From e12b01d31b032e5db26f9b5f36f577668ad3e867 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Tue, 10 Jan 2023 06:47:38 -0500 Subject: [PATCH 01/14] Add support for directoryName subjectAltName Signed-off-by: Andrzej Kurek --- include/mbedtls/x509.h | 3 +- library/x509.c | 41 ++++++++++++++++++++++ tests/data_files/Makefile | 4 +++ tests/data_files/server5-directoryname.crt | 13 +++++++ tests/data_files/test-ca.opensslconf | 8 +++++ tests/suites/test_suite_x509parse.data | 8 +++++ tests/suites/test_suite_x509parse.function | 11 ++++++ 7 files changed, 87 insertions(+), 1 deletion(-) create mode 100644 tests/data_files/server5-directoryname.crt diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index bd1947e465..82cffff36a 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -294,7 +294,8 @@ typedef struct mbedtls_x509_subject_alternative_name { int type; /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */ union { mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */ - mbedtls_x509_buf unstructured_name; /**< The buffer for the unconstructed types. Only rfc822Name, dnsName and uniformResourceIdentifier are currently supported */ + mbedtls_x509_name directory_name; + mbedtls_x509_buf unstructured_name; /**< The buffer for the unstructured types. rfc822Name, dnsName and uniformResourceIdentifier are currently supported. */ } san; /**< A union of the supported SAN types */ } diff --git a/library/x509.c b/library/x509.c index 6f88f3fb43..da772b843d 100644 --- a/library/x509.c +++ b/library/x509.c @@ -1433,6 +1433,31 @@ int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf, } break; + /* + * directoryName + */ + case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_DIRECTORY_NAME): + { + size_t name_len; + unsigned char *p = san_buf->p; + memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name)); + san->type = MBEDTLS_X509_SAN_DIRECTORY_NAME; + + ret = mbedtls_asn1_get_tag(&p, p + san_buf->len, &name_len, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); + + if (ret != 0) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, + ret); + } + + if ((ret = mbedtls_x509_get_name(&p, p + name_len, + &san->san.directory_name)) != 0) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, + ret); + } + } + break; /* * Type not supported */ @@ -1553,6 +1578,22 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size, } break; + /* + * directoryName + */ + case MBEDTLS_X509_SAN_DIRECTORY_NAME: + { + ret = mbedtls_snprintf(p, n, "\n%s directoryName : ", prefix); + MBEDTLS_X509_SAFE_SNPRINTF; + ret = mbedtls_x509_dn_gets(p, n, &san.san.directory_name); + if (ret < 0) { + return ret; + } + + p += ret; + n -= ret; + } + break; /* * Type not supported, skip item. */ diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 7cdbd24b54..ce4a25794c 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -337,6 +337,10 @@ server5-fan.crt: server5.key server5-tricky-ip-san.crt: server5.key $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS Tricky IP SAN" -set_serial 77 -config $(test_ca_config_file) -extensions tricky_ip_san -days 3650 -sha256 -key server5.key -out $@ + +server5-directoryname.crt: server5.key + $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS directoryName SAN" -set_serial 77 -config $(test_ca_config_file) -extensions directory_name_san -days 3650 -sha256 -key server5.key -out $@ + all_final += server5-tricky-ip-san.crt rsa_single_san_uri.crt.der: rsa_single_san_uri.key diff --git a/tests/data_files/server5-directoryname.crt b/tests/data_files/server5-directoryname.crt new file mode 100644 index 0000000000..afa88b3840 --- /dev/null +++ b/tests/data_files/server5-directoryname.crt @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB7jCCAZSgAwIBAgIBTTAKBggqhkjOPQQDAjBFMQswCQYDVQQGEwJVSzERMA8G +A1UECgwITWJlZCBUTFMxIzAhBgNVBAMMGk1iZWQgVExTIGRpcmVjdG9yeU5hbWUg +U0FOMB4XDTIzMDExMDE2NTkyOVoXDTMzMDEwNzE2NTkyOVowRTELMAkGA1UEBhMC +VUsxETAPBgNVBAoMCE1iZWQgVExTMSMwIQYDVQQDDBpNYmVkIFRMUyBkaXJlY3Rv +cnlOYW1lIFNBTjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDfMVtl2CR5acj7H +WS3/IG7ufPkGkXTQrRS192giWWKSTuUA2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76 +Aci07f+jdTBzMFIGA1UdEQRLMEmkRzBFMQswCQYDVQQGEwJVSzERMA8GA1UECgwI +TWJlZCBUTFMxIzAhBgNVBAMMGk1iZWQgVExTIGRpcmVjdG9yeU5hbWUgU0FOMB0G +A1UdDgQWBBRQYaWP1AfZ14IBDOVlf4xjRqcTvjAKBggqhkjOPQQDAgNIADBFAiBr +PtyaL8tF+jghNK32ZnWriCp2k7Aq+QVuef+6+sSH6AIhAIKw+o0J2Pu27ulHFIzI +MdFECpZ3nqAGbTOTOMX6LoDh +-----END CERTIFICATE----- diff --git a/tests/data_files/test-ca.opensslconf b/tests/data_files/test-ca.opensslconf index 8f8385a489..16afebf77b 100644 --- a/tests/data_files/test-ca.opensslconf +++ b/tests/data_files/test-ca.opensslconf @@ -99,3 +99,11 @@ nsCertType=server keyUsage = cRLSign subjectAltName=otherName:1.3.6.1.5.5.7.8.4;SEQ:nonprintable_hw_module_name nsCertType=client + +[directory_name_san] +subjectAltName=dirName:dirname_sect + +[dirname_sect] +C=UK +O=Mbed TLS +CN=Mbed TLS directoryName SAN diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index c025c3ffbf..5554c27723 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -94,6 +94,10 @@ X509 CRT information EC, SHA256 Digest, binary hardware module name SAN depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256 x509_cert_info:"data_files/server5-nonprintable_othername.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS non-printable othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS non-printable othername SAN\nissued on \: 2022-09-06 15\:56\:47\nexpires on \: 2032-09-03 15\:56\:47\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 3132338081008180333231\n" +X509 CRT information EC, SHA256 Digest, directoryName SAN +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA +x509_cert_info:"data_files/server5-directoryname.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nissued on \: 2023-01-10 16\:59\:29\nexpires on \: 2033-01-07 16\:59\:29\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n directoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n" + X509 CRT information EC, SHA256 Digest, Wisun Fan device depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256 x509_cert_info:"data_files/server5-fan.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nissued on \: 2019-03-25 09\:03\:46\nexpires on \: 2029-03-22 09\:03\:46\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\next key usage \: Wi-SUN Alliance Field Area Network (FAN)\n" @@ -190,6 +194,10 @@ X509 SAN parsing binary otherName depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256 x509_parse_san:"data_files/server5-nonprintable_othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 3132338081008180333231\n" +X509 SAN parsing directoryName +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA +x509_parse_san:"data_files/server5-directoryname.crt":"type \: 4\ndirectoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n" + X509 SAN parsing dNSName depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 x509_parse_san:"data_files/cert_example_multi.crt":"type \: 2\ndNSName \: example.com\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n" diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index ed1dcaf8fc..abdc5aafc8 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -289,6 +289,17 @@ int verify_parse_san(mbedtls_x509_subject_alternative_name *san, *p++ = san->san.unstructured_name.p[i]; } break;/* MBEDTLS_X509_SAN_RFC822_NAME */ + case (MBEDTLS_X509_SAN_DIRECTORY_NAME): + ret = mbedtls_snprintf(p, n, "\ndirectoryName : "); + MBEDTLS_X509_SAFE_SNPRINTF; + ret = mbedtls_x509_dn_gets(p, n, &san->san.directory_name); + if (ret < 0) { + return ret; + } + + p += ret; + n -= ret; + break;/* MBEDTLS_X509_SAN_DIRECTORY_NAME */ default: /* * Should not happen. From 4a4f1ec8e9625ffb01b7de2351e0e0b6d819d840 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Thu, 12 Jan 2023 06:51:20 -0500 Subject: [PATCH 02/14] Add the original certificate to be malformed for x509 tests Signed-off-by: Andrzej Kurek --- tests/data_files/Makefile | 3 +++ tests/data_files/server5-two-directorynames.crt | 13 +++++++++++++ tests/data_files/test-ca.opensslconf | 6 ++++++ 3 files changed, 22 insertions(+) create mode 100644 tests/data_files/server5-two-directorynames.crt diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index ce4a25794c..27f2afa913 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -341,6 +341,9 @@ server5-tricky-ip-san.crt: server5.key server5-directoryname.crt: server5.key $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS directoryName SAN" -set_serial 77 -config $(test_ca_config_file) -extensions directory_name_san -days 3650 -sha256 -key server5.key -out $@ +server5-two-directorynames.crt: server5.key + $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS directoryName SAN" -set_serial 77 -config $(test_ca_config_file) -extensions two_directorynames -days 3650 -sha256 -key server5.key -out $@ + all_final += server5-tricky-ip-san.crt rsa_single_san_uri.crt.der: rsa_single_san_uri.key diff --git a/tests/data_files/server5-two-directorynames.crt b/tests/data_files/server5-two-directorynames.crt new file mode 100644 index 0000000000..aa76c16fc3 --- /dev/null +++ b/tests/data_files/server5-two-directorynames.crt @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIICCTCCAa+gAwIBAgIBTTAKBggqhkjOPQQDAjBFMQswCQYDVQQGEwJVSzERMA8G +A1UECgwITWJlZCBUTFMxIzAhBgNVBAMMGk1iZWQgVExTIGRpcmVjdG9yeU5hbWUg +U0FOMB4XDTIzMDExMjEwMzQxMVoXDTMzMDEwOTEwMzQxMVowRTELMAkGA1UEBhMC +VUsxETAPBgNVBAoMCE1iZWQgVExTMSMwIQYDVQQDDBpNYmVkIFRMUyBkaXJlY3Rv +cnlOYW1lIFNBTjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDfMVtl2CR5acj7H +WS3/IG7ufPkGkXTQrRS192giWWKSTuUA2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76 +Aci07f+jgY8wgYwwawYDVR0RBGQwYqRHMEUxCzAJBgNVBAYTAlVLMREwDwYDVQQK +DAhNYmVkIFRMUzEjMCEGA1UEAwwaTWJlZCBUTFMgZGlyZWN0b3J5TmFtZSBTQU6k +FzAVMRMwEQYDVQQKDApNQUxGT1JNX01FMB0GA1UdDgQWBBRQYaWP1AfZ14IBDOVl +f4xjRqcTvjAKBggqhkjOPQQDAgNIADBFAiAHI/ousygMhcDhAb+bK402vAh4+bGK +UuwPMpd1XQ2FHAIhAL0uuCTzI72PJLyxB4cFtbmodUejDc+Oa02AUW4Ed8Uu +-----END CERTIFICATE----- diff --git a/tests/data_files/test-ca.opensslconf b/tests/data_files/test-ca.opensslconf index 16afebf77b..a642b7379a 100644 --- a/tests/data_files/test-ca.opensslconf +++ b/tests/data_files/test-ca.opensslconf @@ -103,7 +103,13 @@ nsCertType=client [directory_name_san] subjectAltName=dirName:dirname_sect +[bad_second_directory_name_san] +subjectAltName=dirName:dirname_sect, dirName:dirname_sect_bad + [dirname_sect] C=UK O=Mbed TLS CN=Mbed TLS directoryName SAN + +[two_directorynames] +O=MALFORM_ME From d40c2b65a6978329b6608e0445fe489e4799c513 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 13 Feb 2023 07:01:59 -0500 Subject: [PATCH 03/14] Introduce proper memory management for SANs DirectoryName parsing performs allocation that has to be handled. Signed-off-by: Andrzej Kurek --- include/mbedtls/x509.h | 9 ++++++++- library/x509.c | 12 ++++++++++++ tests/suites/test_suite_x509parse.function | 4 +++- 3 files changed, 23 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index 82cffff36a..73730dcd72 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -379,7 +379,8 @@ int mbedtls_x509_time_is_future(const mbedtls_x509_time *from); /** * \brief This function parses an item in the SubjectAlternativeNames - * extension. + * extension. Please note that mbedtls_x509_free_subject_alt_name + * has to be called to dispose of the structure afterwards. * * \param san_buf The buffer holding the raw data item of the subject * alternative name. @@ -407,6 +408,12 @@ int mbedtls_x509_time_is_future(const mbedtls_x509_time *from); */ int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf, mbedtls_x509_subject_alternative_name *san); +/** + * \brief Unallocate all data related to subject alternative name + * + * \param san SAN structure to free + */ +void mbedtls_x509_free_subject_alt_name(mbedtls_x509_subject_alternative_name *san); /** \} addtogroup x509_module */ diff --git a/library/x509.c b/library/x509.c index da772b843d..f8695d4a98 100644 --- a/library/x509.c +++ b/library/x509.c @@ -1283,6 +1283,7 @@ int mbedtls_x509_get_subject_alt_name(unsigned char **p, return ret; } + mbedtls_x509_free_subject_alt_name(&dummy_san_buf); /* Allocate and assign next pointer */ if (cur->buf.p != NULL) { if (cur->next != NULL) { @@ -1467,6 +1468,13 @@ int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf, return 0; } +void mbedtls_x509_free_subject_alt_name(mbedtls_x509_subject_alternative_name *san) +{ + if (san->type == MBEDTLS_X509_SAN_DIRECTORY_NAME) { + mbedtls_asn1_free_named_data_list_shallow(san->san.directory_name.next); + } +} + #if !defined(MBEDTLS_X509_REMOVE_INFO) int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size, const mbedtls_x509_sequence @@ -1586,6 +1594,7 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size, ret = mbedtls_snprintf(p, n, "\n%s directoryName : ", prefix); MBEDTLS_X509_SAFE_SNPRINTF; ret = mbedtls_x509_dn_gets(p, n, &san.san.directory_name); + if (ret < 0) { return ret; } @@ -1603,6 +1612,9 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size, break; } + /* So far memory is freed only in the case of directoryName + * parsing succeeding, as mbedtls_x509_dn_gets allocates memory. */ + mbedtls_x509_free_subject_alt_name(&san); cur = cur->next; } diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index abdc5aafc8..29c05745ad 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -461,7 +461,9 @@ void x509_parse_san(char *crt_file, char *result_str) * If san type not supported, ignore. */ if (ret == 0) { - TEST_ASSERT(verify_parse_san(&san, &p, &n) == 0); + ret = verify_parse_san(&san, &p, &n); + mbedtls_x509_free_subject_alt_name(&san); + TEST_EQUAL(ret, 0); } cur = cur->next; } From 151d85d82cc43e1f6e6d30d84d36dcf151588bd4 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Thu, 12 Jan 2023 08:59:37 -0500 Subject: [PATCH 04/14] Introduce a test for a malformed directoryname SAN Signed-off-by: Andrzej Kurek --- tests/data_files/Makefile | 3 +++ .../server5-second-directoryname-malformed.crt | 13 +++++++++++++ tests/suites/test_suite_x509parse.data | 8 ++++++++ 3 files changed, 24 insertions(+) create mode 100644 tests/data_files/server5-second-directoryname-malformed.crt diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 27f2afa913..233a2c781c 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -344,6 +344,9 @@ server5-directoryname.crt: server5.key server5-two-directorynames.crt: server5.key $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS directoryName SAN" -set_serial 77 -config $(test_ca_config_file) -extensions two_directorynames -days 3650 -sha256 -key server5.key -out $@ +server5-second-directoryname-malformed.crt: server5-two-directorynames.crt + (head -n1 $<; sed -n '2,12p' $< | base64 --decode | hexdump -ve '1/1 "%.2X"' | sed "s/0355040A0C0A4D414C464F524D5F4D45/1555040A0C0A4D414C464F524D5F4D45/" | xxd -r -p | base64 -w64; tail -n1 $<) > $@ + all_final += server5-tricky-ip-san.crt rsa_single_san_uri.crt.der: rsa_single_san_uri.key diff --git a/tests/data_files/server5-second-directoryname-malformed.crt b/tests/data_files/server5-second-directoryname-malformed.crt new file mode 100644 index 0000000000..11d439b3e8 --- /dev/null +++ b/tests/data_files/server5-second-directoryname-malformed.crt @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIICCTCCAa+gAwIBAgIBTTAKBggqhkjOPQQDAjBFMQswCQYDVQQGEwJVSzERMA8G +A1UECgwITWJlZCBUTFMxIzAhBgNVBAMMGk1iZWQgVExTIGRpcmVjdG9yeU5hbWUg +U0FOMB4XDTIzMDExMjEwMzQxMVoXDTMzMDEwOTEwMzQxMVowRTELMAkGA1UEBhMC +VUsxETAPBgNVBAoMCE1iZWQgVExTMSMwIQYDVQQDDBpNYmVkIFRMUyBkaXJlY3Rv +cnlOYW1lIFNBTjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDfMVtl2CR5acj7H +WS3/IG7ufPkGkXTQrRS192giWWKSTuUA2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76 +Aci07f+jgY8wgYwwawYDVR0RBGQwYqRHMEUxCzAJBgNVBAYTAlVLMREwDwYDVQQK +DAhNYmVkIFRMUzEjMCEGA1UEAwwaTWJlZCBUTFMgZGlyZWN0b3J5TmFtZSBTQU6k +FzAVMRMwEQYVVQQKDApNQUxGT1JNX01FMB0GA1UdDgQWBBRQYaWP1AfZ14IBDOVl +f4xjRqcTvjAKBggqhkjOPQQDAgNIADBFAiAHI/ousygMhcDhAb+bK402vAh4+bGK +UuwPMpd1XQ2FHAIhAL0uuCTzI72PJLyxB4cFtbmodUejDc+Oa02AUW4Ed8Uu +-----END CERTIFICATE----- diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 5554c27723..b811314d59 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -98,6 +98,14 @@ X509 CRT information EC, SHA256 Digest, directoryName SAN depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA x509_cert_info:"data_files/server5-directoryname.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nissued on \: 2023-01-10 16\:59\:29\nexpires on \: 2033-01-07 16\:59\:29\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n directoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n" +X509 CRT information EC, SHA256 Digest, two directoryName SANs +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA +x509_cert_info:"data_files/server5-two-directorynames.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nissued on \: 2023-01-12 10\:34\:11\nexpires on \: 2033-01-09 10\:34\:11\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n directoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n directoryName \: O=MALFORM_ME\n" + +X509 CRT information EC, SHA256 Digest, second directoryname malformed +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA +x509_cert_info:"data_files/server5-second-directoryname-malformed.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nissued on \: 2023-01-12 10\:34\:11\nexpires on \: 2033-01-09 10\:34\:11\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n directoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n \n" + X509 CRT information EC, SHA256 Digest, Wisun Fan device depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256 x509_cert_info:"data_files/server5-fan.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nissued on \: 2019-03-25 09\:03\:46\nexpires on \: 2029-03-22 09\:03\:46\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\next key usage \: Wi-SUN Alliance Field Area Network (FAN)\n" From bf8ccd81099777e88ca4db63166b65219a76030d Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 13 Feb 2023 07:13:30 -0500 Subject: [PATCH 05/14] Adjust error reporting in x509 SAN parsing Signed-off-by: Andrzej Kurek --- library/x509.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/library/x509.c b/library/x509.c index f8695d4a98..4b4e1b6d6e 100644 --- a/library/x509.c +++ b/library/x509.c @@ -1448,14 +1448,12 @@ int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); if (ret != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, - ret); + return ret; } if ((ret = mbedtls_x509_get_name(&p, p + name_len, &san->san.directory_name)) != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, - ret); + return ret; } } break; From d348632a6aa48058163b54102be7310e7f5fe5af Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Fri, 20 Jan 2023 05:21:52 -0500 Subject: [PATCH 06/14] Switch from PEM to DER format for new x509 directoryname test This simplifies generating malformed data and doesn't require the PEM support for tests. Signed-off-by: Andrzej Kurek --- tests/data_files/Makefile | 12 ++++++------ tests/data_files/server5-directoryname.crt | 13 ------------- tests/data_files/server5-directoryname.crt.der | Bin 0 -> 498 bytes .../server5-second-directoryname-malformed.crt | 13 ------------- ...rver5-second-directoryname-malformed.crt.der | Bin 0 -> 525 bytes tests/data_files/server5-two-directorynames.crt | 13 ------------- .../server5-two-directorynames.crt.der | Bin 0 -> 525 bytes tests/suites/test_suite_x509parse.data | 16 ++++++++-------- 8 files changed, 14 insertions(+), 53 deletions(-) delete mode 100644 tests/data_files/server5-directoryname.crt create mode 100644 tests/data_files/server5-directoryname.crt.der delete mode 100644 tests/data_files/server5-second-directoryname-malformed.crt create mode 100644 tests/data_files/server5-second-directoryname-malformed.crt.der delete mode 100644 tests/data_files/server5-two-directorynames.crt create mode 100644 tests/data_files/server5-two-directorynames.crt.der diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 233a2c781c..563d86ea10 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -338,14 +338,14 @@ server5-fan.crt: server5.key server5-tricky-ip-san.crt: server5.key $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS Tricky IP SAN" -set_serial 77 -config $(test_ca_config_file) -extensions tricky_ip_san -days 3650 -sha256 -key server5.key -out $@ -server5-directoryname.crt: server5.key - $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS directoryName SAN" -set_serial 77 -config $(test_ca_config_file) -extensions directory_name_san -days 3650 -sha256 -key server5.key -out $@ +server5-directoryname.crt.der: server5.key + $(OPENSSL) req -x509 -outform der -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS directoryName SAN" -set_serial 77 -config $(test_ca_config_file) -extensions directory_name_san -days 3650 -sha256 -key server5.key -out $@ -server5-two-directorynames.crt: server5.key - $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS directoryName SAN" -set_serial 77 -config $(test_ca_config_file) -extensions two_directorynames -days 3650 -sha256 -key server5.key -out $@ +server5-two-directorynames.crt.der: server5.key + $(OPENSSL) req -x509 -outform der -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS directoryName SAN" -set_serial 77 -config $(test_ca_config_file) -extensions two_directorynames -days 3650 -sha256 -key server5.key -out $@ -server5-second-directoryname-malformed.crt: server5-two-directorynames.crt - (head -n1 $<; sed -n '2,12p' $< | base64 --decode | hexdump -ve '1/1 "%.2X"' | sed "s/0355040A0C0A4D414C464F524D5F4D45/1555040A0C0A4D414C464F524D5F4D45/" | xxd -r -p | base64 -w64; tail -n1 $<) > $@ +server5-second-directoryname-malformed.crt.der: server5-two-directorynames.crt.der + hexdump -ve '1/1 "%.2X"' $< | sed "s/0355040A0C0A4D414C464F524D5F4D45/1555040A0C0A4D414C464F524D5F4D45/" | xxd -r -p > $@ all_final += server5-tricky-ip-san.crt diff --git a/tests/data_files/server5-directoryname.crt b/tests/data_files/server5-directoryname.crt deleted file mode 100644 index afa88b3840..0000000000 --- a/tests/data_files/server5-directoryname.crt +++ /dev/null @@ -1,13 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIB7jCCAZSgAwIBAgIBTTAKBggqhkjOPQQDAjBFMQswCQYDVQQGEwJVSzERMA8G -A1UECgwITWJlZCBUTFMxIzAhBgNVBAMMGk1iZWQgVExTIGRpcmVjdG9yeU5hbWUg -U0FOMB4XDTIzMDExMDE2NTkyOVoXDTMzMDEwNzE2NTkyOVowRTELMAkGA1UEBhMC -VUsxETAPBgNVBAoMCE1iZWQgVExTMSMwIQYDVQQDDBpNYmVkIFRMUyBkaXJlY3Rv -cnlOYW1lIFNBTjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDfMVtl2CR5acj7H -WS3/IG7ufPkGkXTQrRS192giWWKSTuUA2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76 -Aci07f+jdTBzMFIGA1UdEQRLMEmkRzBFMQswCQYDVQQGEwJVSzERMA8GA1UECgwI -TWJlZCBUTFMxIzAhBgNVBAMMGk1iZWQgVExTIGRpcmVjdG9yeU5hbWUgU0FOMB0G -A1UdDgQWBBRQYaWP1AfZ14IBDOVlf4xjRqcTvjAKBggqhkjOPQQDAgNIADBFAiBr -PtyaL8tF+jghNK32ZnWriCp2k7Aq+QVuef+6+sSH6AIhAIKw+o0J2Pu27ulHFIzI -MdFECpZ3nqAGbTOTOMX6LoDh ------END CERTIFICATE----- diff --git a/tests/data_files/server5-directoryname.crt.der b/tests/data_files/server5-directoryname.crt.der new file mode 100644 index 0000000000000000000000000000000000000000..4badea1a279ff3e58a340bdafe353563bb93355e GIT binary patch literal 498 zcmXqLVti-N#5iREGZP~d6Qi#I7aNCGo5wj@7G@>`S3_%W5xD%bsWkr=M6pErN#G)@x+$5{}-1U z6dMEqJt`~6;%(r$#GP7BmIax~$0Eie5|FsG{|fuf>rIS2PgCoAlHHaI??a9YW)B7f zS0;sQyF0V=PrLrIP&8TlEvV-<)Vu0jz{YLSIB!; z^OJ32$%VBdTfb*0MJ7%1d&+P_S@8cW{YxgXv0{6>Iu2!*^M;=7(&GEYcw)=j|BD;@ z4H|n4vVmTe6=X>P4 z3VOqDG`%#Iw^fEokzudi4wcW!d;3-PY-Dd|-MVu{srzEy^L^RA4S{(qV-<)Vu0jz{YLSIB!; z^OJ32$%VBdTfb*0MJ7%1d&+P_S@8cW{YxgXv0{6>Iu2!*^M;=7(&GEYcw)=j|BD;@ z4H|n4vVmTe6=X>\n" +depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA +x509_cert_info:"data_files/server5-second-directoryname-malformed.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nissued on \: 2023-01-12 10\:34\:11\nexpires on \: 2033-01-09 10\:34\:11\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n directoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n \n" X509 CRT information EC, SHA256 Digest, Wisun Fan device depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256 @@ -203,8 +203,8 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R x509_parse_san:"data_files/server5-nonprintable_othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 3132338081008180333231\n" X509 SAN parsing directoryName -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_parse_san:"data_files/server5-directoryname.crt":"type \: 4\ndirectoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n" +depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA +x509_parse_san:"data_files/server5-directoryname.crt.der":"type \: 4\ndirectoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n" X509 SAN parsing dNSName depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 From d90376ef46b4c6e64a62c6f4975c553da205ec4e Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Fri, 20 Jan 2023 07:08:57 -0500 Subject: [PATCH 07/14] Add a test for a malformed directoryname sequence Signed-off-by: Andrzej Kurek --- tests/data_files/Makefile | 7 +++- ...erver5-directoryname-seq-malformed.crt.der | Bin 0 -> 525 bytes ...econd-directoryname-oid-malformed.crt.der} | Bin tests/suites/test_suite_x509parse.data | 30 ++++++++++-------- tests/suites/test_suite_x509parse.function | 7 ++-- 5 files changed, 28 insertions(+), 16 deletions(-) create mode 100644 tests/data_files/server5-directoryname-seq-malformed.crt.der rename tests/data_files/{server5-second-directoryname-malformed.crt.der => server5-second-directoryname-oid-malformed.crt.der} (100%) diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 563d86ea10..d137b25dc5 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -344,7 +344,12 @@ server5-directoryname.crt.der: server5.key server5-two-directorynames.crt.der: server5.key $(OPENSSL) req -x509 -outform der -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS directoryName SAN" -set_serial 77 -config $(test_ca_config_file) -extensions two_directorynames -days 3650 -sha256 -key server5.key -out $@ -server5-second-directoryname-malformed.crt.der: server5-two-directorynames.crt.der +# directoryname sequence tag malformed +server5-directoryname-seq-malformed.crt.der: server5-two-directorynames.crt.der + hexdump -ve '1/1 "%.2X"' $< | sed "s/62A4473045310B/62A4473145310B/" | xxd -r -p > $@ + +# Second directoryname OID length malformed 03 -> 15 +server5-second-directoryname-oid-malformed.crt.der: server5-two-directorynames.crt.der hexdump -ve '1/1 "%.2X"' $< | sed "s/0355040A0C0A4D414C464F524D5F4D45/1555040A0C0A4D414C464F524D5F4D45/" | xxd -r -p > $@ all_final += server5-tricky-ip-san.crt diff --git a/tests/data_files/server5-directoryname-seq-malformed.crt.der b/tests/data_files/server5-directoryname-seq-malformed.crt.der new file mode 100644 index 0000000000000000000000000000000000000000..4b0c3252af6ef1c7484026fc4e43523d3dc9f67b GIT binary patch literal 525 zcmXqLV&XJtVqCv~nTe5!iP6`9i;Y98&EuRc3p0~}t0A`mCmVAp3!5-gsJEe@0Y8Yt z#lzv7l$xRt;uCDBY@i4dV&;*82`Qvx7NsVaV-<)Vu0jz{YLSIB!; z^OJ32$%VBdTfb*0MJ7%1d&+P_S@8cW{YxgXv0{6>Iu2!*^M;=7(&GEYcw)=j|BD;@ z4H|n4vVmTe6=X>\n" +X509 CRT information EC, SHA256 Digest, second DN OID malformed +depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256 +x509_cert_info:"data_files/server5-second-directoryname-oid-malformed.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nissued on \: 2023-01-12 10\:34\:11\nexpires on \: 2033-01-09 10\:34\:11\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n directoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n \n" X509 CRT information EC, SHA256 Digest, Wisun Fan device depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256 @@ -196,31 +196,35 @@ x509_cert_info:"data_files/non-ascii-string-in-issuer.crt":"cert. version \: X509 SAN parsing otherName depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256 -x509_parse_san:"data_files/server5-othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\n" +x509_parse_san:"data_files/server5-othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\n":0 X509 SAN parsing binary otherName depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256 -x509_parse_san:"data_files/server5-nonprintable_othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 3132338081008180333231\n" +x509_parse_san:"data_files/server5-nonprintable_othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 3132338081008180333231\n":0 X509 SAN parsing directoryName -depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_parse_san:"data_files/server5-directoryname.crt.der":"type \: 4\ndirectoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n" +depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256 +x509_parse_san:"data_files/server5-directoryname.crt.der":"type \: 4\ndirectoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n":0 + +X509 SAN parsing directoryName, seq malformed +depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256 +x509_parse_san:"data_files/server5-directoryname-seq-malformed.crt.der":"":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 SAN parsing dNSName depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -x509_parse_san:"data_files/cert_example_multi.crt":"type \: 2\ndNSName \: example.com\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n" +x509_parse_san:"data_files/cert_example_multi.crt":"type \: 2\ndNSName \: example.com\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n":0 X509 SAN parsing Multiple different types depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256 -x509_parse_san:"data_files/multiple_san.crt":"type \: 2\ndNSName \: example.com\ntype \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n" +x509_parse_san:"data_files/multiple_san.crt":"type \: 2\ndNSName \: example.com\ntype \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n":0 X509 SAN parsing, no subject alt name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SOME -x509_parse_san:"data_files/server4.crt":"" +x509_parse_san:"data_files/server4.crt":"":0 X509 SAN parsing, unsupported otherName name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256 -x509_parse_san:"data_files/server5-unsupported_othername.crt":"" +x509_parse_san:"data_files/server5-unsupported_othername.crt":"":0 X509 SAN parsing rfc822Name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index 29c05745ad..177bc97ad3 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -437,7 +437,7 @@ void x509_accessor_ext_types(int ext_type, int has_ext_type) /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ -void x509_parse_san(char *crt_file, char *result_str) +void x509_parse_san(char *crt_file, char *result_str, int parse_result) { int ret; mbedtls_x509_crt crt; @@ -450,8 +450,11 @@ void x509_parse_san(char *crt_file, char *result_str) mbedtls_x509_crt_init(&crt); memset(buf, 0, 2000); - TEST_ASSERT(mbedtls_x509_crt_parse_file(&crt, crt_file) == 0); + TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), parse_result); + if (parse_result != 0) { + goto exit; + } if (crt.ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) { cur = &crt.subject_alt_names; while (cur != NULL) { From 9fa1d25aeb31b156bce90394d2803aef6ea9d1e1 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Fri, 20 Jan 2023 07:18:50 -0500 Subject: [PATCH 08/14] Add changelog entry for directoryname SAN Signed-off-by: Andrzej Kurek --- ChangeLog.d/add-directoryname-san.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 ChangeLog.d/add-directoryname-san.txt diff --git a/ChangeLog.d/add-directoryname-san.txt b/ChangeLog.d/add-directoryname-san.txt new file mode 100644 index 0000000000..e116298786 --- /dev/null +++ b/ChangeLog.d/add-directoryname-san.txt @@ -0,0 +1,3 @@ +Features + * Add parsing of directoryName subtype for subjectAltName extension in + x509 certificates. From 532b8d41afb8e6c7fb80cdcb7b6a062f40bea035 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 13 Feb 2023 08:10:28 -0500 Subject: [PATCH 09/14] Move an x509 malformation test Now, that the errors are not silently ignored anymore, instead of expecting a tag in parsed data, the test case returns an error. Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_x509parse.data | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 2c48fc7006..1675804707 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -102,10 +102,6 @@ X509 CRT information EC, SHA256 Digest, two directoryName SANs depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256 x509_cert_info:"data_files/server5-two-directorynames.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nissued on \: 2023-01-12 10\:34\:11\nexpires on \: 2033-01-09 10\:34\:11\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n directoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n directoryName \: O=MALFORM_ME\n" -X509 CRT information EC, SHA256 Digest, second DN OID malformed -depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256 -x509_cert_info:"data_files/server5-second-directoryname-oid-malformed.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nissued on \: 2023-01-12 10\:34\:11\nexpires on \: 2033-01-09 10\:34\:11\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n directoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n \n" - X509 CRT information EC, SHA256 Digest, Wisun Fan device depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256 x509_cert_info:"data_files/server5-fan.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nissued on \: 2019-03-25 09\:03\:46\nexpires on \: 2029-03-22 09\:03\:46\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\next key usage \: Wi-SUN Alliance Field Area Network (FAN)\n" @@ -210,6 +206,10 @@ X509 SAN parsing directoryName, seq malformed depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256 x509_parse_san:"data_files/server5-directoryname-seq-malformed.crt.der":"":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +X509 SAN parsing two directoryNames, second DN OID malformed +depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256 +x509_parse_san:"data_files/server5-second-directoryname-oid-malformed.crt.der":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA + X509 SAN parsing dNSName depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 x509_parse_san:"data_files/cert_example_multi.crt":"type \: 2\ndNSName \: example.com\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n":0 From 5f0c6e82fb88049569b7d1f87f4cfd120c80c689 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 27 Feb 2023 16:03:41 -0500 Subject: [PATCH 10/14] Add missing deallocation of subject alt name Since mbedtls_x509_get_name allocates memory when parsing a directoryName, deallocation has to be performed if anything fails in the meantime. Signed-off-by: Andrzej Kurek --- include/mbedtls/x509.h | 6 ++++-- library/x509.c | 7 ++++++- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index 73730dcd72..0cb8aa08c6 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -379,8 +379,10 @@ int mbedtls_x509_time_is_future(const mbedtls_x509_time *from); /** * \brief This function parses an item in the SubjectAlternativeNames - * extension. Please note that mbedtls_x509_free_subject_alt_name - * has to be called to dispose of the structure afterwards. + * extension. Please note that this function might allocate + * additional memory for a subject alternative name, thus + * mbedtls_x509_free_subject_alt_name has to be called + * to dispose of the structure afterwards. * * \param san_buf The buffer holding the raw data item of the subject * alternative name. diff --git a/library/x509.c b/library/x509.c index 4b4e1b6d6e..c9524c958e 100644 --- a/library/x509.c +++ b/library/x509.c @@ -1590,10 +1590,15 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size, case MBEDTLS_X509_SAN_DIRECTORY_NAME: { ret = mbedtls_snprintf(p, n, "\n%s directoryName : ", prefix); + if (ret < 0 || (size_t) ret >= n) { + mbedtls_x509_free_subject_alt_name(&san); + } + MBEDTLS_X509_SAFE_SNPRINTF; ret = mbedtls_x509_dn_gets(p, n, &san.san.directory_name); if (ret < 0) { + mbedtls_x509_free_subject_alt_name(&san); return ret; } @@ -1611,7 +1616,7 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size, } /* So far memory is freed only in the case of directoryName - * parsing succeeding, as mbedtls_x509_dn_gets allocates memory. */ + * parsing succeeding, as mbedtls_x509_get_name allocates memory. */ mbedtls_x509_free_subject_alt_name(&san); cur = cur->next; } From 8bc128eca7e0c51e9698a1e88d433d8138388f86 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 27 Feb 2023 16:09:52 -0500 Subject: [PATCH 11/14] Add missing information about supported subjectAltName types Signed-off-by: Andrzej Kurek --- include/mbedtls/x509_crt.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index d7392378cd..6c86a6629e 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -75,7 +75,7 @@ typedef struct mbedtls_x509_crt { mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */ mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */ mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */ - mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName, uniformResourceIdentifier and OtherName are listed). */ + mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName, uniformResourceIdentifier, DirectoryName and OtherName are listed). */ mbedtls_x509_sequence certificate_policies; /**< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). */ From 43d7131c149843625a3796f9b60f41b9411037ff Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 27 Feb 2023 17:24:36 -0500 Subject: [PATCH 12/14] Fix rfc822name test arguments Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_x509parse.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 1675804707..685b8596d2 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -228,7 +228,7 @@ x509_parse_san:"data_files/server5-unsupported_othername.crt":"":0 X509 SAN parsing rfc822Name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -x509_parse_san:"data_files/test_cert_rfc822name.crt.der":"type \: 1\nrfc822Name \: my@other.address\ntype \: 1\nrfc822Name \: second@other.address\n" +x509_parse_san:"data_files/test_cert_rfc822name.crt.der":"type \: 1\nrfc822Name \: my@other.address\ntype \: 1\nrfc822Name \: second@other.address\n":0 X509 CRL information #1 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO From c27ba3a531609107ba0e5ad6535115e18ff11306 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 6 Mar 2023 10:48:30 +0100 Subject: [PATCH 13/14] Clarify SAN structure memory management Co-authored-by: David Horstmann Signed-off-by: Andrzej Kurek --- include/mbedtls/x509.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index 0cb8aa08c6..8dfd1f364c 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -382,7 +382,7 @@ int mbedtls_x509_time_is_future(const mbedtls_x509_time *from); * extension. Please note that this function might allocate * additional memory for a subject alternative name, thus * mbedtls_x509_free_subject_alt_name has to be called - * to dispose of the structure afterwards. + * to dispose of this additional memory afterwards. * * \param san_buf The buffer holding the raw data item of the subject * alternative name. @@ -413,7 +413,7 @@ int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf, /** * \brief Unallocate all data related to subject alternative name * - * \param san SAN structure to free + * \param san SAN structure - extra memory owned by this structure will be freed */ void mbedtls_x509_free_subject_alt_name(mbedtls_x509_subject_alternative_name *san); From 303704ef4afa11d396a9a066e2ea1564f4c55c45 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 6 Mar 2023 04:50:47 -0500 Subject: [PATCH 14/14] Remove unnecessary tabs Signed-off-by: Andrzej Kurek --- tests/data_files/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index d137b25dc5..4228f45822 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -337,7 +337,7 @@ server5-fan.crt: server5.key server5-tricky-ip-san.crt: server5.key $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS Tricky IP SAN" -set_serial 77 -config $(test_ca_config_file) -extensions tricky_ip_san -days 3650 -sha256 -key server5.key -out $@ - + server5-directoryname.crt.der: server5.key $(OPENSSL) req -x509 -outform der -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS directoryName SAN" -set_serial 77 -config $(test_ca_config_file) -extensions directory_name_san -days 3650 -sha256 -key server5.key -out $@ @@ -347,7 +347,7 @@ server5-two-directorynames.crt.der: server5.key # directoryname sequence tag malformed server5-directoryname-seq-malformed.crt.der: server5-two-directorynames.crt.der hexdump -ve '1/1 "%.2X"' $< | sed "s/62A4473045310B/62A4473145310B/" | xxd -r -p > $@ - + # Second directoryname OID length malformed 03 -> 15 server5-second-directoryname-oid-malformed.crt.der: server5-two-directorynames.crt.der hexdump -ve '1/1 "%.2X"' $< | sed "s/0355040A0C0A4D414C464F524D5F4D45/1555040A0C0A4D414C464F524D5F4D45/" | xxd -r -p > $@