

os_stub/cryptlib_mbedtls: x509: Fixup setting the CSR constraints
We were incorrectly not actually copying the OIDs from the existing
cert. This ensures that we do apply the OIDs.

Fixes: 6f798df "os_stub: cryptlib: CSR: Allow copying attributes from an existing cert"
Signed-off-by: Alistair Francis <[email protected]>
alistair23 authored and jyao1 committed Nov 29, 2023
1 parent 402ad07 commit 495f047
Showing 1 changed file with 28 additions and 28 deletions.
56 changes: 28 additions & 28 deletions os_stub/cryptlib_mbedtls/pk/x509.c
Expand Up @@ -1951,15 +1951,15 @@ bool libspdm_gen_x509_csr(size_t hash_nid, size_t asym_nid,
mbedtls_x509write_csr req;
mbedtls_md_type_t md_alg;
mbedtls_asn1_sequence extns;
mbedtls_asn1_sequence *next;
mbedtls_asn1_sequence *next_oid;
mbedtls_x509_buf buf;
mbedtls_x509_crt *cert;
mbedtls_pk_context key;

uint8_t pubkey_buffer[LIBSPDM_MAX_PUBKEY_DER_BUFFER_SIZE];
uint8_t *pubkey_der_data;
size_t pubkey_der_len;
size_t tag_len;
size_t oid_tag_len;

/*basic_constraints: CA: false */
#define BASIC_CONSTRAINTS_STRING_FALSE {0x30, 0x00}
Expand All @@ -1973,7 +1973,7 @@ bool libspdm_gen_x509_csr(size_t hash_nid, size_t asym_nid,
mbedtls_x509write_csr_init(&req);
mbedtls_pk_init(&key);
csr_buffer_size = *csr_len;
next = NULL;
next_oid = NULL;

ret = 1;
switch (asym_nid)
Expand Down Expand Up @@ -2073,55 +2073,55 @@ bool libspdm_gen_x509_csr(size_t hash_nid, size_t asym_nid,
/* Set key */
mbedtls_x509write_csr_set_key(&req, &key);

/*set basicConstraints*/
if (mbedtls_x509write_csr_set_extension(&req, MBEDTLS_OID_BASIC_CONSTRAINTS,
MBEDTLS_OID_SIZE(MBEDTLS_OID_BASIC_CONSTRAINTS),
is_ca ? basic_constraints_true : basic_constraints_false,
is_ca ?
sizeof(basic_constraints_true) :
sizeof(basic_constraints_false)
) != 0) {
ret = 1;
LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO,
"mbedtls_x509write_csr_set_extension set basicConstraints failed \n"));
goto free_all;
}

if (base_cert != NULL) {
cert = base_cert;
buf = cert->v3_ext;
if (mbedtls_asn1_get_sequence_of(&buf.p, buf.p + buf.len, &extns,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) {
ret = 1;
LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO,
"mbedtls_x509write_csr_set_extension unable to get tag\n"));
"mbedtls_x509write_csr_set_extension unable to get sequence\n"));
goto free_all;
}

next = &extns;
next_oid = &extns;
}

while (next) {
if (mbedtls_asn1_get_tag(&(next->buf.p), next->buf.p + next->buf.len, &tag_len,
MBEDTLS_ASN1_OID)) {
while (next_oid) {
if (mbedtls_asn1_get_tag(&(next_oid->buf.p), next_oid->buf.p + next_oid->buf.len,
&oid_tag_len, MBEDTLS_ASN1_OID)) {
ret = 1;
LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO,
"mbedtls_x509write_csr_set_extension unable to get tag\n"));
"mbedtls_x509write_csr_set_extension unable to get OID tag\n"));
goto free_all;
}

if (mbedtls_x509write_csr_set_extension(&req, MBEDTLS_OID_BASIC_CONSTRAINTS,
MBEDTLS_OID_SIZE(MBEDTLS_OID_BASIC_CONSTRAINTS),
next->buf.p,
tag_len
if (mbedtls_x509write_csr_set_extension(&req, next_oid->buf.p,
oid_tag_len,
next_oid->buf.p + oid_tag_len,
next_oid->buf.len - oid_tag_len
) != 0) {
ret = 1;
LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO,
"mbedtls_x509write_csr_set_extension set custom OID failed \n"));
goto free_all;
}

next = next->next;
}

/*set basicConstraints*/
if (mbedtls_x509write_csr_set_extension(&req, MBEDTLS_OID_BASIC_CONSTRAINTS,
MBEDTLS_OID_SIZE(MBEDTLS_OID_BASIC_CONSTRAINTS),
is_ca ? basic_constraints_true : basic_constraints_false,
is_ca ?
sizeof(basic_constraints_true) :
sizeof(basic_constraints_false)
) != 0) {
ret = 1;
LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO,
"mbedtls_x509write_csr_set_extension set basicConstraints failed \n"));
goto free_all;
next_oid = next_oid->next;
}

/*csr data is written at the end of the buffer*/
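Review bot: The value span handed to mbedtls_x509write_csr_set_extension at `next_oid->buf.p + oid_tag_len` / `next_oid->buf.len - oid_tag_len` is mis-sized: mbedtls_asn1_get_tag has already advanced `next_oid->buf.p` past the OID's tag and length bytes, but `buf.len` still counts them, so the computed length overshoots the end of this Extension by the header size and the read runs into the following extension (or past the end of the sequence). The span also begins at the extnValue OCTET STRING's own tag (or at the optional critical BOOLEAN), and as far as I recall the mbedtls writer wraps `val` in an OCTET STRING itself, so the CSR would carry a double-wrapped extension rather than a copy of the cert's value. The loop should keep its own cursor, parse the optional BOOLEAN and the OCTET STRING, and pass the octet-string contents, as sketched below; with the 5-argument setter used here there is no critical parameter, so the flag can only be parsed and skipped. Note too that basicConstraints is now set before the copy loop, so a base cert carrying its own basicConstraints would replace the `is_ca` choice if the setter overwrites same-OID entries — worth confirming that ordering is intended. libspdm_gen_x509_csr starts before and continues after this hunk.
```c
while (next_oid) {
    unsigned char *ext_end = next_oid->buf.p + next_oid->buf.len;
    unsigned char *p = next_oid->buf.p;
    unsigned char *ext_oid;
    size_t val_len;
    int is_critical = 0;
    int asn1_ret;

    /* extnID: p is advanced past the OID tag/length, oid_tag_len is the OID body length */
    if (mbedtls_asn1_get_tag(&p, ext_end, &oid_tag_len, MBEDTLS_ASN1_OID)) {
        /* … unchanged: "unable to get OID tag" error handling … */
    }
    ext_oid = p;
    p += oid_tag_len;

    /* optional critical BOOLEAN; this setter has no critical flag, so it is only skipped */
    asn1_ret = mbedtls_asn1_get_bool(&p, ext_end, &is_critical);
    if (asn1_ret != 0 && asn1_ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
        ret = 1;
        LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO,
                       "mbedtls_x509write_csr_set_extension unable to get critical flag\n"));
        goto free_all;
    }

    /* extnValue OCTET STRING: pass its contents, the writer re-wraps them in an OCTET STRING */
    if (mbedtls_asn1_get_tag(&p, ext_end, &val_len, MBEDTLS_ASN1_OCTET_STRING) ||
        p + val_len != ext_end) {
        ret = 1;
        LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO,
                       "mbedtls_x509write_csr_set_extension unable to get extension value\n"));
        goto free_all;
    }

    if (mbedtls_x509write_csr_set_extension(&req, (const char *)ext_oid, oid_tag_len,
                                            p, val_len) != 0) {
        /* … unchanged: "set custom OID failed" error handling … */
    }

    next_oid = next_oid->next;
}
```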
