Merge #59

bors[bot] · jack-fortanix · web-flow · commit 336416c3ba23 · 2019-09-20T21:24:34.000Z
59: Add ability to read arbitrary certificate extensions r=Goirad a=jack-fortanix

mbedtls ignores extensions it doesn't know about, but the entire DER buffer is available in the v3_ext field so we can parse it ourselves to f.ex read the appid out of our custom extensions.

Co-authored-by: Jack Lloyd &lt;jack.lloyd@fortanix.com&gt;
diff --git a/mbedtls/Cargo.toml b/mbedtls/Cargo.toml
@@ -25,7 +25,7 @@ spin = { version = "0.4.0", default-features = false, optional = true }
 serde = { version = "1.0.7", default-features = false }
 serde_derive = "1.0.7"
 byteorder = "1.0.0"
-yasna = { version = "0.2", optional = true }
+yasna = "0.2"
 block-modes = { version = "0.3", optional = true }
 rc2 = { version = "0.3", optional = true }
 
@@ -66,7 +66,7 @@ zlib = ["mbedtls-sys-auto/zlib"]
 time = ["mbedtls-sys-auto/time"]
 padlock = ["mbedtls-sys-auto/padlock"]
 legacy_protocols = ["mbedtls-sys-auto/legacy_protocols"]
-pkcs12 = ["yasna"]
+pkcs12 = []
 pkcs12_rc2 = ["pkcs12", "rc2", "block-modes"]
 
 [[example]]
diff --git a/mbedtls/src/lib.rs b/mbedtls/src/lib.rs
@@ -26,6 +26,8 @@ extern crate mbedtls_sys;
 
 extern crate byteorder;
 
+extern crate yasna;
+
 extern crate serde;
 #[macro_use]
 extern crate serde_derive;
@@ -36,9 +38,6 @@ extern crate rs_libc;
 #[macro_use]
 mod wrapper_macros;
 
-#[cfg(feature = "pkcs12")]
-extern crate yasna;
-
 #[cfg(feature="pkcs12_rc2")]
 extern crate rc2;
 #[cfg(feature="pkcs12_rc2")]
diff --git a/mbedtls/src/pkcs12/mod.rs b/mbedtls/src/pkcs12/mod.rs
@@ -19,8 +19,6 @@ use crate::alloc_prelude::*;
 
 use core::result::Result as StdResult;
 
-extern crate yasna;
-
 #[cfg(feature = "pkcs12_rc2")]
 extern crate block_modes;
 #[cfg(feature = "pkcs12_rc2")]
diff --git a/mbedtls/src/x509/certificate.rs b/mbedtls/src/x509/certificate.rs
@@ -17,6 +17,9 @@ use crate::alloc_prelude::*;
 use mbedtls_sys::types::raw_types::c_char;
 use mbedtls_sys::*;
 
+use yasna::models::ObjectIdentifier;
+use yasna::{BERDecodable, BERReader, ASN1Result, ASN1Error, ASN1ErrorKind};
+
 use crate::pk::Pk;
 use crate::error::{Error, IntoResult, Result};
 use crate::private::UnsafeFrom;
@@ -37,6 +40,24 @@ define!(
     const drop: fn(&mut Self) = x509_crt_free;
 );
 
+#[derive(Debug, Clone, Eq, PartialEq)]
+pub struct Extension {
+    pub oid: ObjectIdentifier,
+    pub critical: bool,
+    pub value: Vec<u8>,
+}
+
+impl BERDecodable for Extension {
+    fn decode_ber(reader: BERReader) -> ASN1Result<Self> {
+        reader.read_sequence(|reader| {
+            let oid = reader.next().read_oid()?;
+            let critical = reader.read_optional(|r| r.read_bool())?.unwrap_or(false);
+            let value = reader.next().read_bytes()?;
+            Ok(Extension { oid, critical, value })
+        })
+    }
+}
+
 impl Certificate {
     pub fn from_der(der: &[u8]) -> Result<Certificate> {
         let mut ret = Self::init();
@@ -217,6 +238,25 @@ impl LinkedCertificate {
         Ok(x509_buf_to_vec(&self.inner.v3_ext))
     }
 
+    pub fn extensions(&self) -> Result<Vec<Extension>> {
+        let mut ext = Vec::new();
+
+        yasna::parse_der(&self.extensions_raw()?, |r| {
+            r.read_sequence_of(|r| {
+                if let Ok(data) = r.read_der() {
+                    let e: Extension = yasna::decode_der(&data)?;
+                    ext.push(e);
+                    return Ok(());
+                } else {
+                    return Err(ASN1Error::new(ASN1ErrorKind::Eof));
+                }
+            })?;
+            return Ok(());
+        }).map_err(|_| Error::X509InvalidExtensions)?;
+
+        Ok(ext)
+    }
+
     pub fn signature(&self) -> Result<Vec<u8>> {
         Ok(x509_buf_to_vec(&self.inner.sig))
     }
@@ -804,6 +844,35 @@ cYp0bH/RcPTC0Z+ZaqSWMtfxRrk63MJQF9EXpDCdvQRcTMD9D85DJrMKn8aumq0M
         use crate::x509::Time;
         assert_eq!(cert.not_before().unwrap(), Time::new(2019,1,8,0,18,35).unwrap());
         assert_eq!(cert.not_after().unwrap(), Time::new(2029,1,5,0,18,35).unwrap());
+
+        let ext = cert.extensions().unwrap();
+        assert_eq!(ext.len(), 5);
+
+        assert_eq!(ext[0], Extension {
+            oid: ObjectIdentifier::from_slice(&[2,5,29,14]),
+            critical: false,
+            value: hex::decode("04186839FAD57E6544121CC6BC421953CC9620655C57CFAC0602").unwrap(),
+        });
+        assert_eq!(ext[1], Extension {
+            oid: ObjectIdentifier::from_slice(&[2,5,29,17]),
+            critical: false,
+            value: hex::decode("302981117465737440666f7274616e69782e636f6d82146578616d706c652e666f7274616e69782e636f6d").unwrap()
+        });
+        assert_eq!(ext[2], Extension {
+            oid: ObjectIdentifier::from_slice(&[2,5,29,19]),
+            critical: true,
+            value: hex::decode("3000").unwrap()
+        });
+        assert_eq!(ext[3], Extension {
+            oid: ObjectIdentifier::from_slice(&[2,5,29,35]),
+            critical: false,
+            value: hex::decode("301a801879076BCC8DA0077E4116F84B8E4C9C5C6AF7EC4FA000D987").unwrap()
+        });
+        assert_eq!(ext[4], Extension {
+            oid: ObjectIdentifier::from_slice(&[2,5,29,37]),
+            critical: false,
+            value: hex::decode("300a06082b06010505070302").unwrap(),
+        });
     }
 
     #[test]
