diff --git a/ChangeLog.d/san_csr.txt b/ChangeLog.d/san_csr.txt new file mode 100644 index 0000000000..b5c6cf3cbb --- /dev/null +++ b/ChangeLog.d/san_csr.txt @@ -0,0 +1,2 @@ +Features + * Add support to include the SubjectAltName extension to a CSR. diff --git a/include/mbedtls/asn1write.h b/include/mbedtls/asn1write.h index acfc073915..da7375962c 100644 --- a/include/mbedtls/asn1write.h +++ b/include/mbedtls/asn1write.h @@ -35,6 +35,15 @@ (g) += ret; \ } while (0) +#define MBEDTLS_ASN1_CHK_CLEANUP_ADD(g, f) \ + do \ + { \ + if ((ret = (f)) < 0) \ + goto cleanup; \ + else \ + (g) += ret; \ + } while (0) + #ifdef __cplusplus extern "C" { #endif diff --git a/include/mbedtls/x509_csr.h b/include/mbedtls/x509_csr.h index e376000a40..f3f9e13a03 100644 --- a/include/mbedtls/x509_csr.h +++ b/include/mbedtls/x509_csr.h @@ -83,6 +83,12 @@ typedef struct mbedtls_x509write_csr { } mbedtls_x509write_csr; +typedef struct mbedtls_x509_san_list { + mbedtls_x509_subject_alternative_name node; + struct mbedtls_x509_san_list *next; +} +mbedtls_x509_san_list; + #if defined(MBEDTLS_X509_CSR_PARSE_C) /** * \brief Load a Certificate Signing Request (CSR) in DER format @@ -228,6 +234,20 @@ void mbedtls_x509write_csr_set_md_alg(mbedtls_x509write_csr *ctx, mbedtls_md_typ */ int mbedtls_x509write_csr_set_key_usage(mbedtls_x509write_csr *ctx, unsigned char key_usage); +/** + * \brief Set Subject Alternative Name + * + * \param ctx CSR context to use + * \param san_list List of SAN values + * + * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED + * + * \note Only "dnsName", "uniformResourceIdentifier" and "otherName", + * as defined in RFC 5280, are supported. + */ +int mbedtls_x509write_csr_set_subject_alternative_name(mbedtls_x509write_csr *ctx, + const mbedtls_x509_san_list *san_list); + /** * \brief Set the Netscape Cert Type flags * (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL) diff --git a/library/x509write_csr.c b/library/x509write_csr.c index d8d8e99ff0..deb66174b2 100644 --- a/library/x509write_csr.c +++ b/library/x509write_csr.c @@ -26,6 +26,7 @@ #if defined(MBEDTLS_X509_CSR_WRITE_C) +#include "mbedtls/x509.h" #include "mbedtls/x509_csr.h" #include "mbedtls/asn1write.h" #include "mbedtls/error.h" @@ -85,6 +86,105 @@ int mbedtls_x509write_csr_set_extension(mbedtls_x509write_csr *ctx, critical, val, val_len); } +int mbedtls_x509write_csr_set_subject_alternative_name(mbedtls_x509write_csr *ctx, + const mbedtls_x509_san_list *san_list) +{ + int ret = 0; + const mbedtls_x509_san_list *cur; + unsigned char *buf; + unsigned char *p; + size_t len; + size_t buflen = 0; + + /* Determine the maximum size of the SubjectAltName list */ + for (cur = san_list; cur != NULL; cur = cur->next) { + /* Calculate size of the required buffer */ + switch (cur->node.type) { + case MBEDTLS_X509_SAN_DNS_NAME: + case MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER: + case MBEDTLS_X509_SAN_IP_ADDRESS: + /* length of value for each name entry, + * maximum 4 bytes for the length field, + * 1 byte for the tag/type. + */ + buflen += cur->node.san.unstructured_name.len + 4 + 1; + break; + + default: + /* Not supported - skip. */ + break; + } + } + + /* Add the extra length field and tag */ + buflen += 4 + 1; + + /* Allocate buffer */ + buf = mbedtls_calloc(1, buflen); + if (buf == NULL) { + return MBEDTLS_ERR_ASN1_ALLOC_FAILED; + } + + mbedtls_platform_zeroize(buf, buflen); + p = buf + buflen; + + /* Write ASN.1-based structure */ + cur = san_list; + len = 0; + while (cur != NULL) { + switch (cur->node.type) { + case MBEDTLS_X509_SAN_DNS_NAME: + case MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER: + case MBEDTLS_X509_SAN_IP_ADDRESS: + { + const unsigned char *unstructured_name = + (const unsigned char *) cur->node.san.unstructured_name.p; + size_t unstructured_name_len = cur->node.san.unstructured_name.len; + + MBEDTLS_ASN1_CHK_CLEANUP_ADD(len, + mbedtls_asn1_write_raw_buffer( + &p, buf, + unstructured_name, unstructured_name_len)); + MBEDTLS_ASN1_CHK_CLEANUP_ADD(len, mbedtls_asn1_write_len( + &p, buf, unstructured_name_len)); + MBEDTLS_ASN1_CHK_CLEANUP_ADD(len, + mbedtls_asn1_write_tag( + &p, buf, + MBEDTLS_ASN1_CONTEXT_SPECIFIC | cur->node.type)); + } + break; + default: + /* Skip unsupported names. */ + break; + } + cur = cur->next; + } + + MBEDTLS_ASN1_CHK_CLEANUP_ADD(len, mbedtls_asn1_write_len(&p, buf, len)); + MBEDTLS_ASN1_CHK_CLEANUP_ADD(len, + mbedtls_asn1_write_tag(&p, buf, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE)); + + ret = mbedtls_x509write_csr_set_extension( + ctx, + MBEDTLS_OID_SUBJECT_ALT_NAME, + MBEDTLS_OID_SIZE(MBEDTLS_OID_SUBJECT_ALT_NAME), + 0, + buf + buflen - len, + len); + + /* If we exceeded the allocated buffer it means that maximum size of the SubjectAltName list + * was incorrectly calculated and memory is corrupted. */ + if (p < buf) { + ret = MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; + } + +cleanup: + mbedtls_free(buf); + return ret; +} + int mbedtls_x509write_csr_set_key_usage(mbedtls_x509write_csr *ctx, unsigned char key_usage) { unsigned char buf[4] = { 0 }; diff --git a/programs/x509/cert_req.c b/programs/x509/cert_req.c index 8ef59325ef..5241438440 100644 --- a/programs/x509/cert_req.c +++ b/programs/x509/cert_req.c @@ -63,6 +63,11 @@ int main(void) " debug_level=%%d default: 0 (disabled)\n" \ " output_file=%%s default: cert.req\n" \ " subject_name=%%s default: CN=Cert,O=mbed TLS,C=UK\n" \ + " san=%%s default: (none)\n" \ + " Comma-separated-list of values:\n" \ + " DNS:value\n" \ + " URI:value\n" \ + " IP:value (Only IPv4 is supported)\n" \ " key_usage=%%s default: (empty)\n" \ " Comma-separated-list of values:\n" \ " digital_signature\n" \ @@ -96,18 +101,31 @@ int main(void) * global options */ struct options { - const char *filename; /* filename of the key file */ - const char *password; /* password for the key file */ - int debug_level; /* level of debugging */ - const char *output_file; /* where to store the constructed key file */ - const char *subject_name; /* subject name for certificate request */ - unsigned char key_usage; /* key usage flags */ - int force_key_usage; /* Force adding the KeyUsage extension */ - unsigned char ns_cert_type; /* NS cert type */ - int force_ns_cert_type; /* Force adding NsCertType extension */ - mbedtls_md_type_t md_alg; /* Hash algorithm used for signature. */ + const char *filename; /* filename of the key file */ + const char *password; /* password for the key file */ + int debug_level; /* level of debugging */ + const char *output_file; /* where to store the constructed key file */ + const char *subject_name; /* subject name for certificate request */ + mbedtls_x509_san_list *san_list; /* subjectAltName for certificate request */ + unsigned char key_usage; /* key usage flags */ + int force_key_usage; /* Force adding the KeyUsage extension */ + unsigned char ns_cert_type; /* NS cert type */ + int force_ns_cert_type; /* Force adding NsCertType extension */ + mbedtls_md_type_t md_alg; /* Hash algorithm used for signature. */ } opt; +static void ip_string_to_bytes(const char *str, uint8_t *bytes, int maxBytes) +{ + for (int i = 0; i < maxBytes; i++) { + bytes[i] = (uint8_t) strtoul(str, NULL, 16); + str = strchr(str, '.'); + if (str == NULL || *str == '\0') { + break; + } + str++; + } +} + int write_certificate_request(mbedtls_x509write_csr *req, const char *output_file, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) @@ -145,11 +163,12 @@ int main(int argc, char *argv[]) mbedtls_pk_context key; char buf[1024]; int i; - char *p, *q, *r; + char *p, *q, *r, *r2; mbedtls_x509write_csr req; mbedtls_entropy_context entropy; mbedtls_ctr_drbg_context ctr_drbg; const char *pers = "csr example app"; + mbedtls_x509_san_list *cur, *prev; /* * Set to sane values @@ -175,15 +194,14 @@ usage: opt.ns_cert_type = DFL_NS_CERT_TYPE; opt.force_ns_cert_type = DFL_FORCE_NS_CERT_TYPE; opt.md_alg = DFL_MD_ALG; + opt.san_list = NULL; for (i = 1; i < argc; i++) { - p = argv[i]; if ((q = strchr(p, '=')) == NULL) { goto usage; } *q++ = '\0'; - if (strcmp(p, "filename") == 0) { opt.filename = q; } else if (strcmp(p, "password") == 0) { @@ -197,6 +215,59 @@ usage: } } else if (strcmp(p, "subject_name") == 0) { opt.subject_name = q; + } else if (strcmp(p, "san") == 0) { + prev = NULL; + + while (q != NULL) { + uint8_t ip[4] = { 0 }; + + if ((r = strchr(q, ';')) != NULL) { + *r++ = '\0'; + } + + cur = mbedtls_calloc(1, sizeof(mbedtls_x509_san_list)); + if (cur == NULL) { + mbedtls_printf("Not enough memory for subjectAltName list\n"); + goto usage; + } + + cur->next = NULL; + + if ((r2 = strchr(q, ':')) != NULL) { + *r2++ = '\0'; + } + + if (strcmp(q, "URI") == 0) { + cur->node.type = MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER; + } else if (strcmp(q, "DNS") == 0) { + cur->node.type = MBEDTLS_X509_SAN_DNS_NAME; + } else if (strcmp(q, "IP") == 0) { + cur->node.type = MBEDTLS_X509_SAN_IP_ADDRESS; + ip_string_to_bytes(r2, ip, 4); + } else { + mbedtls_free(cur); + goto usage; + } + + if (strcmp(q, "IP") == 0) { + cur->node.san.unstructured_name.p = (unsigned char *) ip; + cur->node.san.unstructured_name.len = sizeof(ip); + } else { + q = r2; + cur->node.san.unstructured_name.p = (unsigned char *) q; + cur->node.san.unstructured_name.len = strlen(q); + } + + if (prev == NULL) { + opt.san_list = cur; + } else { + prev->next = cur; + } + + prev = cur; + q = r; + } + } else if (strcmp(p, "md") == 0) { const mbedtls_md_info_t *md_info = mbedtls_md_info_from_string(q); @@ -274,14 +345,39 @@ usage: } } + /* Set the MD algorithm to use for the signature in the CSR */ mbedtls_x509write_csr_set_md_alg(&req, opt.md_alg); + /* Set the Key Usage Extension flags in the CSR */ if (opt.key_usage || opt.force_key_usage == 1) { - mbedtls_x509write_csr_set_key_usage(&req, opt.key_usage); + ret = mbedtls_x509write_csr_set_key_usage(&req, opt.key_usage); + + if (ret != 0) { + mbedtls_printf(" failed\n ! mbedtls_x509write_csr_set_key_usage returned %d", ret); + goto exit; + } } + /* Set the Cert Type flags in the CSR */ if (opt.ns_cert_type || opt.force_ns_cert_type == 1) { - mbedtls_x509write_csr_set_ns_cert_type(&req, opt.ns_cert_type); + ret = mbedtls_x509write_csr_set_ns_cert_type(&req, opt.ns_cert_type); + + if (ret != 0) { + mbedtls_printf(" failed\n ! mbedtls_x509write_csr_set_ns_cert_type returned %d", ret); + goto exit; + } + } + + /* Set the SubjectAltName in the CSR */ + if (opt.san_list != NULL) { + ret = mbedtls_x509write_csr_set_subject_alternative_name(&req, opt.san_list); + + if (ret != 0) { + mbedtls_printf( + " failed\n ! mbedtls_x509write_csr_set_subject_alternative_name returned %d", + ret); + goto exit; + } } /* @@ -363,6 +459,14 @@ exit: mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_entropy_free(&entropy); + cur = opt.san_list; + while (cur != NULL) { + prev = cur; + cur = cur->next; + mbedtls_free(prev); + } + + mbedtls_exit(exit_code); } #endif /* MBEDTLS_X509_CSR_WRITE_C && MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO && diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index e638cafe68..7cdbd24b54 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -1006,7 +1006,7 @@ all_final += server1.req.sha256 server1.req.sha256.ext: server1.key # Generating this with OpenSSL as a comparison point to test we're getting the same result - openssl req -new -out $@ -key $< -subj '/C=NL/O=PolarSSL/CN=PolarSSL Server 1' -sha256 -addext "extendedKeyUsage=serverAuth" + openssl req -new -out $@ -key $< -subj '/C=NL/O=PolarSSL/CN=PolarSSL Server 1' -sha256 -addext "extendedKeyUsage=serverAuth" -addext "subjectAltName=URI:http://pki.example.com/,IP:127.1.1.0,DNS:example.com" all_final += server1.req.sha256.ext server1.req.sha384: server1.key diff --git a/tests/data_files/server1.req.sha256.ext b/tests/data_files/server1.req.sha256.ext index 3f26f09ef0..c5ff5c5731 100644 --- a/tests/data_files/server1.req.sha256.ext +++ b/tests/data_files/server1.req.sha256.ext @@ -1,17 +1,18 @@ -----BEGIN CERTIFICATE REQUEST----- -MIICpzCCAY8CAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow +MIIC3jCCAcYCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/ -DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAmMCQGCSqGSIb3DQEJDjEX -MBUwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAHi0yEGu -Fh5tuLiLuT95UrRnly55+lTY9xchFiKtlcoEdSheybYxqk3JHuSSqojOFKZBlRdk -oG6Azg56/aMHPWyvtCMSRQX4b+FgjeQsm9IfhYNMquQOxyPxm62vjuU3MfZIofXH -hKdI6Ci2CDF4Fyvw50KBWniV38eE9+kjsvDLdXD3ESZJGhjjuFl8ReUiA2wdBTcP -XEZaXUIc6B4tUnlPeqn/2zp4GBqqWzNZx6TXBpApASGG3BEJnM52FVPC7E9p+8YZ -qIGuiF5Cz/rYZkpwffBWIfS2zZakHLm5TB8FgZkWlyReJU9Ihk2Tl/sZ1kllFdYa -xLPnLCL82KFL1Co= +DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaBdMFsGCSqGSIb3DQEJDjFO +MEwwEwYDVR0lBAwwCgYIKwYBBQUHAwEwNQYDVR0RBC4wLIYXaHR0cDovL3BraS5l +eGFtcGxlLmNvbS+HBH8BAQCCC2V4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IB +AQCGmTIXEUvTqwChkzRtxPIQDDchrMnCXgUrTSxre5nvUOpjVlcIIPGWAwxRovfe +pW6OaGZ/3xD0dRAcOW08sTD6GRUazFrubPA1eZiNC7vYdWV59qm84N5yRR/s8Hm+ +okwI47m7W9C0pfaNXchgFUQBn16TrZxPXklbCpBJ/TFV+1ODY0sJPHYiCFpYI+Jz +YuJmadP2BHucl8wv2RyVHywOmV1sDc74i9igVrBCAh8wu+kqImMtrnkGZDxrnj/L +5P1eDfdqG2cN+s40RnMQMosh3UfqpNV/bTgAqBPP2uluT9L1KpWcjZeuvisOgVTq +XwFI5s34fen2DUVw6MWNfbDK -----END CERTIFICATE REQUEST----- diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index cd1f203eaf..5e8230f379 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -152,6 +152,27 @@ void x509_csr_check(char *key_file, char *cert_req_check_file, int md_type, int der_len = -1; const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1"; mbedtls_test_rnd_pseudo_info rnd_info; + mbedtls_x509_san_list san_ip; + mbedtls_x509_san_list san_dns; + mbedtls_x509_san_list san_uri; + mbedtls_x509_san_list *san_list = NULL; + const char san_ip_name[] = { 0x7f, 0x01, 0x01, 0x00 }; // 127.1.1.0 + const char *san_dns_name = "example.com"; + const char *san_uri_name = "http://pki.example.com/"; + + san_uri.node.type = MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER; + san_uri.node.san.unstructured_name.p = (unsigned char *) san_uri_name; + san_uri.node.san.unstructured_name.len = strlen(san_uri_name); + san_uri.next = NULL; + san_ip.node.type = MBEDTLS_X509_SAN_IP_ADDRESS; + san_ip.node.san.unstructured_name.p = (unsigned char *) san_ip_name; + san_ip.node.san.unstructured_name.len = sizeof(san_ip_name); + san_ip.next = &san_uri; + san_dns.node.type = MBEDTLS_X509_SAN_DNS_NAME; + san_dns.node.san.unstructured_name.p = (unsigned char *) san_dns_name; + san_dns.node.san.unstructured_name.len = strlen(san_dns_name); + san_dns.next = &san_ip; + san_list = &san_dns; memset(&rnd_info, 0x2a, sizeof(mbedtls_test_rnd_pseudo_info)); @@ -175,6 +196,8 @@ void x509_csr_check(char *key_file, char *cert_req_check_file, int md_type, if (set_extension != 0) { TEST_ASSERT(csr_set_extended_key_usage(&req, MBEDTLS_OID_SERVER_AUTH, MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH)) == 0); + + TEST_ASSERT(mbedtls_x509write_csr_set_subject_alternative_name(&req, san_list) == 0); } ret = mbedtls_x509write_csr_pem(&req, buf, sizeof(buf),