Merge pull request #8378 from mschulz-at-hilscher/fixes/issue-8377
Fixes "CSR parsing with critical fields fails"
4dec9ebdc2
5 changed files with 259 additions and 46 deletions
|
@ -0,0 +1,6 @@
|
||||||
|
Features
|
||||||
|
* Add new mbedtls_x509_csr_parse_der_with_ext_cb() routine which allows
|
||||||
|
parsing unsupported certificate extensions via user provided callback.
|
||||||
|
|
||||||
|
Bugfix
|
||||||
|
* Fix parsing of CSRs with critical extensions.
|
|
@ -75,7 +75,9 @@ mbedtls_x509write_csr;
|
||||||
/**
|
/**
|
||||||
* \brief Load a Certificate Signing Request (CSR) in DER format
|
* \brief Load a Certificate Signing Request (CSR) in DER format
|
||||||
*
|
*
|
||||||
* \note CSR attributes (if any) are currently silently ignored.
|
* \note Any unsupported requested extensions are silently
|
||||||
|
* ignored, unless the critical flag is set, in which case
|
||||||
|
* the CSR is rejected.
|
||||||
*
|
*
|
||||||
* \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
|
* \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
|
||||||
* subsystem must have been initialized by calling
|
* subsystem must have been initialized by calling
|
||||||
|
@ -90,6 +92,67 @@ mbedtls_x509write_csr;
|
||||||
int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
|
int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
|
||||||
const unsigned char *buf, size_t buflen);
|
const unsigned char *buf, size_t buflen);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief The type of certificate extension callbacks.
|
||||||
|
*
|
||||||
|
* Callbacks of this type are passed to and used by the
|
||||||
|
* mbedtls_x509_csr_parse_der_with_ext_cb() routine when
|
||||||
|
* it encounters either an unsupported extension.
|
||||||
|
* Future versions of the library may invoke the callback
|
||||||
|
* in other cases, if and when the need arises.
|
||||||
|
*
|
||||||
|
* \param p_ctx An opaque context passed to the callback.
|
||||||
|
* \param csr The CSR being parsed.
|
||||||
|
* \param oid The OID of the extension.
|
||||||
|
* \param critical Whether the extension is critical.
|
||||||
|
* \param p Pointer to the start of the extension value
|
||||||
|
* (the content of the OCTET STRING).
|
||||||
|
* \param end End of extension value.
|
||||||
|
*
|
||||||
|
* \note The callback must fail and return a negative error code
|
||||||
|
* if it can not parse or does not support the extension.
|
||||||
|
* When the callback fails to parse a critical extension
|
||||||
|
* mbedtls_x509_csr_parse_der_with_ext_cb() also fails.
|
||||||
|
* When the callback fails to parse a non critical extension
|
||||||
|
* mbedtls_x509_csr_parse_der_with_ext_cb() simply skips
|
||||||
|
* the extension and continues parsing.
|
||||||
|
*
|
||||||
|
* \return \c 0 on success.
|
||||||
|
* \return A negative error code on failure.
|
||||||
|
*/
|
||||||
|
typedef int (*mbedtls_x509_csr_ext_cb_t)(void *p_ctx,
|
||||||
|
mbedtls_x509_csr const *csr,
|
||||||
|
mbedtls_x509_buf const *oid,
|
||||||
|
int critical,
|
||||||
|
const unsigned char *p,
|
||||||
|
const unsigned char *end);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Load a Certificate Signing Request (CSR) in DER format
|
||||||
|
*
|
||||||
|
* \note Any unsupported requested extensions are silently
|
||||||
|
* ignored, unless the critical flag is set, in which case
|
||||||
|
* the result of the callback function decides whether
|
||||||
|
* CSR is rejected.
|
||||||
|
*
|
||||||
|
* \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
|
||||||
|
* subsystem must have been initialized by calling
|
||||||
|
* psa_crypto_init() before calling this function.
|
||||||
|
*
|
||||||
|
* \param csr CSR context to fill
|
||||||
|
* \param buf buffer holding the CRL data
|
||||||
|
* \param buflen size of the buffer
|
||||||
|
* \param cb A callback invoked for every unsupported certificate
|
||||||
|
* extension.
|
||||||
|
* \param p_ctx An opaque context passed to the callback.
|
||||||
|
*
|
||||||
|
* \return 0 if successful, or a specific X509 error code
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_csr_parse_der_with_ext_cb(mbedtls_x509_csr *csr,
|
||||||
|
const unsigned char *buf, size_t buflen,
|
||||||
|
mbedtls_x509_csr_ext_cb_t cb,
|
||||||
|
void *p_ctx);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* \brief Load a Certificate Signing Request (CSR), DER or PEM format
|
* \brief Load a Certificate Signing Request (CSR), DER or PEM format
|
||||||
*
|
*
|
||||||
|
|
|
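Review bot: The `\param buf` line of mbedtls_x509_csr_parse_der_with_ext_cb() describes the buffer as holding `CRL data`; it should read `\param buf buffer holding the CSR data`. The description of mbedtls_x509_csr_ext_cb_t has a leftover word in `when it encounters either an unsupported extension.`, which should read `when it encounters an unsupported extension.`. The `\note` on mbedtls_x509_csr_parse_der_with_ext_cb() would also be clearer if it stated that the callback is invoked for every unsupported extension regardless of the critical flag and that its return value only decides the outcome for critical ones, which is what the x509_csr.c change in this PR does; as written it reads as if the callback were only consulted for critical extensions.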
@ -61,13 +61,17 @@ static int x509_csr_get_version(unsigned char **p,
|
||||||
* Parse CSR extension requests in DER format
|
* Parse CSR extension requests in DER format
|
||||||
*/
|
*/
|
||||||
static int x509_csr_parse_extensions(mbedtls_x509_csr *csr,
|
static int x509_csr_parse_extensions(mbedtls_x509_csr *csr,
|
||||||
unsigned char **p, const unsigned char *end)
|
unsigned char **p, const unsigned char *end,
|
||||||
|
mbedtls_x509_csr_ext_cb_t cb,
|
||||||
|
void *p_ctx)
|
||||||
{
|
{
|
||||||
int ret;
|
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||||
size_t len;
|
size_t len;
|
||||||
unsigned char *end_ext_data;
|
unsigned char *end_ext_data, *end_ext_octet;
|
||||||
|
|
||||||
while (*p < end) {
|
while (*p < end) {
|
||||||
mbedtls_x509_buf extn_oid = { 0, 0, NULL };
|
mbedtls_x509_buf extn_oid = { 0, 0, NULL };
|
||||||
|
int is_critical = 0; /* DEFAULT FALSE */
|
||||||
int ext_type = 0;
|
int ext_type = 0;
|
||||||
|
|
||||||
/* Read sequence tag */
|
/* Read sequence tag */
|
||||||
|
@ -88,13 +92,21 @@ static int x509_csr_parse_extensions(mbedtls_x509_csr *csr,
|
||||||
extn_oid.p = *p;
|
extn_oid.p = *p;
|
||||||
*p += extn_oid.len;
|
*p += extn_oid.len;
|
||||||
|
|
||||||
|
/* Get optional critical */
|
||||||
|
if ((ret = mbedtls_asn1_get_bool(p, end_ext_data, &is_critical)) != 0 &&
|
||||||
|
(ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)) {
|
||||||
|
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
||||||
|
}
|
||||||
|
|
||||||
/* Data should be octet string type */
|
/* Data should be octet string type */
|
||||||
if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &len,
|
if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &len,
|
||||||
MBEDTLS_ASN1_OCTET_STRING)) != 0) {
|
MBEDTLS_ASN1_OCTET_STRING)) != 0) {
|
||||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (*p + len != end_ext_data) {
|
end_ext_octet = *p + len;
|
||||||
|
|
||||||
|
if (end_ext_octet != end_ext_data) {
|
||||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
|
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
|
||||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
|
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
|
||||||
}
|
}
|
||||||
|
@ -104,7 +116,28 @@ static int x509_csr_parse_extensions(mbedtls_x509_csr *csr,
|
||||||
*/
|
*/
|
||||||
ret = mbedtls_oid_get_x509_ext_type(&extn_oid, &ext_type);
|
ret = mbedtls_oid_get_x509_ext_type(&extn_oid, &ext_type);
|
||||||
|
|
||||||
if (ret == 0) {
|
if (ret != 0) {
|
||||||
|
/* Give the callback (if any) a chance to handle the extension */
|
||||||
|
if (cb != NULL) {
|
||||||
|
ret = cb(p_ctx, csr, &extn_oid, is_critical, *p, end_ext_octet);
|
||||||
|
if (ret != 0 && is_critical) {
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
*p = end_ext_octet;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* No parser found, skip extension */
|
||||||
|
*p = end_ext_octet;
|
||||||
|
|
||||||
|
if (is_critical) {
|
||||||
|
/* Data is marked as critical: fail */
|
||||||
|
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
|
||||||
|
MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
|
||||||
|
}
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
/* Forbid repeated extensions */
|
/* Forbid repeated extensions */
|
||||||
if ((csr->ext_types & ext_type) != 0) {
|
if ((csr->ext_types & ext_type) != 0) {
|
||||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
|
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
|
||||||
|
@ -138,10 +171,17 @@ static int x509_csr_parse_extensions(mbedtls_x509_csr *csr,
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
break;
|
/*
|
||||||
|
* If this is a non-critical extension, which the oid layer
|
||||||
|
* supports, but there isn't an x509 parser for it,
|
||||||
|
* skip the extension.
|
||||||
|
*/
|
||||||
|
if (is_critical) {
|
||||||
|
return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
|
||||||
|
} else {
|
||||||
|
*p = end_ext_octet;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
*p = end_ext_data;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (*p != end) {
|
if (*p != end) {
|
||||||
|
@ -156,7 +196,9 @@ static int x509_csr_parse_extensions(mbedtls_x509_csr *csr,
|
||||||
* Parse CSR attributes in DER format
|
* Parse CSR attributes in DER format
|
||||||
*/
|
*/
|
||||||
static int x509_csr_parse_attributes(mbedtls_x509_csr *csr,
|
static int x509_csr_parse_attributes(mbedtls_x509_csr *csr,
|
||||||
const unsigned char *start, const unsigned char *end)
|
const unsigned char *start, const unsigned char *end,
|
||||||
|
mbedtls_x509_csr_ext_cb_t cb,
|
||||||
|
void *p_ctx)
|
||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
size_t len;
|
size_t len;
|
||||||
|
@ -195,7 +237,7 @@ static int x509_csr_parse_attributes(mbedtls_x509_csr *csr,
|
||||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((ret = x509_csr_parse_extensions(csr, p, *p + len)) != 0) {
|
if ((ret = x509_csr_parse_extensions(csr, p, *p + len, cb, p_ctx)) != 0) {
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -219,8 +261,10 @@ static int x509_csr_parse_attributes(mbedtls_x509_csr *csr,
|
||||||
/*
|
/*
|
||||||
* Parse a CSR in DER format
|
* Parse a CSR in DER format
|
||||||
*/
|
*/
|
||||||
int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
|
static int mbedtls_x509_csr_parse_der_internal(mbedtls_x509_csr *csr,
|
||||||
const unsigned char *buf, size_t buflen)
|
const unsigned char *buf, size_t buflen,
|
||||||
|
mbedtls_x509_csr_ext_cb_t cb,
|
||||||
|
void *p_ctx)
|
||||||
{
|
{
|
||||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||||
size_t len;
|
size_t len;
|
||||||
|
@ -344,7 +388,7 @@ int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
|
||||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
|
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((ret = x509_csr_parse_attributes(csr, p, p + len)) != 0) {
|
if ((ret = x509_csr_parse_attributes(csr, p, p + len, cb, p_ctx)) != 0) {
|
||||||
mbedtls_x509_csr_free(csr);
|
mbedtls_x509_csr_free(csr);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
@ -383,6 +427,26 @@ int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Parse a CSR in DER format
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
|
||||||
|
const unsigned char *buf, size_t buflen)
|
||||||
|
{
|
||||||
|
return mbedtls_x509_csr_parse_der_internal(csr, buf, buflen, NULL, NULL);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Parse a CSR in DER format with callback for unknown extensions
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_csr_parse_der_with_ext_cb(mbedtls_x509_csr *csr,
|
||||||
|
const unsigned char *buf, size_t buflen,
|
||||||
|
mbedtls_x509_csr_ext_cb_t cb,
|
||||||
|
void *p_ctx)
|
||||||
|
{
|
||||||
|
return mbedtls_x509_csr_parse_der_internal(csr, buf, buflen, cb, p_ctx);
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Parse a CSR, allowing for PEM or raw DER encoding
|
* Parse a CSR, allowing for PEM or raw DER encoding
|
||||||
*/
|
*/
|
||||||
|
|
|
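Review bot: After the `switch (ext_type)` in x509_csr_parse_extensions() the old unconditional `*p = end_ext_data;` is dropped, so each parsed-extension case is now trusted to leave `*p` exactly at `end_ext_octet`; if a case under-consumes, the next loop iteration reads a SEQUENCE tag from inside the previous extension's value and the only backstop is the final `*p != end` check. A guard after the switch, `if (*p != end_ext_octet) { return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); }`, turns that into an explicit parse error. Separately, a critical extension whose OID the oid layer knows but has no CSR parser returns `MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE` from the `default:` branch without consulting `cb`, while a critical extension with an unknown OID is offered to the callback and otherwise fails with `MBEDTLS_ERR_X509_INVALID_EXTENSIONS`; the header says the callback is invoked for every unsupported extension, so either the `default:` branch should also call `cb` or the header should document the exception. The body of x509_csr_parse_extensions() continues outside these hunks, so a parser case that already validates its own end is not visible here.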
@ -2940,6 +2940,26 @@ X509 CSR ASN.1 (OK)
|
||||||
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_X509_REMOVE_INFO
|
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_X509_REMOVE_INFO
|
||||||
mbedtls_x509_csr_parse:"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":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n":0
|
mbedtls_x509_csr_parse:"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":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n":0
|
||||||
|
|
||||||
|
X509 CSR ASN.1 (Unsupported critical extension, critical=true)
|
||||||
|
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_X509_REMOVE_INFO
|
||||||
|
mbedtls_x509_csr_parse:"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":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
|
||||||
|
|
||||||
|
X509 CSR ASN.1 (Unsupported non-critical extension, critical=false)
|
||||||
|
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_X509_REMOVE_INFO
|
||||||
|
mbedtls_x509_csr_parse:"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":"CSR version \: 1\nsubject name \: CN=Self signed test, C=DE, O=AuthCrtDB Test\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\n":0
|
||||||
|
|
||||||
|
X509 CSR ASN.1 (Unsupported non-critical extension, critical undefined)
|
||||||
|
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_X509_REMOVE_INFO
|
||||||
|
mbedtls_x509_csr_parse:"308201223081c802010030413119301706035504030c1053656c66207369676e65642074657374310b300906035504061302444531173015060355040a0c0e41757468437274444220546573743059301306072a8648ce3d020106082a8648ce3d030107034200045f94b28d133418833bf10c442d91306459d3925e7cea06ebb9220932e7de116fb671c5d2d6c0a3784a12897217aef8432e7228fcea0ab016bdb67b67ced4c612a025302306092a864886f70d01090e311630143012060b2b0601040183890c8622020403010101300a06082a8648ce3d04030203490030460221009b1e8b25775c18525e96753e1ed55875f8d62f026c5b7f70eb5037ad27dc92de022100ba1dfe14de6af6a603f763563fd046b1cd3714b54d6daf5d8a72076497f11014":"CSR version \: 1\nsubject name \: CN=Self signed test, C=DE, O=AuthCrtDB Test\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\n":0
|
||||||
|
|
||||||
|
X509 CSR ASN.1 (Unsupported critical extension accepted by callback, critical=true)
|
||||||
|
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_X509_REMOVE_INFO
|
||||||
|
mbedtls_x509_csr_parse_with_ext_cb:"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":"CSR version \: 1\nsubject name \: CN=Self signed test, C=DE, O=AuthCrtDB Test\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\n":0:1
|
||||||
|
|
||||||
|
X509 CSR ASN.1 (Unsupported critical extension rejected by callback, critical=true)
|
||||||
|
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_X509_REMOVE_INFO
|
||||||
|
mbedtls_x509_csr_parse_with_ext_cb:"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":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG:0
|
||||||
|
|
||||||
X509 CSR ASN.1 (bad first tag)
|
X509 CSR ASN.1 (bad first tag)
|
||||||
mbedtls_x509_csr_parse:"3100":"":MBEDTLS_ERR_X509_INVALID_FORMAT
|
mbedtls_x509_csr_parse:"3100":"":MBEDTLS_ERR_X509_INVALID_FORMAT
|
||||||
|
|
||||||
|
|
|
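Review bot: The new cases only exercise unknown-OID extensions; there is no case for a critical extension whose OID the library recognises but the CSR parser does not handle, which the new `default:` branch in x509_csr_parse_extensions() rejects with `MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE`, and none for a non-critical unsupported extension with the rejecting callback, which must still parse successfully. Adding a `mbedtls_x509_csr_parse_with_ext_cb` case with a non-critical extension and the last argument set to 0 expecting a return of 0 would pin the skip-and-continue behaviour the header documents. The hex blobs of the critical cases are elided on this page, so I cannot confirm which OIDs they carry.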
@ -250,7 +250,8 @@ int verify_parse_san(mbedtls_x509_subject_alternative_name *san,
|
||||||
|
|
||||||
ret = mbedtls_oid_get_numeric_string(p,
|
ret = mbedtls_oid_get_numeric_string(p,
|
||||||
n,
|
n,
|
||||||
&san->san.other_name.value.hardware_module_name.oid);
|
&san->san.other_name.value.hardware_module_name
|
||||||
|
.oid);
|
||||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||||
|
|
||||||
ret = mbedtls_snprintf(p, n, ", hardware serial number : ");
|
ret = mbedtls_snprintf(p, n, ", hardware serial number : ");
|
||||||
|
@ -413,6 +414,35 @@ int parse_crt_ext_cb(void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_CSR_PARSE_C)
|
||||||
|
int parse_csr_ext_accept_cb(void *p_ctx, mbedtls_x509_csr const *csr, mbedtls_x509_buf const *oid,
|
||||||
|
int critical, const unsigned char *cp, const unsigned char *end)
|
||||||
|
{
|
||||||
|
(void) p_ctx;
|
||||||
|
(void) csr;
|
||||||
|
(void) oid;
|
||||||
|
(void) critical;
|
||||||
|
(void) cp;
|
||||||
|
(void) end;
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
int parse_csr_ext_reject_cb(void *p_ctx, mbedtls_x509_csr const *csr, mbedtls_x509_buf const *oid,
|
||||||
|
int critical, const unsigned char *cp, const unsigned char *end)
|
||||||
|
{
|
||||||
|
(void) p_ctx;
|
||||||
|
(void) csr;
|
||||||
|
(void) oid;
|
||||||
|
(void) critical;
|
||||||
|
(void) cp;
|
||||||
|
(void) end;
|
||||||
|
|
||||||
|
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
|
||||||
|
MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_X509_CSR_PARSE_C */
|
||||||
/* END_HEADER */
|
/* END_HEADER */
|
||||||
|
|
||||||
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */
|
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */
|
||||||
|
@ -1247,6 +1277,36 @@ exit:
|
||||||
}
|
}
|
||||||
/* END_CASE */
|
/* END_CASE */
|
||||||
|
|
||||||
|
/* BEGIN_CASE depends_on:MBEDTLS_X509_CSR_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */
|
||||||
|
void mbedtls_x509_csr_parse_with_ext_cb(data_t *csr_der, char *ref_out, int ref_ret, int accept)
|
||||||
|
{
|
||||||
|
mbedtls_x509_csr csr;
|
||||||
|
char my_out[1000];
|
||||||
|
int my_ret;
|
||||||
|
|
||||||
|
mbedtls_x509_csr_init(&csr);
|
||||||
|
USE_PSA_INIT();
|
||||||
|
|
||||||
|
memset(my_out, 0, sizeof(my_out));
|
||||||
|
|
||||||
|
my_ret = mbedtls_x509_csr_parse_der_with_ext_cb(&csr, csr_der->x, csr_der->len,
|
||||||
|
accept ? parse_csr_ext_accept_cb :
|
||||||
|
parse_csr_ext_reject_cb,
|
||||||
|
NULL);
|
||||||
|
TEST_EQUAL(my_ret, ref_ret);
|
||||||
|
|
||||||
|
if (ref_ret == 0) {
|
||||||
|
size_t my_out_len = mbedtls_x509_csr_info(my_out, sizeof(my_out), "", &csr);
|
||||||
|
TEST_EQUAL(my_out_len, strlen(ref_out));
|
||||||
|
TEST_EQUAL(strcmp(my_out, ref_out), 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
exit:
|
||||||
|
mbedtls_x509_csr_free(&csr);
|
||||||
|
USE_PSA_DONE();
|
||||||
|
}
|
||||||
|
/* END_CASE */
|
||||||
|
|
||||||
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CSR_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */
|
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CSR_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */
|
||||||
void mbedtls_x509_csr_parse_file(char *csr_file, char *ref_out, int ref_ret)
|
void mbedtls_x509_csr_parse_file(char *csr_file, char *ref_out, int ref_ret)
|
||||||
{
|
{
|
||||||
|
|