From 99ed72717934f9b7972dccb0470d0a79305da294 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Mon, 1 Aug 2022 10:52:09 -0700 Subject: [PATCH] add WOLFSSL_CERT_NAME_ALL macro guard and new values to set subject --- configure.ac | 5 +- src/x509.c | 2 + wolfcrypt/src/asn.c | 87 +++++++++++++++++++++++++--------- wolfssl/wolfcrypt/asn.h | 14 ++++-- wolfssl/wolfcrypt/asn_public.h | 2 + 5 files changed, 82 insertions(+), 28 deletions(-) diff --git a/configure.ac b/configure.ac index e87979e06..0d415e26b 100644 --- a/configure.ac +++ b/configure.ac @@ -830,6 +830,9 @@ then # Certificate extensions and alt. names for FPKI use AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SUBJ_DIR_ATTR -DWOLFSSL_FPKI -DWOLFSSL_SUBJ_INFO_ACC" + + # Handle as many subject/issuer name OIDs as possible + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_NAME_ALL" fi @@ -7450,7 +7453,7 @@ then fi AS_IF([test "x$ENABLED_OPENSSLALL" = "xyes"], - [AM_CFLAGS="$AM_CFLAGS -DOPENSSL_ALL -DWOLFSSL_EITHER_SIDE -DWC_RSA_NO_PADDING -DWC_RSA_PSS -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_TICKET_HAVE_ID -DWOLFSSL_ERROR_CODE_OPENSSL"]) + [AM_CFLAGS="$AM_CFLAGS -DOPENSSL_ALL -DWOLFSSL_EITHER_SIDE -DWC_RSA_NO_PADDING -DWC_RSA_PSS -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_TICKET_HAVE_ID -DWOLFSSL_ERROR_CODE_OPENSSL -DWOLFSSL_CERT_NAME_ALL"]) AS_IF([test "x$ENABLED_AESSIV" = "xyes"], [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_SIV"]) diff --git a/src/x509.c b/src/x509.c index 8fdcd96ec..69f853695 100644 --- a/src/x509.c +++ b/src/x509.c @@ -9403,10 +9403,12 @@ static int ConvertNIDToWolfSSL(int nid) { switch (nid) { case NID_commonName : return ASN_COMMON_NAME; + #ifdef WOLFSSL_CERT_NAME_ALL case NID_name : return ASN_NAME; case NID_givenName: return ASN_GIVEN_NAME; case NID_dnQualifier : return ASN_DNQUALIFIER; case NID_initials: return ASN_INITIALS; + #endif /* WOLFSSL_CERT_NAME_ALL */ case NID_surname : return ASN_SUR_NAME; case NID_countryName: return ASN_COUNTRY_NAME; case NID_localityName: return ASN_LOCALITY_NAME; 
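Review bot: With WOLFSSL_CERT_NAME_ALL undefined, NID_name, NID_givenName, NID_dnQualifier and NID_initials now fall through to the switch's default case, which lies outside this hunk, so what a reduced build returns for them is whatever that default yields; it should be an explicit unsupported/error value so that a caller, presumably reaching this through the OpenSSL-compatible name-entry APIs, fails visibly instead of receiving a usable tag. A comment on the new guard would record the intent: `/* name, givenName, dnQualifier and initials map only under WOLFSSL_CERT_NAME_ALL; otherwise they take the default case */`. ConvertNIDToWolfSSL's body continues past the hunk.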
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index b98b51739..6c0f77109 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -84,6 +84,9 @@ ASN Options: extension. * WOLFSSL_SUBJ_INFO_ACC: Enable support for SubjectInfoAccess extension. * WOLFSSL_FPKI: Enable support for FPKI (Federal PKI) extensions. + * WOLFSSL_CERT_NAME_ALL: Adds more certificate name capability at the + cost of taking up more memory. Adds initials, givenname, dnQualifer for + example. */ #ifndef NO_ASN @@ -9956,10 +9959,12 @@ void InitDecodedCert(DecodedCert* cert, cert->heap = heap; cert->maxPathLen = WOLFSSL_MAX_PATH_LEN; #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) + #ifdef WOLFSSL_CERT_NAME_ALL cert->subjectNEnc = CTC_UTF8; cert->subjectIEnc = CTC_UTF8; cert->subjectDNQEnc = CTC_UTF8; cert->subjectGNEnc = CTC_UTF8; + #endif cert->subjectSNEnc = CTC_UTF8; cert->subjectCEnc = CTC_PRINTABLE; cert->subjectLEnc = CTC_UTF8; @@ -10702,10 +10707,12 @@ int wc_OBJ_sn2nid(const char *sn) {WOLFSSL_STATE_NAME, NID_stateOrProvinceName}, {WOLFSSL_ORG_NAME, NID_organizationName}, {WOLFSSL_ORGUNIT_NAME, NID_organizationalUnitName}, + #ifdef WOLFSSL_CERT_NAME_ALL {WOLFSSL_NAME, NID_name}, {WOLFSSL_INITIALS, NID_initials}, {WOLFSSL_GIVEN_NAME, NID_givenName}, {WOLFSSL_DNQUALIFIER, NID_dnQualifier}, + #endif {WOLFSSL_EMAIL_ADDR, NID_emailAddress}, {"SHA1", NID_sha1}, {NULL, -1}}; 
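Review bot: The option description added to the ASN options list misspells `dnQualifer` and writes `givenname` for the attribute the code and the table comments call givenName. Suggested text for the three comment lines: ` * WOLFSSL_CERT_NAME_ALL: Adds more certificate name capability at the`, `     cost of taking up more memory. Adds initials, givenName, dnQualifier for`, `     example.`. It would also help to state there which configurations enable it, since configure.ac in this patch sets it only for the FPKI block and for opensslall.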
@@ -11054,54 +11061,56 @@ static const CertNameData certNameSubject[] = { NID_userId #endif }, +#ifdef WOLFSSL_CERT_NAME_ALL /* Name, id 41 */ { "/N=", 3, -#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) + #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) OFFSETOF(DecodedCert, subjectN), OFFSETOF(DecodedCert, subjectNLen), OFFSETOF(DecodedCert, subjectNEnc), -#endif -#ifdef WOLFSSL_X509_NAME_AVAILABLE + #endif + #ifdef WOLFSSL_X509_NAME_AVAILABLE NID_name -#endif + #endif }, /* Given Name, id 42 */ { "/GN=", 4, -#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) + #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) OFFSETOF(DecodedCert, subjectGN), OFFSETOF(DecodedCert, subjectGNLen), OFFSETOF(DecodedCert, subjectGNEnc), -#endif -#ifdef WOLFSSL_X509_NAME_AVAILABLE + #endif + #ifdef WOLFSSL_X509_NAME_AVAILABLE NID_givenName -#endif + #endif }, /* initials, id 43 */ { "/initials=", 10, -#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) + #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) OFFSETOF(DecodedCert, subjectI), OFFSETOF(DecodedCert, subjectILen), OFFSETOF(DecodedCert, subjectIEnc), -#endif -#ifdef WOLFSSL_X509_NAME_AVAILABLE + #endif + #ifdef WOLFSSL_X509_NAME_AVAILABLE NID_initials -#endif + #endif }, /* DN Qualifier Name, id 46 */ { "/dnQualifier=", 13, -#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) + #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) OFFSETOF(DecodedCert, subjectDNQ), OFFSETOF(DecodedCert, subjectDNQLen), OFFSETOF(DecodedCert, subjectDNQEnc), -#endif -#ifdef WOLFSSL_X509_NAME_AVAILABLE + #endif + #ifdef WOLFSSL_X509_NAME_AVAILABLE NID_dnQualifier -#endif + #endif }, +#endif /* WOLFSSL_CERT_NAME_ALL */ }; static const int certNameSubjectSz = 
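Review bot: The hunk ends on `static const int certNameSubjectSz =` with its initializer outside the hunk; if that count is derived from `sizeof(certNameSubject) / sizeof(certNameSubject[0])` it follows the new guard automatically, but a literal count would now be four too large in builds without WOLFSSL_CERT_NAME_ALL and lookups could read past the table, so please confirm which form it has. Most of the hunk's `-`/`+` pairs only re-indent the inner `#if`/`#endif` lines; the functional change is the two guard lines, and a comment on the opening guard, `#ifdef WOLFSSL_CERT_NAME_ALL /* name, givenName, initials, dnQualifier */`, would mirror the one on the closing `#endif`.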
@@ -11637,6 +11646,7 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType, nid = NID_commonName; #endif /* OPENSSL_EXTRA */ } + #ifdef WOLFSSL_CERT_NAME_ALL else if (id == ASN_NAME) { copy = WOLFSSL_NAME; copyLen = sizeof(WOLFSSL_NAME) - 1; @@ -11701,6 +11711,7 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType, nid = NID_dnQualifier; #endif /* OPENSSL_EXTRA */ } + #endif /* WOLFSSL_CERT_NAME_ALL */ else if (id == ASN_SUR_NAME) { copy = WOLFSSL_SUR_NAME; copyLen = sizeof(WOLFSSL_SUR_NAME) - 1; @@ -22803,10 +22814,12 @@ static const byte nameOid[][NAME_OID_SZ] = { { 0x55, 0x04, ASN_STATE_NAME }, { 0x55, 0x04, ASN_STREET_ADDR }, { 0x55, 0x04, ASN_LOCALITY_NAME }, +#ifdef WOLFSSL_CERT_NAME_ALL { 0x55, 0x04, ASN_NAME }, { 0x55, 0x04, ASN_GIVEN_NAME }, { 0x55, 0x04, ASN_INITIALS }, { 0x55, 0x04, ASN_DNQUALIFIER }, +#endif { 0x55, 0x04, ASN_SUR_NAME }, { 0x55, 0x04, ASN_ORG_NAME }, { 0x00, 0x00, ASN_DOMAIN_COMPONENT}, /* not actual OID - see dcOid */ @@ -22848,6 +22861,7 @@ const char* GetOneCertName(CertName* name, int idx) return name->street; case ASN_LOCALITY_NAME: return name->locality; +#ifdef WOLFSSL_CERT_NAME_ALL case ASN_NAME: return name->dnName; case ASN_GIVEN_NAME: @@ -22856,6 +22870,7 @@ const char* GetOneCertName(CertName* name, int idx) return name->initials; case ASN_DNQUALIFIER: return name->dnQualifier; +#endif /* WOLFSSL_CERT_NAME_ALL */ case ASN_SUR_NAME: return name->sur; case ASN_ORG_NAME: @@ -22899,6 +22914,7 @@ static char GetNameType(CertName* name, int idx) return name->streetEnc; case ASN_LOCALITY_NAME: return name->localityEnc; +#ifdef WOLFSSL_CERT_NAME_ALL case ASN_NAME: return name->dnNameEnc; case ASN_GIVEN_NAME: @@ -22907,6 +22923,7 @@ static char GetNameType(CertName* name, int idx) return name->initialsEnc; case ASN_DNQUALIFIER: return name->dnQualifierEnc; +#endif /* WOLFSSL_CERT_NAME_ALL */ case ASN_SUR_NAME: return name->surEnc; case ASN_ORG_NAME: 
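Review bot: The nameOid table loses four rows when WOLFSSL_CERT_NAME_ALL is off, so the bound used to iterate it (not in this hunk) must be derived from the table's `sizeof` rather than a hand-maintained count; if it is a literal, the last four iterations would read rows that no longer exist. The `#ifdef`/`#endif` pair around the table rows carries no comment while the equivalent pairs added in GetOneCertName and GetNameType do; `#endif /* WOLFSSL_CERT_NAME_ALL */` on the closing line would keep the three consistent.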
@@ -27646,13 +27663,6 @@ static void SetNameFromDcert(CertName* cn, DecodedCert* decoded) cn->unit[sz] = '\0'; cn->unitEnc = decoded->subjectOUEnc; } - if (decoded->subjectN) { - sz = (decoded->subjectNLen < CTC_NAME_SIZE) ? decoded->subjectNLen - : CTC_NAME_SIZE - 1; - XSTRNCPY(cn->dnName, decoded->subjectN, sz); - cn->dnName[sz] = '\0'; - cn->dnNameEnc = decoded->subjectNEnc; - } if (decoded->subjectSN) { sz = (decoded->subjectSNLen < CTC_NAME_SIZE) ? decoded->subjectSNLen : CTC_NAME_SIZE - 1; @@ -27703,6 +27713,37 @@ static void SetNameFromDcert(CertName* cn, DecodedCert* decoded) XSTRNCPY(cn->email, decoded->subjectEmail, sz); cn->email[sz] = '\0'; } +#if defined(WOLFSSL_CERT_NAME_ALL) && \ + (defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)) + if (decoded->subjectN) { + sz = (decoded->subjectNLen < CTC_NAME_SIZE) ? decoded->subjectNLen + : CTC_NAME_SIZE - 1; + XSTRNCPY(cn->dnName, decoded->subjectN, sz); + cn->dnName[sz] = '\0'; + cn->dnNameEnc = decoded->subjectNEnc; + } + if (decoded->subjectI) { + sz = (decoded->subjectILen < CTC_NAME_SIZE) ? decoded->subjectILen + : CTC_NAME_SIZE - 1; + XSTRNCPY(cn->initials, decoded->subjectI, sz); + cn->initials[sz] = '\0'; + cn->initialsEnc = decoded->subjectIEnc; + } + if (decoded->subjectGN) { + sz = (decoded->subjectGNLen < CTC_NAME_SIZE) ? decoded->subjectGNLen + : CTC_NAME_SIZE - 1; + XSTRNCPY(cn->givenName, decoded->subjectGN, sz); + cn->givenName[sz] = '\0'; + cn->givenNameEnc = decoded->subjectGNEnc; + } + if (decoded->subjectDNQ) { + sz = (decoded->subjectDNQLen < CTC_NAME_SIZE) ? decoded->subjectDNQLen + : CTC_NAME_SIZE - 1; + XSTRNCPY(cn->dnQualifier, decoded->subjectDNQ, sz); + cn->dnQualifier[sz] = '\0'; + cn->dnQualifierEnc = decoded->subjectDNQEnc; + } +#endif /* WOLFSSL_CERT_NAME_ALL */ } #ifndef NO_FILESYSTEM diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 88eb21c02..0212d1fe1 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h 
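Review bot: The closing `#endif /* WOLFSSL_CERT_NAME_ALL */` names only half of the condition it closes; `#endif /* WOLFSSL_CERT_NAME_ALL && (WOLFSSL_CERT_GEN || WOLFSSL_CERT_EXT) */` would match the opening `#if`. The four new copies truncate a decoded value longer than `CTC_NAME_SIZE - 1` without any signal, so a CertName built from such a certificate silently differs from its source; that mirrors the existing fields above and the function returns void, but a comment at the top of the new block, `/* values longer than CTC_NAME_SIZE - 1 are truncated, as for the other subject fields */`, would record the limitation. SetNameFromDcert begins before this hunk.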
@@ -674,10 +674,12 @@ enum DN_Tags { ASN_BUS_CAT = 0x0f, /* businessCategory */ ASN_POSTAL_CODE = 0x11, /* postalCode */ ASN_USER_ID = 0x12, /* UserID */ +#ifdef WOLFSSL_CERT_NAME_ALL ASN_NAME = 0x2a, /* name */ ASN_GIVEN_NAME = 0x29, /* GN */ ASN_INITIALS = 0x2b, /* initials */ ASN_DNQUALIFIER = 0x2e, /* dnQualifier */ +#endif /* WOLFSSL_CERT_NAME_ALL */ ASN_EMAIL_NAME = 0x98, /* not actual OID (see attrEmailOid) */ ASN_CUSTOM_NAME = 0x99, /* not actual OID (see CertOidField) */ @@ -707,10 +709,12 @@ extern const WOLFSSL_ObjectInfo wolfssl_object_info[]; #define WOLFSSL_COMMON_NAME "/CN=" #define WOLFSSL_LN_COMMON_NAME "/commonName=" #define WOLFSSL_SUR_NAME "/SN=" -#define WOLFSSL_NAME "/N=" -#define WOLFSSL_INITIALS "/initials=" -#define WOLFSSL_GIVEN_NAME "/GN=" -#define WOLFSSL_DNQUALIFIER "/dnQualifier=" +#ifdef WOLFSSL_CERT_NAME_ALL + #define WOLFSSL_NAME "/N=" + #define WOLFSSL_INITIALS "/initials=" + #define WOLFSSL_GIVEN_NAME "/GN=" + #define WOLFSSL_DNQUALIFIER "/dnQualifier=" +#endif /* WOLFSSL_CERT_NAME_ALL */ #define WOLFSSL_SERIAL_NUMBER "/serialNumber=" #define WOLFSSL_COUNTRY_NAME "/C=" #define WOLFSSL_LN_COUNTRY_NAME "/countryName=" @@ -1658,6 +1662,7 @@ struct DecodedCert { char* subjectSN; int subjectSNLen; char subjectSNEnc; + #ifdef WOLFSSL_CERT_NAME_ALL char* subjectN; int subjectNLen; char subjectNEnc; @@ -1670,6 +1675,7 @@ struct DecodedCert { char* subjectDNQ; int subjectDNQLen; char subjectDNQEnc; + #endif /*WOLFSSL_CERT_NAME_ALL */ char* subjectC; int subjectCLen; char subjectCEnc; diff --git a/wolfssl/wolfcrypt/asn_public.h b/wolfssl/wolfcrypt/asn_public.h index 49078277b..f99e7fb9f 100644 --- a/wolfssl/wolfcrypt/asn_public.h +++ b/wolfssl/wolfcrypt/asn_public.h @@ -337,6 +337,7 @@ typedef struct CertName { char localityEnc; char sur[CTC_NAME_SIZE]; char surEnc; +#ifdef WOLFSSL_CERT_NAME_ALL char givenName[CTC_NAME_SIZE]; char givenNameEnc; char initials[CTC_NAME_SIZE]; 
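Review bot: With the four DN_Tags constants absent in builds without WOLFSSL_CERT_NAME_ALL, a certificate whose subject carries name, givenName, initials or dnQualifier is handled by the parser's path for unrecognized attribute types, which is outside this diff; it is worth confirming that path still accepts the certificate, or fails cleanly, rather than rejecting a chain that parsed before this change. A comment on the guard would point readers to the option, `#ifdef WOLFSSL_CERT_NAME_ALL /* name, GN, initials, dnQualifier: see asn.c options */`. The later DecodedCert hunk closes its guard with `#endif /*WOLFSSL_CERT_NAME_ALL */`, missing the space the other new `#endif` comments have.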
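Review bot: CertName is defined in the public header asn_public.h, and guarding givenName, initials, dnQualifier and dnName (this hunk and the one ending at `char unit[CTC_NAME_SIZE];`) makes its size and the offsets of org, unit and every later member depend on WOLFSSL_CERT_NAME_ALL. An application compiled without the same define as the library will index a different struct; that is only safe if the define reaches application code through the generated options.h, which the configure.ac change presumably achieves for the FPKI and opensslall builds but not for anyone setting it only on the library's own command line. A comment at the guard, `/* changes sizeof(CertName): must match the library build */`, would flag this for embedders.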
@@ -345,6 +346,7 @@ typedef struct CertName { char dnQualifierEnc; char dnName[CTC_NAME_SIZE]; char dnNameEnc; +#endif /* WOLFSSL_CERT_NAME_ALL */ char org[CTC_NAME_SIZE]; char orgEnc; char unit[CTC_NAME_SIZE];