diff --git a/include/mbedtls/oid.h b/include/mbedtls/oid.h
index 55f72c8eb3..c516b7aaf7 100644
--- a/include/mbedtls/oid.h
+++ b/include/mbedtls/oid.h
@@ -214,6 +214,9 @@
*/
#define MBEDTLS_OID_WISUN_FAN MBEDTLS_OID_INTERNET "\x04\x01\x82\xe4\x25\x01"
+#define MBEDTLS_OID_ON MBEDTLS_OID_PKIX "\x08" /**< id-on OBJECT IDENTIFIER ::= { id-pkix 8 } */
+#define MBEDTLS_OID_ON_HW_MODULE_NAME MBEDTLS_OID_ON "\x04" /**< id-on-hardwareModuleName OBJECT IDENTIFIER ::= { id-on 4 } */
+
/*
* PKCS definition OIDs
*/
diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h
index b63e864e3f..054ff2ecc4 100644
--- a/include/mbedtls/x509.h
+++ b/include/mbedtls/x509.h
@@ -109,6 +109,28 @@
/* \} name */
/* \} addtogroup x509_module */
+/*
+ * X.509 v3 Subject Alternative Name types.
+ * otherName [0] OtherName,
+ * rfc822Name [1] IA5String,
+ * dNSName [2] IA5String,
+ * x400Address [3] ORAddress,
+ * directoryName [4] Name,
+ * ediPartyName [5] EDIPartyName,
+ * uniformResourceIdentifier [6] IA5String,
+ * iPAddress [7] OCTET STRING,
+ * registeredID [8] OBJECT IDENTIFIER
+ */
+#define MBEDTLS_X509_SAN_OTHER_NAME 0
+#define MBEDTLS_X509_SAN_RFC822_NAME 1
+#define MBEDTLS_X509_SAN_DNS_NAME 2
+#define MBEDTLS_X509_SAN_X400_ADDRESS_NAME 3
+#define MBEDTLS_X509_SAN_DIRECTORY_NAME 4
+#define MBEDTLS_X509_SAN_EDI_PARTY_NAME 5
+#define MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER 6
+#define MBEDTLS_X509_SAN_IP_ADDRESS 7
+#define MBEDTLS_X509_SAN_REGISTERED_ID 8
+
/*
* X.509 v3 Key Usage Extension flags
* Reminder: update x509_info_key_usage() when adding new flags.
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index a0f32cb304..4a796173f6 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -76,7 +76,7 @@ typedef struct mbedtls_x509_crt
mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */
mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */
mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */
- mbedtls_x509_sequence subject_alt_names; /**< Optional list of Subject Alternative Names (Only dNSName supported). */
+ mbedtls_x509_sequence subject_alt_names; /**< Optional list of Subject Alternative Names (Only dNSName and OtherName supported). */
int ext_types; /**< Bit string containing detected and parsed extensions */
int ca_istrue; /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
@@ -97,6 +97,44 @@ typedef struct mbedtls_x509_crt
}
mbedtls_x509_crt;
+/*
+ * From RFC 5280 section 4.2.1.6:
+ * OtherName ::= SEQUENCE {
+ * type-id OBJECT IDENTIFIER,
+ * value [0] EXPLICIT ANY DEFINED BY type-id }
+ */
+typedef struct mbedtls_x509_san_other_name
+{
+ mbedtls_x509_buf type_id; /**< The type id. */
+ union
+ {
+ /*
+ * From RFC 4108 section 5:
+ * HardwareModuleName ::= SEQUENCE {
+ * hwType OBJECT IDENTIFIER,
+ * hwSerialNum OCTET STRING }
+ */
+ mbedtls_x509_name hardware_module_name;
+ }
+ value;
+}
+mbedtls_x509_san_other_name;
+
+/*
+ * A structure for holding the parsed Subject Alternative Name, according to type
+ */
+typedef struct mbedtls_x509_subject_alternative_name
+{
+ int type; /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
+ union {
+ mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */
+ mbedtls_x509_buf unstructured_name; /**< The buffer for the un constructed types. Only dnsName currently supported */
+ }
+ san; /**< A union of the supported SAN types */
+ struct mbedtls_x509_subject_alternative_name *next; /**< The next SAN in the list. */
+}
+mbedtls_x509_subject_alternative_name;
+
/**
* Build flag from an algorithm/curve identifier (pk, md, ecp)
* Since 0 is always XXX_NONE, ignore it.
@@ -347,7 +385,26 @@ int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path );
*/
int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path );
#endif /* MBEDTLS_FS_IO */
-
+/**
+ * \brief Parses the subject alternative name list of a given certificate;
+ *
+ * \param crt The X509 certificate to parse.
+ *
+ * \param san A list holding the parsed certificate.
+ *
+ * \note Only "dnsName" and "otherName" of type hardware_module_name,
+ * as defined in RFC 4180 is supported.
+ *
+ * \note Any unsupported san type is ignored.
+ *
+ * \note The function allocates a list of mbedtls_x509_subject_alternative_name
+ * and it is the caller's responsibility to free it.
+ *
+ * \return Zero for success and negative
+ * value for any other failure.
+ */
+int mbedtls_x509_parse_subject_alternative_name( const mbedtls_x509_crt *crt,
+ mbedtls_x509_subject_alternative_name **san );
/**
* \brief Returns an informational string about the
* certificate.
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 97a06d5f1b..f9cbed0a23 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -618,7 +618,8 @@ static int x509_get_ext_key_usage( unsigned char **p,
* nameAssigner [0] DirectoryString OPTIONAL,
* partyName [1] DirectoryString }
*
- * NOTE: we only parse and use dNSName at this point.
+ * NOTE: we only parse and use dNSName at this point,
+ * and otherName of type HwModuleName, as defined in RFC 4108.
*/
static int x509_get_subject_alt_name( unsigned char **p,
const unsigned char *end,
@@ -657,13 +658,6 @@ static int x509_get_subject_alt_name( unsigned char **p,
MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
}
- /* Skip everything but DNS name */
- if( tag != ( MBEDTLS_ASN1_CONTEXT_SPECIFIC | 2 ) )
- {
- *p += tag_len;
- continue;
- }
-
/* Allocate and assign next pointer */
if( cur->buf.p != NULL )
{
@@ -1435,32 +1429,195 @@ cleanup:
}
#endif /* MBEDTLS_FS_IO */
+/*
+ * OtherName ::= SEQUENCE {
+ * type-id OBJECT IDENTIFIER,
+ * value [0] EXPLICIT ANY DEFINED BY type-id }
+ *
+ * HardwareModuleName ::= SEQUENCE {
+ * hwType OBJECT IDENTIFIER,
+ * hwSerialNum OCTET STRING }
+ *
+ * NOTE: we currently only parse and use otherName of type HwModuleName,
+ * as defined in RFC 4108.
+ */
+static int x509_get_other_name( const mbedtls_x509_buf *subject_alt_name,
+ mbedtls_x509_san_other_name *other_name )
+{
+ int ret;
+ size_t len;
+ unsigned char *p = subject_alt_name->p;
+ const unsigned char *end = p + subject_alt_name->len;
+ mbedtls_x509_buf cur_oid;
+
+ if( ( subject_alt_name->tag &
+ ( MBEDTLS_ASN1_TAG_CLASS_MASK | MBEDTLS_ASN1_TAG_VALUE_MASK ) ) !=
+ ( MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_OTHER_NAME ) )
+ {
+ /*
+ * The given subject alternative name is not of type "othername".
+ */
+ return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+ }
+
+ if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+ MBEDTLS_ASN1_OID ) ) != 0 )
+ return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+ cur_oid.tag = MBEDTLS_ASN1_OID;
+ cur_oid.p = p;
+ cur_oid.len = len;
+
+ /*
+ * Only HwModuleName is currently supported.
+ */
+ if( MBEDTLS_OID_CMP( MBEDTLS_OID_ON_HW_MODULE_NAME, &cur_oid ) != 0 )
+ {
+ return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE );
+ }
+
+ if( p + len >= end )
+ {
+ mbedtls_platform_zeroize( other_name, sizeof( other_name ) );
+ return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ }
+ p += len;
+ if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) ) != 0 )
+ return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+ if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+ return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+ if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OID ) ) != 0 )
+ return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+ other_name->value.hardware_module_name.oid.tag = MBEDTLS_ASN1_OID;
+ other_name->value.hardware_module_name.oid.p = p;
+ other_name->value.hardware_module_name.oid.len = len;
+
+ if( p + len >= end )
+ {
+ mbedtls_platform_zeroize( other_name, sizeof( other_name ) );
+ return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ }
+ p += len;
+ if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+ MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
+ return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+ other_name->value.hardware_module_name.val.tag = MBEDTLS_ASN1_OCTET_STRING;
+ other_name->value.hardware_module_name.val.p = p;
+ other_name->value.hardware_module_name.val.len = len;
+ other_name->value.hardware_module_name.next = NULL;
+ other_name->value.hardware_module_name.next_merged = 0;
+ p += len;
+ if( p != end )
+ {
+ mbedtls_platform_zeroize( other_name,
+ sizeof( other_name ) );
+ return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ }
+ return( 0 );
+}
+
static int x509_info_subject_alt_name( char **buf, size_t *size,
- const mbedtls_x509_sequence *subject_alt_name )
+ const mbedtls_x509_sequence *subject_alt_name,
+ const char *prefix )
{
size_t i;
+ int ret;
size_t n = *size;
char *p = *buf;
const mbedtls_x509_sequence *cur = subject_alt_name;
- const char *sep = "";
- size_t sep_len = 0;
while( cur != NULL )
{
- if( cur->buf.len + sep_len >= n )
+ switch( cur->buf.tag &
+ ( MBEDTLS_ASN1_TAG_CLASS_MASK | MBEDTLS_ASN1_TAG_VALUE_MASK ) )
{
- *p = '\0';
- return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL );
+ /*
+ * otherName
+ */
+ case( MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_OTHER_NAME ):
+ {
+ mbedtls_x509_san_other_name other_name;
+
+ ret = x509_get_other_name( &cur->buf, &other_name );
+ if( ret != 0 )
+ {
+ /*
+ * In case MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE is returned,
+ * then the "otherName" is of an unsupported type. Ignore.
+ */
+ if( ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE )
+ ret = 0;
+ return( ret );
+ }
+
+ ret = mbedtls_snprintf( p, n, "\n%s otherName :", prefix );
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ if( MBEDTLS_OID_CMP( MBEDTLS_OID_ON_HW_MODULE_NAME,
+ &other_name.value.hardware_module_name.oid ) != 0 )
+ {
+ ret = mbedtls_snprintf( p, n, "\n%s hardware module name :", prefix );
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ ret = mbedtls_snprintf( p, n, "\n%s hardware type : ", prefix );
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ ret = mbedtls_oid_get_numeric_string( p, n, &other_name.value.hardware_module_name.oid );
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ ret = mbedtls_snprintf( p, n, "\n%s hardware serial number : ", prefix );
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ if( other_name.value.hardware_module_name.val.len >= n )
+ {
+ *p = '\0';
+ return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL );
+ }
+
+ for( i = 0; i < other_name.value.hardware_module_name.val.len; i++ )
+ {
+ *p++ = other_name.value.hardware_module_name.val.p[i];
+ }
+ n -= other_name.value.hardware_module_name.val.len;
+
+ }/* MBEDTLS_OID_ON_HW_MODULE_NAME */
+ }
+ break;
+
+ /*
+ * dNSName
+ */
+ case( MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_DNS_NAME ):
+ {
+
+ ret = mbedtls_snprintf( p, n, "\n%s dNSName : ", prefix );
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ if( cur->buf.len >= n )
+ {
+ *p = '\0';
+ return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL );
+ }
+ n -= cur->buf.len;
+ for( i = 0; i < cur->buf.len; i++ )
+ *p++ = cur->buf.p[i];
+ }
+ break;
+
+ /*
+ * Type not supported, skip item.
+ */
+ default:
+ break;
}
- n -= cur->buf.len + sep_len;
- for( i = 0; i < sep_len; i++ )
- *p++ = sep[i];
- for( i = 0; i < cur->buf.len; i++ )
- *p++ = cur->buf.p[i];
-
- sep = ", ";
- sep_len = 2;
cur = cur->next;
}
@@ -1473,6 +1630,105 @@ static int x509_info_subject_alt_name( char **buf, size_t *size,
return( 0 );
}
+int mbedtls_x509_parse_subject_alternative_name( const mbedtls_x509_crt *crt,
+ mbedtls_x509_subject_alternative_name **san )
+{
+ int ret;
+ const mbedtls_x509_sequence *cur = &crt->subject_alt_names;
+ mbedtls_x509_subject_alternative_name *cur_san = *san, *prev_san = NULL;
+
+ if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME )
+ {
+ if( cur_san != NULL )
+ {
+ return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+ }
+
+ while( cur != NULL )
+ {
+ switch( cur->buf.tag &
+ ( MBEDTLS_ASN1_TAG_CLASS_MASK |
+ MBEDTLS_ASN1_TAG_VALUE_MASK ) )
+ {
+ /*
+ * otherName
+ */
+ case( MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_OTHER_NAME ):
+ {
+ mbedtls_x509_san_other_name other_name;
+
+ ret = x509_get_other_name( &cur->buf, &other_name );
+ if( ret != 0 )
+ {
+ /*
+ * In case MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE is returned,
+ * then the "otherName" is of an unsupported type. Ignore.
+ */
+ if( ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE )
+ ret = 0;
+ cur = cur->next;
+ continue;
+ }
+
+ cur_san = mbedtls_calloc( 1, sizeof( mbedtls_x509_subject_alternative_name ) );
+ if( cur_san == NULL )
+ return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+ MBEDTLS_ERR_ASN1_ALLOC_FAILED );
+
+ if( prev_san != NULL )
+ prev_san->next = cur_san;
+
+ cur_san->type = MBEDTLS_X509_SAN_OTHER_NAME;
+ memcpy( &cur_san->san.other_name,
+ &other_name, sizeof( other_name ) );
+
+ }
+ break;
+
+ /*
+ * dNSName
+ */
+ case( MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_DNS_NAME ):
+ {
+ cur_san = mbedtls_calloc( 1, sizeof( mbedtls_x509_subject_alternative_name ) );
+ if( cur_san == NULL )
+ return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+ MBEDTLS_ERR_ASN1_ALLOC_FAILED );
+
+ if( prev_san != NULL )
+ prev_san->next = cur_san;
+
+ memset( cur_san, 0, sizeof( mbedtls_x509_subject_alternative_name ) );
+ cur_san->type = MBEDTLS_X509_SAN_DNS_NAME;
+
+ memcpy( &cur_san->san.unstructured_name,
+ &cur->buf, sizeof( cur->buf ) );
+
+ }
+ break;
+
+ /*
+ * Type not supported, skip item.
+ */
+ default:
+ break;
+ }
+
+ if( *san == NULL )
+ *san = cur_san;
+
+ if( cur_san != NULL )
+ {
+ prev_san = cur_san;
+ cur_san = cur_san->next;
+ }
+
+ cur = cur->next;
+ }/* while( cur != NULL ) */
+ }/* crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME */
+ return( 0 );
+}
+
#define PRINT_ITEM(i) \
{ \
ret = mbedtls_snprintf( p, n, "%s" i, sep ); \
@@ -1659,11 +1915,12 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME )
{
- ret = mbedtls_snprintf( p, n, "\n%ssubject alt name : ", prefix );
+ ret = mbedtls_snprintf( p, n, "\n%ssubject alt name :", prefix );
MBEDTLS_X509_SAFE_SNPRINTF;
if( ( ret = x509_info_subject_alt_name( &p, &n,
- &crt->subject_alt_names ) ) != 0 )
+ &crt->subject_alt_names,
+ prefix) ) != 0 )
return( ret );
}
diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
index 748514db10..6680c808fe 100644
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@@ -142,6 +142,12 @@ server5-ss-forgeca.crt: server5.key
$(FAKETIME) '2015-09-01 14:08:43' $(OPENSSL) req -x509 -new -subj "/C=UK/O=mbed TLS/CN=mbed TLS Test intermediate CA 3" -set_serial 77 -config $(test_ca_config_file) -extensions noext_ca -days 3650 -sha256 -key $< -out $@
all_final += server5-ss-forgeca.crt
+server5-othername.crt: server5.key
+ $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS othername SAN" -set_serial 77 -config $(test_ca_config_file) -extensions othername_san -days 3650 -sha256 -key $< -out $@
+
+server5-unsupported_othername.crt: server5.key
+ $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS unsupported othername SAN" -set_serial 77 -config $(test_ca_config_file) -extensions unsupoported_othername_san -days 3650 -sha256 -key $< -out $@
+
server10-badsign.crt: server10.crt
{ head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; } > $@
all_final += server10-badsign.crt
diff --git a/tests/data_files/multiple_san.crt b/tests/data_files/multiple_san.crt
new file mode 100644
index 0000000000..8cdc730611
--- /dev/null
+++ b/tests/data_files/multiple_san.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB2jCCAYCgAwIBAgIBBDAKBggqhkjOPQQDAjBKMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwITWJlZCBUTFMxKDAmBgNVBAMMH01iZWQgVExTIG11bHRpcGxlIG90aGVy
+bmFtZSBTQU4wHhcNMTkwNDIyMTYxMDQ4WhcNMjkwNDE5MTYxMDQ4WjBKMQswCQYD
+VQQGEwJVSzERMA8GA1UECgwITWJlZCBUTFMxKDAmBgNVBAMMH01iZWQgVExTIG11
+bHRpcGxlIG90aGVybmFtZSBTQU4wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ3
+zFbZdgkeWnI+x1kt/yBu7nz5BpF00K0UtfdoIllikk7lANgjEf/qL9I0XV0WvYqI
+wmt3DVXNiioO+gHItO3/o1cwVTBTBgNVHREETDBKggtleGFtcGxlLmNvbaAfBggr
+BgEFBQcIBKATMBEGBysGAQQBEQMEBjEyMzQ1NoILZXhhbXBsZS5uZXSCDSouZXhh
+bXBsZS5vcmcwCgYIKoZIzj0EAwIDSAAwRQIhAMZUkp+pcuFQ3WWdgvV4Y+tIXOyS
+L6p0RtEAOi/GgigVAiB50n3rIUKjapYstPp3yOpGZGyRxnc6uRdSiMH5wLA4yw==
+-----END CERTIFICATE-----
diff --git a/tests/data_files/server5-othername.crt b/tests/data_files/server5-othername.crt
new file mode 100644
index 0000000000..3be1a772c0
--- /dev/null
+++ b/tests/data_files/server5-othername.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBnzCCAUWgAwIBAgIBTTAKBggqhkjOPQQDAjBBMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwITWJlZCBUTFMxHzAdBgNVBAMMFk1iZWQgVExTIG90aGVybmFtZSBTQU4w
+HhcNMTkwMzI0MDkwNjAyWhcNMjkwMzIxMDkwNjAyWjBBMQswCQYDVQQGEwJVSzER
+MA8GA1UECgwITWJlZCBUTFMxHzAdBgNVBAMMFk1iZWQgVExTIG90aGVybmFtZSBT
+QU4wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ3zFbZdgkeWnI+x1kt/yBu7nz5
+BpF00K0UtfdoIllikk7lANgjEf/qL9I0XV0WvYqIwmt3DVXNiioO+gHItO3/oy4w
+LDAqBgNVHREEIzAhoB8GCCsGAQUFBwgEoBMwEQYHKwYBBAERAwQGMTIzNDU2MAoG
+CCqGSM49BAMCA0gAMEUCIQCijdm1AfArx2p4cLCVciHCTE8UXRiTm8f85k4aNzzf
+sgIgCdmLyfZB9jsSPH3A3O1GATAR3O9OTtEDC+YSc+lvxSw=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/server5-unsupported_othername.crt b/tests/data_files/server5-unsupported_othername.crt
new file mode 100644
index 0000000000..b46fc2d966
--- /dev/null
+++ b/tests/data_files/server5-unsupported_othername.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBtjCCAVygAwIBAgIBTTAKBggqhkjOPQQDAjBNMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwITWJlZCBUTFMxKzApBgNVBAMMIk1iZWQgVExTIHVuc3VwcG9ydGVkIG90
+aGVybmFtZSBTQU4wHhcNMTkwNTAxMDkxMDM1WhcNMjkwNDI4MDkxMDM1WjBNMQsw
+CQYDVQQGEwJVSzERMA8GA1UECgwITWJlZCBUTFMxKzApBgNVBAMMIk1iZWQgVExT
+IHVuc3VwcG9ydGVkIG90aGVybmFtZSBTQU4wWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAAQ3zFbZdgkeWnI+x1kt/yBu7nz5BpF00K0UtfdoIllikk7lANgjEf/qL9I0
+XV0WvYqIwmt3DVXNiioO+gHItO3/oy0wKzApBgNVHREEIjAgoB4GAyoDBKAXDBVz
+b21lIG90aGVyIGlkZW50aWZpZXIwCgYIKoZIzj0EAwIDSAAwRQIhANkj6n9qHYVi
+FLfb0IRZpIsvvuNCjSgT8yBLVjJYQj3nAiBffQKZ7y/F6rfon6L1GZU0BBja8BLX
+rXp8WpY7Bc8myQ==
+-----END CERTIFICATE-----
diff --git a/tests/data_files/test-ca.opensslconf b/tests/data_files/test-ca.opensslconf
index f66b39e3ce..d345fe99e9 100644
--- a/tests/data_files/test-ca.opensslconf
+++ b/tests/data_files/test-ca.opensslconf
@@ -12,6 +12,25 @@ subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
+[othername_san]
+subjectAltName=otherName:1.3.6.1.5.5.7.8.4;SEQ:hw_module_name
+
+[unsupoported_othername_san]
+subjectAltName=otherName:1.2.3.4;UTF8:some other identifier
+
+[alt_names]
+DNS.1=example.com
+otherName.1=1.3.6.1.5.5.7.8.4;SEQ:hw_module_name
+DNS.2=example.net
+DNS.3=*.example.org
+
+[multiple_san]
+subjectAltName=@alt_names
+
+[hw_module_name]
+hwtype = OID:1.3.6.1.4.1.17.3
+hwserial = OCT:123456
+
[noext_ca]
basicConstraints = CA:true
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index edd3a6fc59..f53ea82328 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -94,6 +94,10 @@ X509 Certificate information EC, SHA512 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA512_C
x509_cert_info:"data_files/server5-sha512.crt":"cert. version \: 3\nserial number \: 15\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA512\nEC key size \: 256 bits\nbasic constraints \: CA=false\n"
+X509 Certificate information EC, SHA256 Digest, hardware module name SAN
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
+x509_cert_info:"data_files/server5-othername.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nissued on \: 2019-03-24 09\:06\:02\nexpires on \: 2029-03-21 09\:06\:02\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 123456\n"
+
X509 Certificate information, NS Cert Type
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
x509_cert_info:"data_files/server1.cert_type.crt":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2011-02-12 14\:44\:06\nexpires on \: 2021-02-12 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\ncert. type \: SSL Server\n"
@@ -108,11 +112,15 @@ x509_cert_info:"data_files/keyUsage.decipherOnly.crt":"cert. version \: 3\ns
X509 Certificate information, Subject Alt Name
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
-x509_cert_info:"data_files/cert_example_multi.crt":"cert. version \: 3\nserial number \: 11\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=www.example.com\nissued on \: 2012-05-10 13\:23\:41\nexpires on \: 2022-05-11 13\:23\:41\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \: example.com, example.net, *.example.org\n"
+x509_cert_info:"data_files/cert_example_multi.crt":"cert. version \: 3\nserial number \: 11\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=www.example.com\nissued on \: 2012-05-10 13\:23\:41\nexpires on \: 2022-05-11 13\:23\:41\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n dNSName \: example.com\n dNSName \: example.net\n dNSName \: *.example.org\n"
+
+X509 Certificate information, Multiple different Subject Alt Name
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
+x509_cert_info:"data_files/multiple_san.crt":"cert. version \: 3\nserial number \: 04\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS multiple othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS multiple othername SAN\nissued on \: 2019-04-22 16\:10\:48\nexpires on \: 2029-04-19 16\:10\:48\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n dNSName \: example.com\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 123456\n dNSName \: example.net\n dNSName \: *.example.org\n"
X509 Certificate information, Subject Alt Name + Key Usage
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
-x509_cert_info:"data_files/cert_example_multi_nocn.crt":"cert. version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nsubject alt name \: www.shotokan-braunschweig.de, www.massimo-abate.eu\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+x509_cert_info:"data_files/cert_example_multi_nocn.crt":"cert. version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nsubject alt name \:\n dNSName \: www.shotokan-braunschweig.de\n dNSName \: www.massimo-abate.eu\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 Certificate information, Key Usage + Extended Key Usage
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
@@ -128,11 +136,31 @@ x509_cert_info:"data_files/server3.crt":"cert. version \: 3\nserial number
X509 Certificate information Bitstring in subject name
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
-x509_cert_info:"data_files/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=?7101012255\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \: \next key usage \: TLS Web Client Authentication\n"
+x509_cert_info:"data_files/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=?7101012255\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\next key usage \: TLS Web Client Authentication\n"
X509 certificate v1 with extension
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3:MBEDTLS_SHA1_C
-x509_cert_info:"data_files/cert_v1_with_ext.crt":"cert. version \: 1\nserial number \: BD\:ED\:44\:C7\:D2\:3E\:C2\:A4\nissuer name \: C=XX, ST=XX, L=XX, O=XX, OU=XX, emailAddress=admin@identity-check.org, CN=identity-check.org\nsubject name \: C=XX, ST=XX, L=XX, O=XX, OU=XX, emailAddress=admin@identity-check.org, CN=identity-check.org\nissued on \: 2013-07-04 16\:17\:02\nexpires on \: 2014-07-04 16\:17\:02\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nsubject alt name \: identity-check.org, www.identity-check.org\n"
+x509_cert_info:"data_files/cert_v1_with_ext.crt":"cert. version \: 1\nserial number \: BD\:ED\:44\:C7\:D2\:3E\:C2\:A4\nissuer name \: C=XX, ST=XX, L=XX, O=XX, OU=XX, emailAddress=admin@identity-check.org, CN=identity-check.org\nsubject name \: C=XX, ST=XX, L=XX, O=XX, OU=XX, emailAddress=admin@identity-check.org, CN=identity-check.org\nissued on \: 2013-07-04 16\:17\:02\nexpires on \: 2014-07-04 16\:17\:02\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nsubject alt name \:\n dNSName \: identity-check.org\n dNSName \: www.identity-check.org\n"
+
+X509 SAN parsing otherName
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
+x509_parse_san:"data_files/server5-othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 123456\n"
+
+X509 SAN parsing dNSName
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
+x509_parse_san:"data_files/cert_example_multi.crt":"type \: 2\ndNSName \: example.com\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n"
+
+X509 SAN parsing Multiple different types
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
+x509_parse_san:"data_files/multiple_san.crt":"type \: 2\ndNSName \: example.com\ntype \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 123456\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n"
+
+X509 SAN parsing, no subject alt name
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C
+x509_parse_san:"data_files/server4.crt":""
+
+X509 SAN parsing, unsupported otherName name
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
+x509_parse_san:"data_files/server5-unsupported_othername.crt":""
X509 CRL information #1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index b11ab849af..beec52cc3d 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -219,6 +219,79 @@ int verify_print( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint
return( 0 );
}
+
+int verify_parse_san( mbedtls_x509_subject_alternative_name *san,
+ char **buf, size_t *size )
+{
+ int ret;
+ size_t i;
+ char *p = *buf;
+ size_t n = *size;
+
+ ret = mbedtls_snprintf( p, n, "type : %u", san->type );
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ switch( san->type )
+ {
+ case( MBEDTLS_X509_SAN_OTHER_NAME ):
+ ret = mbedtls_snprintf( p, n, "\notherName :");
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ if( MBEDTLS_OID_CMP( MBEDTLS_OID_ON_HW_MODULE_NAME,
+ &san->san.other_name.value.hardware_module_name.oid ) != 0 )
+ {
+ ret = mbedtls_snprintf( p, n, " hardware module name :" );
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ ret = mbedtls_snprintf( p, n, " hardware type : " );
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ ret = mbedtls_oid_get_numeric_string( p, n,
+ &san->san.other_name.value.hardware_module_name.oid );
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ ret = mbedtls_snprintf( p, n, ", hardware serial number : " );
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ if( san->san.other_name.value.hardware_module_name.val.len >= n )
+ {
+ *p = '\0';
+ return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL );
+ }
+
+ for( i=0; i < san->san.other_name.value.hardware_module_name.val.len; i++ )
+ {
+ *p++ = san->san.other_name.value.hardware_module_name.val.p[i];
+ }
+ n -= san->san.other_name.value.hardware_module_name.val.len;
+ }
+ break;/* MBEDTLS_OID_ON_HW_MODULE_NAME */
+ case( MBEDTLS_X509_SAN_DNS_NAME ):
+ ret = mbedtls_snprintf( p, n, "\ndNSName : " );
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ if( san->san.unstructured_name.len >= n )
+ {
+ *p = '\0';
+ return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL );
+ }
+ n -= san->san.unstructured_name.len;
+ for( i = 0; i < san->san.unstructured_name.len; i++ )
+ *p++ = san->san.unstructured_name.p[i];
+ break;/* MBEDTLS_X509_SAN_DNS_NAME */
+
+ default:
+ /*
+ * Should not happen.
+ */
+ return( -1 );
+ }
+ ret = mbedtls_snprintf( p, n, "\n" );
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ *size = n;
+ *buf = p;
+
+ return( 0 );
+}
#endif /* MBEDTLS_X509_CRT_PARSE_C */
/* END_HEADER */
@@ -227,6 +300,41 @@ int verify_print( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint
* END_DEPENDENCIES
*/
+/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
+void x509_parse_san( char * crt_file, char * result_str )
+{
+ mbedtls_x509_crt crt;
+ mbedtls_x509_subject_alternative_name *cur, *next, *san = NULL;
+ char buf[2000];
+ char *p = buf;
+ size_t n = sizeof( buf );
+
+ mbedtls_x509_crt_init( &crt );
+ memset( buf, 0, 2000 );
+
+ TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 );
+ TEST_ASSERT( mbedtls_x509_parse_subject_alternative_name( &crt, &san ) == 0 );
+ cur = san;
+ while( cur != NULL )
+ {
+ TEST_ASSERT( verify_parse_san( cur, &p, &n ) == 0 );
+ cur = cur->next;
+ }
+
+ TEST_ASSERT( strcmp( buf, result_str ) == 0 );
+
+exit:
+
+ for( cur = san; cur != NULL; cur = next )
+ {
+ next = cur->next;
+ mbedtls_free( cur );
+ }
+
+ mbedtls_x509_crt_free( &crt );
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
void x509_cert_info( char * crt_file, char * result_str )
{