From: ethan-thompson Date: Wed, 12 Feb 2025 18:36:08 +0000 (-0500) Subject: feat: Wrote dictionaries for DER related things (certificates and CSR's) X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fdcc425372cf9d22b8e9985f9d9217cb0e4e6a85;p=thirdparty%2Ffreeradius-server.git feat: Wrote dictionaries for DER related things (certificates and CSR's) Signed-off-by: ethan-thompson
---
diff --git a/Makefile b/Makefile
index 15c7aa10e83..b2fe000cd02 100644
--- a/Makefile
+++ b/Makefile
@@ -96,6 +96,7 @@ export PROJECT_NAME := freeradius
 PROTOCOLS := \
 arp \
 bfd \
+ der \
 dhcpv4 \
 dhcpv6 \
 dns \
diff --git a/share/dictionary/der/dictionary b/share/dictionary/der/dictionary
new file mode 100644
index 00000000000..103b56c5771
--- /dev/null
+++ b/share/dictionary/der/dictionary
@@ -0,0 +1,17 @@
+# -*- text -*-
+# Copyright (C) 2025 Network RADIUS SAS (legal@networkradius.com)
+# This work is licensed under CC-BY version 4.0 https://creativecommons.org/licenses/by/4.0
+# Version $Id$
+#
+# The FreeRADIUS Vendor-Specific dictionary for TLS operations.
+#
+# Version: $Id$
+#
+BEGIN PROTOCOL DER 11354911
+
+$INCLUDE dictionary.common
+$INCLUDE dictionary.oids
+$INCLUDE dictionary.rfc2986
+$INCLUDE dictionary.rfc5280
+
+END-PROTOCOL DER
diff --git a/share/dictionary/der/dictionary.common b/share/dictionary/der/dictionary.common
new file mode 100644
index 00000000000..dc085e6cb1d
--- /dev/null
+++ b/share/dictionary/der/dictionary.common
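Review bot: The header comment of share/dictionary/der/dictionary describes the wrong thing — `# The FreeRADIUS Vendor-Specific dictionary for TLS operations.` reads as copied from another protocol dictionary, and `# Version $Id$` appears twice. Since this is the file an operator opens first, I would replace that line with `# The FreeRADIUS dictionary for DER-encoded X.509 certificates (RFC 5280) and PKCS#10 certification requests (RFC 2986).` and drop the duplicate version line. Note also that dictionary.extensions is only reached through the $INCLUDE inside dictionary.oids' OID-Tree scope; a one-line comment next to `$INCLUDE dictionary.oids` saying so would stop the next reader from adding it here at protocol level.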
@@ -0,0 +1,59 @@
+# -*- text -*-
+# Copyright (C) 2025 Network RADIUS SAS (legal@networkradius.com)
+# This work is licensed under CC-BY version 4.0 https://creativecommons.org/licenses/by/4.0
+# Version $Id$
+DEFINE GeneralName choice
+BEGIN GeneralName
+
+ATTRIBUTE otherName 0 sequence option=0
+BEGIN otherName
+DEFINE type-id string subtype=oid
+DEFINE Value-thing tlv subtype=sequence,class=context-specific,tagnum=0
+BEGIN Value-thing
+DEFINE userPrincipalName string subtype=utf8string
+END Value-thing
+END otherName
+
+ATTRIBUTE rfc822Name 1 ia5string option=1
+ATTRIBUTE dNSName 2 ia5string option=2
+
+ATTRIBUTE directoryName 4 sequence option=4
+BEGIN directoryName
+DEFINE RDNSequence sequence sequence_of=set
+BEGIN RDNSequence
+DEFINE RelativeDistinguishedName set
+BEGIN RelativeDistinguishedName
+DEFINE AttributeTypeAndValue group ref=OID-Tree,is_pair
+END RelativeDistinguishedName
+END RDNSequence
+END directoryName
+
+ATTRIBUTE uniformResourceIdentifier 6 ia5string option=6
+
+END GeneralName
+
+DEFINE DirectoryName choice
+BEGIN DirectoryName
+ATTRIBUTE printableString 19 printablestring
+ATTRIBUTE universalString 28 universalstring
+ATTRIBUTE utf8String 12 utf8string
+END DirectoryName
+
+DEFINE GeneralSubtree sequence
+BEGIN GeneralSubtree
+DEFINE base sequence clone=GeneralName
+DEFINE minimum integer option=0,has_default
+VALUE minimum DEFAULT 0
+DEFINE maximum integer option=1
+END GeneralSubtree
+
+DEFINE Name sequence
+BEGIN Name
+DEFINE RDNSequence sequence sequence_of=set
+BEGIN RDNSequence
+DEFINE RelativeDistinguishedName set
+BEGIN RelativeDistinguishedName
+DEFINE AttributeTypeAndValue group ref=OID-Tree,is_pair
+END RelativeDistinguishedName
+END RDNSequence
+END Name
diff --git a/share/dictionary/der/dictionary.extensions b/share/dictionary/der/dictionary.extensions
new file mode 100644
index 00000000000..cf46c417e51
--- /dev/null
+++ b/share/dictionary/der/dictionary.extensions
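Review bot: GeneralName in dictionary.common defines only alternatives 0, 1, 2, 4 and 6, so `iPAddress [7]` (and x400Address [3], ediPartyName [5], registeredID [8]) from RFC 5280 §4.2.1.6 have no definition; IP SANs are routine in device and server certificates, and because `GeneralSubtree` takes `base sequence clone=GeneralName`, nameConstraints on address ranges cannot be represented either. How the decoder treats a choice tag with no definition is not visible in this diff, so the effect could be anything from a silently skipped value to a decode failure, but either way a policy keyed on the SAN will not see it. The two most useful additions are `ATTRIBUTE iPAddress 7 octetstring option=7` and `ATTRIBUTE registeredID 8 oid option=8`, placed before `END GeneralName`. Separately, `otherName` hard-codes `userPrincipalName` as the only value shape under `type-id`; that suits UPN-style EAP-TLS identities, but a comment such as `# only id-on-userPrincipalName values are decoded; other type-ids are not interpreted` would make the limitation explicit.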
@@ -0,0 +1,195 @@
+# -*- text -*-
+# Copyright (C) 2025 Network RADIUS SAS (legal@networkradius.com)
+# This work is licensed under CC-BY version 4.0 https://creativecommons.org/licenses/by/4.0
+# Version $Id$
+DEFINE Critical group ref=OID-Tree
+
+ATTRIBUTE authorityInfoAccess 1.3.6.1.5.5.7.1.1 sequence sequence_of=sequence,is_oid_leaf
+BEGIN 1.3.6.1.5.5.7.1.1
+DEFINE accessDescription sequence
+BEGIN accessDescription
+DEFINE accessMethod oid
+
+DEFINE accessLocation choice
+BEGIN accessLocation
+ATTRIBUTE otherName 0 sequence option=0
+BEGIN otherName
+DEFINE type-id string subtype=oid
+DEFINE Value-thing tlv subtype=sequence,class=context-specific,tagnum=0
+BEGIN Value-thing
+DEFINE userPrincipalName string subtype=utf8string
+END Value-thing
+END otherName
+
+ATTRIBUTE rfc822Name 1 ia5string option=1
+ATTRIBUTE dNSName 2 ia5string option=2
+
+ATTRIBUTE uniformResourceIdentifier 6 ia5string option=6
+END accessLocation
+
+END accessDescription
+END 1.3.6.1.5.5.7.1.1
+
+ATTRIBUTE subjectInfoAccess 1.3.6.1.5.5.7.1.11 sequence sequence_of=sequence,is_oid_leaf
+BEGIN 1.3.6.1.5.5.7.1.11
+DEFINE accessDescription sequence
+BEGIN accessDescription
+DEFINE accessMethod oid
+
+DEFINE accessLocation choice
+BEGIN accessLocation
+ATTRIBUTE otherName 0 sequence option=0
+BEGIN otherName
+DEFINE type-id string subtype=oid
+DEFINE Value-thing tlv subtype=sequence,class=context-specific,tagnum=0
+BEGIN Value-thing
+DEFINE userPrincipalName string subtype=utf8string
+END Value-thing
+END otherName
+
+ATTRIBUTE rfc822Name 1 ia5string option=1
+ATTRIBUTE dNSName 2 ia5string option=2
+
+ATTRIBUTE uniformResourceIdentifier 6 ia5string option=6
+END accessLocation
+
+END accessDescription
+END 1.3.6.1.5.5.7.1.11
+
+ATTRIBUTE subjectKeyIdentifier 2.5.29.14 octetstring is_oid_leaf
+
+ATTRIBUTE keyUsage 2.5.29.15 struct subtype=bitstring,is_oid_leaf
+BEGIN 2.5.29.15
+MEMBER digitalSignature bit[1]
+MEMBER nonRepudation bit[1]
+MEMBER keyEncipherment bit[1]
+MEMBER dataEncipherment bit[1]
+MEMBER keyAgreement bit[1]
+MEMBER keyCertSign bit[1]
+MEMBER cRLSign bit[1]
+MEMBER encipherOnly bit[1]
+MEMBER decipherOnly bit[1]
+MEMBER unused_bits bit[7]
+END 2.5.29.15
+
+ATTRIBUTE subjectAltName 2.5.29.17 group ref=GeneralName,subtype=sequence,sequence_of=choice,is_oid_leaf
+
+ATTRIBUTE basicConstraints 2.5.29.19 sequence is_oid_leaf
+BEGIN 2.5.29.19
+DEFINE cA boolean has_default
+VALUE cA DEFAULT false
+DEFINE pathLenConstraint integer
+END 2.5.29.19
+
+ATTRIBUTE nameConstraints 2.5.29.30 sequence is_oid_leaf
+BEGIN 2.5.29.30
+DEFINE permittedSubtrees group ref=GeneralSubtree,sequence_of=sequence,option=0
+DEFINE excludedSubtrees group ref=GeneralSubtree,sequence_of=sequence,option=1
+END 2.5.29.30
+
+ATTRIBUTE cRLDIstributionPoints 2.5.29.31 sequence sequence_of=sequence,is_oid_leaf
+BEGIN 2.5.29.31
+DEFINE distributionPoint sequence
+BEGIN distributionPoint
+DEFINE distributionPointName sequence option=0
+BEGIN distributionPointName
+ATTRIBUTE fullName 0 group ref=GeneralName,subtype=sequence,sequence_of=choice,option=0
+ATTRIBUTE nameRelativeToCRLIssuer 1 sequence option=1
+BEGIN nameRelativeToCRLIssuer
+DEFINE RelativeDistinguishedName tlv subtype=set
+BEGIN RelativeDistinguishedName
+DEFINE AttributeTypeandValue group ref=OID-Tree,is_pair
+END RelativeDistinguishedName
+END nameRelativeToCRLIssuer
+END distributionPointName
+
+DEFINE reasons struct option=1
+BEGIN reasons
+MEMBER unused bit[1]
+MEMBER keyCompromise bit[1]
+MEMBER cACompromise bit[1]
+MEMBER affiliationChanged bit[1]
+MEMBER superseded bit[1]
+MEMBER cessationOfOperation bit[1]
+MEMBER certificateHold bit[1]
+MEMBER privilegeWithdrawn bit[1]
+MEMBER aACompromise bit[1]
+END reasons
+
+DEFINE cRLIssuer group ref=GeneralName,subtype=sequence,sequence_of=choice,option=2
+
+END distributionPoint
+END 2.5.29.31
+
+ATTRIBUTE certificatePolicies 2.5.29.32 sequence sequence_of=sequence,is_oid_leaf
+BEGIN 2.5.29.32
+DEFINE policyInformation sequence
+BEGIN policyInformation
+DEFINE policyIdentifier oid
+
+DEFINE policyQualifiers sequence sequence_of=sequence
+BEGIN policyQualifiers
+DEFINE policyQualifierInfo group ref=OID-Tree,is_pair
+END policyQualifiers
+
+END policyInformation
+END 2.5.29.32
+
+ATTRIBUTE policyMappings 2.5.29.33 sequence is_oid_leaf
+BEGIN 2.5.29.33
+DEFINE issuerDomainPolicy oid
+DEFINE subjectDomainPolicy oid
+END 2.5.29.33
+
+ATTRIBUTE authorityKeyIdentifier 2.5.29.35 sequence sequence_of=choice,is_oid_leaf
+BEGIN 2.5.29.35
+ATTRIBUTE keyIdentifier 0 octetstring option=0
+ATTRIBUTE authorityCertIssuer 1 group ref=GeneralName,subtype=sequence,sequence_of=choice,option=1
+ATTRIBUTE authorityCertSerialNumber 2 octetstring option=2
+END 2.5.29.35
+
+ATTRIBUTE policyConstraints 2.5.29.36 sequence is_oid_leaf
+BEGIN 2.5.29.36
+DEFINE requireExplicitPolicy octetstring option=0
+DEFINE inhibitPolicyMapping octetstring option=1
+END 2.5.29.36
+
+ATTRIBUTE extKeyUsage 2.5.29.37 sequence sequence_of=oid,is_oid_leaf
+#DEFINE extKeyUsageSyntax sequence
+BEGIN 2.5.29.37
+DEFINE keyPurposeId oid
+END 2.5.29.37
+
+ATTRIBUTE freshestCRL 2.5.29.46 sequence sequence_of=sequence,is_oid_leaf
+DEFINE distributionPoint sequence
+BEGIN distributionPoint
+DEFINE distributionPointName sequence option=0
+BEGIN distributionPointName
+ATTRIBUTE fullName 0 group ref=GeneralName,subtype=sequence,sequence_of=choice,option=0
+ATTRIBUTE nameRelativeToCRLIssuer 1 sequence option=1
+BEGIN nameRelativeToCRLIssuer
+DEFINE RelativeDistinguishedName tlv subtype=set
+BEGIN RelativeDistinguishedName
+DEFINE AttributeTypeandValue group ref=OID-Tree,is_pair
+END RelativeDistinguishedName
+END nameRelativeToCRLIssuer
+END distributionPointName
+
+DEFINE reasons struct option=1
+BEGIN reasons
+MEMBER unused bit[1]
+MEMBER keyCompromise bit[1]
+MEMBER cACompromise bit[1]
+MEMBER affiliationChanged bit[1]
+MEMBER superseded bit[1]
+MEMBER cessationOfOperation bit[1]
+MEMBER certificateHold bit[1]
+MEMBER privilegeWithdrawn bit[1]
+MEMBER aACompromise bit[1]
+END reasons
+
+DEFINE cRLIssuer group ref=GeneralName,subtype=sequence,sequence_of=choice,option=2
+
+END distributionPoint
+
+ATTRIBUTE inhibitAnyPolicy 2.5.29.54 integer is_oid_leaf
diff --git a/share/dictionary/der/dictionary.oids b/share/dictionary/der/dictionary.oids
new file mode 100644
index 00000000000..e4efa59cfa6
--- /dev/null
+++ b/share/dictionary/der/dictionary.oids
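Review bot: freshestCRL is missing its scope: `ATTRIBUTE freshestCRL 2.5.29.46 sequence sequence_of=sequence,is_oid_leaf` is followed directly by `DEFINE distributionPoint sequence` with no `BEGIN 2.5.29.46` / `END 2.5.29.46` pair, unlike cRLDistributionPoints immediately above it. As written, `distributionPoint`, its `reasons` struct and `cRLIssuer` appear to be defined at the level where dictionary.extensions is $INCLUDEd (inside OID-Tree in dictionary.oids) rather than as children of freshestCRL, so the extension has no members and the stray definitions land in the OID tree. Add `BEGIN 2.5.29.46` after the ATTRIBUTE line and `END 2.5.29.46` after the final `END distributionPoint`. Two smaller RFC 5280 mismatches in the same hunk: policyConstraints' `requireExplicitPolicy`/`inhibitPolicyMapping` are `SkipCerts ::= INTEGER` but are declared `octetstring`, and policyMappings is a SEQUENCE OF two-OID sequences but is declared as a flat sequence holding two oids, so a real policyMappings extension (one or more inner sequences) will not line up with the declaration.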
@@ -0,0 +1,49 @@
+# -*- text -*-
+# Copyright (C) 2025 Network RADIUS SAS (legal@networkradius.com)
+# This work is licensed under CC-BY version 4.0 https://creativecommons.org/licenses/by/4.0
+# Version $Id$
+DEFINE OID-Tree tlv
+BEGIN OID-Tree
+ATTRIBUTE iso 1 tlv
+ATTRIBUTE member-body 1.2 tlv
+ATTRIBUTE us 1.2.840 tlv
+ATTRIBUTE ansi-x962 1.2.840.10045 tlv
+ATTRIBUTE keyType 1.2.840.10045.2 tlv
+ATTRIBUTE ecPublicKey 1.2.840.10045.2.1 oid is_oid_leaf
+
+ATTRIBUTE signatures 1.2.840.10045.4 tlv
+ATTRIBUTE ecdsa-with-SHA2 1.2.840.10045.4.3 tlv
+ATTRIBUTE ecdsa-with-SHA384 1.2.840.10045.4.3.3 bool is_oid_leaf,has_default
+VALUE 1.2.840.10045.4.3.3 DEFAULT false
+
+ATTRIBUTE rsadsi 1.2.840.113549 tlv
+ATTRIBUTE pkcs 1.2.840.113549.1 tlv
+ATTRIBUTE pkcs-1 1.2.840.113549.1.1 tlv
+ATTRIBUTE rsaEncryption 1.2.840.113549.1.1.1 bool is_oid_leaf,subtype=null
+
+ATTRIBUTE sha256WithRSAEncryption 1.2.840.113549.1.1.11 bool is_oid_leaf,subtype=null
+
+ATTRIBUTE identified-organization 1.3 tlv
+ATTRIBUTE dod 1.3.6 tlv
+ATTRIBUTE internet 1.3.6.1 tlv
+ATTRIBUTE security 1.3.6.1.5 tlv
+ATTRIBUTE mechanisms 1.3.6.1.5.5 tlv
+ATTRIBUTE pkix 1.3.6.1.5.5.7 tlv
+ATTRIBUTE pe 1.3.6.1.5.5.7.1 tlv
+
+ATTRIBUTE joint-iso-itu-t 2 tlv
+ATTRIBUTE ds 2.5 tlv
+
+ATTRIBUTE attributeType 2.5.4 tlv
+ATTRIBUTE commonName 2.5.4.3 printablestring is_oid_leaf
+ATTRIBUTE countryName 2.5.4.6 string[2] subtype=printablestring,is_oid_leaf
+ATTRIBUTE serialNumber 2.5.4.5 printablestring is_oid_leaf
+ATTRIBUTE localityName 2.5.4.7 string is_oid_leaf
+ATTRIBUTE stateOrProvinceName 2.5.4.8 string is_oid_leaf
+ATTRIBUTE organizationName 2.5.4.10 printablestring is_oid_leaf
+
+ATTRIBUTE certificateExtension 2.5.29 tlv
+
+$INCLUDE dictionary.extensions
+
+END OID-Tree
diff --git a/share/dictionary/der/dictionary.rfc2986 b/share/dictionary/der/dictionary.rfc2986
new file mode 100644
index 00000000000..ad17b0d1f4d
--- /dev/null
+++ b/share/dictionary/der/dictionary.rfc2986
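Review bot: commonName (2.5.4.3) and organizationName (2.5.4.10) are pinned to `printablestring`, but RFC 5280 Appendix A types both as DirectoryString and most CAs today emit them as UTF8String; since issuer and subject in dictionary.rfc5280 resolve RDN values through this OID-Tree with `is_pair`, a UTF8String CN — the field EAP-TLS policies most often key on — would not match the declared tag. dictionary.common already defines a `DirectoryName` choice for exactly this case, so `ATTRIBUTE commonName 2.5.4.3 group ref=DirectoryName,is_oid_leaf` (and likewise for organizationName, localityName and stateOrProvinceName) would accept either encoding, assuming `group ref=` may point at a choice the way subjectAltName points at GeneralName. Whether a tag mismatch surfaces as a decode error or as a silently absent attribute is not visible in this diff. Separately, only ecdsa-with-SHA384 is listed under 1.2.840.10045.4.3; ecdsa-with-SHA256 (1.2.840.10045.4.3.2) and sha384/sha512WithRSAEncryption (1.2.840.113549.1.1.12 and .13) are at least as common in deployed certificates and are absent from the tree that `signature`/`signatureAlgorithm` resolve against.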
@@ -0,0 +1,50 @@
+# -*- text -*-
+# Copyright (C) 2025 Network RADIUS SAS (legal@networkradius.com)
+# This work is licensed under CC-BY version 4.0 https://creativecommons.org/licenses/by/4.0
+# Version $Id$
+DEFINE CertificateRequest tlv
+BEGIN CertificateRequest
+
+DEFINE certificationRequestInfo tlv
+BEGIN certificationRequestInfo
+DEFINE version integer
+
+DEFINE subject tlv
+BEGIN subject
+DEFINE RelativeDistinguishedName tlv subtype=set
+BEGIN RelativeDistinguishedName
+DEFINE AttributeTypeandValue tlv
+BEGIN AttributeTypeAndValue
+DEFINE OID string subtype=oid
+DEFINE Value-Thing string subtype=utf8string
+END AttributeTypeAndValue
+END RelativeDistinguishedName
+END subject
+
+DEFINE subjectPublicKeyInfo tlv
+BEGIN subjectPublicKeyInfo
+DEFINE algorithm tlv
+BEGIN algorithm
+DEFINE OID string subtype=oid
+END algorithm
+DEFINE subjectPublicKey octets subtype=bitstring
+END subjectPublicKeyInfo
+
+DEFINE Attributes tlv class=context-specific,tagnum=0,subtype=sequence
+BEGIN Attributes
+DEFINE Attribute-thing tlv
+BEGIN Attribute-thing
+DEFINE OID string subtype=oid
+DEFINE Extensions group ref=OID-Tree,subtype=set,is_extensions
+END Attribute-thing
+END Attributes
+
+END certificationRequestInfo
+
+DEFINE signatureAlgorithm tlv
+BEGIN signatureAlgorithm
+DEFINE OID string subtype=oid
+END signatureAlgorithm
+
+DEFINE signature octets subtype=bitstring
+END CertificateRequest
diff --git a/share/dictionary/der/dictionary.rfc5280 b/share/dictionary/der/dictionary.rfc5280
new file mode 100644
index 00000000000..8a09fc41512
--- /dev/null
+++ b/share/dictionary/der/dictionary.rfc5280
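Review bot: The CSR `subject` hand-rolls AttributeTypeAndValue as `DEFINE OID string subtype=oid` plus `DEFINE Value-Thing string subtype=utf8string`, which pins every RDN value to UTF8String; countryName must be PrintableString (RFC 5280 Appendix A) and PrintableString CN/O values are still common, so a routine `C=US` in a request would not match the declared type, and none of the values resolve to the named OIDs the rest of the dictionary uses. dictionary.rfc5280 handles the same structure with `DEFINE AttributeTypeAndValue group ref=OID-Tree,is_pair`; using that here, with `sequence_of=set,is_pairs` on `subject` as issuer/subject carry there, keeps CSR and certificate subjects decoding the same way. The definition is also spelled `AttributeTypeandValue` but opened and closed as `AttributeTypeAndValue`, which only works if the dictionary parser matches names case-insensitively. One further RFC 2986 detail: `attributes [0]` is a SET OF Attribute, so `subtype=set` rather than `subtype=sequence` on `Attributes` is the accurate declaration; whether the decoder distinguishes the two for an implicitly tagged container is not visible here.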
@@ -0,0 +1,52 @@
+# -*- text -*-
+# Copyright (C) 2025 Network RADIUS SAS (legal@networkradius.com)
+# This work is licensed under CC-BY version 4.0 https://creativecommons.org/licenses/by/4.0
+# Version $Id$
+DEFINE Certificate tlv
+BEGIN Certificate
+
+DEFINE tbsCertificate tlv
+BEGIN tbsCertificate
+DEFINE version tlv class=context-specific,tagnum=0,subtype=sequence
+BEGIN version
+DEFINE VersionNum integer
+END version
+DEFINE serialNumber octets tagnum=2
+DEFINE signature group ref=OID-Tree,is_pair
+
+DEFINE issuer tlv subtype=sequence,sequence_of=set,is_pairs
+BEGIN issuer
+DEFINE RelativeDistinguishedName tlv subtype=set
+BEGIN RelativeDistinguishedName
+DEFINE AttributeTypeAndValue group ref=OID-Tree,is_pair
+END RelativeDistinguishedName
+END issuer
+
+DEFINE validity tlv
+BEGIN validity
+DEFINE notBefore utctime
+DEFINE notAfter utctime
+END validity
+
+DEFINE subject tlv sequence_of=set,is_pairs
+BEGIN subject
+DEFINE RelativeDistinguishedName tlv subtype=set
+BEGIN RelativeDistinguishedName
+DEFINE AttributeTypeandValue group ref=OID-Tree,is_pair
+END RelativeDistinguishedName
+END subject
+
+DEFINE subjectPublicKeyInfo tlv
+BEGIN subjectPublicKeyInfo
+DEFINE algorithm group ref=OID-Tree,is_pair
+DEFINE subjectPublicKey octets subtype=bitstring
+END subjectPublicKeyInfo
+
+DEFINE extensions x509_extensions ref=OID-Tree
+
+END tbsCertificate
+
+DEFINE signatureAlgorithm group ref=OID-Tree,is_pair
+
+DEFINE signature octets subtype=bitstring
+END Certificate
diff --git a/src/protocols/der/base.c b/src/protocols/der/base.c
index d1c97495639..06a32fe8955 100644
--- a/src/protocols/der/base.c
+++ b/src/protocols/der/base.c
@@ -87,7 +87,6 @@ fr_table_num_sorted_t const tag_name_to_number[] = {
 { L("utf8string"), FR_DER_TAG_UTF8_STRING },
 { L("visiblestring"), FR_DER_TAG_VISIBLE_STRING },
 };
-
 static size_t tag_name_to_number_len = NUM_ELEMENTS(tag_name_to_number);
 int fr_der_global_init(void)
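Review bot: `validity` declares `notBefore` and `notAfter` as `utctime`, but RFC 5280 §4.1.2.5 defines Time as a CHOICE of UTCTime and GeneralizedTime, with GeneralizedTime mandatory for dates in 2050 or later and already used by long-lived CA and device certificates (notAfter 99991231235959Z is a common idiom). Any such certificate will hit a tag mismatch in the field expiry policies depend on, so validity needs a two-alternative choice modelled on the `DirectoryName` choice in dictionary.common; this assumes the type table accepts a `generalizedtime` keyword alongside `utctime`, which this diff does not show. Also, `issuer` carries `subtype=sequence` while `subject` does not, and the subject's member is spelled `AttributeTypeandValue` against `AttributeTypeAndValue` in issuer — harmless if names are matched case-insensitively, but worth aligning while the file is new.
```text
DEFINE validity tlv
BEGIN validity
DEFINE notBefore choice
BEGIN notBefore
ATTRIBUTE utcTime 23 utctime
ATTRIBUTE generalizedTime 24 generalizedtime
END notBefore
DEFINE notAfter choice
BEGIN notAfter
ATTRIBUTE utcTime 23 utctime
ATTRIBUTE generalizedTime 24 generalizedtime
END notAfter
END validity
```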
@@ -123,11 +122,11 @@ void fr_der_global_free(void)
 static int dict_flag_tagnum(fr_dict_attr_t **da_p, char const *value, UNUSED fr_dict_flag_parser_rule_t const *rules)
 {
 fr_der_attr_flags_t *flags = fr_dict_attr_ext(*da_p, FR_DICT_ATTR_EXT_PROTOCOL_SPECIFIC);
- long num;
+ unsigned long num;
 char *end = NULL;
 num = strtoul(value, &end, 10);
- if ((num > 255) || !*end) {
+ if ((num > 255) || *end) {
 fr_strerror_printf("Invalid tag number '%s'", value);
 return -1;
 }
@@ -312,7 +311,7 @@ static fr_dict_flag_parser_t const der_flags[] = {
 static bool attr_type(fr_type_t *type ,fr_dict_attr_t **da_p, char const *name)
 {
- static fr_table_num_sorted_t const table[] = {
+ static fr_table_num_sorted_t const type_table[] = {
 { L("bitstring"), FR_TYPE_OCTETS },
 { L("boolean"), FR_TYPE_BOOL },
 { L("choice"), FR_TYPE_TLV },
@@ -333,7 +332,7 @@ static bool attr_type(fr_type_t *type ,fr_dict_attr_t **da_p, char const *name)
 { L("visiblestring"), FR_TYPE_STRING },
 { L("x509_extensions"), FR_TYPE_GROUP }
 };
- static size_t table_len = NUM_ELEMENTS(table);
+ static size_t type_table_len = NUM_ELEMENTS(type_table);
 static fr_table_num_sorted_t const der_tag_table[] = {
 { L("bitstring"), FR_DER_TAG_BITSTRING },
@@ -363,7 +362,7 @@ static bool attr_type(fr_type_t *type ,fr_dict_attr_t **da_p, char const *name)
 fr_der_attr_flags_t *flags = fr_dict_attr_ext(*da_p, FR_DICT_ATTR_EXT_PROTOCOL_SPECIFIC);
 fr_der_tag_num_t subtype;
- *type = fr_table_value_by_str(table, name, UINT8_MAX);
+ *type = fr_table_value_by_str(type_table, name, UINT8_MAX);
 if (*type == UINT8_MAX) {
 fr_strerror_printf("Invalid type '%s'", name);
 return false;
@@ -392,7 +391,7 @@ static bool attr_type(fr_type_t *type ,fr_dict_attr_t **da_p, char const *name)
 dict_flag_sequence_of(da_p, "sequence", NULL);
 }
- flags->is_choice =(strcmp(name, "choice") == 0);
+ flags->is_choice = (strcmp(name, "choice") == 0);
 return true;
 }
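Review bot: The corrected condition in dict_flag_tagnum still accepts two malformed inputs: an empty string (strtoul leaves `end == value`, returns 0, and `*end` is already `'\0'`, so tag 0 is silently accepted) and a leading sign (strtoul negates in unsigned arithmetic, so e.g. `-18446744073709551615` comes back as 1 with no ERANGE); the line should read `if ((end == value) || (*end != '\0') || (num > 255)) {`. Dictionary files are operator-supplied configuration rather than wire input, so the impact is a mistyped `tagnum=` attaching the wrong DER tag instead of being rejected, but the error message already exists and the extra test costs nothing. The body of dict_flag_tagnum continues past the end of the hunk, so where `num` is stored into `flags` is not visible here. The remaining hunks in this file (`table` → `type_table`, spacing) are cosmetic and look fine.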
@@ -437,8 +436,8 @@ fr_dict_protocol_t libfreeradius_der_dict_protocol = {
 .valid = attr_valid
 },
- .init = fr_der_global_init,
- .free = fr_der_global_free,
+ .init = fr_der_global_init,
+ .free = fr_der_global_free,
 // .decode = fr_der_decode_foreign,
 // .encode = fr_der_encode_foreign,