Commit graph

400 commits

Author SHA1 Message Date
Andrzej Kurek
199eab97e7 Add partial support for URI SubjectAltNames
Only exact matching without normalization is supported.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-05-10 09:57:19 -04:00
Gilles Peskine
97edeb4fb8
Merge pull request #6866 from mprse/extract-key-ids
Extracting SubjectKeyId and AuthorityKeyId in case of x509 V3 extensions v.2
2023-05-08 20:38:29 +02:00
Przemek Stekiel
61aed064c5 Code optimization
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-05-08 11:15:59 +02:00
Przemek Stekiel
ed9fb78739 Fix parsing of KeyIdentifier (tag length error case) + test
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-05-08 11:15:54 +02:00
Przemek Stekiel
8194285cf1 Fix parsing of authorityCertSerialNumber (use valid tags)
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-05-03 16:19:16 +02:00
Przemek Stekiel
f5b8f78ad7 authorityCertIssuer and authorityCertSerialNumber MUST both be present or absent
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-26 08:57:32 +02:00
Przemek Stekiel
f4194944e8 Use do-while(0) format in macros
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-24 09:52:17 +02:00
Gilles Peskine
935a987b2b
Merge pull request #7436 from AndrzejKurek/x509-verify-san-ip
x509 SAN IP parsing
2023-04-21 22:00:58 +02:00
Andrzej Kurek
90117db5dc Split a complex condition into separate ones
Make it more readable
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-04-18 10:43:35 -04:00
Andrzej Kurek
8bc2cc92b5 Refactor IPv6 parsing
Make it more readable
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-04-18 07:26:27 -04:00
Andrzej Kurek
ea3e71fa37 Further refactor IPv4 parsing
Make it more readable
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-04-18 05:54:50 -04:00
Przemek Stekiel
9a7a725ee7 Fix code style
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-17 16:06:57 +02:00
Andrzej Kurek
6cbca6dd42 Rename a variable in ipv4 and ipv6 parsing
Character was too elaborate.
p is used in other x509 code to step through data.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-04-13 09:25:00 -04:00
Andrzej Kurek
0d57896f7e Refactor ipv6 parsing
Introduce new variables to make it more readable. Clarify the calculations a bit.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-04-13 09:20:31 -04:00
Andrzej Kurek
7f5a1a4525 Rename ipv6 parsing variables, introduce one new one
This way the names are more descriptive.
j was reused later on for calculation, 
num_zero_groups is used instead.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-04-13 09:20:23 -04:00
Andrzej Kurek
06969fc3a0 Introduce a test for a sw implementation of inet_pton
Create a bypass define to simulate platforms
without AF_INET6.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-04-13 09:20:15 -04:00
Andrzej Kurek
13b8b780fe Improve x509_inet_pton_ipv4 readability
Introduce descriptive variable names.
Drop the table of tens.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-04-13 09:19:50 -04:00
Glenn Strauss
b255e21e48 Handle endianness in x509_inet_pton_ipv6()
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2023-04-11 08:29:43 -04:00
Glenn Strauss
6f545acfaf Add mbedtls_x509_crt_parse_cn_inet_pton() tests
Extended from https://github.com/Mbed-TLS/mbedtls/pull/2906
contributed by Eugene K <eugene.kobyakov@netfoundry.io>

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2023-04-11 08:29:42 -04:00
Glenn Strauss
416c295078 x509 crt verify local implementation to parse IP
x509 crt verify local implementation to parse IP
if inet_pton() is not portably available

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2023-04-11 08:29:42 -04:00
Glenn Strauss
c26bd76020 x509 crt verify SAN iPAddress
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2023-04-11 08:29:42 -04:00
Valerio Setti
d4a5d461de library: add remaining changes for the new ECP_LIGHT symbol
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-11 11:33:50 +02:00
Przemek Stekiel
725688b143 Fix code style
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-04 22:49:44 +02:00
Przemek Stekiel
294ec1274d Remove redundant memory relase for authorityCertIssuer
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-04 17:48:28 +02:00
Przemek Stekiel
21903ec860 Fix after rebase
Handle manually functions that have been moved to different locations.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-04 17:48:28 +02:00
Przemek Stekiel
4f3e7b934e Fix parsing of authorityCertIssuer
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-04 17:48:28 +02:00
Przemek Stekiel
75653b1df0 Add indication of extension error while parsing authority/subject key id
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-04 17:48:28 +02:00
Przemek Stekiel
6ec839a1f9 x509_get_authority_key_id: add length check + test
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-04 17:48:28 +02:00
Przemek Stekiel
3520fe6fda Use MBEDTLS_ERROR_ADD() and tag macros
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-04 17:48:28 +02:00
Przemek Stekiel
8a13866f65 Remove parsing of rfc822Name
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-04 17:48:28 +02:00
Przemek Stekiel
a2939e8728 Remove duplicated function
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-04 17:48:28 +02:00
Przemek Stekiel
9a511c5bdf Rename back mbedtls_x509_parse_general_name->mbedtls_x509_parse_subject_alt_name
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-04 17:48:28 +02:00
Przemek Stekiel
62d8f84be2 Adapt mbedtls_x509_crt_free after rebase
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-04 17:48:28 +02:00
toth92g
9232e0ad84 Adding some comments for easier understand
Signed-off-by: toth92g <toth92g@gmail.com>
2023-04-04 17:48:28 +02:00
toth92g
8d435a0c8b Renaming x509_get_subject_alt_name to x509_get_general_names and mbedtls_x509_parse_subject_alt_name to mbedtls_x509_parse_general_name so they can be used not only to collect subject alt name, but the V3 authority cert issuer that is also GeneralName type.
Also updated the x509_get_general_names function to be able to parse rfc822Names

Test are also updated according these changes.

Signed-off-by: toth92g <toth92g@gmail.com>
2023-04-04 17:48:28 +02:00
toth92g
d96027acd2 Correcting documentation issues:
- Changelog entry is Feature instead of API Change
- Correcting whitespaces around braces
- Also adding defensive mechanism to x509_get_subject_key_id
  to avoid malfunction in case of trailing garbage

Signed-off-by: toth92g <toth92g@gmail.com>
2023-04-04 17:48:27 +02:00
toth92g
a41954d0cf Extracting SubjectKeyId and AuthorityKeyId in case of x509 V3 extensions. Updating mbedtls_x509_crt_free function to also free the new dynamic elements (issuer field of AuthorityKeyId).
A few tests are also added which test the feature with a correct certificate and multiple ones with erroneous ASN1 tags.

Signed-off-by: toth92g <toth92g@gmail.com>
2023-04-04 17:48:27 +02:00
Tom Cosgrove
b96c309395 Don't use lstrlenW() on Windows
The lstrlenW() function isn't available to UWP apps, and isn't necessary, since
when given -1, WideCharToMultiByte() will process the terminating null character
itself (and the length returned by the function includes this character).

Resolves #2994

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-02-10 12:52:13 +00:00
Gilles Peskine
0cfb08ddf1
Merge pull request #6922 from mprse/csr_v3
Parsing v3 extensions from a CSR - v.2
2023-02-03 16:41:11 +01:00
Dave Rodgman
6dd757a8ba Fix use of sizeof without brackets
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-02-02 12:40:50 +00:00
Przemek Stekiel
cf6ff0fb43 Move common functions for crt/csr parsing to x509.c
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-01-24 10:57:19 +01:00
Przemek Stekiel
db128f518c Allow empty ns_cert_type, key_usage while parsing certificates
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-01-24 10:57:19 +01:00
Przemek Stekiel
21c37288e5 Adapt function names
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-01-24 10:57:19 +01:00
Przemek Stekiel
cbaf3167dd mbedtls_x509_csr_info: Add parsing code for v3 csr extensions
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-01-24 10:57:19 +01:00
Jens Alfke
2d9e359275 Parsing v3 extensions from a CSR
A parsed CSR struct (`mbedtls_x509_csr`) now includes some of the
X.509v3 extensions included in the CSR -- the key usage, Netscape
cert-type, and Subject Alternative Names.

Author: Jens Alfke <jens@couchbase.com>

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-01-24 10:56:55 +01:00
Gilles Peskine
449bd8303e Switch to the new code style
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-01-11 14:50:10 +01:00
Gilles Peskine
4a480ac5a1
Merge pull request #6265 from Kabbah/x509-info-hwmodulename-hex
`x509_info_subject_alt_name`: Render HardwareModuleName as hex
2022-11-08 17:11:07 +01:00
Glenn Strauss
a4b4041219 Shared code to free x509 structs
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-10-28 12:51:35 -04:00
Victor Barpp Gomes
47c7a732d2 Print RFC 4108 hwSerialNum in hex format
Signed-off-by: Victor Barpp Gomes <17840319+Kabbah@users.noreply.github.com>
2022-09-29 11:34:23 -03:00
Gilles Peskine
945b23c46f Include platform.h unconditionally: automatic part
We used to include platform.h only when MBEDTLS_PLATFORM_C was enabled, and
to define ad hoc replacements for mbedtls_xxx functions on a case-by-case
basis when MBEDTLS_PLATFORM_C was disabled. The only reason for this
complication was to allow building individual source modules without copying
platform.h. This is not something we support or recommend anymore, so get
rid of the complication: include platform.h unconditionally.

There should be no change in behavior since just including the header should
not change the behavior of a program.

This commit replaces most occurrences of conditional inclusion of
platform.h, using the following code:

```
perl -i -0777 -pe 's!#if.*\n#include "mbedtls/platform.h"\n(#else.*\n(#define (mbedtls|MBEDTLS)_.*\n|#include <(stdarg|stddef|stdio|stdlib|string|time)\.h>\n)*)?#endif.*!#include "mbedtls/platform.h"!mg' $(git grep -l '#include "mbedtls/platform.h"')
```

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-09-15 20:33:07 +02:00