commit 0ab5b9392231dc585717e91593cdc7fc0ee9451a
author Przemek Stekiel <przemyslaw.stekiel@mobica.com> Mon May 29 16:30:50 2023 +0200
committer Przemek Stekiel <przemyslaw.stekiel@mobica.com> Tue Jun 06 11:44:25 2023 +0200
tree f73acbc24fc8dea91493a1dfcb2b97e370b9cc82
parent 265ce7c1da775e2e57ce93984fba3d86c4c6a1ea

Add support for parsing SAN IP address

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>

library/x509.c

diff --git a/library/x509.c b/library/x509.c
index 8a44264..32846f9 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -1438,7 +1438,18 @@
                    san_buf, sizeof(*san_buf));
         }
         break;
+        /*
+         * IP address
+         */
+        case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_IP_ADDRESS):
+        {
+            memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name));
+            san->type = MBEDTLS_X509_SAN_IP_ADDRESS;
 
+            memcpy(&san->san.unstructured_name,
+                   san_buf, sizeof(*san_buf));
+        }
+        break;
         /*
          * rfc822Name
          */
@@ -1449,7 +1460,6 @@
             memcpy(&san->san.unstructured_name, san_buf, sizeof(*san_buf));
         }
         break;
-
         /*
          * directoryName
          */
@@ -1576,27 +1586,47 @@
             /*
              * dNSName
              * RFC822 Name
+             * iPAddress
              */
             case MBEDTLS_X509_SAN_DNS_NAME:
             case MBEDTLS_X509_SAN_RFC822_NAME:
+            case MBEDTLS_X509_SAN_IP_ADDRESS:
             {
                 const char *dns_name = "dNSName";
                 const char *rfc822_name = "rfc822Name";
+                const char *ip_name = "iPAddress";
+
+                const char *name = san.type == MBEDTLS_X509_SAN_DNS_NAME ? dns_name : san.type ==
+                                   MBEDTLS_X509_SAN_RFC822_NAME ? rfc822_name : ip_name;
 
                 ret = mbedtls_snprintf(p, n,
                                        "\n%s    %s : ",
                                        prefix,
-                                       san.type ==
-                                       MBEDTLS_X509_SAN_DNS_NAME ? dns_name : rfc822_name);
+                                       name);
                 MBEDTLS_X509_SAFE_SNPRINTF;
                 if (san.san.unstructured_name.len >= n) {
                     *p = '\0';
                     return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
                 }
 
-                memcpy(p, san.san.unstructured_name.p, san.san.unstructured_name.len);
-                p += san.san.unstructured_name.len;
-                n -= san.san.unstructured_name.len;
+                if (san.type == MBEDTLS_X509_SAN_IP_ADDRESS) {
+                    int len = 0;
+                    unsigned char *ip = san.san.unstructured_name.p;
+                    // Only IPv6 (16 bytes) and IPv4 (4 bytes) types are supported
+                    if (san.san.unstructured_name.len == 4) {
+                        len = sprintf(p, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);
+                    } else {
+                        len = sprintf(p, "%X%X:%X%X:%X%X:%X%X:%X%X:%X%X:%X%X:%X%X",
+                                      ip[0], ip[1], ip[2], ip[3], ip[4], ip[5], ip[6], ip[7], ip[8],
+                                      ip[9], ip[10], ip[11], ip[12], ip[13], ip[14], ip[15]);
+                    }
+                    p += len;
+                    n -= len;
+                } else {
+                    memcpy(p, san.san.unstructured_name.p, san.san.unstructured_name.len);
+                    p += san.san.unstructured_name.len;
+                    n -= san.san.unstructured_name.len;
+                }
             }
             break;