
mbedtls_x509_csr_info: Add parsing code for v3 csr extensions

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
This commit is contained in:
Przemek Stekiel 2023-01-12 12:58:02 +01:00
parent 2d9e359275
commit cbaf3167dd
4 changed files with 69 additions and 9 deletions


@ -379,6 +379,14 @@ int x509_get_key_usage(unsigned char **p,
int x509_get_subject_alt_name(unsigned char **p, int x509_get_subject_alt_name(unsigned char **p,
const unsigned char *end, const unsigned char *end,
mbedtls_x509_sequence *subject_alt_name); mbedtls_x509_sequence *subject_alt_name);
int x509_info_subject_alt_name(char **buf, size_t *size,
const mbedtls_x509_sequence
*subject_alt_name,
const char *prefix);
int x509_info_cert_type(char **buf, size_t *size,
unsigned char ns_cert_type);
int x509_info_key_usage(char **buf, size_t *size,
unsigned int key_usage);
#define MBEDTLS_X509_SAFE_SNPRINTF \ #define MBEDTLS_X509_SAFE_SNPRINTF \
do { \ do { \
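Review bot: The prototypes added for x509_info_subject_alt_name, x509_info_cert_type and x509_info_key_usage carry no doc comment, even though they now form a cross-module interface used from x509_csr.c; the neighbouring x509_get_* declarations give no pattern to copy, so a short contract is worth spelling out here. From the call sites in this commit it appears that *buf and *size are advanced past the text written and that a non-zero return is an mbedtls error code, so a one-liner per prototype such as `/* Append the printable form of subject_alt_name to *buf, advancing *buf and *size; returns 0 or a negative MBEDTLS_ERR_xxx code. */` would make the callers self-explaining. The surrounding context does not show whether these declarations sit under the MBEDTLS_X509_REMOVE_INFO guard that wraps their definitions; if not, wrapping them in the same `#if !defined(MBEDTLS_X509_REMOVE_INFO)` keeps header and implementation in step.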


@ -62,6 +62,8 @@ typedef struct mbedtls_x509_csr {
unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values in x509.h */ unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values in x509.h */
mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). */ mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). */
int MBEDTLS_PRIVATE(ext_types); /**< Bit string containing detected and parsed extensions */
mbedtls_x509_buf sig_oid; mbedtls_x509_buf sig_oid;
mbedtls_x509_buf MBEDTLS_PRIVATE(sig); mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */ mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
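Review bot: The comment on the new ext_types member does not say which flag values it holds or what it governs, and because the member is MBEDTLS_PRIVATE while ns_cert_type, subject_alt_names and key_usage are public, a reader of the struct cannot tell that those fields are only meaningful when the matching bit is set. Suggest `/**< Bit string of MBEDTLS_X509_EXT_XXX flags for the extensions that were detected and parsed; the extension-specific fields above hold data only when their bit is set */`. Inserting the field ahead of sig_oid also shifts the offsets of every following member; if the struct is meant to stay layout-compatible across releases, appending it at the end would be safer, though I cannot tell the project's policy from this page. The struct definition starts and ends outside the hunk.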


@ -1849,7 +1849,7 @@ int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
} }
#if !defined(MBEDTLS_X509_REMOVE_INFO) #if !defined(MBEDTLS_X509_REMOVE_INFO)
static int x509_info_subject_alt_name(char **buf, size_t *size, int x509_info_subject_alt_name(char **buf, size_t *size,
const mbedtls_x509_sequence const mbedtls_x509_sequence
*subject_alt_name, *subject_alt_name,
const char *prefix) const char *prefix)
@ -1965,7 +1965,7 @@ static int x509_info_subject_alt_name(char **buf, size_t *size,
if (ns_cert_type & (type)) \ if (ns_cert_type & (type)) \
PRINT_ITEM(name); PRINT_ITEM(name);
static int x509_info_cert_type(char **buf, size_t *size, int x509_info_cert_type(char **buf, size_t *size,
unsigned char ns_cert_type) unsigned char ns_cert_type)
{ {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -1992,7 +1992,7 @@ static int x509_info_cert_type(char **buf, size_t *size,
if (key_usage & (code)) \ if (key_usage & (code)) \
PRINT_ITEM(name); PRINT_ITEM(name);
static int x509_info_key_usage(char **buf, size_t *size, int x509_info_key_usage(char **buf, size_t *size,
unsigned int key_usage) unsigned int key_usage)
{ {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
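Review bot: Dropping `static` from x509_info_subject_alt_name, x509_info_cert_type and x509_info_key_usage turns them into exported library symbols without the mbedtls_ prefix the rest of the public namespace uses; this follows the existing x509_get_key_usage precedent, but it widens the set of unprefixed externs an application can collide with, and if the tree runs a symbol-naming check in CI it may object. If the project prefers prefixed names for cross-module helpers, renaming them in the same commit (for example to `mbedtls_x509_info_key_usage`) would avoid a second churn later. The three function bodies continue outside their hunks and are otherwise unchanged here.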


@ -111,7 +111,19 @@ static int x509_csr_parse_extensions(mbedtls_x509_csr *csr,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
} }
if (mbedtls_oid_get_x509_ext_type(&extn_oid, &ext_type) == 0) { /*
* Detect supported extensions
*/
ret = mbedtls_oid_get_x509_ext_type(&extn_oid, &ext_type);
if (ret == 0) {
/* Forbid repeated extensions */
if ((csr->ext_types & ext_type) != 0) {
return MBEDTLS_ERR_X509_INVALID_EXTENSIONS;
}
csr->ext_types |= ext_type;
switch (ext_type) { switch (ext_type) {
case MBEDTLS_X509_EXT_KEY_USAGE: case MBEDTLS_X509_EXT_KEY_USAGE:
/* Parse key usage */ /* Parse key usage */
@ -497,6 +509,44 @@ int mbedtls_x509_csr_info(char *buf, size_t size, const char *prefix,
(int) mbedtls_pk_get_bitlen(&csr->pk)); (int) mbedtls_pk_get_bitlen(&csr->pk));
MBEDTLS_X509_SAFE_SNPRINTF; MBEDTLS_X509_SAFE_SNPRINTF;
/*
* Optional extensions
*/
if (csr->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) {
ret = mbedtls_snprintf(p, n, "\n%ssubject alt name :", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
if ((ret = x509_info_subject_alt_name(&p, &n,
&csr->subject_alt_names,
prefix)) != 0) {
return ret;
}
}
if (csr->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE) {
ret = mbedtls_snprintf(p, n, "\n%scert. type : ", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
if ((ret = x509_info_cert_type(&p, &n, csr->ns_cert_type)) != 0) {
return ret;
}
}
if (csr->ext_types & MBEDTLS_X509_EXT_KEY_USAGE) {
ret = mbedtls_snprintf(p, n, "\n%skey usage : ", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
if ((ret = x509_info_key_usage(&p, &n, csr->key_usage)) != 0) {
return ret;
}
}
if (csr->ext_types != 0) {
ret = mbedtls_snprintf(p, n, "\n");
MBEDTLS_X509_SAFE_SNPRINTF;
}
return (int) (size - n); return (int) (size - n);
} }
#endif /* MBEDTLS_X509_REMOVE_INFO */ #endif /* MBEDTLS_X509_REMOVE_INFO */
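Review bot: The trailing newline at the end of mbedtls_x509_csr_info is keyed on `csr->ext_types != 0`, but the parse hunk above sets a bit in ext_types for every OID that mbedtls_oid_get_x509_ext_type recognises, before the switch decides whether the CSR parser actually handles that type; if the switch's default branch (outside the hunk) simply ignores unhandled types, a CSR carrying only such an extension would print a bare `\n` after the key-size line with no extension text before it. Testing the bits that this function actually renders avoids that: `if (csr->ext_types & (MBEDTLS_X509_EXT_SUBJECT_ALT_NAME | MBEDTLS_X509_EXT_NS_CERT_TYPE | MBEDTLS_X509_EXT_KEY_USAGE)) {`. The repeated-extension rejection in x509_csr_parse_extensions is a welcome hardening against duplicate-extension ambiguity and needs no change. Both enclosing functions start outside their hunks.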