Print unparseable SubjectAlternativeNames
In x509_info_subject_alt_name() we silently dropped names that we couldn't parse because they are not supported or are malformed. (A malformed name might mean a damaged file, but it can also be a sign of incompatibility between applications.) This commit adds code notifying the user that a name is present but cannot be parsed.
This commit is contained in:
parent
ab23cd1eae
commit
22f605fbab
2 changed files with 22 additions and 16 deletions
|
@ -1682,21 +1682,27 @@ static int x509_info_subject_alt_name( char **buf, size_t *size,
|
||||||
{
|
{
|
||||||
mbedtls_x509_san_other_name other_name;
|
mbedtls_x509_san_other_name other_name;
|
||||||
|
|
||||||
ret = x509_get_other_name( &cur->buf, &other_name );
|
int parse_ret = x509_get_other_name( &cur->buf, &other_name );
|
||||||
if( ret != 0 )
|
|
||||||
{
|
|
||||||
/*
|
|
||||||
* In case MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE is returned,
|
|
||||||
* then the "otherName" is of an unsupported type. Ignore.
|
|
||||||
*/
|
|
||||||
if( ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE )
|
|
||||||
ret = 0;
|
|
||||||
return( ret );
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = mbedtls_snprintf( p, n, "\n%s otherName :", prefix );
|
ret = mbedtls_snprintf( p, n, "\n%s otherName :", prefix );
|
||||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||||
|
|
||||||
|
if( parse_ret != 0 )
|
||||||
|
{
|
||||||
|
if( ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE )
|
||||||
|
{
|
||||||
|
ret = mbedtls_snprintf( p, n, " <unsupported>" );
|
||||||
|
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
ret = mbedtls_snprintf( p, n, " <malformed>" );
|
||||||
|
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||||
|
}
|
||||||
|
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
if( MBEDTLS_OID_CMP( MBEDTLS_OID_ON_HW_MODULE_NAME,
|
if( MBEDTLS_OID_CMP( MBEDTLS_OID_ON_HW_MODULE_NAME,
|
||||||
&other_name.value.hardware_module_name.oid ) != 0 )
|
&other_name.value.hardware_module_name.oid ) != 0 )
|
||||||
{
|
{
|
||||||
|
@ -1732,7 +1738,6 @@ static int x509_info_subject_alt_name( char **buf, size_t *size,
|
||||||
*/
|
*/
|
||||||
case( MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_DNS_NAME ):
|
case( MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_DNS_NAME ):
|
||||||
{
|
{
|
||||||
|
|
||||||
ret = mbedtls_snprintf( p, n, "\n%s dNSName : ", prefix );
|
ret = mbedtls_snprintf( p, n, "\n%s dNSName : ", prefix );
|
||||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||||
if( cur->buf.len >= n )
|
if( cur->buf.len >= n )
|
||||||
|
@ -1747,13 +1752,14 @@ static int x509_info_subject_alt_name( char **buf, size_t *size,
|
||||||
break;
|
break;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Type not supported, skip item.
|
* Type not supported.
|
||||||
*/
|
*/
|
||||||
default:
|
default:
|
||||||
|
ret = mbedtls_snprintf( p, n, "\n%s <unsupported>", prefix );
|
||||||
|
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
cur = cur->next;
|
cur = cur->next;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
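Review bot: The new branch selection `if( ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE )` inside `if( parse_ret != 0 )` tests the wrong variable: by that point `ret` has been overwritten by the preceding `mbedtls_snprintf( p, n, "\n%s otherName :", prefix )` and consumed by MBEDTLS_X509_SAFE_SNPRINTF, so the comparison no longer examines the parse result and an unsupported otherName type is reported with the same `<malformed>` text as a damaged one. The check should read `if( parse_ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE )`. The removed block's comment explaining that MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE denotes an unsupported otherName type was dropped with it; restoring that explanation above the new `if( parse_ret != 0 )`, e.g. `/* FEATURE_UNAVAILABLE: unsupported otherName type; any other error: malformed otherName. Report it and continue with the next name. */`, would keep the distinction visible to the next reader. x509_info_subject_alt_name starts and ends outside the hunk.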
@ -124,7 +124,7 @@ x509_cert_info:"data_files/multiple_san.crt":"cert. version \: 3\nserial num
|
||||||
|
|
||||||
X509 Certificate information, Subject Alt Name + Key Usage
|
X509 Certificate information, Subject Alt Name + Key Usage
|
||||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
|
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
|
||||||
x509_cert_info:"data_files/cert_example_multi_nocn.crt":"cert. version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nsubject alt name \:\n dNSName \: www.shotokan-braunschweig.de\n dNSName \: www.massimo-abate.eu\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
|
x509_cert_info:"data_files/cert_example_multi_nocn.crt":"cert. version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nsubject alt name \:\n dNSName \: www.shotokan-braunschweig.de\n dNSName \: www.massimo-abate.eu\n <unsupported>\n <unsupported>\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
|
||||||
|
|
||||||
X509 Certificate information, RSA Certificate Policy any
|
X509 Certificate information, RSA Certificate Policy any
|
||||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
|
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
|
||||||
|
@ -172,7 +172,7 @@ x509_cert_info:"data_files/server3.crt":"cert. version \: 3\nserial number
|
||||||
|
|
||||||
X509 Certificate information Bitstring in subject name
|
X509 Certificate information Bitstring in subject name
|
||||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
|
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
|
||||||
x509_cert_info:"data_files/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=?7101012255\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\next key usage \: TLS Web Client Authentication\n"
|
x509_cert_info:"data_files/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=?7101012255\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n <unsupported>\next key usage \: TLS Web Client Authentication\n"
|
||||||
|
|
||||||
X509 certificate v1 with extension
|
X509 certificate v1 with extension
|
||||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3:MBEDTLS_SHA1_C
|
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3:MBEDTLS_SHA1_C
|
||||||
|
|
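Review bot: The updated expectations only exercise the `default:` `<unsupported>` path of the C change; neither vector visible here contains an otherName that fails to parse, so the otherName `<unsupported>` / `<malformed>` distinction introduced in the same commit is not pinned by the suite. A vector with an otherName of an unsupported type and one with a truncated otherName would cover both strings and would also catch the branch in x509_info_subject_alt_name that selects between them. The `<unsupported>` markers carry no tag number, so the two identical lines expected for cert_example_multi_nocn.crt cannot be told apart in the output; if that is acceptable, a short note in the test description saying the lines stand for distinct names would avoid confusion.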