mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2025-08-02 12:14:38 +02:00
Added the directoryName comparison to the name constraint checks.
This commit is contained in:
John Safranek
@@ -1672,6 +1672,12 @@ static int GetName(DecodedCert* cert, int nameType)
|
|||||||
cert->issuerRawLen = length - cert->srcIdx;
|
cert->issuerRawLen = length - cert->srcIdx;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
#ifndef IGNORE_NAME_CONSTRAINTS
|
||||||
|
if (nameType == SUBJECT) {
|
||||||
|
cert->subjectRaw = &cert->source[cert->srcIdx];
|
||||||
|
cert->subjectRawLen = length - cert->srcIdx;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
while (cert->srcIdx < (word32)length) {
|
while (cert->srcIdx < (word32)length) {
|
||||||
byte b;
|
byte b;
|
||||||
@@ -3004,7 +3010,7 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
|
|||||||
while (name != NULL) {
|
while (name != NULL) {
|
||||||
if (MatchBaseName(ASN_DNS_TYPE,
|
if (MatchBaseName(ASN_DNS_TYPE,
|
||||||
name->name, (int)XSTRLEN(name->name),
|
name->name, (int)XSTRLEN(name->name),
|
||||||
base->name, (int)XSTRLEN(base->name)))
|
base->name, base->nameSz))
|
||||||
return 0;
|
return 0;
|
||||||
name = name->next;
|
name = name->next;
|
||||||
}
|
}
|
||||||
@@ -3014,11 +3020,19 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
|
|||||||
while (name != NULL) {
|
while (name != NULL) {
|
||||||
if (MatchBaseName(ASN_RFC822_TYPE,
|
if (MatchBaseName(ASN_RFC822_TYPE,
|
||||||
name->name, (int)XSTRLEN(name->name),
|
name->name, (int)XSTRLEN(name->name),
|
||||||
base->name, (int)XSTRLEN(base->name)))
|
base->name, base->nameSz))
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
name = name->next;
|
name = name->next;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
else if (base->type == ASN_DIR_TYPE) {
|
||||||
|
if (cert->subjectRawLen == base->nameSz &&
|
||||||
|
XMEMCMP(cert->subjectRaw, base->name, base->nameSz) == 0) {
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
base = base->next;
|
base = base->next;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -3029,6 +3043,8 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
|
|||||||
int matchDns = 0;
|
int matchDns = 0;
|
||||||
int needEmail = 0;
|
int needEmail = 0;
|
||||||
int matchEmail = 0;
|
int matchEmail = 0;
|
||||||
|
int needDir = 0;
|
||||||
|
int matchDir = 0;
|
||||||
Base_entry* base = signer->permittedNames;
|
Base_entry* base = signer->permittedNames;
|
||||||
|
|
||||||
while (base != NULL) {
|
while (base != NULL) {
|
||||||
@@ -3041,7 +3057,7 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
|
|||||||
while (name != NULL) {
|
while (name != NULL) {
|
||||||
matchDns = MatchBaseName(ASN_DNS_TYPE,
|
matchDns = MatchBaseName(ASN_DNS_TYPE,
|
||||||
name->name, (int)XSTRLEN(name->name),
|
name->name, (int)XSTRLEN(name->name),
|
||||||
base->name, (int)XSTRLEN(base->name));
|
base->name, base->nameSz);
|
||||||
name = name->next;
|
name = name->next;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -3054,16 +3070,28 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
|
|||||||
while (name != NULL) {
|
while (name != NULL) {
|
||||||
matchEmail = MatchBaseName(ASN_DNS_TYPE,
|
matchEmail = MatchBaseName(ASN_DNS_TYPE,
|
||||||
name->name, (int)XSTRLEN(name->name),
|
name->name, (int)XSTRLEN(name->name),
|
||||||
base->name, (int)XSTRLEN(base->name));
|
base->name, base->nameSz);
|
||||||
name = name->next;
|
name = name->next;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
else if (base->type == ASN_DIR_TYPE) {
|
||||||
|
needDir = 1;
|
||||||
|
if (cert->subjectRaw != NULL &&
|
||||||
|
cert->subjectRawLen == base->nameSz &&
|
||||||
|
XMEMCMP(cert->subjectRaw, base->name, base->nameSz) == 0) {
|
||||||
|
|
||||||
|
matchDir = 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
base = base->next;
|
base = base->next;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((needDns && !matchDns) || (needEmail && !matchEmail))
|
if ((needDns && !matchDns) || (needEmail && !matchEmail) ||
|
||||||
|
(needDir && !matchDir)) {
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
@@ -3629,7 +3657,8 @@ static int DecodeSubtree(byte* input, int sz, Base_entry** head, void* heap)
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (b == (ASN_CONTEXT_SPECIFIC | ASN_DNS_TYPE) ||
|
if (b == (ASN_CONTEXT_SPECIFIC | ASN_DNS_TYPE) ||
|
||||||
b == (ASN_CONTEXT_SPECIFIC | ASN_RFC822_TYPE)) {
|
b == (ASN_CONTEXT_SPECIFIC | ASN_RFC822_TYPE) ||
|
||||||
|
b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | ASN_DIR_TYPE)) {
|
||||||
|
|
||||||
Base_entry* entry = (Base_entry*)XMALLOC(sizeof(Base_entry),
|
Base_entry* entry = (Base_entry*)XMALLOC(sizeof(Base_entry),
|
||||||
heap, DYNAMIC_TYPE_ALTNAME);
|
heap, DYNAMIC_TYPE_ALTNAME);
|
||||||
@@ -3639,15 +3668,14 @@ static int DecodeSubtree(byte* input, int sz, Base_entry** head, void* heap)
|
|||||||
return MEMORY_E;
|
return MEMORY_E;
|
||||||
}
|
}
|
||||||
|
|
||||||
entry->name = (char*)XMALLOC(strLength + 1,
|
entry->name = (char*)XMALLOC(strLength, heap, DYNAMIC_TYPE_ALTNAME);
|
||||||
heap, DYNAMIC_TYPE_ALTNAME);
|
|
||||||
if (entry->name == NULL) {
|
if (entry->name == NULL) {
|
||||||
CYASSL_MSG("allocate error");
|
CYASSL_MSG("allocate error");
|
||||||
return MEMORY_E;
|
return MEMORY_E;
|
||||||
}
|
}
|
||||||
|
|
||||||
XMEMCPY(entry->name, &input[nameIdx], strLength);
|
XMEMCPY(entry->name, &input[nameIdx], strLength);
|
||||||
entry->name[strLength] = '\0';
|
entry->nameSz = strLength;
|
||||||
entry->type = b & 0x0F;
|
entry->type = b & 0x0F;
|
||||||
|
|
||||||
entry->next = *head;
|
entry->next = *head;
|
||||||
|
|||||||
@@ -66,6 +66,7 @@ enum ASN_Tags {
|
|||||||
ASN_OTHER_TYPE = 0x00,
|
ASN_OTHER_TYPE = 0x00,
|
||||||
ASN_RFC822_TYPE = 0x01,
|
ASN_RFC822_TYPE = 0x01,
|
||||||
ASN_DNS_TYPE = 0x02,
|
ASN_DNS_TYPE = 0x02,
|
||||||
|
ASN_DIR_TYPE = 0x04,
|
||||||
ASN_GENERALIZED_TIME = 0x18,
|
ASN_GENERALIZED_TIME = 0x18,
|
||||||
CRL_EXTENSIONS = 0xa0,
|
CRL_EXTENSIONS = 0xa0,
|
||||||
ASN_EXTENSIONS = 0xa3,
|
ASN_EXTENSIONS = 0xa3,
|
||||||
@@ -279,6 +280,7 @@ typedef struct Base_entry Base_entry;
|
|||||||
struct Base_entry {
|
struct Base_entry {
|
||||||
Base_entry* next; /* next on name base list */
|
Base_entry* next; /* next on name base list */
|
||||||
char* name; /* actual name base */
|
char* name; /* actual name base */
|
||||||
|
int nameSz; /* name length */
|
||||||
byte type; /* Name base type (DNS or RFC822) */
|
byte type; /* Name base type (DNS or RFC822) */
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -401,6 +403,10 @@ struct DecodedCert {
|
|||||||
byte* issuerRaw; /* pointer to issuer inside source */
|
byte* issuerRaw; /* pointer to issuer inside source */
|
||||||
int issuerRawLen;
|
int issuerRawLen;
|
||||||
#endif
|
#endif
|
||||||
|
#ifndef IGNORE_NAME_CONSTRAINT
|
||||||
|
byte* subjectRaw; /* pointer to subject inside source */
|
||||||
|
int subjectRawLen;
|
||||||
|
#endif
|
||||||
#if defined(CYASSL_CERT_GEN)
|
#if defined(CYASSL_CERT_GEN)
|
||||||
/* easy access to subject info for other sign */
|
/* easy access to subject info for other sign */
|
||||||
char* subjectSN;
|
char* subjectSN;
|
||||||
|
|||||||
Reference in New Issue
Block a user