diff options
author | Andrzej Kurek <andrzej.kurek@arm.com> | 2023-02-13 10:03:07 -0500 |
---|---|---|
committer | Andrzej Kurek <andrzej.kurek@arm.com> | 2023-02-13 10:03:07 -0500 |
commit | 7a05fab716d798275f8815faa193e080773fde19 (patch) | |
tree | 918fa090356f8de111e77c0b5d19a2c1ff545f85 | |
parent | daa65956c3aabf67146a8535cf1ce081bb878dc0 (diff) | |
download | mbedtls-7a05fab716d798275f8815faa193e080773fde19.zip mbedtls-7a05fab716d798275f8815faa193e080773fde19.tar.gz mbedtls-7a05fab716d798275f8815faa193e080773fde19.tar.bz2 |
Added the uniformResourceIdentifier subtype for the subjectAltName.
Co-authored-by: Hannes Tschofenig <hannes.tschofenig@arm.com>
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
-rw-r--r-- | include/mbedtls/x509.h | 6 | ||||
-rw-r--r-- | include/mbedtls/x509_crt.h | 2 | ||||
-rw-r--r-- | library/x509.c | 32 | ||||
-rw-r--r-- | tests/data_files/Makefile | 6 | ||||
-rw-r--r-- | tests/data_files/rsa_multiple_san_uri.crt | 22 | ||||
-rw-r--r-- | tests/data_files/rsa_single_san_uri.crt | 21 | ||||
-rw-r--r-- | tests/suites/test_suite_x509parse.data | 8 |
7 files changed, 91 insertions, 6 deletions
diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index aa1cd08..bf1f94a 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -294,7 +294,7 @@ typedef struct mbedtls_x509_subject_alternative_name { int type; /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */ union { mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */ - mbedtls_x509_buf unstructured_name; /**< The buffer for the un constructed types. Only dnsName currently supported */ + mbedtls_x509_buf unstructured_name; /**< The buffer for the unconstructed types. Only dnsName and uniformResourceIdentifier currently supported */ */ } san; /**< A union of the supported SAN types */ } @@ -385,8 +385,8 @@ int mbedtls_x509_time_is_future(const mbedtls_x509_time *from); * \param san The target structure to populate with the parsed presentation * of the subject alternative name encoded in \p san_raw. * - * \note Only "dnsName" and "otherName" of type hardware_module_name - * as defined in RFC 4180 is supported. + * \note Only "dnsName", "uniformResourceIdentifier" and "otherName", + * as defined in RFC 5280, is supported. * * \note This function should be called on a single raw data of * subject alternative name. For example, after successful diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 187e60a..036282f 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -76,7 +76,7 @@ typedef struct mbedtls_x509_crt { mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */ mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */ mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */ - mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). */ + mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName, uniformResourceIdentifier and OtherName are listed). */ mbedtls_x509_sequence certificate_policies; /**< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). */ diff --git a/library/x509.c b/library/x509.c index 2865c2e..9f0dc62 100644 --- a/library/x509.c +++ b/library/x509.c @@ -1227,8 +1227,8 @@ static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name, * nameAssigner [0] DirectoryString OPTIONAL, * partyName [1] DirectoryString } * - * NOTE: we list all types, but only use dNSName and otherName - * of type HwModuleName, as defined in RFC 4108, at this point. + * NOTE: we list all types, but only use "dnsName", "otherName" and + * "uniformResourceIdentifier", as defined in RFC 5280, at this point. */ int mbedtls_x509_get_subject_alt_name(unsigned char **p, const unsigned char *end, @@ -1397,7 +1397,19 @@ int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf, } break; + /* + * uniformResourceIdentifier + */ + case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER): + { + memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name)); + san->type = MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER; + memcpy(&san->san.unstructured_name, + san_buf, sizeof(*san_buf)); + + } + break; /* * dNSName */ @@ -1488,7 +1500,23 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size, }/* MBEDTLS_OID_ON_HW_MODULE_NAME */ } break; + /* + * uniformResourceIdentifier + */ + case MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER: + { + ret = mbedtls_snprintf(p, n, "\n%s uniformResourceIdentifier : ", prefix); + MBEDTLS_X509_SAFE_SNPRINTF; + if (san.san.unstructured_name.len >= n) { + *p = '\0'; + return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; + } + memcpy(p, san.san.unstructured_name.p, san.san.unstructured_name.len); + p += san.san.unstructured_name.len; + n -= san.san.unstructured_name.len; + } + break; /* * dNSName */ diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 070f538..7b97eea 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -365,6 +365,12 @@ rsa_pkcs8_2048_public.der: rsa_pkcs8_2048_public.pem $(OPENSSL) rsa -pubin -in $< -outform DER -pubout -out $@ all_final += rsa_pkcs8_2048_public.der +rsa_single_san_uri.crt: rsa_single_san_uri.key + $(OPENSSL) req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout $< -out $@ -addext "subjectAltName = URI:urn:example.com:5ff40f78-9210-494f-8206-c2c082f0609c" -extensions 'v3_req' -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS URI SAN" + +rsa_multiple_san_uri.crt: rsa_multiple_san_uri.key + $(OPENSSL) req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout $< -out $@ -addext "subjectAltName = URI:urn:example.com:5ff40f78-9210-494f-8206-c2c082f0609c, URI:urn:example.com:5ff40f78-9210-494f-8206-abcde1234567" -extensions 'v3_req' -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS URI SAN" + ################################################################ #### Generate various RSA keys ################################################################ diff --git a/tests/data_files/rsa_multiple_san_uri.crt b/tests/data_files/rsa_multiple_san_uri.crt new file mode 100644 index 0000000..ceda8f2 --- /dev/null +++ b/tests/data_files/rsa_multiple_san_uri.crt @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtjCCAp6gAwIBAgIULxROma15QuBZpLSG3KZTtcrOX0AwDQYJKoZIhvcNAQEL +BQAwOzELMAkGA1UEBhMCVUsxETAPBgNVBAoMCE1iZWQgVExTMRkwFwYDVQQDDBBN +YmVkIFRMUyBVUkkgU0FOMB4XDTIyMTIyODA4Mzc0NloXDTQyMTIyMzA4Mzc0Nlow +OzELMAkGA1UEBhMCVUsxETAPBgNVBAoMCE1iZWQgVExTMRkwFwYDVQQDDBBNYmVk +IFRMUyBVUkkgU0FOMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3poS +TQijviHqJNAdKXN0FJMfgLsP9JZuLJczG0MAQsLaB6jHEdH/mrL3Q/1qZv6I6+5E +O5mN0fe8V9THT+OzAaxg8SwWvbog94iReK4OvNqbHEHSKZ0Ej2UHsAYBc/y/xzvJ +UD5QcbjF4g6udumddqA4/MqOSM9KUDufD6rbGhTW2zW8Z/teFW6Y7ucIcyYbS10E +T+P00ZoQbXGSzdddMy/sF+1YxsENniKUQhooIpNxX/lSCHe/CHMFfaj9HPyJE3ke +4rZtUAK1rfSmltfbRl7XQdaB1HLQA/oP+sPWp231mp9jhO2DEMYmHQcRREl/0Zrg +6RKyyIWJabtaF0pPCQIDAQABo4GxMIGuMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXg +MHUGA1UdEQRuMGyGNHVybjpleGFtcGxlLmNvbTo1ZmY0MGY3OC05MjEwLTQ5NGYt +ODIwNi1jMmMwODJmMDYwOWOGNHVybjpleGFtcGxlLmNvbTo1ZmY0MGY3OC05MjEw +LTQ5NGYtODIwNi1hYmNkZTEyMzQ1NjcwHQYDVR0OBBYEFKmGzddKZIFyozb1WrKj +2GXUOg3WMA0GCSqGSIb3DQEBCwUAA4IBAQAV3+vEBnTFcvxSnMSQmNXuSWPaomed +eoT7p5mbdKBiHGv/XoAaAF/WJUGz3dLKtfg0fPOIDPI/Diuyx2eaVHHzPYRW++W0 +wdx1VyAEfTnPexutol5hYMaSonr6wp6V509utwfXAYm8iMMAcHOpljgiGznY5DoB +5qykEAt1Y9jsjhf1Ih/7Q6rVc3I+w8AG5nrJ56MZQBjdOa6xV+8++RJwzuhiSb8E +iDEccpYkfrOOsMl5UZIsSm2BtWp4CRSigWgmN+LSpIfm/zYVYoQYrkjdWx3YhGVB ++xWW1Q/UQhQYtJ8vw9xw/vYWTVWaQDdA22d9XNxLakzwhPDX1OOCJJNy +-----END CERTIFICATE----- diff --git a/tests/data_files/rsa_single_san_uri.crt b/tests/data_files/rsa_single_san_uri.crt new file mode 100644 index 0000000..0c5b1ca --- /dev/null +++ b/tests/data_files/rsa_single_san_uri.crt @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDfjCCAmagAwIBAgIUWWuPuKBmp/e7Jt4G3JAjp97z0NkwDQYJKoZIhvcNAQEL +BQAwOzELMAkGA1UEBhMCVUsxETAPBgNVBAoMCE1iZWQgVExTMRkwFwYDVQQDDBBN +YmVkIFRMUyBVUkkgU0FOMB4XDTIyMTIyNzE3MDUwMVoXDTQyMTIyMjE3MDUwMVow +OzELMAkGA1UEBhMCVUsxETAPBgNVBAoMCE1iZWQgVExTMRkwFwYDVQQDDBBNYmVk +IFRMUyBVUkkgU0FOMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAigYQ +brVSGf/AyTscC8GSiXPnl0PpJzwvQe0c2oVhX/GB8F++m9FT4msoc6i50KNmcuCO +l52w0lY1+XWkm6+FoqeOm5Vfj2fLrsDed2jomI6T5n68QOtbWZNluCbBbDpnAZbo +QCUwHHjrPSc8h76kxEbX7luPOUaG6cyN/eG+HPY6XLRxDUbqFl9q/WsVkAfm5jO5 +7Oa3j4NfnIbFyuHbQXCmCdBq+4sLW3eKAvp2PyKvB601evOMtmUoX4SrWBTI/rfS +8Z6DqJN+V2afOameP/JiuQbc8GvKwOYLRKjdH8bJZ3GUdxTdOAvFhxfUxQIo7aup +nlLGHLdJUPUurV6dywIDAQABo3oweDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DA/ +BgNVHREEODA2hjR1cm46ZXhhbXBsZS5jb206NWZmNDBmNzgtOTIxMC00OTRmLTgy +MDYtYzJjMDgyZjA2MDljMB0GA1UdDgQWBBSDgDX0Y5xPkSAbqVeJ491MzU9jZDAN +BgkqhkiG9w0BAQsFAAOCAQEAFYXiBh3La7vmEj3uTpzGvNBMtJdiXK6C5IgRnARI +5jye0m3AMK9EJEKrE0144PWOKahirxgznCbPPxL86xfC552Wzu2+ARlXBs+XVQnh +c/IQ7NzCw6Pwtg8hFP0Qhjmp4rMvVjbHH8uPBaefx0wDO80f/VOC3xIPqVHA8U9X +Q8+dBPcv1iHaZ8gBx+lTZVaRSzAciNkPFRv5X/GAcnhIWQFBJD0XTlH4SgdsW4O6 +0Oqo4qbHPxPf5zx3ZtX0zG13+/wiPAMvZyjemCMtsentiJt0+a5n+9X3b2lhEq58 +yy5d8aax9EXT5TAguKP7kV1sglSlJcIzmKXb4MCdTYfdfg== +-----END CERTIFICATE----- diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 98c2ae3..6edb43b 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -122,6 +122,14 @@ X509 CRT information, Subject Alt Name + Key Usage depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA x509_cert_info:"data_files/cert_example_multi_nocn.crt":"cert. version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nsubject alt name \:\n dNSName \: www.shotokan-braunschweig.de\n dNSName \: www.massimo-abate.eu\n <unsupported>\n <unsupported>\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" +X509 CRT information, Subject Alt Name with uniformResourceIdentifier +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA +x509_cert_info:"data_files/rsa_single_san_uri.crt":"cert. version \: 3\nserial number \: 59\:6B\:8F\:B8\:A0\:66\:A7\:F7\:BB\:26\:DE\:06\:DC\:90\:23\:A7\:DE\:F3\:D0\:D9\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nissued on \: 2022-12-27 17\:05\:01\nexpires on \: 2042-12-22 17\:05\:01\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" + +X509 CRT information, Subject Alt Name with two uniformResourceIdentifiers +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA +x509_cert_info:"data_files/rsa_multiple_san_uri.crt":"cert. version \: 3\nserial number \: 2F\:14\:4E\:99\:AD\:79\:42\:E0\:59\:A4\:B4\:86\:DC\:A6\:53\:B5\:CA\:CE\:5F\:40\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nissued on \: 2022-12-28 08\:37\:46\nexpires on \: 2042-12-23 08\:37\:46\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-abcde1234567\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" + X509 CRT information, RSA Certificate Policy any depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA x509_cert_info:"data_files/test-ca-any_policy.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-03-21 16\:40\:59\nexpires on \: 2029-03-21 16\:40\:59\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n" |