From 06a8cbe2b286d04d03ebfd5823d083f12fda17d6 Mon Sep 17 00:00:00 2001 From: Julius Pfrommer Date: Mon, 9 Dec 2024 21:13:47 +0100 Subject: [PATCH] refactor(plugins): Parse the certificate subject alt name using the new mbedTLS API in mbedtls/certificategroup.c --- plugins/crypto/mbedtls/certificategroup.c | 49 ++++++++++++++++++++--- 1 file changed, 44 insertions(+), 5 deletions(-) diff --git a/plugins/crypto/mbedtls/certificategroup.c b/plugins/crypto/mbedtls/certificategroup.c index 10f7f72c1e2..41ae76f5812 100644 --- a/plugins/crypto/mbedtls/certificategroup.c +++ b/plugins/crypto/mbedtls/certificategroup.c @@ -696,6 +696,8 @@ UA_CertificateGroup_Memorystore(UA_CertificateGroup *certGroup, return retval; } +#if !defined(mbedtls_x509_subject_alternative_name) + /* Find binary substring. Taken and adjusted from * http://tungchingkai.blogspot.com/2011/07/binary-strstr.html */ @@ -735,6 +737,8 @@ UA_Bstrstr(const unsigned char *s1, size_t l1, const unsigned char *s2, size_t l return NULL; } +#endif + UA_StatusCode UA_CertificateUtils_verifyApplicationURI(UA_RuleHandling ruleHandling, const UA_ByteString *certificate, @@ -748,21 +752,56 @@ UA_CertificateUtils_verifyApplicationURI(UA_RuleHandling ruleHandling, if(retval != UA_STATUSCODE_GOOD) return retval; +#if defined(mbedtls_x509_subject_alternative_name) + /* Get the Subject Alternative Name and compate */ + mbedtls_x509_subject_alternative_name san; + mbedtls_x509_sequence *cur = &remoteCertificate.subject_alt_names; + retval = UA_STATUSCODE_BADCERTIFICATEURIINVALID; + for(; cur; cur = cur->next) { + int res = mbedtls_x509_parse_subject_alt_name(&cur->buf, &san); + if(res != 0) + continue; + if(san.type != MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER) { + mbedtls_x509_free_subject_alt_name(&san); + continue; + } + + UA_String uri = {san.san.unstructured_name.len, san.san.unstructured_name.p}; + UA_Boolean found = UA_String_equal(&uri, applicationURI); + if(found) { + retval = UA_STATUSCODE_GOOD; + } else if(ruleHandling != UA_RULEHANDLING_ACCEPT) { + UA_LOG_WARNING(logger, UA_LOGCATEGORY_SECURITYPOLICY, + "The certificate's Subject Alternative Name URI (%S) " + "does not match the ApplicationURI (%S)", + uri, *applicationURI); + } + mbedtls_x509_free_subject_alt_name(&san); + break; + } + + if(!cur && ruleHandling != UA_RULEHANDLING_ACCEPT) { + UA_LOG_WARNING(logger, UA_LOGCATEGORY_SECURITYPOLICY, + "The certificate has no Subject Alternative Name URI defined"); + } +#else /* Poor man's ApplicationUri verification. mbedTLS does not parse all fields * of the Alternative Subject Name. Instead test whether the URI-string is - * present in the v3_ext field in general. - * - * TODO: Improve parsing of the Alternative Subject Name */ + * present in the v3_ext field in general. */ if(UA_Bstrstr(remoteCertificate.v3_ext.p, remoteCertificate.v3_ext.len, applicationURI->data, applicationURI->length) == NULL) retval = UA_STATUSCODE_BADCERTIFICATEURIINVALID; - if(retval != UA_STATUSCODE_GOOD && ruleHandling == UA_RULEHANDLING_DEFAULT) { + if(retval != UA_STATUSCODE_GOOD && ruleHandling != UA_RULEHANDLING_ACCEPT) { UA_LOG_WARNING(logger, UA_LOGCATEGORY_SECURITYPOLICY, "The certificate's application URI could not be verified. StatusCode %s", UA_StatusCode_name(retval)); - retval = UA_STATUSCODE_GOOD; } +#endif + + if(ruleHandling != UA_RULEHANDLING_ABORT) + retval = UA_STATUSCODE_GOOD; + mbedtls_x509_crt_free(&remoteCertificate); return retval; }