Merge pull request #7009 from mprse/csr_write_san

Added ability to include the SubjectAltName extension to a CSR - v.2
This commit is contained in:
Paul Elliott 2023-03-17 10:07:27 +00:00 committed by GitHub
commit 9f02a4177b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 284 additions and 25 deletions

2
ChangeLog.d/san_csr.txt Normal file
View file

@ -0,0 +1,2 @@
Features
* Add support to include the SubjectAltName extension to a CSR.

View file

@ -35,6 +35,15 @@
(g) += ret; \ (g) += ret; \
} while (0) } while (0)
#define MBEDTLS_ASN1_CHK_CLEANUP_ADD(g, f) \
do \
{ \
if ((ret = (f)) < 0) \
goto cleanup; \
else \
(g) += ret; \
} while (0)
#ifdef __cplusplus #ifdef __cplusplus
extern "C" { extern "C" {
#endif #endif

View file

@ -83,6 +83,12 @@ typedef struct mbedtls_x509write_csr {
} }
mbedtls_x509write_csr; mbedtls_x509write_csr;
typedef struct mbedtls_x509_san_list {
mbedtls_x509_subject_alternative_name node;
struct mbedtls_x509_san_list *next;
}
mbedtls_x509_san_list;
#if defined(MBEDTLS_X509_CSR_PARSE_C) #if defined(MBEDTLS_X509_CSR_PARSE_C)
/** /**
* \brief Load a Certificate Signing Request (CSR) in DER format * \brief Load a Certificate Signing Request (CSR) in DER format
@ -228,6 +234,20 @@ void mbedtls_x509write_csr_set_md_alg(mbedtls_x509write_csr *ctx, mbedtls_md_typ
*/ */
int mbedtls_x509write_csr_set_key_usage(mbedtls_x509write_csr *ctx, unsigned char key_usage); int mbedtls_x509write_csr_set_key_usage(mbedtls_x509write_csr *ctx, unsigned char key_usage);
/**
* \brief Set Subject Alternative Name
*
* \param ctx CSR context to use
* \param san_list List of SAN values
*
* \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
*
* \note Only "dnsName", "uniformResourceIdentifier" and "otherName",
* as defined in RFC 5280, are supported.
*/
int mbedtls_x509write_csr_set_subject_alternative_name(mbedtls_x509write_csr *ctx,
const mbedtls_x509_san_list *san_list);
/** /**
* \brief Set the Netscape Cert Type flags * \brief Set the Netscape Cert Type flags
* (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL) * (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL)

View file

@ -26,6 +26,7 @@
#if defined(MBEDTLS_X509_CSR_WRITE_C) #if defined(MBEDTLS_X509_CSR_WRITE_C)
#include "mbedtls/x509.h"
#include "mbedtls/x509_csr.h" #include "mbedtls/x509_csr.h"
#include "mbedtls/asn1write.h" #include "mbedtls/asn1write.h"
#include "mbedtls/error.h" #include "mbedtls/error.h"
@ -85,6 +86,105 @@ int mbedtls_x509write_csr_set_extension(mbedtls_x509write_csr *ctx,
critical, val, val_len); critical, val, val_len);
} }
int mbedtls_x509write_csr_set_subject_alternative_name(mbedtls_x509write_csr *ctx,
const mbedtls_x509_san_list *san_list)
{
int ret = 0;
const mbedtls_x509_san_list *cur;
unsigned char *buf;
unsigned char *p;
size_t len;
size_t buflen = 0;
/* Determine the maximum size of the SubjectAltName list */
for (cur = san_list; cur != NULL; cur = cur->next) {
/* Calculate size of the required buffer */
switch (cur->node.type) {
case MBEDTLS_X509_SAN_DNS_NAME:
case MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER:
case MBEDTLS_X509_SAN_IP_ADDRESS:
/* length of value for each name entry,
* maximum 4 bytes for the length field,
* 1 byte for the tag/type.
*/
buflen += cur->node.san.unstructured_name.len + 4 + 1;
break;
default:
/* Not supported - skip. */
break;
}
}
/* Add the extra length field and tag */
buflen += 4 + 1;
/* Allocate buffer */
buf = mbedtls_calloc(1, buflen);
if (buf == NULL) {
return MBEDTLS_ERR_ASN1_ALLOC_FAILED;
}
mbedtls_platform_zeroize(buf, buflen);
p = buf + buflen;
/* Write ASN.1-based structure */
cur = san_list;
len = 0;
while (cur != NULL) {
switch (cur->node.type) {
case MBEDTLS_X509_SAN_DNS_NAME:
case MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER:
case MBEDTLS_X509_SAN_IP_ADDRESS:
{
const unsigned char *unstructured_name =
(const unsigned char *) cur->node.san.unstructured_name.p;
size_t unstructured_name_len = cur->node.san.unstructured_name.len;
MBEDTLS_ASN1_CHK_CLEANUP_ADD(len,
mbedtls_asn1_write_raw_buffer(
&p, buf,
unstructured_name, unstructured_name_len));
MBEDTLS_ASN1_CHK_CLEANUP_ADD(len, mbedtls_asn1_write_len(
&p, buf, unstructured_name_len));
MBEDTLS_ASN1_CHK_CLEANUP_ADD(len,
mbedtls_asn1_write_tag(
&p, buf,
MBEDTLS_ASN1_CONTEXT_SPECIFIC | cur->node.type));
}
break;
default:
/* Skip unsupported names. */
break;
}
cur = cur->next;
}
MBEDTLS_ASN1_CHK_CLEANUP_ADD(len, mbedtls_asn1_write_len(&p, buf, len));
MBEDTLS_ASN1_CHK_CLEANUP_ADD(len,
mbedtls_asn1_write_tag(&p, buf,
MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_ASN1_SEQUENCE));
ret = mbedtls_x509write_csr_set_extension(
ctx,
MBEDTLS_OID_SUBJECT_ALT_NAME,
MBEDTLS_OID_SIZE(MBEDTLS_OID_SUBJECT_ALT_NAME),
0,
buf + buflen - len,
len);
/* If we exceeded the allocated buffer it means that maximum size of the SubjectAltName list
* was incorrectly calculated and memory is corrupted. */
if (p < buf) {
ret = MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
}
cleanup:
mbedtls_free(buf);
return ret;
}
int mbedtls_x509write_csr_set_key_usage(mbedtls_x509write_csr *ctx, unsigned char key_usage) int mbedtls_x509write_csr_set_key_usage(mbedtls_x509write_csr *ctx, unsigned char key_usage)
{ {
unsigned char buf[4] = { 0 }; unsigned char buf[4] = { 0 };

View file

@ -63,6 +63,11 @@ int main(void)
" debug_level=%%d default: 0 (disabled)\n" \ " debug_level=%%d default: 0 (disabled)\n" \
" output_file=%%s default: cert.req\n" \ " output_file=%%s default: cert.req\n" \
" subject_name=%%s default: CN=Cert,O=mbed TLS,C=UK\n" \ " subject_name=%%s default: CN=Cert,O=mbed TLS,C=UK\n" \
" san=%%s default: (none)\n" \
" Comma-separated-list of values:\n" \
" DNS:value\n" \
" URI:value\n" \
" IP:value (Only IPv4 is supported)\n" \
" key_usage=%%s default: (empty)\n" \ " key_usage=%%s default: (empty)\n" \
" Comma-separated-list of values:\n" \ " Comma-separated-list of values:\n" \
" digital_signature\n" \ " digital_signature\n" \
@ -96,18 +101,31 @@ int main(void)
* global options * global options
*/ */
struct options { struct options {
const char *filename; /* filename of the key file */ const char *filename; /* filename of the key file */
const char *password; /* password for the key file */ const char *password; /* password for the key file */
int debug_level; /* level of debugging */ int debug_level; /* level of debugging */
const char *output_file; /* where to store the constructed key file */ const char *output_file; /* where to store the constructed key file */
const char *subject_name; /* subject name for certificate request */ const char *subject_name; /* subject name for certificate request */
unsigned char key_usage; /* key usage flags */ mbedtls_x509_san_list *san_list; /* subjectAltName for certificate request */
int force_key_usage; /* Force adding the KeyUsage extension */ unsigned char key_usage; /* key usage flags */
unsigned char ns_cert_type; /* NS cert type */ int force_key_usage; /* Force adding the KeyUsage extension */
int force_ns_cert_type; /* Force adding NsCertType extension */ unsigned char ns_cert_type; /* NS cert type */
mbedtls_md_type_t md_alg; /* Hash algorithm used for signature. */ int force_ns_cert_type; /* Force adding NsCertType extension */
mbedtls_md_type_t md_alg; /* Hash algorithm used for signature. */
} opt; } opt;
static void ip_string_to_bytes(const char *str, uint8_t *bytes, int maxBytes)
{
for (int i = 0; i < maxBytes; i++) {
bytes[i] = (uint8_t) strtoul(str, NULL, 16);
str = strchr(str, '.');
if (str == NULL || *str == '\0') {
break;
}
str++;
}
}
int write_certificate_request(mbedtls_x509write_csr *req, const char *output_file, int write_certificate_request(mbedtls_x509write_csr *req, const char *output_file,
int (*f_rng)(void *, unsigned char *, size_t), int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng) void *p_rng)
@ -145,11 +163,12 @@ int main(int argc, char *argv[])
mbedtls_pk_context key; mbedtls_pk_context key;
char buf[1024]; char buf[1024];
int i; int i;
char *p, *q, *r; char *p, *q, *r, *r2;
mbedtls_x509write_csr req; mbedtls_x509write_csr req;
mbedtls_entropy_context entropy; mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg; mbedtls_ctr_drbg_context ctr_drbg;
const char *pers = "csr example app"; const char *pers = "csr example app";
mbedtls_x509_san_list *cur, *prev;
/* /*
* Set to sane values * Set to sane values
@ -175,15 +194,14 @@ usage:
opt.ns_cert_type = DFL_NS_CERT_TYPE; opt.ns_cert_type = DFL_NS_CERT_TYPE;
opt.force_ns_cert_type = DFL_FORCE_NS_CERT_TYPE; opt.force_ns_cert_type = DFL_FORCE_NS_CERT_TYPE;
opt.md_alg = DFL_MD_ALG; opt.md_alg = DFL_MD_ALG;
opt.san_list = NULL;
for (i = 1; i < argc; i++) { for (i = 1; i < argc; i++) {
p = argv[i]; p = argv[i];
if ((q = strchr(p, '=')) == NULL) { if ((q = strchr(p, '=')) == NULL) {
goto usage; goto usage;
} }
*q++ = '\0'; *q++ = '\0';
if (strcmp(p, "filename") == 0) { if (strcmp(p, "filename") == 0) {
opt.filename = q; opt.filename = q;
} else if (strcmp(p, "password") == 0) { } else if (strcmp(p, "password") == 0) {
@ -197,6 +215,59 @@ usage:
} }
} else if (strcmp(p, "subject_name") == 0) { } else if (strcmp(p, "subject_name") == 0) {
opt.subject_name = q; opt.subject_name = q;
} else if (strcmp(p, "san") == 0) {
prev = NULL;
while (q != NULL) {
uint8_t ip[4] = { 0 };
if ((r = strchr(q, ';')) != NULL) {
*r++ = '\0';
}
cur = mbedtls_calloc(1, sizeof(mbedtls_x509_san_list));
if (cur == NULL) {
mbedtls_printf("Not enough memory for subjectAltName list\n");
goto usage;
}
cur->next = NULL;
if ((r2 = strchr(q, ':')) != NULL) {
*r2++ = '\0';
}
if (strcmp(q, "URI") == 0) {
cur->node.type = MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER;
} else if (strcmp(q, "DNS") == 0) {
cur->node.type = MBEDTLS_X509_SAN_DNS_NAME;
} else if (strcmp(q, "IP") == 0) {
cur->node.type = MBEDTLS_X509_SAN_IP_ADDRESS;
ip_string_to_bytes(r2, ip, 4);
} else {
mbedtls_free(cur);
goto usage;
}
if (strcmp(q, "IP") == 0) {
cur->node.san.unstructured_name.p = (unsigned char *) ip;
cur->node.san.unstructured_name.len = sizeof(ip);
} else {
q = r2;
cur->node.san.unstructured_name.p = (unsigned char *) q;
cur->node.san.unstructured_name.len = strlen(q);
}
if (prev == NULL) {
opt.san_list = cur;
} else {
prev->next = cur;
}
prev = cur;
q = r;
}
} else if (strcmp(p, "md") == 0) { } else if (strcmp(p, "md") == 0) {
const mbedtls_md_info_t *md_info = const mbedtls_md_info_t *md_info =
mbedtls_md_info_from_string(q); mbedtls_md_info_from_string(q);
@ -274,14 +345,39 @@ usage:
} }
} }
/* Set the MD algorithm to use for the signature in the CSR */
mbedtls_x509write_csr_set_md_alg(&req, opt.md_alg); mbedtls_x509write_csr_set_md_alg(&req, opt.md_alg);
/* Set the Key Usage Extension flags in the CSR */
if (opt.key_usage || opt.force_key_usage == 1) { if (opt.key_usage || opt.force_key_usage == 1) {
mbedtls_x509write_csr_set_key_usage(&req, opt.key_usage); ret = mbedtls_x509write_csr_set_key_usage(&req, opt.key_usage);
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_x509write_csr_set_key_usage returned %d", ret);
goto exit;
}
} }
/* Set the Cert Type flags in the CSR */
if (opt.ns_cert_type || opt.force_ns_cert_type == 1) { if (opt.ns_cert_type || opt.force_ns_cert_type == 1) {
mbedtls_x509write_csr_set_ns_cert_type(&req, opt.ns_cert_type); ret = mbedtls_x509write_csr_set_ns_cert_type(&req, opt.ns_cert_type);
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_x509write_csr_set_ns_cert_type returned %d", ret);
goto exit;
}
}
/* Set the SubjectAltName in the CSR */
if (opt.san_list != NULL) {
ret = mbedtls_x509write_csr_set_subject_alternative_name(&req, opt.san_list);
if (ret != 0) {
mbedtls_printf(
" failed\n ! mbedtls_x509write_csr_set_subject_alternative_name returned %d",
ret);
goto exit;
}
} }
/* /*
@ -363,6 +459,14 @@ exit:
mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy); mbedtls_entropy_free(&entropy);
cur = opt.san_list;
while (cur != NULL) {
prev = cur;
cur = cur->next;
mbedtls_free(prev);
}
mbedtls_exit(exit_code); mbedtls_exit(exit_code);
} }
#endif /* MBEDTLS_X509_CSR_WRITE_C && MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO && #endif /* MBEDTLS_X509_CSR_WRITE_C && MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO &&

View file

@ -1006,7 +1006,7 @@ all_final += server1.req.sha256
server1.req.sha256.ext: server1.key server1.req.sha256.ext: server1.key
# Generating this with OpenSSL as a comparison point to test we're getting the same result # Generating this with OpenSSL as a comparison point to test we're getting the same result
openssl req -new -out $@ -key $< -subj '/C=NL/O=PolarSSL/CN=PolarSSL Server 1' -sha256 -addext "extendedKeyUsage=serverAuth" openssl req -new -out $@ -key $< -subj '/C=NL/O=PolarSSL/CN=PolarSSL Server 1' -sha256 -addext "extendedKeyUsage=serverAuth" -addext "subjectAltName=URI:http://pki.example.com/,IP:127.1.1.0,DNS:example.com"
all_final += server1.req.sha256.ext all_final += server1.req.sha256.ext
server1.req.sha384: server1.key server1.req.sha384: server1.key

View file

@ -1,17 +1,18 @@
-----BEGIN CERTIFICATE REQUEST----- -----BEGIN CERTIFICATE REQUEST-----
MIICpzCCAY8CAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow MIIC3jCCAcYCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/ FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAmMCQGCSqGSIb3DQEJDjEX DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaBdMFsGCSqGSIb3DQEJDjFO
MBUwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAHi0yEGu MEwwEwYDVR0lBAwwCgYIKwYBBQUHAwEwNQYDVR0RBC4wLIYXaHR0cDovL3BraS5l
Fh5tuLiLuT95UrRnly55+lTY9xchFiKtlcoEdSheybYxqk3JHuSSqojOFKZBlRdk eGFtcGxlLmNvbS+HBH8BAQCCC2V4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IB
oG6Azg56/aMHPWyvtCMSRQX4b+FgjeQsm9IfhYNMquQOxyPxm62vjuU3MfZIofXH AQCGmTIXEUvTqwChkzRtxPIQDDchrMnCXgUrTSxre5nvUOpjVlcIIPGWAwxRovfe
hKdI6Ci2CDF4Fyvw50KBWniV38eE9+kjsvDLdXD3ESZJGhjjuFl8ReUiA2wdBTcP pW6OaGZ/3xD0dRAcOW08sTD6GRUazFrubPA1eZiNC7vYdWV59qm84N5yRR/s8Hm+
XEZaXUIc6B4tUnlPeqn/2zp4GBqqWzNZx6TXBpApASGG3BEJnM52FVPC7E9p+8YZ okwI47m7W9C0pfaNXchgFUQBn16TrZxPXklbCpBJ/TFV+1ODY0sJPHYiCFpYI+Jz
qIGuiF5Cz/rYZkpwffBWIfS2zZakHLm5TB8FgZkWlyReJU9Ihk2Tl/sZ1kllFdYa YuJmadP2BHucl8wv2RyVHywOmV1sDc74i9igVrBCAh8wu+kqImMtrnkGZDxrnj/L
xLPnLCL82KFL1Co= 5P1eDfdqG2cN+s40RnMQMosh3UfqpNV/bTgAqBPP2uluT9L1KpWcjZeuvisOgVTq
XwFI5s34fen2DUVw6MWNfbDK
-----END CERTIFICATE REQUEST----- -----END CERTIFICATE REQUEST-----

View file

@ -152,6 +152,27 @@ void x509_csr_check(char *key_file, char *cert_req_check_file, int md_type,
int der_len = -1; int der_len = -1;
const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1"; const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1";
mbedtls_test_rnd_pseudo_info rnd_info; mbedtls_test_rnd_pseudo_info rnd_info;
mbedtls_x509_san_list san_ip;
mbedtls_x509_san_list san_dns;
mbedtls_x509_san_list san_uri;
mbedtls_x509_san_list *san_list = NULL;
const char san_ip_name[] = { 0x7f, 0x01, 0x01, 0x00 }; // 127.1.1.0
const char *san_dns_name = "example.com";
const char *san_uri_name = "http://pki.example.com/";
san_uri.node.type = MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER;
san_uri.node.san.unstructured_name.p = (unsigned char *) san_uri_name;
san_uri.node.san.unstructured_name.len = strlen(san_uri_name);
san_uri.next = NULL;
san_ip.node.type = MBEDTLS_X509_SAN_IP_ADDRESS;
san_ip.node.san.unstructured_name.p = (unsigned char *) san_ip_name;
san_ip.node.san.unstructured_name.len = sizeof(san_ip_name);
san_ip.next = &san_uri;
san_dns.node.type = MBEDTLS_X509_SAN_DNS_NAME;
san_dns.node.san.unstructured_name.p = (unsigned char *) san_dns_name;
san_dns.node.san.unstructured_name.len = strlen(san_dns_name);
san_dns.next = &san_ip;
san_list = &san_dns;
memset(&rnd_info, 0x2a, sizeof(mbedtls_test_rnd_pseudo_info)); memset(&rnd_info, 0x2a, sizeof(mbedtls_test_rnd_pseudo_info));
@ -175,6 +196,8 @@ void x509_csr_check(char *key_file, char *cert_req_check_file, int md_type,
if (set_extension != 0) { if (set_extension != 0) {
TEST_ASSERT(csr_set_extended_key_usage(&req, MBEDTLS_OID_SERVER_AUTH, TEST_ASSERT(csr_set_extended_key_usage(&req, MBEDTLS_OID_SERVER_AUTH,
MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH)) == 0); MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH)) == 0);
TEST_ASSERT(mbedtls_x509write_csr_set_subject_alternative_name(&req, san_list) == 0);
} }
ret = mbedtls_x509write_csr_pem(&req, buf, sizeof(buf), ret = mbedtls_x509write_csr_pem(&req, buf, sizeof(buf),