Extend certfields to output alt names and tie in w/ certgen example

2020-06-25 14:24:01 -06:00 · 2020-06-25 14:24:01 -06:00 · ee78caaeec
parent 9622943b6a
commit ee78caaeec
2 changed files with 96 additions and 7 deletions
--- a/certfields/README.md
+++ b/certfields/README.md
@ -18,7 +18,43 @@ Then, compile the example app:

 ```
 $ make
-$ ./app
+```
+
+Next, run the example app with a cert of your choice:
+
+EXAMPLE A:
+
+```
+$ ./app ../certs/ca-cert.der RSA
+PUBLIC KEY:
+3082010A0282010100BF0CCA2D14B21E84425BCD381F4AF24D7510F1B6359FDFCA7D0398D3ACDE0366EE2AF1D8B07D6E07540B1098214D80CB1220E7CC4FDE457DC9727732EACA90BB695210032FA8F395C5F18B62561BEF676FA4104195AD0A9BE3A5C0B0D2707650305BA8E8082C7CEDA7A27A8D38291CACC7EDF27C95B095827D495C38CD7725EFBD807553943C3DCA635B9F15B5D31D132F19D13CDB763ACCB87DC9E5C2D7DA406FD821DC731B422D539CFE1AFC7DAB7A363F98DE847C0567CE6A143887A9F18CB568CB687F71202BF5A063F5562FA326D2B76FB15A17D7389908FE93586FFEC3134908160BA74D6700523167234E98ED51451DB904D90BECD828B34BBDED36790203010001
+SIG TYPE = 655
+CN = www.wolfssl.com (15)
+COUNTRY = US (2)
+LOCALITY = Bozeman (7)
+STATE = Montana (7)
+ORG = Sawtooth (8)
+ORG UNIT = Consulting (10)
+```
+
+EXAMPLE B: (Assuming you've built and run the certgen_with_altnames example from
+            wolfssl-examples/certgen/ directory)
+
+```
+$ ./app ../certgen/newCert.der ECC
+PUBLIC KEY:
+3059301306072A8648CE3D020106082A8648CE3D03010703420004DC0E533A07160404DDA2D28685F8AB10880A1C17556443BE71C113BF5888268866187D976CB444CDE848C3AA6802251BF1FD2582FF1285BE869F5592ADD60C5D
+SIG TYPE = 524
+CN = www.yourDomain.com (18)
+COUNTRY = US (2)
+LOCALITY = Bozeman (7)
+STATE = MT (2)
+ORG = yourOrgNameHere (15)
+ORG UNIT = yourUnitNameHere (16)
+DNS:localhost
+DNS:example.com
+DNS:127.0.0.1
+IP:127.0.0.1
 ```

 For support, please contact support@wolfssl.com
--- a/certfields/main.c
+++ b/certfields/main.c
@ -31,6 +31,11 @@
 #include <wolfssl/wolfcrypt/rsa.h>
 #include <wolfssl/wolfcrypt/asn.h>

+enum {
+    RSA_KEY_TYPE = 2,
+    ECC_KEY_TYPE = 3,
+};
+
 static void err_sys(const char* msg, int ret)
 {
    if (ret) {
@ -41,7 +46,7 @@ static void err_sys(const char* msg, int ret)
    exit(EXIT_FAILURE);
 }

-int main(void)
+int main(int argc, char** argv)
 {
    int   ret, i;
    int   sigType;
@ -50,8 +55,11 @@ int main(void)
    byte  derCert[4096];
    word32 idx;
    FILE* file;
+    char* certFile;
+    int keyType;

-    RsaKey pubKey;
+    RsaKey pubKeyRsa;
+    ecc_key pubKeyEcc;
    WOLFSSL_X509* cert;
    WOLFSSL_EVP_PKEY* pubKeyTmp;
    WOLFSSL_X509_NAME* name;
@ -63,10 +71,27 @@ int main(void)
    char orgName[80];
    char orgUnit[80];

+    STACK_OF(GENERAL_NAME)* sk;
+
    /* ------ PARSE ORIGINAL SELF-SIGNED CERTIFICATE ------ */

+    if (argc < 3) {
+        printf("USAGE:\n"
+               "./app derCert keyType\n"
+               "EXAMPLE(s):\n"
+               "            ./app myCert.der RSA\n"
+               "            ./app myCert.der ECC\n");
+        err_sys("invalid input", -1);
+    }
+    certFile = argv[1]; /* certFile to check */
+    keyType = (XMEMCMP(argv[2], "RSA", 3) == 0) ? RSA_KEY_TYPE :
+                (XMEMCMP(argv[2], "ECC", 3) == 0) ? ECC_KEY_TYPE : 0; /* key */
+    if (keyType == 0)
+        err_sys("unsupported keyType", -1);
+
    /* open and read DER-formatted cert into buffer */
-    file = fopen("../certs/client-cert.der", "rb");
+    //file = fopen("../certs/client-cert.der", "rb");
+    file = fopen(certFile, "rb");
    if (!file)
        err_sys("can't open client certificate", 0);

@ -85,10 +110,17 @@ int main(void)
    if (pubKeyTmp == NULL)
        err_sys("wolfSSL_X509_get_pubkey failed", 0);

-    wc_InitRsaKey(&pubKey, 0);
    idx = 0;
-    ret = wc_RsaPublicKeyDecode((byte*)pubKeyTmp->pkey.ptr, &idx, &pubKey,
-                                pubKeyTmp->pkey_sz);
+    if (keyType == RSA_KEY_TYPE) {
+        wc_InitRsaKey(&pubKeyRsa, 0);
+        ret = wc_RsaPublicKeyDecode((byte*)pubKeyTmp->pkey.ptr, &idx,
+                                    &pubKeyRsa, pubKeyTmp->pkey_sz);
+    } else {
+        wc_ecc_init(&pubKeyEcc);
+        ret = wc_EccPublicKeyDecode((byte*)pubKeyTmp->pkey.ptr, &idx,
+                                    &pubKeyEcc, pubKeyTmp->pkey_sz);
+    }
+
    if (ret != 0)
        err_sys("wc_RsaPublicKeyDecode failed", ret);

@ -132,6 +164,27 @@ int main(void)
                                            orgUnit, sizeof(orgUnit));
    printf("ORG UNIT = %s (%d)\n", orgUnit, nameSz);

+    sk = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
+
+    for (i = 0; i < sk_GENERAL_NAME_num(sk); i++) {
+        GENERAL_NAME* gn = sk_GENERAL_NAME_value(sk, i);
+        if (gn->type == GEN_DNS) {
+            printf("DNS:%s\n", gn->d.dNSName->strData);
+        } else if (gn->type == GEN_IPADD) {
+            printf("IP:");
+            int j;
+            for (j = 0; j < gn->d.ip->length; j++) {
+                if (j < gn->d.ip->length - 1)
+                    printf("%d.", (int) gn->d.ip->strData[j]);
+                else
+                    printf("%d", (int) gn->d.ip->strData[j]);
+            }
+            printf("\n");
+        } else {
+            printf("Other type: %d\n", gn->type);
+        }
+    }
+
    wolfSSL_EVP_PKEY_free(pubKeyTmp);
    wolfSSL_X509_free(cert);