wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 10:47:28 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3557 from JacobBarthelmeh/Cert-Report2

Browse Source 
Strict alt names check with DIR name constraint
This commit is contained in:
toddouska
2020-12-15 08:51:55 -08:00
committed by GitHub
parent f362c6ecf5 04e22b0747
commit 38a11368e0
9 changed files with 321 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
certs/test/cert-ext-ndir-exc.cfg Normal file
View File

@ -0,0 +1,24 @@
[ req ]
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = constraints
[ req_distinguished_name ]
C = US
ST = Montana
L = Bozeman
O = Sawtooth
OU = Consulting
CN = www.wolfssl.com
emailAddress = info@wolfsssl.com
[constraints]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:TRUE
nameConstraints=critical,excluded;dirName:dir_name_exclude
[dir_name_exclude]
countryName = US
stateOrProvinceName = California

BIN
certs/test/cert-ext-ndir-exc.der Normal file
View File

Binary file not shown.

23
certs/test/cert-ext-ndir.cfg Normal file
View File

@ -0,0 +1,23 @@
[ req ]
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = constraints
[ req_distinguished_name ]
C = US
ST = Montana
L = Bozeman
O = Sawtooth
OU = Consulting
CN = www.wolfssl.com
emailAddress = info@wolfsssl.com
[constraints]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:TRUE
nameConstraints=critical,permitted;dirName:dir_name
[dir_name]
countryName = US

BIN
certs/test/cert-ext-ndir.der Normal file
View File

Binary file not shown.

66
certs/test/gen-ext-certs.sh
View File

@ -2,8 +2,9 @@
TMP="/tmp/`basename $0`" TMP="/tmp/`basename $0`"
KEY=certs/server-key.der
gen_cert() { gen_cert() {
openssl req -x509 -keyform DER -key certs/server-key.der \ openssl req -x509 -keyform DER -key $KEY \
-days 1000 -new -outform DER -out $OUT -config $CONFIG \ -days 1000 -new -outform DER -out $OUT -config $CONFIG \
>$TMP 2>&1 >$TMP 2>&1
@ -96,3 +97,66 @@ nsComment = "Testing Netscape Certificate Type"
EOF EOF
gen_cert gen_cert
KEY=certs/ca-key.der
OUT=certs/test/cert-ext-ndir.der
KEYFILE=certs/ca-key.der
CONFIG=certs/test/cert-ext-ndir.cfg
tee >$CONFIG <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = constraints
[ req_distinguished_name ]
C = US
ST = Montana
L = Bozeman
O = Sawtooth
OU = Consulting
CN = www.wolfssl.com
emailAddress = info@wolfsssl.com
[constraints]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:TRUE
nameConstraints=critical,permitted;dirName:dir_name
[dir_name]
countryName = US
EOF
gen_cert
OUT=certs/test/cert-ext-ndir-exc.der
KEYFILE=certs/ca-key.der
CONFIG=certs/test/cert-ext-ndir-exc.cfg
tee >$CONFIG <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = constraints
[ req_distinguished_name ]
C = US
ST = Montana
L = Bozeman
O = Sawtooth
OU = Consulting
CN = www.wolfssl.com
emailAddress = info@wolfsssl.com
[constraints]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:TRUE
nameConstraints=critical,excluded;dirName:dir_name_exclude
[dir_name_exclude]
countryName = US
stateOrProvinceName = California
EOF
gen_cert

4
certs/test/include.am
View File

@ -9,7 +9,11 @@ EXTRA_DIST += \
certs/test/cert-ext-nc.der \ certs/test/cert-ext-nc.der \
certs/test/cert-ext-nct.cfg \ certs/test/cert-ext-nct.cfg \
certs/test/cert-ext-nct.der \ certs/test/cert-ext-nct.der \
certs/test/cert-ext-ndir.cfg \
certs/test/cert-ext-ndir.der \
certs/test/cert-ext-ns.der \ certs/test/cert-ext-ns.der \
certs/test/cert-ext-ndir-exc.cfg \
certs/test/cert-ext-ndir-exc.der \
certs/test/gen-ext-certs.sh \ certs/test/gen-ext-certs.sh \
certs/test/server-duplicate-policy.pem \ certs/test/server-duplicate-policy.pem \
certs/test/cert-ext-joi.pem certs/test/cert-ext-joi.pem

117
tests/api.c
View File

@ -1267,6 +1267,122 @@ static void test_wolfSSL_CertManagerNameConstraint(void)
#endif #endif
} }
static void test_wolfSSL_CertManagerNameConstraint2(void)
{
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \
!defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \
defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \
defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES)
const char* ca_cert = "./certs/test/cert-ext-ndir.der";
const char* ca_cert2 = "./certs/test/cert-ext-ndir-exc.der";
const char* server_cert = "./certs/server-cert.pem";
WOLFSSL_CERT_MANAGER* cm;
WOLFSSL_X509 *x509, *ca;
const unsigned char *der;
const unsigned char *pt;
WOLFSSL_EVP_PKEY *priv;
WOLFSSL_X509_NAME* name;
int derSz;
/* C=US*/
char altName[] = {
0x30, 0x0D, 0x31, 0x0B, 0x30, 0x09,
0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53
};
/* C=ID */
char altNameFail[] = {
0x30, 0x0D, 0x31, 0x0B, 0x30, 0x09,
0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x49, 0x44
};
/* C=US ST=California*/
char altNameExc[] = {
0x30, 0x22,
0x31, 0x0B,
0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53,
0x31, 0x13,
0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A,
0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61
};
/* load in CA private key for signing */
pt = ca_key_der_2048;
AssertNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, &pt,
sizeof_ca_key_der_2048));
AssertNotNull(cm = wolfSSL_CertManagerNew());
AssertNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert,
WOLFSSL_FILETYPE_ASN1));
AssertNotNull((der = wolfSSL_X509_get_der(ca, &derSz)));
AssertIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
WOLFSSL_FILETYPE_PEM));
AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
wolfSSL_X509_sign(x509, priv, EVP_sha256());
AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
/* add in matching DIR alt name and resign */
wolfSSL_X509_add_altname_ex(x509, altName, sizeof(altName), ASN_DIR_TYPE);
wolfSSL_X509_sign(x509, priv, EVP_sha256());
AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
wolfSSL_X509_free(x509);
/* check verify fail */
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
WOLFSSL_FILETYPE_PEM));
AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
/* add in miss matching DIR alt name and resign */
wolfSSL_X509_add_altname_ex(x509, altNameFail, sizeof(altNameFail),
ASN_DIR_TYPE);
wolfSSL_X509_sign(x509, priv, EVP_sha256());
AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E);
wolfSSL_CertManagerFree(cm);
wolfSSL_X509_free(x509);
wolfSSL_X509_free(ca);
/* now test with excluded name constraint */
AssertNotNull(cm = wolfSSL_CertManagerNew());
AssertNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert2,
WOLFSSL_FILETYPE_ASN1));
AssertNotNull((der = wolfSSL_X509_get_der(ca, &derSz)));
AssertIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
WOLFSSL_FILETYPE_PEM));
wolfSSL_X509_add_altname_ex(x509, altNameExc, sizeof(altNameExc),
ASN_DIR_TYPE);
AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
wolfSSL_X509_sign(x509, priv, EVP_sha256());
AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E);
wolfSSL_CertManagerFree(cm);
wolfSSL_X509_free(x509);
wolfSSL_X509_free(ca);
wolfSSL_EVP_PKEY_free(priv);
#endif
}
static void test_wolfSSL_CertManagerCRL(void) static void test_wolfSSL_CertManagerCRL(void)
{ {
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && defined(HAVE_CRL) && \ #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && defined(HAVE_CRL) && \
@ -39246,6 +39362,7 @@ void ApiTest(void)
test_wolfSSL_CertManagerGetCerts(); test_wolfSSL_CertManagerGetCerts();
test_wolfSSL_CertManagerSetVerify(); test_wolfSSL_CertManagerSetVerify();
test_wolfSSL_CertManagerNameConstraint(); test_wolfSSL_CertManagerNameConstraint();
test_wolfSSL_CertManagerNameConstraint2();
test_wolfSSL_CertManagerCRL(); test_wolfSSL_CertManagerCRL();
test_wolfSSL_CTX_load_verify_locations_ex(); test_wolfSSL_CTX_load_verify_locations_ex();
test_wolfSSL_CTX_load_verify_buffer_ex(); test_wolfSSL_CTX_load_verify_buffer_ex();

88
wolfcrypt/src/asn.c
View File

@ -5090,6 +5090,8 @@ void FreeDecodedCert(DecodedCert* cert)
#ifndef IGNORE_NAME_CONSTRAINTS #ifndef IGNORE_NAME_CONSTRAINTS
if (cert->altEmailNames) if (cert->altEmailNames)
FreeAltNames(cert->altEmailNames, cert->heap); FreeAltNames(cert->altEmailNames, cert->heap);
if (cert->altDirNames)
FreeAltNames(cert->altDirNames, cert->heap);
if (cert->permittedNames) if (cert->permittedNames)
FreeNameSubtrees(cert->permittedNames, cert->heap); FreeNameSubtrees(cert->permittedNames, cert->heap);
if (cert->excludedNames) if (cert->excludedNames)
@ -7626,6 +7628,25 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
base->nameSz) == 0) { base->nameSz) == 0) {
return 0; return 0;
} }
#ifndef WOLFSSL_NO_ASN_STRICT
/* RFC 5280 section 4.2.1.10
"Restrictions of the form directoryName MUST be
applied to the subject field .... and to any names
of type directoryName in the subjectAltName
extension"
*/
if (cert->altDirNames != NULL) {
DNS_entry* cur = cert->altDirNames;
while (cur != NULL) {
if (XMEMCMP(cur->name, base->name, base->nameSz)
== 0) {
WOLFSSL_MSG("DIR alt name constraint err");
return 0;
}
cur = cur->next;
}
}
#endif /* !WOLFSSL_NO_ASN_STRICT */
break; break;
} }
}; /* switch */ }; /* switch */
@ -7684,6 +7705,26 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
XMEMCMP(cert->subjectRaw, base->name, XMEMCMP(cert->subjectRaw, base->name,
base->nameSz) == 0) { base->nameSz) == 0) {
matchDir = 1; matchDir = 1;
#ifndef WOLFSSL_NO_ASN_STRICT
/* RFC 5280 section 4.2.1.10
"Restrictions of the form directoryName MUST be
applied to the subject field .... and to any names
of type directoryName in the subjectAltName
extension"
*/
if (cert->altDirNames != NULL) {
DNS_entry* cur = cert->altDirNames;
while (cur != NULL) {
if (XMEMCMP(cur->name, base->name, base->nameSz)
!= 0) {
WOLFSSL_MSG("DIR alt name constraint err");
matchDir = 0; /* did not match */
}
cur = cur->next;
}
}
#endif /* !WOLFSSL_NO_ASN_STRICT */
} }
break; break;
} }
@ -7768,6 +7809,47 @@ static int DecodeAltNames(const byte* input, int sz, DecodedCert* cert)
idx += strLen; idx += strLen;
} }
#ifndef IGNORE_NAME_CONSTRAINTS #ifndef IGNORE_NAME_CONSTRAINTS
else if (b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | ASN_DIR_TYPE)) {
DNS_entry* dirEntry;
int strLen;
word32 lenStartIdx = idx;
if (GetLength(input, &idx, &strLen, sz) < 0) {
WOLFSSL_MSG("\tfail: str length");
return ASN_PARSE_E;
}
if (GetSequence(input, &idx, &strLen, sz) < 0) {
WOLFSSL_MSG("\tfail: seq length");
return ASN_PARSE_E;
}
length -= (idx - lenStartIdx);
dirEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap,
DYNAMIC_TYPE_ALTNAME);
if (dirEntry == NULL) {
WOLFSSL_MSG("\tOut of Memory");
return MEMORY_E;
}
dirEntry->type = ASN_DIR_TYPE;
dirEntry->name = (char*)XMALLOC(strLen + 1, cert->heap,
DYNAMIC_TYPE_ALTNAME);
if (dirEntry->name == NULL) {
WOLFSSL_MSG("\tOut of Memory");
XFREE(dirEntry, cert->heap, DYNAMIC_TYPE_ALTNAME);
return MEMORY_E;
}
dirEntry->len = strLen;
XMEMCPY(dirEntry->name, &input[idx], strLen);
dirEntry->name[strLen] = '\0';
dirEntry->next = cert->altDirNames;
cert->altDirNames = dirEntry;
length -= strLen;
idx += strLen;
}
else if (b == (ASN_CONTEXT_SPECIFIC | ASN_RFC822_TYPE)) { else if (b == (ASN_CONTEXT_SPECIFIC | ASN_RFC822_TYPE)) {
DNS_entry* emailEntry; DNS_entry* emailEntry;
int strLen; int strLen;
@ -12659,7 +12741,11 @@ int FlattenAltNames(byte* output, word32 outputSz, const DNS_entry* names)
curName = names; curName = names;
do { do {
output[idx++] = ASN_CONTEXT_SPECIFIC | curName->type; output[idx] = ASN_CONTEXT_SPECIFIC | curName->type;
if (curName->type == ASN_DIR_TYPE) {
output[idx] |= ASN_CONSTRUCTED;
}
idx++;
idx += SetLength(curName->len, output + idx); idx += SetLength(curName->len, output + idx);
XMEMCPY(output + idx, curName->name, curName->len); XMEMCPY(output + idx, curName->name, curName->len);
idx += curName->len; idx += curName->len;

1
wolfssl/wolfcrypt/asn.h
View File

@ -769,6 +769,7 @@ struct DecodedCert {
DNS_entry* altNames; /* alt names list of dns entries */ DNS_entry* altNames; /* alt names list of dns entries */
#ifndef IGNORE_NAME_CONSTRAINTS #ifndef IGNORE_NAME_CONSTRAINTS
DNS_entry* altEmailNames; /* alt names list of RFC822 entries */ DNS_entry* altEmailNames; /* alt names list of RFC822 entries */
DNS_entry* altDirNames; /* alt names list of DIR entries */
Base_entry* permittedNames; /* Permitted name bases */ Base_entry* permittedNames; /* Permitted name bases */
Base_entry* excludedNames; /* Excluded name bases */ Base_entry* excludedNames; /* Excluded name bases */
#endif /* IGNORE_NAME_CONSTRAINTS */ #endif /* IGNORE_NAME_CONSTRAINTS */