Escape special characters RFC 4514

This escapes special characters according to RFC 4514 in mbedtls_x509_dn_gets and de-escapes in mbedtls_x509_string_to_names. This commit does not handle hexpairs. Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2025-01-28 18:32:56 +00:00 · 2023-07-20 16:19:05 +01:00 · 2023-07-20 16:19:05 +01:00 · 48513b8639
commit 48513b8639
parent 17d5081ffb
3 changed files with 21 additions and 8 deletions
--- a/library/x509.c
+++ b/library/x509.c
@ -855,12 +855,16 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn)
            }

            c = name->val.p[i];
-            // Special characters requiring escaping, RFC 1779
-            if (c && strchr(",=+<>#;\"\\", c)) {
-                if (j + 1 >= sizeof(s) - 1) {
-                    return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
+            // Special characters requiring escaping, RFC 4514 Section 2.4
+            if (c) {
+                if (strchr(",=+<>;\"\\+", c) || 
+                ((i == 0) && strchr("# ", c)) ||
+                ((i == name->val.len-1 ) && (c == ' '))) {
+                    if (j + 1 >= sizeof(s) - 1) {
+                        return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
+                    }
+                    s[j++] = '\\';
                }
-                s[j++] = '\\';
            }
            if (c < 32 || c >= 127) {
                s[j] = '?';
--- a/library/x509_create.c
+++ b/library/x509_create.c
@ -153,8 +153,8 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam
        if (!in_tag && *c == '\\' && c != end) {
            c++;

-            /* Check for valid escaped characters */
-            if (c == end || *c != ',') {
+            /* Check for valid escaped characters in RFC 4514 in Section 3*/
+            if (c == end || !strchr(" ,=+<>#;\"\\+", *c)) {
                ret = MBEDTLS_ERR_X509_INVALID_NAME;
                goto exit;
            }
--- a/tests/suites/test_suite_x509write.data
+++ b/tests/suites/test_suite_x509write.data
@ -184,8 +184,17 @@ mbedtls_x509_string_to_names:"C=NL, O=Offspark\\a Inc., OU=PolarSSL":"":MBEDTLS_
 X509 String to Names #6 (Escape at end)
 mbedtls_x509_string_to_names:"C=NL, O=Offspark\\":"":MBEDTLS_ERR_X509_INVALID_NAME

-X509 String to Names #6 (Invalid, no '=' or ',')
+X509 String to Names #7 (Invalid, no '=' or ',')
 mbedtls_x509_string_to_names:"ABC123":"":MBEDTLS_ERR_X509_INVALID_NAME

+X509 String to Names #8 (Escape valid characters)
+mbedtls_x509_string_to_names:"C=NL, O=Offspark\\+ \\> \\=, OU=PolarSSL":"C=NL, O=Offspark\\+ \\> \\=, OU=PolarSSL":0
+
+X509 String to Names #9 (Escape '#' at beginning of string)
+mbedtls_x509_string_to_names:"C=NL, O=#Offspark#, OU=PolarSSL":"C=NL, O=\\#Offspark#, OU=PolarSSL":0
+
+X509 String to Names #10 (Escape ' ' at beginning and end of string)
+mbedtls_x509_string_to_names:"C=NL, O= Off spark , OU=PolarSSL":"C=NL, O=\\ Off spark\\ , OU=PolarSSL":0
+
 Check max serial length
 x509_set_serial_check: