Merge pull request #129 from lealem47/san

Add ability to set more subjectAltName attributes
wolfSSL · Aug 3, 2023 · c04fc32 · c04fc32
2 parents e79d476 + 02ab548
commit c04fc32
Show file tree

Hide file tree

Showing 7 changed files with 104 additions and 13 deletions.
diff --git a/configure.ac b/configure.ac
@@ -120,6 +120,9 @@ AC_CHECK_FUNC([wolfSSL_X509_CRL_print],
 AC_CHECK_FUNC([wolfSSL_X509_REQ_print],
     [],
     [AM_CFLAGS="$AM_CFLAGS -DNO_WOLFSSL_REQ_PRINT"])
+AC_CHECK_FUNC([wc_EncodeObjectId],
+    [],
+    [AM_CFLAGS="$AM_CFLAGS -DNO_WC_ENCODE_OBJECT_ID"])
 
 
 ###############################################

diff --git a/src/x509/clu_config.c b/src/x509/clu_config.c
@@ -353,10 +353,15 @@ static int wolfCLU_setAltNames(WOLFSSL_X509* x509, WOLFSSL_CONF* conf,
         total = wolfSSL_sk_CONF_VALUE_num(altNames);
         for (i = 0; i < total; i++) {
             WOLFSSL_CONF_VALUE *c;
-            WOLFSSL_ASN1_STRING *ipStr = NULL;
-            char *s   = NULL;
-            int   sSz = 0;
-            int   type= 0;
+            WOLFSSL_ASN1_STRING *ipStr  = NULL;
+            WOLFSSL_ASN1_OBJECT *ridObj = NULL;
+            char  *token, *ptr, *s      = NULL;
+            int   sSz  = 0;
+            int   type = 0;
+            byte oid[ASN1_OID_DOTTED_MAX_SZ];
+            word32 oidSz = ASN1_OID_DOTTED_MAX_SZ;
+            word32 decodedCount = 0;
+            word16 decoded[ASN1_OID_DOTTED_MAX_SZ];
 
             c = wolfSSL_sk_CONF_VALUE_value(altNames, i);
             if (c == NULL) {
@@ -383,13 +388,72 @@ static int wolfCLU_setAltNames(WOLFSSL_X509* x509, WOLFSSL_CONF* conf,
 
             }
 
-            if (XSTRNCMP(c->name, "DNS", 3) == 0) {
+            else if (XSTRNCMP(c->name, "DNS", 3) == 0) {
                 type = ASN_DNS_TYPE;
                 s = c->value;
                 sSz = (int)XSTRLEN(c->value);
             }
 
-            if (type == 0) {
+            else if (XSTRNCMP(c->name, "URI", 3) == 0) {
+                type = ASN_URI_TYPE;
+                s = c->value;
+                sSz = (int)XSTRLEN(c->value);
+            }
+
+            else if (XSTRNCMP(c->name, "RID", 3) == 0) {
+                if ((ridObj = wolfSSL_OBJ_txt2obj(c->value, 0)) == NULL) {
+            #if defined(HAVE_OID_ENCODING) && !defined(NO_WC_ENCODE_OBJECT_ID)
+                    /* If RID value is not named OID, manually encode
+                     * dotted OID into byte array */
+                    token = XSTRTOK(c->value, ".", &ptr);
+
+                    while (token != NULL) {
+                        decoded[decodedCount] = XATOI(token);
+                        decodedCount++;
+                        token = XSTRTOK(NULL, ".", &ptr);
+                    }
+
+                    if (wc_EncodeObjectId(decoded, decodedCount, oid, &oidSz)
+                            == 0) {
+                        s   = (char*)oid;
+                        sSz = (int)oidSz;
+                    }
+                    else {
+                        wolfCLU_LogError("bad RID found %s", c->value);
+                        ret = WOLFCLU_FATAL_ERROR;
+                        break;
+                    }
+            #else
+                    (void)token;
+                    (void)ptr;
+                    (void)decoded;
+                    (void)decodedCount;
+                    (void)oid;
+                    (void)oidSz;
+
+                    wolfCLU_LogError("Couldn't encode RID. OID encoding is not"
+                            " compiled in");
+                    ret = WOLFCLU_FATAL_ERROR;
+                    break;
+
+            #endif
+                }
+                else {
+                    s   = (char*)wolfSSL_OBJ_get0_data(ridObj);
+                    sSz = (int)wolfSSL_OBJ_length(ridObj);
+                }
+
+
+                type = ASN_RID_TYPE;
+            }
+
+            else if (XSTRNCMP(c->name, "email", 5) == 0) {
+                type = ASN_RFC822_TYPE;
+                s = c->value;
+                sSz = (int)XSTRLEN(c->value);
+            }
+
+            else {
                 ret = WOLFCLU_FATAL_ERROR;
                 break;
             }
@@ -405,6 +469,9 @@ static int wolfCLU_setAltNames(WOLFSSL_X509* x509, WOLFSSL_CONF* conf,
 
             if (ipStr != NULL)
                 wolfSSL_ASN1_STRING_free(ipStr);
+
+            if (ridObj != NULL)
+                wolfSSL_ASN1_OBJECT_free(ridObj);
         }
     }
 #endif

diff --git a/tests/dgst/dgst-test.sh b/tests/dgst/dgst-test.sh
@@ -52,6 +52,7 @@ done
 run "dgst -sha256 -verify ./certs/server-keyPub.pem -signature ./tests/dgst/5000-server-key.sig ./large-test.txt"
 run "dgst -sha256 -sign ./certs/server-key.pem -out 5000-server-key.sig ./large-test.txt"
 run "dgst -sha256 -verify ./certs/server-keyPub.pem -signature ./5000-server-key.sig ./large-test.txt"
+rm -rf 5000-server-key.sig
 
 # run some hash tests on large file while available
 run "-hash sha256 -in ./large-test.txt"

diff --git a/tests/pkey/ecparam-test.sh b/tests/pkey/ecparam-test.sh
@@ -57,9 +57,9 @@ run "ecparam -in certs/ecc-key.pem -out ecc-key.der -outform der"
 
 # not yet supported reading only parameters with no key
 run_fail "ecparam -in ecc-key.der -inform der -out ecc-key.pem -outform pem"
-rm -f ecc-key.der
 
 run "ecparam -genkey -out ecc-key.der -outform der"
+rm -f ecc-key.der
 
 run_fail "ecparam -in certs/ca-key.pem -text"
 

diff --git a/tests/x509/x509-ca-test.sh b/tests/x509/x509-ca-test.sh
@@ -197,7 +197,6 @@ run_success "verify -CAfile ./certs/ca-cert.pem test_ca.pem"
 
 # override almost all info from config file
 run_success "ca -config ca.conf -in tmp-ca.csr -out test_ca.pem -extensions usr_cert -md sha512 -days 3650 -cert ./certs/ca-ecc-cert.pem -keyfile ./certs/ca-ecc-key.pem"
-rm -f test_ca.pem
 
 # test key missmatch
 run_fail "ca -config ca.conf -in tmp-ca.csr -out test_ca.pem -keyfile ./certs/ecc-key.pem"
@@ -260,7 +259,8 @@ run_success "ca -config ca.conf -in tmp-ca.csr -out tmp.pem -md sha256 -keyfile
 run_success "req -key ./certs/server-key.pem -subj O=Sawtooth/CN=www.wolfclu.com/C=US/ST=MT/L=Bozeman/OU=org-unit -out tmp-ca.csr"
 run_fail "ca -config ca-match.conf -in tmp-ca.csr -out tmp.pem -md sha256 -keyfile ./certs/ca-key.pem"
 
-rm -f tmp.pm
+rm -f test_ca.pem
+rm -f tmp.pem
 rm -f rand-file-test
 rm -f serial-file-test
 rm -f tmp-ca.csr

diff --git a/tests/x509/x509-process-test.sh b/tests/x509/x509-process-test.sh
@@ -243,7 +243,7 @@ run3() {
     ./wolfssl x509 -inform pem -in certs/ca-cert.pem -outform der -out x509_test.der
     cert_test_case "-inform pem -outform der -in certs/ca-cert.pem -out x509_tmp.der" \
                     x509_test.der x509_tmp.der
-    rm -f x509_test.pem x509_tmp.pem
+    rm -f x509_test.pem x509_tmp.pem x509_test.der x509_tmp.der
     echo "TEST 3.c"
     test_case "-in certs/server-cert.pem -subject -noout"
     EXPECTED="/C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=Support/CN=www.wolfssl.com/[email protected]"
@@ -367,6 +367,7 @@ run4
 rm -f out.txt
 rm -f tmp.pem
 rm -f tmp.der
+rm -f cert_stripped.pem
 
 echo "Done"
 exit 0
diff --git a/tests/x509/x509-req-test.sh b/tests/x509/x509-req-test.sh
@@ -100,6 +100,12 @@ coutnryName_min = 2
 basicConstraints = critical,CA:true
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 subjectAltName = @alt_names
+[alt_names]
+RID.1 = 1.1.1.1
+RID.2 = surname
+email.1 = [email protected]
+URI.1 = [email protected]
+
 EOF
 
 
@@ -119,8 +125,21 @@ rm -f tmp.cert
 # no parameter -conf
 #run_fail "req -new -key ./certs/server-key.pem -conf ./test.conf -out tmp.csr"
 
-run_success "req -new -key ./certs/server-key.pem -config ./test.conf -out tmp.csr"
+run_success "req -new -key ./certs/server-key.pem -config ./test-prompt.conf -out tmp.csr" "US"
 run_success "req -text -in tmp.csr"
+SUBJECT=`./wolfssl req -in tmp.csr -text | grep -A1 "X509v3 Subject Alternative Name"`
+EXPECTED="        X509v3 Subject Alternative Name: 
+            email:[email protected], Registered ID:1.1.1.1, Registered ID:surname, URI:[email protected]"
+if [ "$SUBJECT" != "$EXPECTED" ]
+then
+    echo "found unexpected result"
+    echo "Got      : $SUBJECT"
+    echo "Expected : $EXPECTED"
+    exit 99
+fi
+
+run_success "req -new -key ./certs/server-key.pem -config ./test.conf -out tmp.csr" "US"
+
 
 # fail when extensions can not be found
 run_fail "req -new -extensions v3_alt_ca_not_found -key ./certs/server-key.pem -config ./test.conf -x509 -out alt.crt"
@@ -175,6 +194,7 @@ fi
 
 rm -f tmp.cert
 rm -f tmp.csr
+rm -f alt.crt
 
 run_success "req -new -key ./certs/server-key.pem -config ./test.conf -x509 -out tmp.cert"
 SUBJECT=`./wolfssl x509 -in tmp.cert -text | grep Subject:`
@@ -236,11 +256,10 @@ fi
 run_success "req -newkey rsa:2048 -keyout new-key.pem -config ./test.conf -out tmp.cert -passout pass:123456789wolfssl -outform pem -sha256"
 run_success "rsa -in new-key.pem -passin pass:123456789wolfssl"
 
-rm -f tmp.cert
-
 run_success "req -new -x509 -key ./certs/ca-key.pem -config ./test-prompt.conf -out tmp.cert" "AA"
 run_fail "req -new -x509 -key ./certs/ca-key.pem -config ./test-prompt.conf -out tmp.cert" "LONG"
 
+rm -f tmp.cert
 rm -f new-key.pem
 rm -f test.conf
 rm -f test-prompt.conf