-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add access to mbedtls_x509_name::next_merged
#5431
Comments
include/mbedtls/asn1.h contains
It would be easy to submit a patch to remove |
That's what I was trying to ask yesterday: if (Or we could also do both: improve the performance of
I'm not aware of any concrete plans in the immediate future (though in general I've always found this "merged" thing a bit dirty and would be happy if it was refactored to something cleaner at some point). @gilles-peskine-arm according to the history you wrote that comment, do you know more? |
Yes, I still need to walk the list to create separate variables in the lighttpd environment for each component of the DN. If I were not able to walk the list, I could attempt to parse the value returned from |
Well as we already discussed, having a function that builds a string that you then parse seems highly inefficient, so let's wait for Gilles' opinion and see if we can make Independently of that, if you'd like to contribute improvements to |
I went through ASN.1 and X.509 parsing structures. I made fields public when I thought there it wasn't likely that the field might disappear or change in semantics in the future. I was not comfortable making So there are no concrete plans for a change, but a willingness to change. I'm not fundamentally opposed to making it public, but I'd much prefer to improve the interface or implementation of |
I agree with @gilles-peskine-arm The reason I am walking the I would prefer not to re-parse the string generated by |
And since there is a willingness to review a PR reducing the use of mbedtls_snprintf, I'll look to provide a patch next week. :) |
The following is completely untested. I tried to follow the coding conventions in the library/x509.c file. Before I continue, please let me know if this approach appears acceptable or if there are non-starters. Thank you. I aimed for behavior identical to the prior code except that if truncation will occur, I truncate before adding the next short_name, and truncate within the name->val, if necessary. Is C90 declaration in 'for' loop ok?
|
@gilles-peskine-arm wrote
Can you give me some hints about how and when something might be encoded in a way that uses |
Hmmm. So the |
Sorry about my misunderstanding. I did not know about multi-valued RDNs. This issue can be closed. Hiding Once I get a thumbs up or thumbs down for the reimplementation above of |
Your code looks plausible at first glance. C99 declarations are ok. I don't actually know what |
We do need to make sure that we have enough test cases that cover the cases that |
At a glance, I don't see any obvious blocker with your code. Out of curiosity, I tried and it passes our existing tests. But then I looked, and we only have 4 test cases, and none of them seems to be exercising edge cases or the use of So, you're welcome to open a PR with a new version of |
Yes, writing more tests is, of course, a requirement for string slinging functions. I wanted to test the temperature with this mock-up before spending more effort on lots of tests. This may take me some time, as I have run out of tuits this week. |
Data point: I did a quick, non-scientific benchmark and found the |
@gilles-peskine-arm wrote (#3326):
One use case is in web servers which support client certificate verification, where the client provides a certificate to authenticate the client with the server. When client certificate verification fails, certificate info may end up in error logs. Since encoding/escaping data sent to error logs is a good practice to do on all data, let us put the failure case to the side. When client certificate verification succeeds, the web server presumably has validated that the client certificate is signed by a CA trusted by the web server. Many web servers (lighttpd included) will set the environment variable
There are a host of complicated rules and conventions and RFCs for stringifying and formatting a DN. Without creating a complex function similar to openssl Regarding this github issue about the hiding of After this research, I have concluded that this github issue is not a blocker or in any way urgent for lighttpd use of mbedtls, so I am okay with this github issue being closed. |
@gstrauss Thanks for the detailed explanation! I guess that apart from RDN, you're planning to access And for RDN, I guess we should add a function I wish we could remove |
reconstruct SSL_CLIENT_S_DN in lighttpd due to limitations of mbedtls_x509_dn_gets(). Adds support for non-ASCII UTF-8, but loses support for multi-valued RDNs. x-ref: "Add access to mbedtls_x509_name::next_merged" Mbed-TLS/mbedtls#5431
@gilles-peskine-arm it is difficult to provide a one-size fits all "convenience" interface. ;)
Yes. In lighttpd's case, I replaced |
@mpg wrote:
Ideally, I would be able to add a line to tests/suites/test_suite_x509write.data to validate I can look into adding some tests where the output buffer is too small, but I do not plan to add multi-valued RDN tests. |
Sorry for the late reply. I think your point is entirely fair, we appreciate your time in giving us very valuable feedback and contributing improvements, and we don't want to impose. However, I'm not sure that's entirely the same question as whether changing this part of the code without testing that case (which, as you say, it relatively esoteric, but precisely for that reason, an area where mistakes seem more likely) is technically acceptable. I'll try to find some time this week to have a closer look and see if I can perhaps extend testing myself, then we'd be in a better position to accept you contribution. |
I thought of a possible way to test this without having to write tests using binary-encoded strings for input: use mbedtls_x509_string_to_names() to parse a string, and then manually set |
I filed #5494. I expect that you will find it too large a change, but I wanted to share the code. lighttpd no longer uses these functions in common lighttpd code paths due to limitations in these mbedtls routines, such as not supporting non-ASCII UTF-8. (However, lighttpd mod_mbedtls does still use For lighttpd, I deemed support for non-ASCII UTF-8 more valuable than seldom-used multi-valued RDNs. As I mentioned above, multi-valued RDNs are not fully supported in mbedtls, either, e.g. |
This issue was long ago closed, but it may be worth pointing out that the X.509 spec states in Appendix M.5:
Which as I read it implies that multi-valued RDNs are not to be used for X.509 certificates at all. This would make the |
Access to most fields of
mbedtls_x509_name
was added back in 3.1, but without access tonext_merged
, applications cannot reliably walk the list. Originally reported in #5331.The text was updated successfully, but these errors were encountered: