= CHOICE {
* otherName [0] OtherName,
* rfc822Name [1] IA5String,
* dNSName [2] IA5String,
* x400Address [3] ORAddress,
* directoryName [4] Name,
* ediPartyName [5] EDIPartyName,
* uniformResourceIdentifier [6] IA5String,
* iPAddress [7] OCTET STRING,
* registeredID [8] OBJECT IDENTIFIER }
*
* OtherName ::= SEQUENCE {
* type-id OBJECT IDENTIFIER,
* value [0] EXPLICIT ANY DEFINED BY type-id }
*
* EDIPartyName ::= SEQUENCE {
* nameAssigner [0] DirectoryString OPTIONAL,
* partyName [1] DirectoryString }
*
* NOTE: we list all types, but only use dNSName and otherName
* of type HwModuleName, as defined in RFC 4108, at this point.
*/
int mbedtls_x509_get_subject_alt_name(unsigned char **p,
const unsigned char *end,
mbedtls_x509_sequence *subject_alt_name)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len, tag_len;
mbedtls_asn1_buf *buf;
unsigned char tag;
mbedtls_asn1_sequence *cur = subject_alt_name;
/* Get main sequence tag */
if ((ret = mbedtls_asn1_get_tag(p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
if (*p + len != end) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
while (*p < end) {
mbedtls_x509_subject_alternative_name dummy_san_buf;
memset(&dummy_san_buf, 0, sizeof(dummy_san_buf));
tag = **p;
(*p)++;
if ((ret = mbedtls_asn1_get_len(p, end, &tag_len)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
if ((tag & MBEDTLS_ASN1_TAG_CLASS_MASK) !=
MBEDTLS_ASN1_CONTEXT_SPECIFIC) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
}
/*
* Check that the SAN is structured correctly.
*/
ret = mbedtls_x509_parse_subject_alt_name(&(cur->buf), &dummy_san_buf);
/*
* In case the extension is malformed, return an error,
* and clear the allocated sequences.
*/
if (ret != 0 && ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) {
mbedtls_asn1_sequence_free(subject_alt_name->next);
subject_alt_name->next = NULL;
return ret;
}
/* Allocate and assign next pointer */
if (cur->buf.p != NULL) {
if (cur->next != NULL) {
return MBEDTLS_ERR_X509_INVALID_EXTENSIONS;
}
cur->next = mbedtls_calloc(1, sizeof(mbedtls_asn1_sequence));
if (cur->next == NULL) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_ALLOC_FAILED);
}
cur = cur->next;
}
buf = &(cur->buf);
buf->tag = tag;
buf->p = *p;
buf->len = tag_len;
*p += buf->len;
}
/* Set final sequence entry's next pointer to NULL */
cur->next = NULL;
if (*p != end) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
return 0;
}
int mbedtls_x509_get_ns_cert_type(unsigned char **p,
const unsigned char *end,
unsigned char *ns_cert_type)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_x509_bitstring bs = { 0, 0, NULL };
if ((ret = mbedtls_asn1_get_bitstring(p, end, &bs)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
/* A bitstring with no flags set is still technically valid, as it will mean
that the certificate has no designated purpose at the time of creation. */
if (bs.len == 0) {
*ns_cert_type = 0;
return 0;
}
if (bs.len != 1) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_INVALID_LENGTH);
}
/* Get actual bitstring */
*ns_cert_type = *bs.p;
return 0;
}
int mbedtls_x509_get_key_usage(unsigned char **p,
const unsigned char *end,
unsigned int *key_usage)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t i;
mbedtls_x509_bitstring bs = { 0, 0, NULL };
if ((ret = mbedtls_asn1_get_bitstring(p, end, &bs)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
/* A bitstring with no flags set is still technically valid, as it will mean
that the certificate has no designated purpose at the time of creation. */
if (bs.len == 0) {
*key_usage = 0;
return 0;
}
/* Get actual bitstring */
*key_usage = 0;
for (i = 0; i < bs.len && i < sizeof(unsigned int); i++) {
*key_usage |= (unsigned int) bs.p[i] << (8*i);
}
return 0;
}
int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
mbedtls_x509_subject_alternative_name *san)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
switch (san_buf->tag &
(MBEDTLS_ASN1_TAG_CLASS_MASK |
MBEDTLS_ASN1_TAG_VALUE_MASK)) {
/*
* otherName
*/
case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_OTHER_NAME):
{
mbedtls_x509_san_other_name other_name;
ret = x509_get_other_name(san_buf, &other_name);
if (ret != 0) {
return ret;
}
memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name));
san->type = MBEDTLS_X509_SAN_OTHER_NAME;
memcpy(&san->san.other_name,
&other_name, sizeof(other_name));
}
break;
/*
* dNSName
*/
case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_DNS_NAME):
{
memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name));
san->type = MBEDTLS_X509_SAN_DNS_NAME;
memcpy(&san->san.unstructured_name,
san_buf, sizeof(*san_buf));
}
break;
/*
* Type not supported
*/
default:
return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
}
return 0;
}
#if !defined(MBEDTLS_X509_REMOVE_INFO)
int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
const mbedtls_x509_sequence
*subject_alt_name,
const char *prefix)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t i;
size_t n = *size;
char *p = *buf;
const mbedtls_x509_sequence *cur = subject_alt_name;
mbedtls_x509_subject_alternative_name san;
int parse_ret;
while (cur != NULL) {
memset(&san, 0, sizeof(san));
parse_ret = mbedtls_x509_parse_subject_alt_name(&cur->buf, &san);
if (parse_ret != 0) {
if (parse_ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) {
ret = mbedtls_snprintf(p, n, "\n%s <unsupported>", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
} else {
ret = mbedtls_snprintf(p, n, "\n%s <malformed>", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
}
cur = cur->next;
continue;
}
switch (san.type) {
/*
* otherName
*/
case MBEDTLS_X509_SAN_OTHER_NAME:
{
mbedtls_x509_san_other_name *other_name = &san.san.other_name;
ret = mbedtls_snprintf(p, n, "\n%s otherName :", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME,
&other_name->value.hardware_module_name.oid) != 0) {
ret = mbedtls_snprintf(p, n, "\n%s hardware module name :", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
ret =
mbedtls_snprintf(p, n, "\n%s hardware type : ", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
ret = mbedtls_oid_get_numeric_string(p,
n,
&other_name->value.hardware_module_name.oid);
MBEDTLS_X509_SAFE_SNPRINTF;
ret =
mbedtls_snprintf(p, n, "\n%s hardware serial number : ", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
for (i = 0; i < other_name->value.hardware_module_name.val.len; i++) {
ret = mbedtls_snprintf(p,
n,
"%02X",
other_name->value.hardware_module_name.val.p[i]);
MBEDTLS_X509_SAFE_SNPRINTF;
}
}/* MBEDTLS_OID_ON_HW_MODULE_NAME */
}
break;
/*
* dNSName
*/
case MBEDTLS_X509_SAN_DNS_NAME:
{
ret = mbedtls_snprintf(p, n, "\n%s dNSName : ", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
if (san.san.unstructured_name.len >= n) {
*p = '\0';
return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
}
memcpy(p, san.san.unstructured_name.p, san.san.unstructured_name.len);
p += san.san.unstructured_name.len;
n -= san.san.unstructured_name.len;
}
break;
/*
* Type not supported, skip item.
*/
default:
ret = mbedtls_snprintf(p, n, "\n%s <unsupported>", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
break;
}
cur = cur->next;
}
*p = '\0';
*size = n;
*buf = p;
return 0;
}
#define PRINT_ITEM(i) \
{ \
ret = mbedtls_snprintf(p, n, "%s" i, sep); \
MBEDTLS_X509_SAFE_SNPRINTF; \
sep = ", "; \
}
#define CERT_TYPE(type, name) \
if (ns_cert_type & (type)) \
PRINT_ITEM(name);
int mbedtls_x509_info_cert_type(char **buf, size_t *size,
unsigned char ns_cert_type)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t n = *size;
char *p = *buf;
const char *sep = "";
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT, "SSL Client");
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER, "SSL Server");
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_EMAIL, "Email");
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING, "Object Signing");
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_RESERVED, "Reserved");
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_CA, "SSL CA");
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA, "Email CA");
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA, "Object Signing CA");
*size = n;
*buf = p;
return 0;
}
#define KEY_USAGE(code, name) \
if (key_usage & (code)) \
PRINT_ITEM(name);
int mbedtls_x509_info_key_usage(char **buf, size_t *size,
unsigned int key_usage)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t n = *size;
char *p = *buf;
const char *sep = "";
KEY_USAGE(MBEDTLS_X509_KU_DIGITAL_SIGNATURE, "Digital Signature");
KEY_USAGE(MBEDTLS_X509_KU_NON_REPUDIATION, "Non Repudiation");
KEY_USAGE(MBEDTLS_X509_KU_KEY_ENCIPHERMENT, "Key Encipherment");
KEY_USAGE(MBEDTLS_X509_KU_DATA_ENCIPHERMENT, "Data Encipherment");
KEY_USAGE(MBEDTLS_X509_KU_KEY_AGREEMENT, "Key Agreement");
KEY_USAGE(MBEDTLS_X509_KU_KEY_CERT_SIGN, "Key Cert Sign");
KEY_USAGE(MBEDTLS_X509_KU_CRL_SIGN, "CRL Sign");
KEY_USAGE(MBEDTLS_X509_KU_ENCIPHER_ONLY, "Encipher Only");
KEY_USAGE(MBEDTLS_X509_KU_DECIPHER_ONLY, "Decipher Only");
*size = n;
*buf = p;
return 0;
}
#endif /* MBEDTLS_X509_REMOVE_INFO */
#endif /* MBEDTLS_X509_CRT_PARSE_C || MBEDTLS_X509_CSR_PARSE_C */
#endif /* MBEDTLS_X509_USE_C */

483
library/x509_crt.c
View file

@ -562,53 +562,6 @@ static int x509_get_basic_constraints(unsigned char **p,
return 0;
}
static int x509_get_ns_cert_type(unsigned char **p,
const unsigned char *end,
unsigned char *ns_cert_type)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_x509_bitstring bs = { 0, 0, NULL };
if ((ret = mbedtls_asn1_get_bitstring(p, end, &bs)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
if (bs.len != 1) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_INVALID_LENGTH);
}
/* Get actual bitstring */
*ns_cert_type = *bs.p;
return 0;
}
static int x509_get_key_usage(unsigned char **p,
const unsigned char *end,
unsigned int *key_usage)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t i;
mbedtls_x509_bitstring bs = { 0, 0, NULL };
if ((ret = mbedtls_asn1_get_bitstring(p, end, &bs)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
if (bs.len < 1) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_INVALID_LENGTH);
}
/* Get actual bitstring */
*key_usage = 0;
for (i = 0; i < bs.len && i < sizeof(unsigned int); i++) {
*key_usage |= (unsigned int) bs.p[i] << (8*i);
}
return 0;
}
/*
* ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
*
@ -633,118 +586,6 @@ static int x509_get_ext_key_usage(unsigned char **p,
return 0;
}
/*
* SubjectAltName ::= GeneralNames
*
* GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
*
* GeneralName ::= CHOICE {
* otherName [0] OtherName,
* rfc822Name [1] IA5String,
* dNSName [2] IA5String,
* x400Address [3] ORAddress,
* directoryName [4] Name,
* ediPartyName [5] EDIPartyName,
* uniformResourceIdentifier [6] IA5String,
* iPAddress [7] OCTET STRING,
* registeredID [8] OBJECT IDENTIFIER }
*
* OtherName ::= SEQUENCE {
* type-id OBJECT IDENTIFIER,
* value [0] EXPLICIT ANY DEFINED BY type-id }
*
* EDIPartyName ::= SEQUENCE {
* nameAssigner [0] DirectoryString OPTIONAL,
* partyName [1] DirectoryString }
*
* NOTE: we list all types, but only use dNSName and otherName
* of type HwModuleName, as defined in RFC 4108, at this point.
*/
static int x509_get_subject_alt_name(unsigned char **p,
const unsigned char *end,
mbedtls_x509_sequence *subject_alt_name)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len, tag_len;
mbedtls_asn1_buf *buf;
unsigned char tag;
mbedtls_asn1_sequence *cur = subject_alt_name;
/* Get main sequence tag */
if ((ret = mbedtls_asn1_get_tag(p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
if (*p + len != end) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
while (*p < end) {
mbedtls_x509_subject_alternative_name dummy_san_buf;
memset(&dummy_san_buf, 0, sizeof(dummy_san_buf));
tag = **p;
(*p)++;
if ((ret = mbedtls_asn1_get_len(p, end, &tag_len)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
if ((tag & MBEDTLS_ASN1_TAG_CLASS_MASK) !=
MBEDTLS_ASN1_CONTEXT_SPECIFIC) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
}
/*
* Check that the SAN is structured correctly.
*/
ret = mbedtls_x509_parse_subject_alt_name(&(cur->buf), &dummy_san_buf);
/*
* In case the extension is malformed, return an error,
* and clear the allocated sequences.
*/
if (ret != 0 && ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) {
mbedtls_asn1_sequence_free(subject_alt_name->next);
subject_alt_name->next = NULL;
return ret;
}
/* Allocate and assign next pointer */
if (cur->buf.p != NULL) {
if (cur->next != NULL) {
return MBEDTLS_ERR_X509_INVALID_EXTENSIONS;
}
cur->next = mbedtls_calloc(1, sizeof(mbedtls_asn1_sequence));
if (cur->next == NULL) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_ALLOC_FAILED);
}
cur = cur->next;
}
buf = &(cur->buf);
buf->tag = tag;
buf->p = *p;
buf->len = tag_len;
*p += buf->len;
}
/* Set final sequence entry's next pointer to NULL */
cur->next = NULL;
if (*p != end) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
return 0;
}
/*
* id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
*
@ -1029,7 +870,7 @@ static int x509_get_crt_ext(unsigned char **p,
case MBEDTLS_X509_EXT_KEY_USAGE:
/* Parse key usage */
if ((ret = x509_get_key_usage(p, end_ext_octet,
if ((ret = mbedtls_x509_get_key_usage(p, end_ext_octet,
&crt->key_usage)) != 0) {
return ret;
}
@ -1045,7 +886,7 @@ static int x509_get_crt_ext(unsigned char **p,
case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
/* Parse subject alt name */
if ((ret = x509_get_subject_alt_name(p, end_ext_octet,
if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_octet,
&crt->subject_alt_names)) != 0) {
return ret;
}
@ -1053,7 +894,7 @@ static int x509_get_crt_ext(unsigned char **p,
case MBEDTLS_X509_EXT_NS_CERT_TYPE:
/* Parse netscape certificate type */
if ((ret = x509_get_ns_cert_type(p, end_ext_octet,
if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_octet,
&crt->ns_cert_type)) != 0) {
return ret;
}
@ -1703,319 +1544,7 @@ cleanup:
}
#endif /* MBEDTLS_FS_IO */
/*
* OtherName ::= SEQUENCE {
* type-id OBJECT IDENTIFIER,
* value [0] EXPLICIT ANY DEFINED BY type-id }
*
* HardwareModuleName ::= SEQUENCE {
* hwType OBJECT IDENTIFIER,
* hwSerialNum OCTET STRING }
*
* NOTE: we currently only parse and use otherName of type HwModuleName,
* as defined in RFC 4108.
*/
static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name,
mbedtls_x509_san_other_name *other_name)
{
int ret = 0;
size_t len;
unsigned char *p = subject_alt_name->p;
const unsigned char *end = p + subject_alt_name->len;
mbedtls_x509_buf cur_oid;
if ((subject_alt_name->tag &
(MBEDTLS_ASN1_TAG_CLASS_MASK | MBEDTLS_ASN1_TAG_VALUE_MASK)) !=
(MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_OTHER_NAME)) {
/*
* The given subject alternative name is not of type "othername".
*/
return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
}
if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
MBEDTLS_ASN1_OID)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
cur_oid.tag = MBEDTLS_ASN1_OID;
cur_oid.p = p;
cur_oid.len = len;
/*
* Only HwModuleName is currently supported.
*/
if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME, &cur_oid) != 0) {
return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
}
if (p + len >= end) {
mbedtls_platform_zeroize(other_name, sizeof(*other_name));
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
p += len;
if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC)) !=
0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
other_name->value.hardware_module_name.oid.tag = MBEDTLS_ASN1_OID;
other_name->value.hardware_module_name.oid.p = p;
other_name->value.hardware_module_name.oid.len = len;
if (p + len >= end) {
mbedtls_platform_zeroize(other_name, sizeof(*other_name));
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
p += len;
if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
MBEDTLS_ASN1_OCTET_STRING)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
other_name->value.hardware_module_name.val.tag = MBEDTLS_ASN1_OCTET_STRING;
other_name->value.hardware_module_name.val.p = p;
other_name->value.hardware_module_name.val.len = len;
p += len;
if (p != end) {
mbedtls_platform_zeroize(other_name,
sizeof(*other_name));
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
return 0;
}
int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
mbedtls_x509_subject_alternative_name *san)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
switch (san_buf->tag &
(MBEDTLS_ASN1_TAG_CLASS_MASK |
MBEDTLS_ASN1_TAG_VALUE_MASK)) {
/*
* otherName
*/
case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_OTHER_NAME):
{
mbedtls_x509_san_other_name other_name;
ret = x509_get_other_name(san_buf, &other_name);
if (ret != 0) {
return ret;
}
memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name));
san->type = MBEDTLS_X509_SAN_OTHER_NAME;
memcpy(&san->san.other_name,
&other_name, sizeof(other_name));
}
break;
/*
* dNSName
*/
case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_DNS_NAME):
{
memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name));
san->type = MBEDTLS_X509_SAN_DNS_NAME;
memcpy(&san->san.unstructured_name,
san_buf, sizeof(*san_buf));
}
break;
/*
* Type not supported
*/
default:
return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
}
return 0;
}
#if !defined(MBEDTLS_X509_REMOVE_INFO)
static int x509_info_subject_alt_name(char **buf, size_t *size,
const mbedtls_x509_sequence
*subject_alt_name,
const char *prefix)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t i;
size_t n = *size;
char *p = *buf;
const mbedtls_x509_sequence *cur = subject_alt_name;
mbedtls_x509_subject_alternative_name san;
int parse_ret;
while (cur != NULL) {
memset(&san, 0, sizeof(san));
parse_ret = mbedtls_x509_parse_subject_alt_name(&cur->buf, &san);
if (parse_ret != 0) {
if (parse_ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) {
ret = mbedtls_snprintf(p, n, "\n%s <unsupported>", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
} else {
ret = mbedtls_snprintf(p, n, "\n%s <malformed>", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
}
cur = cur->next;
continue;
}
switch (san.type) {
/*
* otherName
*/
case MBEDTLS_X509_SAN_OTHER_NAME:
{
mbedtls_x509_san_other_name *other_name = &san.san.other_name;
ret = mbedtls_snprintf(p, n, "\n%s otherName :", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME,
&other_name->value.hardware_module_name.oid) != 0) {
ret = mbedtls_snprintf(p, n, "\n%s hardware module name :", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
ret =
mbedtls_snprintf(p, n, "\n%s hardware type : ", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
ret = mbedtls_oid_get_numeric_string(p,
n,
&other_name->value.hardware_module_name.oid);
MBEDTLS_X509_SAFE_SNPRINTF;
ret =
mbedtls_snprintf(p, n, "\n%s hardware serial number : ", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
for (i = 0; i < other_name->value.hardware_module_name.val.len; i++) {
ret = mbedtls_snprintf(p,
n,
"%02X",
other_name->value.hardware_module_name.val.p[i]);
MBEDTLS_X509_SAFE_SNPRINTF;
}
}/* MBEDTLS_OID_ON_HW_MODULE_NAME */
}
break;
/*
* dNSName
*/
case MBEDTLS_X509_SAN_DNS_NAME:
{
ret = mbedtls_snprintf(p, n, "\n%s dNSName : ", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
if (san.san.unstructured_name.len >= n) {
*p = '\0';
return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
}
memcpy(p, san.san.unstructured_name.p, san.san.unstructured_name.len);
p += san.san.unstructured_name.len;
n -= san.san.unstructured_name.len;
}
break;
/*
* Type not supported, skip item.
*/
default:
ret = mbedtls_snprintf(p, n, "\n%s <unsupported>", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
break;
}
cur = cur->next;
}
*p = '\0';
*size = n;
*buf = p;
return 0;
}
#define PRINT_ITEM(i) \
{ \
ret = mbedtls_snprintf(p, n, "%s" i, sep); \
MBEDTLS_X509_SAFE_SNPRINTF; \
sep = ", "; \
}
#define CERT_TYPE(type, name) \
if (ns_cert_type & (type)) \
PRINT_ITEM(name);
static int x509_info_cert_type(char **buf, size_t *size,
unsigned char ns_cert_type)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t n = *size;
char *p = *buf;
const char *sep = "";
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT, "SSL Client");
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER, "SSL Server");
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_EMAIL, "Email");
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING, "Object Signing");
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_RESERVED, "Reserved");
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_CA, "SSL CA");
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA, "Email CA");
CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA, "Object Signing CA");
*size = n;
*buf = p;
return 0;
}
#define KEY_USAGE(code, name) \
if (key_usage & (code)) \
PRINT_ITEM(name);
static int x509_info_key_usage(char **buf, size_t *size,
unsigned int key_usage)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t n = *size;
char *p = *buf;
const char *sep = "";
KEY_USAGE(MBEDTLS_X509_KU_DIGITAL_SIGNATURE, "Digital Signature");
KEY_USAGE(MBEDTLS_X509_KU_NON_REPUDIATION, "Non Repudiation");
KEY_USAGE(MBEDTLS_X509_KU_KEY_ENCIPHERMENT, "Key Encipherment");
KEY_USAGE(MBEDTLS_X509_KU_DATA_ENCIPHERMENT, "Data Encipherment");
KEY_USAGE(MBEDTLS_X509_KU_KEY_AGREEMENT, "Key Agreement");
KEY_USAGE(MBEDTLS_X509_KU_KEY_CERT_SIGN, "Key Cert Sign");
KEY_USAGE(MBEDTLS_X509_KU_CRL_SIGN, "CRL Sign");
KEY_USAGE(MBEDTLS_X509_KU_ENCIPHER_ONLY, "Encipher Only");
KEY_USAGE(MBEDTLS_X509_KU_DECIPHER_ONLY, "Decipher Only");
*size = n;
*buf = p;
return 0;
}
static int x509_info_ext_key_usage(char **buf, size_t *size,
const mbedtls_x509_sequence *extended_key_usage)
{
@ -2167,7 +1696,7 @@ int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix,
ret = mbedtls_snprintf(p, n, "\n%ssubject alt name :", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
if ((ret = x509_info_subject_alt_name(&p, &n,
if ((ret = mbedtls_x509_info_subject_alt_name(&p, &n,
&crt->subject_alt_names,
prefix)) != 0) {
return ret;
@ -2178,7 +1707,7 @@ int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix,
ret = mbedtls_snprintf(p, n, "\n%scert. type : ", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
if ((ret = x509_info_cert_type(&p, &n, crt->ns_cert_type)) != 0) {
if ((ret = mbedtls_x509_info_cert_type(&p, &n, crt->ns_cert_type)) != 0) {
return ret;
}
}
@ -2187,7 +1716,7 @@ int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix,
ret = mbedtls_snprintf(p, n, "\n%skey usage : ", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
if ((ret = x509_info_key_usage(&p, &n, crt->key_usage)) != 0) {
if ((ret = mbedtls_x509_info_key_usage(&p, &n, crt->key_usage)) != 0) {
return ret;
}
}

203
library/x509_csr.c
View file

@ -69,6 +69,165 @@ static int x509_csr_get_version(unsigned char **p,
return 0;
}
/*
* Parse CSR extension requests in DER format
*/
static int x509_csr_parse_extensions(mbedtls_x509_csr *csr,
unsigned char **p, const unsigned char *end)
{
int ret;
size_t len;
unsigned char *end_ext_data;
while (*p < end) {
mbedtls_x509_buf extn_oid = { 0, 0, NULL };
int ext_type = 0;
/* Read sequence tag */
if ((ret = mbedtls_asn1_get_tag(p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
end_ext_data = *p + len;
/* Get extension ID */
if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &extn_oid.len,
MBEDTLS_ASN1_OID)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
extn_oid.tag = MBEDTLS_ASN1_OID;
extn_oid.p = *p;
*p += extn_oid.len;
/* Data should be octet string type */
if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &len,
MBEDTLS_ASN1_OCTET_STRING)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
if (*p + len != end_ext_data) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
/*
* Detect supported extensions and skip unsupported extensions
*/
ret = mbedtls_oid_get_x509_ext_type(&extn_oid, &ext_type);
if (ret == 0) {
/* Forbid repeated extensions */
if ((csr->ext_types & ext_type) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_INVALID_DATA);
}
csr->ext_types |= ext_type;
switch (ext_type) {
case MBEDTLS_X509_EXT_KEY_USAGE:
/* Parse key usage */
if ((ret = mbedtls_x509_get_key_usage(p, end_ext_data,
&csr->key_usage)) != 0) {
return ret;
}
break;
case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
/* Parse subject alt name */
if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_data,
&csr->subject_alt_names)) != 0) {
return ret;
}
break;
case MBEDTLS_X509_EXT_NS_CERT_TYPE:
/* Parse netscape certificate type */
if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_data,
&csr->ns_cert_type)) != 0) {
return ret;
}
break;
default:
break;
}
}
*p = end_ext_data;
}
if (*p != end) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
return 0;
}
/*
* Parse CSR attributes in DER format
*/
static int x509_csr_parse_attributes(mbedtls_x509_csr *csr,
const unsigned char *start, const unsigned char *end)
{
int ret;
size_t len;
unsigned char *end_attr_data;
unsigned char **p = (unsigned char **) &start;
while (*p < end) {
mbedtls_x509_buf attr_oid = { 0, 0, NULL };
if ((ret = mbedtls_asn1_get_tag(p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
end_attr_data = *p + len;
/* Get attribute ID */
if ((ret = mbedtls_asn1_get_tag(p, end_attr_data, &attr_oid.len,
MBEDTLS_ASN1_OID)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
attr_oid.tag = MBEDTLS_ASN1_OID;
attr_oid.p = *p;
*p += attr_oid.len;
/* Check that this is an extension-request attribute */
if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS9_CSR_EXT_REQ, &attr_oid) == 0) {
if ((ret = mbedtls_asn1_get_tag(p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SET)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
if ((ret = mbedtls_asn1_get_tag(p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) !=
0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
if ((ret = x509_csr_parse_extensions(csr, p, *p + len)) != 0) {
return ret;
}
if (*p != end_attr_data) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
}
*p = end_attr_data;
}
if (*p != end) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
return 0;
}
/*
* Parse a CSR in DER format
*/
@ -197,6 +356,11 @@ int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
}
if ((ret = x509_csr_parse_attributes(csr, p, p + len)) != 0) {
mbedtls_x509_csr_free(csr);
return ret;
}
p += len;
end = csr->raw.p + csr->raw.len;
@ -345,6 +509,44 @@ int mbedtls_x509_csr_info(char *buf, size_t size, const char *prefix,
(int) mbedtls_pk_get_bitlen(&csr->pk));
MBEDTLS_X509_SAFE_SNPRINTF;
/*
* Optional extensions
*/
if (csr->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) {
ret = mbedtls_snprintf(p, n, "\n%ssubject alt name :", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
if ((ret = mbedtls_x509_info_subject_alt_name(&p, &n,
&csr->subject_alt_names,
prefix)) != 0) {
return ret;
}
}
if (csr->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE) {
ret = mbedtls_snprintf(p, n, "\n%scert. type : ", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
if ((ret = mbedtls_x509_info_cert_type(&p, &n, csr->ns_cert_type)) != 0) {
return ret;
}
}
if (csr->ext_types & MBEDTLS_X509_EXT_KEY_USAGE) {
ret = mbedtls_snprintf(p, n, "\n%skey usage : ", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
if ((ret = mbedtls_x509_info_key_usage(&p, &n, csr->key_usage)) != 0) {
return ret;
}
}
if (csr->ext_types != 0) {
ret = mbedtls_snprintf(p, n, "\n");
MBEDTLS_X509_SAFE_SNPRINTF;
}
return (int) (size - n);
}
#endif /* MBEDTLS_X509_REMOVE_INFO */
@ -373,6 +575,7 @@ void mbedtls_x509_csr_free(mbedtls_x509_csr *csr)
#endif
mbedtls_asn1_free_named_data_list_shallow(csr->subject.next);
mbedtls_asn1_sequence_free(csr->subject_alt_names.next);
if (csr->raw.p != NULL) {
mbedtls_platform_zeroize(csr->raw.p, csr->raw.len);

47
tests/data_files/Makefile
View file

@ -93,6 +93,53 @@ cert_example_multi.csr: rsa_pkcs1_1024_clear.pem
cert_example_multi.crt: cert_example_multi.csr
$(OPENSSL) x509 -req -CA $(test_ca_crt) -CAkey $(test_ca_key_file_rsa) -extfile $(test_ca_config_file) -extensions dns_alt_names -passin "pass:$(test_ca_pwd_rsa)" -set_serial 17 -days 3653 -sha256 -in $< > $@
test_csr_v3_keyUsage.csr.der: rsa_pkcs1_1024_clear.pem
$(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -outform DER -out $@ -reqexts csr_ext_v3_keyUsage
test_csr_v3_subjectAltName.csr.der: rsa_pkcs1_1024_clear.pem
$(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -outform DER -out $@ -reqexts csr_ext_v3_subjectAltName
test_csr_v3_nsCertType.csr.der: rsa_pkcs1_1024_clear.pem
$(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -outform DER -out $@ -reqexts csr_ext_v3_nsCertType
test_csr_v3_all.csr.der: rsa_pkcs1_1024_clear.pem
$(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -outform DER -out $@ -reqexts csr_ext_v3_all
test_csr_v3_all_malformed_extensions_sequence_tag.csr.der: test_csr_v3_all.csr.der
(hexdump -ve '1/1 "%.2X"' $< | sed "s/300B0603551D0F040403/200B0603551D0F040403/" | xxd -r -p ) > $@
test_csr_v3_all_malformed_extension_id_tag.csr.der: test_csr_v3_all.csr.der
(hexdump -ve '1/1 "%.2X"' $< | sed "s/0603551D0F0404030201/0703551D0F0404030201/" | xxd -r -p ) > $@
test_csr_v3_all_malformed_extension_data_tag.csr.der: test_csr_v3_all.csr.der
(hexdump -ve '1/1 "%.2X"' $< | sed "s/040403020102302F0603/050403020102302F0603/" | xxd -r -p ) > $@
test_csr_v3_all_malformed_extension_data_len1.csr.der: test_csr_v3_all.csr.der
(hexdump -ve '1/1 "%.2X"' $< | sed "s/040403020102302F0603/040503020102302F0603/" | xxd -r -p ) > $@
test_csr_v3_all_malformed_extension_data_len2.csr.der: test_csr_v3_all.csr.der
(hexdump -ve '1/1 "%.2X"' $< | sed "s/040403020102302F0603/040303020102302F0603/" | xxd -r -p ) > $@
test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der: test_csr_v3_all.csr.der
(hexdump -ve '1/1 "%.2X"' $< | sed "s/03020102302F0603551D/04020102302F0603551D/" | xxd -r -p ) > $@
test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der: test_csr_v3_all.csr.der
(hexdump -ve '1/1 "%.2X"' $< | sed "s/3026A02406082B060105/4026A02406082B060105/" | xxd -r -p ) > $@
test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der: test_csr_v3_all.csr.der
(hexdump -ve '1/1 "%.2X"' $< | sed "s/03020780300D06092A86/04020780300D06092A86/" | xxd -r -p ) > $@
test_csr_v3_all_malformed_duplicated_extension.csr.der: test_csr_v3_all.csr.der
(hexdump -ve '1/1 "%.2X"' $< | sed "s/551D11/551D0F/" | xxd -r -p ) > $@
test_csr_v3_all_malformed_extension_type_oid.csr.der: test_csr_v3_all.csr.der
(hexdump -ve '1/1 "%.2X"' $< | sed "s/551D11/551DFF/" | xxd -r -p ) > $@
test_csr_v3_all_malformed_attributes_sequence_tag.csr.der: test_csr_v3_all.csr.der
(hexdump -ve '1/1 "%.2X"' $< | sed "s/306006092A864886F70D/406006092A864886F70D/" | xxd -r -p ) > $@
test_csr_v3_all_malformed_attributes_id_tag.csr.der: test_csr_v3_all.csr.der
(hexdump -ve '1/1 "%.2X"' $< | sed "s/06092A864886F70D0109/07092A864886F70D0109/" | xxd -r -p ) > $@
test_csr_v3_all_malformed_attributes_extension_request.csr.der: test_csr_v3_all.csr.der
(hexdump -ve '1/1 "%.2X"' $< | sed "s/2A864886F70D01090E/2A864886F70D01090F/" | xxd -r -p ) > $@
test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der: test_csr_v3_all.csr.der
(hexdump -ve '1/1 "%.2X"' $< | sed "s/31533051300B0603551D/32533051300B0603551D/" | xxd -r -p ) > $@
test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der: test_csr_v3_all.csr.der
(hexdump -ve '1/1 "%.2X"' $< | sed "s/3051300B0603551D0F04/3151300B0603551D0F04/" | xxd -r -p ) > $@
test_csr_v3_all_malformed_attributes_len1.csr.der: test_csr_v3_all.csr.der
(hexdump -ve '1/1 "%.2X"' $< | sed "s/306006092A864886F70D/306106092A864886F70D/" | xxd -r -p ) > $@
test_csr_v3_all_malformed_attributes_len2.csr.der: test_csr_v3_all.csr.der
(hexdump -ve '1/1 "%.2X"' $< | sed "s/306006092A864886F70D/305906092A864886F70D/" | xxd -r -p ) > $@
test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der: test_csr_v3_all.csr.der
(hexdump -ve '1/1 "%.2X"' $< | sed "s/3051300B0603551D0F04/3052300B0603551D0F04/" | xxd -r -p ) > $@
test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der: test_csr_v3_all.csr.der
(hexdump -ve '1/1 "%.2X"' $< | sed "s/3051300B0603551D0F04/3050300B0603551D0F04/" | xxd -r -p ) > $@
$(test_ca_key_file_rsa_alt):test-ca.opensslconf
$(OPENSSL) genrsa -out $@ 2048
test-ca-alt.csr: $(test_ca_key_file_rsa_alt) $(test_ca_config_file)

14
tests/data_files/test-ca.opensslconf
View file

@ -82,3 +82,17 @@ fullname=URI:http://pki.example.com/
# these IPs are the ascii values for 'abcd' and 'abcd.example.com'
[tricky_ip_san]
subjectAltName=IP:97.98.99.100,IP:6162:6364:2e65:7861:6d70:6c65:2e63:6f6d
[csr_ext_v3_keyUsage]
keyUsage = digitalSignature, keyEncipherment
[csr_ext_v3_subjectAltName]
subjectAltName=DNS:example.com, DNS:example.net, DNS:*.example.org
[csr_ext_v3_nsCertType]
nsCertType=server
[csr_ext_v3_all]
keyUsage = cRLSign
subjectAltName=otherName:1.3.6.1.5.5.7.8.4;SEQ:nonprintable_hw_module_name
nsCertType=client

BIN
tests/data_files/test_csr_v3_all.csr.der Normal file
View file

Binary file not shown.

BIN
tests/data_files/test_csr_v3_all_malformed_attributes_extension_request.csr.der Normal file
View file

Binary file not shown.

BIN
tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der Normal file
View file

Binary file not shown.

BIN
tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der Normal file
View file

Binary file not shown.

BIN
tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der Normal file
View file

Binary file not shown.

BIN
tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der Normal file
View file

Binary file not shown.

BIN
tests/data_files/test_csr_v3_all_malformed_attributes_id_tag.csr.der Normal file
View file

Binary file not shown.

BIN
tests/data_files/test_csr_v3_all_malformed_attributes_len1.csr.der Normal file
View file

Binary file not shown.

BIN
tests/data_files/test_csr_v3_all_malformed_attributes_len2.csr.der Normal file
View file

Binary file not shown.

BIN
tests/data_files/test_csr_v3_all_malformed_attributes_sequence_tag.csr.der Normal file
View file

Binary file not shown.

BIN
tests/data_files/test_csr_v3_all_malformed_duplicated_extension.csr.der Normal file
View file

Binary file not shown.

BIN
tests/data_files/test_csr_v3_all_malformed_extension_data_len1.csr.der Normal file
View file

Binary file not shown.

BIN
tests/data_files/test_csr_v3_all_malformed_extension_data_len2.csr.der Normal file
View file

Binary file not shown.

BIN
tests/data_files/test_csr_v3_all_malformed_extension_data_tag.csr.der Normal file
View file

Binary file not shown.

BIN
tests/data_files/test_csr_v3_all_malformed_extension_id_tag.csr.der Normal file
View file

Binary file not shown.

BIN
tests/data_files/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der Normal file
View file

Binary file not shown.

BIN
tests/data_files/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der Normal file
View file

Binary file not shown.

BIN
tests/data_files/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der Normal file
View file

Binary file not shown.

BIN
tests/data_files/test_csr_v3_all_malformed_extension_type_oid.csr.der Normal file
View file

Binary file not shown.

BIN
tests/data_files/test_csr_v3_all_malformed_extensions_sequence_tag.csr.der Normal file
View file

Binary file not shown.

BIN
tests/data_files/test_csr_v3_keyUsage.csr.der Normal file
View file

Binary file not shown.

BIN
tests/data_files/test_csr_v3_nsCertType.csr.der Normal file
View file

Binary file not shown.

BIN
tests/data_files/test_csr_v3_subjectAltName.csr.der Normal file
View file

Binary file not shown.

116
tests/suites/test_suite_x509parse.data
View file

@ -308,48 +308,64 @@ mbedtls_x509_csr_info:"data_files/server1.req.commas.sha256":"CSR version \: 1
X509 CSR Information EC with SHA1
depends_on:MBEDTLS_ECDSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO
mbedtls_x509_csr_info:"data_files/server5.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n"
mbedtls_x509_csr_info:"data_files/server5.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information EC with SHA224
depends_on:MBEDTLS_ECDSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO
mbedtls_x509_csr_info:"data_files/server5.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA224\nEC key size \: 256 bits\n"
mbedtls_x509_csr_info:"data_files/server5.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA224\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information EC with SHA256
depends_on:MBEDTLS_ECDSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO
mbedtls_x509_csr_info:"data_files/server5.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\n"
mbedtls_x509_csr_info:"data_files/server5.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information EC with SHA384
depends_on:MBEDTLS_ECDSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO
mbedtls_x509_csr_info:"data_files/server5.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA384\nEC key size \: 256 bits\n"
mbedtls_x509_csr_info:"data_files/server5.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA384\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information EC with SHA512
depends_on:MBEDTLS_ECDSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO
mbedtls_x509_csr_info:"data_files/server5.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA512\nEC key size \: 256 bits\n"
mbedtls_x509_csr_info:"data_files/server5.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA512\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information RSA-PSS with SHA1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO
mbedtls_x509_csr_info:"data_files/server9.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0x6A)\nRSA key size \: 1024 bits\n"
mbedtls_x509_csr_info:"data_files/server9.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0x6A)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information RSA-PSS with SHA224
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO
mbedtls_x509_csr_info:"data_files/server9.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0x62)\nRSA key size \: 1024 bits\n"
mbedtls_x509_csr_info:"data_files/server9.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0x62)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information RSA-PSS with SHA256
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO
mbedtls_x509_csr_info:"data_files/server9.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0x5E)\nRSA key size \: 1024 bits\n"
mbedtls_x509_csr_info:"data_files/server9.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0x5E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information RSA-PSS with SHA384
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO
mbedtls_x509_csr_info:"data_files/server9.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0x4E)\nRSA key size \: 1024 bits\n"
mbedtls_x509_csr_info:"data_files/server9.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0x4E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information RSA-PSS with SHA512
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO
mbedtls_x509_csr_info:"data_files/server9.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0x3E)\nRSA key size \: 1024 bits\n"
mbedtls_x509_csr_info:"data_files/server9.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0x3E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information RSA with SHA-256 - Microsoft header
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
mbedtls_x509_csr_info:"data_files/server1-ms.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n"
X509 CSR Information v3 extensions #1 (all)
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
mbedtls_x509_csr_info:"data_files/test_csr_v3_all.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 3132338081008180333231\ncert. type \: SSL Client\nkey usage \: CRL Sign\n"
X509 CSR Information v3 extensions #2 (nsCertType only)
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
mbedtls_x509_csr_info:"data_files/test_csr_v3_nsCertType.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\ncert. type \: SSL Server\n"
X509 CSR Information v3 extensions #3 (subjectAltName only)
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
mbedtls_x509_csr_info:"data_files/test_csr_v3_subjectAltName.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nsubject alt name \:\n dNSName \: example.com\n dNSName \: example.net\n dNSName \: *.example.org\n"
X509 CSR Information v3 extensions #4 (keyUsage only)
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
mbedtls_x509_csr_info:"data_files/test_csr_v3_keyUsage.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Key Encipherment\n"
X509 Verify Information: empty
x509_verify_info:0:"":""
@ -2573,7 +2589,7 @@ x509_parse_rsassa_pss_params:"a303020102":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN
X509 CSR ASN.1 (OK)
depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_X509_REMOVE_INFO
mbedtls_x509_csr_parse:"308201183081bf0201003034310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c31123010060355040313096c6f63616c686f73743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa029302706092a864886f70d01090e311a301830090603551d1304023000300b0603551d0f0404030205e0300906072a8648ce3d04010349003046022100b49fd8c8f77abfa871908dfbe684a08a793d0f490a43d86fcf2086e4f24bb0c2022100f829d5ccd3742369299e6294394717c4b723a0f68b44e831b6e6c3bcabf97243":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n":0
mbedtls_x509_csr_parse:"308201183081bf0201003034310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c31123010060355040313096c6f63616c686f73743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa029302706092a864886f70d01090e311a301830090603551d1304023000300b0603551d0f0404030205e0300906072a8648ce3d04010349003046022100b49fd8c8f77abfa871908dfbe684a08a793d0f490a43d86fcf2086e4f24bb0c2022100f829d5ccd3742369299e6294394717c4b723a0f68b44e831b6e6c3bcabf97243":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n":0
X509 CSR ASN.1 (bad first tag)
mbedtls_x509_csr_parse:"3100":"":MBEDTLS_ERR_X509_INVALID_FORMAT
@ -2664,6 +2680,84 @@ mbedtls_x509_csr_parse:"308201193081bf0201003034310b3009060355040613024e4c311130
X509 CSR ASN.1 (invalid version overflow)
mbedtls_x509_csr_parse:"3008300602047fffffff":"":MBEDTLS_ERR_X509_UNKNOWN_VERSION
# Used test_csr_v3_all.csr.der as a base for malforming CSR extenstions/attributes
# Please see makefile for data_files to check malformation details (test_csr_v3_all_malformed_xxx.csr files)
X509 CSR ASN.1 (attributes: invalid sequence tag)
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (attributes: invalid attribute id)
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_id_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (attributes: not extension request)
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_extension_request.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n":0
X509 CSR ASN.1 (attributes: invalid extenstion request set tag)
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (attributes: invalid extenstion request sequence tag)
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (attributes: invalid len (len > data))
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
X509 CSR ASN.1 (attributes: invalid len (len < data))
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
X509 CSR ASN.1 (attributes: extension request invalid len (len > data))
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
X509 CSR ASN.1 (attributes: extension request invalid len (len < data))
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
X509 CSR ASN.1 (extensions: invalid sequence tag)
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extensions_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (extensions: invalid extension id tag)
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_id_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (extensions: invalid extension data tag)
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_data_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (extensions: invalid extension data len (len > data))
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_data_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
X509 CSR ASN.1 (extensions: invalid extension data len (len < data))
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_data_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
X509 CSR ASN.1 (extensions: invalid extension key usage bitstream tag)
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (extensions: invalid extension subject alt name sequence tag)
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (extensions: invalid extension ns cert bitstream tag)
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (extensions: duplicated extension)
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_duplicated_extension.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_INVALID_DATA
X509 CSR ASN.1 (extensions: invalid extension type data)
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_type_oid.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\ncert. type \: SSL Client\nkey usage \: CRL Sign\n":0
X509 File parse (no issues)
depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C
x509parse_crt_file:"data_files/server7_int-ca.crt":0

24
tests/suites/test_suite_x509parse.function
View file

@ -1169,6 +1169,30 @@ exit:
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CSR_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */
void mbedtls_x509_csr_parse_file(char *csr_file, char *ref_out, int ref_ret)
{
mbedtls_x509_csr csr;
char my_out[1000];
int my_ret;
mbedtls_x509_csr_init(&csr);
memset(my_out, 0, sizeof(my_out));
my_ret = mbedtls_x509_csr_parse_file(&csr, csr_file);
TEST_ASSERT(my_ret == ref_ret);
if (ref_ret == 0) {
size_t my_out_len = mbedtls_x509_csr_info(my_out, sizeof(my_out), "", &csr);
TEST_ASSERT(my_out_len == strlen(ref_out));
TEST_ASSERT(strcmp(my_out, ref_out) == 0);
}
exit:
mbedtls_x509_csr_free(&csr);
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
void mbedtls_x509_crt_parse_path(char *crt_path, int ret, int nb_crt)
{