wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 18:57:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

remove subject/issuer email from altEmailNames list

Browse Source
This commit is contained in:
Jacob Barthelmeh
2022-06-21 16:59:36 -06:00
parent b8cff49044
commit 7d62fd09e4
2 changed files with 24 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

60
wolfcrypt/src/asn.c
View File

@ -11104,14 +11104,14 @@ static int SetSubject(DecodedCert* cert, int id, byte* str, word32 strLen,
SetCertNameSubjectLen(cert, id, strLen); SetCertNameSubjectLen(cert, id, strLen);
SetCertNameSubjectEnc(cert, id, tag); SetCertNameSubjectEnc(cert, id, tag);
} }
#endif
#if !defined(IGNORE_NAME_CONSTRAINTS) || \
defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
else if (id == ASN_EMAIL) { else if (id == ASN_EMAIL) {
cert->subjectEmail = (char*)str; cert->subjectEmail = (char*)str;
cert->subjectEmailLen = strLen; cert->subjectEmailLen = strLen;
#if !defined(IGNORE_NAME_CONSTRAINTS)
ret = SetDNSEntry(cert, cert->subjectEmail, strLen, 0,
&cert->altEmailNames);
#endif
} }
#endif
#ifdef WOLFSSL_CERT_EXT #ifdef WOLFSSL_CERT_EXT
/* TODO: consider mapping id to an index and using SetCertNameSubect*(). */ /* TODO: consider mapping id to an index and using SetCertNameSubect*(). */
else if (id == ASN_JURIS_C) { else if (id == ASN_JURIS_C) {
@ -11124,7 +11124,6 @@ static int SetSubject(DecodedCert* cert, int id, byte* str, word32 strLen,
cert->subjectJSLen = strLen; cert->subjectJSLen = strLen;
cert->subjectJSEnc = tag; cert->subjectJSEnc = tag;
} }
#endif
#endif #endif
return ret; return ret;
@ -11747,7 +11746,8 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType,
copy = WOLFSSL_EMAIL_ADDR; copy = WOLFSSL_EMAIL_ADDR;
} }
#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) #if !defined(IGNORE_NAME_CONSTRAINTS) || \
defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
if (nameType == SUBJECT) { if (nameType == SUBJECT) {
cert->subjectEmail = (char*)&input[srcIdx]; cert->subjectEmail = (char*)&input[srcIdx];
cert->subjectEmailLen = strLen; cert->subjectEmailLen = strLen;
@ -11764,41 +11764,6 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType,
&& !defined(WOLFCRYPT_ONLY) && !defined(WOLFCRYPT_ONLY)
nid = NID_emailAddress; nid = NID_emailAddress;
#endif /* OPENSSL_EXTRA */ #endif /* OPENSSL_EXTRA */
#ifndef IGNORE_NAME_CONSTRAINTS
{
DNS_entry* emailName;
emailName = AltNameNew(cert->heap);
if (emailName == NULL) {
WOLFSSL_MSG("\tOut of Memory");
#if (defined(OPENSSL_EXTRA) || \
defined(OPENSSL_EXTRA_X509_SMALL)) && \
!defined(WOLFCRYPT_ONLY)
wolfSSL_X509_NAME_free(dName);
#endif /* OPENSSL_EXTRA */
return MEMORY_E;
}
emailName->type = 0;
emailName->name = (char*)XMALLOC(strLen + 1,
cert->heap, DYNAMIC_TYPE_ALTNAME);
if (emailName->name == NULL) {
WOLFSSL_MSG("\tOut of Memory");
XFREE(emailName, cert->heap, DYNAMIC_TYPE_ALTNAME);
#if (defined(OPENSSL_EXTRA) || \
defined(OPENSSL_EXTRA_X509_SMALL)) && \
!defined(WOLFCRYPT_ONLY)
wolfSSL_X509_NAME_free(dName);
#endif /* OPENSSL_EXTRA */
return MEMORY_E;
}
emailName->len = strLen;
XMEMCPY(emailName->name, &input[srcIdx], strLen);
emailName->name[strLen] = '\0';
emailName->next = cert->altEmailNames;
cert->altEmailNames = emailName;
}
#endif /* IGNORE_NAME_CONSTRAINTS */
} }
if (pilot) { if (pilot) {
@ -14394,6 +14359,19 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
case ASN_RFC822_TYPE: case ASN_RFC822_TYPE:
/* Shouldn't it validade E= in subject as well? */ /* Shouldn't it validade E= in subject as well? */
name = cert->altEmailNames; name = cert->altEmailNames;
if (cert->subjectEmail != NULL) { /* add subject email to list*/
/* RFC 5280 section 4.2.1.10
* "When constraints are imposed on the rfc822Name name
* form, but the certificate does not include a subject
* alternative name, the rfc822Name constraint MUST be
* applied to the attribute of type emailAddress in the
* subject distinguished name" */
subjectDnsName.next = name;
subjectDnsName.type = ASN_RFC822_TYPE;
subjectDnsName.len = cert->subjectEmailLen;
subjectDnsName.name = (char *)cert->subjectEmail;
name = &subjectDnsName;
}
break; break;
case ASN_DIR_TYPE: case ASN_DIR_TYPE:
if (cert->subjectRaw != NULL) { if (cert->subjectRaw != NULL) {

7
wolfssl/wolfcrypt/asn.h
View File

@ -1569,6 +1569,11 @@ struct DecodedCert {
const byte* subjectRaw; /* pointer to subject inside source */ const byte* subjectRaw; /* pointer to subject inside source */
int subjectRawLen; int subjectRawLen;
#endif #endif
#if !defined(IGNORE_NAME_CONSTRAINTS) || \
defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
char* subjectEmail;
int subjectEmailLen;
#endif
#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
/* easy access to subject info for other sign */ /* easy access to subject info for other sign */
char* subjectSN; char* subjectSN;
@ -1610,8 +1615,6 @@ struct DecodedCert {
char* subjectPC; char* subjectPC;
int subjectPCLen; int subjectPCLen;
char subjectPCEnc; char subjectPCEnc;
char* subjectEmail;
int subjectEmailLen;
#if defined(WOLFSSL_HAVE_ISSUER_NAMES) #if defined(WOLFSSL_HAVE_ISSUER_NAMES)
char* issuerCN; char* issuerCN;
int issuerCNLen; int issuerCNLen;