From 04e22b0747a41bf56ca0dfce3d15e208720c7ef9 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh <jacob@wolfssl.com>
Date: Fri, 11 Dec 2020 10:00:11 +0700
Subject: [PATCH] add restriction to excluded DIR name constraint

---
 certs/test/cert-ext-ndir-exc.cfg |  24 +++++++++++++++++++
 certs/test/cert-ext-ndir-exc.der | Bin 0 -> 1281 bytes
 certs/test/gen-ext-certs.sh      |  32 ++++++++++++++++++++++++++
 certs/test/include.am            |   2 ++
 tests/api.c                      |  38 ++++++++++++++++++++++++++++---
 wolfcrypt/src/asn.c              |  19 ++++++++++++++++
 6 files changed, 112 insertions(+), 3 deletions(-)
 create mode 100644 certs/test/cert-ext-ndir-exc.cfg
 create mode 100644 certs/test/cert-ext-ndir-exc.der

diff --git a/certs/test/cert-ext-ndir-exc.cfg b/certs/test/cert-ext-ndir-exc.cfg
new file mode 100644
index 000000000..8d66b8a07
--- /dev/null
+++ b/certs/test/cert-ext-ndir-exc.cfg
@@ -0,0 +1,24 @@
+[ req ]
+distinguished_name = req_distinguished_name
+prompt             = no
+x509_extensions    = constraints
+
+[ req_distinguished_name ]
+C             = US
+ST            = Montana
+L             = Bozeman
+O             = Sawtooth
+OU            = Consulting
+CN            = www.wolfssl.com
+emailAddress  = info@wolfsssl.com
+
+[constraints]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints=CA:TRUE
+nameConstraints=critical,excluded;dirName:dir_name_exclude
+
+[dir_name_exclude]
+countryName = US
+stateOrProvinceName = California
+
diff --git a/certs/test/cert-ext-ndir-exc.der b/certs/test/cert-ext-ndir-exc.der
new file mode 100644
index 0000000000000000000000000000000000000000..19afbab840a90d09b8b50c8658fb48465f70ec88
GIT binary patch
literal 1281
zcmXqLV)<*(#QbytGZP~dlZb}T2I*f+%_<A+SLJ!+J@@Qzj(BIl%f_kI=F#?@mywa1
zmBFBKsv)-lCmVAp3!5-gXt1Gx0UwCN!NcyGpI4HYmk1MK=V5osuS(5L%rg`;;0LMU
z;^7EREHBB=FUc?zHV^~}ar1CF=jRod=9FaSr5j2Zh=Bx|dHBoA%k|3hbJB{7bM%t)
za}5;?<lxTWWE2z3%uCC6fGB{dFpv}HH8L<XGBh+WGBq|fiUM+t4J-}Jq1-|1?j}Yh
z<RE5bWngY%<YzEwV&r0KVq|34&vQywWRqNrQ}kI2d9P2tr2-$fna;m|s+M`i<u&)1
z)81))ys@D+k3EE2V1}Y^!)YOf=V$!yxz?U6DmQv{YQpZ!AOU9m6`!Xb{n(upCjCA=
ze~EzO)U{l*A1^(y;Zi|afI;+%7aTe@Z<jBs>b206S#$jDr<$o7rZ&}j##o#!SAD;?
zp)`1kjqR!A==q{sFUtz+OJ20OU1oJ=NA1a{hpyjp$iJa@r&!uaH+arJsXw)=tIX_Y
z+-s>}O+S|<V$r_xW6#!%(;4-J3ff;6B!3OlU#xa%d;Z2K@#_{dIsQ$K$p3d(*powy
zd%15qLy%#*vfqrifv&PUS#EN_xuLPyd+%GbN+xDT2FArrjE=w%u{DqdrVm*@7BLnP
z^}ck$lEZ4U_HT`oH!ry%Yw+~NRfEQ>AbDk$#<K>Ery8)TS=cyxN#l&cnjD(2=RqEj
zw}e?(4VW1j{~MTrcyd4%i;jWTLJb48B`O9=sJRlFy*Pl`D={ZCEx#x)GZ8tN0dq1i
znK3fVa8i1*{oG!?;uWut2Pnr&M>}lwh-}wAqvzRGa+-yYpLgME^J#@VZ}r<xoMnxj
z5IC>B^Px%Lzl&_jMtAPU*C^gExtOr{YWl1RU!Mz|ICo=Cp|I2qi}$}$m<9Xy_sh?{
zt7Lof;f9oBXG}M!R7d72ymRB|`FJ`Y(J)x6bmi&CYg6~!3RFnw?ft$rxx;ItzVflh
zzd2g;i<u?sf*V7clpiloeS9R${y^L0tJ|;ct-1Z!Q!wN8%bU${`DZ6atuOj;?}*xJ
z&3lsaj~wp(C`g&bUcX{%;H26Zx7!!4%!^+=DJOL8xpU{PwW|79ym+%JDq3k`MS#uO
SU0V09D>6S&ySu`C>mdNlSj1BR

literal 0
HcmV?d00001

diff --git a/certs/test/gen-ext-certs.sh b/certs/test/gen-ext-certs.sh
index 65ce2124c..e418157ab 100755
--- a/certs/test/gen-ext-certs.sh
+++ b/certs/test/gen-ext-certs.sh
@@ -128,3 +128,35 @@ countryName = US
 EOF
 gen_cert
 
+OUT=certs/test/cert-ext-ndir-exc.der
+KEYFILE=certs/ca-key.der
+CONFIG=certs/test/cert-ext-ndir-exc.cfg
+tee >$CONFIG <<EOF
+[ req ]
+distinguished_name = req_distinguished_name
+prompt             = no
+x509_extensions    = constraints
+
+[ req_distinguished_name ]
+C             = US
+ST            = Montana
+L             = Bozeman
+O             = Sawtooth
+OU            = Consulting
+CN            = www.wolfssl.com
+emailAddress  = info@wolfsssl.com
+
+[constraints]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints=CA:TRUE
+nameConstraints=critical,excluded;dirName:dir_name_exclude
+
+[dir_name_exclude]
+countryName = US
+stateOrProvinceName = California
+
+EOF
+gen_cert
+
+
diff --git a/certs/test/include.am b/certs/test/include.am
index ca9822032..588603380 100644
--- a/certs/test/include.am
+++ b/certs/test/include.am
@@ -12,6 +12,8 @@ EXTRA_DIST += \
          certs/test/cert-ext-ndir.cfg \
          certs/test/cert-ext-ndir.der \
          certs/test/cert-ext-ns.der \
+         certs/test/cert-ext-ndir-exc.cfg \
+         certs/test/cert-ext-ndir-exc.der \
          certs/test/gen-ext-certs.sh \
          certs/test/server-duplicate-policy.pem \
          certs/test/cert-ext-joi.pem
diff --git a/tests/api.c b/tests/api.c
index 9e81ac409..d361e8caf 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -1274,7 +1274,8 @@ static void test_wolfSSL_CertManagerNameConstraint2(void)
     !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \
     defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \
     defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES)
-    const char* ca_cert = "./certs/test/cert-ext-ndir.der";
+    const char* ca_cert  = "./certs/test/cert-ext-ndir.der";
+    const char* ca_cert2 = "./certs/test/cert-ext-ndir-exc.der";
     const char* server_cert = "./certs/server-cert.pem";
     WOLFSSL_CERT_MANAGER* cm;
     WOLFSSL_X509 *x509, *ca;
@@ -1297,6 +1298,15 @@ static void test_wolfSSL_CertManagerNameConstraint2(void)
         0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x49, 0x44
     };
 
+    /* C=US ST=California*/
+    char altNameExc[] = {
+        0x30, 0x22,
+        0x31, 0x0B,
+        0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53,
+        0x31, 0x13,
+        0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A,
+        0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61
+    };
     /* load in CA private key for signing */
     pt = ca_key_der_2048;
     AssertNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, &pt,
@@ -1337,7 +1347,6 @@ static void test_wolfSSL_CertManagerNameConstraint2(void)
     wolfSSL_X509_add_altname_ex(x509, altNameFail, sizeof(altNameFail),
             ASN_DIR_TYPE);
 
-
     wolfSSL_X509_sign(x509, priv, EVP_sha256());
     AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
     AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
@@ -1346,7 +1355,30 @@ static void test_wolfSSL_CertManagerNameConstraint2(void)
 
     wolfSSL_X509_free(x509);
     wolfSSL_X509_free(ca);
-    wolfSSL_X509_MAME_free(name);
+
+    /* now test with excluded name constraint */
+    AssertNotNull(cm = wolfSSL_CertManagerNew());
+    AssertNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert2,
+                WOLFSSL_FILETYPE_ASN1));
+    AssertNotNull((der = wolfSSL_X509_get_der(ca, &derSz)));
+    AssertIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
+                WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
+
+    AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
+                WOLFSSL_FILETYPE_PEM));
+    wolfSSL_X509_add_altname_ex(x509, altNameExc, sizeof(altNameExc),
+            ASN_DIR_TYPE);
+    AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
+    AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
+
+    wolfSSL_X509_sign(x509, priv, EVP_sha256());
+    AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
+    AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
+                WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E);
+    wolfSSL_CertManagerFree(cm);
+    wolfSSL_X509_free(x509);
+    wolfSSL_X509_free(ca);
+
     wolfSSL_EVP_PKEY_free(priv);
 #endif
 }
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index d509e89c6..7815cca3f 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -7628,6 +7628,25 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
                                                         base->nameSz) == 0) {
                         return 0;
                     }
+                    #ifndef WOLFSSL_NO_ASN_STRICT
+                    /* RFC 5280 section 4.2.1.10
+                       "Restrictions of the form directoryName MUST be
+                        applied to the subject field .... and to any names
+                        of type directoryName in the subjectAltName
+                        extension"
+                    */
+                    if (cert->altDirNames != NULL) {
+                        DNS_entry* cur = cert->altDirNames;
+                        while (cur != NULL) {
+                            if (XMEMCMP(cur->name, base->name, base->nameSz)
+                                    == 0) {
+                                WOLFSSL_MSG("DIR alt name constraint err");
+                                return 0;
+                            }
+                            cur = cur->next;
+                        }
+                    }
+                    #endif /* !WOLFSSL_NO_ASN_STRICT */
                     break;
                 }
             }; /* switch */