From f1daa2d356b55e2d2a693a1e5304fcfbb25ba513 Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Mon, 5 Dec 2022 15:51:33 -0800
Subject: [PATCH] fix other name san parsing and add RID cert to test parsing

---
 certs/include.am | 3 ++-
 certs/renewcerts.sh | 15 +++++++++++++++
 certs/renewcerts/wolfssl.cnf | 15 +++++++++++++++
 certs/rid-cert.der | Bin 0 -> 1164 bytes
 src/x509.c | 25 +++++++++++++++++++++++++
 tests/api.c | 28 ++++++++++++++++++++++++++++
 wolfcrypt/src/asn.c | 6 ------
 7 files changed, 85 insertions(+), 7 deletions(-)
 create mode 100644 certs/rid-cert.der

diff --git a/certs/include.am b/certs/include.am
index be19b392e..c3a86ba93 100644
--- a/certs/include.am
+++ b/certs/include.am
@@ -64,7 +64,8 @@ EXTRA_DIST += \
 certs/entity-no-ca-bool-cert.pem \
 certs/entity-no-ca-bool-key.pem \
 certs/x942dh2048.pem \
- certs/fpki-cert.der
+ certs/fpki-cert.der \
+ certs/rid-cert.der
 
 EXTRA_DIST += \
 certs/ca-key.der \
diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh
index d2cca7f9a..0cba0693e 100755
--- a/certs/renewcerts.sh
+++ b/certs/renewcerts.sh
@@ -28,6 +28,7 @@
 # client-crl-dist.pem
 # entity-no-ca-bool-cert.pem
 # fpki-cert.der
+# rid-cert.der
 # updates the following crls:
 # crl/cliCrl.pem
 # crl/crl.pem
@@ -359,6 +360,20 @@ run_renewcerts(){
 echo "End of section"
 echo "---------------------------------------------------------------------"
 ###########################################################
+ ########## update and sign rid-cert.der ################
+ ###########################################################
+ echo "Updating rid-cert.der"
+ echo ""
+ #pipe the following arguments to openssl req...
+ echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nRID\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > rid-req.pem
+ check_result $? "Step 1"
+
+ openssl x509 -req -in rid-req.pem -extfile wolfssl.cnf -extensions rid_ext -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 7 -out rid-cert.der -outform DER
+ check_result $? "Step 2"
+ rm rid-req.pem
+ echo "End of section"
+ echo "---------------------------------------------------------------------"
+ ###########################################################
 ########## update and sign server-cert.pem ################
 ###########################################################
 echo "Updating server-cert.pem"
diff --git a/certs/renewcerts/wolfssl.cnf b/certs/renewcerts/wolfssl.cnf
index af26cdc23..44593b17c 100644
--- a/certs/renewcerts/wolfssl.cnf
+++ b/certs/renewcerts/wolfssl.cnf
@@ -372,3 +372,18 @@ attribute = SEQUENCE:PCE_attr
 type = OID:2.16.840.1.101.3.6.9.1
 value = BOOLEAN:true
 
+[rid_ext]
+basicConstraints = CA:FALSE,pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid
+keyUsage = critical, digitalSignature
+subjectAltName = @RID_altname
+
+[RID_altname]
+otherName.1 = 1.3.6.1.4.1.311.20.2.3;UTF8:facts@wolfssl.com
+RID.1 = 1.2.3.4.5
+DNS.1 = www.example.org
+URI.1 = https://www.wolfssl.com/
+otherName.2 = 2.16.840.1.101.3.6.6;FORMAT:HEX,OCT:D1:38:10:D8:28:AF:2C:10:84:35:15:A1:68:58:28:AF:02:10:86:A2:84:E7:39:C3:EB
+
+
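Review bot: `basicConstraints = CA:FALSE,pathlen:0` in the new [rid_ext] section pairs a pathlen with cA=FALSE; RFC 5280 section 4.2.1.9 makes pathLenConstraint meaningful only when the cA boolean is asserted, and OpenSSL still encodes it, so the generated rid-cert.der carries a constraint no conforming verifier should honour. Unless the intent is to also exercise that edge case in the parser, the end-entity profile should read `basicConstraints = CA:FALSE`. The two empty lines appended after otherName.2 are trailing whitespace only.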
diff --git a/certs/rid-cert.der b/certs/rid-cert.der new file mode 100644 index 0000000000000000000000000000000000000000..e8098cf9b25ab652b3dcccd5569174a44a8df241 GIT binary patch literal 1164 zcmXqLV(BnwVlG&~%*4pV#K>;I%f_kI=F#?@mywa1mBFBKiXpcFCmVAp3!5-gXt1Gx z0UwCN!NcyGpI4HYmk1MK=V5osuS(5L%rg`;;0LMU;^7EREHBB=FUc?zHV^~}ar1CF z=jRod=9FaSr5j2Zh=Bx|dHBoA%k|3hbJB{7bM%t)a}DJUWZ}->WE2y~%uCC6KvG~J zC(dhRWN2hyYG7_`YHSn*$k2xVyG^Pqn_{*1u_iJbObnKg^An*`r*1k(0So z+Urcrj0}v68($eTJ~!Y22Dz*- z3#$PzMKS=>0g%VXBE}-JSKK4ixvVmG}h|~w3v!6%!trf&m_>csO7ok;n&E?0hrH#$$^m}_s+bl zw%=F#XrzD7S-x>u(CKw5U5B4M2|0S%tM-sw|M#~#XC}AEPA)MJJ#ypBqcf602IU_YWnRDYpG7+(r*3qB#*PJd%{q54zEoMMtv=(y-mcz_ zg1eGDPE?-Zer4*?k(|&n=c&mY%N@MmAD<86$@(Xm=+CJ0Kji(zr_&Q%l~%s|Bfq>^ zw*JeTZtnXzYs{^)H(uxYExCM_Ww(*qzw))(hkZ2EU%9P#;>k2~TSZO$>Vtype == ASN_DIR_TYPE) { + /* @TODO entry->name in ASN1 syntax */ + len = XSNPRINTF(scratch, MAX_WIDTH, + "DirName:"); + if (len >= MAX_WIDTH) { + ret = WOLFSSL_FAILURE; + break; + } + } + else if (entry->type == ASN_URI_TYPE) { + len = XSNPRINTF(scratch, MAX_WIDTH, "URI:%s", + entry->name); + if (len >= MAX_WIDTH) { + ret = WOLFSSL_FAILURE; + break; + } + } + else if (entry->type == ASN_OTHER_TYPE) { + len = XSNPRINTF(scratch, MAX_WIDTH, + "othername "); + if (len >= MAX_WIDTH) { + ret = WOLFSSL_FAILURE; + break; + } + } else { WOLFSSL_MSG("Bad alt name type."); ret = WOLFSSL_FAILURE; diff --git a/tests/api.c b/tests/api.c index ea0df1598..fcdd62b1b 100644 --- a/tests/api.c +++ b/tests/api.c 
@@ -2859,6 +2859,33 @@ static int test_wolfSSL_FPKI(void)
 return res;
 }
 
+/* use RID in confuncture with other names to test parsing of unknown other
+ * names */
+static int test_wolfSSL_OtherName(void)
+{
+ int res = TEST_SKIPPED;
+#if !defined(NO_RSA) && !defined(NO_FILESYSTEM)
+ XFILE f;
+ const char* ridCert = "./certs/rid-cert.der";
+ DecodedCert cert;
+ byte buf[4096];
+ int bytes;
+
+ f = XFOPEN(ridCert, "rb");
+ AssertTrue((f != XBADFILE));
+ bytes = (int)XFREAD(buf, 1, sizeof(buf), f);
+ XFCLOSE(f);
+
+ wc_InitDecodedCert(&cert, buf, bytes, NULL);
+ AssertIntEQ(wc_ParseCert(&cert, CERT_TYPE, 0, NULL), 0);
+ wc_FreeDecodedCert(&cert);
+
+ res = TEST_RES_CHECK(1);
+#endif
+
+ return res;
+}
+
 static int test_wolfSSL_CertRsaPss(void)
 {
 int res = TEST_SKIPPED;
@@ -59260,6 +59287,7 @@ TEST_CASE testCases[] = {
 TEST_DECL(test_wolfSSL_CertManagerNameConstraint4),
 TEST_DECL(test_wolfSSL_CertManagerNameConstraint5),
 TEST_DECL(test_wolfSSL_FPKI),
+ TEST_DECL(test_wolfSSL_OtherName),
 TEST_DECL(test_wolfSSL_CertRsaPss),
 TEST_DECL(test_wolfSSL_CertManagerCRL),
 TEST_DECL(test_wolfSSL_CTX_load_verify_locations_ex),
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 51c73c149..a116bb8b5 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -17284,7 +17284,6 @@ static int DecodeConstructedOtherName(DecodedCert* cert, const byte* input,
 
 default:
 WOLFSSL_MSG("Unknown constructed other name, skipping");
- *idx += strLen;
 XFREE(dnsEntry, cert->heap, DYNAMIC_TYPE_ALTNAME);
 dnsEntry = NULL;
 }
@@ -17645,13 +17644,8 @@ static int DecodeAltNames(const byte* input, int sz, DecodedCert* cert)
 WOLFSSL_MSG("\tfail: unsupported other name length");
 return ASN_PARSE_E;
 }
- else {
- /* idx will have been advanced to end of alt name */
- length -= (idx - lenStartIdx);
- }
 }
 else {
- length -= (strLen + idx - lenStartIdx);
 idx += strLen;
 }
 }
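Review bot: test_wolfSSL_OtherName never checks what the parser produced: it asserts only that wc_ParseCert() returns 0, so a regression that silently drops or mis-skips the RID and otherName entries of rid-cert.der would still pass, and `bytes` from XFREAD is never validated, so an empty or truncated certs/rid-cert.der would reach wc_InitDecodedCert with a zero or short length. Add `AssertIntGT(bytes, 0);` after the XFREAD and, after parsing, walk the decoded alt-name list (presumably `cert.altNames`; confirm the field name) and assert the DNS and URI values from wolfssl.cnf (`www.example.org`, `https://www.wolfssl.com/`) are present. The leading comment also has a typo: `confuncture` should read `conjunction`.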
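Review bot: With `*idx += strLen;` dropped from the unknown-constructed-other-name default branch in DecodeConstructedOtherName, and both `length -= ...` adjustments dropped in DecodeAltNames, neither hunk shows where idx and length are now advanced past a skipped constructed other name, so the diff alone cannot confirm that the outer loop consumes exactly strLen bytes for that case; both enclosing functions continue outside the hunks. Document the contract at the default branch, e.g. `/* *idx is left at the start of the value; the caller skips strLen */` (adjusted to whatever the loop head actually does), so the next reader does not have to rediscover the split accounting. A negative test in tests/api.c with an otherName whose inner length exceeds the remaining SEQUENCE length would confirm the parser returns ASN_PARSE_E rather than reading past the buffer after this change.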