update OID check for domain component

This commit is contained in:
Jacob Barthelmeh 2017-02-27 20:39:55 -07:00
parent e2a16190a6
commit 857bbe65b5
5 changed files with 81 additions and 59 deletions


@ -14936,8 +14936,8 @@ static void ExternalFreeX509(WOLFSSL_X509* x509)
textSz = name->fullName.dcLen;
break;
default:
WOLFSSL_MSG("Unknown NID value");
return -1;
WOLFSSL_MSG("Entry type not found");
return SSL_FATAL_ERROR;
}
/* if buf is NULL return size of buffer needed (minus null char) */


@ -3895,17 +3895,6 @@ static int GetName(DecodedCert* cert, int nameType)
dName->snLen = strLen;
#endif /* OPENSSL_EXTRA */
}
else if (id == ASN_DOMAIN_COMPONENT) {
if (!tooBig) {
XMEMCPY(&full[idx], "/domainComponent=", 17);
idx += 17;
copy = TRUE;
}
#ifdef OPENSSL_EXTRA
dName->dcIdx = cert->srcIdx;
dName->dcLen = strLen;
#endif /* OPENSSL_EXTRA */
}
if (copy && !tooBig) {
XMEMCPY(&full[idx], &cert->source[cert->srcIdx], strLen);
idx += strLen;
@ -3916,14 +3905,18 @@ static int GetName(DecodedCert* cert, int nameType)
else {
/* skip */
byte email = FALSE;
byte uid = FALSE;
byte pilot = FALSE;
byte id = 0;
int adv;
if (joint[0] == 0x2a && joint[1] == 0x86) /* email id hdr */
email = TRUE;
if (joint[0] == 0x9 && joint[1] == 0x92) /* uid id hdr */
uid = TRUE;
if (joint[0] == 0x9 && joint[1] == 0x92) { /* uid id hdr */
/* last value of OID is the type of pilot attribute */
id = cert->source[cert->srcIdx + oidSz - 1];
pilot = TRUE;
}
cert->srcIdx += oidSz + 1;
@ -3986,22 +3979,38 @@ static int GetName(DecodedCert* cert, int nameType)
}
}
if (uid) {
if (pilot) {
if ( (5 + adv) > (int)(ASN_NAME_MAX - idx)) {
WOLFSSL_MSG("ASN name too big, skipping");
tooBig = TRUE;
}
if (!tooBig) {
switch (id) {
case ASN_USER_ID:
XMEMCPY(&full[idx], "/UID=", 5);
idx += 5;
XMEMCPY(&full[idx], &cert->source[cert->srcIdx], adv);
idx += adv;
}
#ifdef OPENSSL_EXTRA
dName->uidIdx = cert->srcIdx;
dName->uidLen = adv;
#endif /* OPENSSL_EXTRA */
break;
case ASN_DOMAIN_COMPONENT:
XMEMCPY(&full[idx], "/DC=", 4);
idx += 4;
#ifdef OPENSSL_EXTRA
dName->dcIdx = cert->srcIdx;
dName->dcLen = adv;
#endif /* OPENSSL_EXTRA */
break;
default:
WOLFSSL_MSG("Unknown pilot attribute type");
return ASN_PARSE_E;
}
XMEMCPY(&full[idx], &cert->source[cert->srcIdx], adv);
idx += adv;
}
}
cert->srcIdx += adv;
@ -4033,6 +4042,8 @@ static int GetName(DecodedCert* cert, int nameType)
totalLen += dName->uidLen + 5;
if (dName->serialLen != 0)
totalLen += dName->serialLen + 14;
if (dName->dcLen != 0)
totalLen += dName->dcLen + 4;
dName->fullName = (char*)XMALLOC(totalLen + 1, cert->heap,
DYNAMIC_TYPE_X509);
@ -4111,6 +4122,15 @@ static int GetName(DecodedCert* cert, int nameType)
dName->emailIdx = idx;
idx += dName->emailLen;
}
if (dName->dcLen != 0) {
dName->entryCount++;
XMEMCPY(&dName->fullName[idx], "/DC=", 4);
idx += 4;
XMEMCPY(&dName->fullName[idx],
&cert->source[dName->dcIdx], dName->dcLen);
dName->dcIdx = idx;
idx += dName->dcLen;
}
if (dName->uidLen != 0) {
dName->entryCount++;
XMEMCPY(&dName->fullName[idx], "/UID=", 5);
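Review bot: In the `default:` arm of the new `switch (id)` (hunk at -3986) an unrecognised pilot attribute aborts the whole parse with `return ASN_PARSE_E;`, but only while `!tooBig`; once the name buffer is full the switch is never reached and the same attribute is skipped via `cert->srcIdx += adv`, so whether a certificate is accepted depends on how long its subject already is. Before this change every non-UID pilot attribute was skipped (the `/* skip */` path), and the 0.9.2342.19200300.100.1 arc carries other attribute types besides UID and DC, so certificates that parsed before now fail; skipping in `default:` as sketched below keeps behaviour consistent, and if rejection is really intended it should happen before the size check rather than inside it. Related, the `pilot` test in the hunk at -3916 matches only the first two OID bytes, `joint[0] == 0x9 && joint[1] == 0x92`, before reading `cert->source[cert->srcIdx + oidSz - 1]` as the type, so any OID beginning with those bytes is treated as a pilot attribute; comparing the whole encoded prefix, or at least checking `oidSz` against the expected length of that arc, before the switch would tighten this. GetName begins and ends outside these hunks.
```c
byte skip = FALSE;   /* declared alongside email/pilot/id */
/* … unchanged: OID prefix checks, srcIdx advance, email handling … */
if (!tooBig) {
    switch (id) {
        /* … unchanged: ASN_USER_ID and ASN_DOMAIN_COMPONENT cases … */
        default:
            WOLFSSL_MSG("Unknown pilot attribute type, skipping");
            skip = TRUE;   /* leave the value out of the full name */
            break;
    }
    if (!skip) {
        XMEMCPY(&full[idx], &cert->source[cert->srcIdx], adv);
        idx += adv;
    }
}
```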


@ -556,19 +556,7 @@ typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY;
#define SSL_dup_CA_list wolfSSL_dup_CA_list
#define NID_commonName 0x03 /* matchs ASN_COMMON_NAME in asn.h */
#define NID_domainComponent 0x10
/* matchs ASN_DOMAIN_COMPONENT in asn.h */
/* matchs ASN_..._NAME in asn.h */
#define NID_commonName 0x03 /* CN */
#define NID_surname 0x04, /* SN */
#define NID_serialNumber 0x05, /* serialNumber */
#define NID_countryName 0x06, /* C */
#define NID_localityName 0x07, /* L */
#define NID_stateOrProvinceName 0x08, /* ST */
#define NID_organizationName 0x0a, /* O */
#define NID_organizationalUnitName 0x0b, /* OU */
/* NIDs */
enum {
@ -779,6 +767,18 @@ typedef WOLFSSL_ASN1_BIT_STRING ASN1_BIT_STRING;
#define NID_policy_constraints 150
#define NID_inhibit_any_policy 168 /* 2.5.29.54 */
#define NID_tlsfeature 92 /* id-pe 24 */
#define NID_commonName 0x03 /* matchs ASN_COMMON_NAME in asn.h */
#define NID_domainComponent 0x19
/* matchs ASN_DOMAIN_COMPONENT in asn.h */
/* matchs ASN_..._NAME in asn.h */
#define NID_surname 0x04, /* SN */
#define NID_serialNumber 0x05, /* serialNumber */
#define NID_countryName 0x06, /* C */
#define NID_localityName 0x07, /* L */
#define NID_stateOrProvinceName 0x08, /* ST */
#define NID_organizationName 0x0a, /* O */
#define NID_organizationalUnitName 0x0b, /* OU */
#define SSL_CTX_set_msg_callback wolfSSL_CTX_set_msg_callback
@ -786,24 +786,6 @@ typedef WOLFSSL_ASN1_BIT_STRING ASN1_BIT_STRING;
#define SSL_CTX_set_msg_callback_arg wolfSSL_CTX_set_msg_callback_arg
#define SSL_set_msg_callback_arg wolfSSL_set_msg_callback_arg
/* certificate extension NIDs */
#define NID_basic_constraints 133
#define NID_key_usage 129 /* 2.5.29.15 */
#define NID_ext_key_usage 151 /* 2.5.29.37 */
#define NID_subject_key_identifier 128
#define NID_authority_key_identifier 149
#define NID_private_key_usage_period 130 /* 2.5.29.16 */
#define NID_subject_alt_name 131
#define NID_issuer_alt_name 132
#define NID_info_access 69
#define NID_sinfo_access 79 /* id-pe 11 */
#define NID_name_constraints 144 /* 2.5.29.30 */
#define NID_certificate_policies 146
#define NID_policy_mappings 147
#define NID_policy_constraints 150
#define NID_inhibit_any_policy 168 /* 2.5.29.54 */
#define NID_tlsfeature 92 /* id-pe 24 */
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \
defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(OPENSSL_EXTRA)
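Review bot: The NID macros re-homed in the hunk at -779 carry a trailing comma in their replacement text, `#define NID_surname 0x04,` through `#define NID_organizationalUnitName 0x0b,`, so any use in an expression or a `case` label expands to `0x04,` and fails to compile; only `NID_commonName` and the new `NID_domainComponent` are usable as written. Since the commit already moves these lines, it is the moment to drop the commas: `#define NID_surname 0x04 /* SN */` and likewise for the other six. The comment says these values must match the ASN_* tags in asn.h, and `NID_domainComponent 0x19` does track the asn.h change in this commit, but nothing enforces the pairing, so naming the enum in the comment, e.g. `/* must track enum DN_Tags in wolfcrypt/asn.h */`, would help whoever bumps one side next.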


@ -10,6 +10,10 @@
#include <wolfssl/wolfcrypt/types.h>
#include <wolfssl/wolfcrypt/error-crypt.h>
#include <wolfssl/wolfcrypt/random.h>
#include <wolfssl/wolfcrypt/mem_track.h>
#if defined(OPENSSL_EXTRA) && defined(SHOW_CERTS)
#include <wolfssl/openssl/ssl.h> /* for domain component NID value */
#endif
#ifdef ATOMIC_USER
#include <wolfssl/wolfcrypt/aes.h>
@ -124,7 +128,6 @@
#ifdef HAVE_CAVIUM
#include <wolfssl/wolfcrypt/port/cavium/cavium_nitrox.h>
#endif
#ifdef _MSC_VER
/* disable conversion warning */
/* 4996 warning to use MS extensions e.g., strcpy_s instead of strncpy */
@ -522,12 +525,25 @@ static INLINE void ShowX509(WOLFSSL_X509* x509, const char* hdr)
#if defined(OPENSSL_EXTRA) && defined(SHOW_CERTS)
{
WOLFSSL_BIO* bio;
char buf[256]; /* should be size of ASN_NAME_MAX */
int textSz;
/* print out domain component if certificate has it */
textSz = wolfSSL_X509_NAME_get_text_by_NID(
wolfSSL_X509_get_subject_name(x509), NID_domainComponent,
buf, sizeof(buf));
if (textSz > 0) {
printf("Domain Component = %s\n", buf);
}
bio = wolfSSL_BIO_new(wolfSSL_BIO_s_file());
if (bio != NULL) {
wolfSSL_BIO_set_fp(bio, stdout, BIO_NOCLOSE);
wolfSSL_X509_print(bio, x509);
wolfSSL_BIO_free(bio);
}
}
#endif
}
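Review bot: `char buf[256]; /* should be size of ASN_NAME_MAX */` in ShowX509 hard-codes a size the author's own comment says is wrong; the domain component text comes straight out of a parsed certificate, so the buffer should be sized by the same constant GetName bounds the full name with, `char buf[ASN_NAME_MAX];`, assuming that constant is visible through the headers test.h already includes (the asn.c hunks use it, but the include added at -10 is only openssl/ssl.h). The `if (textSz > 0)` check treats any positive return as a complete string; if wolfSSL_X509_NAME_get_text_by_NID reports the size needed when the buffer is too small (the ssl.c hunk's trailing comment says it does so at least for a NULL `buf`), a return of `sizeof(buf)` or more means truncation and should not be printed as-is, which is worth either a `textSz < (int)sizeof(buf)` guard or a comment stating that the call NUL-terminates and truncates. ShowX509 starts outside the hunk.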


@ -104,8 +104,12 @@ enum DN_Tags {
ASN_STATE_NAME = 0x08, /* ST */
ASN_ORG_NAME = 0x0a, /* O */
ASN_ORGUNIT_NAME = 0x0b, /* OU */
ASN_DOMAIN_COMPONENT = 0x10, /* DC */
ASN_EMAIL_NAME = 0x98 /* not oid number there is 97 in 2.5.4.0-97 */
ASN_EMAIL_NAME = 0x98, /* not oid number there is 97 in 2.5.4.0-97 */
/* pilot attribute types
* OID values of 0.9.2342.19200300.100.1.* */
ASN_USER_ID = 0x01, /* UID */
ASN_DOMAIN_COMPONENT = 0x19 /* DC */
};
enum PBES {
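Review bot: `ASN_USER_ID = 0x01` and `ASN_DOMAIN_COMPONENT = 0x19` now sit in `enum DN_Tags` beside the 2.5.4.* values (`ASN_COMMON_NAME = 0x03` … `ASN_ORGUNIT_NAME = 0x0b`) although, as the new comment says, they are the last arc of a different OID prefix; the GetName code in asn.c only switches on them after its pilot-prefix check, so there is no clash today, but a 2.5.4.1 or 2.5.4.25 tag added later would reuse the same numbers in the same enum. Making that explicit in the comment, e.g. `/* 0.9.2342.19200300.100.1.N values; numerically independent of the 2.5.4.N tags above, do not compare across arcs */`, or moving the pilot attributes to their own enum, would prevent it. enum DN_Tags starts outside the hunk.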