wolfSSL_X509_load_certificate_file doesn't load certificates that use UUID (RFC 4122) or URNs for device identifiers (RFC 9039) in the subjectAltName. This would be useful for embedded devices without domain names that use URN device identifiers, for example.
In asn.c, DecodeAltNames checks for the presence of "/" to check the subjectAltName is not a relative URI:
#if !defined(WOLFSSL_NO_ASN_STRICT) && !defined(WOLFSSL_FPKI)
    /* Verify RFC 5280 Sec 4.2.1.6 rule:
       "The name MUST NOT be a relative URI" */
    {
        int i;
        /* skip past scheme (i.e http,ftp,...) finding first ':' char */
        for (i = 0; i < strLen; i++) {
            if (input[idx + i] == ':') {
                break;
            }
            if (input[idx + i] == '/') {
                WOLFSSL_MSG("\tAlt Name must be absolute URI");
                WOLFSSL_ERROR_VERBOSE(ASN_ALT_NAME_E);
                return ASN_ALT_NAME_E;
            }
        }
        /* test if no ':' char was found and test that the next two
         * chars are "//" to match the pattern "://" */
        if (i >= strLen - 2 || (input[idx + i + 1] != '/' ||
                                input[idx + i + 2] != '/')) {
            WOLFSSL_MSG("\tAlt Name must be absolute URI");
            WOLFSSL_ERROR_VERBOSE(ASN_ALT_NAME_E);
            return ASN_ALT_NAME_E;
        }
    }
#endif
However, this excludes many URIs that are not relative, including UUIDs and device IDs. From §4.3 of RFC 3986, absolute-URI = scheme ":" hier-part [ "?" query ], with (§3):
Because an empty path is a valid 'hier-part', a URI that contains a scheme must be an absolute path.
However, from §4.2.1.6 of RFC 5280, when the subjectAltName extension contains a URI the name:
* MUST NOT be a relative URI
* MUST follow the URI syntax in RFC 3986
* MUST include both a scheme and a scheme-specific-part (this might mean that path-empty is not valid).
So it would seem that a non-relative URI for a subjectAltName is one that:
* has a scheme
* has a non-empty scheme-specific part following the scheme delimiter (a ':').
Reproduction steps
No response
Relevant log output
No response
Contact Details
No response
Version
master branch
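The following is an added example, written for this page and not code from wolfSSL or from the issue author. It lifts the DecodeAltNames logic quoted above into a standalone `current_check()` and puts next to it a `proposed_check()` that implements the criteria the issue arrives at (an RFC 3986 scheme, the ':' delimiter, a non-empty scheme-specific part) and additionally rejects characters RFC 3986 requires to be percent-encoded. Function names, the `URI_OK`/`URI_ALT_NAME_ERR` codes and the sample names are all assumptions made here; the sample URIs are constructed and not taken from any real certificate.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins for the wolfSSL return codes; not the library's values. */
#define URI_OK            0
#define URI_ALT_NAME_ERR (-1)

/* The current DecodeAltNames logic quoted in the issue, lifted into a
 * standalone function over (input, strLen) so it can be compared. */
static int current_check(const char *input, int strLen)
{
    int i;
    /* skip past scheme finding first ':' char; any '/' before it is fatal */
    for (i = 0; i < strLen; i++) {
        if (input[i] == ':')
            break;
        if (input[i] == '/')
            return URI_ALT_NAME_ERR;
    }
    /* require "://" right after the scheme */
    if (i >= strLen - 2 || (input[i + 1] != '/' || input[i + 2] != '/'))
        return URI_ALT_NAME_ERR;
    return URI_OK;
}

/* RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) */
static int is_scheme_char(unsigned char c)
{
    return isalnum(c) || c == '+' || c == '-' || c == '.';
}

/* Proposed check, following the issue's reading of RFC 5280 4.2.1.6:
 * the name is a scheme, a ':' delimiter, and a non-empty scheme-specific
 * part. "urn:uuid:...", "urn:dev:...", "mailto:..." and "http://..." all
 * pass; relative references ("/x", "./x", "x", "a/b:c") and a bare
 * "scheme:" fail. Characters outside printable US-ASCII are rejected
 * because RFC 3986 requires them to be percent-encoded. */
static int proposed_check(const char *input, int strLen)
{
    int i;
    if (strLen < 3)                              /* shortest form is "a:b" */
        return URI_ALT_NAME_ERR;
    if (!isalpha((unsigned char)input[0]))       /* scheme must start with ALPHA */
        return URI_ALT_NAME_ERR;
    for (i = 1; i < strLen && input[i] != ':'; i++) {
        if (!is_scheme_char((unsigned char)input[i]))
            return URI_ALT_NAME_ERR;             /* '/' etc. before ':' => relative */
    }
    if (i == strLen)                             /* no ':' at all => relative reference */
        return URI_ALT_NAME_ERR;
    if (i + 1 == strLen)                         /* "urn:" => empty scheme-specific part */
        return URI_ALT_NAME_ERR;
    for (i++; i < strLen; i++) {
        unsigned char c = (unsigned char)input[i];
        if (c <= 0x20 || c >= 0x7f)              /* space, control, non-ASCII */
            return URI_ALT_NAME_ERR;
    }
    return URI_OK;
}

/* Constructed sample names (not taken from any real certificate). */
static const char *const samples[] = {
    "http://example.com/",
    "urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6",
    "urn:dev:ops:32473-Refrigerator-5002",
    "mailto:admin@example.com",
    "urn:",
    "/relative/path",
    "example.com",
    "http://bad name",
};

int main(void)
{
    size_t n;
    printf("%-50s %-8s %s\n", "subjectAltName URI", "current", "proposed");
    for (n = 0; n < sizeof(samples) / sizeof(samples[0]); n++) {
        int len = (int)strlen(samples[n]);
        printf("%-50s %-8s %s\n", samples[n],
               current_check(samples[n], len) == URI_OK ? "accept" : "reject",
               proposed_check(samples[n], len) == URI_OK ? "accept" : "reject");
    }
    return 0;
}
```

Running it shows the two checks disagree in both directions: the "://" requirement rejects every urn: and mailto: name, while it accepts "http://bad name" because it never looks past the third character after the scheme. Note that `proposed_check()` only tests what the issue argues for (absolute URI shape); it does not validate the scheme-specific part of a UUID or device URN, which a consumer of those names would still need to do.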