Cert: SAN extension critical
Add field to Cert to indicate SAN extension is critical. Handle the field being set when encoding.
@ -23499,11 +23499,13 @@ static int SetCertificatePolicies(byte *output,
|
|||||||
#ifndef WOLFSSL_ASN_TEMPLATE
|
#ifndef WOLFSSL_ASN_TEMPLATE
|
||||||
/* encode Alternative Names, return total bytes written */
|
/* encode Alternative Names, return total bytes written */
|
||||||
static int SetAltNames(byte *output, word32 outSz,
|
static int SetAltNames(byte *output, word32 outSz,
|
||||||
const byte *input, word32 length)
|
const byte *input, word32 length, int critical)
|
||||||
{
|
{
|
||||||
byte san_len[1 + MAX_LENGTH_SZ];
|
byte san_len[1 + MAX_LENGTH_SZ];
|
||||||
int idx = 0, san_lenSz;
|
int idx = 0, san_lenSz;
|
||||||
const byte san_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x11 };
|
const byte san_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x11 };
|
||||||
|
const byte san_crit[] = { 0x01, 0x01, 0xff };
|
||||||
|
word32 seqSz;
|
||||||
|
|
||||||
if (output == NULL || input == NULL)
|
if (output == NULL || input == NULL)
|
||||||
return BAD_FUNC_ARG;
|
return BAD_FUNC_ARG;
|
||||||
@ -23517,15 +23519,23 @@ static int SetAltNames(byte *output, word32 outSz,
|
|||||||
if (outSz < MAX_SEQ_SZ)
|
if (outSz < MAX_SEQ_SZ)
|
||||||
return BUFFER_E;
|
return BUFFER_E;
|
||||||
|
|
||||||
idx = SetSequence(length + sizeof(san_oid) + san_lenSz, output);
|
seqSz = length + sizeof(san_oid) + san_lenSz;
|
||||||
|
if (critical)
|
||||||
|
seqSz += sizeof(san_crit);
|
||||||
|
idx = SetSequence(seqSz, output);
|
||||||
|
|
||||||
if ((length + sizeof(san_oid) + san_lenSz) > outSz)
|
if (seqSz > outSz)
|
||||||
return BUFFER_E;
|
return BUFFER_E;
|
||||||
|
|
||||||
/* put oid */
|
/* put oid */
|
||||||
XMEMCPY(output+idx, san_oid, sizeof(san_oid));
|
XMEMCPY(output+idx, san_oid, sizeof(san_oid));
|
||||||
idx += sizeof(san_oid);
|
idx += sizeof(san_oid);
|
||||||
|
|
||||||
|
if (critical) {
|
||||||
|
XMEMCPY(output+idx, san_crit, sizeof(san_crit));
|
||||||
|
idx += sizeof(san_crit);
|
||||||
|
}
|
||||||
|
|
||||||
/* put octet header */
|
/* put octet header */
|
||||||
XMEMCPY(output+idx, san_len, san_lenSz);
|
XMEMCPY(output+idx, san_len, san_lenSz);
|
||||||
idx += san_lenSz;
|
idx += san_lenSz;
|
||||||
@ -24288,8 +24298,9 @@ static const ASNItem static_certExtsASN[] = {
|
|||||||
/* BC_PATHLEN */ { 3, ASN_INTEGER, 0, 0, 1 },
|
/* BC_PATHLEN */ { 3, ASN_INTEGER, 0, 0, 1 },
|
||||||
/* Subject Alternative Name - 4.2.1.6 */
|
/* Subject Alternative Name - 4.2.1.6 */
|
||||||
/* SAN_SEQ */ { 0, ASN_SEQUENCE, 1, 1, 0 },
|
/* SAN_SEQ */ { 0, ASN_SEQUENCE, 1, 1, 0 },
|
||||||
/* SAN_OID */ { 1, ASN_OBJECT_ID, 0, 0, 0 },
|
/* SAN_OID */ { 1, ASN_OBJECT_ID, 0, 0, 0 },
|
||||||
/* SAN_STR */ { 1, ASN_OCTET_STRING, 0, 0, 0 },
|
/* SAN_CRIT */ { 1, ASN_BOOLEAN, 0, 0, 0 },
|
||||||
|
/* SAN_STR */ { 1, ASN_OCTET_STRING, 0, 0, 0 },
|
||||||
/* Subject Key Identifier - 4.2.1.2 */
|
/* Subject Key Identifier - 4.2.1.2 */
|
||||||
/* SKID_SEQ */ { 0, ASN_SEQUENCE, 1, 1, 0 },
|
/* SKID_SEQ */ { 0, ASN_SEQUENCE, 1, 1, 0 },
|
||||||
/* SKID_OID */ { 1, ASN_OBJECT_ID, 0, 0, 0 },
|
/* SKID_OID */ { 1, ASN_OBJECT_ID, 0, 0, 0 },
|
||||||
@ -24337,6 +24348,7 @@ enum {
|
|||||||
CERTEXTSASN_IDX_BC_PATHLEN,
|
CERTEXTSASN_IDX_BC_PATHLEN,
|
||||||
CERTEXTSASN_IDX_SAN_SEQ,
|
CERTEXTSASN_IDX_SAN_SEQ,
|
||||||
CERTEXTSASN_IDX_SAN_OID,
|
CERTEXTSASN_IDX_SAN_OID,
|
||||||
|
CERTEXTSASN_IDX_SAN_CRIT,
|
||||||
CERTEXTSASN_IDX_SAN_STR,
|
CERTEXTSASN_IDX_SAN_STR,
|
||||||
CERTEXTSASN_IDX_SKID_SEQ,
|
CERTEXTSASN_IDX_SKID_SEQ,
|
||||||
CERTEXTSASN_IDX_SKID_OID,
|
CERTEXTSASN_IDX_SKID_OID,
|
||||||
@ -24479,6 +24491,12 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz,
|
|||||||
/* Set Subject Alternative Name OID and data. */
|
/* Set Subject Alternative Name OID and data. */
|
||||||
SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_SAN_OID],
|
SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_SAN_OID],
|
||||||
sanOID, sizeof(sanOID));
|
sanOID, sizeof(sanOID));
|
||||||
|
if (cert->altNamesCrit) {
|
||||||
|
SetASN_Boolean(&dataASN[CERTEXTSASN_IDX_SAN_CRIT], 1);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
dataASN[CERTEXTSASN_IDX_SAN_CRIT].noOut = 1;
|
||||||
|
}
|
||||||
SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_SAN_STR],
|
SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_SAN_STR],
|
||||||
cert->altNames, cert->altNamesSz);
|
cert->altNames, cert->altNamesSz);
|
||||||
}
|
}
|
||||||
@ -25091,7 +25109,8 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
|
|||||||
/* Alternative Name */
|
/* Alternative Name */
|
||||||
if (cert->altNamesSz) {
|
if (cert->altNamesSz) {
|
||||||
der->altNamesSz = SetAltNames(der->altNames, sizeof(der->altNames),
|
der->altNamesSz = SetAltNames(der->altNames, sizeof(der->altNames),
|
||||||
cert->altNames, cert->altNamesSz);
|
cert->altNames, cert->altNamesSz,
|
||||||
|
cert->altNamesCrit);
|
||||||
if (der->altNamesSz <= 0)
|
if (der->altNamesSz <= 0)
|
||||||
return ALT_NAME_E;
|
return ALT_NAME_E;
|
||||||
|
|
||||||
@ -26283,7 +26302,8 @@ static int EncodeCertReq(Cert* cert, DerCert* der, RsaKey* rsaKey,
|
|||||||
/* Alternative Name */
|
/* Alternative Name */
|
||||||
if (cert->altNamesSz) {
|
if (cert->altNamesSz) {
|
||||||
der->altNamesSz = SetAltNames(der->altNames, sizeof(der->altNames),
|
der->altNamesSz = SetAltNames(der->altNames, sizeof(der->altNames),
|
||||||
cert->altNames, cert->altNamesSz);
|
cert->altNames, cert->altNamesSz,
|
||||||
|
cert->altNamesCrit);
|
||||||
if (der->altNamesSz <= 0)
|
if (der->altNamesSz <= 0)
|
||||||
return ALT_NAME_E;
|
return ALT_NAME_E;
|
||||||
|
|
||||||
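Review bot: The rewritten bounds check `if (seqSz > outSz)` in the non-template SetAltNames still leaves out the SEQUENCE header that `SetSequence(seqSz, output)` has just written at the front of `output`, so the XMEMCPY calls that follow may run up to `idx` bytes past `outSz`; the three bytes of `san_crit` added by this commit widen that margin. Unless callers guarantee slack beyond `outSz` that the hunk does not show, the check should cover the header as well, e.g. `if ((word32)idx + seqSz > outSz)` followed by `return BUFFER_E;`. The earlier `outSz < MAX_SEQ_SZ` test only proves the header itself fits, not the header plus body. SetAltNames continues past the end of its hunk.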
|
@ -450,6 +450,9 @@ typedef struct Cert {
|
|||||||
void* heap; /* heap hint */
|
void* heap; /* heap hint */
|
||||||
byte basicConstSet:1; /* Indicator for when Basic Constaint is set */
|
byte basicConstSet:1; /* Indicator for when Basic Constaint is set */
|
||||||
byte pathLenSet:1; /* Indicator for when path length is set */
|
byte pathLenSet:1; /* Indicator for when path length is set */
|
||||||
|
#ifdef WOLFSSL_ALT_NAMES
|
||||||
|
byte altNamesCrit:1; /* Indicator of criticality of SAN extension */
|
||||||
|
#endif
|
||||||
} Cert;
|
} Cert;
|
||||||
|
|
||||||
|
|
||||||
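Review bot: The new `altNamesCrit` bit is declared only under `#ifdef WOLFSSL_ALT_NAMES`, while the EncodeExtensions, EncodeCert and EncodeCertReq hunks in the first file read `cert->altNamesCrit` with no guard visible in the hunk; if those references are not already inside the same conditional, builds without `WOLFSSL_ALT_NAMES` will fail to compile. The field comment could also state how it is consumed, since the EncodeCert and EncodeCertReq hunks only pass it when `altNamesSz` is non-zero: `/* Set to 1 to mark the SAN extension critical; only used when altNamesSz > 0 */`. The `Cert` struct begins before this hunk.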
|