diff --git a/src/ssl.c b/src/ssl.c
index c00d95da0..6aed893c6 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -14936,8 +14936,8 @@ static void ExternalFreeX509(WOLFSSL_X509* x509)
 textSz = name->fullName.dcLen;
 break;
 default:
- WOLFSSL_MSG("Unknown NID value");
- return -1;
+ WOLFSSL_MSG("Entry type not found");
+ return SSL_FATAL_ERROR;
 }
 /* if buf is NULL return size of buffer needed (minus null char) */
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 55923a995..40f39f49c 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -3895,17 +3895,6 @@ static int GetName(DecodedCert* cert, int nameType)
 dName->snLen = strLen;
 #endif /* OPENSSL_EXTRA */
 }
- else if (id == ASN_DOMAIN_COMPONENT) {
- if (!tooBig) {
- XMEMCPY(&full[idx], "/domainComponent=", 17);
- idx += 17;
- copy = TRUE;
- }
- #ifdef OPENSSL_EXTRA
- dName->dcIdx = cert->srcIdx;
- dName->dcLen = strLen;
- #endif /* OPENSSL_EXTRA */
- }
 if (copy && !tooBig) {
 XMEMCPY(&full[idx], &cert->source[cert->srcIdx], strLen);
 idx += strLen;
@@ -3916,14 +3905,18 @@ static int GetName(DecodedCert* cert, int nameType)
 else { /* skip */
 byte email = FALSE;
- byte uid = FALSE;
+ byte pilot = FALSE;
+ byte id = 0;
 int adv;
 if (joint[0] == 0x2a && joint[1] == 0x86) /* email id hdr */
 email = TRUE;
- if (joint[0] == 0x9 && joint[1] == 0x92) /* uid id hdr */
- uid = TRUE;
+ if (joint[0] == 0x9 && joint[1] == 0x92) { /* uid id hdr */
+ /* last value of OID is the type of pilot attribute */
+ id = cert->source[cert->srcIdx + oidSz - 1];
+ pilot = TRUE;
+ }
 cert->srcIdx += oidSz + 1;
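Review bot: `id = cert->source[cert->srcIdx + oidSz - 1];` takes the pilot attribute type from the last byte of the OID after matching only the two bytes in `joint`, so it relies on `oidSz` being at least as long as that prefix; whether `oidSz` is already bounded against `cert->maxIdx` and against `sizeof(joint)` is decided above this hunk, and if a shorter OID can reach here the byte used as `id` lies outside the OID. A local guard makes the assumption explicit, `if (joint[0] == 0x9 && joint[1] == 0x92 && oidSz >= 3) { /* pilot attribute hdr */`. The retained `/* uid id hdr */` comment is now stale, since the branch sets the new `pilot` flag for every attribute under that arc, not only UID. GetName starts before this hunk and continues past it.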
@@ -3986,22 +3979,38 @@ static int GetName(DecodedCert* cert, int nameType)
 }
 }
- if (uid) {
+ if (pilot) {
 if ( (5 + adv) > (int)(ASN_NAME_MAX - idx)) {
 WOLFSSL_MSG("ASN name too big, skipping");
 tooBig = TRUE;
 }
 if (!tooBig) {
- XMEMCPY(&full[idx], "/UID=", 5);
- idx += 5;
+ switch (id) {
+ case ASN_USER_ID:
+ XMEMCPY(&full[idx], "/UID=", 5);
+ idx += 5;
+ #ifdef OPENSSL_EXTRA
+ dName->uidIdx = cert->srcIdx;
+ dName->uidLen = adv;
+ #endif /* OPENSSL_EXTRA */
+ break;
+ case ASN_DOMAIN_COMPONENT:
+ XMEMCPY(&full[idx], "/DC=", 4);
+ idx += 4;
+ #ifdef OPENSSL_EXTRA
+ dName->dcIdx = cert->srcIdx;
+ dName->dcLen = adv;
+ #endif /* OPENSSL_EXTRA */
+ break;
+
+ default:
+ WOLFSSL_MSG("Unknown pilot attribute type");
+ return ASN_PARSE_E;
+ }
 XMEMCPY(&full[idx], &cert->source[cert->srcIdx], adv);
 idx += adv;
 }
- #ifdef OPENSSL_EXTRA
- dName->uidIdx = cert->srcIdx;
- dName->uidLen = adv;
- #endif /* OPENSSL_EXTRA */
 }
 cert->srcIdx += adv;
@@ -4033,6 +4042,8 @@ static int GetName(DecodedCert* cert, int nameType)
 totalLen += dName->uidLen + 5;
 if (dName->serialLen != 0)
 totalLen += dName->serialLen + 14;
+ if (dName->dcLen != 0)
+ totalLen += dName->dcLen + 4;
 dName->fullName = (char*)XMALLOC(totalLen + 1, cert->heap, DYNAMIC_TYPE_X509);
@@ -4111,6 +4122,15 @@ static int GetName(DecodedCert* cert, int nameType)
 dName->emailIdx = idx;
 idx += dName->emailLen;
 }
+ if (dName->dcLen != 0) {
+ dName->entryCount++;
+ XMEMCPY(&dName->fullName[idx], "/DC=", 4);
+ idx += 4;
+ XMEMCPY(&dName->fullName[idx],
+ &cert->source[dName->dcIdx], dName->dcLen);
+ dName->dcIdx = idx;
+ idx += dName->dcLen;
+ }
 if (dName->uidLen != 0) {
 dName->entryCount++;
 XMEMCPY(&dName->fullName[idx], "/UID=", 5);
diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h
index c7f4aa3a4..8b9747195 100644
--- a/wolfssl/openssl/ssl.h
+++ b/wolfssl/openssl/ssl.h
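Review bot: `default: WOLFSSL_MSG("Unknown pilot attribute type"); return ASN_PARSE_E;` makes the whole certificate fail to parse for any pilot attribute other than UID or DC, whereas the removed code rendered every such attribute as `/UID=` and carried on; the 0.9.2342.19200300.100.1 arc defines many more attribute types, so certificates that parsed before this change will now be rejected, and the rejection only happens when `!tooBig`, so the same unknown type is silently skipped once the name is already too long. Unless rejecting them is the intent, skipping the value the way the `tooBig` path does keeps parsing going and keeps the two paths consistent; the rewrite below does that with a local flag so the unprefixed value is not copied into `full`. Separately, `dName->dcIdx`/`dName->dcLen` hold a single entry, so a subject with several DC components keeps only the last one in the OPENSSL_EXTRA fields and in the `fullName` rebuilt in the hunk at 4111, while `full` receives all of them; if that is acceptable it deserves a comment where `dcIdx` is assigned. GetName starts before this hunk and continues past it.
```c
                if (!tooBig) {
                    byte known = TRUE;
                    switch (id) {
                        case ASN_USER_ID:
                            /* … unchanged: "/UID=" prefix, uidIdx/uidLen … */
                            break;
                        case ASN_DOMAIN_COMPONENT:
                            /* … unchanged: "/DC=" prefix, dcIdx/dcLen … */
                            break;
                        default:
                            /* unknown pilot attribute: skip the value, keep parsing */
                            WOLFSSL_MSG("Unknown pilot attribute type, skipping");
                            known = FALSE;
                            break;
                    }
                    if (known) {
                        XMEMCPY(&full[idx], &cert->source[cert->srcIdx], adv);
                        idx += adv;
                    }
                }
```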
@@ -556,19 +556,7 @@ typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY;
 #define SSL_dup_CA_list wolfSSL_dup_CA_list
-#define NID_commonName 0x03 /* matchs ASN_COMMON_NAME in asn.h */
-#define NID_domainComponent 0x10
- /* matchs ASN_DOMAIN_COMPONENT in asn.h */
- /* matchs ASN_..._NAME in asn.h */
-#define NID_commonName 0x03 /* CN */
-#define NID_surname 0x04, /* SN */
-#define NID_serialNumber 0x05, /* serialNumber */
-#define NID_countryName 0x06, /* C */
-#define NID_localityName 0x07, /* L */
-#define NID_stateOrProvinceName 0x08, /* ST */
-#define NID_organizationName 0x0a, /* O */
-#define NID_organizationalUnitName 0x0b, /* OU */
 /* NIDs */
 enum {
@@ -779,6 +767,18 @@ typedef WOLFSSL_ASN1_BIT_STRING ASN1_BIT_STRING;
 #define NID_policy_constraints 150
 #define NID_inhibit_any_policy 168 /* 2.5.29.54 */
 #define NID_tlsfeature 92 /* id-pe 24 */
+#define NID_commonName 0x03 /* matchs ASN_COMMON_NAME in asn.h */
+#define NID_domainComponent 0x19
+ /* matchs ASN_DOMAIN_COMPONENT in asn.h */
+
+ /* matchs ASN_..._NAME in asn.h */
+#define NID_surname 0x04, /* SN */
+#define NID_serialNumber 0x05, /* serialNumber */
+#define NID_countryName 0x06, /* C */
+#define NID_localityName 0x07, /* L */
+#define NID_stateOrProvinceName 0x08, /* ST */
+#define NID_organizationName 0x0a, /* O */
+#define NID_organizationalUnitName 0x0b, /* OU */
 #define SSL_CTX_set_msg_callback wolfSSL_CTX_set_msg_callback
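Review bot: The re-added `#define NID_surname 0x04,` through `#define NID_organizationalUnitName 0x0b,` keep a trailing comma in the macro replacement text, so any expression use such as `case NID_surname:` or `nid == NID_surname` expands to `0x04,` and fails to compile; the commas read as a leftover from an enum and should go, e.g. `#define NID_surname 0x04 /* SN */`. The hunk at 556 removes the same lines, so this is the place to fix them rather than carry them over unchanged. `NID_domainComponent 0x19` must track `ASN_DOMAIN_COMPONENT` in asn.h by hand, as the comment says; the three comments also misspell `matchs`, which should read `matches`.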
@@ -786,24 +786,6 @@ typedef WOLFSSL_ASN1_BIT_STRING ASN1_BIT_STRING;
 #define SSL_CTX_set_msg_callback_arg wolfSSL_CTX_set_msg_callback_arg
 #define SSL_set_msg_callback_arg wolfSSL_set_msg_callback_arg
-/* certificate extension NIDs */
-#define NID_basic_constraints 133
-#define NID_key_usage 129 /* 2.5.29.15 */
-#define NID_ext_key_usage 151 /* 2.5.29.37 */
-#define NID_subject_key_identifier 128
-#define NID_authority_key_identifier 149
-#define NID_private_key_usage_period 130 /* 2.5.29.16 */
-#define NID_subject_alt_name 131
-#define NID_issuer_alt_name 132
-#define NID_info_access 69
-#define NID_sinfo_access 79 /* id-pe 11 */
-#define NID_name_constraints 144 /* 2.5.29.30 */
-#define NID_certificate_policies 146
-#define NID_policy_mappings 147
-#define NID_policy_constraints 150
-#define NID_inhibit_any_policy 168 /* 2.5.29.54 */
-#define NID_tlsfeature 92 /* id-pe 24 */
-
 #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \
 defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(OPENSSL_EXTRA)
diff --git a/wolfssl/test.h b/wolfssl/test.h
index f859b0665..40cc5283f 100644
--- a/wolfssl/test.h
+++ b/wolfssl/test.h
@@ -10,6 +10,10 @@
 #include
 #include
 #include
+#include
+#if defined(OPENSSL_EXTRA) && defined(SHOW_CERTS)
+ #include /* for domain component NID value */
+#endif
 #ifdef ATOMIC_USER
 #include
@@ -124,7 +128,6 @@
 #ifdef HAVE_CAVIUM
 #include
 #endif
-
 #ifdef _MSC_VER
 /* disable conversion warning */
 /* 4996 warning to use MS extensions e.g., strcpy_s instead of strncpy */
@@ -522,11 +525,24 @@ static INLINE void ShowX509(WOLFSSL_X509* x509, const char* hdr)
 #if defined(OPENSSL_EXTRA) && defined(SHOW_CERTS)
 {
 WOLFSSL_BIO* bio;
+ char buf[256]; /* should be size of ASN_NAME_MAX */
+ int textSz;
+
+
+ /* print out domain component if certificate has it */
+ textSz = wolfSSL_X509_NAME_get_text_by_NID(
+ wolfSSL_X509_get_subject_name(x509), NID_domainComponent,
+ buf, sizeof(buf));
+ if (textSz > 0) {
+ printf("Domain Component = %s\n", buf);
+ }
 bio = wolfSSL_BIO_new(wolfSSL_BIO_s_file());
- wolfSSL_BIO_set_fp(bio, stdout, BIO_NOCLOSE);
- wolfSSL_X509_print(bio, x509);
- wolfSSL_BIO_free(bio);
+ if (bio != NULL) {
+ wolfSSL_BIO_set_fp(bio, stdout, BIO_NOCLOSE);
+ wolfSSL_X509_print(bio, x509);
+ wolfSSL_BIO_free(bio);
+ }
 }
 #endif
 }
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
index 8890bd958..09a1d6e82 100644
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@@ -104,8 +104,12 @@ enum DN_Tags {
 ASN_STATE_NAME = 0x08, /* ST */
 ASN_ORG_NAME = 0x0a, /* O */
 ASN_ORGUNIT_NAME = 0x0b, /* OU */
- ASN_DOMAIN_COMPONENT = 0x10, /* DC */
- ASN_EMAIL_NAME = 0x98 /* not oid number there is 97 in 2.5.4.0-97 */
+ ASN_EMAIL_NAME = 0x98, /* not oid number there is 97 in 2.5.4.0-97 */
+
+ /* pilot attribute types
+ * OID values of 0.9.2342.19200300.100.1.* */
+ ASN_USER_ID = 0x01, /* UID */
+ ASN_DOMAIN_COMPONENT = 0x19 /* DC */
 };
 enum PBES {
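Review bot: `char buf[256]; /* should be size of ASN_NAME_MAX */` states a size the code does not enforce; the call passes `sizeof(buf)`, so the copy stays bounded, but a domain component longer than the buffer is silently truncated and the comment suggests the author expected otherwise. If `ASN_NAME_MAX` is reachable through the includes added at the top of this file, `char buf[ASN_NAME_MAX];` removes the mismatch; if it is not, the comment should say that the value is truncated to 255 characters. `printf("Domain Component = %s\n", buf);` writes a certificate-supplied string to the terminal as-is, which is fine for a SHOW_CERTS test helper but worth a one-line comment so the pattern is not lifted into production logging. ShowX509 starts before this hunk.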
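Review bot: `ASN_USER_ID = 0x01` and `ASN_DOMAIN_COMPONENT = 0x19` place last-arc values from 0.9.2342.19200300.100.1 into the same enum as the 2.5.4.* tags above them, so `DN_Tags` now covers two OID arcs with one value space; 0x19 is also the last arc of 2.5.4.25, which is not listed here but would collide if it were ever added, and the ssl.c hunk appears to dispatch on both groups in one switch. A comment on the enum would keep the constraint visible, e.g. `/* 2.5.4.* tags and pilot attribute ids share this value space; keep them disjoint */`, together with a reminder that `NID_domainComponent` in openssl/ssl.h must be changed in step with `ASN_DOMAIN_COMPONENT`.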