Mbed-TLS
diff --git a/‎ChangeLog.d/register-name-constraints.txt‎
Lines changed: 5 additions & 0 deletions b/‎ChangeLog.d/register-name-constraints.txt‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎framework‎ b/‎framework‎
diff --git a/‎include/mbedtls/x509.h‎
Lines changed: 6 additions & 0 deletions b/‎include/mbedtls/x509.h‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎include/mbedtls/x509_crt.h‎
Lines changed: 3 additions & 0 deletions b/‎include/mbedtls/x509_crt.h‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎library/x509.c‎
Lines changed: 87 additions & 31 deletions b/‎library/x509.c‎
Lines changed: 87 additions & 31 deletions
@@ -0,0 +1,5 @@
+Features
+   * Decode Name Constraints extension.
+   * Show info for Name Constraints for a certificate.
+   * Handle Other Name type of General Name as opaque data.
+   * Show info for BundleEID Other Name for a certificate.
@@ -134,6 +134,9 @@
 #define MBEDTLS_X509_SAN_IP_ADDRESS                      7
 #define MBEDTLS_X509_SAN_REGISTERED_ID                   8
 
+#define MBEDTLS_X509_NAME_CONST_INCL                     0
+#define MBEDTLS_X509_NAME_CONST_EXCL                     1
+
 /*
  * X.509 v3 Key Usage Extension flags
  * Reminder: update mbedtls_x509_info_key_usage() when adding new flags.
@@ -277,6 +280,9 @@ typedef struct mbedtls_x509_san_other_name {
             mbedtls_x509_buf val;               /**< The named value. */
         }
         hardware_module_name;
+        /** Raw source value for non-constructed types.
+         */
+        mbedtls_x509_buf raw;
     }
     value;
 }
 
@@ -67,6 +67,9 @@ typedef struct mbedtls_x509_crt {
     mbedtls_x509_buf subject_key_id;    /**< Optional X.509 v3 extension subject key identifier. */
     mbedtls_x509_authority authority_key_id;    /**< Optional X.509 v3 extension authority key identifier. */
 
+    mbedtls_x509_sequence name_constraints_incl;    /**< Optional list of raw entries of Name Constraints extension (currently only dNSName and OtherName are listed). */
+    mbedtls_x509_sequence name_constraints_excl;    /**< Optional list of raw entries of Name Constraints extension (currently only dNSName and OtherName are listed). */
+
     mbedtls_x509_sequence certificate_policies; /**< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). */
 
     int MBEDTLS_PRIVATE(ext_types);              /**< Bit string containing detected and parsed extensions */
 
@@ -1190,6 +1190,7 @@ int mbedtls_x509_time_is_future(const mbedtls_x509_time *from)
  *
  * NOTE: we currently only parse and use otherName of type HwModuleName,
  * as defined in RFC 4108.
+ * Other type-ids are kept as raw, undecoded ASN.1 bytes.
  */
 static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name,
                                mbedtls_x509_san_other_name *other_name)
@@ -1218,12 +1219,7 @@ static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name,
     cur_oid.p = p;
     cur_oid.len = len;
 
-    /*
-     * Only HwModuleName is currently supported.
-     */
-    if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME, &cur_oid) != 0) {
-        return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
-    }
+    /* Value context-specific tag */
     other_name->type_id = cur_oid;
 
     p += len;
@@ -1238,38 +1234,64 @@ static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name,
                                  MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
     }
 
-    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
-                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
-        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
-    }
+    /*
+     * HwModuleName
+     */
+    if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME, &cur_oid) == 0) {
+        if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+                                        MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+        }
 
-    if (end != p + len) {
-        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
-                                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
-    }
+        if (end != p + len) {
+            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+                                     MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+        }
 
-    if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID)) != 0) {
-        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
-    }
+        if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID)) != 0) {
+            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+        }
 
-    other_name->value.hardware_module_name.oid.tag = MBEDTLS_ASN1_OID;
-    other_name->value.hardware_module_name.oid.p = p;
-    other_name->value.hardware_module_name.oid.len = len;
+        other_name->value.hardware_module_name.oid.tag = MBEDTLS_ASN1_OID;
+        other_name->value.hardware_module_name.oid.p = p;
+        other_name->value.hardware_module_name.oid.len = len;
 
-    p += len;
-    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
-                                    MBEDTLS_ASN1_OCTET_STRING)) != 0) {
-        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+        p += len;
+        if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+                                        MBEDTLS_ASN1_OCTET_STRING)) != 0) {
+            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+        }
+
+        other_name->value.hardware_module_name.val.tag = MBEDTLS_ASN1_OCTET_STRING;
+        other_name->value.hardware_module_name.val.p = p;
+        other_name->value.hardware_module_name.val.len = len;
+        p += len;
+        if (p != end) {
+            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+                                     MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+        }
     }
+    /* Arbitrary raw value */
+    else {
+        if (p >= end) {
+            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+                                     MBEDTLS_ERR_ASN1_OUT_OF_DATA);
+        }
+        other_name->value.raw.tag = *p;
+        p++;
 
-    other_name->value.hardware_module_name.val.tag = MBEDTLS_ASN1_OCTET_STRING;
-    other_name->value.hardware_module_name.val.p = p;
-    other_name->value.hardware_module_name.val.len = len;
-    p += len;
-    if (p != end) {
-        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
-                                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+        if ((ret = mbedtls_asn1_get_len(&p, end, &len)) != 0) {
+            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+        }
+        other_name->value.raw.p = p;
+        other_name->value.raw.len = len;
+        p += len;
+        if (p != end) {
+            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+                                     MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+        }
     }
+
     return 0;
 }
 
@@ -1640,6 +1662,40 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
                         MBEDTLS_X509_SAFE_SNPRINTF;
                     }
                 }/* MBEDTLS_OID_ON_HW_MODULE_NAME */
+                else if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_BUNDLE_EID,
+                                    &other_name->type_id) == 0) {
+                    int len = 0;
+                    const char *str = NULL;
+                    if (other_name->value.raw.tag == MBEDTLS_ASN1_IA5_STRING) {
+                        len = other_name->value.raw.len;
+                        str = (char*)other_name->value.raw.p;
+                    }
+
+                    ret = mbedtls_snprintf(p, n, "\n%s        BundleEID : %.*s", prefix,
+                                           len, str);
+                    MBEDTLS_X509_SAFE_SNPRINTF;
+                }/* MBEDTLS_OID_ON_BUNDLE_EID */
+                else {
+                    /* Show type OID */
+                    ret = mbedtls_snprintf(p, n, "\n%s        type-id : ", prefix);
+                    MBEDTLS_X509_SAFE_SNPRINTF;
+
+                    ret = mbedtls_oid_get_numeric_string(p,
+                                                         n,
+                                                         &other_name->type_id);
+                    MBEDTLS_X509_SAFE_SNPRINTF;
+
+                    ret = mbedtls_snprintf(p, n, "\n%s        value : ", prefix);
+                    MBEDTLS_X509_SAFE_SNPRINTF;
+
+                    for (i = 0; i < other_name->value.raw.len; i++) {
+                        ret = mbedtls_snprintf(p,
+                                               n,
+                                               "%02X",
+                                               other_name->value.raw.p[i]);
+                        MBEDTLS_X509_SAFE_SNPRINTF;
+                    }
+                }
             }
             break;
             /*
Original file line number	Diff line number	Diff line change
`@@ -134,6 +134,9 @@`
`134`	`134`	`#define MBEDTLS_X509_SAN_IP_ADDRESS 7`
`135`	`135`	`#define MBEDTLS_X509_SAN_REGISTERED_ID 8`
`136`	`136`
	`137`	`+#define MBEDTLS_X509_NAME_CONST_INCL 0`
	`138`	`+#define MBEDTLS_X509_NAME_CONST_EXCL 1`
	`139`	`+`
`137`	`140`	`/*`
`138`	`141`	`* X.509 v3 Key Usage Extension flags`
`139`	`142`	`* Reminder: update mbedtls_x509_info_key_usage() when adding new flags.`
`@@ -277,6 +280,9 @@ typedef struct mbedtls_x509_san_other_name {`
`277`	`280`	`mbedtls_x509_buf val; /*< The named value. /`
`278`	`281`	`}`
`279`	`282`	`hardware_module_name;`
	`283`	`+ /** Raw source value for non-constructed types.`
	`284`	`+ */`
	`285`	`+ mbedtls_x509_buf raw;`
`280`	`286`	`}`
`281`	`287`	`value;`
`282`	`288`	`}`