Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Validate subjAltName for uuid and similar URNs #5964

Closed
wants to merge 6 commits into from

Conversation

PaulMartinsen
Copy link

Description

An attempt to improve validation of subjAltName to allow UUID (RFC 4122) and URNs for device identifiers (RFC 9039) in subjAltName field, but still ensuring the URN is not relative. For #5963 .

Testing

Tested

  • loading custom certificate with a UUID in the subjAltName
  • all tests in testsuite project pass.

It would be good to add another test to the testsuite with a certificate that uses, for example, a UUID in the subjAltName. Could someone generate a suitable certificate that fits the bill please? Then I could add the test. I don't want to put our own certificates in the repo!

@wolfSSL-Bot
Copy link

Can one of the admins verify this patch?

@kareem-wolfssl kareem-wolfssl self-assigned this Jan 9, 2023
@kareem-wolfssl
Copy link
Contributor

Hi @PaulMartinsen,

Thanks for the bug report and PR. We do require a signed contributor agreement on file for us to accept external contributions. If you are interested, please reach out to us at support [at] wolfssl [dot] com for a copy of our contributor agreement.

@@ -42,46 +42,46 @@
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<PlatformToolset>v110</PlatformToolset>
<PlatformToolset>v143</PlatformToolset>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We cannot accept the visual studio project changes. Those must be reverted.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand the need to continue to have the VS2012 files for existing customers. Any objection to including additional project files that target more modern, such as VS2022? Perhaps a naming convention of simply adding _VS2022 to the project file name?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is great you're continuing to support older versions of the VS toolchain such as VS2012 and VS2005. Though it was a very big red flag to me to see reliance on a decade old complier & standard library as the default selection as the primary Windows build path in a security library.

As the VS2012 toolchain is no longer available outside specific MSDN subscriptions, I suggest you create additional 2012 project files for legacy users and update to a more modern toolchain that will make it easier for the majority of new Windows users to work with your library. This has the additional benefit of clearly surfacing the v110 build chain support.

I have updated the PR as suggested, targeting the v143 toolchain. This can be used from the most recent versions of Visual Studio, which automatically prompts the user to download the toolchain if it isn't installed.

Note, sslSniffTest was not changed as it targets the v141 toolchain (VS2017), and is still readily available.

wolfcrypt/src/asn.c Show resolved Hide resolved
* chars are "//" to match the pattern "://" */
if (i >= strLen - 2 || (input[idx + i + 1] != '/' ||
input[idx + i + 2] != '/')) {
/* test if scheme is missing or heir-part is empty */
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need a test case for the new feature.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. And, as I mentioned in the PR, I'm happy to write it if someone will generate a suitable certificate. Unfortunately, I wasn't able to follow the generation of test certificates in the library test suite to do it myself.

Here's an example of how I generate the signing request through OpenSSL:

set DeviceId=9259c005-fa68-4857-b0e7-683bc4236f26
%OPENSSL% req -new -newkey rsa:4096 -keyout Output\Device-PrivateKey-%DeviceId%.pem ^
  -out Output\Device-CertificateRequest-%DeviceId%.pem ^
  -passout pass:secret ^
  -subj "/C=NZ/ST=Waikato/L=Hamilton/O=Blue Leaf Software Ltd/CN=Lumos/serialNumber=%DeviceId%" ^
  -addext "subjectAltName = URI:uuid:%DeviceId%" ^
  -addext "extendedKeyUsage = serverAuth, clientAuth"

Please let me know when you have a suitable certificate ready.

@gojimmypi gojimmypi mentioned this pull request Mar 6, 2023
kareem-wolfssl added a commit to kareem-wolfssl/wolfssl that referenced this pull request Mar 16, 2023
@kareem-wolfssl
Copy link
Contributor

Hello @PaulMartinsen ,

Thank you for your contribution. I have had a separate customer request for absolute URN support, and I need it in our upcoming release, so I've integrated your fix into my PR here: #6181
Please let me know if you have any feedback in my PR.

Thanks,
Kareem

@PaulMartinsen
Copy link
Author

Hi @kareem-wolfssl ; I don't see any issues. Will be good to get this incorporated.

@gojimmypi
Copy link
Contributor

Hello @PaulMartinsen -

It looks like this was a good and approved update, but there's currently a conflict with wolfcrypt/src/asn.c.

Would you like to resolve the commit conflict?

@PaulMartinsen
Copy link
Author

Hi @gojimmypi , it sounds like @kareem-wolfssl added these changes to #PR6181 , which has already been merged. So I think this one might be orphaned? Is that right @kareem-wolfssl ?

@JacobBarthelmeh
Copy link
Contributor

@PaulMartinsen getting back to some of the lingering pull requests. You're right that the other pull request from Kareem addressed the same issue that this one did. Closing this out in favor of the already merged one. Thanks again for opening this and feel free to reach out with any issues or code changes in the future.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants