Merge pull request #6525 from lealem47/san

Improve subjectAltName extension parsing and printing

configure.ac

@@ -8173,6 +8173,9 @@ then
 
  # Uses alt name
  ENABLED_ALTNAMES="yes"
+
+ AM_CFLAGS="$AM_CFLAGS -DHAVE_OID_ENCODING -DWOLFSSL_NO_ASN_STRICT"
+
 fi
 
 if test "$ENABLED_STRONGSWAN" = "yes"; then

src/ssl.c

@@ -24918,7 +24918,9 @@ const WOLFSSL_ObjectInfo wolfssl_object_info[] = {
 
  /* oidCertNameType */
  { NID_commonName, NID_commonName, oidCertNameType, "CN", "commonName"},
+#if !defined(WOLFSSL_CERT_REQ)
  { NID_surname, NID_surname, oidCertNameType, "SN", "surname"},
+#endif
  { NID_serialNumber, NID_serialNumber, oidCertNameType, "serialNumber",
  "serialNumber"},
  { NID_userId, NID_userId, oidCertNameType, "UID", "userid"},
@@ -33109,6 +33111,24 @@ word32 nid2oid(int nid, int grp)
  }
  break;
 
+ /* oidCmsKeyAgreeType */
+ #ifdef WOLFSSL_CERT_REQ
+ case oidCsrAttrType:
+ switch (nid) {
+ case NID_pkcs9_contentType:
+ return PKCS9_CONTENT_TYPE_OID;
+ case NID_pkcs9_challengePassword:
+ return CHALLENGE_PASSWORD_OID;
+ case NID_serialNumber:
+ return SERIAL_NUMBER_OID;
+ case NID_userId:
+ return USER_ID_OID;
+ case NID_surname:
+ return SURNAME_OID;
+ }
+ break;
+ #endif
+
  default:
  WOLFSSL_MSG("NID not in table");
  /* MSVC warns without the cast */
@@ -33487,7 +33507,7 @@ int oid2nid(word32 oid, int grp)
 #endif
 
  default:
- WOLFSSL_MSG("NID not in table");
+ WOLFSSL_MSG("OID not in table");
  }
  /* If not found in above switch then try the table */
  for (i = 0; i < WOLFSSL_OBJECT_INFO_SZ; i++) {

src/x509.c

@@ -5866,11 +5866,21 @@ static int X509PrintSubjAltName(WOLFSSL_BIO* bio, WOLFSSL_X509* x509,
  else if (entry->type == ASN_URI_TYPE) {
  len = XSNPRINTF(scratch, MAX_WIDTH, "URI:%s",
  entry->name);
+ if (len >= MAX_WIDTH) {
+ ret = WOLFSSL_FAILURE;
+ break;
+ }
+ }
+ #if defined(OPENSSL_ALL)
+ else if (entry->type == ASN_RID_TYPE) {
+ len = XSNPRINTF(scratch, MAX_WIDTH, "Registered ID:%s",
+ entry->ridString);
  if (len >= MAX_WIDTH) {
  ret = WOLFSSL_FAILURE;
  break;
  }
  }
+ #endif
  else if (entry->type == ASN_OTHER_TYPE) {
  len = XSNPRINTF(scratch, MAX_WIDTH,
  "othername <unsupported>");

wolfcrypt/src/asn.c

@@ -5465,13 +5465,18 @@ static int CheckCurve(word32 oid)
  * @return BAD_FUNC_ARG when in or outSz is NULL.
  * @return BUFFER_E when buffer too small.
  */
+int wc_EncodeObjectId(const word16* in, word32 inSz, byte* out, word32* outSz)
+{
+ return EncodeObjectId(in, inSz, out, outSz);
+}
+
 int EncodeObjectId(const word16* in, word32 inSz, byte* out, word32* outSz)
 {
  int i, x, len;
  word32 d, t;
 
  /* check args */
- if (in == NULL || outSz == NULL) {
+ if (in == NULL || outSz == NULL || inSz <= 0) {
  return BAD_FUNC_ARG;
  }
 
@@ -5540,7 +5545,8 @@ int EncodeObjectId(const word16* in, word32 inSz, byte* out, word32* outSz)
 }
 #endif /* HAVE_OID_ENCODING */
 
-#if defined(HAVE_OID_DECODING) || defined(WOLFSSL_ASN_PRINT)
+#if defined(HAVE_OID_DECODING) || defined(WOLFSSL_ASN_PRINT) || \
+ defined(OPENSSL_ALL)
 /* Encode dotted form of OID into byte array version.
  *
  * @param [in] in Byte array containing OID.
@@ -5587,7 +5593,7 @@ int DecodeObjectId(const byte* in, word32 inSz, word16* out, word32* outSz)
 
  return 0;
 }
-#endif /* HAVE_OID_DECODING */
+#endif /* HAVE_OID_DECODING || WOLFSSL_ASN_PRINT || OPENSSL_ALL */
 
 /* Decode the header of a BER/DER encoded OBJECT ID.
  *
@@ -11196,6 +11202,9 @@ void FreeAltNames(DNS_entry* altNames, void* heap)
  XFREE(altNames->name, heap, DYNAMIC_TYPE_ALTNAME);
  #if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME)
  XFREE(altNames->ipString, heap, DYNAMIC_TYPE_ALTNAME);
+ #endif
+ #if defined(OPENSSL_ALL)
+ XFREE(altNames->ridString, heap, DYNAMIC_TYPE_ALTNAME);
  #endif
  XFREE(altNames, heap, DYNAMIC_TYPE_ALTNAME);
  altNames = tmp;
@@ -12970,6 +12979,90 @@ static int GenerateDNSEntryIPString(DNS_entry* entry, void* heap)
 }
 #endif /* OPENSSL_ALL || WOLFSSL_IP_ALT_NAME */
 
+#if defined(OPENSSL_ALL)
+/* used to set the human readable string for the registeredID with an
+ * ASN_RID_TYPE DNS entry
+ * return 0 on success
+ */
+static int GenerateDNSEntryRIDString(DNS_entry* entry, void* heap)
+{
+ int i, j, ret = 0;
+ int nameSz = 0;
+ int numerical = 0;
+ int nid = 0;
+ int tmpSize = MAX_OID_SZ;
+ word32 oid = 0;
+ word32 idx = 0;
+ word16 tmpName[MAX_OID_SZ];
+ char oidName[MAX_OID_SZ];
+ char* finalName;
+
+ if (entry == NULL || entry->type != ASN_RID_TYPE) {
+ return BAD_FUNC_ARG;
+ }
+
+ if (entry->len <= 0) {
+ return BAD_FUNC_ARG;
+ }
+
+ XMEMSET(&oidName, 0, MAX_OID_SZ);
+
+ ret = GetOID((const byte*)entry->name, &idx, &oid, oidIgnoreType,
+ entry->len);
+
+ if (ret == 0 && (nid = oid2nid(oid, oidCsrAttrType)) > 0) {
+ /* OID has known string value */
+ finalName = (char*)wolfSSL_OBJ_nid2ln(nid);
+ }
+ else {
+ /* Decode OBJECT_ID into dotted form array. */
+ ret = DecodeObjectId((const byte*)(entry->name),(word32)entry->len,
+ tmpName, (word32*)&tmpSize);
+
+ numerical = 1;
+ if (ret == 0) {
+ j = 0;
+ /* Append each number of dotted form. */
+ for (i = 0; i < tmpSize; i++) {
+ ret = XSNPRINTF(oidName + j, MAX_OID_SZ, "%d", tmpName[i]);
+ if (ret >= 0) {
+ j += ret;
+ if (i < tmpSize - 1) {
+ oidName[j] = '.';
+ j++;
+ }
+ }
+ else {
+ return BUFFER_E;
+ }
+ }
+ ret = 0;
+ finalName = oidName;
+ }
+ }
+
+ if (ret == 0) {
+ nameSz = (int)XSTRLEN((const char*)finalName);
+
+ entry->ridString = (char*)XMALLOC(nameSz + numerical, heap,
+ DYNAMIC_TYPE_ALTNAME);
+
+ if (entry->ridString == NULL) {
+ ret = MEMORY_E;
+ }
+
+ if (ret == 0) {
+ XMEMCPY(entry->ridString, finalName, nameSz);
+ if (numerical) {
+ entry->ridString[nameSz] = '\0';
+ }
+ }
+ }
+
+ return ret;
+}
+#endif /* OPENSSL_ALL && WOLFSSL_ASN_TEMPLATE */
+
 #ifdef WOLFSSL_ASN_TEMPLATE
 
 #if defined(WOLFSSL_CERT_GEN) || !defined(NO_CERTS)
@@ -13048,6 +13141,15 @@ static int SetDNSEntry(DecodedCert* cert, const char* str, int strLen,
  XMEMCPY(dnsEntry->name, str, (size_t)strLen);
  dnsEntry->name[strLen] = '\0';
 
+#if defined(OPENSSL_ALL)
+ /* store registeredID as a string */
+ if (type == ASN_RID_TYPE) {
+ if ((ret = GenerateDNSEntryRIDString(dnsEntry, cert->heap)) != 0) {
+ XFREE(dnsEntry->name, cert->heap, DYNAMIC_TYPE_ALTNAME);
+ XFREE(dnsEntry, cert->heap, DYNAMIC_TYPE_ALTNAME);
+ }
+ }
+#endif
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME)
  /* store IP addresses as a string */
  if (type == ASN_IP_TYPE) {
@@ -17599,6 +17701,15 @@ static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag,
  }
  }
  #endif /* WOLFSSL_QT || OPENSSL_ALL */
+
+ /* GeneralName choice: registeredID */
+ else if (tag == (ASN_CONTEXT_SPECIFIC | ASN_RID_TYPE)) {
+ ret = SetDNSEntry(cert, (const char*)(input + idx), len,
+ ASN_RID_TYPE, &cert->altNames);
+ if (ret == 0) {
+ idx += (word32)len;
+ }
+ }
 #endif /* IGNORE_NAME_CONSTRAINTS */
 #if defined(WOLFSSL_SEP) || defined(WOLFSSL_FPKI)
  /* GeneralName choice: otherName */
@@ -17607,8 +17718,7 @@ static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag,
  ret = DecodeOtherName(cert, input, &idx, idx + (word32)len);
  }
 #endif
- /* GeneralName choice: dNSName, x400Address, ediPartyName,
- * registeredID */
+ /* GeneralName choice: dNSName, x400Address, ediPartyName */
  else {
  WOLFSSL_MSG("\tUnsupported name type, skipping");
  idx += (word32)len;
@@ -18118,7 +18228,55 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert)
  length -= strLen;
  idx += (word32)strLen;
  }
-#endif /* WOLFSSL_QT || OPENSSL_ALL */
+#endif /* WOLFSSL_QT || OPENSSL_ALL || WOLFSSL_IP_ALT_NAME */
+#if defined(OPENSSL_ALL)
+ else if (current_byte == (ASN_CONTEXT_SPECIFIC | ASN_RID_TYPE)) {
+ DNS_entry* rid;
+ int strLen;
+ word32 lenStartIdx = idx;
+ WOLFSSL_MSG("Decoding Subject Alt. Name: Registered Id");
+
+ if (GetLength(input, &idx, &strLen, sz) < 0) {
+ WOLFSSL_MSG("\tfail: str length");
+ return ASN_PARSE_E;
+ }
+ length -= (idx - lenStartIdx);
+ /* check that strLen at index is not past input buffer */
+ if (strLen + idx > sz) {
+ return BUFFER_E;
+ }
+
+ rid = AltNameNew(cert->heap);
+ if (rid == NULL) {
+ WOLFSSL_MSG("\tOut of Memory");
+ return MEMORY_E;
+ }
+
+ rid->type = ASN_RID_TYPE;
+ rid->name = (char*)XMALLOC((size_t)strLen + 1, cert->heap,
+ DYNAMIC_TYPE_ALTNAME);
+ if (rid->name == NULL) {
+ WOLFSSL_MSG("\tOut of Memory");
+ XFREE(rid, cert->heap, DYNAMIC_TYPE_ALTNAME);
+ return MEMORY_E;
+ }
+ rid->len = strLen;
+ XMEMCPY(rid->name, &input[idx], strLen);
+ rid->name[strLen] = '\0';
+
+ if (GenerateDNSEntryRIDString(rid, cert->heap) != 0) {
+ WOLFSSL_MSG("\tOut of Memory for registerd Id string");
+ XFREE(rid->name, cert->heap, DYNAMIC_TYPE_ALTNAME);
+ XFREE(rid, cert->heap, DYNAMIC_TYPE_ALTNAME);
+ return MEMORY_E;
+ }
+
+ AddAltName(cert, rid);
+
+ length -= strLen;
+ idx += (word32)strLen;
+ }
+#endif /* OPENSSL_ALL */
 #endif /* IGNORE_NAME_CONSTRAINTS */
  else if (current_byte ==
  (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | ASN_OTHER_TYPE)) {
@@ -21191,6 +21349,22 @@ static int DecodeCertReqAttrValue(DecodedCert* cert, int* criticalExt,
  }
  break;
 
+ case UNSTRUCTURED_NAME_OID:
+ /* Clear dynamic data and specify choices acceptable. */
+ XMEMSET(strDataASN, 0, sizeof(strDataASN));
+ GetASN_Choice(&strDataASN[STRATTRASN_IDX_STR], strAttrChoice);
+ /* Parse a string. */
+ ret = GetASN_Items(strAttrASN, strDataASN, strAttrASN_Length,
+ 1, input, &idx, maxIdx);
+ if (ret == 0) {
+ /* Store references to unstructured name. */
+ cert->unstructuredName =
+ (char*)strDataASN[STRATTRASN_IDX_STR].data.ref.data;
+ cert->unstructuredNameLen = (int)strDataASN[STRATTRASN_IDX_STR].
+ data.ref.length;
+ }
+ break;
+
  /* Certificate extensions to be included in generated certificate.
  * PKCS#9: RFC 2985, 5.4.2 - Extension request
  */
@@ -29706,6 +29880,11 @@ static const ASNItem certReqBodyASN[] = {
 /* ATTRS_CPW_SET */ { 3, ASN_SET, 1, 1, 0 },
 /* ATTRS_CPW_PS */ { 4, ASN_PRINTABLE_STRING, 0, 0, 0 },
 /* ATTRS_CPW_UTF */ { 4, ASN_UTF8STRING, 0, 0, 0 },
+/* ATTRS_USN_SEQ */ { 2, ASN_SEQUENCE, 1, 1, 1 },
+/* ATTRS_USN_OID */ { 3, ASN_OBJECT_ID, 0, 0, 0 },
+/* ATTRS_USN_SET */ { 3, ASN_SET, 1, 1, 0 },
+/* ATTRS_USN_PS */ { 4, ASN_PRINTABLE_STRING, 0, 0, 0 },
+/* ATTRS_USN_UTF */ { 4, ASN_UTF8STRING, 0, 0, 0 },
  /* Extensions Attribute */
 /* EXT_SEQ */ { 2, ASN_SEQUENCE, 1, 1, 1 },
 /* EXT_OID */ { 3, ASN_OBJECT_ID, 0, 0, 0 },
@@ -29723,6 +29902,11 @@ enum {
  CERTREQBODYASN_IDX_ATTRS_CPW_SET,
  CERTREQBODYASN_IDX_ATTRS_CPW_PS,
  CERTREQBODYASN_IDX_ATTRS_CPW_UTF,
+ CERTREQBODYASN_IDX_ATTRS_USN_SEQ,
+ CERTREQBODYASN_IDX_ATTRS_USN_OID,
+ CERTREQBODYASN_IDX_ATTRS_USN_SET,
+ CERTREQBODYASN_IDX_ATTRS_USN_PS,
+ CERTREQBODYASN_IDX_ATTRS_USN_UTF,
  CERTREQBODYASN_IDX_EXT_SEQ,
  CERTREQBODYASN_IDX_EXT_OID,
  CERTREQBODYASN_IDX_EXT_SET,
@@ -29976,6 +30160,23 @@ static int MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz,
  SetASNItem_NoOutNode(dataASN, certReqBodyASN,
  CERTREQBODYASN_IDX_ATTRS_CPW_SEQ, certReqBodyASN_Length);
  }
+ if (cert->unstructuredName[0] != '\0') {
+ /* Add unstructured name attribute. */
+ /* Set unstructured name OID. */
+ SetASN_Buffer(&dataASN[CERTREQBODYASN_IDX_ATTRS_USN_OID],
+ attrUnstructuredNameOid, sizeof(attrUnstructuredNameOid));
+ /* PRINTABLE_STRING - set buffer */
+ SetASN_Buffer(&dataASN[CERTREQBODYASN_IDX_ATTRS_USN_PS],
+ (byte*)cert->unstructuredName,
+ (word32)XSTRLEN(cert->unstructuredName));
+ /* UTF8STRING - don't encode */
+ dataASN[CERTREQBODYASN_IDX_ATTRS_USN_UTF].noOut = 1;
+ }
+ else {
+ /* Leave out unstructured name attribute item. */
+ SetASNItem_NoOutNode(dataASN, certReqBodyASN,
+ CERTREQBODYASN_IDX_ATTRS_USN_SEQ, certReqBodyASN_Length);
+ }
  if (extSz > 0) {
  /* Set extension attribute OID. */
  SetASN_Buffer(&dataASN[CERTREQBODYASN_IDX_EXT_OID], attrExtensionRequestOid,
@@ -37515,9 +37716,6 @@ int wc_Asn1_SetFile(Asn1* asn1, XFILE file)
  return ret;
 }
 
-/* Maximum OID dotted form size. */
-#define ASN1_OID_DOTTED_MAX_SZ 16
-
 /* Print OID in dotted form or as hex bytes.
  *
  * @param [in] file File pointer to write to.