[openwrt/openwrt] px5g-mbedtls: add subjectAltName and extendedKeyUsage to SSL certs
LEDE Commits
lede-commits at lists.infradead.org
Tue Aug 13 12:07:17 PDT 2024
robimarko pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/efca89daefc0347c64209e4e588fe17536933cf6
commit efca89daefc0347c64209e4e588fe17536933cf6
Author: Hannu Nyman <hannu.nyman at iki.fi>
AuthorDate: Wed May 1 14:49:46 2024 +0300
px5g-mbedtls: add subjectAltName and extendedKeyUsage to SSL certs
To better acommodate with the current browsers' requirements, also
self-signed certificates should have subjectAltName and
extendedKeyUsage defined in the self-signed x509 SSL certificates.
The following case sensitive options are now possible:
-addext subjectAltName=DNS:...
-addext subjectAltName=EMAIL:...
-addext subjectAltName=IP:...
-addext subjectAltName=URI:...
-addext extendedKeyUsage=serverAuth OR -addext extendedKeyUsage=any
Initial draft by Paul Donald <newtwen at gmail.com>
Signed-off-by: Hannu Nyman <hannu.nyman at iki.fi>
Link: https://github.com/openwrt/openwrt/pull/15366
Signed-off-by: Robert Marko <robimarko at gmail.com>
---
package/utils/px5g-mbedtls/Makefile | 2 +-
package/utils/px5g-mbedtls/px5g-mbedtls.c | 67 ++++++++++++++++++++++++++++++-
2 files changed, 67 insertions(+), 2 deletions(-)
diff --git a/package/utils/px5g-mbedtls/Makefile b/package/utils/px5g-mbedtls/Makefile
index 14c9f684a9..6addbbab12 100644
--- a/package/utils/px5g-mbedtls/Makefile
+++ b/package/utils/px5g-mbedtls/Makefile
@@ -8,7 +8,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=px5g-mbedtls
-PKG_RELEASE:=10
+PKG_RELEASE:=11
PKG_LICENSE:=LGPL-2.1
PKG_BUILD_FLAGS:=no-mips16
diff --git a/package/utils/px5g-mbedtls/px5g-mbedtls.c b/package/utils/px5g-mbedtls/px5g-mbedtls.c
index 85abe7dc73..63f54bd9aa 100644
--- a/package/utils/px5g-mbedtls/px5g-mbedtls.c
+++ b/package/utils/px5g-mbedtls/px5g-mbedtls.c
@@ -38,8 +38,13 @@
#include <mbedtls/ecp.h>
#include <mbedtls/rsa.h>
#include <mbedtls/pk.h>
+#include <mbedtls/asn1.h>
+#include <mbedtls/oid.h>
-#define PX5G_VERSION "0.2"
+#define SET_OID(x, oid) \
+ do { x.len = MBEDTLS_OID_SIZE(oid); x.p = (unsigned char *) oid; } while (0)
+
+#define PX5G_VERSION "0.3"
#define PX5G_COPY "Copyright (c) 2009 Steven Barth <steven at midlink.org>"
#define PX5G_LICENSE "Licensed under the GNU Lesser General Public License v2.1"
@@ -193,6 +198,16 @@ int selfsigned(char **arg)
mbedtls_pk_context key;
mbedtls_x509write_cert cert;
mbedtls_mpi serial;
+ mbedtls_x509_san_list *san_list = NULL, *san_prev = NULL, *san_cur = NULL;
+ /*support
+ - MBEDTLS_X509_SAN_DNS_NAME
+ - MBEDTLS_X509_SAN_IP_ADDRESS
+ - MBEDTLS_X509_SAN_RFC822_NAME
+ - MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER
+ */
+ mbedtls_asn1_sequence *eku = NULL, *ext_key_usage = NULL;
+ char *sanval, *santype;
+ uint8_t ipaddr[16] = { 0 };
char *subject = "";
unsigned int ksize = 512;
@@ -267,8 +282,56 @@ int selfsigned(char **arg)
oldc = delim + 1;
} while(*delim);
arg++;
+ } else if (!strcmp(*arg, "-addext") && arg[1]) {
+ mbedtls_asn1_sequence **tail = &eku;
+ if (!strncmp(arg[1], "extendedKeyUsage=", strlen("extendedKeyUsage="))) {
+ ext_key_usage = calloc(1, sizeof(mbedtls_asn1_sequence));
+ ext_key_usage->buf.tag = MBEDTLS_ASN1_OID;
+ if (!strncmp(arg[1] + strlen("extendedKeyUsage="), "serverAuth", strlen("serverAuth"))) {
+ SET_OID(ext_key_usage->buf, MBEDTLS_OID_SERVER_AUTH);
+ } else if (!strncmp(arg[1] + strlen("extendedKeyUsage="), "any", strlen("any"))) {
+ SET_OID(ext_key_usage->buf, MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE);
+ } // there are other extendedKeyUsage OIDs but none conceivably useful here
+ *tail = ext_key_usage;
+ tail = &ext_key_usage->next;
+ arg++;
+ } else if (!strncmp(arg[1], "subjectAltName=", strlen("subjectAltName=")) && strchr(arg[1], ':') != NULL) {
+ santype = strchr(arg[1], '=') + 1;
+ sanval = strchr(arg[1], ':') + 1;
+ //build sAN list
+ san_cur = calloc(1, sizeof(mbedtls_x509_san_list));
+ san_cur->next = NULL;
+ if (!strncmp(santype, "DNS:", strlen("DNS:"))) {
+ san_cur->node.type = MBEDTLS_X509_SAN_DNS_NAME;
+ san_cur->node.san.unstructured_name.p = (unsigned char *) sanval;
+ san_cur->node.san.unstructured_name.len = strlen(sanval);
+ } else if (!strncmp(santype, "EMAIL:", strlen("EMAIL:"))) {
+ san_cur->node.type = MBEDTLS_X509_SAN_RFC822_NAME;
+ san_cur->node.san.unstructured_name.p = (unsigned char *) sanval;
+ san_cur->node.san.unstructured_name.len = strlen(sanval);
+ } else if (!strncmp(santype, "IP:", strlen("IP:"))) {
+ san_cur->node.type = MBEDTLS_X509_SAN_IP_ADDRESS;
+ mbedtls_x509_crt_parse_cn_inet_pton(sanval, ipaddr);
+ san_cur->node.san.unstructured_name.p = (unsigned char *) ipaddr;
+ san_cur->node.san.unstructured_name.len = sizeof(ipaddr);
+ } else if (!strncmp(santype, "URI:", strlen("URI:"))) {
+ san_cur->node.type = MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER;
+ san_cur->node.san.unstructured_name.p = (unsigned char *) sanval;
+ san_cur->node.san.unstructured_name.len = strlen(sanval);
+ }
+ else fprintf(stderr, "No match to subjectAltName content type.\n");
+ arg++;
+ }
}
arg++;
+
+ //set the pointers in our san_list linked list
+ if (san_prev == NULL) {
+ san_list = san_cur;
+ } else {
+ san_prev->next = san_cur;
+ }
+ san_prev = san_cur;
}
gen_key(&key, rsa, ksize, exp, curve, pem);
@@ -295,6 +358,8 @@ int selfsigned(char **arg)
mbedtls_x509write_crt_set_basic_constraints(&cert, 0, -1);
mbedtls_x509write_crt_set_subject_key_identifier(&cert);
mbedtls_x509write_crt_set_authority_key_identifier(&cert);
+ mbedtls_x509write_crt_set_subject_alternative_name(&cert, san_list);
+ mbedtls_x509write_crt_set_ext_key_usage(&cert, ext_key_usage);
_urandom(NULL, (void *) buf, 8);
for (len = 0; len < 8; len++)
More information about the lede-commits
mailing list