From e82341646a0e29c1066afba90434caeed558e57f Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Wed, 3 Apr 2019 09:45:07 +0300 Subject: [PATCH 1/3] Add certificate policy oid x509 extension Add the `MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES` to the list of supported x509 extensions, in `mbedtls_oid_get_x509_ext_type()`. --- ChangeLog | 1 + library/oid.c | 14 +++++++++----- tests/suites/test_suite_oid.data | 24 ++++++++++++++++++++++++ tests/suites/test_suite_oid.function | 23 +++++++++++++++++++++++ 4 files changed, 57 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9ab0c03c6..984de6a45 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,7 @@ Features * It is now possible to use NIST key wrap mode via the mbedtls_cipher API. Contributed by Jack Lloyd and Fortanix Inc. * Add the Wi-SUN Field Area Network (FAN) device extended key usage. + * Add the oid certificate policy x509 extension. Bugfix * Fix private key DER output in the key_app_writer example. File contents diff --git a/library/oid.c b/library/oid.c index 8059a336c..2d22b11f2 100644 --- a/library/oid.c +++ b/library/oid.c 
@@ -254,25 +254,29 @@ typedef struct { static const oid_x509_ext_t oid_x509_ext[] = { { - { ADD_LEN( MBEDTLS_OID_BASIC_CONSTRAINTS ), "id-ce-basicConstraints", "Basic Constraints" }, + { ADD_LEN( MBEDTLS_OID_BASIC_CONSTRAINTS ), "id-ce-basicConstraints", "Basic Constraints" }, MBEDTLS_OID_X509_EXT_BASIC_CONSTRAINTS, }, { - { ADD_LEN( MBEDTLS_OID_KEY_USAGE ), "id-ce-keyUsage", "Key Usage" }, + { ADD_LEN( MBEDTLS_OID_KEY_USAGE ), "id-ce-keyUsage", "Key Usage" }, MBEDTLS_OID_X509_EXT_KEY_USAGE, }, { - { ADD_LEN( MBEDTLS_OID_EXTENDED_KEY_USAGE ), "id-ce-extKeyUsage", "Extended Key Usage" }, + { ADD_LEN( MBEDTLS_OID_EXTENDED_KEY_USAGE ), "id-ce-extKeyUsage", "Extended Key Usage" }, MBEDTLS_OID_X509_EXT_EXTENDED_KEY_USAGE, }, { - { ADD_LEN( MBEDTLS_OID_SUBJECT_ALT_NAME ), "id-ce-subjectAltName", "Subject Alt Name" }, + { ADD_LEN( MBEDTLS_OID_SUBJECT_ALT_NAME ), "id-ce-subjectAltName", "Subject Alt Name" }, MBEDTLS_OID_X509_EXT_SUBJECT_ALT_NAME, }, { - { ADD_LEN( MBEDTLS_OID_NS_CERT_TYPE ), "id-netscape-certtype", "Netscape Certificate Type" }, + { ADD_LEN( MBEDTLS_OID_NS_CERT_TYPE ), "id-netscape-certtype", "Netscape Certificate Type" }, MBEDTLS_OID_X509_EXT_NS_CERT_TYPE, }, + { + { ADD_LEN( MBEDTLS_OID_CERTIFICATE_POLICIES ), "id-ce-certificatePolicies", "Certificate Policies" }, + MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES, + }, { { NULL, 0, NULL, NULL }, 0, diff --git a/tests/suites/test_suite_oid.data b/tests/suites/test_suite_oid.data index 625085f16..3d5d9db3f 100644 --- a/tests/suites/test_suite_oid.data +++ b/tests/suites/test_suite_oid.data 
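Review bot: Adding id-ce-certificatePolicies to oid_x509_ext[] changes how every certificate that carries this extension is parsed, yet the series touches only the OID table. Before this patch mbedtls_oid_get_x509_ext_type() returned MBEDTLS_ERR_OID_NOT_FOUND for it and the x509 parser took its "unknown extension" path (skip when non-critical); afterwards the lookup succeeds and x509_get_crt_ext() dispatches on MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES, so if that switch has no matching case and its default arm rejects known-but-unparsed types, certificates containing certificatePolicies — which is present in practically all publicly trusted certificates — would stop parsing, a regression that breaks TLS connections rather than adds a feature. I cannot see x509_crt.c from this hunk, so please confirm that a `case MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES:` (a parser or an explicit skip) lands in the same change, and state the dependency in the commit description. A short comment above the new entry would also help the next maintainer, e.g. `/* Recognised here so ext_types can record it; x509_get_crt_ext() must handle this type or parsing fails. */`.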
@@ -33,3 +33,27 @@ oid_get_extended_key_usage:"5533445566":"" OID get Ext Key Usage wrong oid - id-ce-authorityKeyIdentifier oid_get_extended_key_usage:"551D23":"" + +OID get x509 extension - id-ce-basicConstraints +oid_get_x509_extension:"551D13":MBEDTLS_OID_X509_EXT_BASIC_CONSTRAINTS + +OID get x509 extension - id-ce-keyUsage +oid_get_x509_extension:"551D0F":MBEDTLS_OID_X509_EXT_KEY_USAGE + +OID get x509 extension - id-ce-extKeyUsage +oid_get_x509_extension:"551D25":MBEDTLS_OID_X509_EXT_EXTENDED_KEY_USAGE + +OID get x509 extension - id-ce-subjectAltName +oid_get_x509_extension:"551D11":MBEDTLS_OID_X509_EXT_SUBJECT_ALT_NAME + +OID get x509 extension - id-netscape-certtype +oid_get_x509_extension:"6086480186F8420101":MBEDTLS_OID_X509_EXT_NS_CERT_TYPE + +OID get x509 extension - id-ce-certificatePolicies +oid_get_x509_extension:"551D20":MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES + +OID get x509 extension - invalid oid +oid_get_x509_extension:"5533445566":0 + +OID get x509 extension - wrong oid - id-ce +oid_get_x509_extension:"551D":0 diff --git a/tests/suites/test_suite_oid.function b/tests/suites/test_suite_oid.function index 59e700e51..890ffecad 100644 --- a/tests/suites/test_suite_oid.function +++ b/tests/suites/test_suite_oid.function @@ -55,3 +55,26 @@ void oid_get_extended_key_usage( data_t *oid, char *result_str ) } } /* END_CASE */ + +/* BEGIN_CASE */ +void oid_get_x509_extension( data_t *oid, int exp_type ) +{ + mbedtls_asn1_buf ext_oid = { 0, 0, NULL }; + int ret; + int ext_type; + + ext_oid.tag = MBEDTLS_ASN1_OID; + ext_oid.p = oid->x; + ext_oid.len = oid->len; + + ret = mbedtls_oid_get_x509_ext_type( &ext_oid, &ext_type ); + if( exp_type == 0 ) + { + TEST_ASSERT( ret == MBEDTLS_ERR_OID_NOT_FOUND ); + } + else + { + TEST_ASSERT( ext_type == exp_type ); + } +} +/* END_CASE */ From 685a398a6b0082f7fd16f3d9f6e70a9d616e41c8 Mon Sep 17 00:00:00 2001 
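Review bot: The success branch of oid_get_x509_extension() never checks `ret`, so if mbedtls_oid_get_x509_ext_type() fails without writing `*ext_type`, `TEST_ASSERT( ext_type == exp_type )` compares an uninitialised int and the outcome is undefined instead of a clear failure. Add `TEST_ASSERT( ret == 0 );` immediately before `TEST_ASSERT( ext_type == exp_type );` in the else branch, and declare `int ext_type = 0;` so neither path can read garbage. With that, a table entry that is silently dropped from oid_x509_ext[] shows up as a failing test rather than as a lucky stack value.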
From: Ron Eldor Date: Wed, 3 Apr 2019 09:46:27 +0300 Subject: [PATCH 2/3] Minor fixes in get certificate policies oid test 1. Remove irrelevant dependency on `MBEDTLS_ASN1_WRITE_C`. 2. Remove whitespace between `*` and parameter. --- tests/suites/test_suite_oid.function | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_oid.function b/tests/suites/test_suite_oid.function index 890ffecad..cb8abe638 100644 --- a/tests/suites/test_suite_oid.function +++ b/tests/suites/test_suite_oid.function @@ -10,8 +10,8 @@ * END_DEPENDENCIES */ -/* BEGIN_CASE depends_on:MBEDTLS_ASN1_WRITE_C*/ -void oid_get_certificate_policies( data_t * oid, char * result_str ) +/* BEGIN_CASE */ +void oid_get_certificate_policies( data_t *oid, char *result_str ) { mbedtls_asn1_buf asn1_buf = { 0, 0, NULL }; int ret; From 3b4f9eac445f2eb971adb75e36444a3e24a8bdaf Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Tue, 16 Apr 2019 13:31:27 +0300 Subject: [PATCH 3/3] Update crypto submodule Update crypto submodule to latest commit --- crypto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto b/crypto index 82b3b83d5..125a1e980 160000 --- a/crypto +++ b/crypto @@ -1 +1 @@ -Subproject commit 82b3b83d540ec9611277ca3e9b645b335f80846a +Subproject commit 125a1e980e44a8b756ba3a9a3b7c4d1ce5cbf134
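Review bot: Removing `depends_on:MBEDTLS_ASN1_WRITE_C` from oid_get_certificate_policies() is only correct if its body calls no mbedtls_asn1_write_* routine, and the function continues past the end of the hunk, so that cannot be verified here; builds configured without MBEDTLS_ASN1_WRITE_C will now compile and run this case. Please confirm the body only exercises mbedtls_oid_get_certificate_policies() and the ASN.1 parse side, and say so in the commit message, e.g. `The test only parses an OID and never calls an ASN.1 write routine.`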