SEP Extensions

1. Added configure option to enable SEP extensions.
2. Enabled KEEP_PEER_CERT for the SEP configuration.
3. Copy the Certificate Policy extension into the cert as the
   device type.
4. Copy an other type Alt Name extension into the cert as the
   hwType and hwSerialNumber, if the alt name has a
   hardwareModuleName OID.
John Safranek 2013-06-25 16:26:53 -07:00
parent 99b6c1d3c3
commit 43f320d5e2
3 changed files with 227 additions and 43 deletions


@ -495,6 +495,18 @@ then
fi
# SEP
AC_ARG_ENABLE([sep],
[ --enable-sep Enable sep extensions (default: disabled)],
[ ENABLED_SEP=$enableval ],
[ ENABLED_SEP=no ]
)
if test "$ENABLED_SEP" = "yes"
then
AM_CFLAGS="-DCYASSL_SEP -DKEEP_PEER_CERT $AM_CFLAGS"
fi
# DSA
AC_ARG_ENABLE([dsa],
[ --enable-dsa Enable DSA (default: disabled)],
@ -1063,7 +1075,7 @@ fi
# Maximum Fragment Length
AC_ARG_ENABLE([maxfragment],
[ --enable-maxfragment Enable Maximum Fragment Length (default: disabled)],
[ --enable-maxfragment Enable Maximum Fragment Length (default: disabled)],
[ ENABLED_MAX_FRAGMENT=$enableval ],
[ ENABLED_MAX_FRAGMENT=no ]
)


@ -1266,6 +1266,14 @@ void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap)
cert->afterDate = 0;
cert->afterDateLen = 0;
#endif /* CYASSL_CERT_GEN */
#ifdef CYASSL_SEP
cert->deviceTypeSz = 0;
cert->deviceType = NULL;
cert->hwTypeSz = 0;
cert->hwType = NULL;
cert->hwSerialNumSz = 0;
cert->hwSerialNum = NULL;
#endif /* CYASSL_SEP */
}
@ -1291,6 +1299,11 @@ void FreeDecodedCert(DecodedCert* cert)
XFREE(cert->publicKey, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY);
if (cert->altNames)
FreeAltNames(cert->altNames, cert->heap);
#ifdef CYASSL_SEP
XFREE(cert->deviceType, cert->heap, 0);
XFREE(cert->hwType, cert->heap, 0);
XFREE(cert->hwSerialNum, cert->heap, 0);
#endif /* CYASSL_SEP */
}
@ -2372,48 +2385,132 @@ static void DecodeAltNames(byte* input, int sz, DecodedCert* cert)
}
while (length > 0) {
DNS_entry* entry;
int strLen;
word lenStartIdx;
byte b = input[idx++];
length--;
if (b != (ASN_CONTEXT_SPECIFIC | ASN_DNS_TYPE)) {
/* Save DNS Type names in the altNames list. */
/* Save Other Type names in the cert's OidMap */
if (b == (ASN_CONTEXT_SPECIFIC | ASN_DNS_TYPE)) {
DNS_entry* dnsEntry;
int strLen;
word32 lenStartIdx = idx;
if (GetLength(input, &idx, &strLen, sz) < 0) {
CYASSL_MSG("\tfail: str length");
return;
}
length -= (idx - lenStartIdx);
dnsEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap,
DYNAMIC_TYPE_ALTNAME);
if (dnsEntry == NULL) {
CYASSL_MSG("\tOut of Memory");
return;
}
dnsEntry->name = (char*)XMALLOC(strLen + 1, cert->heap,
DYNAMIC_TYPE_ALTNAME);
if (dnsEntry->name == NULL) {
CYASSL_MSG("\tOut of Memory");
XFREE(dnsEntry, cert->heap, DYNAMIC_TYPE_ALTNAME);
return;
}
XMEMCPY(dnsEntry->name, &input[idx], strLen);
dnsEntry->name[strLen] = '\0';
dnsEntry->next = cert->altNames;
cert->altNames = dnsEntry;
length -= strLen;
idx += strLen;
}
#ifdef CYASSL_SEP
else if (b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | ASN_OTHER_TYPE))
{
int strLen;
word32 lenStartIdx = idx;
word32 oid = 0;
if (GetLength(input, &idx, &strLen, sz) < 0) {
CYASSL_MSG("\tfail: other name length");
return;
}
/* Consume the rest of this sequence. */
length -= (strLen + idx - lenStartIdx);
if (GetObjectId(input, &idx, &oid, sz) < 0) {
CYASSL_MSG("\tbad OID");
return;
}
if (oid != HW_NAME_OID) {
CYASSL_MSG("\tincorrect OID");
return;
}
if (input[idx++] != (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) {
CYASSL_MSG("\twrong type");
return;
}
if (GetLength(input, &idx, &strLen, sz) < 0) {
CYASSL_MSG("\tfail: str len");
return;
}
if (GetSequence(input, &idx, &strLen, sz) < 0) {
CYASSL_MSG("\tBad Sequence");
return;
}
if (input[idx++] != ASN_OBJECT_ID) {
CYASSL_MSG("\texpected OID");
return;
}
if (GetLength(input, &idx, &strLen, sz) < 0) {
CYASSL_MSG("\tfailed: str len");
return;
}
cert->hwType = (byte*)XMALLOC(strLen, cert->heap, 0);
if (cert->hwType == NULL) {
CYASSL_MSG("\tOut of Memory");
return;
}
XMEMCPY(cert->hwType, &input[idx], strLen);
cert->hwTypeSz = strLen;
idx += strLen;
if (input[idx++] != ASN_OCTET_STRING) {
CYASSL_MSG("\texpected Octet String");
return;
}
if (GetLength(input, &idx, &strLen, sz) < 0) {
CYASSL_MSG("\tfailed: str len");
return;
}
cert->hwSerialNum = (byte*)XMALLOC(strLen + 1, cert->heap, 0);
if (cert->hwSerialNum == NULL) {
CYASSL_MSG("\tOut of Memory");
return;
}
XMEMCPY(cert->hwSerialNum, &input[idx], strLen);
cert->hwSerialNum[strLen] = '\0';
cert->hwSerialNumSz = strLen;
idx += strLen;
}
#endif /* CYASSL_SEP */
else {
CYASSL_MSG("\tNot DNS type");
return;
}
lenStartIdx = idx;
if (GetLength(input, &idx, &strLen, sz) < 0) {
CYASSL_MSG("\tfail: str length");
return;
}
length -= (int)(idx - lenStartIdx);
entry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap,
DYNAMIC_TYPE_ALTNAME);
if (entry == NULL) {
CYASSL_MSG("\tOut of Memory");
return;
}
entry->name = (char*)XMALLOC(strLen + 1, cert->heap,
DYNAMIC_TYPE_ALTNAME);
if (entry->name == NULL) {
CYASSL_MSG("\tOut of Memory");
XFREE(entry, cert->heap, DYNAMIC_TYPE_ALTNAME);
return;
}
XMEMCPY(entry->name, &input[idx], strLen);
entry->name[strLen] = '\0';
entry->next = cert->altNames;
cert->altNames = entry;
length -= strLen;
idx += strLen;
}
}
@ -2643,6 +2740,50 @@ static void DecodeSubjKeyId(byte* input, int sz, DecodedCert* cert)
}
#ifdef CYASSL_SEP
static void DecodeCertPolicy(byte* input, int sz, DecodedCert* cert)
{
word32 idx = 0;
int length = 0;
CYASSL_ENTER("DecodeCertPolicy");
/* Unwrap certificatePolicies */
if (GetSequence(input, &idx, &length, sz) < 0) {
CYASSL_MSG("\tdeviceType isn't OID");
return;
}
if (GetSequence(input, &idx, &length, sz) < 0) {
CYASSL_MSG("\tdeviceType isn't OID");
return;
}
if (input[idx++] != ASN_OBJECT_ID) {
CYASSL_MSG("\tdeviceType isn't OID");
return;
}
if (GetLength(input, &idx, &length, sz) < 0) {
CYASSL_MSG("\tCouldn't read length of deviceType");
return;
}
if (length > 0) {
cert->deviceType = (byte*)XMALLOC(length, cert->heap, 0);
if (cert->deviceType == NULL) {
CYASSL_MSG("\tCouldn't alloc memory for deviceType");
return;
}
cert->deviceTypeSz = length;
XMEMCPY(cert->deviceType, input + idx, length);
}
CYASSL_LEAVE("DecodeCertPolicy", 0);
}
#endif /* CYASSL_SEP */
static void DecodeCertExtensions(DecodedCert* cert)
/*
* Processing the Certificate Extensions. This does not modify the current
@ -2719,6 +2860,12 @@ static void DecodeCertExtensions(DecodedCert* cert)
DecodeSubjKeyId(&input[idx], length, cert);
break;
#ifdef CYASSL_SEP
case CERT_POLICY_OID:
DecodeCertPolicy(&input[idx], length, cert);
break;
#endif
default:
CYASSL_MSG("\tExtension type not handled, skipping");
break;
@ -2726,6 +2873,7 @@ static void DecodeCertExtensions(DecodedCert* cert)
idx += length;
}
CYASSL_LEAVE("DecodeCertExtensions", 0);
return;
}
@ -5353,3 +5501,9 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
#endif /* HAVE_CRL */
#endif
#ifdef CYASSL_SEP
#endif /* CYASSL_SEP */
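Review bot: In the new CYASSL_SEP otherName branch of DecodeAltNames, `length -= (strLen + idx - lenStartIdx);` charges the whole otherName to the loop counter, but idx is afterwards advanced only by the nested fields that get parsed, so any trailing bytes inside the otherName (or nested lengths that do not add up to strLen) leave idx and length disagreeing and the next loop iteration reads its tag byte from the wrong offset; record `word32 endIdx = idx + strLen;` right after that GetLength and end the branch with `idx = endIdx;`. The nested GetObjectId/GetLength/GetSequence calls are bounded by sz rather than by the otherName's own end, and the three `input[idx++]` tag reads before them are not bounds-checked at all, so passing endIdx as the limit and checking `idx < endIdx` before each tag read keeps a short inner structure from being parsed past the otherName (the outer loop's own tag read has the same pre-existing pattern, and this presumes GetLength already rejects lengths running past its limit, as the DNS branch relies on). A second hardwareModuleName otherName overwrites cert->hwType and cert->hwSerialNum without freeing the first allocation, so either XFREE before reassigning or reject the duplicate. Separately, the two GetSequence failures in DecodeCertPolicy log `"\tdeviceType isn't OID"`, which describes the wrong check, and the `#ifdef CYASSL_SEP` / `#endif` pair appended at the end of the file encloses nothing.
```c
else if (b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | ASN_OTHER_TYPE))
{
    int strLen;
    word32 lenStartIdx = idx;
    word32 endIdx;
    word32 oid = 0;

    if (GetLength(input, &idx, &strLen, sz) < 0) {
        CYASSL_MSG("\tfail: other name length");
        return;
    }
    /* Everything up to endIdx belongs to this otherName. */
    endIdx = idx + strLen;
    length -= (strLen + idx - lenStartIdx);
    /* … unchanged: OID check and nested tag/length parsing, with endIdx
     * passed as the limit instead of sz and idx < endIdx checked before
     * each input[idx++] tag read … */
    if (cert->hwType != NULL) {
        CYASSL_MSG("\tduplicate hardwareModuleName");
        return;
    }
    cert->hwType = (byte*)XMALLOC(strLen, cert->heap, 0);
    /* … unchanged: hwType and hwSerialNum copies … */
    idx = endIdx;
}
```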


@ -62,6 +62,7 @@ enum ASN_Tags {
ASN_SEQUENCE = 0x10,
ASN_SET = 0x11,
ASN_UTC_TIME = 0x17,
ASN_OTHER_TYPE = 0x00,
ASN_DNS_TYPE = 0x02,
ASN_GENERALIZED_TIME = 0x18,
CRL_EXTENSIONS = 0xa0,
@ -189,13 +190,22 @@ enum KDF_Sum {
enum Extensions_Sum {
BASIC_CA_OID = 133,
ALT_NAMES_OID = 131,
CRL_DIST_OID = 145,
AUTH_INFO_OID = 69,
CA_ISSUER_OID = 117,
AUTH_KEY_OID = 149,
SUBJ_KEY_OID = 128
BASIC_CA_OID = 133,
ALT_NAMES_OID = 131,
CRL_DIST_OID = 145,
AUTH_INFO_OID = 69,
CA_ISSUER_OID = 117,
AUTH_KEY_OID = 149,
SUBJ_KEY_OID = 128,
CERT_POLICY_OID = 146
};
enum CertificatePolicy_Sum {
CP_ANY_OID = 146 /* id-ce 32 0 */
};
enum SepHardwareName_Sum {
HW_NAME_OID = 79 /* 1.3.6.1.5.5.7.8.4 from RFC 4108*/
};
@ -277,6 +287,14 @@ struct DecodedCert {
byte* afterDate;
int afterDateLen;
#endif /* CYASSL_CERT_GEN */
#ifdef CYASSL_SEP
int deviceTypeSz;
byte* deviceType;
int hwTypeSz;
byte* hwType;
int hwSerialNumSz;
byte* hwSerialNum;
#endif /* CYASSL_SEP */
};
#ifdef SHA_DIGEST_SIZE
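Review bot: The six DecodedCert fields added under CYASSL_SEP carry no comment saying what they hold or who frees them, which matters because the three buffers follow different conventions: from the asn.c hunks, deviceType and hwType receive raw OID content bytes with no terminator, hwSerialNum gets a trailing NUL beyond hwSerialNumSz, and all three are released by FreeDecodedCert. A short comment on the block, such as `/* SEP: deviceType and hwType are raw OID bytes (no NUL); hwSerialNum is NUL-terminated; all owned by the cert and freed in FreeDecodedCert */`, would keep a caller from treating the OID buffers as C strings. CERT_POLICY_OID is also the only new enumerator without the dotted-OID comment its neighbours CP_ANY_OID and HW_NAME_OID carry, and since it has the same sum value 146 as CP_ANY_OID, `CERT_POLICY_OID = 146 /* id-ce 32 */` would make clear which object it names.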