feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

handle multiple permitted name constraints

Browse Source
This commit is contained in:
Jacob Barthelmeh
2021-10-19 16:52:08 -06:00
parent afee92e0cf
commit 3b73c6e3ae
4 changed files with 202 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
certs/test/cert-ext-mnc.der Normal file
View File

Binary file not shown.

29
certs/test/gen-ext-certs.sh
View File

@ -46,6 +46,35 @@ nsComment = "Testing name constraints"
EOF EOF
gen_cert gen_cert
OUT=certs/test/cert-ext-mnc.der
KEYFILE=certs/test/cert-ext-mnc-key.der
CONFIG=certs/test/cert-ext-mnc.cfg
tee >$CONFIG <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = v3_ca
[ req_distinguished_name ]
C = AU
ST = Queensland
L = Brisbane
O = wolfSSL Inc
OU = Engineering
CN = www.wolfssl.com
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
nameConstraints = critical,permitted;email:.wolfssl.com, permitted;email:.example.com
nsComment = "Testing name constraints"
EOF
gen_cert
OUT=certs/test/cert-ext-ia.der OUT=certs/test/cert-ext-ia.der
KEYFILE=certs/test/cert-ext-ia-key.der KEYFILE=certs/test/cert-ext-ia-key.der
CONFIG=certs/test/cert-ext-ia.cfg CONFIG=certs/test/cert-ext-ia.cfg

161
tests/api.c
View File

@ -1571,7 +1571,6 @@ static void test_wolfSSL_CertManagerNameConstraint(void)
X509_NAME_free(name); X509_NAME_free(name);
wolfSSL_X509_add_altname(x509, "wolfssl@info.wolfssl.com", ASN_RFC822_TYPE); wolfSSL_X509_add_altname(x509, "wolfssl@info.wolfssl.com", ASN_RFC822_TYPE);
(void)altEmail;
AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
#if 0 #if 0
@ -1808,6 +1807,165 @@ static void test_wolfSSL_CertManagerNameConstraint2(void)
#endif #endif
} }
static void test_wolfSSL_CertManagerNameConstraint3(void)
{
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \
!defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \
defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \
defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \
!defined(NO_SHA256)
WOLFSSL_CERT_MANAGER* cm;
WOLFSSL_EVP_PKEY *priv;
WOLFSSL_X509_NAME* name;
const char* ca_cert = "./certs/test/cert-ext-mnc.der";
const char* server_cert = "./certs/test/server-goodcn.pem";
byte *der;
int derSz;
byte *pt;
WOLFSSL_X509 *x509, *ca;
pt = (byte*)server_key_der_2048;
AssertNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL,
(const unsigned char**)&pt, sizeof_server_key_der_2048));
AssertNotNull(cm = wolfSSL_CertManagerNew());
AssertNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert,
WOLFSSL_FILETYPE_ASN1));
AssertNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz)));
#if 0
{
//write out x509 for test
BIO* out = BIO_new(wolfSSL_BIO_s_file());
if (out != NULL) {
FILE* f= fopen("ca.der", "wb");
BIO_set_fp(out, f, BIO_CLOSE);
BIO_write(out, der, derSz);
BIO_free(out);
}
}
#endif
AssertIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
/* check satisfying .wolfssl.com constraint passes */
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
WOLFSSL_FILETYPE_PEM));
AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
AssertNotNull(name = X509_NAME_new());
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
(byte*)"US", 2, -1, 0), SSL_SUCCESS);
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
(byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS);
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8,
(byte*)"support@info.wolfssl.com", 24, -1, 0), SSL_SUCCESS);
AssertIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
X509_NAME_free(name);
wolfSSL_X509_add_altname(x509, "wolfssl@info.wolfssl.com", ASN_RFC822_TYPE);
AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
#if 0
{
//write out good x509 for test
BIO* out = BIO_new(wolfSSL_BIO_s_file());
if (out != NULL) {
FILE* f= fopen("good-1st-constraint-cert.pem", "wb");
BIO_set_fp(out, f, BIO_CLOSE);
PEM_write_bio_X509(out, x509);
BIO_free(out);
}
}
#endif
AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
wolfSSL_X509_free(x509);
/* check satisfying .random.com constraint passes */
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
WOLFSSL_FILETYPE_PEM));
AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
AssertNotNull(name = X509_NAME_new());
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
(byte*)"US", 2, -1, 0), SSL_SUCCESS);
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
(byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS);
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8,
(byte*)"support@info.example.com", 24, -1, 0), SSL_SUCCESS);
AssertIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
X509_NAME_free(name);
wolfSSL_X509_add_altname(x509, "wolfssl@info.example.com", ASN_RFC822_TYPE);
AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
#if 0
{
//write out good x509 for test
BIO* out = BIO_new(wolfSSL_BIO_s_file());
if (out != NULL) {
FILE* f= fopen("good-2nd-constraint-cert.pem", "wb");
BIO_set_fp(out, f, BIO_CLOSE);
PEM_write_bio_X509(out, x509);
BIO_free(out);
}
}
#endif
AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
wolfSSL_X509_free(x509);
/* check fail case when neither constraint is matched */
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
WOLFSSL_FILETYPE_PEM));
AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
AssertNotNull(name = X509_NAME_new());
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
(byte*)"US", 2, -1, 0), SSL_SUCCESS);
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
(byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS);
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8,
(byte*)"support@info.com", 24, -1, 0), SSL_SUCCESS);
AssertIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
X509_NAME_free(name);
wolfSSL_X509_add_altname(x509, "wolfssl@info.com", ASN_RFC822_TYPE);
AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
#if 0
{
//write out good x509 for test
BIO* out = BIO_new(wolfSSL_BIO_s_file());
if (out != NULL) {
FILE* f= fopen("bad-cert.pem", "wb");
BIO_set_fp(out, f, BIO_CLOSE);
PEM_write_bio_X509(out, x509);
BIO_free(out);
}
}
#endif
AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E);
wolfSSL_X509_free(x509);
wolfSSL_CertManagerFree(cm);
wolfSSL_X509_free(x509);
wolfSSL_X509_free(ca);
wolfSSL_EVP_PKEY_free(priv);
#endif
}
static void test_wolfSSL_CertManagerCRL(void) static void test_wolfSSL_CertManagerCRL(void)
{ {
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && defined(HAVE_CRL) && \ #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && defined(HAVE_CRL) && \
@ -50397,6 +50555,7 @@ void ApiTest(void)
test_wolfSSL_CertManagerSetVerify(); test_wolfSSL_CertManagerSetVerify();
test_wolfSSL_CertManagerNameConstraint(); test_wolfSSL_CertManagerNameConstraint();
test_wolfSSL_CertManagerNameConstraint2(); test_wolfSSL_CertManagerNameConstraint2();
test_wolfSSL_CertManagerNameConstraint3();
test_wolfSSL_CertManagerCRL(); test_wolfSSL_CertManagerCRL();
test_wolfSSL_CTX_load_verify_locations_ex(); test_wolfSSL_CTX_load_verify_locations_ex();
test_wolfSSL_CTX_load_verify_buffer_ex(); test_wolfSSL_CTX_load_verify_buffer_ex();

13
wolfcrypt/src/asn.c
View File

@ -13501,6 +13501,10 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
if (name != NULL) if (name != NULL)
needDns = 1; needDns = 1;
/* check if already found a matching permitted subtree */
if (matchDns == 1)
break;
while (name != NULL) { while (name != NULL) {
matchDns = MatchBaseName(ASN_DNS_TYPE, matchDns = MatchBaseName(ASN_DNS_TYPE,
name->name, name->len, name->name, name->len,
@ -13522,6 +13526,10 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
if (name != NULL) if (name != NULL)
needEmail = 1; needEmail = 1;
/* check if already found a matching permitted subtree */
if (matchEmail == 1)
break;
while (name != NULL) { while (name != NULL) {
matchEmail = MatchBaseName(ASN_DNS_TYPE, matchEmail = MatchBaseName(ASN_DNS_TYPE,
name->name, name->len, name->name, name->len,
@ -13540,6 +13548,11 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
{ {
/* allow permitted dirName smaller than actual subject */ /* allow permitted dirName smaller than actual subject */
needDir = 1; needDir = 1;
/* check if already found a matching permitted subtree */
if (matchDir == 1)
break;
if (cert->subjectRaw != NULL && if (cert->subjectRaw != NULL &&
cert->subjectRawLen >= base->nameSz && cert->subjectRawLen >= base->nameSz &&
XMEMCMP(cert->subjectRaw, base->name, XMEMCMP(cert->subjectRaw, base->name,