Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 1 | // Copyright 2017 The Chromium Authors |
David Benjamin | 33d1049 | 2025-02-03 17:00:03 -0500 | [diff] [blame] | 2 | // |
| 3 | // Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | // you may not use this file except in compliance with the License. |
| 5 | // You may obtain a copy of the License at |
| 6 | // |
| 7 | // https://www.apache.org/licenses/LICENSE-2.0 |
| 8 | // |
| 9 | // Unless required by applicable law or agreed to in writing, software |
| 10 | // distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | // See the License for the specific language governing permissions and |
| 13 | // limitations under the License. |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 14 | |
| 15 | #include "general_names.h" |
| 16 | |
Bob Beck | 0500756 | 2023-08-17 20:22:17 +0000 | [diff] [blame] | 17 | #include <openssl/base.h> |
David Benjamin | 2a5db68 | 2024-02-06 21:56:57 -0500 | [diff] [blame] | 18 | #include <openssl/bytestring.h> |
Bob Beck | 0500756 | 2023-08-17 20:22:17 +0000 | [diff] [blame] | 19 | |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 20 | #include <climits> |
| 21 | #include <cstring> |
| 22 | |
| 23 | #include "cert_error_params.h" |
| 24 | #include "cert_errors.h" |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 25 | #include "input.h" |
Bob Beck | 5c7a2a0 | 2023-11-20 17:28:21 -0700 | [diff] [blame] | 26 | #include "ip_util.h" |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 27 | #include "parser.h" |
Bob Beck | 5c7a2a0 | 2023-11-20 17:28:21 -0700 | [diff] [blame] | 28 | #include "string_util.h" |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 29 | |
David Benjamin | 0fbc17a | 2024-08-21 15:13:10 -0400 | [diff] [blame] | 30 | BSSL_NAMESPACE_BEGIN |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 31 | |
| 32 | DEFINE_CERT_ERROR_ID(kFailedParsingGeneralName, "Failed parsing GeneralName"); |
| 33 | |
| 34 | namespace { |
| 35 | |
| 36 | DEFINE_CERT_ERROR_ID(kRFC822NameNotAscii, "rfc822Name is not ASCII"); |
| 37 | DEFINE_CERT_ERROR_ID(kDnsNameNotAscii, "dNSName is not ASCII"); |
| 38 | DEFINE_CERT_ERROR_ID(kURINotAscii, "uniformResourceIdentifier is not ASCII"); |
| 39 | DEFINE_CERT_ERROR_ID(kFailedParsingIp, "Failed parsing iPAddress"); |
| 40 | DEFINE_CERT_ERROR_ID(kUnknownGeneralNameType, "Unknown GeneralName type"); |
| 41 | DEFINE_CERT_ERROR_ID(kFailedReadingGeneralNames, |
| 42 | "Failed reading GeneralNames SEQUENCE"); |
| 43 | DEFINE_CERT_ERROR_ID(kGeneralNamesTrailingData, |
| 44 | "GeneralNames contains trailing data after the sequence"); |
| 45 | DEFINE_CERT_ERROR_ID(kGeneralNamesEmpty, |
| 46 | "GeneralNames is a sequence of 0 elements"); |
| 47 | DEFINE_CERT_ERROR_ID(kFailedReadingGeneralName, |
| 48 | "Failed reading GeneralName TLV"); |
| 49 | |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 50 | } // namespace |
| 51 | |
| 52 | GeneralNames::GeneralNames() = default; |
| 53 | |
| 54 | GeneralNames::~GeneralNames() = default; |
| 55 | |
| 56 | // static |
David Benjamin | 81138bc | 2024-01-23 14:53:40 -0500 | [diff] [blame] | 57 | std::unique_ptr<GeneralNames> GeneralNames::Create(der::Input general_names_tlv, |
| 58 | CertErrors *errors) { |
Bob Beck | 0500756 | 2023-08-17 20:22:17 +0000 | [diff] [blame] | 59 | BSSL_CHECK(errors); |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 60 | |
| 61 | // RFC 5280 section 4.2.1.6: |
| 62 | // GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName |
| 63 | der::Parser parser(general_names_tlv); |
| 64 | der::Input sequence_value; |
David Benjamin | 2a5db68 | 2024-02-06 21:56:57 -0500 | [diff] [blame] | 65 | if (!parser.ReadTag(CBS_ASN1_SEQUENCE, &sequence_value)) { |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 66 | errors->AddError(kFailedReadingGeneralNames); |
| 67 | return nullptr; |
| 68 | } |
| 69 | // Should not have trailing data after GeneralNames sequence. |
| 70 | if (parser.HasMore()) { |
| 71 | errors->AddError(kGeneralNamesTrailingData); |
| 72 | return nullptr; |
| 73 | } |
| 74 | return CreateFromValue(sequence_value, errors); |
| 75 | } |
| 76 | |
| 77 | // static |
| 78 | std::unique_ptr<GeneralNames> GeneralNames::CreateFromValue( |
David Benjamin | 81138bc | 2024-01-23 14:53:40 -0500 | [diff] [blame] | 79 | der::Input general_names_value, CertErrors *errors) { |
Bob Beck | 0500756 | 2023-08-17 20:22:17 +0000 | [diff] [blame] | 80 | BSSL_CHECK(errors); |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 81 | |
| 82 | auto general_names = std::make_unique<GeneralNames>(); |
| 83 | |
| 84 | der::Parser sequence_parser(general_names_value); |
| 85 | // The GeneralNames sequence should have at least 1 element. |
| 86 | if (!sequence_parser.HasMore()) { |
| 87 | errors->AddError(kGeneralNamesEmpty); |
| 88 | return nullptr; |
| 89 | } |
| 90 | |
| 91 | while (sequence_parser.HasMore()) { |
| 92 | der::Input raw_general_name; |
| 93 | if (!sequence_parser.ReadRawTLV(&raw_general_name)) { |
| 94 | errors->AddError(kFailedReadingGeneralName); |
| 95 | return nullptr; |
| 96 | } |
| 97 | |
| 98 | if (!ParseGeneralName(raw_general_name, IP_ADDRESS_ONLY, |
| 99 | general_names.get(), errors)) { |
| 100 | errors->AddError(kFailedParsingGeneralName); |
| 101 | return nullptr; |
| 102 | } |
| 103 | } |
| 104 | |
| 105 | return general_names; |
| 106 | } |
| 107 | |
| 108 | [[nodiscard]] bool ParseGeneralName( |
David Benjamin | 81138bc | 2024-01-23 14:53:40 -0500 | [diff] [blame] | 109 | der::Input input, |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 110 | GeneralNames::ParseGeneralNameIPAddressType ip_address_type, |
Bob Beck | 5c7a2a0 | 2023-11-20 17:28:21 -0700 | [diff] [blame] | 111 | GeneralNames *subtrees, CertErrors *errors) { |
Bob Beck | 0500756 | 2023-08-17 20:22:17 +0000 | [diff] [blame] | 112 | BSSL_CHECK(errors); |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 113 | der::Parser parser(input); |
David Benjamin | 2a5db68 | 2024-02-06 21:56:57 -0500 | [diff] [blame] | 114 | CBS_ASN1_TAG tag; |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 115 | der::Input value; |
Bob Beck | 6beabf3 | 2023-11-21 09:43:52 -0700 | [diff] [blame] | 116 | if (!parser.ReadTagAndValue(&tag, &value)) { |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 117 | return false; |
Bob Beck | 6beabf3 | 2023-11-21 09:43:52 -0700 | [diff] [blame] | 118 | } |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 119 | GeneralNameTypes name_type = GENERAL_NAME_NONE; |
David Benjamin | 2a5db68 | 2024-02-06 21:56:57 -0500 | [diff] [blame] | 120 | if (tag == (CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) { |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 121 | // otherName [0] OtherName, |
| 122 | name_type = GENERAL_NAME_OTHER_NAME; |
| 123 | subtrees->other_names.push_back(value); |
David Benjamin | 2a5db68 | 2024-02-06 21:56:57 -0500 | [diff] [blame] | 124 | } else if (tag == (CBS_ASN1_CONTEXT_SPECIFIC | 1)) { |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 125 | // rfc822Name [1] IA5String, |
| 126 | name_type = GENERAL_NAME_RFC822_NAME; |
David Benjamin | 71c5896 | 2024-01-29 22:20:18 -0500 | [diff] [blame] | 127 | const std::string_view s = BytesAsStringView(value); |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 128 | if (!bssl::string_util::IsAscii(s)) { |
| 129 | errors->AddError(kRFC822NameNotAscii); |
| 130 | return false; |
| 131 | } |
| 132 | subtrees->rfc822_names.push_back(s); |
David Benjamin | 2a5db68 | 2024-02-06 21:56:57 -0500 | [diff] [blame] | 133 | } else if (tag == (CBS_ASN1_CONTEXT_SPECIFIC | 2)) { |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 134 | // dNSName [2] IA5String, |
| 135 | name_type = GENERAL_NAME_DNS_NAME; |
David Benjamin | 71c5896 | 2024-01-29 22:20:18 -0500 | [diff] [blame] | 136 | const std::string_view s = BytesAsStringView(value); |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 137 | if (!bssl::string_util::IsAscii(s)) { |
| 138 | errors->AddError(kDnsNameNotAscii); |
| 139 | return false; |
| 140 | } |
| 141 | subtrees->dns_names.push_back(s); |
David Benjamin | 2a5db68 | 2024-02-06 21:56:57 -0500 | [diff] [blame] | 142 | } else if (tag == (CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 3)) { |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 143 | // x400Address [3] ORAddress, |
| 144 | name_type = GENERAL_NAME_X400_ADDRESS; |
| 145 | subtrees->x400_addresses.push_back(value); |
David Benjamin | 2a5db68 | 2024-02-06 21:56:57 -0500 | [diff] [blame] | 146 | } else if (tag == (CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 4)) { |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 147 | // directoryName [4] Name, |
| 148 | name_type = GENERAL_NAME_DIRECTORY_NAME; |
| 149 | // Name is a CHOICE { rdnSequence RDNSequence }, therefore the SEQUENCE |
| 150 | // tag is explicit. Remove it, since the name matching functions expect |
| 151 | // only the value portion. |
| 152 | der::Parser name_parser(value); |
| 153 | der::Input name_value; |
David Benjamin | 2a5db68 | 2024-02-06 21:56:57 -0500 | [diff] [blame] | 154 | if (!name_parser.ReadTag(CBS_ASN1_SEQUENCE, &name_value) || |
| 155 | parser.HasMore()) { |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 156 | return false; |
Bob Beck | 6beabf3 | 2023-11-21 09:43:52 -0700 | [diff] [blame] | 157 | } |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 158 | subtrees->directory_names.push_back(name_value); |
David Benjamin | 2a5db68 | 2024-02-06 21:56:57 -0500 | [diff] [blame] | 159 | } else if (tag == (CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 5)) { |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 160 | // ediPartyName [5] EDIPartyName, |
| 161 | name_type = GENERAL_NAME_EDI_PARTY_NAME; |
| 162 | subtrees->edi_party_names.push_back(value); |
David Benjamin | 2a5db68 | 2024-02-06 21:56:57 -0500 | [diff] [blame] | 163 | } else if (tag == (CBS_ASN1_CONTEXT_SPECIFIC | 6)) { |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 164 | // uniformResourceIdentifier [6] IA5String, |
| 165 | name_type = GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER; |
David Benjamin | 71c5896 | 2024-01-29 22:20:18 -0500 | [diff] [blame] | 166 | const std::string_view s = BytesAsStringView(value); |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 167 | if (!bssl::string_util::IsAscii(s)) { |
| 168 | errors->AddError(kURINotAscii); |
| 169 | return false; |
| 170 | } |
| 171 | subtrees->uniform_resource_identifiers.push_back(s); |
David Benjamin | 2a5db68 | 2024-02-06 21:56:57 -0500 | [diff] [blame] | 172 | } else if (tag == (CBS_ASN1_CONTEXT_SPECIFIC | 7)) { |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 173 | // iPAddress [7] OCTET STRING, |
| 174 | name_type = GENERAL_NAME_IP_ADDRESS; |
| 175 | if (ip_address_type == GeneralNames::IP_ADDRESS_ONLY) { |
| 176 | // RFC 5280 section 4.2.1.6: |
| 177 | // When the subjectAltName extension contains an iPAddress, the address |
| 178 | // MUST be stored in the octet string in "network byte order", as |
| 179 | // specified in [RFC791]. The least significant bit (LSB) of each octet |
| 180 | // is the LSB of the corresponding byte in the network address. For IP |
| 181 | // version 4, as specified in [RFC791], the octet string MUST contain |
| 182 | // exactly four octets. For IP version 6, as specified in [RFC2460], |
| 183 | // the octet string MUST contain exactly sixteen octets. |
David Benjamin | 90ceeb0 | 2024-01-23 14:25:39 -0500 | [diff] [blame] | 184 | if ((value.size() != kIPv4AddressSize && |
| 185 | value.size() != kIPv6AddressSize)) { |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 186 | errors->AddError(kFailedParsingIp); |
| 187 | return false; |
| 188 | } |
Bob Beck | 8e7025e | 2023-09-05 17:05:26 -0600 | [diff] [blame] | 189 | subtrees->ip_addresses.push_back(value); |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 190 | } else { |
Bob Beck | 0500756 | 2023-08-17 20:22:17 +0000 | [diff] [blame] | 191 | BSSL_CHECK(ip_address_type == GeneralNames::IP_ADDRESS_AND_NETMASK); |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 192 | // RFC 5280 section 4.2.1.10: |
| 193 | // The syntax of iPAddress MUST be as described in Section 4.2.1.6 with |
| 194 | // the following additions specifically for name constraints. For IPv4 |
| 195 | // addresses, the iPAddress field of GeneralName MUST contain eight (8) |
| 196 | // octets, encoded in the style of RFC 4632 (CIDR) to represent an |
| 197 | // address range [RFC4632]. For IPv6 addresses, the iPAddress field |
| 198 | // MUST contain 32 octets similarly encoded. For example, a name |
| 199 | // constraint for "class C" subnet 192.0.2.0 is represented as the |
| 200 | // octets C0 00 02 00 FF FF FF 00, representing the CIDR notation |
| 201 | // 192.0.2.0/24 (mask 255.255.255.0). |
David Benjamin | 90ceeb0 | 2024-01-23 14:25:39 -0500 | [diff] [blame] | 202 | if (value.size() != kIPv4AddressSize * 2 && |
| 203 | value.size() != kIPv6AddressSize * 2) { |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 204 | errors->AddError(kFailedParsingIp); |
| 205 | return false; |
| 206 | } |
David Benjamin | 90ceeb0 | 2024-01-23 14:25:39 -0500 | [diff] [blame] | 207 | der::Input addr = value.first(value.size() / 2); |
| 208 | der::Input mask = value.subspan(value.size() / 2); |
Bob Beck | 8e7025e | 2023-09-05 17:05:26 -0600 | [diff] [blame] | 209 | if (!IsValidNetmask(mask)) { |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 210 | errors->AddError(kFailedParsingIp); |
| 211 | return false; |
| 212 | } |
Bob Beck | 8e7025e | 2023-09-05 17:05:26 -0600 | [diff] [blame] | 213 | subtrees->ip_address_ranges.emplace_back(addr, mask); |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 214 | } |
David Benjamin | 2a5db68 | 2024-02-06 21:56:57 -0500 | [diff] [blame] | 215 | } else if (tag == (CBS_ASN1_CONTEXT_SPECIFIC | 8)) { |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 216 | // registeredID [8] OBJECT IDENTIFIER } |
| 217 | name_type = GENERAL_NAME_REGISTERED_ID; |
| 218 | subtrees->registered_ids.push_back(value); |
| 219 | } else { |
| 220 | errors->AddError(kUnknownGeneralNameType, |
| 221 | CreateCertErrorParams1SizeT("tag", tag)); |
| 222 | return false; |
| 223 | } |
Bob Beck | 0500756 | 2023-08-17 20:22:17 +0000 | [diff] [blame] | 224 | BSSL_CHECK(GENERAL_NAME_NONE != name_type); |
Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame] | 225 | subtrees->present_name_types |= name_type; |
| 226 | return true; |
| 227 | } |
| 228 | |
David Benjamin | 0fbc17a | 2024-08-21 15:13:10 -0400 | [diff] [blame] | 229 | BSSL_NAMESPACE_END |