10 files changed, 66 insertions, 15 deletions

diff --git a/NEWS b/NEWS
index 5a3dcb3257..ed1b0dec44 100644
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,8 @@ See the end for copying conditions.
 ** libgnutls: gnutls_privkey_sign_hash2 now accepts the GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA
    flag as documented. This makes it a complete replacement of gnutls_privkey_sign_hash().
 
+** libgnutls: Added support for Generalname registeredID.
+
 ** The priority configuration was enhanced to allow more elaborate
    system-wide configuration of the library (#587).
    The following changes were included:
@@ -55,6 +57,7 @@ gnutls_hmac_copy: Added
 GNUTLS_MAC_AES_GMAC_128: Added
 GNUTLS_MAC_AES_GMAC_192: Added
 GNUTLS_MAC_AES_CMAC_256: Added
+GNUTLS_SAN_REGISTERED_ID: Added
 
 
 * Version 3.6.8 (released 2019-05-28)
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 11652a8c2b..15f4ac048b 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -2579,6 +2579,7 @@ gnutls_psk_set_server_params_function(gnutls_psk_server_credentials_t
  * @GNUTLS_SAN_IPADDRESS: IP address SAN.
  * @GNUTLS_SAN_OTHERNAME: OtherName SAN.
  * @GNUTLS_SAN_DN: DN SAN.
+ * @GNUTLS_SAN_REGISTERED_ID: RegisteredID.
  * @GNUTLS_SAN_OTHERNAME_XMPP: Virtual SAN, used by certain functions for convenience.
  * @GNUTLS_SAN_OTHERNAME_KRB5PRINCIPAL: Virtual SAN, used by certain functions for convenience.
  *
@@ -2591,7 +2592,8 @@ typedef enum gnutls_x509_subject_alt_name_t {
 	GNUTLS_SAN_IPADDRESS = 4,
 	GNUTLS_SAN_OTHERNAME = 5,
 	GNUTLS_SAN_DN = 6,
-	GNUTLS_SAN_MAX = GNUTLS_SAN_DN,
+	GNUTLS_SAN_REGISTERED_ID = 7,
+	GNUTLS_SAN_MAX = GNUTLS_SAN_REGISTERED_ID,
 	/* The following are "virtual" subject alternative name types, in
 	   that they are represented by an otherName value and an OID.
 	   Used by gnutls_x509_crt_get_subject_alt_othername_oid.  */
diff --git a/lib/x509/common.c b/lib/x509/common.c
index 4669d37ad5..3f1a1776c4 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -537,6 +537,9 @@ gnutls_x509_subject_alt_name_t _gnutls_x509_san_find_type(char *str_type)
 		return GNUTLS_SAN_OTHERNAME;
 	if (strcmp(str_type, "directoryName") == 0)
 		return GNUTLS_SAN_DN;
+	if (strcmp(str_type, "registeredID") == 0)
+		return GNUTLS_SAN_REGISTERED_ID;
+
 	return (gnutls_x509_subject_alt_name_t) - 1;
 }
 
@@ -703,6 +706,8 @@ x509_read_value(ASN1_TYPE c, const char *root,
 	if (result == 0 && allow_null == 0 && len == 0) {
 		/* don't allow null strings */
 		return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR);
+	} else if (result == 0 && allow_null == 0 && etype == ASN1_ETYPE_OBJECT_ID && len == 1) {
+		return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR);
 	}
 
 	if (result != ASN1_MEM_ERROR) {
diff --git a/lib/x509/extensions.c b/lib/x509/extensions.c
index 8506da2b93..c9fef21a12 100644
--- a/lib/x509/extensions.c
+++ b/lib/x509/extensions.c
@@ -715,6 +715,9 @@ _gnutls_write_general_name(ASN1_TYPE ext, const char *ext_name,
 	case GNUTLS_SAN_IPADDRESS:
 		str = "iPAddress";
 		break;
+	case GNUTLS_SAN_REGISTERED_ID:
+		str = "registeredID";
+		break;
 	default:
 		gnutls_assert();
 		return GNUTLS_E_INTERNAL_ERROR;
diff --git a/lib/x509/output.c b/lib/x509/output.c
index 6c5055cf22..40ba77b7ea 100644
--- a/lib/x509/output.c
+++ b/lib/x509/output.c
@@ -144,6 +144,10 @@ print_name(gnutls_buffer_st *str, const char *prefix, unsigned type, gnutls_datu
 		addf(str,  _("%sdirectoryName: %.*s\n"), prefix, name->size, NON_NULL(name->data));
 		break;
 
+	case GNUTLS_SAN_REGISTERED_ID:
+			addf(str,  _("%sRegistered ID: %.*s\n"), prefix, name->size, NON_NULL(name->data));
+			break;
+
 	case GNUTLS_SAN_OTHERNAME_XMPP:
 		addf(str,  _("%sXMPP Address: %.*s\n"), prefix, name->size, NON_NULL(name->data));
 		break;
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index 26055e08a3..48ab2a7526 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -1344,7 +1344,7 @@ inline static int is_type_printable(int type)
 {
 	if (type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME ||
 	    type == GNUTLS_SAN_URI || type == GNUTLS_SAN_OTHERNAME_XMPP ||
-	    type == GNUTLS_SAN_OTHERNAME)
+	    type == GNUTLS_SAN_OTHERNAME || type == GNUTLS_SAN_REGISTERED_ID)
 		return 1;
 	else
 		return 0;
@@ -1657,7 +1657,6 @@ _gnutls_parse_general_name2(ASN1_TYPE src, const char *src_name,
 
 	len = sizeof(choice_type);
 	result = asn1_read_value(src, nptr, choice_type, &len);
-
 	if (result == ASN1_VALUE_NOT_FOUND
 	    || result == ASN1_ELEMENT_NOT_FOUND) {
 		return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
@@ -1739,6 +1738,12 @@ _gnutls_parse_general_name2(ASN1_TYPE src, const char *src_name,
 			return ret;
 		}
 
+		if (type == GNUTLS_SAN_REGISTERED_ID && tmp.size > 0) {
+			/* see #805; OIDs contain the null termination byte */
+			assert(tmp.data[tmp.size-1] == 0);
+			tmp.size--;
+		}
+
 		/* _gnutls_x509_read_value() null terminates */
 		dname->size = tmp.size;
 		dname->data = tmp.data;
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 34e3c5a970..7970ad6b30 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -50,9 +50,9 @@ EXTRA_DIST = suppressions.valgrind eagain-common.h cert-common.h test-chains.h \
 	certs-interesting/README.md certs-interesting/cert1.der certs-interesting/cert1.der.err \
 	certs-interesting/cert2.der certs-interesting/cert2.der.err certs-interesting/cert3.der \
 	certs-interesting/cert3.der.err certs-interesting/cert4.der certs-interesting/cert5.der \
-	certs-interesting/cert6.der certs-interesting/cert6.der.err \
+	certs-interesting/cert5.der.err certs-interesting/cert6.der certs-interesting/cert6.der.err \
 	certs-interesting/cert7.der certs-interesting/cert8.der \
-	certs-interesting/cert9.der certs-interesting/cert5.der.err \
+	certs-interesting/cert9.der certs-interesting/cert10.der \
 	certs-interesting/cert3.der.err certs-interesting/cert4.der \
 	scripts/common.sh scripts/starttls-common.sh \
 	rng-op.c x509sign-verify-common.h common-key-tests.h \
diff --git a/tests/certs-interesting/cert10.der b/tests/certs-interesting/cert10.der
new file mode 100644
index 0000000000..07ab16d3ee
--- /dev/null
+++ b/tests/certs-interesting/cert10.der
diff --git a/tests/certs-interesting/cert5.der b/tests/certs-interesting/cert5.der
index 44b3f0e4df..f950ff3e1b 100644
--- a/tests/certs-interesting/cert5.der
+++ b/tests/certs-interesting/cert5.der
diff --git a/tests/crt_apis.c b/tests/crt_apis.c
index cf0c7fd800..e62ec90d9a 100644
--- a/tests/crt_apis.c
+++ b/tests/crt_apis.c
@@ -39,19 +39,19 @@
 
 static unsigned char saved_crt_pem[] =
 	"-----BEGIN CERTIFICATE-----\n"
-	"MIICWTCCAcKgAwIBAgIDChEAMA0GCSqGSIb3DQEBCwUAMCsxDjAMBgNVBAMTBW5p\n"
+	"MIICWjCCAcOgAwIBAgIDChEAMA0GCSqGSIb3DQEBCwUAMCsxDjAMBgNVBAMTBW5p\n"
 	"a29zMRkwFwYDVQQKExBub25lIHRvLCBtZW50aW9uMCAXDTA4MDMzMTIyMDAwMFoY\n"
 	"Dzk5OTkxMjMxMjM1OTU5WjArMQ4wDAYDVQQDEwVuaWtvczEZMBcGA1UEChMQbm9u\n"
 	"ZSB0bywgbWVudGlvbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAu2ZD9fLF\n"
 	"17aMzMXf9Yg7sclLag6hrSBQQAiAoU9co9D4bM/mPPfsBHYTF4tkiSJbwN1TfDvt\n"
 	"fAS7gLkovo6bxo6gpRLL9Vceoue7tzNJn+O7Sq5qTWj/yRHiMo3OPYALjXXv2ACB\n"
-	"jygEA6AijWEEB/q2N30hB0nSCWFpmJCjWKkCAwEAAYEFAAABAgOCBQAEAwIBo3sw\n"
-	"eTAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB/wQFAwMHgAAwNgYDVR0RBC8wLYIDYXBh\n"
-	"ghF4bi0tbXhhYTRhczZkLmNvbYETdGVzdEB4bi0ta3hhd2hrLm9yZzAgBgNVHSUB\n"
-	"Af8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADgYEAsCHT\n"
-	"vpIFkQG8th0DbEU3BE3KP5aa93HDLpZPu5PVLkoBb4PPWjKPK+737mwaSs9zXe58\n"
-	"awhM0ycZ1ymSC+MiRuQlzt4Opx1Fm8WFsDr7d0g/C96Arr1Ss4ZhNi15nyoYeaWJ\n"
-	"1n7nX+msWnuc+aABt1d8aAhAvaU8do0+WI2jY90=\n"
+	"jygEA6AijWEEB/q2N30hB0nSCWFpmJCjWKkCAwEAAYEFAAABAgOCBQAEAwIBo3ww\n"
+	"ejAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB/wQFAwMHgAAwNwYDVR0RBDAwLogEKgME\n"
+	"BYIReG4tLW14YWE0YXM2ZC5jb22BE3Rlc3RAeG4tLWt4YXdoay5vcmcwIAYDVR0l\n"
+	"AQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4GBADzP\n"
+	"piA0s50R+oM/OWcHrARRMFhmOv8oj4mQeXjePCUJub8CDj1XnZwseIY9K9IU6Lxm\n"
+	"43p7kw1jFzPRBJyuZC5X92AdG1meR1RKd91M3VEvn2cgfesX7/MbhZIYJ8ZD2S1L\n"
+	"rqzVabXTZjKdHT727mCJdqzjDh7CFmb9Q2ZU6jDR\n"
 	"-----END CERTIFICATE-----\n";
 
 const gnutls_datum_t saved_crt = { saved_crt_pem, sizeof(saved_crt_pem)-1 };
@@ -71,6 +71,8 @@ static time_t mytime(time_t * t)
 	return then;
 }
 
+#define REGISTERED_OID "1.2.3.4.5"
+
 void doit(void)
 {
 	gnutls_x509_privkey_t pkey;
@@ -79,9 +81,9 @@ void doit(void)
 	const char *err = NULL;
 	unsigned char buf[64];
 	unsigned char large_buf[5*1024];
-	unsigned int status;
+	unsigned int status, san_type;
 	gnutls_datum_t out;
-	size_t s = 0;
+	size_t s = 0, i;
 	int ret;
 
 	ret = global_init();
@@ -181,6 +183,11 @@ void doit(void)
 	if (ret != 0)
 		fail("gnutls_x509_crt_set_subject_alt_name\n");
 
+	ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_REGISTERED_ID,
+						   REGISTERED_OID, strlen(REGISTERED_OID), 0);
+	if (ret != 0)
+		fail("gnutls_x509_crt_set_subject_alt_name\n");
+
 	ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME,
 						   "απαλό.com", strlen("απαλό.com"), 1);
 #if defined(HAVE_LIBIDN2) || defined(HAVE_LIBIDN)
@@ -355,6 +362,28 @@ void doit(void)
 	assert(s == out.size);
 	assert(memcmp(large_buf, out.data, out.size) == 0);
 
+	/* verify some values written in the original cert */
+	gnutls_x509_crt_deinit(crt2);
+	ret = gnutls_x509_crt_init(&crt2);
+	if (ret != 0)
+		fail("gnutls_x509_crt_init\n");
+
+	ret = gnutls_x509_crt_import(crt2, &out, GNUTLS_X509_FMT_DER);
+	if (ret != 0)
+		fail("gnutls_x509_crt_import\n");
+
+	i = 0;
+	do {
+		s = sizeof(buf);
+		ret = gnutls_x509_crt_get_subject_alt_name2(crt2, i++, buf, &s, &san_type, NULL);
+		if (ret < 0)
+			fail("gnutls_x509_crt_get_subject_alt_name2: %s\n", gnutls_strerror(ret));
+	} while (san_type != GNUTLS_SAN_REGISTERED_ID);
+
+	assert(san_type == GNUTLS_SAN_REGISTERED_ID);
+	assert(s == strlen(REGISTERED_OID));
+	assert(memcmp(buf, REGISTERED_OID, s) == 0);
+
 	gnutls_free(out.data);
 
 	gnutls_x509_crt_deinit(crt);