SEP Extensions
1. Added configure option to enable SEP extensions. 2. Enabled KEEP_PEER_CERT for the SEP configuration. 3. Copy the Certificate Policy extension into the cert as the device type. 4. Copy an other type Alt Name extension into the cert as the hwType and hwSerialNumber, if the alt name has a hardwareModuleName OID.
This commit is contained in:
parent
99b6c1d3c3
commit
43f320d5e2
14
configure.ac
14
configure.ac
@ -495,6 +495,18 @@ then
|
||||
fi
|
||||
|
||||
|
||||
# SEP
|
||||
AC_ARG_ENABLE([sep],
|
||||
[ --enable-sep Enable sep extensions (default: disabled)],
|
||||
[ ENABLED_SEP=$enableval ],
|
||||
[ ENABLED_SEP=no ]
|
||||
)
|
||||
if test "$ENABLED_SEP" = "yes"
|
||||
then
|
||||
AM_CFLAGS="-DCYASSL_SEP -DKEEP_PEER_CERT $AM_CFLAGS"
|
||||
fi
|
||||
|
||||
|
||||
# DSA
|
||||
AC_ARG_ENABLE([dsa],
|
||||
[ --enable-dsa Enable DSA (default: disabled)],
|
||||
@ -1063,7 +1075,7 @@ fi
|
||||
|
||||
# Maximum Fragment Length
|
||||
AC_ARG_ENABLE([maxfragment],
|
||||
[ --enable-maxfragment Enable Maximum Fragment Length (default: disabled)],
|
||||
[ --enable-maxfragment Enable Maximum Fragment Length (default: disabled)],
|
||||
[ ENABLED_MAX_FRAGMENT=$enableval ],
|
||||
[ ENABLED_MAX_FRAGMENT=no ]
|
||||
)
|
||||
|
@ -1266,6 +1266,14 @@ void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap)
|
||||
cert->afterDate = 0;
|
||||
cert->afterDateLen = 0;
|
||||
#endif /* CYASSL_CERT_GEN */
|
||||
#ifdef CYASSL_SEP
|
||||
cert->deviceTypeSz = 0;
|
||||
cert->deviceType = NULL;
|
||||
cert->hwTypeSz = 0;
|
||||
cert->hwType = NULL;
|
||||
cert->hwSerialNumSz = 0;
|
||||
cert->hwSerialNum = NULL;
|
||||
#endif /* CYASSL_SEP */
|
||||
}
|
||||
|
||||
|
||||
@ -1291,6 +1299,11 @@ void FreeDecodedCert(DecodedCert* cert)
|
||||
XFREE(cert->publicKey, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY);
|
||||
if (cert->altNames)
|
||||
FreeAltNames(cert->altNames, cert->heap);
|
||||
#ifdef CYASSL_SEP
|
||||
XFREE(cert->deviceType, cert->heap, 0);
|
||||
XFREE(cert->hwType, cert->heap, 0);
|
||||
XFREE(cert->hwSerialNum, cert->heap, 0);
|
||||
#endif /* CYASSL_SEP */
|
||||
}
|
||||
|
||||
|
||||
@ -2372,48 +2385,132 @@ static void DecodeAltNames(byte* input, int sz, DecodedCert* cert)
|
||||
}
|
||||
|
||||
while (length > 0) {
|
||||
DNS_entry* entry;
|
||||
int strLen;
|
||||
word lenStartIdx;
|
||||
byte b = input[idx++];
|
||||
|
||||
length--;
|
||||
|
||||
if (b != (ASN_CONTEXT_SPECIFIC | ASN_DNS_TYPE)) {
|
||||
/* Save DNS Type names in the altNames list. */
|
||||
/* Save Other Type names in the cert's OidMap */
|
||||
if (b == (ASN_CONTEXT_SPECIFIC | ASN_DNS_TYPE)) {
|
||||
DNS_entry* dnsEntry;
|
||||
int strLen;
|
||||
word32 lenStartIdx = idx;
|
||||
|
||||
if (GetLength(input, &idx, &strLen, sz) < 0) {
|
||||
CYASSL_MSG("\tfail: str length");
|
||||
return;
|
||||
}
|
||||
length -= (idx - lenStartIdx);
|
||||
|
||||
dnsEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap,
|
||||
DYNAMIC_TYPE_ALTNAME);
|
||||
if (dnsEntry == NULL) {
|
||||
CYASSL_MSG("\tOut of Memory");
|
||||
return;
|
||||
}
|
||||
|
||||
dnsEntry->name = (char*)XMALLOC(strLen + 1, cert->heap,
|
||||
DYNAMIC_TYPE_ALTNAME);
|
||||
if (dnsEntry->name == NULL) {
|
||||
CYASSL_MSG("\tOut of Memory");
|
||||
XFREE(dnsEntry, cert->heap, DYNAMIC_TYPE_ALTNAME);
|
||||
return;
|
||||
}
|
||||
|
||||
XMEMCPY(dnsEntry->name, &input[idx], strLen);
|
||||
dnsEntry->name[strLen] = '\0';
|
||||
|
||||
dnsEntry->next = cert->altNames;
|
||||
cert->altNames = dnsEntry;
|
||||
|
||||
length -= strLen;
|
||||
idx += strLen;
|
||||
}
|
||||
#ifdef CYASSL_SEP
|
||||
else if (b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | ASN_OTHER_TYPE))
|
||||
{
|
||||
int strLen;
|
||||
word32 lenStartIdx = idx;
|
||||
word32 oid = 0;
|
||||
|
||||
if (GetLength(input, &idx, &strLen, sz) < 0) {
|
||||
CYASSL_MSG("\tfail: other name length");
|
||||
return;
|
||||
}
|
||||
/* Consume the rest of this sequence. */
|
||||
length -= (strLen + idx - lenStartIdx);
|
||||
|
||||
if (GetObjectId(input, &idx, &oid, sz) < 0) {
|
||||
CYASSL_MSG("\tbad OID");
|
||||
return;
|
||||
}
|
||||
|
||||
if (oid != HW_NAME_OID) {
|
||||
CYASSL_MSG("\tincorrect OID");
|
||||
return;
|
||||
}
|
||||
|
||||
if (input[idx++] != (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) {
|
||||
CYASSL_MSG("\twrong type");
|
||||
return;
|
||||
}
|
||||
|
||||
if (GetLength(input, &idx, &strLen, sz) < 0) {
|
||||
CYASSL_MSG("\tfail: str len");
|
||||
return;
|
||||
}
|
||||
|
||||
if (GetSequence(input, &idx, &strLen, sz) < 0) {
|
||||
CYASSL_MSG("\tBad Sequence");
|
||||
return;
|
||||
}
|
||||
|
||||
if (input[idx++] != ASN_OBJECT_ID) {
|
||||
CYASSL_MSG("\texpected OID");
|
||||
return;
|
||||
}
|
||||
|
||||
if (GetLength(input, &idx, &strLen, sz) < 0) {
|
||||
CYASSL_MSG("\tfailed: str len");
|
||||
return;
|
||||
}
|
||||
|
||||
cert->hwType = (byte*)XMALLOC(strLen, cert->heap, 0);
|
||||
if (cert->hwType == NULL) {
|
||||
CYASSL_MSG("\tOut of Memory");
|
||||
return;
|
||||
}
|
||||
|
||||
XMEMCPY(cert->hwType, &input[idx], strLen);
|
||||
cert->hwTypeSz = strLen;
|
||||
idx += strLen;
|
||||
|
||||
if (input[idx++] != ASN_OCTET_STRING) {
|
||||
CYASSL_MSG("\texpected Octet String");
|
||||
return;
|
||||
}
|
||||
|
||||
if (GetLength(input, &idx, &strLen, sz) < 0) {
|
||||
CYASSL_MSG("\tfailed: str len");
|
||||
return;
|
||||
}
|
||||
|
||||
cert->hwSerialNum = (byte*)XMALLOC(strLen + 1, cert->heap, 0);
|
||||
if (cert->hwSerialNum == NULL) {
|
||||
CYASSL_MSG("\tOut of Memory");
|
||||
return;
|
||||
}
|
||||
|
||||
XMEMCPY(cert->hwSerialNum, &input[idx], strLen);
|
||||
cert->hwSerialNum[strLen] = '\0';
|
||||
cert->hwSerialNumSz = strLen;
|
||||
idx += strLen;
|
||||
}
|
||||
#endif /* CYASSL_SEP */
|
||||
else {
|
||||
CYASSL_MSG("\tNot DNS type");
|
||||
return;
|
||||
}
|
||||
|
||||
lenStartIdx = idx;
|
||||
if (GetLength(input, &idx, &strLen, sz) < 0) {
|
||||
CYASSL_MSG("\tfail: str length");
|
||||
return;
|
||||
}
|
||||
length -= (int)(idx - lenStartIdx);
|
||||
|
||||
entry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap,
|
||||
DYNAMIC_TYPE_ALTNAME);
|
||||
if (entry == NULL) {
|
||||
CYASSL_MSG("\tOut of Memory");
|
||||
return;
|
||||
}
|
||||
|
||||
entry->name = (char*)XMALLOC(strLen + 1, cert->heap,
|
||||
DYNAMIC_TYPE_ALTNAME);
|
||||
if (entry->name == NULL) {
|
||||
CYASSL_MSG("\tOut of Memory");
|
||||
XFREE(entry, cert->heap, DYNAMIC_TYPE_ALTNAME);
|
||||
return;
|
||||
}
|
||||
|
||||
XMEMCPY(entry->name, &input[idx], strLen);
|
||||
entry->name[strLen] = '\0';
|
||||
|
||||
entry->next = cert->altNames;
|
||||
cert->altNames = entry;
|
||||
|
||||
length -= strLen;
|
||||
idx += strLen;
|
||||
}
|
||||
}
|
||||
|
||||
@ -2643,6 +2740,50 @@ static void DecodeSubjKeyId(byte* input, int sz, DecodedCert* cert)
|
||||
}
|
||||
|
||||
|
||||
#ifdef CYASSL_SEP
|
||||
static void DecodeCertPolicy(byte* input, int sz, DecodedCert* cert)
|
||||
{
|
||||
word32 idx = 0;
|
||||
int length = 0;
|
||||
|
||||
CYASSL_ENTER("DecodeCertPolicy");
|
||||
|
||||
/* Unwrap certificatePolicies */
|
||||
if (GetSequence(input, &idx, &length, sz) < 0) {
|
||||
CYASSL_MSG("\tdeviceType isn't OID");
|
||||
return;
|
||||
}
|
||||
|
||||
if (GetSequence(input, &idx, &length, sz) < 0) {
|
||||
CYASSL_MSG("\tdeviceType isn't OID");
|
||||
return;
|
||||
}
|
||||
|
||||
if (input[idx++] != ASN_OBJECT_ID) {
|
||||
CYASSL_MSG("\tdeviceType isn't OID");
|
||||
return;
|
||||
}
|
||||
|
||||
if (GetLength(input, &idx, &length, sz) < 0) {
|
||||
CYASSL_MSG("\tCouldn't read length of deviceType");
|
||||
return;
|
||||
}
|
||||
|
||||
if (length > 0) {
|
||||
cert->deviceType = (byte*)XMALLOC(length, cert->heap, 0);
|
||||
if (cert->deviceType == NULL) {
|
||||
CYASSL_MSG("\tCouldn't alloc memory for deviceType");
|
||||
return;
|
||||
}
|
||||
cert->deviceTypeSz = length;
|
||||
XMEMCPY(cert->deviceType, input + idx, length);
|
||||
}
|
||||
|
||||
CYASSL_LEAVE("DecodeCertPolicy", 0);
|
||||
}
|
||||
#endif /* CYASSL_SEP */
|
||||
|
||||
|
||||
static void DecodeCertExtensions(DecodedCert* cert)
|
||||
/*
|
||||
* Processing the Certificate Extensions. This does not modify the current
|
||||
@ -2719,6 +2860,12 @@ static void DecodeCertExtensions(DecodedCert* cert)
|
||||
DecodeSubjKeyId(&input[idx], length, cert);
|
||||
break;
|
||||
|
||||
#ifdef CYASSL_SEP
|
||||
case CERT_POLICY_OID:
|
||||
DecodeCertPolicy(&input[idx], length, cert);
|
||||
break;
|
||||
#endif
|
||||
|
||||
default:
|
||||
CYASSL_MSG("\tExtension type not handled, skipping");
|
||||
break;
|
||||
@ -2726,6 +2873,7 @@ static void DecodeCertExtensions(DecodedCert* cert)
|
||||
idx += length;
|
||||
}
|
||||
|
||||
CYASSL_LEAVE("DecodeCertExtensions", 0);
|
||||
return;
|
||||
}
|
||||
|
||||
@ -5353,3 +5501,9 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
|
||||
#endif /* HAVE_CRL */
|
||||
#endif
|
||||
|
||||
#ifdef CYASSL_SEP
|
||||
|
||||
|
||||
|
||||
#endif /* CYASSL_SEP */
|
||||
|
||||
|
@ -62,6 +62,7 @@ enum ASN_Tags {
|
||||
ASN_SEQUENCE = 0x10,
|
||||
ASN_SET = 0x11,
|
||||
ASN_UTC_TIME = 0x17,
|
||||
ASN_OTHER_TYPE = 0x00,
|
||||
ASN_DNS_TYPE = 0x02,
|
||||
ASN_GENERALIZED_TIME = 0x18,
|
||||
CRL_EXTENSIONS = 0xa0,
|
||||
@ -189,13 +190,22 @@ enum KDF_Sum {
|
||||
|
||||
|
||||
enum Extensions_Sum {
|
||||
BASIC_CA_OID = 133,
|
||||
ALT_NAMES_OID = 131,
|
||||
CRL_DIST_OID = 145,
|
||||
AUTH_INFO_OID = 69,
|
||||
CA_ISSUER_OID = 117,
|
||||
AUTH_KEY_OID = 149,
|
||||
SUBJ_KEY_OID = 128
|
||||
BASIC_CA_OID = 133,
|
||||
ALT_NAMES_OID = 131,
|
||||
CRL_DIST_OID = 145,
|
||||
AUTH_INFO_OID = 69,
|
||||
CA_ISSUER_OID = 117,
|
||||
AUTH_KEY_OID = 149,
|
||||
SUBJ_KEY_OID = 128,
|
||||
CERT_POLICY_OID = 146
|
||||
};
|
||||
|
||||
enum CertificatePolicy_Sum {
|
||||
CP_ANY_OID = 146 /* id-ce 32 0 */
|
||||
};
|
||||
|
||||
enum SepHardwareName_Sum {
|
||||
HW_NAME_OID = 79 /* 1.3.6.1.5.5.7.8.4 from RFC 4108*/
|
||||
};
|
||||
|
||||
|
||||
@ -277,6 +287,14 @@ struct DecodedCert {
|
||||
byte* afterDate;
|
||||
int afterDateLen;
|
||||
#endif /* CYASSL_CERT_GEN */
|
||||
#ifdef CYASSL_SEP
|
||||
int deviceTypeSz;
|
||||
byte* deviceType;
|
||||
int hwTypeSz;
|
||||
byte* hwType;
|
||||
int hwSerialNumSz;
|
||||
byte* hwSerialNum;
|
||||
#endif /* CYASSL_SEP */
|
||||
};
|
||||
|
||||
#ifdef SHA_DIGEST_SIZE
|
||||
|
Loading…
Reference in New Issue
Block a user