Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug]: wolfSSL_X509_load_certificate_file doesn't load certificates use UUID or device identifier URNs #5963

Open
PaulMartinsen opened this issue Jan 8, 2023 · 0 comments
Assignees
Labels

Comments

@PaulMartinsen
Copy link

PaulMartinsen commented Jan 8, 2023

Contact Details

No response

Version

master branch

Description

wolfSSL_X509_load_certificate_file doesn't load certificates that use UUID (RFC 4122) or URNs for device identifiers (RFC 9039) in the subjectAltName. This would be useful for embedded devices without domain names that use URN device identifiers, for example.

In asn.c, DecodeAltNames checks for the presence of "\" to check the subjectAltName is not a relative URI:

        #if !defined(WOLFSSL_NO_ASN_STRICT) && !defined(WOLFSSL_FPKI)
            /* Verify RFC 5280 Sec 4.2.1.6 rule:
                "The name MUST NOT be a relative URI" */

            {
                int i;

                /* skip past scheme (i.e http,ftp,...) finding first ':' char */
                for (i = 0; i < strLen; i++) {
                    if (input[idx + i] == ':') {
                        break;
                    }
                    if (input[idx + i] == '/') {
                        WOLFSSL_MSG("\tAlt Name must be absolute URI");
                        WOLFSSL_ERROR_VERBOSE(ASN_ALT_NAME_E);
                        return ASN_ALT_NAME_E;
                    }
                }

                /* test if no ':' char was found and test that the next two
                 * chars are "//" to match the pattern "://" */
                if (i >= strLen - 2 || (input[idx + i + 1] != '/' ||
                                        input[idx + i + 2] != '/')) {
                    WOLFSSL_MSG("\tAlt Name must be absolute URI");
                    WOLFSSL_ERROR_VERBOSE(ASN_ALT_NAME_E);
                    return ASN_ALT_NAME_E;
                }
            }
        #endif

However this excludes many URIs that are not relative including uuids and device ids. From §4.3 of RFC 3986, absolute-URI = scheme ":" heir-part ["?"query], with (§3):

    hier-part     = "//" authority path-abempty
                  / path-absolute
                  / path-rootless
                  / path-empty

and in §3.3 --- Path:

    path-abempty  = *( "/" segment )
    path-absolute = "/" [ segment-nz *( "/" segment ) ]
    path-rootless = segment-nz *( "/" segment )
    path-empty    = 0<pchar>
    segment       = *pchar
    segment-nz    = 1*pchar
    segment-nz-nc = 1*( unreserved / pct-encoded / sub-delims / "@" )
                  ; non-zero-length segment without any colon ":"
    pchar         = unreserved / pct-encoded / sub-delims / ":" / "@"

Because an empty-path is a valid 'heir-part' a URI that contains a scheme must be an absolute path.

However, from §4.2.16 RFC 5280, when the subjectAltName extension contains a URI the name:
* MUST NOT be a relative URI
* MUST follow the URI syntax in RFC 3986
* MUST include both a scheme and a scheme-specific-part (this might mean that path-empty is not valid).

So it would seem that a non-relative URI for a subjectAltName is one that:

  1. has a scheme
  2. has a non-empty scheme specific part following the scheme delimiter (a ':').

Reproduction steps

No response

Relevant log output

No response

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants