From 4ee957afa38de9f8fb6842cc9702133d7958cf94 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Tue, 8 May 2018 10:19:51 -0600 Subject: [PATCH 1/6] fix for relative URI detection --- wolfcrypt/src/asn.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index ce2532a9e..e7d1f908b 100755 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -5717,7 +5717,7 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert) /* Verify RFC 5280 Sec 4.2.1.6 rule: "The name MUST NOT be a relative URI" */ - if (XSTRNCMP((const char*)&input[idx], "://", strLen + 1) != 0) { + if (XSTRNSTR((const char*)&input[idx], "://", strLen + 1) == NULL) { WOLFSSL_MSG("\tAlt Name must be absolute URI"); return ASN_ALT_NAME_E; } From bb979980ca50bb0a79a028f36ca7c467a1346f33 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Tue, 8 May 2018 16:24:41 -0600 Subject: [PATCH 2/6] add test case for parsing URI from certificate --- certs/client-uri-cert.pem | 89 ++++++++++++++++++++++++++++++++++++ certs/renewcerts.sh | 16 +++++++ certs/renewcerts/wolfssl.cnf | 7 +++ tests/api.c | 21 +++++++++ 4 files changed, 133 insertions(+) create mode 100644 certs/client-uri-cert.pem diff --git a/certs/client-uri-cert.pem b/certs/client-uri-cert.pem new file mode 100644 index 000000000..1a96baccd --- /dev/null +++ b/certs/client-uri-cert.pem @@ -0,0 +1,89 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 9402123678722384441 (0x827b0dabd4896239) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_2048, OU=URI, CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Validity + Not Before: May 8 21:54:16 2018 GMT + Not After : Feb 1 21:54:16 2021 GMT + Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_2048, OU=URI, CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:c3:03:d1:2b:fe:39:a4:32:45:3b:53:c8:84:2b: + 2a:7c:74:9a:bd:aa:2a:52:07:47:d6:a6:36:b2:07: + 32:8e:d0:ba:69:7b:c6:c3:44:9e:d4:81:48:fd:2d: + 68:a2:8b:67:bb:a1:75:c8:36:2c:4a:d2:1b:f7:8b: + ba:cf:0d:f9:ef:ec:f1:81:1e:7b:9b:03:47:9a:bf: + 65:cc:7f:65:24:69:a6:e8:14:89:5b:e4:34:f7:c5: + b0:14:93:f5:67:7b:3a:7a:78:e1:01:56:56:91:a6: + 13:42:8d:d2:3c:40:9c:4c:ef:d1:86:df:37:51:1b: + 0c:a1:3b:f5:f1:a3:4a:35:e4:e1:ce:96:df:1b:7e: + bf:4e:97:d0:10:e8:a8:08:30:81:af:20:0b:43:14: + c5:74:67:b4:32:82:6f:8d:86:c2:88:40:99:36:83: + ba:1e:40:72:22:17:d7:52:65:24:73:b0:ce:ef:19: + cd:ae:ff:78:6c:7b:c0:12:03:d4:4e:72:0d:50:6d: + 3b:a3:3b:a3:99:5e:9d:c8:d9:0c:85:b3:d9:8a:d9: + 54:26:db:6d:fa:ac:bb:ff:25:4c:c4:d1:79:f4:71: + d3:86:40:18:13:b0:63:b5:72:4e:30:c4:97:84:86: + 2d:56:2f:d7:15:f7:7f:c0:ae:f5:fc:5b:e5:fb:a1: + ba:d3 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0 + X509v3 Authority Key Identifier: + keyid:33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0 + DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=URI/CN=www.wolfssl.com/emailAddress=info@wolfssl.com + serial:82:7B:0D:AB:D4:89:62:39 + + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Alternative Name: + URI:https://www.wolfssl.com + Signature Algorithm: sha256WithRSAEncryption + 18:bb:46:7a:13:a5:32:c2:aa:1c:60:cf:d1:b7:59:f3:86:fd: + b4:db:62:6e:40:4d:d3:cb:b5:8f:0a:45:43:9f:0b:50:7b:ac: + 41:ed:27:32:a5:b3:fb:6a:a5:9c:36:00:f2:88:da:dd:80:b5: + 49:29:6c:4d:1c:22:24:07:5b:7b:9a:88:8b:21:a0:62:43:1c: + 14:23:d2:08:a8:27:cc:f2:d5:4f:e2:5c:b1:f8:3c:f5:7c:b2: + ef:b1:ad:1e:fe:a9:92:5f:00:26:fb:f3:8d:e2:c7:38:8a:9a: + e4:a8:4a:29:61:44:f6:80:61:09:5d:49:9b:1c:10:e0:1e:27: + 03:26:e2:46:01:83:49:6a:1d:5f:6e:71:c8:1e:61:44:32:2a: + 84:cd:5a:45:d3:9f:a4:ec:76:4b:1a:6c:26:ca:55:d7:c3:ad: + 94:57:7b:8b:d4:9f:be:25:3d:e2:30:08:d5:fb:18:9a:aa:ee: + c1:ce:bb:ea:de:5d:a7:77:40:c2:b1:57:aa:11:43:41:69:73: + 0c:bd:87:0e:b9:8d:ba:f9:cc:ac:38:60:8a:62:32:2a:c0:0d: + 1c:88:d3:d3:92:d6:f1:2e:82:67:8e:f5:42:b9:e4:28:b3:fd: + fb:7c:9a:16:5f:fe:20:da:37:5f:c2:5e:74:9b:99:f3:de:35: + 45:8d:49:28 +-----BEGIN CERTIFICATE----- +MIIExDCCA6ygAwIBAgIJAIJ7DavUiWI5MA0GCSqGSIb3DQEBCwUAMIGRMQswCQYD +VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMG +A1UECgwMd29sZlNTTF8yMDQ4MQwwCgYDVQQLDANVUkkxGDAWBgNVBAMMD3d3dy53 +b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAeFw0x +ODA1MDgyMTU0MTZaFw0yMTAyMDEyMTU0MTZaMIGRMQswCQYDVQQGEwJVUzEQMA4G +A1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMGA1UECgwMd29sZlNT +TF8yMDQ4MQwwCgYDVQQLDANVUkkxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEf +MB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAMMD0Sv+OaQyRTtTyIQrKnx0mr2qKlIHR9amNrIHMo7Q +uml7xsNEntSBSP0taKKLZ7uhdcg2LErSG/eLus8N+e/s8YEee5sDR5q/Zcx/ZSRp +pugUiVvkNPfFsBST9Wd7Onp44QFWVpGmE0KN0jxAnEzv0YbfN1EbDKE79fGjSjXk +4c6W3xt+v06X0BDoqAgwga8gC0MUxXRntDKCb42GwohAmTaDuh5AciIX11JlJHOw +zu8Zza7/eGx7wBID1E5yDVBtO6M7o5lencjZDIWz2YrZVCbbbfqsu/8lTMTRefRx +04ZAGBOwY7VyTjDEl4SGLVYv1xX3f8Cu9fxb5fuhutMCAwEAAaOCARswggEXMB0G +A1UdDgQWBBQz2EVm12iHGH5UDXAnkccm14VlwDCBxgYDVR0jBIG+MIG7gBQz2EVm +12iHGH5UDXAnkccm14VlwKGBl6SBlDCBkTELMAkGA1UEBhMCVVMxEDAOBgNVBAgM +B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZTU0xfMjA0 +ODEMMAoGA1UECwwDVVJJMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkq +hkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CCQCCew2r1IliOTAJBgNVHRMEAjAA +MCIGA1UdEQQbMBmGF2h0dHBzOi8vd3d3LndvbGZzc2wuY29tMA0GCSqGSIb3DQEB +CwUAA4IBAQAYu0Z6E6UywqocYM/Rt1nzhv2022JuQE3Ty7WPCkVDnwtQe6xB7Scy +pbP7aqWcNgDyiNrdgLVJKWxNHCIkB1t7moiLIaBiQxwUI9IIqCfM8tVP4lyx+Dz1 +fLLvsa0e/qmSXwAm+/ON4sc4iprkqEopYUT2gGEJXUmbHBDgHicDJuJGAYNJah1f +bnHIHmFEMiqEzVpF05+k7HZLGmwmylXXw62UV3uL1J++JT3iMAjV+xiaqu7Bzrvq +3l2nd0DCsVeqEUNBaXMMvYcOuY26+cysOGCKYjIqwA0ciNPTktbxLoJnjvVCueQo +s/37fJoWX/4g2jdfwl50m5nz3jVFjUko +-----END CERTIFICATE----- diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh index 39bcc135d..f42b004ce 100755 --- a/certs/renewcerts.sh +++ b/certs/renewcerts.sh @@ -22,6 +22,7 @@ # client-ca.pem # test/digsigku.pem # ecc-privOnlyCert.pem +# uri-cert.pem # updates the following crls: # crl/cliCrl.pem # crl/crl.pem @@ -45,6 +46,21 @@ function run_renewcerts(){ # To generate these all in sha1 add the flag "-sha1" on appropriate lines # That is all lines beginning with: "openssl req" + ############################################################ + #### update the self-signed (2048-bit) client-uri-cert.pem # + ############################################################ + echo "Updating 2048-bit client-uri-cert.pem" + echo "" + #pipe the following arguments to openssl req... + echo -e "US\nMontana\nBozeman\nwolfSSL_2048\nURI\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key client-key.pem -nodes -out client-cert.csr + + + openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions uri -signkey client-key.pem -out client-uri-cert.pem + rm client-cert.csr + + openssl x509 -in client-uri-cert.pem -text > tmp.pem + mv tmp.pem client-uri-cert.pem + ############################################################ #### update the self-signed (2048-bit) client-cert.pem ##### ############################################################ diff --git a/certs/renewcerts/wolfssl.cnf b/certs/renewcerts/wolfssl.cnf index c251cc71e..91c0312b9 100644 --- a/certs/renewcerts/wolfssl.cnf +++ b/certs/renewcerts/wolfssl.cnf @@ -220,6 +220,13 @@ keyUsage=critical, digitalSignature, keyEncipherment, keyAgreement extendedKeyUsage=serverAuth nsCertType=server +# test parsing URI +[ uri ] +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always +basicConstraints=CA:false +subjectAltName=URI:https://www.wolfssl.com + #tsa default [ tsa ] default_tsa = tsa_config1 diff --git a/tests/api.c b/tests/api.c index 11bcbded3..e2ebaaea1 100644 --- a/tests/api.c +++ b/tests/api.c @@ -2956,6 +2956,26 @@ static void test_wolfSSL_PKCS5(void) #endif /* defined(OPENSSL_EXTRA) && !defined(NO_SHA) */ } +/* test parsing URI from certificate */ +static void test_wolfSSL_URI(void) +{ +#if !defined(NO_CERTS) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) \ + && (defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) || \ + defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) + WOLFSSL_X509* x509; + const char uri[] = "./certs/client-uri-cert.pem"; + + printf(testingFmt, "wolfSSL URI parse"); + + x509 = wolfSSL_X509_load_certificate_file(uri, WOLFSSL_FILETYPE_PEM); + AssertNotNull(x509); + + wolfSSL_FreeX509(x509); + + printf(resultFmt, passed); +#endif +} + /* Testing function wolfSSL_CTX_SetMinVersion; sets the minimum downgrade * version allowed. * POST: 1 on success. @@ -18612,6 +18632,7 @@ void ApiTest(void) test_wolfSSL_PKCS12(); test_wolfSSL_PKCS8(); test_wolfSSL_PKCS5(); + test_wolfSSL_URI(); /*OCSP Stapling. */ AssertIntEQ(test_wolfSSL_UseOCSPStapling(), WOLFSSL_SUCCESS); From d1192021a59a46db7e3ea9355a5a473f2b4ea677 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Wed, 9 May 2018 14:43:52 -0600 Subject: [PATCH 3/6] alter search behavior for testing if URI is a absolute path --- wolfcrypt/src/asn.c | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index e7d1f908b..24581efad 100755 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -5717,9 +5717,28 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert) /* Verify RFC 5280 Sec 4.2.1.6 rule: "The name MUST NOT be a relative URI" */ - if (XSTRNSTR((const char*)&input[idx], "://", strLen + 1) == NULL) { - WOLFSSL_MSG("\tAlt Name must be absolute URI"); - return ASN_ALT_NAME_E; + { + int i; + + /* skip past scheme (i.e http,ftp,...) finding first ':' char */ + for (i = 0; i < strLen; i++) { + if (input[idx + i] == ':') { + break; + } + if (input[idx + i] == '/') { + i = strLen; /* error, found relative path since '/' was + * encountered before ':'. Returning error + * value in next if statement. */ + } + } + + /* test if no ':' char was found and test that the next two + * chars are // to match the pattern "://" */ + if (i == strLen || (input[idx + i + 1] != '/' || + input[idx + i + 2] != '/')) { + WOLFSSL_MSG("\tAlt Name must be absolute URI"); + return ASN_ALT_NAME_E; + } } #endif From 63a0e872c534c6c38b541ab606e270d1dcbff0bc Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Mon, 14 May 2018 14:27:02 -0600 Subject: [PATCH 4/6] add test for fail case when parsing relative URI path --- certs/client-relative-uri.pem | 90 +++++++++++++++++++++++++++++++++++ certs/renewcerts.sh | 18 ++++++- certs/renewcerts/wolfssl.cnf | 7 +++ tests/api.c | 4 ++ 4 files changed, 118 insertions(+), 1 deletion(-) create mode 100644 certs/client-relative-uri.pem diff --git a/certs/client-relative-uri.pem b/certs/client-relative-uri.pem new file mode 100644 index 000000000..f4e0f5ca0 --- /dev/null +++ b/certs/client-relative-uri.pem @@ -0,0 +1,90 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 9930516258332383263 (0x89d047ec3e24981f) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_2048, OU=RELATIVE_URI, CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Validity + Not Before: May 14 20:24:06 2018 GMT + Not After : Feb 7 20:24:06 2021 GMT + Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_2048, OU=RELATIVE_URI, CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:c3:03:d1:2b:fe:39:a4:32:45:3b:53:c8:84:2b: + 2a:7c:74:9a:bd:aa:2a:52:07:47:d6:a6:36:b2:07: + 32:8e:d0:ba:69:7b:c6:c3:44:9e:d4:81:48:fd:2d: + 68:a2:8b:67:bb:a1:75:c8:36:2c:4a:d2:1b:f7:8b: + ba:cf:0d:f9:ef:ec:f1:81:1e:7b:9b:03:47:9a:bf: + 65:cc:7f:65:24:69:a6:e8:14:89:5b:e4:34:f7:c5: + b0:14:93:f5:67:7b:3a:7a:78:e1:01:56:56:91:a6: + 13:42:8d:d2:3c:40:9c:4c:ef:d1:86:df:37:51:1b: + 0c:a1:3b:f5:f1:a3:4a:35:e4:e1:ce:96:df:1b:7e: + bf:4e:97:d0:10:e8:a8:08:30:81:af:20:0b:43:14: + c5:74:67:b4:32:82:6f:8d:86:c2:88:40:99:36:83: + ba:1e:40:72:22:17:d7:52:65:24:73:b0:ce:ef:19: + cd:ae:ff:78:6c:7b:c0:12:03:d4:4e:72:0d:50:6d: + 3b:a3:3b:a3:99:5e:9d:c8:d9:0c:85:b3:d9:8a:d9: + 54:26:db:6d:fa:ac:bb:ff:25:4c:c4:d1:79:f4:71: + d3:86:40:18:13:b0:63:b5:72:4e:30:c4:97:84:86: + 2d:56:2f:d7:15:f7:7f:c0:ae:f5:fc:5b:e5:fb:a1: + ba:d3 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0 + X509v3 Authority Key Identifier: + keyid:33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0 + DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=RELATIVE_URI/CN=www.wolfssl.com/emailAddress=info@wolfssl.com + serial:89:D0:47:EC:3E:24:98:1F + + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Alternative Name: + URI:../relative/page.html + Signature Algorithm: sha256WithRSAEncryption + 29:cb:c0:50:61:da:51:c5:da:50:15:b7:bd:c3:f4:9b:c5:b8: + 2a:9b:6c:c7:91:7a:26:e3:eb:48:d2:40:fa:e3:ab:f9:b7:e2: + 4a:37:9b:b6:03:ad:9c:f4:f2:5d:12:eb:5c:c6:97:c4:3a:18: + 99:70:47:49:93:f3:a5:32:ab:aa:22:71:6f:5c:36:1c:42:2f: + d4:19:da:64:73:84:d3:1e:a8:5f:af:8a:58:e7:64:18:38:79: + 69:f2:08:d4:f2:be:b0:9c:18:d8:f1:a5:eb:b6:9c:67:21:0f: + ba:bf:95:68:e9:d2:23:56:84:cf:87:7c:a4:2a:3a:0d:c1:72: + 3a:43:da:53:bb:6c:f0:b5:f1:03:3c:ff:b6:0a:1f:54:c5:1b: + d5:40:80:24:74:e2:f6:4c:41:88:f1:df:a3:36:64:78:e9:c2: + 0e:c3:0f:f3:5f:19:e6:44:85:79:e1:6a:ee:78:39:9b:58:e3: + c4:39:27:d7:05:1a:b9:7c:21:75:61:7a:71:53:fd:fc:7f:57: + ef:3a:19:be:69:c6:cb:73:49:bd:72:7d:2b:eb:68:52:8e:0f: + d7:47:d3:90:86:5a:14:03:0d:dc:6b:07:10:57:2b:e0:b6:d2: + a0:49:2d:63:88:d0:17:b3:b2:50:c4:60:15:1e:b6:ce:13:14: + 0d:ec:45:eb +-----BEGIN CERTIFICATE----- +MIIE3TCCA8WgAwIBAgIJAInQR+w+JJgfMA0GCSqGSIb3DQEBCwUAMIGaMQswCQYD +VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMG +A1UECgwMd29sZlNTTF8yMDQ4MRUwEwYDVQQLDAxSRUxBVElWRV9VUkkxGDAWBgNV +BAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3Ns +LmNvbTAeFw0xODA1MTQyMDI0MDZaFw0yMTAyMDcyMDI0MDZaMIGaMQswCQYDVQQG +EwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMGA1UE +CgwMd29sZlNTTF8yMDQ4MRUwEwYDVQQLDAxSRUxBVElWRV9VUkkxGDAWBgNVBAMM +D3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNv +bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMMD0Sv+OaQyRTtTyIQr +Knx0mr2qKlIHR9amNrIHMo7Quml7xsNEntSBSP0taKKLZ7uhdcg2LErSG/eLus8N ++e/s8YEee5sDR5q/Zcx/ZSRppugUiVvkNPfFsBST9Wd7Onp44QFWVpGmE0KN0jxA +nEzv0YbfN1EbDKE79fGjSjXk4c6W3xt+v06X0BDoqAgwga8gC0MUxXRntDKCb42G +wohAmTaDuh5AciIX11JlJHOwzu8Zza7/eGx7wBID1E5yDVBtO6M7o5lencjZDIWz +2YrZVCbbbfqsu/8lTMTRefRx04ZAGBOwY7VyTjDEl4SGLVYv1xX3f8Cu9fxb5fuh +utMCAwEAAaOCASIwggEeMB0GA1UdDgQWBBQz2EVm12iHGH5UDXAnkccm14VlwDCB +zwYDVR0jBIHHMIHEgBQz2EVm12iHGH5UDXAnkccm14VlwKGBoKSBnTCBmjELMAkG +A1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTAT +BgNVBAoMDHdvbGZTU0xfMjA0ODEVMBMGA1UECwwMUkVMQVRJVkVfVVJJMRgwFgYD +VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz +bC5jb22CCQCJ0EfsPiSYHzAJBgNVHRMEAjAAMCAGA1UdEQQZMBeGFS4uL3JlbGF0 +aXZlL3BhZ2UuaHRtbDANBgkqhkiG9w0BAQsFAAOCAQEAKcvAUGHaUcXaUBW3vcP0 +m8W4Kptsx5F6JuPrSNJA+uOr+bfiSjebtgOtnPTyXRLrXMaXxDoYmXBHSZPzpTKr +qiJxb1w2HEIv1BnaZHOE0x6oX6+KWOdkGDh5afII1PK+sJwY2PGl67acZyEPur+V +aOnSI1aEz4d8pCo6DcFyOkPaU7ts8LXxAzz/tgofVMUb1UCAJHTi9kxBiPHfozZk +eOnCDsMP818Z5kSFeeFq7ng5m1jjxDkn1wUauXwhdWF6cVP9/H9X7zoZvmnGy3NJ +vXJ9K+toUo4P10fTkIZaFAMN3GsHEFcr4LbSoEktY4jQF7OyUMRgFR62zhMUDexF +6w== +-----END CERTIFICATE----- diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh index f42b004ce..693abb9c6 100755 --- a/certs/renewcerts.sh +++ b/certs/renewcerts.sh @@ -22,7 +22,8 @@ # client-ca.pem # test/digsigku.pem # ecc-privOnlyCert.pem -# uri-cert.pem +# client-uri-cert.pem +# client-relative-uri.pem # updates the following crls: # crl/cliCrl.pem # crl/crl.pem @@ -61,6 +62,21 @@ function run_renewcerts(){ openssl x509 -in client-uri-cert.pem -text > tmp.pem mv tmp.pem client-uri-cert.pem + ############################################################ + #### update the self-signed (2048-bit) client-relative-uri.pem + ############################################################ + echo "Updating 2048-bit client-relative-uri.pem" + echo "" + #pipe the following arguments to openssl req... + echo -e "US\nMontana\nBozeman\nwolfSSL_2048\nRELATIVE_URI\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key client-key.pem -nodes -out client-cert.csr + + + openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions relative_uri -signkey client-key.pem -out client-relative-uri.pem + rm client-cert.csr + + openssl x509 -in client-relative-uri.pem -text > tmp.pem + mv tmp.pem client-relative-uri.pem + ############################################################ #### update the self-signed (2048-bit) client-cert.pem ##### ############################################################ diff --git a/certs/renewcerts/wolfssl.cnf b/certs/renewcerts/wolfssl.cnf index 91c0312b9..421194bc2 100644 --- a/certs/renewcerts/wolfssl.cnf +++ b/certs/renewcerts/wolfssl.cnf @@ -227,6 +227,13 @@ authorityKeyIdentifier=keyid:always,issuer:always basicConstraints=CA:false subjectAltName=URI:https://www.wolfssl.com +# test parsing relative URI +[ relative_uri ] +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always +basicConstraints=CA:false +subjectAltName=URI:../relative/page.html + #tsa default [ tsa ] default_tsa = tsa_config1 diff --git a/tests/api.c b/tests/api.c index e2ebaaea1..4a470efde 100644 --- a/tests/api.c +++ b/tests/api.c @@ -2964,6 +2964,7 @@ static void test_wolfSSL_URI(void) defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) WOLFSSL_X509* x509; const char uri[] = "./certs/client-uri-cert.pem"; + const char badUri[] = "./certs/client-relative-uri.pem"; printf(testingFmt, "wolfSSL URI parse"); @@ -2972,6 +2973,9 @@ static void test_wolfSSL_URI(void) wolfSSL_FreeX509(x509); + x509 = wolfSSL_X509_load_certificate_file(badUri, WOLFSSL_FILETYPE_PEM); + AssertNull(x509); + printf(resultFmt, passed); #endif } From a6ad6b94d1c9941b4101e862bee6265d183431db Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Mon, 14 May 2018 16:03:51 -0600 Subject: [PATCH 5/6] account for IGNORE_NAME_CONSTRAINTS when testing the parsing of a relative URI --- tests/api.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/api.c b/tests/api.c index 4a470efde..d6547e61f 100644 --- a/tests/api.c +++ b/tests/api.c @@ -2974,7 +2974,11 @@ static void test_wolfSSL_URI(void) wolfSSL_FreeX509(x509); x509 = wolfSSL_X509_load_certificate_file(badUri, WOLFSSL_FILETYPE_PEM); +#ifndef IGNORE_NAME_CONSTRAINTS AssertNull(x509); +#else + AssertNotNull(x509); +#endif printf(resultFmt, passed); #endif From f67046f485e85d9281a4b0fb19b2794387ae3b1d Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Thu, 17 May 2018 16:55:59 -0600 Subject: [PATCH 6/6] better bounds checking --- wolfcrypt/src/asn.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 24581efad..c5016aee9 100755 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -5713,6 +5713,11 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert) } length -= (idx - lenStartIdx); + /* check that strLen at index is not past input buffer */ + if (strLen + (int)idx > sz) { + return BUFFER_E; + } + #ifndef WOLFSSL_NO_ASN_STRICT /* Verify RFC 5280 Sec 4.2.1.6 rule: "The name MUST NOT be a relative URI" */ @@ -5734,8 +5739,8 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert) /* test if no ':' char was found and test that the next two * chars are // to match the pattern "://" */ - if (i == strLen || (input[idx + i + 1] != '/' || - input[idx + i + 2] != '/')) { + if (i >= strLen - 2 || (input[idx + i + 1] != '/' || + input[idx + i + 2] != '/')) { WOLFSSL_MSG("\tAlt Name must be absolute URI"); return ASN_ALT_NAME_E; }