mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-04-15 23:42:41 +00:00
Merge pull request #7076 from mprse/parse_RFC822_name
Add parsing of x509 RFC822 name + test
This commit is contained in:
Paul Elliott
GitHub
commit
ac2251dad1
3
ChangeLog.d/san_rfc822Name.txt
Normal file
3
ChangeLog.d/san_rfc822Name.txt
Normal file
@ -0,0 +1,3 @@
|
||||
Features
|
||||
* Add parsing of rfc822Name subtype for subjectAltName
|
||||
extension in x509 certificates.
|
||||
@ -294,7 +294,7 @@ typedef struct mbedtls_x509_subject_alternative_name {
|
||||
int type; /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
|
||||
union {
|
||||
mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */
|
||||
mbedtls_x509_buf unstructured_name; /**< The buffer for the unconstructed types. Only dnsName and uniformResourceIdentifier are currently supported */
|
||||
mbedtls_x509_buf unstructured_name; /**< The buffer for the unconstructed types. Only rfc822Name, dnsName and uniformResourceIdentifier are currently supported */
|
||||
}
|
||||
san; /**< A union of the supported SAN types */
|
||||
}
|
||||
@ -386,7 +386,7 @@ int mbedtls_x509_time_is_future(const mbedtls_x509_time *from);
|
||||
* of the subject alternative name encoded in \p san_raw.
|
||||
*
|
||||
* \note Supported GeneralName types, as defined in RFC 5280:
|
||||
* "dnsName", "uniformResourceIdentifier" and "hardware_module_name"
|
||||
* "rfc822Name", "dnsName", "uniformResourceIdentifier" and "hardware_module_name"
|
||||
* of type "otherName", as defined in RFC 4108.
|
||||
*
|
||||
* \note This function should be called on a single raw data of
|
||||
|
||||
@ -1421,7 +1421,17 @@ int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
|
||||
|
||||
memcpy(&san->san.unstructured_name,
|
||||
san_buf, sizeof(*san_buf));
|
||||
}
|
||||
break;
|
||||
|
||||
/*
|
||||
* RFC822 Name
|
||||
*/
|
||||
case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_RFC822_NAME):
|
||||
{
|
||||
memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name));
|
||||
san->type = MBEDTLS_X509_SAN_RFC822_NAME;
|
||||
memcpy(&san->san.unstructured_name, san_buf, sizeof(*san_buf));
|
||||
}
|
||||
break;
|
||||
|
||||
@ -1520,10 +1530,19 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
|
||||
break;
|
||||
/*
|
||||
* dNSName
|
||||
* RFC822 Name
|
||||
*/
|
||||
case MBEDTLS_X509_SAN_DNS_NAME:
|
||||
case MBEDTLS_X509_SAN_RFC822_NAME:
|
||||
{
|
||||
ret = mbedtls_snprintf(p, n, "\n%s dNSName : ", prefix);
|
||||
const char *dns_name = "dNSName";
|
||||
const char *rfc822_name = "rfc822Name";
|
||||
|
||||
ret = mbedtls_snprintf(p, n,
|
||||
"\n%s %s : ",
|
||||
prefix,
|
||||
san.type ==
|
||||
MBEDTLS_X509_SAN_DNS_NAME ? dns_name : rfc822_name);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
if (san.san.unstructured_name.len >= n) {
|
||||
*p = '\0';
|
||||
|
||||
@ -140,6 +140,9 @@ test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der: te
|
||||
test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der: test_csr_v3_all.csr.der
|
||||
(hexdump -ve '1/1 "%.2X"' $< | sed "s/3051300B0603551D0F04/3050300B0603551D0F04/" | xxd -r -p ) > $@
|
||||
|
||||
test_cert_rfc822name.crt.der: cert_example_multi.csr
|
||||
$(OPENSSL) x509 -req -CA $(test_ca_crt) -CAkey $(test_ca_key_file_rsa) -extfile $(test_ca_config_file) -outform DER -extensions rfc822name_names -passin "pass:$(test_ca_pwd_rsa)" -set_serial 17 -days 3653 -sha256 -in $< > $@
|
||||
|
||||
$(test_ca_key_file_rsa_alt):test-ca.opensslconf
|
||||
$(OPENSSL) genrsa -out $@ 2048
|
||||
test-ca-alt.csr: $(test_ca_key_file_rsa_alt) $(test_ca_config_file)
|
||||
|
||||
@ -24,6 +24,9 @@ subjectAltName=otherName:1.2.3.4;UTF8:some other identifier
|
||||
[dns_alt_names]
|
||||
subjectAltName=DNS:example.com, DNS:example.net, DNS:*.example.org
|
||||
|
||||
[rfc822name_names]
|
||||
subjectAltName=email:my@other.address,email:second@other.address
|
||||
|
||||
[alt_names]
|
||||
DNS.1=example.com
|
||||
otherName.1=1.3.6.1.5.5.7.8.4;SEQ:hw_module_name
|
||||
|
||||
BIN
tests/data_files/test_cert_rfc822name.crt.der
Normal file
BIN
tests/data_files/test_cert_rfc822name.crt.der
Normal file
Binary file not shown.
@ -176,7 +176,7 @@ x509_cert_info:"data_files/server3.crt":"cert. version \: 3\nserial number
|
||||
|
||||
X509 CRT information Bitstring in subject name
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA
|
||||
x509_cert_info:"data_files/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=?7101012255\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n <unsupported>\next key usage \: TLS Web Client Authentication\n"
|
||||
x509_cert_info:"data_files/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=?7101012255\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n rfc822Name \: client@example.com\next key usage \: TLS Web Client Authentication\n"
|
||||
|
||||
X509 CRT information Non-ASCII string in issuer name and subject name
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA
|
||||
@ -206,6 +206,10 @@ X509 SAN parsing, unsupported otherName name
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA
|
||||
x509_parse_san:"data_files/server5-unsupported_othername.crt":""
|
||||
|
||||
X509 SAN parsing rfc822Name
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA
|
||||
x509_parse_san:"data_files/test_cert_rfc822name.crt.der":"type \: 1\nrfc822Name \: my@other.address\ntype \: 1\nrfc822Name \: second@other.address\n"
|
||||
|
||||
X509 CRL information #1
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
|
||||
mbedtls_x509_crl_info:"data_files/crl_expired.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-20 10\:24\:19\nnext update \: 2011-02-20 11\:24\:19\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA1\n"
|
||||
|
||||
@ -279,7 +279,18 @@ int verify_parse_san(mbedtls_x509_subject_alternative_name *san,
|
||||
*p++ = san->san.unstructured_name.p[i];
|
||||
}
|
||||
break;/* MBEDTLS_X509_SAN_DNS_NAME */
|
||||
|
||||
case (MBEDTLS_X509_SAN_RFC822_NAME):
|
||||
ret = mbedtls_snprintf(p, n, "\nrfc822Name : ");
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
if (san->san.unstructured_name.len >= n) {
|
||||
*p = '\0';
|
||||
return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
|
||||
}
|
||||
n -= san->san.unstructured_name.len;
|
||||
for (i = 0; i < san->san.unstructured_name.len; i++) {
|
||||
*p++ = san->san.unstructured_name.p[i];
|
||||
}
|
||||
break;/* MBEDTLS_X509_SAN_RFC822_NAME */
|
||||
default:
|
||||
/*
|
||||
* Should not happen.
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user