From 1747304a7a3e86706261ad96447feb1b496ae490 Mon Sep 17 00:00:00 2001
From: Andrzej Kurek
Date: Sun, 30 Apr 2023 14:11:23 -0400
Subject: [PATCH 1/2] Update the descriptions of SANs

All of them are listed, so the previous description was wrong.

Signed-off-by: Andrzej Kurek
---
 include/mbedtls/x509.h | 5 +++--
 include/mbedtls/x509_crt.h | 2 +-
 include/mbedtls/x509_csr.h | 2 +-
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h
index 7faf176b5a..6f3b555782 100644
--- a/include/mbedtls/x509.h
+++ b/include/mbedtls/x509.h
@@ -304,7 +304,7 @@ mbedtls_x509_san_other_name;
 typedef struct mbedtls_x509_subject_alternative_name {
     int type; /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
     union {
-        mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */
+        mbedtls_x509_san_other_name other_name;
         mbedtls_x509_name directory_name;
         mbedtls_x509_buf unstructured_name; /**< The buffer for the unstructured types. rfc822Name, dnsName and uniformResourceIdentifier are currently supported. */
     }
@@ -401,7 +401,8 @@ int mbedtls_x509_time_is_future(const mbedtls_x509_time *from);
  *        of the subject alternative name encoded in \p san_raw.
  *
  * \note  Supported GeneralName types, as defined in RFC 5280:
- *        "rfc822Name", "dnsName", "uniformResourceIdentifier" and "hardware_module_name"
+ *        "rfc822Name", "dnsName", "directoryName",
+ *        "uniformResourceIdentifier" and "hardware_module_name"
  *        of type "otherName", as defined in RFC 4108.
  *
  * \note  This function should be called on a single raw data of
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index e1b4aa238d..803ef735de 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
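Review bot: In the first x509.h hunk the `other_name` member of the union loses its only description while its sibling `unstructured_name` keeps one, so a public struct field is now undocumented; a short Doxygen comment stating which `type` value selects it would keep the header self-describing, e.g. `/**< The otherName value; valid when type selects the otherName SAN type. */`. The neighbouring `directory_name` member has never had a description, and since the second hunk now advertises directoryName as a supported GeneralName, `/**< The directoryName value; valid when type selects the directoryName SAN type. */` would complete the picture. The `unstructured_name` comment could additionally tell consumers that the buffer points into the DER encoding and is not NUL-terminated, which is the usual pitfall when a SAN is later compared as a C string.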
@@ -75,7 +75,7 @@ typedef struct mbedtls_x509_crt {
     mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */
     mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */
     mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */
-    mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName, uniformResourceIdentifier, DirectoryName and OtherName are listed). */
+    mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension. These can be later parsed by mbedtls_x509_parse_subject_alt_name. */
     mbedtls_x509_buf subject_key_id; /**< Optional X.509 v3 extension subject key identifier. */
     mbedtls_x509_authority authority_key_id; /**< Optional X.509 v3 extension authority key identifier. */
diff --git a/include/mbedtls/x509_csr.h b/include/mbedtls/x509_csr.h
index f3f9e13a03..76e02380fb 100644
--- a/include/mbedtls/x509_csr.h
+++ b/include/mbedtls/x509_csr.h
@@ -60,7 +60,7 @@ typedef struct mbedtls_x509_csr {
     unsigned int key_usage; /**< Optional key usage extension value: See the values in x509.h */
     unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values in x509.h */
-    mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). */
+    mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension. These can be later parsed by mbedtls_x509_parse_subject_alt_name. */
     int MBEDTLS_PRIVATE(ext_types); /**< Bit string containing detected and parsed extensions */

From 154a605ae81cacf7ead7c70e116f240ef5e07765 Mon Sep 17 00:00:00 2001
From: Andrzej Kurek
Date: Sun, 30 Apr 2023 14:11:49 -0400
Subject: [PATCH 2/2] Change the name of the temporary san variable

Explain why it is used.
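Review bot: The new `subject_alt_names` comment in x509_crt.h points callers at `mbedtls_x509_parse_subject_alt_name` but not at the matching release step, even though the second patch shows the library itself calling `mbedtls_x509_free_subject_alt_name` on every parsed result; the x509_csr.h hunk below has the same gap. Without that hint an application that parses each entry to inspect names will presumably leak whatever the parser allocates (the library frees something, so at least some SAN types own heap memory). Suggest ending both comments with `Each entry is parsed individually and the result must be released with mbedtls_x509_free_subject_alt_name.`, which also restates the single-entry contract documented in x509.h.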
Signed-off-by: Andrzej Kurek
---
 library/x509.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/library/x509.c b/library/x509.c
index 5f6715aa25..8a4426478d 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -1215,9 +1215,9 @@ int mbedtls_x509_get_subject_alt_name_ext(unsigned char **p,
     mbedtls_asn1_sequence *cur = subject_alt_name;
     while (*p < end) {
-        mbedtls_x509_subject_alternative_name dummy_san_buf;
+        mbedtls_x509_subject_alternative_name tmp_san_name;
         mbedtls_x509_buf tmp_san_buf;
-        memset(&dummy_san_buf, 0, sizeof(dummy_san_buf));
+        memset(&tmp_san_name, 0, sizeof(tmp_san_name));
         tmp_san_buf.tag = **p;
         (*p)++;
@@ -1236,9 +1236,10 @@ int mbedtls_x509_get_subject_alt_name_ext(unsigned char **p,
         }
         /*
-         * Check that the SAN is structured correctly.
+         * Check that the SAN is structured correctly by parsing it.
+         * The SAN structure is discarded afterwards.
          */
-        ret = mbedtls_x509_parse_subject_alt_name(&tmp_san_buf, &dummy_san_buf);
+        ret = mbedtls_x509_parse_subject_alt_name(&tmp_san_buf, &tmp_san_name);
         /*
          * In case the extension is malformed, return an error,
          * and clear the allocated sequences.
@@ -1249,7 +1250,7 @@ int mbedtls_x509_get_subject_alt_name_ext(unsigned char **p,
             return ret;
         }
-        mbedtls_x509_free_subject_alt_name(&tmp_san_name);
+        mbedtls_x509_free_subject_alt_name(&tmp_san_name);
         /* Allocate and assign next pointer */
         if (cur->buf.p != NULL) {
             if (cur->next != NULL) {
@@ -1439,7 +1440,7 @@ int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
             break;
         /*
-         * RFC822 Name
+         * rfc822Name
          */
         case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_RFC822_NAME):
         {
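Review bot: Between the parse in the second x509.c hunk and `mbedtls_x509_free_subject_alt_name(&tmp_san_name);` in the third, the malformed-extension branch ends with `return ret;` without releasing `tmp_san_name`; if `mbedtls_x509_parse_subject_alt_name` can fail after it has already attached heap data to the temporary (the `directory_name` member looks heap-backed, since the library frees the struct on success), every malformed SAN in an untrusted certificate would leak one such object. The body of that branch is outside the hunk, so the parser may already clean up after itself; if it does not, add `mbedtls_x509_free_subject_alt_name(&tmp_san_name);` before that `return ret;`. The new comment `The SAN structure is discarded afterwards.` is slightly loose given the early return in between; `Only the result code is used; tmp_san_name is released below.` says exactly what happens. The `memset` on the renamed variable in the first hunk could also become `mbedtls_x509_subject_alternative_name tmp_san_name = { 0 };` at the declaration, which drops one line and one repetition of the name.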