From c77d01bd5eb14493c8589748c9dbd6e0f0dbde6b Mon Sep 17 00:00:00 2001 From: arj-singh Date: Sat, 11 Nov 2023 15:37:42 -0800 Subject: [PATCH 1/4] as - basic constraints extension (cA and pathlen) --- lib/src/X509Utils.dart | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/lib/src/X509Utils.dart b/lib/src/X509Utils.dart index db3b18d..0deaef3 100644 --- a/lib/src/X509Utils.dart +++ b/lib/src/X509Utils.dart @@ -290,6 +290,8 @@ class X509Utils { /// * [sans] = Subject alternative names to place within the certificate /// * [keyUsage] = The key usage definition extension /// * [extKeyUsage] = The extended key usage definition + /// * [cA] = The cA boolean of the basic constraints extension, which indicates whether the certificate is a CA + /// * [pathLenConstraint] = The pathLenConstraint field of the basic constraints extension. This is ignored if cA is null or false, or if pathLenConstraint is less than 0. /// * [serialNumber] = The serialnumber. If not set the default will be 1. /// * [issuer] = The issuer. If null, the issuer will be the subject of the given csr. /// * [notBefore] = The Timestamp after when the certificate is valid. If null, this will be [DateTime.now]. @@ -302,6 +304,8 @@ class X509Utils { List? sans, List? keyUsage, List? extKeyUsage, + bool? cA, + int? pathLenConstraint, String serialNumber = '1', Map? issuer, DateTime? notBefore, @@ -397,7 +401,8 @@ class X509Utils { // Add Extensions if (IterableUtils.isNotNullOrEmpty(sans) || IterableUtils.isNotNullOrEmpty(keyUsage) || - IterableUtils.isNotNullOrEmpty(extKeyUsage)) { + IterableUtils.isNotNullOrEmpty(extKeyUsage) || + cA != null) { var extensionTopSequence = ASN1Sequence(); if (IterableUtils.isNotNullOrEmpty(keyUsage)) { @@ -484,6 +489,27 @@ class X509Utils { extensionTopSequence.add(sanSequence); } + if (cA != null) { + var basicConstraintsSequence = ASN1Sequence(); + + basicConstraintsSequence + .add(ASN1ObjectIdentifier.fromIdentifierString("2.5.29.19")); + basicConstraintsSequence.add(ASN1Boolean(true)); + + var basicConstraintsList = ASN1Sequence(); + basicConstraintsList.add(ASN1Boolean(cA)); + + // check if CA to allow pathLenConstraint + if (pathLenConstraint != null && cA && pathLenConstraint >= 0) { + basicConstraintsList.add(ASN1Integer.fromtInt(pathLenConstraint)); + } + + basicConstraintsSequence + .add(ASN1OctetString(octets: basicConstraintsList.encode())); + + extensionTopSequence.add(basicConstraintsSequence); + } + var extObj = ASN1Object(tag: 0xA3); extObj.valueBytes = extensionTopSequence.encode(); From ced7860fbd37b918bb75ebbd14a07e8fe40f51d6 Mon Sep 17 00:00:00 2001 From: arj-singh Date: Sun, 12 Nov 2023 19:23:59 -0800 Subject: [PATCH 2/4] as - add cA bool to sequence only if set to true --- lib/src/X509Utils.dart | 39 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) diff --git a/lib/src/X509Utils.dart b/lib/src/X509Utils.dart index 0deaef3..788049a 100644 --- a/lib/src/X509Utils.dart +++ b/lib/src/X509Utils.dart @@ -497,7 +497,10 @@ class X509Utils { basicConstraintsSequence.add(ASN1Boolean(true)); var basicConstraintsList = ASN1Sequence(); - basicConstraintsList.add(ASN1Boolean(cA)); + + if (cA) { + basicConstraintsList.add(ASN1Boolean(cA)); + } // check if CA to allow pathLenConstraint if (pathLenConstraint != null && cA && pathLenConstraint >= 0) { @@ -1443,6 +1446,28 @@ class X509Utils { return extKeyUsage; } + /// + /// Parses the given ASN1Object to the two basic constraint + /// fields cA and pathLenConstraint. Returns a list of types [bool, int] if + /// cA is true and a valid pathLenConstraint is specified, else the + /// corresponding element will be null. + /// + static List _fetchBasicConstraintsFromExtension(ASN1Object extData) { + var basicConstraints = [null, null]; + var octet = extData as ASN1OctetString; + var constraintParser = ASN1Parser(octet.valueBytes); + var constraintSeq = constraintParser.nextObject() as ASN1Sequence; + constraintSeq.elements!.forEach((ASN1Object obj) { + if (obj is ASN1Boolean) { + basicConstraints[0] = obj.boolValue; + } + if (obj is ASN1Integer) { + basicConstraints[1] = obj.integer!.toInt(); + } + }); + return basicConstraints; + } + /// /// Parses the given object identifier values to the internal enum /// @@ -1952,6 +1977,7 @@ class X509Utils { List? sans; List? keyUsage; List? extKeyUsage; + List basicConstraints; var extensions = X509CertificateDataExtensions(); extSequence.elements!.forEach( (ASN1Object subseq) { @@ -1988,6 +2014,17 @@ class X509Utils { } extensions.extKeyUsage = extKeyUsage; } + if (oi.objectIdentifierAsString == '2.5.29.19') { + if (seq.elements!.length == 3) { + basicConstraints = + _fetchBasicConstraintsFromExtension(seq.elements!.elementAt(2)); + } else { + basicConstraints = [null, null]; + } + + extensions.cA = basicConstraints[0]; + extensions.pathLenConstraint = basicConstraints[1]; + } if (oi.objectIdentifierAsString == '1.3.6.1.5.5.7.1.12') { var vmcData = _fetchVmcLogo(seq.elements!.elementAt(1)); extensions.vmc = vmcData; From b54bee02f23750f44c686bd5c5e1af0d3d1c3265 Mon Sep 17 00:00:00 2001 From: arj-singh Date: Sun, 12 Nov 2023 19:25:01 -0800 Subject: [PATCH 3/4] as - cA and pathLenConstraint to X509CertificateDataExtensions --- lib/src/model/x509/X509CertificateDataExtensions.dart | 8 ++++++++ lib/src/model/x509/X509CertificateDataExtensions.g.dart | 4 ++++ 2 files changed, 12 insertions(+) diff --git a/lib/src/model/x509/X509CertificateDataExtensions.dart b/lib/src/model/x509/X509CertificateDataExtensions.dart index 21b5db2..2b35000 100644 --- a/lib/src/model/x509/X509CertificateDataExtensions.dart +++ b/lib/src/model/x509/X509CertificateDataExtensions.dart @@ -19,6 +19,12 @@ class X509CertificateDataExtensions { /// The key usage extension List? keyUsage; + /// The cA field of the basic constraints extension + bool? cA; + + /// The pathLenConstraint field of the basic constraints extension + int? pathLenConstraint; + /// The base64 encoded VMC logo VmcData? vmc; @@ -29,6 +35,8 @@ class X509CertificateDataExtensions { this.subjectAlternativNames, this.extKeyUsage, this.keyUsage, + this.cA, + this.pathLenConstraint, this.vmc, this.cRLDistributionPoints, }); diff --git a/lib/src/model/x509/X509CertificateDataExtensions.g.dart b/lib/src/model/x509/X509CertificateDataExtensions.g.dart index 49c87d8..56584bf 100644 --- a/lib/src/model/x509/X509CertificateDataExtensions.g.dart +++ b/lib/src/model/x509/X509CertificateDataExtensions.g.dart @@ -18,6 +18,8 @@ X509CertificateDataExtensions _$X509CertificateDataExtensionsFromJson( keyUsage: (json['keyUsage'] as List?) ?.map((e) => $enumDecode(_$KeyUsageEnumMap, e)) .toList(), + cA: json['cA'] as bool?, + pathLenConstraint: json['pathLenConstraint'] as int?, vmc: json['vmc'] == null ? null : VmcData.fromJson(json['vmc'] as Map), @@ -41,6 +43,8 @@ Map _$X509CertificateDataExtensionsToJson( instance.extKeyUsage?.map((e) => _$ExtendedKeyUsageEnumMap[e]!).toList()); writeNotNull('keyUsage', instance.keyUsage?.map((e) => _$KeyUsageEnumMap[e]!).toList()); + writeNotNull('cA', instance.cA); + writeNotNull('pathLenConstraint', instance.pathLenConstraint); writeNotNull('vmc', instance.vmc?.toJson()); writeNotNull('cRLDistributionPoints', instance.cRLDistributionPoints); return val; From b1648511b998e430ede12513fcd3e3383c7f982d Mon Sep 17 00:00:00 2001 From: arj-singh Date: Sun, 12 Nov 2023 19:41:12 -0800 Subject: [PATCH 4/4] as - basicConstraints unit tests --- test/x509_utils_test.dart | 97 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 95 insertions(+), 2 deletions(-) diff --git a/test/x509_utils_test.dart b/test/x509_utils_test.dart index f267e35..2eb2e56 100644 --- a/test/x509_utils_test.dart +++ b/test/x509_utils_test.dart @@ -1652,10 +1652,16 @@ SEQUENCE (1 elem) notBefore: notBefore, ); var x509 = X509Utils.x509CertificateFromPem(pem); - expect(x509.tbsCertificate?.validity.notBefore.toIso8601String().substring(0, 10), + expect( + x509.tbsCertificate?.validity.notBefore + .toIso8601String() + .substring(0, 10), notBefore.toUtc().toIso8601String().substring(0, 10), reason: "notBefore match except milliseconds as utc"); - expect(x509.tbsCertificate?.validity.notAfter.toIso8601String().substring(0, 10), + expect( + x509.tbsCertificate?.validity.notAfter + .toIso8601String() + .substring(0, 10), notAfter.toUtc().toIso8601String().substring(0, 10), reason: "notAfter match except milliseconds as utc"); }); @@ -1707,6 +1713,93 @@ SEQUENCE (1 elem) KeyUsage.DECIPHER_ONLY); }); + test('Test generateSelfSignedCertificate with cA true and valid pathlen', () { + var pair = CryptoUtils.generateEcKeyPair(); + var dn = { + 'CN': 'basic-utils.dev', + 'O': 'Magic Company', + 'L': 'Fakecity', + 'S': 'FakeState', + 'C': 'DE', + }; + var csr = X509Utils.generateEccCsrPem( + dn, pair.privateKey as ECPrivateKey, pair.publicKey as ECPublicKey, + san: ['san1.basic-utils.dev', 'san2.basic-utils.dev']); + + var pem = X509Utils.generateSelfSignedCertificate(pair.privateKey, csr, 365, + cA: true, pathLenConstraint: 10); + var x509 = X509Utils.x509CertificateFromPem(pem); + + expect(x509.tbsCertificate?.extensions?.cA, true); + expect(x509.tbsCertificate?.extensions?.pathLenConstraint, 10); + }); + + test('Test generateSelfSignedCertificate with cA false and valid pathLen', + () { + var pair = CryptoUtils.generateEcKeyPair(); + var dn = { + 'CN': 'basic-utils.dev', + 'O': 'Magic Company', + 'L': 'Fakecity', + 'S': 'FakeState', + 'C': 'DE', + }; + var csr = X509Utils.generateEccCsrPem( + dn, pair.privateKey as ECPrivateKey, pair.publicKey as ECPublicKey, + san: ['san1.basic-utils.dev', 'san2.basic-utils.dev']); + + var pem = X509Utils.generateSelfSignedCertificate(pair.privateKey, csr, 365, + cA: false, pathLenConstraint: 10); + var x509 = X509Utils.x509CertificateFromPem(pem); + + expect(x509.tbsCertificate?.extensions?.cA, null); + expect(x509.tbsCertificate?.extensions?.pathLenConstraint, null); + }); + + test('Test generateSelfSignedCertificate with cA true and invalid pathLen', + () { + var pair = CryptoUtils.generateEcKeyPair(); + var dn = { + 'CN': 'basic-utils.dev', + 'O': 'Magic Company', + 'L': 'Fakecity', + 'S': 'FakeState', + 'C': 'DE', + }; + var csr = X509Utils.generateEccCsrPem( + dn, pair.privateKey as ECPrivateKey, pair.publicKey as ECPublicKey, + san: ['san1.basic-utils.dev', 'san2.basic-utils.dev']); + + var pem = X509Utils.generateSelfSignedCertificate(pair.privateKey, csr, 365, + cA: true, pathLenConstraint: -10); + var x509 = X509Utils.x509CertificateFromPem(pem); + + expect(x509.tbsCertificate?.extensions?.cA, true); + expect(x509.tbsCertificate?.extensions?.pathLenConstraint, null); + }); + + test('Test generateSelfSignedCertificate with cA false and invalid pathLen', + () { + var pair = CryptoUtils.generateEcKeyPair(); + var dn = { + 'CN': 'basic-utils.dev', + 'O': 'Magic Company', + 'L': 'Fakecity', + 'S': 'FakeState', + 'C': 'DE', + }; + var csr = X509Utils.generateEccCsrPem( + dn, pair.privateKey as ECPrivateKey, pair.publicKey as ECPublicKey, + san: ['san1.basic-utils.dev', 'san2.basic-utils.dev']); + + var pem = X509Utils.generateSelfSignedCertificate(pair.privateKey, csr, 365, + cA: false, pathLenConstraint: -10); + var x509 = X509Utils.x509CertificateFromPem(pem); + + expect(x509.tbsCertificate?.extensions?.cA, null); + expect(x509.tbsCertificate?.extensions?.pathLenConstraint, null); + }); + test('Test x509CertificateFromPem with vmc', () { var data = X509Utils.x509CertificateFromPem(vmc);