wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-31 11:17:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4485 from JacobBarthelmeh/certs

Browse Source 
Improve permitted alternate name logic in certificate ASN handling
This commit is contained in:
David Garske
2021-10-22 11:59:16 -07:00
committed by GitHub
parent f8178b4896 4c0527490d
commit 229f0d5fd1
9 changed files with 789 additions and 89 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
certs/test/cert-ext-mnc.der Normal file
View File

Binary file not shown.

1
certs/test/cert-ext-nc.cfg
View File

@ -10,7 +10,6 @@ L = Brisbane
O = wolfSSL Inc O = wolfSSL Inc
OU = Engineering OU = Engineering
CN = www.wolfssl.com CN = www.wolfssl.com
emailAddress = support@wolfsssl.com
[ v3_ca ] [ v3_ca ]
subjectKeyIdentifier = hash subjectKeyIdentifier = hash

BIN
certs/test/cert-ext-nc.der
View File

Binary file not shown.

BIN
certs/test/cert-ext-ncdns.der Normal file
View File

Binary file not shown.

BIN
certs/test/cert-ext-ncmixed.der Normal file
View File

Binary file not shown.

87
certs/test/gen-ext-certs.sh
View File

@ -34,7 +34,6 @@ L = Brisbane
O = wolfSSL Inc O = wolfSSL Inc
OU = Engineering OU = Engineering
CN = www.wolfssl.com CN = www.wolfssl.com
emailAddress = support@wolfsssl.com
[ v3_ca ] [ v3_ca ]
subjectKeyIdentifier = hash subjectKeyIdentifier = hash
@ -47,6 +46,92 @@ nsComment = "Testing name constraints"
EOF EOF
gen_cert gen_cert
OUT=certs/test/cert-ext-mnc.der
KEYFILE=certs/test/cert-ext-mnc-key.der
CONFIG=certs/test/cert-ext-mnc.cfg
tee >$CONFIG <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = v3_ca
[ req_distinguished_name ]
C = AU
ST = Queensland
L = Brisbane
O = wolfSSL Inc
OU = Engineering
CN = www.wolfssl.com
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
nameConstraints = critical,permitted;email:.wolfssl.com, permitted;email:.example.com
nsComment = "Testing name constraints"
EOF
gen_cert
OUT=certs/test/cert-ext-ncdns.der
KEYFILE=certs/test/cert-ext-nc-key.der
CONFIG=certs/test/cert-ext-ncdns.cfg
tee >$CONFIG <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = v3_ca
[ req_distinguished_name ]
C = AU
ST = Queensland
L = Brisbane
O = wolfSSL Inc
OU = Engineering
CN = www.wolfssl.com
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
nameConstraints = critical,permitted;DNS:wolfssl.com, permitted;DNS:example.com
nsComment = "Testing name constraints"
EOF
gen_cert
OUT=certs/test/cert-ext-ncmixed.der
KEYFILE=certs/test/cert-ext-ncmixed-key.der
CONFIG=certs/test/cert-ext-ncmixed.cfg
tee >$CONFIG <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = v3_ca
[ req_distinguished_name ]
C = AU
ST = Queensland
L = Brisbane
O = wolfSSL Inc
OU = Engineering
CN = www.wolfssl.com
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
nameConstraints = critical,permitted;DNS:example, permitted;email:.wolfssl.com
nsComment = "Testing name constraints"
EOF
gen_cert
OUT=certs/test/cert-ext-ia.der OUT=certs/test/cert-ext-ia.der
KEYFILE=certs/test/cert-ext-ia-key.der KEYFILE=certs/test/cert-ext-ia-key.der
CONFIG=certs/test/cert-ext-ia.cfg CONFIG=certs/test/cert-ext-ia.cfg

3
certs/test/include.am
View File

@ -7,6 +7,9 @@ EXTRA_DIST += \
certs/test/cert-ext-ia.der \ certs/test/cert-ext-ia.der \
certs/test/cert-ext-nc.cfg \ certs/test/cert-ext-nc.cfg \
certs/test/cert-ext-nc.der \ certs/test/cert-ext-nc.der \
certs/test/cert-ext-ncdns.der \
certs/test/cert-ext-ncmixed.der \
certs/test/cert-ext-mnc.der \
certs/test/cert-ext-nct.cfg \ certs/test/cert-ext-nct.cfg \
certs/test/cert-ext-nct.der \ certs/test/cert-ext-nct.der \
certs/test/cert-ext-ndir.cfg \ certs/test/cert-ext-ndir.cfg \

608
tests/api.c
View File

@ -1457,14 +1457,47 @@ static int test_wolfSSL_CertManagerSetVerify(void)
return ret; return ret;
} }
#if !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) && \
defined(DEBUG_UNIT_TEST_CERTS)
/* used when debugging name constraint tests */
static void DEBUG_WRITE_CERT_X509(WOLFSSL_X509* x509, const char* fileName)
{
BIO* out = BIO_new(BIO_s_file());
if (out != NULL) {
FILE* f = fopen(fileName, "wb");
BIO_set_fp(out, f, BIO_CLOSE);
PEM_write_bio_X509(out, x509);
BIO_free(out);
}
}
static void DEBUG_WRITE_CERT_DER(const byte* der, int derSz, const char* fileName)
{
BIO* out = BIO_new(BIO_s_file());
if (out != NULL) {
FILE* f = fopen(fileName, "wb");
BIO_set_fp(out, f, BIO_CLOSE);
BIO_write(out, der, derSz);
BIO_free(out);
}
}
#else
#define DEBUG_WRITE_CERT_X509(x509, fileName)
#define DEBUG_WRITE_CERT_DER(der, derSz, fileName)
#endif
static void test_wolfSSL_CertManagerNameConstraint(void) static void test_wolfSSL_CertManagerNameConstraint(void)
{ {
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \
!defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \ !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \
defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \ defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \
defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \
!defined(NO_SHA256)
WOLFSSL_CERT_MANAGER* cm; WOLFSSL_CERT_MANAGER* cm;
WOLFSSL_EVP_PKEY *priv;
WOLFSSL_X509_NAME* name;
const char* ca_cert = "./certs/test/cert-ext-nc.der"; const char* ca_cert = "./certs/test/cert-ext-nc.der";
const char* server_cert = "./certs/test/server-goodcn.pem";
int i = 0; int i = 0;
static const byte extNameConsOid[] = {85, 29, 30}; static const byte extNameConsOid[] = {85, 29, 30};
@ -1474,7 +1507,7 @@ static void test_wolfSSL_CertManagerNameConstraint(void)
int derSz; int derSz;
word32 idx = 0; word32 idx = 0;
byte *pt; byte *pt;
WOLFSSL_X509 *x509; WOLFSSL_X509 *x509, *ca;
wc_InitRng(&rng); wc_InitRng(&rng);
@ -1524,6 +1557,79 @@ static void test_wolfSSL_CertManagerNameConstraint(void)
wolfSSL_X509_free(x509); wolfSSL_X509_free(x509);
wc_FreeRsaKey(&key); wc_FreeRsaKey(&key);
wc_FreeRng(&rng); wc_FreeRng(&rng);
/* add email alt name to satisfy constraint */
pt = (byte*)server_key_der_2048;
AssertNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL,
(const unsigned char**)&pt, sizeof_server_key_der_2048));
AssertNotNull(cm = wolfSSL_CertManagerNew());
AssertNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert,
WOLFSSL_FILETYPE_ASN1));
AssertNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz)));
DEBUG_WRITE_CERT_DER(der, derSz, "ca.der");
AssertIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
/* Good cert test with proper alt email name */
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
WOLFSSL_FILETYPE_PEM));
AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
AssertNotNull(name = X509_NAME_new());
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
(byte*)"US", 2, -1, 0), SSL_SUCCESS);
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
(byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS);
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8,
(byte*)"support@info.wolfssl.com", 24, -1, 0), SSL_SUCCESS);
AssertIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
X509_NAME_free(name);
wolfSSL_X509_add_altname(x509, "wolfssl@info.wolfssl.com", ASN_RFC822_TYPE);
AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
DEBUG_WRITE_CERT_X509(x509, "good-cert.pem");
AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
wolfSSL_X509_free(x509);
/* Cert with bad alt name list */
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
WOLFSSL_FILETYPE_PEM));
AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
AssertNotNull(name = X509_NAME_new());
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
(byte*)"US", 2, -1, 0), SSL_SUCCESS);
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
(byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS);
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8,
(byte*)"support@info.wolfssl.com", 24, -1, 0), SSL_SUCCESS);
AssertIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
X509_NAME_free(name);
wolfSSL_X509_add_altname(x509, "wolfssl@info.com", ASN_RFC822_TYPE);
wolfSSL_X509_add_altname(x509, "wolfssl@info.wolfssl.com", ASN_RFC822_TYPE);
AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
DEBUG_WRITE_CERT_X509(x509, "bad-cert.pem");
AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E);
wolfSSL_CertManagerFree(cm);
wolfSSL_X509_free(x509);
wolfSSL_X509_free(ca);
wolfSSL_EVP_PKEY_free(priv);
#endif #endif
} }
@ -1621,8 +1727,62 @@ static void test_wolfSSL_CertManagerNameConstraint2(void)
wolfSSL_X509_sign(x509, priv, EVP_sha256()); wolfSSL_X509_sign(x509, priv, EVP_sha256());
#endif #endif
AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
#ifndef WOLFSSL_NO_ASN_STRICT
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E); WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E);
#else
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
#endif
/* check that it still fails if one bad altname and one good altname is in
* the certificate */
wolfSSL_X509_free(x509);
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
WOLFSSL_FILETYPE_PEM));
AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
wolfSSL_X509_add_altname_ex(x509, altName, sizeof(altName), ASN_DIR_TYPE);
wolfSSL_X509_add_altname_ex(x509, altNameFail, sizeof(altNameFail),
ASN_DIR_TYPE);
#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256)
wolfSSL_X509_sign(x509, priv, EVP_sha3_256());
#else
wolfSSL_X509_sign(x509, priv, EVP_sha256());
#endif
AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
#ifndef WOLFSSL_NO_ASN_STRICT
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E);
#else
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
#endif
/* check it fails with switching position of bad altname */
wolfSSL_X509_free(x509);
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
WOLFSSL_FILETYPE_PEM));
AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
wolfSSL_X509_add_altname_ex(x509, altNameFail, sizeof(altNameFail),
ASN_DIR_TYPE);
wolfSSL_X509_add_altname_ex(x509, altName, sizeof(altName), ASN_DIR_TYPE);
#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256)
wolfSSL_X509_sign(x509, priv, EVP_sha3_256());
#else
wolfSSL_X509_sign(x509, priv, EVP_sha256());
#endif
AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
#ifndef WOLFSSL_NO_ASN_STRICT
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E);
#else
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
#endif
wolfSSL_CertManagerFree(cm); wolfSSL_CertManagerFree(cm);
wolfSSL_X509_free(x509); wolfSSL_X509_free(x509);
@ -1649,12 +1809,439 @@ static void test_wolfSSL_CertManagerNameConstraint2(void)
wolfSSL_X509_sign(x509, priv, EVP_sha256()); wolfSSL_X509_sign(x509, priv, EVP_sha256());
#endif #endif
AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
#ifndef WOLFSSL_NO_ASN_STRICT
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E); WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E);
#else
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
#endif
wolfSSL_CertManagerFree(cm); wolfSSL_CertManagerFree(cm);
wolfSSL_X509_free(x509); wolfSSL_X509_free(x509);
wolfSSL_X509_free(ca); wolfSSL_X509_free(ca);
wolfSSL_EVP_PKEY_free(priv);
#endif
}
static void test_wolfSSL_CertManagerNameConstraint3(void)
{
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \
!defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \
defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \
defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \
!defined(NO_SHA256)
WOLFSSL_CERT_MANAGER* cm;
WOLFSSL_EVP_PKEY *priv;
WOLFSSL_X509_NAME* name;
const char* ca_cert = "./certs/test/cert-ext-mnc.der";
const char* server_cert = "./certs/test/server-goodcn.pem";
byte *der;
int derSz;
byte *pt;
WOLFSSL_X509 *x509, *ca;
pt = (byte*)server_key_der_2048;
AssertNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL,
(const unsigned char**)&pt, sizeof_server_key_der_2048));
AssertNotNull(cm = wolfSSL_CertManagerNew());
AssertNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert,
WOLFSSL_FILETYPE_ASN1));
AssertNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz)));
DEBUG_WRITE_CERT_DER(der, derSz, "ca.der");
AssertIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
/* check satisfying .wolfssl.com constraint passes */
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
WOLFSSL_FILETYPE_PEM));
AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
AssertNotNull(name = X509_NAME_new());
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
(byte*)"US", 2, -1, 0), SSL_SUCCESS);
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
(byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS);
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8,
(byte*)"support@info.wolfssl.com", 24, -1, 0), SSL_SUCCESS);
AssertIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
X509_NAME_free(name);
wolfSSL_X509_add_altname(x509, "wolfssl@info.wolfssl.com", ASN_RFC822_TYPE);
AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
DEBUG_WRITE_CERT_X509(x509, "good-1st-constraint-cert.pem");
AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
wolfSSL_X509_free(x509);
/* check satisfying .random.com constraint passes */
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
WOLFSSL_FILETYPE_PEM));
AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
AssertNotNull(name = X509_NAME_new());
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
(byte*)"US", 2, -1, 0), SSL_SUCCESS);
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
(byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS);
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8,
(byte*)"support@info.example.com", 24, -1, 0), SSL_SUCCESS);
AssertIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
X509_NAME_free(name);
wolfSSL_X509_add_altname(x509, "wolfssl@info.example.com", ASN_RFC822_TYPE);
AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
DEBUG_WRITE_CERT_X509(x509, "good-2nd-constraint-cert.pem");
AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
wolfSSL_X509_free(x509);
/* check fail case when neither constraint is matched */
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
WOLFSSL_FILETYPE_PEM));
AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
AssertNotNull(name = X509_NAME_new());
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
(byte*)"US", 2, -1, 0), SSL_SUCCESS);
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
(byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS);
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8,
(byte*)"support@info.com", 16, -1, 0), SSL_SUCCESS);
AssertIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
X509_NAME_free(name);
wolfSSL_X509_add_altname(x509, "wolfssl@info.com", ASN_RFC822_TYPE);
AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
DEBUG_WRITE_CERT_X509(x509, "bad-cert.pem");
AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E);
wolfSSL_CertManagerFree(cm);
wolfSSL_X509_free(x509);
wolfSSL_X509_free(ca);
wolfSSL_EVP_PKEY_free(priv);
#endif
}
static void test_wolfSSL_CertManagerNameConstraint4(void)
{
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \
!defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \
defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \
defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \
!defined(NO_SHA256)
WOLFSSL_CERT_MANAGER* cm;
WOLFSSL_EVP_PKEY *priv;
WOLFSSL_X509_NAME* name;
const char* ca_cert = "./certs/test/cert-ext-ncdns.der";
const char* server_cert = "./certs/test/server-goodcn.pem";
byte *der;
int derSz;
byte *pt;
WOLFSSL_X509 *x509, *ca;
pt = (byte*)server_key_der_2048;
AssertNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL,
(const unsigned char**)&pt, sizeof_server_key_der_2048));
AssertNotNull(cm = wolfSSL_CertManagerNew());
AssertNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert,
WOLFSSL_FILETYPE_ASN1));
AssertNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz)));
DEBUG_WRITE_CERT_DER(der, derSz, "ca.der");
AssertIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
/* check satisfying wolfssl.com constraint passes */
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
WOLFSSL_FILETYPE_PEM));
AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
AssertNotNull(name = X509_NAME_new());
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
(byte*)"US", 2, -1, 0), SSL_SUCCESS);
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
(byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS);
AssertIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
X509_NAME_free(name);
wolfSSL_X509_add_altname(x509, "www.wolfssl.com", ASN_DNS_TYPE);
AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
DEBUG_WRITE_CERT_X509(x509, "good-1st-constraint-cert.pem");
AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
wolfSSL_X509_free(x509);
/* check satisfying example.com constraint passes */
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
WOLFSSL_FILETYPE_PEM));
AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
AssertNotNull(name = X509_NAME_new());
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
(byte*)"US", 2, -1, 0), SSL_SUCCESS);
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
(byte*)"example.com", 11, -1, 0), SSL_SUCCESS);
AssertIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
X509_NAME_free(name);
wolfSSL_X509_add_altname(x509, "www.example.com", ASN_DNS_TYPE);
AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
DEBUG_WRITE_CERT_X509(x509, "good-2nd-constraint-cert.pem");
AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
wolfSSL_X509_free(x509);
/* check satisfying wolfssl.com constraint passes with list of DNS's */
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
WOLFSSL_FILETYPE_PEM));
AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
AssertNotNull(name = X509_NAME_new());
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
(byte*)"US", 2, -1, 0), SSL_SUCCESS);
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
(byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS);
AssertIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
X509_NAME_free(name);
wolfSSL_X509_add_altname(x509, "www.wolfssl.com", ASN_DNS_TYPE);
wolfSSL_X509_add_altname(x509, "www.info.wolfssl.com", ASN_DNS_TYPE);
wolfSSL_X509_add_altname(x509, "extra.wolfssl.com", ASN_DNS_TYPE);
AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
DEBUG_WRITE_CERT_X509(x509, "good-multiple-constraint-cert.pem");
AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
wolfSSL_X509_free(x509);
/* check fail when one DNS in the list is bad */
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
WOLFSSL_FILETYPE_PEM));
AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
AssertNotNull(name = X509_NAME_new());
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
(byte*)"US", 2, -1, 0), SSL_SUCCESS);
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
(byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS);
AssertIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
X509_NAME_free(name);
wolfSSL_X509_add_altname(x509, "www.wolfssl.com", ASN_DNS_TYPE);
wolfSSL_X509_add_altname(x509, "www.nomatch.com", ASN_DNS_TYPE);
wolfSSL_X509_add_altname(x509, "www.info.wolfssl.com", ASN_DNS_TYPE);
AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
DEBUG_WRITE_CERT_X509(x509, "bad-multiple-constraint-cert.pem");
AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E);
wolfSSL_X509_free(x509);
/* check fail case when neither constraint is matched */
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
WOLFSSL_FILETYPE_PEM));
AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
AssertNotNull(name = X509_NAME_new());
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
(byte*)"US", 2, -1, 0), SSL_SUCCESS);
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
(byte*)"common", 6, -1, 0), SSL_SUCCESS);
AssertIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
X509_NAME_free(name);
wolfSSL_X509_add_altname(x509, "www.random.com", ASN_DNS_TYPE);
AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
DEBUG_WRITE_CERT_X509(x509, "bad-cert.pem");
AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E);
wolfSSL_CertManagerFree(cm);
wolfSSL_X509_free(x509);
wolfSSL_X509_free(ca);
wolfSSL_EVP_PKEY_free(priv);
#endif
}
static void test_wolfSSL_CertManagerNameConstraint5(void)
{
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \
!defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \
defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \
defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \
!defined(NO_SHA256)
WOLFSSL_CERT_MANAGER* cm;
WOLFSSL_EVP_PKEY *priv;
WOLFSSL_X509_NAME* name;
const char* ca_cert = "./certs/test/cert-ext-ncmixed.der";
const char* server_cert = "./certs/test/server-goodcn.pem";
byte *der;
int derSz;
byte *pt;
WOLFSSL_X509 *x509, *ca;
pt = (byte*)server_key_der_2048;
AssertNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL,
(const unsigned char**)&pt, sizeof_server_key_der_2048));
AssertNotNull(cm = wolfSSL_CertManagerNew());
AssertNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert,
WOLFSSL_FILETYPE_ASN1));
AssertNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz)));
DEBUG_WRITE_CERT_DER(der, derSz, "ca.der");
AssertIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
/* check satisfying wolfssl.com constraint passes */
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
WOLFSSL_FILETYPE_PEM));
AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
AssertNotNull(name = X509_NAME_new());
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
(byte*)"US", 2, -1, 0), SSL_SUCCESS);
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
(byte*)"example", 7, -1, 0), SSL_SUCCESS);
AssertIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
X509_NAME_free(name);
wolfSSL_X509_add_altname(x509, "good.example", ASN_DNS_TYPE);
wolfSSL_X509_add_altname(x509, "facts@into.wolfssl.com", ASN_RFC822_TYPE);
AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
DEBUG_WRITE_CERT_X509(x509, "good-cert.pem");
AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
wolfSSL_X509_free(x509);
/* fail with DNS check because of common name */
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
WOLFSSL_FILETYPE_PEM));
AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
AssertNotNull(name = X509_NAME_new());
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
(byte*)"US", 2, -1, 0), SSL_SUCCESS);
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
(byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS);
AssertIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
X509_NAME_free(name);
wolfSSL_X509_add_altname(x509, "example", ASN_DNS_TYPE);
wolfSSL_X509_add_altname(x509, "facts@wolfssl.com", ASN_RFC822_TYPE);
AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
DEBUG_WRITE_CERT_X509(x509, "bad-cn-cert.pem");
AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E);
wolfSSL_X509_free(x509);
/* fail on permitted DNS name constraint */
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
WOLFSSL_FILETYPE_PEM));
AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
AssertNotNull(name = X509_NAME_new());
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
(byte*)"US", 2, -1, 0), SSL_SUCCESS);
AssertIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
X509_NAME_free(name);
wolfSSL_X509_add_altname(x509, "www.example", ASN_DNS_TYPE);
wolfSSL_X509_add_altname(x509, "www.wolfssl", ASN_DNS_TYPE);
wolfSSL_X509_add_altname(x509, "info@wolfssl.com", ASN_RFC822_TYPE);
AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
DEBUG_WRITE_CERT_X509(x509, "bad-1st-constraint-cert.pem");
AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E);
wolfSSL_X509_free(x509);
/* fail on permitted email name constraint */
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
WOLFSSL_FILETYPE_PEM));
AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
AssertNotNull(name = X509_NAME_new());
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
(byte*)"US", 2, -1, 0), SSL_SUCCESS);
AssertIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
X509_NAME_free(name);
wolfSSL_X509_add_altname(x509, "example", ASN_DNS_TYPE);
wolfSSL_X509_add_altname(x509, "info@wolfssl.com", ASN_RFC822_TYPE);
wolfSSL_X509_add_altname(x509, "info@example.com", ASN_RFC822_TYPE);
AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
DEBUG_WRITE_CERT_X509(x509, "bad-2nd-constraint-cert.pem");
AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E);
wolfSSL_X509_free(x509);
/* success with empty email name */
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
WOLFSSL_FILETYPE_PEM));
AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
AssertNotNull(name = X509_NAME_new());
AssertIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
(byte*)"US", 2, -1, 0), SSL_SUCCESS);
AssertIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
X509_NAME_free(name);
wolfSSL_X509_add_altname(x509, "example", ASN_DNS_TYPE);
AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
DEBUG_WRITE_CERT_X509(x509, "good-missing-constraint-cert.pem");
AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
wolfSSL_X509_free(x509);
wolfSSL_CertManagerFree(cm);
wolfSSL_X509_free(ca);
wolfSSL_EVP_PKEY_free(priv); wolfSSL_EVP_PKEY_free(priv);
#endif #endif
} }
@ -7975,7 +8562,7 @@ static void test_wolfSSL_URI(void)
wolfSSL_FreeX509(x509); wolfSSL_FreeX509(x509);
x509 = wolfSSL_X509_load_certificate_file(badUri, WOLFSSL_FILETYPE_PEM); x509 = wolfSSL_X509_load_certificate_file(badUri, WOLFSSL_FILETYPE_PEM);
#ifndef IGNORE_NAME_CONSTRAINTS #if !defined(IGNORE_NAME_CONSTRAINTS) && !defined(WOLFSSL_NO_ASN_STRICT)
AssertNull(x509); AssertNull(x509);
#else #else
AssertNotNull(x509); AssertNotNull(x509);
@ -35315,17 +35902,7 @@ static void test_wolfSSL_X509_sign(void)
AssertIntEQ(wolfSSL_X509_get_serial_number(x509, sn, &snSz), AssertIntEQ(wolfSSL_X509_get_serial_number(x509, sn, &snSz),
WOLFSSL_SUCCESS); WOLFSSL_SUCCESS);
DEBUG_WRITE_CERT_X509(x509, "signed.der");
#if 0
/* example for writing to file */
XFILE tmpFile = XFOPEN("./signed.der", "wb");
if (tmpFile) {
int derSz = 0;
const byte* der = wolfSSL_X509_get_der(x509, &derSz);
XFWRITE(der, 1, derSz, tmpFile);
}
XFCLOSE(tmpFile);
#endif
/* Variation in size depends on ASN.1 encoding when MSB is set */ /* Variation in size depends on ASN.1 encoding when MSB is set */
#ifndef WOLFSSL_ALT_NAMES #ifndef WOLFSSL_ALT_NAMES
@ -50296,6 +50873,9 @@ void ApiTest(void)
test_wolfSSL_CertManagerSetVerify(); test_wolfSSL_CertManagerSetVerify();
test_wolfSSL_CertManagerNameConstraint(); test_wolfSSL_CertManagerNameConstraint();
test_wolfSSL_CertManagerNameConstraint2(); test_wolfSSL_CertManagerNameConstraint2();
test_wolfSSL_CertManagerNameConstraint3();
test_wolfSSL_CertManagerNameConstraint4();
test_wolfSSL_CertManagerNameConstraint5();
test_wolfSSL_CertManagerCRL(); test_wolfSSL_CertManagerCRL();
test_wolfSSL_CTX_load_verify_locations_ex(); test_wolfSSL_CTX_load_verify_locations_ex();
test_wolfSSL_CTX_load_verify_buffer_ex(); test_wolfSSL_CTX_load_verify_buffer_ex();

179
wolfcrypt/src/asn.c
View File

@ -13392,7 +13392,12 @@ static int MatchBaseName(int type, const char* name, int nameSz,
} }
} }
if ((type == ASN_DNS_TYPE || type == ASN_RFC822_TYPE) && base[0] == '.') { /* RFC 5280 section 4.2.1.10
* "...Any DNS name that can be constructed by simply adding zero or more
* labels to the left-hand side of the name satisfies the name constraint."
* i.e www.host.example.com works for host.example.com name constraint and
* host1.example.com does not. */
if (type == ASN_DNS_TYPE || (type == ASN_RFC822_TYPE && base[0] == '.')) {
int szAdjust = nameSz - baseSz; int szAdjust = nameSz - baseSz;
name += szAdjust; name += szAdjust;
nameSz -= szAdjust; nameSz -= szAdjust;
@ -13484,89 +13489,117 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
/* Check against the permitted list */ /* Check against the permitted list */
if (signer->permittedNames != NULL) { if (signer->permittedNames != NULL) {
int needDns = 0; int permittedDir = 0;
int matchDns = 0; int matchDir;
int needEmail = 0; Base_entry* base;
int matchEmail = 0; DNS_entry* name;
int needDir = 0;
int matchDir = 0;
Base_entry* base = signer->permittedNames;
while (base != NULL) { /* Check each DNS name matches a permitted. */
switch (base->type) { name = cert->altNames;
case ASN_DNS_TYPE: while (name != NULL) {
{ int matchDns = 0;
DNS_entry* name = cert->altNames; int permittedDns = 0;
base = signer->permittedNames;
if (name != NULL) do {
needDns = 1; /* Looking for permittedNames that are for DNS. */
if (base->type == ASN_DNS_TYPE) {
while (name != NULL) { permittedDns = 1;
matchDns = MatchBaseName(ASN_DNS_TYPE, matchDns = MatchBaseName(ASN_DNS_TYPE,
name->name, name->len, name->name, name->len,
base->name, base->nameSz); base->name, base->nameSz);
name = name->next;
}
break;
} }
case ASN_RFC822_TYPE: base = base->next;
{ } while (base != NULL && !matchDns);
DNS_entry* name = cert->altEmailNames; /* If we found an DNS type permittedName then name must have had a
* match. */
if (permittedDns && !matchDns)
return 0;
if (name != NULL) if (!permittedDns)
needEmail = 1; break;
while (name != NULL) { name = name->next;
matchEmail = MatchBaseName(ASN_DNS_TYPE, }
name->name, name->len,
base->name, base->nameSz); /* Check each email name matches a permitted. */
name = name->next; name = cert->altEmailNames;
} while (name != NULL) {
break; int matchEmail = 0;
int permittedEmail = 0;
base = signer->permittedNames;
do {
/* Looking for permittedNames that are for email. */
if (base->type == ASN_RFC822_TYPE) {
permittedEmail = 1;
matchEmail = MatchBaseName(ASN_DNS_TYPE,
name->name, name->len,
base->name, base->nameSz);
} }
case ASN_DIR_TYPE: base = base->next;
{ } while ((base != NULL) && !matchEmail);
/* allow permitted dirName smaller than actual subject */ /* If we found an email type permittedName then name must have had a
needDir = 1; * match. */
if (cert->subjectRaw != NULL && if (permittedEmail && !matchEmail)
cert->subjectRawLen >= base->nameSz && return 0;
XMEMCMP(cert->subjectRaw, base->name,
base->nameSz) == 0) { if (!permittedEmail)
break;
name = name->next;
}
/* Check subject name matches a permitted name. */
if (cert->subjectRaw != NULL) {
matchDir = 0;
permittedDir = 0;
base = signer->permittedNames;
while (base != NULL && !matchDir) {
/* Looking for permittedNames that are for directoryName. */
if (base->type == ASN_DIR_TYPE) {
permittedDir = 1;
if (cert->subjectRawLen >= base->nameSz &&
XMEMCMP(cert->subjectRaw, base->name, base->nameSz)
== 0) {
matchDir = 1; matchDir = 1;
#ifndef WOLFSSL_NO_ASN_STRICT
/* RFC 5280 section 4.2.1.10
"Restrictions of the form directoryName MUST be
applied to the subject field .... and to any names
of type directoryName in the subjectAltName
extension"
*/
if (cert->altDirNames != NULL) {
DNS_entry* cur = cert->altDirNames;
while (cur != NULL) {
if (XMEMCMP(cur->name, base->name, base->nameSz)
!= 0) {
WOLFSSL_MSG("DIR alt name constraint err");
matchDir = 0; /* did not match */
}
cur = cur->next;
}
}
#endif /* !WOLFSSL_NO_ASN_STRICT */
} }
break;
} }
default: base = base->next;
break; }
} /* switch */ /* If we found an dir name type permittedName then name must have
base = base->next; * had a match. */
if (permittedDir && !matchDir)
return 0;
} }
if ((needDns && !matchDns) || #ifndef WOLFSSL_NO_ASN_STRICT
(needEmail && !matchEmail) || /* RFC 5280 section 4.2.1.10
(needDir && !matchDir)) { "Restrictions of the form directoryName MUST be
return 0; applied to the subject field .... and to any names
of type directoryName in the subjectAltName
extension"
*/
/* Check each alt dir name matches a permitted. */
name = cert->altDirNames;
while (permittedDir && name != NULL) {
int matchAltDir = 0;
base = signer->permittedNames;
do {
/* Looking for permittedNames that are for directoryName. */
if (base->type == ASN_DIR_TYPE) {
if (XMEMCMP(name->name, base->name, base->nameSz) == 0) {
matchAltDir = 1;
}
}
base = base->next;
} while ((base != NULL) && !matchAltDir);
/* If we found an dir name type permittedName then name must have
* had a match. */
if (permittedDir && !matchAltDir)
return 0;
name = name->next;
} }
#endif /* !WOLFSSL_NO_ASN_STRICT */
} }
return 1; return 1;