From 0488ce653a1cf791be9d4061832e33694e6d1f63 Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Sun, 30 Sep 2018 15:36:50 +0100 Subject: [PATCH 1/4] Add support for alternative CSR headers Add support for RFC7468, and the alternative Microsoft footer/headers for CSR's that contain the text 'BEGIN NEW CERTIFICATE REQUEST' instead of 'BEGIN CERTIFICATE REQUEST'. --- library/x509_csr.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/library/x509_csr.c b/library/x509_csr.c index f84425728..032b15c65 100644 --- a/library/x509_csr.c +++ b/library/x509_csr.c @@ -279,15 +279,23 @@ int mbedtls_x509_csr_parse( mbedtls_x509_csr *csr, const unsigned char *buf, siz { mbedtls_pem_init( &pem ); ret = mbedtls_pem_read_buffer( &pem, - "-----BEGIN CERTIFICATE REQUEST-----", - "-----END CERTIFICATE REQUEST-----", - buf, NULL, 0, &use_len ); - + "-----BEGIN CERTIFICATE REQUEST-----", + "-----END CERTIFICATE REQUEST-----", + buf, NULL, 0, &use_len ); + if( ret != 0 ) + { + ret = mbedtls_pem_read_buffer( &pem, + "-----BEGIN NEW CERTIFICATE REQUEST-----", + "-----END NEW CERTIFICATE REQUEST-----", + buf, NULL, 0, &use_len ); + } if( ret == 0 ) + { /* * Was PEM encoded, parse the result */ ret = mbedtls_x509_csr_parse_der( csr, pem.buf, pem.buflen ); + } mbedtls_pem_free( &pem ); if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) From 03de21059d037b46bc43cc152e472963325d1a52 Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Sat, 6 Oct 2018 16:24:13 +0100 Subject: [PATCH 2/4] Add additional test case for alternative CSR headers Add a test case for alternative headers possible for CSR's, as defined in RFC7468. --- tests/data_files/server1-ms.req.sha256 | 16 ++++++++++++++++ tests/suites/test_suite_x509parse.data | 4 ++++ 2 files changed, 20 insertions(+) create mode 100644 tests/data_files/server1-ms.req.sha256 diff --git a/tests/data_files/server1-ms.req.sha256 b/tests/data_files/server1-ms.req.sha256 new file mode 100644 index 000000000..b0d9414a2 --- /dev/null +++ b/tests/data_files/server1-ms.req.sha256 @@ -0,0 +1,16 @@ +-----BEGIN NEW CERTIFICATE REQUEST----- +MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRow +GAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ +ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ +HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF +W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs +FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/ +DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBCwUA +A4IBAQBY/1nnYQ3ThVyeZb1Z2wLYoHZ5rfeJCedyP7N/gjJZjhrMbwioUft2uHpb ++OZQfxRXJTbtj/1wpRMCoUMLWzapS7/xGx3IjoPtl42aM4M+xVYvbLjExL13kUAr +eE4JWcMIbTEPol2zSdX/LuB+m27jEp5VsvM2ty9qOw/T4iKwjFSe6pcYZ2spks19 +3ltgjnaamwqKcN9zUA3IERTsWjr5exKYgfXm2OeeuSP0tHr7Dh+w/2XA9dGcLhrm +TA4P8QjIgSDlyzmhYYmsrioFPuCfdi1uzs8bxmbLXbiCGZ8TDMy5oLqLo1K+j2pF +ox+ATHKxQ/XpRQP+2OTb9sw1kM59 +-----END NEW CERTIFICATE REQUEST----- diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 406cf5931..d5b5351b5 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -278,6 +278,10 @@ X509 CSR Information RSA-PSS with SHA512 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA512_C mbedtls_x509_csr_info:"data_files/server9.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0x3E)\nRSA key size \: 1024 bits\n" +X509 CSR Information RSA with SHA256 - Microsoft header +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_RSA_C +mbedtls_x509_csr_info:"data_files/server1-ms.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n" + X509 Verify Information: empty x509_verify_info:0:"":"" From 5199227d87ce8b2812c8f3c99ed97762f6c634a7 Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Sun, 30 Sep 2018 15:44:52 +0100 Subject: [PATCH 3/4] Add Changelog entry for #767 Add Changelog entry for fix for alternative header/footers in CSR's. --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index 513f24f3a..dde23d868 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,8 @@ Changes * Close a test gap in (D)TLS between the client side and the server side: test the handling of large packets and small packets on the client side in the same way as on the server side. + * Add support for alternative CSR headers, as used by Microsoft and defined + in RFC 7468. Found by Michael Ernst. Fixes #767. = mbed TLS 2.13.1 branch released 2018-09-06 From e1660af2e2c402b535bac5d7a8dbd44269347f80 Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Sun, 7 Oct 2018 17:48:37 +0100 Subject: [PATCH 4/4] Fix CSR parsing header call Change the secondary X509 CSR parsing call for the alternative MS header to only occur if the first call fails due to the header being unfound, instead of any call. --- library/x509_csr.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/library/x509_csr.c b/library/x509_csr.c index 032b15c65..c8c08c87b 100644 --- a/library/x509_csr.c +++ b/library/x509_csr.c @@ -282,13 +282,14 @@ int mbedtls_x509_csr_parse( mbedtls_x509_csr *csr, const unsigned char *buf, siz "-----BEGIN CERTIFICATE REQUEST-----", "-----END CERTIFICATE REQUEST-----", buf, NULL, 0, &use_len ); - if( ret != 0 ) + if( ret == MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) { ret = mbedtls_pem_read_buffer( &pem, "-----BEGIN NEW CERTIFICATE REQUEST-----", "-----END NEW CERTIFICATE REQUEST-----", buf, NULL, 0, &use_len ); } + if( ret == 0 ) { /*