AuroraMiddleware/mbedtls
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Make many fields of X.509 structures public

Browse Source 
The structures mbedtls_x509_time, mbedtls_x509_crl_entry, mbedtls_x509_crl,
mbedtls_x509_crt, mbedtls_x509_san_other_name,
mbedtls_x509_subject_alternative_name, mbedtls_x509_csr are designed to
expose the result of parsing X.509 data. Document many of their fields as
being publicly readable.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
Gilles Peskine 2021-08-04 21:56:10 +02:00
parent b89d9c0599
commit 842edf474c
5 changed files with 83 additions and 59 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
include/mbedtls/x509.h
View File

@ -246,8 +246,8 @@ typedef mbedtls_asn1_sequence mbedtls_x509_sequence;
/** Container for date and time (precision in seconds). */
typedef struct mbedtls_x509_time
{
int MBEDTLS_PRIVATE(year), MBEDTLS_PRIVATE(mon), MBEDTLS_PRIVATE(day); /**< Date. */
int MBEDTLS_PRIVATE(hour), MBEDTLS_PRIVATE(min), MBEDTLS_PRIVATE(sec); /**< Time. */
int year, mon, day; /**< Date. */
int hour, min, sec; /**< Time. */
}
mbedtls_x509_time;

43
include/mbedtls/x509_crl.h
View File

@ -43,16 +43,25 @@ extern "C" {
/**
* Certificate revocation list entry.
* Contains the CA-specific serial numbers and revocation dates.
*
* Some fields of this structure are publicly readable. Do not modify
* them except via Mbed TLS library functions: the effect of modifying
* those fields or the data that those fields points to is unspecified.
*/
typedef struct mbedtls_x509_crl_entry
{
mbedtls_x509_buf MBEDTLS_PRIVATE(raw);
mbedtls_x509_buf MBEDTLS_PRIVATE(serial);
mbedtls_x509_time MBEDTLS_PRIVATE(revocation_date);
mbedtls_x509_buf MBEDTLS_PRIVATE(entry_ext);
/** Direct access to the whole entry inside the containing buffer. */
mbedtls_x509_buf raw;
/** The serial number of the revoked certificate. */
mbedtls_x509_buf serial;
/** The revocation date of this entry. */
mbedtls_x509_time revocation_date;
/** Direct access to the list of CRL entry extensions
* (an ASN.1 constructed sequence).
*
* If there are no extensions, `entry_ext.len == 0` and
* `entry_ext.p == NULL`. */
mbedtls_x509_buf entry_ext;
struct mbedtls_x509_crl_entry *MBEDTLS_PRIVATE(next);
}
@ -64,22 +73,22 @@ mbedtls_x509_crl_entry;
*/
typedef struct mbedtls_x509_crl
{
mbedtls_x509_buf MBEDTLS_PRIVATE(raw); /**< The raw certificate data (DER). */
mbedtls_x509_buf MBEDTLS_PRIVATE(tbs); /**< The raw certificate body (DER). The part that is To Be Signed. */
mbedtls_x509_buf raw; /**< The raw certificate data (DER). */
mbedtls_x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */
int MBEDTLS_PRIVATE(version); /**< CRL version (1=v1, 2=v2) */
mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid); /**< CRL signature type identifier */
int version; /**< CRL version (1=v1, 2=v2) */
mbedtls_x509_buf sig_oid; /**< CRL signature type identifier */
mbedtls_x509_buf MBEDTLS_PRIVATE(issuer_raw); /**< The raw issuer data (DER). */
mbedtls_x509_buf issuer_raw; /**< The raw issuer data (DER). */
mbedtls_x509_name MBEDTLS_PRIVATE(issuer); /**< The parsed issuer data (named information object). */
mbedtls_x509_name issuer; /**< The parsed issuer data (named information object). */
mbedtls_x509_time MBEDTLS_PRIVATE(this_update);
mbedtls_x509_time MBEDTLS_PRIVATE(next_update);
mbedtls_x509_time this_update;
mbedtls_x509_time next_update;
mbedtls_x509_crl_entry MBEDTLS_PRIVATE(entry); /**< The CRL entries containing the certificate revocation times for this CA. */
mbedtls_x509_crl_entry entry; /**< The CRL entries containing the certificate revocation times for this CA. */
mbedtls_x509_buf MBEDTLS_PRIVATE(crl_ext);
mbedtls_x509_buf crl_ext;
mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid2);
mbedtls_x509_buf MBEDTLS_PRIVATE(sig);

69
include/mbedtls/x509_crt.h
View File

@ -45,36 +45,40 @@ extern "C" {
/**
* Container for an X.509 certificate. The certificate may be chained.
*
* Some fields of this structure are publicly readable. Do not modify
* them except via Mbed TLS library functions: the effect of modifying
* those fields or the data that those fields points to is unspecified.
*/
typedef struct mbedtls_x509_crt
{
int MBEDTLS_PRIVATE(own_buffer); /**< Indicates if \c raw is owned
* by the structure or not. */
mbedtls_x509_buf MBEDTLS_PRIVATE(raw); /**< The raw certificate data (DER). */
mbedtls_x509_buf MBEDTLS_PRIVATE(tbs); /**< The raw certificate body (DER). The part that is To Be Signed. */
mbedtls_x509_buf raw; /**< The raw certificate data (DER). */
mbedtls_x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */
int MBEDTLS_PRIVATE(version); /**< The X.509 version. (1=v1, 2=v2, 3=v3) */
mbedtls_x509_buf MBEDTLS_PRIVATE(serial); /**< Unique id for certificate issued by a specific CA. */
mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid); /**< Signature algorithm, e.g. sha1RSA */
int version; /**< The X.509 version. (1=v1, 2=v2, 3=v3) */
mbedtls_x509_buf serial; /**< Unique id for certificate issued by a specific CA. */
mbedtls_x509_buf sig_oid; /**< Signature algorithm, e.g. sha1RSA */
mbedtls_x509_buf MBEDTLS_PRIVATE(issuer_raw); /**< The raw issuer data (DER). Used for quick comparison. */
mbedtls_x509_buf MBEDTLS_PRIVATE(subject_raw); /**< The raw subject data (DER). Used for quick comparison. */
mbedtls_x509_buf issuer_raw; /**< The raw issuer data (DER). Used for quick comparison. */
mbedtls_x509_buf subject_raw; /**< The raw subject data (DER). Used for quick comparison. */
mbedtls_x509_name MBEDTLS_PRIVATE(issuer); /**< The parsed issuer data (named information object). */
mbedtls_x509_name MBEDTLS_PRIVATE(subject); /**< The parsed subject data (named information object). */
mbedtls_x509_name issuer; /**< The parsed issuer data (named information object). */
mbedtls_x509_name subject; /**< The parsed subject data (named information object). */
mbedtls_x509_time MBEDTLS_PRIVATE(valid_from); /**< Start time of certificate validity. */
mbedtls_x509_time MBEDTLS_PRIVATE(valid_to); /**< End time of certificate validity. */
mbedtls_x509_time valid_from; /**< Start time of certificate validity. */
mbedtls_x509_time valid_to; /**< End time of certificate validity. */
mbedtls_x509_buf MBEDTLS_PRIVATE(pk_raw);
mbedtls_pk_context MBEDTLS_PRIVATE(pk); /**< Container for the public key context. */
mbedtls_x509_buf pk_raw;
mbedtls_pk_context pk; /**< Container for the public key context. */
mbedtls_x509_buf MBEDTLS_PRIVATE(issuer_id); /**< Optional X.509 v2/v3 issuer unique identifier. */
mbedtls_x509_buf MBEDTLS_PRIVATE(subject_id); /**< Optional X.509 v2/v3 subject unique identifier. */
mbedtls_x509_buf MBEDTLS_PRIVATE(v3_ext); /**< Optional X.509 v3 extensions. */
mbedtls_x509_sequence MBEDTLS_PRIVATE(subject_alt_names); /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). */
mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */
mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */
mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */
mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). */
mbedtls_x509_sequence MBEDTLS_PRIVATE(certificate_policies); /**< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). */
mbedtls_x509_sequence certificate_policies; /**< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). */
int MBEDTLS_PRIVATE(ext_types); /**< Bit string containing detected and parsed extensions */
int MBEDTLS_PRIVATE(ca_istrue); /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
@ -82,7 +86,7 @@ typedef struct mbedtls_x509_crt
unsigned int MBEDTLS_PRIVATE(key_usage); /**< Optional key usage extension value: See the values in x509.h */
mbedtls_x509_sequence MBEDTLS_PRIVATE(ext_key_usage); /**< Optional list of extended key usage OIDs. */
mbedtls_x509_sequence ext_key_usage; /**< Optional list of extended key usage OIDs. */
unsigned char MBEDTLS_PRIVATE(ns_cert_type); /**< Optional Netscape certificate type extension value: See the values in x509.h */
@ -100,6 +104,9 @@ mbedtls_x509_crt;
* OtherName ::= SEQUENCE {
* type-id OBJECT IDENTIFIER,
* value [0] EXPLICIT ANY DEFINED BY type-id }
*
* Future versions of the library may add new fields to this structure or
* to its embedded union and structure.
*/
typedef struct mbedtls_x509_san_other_name
{
@ -108,7 +115,7 @@ typedef struct mbedtls_x509_san_other_name
* To check the value of the type id, you should use
* \p MBEDTLS_OID_CMP with a known OID mbedtls_x509_buf.
*/
mbedtls_x509_buf MBEDTLS_PRIVATE(type_id); /**< The type id. */
mbedtls_x509_buf type_id; /**< The type id. */
union
{
/**
@ -119,26 +126,30 @@ typedef struct mbedtls_x509_san_other_name
*/
struct
{
mbedtls_x509_buf MBEDTLS_PRIVATE(oid); /**< The object identifier. */
mbedtls_x509_buf MBEDTLS_PRIVATE(val); /**< The named value. */
mbedtls_x509_buf oid; /**< The object identifier. */
mbedtls_x509_buf val; /**< The named value. */
}
MBEDTLS_PRIVATE(hardware_module_name);
hardware_module_name;
}
MBEDTLS_PRIVATE(value);
value;
}
mbedtls_x509_san_other_name;
/**
* A structure for holding the parsed Subject Alternative Name, according to type
* A structure for holding the parsed Subject Alternative Name,
* according to type.
*
* Future versions of the library may add new fields to this structure or
* to its embedded union and structure.
*/
typedef struct mbedtls_x509_subject_alternative_name
{
int MBEDTLS_PRIVATE(type); /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
int type; /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
union {
mbedtls_x509_san_other_name MBEDTLS_PRIVATE(other_name); /**< The otherName supported type. */
mbedtls_x509_buf MBEDTLS_PRIVATE(unstructured_name); /**< The buffer for the un constructed types. Only dnsName currently supported */
mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */
mbedtls_x509_buf unstructured_name; /**< The buffer for the un constructed types. Only dnsName currently supported */
}
MBEDTLS_PRIVATE(san); /**< A union of the supported SAN types */
san; /**< A union of the supported SAN types */
}
mbedtls_x509_subject_alternative_name;

18
include/mbedtls/x509_csr.h
View File

@ -42,20 +42,24 @@ extern "C" {
/**
* Certificate Signing Request (CSR) structure.
*
* Some fields of this structure are publicly readable. Do not modify
* them except via Mbed TLS library functions: the effect of modifying
* those fields or the data that those fields points to is unspecified.
*/
typedef struct mbedtls_x509_csr
{
mbedtls_x509_buf MBEDTLS_PRIVATE(raw); /**< The raw CSR data (DER). */
mbedtls_x509_buf MBEDTLS_PRIVATE(cri); /**< The raw CertificateRequestInfo body (DER). */
mbedtls_x509_buf raw; /**< The raw CSR data (DER). */
mbedtls_x509_buf cri; /**< The raw CertificateRequestInfo body (DER). */
int MBEDTLS_PRIVATE(version); /**< CSR version (1=v1). */
int version; /**< CSR version (1=v1). */
mbedtls_x509_buf MBEDTLS_PRIVATE(subject_raw); /**< The raw subject data (DER). */
mbedtls_x509_name MBEDTLS_PRIVATE(subject); /**< The parsed subject data (named information object). */
mbedtls_x509_buf subject_raw; /**< The raw subject data (DER). */
mbedtls_x509_name subject; /**< The parsed subject data (named information object). */
mbedtls_pk_context MBEDTLS_PRIVATE(pk); /**< Container for the public key context. */
mbedtls_pk_context pk; /**< Container for the public key context. */
mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid);
mbedtls_x509_buf sig_oid;
mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */

8
programs/x509/cert_write.c
View File

@ -514,7 +514,7 @@ int main( int argc, char *argv[] )
}
ret = mbedtls_x509_dn_gets( issuer_name, sizeof(issuer_name),
&issuer_crt.MBEDTLS_PRIVATE(subject) );
&issuer_crt.subject );
if( ret < 0 )
{
mbedtls_strerror( ret, buf, 1024 );
@ -548,7 +548,7 @@ int main( int argc, char *argv[] )
}
ret = mbedtls_x509_dn_gets( subject_name, sizeof(subject_name),
&csr.MBEDTLS_PRIVATE(subject) );
&csr.subject );
if( ret < 0 )
{
mbedtls_strerror( ret, buf, 1024 );
@ -558,7 +558,7 @@ int main( int argc, char *argv[] )
}
opt.subject_name = subject_name;
subject_key = &csr.MBEDTLS_PRIVATE(pk);
subject_key = &csr.pk;
mbedtls_printf( " ok\n" );
}
@ -602,7 +602,7 @@ int main( int argc, char *argv[] )
//
if( strlen( opt.issuer_crt ) )
{
if( mbedtls_pk_check_pair( &issuer_crt.MBEDTLS_PRIVATE(pk), issuer_key,
if( mbedtls_pk_check_pair( &issuer_crt.pk, issuer_key,
mbedtls_ctr_drbg_random, &ctr_drbg ) != 0 )
{
mbedtls_printf( " failed\n ! issuer_key does not match "