Merge pull request #6900 from AndrzejKurek/san-dirname

Add support for directoryName subjectAltName
2025-03-25 13:43:31 +00:00 · 2023-03-30 18:37:26 +01:00 · 2023-03-30 18:37:26 +01:00 · 03d557db35
commit 03d557db35
parent 54118a1720 303704ef4a
12 changed files with 147 additions and 13 deletions
--- a/ChangeLog.d/add-directoryname-san.txt
+++ b/ChangeLog.d/add-directoryname-san.txt
@ -0,0 +1,3 @@
+Features
+   * Add parsing of directoryName subtype for subjectAltName extension in
+     x509 certificates.
--- a/include/mbedtls/x509.h
+++ b/include/mbedtls/x509.h
@ -294,7 +294,8 @@ typedef struct mbedtls_x509_subject_alternative_name {
    int type;                              /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
    union {
        mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */
-        mbedtls_x509_buf   unstructured_name; /**< The buffer for the unconstructed types. Only rfc822Name, dnsName and uniformResourceIdentifier are currently supported */
+        mbedtls_x509_name directory_name;
+        mbedtls_x509_buf unstructured_name; /**< The buffer for the unstructured types. rfc822Name, dnsName and uniformResourceIdentifier are currently supported. */
    }
    san; /**< A union of the supported SAN types */
 }
@ -378,7 +379,10 @@ int mbedtls_x509_time_is_future(const mbedtls_x509_time *from);

 /**
 * \brief          This function parses an item in the SubjectAlternativeNames
- *                 extension.
+ *                 extension. Please note that this function might allocate
+ *                 additional memory for a subject alternative name, thus
+ *                 mbedtls_x509_free_subject_alt_name has to be called
+ *                 to dispose of this additional memory afterwards.
 *
 * \param san_buf  The buffer holding the raw data item of the subject
 *                 alternative name.
@ -406,6 +410,12 @@ int mbedtls_x509_time_is_future(const mbedtls_x509_time *from);
 */
 int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
                                        mbedtls_x509_subject_alternative_name *san);
+/**
+ * \brief          Unallocate all data related to subject alternative name
+ *
+ * \param san      SAN structure - extra memory owned by this structure will be freed
+ */
+void mbedtls_x509_free_subject_alt_name(mbedtls_x509_subject_alternative_name *san);

 /** \} addtogroup x509_module */

--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@ -75,7 +75,7 @@ typedef struct mbedtls_x509_crt {
    mbedtls_x509_buf issuer_id;         /**< Optional X.509 v2/v3 issuer unique identifier. */
    mbedtls_x509_buf subject_id;        /**< Optional X.509 v2/v3 subject unique identifier. */
    mbedtls_x509_buf v3_ext;            /**< Optional X.509 v3 extensions.  */
-    mbedtls_x509_sequence subject_alt_names;    /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName, uniformResourceIdentifier and OtherName are listed). */
+    mbedtls_x509_sequence subject_alt_names;    /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName, uniformResourceIdentifier, DirectoryName and OtherName are listed). */

    mbedtls_x509_sequence certificate_policies; /**< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). */

--- a/library/x509.c
+++ b/library/x509.c
@ -1283,6 +1283,7 @@ int mbedtls_x509_get_subject_alt_name(unsigned char **p,
            return ret;
        }

+        mbedtls_x509_free_subject_alt_name(&dummy_san_buf);
        /* Allocate and assign next pointer */
        if (cur->buf.p != NULL) {
            if (cur->next != NULL) {
@ -1433,6 +1434,29 @@ int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
        }
        break;

+        /*
+         * directoryName
+         */
+        case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_DIRECTORY_NAME):
+        {
+            size_t name_len;
+            unsigned char *p = san_buf->p;
+            memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name));
+            san->type = MBEDTLS_X509_SAN_DIRECTORY_NAME;
+
+            ret = mbedtls_asn1_get_tag(&p, p + san_buf->len, &name_len,
+                                       MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+
+            if (ret != 0) {
+                return ret;
+            }
+
+            if ((ret = mbedtls_x509_get_name(&p, p + name_len,
+                                             &san->san.directory_name)) != 0) {
+                return ret;
+            }
+        }
+        break;
        /*
         * Type not supported
         */
@ -1442,6 +1466,13 @@ int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
    return 0;
 }

+void mbedtls_x509_free_subject_alt_name(mbedtls_x509_subject_alternative_name *san)
+{
+    if (san->type == MBEDTLS_X509_SAN_DIRECTORY_NAME) {
+        mbedtls_asn1_free_named_data_list_shallow(san->san.directory_name.next);
+    }
+}
+
 #if !defined(MBEDTLS_X509_REMOVE_INFO)
 int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
                                       const mbedtls_x509_sequence
@ -1553,6 +1584,28 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
            }
            break;

+            /*
+             * directoryName
+             */
+            case MBEDTLS_X509_SAN_DIRECTORY_NAME:
+            {
+                ret = mbedtls_snprintf(p, n, "\n%s    directoryName : ", prefix);
+                if (ret < 0 || (size_t) ret >= n) {
+                    mbedtls_x509_free_subject_alt_name(&san);
+                }
+
+                MBEDTLS_X509_SAFE_SNPRINTF;
+                ret = mbedtls_x509_dn_gets(p, n, &san.san.directory_name);
+
+                if (ret < 0) {
+                    mbedtls_x509_free_subject_alt_name(&san);
+                    return ret;
+                }
+
+                p += ret;
+                n -= ret;
+            }
+            break;
            /*
             * Type not supported, skip item.
             */
@ -1562,6 +1615,9 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
                break;
        }

+        /* So far memory is freed only in the case of directoryName
+         * parsing succeeding, as mbedtls_x509_get_name allocates memory. */
+        mbedtls_x509_free_subject_alt_name(&san);
        cur = cur->next;
    }

--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@ -337,6 +337,21 @@ server5-fan.crt: server5.key

 server5-tricky-ip-san.crt: server5.key
 	$(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS Tricky IP SAN" -set_serial 77 -config $(test_ca_config_file) -extensions tricky_ip_san -days 3650 -sha256 -key server5.key -out $@
+
+server5-directoryname.crt.der: server5.key
+	$(OPENSSL) req -x509 -outform der -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS directoryName SAN" -set_serial 77 -config $(test_ca_config_file) -extensions directory_name_san -days 3650 -sha256 -key server5.key -out $@
+
+server5-two-directorynames.crt.der: server5.key
+	$(OPENSSL) req -x509 -outform der -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS directoryName SAN" -set_serial 77 -config $(test_ca_config_file) -extensions two_directorynames -days 3650 -sha256 -key server5.key -out $@
+
+# directoryname sequence tag malformed
+server5-directoryname-seq-malformed.crt.der: server5-two-directorynames.crt.der
+	hexdump -ve '1/1 "%.2X"' $< | sed "s/62A4473045310B/62A4473145310B/" | xxd -r -p > $@
+
+# Second directoryname OID length malformed 03 -> 15
+server5-second-directoryname-oid-malformed.crt.der: server5-two-directorynames.crt.der
+	hexdump -ve '1/1 "%.2X"' $< | sed "s/0355040A0C0A4D414C464F524D5F4D45/1555040A0C0A4D414C464F524D5F4D45/" | xxd -r -p > $@
+
 all_final += server5-tricky-ip-san.crt

 rsa_single_san_uri.crt.der: rsa_single_san_uri.key
--- a/tests/data_files/server5-directoryname-seq-malformed.crt.der
+++ b/tests/data_files/server5-directoryname-seq-malformed.crt.der
--- a/tests/data_files/server5-directoryname.crt.der
+++ b/tests/data_files/server5-directoryname.crt.der
--- a/tests/data_files/server5-second-directoryname-oid-malformed.crt.der
+++ b/tests/data_files/server5-second-directoryname-oid-malformed.crt.der
--- a/tests/data_files/server5-two-directorynames.crt.der
+++ b/tests/data_files/server5-two-directorynames.crt.der
--- a/tests/data_files/test-ca.opensslconf
+++ b/tests/data_files/test-ca.opensslconf
@ -99,3 +99,17 @@ nsCertType=server
 keyUsage = cRLSign
 subjectAltName=otherName:1.3.6.1.5.5.7.8.4;SEQ:nonprintable_hw_module_name
 nsCertType=client
+
+[directory_name_san]
+subjectAltName=dirName:dirname_sect
+
+[bad_second_directory_name_san]
+subjectAltName=dirName:dirname_sect, dirName:dirname_sect_bad
+
+[dirname_sect]
+C=UK
+O=Mbed TLS
+CN=Mbed TLS directoryName SAN
+
+[two_directorynames]
+O=MALFORM_ME
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@ -94,6 +94,14 @@ X509 CRT information EC, SHA256 Digest, binary hardware module name SAN
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
 x509_cert_info:"data_files/server5-nonprintable_othername.crt":"cert. version     \: 3\nserial number     \: 4D\nissuer name       \: C=UK, O=Mbed TLS, CN=Mbed TLS non-printable othername SAN\nsubject name      \: C=UK, O=Mbed TLS, CN=Mbed TLS non-printable othername SAN\nissued  on        \: 2022-09-06 15\:56\:47\nexpires on        \: 2032-09-03 15\:56\:47\nsigned using      \: ECDSA with SHA256\nEC key size       \: 256 bits\nsubject alt name  \:\n    otherName \:\n        hardware module name \:\n            hardware type          \: 1.3.6.1.4.1.17.3\n            hardware serial number \: 3132338081008180333231\n"

+X509 CRT information EC, SHA256 Digest, directoryName SAN
+depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
+x509_cert_info:"data_files/server5-directoryname.crt.der":"cert. version     \: 3\nserial number     \: 4D\nissuer name       \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nsubject name      \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nissued  on        \: 2023-01-10 16\:59\:29\nexpires on        \: 2033-01-07 16\:59\:29\nsigned using      \: ECDSA with SHA256\nEC key size       \: 256 bits\nsubject alt name  \:\n    directoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n"
+
+X509 CRT information EC, SHA256 Digest, two directoryName SANs
+depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
+x509_cert_info:"data_files/server5-two-directorynames.crt.der":"cert. version     \: 3\nserial number     \: 4D\nissuer name       \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nsubject name      \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nissued  on        \: 2023-01-12 10\:34\:11\nexpires on        \: 2033-01-09 10\:34\:11\nsigned using      \: ECDSA with SHA256\nEC key size       \: 256 bits\nsubject alt name  \:\n    directoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n    directoryName \: O=MALFORM_ME\n"
+
 X509 CRT information EC, SHA256 Digest, Wisun Fan device
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
 x509_cert_info:"data_files/server5-fan.crt":"cert. version     \: 3\nserial number     \: 4D\nissuer name       \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nsubject name      \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nissued  on        \: 2019-03-25 09\:03\:46\nexpires on        \: 2029-03-22 09\:03\:46\nsigned using      \: ECDSA with SHA256\nEC key size       \: 256 bits\next key usage     \: Wi-SUN Alliance Field Area Network (FAN)\n"
@ -184,31 +192,43 @@ x509_cert_info:"data_files/non-ascii-string-in-issuer.crt":"cert. version     \:

 X509 SAN parsing otherName
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
-x509_parse_san:"data_files/server5-othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\n"
+x509_parse_san:"data_files/server5-othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\n":0

 X509 SAN parsing binary otherName
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
-x509_parse_san:"data_files/server5-nonprintable_othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 3132338081008180333231\n"
+x509_parse_san:"data_files/server5-nonprintable_othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 3132338081008180333231\n":0
+
+X509 SAN parsing directoryName
+depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
+x509_parse_san:"data_files/server5-directoryname.crt.der":"type \: 4\ndirectoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n":0
+
+X509 SAN parsing directoryName, seq malformed
+depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
+x509_parse_san:"data_files/server5-directoryname-seq-malformed.crt.der":"":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+X509 SAN parsing two directoryNames, second DN OID malformed
+depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
+x509_parse_san:"data_files/server5-second-directoryname-oid-malformed.crt.der":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA

 X509 SAN parsing dNSName
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-x509_parse_san:"data_files/cert_example_multi.crt":"type \: 2\ndNSName \: example.com\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n"
+x509_parse_san:"data_files/cert_example_multi.crt":"type \: 2\ndNSName \: example.com\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n":0

 X509 SAN parsing  Multiple different types
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
-x509_parse_san:"data_files/multiple_san.crt":"type \: 2\ndNSName \: example.com\ntype \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n"
+x509_parse_san:"data_files/multiple_san.crt":"type \: 2\ndNSName \: example.com\ntype \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n":0

 X509 SAN parsing, no subject alt name
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SOME
-x509_parse_san:"data_files/server4.crt":""
+x509_parse_san:"data_files/server4.crt":"":0

 X509 SAN parsing, unsupported otherName name
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
-x509_parse_san:"data_files/server5-unsupported_othername.crt":""
+x509_parse_san:"data_files/server5-unsupported_othername.crt":"":0

 X509 SAN parsing rfc822Name
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-x509_parse_san:"data_files/test_cert_rfc822name.crt.der":"type \: 1\nrfc822Name \: my@other.address\ntype \: 1\nrfc822Name \: second@other.address\n"
+x509_parse_san:"data_files/test_cert_rfc822name.crt.der":"type \: 1\nrfc822Name \: my@other.address\ntype \: 1\nrfc822Name \: second@other.address\n":0

 X509 CRL information #1
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@ -289,6 +289,17 @@ int verify_parse_san(mbedtls_x509_subject_alternative_name *san,
                *p++ = san->san.unstructured_name.p[i];
            }
            break;/* MBEDTLS_X509_SAN_RFC822_NAME */
+        case (MBEDTLS_X509_SAN_DIRECTORY_NAME):
+            ret = mbedtls_snprintf(p, n, "\ndirectoryName : ");
+            MBEDTLS_X509_SAFE_SNPRINTF;
+            ret = mbedtls_x509_dn_gets(p, n, &san->san.directory_name);
+            if (ret < 0) {
+                return ret;
+            }
+
+            p += ret;
+            n -= ret;
+            break;/* MBEDTLS_X509_SAN_DIRECTORY_NAME */
        default:
            /*
             * Should not happen.
@ -426,7 +437,7 @@ void x509_accessor_ext_types(int ext_type, int has_ext_type)
 /* END_CASE */

 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
-void x509_parse_san(char *crt_file, char *result_str)
+void x509_parse_san(char *crt_file, char *result_str, int parse_result)
 {
    int ret;
    mbedtls_x509_crt   crt;
@ -439,8 +450,11 @@ void x509_parse_san(char *crt_file, char *result_str)
    mbedtls_x509_crt_init(&crt);
    memset(buf, 0, 2000);

-    TEST_ASSERT(mbedtls_x509_crt_parse_file(&crt, crt_file) == 0);
+    TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), parse_result);

+    if (parse_result != 0) {
+        goto exit;
+    }
    if (crt.ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) {
        cur = &crt.subject_alt_names;
        while (cur != NULL) {
@ -450,7 +464,9 @@ void x509_parse_san(char *crt_file, char *result_str)
             * If san type not supported, ignore.
             */
            if (ret == 0) {
-                TEST_ASSERT(verify_parse_san(&san, &p, &n) == 0);
+                ret = verify_parse_san(&san, &p, &n);
+                mbedtls_x509_free_subject_alt_name(&san);
+                TEST_EQUAL(ret, 0);
            }
            cur = cur->next;
        }