
fix other name san parsing and add RID cert to test parsing

JacobBarthelmeh 1 year ago
parent
commit
f1daa2d356
7 changed files with 85 additions and 7 deletions
  1. 2 1
      certs/include.am
  2. 15 0
      certs/renewcerts.sh
  3. 15 0
      certs/renewcerts/wolfssl.cnf
  4. BIN
      certs/rid-cert.der
  5. 25 0
      src/x509.c
  6. 28 0
      tests/api.c
  7. 0 6
      wolfcrypt/src/asn.c

+ 2 - 1
certs/include.am

@@ -64,7 +64,8 @@ EXTRA_DIST += \
 	     certs/entity-no-ca-bool-cert.pem \
 	     certs/entity-no-ca-bool-key.pem \
 	     certs/x942dh2048.pem \
-	     certs/fpki-cert.der
+	     certs/fpki-cert.der \
+	     certs/rid-cert.der
 
 EXTRA_DIST += \
 	     certs/ca-key.der \

+ 15 - 0
certs/renewcerts.sh

@@ -28,6 +28,7 @@
 #                       client-crl-dist.pem
 #                       entity-no-ca-bool-cert.pem
 #                       fpki-cert.der
+#                       rid-cert.der
 # updates the following crls:
 #                       crl/cliCrl.pem
 #                       crl/crl.pem
@@ -359,6 +360,20 @@ run_renewcerts(){
     echo "End of section"
     echo "---------------------------------------------------------------------"
     ###########################################################
+    ########## update and sign rid-cert.der ################
+    ###########################################################
+    echo "Updating rid-cert.der"
+    echo ""
+    #pipe the following arguments to openssl req...
+    echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nRID\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > rid-req.pem
+    check_result $? "Step 1"
+
+    openssl x509 -req -in rid-req.pem -extfile wolfssl.cnf -extensions rid_ext -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 7 -out rid-cert.der -outform DER
+    check_result $? "Step 2"
+    rm rid-req.pem
+    echo "End of section"
+    echo "---------------------------------------------------------------------"
+    ###########################################################
     ########## update and sign server-cert.pem ################
     ###########################################################
     echo "Updating server-cert.pem"
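Review bot: `-set_serial 7` on the new `openssl x509 -req` line hard-codes the serial number; certificates issued by the same CA (ca-cert.pem / ca-key.pem here) must carry distinct serials, so confirm that no other certificate this script signs with that CA already uses 7, or let openssl maintain the counter with `-CAcreateserial`. `rm rid-req.pem` also runs unconditionally after the signing step, so if `check_result` does not exit on failure the request file is removed even when signing failed; that is fine only if a failed run is meant to be re-run from step 1. `run_renewcerts` begins and ends outside the hunk.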

+ 15 - 0
certs/renewcerts/wolfssl.cnf

@@ -372,3 +372,18 @@ attribute = SEQUENCE:PCE_attr
 type = OID:2.16.840.1.101.3.6.9.1
 value = BOOLEAN:true
 
+[rid_ext]
+basicConstraints = CA:FALSE,pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid
+keyUsage = critical, digitalSignature
+subjectAltName = @RID_altname
+
+[RID_altname]
+otherName.1 = 1.3.6.1.4.1.311.20.2.3;UTF8:facts@wolfssl.com
+RID.1 = 1.2.3.4.5
+DNS.1 = www.example.org
+URI.1 = https://www.wolfssl.com/
+otherName.2 = 2.16.840.1.101.3.6.6;FORMAT:HEX,OCT:D1:38:10:D8:28:AF:2C:10:84:35:15:A1:68:58:28:AF:02:10:86:A2:84:E7:39:C3:EB
+
+

BIN
certs/rid-cert.der


+ 25 - 0
src/x509.c

@@ -5381,6 +5381,31 @@ static int X509PrintSubjAltName(WOLFSSL_BIO* bio, WOLFSSL_X509* x509,
                         break;
                     }
                 }
+                else if (entry->type == ASN_DIR_TYPE) {
+                    /* @TODO entry->name in ASN1 syntax */
+                    len = XSNPRINTF(scratch, MAX_WIDTH,
+                        "DirName:<print out not supported yet>");
+                    if (len >= MAX_WIDTH) {
+                        ret = WOLFSSL_FAILURE;
+                        break;
+                    }
+                }
+                else if (entry->type == ASN_URI_TYPE) {
+                    len = XSNPRINTF(scratch, MAX_WIDTH, "URI:%s",
+                        entry->name);
+                    if (len >= MAX_WIDTH) {
+                        ret = WOLFSSL_FAILURE;
+                        break;
+                    }
+                }
+                else if (entry->type == ASN_OTHER_TYPE) {
+                    len = XSNPRINTF(scratch, MAX_WIDTH,
+                        "othername <unsupported>");
+                    if (len >= MAX_WIDTH) {
+                        ret = WOLFSSL_FAILURE;
+                        break;
+                    }
+                }
                 else {
                     WOLFSSL_MSG("Bad alt name type.");
                     ret = WOLFSSL_FAILURE;
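Review bot: Each of the three new branches treats only `len >= MAX_WIDTH` as a failure; if `XSNPRINTF` can return a negative value on some platform (legacy `_snprintf` mappings do on error or truncation), a negative `len` would pass the check and be carried forward as a valid length. Consider `if (len < 0 || len >= MAX_WIDTH) {` in all three, matching whatever the earlier branches of this chain do. The URI branch prints `entry->name` straight from certificate data with `%s`; the write is bounded by MAX_WIDTH, but it presumably relies on the decoder NUL-terminating `entry->name`, which is worth a one-line comment since the other new branches print fixed strings. X509PrintSubjAltName begins and ends outside the hunk.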

+ 28 - 0
tests/api.c

@@ -2859,6 +2859,33 @@ static int test_wolfSSL_FPKI(void)
     return res;
 }
 
+/* use RID in confuncture with other names to test parsing of unknown other
+ * names */
+static int test_wolfSSL_OtherName(void)
+{
+    int res = TEST_SKIPPED;
+#if !defined(NO_RSA) && !defined(NO_FILESYSTEM)
+    XFILE f;
+    const char* ridCert = "./certs/rid-cert.der";
+    DecodedCert cert;
+    byte buf[4096];
+    int bytes;
+
+    f = XFOPEN(ridCert, "rb");
+    AssertTrue((f != XBADFILE));
+    bytes = (int)XFREAD(buf, 1, sizeof(buf), f);
+    XFCLOSE(f);
+
+    wc_InitDecodedCert(&cert, buf, bytes, NULL);
+    AssertIntEQ(wc_ParseCert(&cert, CERT_TYPE, 0, NULL), 0);
+    wc_FreeDecodedCert(&cert);
+
+    res = TEST_RES_CHECK(1);
+#endif
+
+    return res;
+}
+
 static int test_wolfSSL_CertRsaPss(void)
 {
     int res = TEST_SKIPPED;
@@ -59260,6 +59287,7 @@ TEST_CASE testCases[] = {
     TEST_DECL(test_wolfSSL_CertManagerNameConstraint4),
     TEST_DECL(test_wolfSSL_CertManagerNameConstraint5),
     TEST_DECL(test_wolfSSL_FPKI),
+    TEST_DECL(test_wolfSSL_OtherName),
     TEST_DECL(test_wolfSSL_CertRsaPss),
     TEST_DECL(test_wolfSSL_CertManagerCRL),
     TEST_DECL(test_wolfSSL_CTX_load_verify_locations_ex),
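Review bot: In test_wolfSSL_OtherName the `XFREAD` result is never checked, so a failed or short read hands `wc_InitDecodedCert` a `bytes` of 0 or a truncated buffer (the 4096-byte `buf` silently drops anything beyond it), and a parse failure would then be misattributed to the other-name handling under test. Add `AssertIntGT(bytes, 0);` and `AssertIntLT(bytes, (int)sizeof(buf));` right after the read. The test also only asserts that `wc_ParseCert` returns 0; checking that the supported entries of the certificate landed in `cert.altNames` would show the unknown other name was skipped rather than swallowing the entries after it. The comment's "confuncture" should read "conjunction".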

+ 0 - 6
wolfcrypt/src/asn.c

@@ -17284,7 +17284,6 @@ static int DecodeConstructedOtherName(DecodedCert* cert, const byte* input,
 
             default:
                 WOLFSSL_MSG("Unknown constructed other name, skipping");
-                *idx += strLen;
                 XFREE(dnsEntry, cert->heap, DYNAMIC_TYPE_ALTNAME);
                 dnsEntry = NULL;
         }
@@ -17645,13 +17644,8 @@ static int DecodeAltNames(const byte* input, int sz, DecodedCert* cert)
                             WOLFSSL_MSG("\tfail: unsupported other name length");
                             return ASN_PARSE_E;
                         }
-                        else {
-                            /* idx will have been advanced to end of alt name */
-                            length -= (idx - lenStartIdx);
-                        }
                     }
                     else {
-                        length -= (strLen + idx - lenStartIdx);
                         idx += strLen;
                     }
             }
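Review bot: After this change nothing in the DecodeAltNames hunk adjusts `length` for an other-name entry any more — both `length -= (idx - lenStartIdx)` and `length -= (strLen + idx - lenStartIdx)` are removed with no replacement — so the remaining-length bookkeeping for this branch must now happen outside the hunk (for instance at the loop head); if it does not, the walk over the SEQUENCE can run past the end of the extension or stop early on a certificate with several other names, which is exactly the malformed-SAN input the decoder should reject cleanly. Please confirm, and if the adjustment lives elsewhere a comment such as `/* length is reduced at the top of the loop; do not adjust it here */` where the removed else stood would stop the next reader from re-adding it. Likewise, since the `default:` case of DecodeConstructedOtherName no longer advances `*idx`, the caller has to skip `strLen` itself for an unknown constructed name, and the `idx += strLen` visible in the second hunk sits in the other branch, so that path deserves a test certificate carrying an unknown constructed other name. Both functions begin and end outside the hunks.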