Mbed-TLS · BrianSipos · Jan 10, 2025
diff --git a/ChangeLog.d/register-name-constraints.txt b/ChangeLog.d/register-name-constraints.txt
@@ -0,0 +1,5 @@
+Features
+   * Decode Name Constraints extension.
+   * Show info for Name Constraints for a certificate.
+   * Handle Other Name type of General Name as opaque data.
+   * Show info for BundleEID Other Name for a certificate.
diff --git a/framework b/framework
diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h
@@ -134,6 +134,9 @@
 #define MBEDTLS_X509_SAN_IP_ADDRESS                      7
 #define MBEDTLS_X509_SAN_REGISTERED_ID                   8
 
+#define MBEDTLS_X509_NAME_CONST_INCL                     0
+#define MBEDTLS_X509_NAME_CONST_EXCL                     1
+
 /*
  * X.509 v3 Key Usage Extension flags
  * Reminder: update mbedtls_x509_info_key_usage() when adding new flags.
@@ -277,6 +280,9 @@ typedef struct mbedtls_x509_san_other_name {
             mbedtls_x509_buf val;               /**< The named value. */
         }
         hardware_module_name;
+        /** Raw source value for non-constructed types.
+         */
+        mbedtls_x509_buf raw;
     }
     value;
 }

diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
@@ -67,6 +67,9 @@ typedef struct mbedtls_x509_crt {
     mbedtls_x509_buf subject_key_id;    /**< Optional X.509 v3 extension subject key identifier. */
     mbedtls_x509_authority authority_key_id;    /**< Optional X.509 v3 extension authority key identifier. */
 
+    mbedtls_x509_sequence name_constraints_incl;    /**< Optional list of raw entries of Name Constraints extension (currently only dNSName and OtherName are listed). */
+    mbedtls_x509_sequence name_constraints_excl;    /**< Optional list of raw entries of Name Constraints extension (currently only dNSName and OtherName are listed). */
+
     mbedtls_x509_sequence certificate_policies; /**< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). */
 
     int MBEDTLS_PRIVATE(ext_types);              /**< Bit string containing detected and parsed extensions */

diff --git a/library/x509.c b/library/x509.c
@@ -1190,6 +1190,7 @@ int mbedtls_x509_time_is_future(const mbedtls_x509_time *from)
  *
  * NOTE: we currently only parse and use otherName of type HwModuleName,
  * as defined in RFC 4108.
+ * Other type-ids are kept as raw, undecoded ASN.1 bytes.
  */
 static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name,
                                mbedtls_x509_san_other_name *other_name)
@@ -1218,12 +1219,7 @@ static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name,
     cur_oid.p = p;
     cur_oid.len = len;
 
-    /*
-     * Only HwModuleName is currently supported.
-     */
-    if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME, &cur_oid) != 0) {
-        return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
-    }
+    /* Value context-specific tag */
     other_name->type_id = cur_oid;
 
     p += len;
@@ -1238,38 +1234,64 @@ static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name,
                                  MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
     }
 
-    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
-                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
-        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
-    }
+    /*
+     * HwModuleName
+     */
+    if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME, &cur_oid) == 0) {
+        if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+                                        MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+        }
 
-    if (end != p + len) {
-        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
-                                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
-    }
+        if (end != p + len) {
+            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+                                     MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+        }
 
-    if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID)) != 0) {
-        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
-    }
+        if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID)) != 0) {
+            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+        }
 
-    other_name->value.hardware_module_name.oid.tag = MBEDTLS_ASN1_OID;
-    other_name->value.hardware_module_name.oid.p = p;
-    other_name->value.hardware_module_name.oid.len = len;
+        other_name->value.hardware_module_name.oid.tag = MBEDTLS_ASN1_OID;
+        other_name->value.hardware_module_name.oid.p = p;
+        other_name->value.hardware_module_name.oid.len = len;
 
-    p += len;
-    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
-                                    MBEDTLS_ASN1_OCTET_STRING)) != 0) {
-        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+        p += len;
+        if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+                                        MBEDTLS_ASN1_OCTET_STRING)) != 0) {
+            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+        }
+
+        other_name->value.hardware_module_name.val.tag = MBEDTLS_ASN1_OCTET_STRING;
+        other_name->value.hardware_module_name.val.p = p;
+        other_name->value.hardware_module_name.val.len = len;
+        p += len;
+        if (p != end) {
+            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+                                     MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+        }
     }
+    /* Arbitrary raw value */
+    else {
+        if (p >= end) {
+            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+                                     MBEDTLS_ERR_ASN1_OUT_OF_DATA);
+        }
+        other_name->value.raw.tag = *p;
+        p++;
 
-    other_name->value.hardware_module_name.val.tag = MBEDTLS_ASN1_OCTET_STRING;
-    other_name->value.hardware_module_name.val.p = p;
-    other_name->value.hardware_module_name.val.len = len;
-    p += len;
-    if (p != end) {
-        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
-                                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+        if ((ret = mbedtls_asn1_get_len(&p, end, &len)) != 0) {
+            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+        }
+        other_name->value.raw.p = p;
+        other_name->value.raw.len = len;
+        p += len;
+        if (p != end) {
+            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+                                     MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+        }
     }
+
     return 0;
 }
 
@@ -1640,6 +1662,40 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
                         MBEDTLS_X509_SAFE_SNPRINTF;
                     }
                 }/* MBEDTLS_OID_ON_HW_MODULE_NAME */
+                else if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_BUNDLE_EID,
+                                    &other_name->type_id) == 0) {
+                    int len = 0;
+                    const char *str = NULL;
+                    if (other_name->value.raw.tag == MBEDTLS_ASN1_IA5_STRING) {
+                        len = other_name->value.raw.len;
+                        str = (char*)other_name->value.raw.p;
+                    }
+
+                    ret = mbedtls_snprintf(p, n, "\n%s        BundleEID : %.*s", prefix,
+                                           len, str);
+                    MBEDTLS_X509_SAFE_SNPRINTF;
+                }/* MBEDTLS_OID_ON_BUNDLE_EID */
+                else {
+                    /* Show type OID */
+                    ret = mbedtls_snprintf(p, n, "\n%s        type-id : ", prefix);
+                    MBEDTLS_X509_SAFE_SNPRINTF;
+
+                    ret = mbedtls_oid_get_numeric_string(p,
+                                                         n,
+                                                         &other_name->type_id);
+                    MBEDTLS_X509_SAFE_SNPRINTF;
+
+                    ret = mbedtls_snprintf(p, n, "\n%s        value : ", prefix);
+                    MBEDTLS_X509_SAFE_SNPRINTF;
+
+                    for (i = 0; i < other_name->value.raw.len; i++) {
+                        ret = mbedtls_snprintf(p,
+                                               n,
+                                               "%02X",
+                                               other_name->value.raw.p[i]);
+                        MBEDTLS_X509_SAFE_SNPRINTF;
+                    }
+                }
             }
             break;
             /*
+4 −4		data_files/.gitignore
+6 −0		data_files/Makefile
+ −		data_files/parse_input/server5-bp_eid.crt.der
+13 −0		data_files/parse_input/test-ca-name_constraints_dns_ec.crt
+7 −0		data_files/test-ca.opensslconf
+1 −1		scripts/all-core.sh
+4 −5		scripts/check_files.py
+46 −51		scripts/generate_psa_tests.py
+3 −3		scripts/mbedtls_framework/build_tree.py
+1 −1		scripts/mbedtls_framework/code_wrapper/psa_wrapper.py
+3 −7		scripts/mbedtls_framework/collect_test_cases.py
+0 −122		scripts/mbedtls_framework/min_requirements.py
+28 −17		scripts/mbedtls_framework/psa_information.py
+14 −9		scripts/mbedtls_framework/psa_storage.py
+14 −69		scripts/mbedtls_framework/psa_test_case.py
+0 −40		scripts/pkgconfig.sh