Merge pull request #7597 from ColtonWilley/max_altnames_and_name_constraints
Max limits on number of alternative names and name constraints
150
certs/test/cert-over-max-altnames.cfg
Normal file
@ -0,0 +1,150 @@
|
||||
[ req ]
|
||||
default_bits = 2048
|
||||
prompt = no
|
||||
distinguished_name = dn
|
||||
x509_extensions = extensions
|
||||
|
||||
[ dn ]
|
||||
C = US
|
||||
ST = Montana
|
||||
L = Bozeman
|
||||
O = wolfSSL Inc
|
||||
OU = Engineering
|
||||
CN = www.wolfssl.com
|
||||
|
||||
[ extensions ]
|
||||
subjectAltName = @alt_names
|
||||
|
||||
[ alt_names ]
|
||||
DNS.1 = example1.com
|
||||
DNS.2 = example2.com
|
||||
DNS.3 = example3.com
|
||||
DNS.4 = example4.com
|
||||
DNS.5 = example5.com
|
||||
DNS.6 = example6.com
|
||||
DNS.7 = example7.com
|
||||
DNS.8 = example8.com
|
||||
DNS.9 = example9.com
|
||||
DNS.10 = example10.com
|
||||
DNS.11 = example11.com
|
||||
DNS.12 = example12.com
|
||||
DNS.13 = example13.com
|
||||
DNS.14 = example14.com
|
||||
DNS.15 = example15.com
|
||||
DNS.16 = example16.com
|
||||
DNS.17 = example17.com
|
||||
DNS.18 = example18.com
|
||||
DNS.19 = example19.com
|
||||
DNS.20 = example20.com
|
||||
DNS.21 = example21.com
|
||||
DNS.22 = example22.com
|
||||
DNS.23 = example23.com
|
||||
DNS.24 = example24.com
|
||||
DNS.25 = example25.com
|
||||
DNS.26 = example26.com
|
||||
DNS.27 = example27.com
|
||||
DNS.28 = example28.com
|
||||
DNS.29 = example29.com
|
||||
DNS.30 = example30.com
|
||||
DNS.31 = example31.com
|
||||
DNS.32 = example32.com
|
||||
DNS.33 = example33.com
|
||||
DNS.34 = example34.com
|
||||
DNS.35 = example35.com
|
||||
DNS.36 = example36.com
|
||||
DNS.37 = example37.com
|
||||
DNS.38 = example38.com
|
||||
DNS.39 = example39.com
|
||||
DNS.40 = example40.com
|
||||
DNS.41 = example41.com
|
||||
DNS.42 = example42.com
|
||||
DNS.43 = example43.com
|
||||
DNS.44 = example44.com
|
||||
DNS.45 = example45.com
|
||||
DNS.46 = example46.com
|
||||
DNS.47 = example47.com
|
||||
DNS.48 = example48.com
|
||||
DNS.49 = example49.com
|
||||
DNS.50 = example50.com
|
||||
DNS.51 = example51.com
|
||||
DNS.52 = example52.com
|
||||
DNS.53 = example53.com
|
||||
DNS.54 = example54.com
|
||||
DNS.55 = example55.com
|
||||
DNS.56 = example56.com
|
||||
DNS.57 = example57.com
|
||||
DNS.58 = example58.com
|
||||
DNS.59 = example59.com
|
||||
DNS.60 = example60.com
|
||||
DNS.61 = example61.com
|
||||
DNS.62 = example62.com
|
||||
DNS.63 = example63.com
|
||||
DNS.64 = example64.com
|
||||
DNS.65 = example65.com
|
||||
DNS.66 = example66.com
|
||||
DNS.67 = example67.com
|
||||
DNS.68 = example68.com
|
||||
DNS.69 = example69.com
|
||||
DNS.70 = example70.com
|
||||
DNS.71 = example71.com
|
||||
DNS.72 = example72.com
|
||||
DNS.73 = example73.com
|
||||
DNS.74 = example74.com
|
||||
DNS.75 = example75.com
|
||||
DNS.76 = example76.com
|
||||
DNS.77 = example77.com
|
||||
DNS.78 = example78.com
|
||||
DNS.79 = example79.com
|
||||
DNS.80 = example80.com
|
||||
DNS.81 = example81.com
|
||||
DNS.82 = example82.com
|
||||
DNS.83 = example83.com
|
||||
DNS.84 = example84.com
|
||||
DNS.85 = example85.com
|
||||
DNS.86 = example86.com
|
||||
DNS.87 = example87.com
|
||||
DNS.88 = example88.com
|
||||
DNS.89 = example89.com
|
||||
DNS.90 = example90.com
|
||||
DNS.91 = example91.com
|
||||
DNS.92 = example92.com
|
||||
DNS.93 = example93.com
|
||||
DNS.94 = example94.com
|
||||
DNS.95 = example95.com
|
||||
DNS.96 = example96.com
|
||||
DNS.97 = example97.com
|
||||
DNS.98 = example98.com
|
||||
DNS.99 = example99.com
|
||||
DNS.100 = example100.com
|
||||
DNS.101 = example101.com
|
||||
DNS.102 = example102.com
|
||||
DNS.103 = example103.com
|
||||
DNS.104 = example104.com
|
||||
DNS.105 = example105.com
|
||||
DNS.106 = example106.com
|
||||
DNS.107 = example107.com
|
||||
DNS.108 = example108.com
|
||||
DNS.109 = example109.com
|
||||
DNS.110 = example110.com
|
||||
DNS.111 = example111.com
|
||||
DNS.112 = example112.com
|
||||
DNS.113 = example113.com
|
||||
DNS.114 = example114.com
|
||||
DNS.115 = example115.com
|
||||
DNS.116 = example116.com
|
||||
DNS.117 = example117.com
|
||||
DNS.118 = example118.com
|
||||
DNS.119 = example119.com
|
||||
DNS.120 = example120.com
|
||||
DNS.121 = example121.com
|
||||
DNS.122 = example122.com
|
||||
DNS.123 = example123.com
|
||||
DNS.124 = example124.com
|
||||
DNS.125 = example125.com
|
||||
DNS.126 = example126.com
|
||||
DNS.127 = example127.com
|
||||
DNS.128 = example128.com
|
||||
DNS.129 = example129.com
|
||||
DNS.130 = example130.com
|
||||
|
||||
|
63
certs/test/cert-over-max-altnames.pem
Normal file
@ -0,0 +1,63 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIILZjCCCk6gAwIBAgIURc0vEAYKqmZm+uhVYVYcdTDD5jIwDQYJKoZIhvcNAQEL
|
||||
BQAwdzELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0Jv
|
||||
emVtYW4xFDASBgNVBAoMC3dvbGZTU0wgSW5jMRQwEgYDVQQLDAtFbmdpbmVlcmlu
|
||||
ZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMB4XDTI0MDUzMDAxMzQ1NloXDTI0
|
||||
MDYyOTAxMzQ1NlowdzELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAO
|
||||
BgNVBAcMB0JvemVtYW4xFDASBgNVBAoMC3dvbGZTU0wgSW5jMRQwEgYDVQQLDAtF
|
||||
bmdpbmVlcmluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMIIBIjANBgkqhkiG
|
||||
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4MxlWlPvDK577o82h5LrZDs/1eFX/xEI2ICZ
|
||||
xvQ3rMm5cdUxsnYeExXMP8Fzlx4RsyYeNCJo8wdKFtTbrkyTGE1tlrQ6jZ20aYA0
|
||||
V38GkQhVNzG5EIOBm9x7Zl7L4kgJEAG0a36jOrCuP9JOxo6EtyezF+KyN9TEzxxZ
|
||||
udlaV3JoxghmvaBzRO07vmomtxwtm/5K4gM3XCcYyDhxf7J357s6Ra8nhefOT/PV
|
||||
rB/mSHUcH0nvt2mNZdJyDOUBNx0IAVL1CaJh3pT14Ql03igSbeRr7pVtiioixZTD
|
||||
xB1npmn0kgTa4zNR11EWHX0nBwEJST3QofkJA+odSFQBG1tCTQIDAQABo4IH6DCC
|
||||
B+QwggfBBgNVHREEgge4MIIHtIIMZXhhbXBsZTEuY29tggxleGFtcGxlMi5jb22C
|
||||
DGV4YW1wbGUzLmNvbYIMZXhhbXBsZTQuY29tggxleGFtcGxlNS5jb22CDGV4YW1w
|
||||
bGU2LmNvbYIMZXhhbXBsZTcuY29tggxleGFtcGxlOC5jb22CDGV4YW1wbGU5LmNv
|
||||
bYINZXhhbXBsZTEwLmNvbYINZXhhbXBsZTExLmNvbYINZXhhbXBsZTEyLmNvbYIN
|
||||
ZXhhbXBsZTEzLmNvbYINZXhhbXBsZTE0LmNvbYINZXhhbXBsZTE1LmNvbYINZXhh
|
||||
bXBsZTE2LmNvbYINZXhhbXBsZTE3LmNvbYINZXhhbXBsZTE4LmNvbYINZXhhbXBs
|
||||
ZTE5LmNvbYINZXhhbXBsZTIwLmNvbYINZXhhbXBsZTIxLmNvbYINZXhhbXBsZTIy
|
||||
LmNvbYINZXhhbXBsZTIzLmNvbYINZXhhbXBsZTI0LmNvbYINZXhhbXBsZTI1LmNv
|
||||
bYINZXhhbXBsZTI2LmNvbYINZXhhbXBsZTI3LmNvbYINZXhhbXBsZTI4LmNvbYIN
|
||||
ZXhhbXBsZTI5LmNvbYINZXhhbXBsZTMwLmNvbYINZXhhbXBsZTMxLmNvbYINZXhh
|
||||
bXBsZTMyLmNvbYINZXhhbXBsZTMzLmNvbYINZXhhbXBsZTM0LmNvbYINZXhhbXBs
|
||||
ZTM1LmNvbYINZXhhbXBsZTM2LmNvbYINZXhhbXBsZTM3LmNvbYINZXhhbXBsZTM4
|
||||
LmNvbYINZXhhbXBsZTM5LmNvbYINZXhhbXBsZTQwLmNvbYINZXhhbXBsZTQxLmNv
|
||||
bYINZXhhbXBsZTQyLmNvbYINZXhhbXBsZTQzLmNvbYINZXhhbXBsZTQ0LmNvbYIN
|
||||
ZXhhbXBsZTQ1LmNvbYINZXhhbXBsZTQ2LmNvbYINZXhhbXBsZTQ3LmNvbYINZXhh
|
||||
bXBsZTQ4LmNvbYINZXhhbXBsZTQ5LmNvbYINZXhhbXBsZTUwLmNvbYINZXhhbXBs
|
||||
ZTUxLmNvbYINZXhhbXBsZTUyLmNvbYINZXhhbXBsZTUzLmNvbYINZXhhbXBsZTU0
|
||||
LmNvbYINZXhhbXBsZTU1LmNvbYINZXhhbXBsZTU2LmNvbYINZXhhbXBsZTU3LmNv
|
||||
bYINZXhhbXBsZTU4LmNvbYINZXhhbXBsZTU5LmNvbYINZXhhbXBsZTYwLmNvbYIN
|
||||
ZXhhbXBsZTYxLmNvbYINZXhhbXBsZTYyLmNvbYINZXhhbXBsZTYzLmNvbYINZXhh
|
||||
bXBsZTY0LmNvbYINZXhhbXBsZTY1LmNvbYINZXhhbXBsZTY2LmNvbYINZXhhbXBs
|
||||
ZTY3LmNvbYINZXhhbXBsZTY4LmNvbYINZXhhbXBsZTY5LmNvbYINZXhhbXBsZTcw
|
||||
LmNvbYINZXhhbXBsZTcxLmNvbYINZXhhbXBsZTcyLmNvbYINZXhhbXBsZTczLmNv
|
||||
bYINZXhhbXBsZTc0LmNvbYINZXhhbXBsZTc1LmNvbYINZXhhbXBsZTc2LmNvbYIN
|
||||
ZXhhbXBsZTc3LmNvbYINZXhhbXBsZTc4LmNvbYINZXhhbXBsZTc5LmNvbYINZXhh
|
||||
bXBsZTgwLmNvbYINZXhhbXBsZTgxLmNvbYINZXhhbXBsZTgyLmNvbYINZXhhbXBs
|
||||
ZTgzLmNvbYINZXhhbXBsZTg0LmNvbYINZXhhbXBsZTg1LmNvbYINZXhhbXBsZTg2
|
||||
LmNvbYINZXhhbXBsZTg3LmNvbYINZXhhbXBsZTg4LmNvbYINZXhhbXBsZTg5LmNv
|
||||
bYINZXhhbXBsZTkwLmNvbYINZXhhbXBsZTkxLmNvbYINZXhhbXBsZTkyLmNvbYIN
|
||||
ZXhhbXBsZTkzLmNvbYINZXhhbXBsZTk0LmNvbYINZXhhbXBsZTk1LmNvbYINZXhh
|
||||
bXBsZTk2LmNvbYINZXhhbXBsZTk3LmNvbYINZXhhbXBsZTk4LmNvbYINZXhhbXBs
|
||||
ZTk5LmNvbYIOZXhhbXBsZTEwMC5jb22CDmV4YW1wbGUxMDEuY29tgg5leGFtcGxl
|
||||
MTAyLmNvbYIOZXhhbXBsZTEwMy5jb22CDmV4YW1wbGUxMDQuY29tgg5leGFtcGxl
|
||||
MTA1LmNvbYIOZXhhbXBsZTEwNi5jb22CDmV4YW1wbGUxMDcuY29tgg5leGFtcGxl
|
||||
MTA4LmNvbYIOZXhhbXBsZTEwOS5jb22CDmV4YW1wbGUxMTAuY29tgg5leGFtcGxl
|
||||
MTExLmNvbYIOZXhhbXBsZTExMi5jb22CDmV4YW1wbGUxMTMuY29tgg5leGFtcGxl
|
||||
MTE0LmNvbYIOZXhhbXBsZTExNS5jb22CDmV4YW1wbGUxMTYuY29tgg5leGFtcGxl
|
||||
MTE3LmNvbYIOZXhhbXBsZTExOC5jb22CDmV4YW1wbGUxMTkuY29tgg5leGFtcGxl
|
||||
MTIwLmNvbYIOZXhhbXBsZTEyMS5jb22CDmV4YW1wbGUxMjIuY29tgg5leGFtcGxl
|
||||
MTIzLmNvbYIOZXhhbXBsZTEyNC5jb22CDmV4YW1wbGUxMjUuY29tgg5leGFtcGxl
|
||||
MTI2LmNvbYIOZXhhbXBsZTEyNy5jb22CDmV4YW1wbGUxMjguY29tgg5leGFtcGxl
|
||||
MTI5LmNvbYIOZXhhbXBsZTEzMC5jb20wHQYDVR0OBBYEFLbtWbf+CESA0Xfsii18
|
||||
98iIet9AMA0GCSqGSIb3DQEBCwUAA4IBAQBCY+SvA+JFFZ1NwwEBcl5BDbTjTAgt
|
||||
w+xlEK71C+KUdvFuMMftDjaESOTJXEsimz5TuYhCMmQwQJMTlaEuZnzyCetuyBwJ
|
||||
eRAFopo4xRhJKQ6okJlOANPlmXehuPS+niiMMGxqBOjVyvPFZpdnj0oa6Mz/ewuP
|
||||
gNlsLUUrA6YQZNGYq9rDb4r2CCtD+10xkUg1Pu+2eRHBkYP9VSJOvWTVLMj/mPwN
|
||||
mh/pAxg50fl/t+m181AOu8KpIen3++54ljgo0v/O3SyO0d5zq8+vSTpjkfX3LPjH
|
||||
DFyofMjOQ7lFnr7uwY9jmj//GUUg3nULmItMhcEJ3XE9ySoEwfP35OWC
|
||||
-----END CERTIFICATE-----
|
61
certs/test/cert-over-max-nc.cfg
Normal file
@ -0,0 +1,61 @@
|
||||
[ req ]
|
||||
default_bits = 2048
|
||||
prompt = no
|
||||
distinguished_name = dn
|
||||
x509_extensions = extensions
|
||||
|
||||
[ dn ]
|
||||
C = US
|
||||
ST = Montana
|
||||
L = Bozeman
|
||||
O = wolfSSL Inc
|
||||
OU = Engineering
|
||||
CN = www.wolfssl.com
|
||||
|
||||
[ extensions ]
|
||||
basicConstraints=critical,CA:true
|
||||
nameConstraints = permitted;DNS:.ex1.com,permitted;DNS:.ex2.com,permitted;\
|
||||
DNS:.ex3.com,permitted;DNS:.ex4.com,permitted;DNS:.ex5.com,permitted;\
|
||||
DNS:.ex6.com,permitted;DNS:.ex7.com,permitted;DNS:.ex8.com,permitted;\
|
||||
DNS:.ex9.com,permitted;DNS:.ex10.com,permitted;DNS:.ex11.com,permitted;\
|
||||
DNS:.ex12.com,permitted;DNS:.ex13.com,permitted;DNS:.ex14.com,permitted;\
|
||||
DNS:.ex15.com,permitted;DNS:.ex16.com,permitted;DNS:.ex17.com,permitted;\
|
||||
DNS:.ex18.com,permitted;DNS:.ex19.com,permitted;DNS:.ex20.com,permitted;\
|
||||
DNS:.ex21.com,permitted;DNS:.ex22.com,permitted;DNS:.ex23.com,permitted;\
|
||||
DNS:.ex24.com,permitted;DNS:.ex25.com,permitted;DNS:.ex26.com,permitted;\
|
||||
DNS:.ex27.com,permitted;DNS:.ex28.com,permitted;DNS:.ex29.com,permitted;\
|
||||
DNS:.ex30.com,permitted;DNS:.ex31.com,permitted;DNS:.ex32.com,permitted;\
|
||||
DNS:.ex33.com,permitted;DNS:.ex34.com,permitted;DNS:.ex35.com,permitted;\
|
||||
DNS:.ex36.com,permitted;DNS:.ex37.com,permitted;DNS:.ex38.com,permitted;\
|
||||
DNS:.ex39.com,permitted;DNS:.ex40.com,permitted;DNS:.ex41.com,permitted;\
|
||||
DNS:.ex42.com,permitted;DNS:.ex43.com,permitted;DNS:.ex44.com,permitted;\
|
||||
DNS:.ex45.com,permitted;DNS:.ex46.com,permitted;DNS:.ex47.com,permitted;\
|
||||
DNS:.ex48.com,permitted;DNS:.ex49.com,permitted;DNS:.ex50.com,permitted;\
|
||||
DNS:.ex51.com,permitted;DNS:.ex52.com,permitted;DNS:.ex53.com,permitted;\
|
||||
DNS:.ex54.com,permitted;DNS:.ex55.com,permitted;DNS:.ex56.com,permitted;\
|
||||
DNS:.ex57.com,permitted;DNS:.ex58.com,permitted;DNS:.ex59.com,permitted;\
|
||||
DNS:.ex60.com,permitted;DNS:.ex61.com,permitted;DNS:.ex62.com,permitted;\
|
||||
DNS:.ex63.com,permitted;DNS:.ex64.com,permitted;DNS:.ex65.com,permitted;\
|
||||
DNS:.ex66.com,permitted;DNS:.ex67.com,permitted;DNS:.ex68.com,permitted;\
|
||||
DNS:.ex69.com,permitted;DNS:.ex70.com,permitted;DNS:.ex71.com,permitted;\
|
||||
DNS:.ex72.com,permitted;DNS:.ex73.com,permitted;DNS:.ex74.com,permitted;\
|
||||
DNS:.ex75.com,permitted;DNS:.ex76.com,permitted;DNS:.ex77.com,permitted;\
|
||||
DNS:.ex78.com,permitted;DNS:.ex79.com,permitted;DNS:.ex80.com,permitted;\
|
||||
DNS:.ex81.com,permitted;DNS:.ex82.com,permitted;DNS:.ex83.com,permitted;\
|
||||
DNS:.ex84.com,permitted;DNS:.ex85.com,permitted;DNS:.ex86.com,permitted;\
|
||||
DNS:.ex87.com,permitted;DNS:.ex88.com,permitted;DNS:.ex89.com,permitted;\
|
||||
DNS:.ex90.com,permitted;DNS:.ex91.com,permitted;DNS:.ex92.com,permitted;\
|
||||
DNS:.ex93.com,permitted;DNS:.ex94.com,permitted;DNS:.ex95.com,permitted;\
|
||||
DNS:.ex96.com,permitted;DNS:.ex97.com,permitted;DNS:.ex98.com,permitted;\
|
||||
DNS:.ex99.com,permitted;DNS:.ex100.com,permitted;DNS:.ex101.com,permitted;\
|
||||
DNS:.ex102.com,permitted;DNS:.ex103.com,permitted;DNS:.ex104.com,permitted;\
|
||||
DNS:.ex105.com,permitted;DNS:.ex106.com,permitted;DNS:.ex107.com,permitted;\
|
||||
DNS:.ex108.com,permitted;DNS:.ex109.com,permitted;DNS:.ex110.com,permitted;\
|
||||
DNS:.ex111.com,permitted;DNS:.ex112.com,permitted;DNS:.ex113.com,permitted;\
|
||||
DNS:.ex114.com,permitted;DNS:.ex115.com,permitted;DNS:.ex116.com,permitted;\
|
||||
DNS:.ex117.com,permitted;DNS:.ex118.com,permitted;DNS:.ex119.com,permitted;\
|
||||
DNS:.ex120.com,permitted;DNS:.ex121.com,permitted;DNS:.ex122.com,permitted;\
|
||||
DNS:.ex123.com,permitted;DNS:.ex124.com,permitted;DNS:.ex125.com,permitted;\
|
||||
DNS:.ex126.com,permitted;DNS:.ex127.com,permitted;DNS:.ex128.com,permitted;\
|
||||
DNS:.ex129.com,permitted;DNS:.ex130.com
|
||||
|
58
certs/test/cert-over-max-nc.pem
Normal file
@ -0,0 +1,58 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIKdzCCCV+gAwIBAgIUP2BNrIrxeGGYtoPzcrEMcF8RDbEwDQYJKoZIhvcNAQEL
|
||||
BQAwdzELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0Jv
|
||||
emVtYW4xFDASBgNVBAoMC3dvbGZTU0wgSW5jMRQwEgYDVQQLDAtFbmdpbmVlcmlu
|
||||
ZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMB4XDTI0MDUzMDAxNTE0M1oXDTI0
|
||||
MDYyOTAxNTE0M1owdzELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAO
|
||||
BgNVBAcMB0JvemVtYW4xFDASBgNVBAoMC3dvbGZTU0wgSW5jMRQwEgYDVQQLDAtF
|
||||
bmdpbmVlcmluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMIIBIjANBgkqhkiG
|
||||
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr7XMOFVWne2YJvHK9odaZiLSFJ5l9FJqKLnc
|
||||
VDPPjM++SdO/dU8/hO/e1B5r88NtXFJHztMbekIIQd7f0T3Lwru/FRkmqI3Q2Z5V
|
||||
SYLJbrI3EiVg4eG07MI2DhHWg9cMnfENzYk4Q/Zhd2cGCsJUW4S37ye+M+VXDtlb
|
||||
ZkQVN19uqrxmZESqVpa05AjsJcbVMwb4++ZkhXLrs0eUcLQpZxWehTvKO/FgcFbD
|
||||
6kNkTBBNf3c/5AQCLugSLUGn1RgbNt9sBZ6zZPM3UOgeREfEcb5+B61RGQD/SMCR
|
||||
o+VEMCkGmWw8b3B7tyRXweuHBZ5I+AOw9QHb7F5tkT8ih5FUrwIDAQABo4IG+TCC
|
||||
BvUwDwYDVR0TAQH/BAUwAwEB/zCCBsEGA1UdHgSCBrgwgga0oIIGsDAKggguZXgx
|
||||
LmNvbTAKggguZXgyLmNvbTAKggguZXgzLmNvbTAKggguZXg0LmNvbTAKggguZXg1
|
||||
LmNvbTAKggguZXg2LmNvbTAKggguZXg3LmNvbTAKggguZXg4LmNvbTAKggguZXg5
|
||||
LmNvbTALggkuZXgxMC5jb20wC4IJLmV4MTEuY29tMAuCCS5leDEyLmNvbTALggku
|
||||
ZXgxMy5jb20wC4IJLmV4MTQuY29tMAuCCS5leDE1LmNvbTALggkuZXgxNi5jb20w
|
||||
C4IJLmV4MTcuY29tMAuCCS5leDE4LmNvbTALggkuZXgxOS5jb20wC4IJLmV4MjAu
|
||||
Y29tMAuCCS5leDIxLmNvbTALggkuZXgyMi5jb20wC4IJLmV4MjMuY29tMAuCCS5l
|
||||
eDI0LmNvbTALggkuZXgyNS5jb20wC4IJLmV4MjYuY29tMAuCCS5leDI3LmNvbTAL
|
||||
ggkuZXgyOC5jb20wC4IJLmV4MjkuY29tMAuCCS5leDMwLmNvbTALggkuZXgzMS5j
|
||||
b20wC4IJLmV4MzIuY29tMAuCCS5leDMzLmNvbTALggkuZXgzNC5jb20wC4IJLmV4
|
||||
MzUuY29tMAuCCS5leDM2LmNvbTALggkuZXgzNy5jb20wC4IJLmV4MzguY29tMAuC
|
||||
CS5leDM5LmNvbTALggkuZXg0MC5jb20wC4IJLmV4NDEuY29tMAuCCS5leDQyLmNv
|
||||
bTALggkuZXg0My5jb20wC4IJLmV4NDQuY29tMAuCCS5leDQ1LmNvbTALggkuZXg0
|
||||
Ni5jb20wC4IJLmV4NDcuY29tMAuCCS5leDQ4LmNvbTALggkuZXg0OS5jb20wC4IJ
|
||||
LmV4NTAuY29tMAuCCS5leDUxLmNvbTALggkuZXg1Mi5jb20wC4IJLmV4NTMuY29t
|
||||
MAuCCS5leDU0LmNvbTALggkuZXg1NS5jb20wC4IJLmV4NTYuY29tMAuCCS5leDU3
|
||||
LmNvbTALggkuZXg1OC5jb20wC4IJLmV4NTkuY29tMAuCCS5leDYwLmNvbTALggku
|
||||
ZXg2MS5jb20wC4IJLmV4NjIuY29tMAuCCS5leDYzLmNvbTALggkuZXg2NC5jb20w
|
||||
C4IJLmV4NjUuY29tMAuCCS5leDY2LmNvbTALggkuZXg2Ny5jb20wC4IJLmV4Njgu
|
||||
Y29tMAuCCS5leDY5LmNvbTALggkuZXg3MC5jb20wC4IJLmV4NzEuY29tMAuCCS5l
|
||||
eDcyLmNvbTALggkuZXg3My5jb20wC4IJLmV4NzQuY29tMAuCCS5leDc1LmNvbTAL
|
||||
ggkuZXg3Ni5jb20wC4IJLmV4NzcuY29tMAuCCS5leDc4LmNvbTALggkuZXg3OS5j
|
||||
b20wC4IJLmV4ODAuY29tMAuCCS5leDgxLmNvbTALggkuZXg4Mi5jb20wC4IJLmV4
|
||||
ODMuY29tMAuCCS5leDg0LmNvbTALggkuZXg4NS5jb20wC4IJLmV4ODYuY29tMAuC
|
||||
CS5leDg3LmNvbTALggkuZXg4OC5jb20wC4IJLmV4ODkuY29tMAuCCS5leDkwLmNv
|
||||
bTALggkuZXg5MS5jb20wC4IJLmV4OTIuY29tMAuCCS5leDkzLmNvbTALggkuZXg5
|
||||
NC5jb20wC4IJLmV4OTUuY29tMAuCCS5leDk2LmNvbTALggkuZXg5Ny5jb20wC4IJ
|
||||
LmV4OTguY29tMAuCCS5leDk5LmNvbTAMggouZXgxMDAuY29tMAyCCi5leDEwMS5j
|
||||
b20wDIIKLmV4MTAyLmNvbTAMggouZXgxMDMuY29tMAyCCi5leDEwNC5jb20wDIIK
|
||||
LmV4MTA1LmNvbTAMggouZXgxMDYuY29tMAyCCi5leDEwNy5jb20wDIIKLmV4MTA4
|
||||
LmNvbTAMggouZXgxMDkuY29tMAyCCi5leDExMC5jb20wDIIKLmV4MTExLmNvbTAM
|
||||
ggouZXgxMTIuY29tMAyCCi5leDExMy5jb20wDIIKLmV4MTE0LmNvbTAMggouZXgx
|
||||
MTUuY29tMAyCCi5leDExNi5jb20wDIIKLmV4MTE3LmNvbTAMggouZXgxMTguY29t
|
||||
MAyCCi5leDExOS5jb20wDIIKLmV4MTIwLmNvbTAMggouZXgxMjEuY29tMAyCCi5l
|
||||
eDEyMi5jb20wDIIKLmV4MTIzLmNvbTAMggouZXgxMjQuY29tMAyCCi5leDEyNS5j
|
||||
b20wDIIKLmV4MTI2LmNvbTAMggouZXgxMjcuY29tMAyCCi5leDEyOC5jb20wDIIK
|
||||
LmV4MTI5LmNvbTAMggouZXgxMzAuY29tMB0GA1UdDgQWBBRZqhZL7IEF/o83ZyxK
|
||||
Djw6be/2ozANBgkqhkiG9w0BAQsFAAOCAQEAPObXW1f+7VAT0SUE6fLpqmP1y1PY
|
||||
z5oePRsiRPrM8tbgu2DESGwcHeapCtIPXLPbf1pW3yYqTGtgIrO2IqBZmVWIk3YT
|
||||
OSp4RrZDH55soOr2g6KP5RpjE6kWU5XkVxbQNLHlwRgnpQcDgVoOgIDtxpVgpXs1
|
||||
OCdNe1sdQbPbI8ciIayJJl7bEv52BjrmjYhCWCPXDBspwLhafwFzorHDj8QiYbWo
|
||||
6QH1TQakxjo3Nbceax7D2LT2Aev/cMw8GqR/wykLj1EEYzdB644OYwEfdRf5RwJg
|
||||
CkaQE7FWVpdVcoJnXIa8/iATpTLYuYeolpDLXJe2Eqb3SegTp6wL4x1Bzg==
|
||||
-----END CERTIFICATE-----
|
@ -32,7 +32,11 @@ EXTRA_DIST += \
|
||||
certs/test/cert-ext-multiple.pem \
|
||||
certs/test/cert-bad-neg-int.der \
|
||||
certs/test/cert-bad-oid.der \
|
||||
certs/test/cert-bad-utf8.der
|
||||
certs/test/cert-bad-utf8.der \
|
||||
certs/test/cert-over-max-altnames.cfg \
|
||||
certs/test/cert-over-max-altnames.pem \
|
||||
certs/test/cert-over-max-nc.cfg \
|
||||
certs/test/cert-over-max-nc.pem
|
||||
|
||||
# The certs/server-cert with the last byte (signature byte) changed
|
||||
EXTRA_DIST += \
|
||||
|
58
tests/api.c
@ -41261,6 +41261,62 @@ static int test_wolfSSL_X509_bad_altname(void)
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
|
||||
static int test_wolfSSL_X509_max_altnames(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_RSA)
|
||||
|
||||
/* Only test if max alt names has not been modified */
|
||||
#if WOLFSSL_MAX_ALT_NAMES == 128
|
||||
|
||||
WOLFSSL_CTX* ctx = NULL;
|
||||
/* File contains a certificate encoded with 130 subject alternative names */
|
||||
const char* over_max_altnames_cert = \
|
||||
"./certs/test/cert-over-max-altnames.pem";
|
||||
|
||||
#ifndef NO_WOLFSSL_SERVER
|
||||
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
|
||||
#else
|
||||
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
|
||||
#endif
|
||||
|
||||
ExpectIntNE(wolfSSL_CTX_load_verify_locations_ex(ctx,
|
||||
over_max_altnames_cert, NULL, WOLFSSL_LOAD_FLAG_NONE),
|
||||
WOLFSSL_SUCCESS);
|
||||
wolfSSL_CTX_free(ctx);
|
||||
#endif
|
||||
#endif
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
|
||||
static int test_wolfSSL_X509_max_name_constraints(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_RSA) && \
|
||||
!defined(IGNORE_NAME_CONSTRAINTS)
|
||||
|
||||
/* Only test if max name constraints has not been modified */
|
||||
#if WOLFSSL_MAX_NAME_CONSTRAINTS == 128
|
||||
|
||||
WOLFSSL_CTX* ctx = NULL;
|
||||
/* File contains a certificate with 130 name constraints */
|
||||
const char* over_max_nc = "./certs/test/cert-over-max-nc.pem";
|
||||
|
||||
#ifndef NO_WOLFSSL_SERVER
|
||||
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
|
||||
#else
|
||||
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
|
||||
#endif
|
||||
|
||||
ExpectIntNE(wolfSSL_CTX_load_verify_locations_ex(ctx, over_max_nc,
|
||||
NULL, WOLFSSL_LOAD_FLAG_NONE), WOLFSSL_SUCCESS);
|
||||
wolfSSL_CTX_free(ctx);
|
||||
#endif
|
||||
|
||||
#endif
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
|
||||
static int test_wolfSSL_X509(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
@ -72838,6 +72894,8 @@ TEST_CASE testCases[] = {
|
||||
TEST_DECL(test_wolfSSL_X509_check_ca),
|
||||
TEST_DECL(test_wolfSSL_X509_check_ip_asc),
|
||||
TEST_DECL(test_wolfSSL_X509_bad_altname),
|
||||
TEST_DECL(test_wolfSSL_X509_max_altnames),
|
||||
TEST_DECL(test_wolfSSL_X509_max_name_constraints),
|
||||
TEST_DECL(test_wolfSSL_make_cert),
|
||||
|
||||
#ifndef NO_BIO
|
||||
|
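Review bot: Both new tests assert only that wolfSSL_CTX_load_verify_locations_ex() does not return WOLFSSL_SUCCESS, so any load failure satisfies them, including a missing file or a date error, and neither proves that the new limit is what rejected the certificate. This matters here because the validity field in certs/test/cert-over-max-altnames.pem appears to decode to a 30-day window (notAfter 2024-06-29), and cert-over-max-nc.pem looks the same, so once the fixtures expire a build with date checking would likely pass these tests even if the limit checks regressed. Consider pinning the expected error, e.g. `ExpectIntEQ(wolfSSL_CTX_load_verify_locations_ex(ctx, over_max_altnames_cert, NULL, WOLFSSL_LOAD_FLAG_NONE), ASN_ALT_NAME_E);` (assuming the parse error is returned unchanged), and either loading with `WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY` or regenerating the fixtures with a long validity. A positive case with exactly 128 entries would also guard the boundary against an off-by-one.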
@ -18944,6 +18944,7 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert)
|
||||
word32 idx = 0;
|
||||
int length = 0;
|
||||
int ret = 0;
|
||||
word32 numNames = 0;
|
||||
|
||||
WOLFSSL_ENTER("DecodeAltNames");
|
||||
|
||||
@ -18976,6 +18977,13 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert)
|
||||
while ((ret == 0) && (idx < sz)) {
|
||||
ASNGetData dataASN[altNameASN_Length];
|
||||
|
||||
numNames++;
|
||||
if (numNames > WOLFSSL_MAX_ALT_NAMES) {
|
||||
WOLFSSL_MSG("\tToo many subject alternative names");
|
||||
ret = ASN_ALT_NAME_E;
|
||||
break;
|
||||
}
|
||||
|
||||
/* Clear dynamic data items. */
|
||||
XMEMSET(dataASN, 0, sizeof(dataASN));
|
||||
/* Parse GeneralName with the choices supported. */
|
||||
@ -20086,13 +20094,16 @@ static int DecodeSubtreeGeneralName(const byte* input, word32 sz, byte tag,
|
||||
* @param [in] input Buffer holding data.
|
||||
* @param [in] sz Size of data in buffer.
|
||||
* @param [in, out] head Linked list of subtree names.
|
||||
* @param [in] limit If > 0, limit on number of tree
|
||||
* entries to process, exceeding
|
||||
* is an error.
|
||||
* @param [in] heap Dynamic memory hint.
|
||||
* @return 0 on success.
|
||||
* @return MEMORY_E when dynamic memory allocation fails.
|
||||
* @return ASN_PARSE_E when SEQUENCE is not found as expected.
|
||||
*/
|
||||
static int DecodeSubtree(const byte* input, word32 sz, Base_entry** head,
|
||||
void* heap)
|
||||
word32 limit, void* heap)
|
||||
{
|
||||
#ifndef WOLFSSL_ASN_TEMPLATE
|
||||
word32 idx = 0;
|
||||
@ -20170,6 +20181,7 @@ static int DecodeSubtree(const byte* input, word32 sz, Base_entry** head,
|
||||
DECL_ASNGETDATA(dataASN, subTreeASN_Length);
|
||||
word32 idx = 0;
|
||||
int ret = 0;
|
||||
word32 cnt = 0;
|
||||
|
||||
(void)heap;
|
||||
|
||||
@ -20179,6 +20191,14 @@ static int DecodeSubtree(const byte* input, word32 sz, Base_entry** head,
|
||||
while ((ret == 0) && (idx < (word32)sz)) {
|
||||
byte minVal = 0;
|
||||
byte maxVal = 0;
|
||||
if (limit > 0) {
|
||||
cnt++;
|
||||
if (cnt > limit) {
|
||||
WOLFSSL_MSG("too many name constraints");
|
||||
ret = ASN_NAME_INVALID_E;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* Clear dynamic data and set choice for GeneralName and location to
|
||||
* store minimum and maximum.
|
||||
@ -20277,7 +20297,7 @@ static int DecodeNameConstraints(const byte* input, word32 sz,
|
||||
}
|
||||
|
||||
if (DecodeSubtree(input + idx, (word32)length, subtree,
|
||||
cert->heap) < 0) {
|
||||
WOLFSSL_MAX_NAME_CONSTRAINTS, cert->heap) < 0) {
|
||||
WOLFSSL_MSG("\terror parsing subtree");
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
@ -20304,7 +20324,8 @@ static int DecodeNameConstraints(const byte* input, word32 sz,
|
||||
ret = DecodeSubtree(
|
||||
dataASN[NAMECONSTRAINTSASN_IDX_PERMIT].data.ref.data,
|
||||
dataASN[NAMECONSTRAINTSASN_IDX_PERMIT].data.ref.length,
|
||||
&cert->permittedNames, cert->heap);
|
||||
&cert->permittedNames, WOLFSSL_MAX_NAME_CONSTRAINTS,
|
||||
cert->heap);
|
||||
}
|
||||
}
|
||||
if (ret == 0) {
|
||||
@ -20313,7 +20334,8 @@ static int DecodeNameConstraints(const byte* input, word32 sz,
|
||||
ret = DecodeSubtree(
|
||||
dataASN[NAMECONSTRAINTSASN_IDX_EXCLUDE].data.ref.data,
|
||||
dataASN[NAMECONSTRAINTSASN_IDX_EXCLUDE].data.ref.length,
|
||||
&cert->excludedNames, cert->heap);
|
||||
&cert->excludedNames, WOLFSSL_MAX_NAME_CONSTRAINTS,
|
||||
cert->heap);
|
||||
}
|
||||
}
|
||||
|
||||
|
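Review bot: The visible hunks add the counters only inside the loops that use `ASNGetData dataASN[altNameASN_Length]` and `DECL_ASNGETDATA(dataASN, subTreeASN_Length)`, which look like the WOLFSSL_ASN_TEMPLATE code paths; the `#ifndef WOLFSSL_ASN_TEMPLATE` branch of DecodeSubtree now receives `limit`, but no hunk shows it being used there. If the non-template loops have no matching check outside these hunks, builds using the original parser would still accept an unbounded number of alternative names and name constraints from an untrusted certificate, and `limit` may raise an unused-parameter warning, so the same `cnt`/`numNames` guard should be mirrored in those loops. The DecodeSubtree doc comment also gains `limit` without a matching return line such as `@return ASN_NAME_INVALID_E when more than limit entries are present.` All of these function bodies start or continue outside the hunks shown.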
@ -780,6 +780,20 @@ extern const WOLFSSL_ObjectInfo wolfssl_object_info[];
|
||||
#define WOLFSSL_TLS_FEATURE_SUM 92
|
||||
#endif
|
||||
|
||||
/* Maximum number of allowed subject alternative names in a certificate.
|
||||
* Any certificate containing more than this number of subject
|
||||
* alternative names will cause an error when attempting to parse. */
|
||||
#ifndef WOLFSSL_MAX_ALT_NAMES
|
||||
#define WOLFSSL_MAX_ALT_NAMES 128
|
||||
#endif
|
||||
|
||||
/* Maximum number of allowed name constraints in a certificate.
|
||||
* Any certificate containing more than this number of name constraints
|
||||
* will cause an error when attempting to parse. */
|
||||
#ifndef WOLFSSL_MAX_NAME_CONSTRAINTS
|
||||
#define WOLFSSL_MAX_NAME_CONSTRAINTS 128
|
||||
#endif
|
||||
|
||||
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
|
||||
/* NIDs */
|
||||
#define NID_undef 0
|
||||
|
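Review bot: The two macros treat zero differently and the comments do not say so: DecodeAltNames checks `numNames > WOLFSSL_MAX_ALT_NAMES` unconditionally, so defining it as 0 rejects every certificate that carries a subject alternative name, while DecodeSubtree only counts under `if (limit > 0)`, so a `WOLFSSL_MAX_NAME_CONSTRAINTS` of 0 disables the cap entirely. The name-constraints comment also says "in a certificate", but the limit is passed separately for the permitted and the excluded subtree, so one certificate can carry up to twice that many entries. I would document both, e.g. `/* Maximum entries in each of the permitted and excluded subtrees; 0 disables the limit. */` and, for alt names, `/* Must be at least 1; 0 rejects any certificate with a subjectAltName. */`.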