X.509: add check for DN/SAN

Signed-off-by: Stephan Mueller <smueller@chronox.de>

Author: smuellerDD

CHANGES.md

@@ -23,6 +23,8 @@ Changes 1.7.0-prerelease
 
 * AVX2 / AVX512 / CLMUL detection: Follow Intel instructions on detecting support. Also, ensure that code compiled with acceleration support is always invoked by non-accelerated code which has the check for acceleration support.
 
+* X.509: add lc_x509_policy_cert_subject_match API
+
 Changes 1.6.0
 * ASN.1: use stack for small generator for small use cases
 

apps/src/lc_x509_generator.c

@@ -49,7 +49,6 @@ struct x509_generator_opts {
 	struct lc_x509_key_data signer_key_data;
 	struct x509_checker_options checker_opts;
 	struct lc_pkcs8_message pkcs8;
-	uint8_t ipaddr[16];
 	uint8_t *raw_skid;
 	size_t raw_skid_size;
 	uint8_t *raw_akid;
@@ -317,12 +316,13 @@ static int x509_enc_san_dns(struct x509_generator_opts *opts,
 static int x509_enc_san_ip(struct x509_generator_opts *opts, char *opt_optarg)
 {
 	struct lc_x509_certificate *cert = &opts->cert;
-	size_t ip_len = sizeof(opts->ipaddr);
+	uint8_t ipaddr[16];
+	size_t ip_len = sizeof(ipaddr);
 	int ret;
 
-	CKINT(lc_x509_enc_san_ip(cert, opt_optarg, opts->ipaddr, &ip_len));
+	CKINT(lc_x509_enc_san_ip(opt_optarg, ipaddr, &ip_len));
 
-	CKINT(lc_x509_cert_set_san_ip(cert, opts->ipaddr, ip_len));
+	CKINT(lc_x509_cert_set_san_ip(cert, ipaddr, ip_len));
 
 out:
 	return ret;

apps/src/lc_x509_generator_checker.c

@@ -171,8 +171,17 @@ int apply_checks_x509(const struct lc_x509_certificate *x509,
 	}
 
 	if (parsed_opts->issuer_cn) {
-		if (strncmp(x509->issuer, parsed_opts->issuer_cn,
-			    sizeof(x509->issuer))) {
+		struct lc_x509_certificate_name search_name = {
+			.cn = {
+				.value = parsed_opts->issuer_cn,
+				.size = (uint8_t)strlen(parsed_opts->issuer_cn),
+			}
+		};
+
+		if (lc_x509_policy_cert_subject_match(
+			x509, &search_name,
+			lc_x509_policy_cert_subject_match_issuer_only) ==
+		    LC_X509_POL_FALSE) {
 			printf("Issuers mismatch, expected %s, actual %s\n",
 			       parsed_opts->issuer_cn, x509->issuer);
 			return -EINVAL;
@@ -181,8 +190,17 @@ int apply_checks_x509(const struct lc_x509_certificate *x509,
 		}
 	}
 	if (parsed_opts->subject_cn) {
-		if (strncmp(x509->subject, parsed_opts->subject_cn,
-			    sizeof(x509->subject))) {
+		struct lc_x509_certificate_name search_name = {
+			.cn = {
+				.value = parsed_opts->subject_cn,
+				.size = (uint8_t)strlen(parsed_opts->subject_cn),
+			}
+		};
+
+		if (lc_x509_policy_cert_subject_match(
+			x509, &search_name,
+			lc_x509_policy_cert_subject_match_dn_only) ==
+		    LC_X509_POL_FALSE) {
 			printf("Subject mismatch, expected %s, actual %s\n",
 			       parsed_opts->subject_cn, x509->subject);
 			return -EINVAL;
@@ -227,41 +245,36 @@ int apply_checks_x509(const struct lc_x509_certificate *x509,
 	}
 
 	if (parsed_opts->san_dns) {
-		size_t exp_len = strlen(parsed_opts->san_dns);
-
-		if (exp_len != x509->san_dns_len) {
-			printf("SAN DNS: lengths differ (expected %zu, actual %zu)\n",
-			       exp_len, x509->san_dns_len);
-			return -EINVAL;
-		}
-
-		if (memcmp(parsed_opts->san_dns, x509->san_dns, exp_len)) {
-			char buf[128];
-
-			memcpy(buf, x509->san_dns,
-			       min_size(sizeof(buf), x509->san_dns_len));
+		struct lc_x509_certificate_name search_name = {
+			.cn = {
+				.value = parsed_opts->subject_cn,
+				.size = (uint8_t)strlen(parsed_opts->subject_cn),
+			}
+		};
 
+		if (lc_x509_policy_cert_subject_match(
+			x509, &search_name,
+			lc_x509_policy_cert_subject_match_san_dns_only) ==
+		    LC_X509_POL_FALSE) {
 			printf("SAN DNS: names mismatch (expected %s, actual %s)\n",
-			       parsed_opts->san_dns, buf);
+			       parsed_opts->san_dns, x509->san_dns);
 			return -EINVAL;
 		} else {
 			printf("SAN DNS match\n");
 		}
 	}
 	if (parsed_opts->san_ip) {
-		uint8_t exp_ip_bin[16];
-		size_t exp_len = strlen(parsed_opts->san_ip);
-
-		hex2bin(parsed_opts->san_ip, exp_len, exp_ip_bin,
-			sizeof(exp_ip_bin));
-
-		if (exp_len / 2 != x509->san_ip_len) {
-			printf("SAN IP: lengths differ (expected %zu, actual %zu)\n",
-			       exp_len, x509->san_ip_len);
-			return -EINVAL;
-		}
+		struct lc_x509_certificate_name search_name = {
+			.cn = {
+				.value = parsed_opts->san_ip,
+				.size = (uint8_t)strlen(parsed_opts->san_ip),
+			}
+		};
 
-		if (memcmp(exp_ip_bin, x509->san_ip, x509->san_ip_len)) {
+		if (lc_x509_policy_cert_subject_match(
+			x509, &search_name,
+			lc_x509_policy_cert_subject_match_issuer_only) ==
+		    LC_X509_POL_FALSE) {
 			char buf[33] = { 0 };
 
 			bin2hex(x509->san_ip, x509->san_ip_len, buf,

asn1/api/lc_x509_generator.h

@@ -325,20 +325,6 @@ int lc_x509_cert_set_san_dns(struct lc_x509_certificate *cert,
 int lc_x509_cert_set_san_ip(struct lc_x509_certificate *cert,
 			    const uint8_t *san_ip, size_t san_ip_len);
 
-/**
- * @ingroup X509Gen
- * @brief Helper to convert the human IP address value into binary form
- *
- * @param [in] cert Certificate data structure to be filled with the data
- * @param [in] ip_name Caller-provided buffer to fill with human-readable form
- * @param [out] ip Caller-provided buffer of binary representation of IP address
- * @param [in] ip_len Length of the IP address buffer
- *
- * @return 0 on success or < 0 on error
- */
-int lc_x509_enc_san_ip(struct lc_x509_certificate *cert, char *ip_name,
-		       uint8_t *ip, size_t *ip_len);
-
 /**
  * @ingroup X509Gen
  * @brief Set the SKID value

asn1/api/lc_x509_parser.h

@@ -544,6 +544,18 @@ int lc_x509_cert_get_keyusage_val(const struct lc_x509_certificate *cert,
 int lc_x509_cert_get_san_dns(const struct lc_x509_certificate *cert,
 			     const char **san_dns_name, size_t *san_dns_len);
 
+/**
+ * @ingroup X509
+ * @brief Helper to convert the human IP address value into binary form
+ *
+ * @param [in] ip_name Caller-provided buffer to fill with human-readable form
+ * @param [out] ip Caller-provided buffer of binary representation of IP address
+ * @param [in] ip_len Length of the IP address buffer
+ *
+ * @return 0 on success or < 0 on error
+ */
+int lc_x509_enc_san_ip(const char *ip_name, uint8_t *ip, size_t *ip_len);
+
 /**
  * @ingroup X509
  * @brief Get the SAN IP value
@@ -891,6 +903,10 @@ typedef int lc_x509_pol_ret_t /* __attribute__((warn_unused_result)) */;
  * @ingroup X509
  * @brief Is the given certificate a CA certificate (root or intermediate)?
  *
+ * \note The verification of the signature and the general constraints of the
+ * certificate is not performed here but must be invoked with
+ * \p lc_x509_policy_verify_cert.
+ *
  * @param [in] cert Reference to the certificate
  *
  * @return < 0 on error, LC_X509_POL_TRUE or LC_X509_POL_FALSE
@@ -924,6 +940,10 @@ lc_x509_policy_is_selfsigned(const struct lc_x509_certificate *cert);
  * @ingroup X509
  * @brief Is the given certificate a root CA certificate?
  *
+ * \note The verification of the signature and the general constraints of the
+ * certificate is not performed here but must be invoked with
+ * \p lc_x509_policy_verify_cert.
+ *
  * @param [in] cert Reference to the certificate
  *
  * @return < 0 on error, LC_X509_POL_TRUE or LC_X509_POL_FALSE
@@ -1039,6 +1059,49 @@ int lc_x509_policy_verify_cert(const struct lc_public_key *pkey,
 			       const struct lc_x509_certificate *cert,
 			       uint64_t flags);
 
+enum lc_x509_policy_cert_subject_match_flag {
+	/** Match DN or SAN IP or DNS - success if one matches */
+	lc_x509_policy_cert_subject_match_dn_and_san,
+	/** Match DN only */
+	lc_x509_policy_cert_subject_match_dn_only,
+	/** Match SAN IP only */
+	lc_x509_policy_cert_subject_match_san_ip_only,
+	/** Match SAN DNS only */
+	lc_x509_policy_cert_subject_match_san_dns_only,
+	/** Match SAN name segments */
+	lc_x509_policy_cert_subject_match_san_name_only,
+	/** Match issuer only */
+	lc_x509_policy_cert_subject_match_issuer_only,
+};
+
+/**
+ * @ingroup X509
+ * @brief Match certificate against a provided name
+ *
+ * This function matches the \p search_name information against the certificate
+ * DN and/or the SAN or the issuer as specified with the \p flag field. Only the
+ * name components specified with \p search_name are checked. If \p search_name
+ * does not contain a component, but the certificate has it, it will be matched.
+ *
+ * For example: The certificate has a DN with cn="aaa", c="bbb" and the search
+ * contains cn="aaa" with all other components empty, it will match the
+ * certificate. The string matching is an exact match (string length and
+ * content must be identical).
+ *
+ * \note The SAN DNS and IP search string must be provided in
+ * \p search_name->cn. For the IP, the unencoded IP is to be provided.
+ *
+ * @param [in] cert Reference to the certificate to be validated
+ * @param [in] search_name Search information
+ * @param [in] flags Flags for the search process
+ *
+ * @return 0 on success, < 0 on error
+ */
+lc_x509_pol_ret_t lc_x509_policy_cert_subject_match(
+	const struct lc_x509_certificate *cert,
+	const struct lc_x509_certificate_name *search_name,
+	enum lc_x509_policy_cert_subject_match_flag flag);
+
 #ifdef __cplusplus
 }
 #endif

asn1/src/x509_cert_generator_set_data.c

@@ -234,64 +234,6 @@ LC_INTERFACE_FUNCTION(int, lc_x509_cert_set_san_dns,
 	return ret;
 }
 
-LC_INTERFACE_FUNCTION(int, lc_x509_enc_san_ip, struct lc_x509_certificate *cert,
-		      char *ip_name, uint8_t *ip, size_t *ip_len)
-{
-	/*
-	 * EFI does not have support for strstr, strtok_r and strtoul, so
-	 * we simply do not compile this function. As this is a rarely used
-	 * helper, we simply do not provide this function.
-	 */
-#if defined(LC_EFI) || defined(LINUX_KERNEL)
-	int ret;
-
-	(void)cert;
-	(void)ip_name;
-	(void)ip;
-	(void)ip_len;
-
-	CKRET(1, -EOPNOTSUPP);
-
-out:
-	return ret;
-#else
-	unsigned long val;
-	char *saveptr = NULL;
-	char *res = NULL;
-	const char *tok = ".";
-	unsigned int i, upper = 4;
-	int ret = 0, base = 10;
-
-	CKNULL(cert, -EINVAL);
-	CKNULL(ip_name, -EINVAL);
-	CKNULL(ip, -EINVAL);
-	CKNULL(ip_len, -EINVAL);
-
-	/* Check for IPv6 */
-	if (strstr(ip_name, ":")) {
-		tok = ":";
-		upper = 16;
-		base = 16;
-	}
-
-	CKRET(*ip_len < upper, -EOVERFLOW);
-
-	res = strtok_r(ip_name, tok, &saveptr);
-	for (i = 0; i < upper; i++) {
-		CKNULL(res, -EINVAL);
-		val = strtoul(res, NULL, base);
-		CKRET(val > 255, -EINVAL);
-		ip[i] = (uint8_t)val;
-		res = strtok_r(NULL, tok, &saveptr);
-	}
-
-	*ip_len = i;
-
-out:
-	return ret;
-#endif
-}
-
 LC_INTERFACE_FUNCTION(int, lc_x509_cert_set_san_ip,
 		      struct lc_x509_certificate *cert, const uint8_t *san_ip,
 		      size_t san_ip_len)

asn1/src/x509_cert_parser.c

@@ -1390,3 +1390,60 @@ LC_INTERFACE_FUNCTION(void, lc_x509_keys_zero_free,
 	lc_x509_keys_zero(keys);
 	lc_free(keys);
 }
+
+LC_INTERFACE_FUNCTION(int, lc_x509_enc_san_ip, const char *ip_name, uint8_t *ip,
+		      size_t *ip_len)
+{
+	/*
+	 * EFI does not have support for strstr, strtok_r and strtoul, so
+	 * we simply do not compile this function. As this is a rarely used
+	 * helper, we simply do not provide this function.
+	 */
+#if defined(LC_EFI) || defined(LINUX_KERNEL)
+	int ret;
+
+	(void)ip_name;
+	(void)ip;
+	(void)ip_len;
+
+	CKRET(1, -EOPNOTSUPP);
+
+out:
+	return ret;
+#else
+	unsigned long val;
+	char *saveptr = NULL;
+	char *res = NULL;
+	const char *tok = ".";
+	unsigned int i, upper = 4;
+	int ret = 0, base = 10;
+
+	CKNULL(ip_name, -EINVAL);
+	CKNULL(ip, -EINVAL);
+	CKNULL(ip_len, -EINVAL);
+
+	/* Check for IPv6 */
+	if (strstr(ip_name, ":")) {
+		tok = ":";
+		upper = 16;
+		base = 16;
+	}
+
+	CKRET(*ip_len < upper, -EOVERFLOW);
+
+	/* Unconstify is acceptable, as we only read the value with strtoul */
+	res = strtok_r((char *)ip_name, tok, &saveptr);
+	for (i = 0; i < upper; i++) {
+		CKNULL(res, -EINVAL);
+		val = strtoul(res, NULL, base);
+		CKRET(val > 255, -EINVAL);
+		ip[i] = (uint8_t)val;
+		res = strtok_r(NULL, tok, &saveptr);
+	}
+
+	*ip_len = i;
+
+out:
+	return ret;
+#endif
+}