WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #4536 from luizluca/refactor_nameconstraints-permit 

ASN: refactor name constraints checks
pull/4554/head
David Garske 2021-11-09 10:44:17 -08:00 committed by GitHub
parent bd0f6736c5 01335e2e1c
commit 9a83842c29
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 74 additions and 160 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

210
wolfcrypt/src/asn.c
View File

@ -13678,8 +13678,13 @@ static int MatchBaseName(int type, const char* name, int nameSz,
{ {
if (base == NULL || baseSz <= 0 || name == NULL || nameSz <= 0 || if (base == NULL || baseSz <= 0 || name == NULL || nameSz <= 0 ||
name[0] == '.' || nameSz < baseSz || name[0] == '.' || nameSz < baseSz ||
(type != ASN_RFC822_TYPE && type != ASN_DNS_TYPE)) (type != ASN_RFC822_TYPE && type != ASN_DNS_TYPE &&
type != ASN_DIR_TYPE)) {
return 0; return 0;
}
if (type == ASN_DIR_TYPE)
return XMEMCMP(name, base, baseSz) == 0;
/* If an email type, handle special cases where the base is only /* If an email type, handle special cases where the base is only
* a domain, or is an email address itself. */ * a domain, or is an email address itself. */
@ -13743,49 +13748,40 @@ static int MatchBaseName(int type, const char* name, int nameSz,
static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert) static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
{ {
const byte nameTypes[] = {ASN_RFC822_TYPE, ASN_DNS_TYPE, ASN_DIR_TYPE};
int i;
if (signer == NULL || cert == NULL) if (signer == NULL || cert == NULL)
return 0; return 0;
/* Check against the excluded list */ if (signer->excludedNames == NULL && signer->permittedNames == NULL)
if (signer->excludedNames != NULL) { return 1;
Base_entry* base = signer->excludedNames;
while (base != NULL) { for (i=0; i < (int)sizeof(nameTypes); i++) {
switch (base->type) { byte nameType = nameTypes[i];
DNS_entry* name = NULL;
DNS_entry subjectDnsName;
Base_entry* base;
switch (nameType) {
case ASN_DNS_TYPE: case ASN_DNS_TYPE:
{ /* Should it also consider CN in subject? It could use
DNS_entry* name = cert->altNames; * subjectDnsName too */
while (name != NULL) { name = cert->altNames;
if (MatchBaseName(ASN_DNS_TYPE,
name->name, name->len,
base->name, base->nameSz)) {
return 0;
}
name = name->next;
}
break; break;
}
case ASN_RFC822_TYPE: case ASN_RFC822_TYPE:
{ /* Shouldn't it validade E= in subject as well? */
DNS_entry* name = cert->altEmailNames; name = cert->altEmailNames;
while (name != NULL) {
if (MatchBaseName(ASN_RFC822_TYPE,
name->name, name->len,
base->name, base->nameSz)) {
return 0;
}
name = name->next;
}
break; break;
}
case ASN_DIR_TYPE: case ASN_DIR_TYPE:
{ if (cert->subjectRaw != NULL) {
/* allow permitted dirName smaller than actual subject */ subjectDnsName.next = NULL;
if (cert->subjectRawLen >= base->nameSz && subjectDnsName.type = ASN_DIR_TYPE;
XMEMCMP(cert->subjectRaw, base->name, subjectDnsName.len = cert->subjectRawLen;
base->nameSz) == 0) { subjectDnsName.name = (char *)cert->subjectRaw;
return 0; name = &subjectDnsName;
} }
#ifndef WOLFSSL_NO_ASN_STRICT #ifndef WOLFSSL_NO_ASN_STRICT
/* RFC 5280 section 4.2.1.10 /* RFC 5280 section 4.2.1.10
"Restrictions of the form directoryName MUST be "Restrictions of the form directoryName MUST be
@ -13793,140 +13789,58 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
of type directoryName in the subjectAltName of type directoryName in the subjectAltName
extension" extension"
*/ */
if (cert->altDirNames != NULL) { if (name != NULL)
DNS_entry* cur = cert->altDirNames; name->next = cert->altDirNames;
while (cur != NULL) { else
if (XMEMCMP(cur->name, base->name, base->nameSz) name = cert->altDirNames;
== 0) { #endif
WOLFSSL_MSG("DIR alt name constraint err"); break;
default:
/* Other types of names are ignored for now.
* Shouldn't it be rejected if it there is a altNamesByType[nameType]
* and signer->extNameConstraintCrit is set? */
return 0; return 0;
} }
cur = cur->next;
while (name != NULL) {
int match = 0;
int need = 0;
base = signer->excludedNames;
/* Check against the excluded list */
while (base != NULL) {
if (base->type == nameType) {
if (name->len >= base->nameSz &&
MatchBaseName(nameType,
name->name, name->len,
base->name, base->nameSz)) {
return 0;
} }
} }
#endif /* !WOLFSSL_NO_ASN_STRICT */
break;
}
default:
break;
}; /* switch */
base = base->next; base = base->next;
} }
}
/* Check against the permitted list */ /* Check against the permitted list */
if (signer->permittedNames != NULL) {
int permittedDir = 0;
int matchDir;
Base_entry* base;
DNS_entry* name;
/* Check each DNS name matches a permitted. */
name = cert->altNames;
while (name != NULL) {
int matchDns = 0;
int permittedDns = 0;
base = signer->permittedNames; base = signer->permittedNames;
do { while (base != NULL) {
/* Looking for permittedNames that are for DNS. */ if (base->type == nameType) {
if (base->type == ASN_DNS_TYPE) { need = 1;
permittedDns = 1; if (name->len >= base->nameSz &&
matchDns = MatchBaseName(ASN_DNS_TYPE, MatchBaseName(nameType,
name->name, name->len, name->name, name->len,
base->name, base->nameSz); base->name, base->nameSz)) {
} match = 1;
base = base->next;
} while (base != NULL && !matchDns);
/* If we found an DNS type permittedName then name must have had a
* match. */
if (permittedDns && !matchDns)
return 0;
if (!permittedDns)
break; break;
name = name->next;
}
/* Check each email name matches a permitted. */
name = cert->altEmailNames;
while (name != NULL) {
int matchEmail = 0;
int permittedEmail = 0;
base = signer->permittedNames;
do {
/* Looking for permittedNames that are for email. */
if (base->type == ASN_RFC822_TYPE) {
permittedEmail = 1;
matchEmail = MatchBaseName(ASN_DNS_TYPE,
name->name, name->len,
base->name, base->nameSz);
}
base = base->next;
} while ((base != NULL) && !matchEmail);
/* If we found an email type permittedName then name must have had a
* match. */
if (permittedEmail && !matchEmail)
return 0;
if (!permittedEmail)
break;
name = name->next;
}
/* Check subject name matches a permitted name. */
if (cert->subjectRaw != NULL) {
matchDir = 0;
permittedDir = 0;
base = signer->permittedNames;
while (base != NULL && !matchDir) {
/* Looking for permittedNames that are for directoryName. */
if (base->type == ASN_DIR_TYPE) {
permittedDir = 1;
if (cert->subjectRawLen >= base->nameSz &&
XMEMCMP(cert->subjectRaw, base->name, base->nameSz)
== 0) {
matchDir = 1;
} }
} }
base = base->next; base = base->next;
} }
/* If we found an dir name type permittedName then name must have
* had a match. */
if (permittedDir && !matchDir)
return 0;
}
#ifndef WOLFSSL_NO_ASN_STRICT if (need && !match)
/* RFC 5280 section 4.2.1.10
"Restrictions of the form directoryName MUST be
applied to the subject field .... and to any names
of type directoryName in the subjectAltName
extension"
*/
/* Check each alt dir name matches a permitted. */
name = cert->altDirNames;
while (permittedDir && name != NULL) {
int matchAltDir = 0;
base = signer->permittedNames;
do {
/* Looking for permittedNames that are for directoryName. */
if (base->type == ASN_DIR_TYPE) {
if (XMEMCMP(name->name, base->name, base->nameSz) == 0) {
matchAltDir = 1;
}
}
base = base->next;
} while ((base != NULL) && !matchAltDir);
/* If we found an dir name type permittedName then name must have
* had a match. */
if (permittedDir && !matchAltDir)
return 0; return 0;
name = name->next; name = name->next;
} }
#endif /* !WOLFSSL_NO_ASN_STRICT */
} }
return 1; return 1;