From b2dc3fa72ed519eb739e41ac25d49eb943bca7a1 Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Thu, 21 Mar 2019 13:40:13 +0200 Subject: [PATCH] Suppport otherName of type hardware module name Add support of parsing of subject alternative name, of type otherName. Currently supports only hardware module name, as defined in rfc 4108. --- include/mbedtls/oid.h | 3 + include/mbedtls/x509.h | 22 ++ include/mbedtls/x509_crt.h | 61 +++- library/x509_crt.c | 305 ++++++++++++++++-- tests/data_files/Makefile | 6 + tests/data_files/multiple_san.crt | 12 + tests/data_files/server5-othername.crt | 11 + .../server5-unsupported_othername.crt | 12 + tests/data_files/test-ca.opensslconf | 19 ++ tests/suites/test_suite_x509parse.data | 36 ++- tests/suites/test_suite_x509parse.function | 108 +++++++ 11 files changed, 565 insertions(+), 30 deletions(-) create mode 100644 tests/data_files/multiple_san.crt create mode 100644 tests/data_files/server5-othername.crt create mode 100644 tests/data_files/server5-unsupported_othername.crt diff --git a/include/mbedtls/oid.h b/include/mbedtls/oid.h index 55f72c8eb..c516b7aaf 100644 --- a/include/mbedtls/oid.h +++ b/include/mbedtls/oid.h @@ -214,6 +214,9 @@ */ #define MBEDTLS_OID_WISUN_FAN MBEDTLS_OID_INTERNET "\x04\x01\x82\xe4\x25\x01" +#define MBEDTLS_OID_ON MBEDTLS_OID_PKIX "\x08" /**< id-on OBJECT IDENTIFIER ::= { id-pkix 8 } */ +#define MBEDTLS_OID_ON_HW_MODULE_NAME MBEDTLS_OID_ON "\x04" /**< id-on-hardwareModuleName OBJECT IDENTIFIER ::= { id-on 4 } */ + /* * PKCS definition OIDs */ diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index b63e864e3..054ff2ecc 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -109,6 +109,28 @@ /* \} name */ /* \} addtogroup x509_module */ +/* + * X.509 v3 Subject Alternative Name types. + * otherName [0] OtherName, + * rfc822Name [1] IA5String, + * dNSName [2] IA5String, + * x400Address [3] ORAddress, + * directoryName [4] Name, + * ediPartyName [5] EDIPartyName, + * uniformResourceIdentifier [6] IA5String, + * iPAddress [7] OCTET STRING, + * registeredID [8] OBJECT IDENTIFIER + */ +#define MBEDTLS_X509_SAN_OTHER_NAME 0 +#define MBEDTLS_X509_SAN_RFC822_NAME 1 +#define MBEDTLS_X509_SAN_DNS_NAME 2 +#define MBEDTLS_X509_SAN_X400_ADDRESS_NAME 3 +#define MBEDTLS_X509_SAN_DIRECTORY_NAME 4 +#define MBEDTLS_X509_SAN_EDI_PARTY_NAME 5 +#define MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER 6 +#define MBEDTLS_X509_SAN_IP_ADDRESS 7 +#define MBEDTLS_X509_SAN_REGISTERED_ID 8 + /* * X.509 v3 Key Usage Extension flags * Reminder: update x509_info_key_usage() when adding new flags. diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index a0f32cb30..4a796173f 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -76,7 +76,7 @@ typedef struct mbedtls_x509_crt mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */ mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */ mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */ - mbedtls_x509_sequence subject_alt_names; /**< Optional list of Subject Alternative Names (Only dNSName supported). */ + mbedtls_x509_sequence subject_alt_names; /**< Optional list of Subject Alternative Names (Only dNSName and OtherName supported). */ int ext_types; /**< Bit string containing detected and parsed extensions */ int ca_istrue; /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */ @@ -97,6 +97,44 @@ typedef struct mbedtls_x509_crt } mbedtls_x509_crt; +/* + * From RFC 5280 section 4.2.1.6: + * OtherName ::= SEQUENCE { + * type-id OBJECT IDENTIFIER, + * value [0] EXPLICIT ANY DEFINED BY type-id } + */ +typedef struct mbedtls_x509_san_other_name +{ + mbedtls_x509_buf type_id; /**< The type id. */ + union + { + /* + * From RFC 4108 section 5: + * HardwareModuleName ::= SEQUENCE { + * hwType OBJECT IDENTIFIER, + * hwSerialNum OCTET STRING } + */ + mbedtls_x509_name hardware_module_name; + } + value; +} +mbedtls_x509_san_other_name; + +/* + * A structure for holding the parsed Subject Alternative Name, according to type + */ +typedef struct mbedtls_x509_subject_alternative_name +{ + int type; /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */ + union { + mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */ + mbedtls_x509_buf unstructured_name; /**< The buffer for the un constructed types. Only dnsName currently supported */ + } + san; /**< A union of the supported SAN types */ + struct mbedtls_x509_subject_alternative_name *next; /**< The next SAN in the list. */ +} +mbedtls_x509_subject_alternative_name; + /** * Build flag from an algorithm/curve identifier (pk, md, ecp) * Since 0 is always XXX_NONE, ignore it. @@ -347,7 +385,26 @@ int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path ); */ int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path ); #endif /* MBEDTLS_FS_IO */ - +/** + * \brief Parses the subject alternative name list of a given certificate; + * + * \param crt The X509 certificate to parse. + * + * \param san A list holding the parsed certificate. + * + * \note Only "dnsName" and "otherName" of type hardware_module_name, + * as defined in RFC 4180 is supported. + * + * \note Any unsupported san type is ignored. + * + * \note The function allocates a list of mbedtls_x509_subject_alternative_name + * and it is the caller's responsibility to free it. + * + * \return Zero for success and negative + * value for any other failure. + */ +int mbedtls_x509_parse_subject_alternative_name( const mbedtls_x509_crt *crt, + mbedtls_x509_subject_alternative_name **san ); /** * \brief Returns an informational string about the * certificate. diff --git a/library/x509_crt.c b/library/x509_crt.c index 97a06d5f1..f9cbed0a2 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -618,7 +618,8 @@ static int x509_get_ext_key_usage( unsigned char **p, * nameAssigner [0] DirectoryString OPTIONAL, * partyName [1] DirectoryString } * - * NOTE: we only parse and use dNSName at this point. + * NOTE: we only parse and use dNSName at this point, + * and otherName of type HwModuleName, as defined in RFC 4108. */ static int x509_get_subject_alt_name( unsigned char **p, const unsigned char *end, @@ -657,13 +658,6 @@ static int x509_get_subject_alt_name( unsigned char **p, MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ); } - /* Skip everything but DNS name */ - if( tag != ( MBEDTLS_ASN1_CONTEXT_SPECIFIC | 2 ) ) - { - *p += tag_len; - continue; - } - /* Allocate and assign next pointer */ if( cur->buf.p != NULL ) { @@ -1435,32 +1429,195 @@ cleanup: } #endif /* MBEDTLS_FS_IO */ +/* + * OtherName ::= SEQUENCE { + * type-id OBJECT IDENTIFIER, + * value [0] EXPLICIT ANY DEFINED BY type-id } + * + * HardwareModuleName ::= SEQUENCE { + * hwType OBJECT IDENTIFIER, + * hwSerialNum OCTET STRING } + * + * NOTE: we currently only parse and use otherName of type HwModuleName, + * as defined in RFC 4108. + */ +static int x509_get_other_name( const mbedtls_x509_buf *subject_alt_name, + mbedtls_x509_san_other_name *other_name ) +{ + int ret; + size_t len; + unsigned char *p = subject_alt_name->p; + const unsigned char *end = p + subject_alt_name->len; + mbedtls_x509_buf cur_oid; + + if( ( subject_alt_name->tag & + ( MBEDTLS_ASN1_TAG_CLASS_MASK | MBEDTLS_ASN1_TAG_VALUE_MASK ) ) != + ( MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_OTHER_NAME ) ) + { + /* + * The given subject alternative name is not of type "othername". + */ + return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); + } + + if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, + MBEDTLS_ASN1_OID ) ) != 0 ) + return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); + + cur_oid.tag = MBEDTLS_ASN1_OID; + cur_oid.p = p; + cur_oid.len = len; + + /* + * Only HwModuleName is currently supported. + */ + if( MBEDTLS_OID_CMP( MBEDTLS_OID_ON_HW_MODULE_NAME, &cur_oid ) != 0 ) + { + return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE ); + } + + if( p + len >= end ) + { + mbedtls_platform_zeroize( other_name, sizeof( other_name ) ); + return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); + } + p += len; + if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) ) != 0 ) + return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); + + if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) + return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); + + if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OID ) ) != 0 ) + return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); + + other_name->value.hardware_module_name.oid.tag = MBEDTLS_ASN1_OID; + other_name->value.hardware_module_name.oid.p = p; + other_name->value.hardware_module_name.oid.len = len; + + if( p + len >= end ) + { + mbedtls_platform_zeroize( other_name, sizeof( other_name ) ); + return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); + } + p += len; + if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, + MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) + return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); + + other_name->value.hardware_module_name.val.tag = MBEDTLS_ASN1_OCTET_STRING; + other_name->value.hardware_module_name.val.p = p; + other_name->value.hardware_module_name.val.len = len; + other_name->value.hardware_module_name.next = NULL; + other_name->value.hardware_module_name.next_merged = 0; + p += len; + if( p != end ) + { + mbedtls_platform_zeroize( other_name, + sizeof( other_name ) ); + return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); + } + return( 0 ); +} + static int x509_info_subject_alt_name( char **buf, size_t *size, - const mbedtls_x509_sequence *subject_alt_name ) + const mbedtls_x509_sequence *subject_alt_name, + const char *prefix ) { size_t i; + int ret; size_t n = *size; char *p = *buf; const mbedtls_x509_sequence *cur = subject_alt_name; - const char *sep = ""; - size_t sep_len = 0; while( cur != NULL ) { - if( cur->buf.len + sep_len >= n ) + switch( cur->buf.tag & + ( MBEDTLS_ASN1_TAG_CLASS_MASK | MBEDTLS_ASN1_TAG_VALUE_MASK ) ) { - *p = '\0'; - return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL ); + /* + * otherName + */ + case( MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_OTHER_NAME ): + { + mbedtls_x509_san_other_name other_name; + + ret = x509_get_other_name( &cur->buf, &other_name ); + if( ret != 0 ) + { + /* + * In case MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE is returned, + * then the "otherName" is of an unsupported type. Ignore. + */ + if( ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE ) + ret = 0; + return( ret ); + } + + ret = mbedtls_snprintf( p, n, "\n%s otherName :", prefix ); + MBEDTLS_X509_SAFE_SNPRINTF; + + if( MBEDTLS_OID_CMP( MBEDTLS_OID_ON_HW_MODULE_NAME, + &other_name.value.hardware_module_name.oid ) != 0 ) + { + ret = mbedtls_snprintf( p, n, "\n%s hardware module name :", prefix ); + MBEDTLS_X509_SAFE_SNPRINTF; + ret = mbedtls_snprintf( p, n, "\n%s hardware type : ", prefix ); + MBEDTLS_X509_SAFE_SNPRINTF; + + ret = mbedtls_oid_get_numeric_string( p, n, &other_name.value.hardware_module_name.oid ); + MBEDTLS_X509_SAFE_SNPRINTF; + + ret = mbedtls_snprintf( p, n, "\n%s hardware serial number : ", prefix ); + MBEDTLS_X509_SAFE_SNPRINTF; + + if( other_name.value.hardware_module_name.val.len >= n ) + { + *p = '\0'; + return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL ); + } + + for( i = 0; i < other_name.value.hardware_module_name.val.len; i++ ) + { + *p++ = other_name.value.hardware_module_name.val.p[i]; + } + n -= other_name.value.hardware_module_name.val.len; + + }/* MBEDTLS_OID_ON_HW_MODULE_NAME */ + } + break; + + /* + * dNSName + */ + case( MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_DNS_NAME ): + { + + ret = mbedtls_snprintf( p, n, "\n%s dNSName : ", prefix ); + MBEDTLS_X509_SAFE_SNPRINTF; + if( cur->buf.len >= n ) + { + *p = '\0'; + return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL ); + } + n -= cur->buf.len; + for( i = 0; i < cur->buf.len; i++ ) + *p++ = cur->buf.p[i]; + } + break; + + /* + * Type not supported, skip item. + */ + default: + break; } - n -= cur->buf.len + sep_len; - for( i = 0; i < sep_len; i++ ) - *p++ = sep[i]; - for( i = 0; i < cur->buf.len; i++ ) - *p++ = cur->buf.p[i]; - - sep = ", "; - sep_len = 2; cur = cur->next; } @@ -1473,6 +1630,105 @@ static int x509_info_subject_alt_name( char **buf, size_t *size, return( 0 ); } +int mbedtls_x509_parse_subject_alternative_name( const mbedtls_x509_crt *crt, + mbedtls_x509_subject_alternative_name **san ) +{ + int ret; + const mbedtls_x509_sequence *cur = &crt->subject_alt_names; + mbedtls_x509_subject_alternative_name *cur_san = *san, *prev_san = NULL; + + if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME ) + { + if( cur_san != NULL ) + { + return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); + } + + while( cur != NULL ) + { + switch( cur->buf.tag & + ( MBEDTLS_ASN1_TAG_CLASS_MASK | + MBEDTLS_ASN1_TAG_VALUE_MASK ) ) + { + /* + * otherName + */ + case( MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_OTHER_NAME ): + { + mbedtls_x509_san_other_name other_name; + + ret = x509_get_other_name( &cur->buf, &other_name ); + if( ret != 0 ) + { + /* + * In case MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE is returned, + * then the "otherName" is of an unsupported type. Ignore. + */ + if( ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE ) + ret = 0; + cur = cur->next; + continue; + } + + cur_san = mbedtls_calloc( 1, sizeof( mbedtls_x509_subject_alternative_name ) ); + if( cur_san == NULL ) + return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + + MBEDTLS_ERR_ASN1_ALLOC_FAILED ); + + if( prev_san != NULL ) + prev_san->next = cur_san; + + cur_san->type = MBEDTLS_X509_SAN_OTHER_NAME; + memcpy( &cur_san->san.other_name, + &other_name, sizeof( other_name ) ); + + } + break; + + /* + * dNSName + */ + case( MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_DNS_NAME ): + { + cur_san = mbedtls_calloc( 1, sizeof( mbedtls_x509_subject_alternative_name ) ); + if( cur_san == NULL ) + return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + + MBEDTLS_ERR_ASN1_ALLOC_FAILED ); + + if( prev_san != NULL ) + prev_san->next = cur_san; + + memset( cur_san, 0, sizeof( mbedtls_x509_subject_alternative_name ) ); + cur_san->type = MBEDTLS_X509_SAN_DNS_NAME; + + memcpy( &cur_san->san.unstructured_name, + &cur->buf, sizeof( cur->buf ) ); + + } + break; + + /* + * Type not supported, skip item. + */ + default: + break; + } + + if( *san == NULL ) + *san = cur_san; + + if( cur_san != NULL ) + { + prev_san = cur_san; + cur_san = cur_san->next; + } + + cur = cur->next; + }/* while( cur != NULL ) */ + }/* crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME */ + return( 0 ); +} + #define PRINT_ITEM(i) \ { \ ret = mbedtls_snprintf( p, n, "%s" i, sep ); \ @@ -1659,11 +1915,12 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix, if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME ) { - ret = mbedtls_snprintf( p, n, "\n%ssubject alt name : ", prefix ); + ret = mbedtls_snprintf( p, n, "\n%ssubject alt name :", prefix ); MBEDTLS_X509_SAFE_SNPRINTF; if( ( ret = x509_info_subject_alt_name( &p, &n, - &crt->subject_alt_names ) ) != 0 ) + &crt->subject_alt_names, + prefix) ) != 0 ) return( ret ); } diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 748514db1..6680c808f 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -142,6 +142,12 @@ server5-ss-forgeca.crt: server5.key $(FAKETIME) '2015-09-01 14:08:43' $(OPENSSL) req -x509 -new -subj "/C=UK/O=mbed TLS/CN=mbed TLS Test intermediate CA 3" -set_serial 77 -config $(test_ca_config_file) -extensions noext_ca -days 3650 -sha256 -key $< -out $@ all_final += server5-ss-forgeca.crt +server5-othername.crt: server5.key + $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS othername SAN" -set_serial 77 -config $(test_ca_config_file) -extensions othername_san -days 3650 -sha256 -key $< -out $@ + +server5-unsupported_othername.crt: server5.key + $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS unsupported othername SAN" -set_serial 77 -config $(test_ca_config_file) -extensions unsupoported_othername_san -days 3650 -sha256 -key $< -out $@ + server10-badsign.crt: server10.crt { head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; } > $@ all_final += server10-badsign.crt diff --git a/tests/data_files/multiple_san.crt b/tests/data_files/multiple_san.crt new file mode 100644 index 000000000..8cdc73061 --- /dev/null +++ b/tests/data_files/multiple_san.crt @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIB2jCCAYCgAwIBAgIBBDAKBggqhkjOPQQDAjBKMQswCQYDVQQGEwJVSzERMA8G +A1UECgwITWJlZCBUTFMxKDAmBgNVBAMMH01iZWQgVExTIG11bHRpcGxlIG90aGVy +bmFtZSBTQU4wHhcNMTkwNDIyMTYxMDQ4WhcNMjkwNDE5MTYxMDQ4WjBKMQswCQYD +VQQGEwJVSzERMA8GA1UECgwITWJlZCBUTFMxKDAmBgNVBAMMH01iZWQgVExTIG11 +bHRpcGxlIG90aGVybmFtZSBTQU4wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ3 +zFbZdgkeWnI+x1kt/yBu7nz5BpF00K0UtfdoIllikk7lANgjEf/qL9I0XV0WvYqI +wmt3DVXNiioO+gHItO3/o1cwVTBTBgNVHREETDBKggtleGFtcGxlLmNvbaAfBggr +BgEFBQcIBKATMBEGBysGAQQBEQMEBjEyMzQ1NoILZXhhbXBsZS5uZXSCDSouZXhh +bXBsZS5vcmcwCgYIKoZIzj0EAwIDSAAwRQIhAMZUkp+pcuFQ3WWdgvV4Y+tIXOyS +L6p0RtEAOi/GgigVAiB50n3rIUKjapYstPp3yOpGZGyRxnc6uRdSiMH5wLA4yw== +-----END CERTIFICATE----- diff --git a/tests/data_files/server5-othername.crt b/tests/data_files/server5-othername.crt new file mode 100644 index 000000000..3be1a772c --- /dev/null +++ b/tests/data_files/server5-othername.crt @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBnzCCAUWgAwIBAgIBTTAKBggqhkjOPQQDAjBBMQswCQYDVQQGEwJVSzERMA8G +A1UECgwITWJlZCBUTFMxHzAdBgNVBAMMFk1iZWQgVExTIG90aGVybmFtZSBTQU4w +HhcNMTkwMzI0MDkwNjAyWhcNMjkwMzIxMDkwNjAyWjBBMQswCQYDVQQGEwJVSzER +MA8GA1UECgwITWJlZCBUTFMxHzAdBgNVBAMMFk1iZWQgVExTIG90aGVybmFtZSBT +QU4wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ3zFbZdgkeWnI+x1kt/yBu7nz5 +BpF00K0UtfdoIllikk7lANgjEf/qL9I0XV0WvYqIwmt3DVXNiioO+gHItO3/oy4w +LDAqBgNVHREEIzAhoB8GCCsGAQUFBwgEoBMwEQYHKwYBBAERAwQGMTIzNDU2MAoG +CCqGSM49BAMCA0gAMEUCIQCijdm1AfArx2p4cLCVciHCTE8UXRiTm8f85k4aNzzf +sgIgCdmLyfZB9jsSPH3A3O1GATAR3O9OTtEDC+YSc+lvxSw= +-----END CERTIFICATE----- diff --git a/tests/data_files/server5-unsupported_othername.crt b/tests/data_files/server5-unsupported_othername.crt new file mode 100644 index 000000000..b46fc2d96 --- /dev/null +++ b/tests/data_files/server5-unsupported_othername.crt @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBtjCCAVygAwIBAgIBTTAKBggqhkjOPQQDAjBNMQswCQYDVQQGEwJVSzERMA8G +A1UECgwITWJlZCBUTFMxKzApBgNVBAMMIk1iZWQgVExTIHVuc3VwcG9ydGVkIG90 +aGVybmFtZSBTQU4wHhcNMTkwNTAxMDkxMDM1WhcNMjkwNDI4MDkxMDM1WjBNMQsw +CQYDVQQGEwJVSzERMA8GA1UECgwITWJlZCBUTFMxKzApBgNVBAMMIk1iZWQgVExT +IHVuc3VwcG9ydGVkIG90aGVybmFtZSBTQU4wWTATBgcqhkjOPQIBBggqhkjOPQMB +BwNCAAQ3zFbZdgkeWnI+x1kt/yBu7nz5BpF00K0UtfdoIllikk7lANgjEf/qL9I0 +XV0WvYqIwmt3DVXNiioO+gHItO3/oy0wKzApBgNVHREEIjAgoB4GAyoDBKAXDBVz +b21lIG90aGVyIGlkZW50aWZpZXIwCgYIKoZIzj0EAwIDSAAwRQIhANkj6n9qHYVi +FLfb0IRZpIsvvuNCjSgT8yBLVjJYQj3nAiBffQKZ7y/F6rfon6L1GZU0BBja8BLX +rXp8WpY7Bc8myQ== +-----END CERTIFICATE----- diff --git a/tests/data_files/test-ca.opensslconf b/tests/data_files/test-ca.opensslconf index f66b39e3c..d345fe99e 100644 --- a/tests/data_files/test-ca.opensslconf +++ b/tests/data_files/test-ca.opensslconf @@ -12,6 +12,25 @@ subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always basicConstraints = CA:true +[othername_san] +subjectAltName=otherName:1.3.6.1.5.5.7.8.4;SEQ:hw_module_name + +[unsupoported_othername_san] +subjectAltName=otherName:1.2.3.4;UTF8:some other identifier + +[alt_names] +DNS.1=example.com +otherName.1=1.3.6.1.5.5.7.8.4;SEQ:hw_module_name +DNS.2=example.net +DNS.3=*.example.org + +[multiple_san] +subjectAltName=@alt_names + +[hw_module_name] +hwtype = OID:1.3.6.1.4.1.17.3 +hwserial = OCT:123456 + [noext_ca] basicConstraints = CA:true diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index edd3a6fc5..f53ea8232 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -94,6 +94,10 @@ X509 Certificate information EC, SHA512 Digest depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA512_C x509_cert_info:"data_files/server5-sha512.crt":"cert. version \: 3\nserial number \: 15\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA512\nEC key size \: 256 bits\nbasic constraints \: CA=false\n" +X509 Certificate information EC, SHA256 Digest, hardware module name SAN +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C +x509_cert_info:"data_files/server5-othername.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nissued on \: 2019-03-24 09\:06\:02\nexpires on \: 2029-03-21 09\:06\:02\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 123456\n" + X509 Certificate information, NS Cert Type depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C x509_cert_info:"data_files/server1.cert_type.crt":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2011-02-12 14\:44\:06\nexpires on \: 2021-02-12 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\ncert. type \: SSL Server\n" @@ -108,11 +112,15 @@ x509_cert_info:"data_files/keyUsage.decipherOnly.crt":"cert. version \: 3\ns X509 Certificate information, Subject Alt Name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -x509_cert_info:"data_files/cert_example_multi.crt":"cert. version \: 3\nserial number \: 11\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=www.example.com\nissued on \: 2012-05-10 13\:23\:41\nexpires on \: 2022-05-11 13\:23\:41\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \: example.com, example.net, *.example.org\n" +x509_cert_info:"data_files/cert_example_multi.crt":"cert. version \: 3\nserial number \: 11\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=www.example.com\nissued on \: 2012-05-10 13\:23\:41\nexpires on \: 2022-05-11 13\:23\:41\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n dNSName \: example.com\n dNSName \: example.net\n dNSName \: *.example.org\n" + +X509 Certificate information, Multiple different Subject Alt Name +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C +x509_cert_info:"data_files/multiple_san.crt":"cert. version \: 3\nserial number \: 04\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS multiple othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS multiple othername SAN\nissued on \: 2019-04-22 16\:10\:48\nexpires on \: 2029-04-19 16\:10\:48\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n dNSName \: example.com\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 123456\n dNSName \: example.net\n dNSName \: *.example.org\n" X509 Certificate information, Subject Alt Name + Key Usage depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -x509_cert_info:"data_files/cert_example_multi_nocn.crt":"cert. version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nsubject alt name \: www.shotokan-braunschweig.de, www.massimo-abate.eu\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" +x509_cert_info:"data_files/cert_example_multi_nocn.crt":"cert. version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nsubject alt name \:\n dNSName \: www.shotokan-braunschweig.de\n dNSName \: www.massimo-abate.eu\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 Certificate information, Key Usage + Extended Key Usage depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C @@ -128,11 +136,31 @@ x509_cert_info:"data_files/server3.crt":"cert. version \: 3\nserial number X509 Certificate information Bitstring in subject name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -x509_cert_info:"data_files/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=?7101012255\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \: \next key usage \: TLS Web Client Authentication\n" +x509_cert_info:"data_files/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=?7101012255\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\next key usage \: TLS Web Client Authentication\n" X509 certificate v1 with extension depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3:MBEDTLS_SHA1_C -x509_cert_info:"data_files/cert_v1_with_ext.crt":"cert. version \: 1\nserial number \: BD\:ED\:44\:C7\:D2\:3E\:C2\:A4\nissuer name \: C=XX, ST=XX, L=XX, O=XX, OU=XX, emailAddress=admin@identity-check.org, CN=identity-check.org\nsubject name \: C=XX, ST=XX, L=XX, O=XX, OU=XX, emailAddress=admin@identity-check.org, CN=identity-check.org\nissued on \: 2013-07-04 16\:17\:02\nexpires on \: 2014-07-04 16\:17\:02\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nsubject alt name \: identity-check.org, www.identity-check.org\n" +x509_cert_info:"data_files/cert_v1_with_ext.crt":"cert. version \: 1\nserial number \: BD\:ED\:44\:C7\:D2\:3E\:C2\:A4\nissuer name \: C=XX, ST=XX, L=XX, O=XX, OU=XX, emailAddress=admin@identity-check.org, CN=identity-check.org\nsubject name \: C=XX, ST=XX, L=XX, O=XX, OU=XX, emailAddress=admin@identity-check.org, CN=identity-check.org\nissued on \: 2013-07-04 16\:17\:02\nexpires on \: 2014-07-04 16\:17\:02\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nsubject alt name \:\n dNSName \: identity-check.org\n dNSName \: www.identity-check.org\n" + +X509 SAN parsing otherName +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C +x509_parse_san:"data_files/server5-othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 123456\n" + +X509 SAN parsing dNSName +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C +x509_parse_san:"data_files/cert_example_multi.crt":"type \: 2\ndNSName \: example.com\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n" + +X509 SAN parsing Multiple different types +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C +x509_parse_san:"data_files/multiple_san.crt":"type \: 2\ndNSName \: example.com\ntype \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 123456\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n" + +X509 SAN parsing, no subject alt name +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C +x509_parse_san:"data_files/server4.crt":"" + +X509 SAN parsing, unsupported otherName name +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C +x509_parse_san:"data_files/server5-unsupported_othername.crt":"" X509 CRL information #1 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index b11ab849a..beec52cc3 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -219,6 +219,79 @@ int verify_print( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint return( 0 ); } + +int verify_parse_san( mbedtls_x509_subject_alternative_name *san, + char **buf, size_t *size ) +{ + int ret; + size_t i; + char *p = *buf; + size_t n = *size; + + ret = mbedtls_snprintf( p, n, "type : %u", san->type ); + MBEDTLS_X509_SAFE_SNPRINTF; + + switch( san->type ) + { + case( MBEDTLS_X509_SAN_OTHER_NAME ): + ret = mbedtls_snprintf( p, n, "\notherName :"); + MBEDTLS_X509_SAFE_SNPRINTF; + + if( MBEDTLS_OID_CMP( MBEDTLS_OID_ON_HW_MODULE_NAME, + &san->san.other_name.value.hardware_module_name.oid ) != 0 ) + { + ret = mbedtls_snprintf( p, n, " hardware module name :" ); + MBEDTLS_X509_SAFE_SNPRINTF; + ret = mbedtls_snprintf( p, n, " hardware type : " ); + MBEDTLS_X509_SAFE_SNPRINTF; + + ret = mbedtls_oid_get_numeric_string( p, n, + &san->san.other_name.value.hardware_module_name.oid ); + MBEDTLS_X509_SAFE_SNPRINTF; + + ret = mbedtls_snprintf( p, n, ", hardware serial number : " ); + MBEDTLS_X509_SAFE_SNPRINTF; + + if( san->san.other_name.value.hardware_module_name.val.len >= n ) + { + *p = '\0'; + return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL ); + } + + for( i=0; i < san->san.other_name.value.hardware_module_name.val.len; i++ ) + { + *p++ = san->san.other_name.value.hardware_module_name.val.p[i]; + } + n -= san->san.other_name.value.hardware_module_name.val.len; + } + break;/* MBEDTLS_OID_ON_HW_MODULE_NAME */ + case( MBEDTLS_X509_SAN_DNS_NAME ): + ret = mbedtls_snprintf( p, n, "\ndNSName : " ); + MBEDTLS_X509_SAFE_SNPRINTF; + if( san->san.unstructured_name.len >= n ) + { + *p = '\0'; + return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL ); + } + n -= san->san.unstructured_name.len; + for( i = 0; i < san->san.unstructured_name.len; i++ ) + *p++ = san->san.unstructured_name.p[i]; + break;/* MBEDTLS_X509_SAN_DNS_NAME */ + + default: + /* + * Should not happen. + */ + return( -1 ); + } + ret = mbedtls_snprintf( p, n, "\n" ); + MBEDTLS_X509_SAFE_SNPRINTF; + + *size = n; + *buf = p; + + return( 0 ); +} #endif /* MBEDTLS_X509_CRT_PARSE_C */ /* END_HEADER */ @@ -227,6 +300,41 @@ int verify_print( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint * END_DEPENDENCIES */ +/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ +void x509_parse_san( char * crt_file, char * result_str ) +{ + mbedtls_x509_crt crt; + mbedtls_x509_subject_alternative_name *cur, *next, *san = NULL; + char buf[2000]; + char *p = buf; + size_t n = sizeof( buf ); + + mbedtls_x509_crt_init( &crt ); + memset( buf, 0, 2000 ); + + TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); + TEST_ASSERT( mbedtls_x509_parse_subject_alternative_name( &crt, &san ) == 0 ); + cur = san; + while( cur != NULL ) + { + TEST_ASSERT( verify_parse_san( cur, &p, &n ) == 0 ); + cur = cur->next; + } + + TEST_ASSERT( strcmp( buf, result_str ) == 0 ); + +exit: + + for( cur = san; cur != NULL; cur = next ) + { + next = cur->next; + mbedtls_free( cur ); + } + + mbedtls_x509_crt_free( &crt ); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ void x509_cert_info( char * crt_file, char * result_str ) {