From efca89daefc0347c64209e4e588fe17536933cf6 Mon Sep 17 00:00:00 2001 From: Hannu Nyman Date: Wed, 1 May 2024 14:49:46 +0300 Subject: [PATCH] px5g-mbedtls: add subjectAltName and extendedKeyUsage to SSL certs To better acommodate with the current browsers' requirements, also self-signed certificates should have subjectAltName and extendedKeyUsage defined in the self-signed x509 SSL certificates. The following case sensitive options are now possible: -addext subjectAltName=DNS:... -addext subjectAltName=EMAIL:... -addext subjectAltName=IP:... -addext subjectAltName=URI:... -addext extendedKeyUsage=serverAuth OR -addext extendedKeyUsage=any Initial draft by Paul Donald Signed-off-by: Hannu Nyman Link: https://github.com/openwrt/openwrt/pull/15366 Signed-off-by: Robert Marko
---
 package/utils/px5g-mbedtls/Makefile | 2 +-
 package/utils/px5g-mbedtls/px5g-mbedtls.c | 67 ++++++++++++++++++++++-
 2 files changed, 67 insertions(+), 2 deletions(-)
diff --git a/package/utils/px5g-mbedtls/Makefile b/package/utils/px5g-mbedtls/Makefile
index 14c9f684a9..6addbbab12 100644
--- a/package/utils/px5g-mbedtls/Makefile
+++ b/package/utils/px5g-mbedtls/Makefile
@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=px5g-mbedtls
-PKG_RELEASE:=10
+PKG_RELEASE:=11
 PKG_LICENSE:=LGPL-2.1
 PKG_BUILD_FLAGS:=no-mips16
diff --git a/package/utils/px5g-mbedtls/px5g-mbedtls.c b/package/utils/px5g-mbedtls/px5g-mbedtls.c
index 85abe7dc73..63f54bd9aa 100644
--- a/package/utils/px5g-mbedtls/px5g-mbedtls.c
+++ b/package/utils/px5g-mbedtls/px5g-mbedtls.c
@@ -38,8 +38,13 @@
 #include
 #include
 #include
+#include
+#include
-#define PX5G_VERSION "0.2"
+#define SET_OID(x, oid) \
+ do { x.len = MBEDTLS_OID_SIZE(oid); x.p = (unsigned char *) oid; } while (0)
+
+#define PX5G_VERSION "0.3"
 #define PX5G_COPY "Copyright (c) 2009 Steven Barth "
 #define PX5G_LICENSE "Licensed under the GNU Lesser General Public License v2.1"
@@ -193,6 +198,16 @@ int selfsigned(char **arg)
 mbedtls_pk_context key;
 mbedtls_x509write_cert cert;
 mbedtls_mpi serial;
+ mbedtls_x509_san_list *san_list = NULL, *san_prev = NULL, *san_cur = NULL;
+ /*support
+ - MBEDTLS_X509_SAN_DNS_NAME
+ - MBEDTLS_X509_SAN_IP_ADDRESS
+ - MBEDTLS_X509_SAN_RFC822_NAME
+ - MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER
+ */
+ mbedtls_asn1_sequence *eku = NULL, *ext_key_usage = NULL;
+ char *sanval, *santype;
+ uint8_t ipaddr[16] = { 0 };
 char *subject = "";
 unsigned int ksize = 512;
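Review bot: The single `uint8_t ipaddr[16]` declared here is shared by every IP entry, because the `-addext` handling later in this patch stores a pointer to it (`san_cur->node.san.unstructured_name.p = (unsigned char *) ipaddr;`) instead of a copy. With two `subjectAltName=IP:` options both list nodes would reference the same bytes, so the certificate would carry the last parsed address twice and never the first. Give each node its own storage, for example by allocating the 16 address bytes together with the node, or reject a second IP entry with an error and add a comment such as `/* one buffer: only a single IP SAN is supported */`. selfsigned() starts and ends outside this hunk.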
@@ -267,8 +282,56 @@ int selfsigned(char **arg)
 oldc = delim + 1;
 } while(*delim);
 arg++;
+ } else if (!strcmp(*arg, "-addext") && arg[1]) {
+ mbedtls_asn1_sequence **tail = &eku;
+ if (!strncmp(arg[1], "extendedKeyUsage=", strlen("extendedKeyUsage="))) {
+ ext_key_usage = calloc(1, sizeof(mbedtls_asn1_sequence));
+ ext_key_usage->buf.tag = MBEDTLS_ASN1_OID;
+ if (!strncmp(arg[1] + strlen("extendedKeyUsage="), "serverAuth", strlen("serverAuth"))) {
+ SET_OID(ext_key_usage->buf, MBEDTLS_OID_SERVER_AUTH);
+ } else if (!strncmp(arg[1] + strlen("extendedKeyUsage="), "any", strlen("any"))) {
+ SET_OID(ext_key_usage->buf, MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE);
+ } // there are other extendedKeyUsage OIDs but none conceivably useful here
+ *tail = ext_key_usage;
+ tail = &ext_key_usage->next;
+ arg++;
+ } else if (!strncmp(arg[1], "subjectAltName=", strlen("subjectAltName=")) && strchr(arg[1], ':') != NULL) {
+ santype = strchr(arg[1], '=') + 1;
+ sanval = strchr(arg[1], ':') + 1;
+ //build sAN list
+ san_cur = calloc(1, sizeof(mbedtls_x509_san_list));
+ san_cur->next = NULL;
+ if (!strncmp(santype, "DNS:", strlen("DNS:"))) {
+ san_cur->node.type = MBEDTLS_X509_SAN_DNS_NAME;
+ san_cur->node.san.unstructured_name.p = (unsigned char *) sanval;
+ san_cur->node.san.unstructured_name.len = strlen(sanval);
+ } else if (!strncmp(santype, "EMAIL:", strlen("EMAIL:"))) {
+ san_cur->node.type = MBEDTLS_X509_SAN_RFC822_NAME;
+ san_cur->node.san.unstructured_name.p = (unsigned char *) sanval;
+ san_cur->node.san.unstructured_name.len = strlen(sanval);
+ } else if (!strncmp(santype, "IP:", strlen("IP:"))) {
+ san_cur->node.type = MBEDTLS_X509_SAN_IP_ADDRESS;
+ mbedtls_x509_crt_parse_cn_inet_pton(sanval, ipaddr);
+ san_cur->node.san.unstructured_name.p = (unsigned char *) ipaddr;
+ san_cur->node.san.unstructured_name.len = sizeof(ipaddr);
+ } else if (!strncmp(santype, "URI:", strlen("URI:"))) {
+ san_cur->node.type = MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER;
+ san_cur->node.san.unstructured_name.p = (unsigned char *) sanval;
+ san_cur->node.san.unstructured_name.len = strlen(sanval);
+ }
+ else fprintf(stderr, "No match to subjectAltName content type.\n");
+ arg++;
+ }
 }
 arg++;
+
+ //set the pointers in our san_list linked list
+ if (san_prev == NULL) {
+ san_list = san_cur;
+ } else {
+ san_prev->next = san_cur;
+ }
+ san_prev = san_cur;
 }
 gen_key(&key, rsa, ksize, exp, curve, pem);
@@ -295,6 +358,8 @@ int selfsigned(char **arg)
 mbedtls_x509write_crt_set_basic_constraints(&cert, 0, -1);
 mbedtls_x509write_crt_set_subject_key_identifier(&cert);
 mbedtls_x509write_crt_set_authority_key_identifier(&cert);
+ mbedtls_x509write_crt_set_subject_alternative_name(&cert, san_list);
+ mbedtls_x509write_crt_set_ext_key_usage(&cert, ext_key_usage);
 _urandom(NULL, (void *) buf, 8);
 for (len = 0; len < 8; len++)
-- 
2.30.2
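Review bot: The list-linking block added after the outer `arg++;` appears to run once per option, not once per new SAN node (the enclosing loop opens outside this hunk). When any option follows a `subjectAltName` entry, `san_prev` and `san_cur` are the same node, so `san_prev->next = san_cur` makes it point at itself and a later walk over `san_list` never reaches NULL. Linking belongs inside the `subjectAltName` branch and only for a recognised type, since an unknown prefix currently prints a message and the zeroed node is still linked; both `calloc` results are also dereferenced unchecked. For `IP:` the result of `mbedtls_x509_crt_parse_cn_inet_pton` is ignored and the length is always `sizeof(ipaddr)`; as far as I know that function returns the bytes written (4 or 16, 0 on failure), so an IPv4 address would be encoded as a 16-byte entry and a malformed one as all zeroes. A sketch of the SAN branch with these points addressed follows.

```c
	} else if (!strncmp(arg[1], "subjectAltName=", strlen("subjectAltName=")) && strchr(arg[1], ':') != NULL) {
		size_t iplen;
		int san_ok = 1;
		// … unchanged: santype / sanval lookup …
		san_cur = calloc(1, sizeof(mbedtls_x509_san_list));
		if (san_cur == NULL) {
			fprintf(stderr, "Out of memory.\n");
			return 1; // use selfsigned()'s existing failure path; it is outside this hunk
		}
		// … unchanged: DNS: and EMAIL: branches …
		} else if (!strncmp(santype, "IP:", strlen("IP:"))) {
			san_cur->node.type = MBEDTLS_X509_SAN_IP_ADDRESS;
			iplen = mbedtls_x509_crt_parse_cn_inet_pton(sanval, ipaddr);
			san_ok = (iplen != 0);
			san_cur->node.san.unstructured_name.p = (unsigned char *) ipaddr;
			san_cur->node.san.unstructured_name.len = iplen;
		// … unchanged: URI: branch …
		} else {
			san_ok = 0;
		}
		if (!san_ok) {
			fprintf(stderr, "Invalid subjectAltName entry: %s\n", arg[1]);
			free(san_cur);
		} else if (san_prev == NULL) {
			san_list = san_prev = san_cur;
		} else {
			san_prev->next = san_cur;
			san_prev = san_cur;
		}
		san_cur = NULL;
		arg++;
	}
	// … the linking block after the outer arg++ is removed …
```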
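Review bot: Both new setter calls discard their return value and run even when no `-addext` option was given, so `san_list` and `ext_key_usage` may be NULL at this point. Guard each call and treat a non-zero result as an error, e.g. `if (san_list && mbedtls_x509write_crt_set_subject_alternative_name(&cert, san_list) != 0)` followed by the function's usual failure path; otherwise a certificate can be written without the extension the caller asked for and nothing reports it. Note also that `ext_key_usage` is the most recently allocated node, not the head of a list, so only the last `extendedKeyUsage` option can take effect, and a value other than `serverAuth` or `any` leaves that node with an empty OID. The function continues outside this hunk.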