From 47c7a732d28696b9ff4ebd90f45ba4d96d6cfd78 Mon Sep 17 00:00:00 2001 From: Victor Barpp Gomes <17840319+Kabbah@users.noreply.github.com> Date: Thu, 29 Sep 2022 11:34:23 -0300 Subject: [PATCH 1/3] Print RFC 4108 hwSerialNum in hex format Signed-off-by: Victor Barpp Gomes <17840319+Kabbah@users.noreply.github.com> --- library/x509_crt.c | 14 ++----- tests/suites/test_suite_x509parse.data | 8 ++-- tests/suites/test_suite_x509parse.function | 46 ++++++++++------------ 3 files changed, 28 insertions(+), 40 deletions(-) diff --git a/library/x509_crt.c b/library/x509_crt.c index af1e487db..d17a952b7 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -1854,6 +1854,7 @@ static int x509_info_subject_alt_name( char **buf, size_t *size, const char *prefix ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t i; size_t n = *size; char *p = *buf; const mbedtls_x509_sequence *cur = subject_alt_name; @@ -1906,18 +1907,11 @@ static int x509_info_subject_alt_name( char **buf, size_t *size, ret = mbedtls_snprintf( p, n, "\n%s hardware serial number : ", prefix ); MBEDTLS_X509_SAFE_SNPRINTF; - if( other_name->value.hardware_module_name.val.len >= n ) + for( i = 0; i < other_name->value.hardware_module_name.val.len; i++ ) { - *p = '\0'; - return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL ); + ret = mbedtls_snprintf( p, n, "%02X", other_name->value.hardware_module_name.val.p[i] ); + MBEDTLS_X509_SAFE_SNPRINTF; } - - memcpy( p, other_name->value.hardware_module_name.val.p, - other_name->value.hardware_module_name.val.len ); - p += other_name->value.hardware_module_name.val.len; - - n -= other_name->value.hardware_module_name.val.len; - }/* MBEDTLS_OID_ON_HW_MODULE_NAME */ } break; diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 6263fba2c..a4908a61e 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -88,7 +88,7 @@ x509_cert_info:"data_files/server5-sha512.crt":"cert. version \: 3\nserial n X509 CRT information EC, SHA256 Digest, hardware module name SAN depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_cert_info:"data_files/server5-othername.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nissued on \: 2019-03-24 09\:06\:02\nexpires on \: 2029-03-21 09\:06\:02\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 123456\n" +x509_cert_info:"data_files/server5-othername.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nissued on \: 2019-03-24 09\:06\:02\nexpires on \: 2029-03-21 09\:06\:02\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 313233343536\n" X509 CRT information EC, SHA256 Digest, Wisun Fan device depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA @@ -112,7 +112,7 @@ x509_cert_info:"data_files/cert_example_multi.crt":"cert. version \: 3\nseri X509 CRT information, Multiple different Subject Alt Name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_cert_info:"data_files/multiple_san.crt":"cert. version \: 3\nserial number \: 04\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS multiple othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS multiple othername SAN\nissued on \: 2019-04-22 16\:10\:48\nexpires on \: 2029-04-19 16\:10\:48\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n dNSName \: example.com\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 123456\n dNSName \: example.net\n dNSName \: *.example.org\n" +x509_cert_info:"data_files/multiple_san.crt":"cert. version \: 3\nserial number \: 04\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS multiple othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS multiple othername SAN\nissued on \: 2019-04-22 16\:10\:48\nexpires on \: 2029-04-19 16\:10\:48\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n dNSName \: example.com\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 313233343536\n dNSName \: example.net\n dNSName \: *.example.org\n" X509 CRT information, Subject Alt Name + Key Usage depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA @@ -172,7 +172,7 @@ x509_cert_info:"data_files/non-ascii-string-in-issuer.crt":"cert. version \: X509 SAN parsing otherName depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_parse_san:"data_files/server5-othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 123456\n" +x509_parse_san:"data_files/server5-othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\n" X509 SAN parsing dNSName depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA @@ -180,7 +180,7 @@ x509_parse_san:"data_files/cert_example_multi.crt":"type \: 2\ndNSName \: exampl X509 SAN parsing Multiple different types depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_parse_san:"data_files/multiple_san.crt":"type \: 2\ndNSName \: example.com\ntype \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 123456\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n" +x509_parse_san:"data_files/multiple_san.crt":"type \: 2\ndNSName \: example.com\ntype \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n" X509 SAN parsing, no subject alt name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECDSA_C diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index 60e703a94..df4b03e0e 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -246,36 +246,30 @@ int verify_parse_san( mbedtls_x509_subject_alternative_name *san, switch( san->type ) { - case( MBEDTLS_X509_SAN_OTHER_NAME ): - ret = mbedtls_snprintf( p, n, "\notherName :"); - MBEDTLS_X509_SAFE_SNPRINTF; + case( MBEDTLS_X509_SAN_OTHER_NAME ): + ret = mbedtls_snprintf( p, n, "\notherName :"); + MBEDTLS_X509_SAFE_SNPRINTF; - if( MBEDTLS_OID_CMP( MBEDTLS_OID_ON_HW_MODULE_NAME, - &san->san.other_name.value.hardware_module_name.oid ) != 0 ) - { - ret = mbedtls_snprintf( p, n, " hardware module name :" ); - MBEDTLS_X509_SAFE_SNPRINTF; - ret = mbedtls_snprintf( p, n, " hardware type : " ); - MBEDTLS_X509_SAFE_SNPRINTF; + if( MBEDTLS_OID_CMP( MBEDTLS_OID_ON_HW_MODULE_NAME, + &san->san.other_name.value.hardware_module_name.oid ) != 0 ) + { + ret = mbedtls_snprintf( p, n, " hardware module name :" ); + MBEDTLS_X509_SAFE_SNPRINTF; + ret = mbedtls_snprintf( p, n, " hardware type : " ); + MBEDTLS_X509_SAFE_SNPRINTF; - ret = mbedtls_oid_get_numeric_string( p, n, - &san->san.other_name.value.hardware_module_name.oid ); - MBEDTLS_X509_SAFE_SNPRINTF; + ret = mbedtls_oid_get_numeric_string( p, n, + &san->san.other_name.value.hardware_module_name.oid ); + MBEDTLS_X509_SAFE_SNPRINTF; - ret = mbedtls_snprintf( p, n, ", hardware serial number : " ); - MBEDTLS_X509_SAFE_SNPRINTF; + ret = mbedtls_snprintf( p, n, ", hardware serial number : " ); + MBEDTLS_X509_SAFE_SNPRINTF; - if( san->san.other_name.value.hardware_module_name.val.len >= n ) - { - *p = '\0'; - return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL ); - } - - for( i=0; i < san->san.other_name.value.hardware_module_name.val.len; i++ ) - { - *p++ = san->san.other_name.value.hardware_module_name.val.p[i]; - } - n -= san->san.other_name.value.hardware_module_name.val.len; + for( i = 0; i < san->san.other_name.value.hardware_module_name.val.len; i++ ) + { + ret = mbedtls_snprintf( p, n, "%02X", san->san.other_name.value.hardware_module_name.val.p[i] ); + MBEDTLS_X509_SAFE_SNPRINTF; + } } break;/* MBEDTLS_OID_ON_HW_MODULE_NAME */ case( MBEDTLS_X509_SAN_DNS_NAME ): From d0225afcb62573774df307389352c336b97a9e54 Mon Sep 17 00:00:00 2001 From: Victor Barpp Gomes <17840319+Kabbah@users.noreply.github.com> Date: Thu, 29 Sep 2022 11:40:20 -0300 Subject: [PATCH 2/3] Add a new test with a binary hwSerialNum Signed-off-by: Victor Barpp Gomes <17840319+Kabbah@users.noreply.github.com> --- tests/data_files/Makefile | 3 +++ tests/data_files/server5-nonprintable_othername.crt | 12 ++++++++++++ tests/data_files/test-ca.opensslconf | 7 +++++++ tests/suites/test_suite_x509parse.data | 8 ++++++++ 4 files changed, 30 insertions(+) create mode 100644 tests/data_files/server5-nonprintable_othername.crt diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 6187d17bc..09a068946 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -276,6 +276,9 @@ all_final += server5-ss-forgeca.crt server5-othername.crt: server5.key $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS othername SAN" -set_serial 77 -config $(test_ca_config_file) -extensions othername_san -days 3650 -sha256 -key $< -out $@ +server5-nonprintable_othername.crt: server5.key + $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS non-printable othername SAN" -set_serial 77 -config $(test_ca_config_file) -extensions nonprintable_othername_san -days 3650 -sha256 -key $< -out $@ + server5-unsupported_othername.crt: server5.key $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS unsupported othername SAN" -set_serial 77 -config $(test_ca_config_file) -extensions unsupoported_othername_san -days 3650 -sha256 -key $< -out $@ diff --git a/tests/data_files/server5-nonprintable_othername.crt b/tests/data_files/server5-nonprintable_othername.crt new file mode 100644 index 000000000..9470bbe9c --- /dev/null +++ b/tests/data_files/server5-nonprintable_othername.crt @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBwTCCAWagAwIBAgIBTTAKBggqhkjOPQQDAjBPMQswCQYDVQQGEwJVSzERMA8G +A1UECgwITWJlZCBUTFMxLTArBgNVBAMMJE1iZWQgVExTIG5vbi1wcmludGFibGUg +b3RoZXJuYW1lIFNBTjAeFw0yMjA5MDYxNTU2NDdaFw0zMjA5MDMxNTU2NDdaME8x +CzAJBgNVBAYTAlVLMREwDwYDVQQKDAhNYmVkIFRMUzEtMCsGA1UEAwwkTWJlZCBU +TFMgbm9uLXByaW50YWJsZSBvdGhlcm5hbWUgU0FOMFkwEwYHKoZIzj0CAQYIKoZI +zj0DAQcDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDYIxH/ +6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/6MzMDEwLwYDVR0RBCgwJqAkBggrBgEF +BQcIBKAYMBYGBysGAQQBEQMECzEyM4CBAIGAMzIxMAoGCCqGSM49BAMCA0kAMEYC +IQDATir07PTj5gtf+HAyI+nd27AH9+bdaWdOI2t2bAwUWgIhAO7kvdcsa++yfJdT +3vnWdvcHRIAdXA0kh+mcBMaXk9B0 +-----END CERTIFICATE----- diff --git a/tests/data_files/test-ca.opensslconf b/tests/data_files/test-ca.opensslconf index 64347de83..3bb237903 100644 --- a/tests/data_files/test-ca.opensslconf +++ b/tests/data_files/test-ca.opensslconf @@ -15,6 +15,9 @@ basicConstraints = CA:true [othername_san] subjectAltName=otherName:1.3.6.1.5.5.7.8.4;SEQ:hw_module_name +[nonprintable_othername_san] +subjectAltName=otherName:1.3.6.1.5.5.7.8.4;SEQ:nonprintable_hw_module_name + [unsupoported_othername_san] subjectAltName=otherName:1.2.3.4;UTF8:some other identifier @@ -34,6 +37,10 @@ subjectAltName=@alt_names hwtype = OID:1.3.6.1.4.1.17.3 hwserial = OCT:123456 +[nonprintable_hw_module_name] +hwtype = OID:1.3.6.1.4.1.17.3 +hwserial = FORMAT:HEX, OCT:3132338081008180333231 + [v3_any_policy_ca] basicConstraints = CA:true certificatePolicies = 2.5.29.32.0 diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index a4908a61e..69f745f46 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -90,6 +90,10 @@ X509 CRT information EC, SHA256 Digest, hardware module name SAN depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA x509_cert_info:"data_files/server5-othername.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nissued on \: 2019-03-24 09\:06\:02\nexpires on \: 2029-03-21 09\:06\:02\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 313233343536\n" +X509 CRT information EC, SHA256 Digest, binary hardware module name SAN +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA +x509_cert_info:"data_files/server5-nonprintable_othername.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS non-printable othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS non-printable othername SAN\nissued on \: 2022-09-06 15\:56\:47\nexpires on \: 2032-09-03 15\:56\:47\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 3132338081008180333231\n" + X509 CRT information EC, SHA256 Digest, Wisun Fan device depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA x509_cert_info:"data_files/server5-fan.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nissued on \: 2019-03-25 09\:03\:46\nexpires on \: 2029-03-22 09\:03\:46\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\next key usage \: Wi-SUN Alliance Field Area Network (FAN)\n" @@ -174,6 +178,10 @@ X509 SAN parsing otherName depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA x509_parse_san:"data_files/server5-othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\n" +X509 SAN parsing binary otherName +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA +x509_parse_san:"data_files/server5-nonprintable_othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 3132338081008180333231\n" + X509 SAN parsing dNSName depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA x509_parse_san:"data_files/cert_example_multi.crt":"type \: 2\ndNSName \: example.com\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n" From 00a02b1468e95e0c0bf66e513beb919733e78050 Mon Sep 17 00:00:00 2001 From: Victor Barpp Gomes <17840319+Kabbah@users.noreply.github.com> Date: Thu, 29 Sep 2022 11:40:39 -0300 Subject: [PATCH 3/3] Add Changelog entry Signed-off-by: Victor Barpp Gomes <17840319+Kabbah@users.noreply.github.com> --- ChangeLog.d/fix_x509_info_hwmodulename.txt | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 ChangeLog.d/fix_x509_info_hwmodulename.txt diff --git a/ChangeLog.d/fix_x509_info_hwmodulename.txt b/ChangeLog.d/fix_x509_info_hwmodulename.txt new file mode 100644 index 000000000..8b227cec3 --- /dev/null +++ b/ChangeLog.d/fix_x509_info_hwmodulename.txt @@ -0,0 +1,5 @@ +Bugfix + * Fix a bug in which mbedtls_x509_crt_info() would produce non-printable + bytes when parsing certificates containing a binary RFC 4108 + HardwareModuleName as a Subject Alternative Name extension. Hardware + serial numbers are now rendered in hex format. Fixes #6262.