From 22f605fbab03c36f3ce32f0fdd681dbec480917c Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 10 May 2019 10:37:17 +0100 Subject: [PATCH] Print unparseable SubjectAlternativeNames In x509_info_subject_alt_name() we silently dropped names that we couldn't parse because they are not supported or are malformed. (Being malformed might mean damaged file, but can be a sign of incompatibility between applications.) This commit adds code notifying the user that there is something, but we can't parse it. --- library/x509_crt.c | 34 +++++++++++++++----------- tests/suites/test_suite_x509parse.data | 4 +-- 2 files changed, 22 insertions(+), 16 deletions(-) diff --git a/library/x509_crt.c b/library/x509_crt.c index cfd3b9d13..54b42854b 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -1682,21 +1682,27 @@ static int x509_info_subject_alt_name( char **buf, size_t *size, { mbedtls_x509_san_other_name other_name; - ret = x509_get_other_name( &cur->buf, &other_name ); - if( ret != 0 ) - { - /* - * In case MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE is returned, - * then the "otherName" is of an unsupported type. Ignore. - */ - if( ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE ) - ret = 0; - return( ret ); - } + int parse_ret = x509_get_other_name( &cur->buf, &other_name ); ret = mbedtls_snprintf( p, n, "\n%s otherName :", prefix ); MBEDTLS_X509_SAFE_SNPRINTF; + if( parse_ret != 0 ) + { + if( ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE ) + { + ret = mbedtls_snprintf( p, n, " " ); + MBEDTLS_X509_SAFE_SNPRINTF; + } + else + { + ret = mbedtls_snprintf( p, n, " " ); + MBEDTLS_X509_SAFE_SNPRINTF; + } + + break; + } + if( MBEDTLS_OID_CMP( MBEDTLS_OID_ON_HW_MODULE_NAME, &other_name.value.hardware_module_name.oid ) != 0 ) { @@ -1732,7 +1738,6 @@ static int x509_info_subject_alt_name( char **buf, size_t *size, */ case( MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_DNS_NAME ): { - ret = mbedtls_snprintf( p, n, "\n%s dNSName : ", prefix ); MBEDTLS_X509_SAFE_SNPRINTF; if( cur->buf.len >= n ) @@ -1747,13 +1752,14 @@ static int x509_info_subject_alt_name( char **buf, size_t *size, break; /* - * Type not supported, skip item. + * Type not supported. */ default: + ret = mbedtls_snprintf( p, n, "\n%s ", prefix ); + MBEDTLS_X509_SAFE_SNPRINTF; break; } - cur = cur->next; } diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index d3afe1f88..99dd0833f 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -124,7 +124,7 @@ x509_cert_info:"data_files/multiple_san.crt":"cert. version \: 3\nserial num X509 Certificate information, Subject Alt Name + Key Usage depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -x509_cert_info:"data_files/cert_example_multi_nocn.crt":"cert. version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nsubject alt name \:\n dNSName \: www.shotokan-braunschweig.de\n dNSName \: www.massimo-abate.eu\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" +x509_cert_info:"data_files/cert_example_multi_nocn.crt":"cert. version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nsubject alt name \:\n dNSName \: www.shotokan-braunschweig.de\n dNSName \: www.massimo-abate.eu\n \n \nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 Certificate information, RSA Certificate Policy any depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C @@ -172,7 +172,7 @@ x509_cert_info:"data_files/server3.crt":"cert. version \: 3\nserial number X509 Certificate information Bitstring in subject name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -x509_cert_info:"data_files/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=?7101012255\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\next key usage \: TLS Web Client Authentication\n" +x509_cert_info:"data_files/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=?7101012255\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n \next key usage \: TLS Web Client Authentication\n" X509 certificate v1 with extension depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3:MBEDTLS_SHA1_C