From afee92e0cf6050f1414719c447d4c142d95d0e0b Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Tue, 19 Oct 2021 15:18:42 -0600 Subject: [PATCH 1/9] bail out when a bad alt name is found in the list of alt names --- certs/test/cert-ext-nc.cfg | 1 - certs/test/cert-ext-nc.der | Bin 1146 -> 1070 bytes certs/test/gen-ext-certs.sh | 1 - tests/api.c | 155 +++++++++++++++++++++++++++++++++++- wolfcrypt/src/asn.c | 12 +++ 5 files changed, 164 insertions(+), 5 deletions(-) diff --git a/certs/test/cert-ext-nc.cfg b/certs/test/cert-ext-nc.cfg index 9e8ff6be5..ce3757091 100644 --- a/certs/test/cert-ext-nc.cfg +++ b/certs/test/cert-ext-nc.cfg @@ -10,7 +10,6 @@ L = Brisbane O = wolfSSL Inc OU = Engineering CN = www.wolfssl.com -emailAddress = support@wolfsssl.com [ v3_ca ] subjectKeyIdentifier = hash diff --git a/certs/test/cert-ext-nc.der b/certs/test/cert-ext-nc.der index e16710d1ec0e58c265ac9ffd27c65b162d445383..a390dbfd32f8ba66411aa3c3cea3b70cfbbf7de1 100644 GIT binary patch delta 351 zcmeyxv5rI2povAxpov*%0W%XL6B8%H{$zjtj%G;}170>xtu~Lg@4SqR+^h@+)f3-V zD;da%^BNf%8W>s{85o-xnMaB98krcF8=6A7U{#xY8Q(J27cBVk%vos3vjV}C4M|I5 zURuZ0*)Cq(-LZ3v$Ju{6JWE%1>^Xk;qtXl0+_Pqv4D&uP9=U(+Vp;n9N-oAbg~D92 zHl@v{8T;#2n@b;1KF7iHRq0^gIi~Lu7TGP4oA8YNm?Eon&y1VTZ!#V-zaV}rc%ws* z_s*|3_FXIy{GD@7#^zzY<)_pPZJ(kOdHyq>I>&DKwfXmnO&xK^-Mx?8`q?<4NQFf} zF#Jz?Y+eF?O;YU6)+Jj$ukkLK>5@F-^K8jh=?2dyn_Xs|C<a$GRd7i27y&OWec6aYzIX|#{{;GFhwq>PAG_f=_juPiJ zGBz|cFo$v>X360Pv(9O5``0fTvC!~Yx~AzX>*)`qRIAobi{zYK zaDG}_+T7=@<*7YSEV2&<+2=@FTzqqC;WCXtm1Ru=o(tbw@SVK4ZsRIJ&dHnBvw9UT zFZ0M?OMUvzfb-kt%bO={483*RT=YZE9KY2QU-~I|zEEU5-8JF<*H!ho9=-K9+3V*$ zm~qtgrH?)1^g@=xFo#MuM$P?ltCJh%Uw*OiIa@R1j(nS%-6HW$s*jXg1Ly5iD)oIh zz4*_im669c2-Gewy7}W|iuVmcHc#7NmPC%!6Gv9B@8A#YE0FU(^zBGf(z{8bC3OnA j{nJi5owDHmm-uYname, name->len, base->name, base->nameSz); + + #ifndef WOLFSSL_NO_ASN_STRICT + /* found a bad name */ + if (matchDns == 0) + break; + #endif name = name->next; } break; 
@@ -13520,6 +13526,12 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert) matchEmail = MatchBaseName(ASN_DNS_TYPE, name->name, name->len, base->name, base->nameSz); + + #ifndef WOLFSSL_NO_ASN_STRICT + /* found a bad name */ + if (matchEmail == 0) + break; + #endif name = name->next; } break; From 3b73c6e3ae2fd6444d1b9ea17c46bd26a7286acf Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Tue, 19 Oct 2021 16:52:08 -0600 Subject: [PATCH 2/9] handle multiple permitted name constraints --- certs/test/cert-ext-mnc.der | Bin 0 -> 1086 bytes certs/test/gen-ext-certs.sh | 29 +++++++ tests/api.c | 161 +++++++++++++++++++++++++++++++++++- wolfcrypt/src/asn.c | 13 +++ 4 files changed, 202 insertions(+), 1 deletion(-) create mode 100644 certs/test/cert-ext-mnc.der diff --git a/certs/test/cert-ext-mnc.der b/certs/test/cert-ext-mnc.der new file mode 100644 index 0000000000000000000000000000000000000000..b7df09abb97d680921cdbd83b8612f117ef4a6b1 GIT binary patch literal 1086 zcmXqLVzDx4Vpdwf%*4pV#K|xvNJoCQSb~HBFB_*;n@8JsUPeZ4RtAG=Lv903Hs(+k zHen{mP(xt@K@f+7hbyo&H8rm|CowO@P|$!MB*@Og;Z&4aoRpZCYA9kL1QO!n;V#e5 zNed44QSi)5hKX|XaJ%NEXXd4*7G>t88%h|6fz&ed@RygD>w(l47w70D=jR&8iSrs6 z8X6c{8W|Z|8d*k(^BS2Lm>ZfxxdZFCCPpRXz+z-&U~XdMXE11Dr)N}fN*S^Vg?5UamdqsNvznD3JrQf?wu|GG}?|-Xa4Ye@?|#?|Pv4v`8;sukFUv;#+H^gLlT;Uzg-n^?#V09N5jBV!zgT$5NRX zlg;ZG79=12R?i)oQBl0CM`9&Y?)t-$jCwl+9v?g7uqAV`n{j4)-jUtn%RaxjyS8{w zwZ7ukziELydqXxq%#D}Xqg;HEletsmlEBWC!&(;>PV?IH@QPIQ@dXDCCRgygm>U>P zYcNuty0Cng@TKX+k789%X7L`jOjxpIL#C4x=gS)$dyEw}M<^{{_4>%eXNk>6FHO6D z^Me1{>rBjy42+8#4;VD=HIQXv4wdC&5n~bAENFCc(u|fzCx2Y9&SQ2uCC}GqV;~Qb zR%Vef5Np7$0F;&&|N-kWEe{_For^io~8K=x8C;e%E;Z*C(yod-a&NM% z)r7R=L3{7ji0Ds>i(4yOwbP^O@`t%S7g`jB)CgsP<+eX?=IJ+Mb9@rJfG@U zb6G#Iv0`(Az})l7UnZ+M1b%*@sQo3>-;DYC19fXNrH@9e>}{Sx1>27s?Kq_IVx@*< z;p6w-m(TglT3KQqf(i=7GBB8&&24-;w7Wu0PB=Ir` Y?Vr)*di+mtOY_I-U2H5R&;OhP0C8o4c>n+a literal 0 HcmV?d00001 
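Review bot: The e-mail comparison in this hunk passes `ASN_DNS_TYPE` to `MatchBaseName` although the result is stored in `matchEmail`, and the later patches in this series show these names come from `cert->altEmailNames` and are matched against `ASN_RFC822_TYPE` bases. If `MatchBaseName` treats e-mail names differently from DNS names (its body is not in view), rfc822Name constraints are being evaluated with DNS rules. Consider `matchEmail = MatchBaseName(ASN_RFC822_TYPE, name->name, name->len, base->name, base->nameSz);`, provided the helper accepts that type. The same call is re-added unchanged in the rewritten e-mail loop of PATCH 8/9. ConfirmNameConstraints starts and ends outside this hunk.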
diff --git a/certs/test/gen-ext-certs.sh b/certs/test/gen-ext-certs.sh index 045942d71..f63e86e84 100755 --- a/certs/test/gen-ext-certs.sh +++ b/certs/test/gen-ext-certs.sh @@ -46,6 +46,35 @@ nsComment = "Testing name constraints" EOF gen_cert + +OUT=certs/test/cert-ext-mnc.der +KEYFILE=certs/test/cert-ext-mnc-key.der +CONFIG=certs/test/cert-ext-mnc.cfg +tee >$CONFIG <name, name->len, @@ -13522,6 +13526,10 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert) if (name != NULL) needEmail = 1; + /* check if already found a matching permitted subtree */ + if (matchEmail == 1) + break; + while (name != NULL) { matchEmail = MatchBaseName(ASN_DNS_TYPE, name->name, name->len, @@ -13540,6 +13548,11 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert) { /* allow permitted dirName smaller than actual subject */ needDir = 1; + + /* check if already found a matching permitted subtree */ + if (matchDir == 1) + break; + if (cert->subjectRaw != NULL && cert->subjectRawLen >= base->nameSz && XMEMCMP(cert->subjectRaw, base->name, From e0e43b6a1619fd9e2c372dae547437129259ce2a Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Tue, 19 Oct 2021 22:14:04 -0600 Subject: [PATCH 3/9] clean up test case --- tests/api.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/api.c b/tests/api.c index 6847ac556..e0407ce67 100644 --- a/tests/api.c +++ b/tests/api.c @@ -1934,7 +1934,7 @@ static void test_wolfSSL_CertManagerNameConstraint3(void) AssertIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); AssertIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8, - (byte*)"support@info.com", 24, -1, 0), SSL_SUCCESS); + (byte*)"support@info.com", 16, -1, 0), SSL_SUCCESS); AssertIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); X509_NAME_free(name); 
@@ -1957,7 +1957,6 @@ static void test_wolfSSL_CertManagerNameConstraint3(void) AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E); - wolfSSL_X509_free(x509); wolfSSL_CertManagerFree(cm); wolfSSL_X509_free(x509); From ab6939d2004e19b22d4d0b20ae62c19768abe320 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Tue, 19 Oct 2021 23:34:03 -0600 Subject: [PATCH 4/9] add new test cert to make dist --- certs/test/include.am | 1 + 1 file changed, 1 insertion(+) diff --git a/certs/test/include.am b/certs/test/include.am index 1aaa1c0b8..3bcda40b4 100644 --- a/certs/test/include.am +++ b/certs/test/include.am @@ -7,6 +7,7 @@ EXTRA_DIST += \ certs/test/cert-ext-ia.der \ certs/test/cert-ext-nc.cfg \ certs/test/cert-ext-nc.der \ + certs/test/cert-ext-mnc.der \ certs/test/cert-ext-nct.cfg \ certs/test/cert-ext-nct.der \ certs/test/cert-ext-ndir.cfg \ From f57801c17b937175399aa32d4a1f36ee7f986260 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Wed, 20 Oct 2021 14:25:02 -0600 Subject: [PATCH 5/9] more name constraint test cases and adjust DNS base name matching to not require . --- certs/test/cert-ext-ncdns.der | Bin 0 -> 1084 bytes certs/test/cert-ext-ncmixed.der | Bin 0 -> 1081 bytes certs/test/gen-ext-certs.sh | 57 +++++ certs/test/include.am | 2 + tests/api.c | 425 ++++++++++++++++++++++++++++---- wolfcrypt/src/asn.c | 7 +- 6 files changed, 438 insertions(+), 53 deletions(-) create mode 100644 certs/test/cert-ext-ncdns.der create mode 100644 certs/test/cert-ext-ncmixed.der 
diff --git a/certs/test/cert-ext-ncdns.der b/certs/test/cert-ext-ncdns.der new file mode 100644 index 0000000000000000000000000000000000000000..5222e152346d66a136d5d7fbc47dce616a4e20b0 GIT binary patch literal 1084 zcmXqLVzDr2Vpdqd%*4pV#L3X+m3fZg-MuygUN%mxHjlRNyo`+8tPBR#hTI06Y|No7 zY{E>Ap@zZ+f*=kD4_9DmYHD6_PGVk)p`ZajNRXX}!>K5h&tTBR$i>ve$jESDD#ycc z$4`a1+b_8~sxzh@b6xjokBY&Lsps_lu6>i~*i$qA_lorTe=&0cOTTxWVt;O`-~VuL z^#T2w)hR2)|D1}g-t|E7X^~#OUfYeS#kbZ-2k(rxzb?tE>i;k~Ik1~M#eS{xj-@g& zCY#qWEJ!~3t)4qFqoR0OkHku*-1Ubg8TEDuJU({DVN2#>H{;Cqyd%5CmwkS5cWv>W zYJJ76f71ea_J(YJm>Vy%N4fYSCv&IBC4rqOhqW#&oaVLX;T5Uq;|mTPOs?Q}F*h)p z)?lPObz%7~;Y-ttAH}Mk%;G(4nXqKbhD;|X&X+eh_82Q{j!;^@>h+O_&k~!DUYd6Q z<^}(?*O{0Z85kEg?lWlIZ6M3W94gDlBE}-JSU42hzk35@TUzVr(g1#$+w zP2jW#OG~^>+^H3bxdl0?;H0I_#+lIO!Pxf0iIJB@N=zaowYVfRFI^!oF*j8qIX|zs zq$n{nucR0`in+m2%*Y@Ylm1QX+S#yQ*8?86#eQ0DS@QnmkM|Ef1to8OT3G+YV4k)A zx{rnv-M)S)TWDeWSzm%Hz|bV?3g@A3MKfBA`|qS(x+awFB6q5J^YUOniK}J%oU^hn z=-S7r#Q)7);KZ=1;Ouf4<-*s$uZGQee9i9Ct)NzMmC}{H65Re=*A`DtXgmK^YJy<& z0*SOgIcs^%PQAHVZ8Y=$dynop?q(euB$gaIDr?~*%D>Chu{CE?QDMOAz_2gVA0Ki~ zjCt(gD%$sM=Y%;qCEw53&)Io@-KH5ld*okmAC~*w7Cd!#6Yqn>o~gmfk*hzankz(! dOkE>WE#YY`!@KR>>ivx`%03pIkW9W<3;>0Sjbi`+ literal 0 HcmV?d00001 
diff --git a/certs/test/cert-ext-ncmixed.der b/certs/test/cert-ext-ncmixed.der new file mode 100644 index 0000000000000000000000000000000000000000..a7fad165dbe62753332c079e876593480b99a9fe GIT binary patch literal 1081 zcmXqLVlg#nVwPRN%*4pV#L2Mb@`fVL-q0okUN%mxHjlRNyo`+8tPBR#hTI06Y|No7 zY{E>Ap@zZ+f*=kD4_9DmYHD6_PGVk)p`ZajNRXX}!>K5h&tTBR$i>ve$jESDD#ycc z$4`a1+b_8~sxzh@b6xjokBY&Lsps_lu6>i~*i$qA_lorTe=&0cOTTxWVt;O`-~VuL z^#T2w)hR2)|D1}g-t|E7X^~#OUfYeS#kbZ-2k(rxzb?tE>i;k~Ik1~M#eS{xj-@g& zCY#qWEJ!~3t)4qFqoR0OkHku*-1Ubg8TEDuJU({DVN2#>H{;Cqyd%5CmwkS5cWv>W zYJJ76f71ea_J(YJm>Vy%N4fYSCv&IBC4rqOhqW#&oaVLX;T5Uq;|mTPOs?Q}F*h)p z)?lPObz%7~;Y-ttAH}Mk%;G(4nXqKbhD;|X&X+eh_82Q{j!;^@>h+O_&k~!DUYd6Q z<^}(?*O{0Z85kEg?lx%LVIa%K94gDlBE}-JSU42hzk35@TUzVr(mRs5yD{%?Bw4`CU5XXF17{yTr>rxnO>K8d}d=&|qVDlxzK*rr(z zejhA5^s_wtT7bBq!^^w7HN{h22kjS9db_oOH>2)&Q}4QeMTHCeS#O%8<|jwTwAZ># zJAThmMc{U8P@&YbgEMw@%=Da``~T_NkN1jJ72CGAG#HC2@1DZD)F{~h^+DN&eg4x# zCh_n8e&F856$-l_+n-{eYL;@-^2viG4;OiqG-oEdU322T<#YRd!vcl7j;pGkOfoBb aWUc*r`{VDQ7aX>mbRqfJ$p|;^!_fdFC5|`% literal 0 HcmV?d00001 diff --git a/certs/test/gen-ext-certs.sh b/certs/test/gen-ext-certs.sh index f63e86e84..aa77314b0 100755 --- a/certs/test/gen-ext-certs.sh +++ b/certs/test/gen-ext-certs.sh @@ -75,6 +75,63 @@ nsComment = "Testing name constraints" EOF gen_cert + +OUT=certs/test/cert-ext-ncdns.der +KEYFILE=certs/test/cert-ext-nc-key.der +CONFIG=certs/test/cert-ext-ncdns.cfg +tee >$CONFIG <$CONFIG < Date: Wed, 20 Oct 2021 17:13:34 -0600 Subject: [PATCH 6/9] clean up test case memory and common name size --- tests/api.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/api.c b/tests/api.c index 0075cbb79..dd2ecbace 100644 --- a/tests/api.c +++ b/tests/api.c 
@@ -2090,7 +2090,7 @@ static void test_wolfSSL_CertManagerNameConstraint4(void) AssertIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, (byte*)"US", 2, -1, 0), SSL_SUCCESS); AssertIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, - (byte*)"common", 11, -1, 0), SSL_SUCCESS); + (byte*)"common", 6, -1, 0), SSL_SUCCESS); AssertIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); X509_NAME_free(name); @@ -2278,7 +2278,6 @@ static void test_wolfSSL_CertManagerNameConstraint5(void) wolfSSL_X509_free(x509); wolfSSL_CertManagerFree(cm); - wolfSSL_X509_free(x509); wolfSSL_X509_free(ca); wolfSSL_EVP_PKEY_free(priv); #endif From 785e37790a68d70f72dead6a75b1189040f22eb5 Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 21 Oct 2021 12:35:06 -0700 Subject: [PATCH 7/9] Cleanup API test case debugging. --- tests/api.c | 150 +++++++++++++++------------------------------------- 1 file changed, 42 insertions(+), 108 deletions(-) diff --git a/tests/api.c b/tests/api.c index dd2ecbace..9caf14b41 100644 --- a/tests/api.c +++ b/tests/api.c 
@@ -1457,18 +1457,32 @@ static int test_wolfSSL_CertManagerSetVerify(void) return ret; } -#if 0 +#if !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) && \ + defined(DEBUG_UNIT_TEST_CERTS) /* used when debugging name constraint tests */ -static void debug_write_cert(WOLFSSL_X509* x509, const char* fileName) +static void DEBUG_WRITE_CERT_X509(WOLFSSL_X509* x509, const char* fileName) { - BIO* out = BIO_new(wolfSSL_BIO_s_file()); + BIO* out = BIO_new(BIO_s_file()); if (out != NULL) { - FILE* f= fopen(fileName, "wb"); + FILE* f = fopen(fileName, "wb"); BIO_set_fp(out, f, BIO_CLOSE); PEM_write_bio_X509(out, x509); BIO_free(out); } } +static void DEBUG_WRITE_CERT_DER(const byte* der, int derSz, const char* fileName) +{ + BIO* out = BIO_new(BIO_s_file()); + if (out != NULL) { + FILE* f = fopen(fileName, "wb"); + BIO_set_fp(out, f, BIO_CLOSE); + BIO_write(out, der, derSz); + BIO_free(out); + } +} +#else +#define DEBUG_WRITE_CERT_X509(x509, fileName) +#define DEBUG_WRITE_CERT_DER(der, derSz, fileName) #endif @@ -1554,18 +1568,8 @@ static void test_wolfSSL_CertManagerNameConstraint(void) WOLFSSL_FILETYPE_ASN1)); AssertNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz))); -#if 0 - { - //write out x509 for test - BIO* out = BIO_new(wolfSSL_BIO_s_file()); - if (out != NULL) { - FILE* f= fopen("ca.der", "wb"); - BIO_set_fp(out, f, BIO_CLOSE); - BIO_write(out, der, derSz); - BIO_free(out); - } - } -#endif + DEBUG_WRITE_CERT_DER(der, derSz, "ca.der"); + AssertIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); 
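Review bot: Both new helpers, DEBUG_WRITE_CERT_X509 and DEBUG_WRITE_CERT_DER, hand the result of `fopen(fileName, "wb")` to `BIO_set_fp` without checking it, so an unwritable path passes a NULL `FILE*` into the BIO layer. A guard before `BIO_set_fp`, for example `if (f == NULL) { BIO_free(out); return; }`, keeps a DEBUG_UNIT_TEST_CERTS build from failing for a reason unrelated to the test. The return values of `PEM_write_bio_X509` and `BIO_write` are also ignored; a one-line comment stating that the dump is best effort would make that intent explicit.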
@@ -1588,9 +1592,7 @@ static void test_wolfSSL_CertManagerNameConstraint(void) wolfSSL_X509_add_altname(x509, "wolfssl@info.wolfssl.com", ASN_RFC822_TYPE); AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - #if 0 - debug_write_cert(x509, "good-cert.pem"); - #endif + DEBUG_WRITE_CERT_X509(x509, "good-cert.pem"); AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, @@ -1618,9 +1620,7 @@ static void test_wolfSSL_CertManagerNameConstraint(void) wolfSSL_X509_add_altname(x509, "wolfssl@info.wolfssl.com", ASN_RFC822_TYPE); AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - #if 0 - debug_write_cert(x509, "bad-cert.pem"); - #endif + DEBUG_WRITE_CERT_X509(x509, "bad-cert.pem"); AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, @@ -1830,18 +1830,8 @@ static void test_wolfSSL_CertManagerNameConstraint3(void) AssertNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert, WOLFSSL_FILETYPE_ASN1)); AssertNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz))); -#if 0 - { - //write out x509 for test - BIO* out = BIO_new(wolfSSL_BIO_s_file()); - if (out != NULL) { - FILE* f= fopen("ca.der", "wb"); - BIO_set_fp(out, f, BIO_CLOSE); - BIO_write(out, der, derSz); - BIO_free(out); - } - } -#endif + DEBUG_WRITE_CERT_DER(der, derSz, "ca.der"); + AssertIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); @@ -1864,9 +1854,7 @@ static void test_wolfSSL_CertManagerNameConstraint3(void) wolfSSL_X509_add_altname(x509, "wolfssl@info.wolfssl.com", ASN_RFC822_TYPE); AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - #if 0 - debug_write_cert(x509, "good-1st-constraint-cert.pem"); - #endif + DEBUG_WRITE_CERT_X509(x509, "good-1st-constraint-cert.pem"); AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, 
@@ -1892,9 +1880,7 @@ static void test_wolfSSL_CertManagerNameConstraint3(void) wolfSSL_X509_add_altname(x509, "wolfssl@info.example.com", ASN_RFC822_TYPE); AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - #if 0 - debug_write_cert(x509, "good-2nd-constraint-cert.pem"); - #endif + DEBUG_WRITE_CERT_X509(x509, "good-2nd-constraint-cert.pem"); AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, @@ -1920,9 +1906,7 @@ static void test_wolfSSL_CertManagerNameConstraint3(void) wolfSSL_X509_add_altname(x509, "wolfssl@info.com", ASN_RFC822_TYPE); AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - #if 0 - debug_write_cert(x509, "bad-cert.pem"); - #endif + DEBUG_WRITE_CERT_X509(x509, "bad-cert.pem"); AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, @@ -1961,18 +1945,8 @@ static void test_wolfSSL_CertManagerNameConstraint4(void) AssertNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert, WOLFSSL_FILETYPE_ASN1)); AssertNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz))); -#if 0 - { - //write out x509 for test - BIO* out = BIO_new(wolfSSL_BIO_s_file()); - if (out != NULL) { - FILE* f= fopen("ca.der", "wb"); - BIO_set_fp(out, f, BIO_CLOSE); - BIO_write(out, der, derSz); - BIO_free(out); - } - } -#endif + DEBUG_WRITE_CERT_DER(der, derSz, "ca.der"); + AssertIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); 
@@ -1992,9 +1966,7 @@ static void test_wolfSSL_CertManagerNameConstraint4(void) wolfSSL_X509_add_altname(x509, "www.wolfssl.com", ASN_DNS_TYPE); AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - #if 0 - debug_write_cert(x509, "good-1st-constraint-cert.pem"); - #endif + DEBUG_WRITE_CERT_X509(x509, "good-1st-constraint-cert.pem"); AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, @@ -2017,9 +1989,7 @@ static void test_wolfSSL_CertManagerNameConstraint4(void) wolfSSL_X509_add_altname(x509, "www.example.com", ASN_DNS_TYPE); AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - #if 0 - debug_write_cert(x509, "good-2nd-constraint-cert.pem"); - #endif + DEBUG_WRITE_CERT_X509(x509, "good-2nd-constraint-cert.pem"); AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, @@ -2044,9 +2014,7 @@ static void test_wolfSSL_CertManagerNameConstraint4(void) wolfSSL_X509_add_altname(x509, "www.info.wolfssl.com", ASN_DNS_TYPE); wolfSSL_X509_add_altname(x509, "extra.wolfssl.com", ASN_DNS_TYPE); AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - #if 0 - debug_write_cert(x509, "good-multiple-constraint-cert.pem"); - #endif + DEBUG_WRITE_CERT_X509(x509, "good-multiple-constraint-cert.pem"); AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, 
@@ -2071,9 +2039,7 @@ static void test_wolfSSL_CertManagerNameConstraint4(void) wolfSSL_X509_add_altname(x509, "www.nomatch.com", ASN_DNS_TYPE); wolfSSL_X509_add_altname(x509, "www.info.wolfssl.com", ASN_DNS_TYPE); AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - #if 0 - debug_write_cert(x509, "bad-multiple-constraint-cert.pem"); - #endif + DEBUG_WRITE_CERT_X509(x509, "bad-multiple-constraint-cert.pem"); AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, @@ -2096,9 +2062,7 @@ static void test_wolfSSL_CertManagerNameConstraint4(void) wolfSSL_X509_add_altname(x509, "www.random.com", ASN_DNS_TYPE); AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - #if 0 - debug_write_cert(x509, "bad-cert.pem"); - #endif + DEBUG_WRITE_CERT_X509(x509, "bad-cert.pem"); AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, @@ -2137,18 +2101,8 @@ static void test_wolfSSL_CertManagerNameConstraint5(void) AssertNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert, WOLFSSL_FILETYPE_ASN1)); AssertNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz))); -#if 0 - { - //write out x509 for test - BIO* out = BIO_new(wolfSSL_BIO_s_file()); - if (out != NULL) { - FILE* f= fopen("ca.der", "wb"); - BIO_set_fp(out, f, BIO_CLOSE); - BIO_write(out, der, derSz); - BIO_free(out); - } - } -#endif + DEBUG_WRITE_CERT_DER(der, derSz, "ca.der"); + AssertIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); 
@@ -2169,9 +2123,7 @@ static void test_wolfSSL_CertManagerNameConstraint5(void) wolfSSL_X509_add_altname(x509, "good.example", ASN_DNS_TYPE); wolfSSL_X509_add_altname(x509, "facts@into.wolfssl.com", ASN_RFC822_TYPE); AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - #if 0 - debug_write_cert(x509, "good-cert.pem"); - #endif + DEBUG_WRITE_CERT_X509(x509, "good-cert.pem"); AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, @@ -2195,9 +2147,7 @@ static void test_wolfSSL_CertManagerNameConstraint5(void) wolfSSL_X509_add_altname(x509, "example", ASN_DNS_TYPE); wolfSSL_X509_add_altname(x509, "facts@wolfssl.com", ASN_RFC822_TYPE); AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - #if 0 - debug_write_cert(x509, "bad-cn-cert.pem"); - #endif + DEBUG_WRITE_CERT_X509(x509, "bad-cn-cert.pem"); AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, @@ -2220,9 +2170,7 @@ static void test_wolfSSL_CertManagerNameConstraint5(void) wolfSSL_X509_add_altname(x509, "www.wolfssl", ASN_DNS_TYPE); wolfSSL_X509_add_altname(x509, "info@wolfssl.com", ASN_RFC822_TYPE); AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - #if 0 - debug_write_cert(x509, "bad-1st-constraint-cert.pem"); - #endif + DEBUG_WRITE_CERT_X509(x509, "bad-1st-constraint-cert.pem"); AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, 
@@ -2245,9 +2193,7 @@ static void test_wolfSSL_CertManagerNameConstraint5(void) wolfSSL_X509_add_altname(x509, "info@wolfssl.com", ASN_RFC822_TYPE); wolfSSL_X509_add_altname(x509, "info@example.com", ASN_RFC822_TYPE); AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - #if 0 - debug_write_cert(x509, "bad-2nd-constraint-cert.pem"); - #endif + DEBUG_WRITE_CERT_X509(x509, "bad-2nd-constraint-cert.pem"); AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, @@ -2268,9 +2214,7 @@ static void test_wolfSSL_CertManagerNameConstraint5(void) wolfSSL_X509_add_altname(x509, "example", ASN_DNS_TYPE); AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - #if 0 - debug_write_cert(x509, "good-missing-constraint-cert.pem"); - #endif + DEBUG_WRITE_CERT_X509(x509, "good-missing-constraint-cert.pem"); AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, @@ -35921,17 +35865,7 @@ static void test_wolfSSL_X509_sign(void) AssertIntEQ(wolfSSL_X509_get_serial_number(x509, sn, &snSz), WOLFSSL_SUCCESS); - -#if 0 - /* example for writing to file */ - XFILE tmpFile = XFOPEN("./signed.der", "wb"); - if (tmpFile) { - int derSz = 0; - const byte* der = wolfSSL_X509_get_der(x509, &derSz); - XFWRITE(der, 1, derSz, tmpFile); - } - XFCLOSE(tmpFile); -#endif + DEBUG_WRITE_CERT_X509(x509, "signed.der"); /* Variation in size depends on ASN.1 encoding when MSB is set */ #ifndef WOLFSSL_ALT_NAMES From 6e7dee3283a43fb7d7ac913fe551bb529085a963 Mon Sep 17 00:00:00 2001 From: Sean Parkinson Date: Fri, 22 Oct 2021 10:43:29 +1000 Subject: [PATCH 8/9] Change to compare each name to each matching type in permittedNames list. --- wolfcrypt/src/asn.c | 194 +++++++++++++++++++++++--------------------- 1 file changed, 100 insertions(+), 94 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 1397f41e7..9ce3e4c85 100644 
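Review bot: In test_wolfSSL_X509_sign, `DEBUG_WRITE_CERT_X509(x509, "signed.der")` writes PEM into a file named `.der`, because the helper added earlier in this patch calls `PEM_write_bio_X509`, whereas the removed block wrote the raw DER bytes from `wolfSSL_X509_get_der`. Anyone comparing the dumped file with the DER size assertions that follow will be looking at the wrong encoding. Either rename the output to `"signed.pem"`, or fetch the DER and call `DEBUG_WRITE_CERT_DER(der, derSz, "signed.der")`.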
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -13489,114 +13489,120 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert) /* Check against the permitted list */ if (signer->permittedNames != NULL) { - int needDns = 0; - int matchDns = 0; - int needEmail = 0; - int matchEmail = 0; - int needDir = 0; - int matchDir = 0; - Base_entry* base = signer->permittedNames; + int permittedDir = 0; + int matchDir; + Base_entry* base; + DNS_entry* name; - while (base != NULL) { - switch (base->type) { - case ASN_DNS_TYPE: - { - DNS_entry* name = cert->altNames; - - if (name != NULL) - needDns = 1; - - /* check if already found a matching permitted subtree */ - if (matchDns == 1) - break; - - while (name != NULL) { - matchDns = MatchBaseName(ASN_DNS_TYPE, - name->name, name->len, - base->name, base->nameSz); - - #ifndef WOLFSSL_NO_ASN_STRICT - /* found a bad name */ - if (matchDns == 0) - break; - #endif - name = name->next; - } - break; + /* Check each DNS name matches a permitted. */ + name = cert->altNames; + while (name != NULL) { + int matchDns = 0; + int permittedDns = 0; + base = signer->permittedNames; + do { + /* Looking for perrmittedNames that are for DNS. */ + if (base->type == ASN_DNS_TYPE) { + permittedDns = 1; + matchDns = MatchBaseName(ASN_DNS_TYPE, + name->name, name->len, + base->name, base->nameSz); } - case ASN_RFC822_TYPE: - { - DNS_entry* name = cert->altEmailNames; + base = base->next; + } + while (base != NULL && !matchDns); + /* If we found an DNS type permittedName then name must have had a + * match. 
*/ + if (permittedDns && !matchDns) + return 0; - if (name != NULL) - needEmail = 1; + if (!permittedDns) + break; - /* check if already found a matching permitted subtree */ - if (matchEmail == 1) - break; + name = name->next; + } - while (name != NULL) { - matchEmail = MatchBaseName(ASN_DNS_TYPE, - name->name, name->len, - base->name, base->nameSz); - - #ifndef WOLFSSL_NO_ASN_STRICT - /* found a bad name */ - if (matchEmail == 0) - break; - #endif - name = name->next; - } - break; + /* Check each email name matches a permitted. */ + name = cert->altEmailNames; + while (name != NULL) { + int matchEmail = 0; + int permittedEmail = 0; + base = signer->permittedNames; + do { + /* Looking for perrmittedNames that are for email. */ + if (base->type == ASN_RFC822_TYPE) { + permittedEmail = 1; + matchEmail = MatchBaseName(ASN_DNS_TYPE, + name->name, name->len, + base->name, base->nameSz); } - case ASN_DIR_TYPE: - { - /* allow permitted dirName smaller than actual subject */ - needDir = 1; + base = base->next; + } + while ((base != NULL) && !matchEmail); + /* If we found an email type permittedName then name must have had a + * match. */ + if (permittedEmail && !matchEmail) + return 0; - /* check if already found a matching permitted subtree */ - if (matchDir == 1) - break; + if (!permittedEmail) + break; - if (cert->subjectRaw != NULL && - cert->subjectRawLen >= base->nameSz && - XMEMCMP(cert->subjectRaw, base->name, - base->nameSz) == 0) { + name = name->next; + } + + /* Check subject name matches a permitted name. */ + if (cert->subjectRaw != NULL) { + matchDir = 0; + permittedDir = 0; + base = signer->permittedNames; + while (base != NULL && !matchDir) { + /* Looking for perrmittedNames that are for directoryName. 
*/ + if (base->type == ASN_DIR_TYPE) { + permittedDir = 1; + if (cert->subjectRawLen >= base->nameSz && + XMEMCMP(cert->subjectRaw, base->name, base->nameSz) + == 0) { matchDir = 1; - - #ifndef WOLFSSL_NO_ASN_STRICT - /* RFC 5280 section 4.2.1.10 - "Restrictions of the form directoryName MUST be - applied to the subject field .... and to any names - of type directoryName in the subjectAltName - extension" - */ - if (cert->altDirNames != NULL) { - DNS_entry* cur = cert->altDirNames; - while (cur != NULL) { - if (XMEMCMP(cur->name, base->name, base->nameSz) - != 0) { - WOLFSSL_MSG("DIR alt name constraint err"); - matchDir = 0; /* did not match */ - } - cur = cur->next; - } - } - #endif /* !WOLFSSL_NO_ASN_STRICT */ } - break; } - default: - break; - } /* switch */ - base = base->next; + base = base->next; + } + /* If we found an dir name type permittedName then name must have + * had a match. */ + if (permittedDir && !matchDir) + return 0; } - if ((needDns && !matchDns) || - (needEmail && !matchEmail) || - (needDir && !matchDir)) { - return 0; + #ifndef WOLFSSL_NO_ASN_STRICT + /* RFC 5280 section 4.2.1.10 + "Restrictions of the form directoryName MUST be + applied to the subject field .... and to any names + of type directoryName in the subjectAltName + extension" + */ + /* Check each alt dir name matches a permitted. */ + name = cert->altDirNames; + while (permittedDir && name != NULL) { + int matchAltDir = 0; + base = signer->permittedNames; + do { + /* Looking for perrmittedNames that are for directoryName. */ + if (base->type == ASN_DIR_TYPE) { + if (XMEMCMP(name->name, base->name, base->nameSz) == 0) { + matchAltDir = 1; + } + } + base = base->next; + } + while ((base != NULL) && !matchAltDir); + /* If we found an dir name type permittedName then name must have + * had a match. */ + if (permittedDir && !matchAltDir) + return 0; + + name = name->next; } + #endif /* !WOLFSSL_NO_ASN_STRICT */ } return 1; 
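Review bot: The new altDirNames loop compares `base->nameSz` bytes of `name->name` without first checking `name->len`, so an alternative directoryName shorter than the permitted base is read past its end; the subject check just above it does guard with `cert->subjectRawLen >= base->nameSz`. Suggest `if (name->len >= base->nameSz && XMEMCMP(name->name, base->name, base->nameSz) == 0) {`. This assumes `name->len` is the length of the buffer behind `name->name`, as its use in the `MatchBaseName` calls suggests. The start of ConfirmNameConstraints and its excluded-names handling are outside this hunk.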
From 4c0527490d4cda8f2a766ea59deb2393b7703ed6 Mon Sep 17 00:00:00 2001 From: David Garske Date: Fri, 22 Oct 2021 09:59:16 -0700 Subject: [PATCH 9/9] Fixes for API unit test with `WOLFSSL_NO_ASN_STRICT`. Fix spelling error. --- tests/api.c | 23 +++++++++++++++++++++-- wolfcrypt/src/asn.c | 17 +++++++---------- 2 files changed, 28 insertions(+), 12 deletions(-) diff --git a/tests/api.c b/tests/api.c index 9caf14b41..abc90b640 100644 --- a/tests/api.c +++ b/tests/api.c @@ -1727,9 +1727,13 @@ static void test_wolfSSL_CertManagerNameConstraint2(void) wolfSSL_X509_sign(x509, priv, EVP_sha256()); #endif AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); +#ifndef WOLFSSL_NO_ASN_STRICT AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E); - +#else + AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); +#endif /* check that it still fails if one bad altname and one good altname is in * the certificate */ @@ -1748,8 +1752,13 @@ static void test_wolfSSL_CertManagerNameConstraint2(void) wolfSSL_X509_sign(x509, priv, EVP_sha256()); #endif AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); +#ifndef WOLFSSL_NO_ASN_STRICT AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E); +#else + AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); +#endif /* check it fails with switching position of bad altname */ wolfSSL_X509_free(x509); 
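Review bot: The new `#else` branches assert `WOLFSSL_SUCCESS` for certificates that the surrounding comments describe as failing ("check that it still fails if one bad altname and one good altname is in the certificate"), and nothing records why a `WOLFSSL_NO_ASN_STRICT` build accepts them. A comment on the first `#else`, for example `/* WOLFSSL_NO_ASN_STRICT: this name constraint violation is not rejected, so verification passes */`, would mark it as expected behaviour and not a regression. The same applies to the other `#else` branches in test_wolfSSL_CertManagerNameConstraint2 and to the widened guard in test_wolfSSL_URI. Which check is relaxed is not visible in these hunks, so the wording should be confirmed against asn.c.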
@@ -1767,8 +1776,13 @@ static void test_wolfSSL_CertManagerNameConstraint2(void) wolfSSL_X509_sign(x509, priv, EVP_sha256()); #endif AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); +#ifndef WOLFSSL_NO_ASN_STRICT AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E); +#else + AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); +#endif wolfSSL_CertManagerFree(cm); wolfSSL_X509_free(x509); @@ -1795,8 +1809,13 @@ static void test_wolfSSL_CertManagerNameConstraint2(void) wolfSSL_X509_sign(x509, priv, EVP_sha256()); #endif AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); +#ifndef WOLFSSL_NO_ASN_STRICT AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E); +#else + AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); +#endif wolfSSL_CertManagerFree(cm); wolfSSL_X509_free(x509); wolfSSL_X509_free(ca); @@ -8542,7 +8561,7 @@ static void test_wolfSSL_URI(void) wolfSSL_FreeX509(x509); x509 = wolfSSL_X509_load_certificate_file(badUri, WOLFSSL_FILETYPE_PEM); -#ifndef IGNORE_NAME_CONSTRAINTS +#if !defined(IGNORE_NAME_CONSTRAINTS) && !defined(WOLFSSL_NO_ASN_STRICT) AssertNull(x509); #else AssertNotNull(x509); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 9ce3e4c85..08d50dd75 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -13501,7 +13501,7 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert) int permittedDns = 0; base = signer->permittedNames; do { - /* Looking for perrmittedNames that are for DNS. */ + /* Looking for permittedNames that are for DNS. */ if (base->type == ASN_DNS_TYPE) { permittedDns = 1; matchDns = MatchBaseName(ASN_DNS_TYPE, 
@@ -13509,8 +13509,7 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
 base->name, base->nameSz);
 }
 base = base->next;
- }
- while (base != NULL && !matchDns);
+ } while (base != NULL && !matchDns);
 /* If we found an DNS type permittedName then name must have had a
 * match. */
 if (permittedDns && !matchDns)
@@ -13529,7 +13528,7 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
 int permittedEmail = 0;
 base = signer->permittedNames;
 do {
- /* Looking for perrmittedNames that are for email. */
+ /* Looking for permittedNames that are for email. */
 if (base->type == ASN_RFC822_TYPE) {
 permittedEmail = 1;
 matchEmail = MatchBaseName(ASN_DNS_TYPE,
@@ -13537,8 +13536,7 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
 base->name, base->nameSz);
 }
 base = base->next;
- }
- while ((base != NULL) && !matchEmail);
+ } while ((base != NULL) && !matchEmail);
 /* If we found an email type permittedName then name must have had a
 * match. */
 if (permittedEmail && !matchEmail)
@@ -13556,7 +13554,7 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
 permittedDir = 0;
 base = signer->permittedNames;
 while (base != NULL && !matchDir) {
- /* Looking for perrmittedNames that are for directoryName. */
+ /* Looking for permittedNames that are for directoryName. */
 if (base->type == ASN_DIR_TYPE) {
 permittedDir = 1;
 if (cert->subjectRawLen >= base->nameSz &&
@@ -13586,15 +13584,14 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
 int matchAltDir = 0;
 base = signer->permittedNames;
 do {
- /* Looking for perrmittedNames that are for directoryName. */
+ /* Looking for permittedNames that are for directoryName. */
 if (base->type == ASN_DIR_TYPE) {
 if (XMEMCMP(name->name, base->name, base->nameSz) == 0) {
 matchAltDir = 1;
 }
 }
 base = base->next;
- }
- while ((base != NULL) && !matchAltDir);
+ } while ((base != NULL) && !matchAltDir);
 /* If we found an dir name type permittedName then name must have
 * had a match. */
 if (permittedDir && !matchAltDir)