From ee78caaeec4d9a4bb35acd1539dd19f2fbae2e27 Mon Sep 17 00:00:00 2001
From: kaleb-himes
Date: Thu, 25 Jun 2020 14:24:01 -0600
Subject: [PATCH] Extend certfields to output alt names and tie in w/ certgen example

---
 certfields/README.md | 38 +++++++++++++++++++++++++-
 certfields/main.c    | 65 ++++++++++++++++++++++++++++++++++++++++----
 2 files changed, 96 insertions(+), 7 deletions(-)

diff --git a/certfields/README.md b/certfields/README.md
index a9b1f5a5..5de0a52a 100644
--- a/certfields/README.md
+++ b/certfields/README.md
@@ -18,7 +18,43 @@ Then, compile the example app:
 ```
 $ make
-$ ./app
+```
+
+Next, run the example app with a cert of your choice:
+
+EXAMPLE A:
+
+```
+$ ./app ../certs/ca-cert.der RSA
+PUBLIC KEY: 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
+SIG TYPE = 655
+CN = www.wolfssl.com (15)
+COUNTRY = US (2)
+LOCALITY = Bozeman (7)
+STATE = Montana (7)
+ORG = Sawtooth (8)
+ORG UNIT = Consulting (10)
+```
+
+EXAMPLE B: (Assuming you've built and run the certgen_with_altnames example from
+ wolfssl-examples/certgen/ directory)
+
+```
+$ ./app ../certgen/newCert.der ECC
+PUBLIC KEY:
+3059301306072A8648CE3D020106082A8648CE3D03010703420004DC0E533A07160404DDA2D28685F8AB10880A1C17556443BE71C113BF5888268866187D976CB444CDE848C3AA6802251BF1FD2582FF1285BE869F5592ADD60C5D
+SIG TYPE = 524
+CN = www.yourDomain.com (18)
+COUNTRY = US (2)
+LOCALITY = Bozeman (7)
+STATE = MT (2)
+ORG = yourOrgNameHere (15)
+ORG UNIT = yourUnitNameHere (16)
+DNS:localhost
+DNS:example.com
+DNS:127.0.0.1
+IP:127.0.0.1
 ```
 For support, please contact support@wolfssl.com
diff --git a/certfields/main.c b/certfields/main.c
index d173254f..d43ef460 100644
--- a/certfields/main.c
+++ b/certfields/main.c
@@ -31,6 +31,11 @@
 #include
 #include
+enum {
+    RSA_KEY_TYPE = 2,
+    ECC_KEY_TYPE = 3,
+};
+
 static void err_sys(const char* msg, int ret)
 {
     if (ret) {
@@ -41,7 +46,7 @@ static void err_sys(const char* msg, int ret)
     exit(EXIT_FAILURE);
 }
-int main(void)
+int main(int argc, char** argv)
 {
     int ret, i;
     int sigType;
@@ -50,8 +55,11 @@ int main(void)
     byte derCert[4096];
     word32 idx;
     FILE* file;
+    char* certFile;
+    int keyType;
-    RsaKey pubKey;
+    RsaKey pubKeyRsa;
+    ecc_key pubKeyEcc;
     WOLFSSL_X509* cert;
     WOLFSSL_EVP_PKEY* pubKeyTmp;
     WOLFSSL_X509_NAME* name;
@@ -63,10 +71,27 @@ int main(void)
     char orgName[80];
     char orgUnit[80];
+    STACK_OF(GENERAL_NAME)* sk;
+
     /* ------ PARSE ORIGINAL SELF-SIGNED CERTIFICATE ------ */
+    if (argc < 3) {
+        printf("USAGE:\n"
+               "./app derCert keyType\n"
+               "EXAMPLE(s):\n"
+               " ./app myCert.der RSA\n"
+               " ./app myCert.der ECC\n");
+        err_sys("invalid input", -1);
+    }
+    certFile = argv[1]; /* certFile to check */
+    keyType = (XMEMCMP(argv[2], "RSA", 3) == 0) ? RSA_KEY_TYPE :
+              (XMEMCMP(argv[2], "ECC", 3) == 0) ? ECC_KEY_TYPE : 0; /* key */
+    if (keyType == 0)
+        err_sys("unsupported keyType", -1);
+
     /* open and read DER-formatted cert into buffer */
-    file = fopen("../certs/client-cert.der", "rb");
+    //file = fopen("../certs/client-cert.der", "rb");
+    file = fopen(certFile, "rb");
     if (!file)
         err_sys("can't open client certificate", 0);
@@ -85,10 +110,17 @@ int main(void)
     if (pubKeyTmp == NULL)
         err_sys("wolfSSL_X509_get_pubkey failed", 0);
-    wc_InitRsaKey(&pubKey, 0);
     idx = 0;
-    ret = wc_RsaPublicKeyDecode((byte*)pubKeyTmp->pkey.ptr, &idx, &pubKey,
-                                pubKeyTmp->pkey_sz);
+    if (keyType == RSA_KEY_TYPE) {
+        wc_InitRsaKey(&pubKeyRsa, 0);
+        ret = wc_RsaPublicKeyDecode((byte*)pubKeyTmp->pkey.ptr, &idx,
+                                    &pubKeyRsa, pubKeyTmp->pkey_sz);
+    } else {
+        wc_ecc_init(&pubKeyEcc);
+        ret = wc_EccPublicKeyDecode((byte*)pubKeyTmp->pkey.ptr, &idx,
+                                    &pubKeyEcc, pubKeyTmp->pkey_sz);
+    }
+
     if (ret != 0)
         err_sys("wc_RsaPublicKeyDecode failed", ret);
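Review bot: In the argument-parsing hunk (`@@ -63,10 +71,27 @@`) the `XMEMCMP(argv[2], "RSA", 3)` / `XMEMCMP(argv[2], "ECC", 3)` comparisons read a fixed three bytes of argv[2] regardless of its actual length, so an argument shorter than three characters (e.g. `R`) is read past its terminator, and any longer string with a matching prefix (`RSAfoo`) is silently accepted. A bounded string compare that includes the terminator gives an exact, in-bounds match: `keyType = (XSTRNCMP(argv[2], "RSA", 4) == 0) ? RSA_KEY_TYPE :` / `          (XSTRNCMP(argv[2], "ECC", 4) == 0) ? ECC_KEY_TYPE : 0;`. The commented-out `//file = fopen("../certs/client-cert.der", "rb");` line should be deleted rather than left in, and the `"can't open client certificate"` message is now misleading since the path is user-supplied — printing certFile in that message would help. main's body continues outside this hunk.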
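Review bot: In the key-decode hunk (`@@ -85,10 +110,17 @@`) both branches fall through to `err_sys("wc_RsaPublicKeyDecode failed", ret);`, so a failure in the new ECC path is reported as an RSA failure. Select the message by branch, e.g. `err_sys(keyType == RSA_KEY_TYPE ? "wc_RsaPublicKeyDecode failed" : "wc_EccPublicKeyDecode failed", ret);`. The new `wc_ecc_init(&pubKeyEcc);` call also discards its return value, unlike the `ret =` pattern used for the decode calls right after it; checking it before decoding would keep the error handling consistent. The rest of main, including whatever releases the decoded key, is outside this hunk.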
@@ -132,6 +164,27 @@ int main(void)
                                      orgUnit, sizeof(orgUnit));
     printf("ORG UNIT = %s (%d)\n", orgUnit, nameSz);
+    sk = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
+
+    for (i = 0; i < sk_GENERAL_NAME_num(sk); i++) {
+        GENERAL_NAME* gn = sk_GENERAL_NAME_value(sk, i);
+        if (gn->type == GEN_DNS) {
+            printf("DNS:%s\n", gn->d.dNSName->strData);
+        } else if (gn->type == GEN_IPADD) {
+            printf("IP:");
+            int j;
+            for (j = 0; j < gn->d.ip->length; j++) {
+                if (j < gn->d.ip->length - 1)
+                    printf("%d.", (int) gn->d.ip->strData[j]);
+                else
+                    printf("%d", (int) gn->d.ip->strData[j]);
+            }
+            printf("\n");
+        } else {
+            printf("Other type: %d\n", gn->type);
+        }
+    }
+
     wolfSSL_EVP_PKEY_free(pubKeyTmp);
     wolfSSL_X509_free(cert);
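Review bot: The IP branch prints each octet as `(int) gn->d.ip->strData[j]`, and if strData is a plain `char` array (as it appears to be in wolfSSL's ASN1_STRING) any octet of 0x80 or above sign-extends on signed-char platforms, so an address such as 192.168.0.1 would print as `-64.-88.0.1`; convert through `unsigned char` first, `printf("%u", (unsigned char) gn->d.ip->strData[j]);` in both printf calls. The dotted-decimal layout is also only right for a 4-byte value — a 16-byte IPv6 iPAddress would be printed as sixteen dotted decimals, so a check on `gn->d.ip->length == 4` (falling back to hex otherwise) would be clearer. `sk` is never released after the loop; the stack returned by X509_get_ext_d2i belongs to the caller, and if wolfSSL's compat layer provides it, `sk_GENERAL_NAME_pop_free(sk, GENERAL_NAME_free);` after the loop closes the leak (please confirm the available API). Whether `sk_GENERAL_NAME_num(NULL)` yields a non-positive count when the certificate carries no SAN extension is presumably true as in OpenSSL, but an explicit `if (sk != NULL)` guard would document the assumption. The hunk may continue past the last visible line.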