cert name: improve check
This commit is contained in:
parent
7229a56eef
commit
4c52f23b9d
@ -170,7 +170,7 @@ pub enum ExtensionValue<'a> {
|
|||||||
|
|
||||||
// Embedded value might be empty (&[])
|
// Embedded value might be empty (&[])
|
||||||
// This means a reject-all/accept-none condition
|
// This means a reject-all/accept-none condition
|
||||||
#[derive(Debug, Clone, Copy, Eq, PartialEq)]
|
#[derive(Debug, Clone, Eq, PartialEq)]
|
||||||
pub enum GeneralName<'a> {
|
pub enum GeneralName<'a> {
|
||||||
OtherName {
|
OtherName {
|
||||||
type_id: &'a [u8],
|
type_id: &'a [u8],
|
||||||
@ -179,7 +179,7 @@ pub enum GeneralName<'a> {
|
|||||||
RFC822Name(&'a [u8]),
|
RFC822Name(&'a [u8]),
|
||||||
DNSName(&'a [u8]),
|
DNSName(&'a [u8]),
|
||||||
X400Address(&'a [u8]),
|
X400Address(&'a [u8]),
|
||||||
DirectoryName(&'a [u8]),
|
DirectoryName(Name<'a>),
|
||||||
EDIPartyName{
|
EDIPartyName{
|
||||||
name_assigner: &'a [u8],
|
name_assigner: &'a [u8],
|
||||||
party_name: &'a [u8],
|
party_name: &'a [u8],
|
||||||
@ -193,11 +193,13 @@ pub enum GeneralName<'a> {
|
|||||||
// Will not handle `OtherName`, `X400Address`, `EDIPartyName`, `RegisteredID`,
|
// Will not handle `OtherName`, `X400Address`, `EDIPartyName`, `RegisteredID`,
|
||||||
// as these restrictions of these variants are not suggested
|
// as these restrictions of these variants are not suggested
|
||||||
impl<'a> GeneralName<'a> {
|
impl<'a> GeneralName<'a> {
|
||||||
|
|
||||||
pub fn is_subset_of(&self, other: &Self) -> bool {
|
pub fn is_subset_of(&self, other: &Self) -> bool {
|
||||||
match (self, other) {
|
match (self, other) {
|
||||||
// Special case: empty set
|
// Special case: empty set
|
||||||
// Empty set is a subset of everything
|
// Empty set is a subset of everything
|
||||||
|
// The caveat is that Empty set represents the wild card
|
||||||
|
// Which means everything is part of the empty set
|
||||||
|
// This behavior is represented in the `belongs_to()` method
|
||||||
(Self::URI(self_uri), Self::URI(other_uri)) => {
|
(Self::URI(self_uri), Self::URI(other_uri)) => {
|
||||||
if self_uri.len() == 0 || other_uri.len() == 0 {
|
if self_uri.len() == 0 || other_uri.len() == 0 {
|
||||||
self_uri.len() == 0
|
self_uri.len() == 0
|
||||||
@ -301,6 +303,72 @@ impl<'a> GeneralName<'a> {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// See if a specific name is part of the subtree
|
||||||
|
// The subtle difference between determining subset and ownership is the empty set
|
||||||
|
// Recall:
|
||||||
|
// - Empty set is a subset of everything, intersection between 2 disjoint set is an empty set
|
||||||
|
// - Empty set is also a wildcard, everything fits in a restriction with empty set
|
||||||
|
//
|
||||||
|
// IP address in SAN only includes the IP part, without network mask
|
||||||
|
// This method is to make sure that IPv4 and IPv6 address can compare with
|
||||||
|
// their corresponding CIDR address (i.e. 192.168.0.1 belongs to 192.168.0.0/24 network)
|
||||||
|
pub fn belongs_to(&self, other: &Self) -> bool {
|
||||||
|
match (self, other) {
|
||||||
|
(Self::URI(self_uri), Self::URI(other_uri)) => {
|
||||||
|
self_uri.ends_with(other_uri)
|
||||||
|
}
|
||||||
|
(Self::RFC822Name(..), Self::RFC822Name(..))
|
||||||
|
| (Self::DNSName(..), Self::DNSName(..)) => {
|
||||||
|
self.is_subset_of(other)
|
||||||
|
},
|
||||||
|
|
||||||
|
(Self::IPAddress(san_ip), Self::IPAddress(cidr_network)) => {
|
||||||
|
// Use smoltcp API to covert into IPv4/Ipv6 address/CIDR
|
||||||
|
match (san_ip.len(), cidr_network.len()) {
|
||||||
|
// Wildcard case: CIDR is empty
|
||||||
|
// Everything fits into an empty set
|
||||||
|
(_, 0) => true,
|
||||||
|
|
||||||
|
// IPv4 case
|
||||||
|
(4, 8) => {
|
||||||
|
let ipv4_san_addr = smoltcp::wire::Ipv4Address::from_bytes(san_ip);
|
||||||
|
let ipv4_cidr = smoltcp::wire::Ipv4Cidr::from_netmask(
|
||||||
|
smoltcp::wire::Ipv4Address::from_bytes(
|
||||||
|
&cidr_network[0..4]
|
||||||
|
),
|
||||||
|
smoltcp::wire::Ipv4Address::from_bytes(
|
||||||
|
&cidr_network[4..]
|
||||||
|
),
|
||||||
|
).unwrap();
|
||||||
|
ipv4_cidr.contains_addr(&ipv4_san_addr)
|
||||||
|
},
|
||||||
|
|
||||||
|
// IPv6 case
|
||||||
|
(16, 32) => {
|
||||||
|
let ipv6_san_addr = smoltcp::wire::Ipv6Address::from_bytes(san_ip);
|
||||||
|
let mut prefix_len = 0;
|
||||||
|
for index in 16..32 {
|
||||||
|
prefix_len += cidr_network[index].count_ones();
|
||||||
|
}
|
||||||
|
let ipv6_cidr = smoltcp::wire::Ipv6Cidr::new(
|
||||||
|
smoltcp::wire::Ipv6Address::from_bytes(
|
||||||
|
&cidr_network[0..16]
|
||||||
|
),
|
||||||
|
prefix_len.try_into().unwrap()
|
||||||
|
);
|
||||||
|
ipv6_cidr.contains_addr(&ipv6_san_addr)
|
||||||
|
},
|
||||||
|
|
||||||
|
// Malformatted IP address/CIDR
|
||||||
|
_ => false,
|
||||||
|
}
|
||||||
|
},
|
||||||
|
|
||||||
|
// Unsupported variant/heterogeneous comparison
|
||||||
|
_ => false,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
pub fn is_same_variant(&self, other: &Self) -> bool {
|
pub fn is_same_variant(&self, other: &Self) -> bool {
|
||||||
match (self, other) {
|
match (self, other) {
|
||||||
(Self::URI(..), Self::URI(..))
|
(Self::URI(..), Self::URI(..))
|
||||||
@ -326,11 +394,32 @@ pub struct AlgorithmIdentifier<'a> {
|
|||||||
pub parameters: &'a [u8],
|
pub parameters: &'a [u8],
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Debug, Clone)]
|
#[derive(Debug, Clone, Eq)]
|
||||||
pub struct Name<'a> {
|
pub struct Name<'a> {
|
||||||
pub relative_distinguished_name: Vec<RelativeDistinguishedName<'a>>
|
pub relative_distinguished_name: Vec<RelativeDistinguishedName<'a>>
|
||||||
}
|
}
|
||||||
|
|
||||||
|
impl<'a> Name<'a> {
|
||||||
|
pub fn belongs_to(&self, other: &Self) -> bool {
|
||||||
|
if self.relative_distinguished_name.len()
|
||||||
|
< other.relative_distinguished_name.len()
|
||||||
|
{
|
||||||
|
false
|
||||||
|
} else {
|
||||||
|
// For each RDN in other, self must have the same RDN
|
||||||
|
// then self is within the subtree of other
|
||||||
|
for other_rdn in other.relative_distinguished_name.iter() {
|
||||||
|
if self.relative_distinguished_name.iter().find(
|
||||||
|
|&self_rdn| self_rdn == other_rdn
|
||||||
|
).is_none() {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
impl<'a> PartialEq for Name<'a> {
|
impl<'a> PartialEq for Name<'a> {
|
||||||
fn eq(&self, other: &Self) -> bool {
|
fn eq(&self, other: &Self) -> bool {
|
||||||
for self_name in self.relative_distinguished_name.iter() {
|
for self_name in self.relative_distinguished_name.iter() {
|
||||||
@ -344,12 +433,12 @@ impl<'a> PartialEq for Name<'a> {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Debug, Clone, PartialEq)]
|
#[derive(Debug, Clone, Eq, PartialEq)]
|
||||||
pub struct RelativeDistinguishedName<'a> {
|
pub struct RelativeDistinguishedName<'a> {
|
||||||
pub type_and_attributes: Vec<AttributeTypeAndValue<'a>>
|
pub type_and_attributes: Vec<AttributeTypeAndValue<'a>>
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Debug, Clone, PartialEq)]
|
#[derive(Debug, Clone, Eq, PartialEq)]
|
||||||
pub struct AttributeTypeAndValue<'a> {
|
pub struct AttributeTypeAndValue<'a> {
|
||||||
pub attribute_type: &'a [u8], // OID
|
pub attribute_type: &'a [u8], // OID
|
||||||
pub attribute_value: &'a str,
|
pub attribute_value: &'a str,
|
||||||
@ -667,47 +756,138 @@ pub fn verify_certificate_chain(
|
|||||||
return Err(TlsError::CertificateIssuerMismatch);
|
return Err(TlsError::CertificateIssuerMismatch);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// (b, c) If certificate is self-issued and not the end-entity certificate,
|
||||||
|
// verify that subject name is
|
||||||
|
// - within one of the permitted subtrees
|
||||||
|
// - not within any of the excluded subtrees
|
||||||
|
//
|
||||||
|
// and verify that each subjectAltName is
|
||||||
|
// - within one of the permitted_subtrees for that type
|
||||||
|
// - not within any of the excluded_subtrees for that name type
|
||||||
if current_certificate.tbs_certificate.issuer != current_certificate.tbs_certificate.subject
|
if current_certificate.tbs_certificate.issuer != current_certificate.tbs_certificate.subject
|
||||||
&& (cert_index + 1) != certificates.len() {
|
&& (cert_index + 1) != certificates.len() {
|
||||||
|
|
||||||
if permitted_subtrees.len() != 0 {
|
/*
|
||||||
// Find the SAN extension
|
* Permitted subtreee block
|
||||||
|
*/
|
||||||
|
{
|
||||||
|
// Check if there are permitted name, and find any matching name
|
||||||
|
let mut has_dir_name_restriction = false;
|
||||||
|
let mut has_rfc_822_name_restriction = false;
|
||||||
|
let mut has_dns_name_restriction = false;
|
||||||
|
let mut has_uri_restriction = false;
|
||||||
|
let mut has_ip_address_restriction = false;
|
||||||
|
let mut subject_name_permitted = false;
|
||||||
|
for permitted_dir_name in permitted_subtrees.iter() {
|
||||||
|
match permitted_dir_name {
|
||||||
|
GeneralName::DirectoryName(dir_name) => {
|
||||||
|
has_dir_name_restriction = true;
|
||||||
|
if current_certificate.tbs_certificate.subject
|
||||||
|
.belongs_to(dir_name)
|
||||||
|
{
|
||||||
|
subject_name_permitted = true;
|
||||||
|
}
|
||||||
|
},
|
||||||
|
GeneralName::RFC822Name(..) => {
|
||||||
|
has_rfc_822_name_restriction = true;
|
||||||
|
},
|
||||||
|
GeneralName::DNSName(..) => {
|
||||||
|
has_dns_name_restriction = true;
|
||||||
|
},
|
||||||
|
GeneralName::URI(..) => {
|
||||||
|
has_uri_restriction = true;
|
||||||
|
},
|
||||||
|
GeneralName::IPAddress(..) => {
|
||||||
|
has_ip_address_restriction = true;
|
||||||
|
},
|
||||||
|
_ => {}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// If there are restrictions in terms of permitted_subtrees,
|
||||||
|
// while subject cannot fulfill it, reject certificate
|
||||||
|
if has_dir_name_restriction && !subject_name_permitted {
|
||||||
|
return Err(TlsError::CertificateSubjectNotPermitted)
|
||||||
|
}
|
||||||
|
|
||||||
for extension in current_certificate.tbs_certificate
|
for extension in current_certificate.tbs_certificate
|
||||||
.extensions.extensions.iter() {
|
.extensions.extensions.iter()
|
||||||
|
{
|
||||||
if let ExtensionValue::SubjectAlternativeName {
|
if let ExtensionValue::SubjectAlternativeName {
|
||||||
general_names
|
general_names
|
||||||
} = &extension.extension_value {
|
} = &extension.extension_value {
|
||||||
// For each alt. names in SAN, it is within one of the
|
// For each alt. names in SAN, it is within one of the
|
||||||
// permitted_subtrees for that name type
|
// permitted_subtrees for that name type
|
||||||
// TODO: Do more than find exact match
|
for san_general_name in general_names.iter() {
|
||||||
for general_name in general_names.iter() {
|
if permitted_subtrees.iter().find(
|
||||||
permitted_subtrees.iter().find(
|
|&permitted_name| {
|
||||||
|&permitted_name| permitted_name == general_name
|
// Either the general name are identical
|
||||||
).ok_or(
|
// (for names that does not support subset operation subset),
|
||||||
TlsError::CertificateSubjectNotPermitted
|
// Or it belongs to a subtree
|
||||||
)?;
|
permitted_name == san_general_name ||
|
||||||
|
san_general_name.belongs_to(permitted_name)
|
||||||
|
}
|
||||||
|
).is_none() {
|
||||||
|
match san_general_name {
|
||||||
|
GeneralName::RFC822Name(..) => if has_rfc_822_name_restriction {
|
||||||
|
return Err(TlsError::CertificateSubjectNotPermitted)
|
||||||
|
},
|
||||||
|
GeneralName::DNSName(..) => if has_dns_name_restriction {
|
||||||
|
return Err(TlsError::CertificateSubjectNotPermitted)
|
||||||
|
},
|
||||||
|
GeneralName::URI(..) => if has_uri_restriction {
|
||||||
|
return Err(TlsError::CertificateSubjectNotPermitted)
|
||||||
|
},
|
||||||
|
GeneralName::IPAddress(..) => if has_ip_address_restriction {
|
||||||
|
return Err(TlsError::CertificateSubjectNotPermitted)
|
||||||
|
},
|
||||||
|
|
||||||
|
// Other types of restrictions are not recognized
|
||||||
|
_ => {},
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if excluded_subtrees.len() != 0 {
|
/*
|
||||||
// Find the SAN extension
|
* Excluded subtrees block
|
||||||
|
*/
|
||||||
|
{
|
||||||
|
// Check if there are excluded name, and find any matching name
|
||||||
|
for excluded_dir_name in excluded_subtrees.iter() {
|
||||||
|
match excluded_dir_name {
|
||||||
|
GeneralName::DirectoryName(dir_name) => {
|
||||||
|
if current_certificate.tbs_certificate.subject
|
||||||
|
.belongs_to(dir_name)
|
||||||
|
{
|
||||||
|
return Err(TlsError::CertificateSubjectExcluded);
|
||||||
|
}
|
||||||
|
},
|
||||||
|
_ => {}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
for extension in current_certificate.tbs_certificate
|
for extension in current_certificate.tbs_certificate
|
||||||
.extensions.extensions.iter() {
|
.extensions.extensions.iter()
|
||||||
|
{
|
||||||
if let ExtensionValue::SubjectAlternativeName {
|
if let ExtensionValue::SubjectAlternativeName {
|
||||||
general_names
|
general_names
|
||||||
} = &extension.extension_value {
|
} = &extension.extension_value {
|
||||||
// For each alt. names in SAN, it is NOT within one of the
|
// For each alt. names in SAN, it is not within any excluded subtrees
|
||||||
// excluded_subtrees for that name type
|
for san_general_name in general_names.iter() {
|
||||||
// TODO: Do more than find exact match
|
if excluded_subtrees.iter().find(
|
||||||
for general_name in general_names.iter() {
|
|&excluded_name| {
|
||||||
excluded_subtrees.iter().find(
|
// Either the general name are identical
|
||||||
|&excluded_name| excluded_name == general_name
|
// (for names that does not support subset operation subset),
|
||||||
).map_or(
|
// Or it belongs to a subtree
|
||||||
Ok(()),
|
excluded_name == san_general_name ||
|
||||||
|_| Err(TlsError::CertificateSubjectExcluded)
|
san_general_name.belongs_to(excluded_name)
|
||||||
)?;
|
}
|
||||||
|
).is_some() {
|
||||||
|
return Err(TlsError::CertificateSubjectExcluded);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1018,22 +1198,22 @@ fn get_subtree_intersection<'a>(
|
|||||||
match general_name {
|
match general_name {
|
||||||
GeneralName::URI(..) => {
|
GeneralName::URI(..) => {
|
||||||
if !has_other_uri_tree {
|
if !has_other_uri_tree {
|
||||||
preserved_subtrees.push(*general_name);
|
preserved_subtrees.push((*general_name).clone());
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
GeneralName::RFC822Name(..) => {
|
GeneralName::RFC822Name(..) => {
|
||||||
if !has_other_rfc_822_name_tree {
|
if !has_other_rfc_822_name_tree {
|
||||||
preserved_subtrees.push(*general_name);
|
preserved_subtrees.push((*general_name).clone());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
GeneralName::DNSName(..) => {
|
GeneralName::DNSName(..) => {
|
||||||
if !has_other_dns_name_tree {
|
if !has_other_dns_name_tree {
|
||||||
preserved_subtrees.push(*general_name);
|
preserved_subtrees.push((*general_name).clone());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
GeneralName::IPAddress(..) => {
|
GeneralName::IPAddress(..) => {
|
||||||
if !has_other_ip_address_tree {
|
if !has_other_ip_address_tree {
|
||||||
preserved_subtrees.push(*general_name);
|
preserved_subtrees.push((*general_name).clone());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
// Other general_name variants should not appear in this subtree
|
// Other general_name variants should not appear in this subtree
|
||||||
@ -1045,22 +1225,22 @@ fn get_subtree_intersection<'a>(
|
|||||||
match general_name {
|
match general_name {
|
||||||
GeneralName::URI(..) => {
|
GeneralName::URI(..) => {
|
||||||
if !has_self_uri_tree {
|
if !has_self_uri_tree {
|
||||||
preserved_subtrees.push(*general_name);
|
preserved_subtrees.push((*general_name).clone());
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
GeneralName::RFC822Name(..) => {
|
GeneralName::RFC822Name(..) => {
|
||||||
if !has_self_rfc_822_name_tree {
|
if !has_self_rfc_822_name_tree {
|
||||||
preserved_subtrees.push(*general_name);
|
preserved_subtrees.push((*general_name).clone());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
GeneralName::DNSName(..) => {
|
GeneralName::DNSName(..) => {
|
||||||
if !has_self_dns_name_tree {
|
if !has_self_dns_name_tree {
|
||||||
preserved_subtrees.push(*general_name);
|
preserved_subtrees.push((*general_name).clone());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
GeneralName::IPAddress(..) => {
|
GeneralName::IPAddress(..) => {
|
||||||
if !has_self_ip_address_tree {
|
if !has_self_ip_address_tree {
|
||||||
preserved_subtrees.push(*general_name);
|
preserved_subtrees.push((*general_name).clone());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
// Other general_name variants should not appear in this subtree
|
// Other general_name variants should not appear in this subtree
|
||||||
@ -1114,9 +1294,9 @@ fn get_subtree_intersection<'a>(
|
|||||||
|
|
||||||
// Make use of subset method, note that all general names are hierarchical
|
// Make use of subset method, note that all general names are hierarchical
|
||||||
if self_name.is_subset_of(other_name) {
|
if self_name.is_subset_of(other_name) {
|
||||||
preserved_subtrees.push(*self_name)
|
preserved_subtrees.push((*self_name).clone())
|
||||||
} else if other_name.is_subset_of(self_name) {
|
} else if other_name.is_subset_of(self_name) {
|
||||||
preserved_subtrees.push(*other_name)
|
preserved_subtrees.push((*other_name).clone())
|
||||||
}
|
}
|
||||||
|
|
||||||
// If neither are subset of the other, the intersection shall be none
|
// If neither are subset of the other, the intersection shall be none
|
||||||
@ -1181,7 +1361,7 @@ fn prune_subset<'a>(subtree_out: &mut Vec<GeneralName<'a>>, subtree_in: &mut Vec
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
subtree_out.push(subtree_in[i])
|
subtree_out.push(subtree_in[i].clone())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1231,7 +1231,10 @@ pub fn parse_asn1_der_general_name(bytes: &[u8]) -> IResult<&[u8], Asn1DerGenera
|
|||||||
},
|
},
|
||||||
|
|
||||||
0x84 => {
|
0x84 => {
|
||||||
Asn1DerGeneralName::DirectoryName(name_value)
|
let (_, name) = complete(
|
||||||
|
parse_asn1_der_name
|
||||||
|
)(name_value)?;
|
||||||
|
Asn1DerGeneralName::DirectoryName(name)
|
||||||
},
|
},
|
||||||
|
|
||||||
0xA5 => {
|
0xA5 => {
|
||||||
|
Loading…
Reference in New Issue
Block a user