From 90f5665318b2613d1488e4686681056e7fdd0511 Mon Sep 17 00:00:00 2001 From: Lealem Amedie Date: Tue, 20 Jun 2023 09:40:48 -0600 Subject: [PATCH] Improve subjectAltName extension parsing and printing --- src/x509.c | 8 ++++++ wolfcrypt/src/asn.c | 55 +++++++++++++++++++++++++++++++++++++++-- wolfssl/wolfcrypt/asn.h | 1 + 3 files changed, 62 insertions(+), 2 deletions(-) diff --git a/src/x509.c b/src/x509.c index 860eea185..5755dc492 100644 --- a/src/x509.c +++ b/src/x509.c @@ -5790,6 +5790,14 @@ static int X509PrintSubjAltName(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, else if (entry->type == ASN_URI_TYPE) { len = XSNPRINTF(scratch, MAX_WIDTH, "URI:%s", entry->name); + if (len >= MAX_WIDTH) { + ret = WOLFSSL_FAILURE; + break; + } + } + else if (entry->type == ASN_RID_TYPE) { + len = XSNPRINTF(scratch, MAX_WIDTH, "Registered ID:%s", + entry->name); if (len >= MAX_WIDTH) { ret = WOLFSSL_FAILURE; break; diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 9eec8bfce..af980a3ea 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -16924,6 +16924,15 @@ static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag, } } #endif /* WOLFSSL_QT || OPENSSL_ALL */ + + /* GeneralName choice: registeredID */ + else if (tag == (ASN_CONTEXT_SPECIFIC | ASN_RID_TYPE)) { + ret = SetDNSEntry(cert, (const char*)(input + idx), len, + ASN_RID_TYPE, &cert->altNames); + if (ret == 0) { + idx += (word32)len; + } + } #endif /* IGNORE_NAME_CONSTRAINTS */ #if defined(WOLFSSL_SEP) || defined(WOLFSSL_FPKI) /* GeneralName choice: otherName */ @@ -16932,8 +16941,7 @@ static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag, ret = DecodeOtherName(cert, input, &idx, idx + (word32)len); } #endif - /* GeneralName choice: dNSName, x400Address, ediPartyName, - * registeredID */ + /* GeneralName choice: dNSName, x400Address, ediPartyName */ else { WOLFSSL_MSG("\tUnsupported name type, skipping"); idx += (word32)len; 
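Review bot: The new `ASN_RID_TYPE` branch in `X509PrintSubjAltName` prints `entry->name` with `%s`, but the matching branch in the asn.c hunk on this same line (`DecodeGeneralName`, `@@ -16924`) fills that entry by passing `input + idx` and `len` to `SetDNSEntry`, i.e. the raw DER content octets of the OBJECT IDENTIFIER rather than a dotted-decimal string. Unless `SetDNSEntry` converts the value (its body is not in the patch), `Registered ID:` will be followed by binary bytes, and an embedded 0x00 octet — which a valid OID encoding can contain — would cut the output short. Decoding the sub-identifiers into dotted-decimal text at parse time (the file's `DecodeObjectId`, if it is compiled into this build, could do the arithmetic) would keep the stored name printable and make the two hunks consistent. The enclosing function in each hunk starts and ends outside the hunk.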
@@ -20480,6 +20488,22 @@ static int DecodeCertReqAttrValue(DecodedCert* cert, int* criticalExt, } break; + case UNSTRUCTURED_NAME_OID: + /* Clear dynamic data and specify choices acceptable. */ + XMEMSET(strDataASN, 0, sizeof(strDataASN)); + GetASN_Choice(&strDataASN[STRATTRASN_IDX_STR], strAttrChoice); + /* Parse a string. */ + ret = GetASN_Items(strAttrASN, strDataASN, strAttrASN_Length, + 1, input, &idx, maxIdx); + if (ret == 0) { + /* Store references to unstructured name. */ + cert->unstructuredName = + (char*)strDataASN[STRATTRASN_IDX_STR].data.ref.data; + cert->unstructuredNameLen = (int)strDataASN[STRATTRASN_IDX_STR]. + data.ref.length; + } + break; + /* Certificate extensions to be included in generated certificate. * PKCS#9: RFC 2985, 5.4.2 - Extension request */ @@ -29346,6 +29370,11 @@ static const ASNItem certReqBodyASN[] = { /* ATTRS_CPW_SET */ { 3, ASN_SET, 1, 1, 0 }, /* ATTRS_CPW_PS */ { 4, ASN_PRINTABLE_STRING, 0, 0, 0 }, /* ATTRS_CPW_UTF */ { 4, ASN_UTF8STRING, 0, 0, 0 }, +/* ATTRS_USN_SEQ */ { 2, ASN_SEQUENCE, 1, 1, 1 }, +/* ATTRS_USN_OID */ { 3, ASN_OBJECT_ID, 0, 0, 0 }, +/* ATTRS_USN_SET */ { 3, ASN_SET, 1, 1, 0 }, +/* ATTRS_USN_PS */ { 4, ASN_PRINTABLE_STRING, 0, 0, 0 }, +/* ATTRS_USN_UTF */ { 4, ASN_UTF8STRING, 0, 0, 0 }, /* Extensions Attribute */ /* EXT_SEQ */ { 2, ASN_SEQUENCE, 1, 1, 1 }, /* EXT_OID */ { 3, ASN_OBJECT_ID, 0, 0, 0 }, @@ -29363,6 +29392,11 @@ enum { CERTREQBODYASN_IDX_ATTRS_CPW_SET, CERTREQBODYASN_IDX_ATTRS_CPW_PS, CERTREQBODYASN_IDX_ATTRS_CPW_UTF, + CERTREQBODYASN_IDX_ATTRS_USN_SEQ, + CERTREQBODYASN_IDX_ATTRS_USN_OID, + CERTREQBODYASN_IDX_ATTRS_USN_SET, + CERTREQBODYASN_IDX_ATTRS_USN_PS, + CERTREQBODYASN_IDX_ATTRS_USN_UTF, CERTREQBODYASN_IDX_EXT_SEQ, CERTREQBODYASN_IDX_EXT_OID, CERTREQBODYASN_IDX_EXT_SET, 
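Review bot: The `UNSTRUCTURED_NAME_OID` case reuses `strAttrChoice` and `strAttrASN` for the value, and the new `certReqBodyASN` entries accept only PrintableString and UTF8String; RFC 2985 defines unstructuredName as `PKCS9String` (IA5String or DirectoryString), so a CSR carrying it as IA5String would fail here with a parse error unless `strAttrChoice` (defined outside the hunk) already lists `ASN_IA5_STRING`. Worth confirming and, if not, extending the choice for this attribute. Separately, `cert->unstructuredName` is a reference into `input` and is not NUL-terminated; a comment at the assignment such as `/* Points into input; valid only while the DER buffer is; use unstructuredNameLen, not XSTRLEN. */` would save a caller from treating it as a C string. `DecodeCertReqAttrValue` starts and ends outside the hunk.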
@@ -29616,6 +29650,23 @@ static int MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz, SetASNItem_NoOutNode(dataASN, certReqBodyASN, CERTREQBODYASN_IDX_ATTRS_CPW_SEQ, certReqBodyASN_Length); } + if (cert->unstructuredName[0] != '\0') { + /* Add unstructured name attribute. */ + /* Set unstructured name OID. */ + SetASN_Buffer(&dataASN[CERTREQBODYASN_IDX_ATTRS_USN_OID], + attrUnstructuredNameOid, sizeof(attrUnstructuredNameOid)); + /* PRINTABLE_STRING - set buffer */ + SetASN_Buffer(&dataASN[CERTREQBODYASN_IDX_ATTRS_USN_PS], + (byte*)cert->unstructuredName, + (word32)XSTRLEN(cert->unstructuredName)); + /* UTF8STRING - don't encode */ + dataASN[CERTREQBODYASN_IDX_ATTRS_USN_UTF].noOut = 1; + } + else { + /* Leave out unstructured name attribute item. */ + SetASNItem_NoOutNode(dataASN, certReqBodyASN, + CERTREQBODYASN_IDX_ATTRS_USN_SEQ, certReqBodyASN_Length); + } if (extSz > 0) { /* Set extension attribute OID. */ SetASN_Buffer(&dataASN[CERTREQBODYASN_IDX_EXT_OID], attrExtensionRequestOid, diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 24d8362c8..f4f0c1d6d 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -139,6 +139,7 @@ enum ASN_Tags { ASN_DIR_TYPE = 0x04, ASN_URI_TYPE = 0x06, /* the value 6 is from GeneralName OID */ ASN_IP_TYPE = 0x07, /* the value 7 is from GeneralName OID */ + ASN_RID_TYPE = 0x08, /* PKCS #7 types */ ASN_ENC_CONTENT = 0x00,
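Review bot: The unstructured name is always emitted as PrintableString (`SetASN_Buffer(&dataASN[CERTREQBODYASN_IDX_ATTRS_USN_PS], ...)` with the UTF8STRING item set to `noOut`), with no check that `cert->unstructuredName` contains only PrintableString characters; a UTF-8 or otherwise non-printable name would be DER-encoded under the wrong tag, and strict parsers may reject the request. The challengePassword branch just above appears to follow the same pattern, so this may be a deliberate project convention; if not, scan the string and, when a character outside the PrintableString set is found, set `dataASN[CERTREQBODYASN_IDX_ATTRS_USN_PS].noOut = 1;` and put the buffer on `CERTREQBODYASN_IDX_ATTRS_USN_UTF` instead. `MakeCertReq` starts and ends outside the hunk.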
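Review bot: The new enumerator lacks the provenance comment its neighbours carry (`ASN_URI_TYPE` and `ASN_IP_TYPE` both note the GeneralName tag number), so a reader cannot tell whether 0x08 belongs to the GeneralName context tags above or to the `PKCS #7 types` group that follows. Suggest `ASN_RID_TYPE = 0x08, /* the value 8 is from GeneralName registeredID */`. The `ASN_Tags` enum continues outside the hunk.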