Suppport otherName of type hardware module name
Add support of parsing of subject alternative name, of type otherName.
Currently supports only hardware module name, as defined in rfc 4108.
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index a0f32cb..4a79617 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -76,7 +76,7 @@
mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */
mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */
mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */
- mbedtls_x509_sequence subject_alt_names; /**< Optional list of Subject Alternative Names (Only dNSName supported). */
+ mbedtls_x509_sequence subject_alt_names; /**< Optional list of Subject Alternative Names (Only dNSName and OtherName supported). */
int ext_types; /**< Bit string containing detected and parsed extensions */
int ca_istrue; /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
@@ -97,6 +97,44 @@
}
mbedtls_x509_crt;
+/*
+ * From RFC 5280 section 4.2.1.6:
+ * OtherName ::= SEQUENCE {
+ * type-id OBJECT IDENTIFIER,
+ * value [0] EXPLICIT ANY DEFINED BY type-id }
+ */
+typedef struct mbedtls_x509_san_other_name
+{
+ mbedtls_x509_buf type_id; /**< The type id. */
+ union
+ {
+ /*
+ * From RFC 4108 section 5:
+ * HardwareModuleName ::= SEQUENCE {
+ * hwType OBJECT IDENTIFIER,
+ * hwSerialNum OCTET STRING }
+ */
+ mbedtls_x509_name hardware_module_name;
+ }
+ value;
+}
+mbedtls_x509_san_other_name;
+
+/*
+ * A structure for holding the parsed Subject Alternative Name, according to type
+ */
+typedef struct mbedtls_x509_subject_alternative_name
+{
+ int type; /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
+ union {
+ mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */
+ mbedtls_x509_buf unstructured_name; /**< The buffer for the un constructed types. Only dnsName currently supported */
+ }
+ san; /**< A union of the supported SAN types */
+ struct mbedtls_x509_subject_alternative_name *next; /**< The next SAN in the list. */
+}
+mbedtls_x509_subject_alternative_name;
+
/**
* Build flag from an algorithm/curve identifier (pk, md, ecp)
* Since 0 is always XXX_NONE, ignore it.
@@ -347,7 +385,26 @@
*/
int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path );
#endif /* MBEDTLS_FS_IO */
-
+/**
+ * \brief Parses the subject alternative name list of a given certificate;
+ *
+ * \param crt The X509 certificate to parse.
+ *
+ * \param san A list holding the parsed certificate.
+ *
+ * \note Only "dnsName" and "otherName" of type hardware_module_name,
+ * as defined in RFC 4180 is supported.
+ *
+ * \note Any unsupported san type is ignored.
+ *
+ * \note The function allocates a list of mbedtls_x509_subject_alternative_name
+ * and it is the caller's responsibility to free it.
+ *
+ * \return Zero for success and negative
+ * value for any other failure.
+ */
+int mbedtls_x509_parse_subject_alternative_name( const mbedtls_x509_crt *crt,
+ mbedtls_x509_subject_alternative_name **san );
/**
* \brief Returns an informational string about the
* certificate.