diff --git a/.gitignore b/.gitignore index 9f16a6fbb..9bcdbf8a2 100644 --- a/.gitignore +++ b/.gitignore @@ -81,6 +81,8 @@ certecc.der certecc.pem othercert.der othercert.pem +certeccrsa.der +certeccrsa.pem ntru-cert.der ntru-cert.pem ntru-key.raw diff --git a/certs/ca-ecc-cert.der b/certs/ca-ecc-cert.der new file mode 100755 index 000000000..fa709f369 Binary files /dev/null and b/certs/ca-ecc-cert.der differ diff --git a/certs/ca-ecc-cert.pem b/certs/ca-ecc-cert.pem new file mode 100755 index 000000000..24aedf49f --- /dev/null +++ b/certs/ca-ecc-cert.pem @@ -0,0 +1,51 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 10982604883445917224 (0x986a0cf40243a628) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Validity + Not Before: Oct 19 19:06:49 2017 GMT + Not After : Oct 14 19:06:49 2037 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:e6:38:df:16:e3:4b:ea:aa:9f:91:a3:f3:32:40: + f6:6c:7e:a1:55:01:38:05:fe:6b:39:37:1c:ea:f9: + f9:4d:87:4b:2d:2f:4b:54:e5:9b:4a:1a:ba:0d:02: + a5:1c:ec:c1:51:30:c9:3c:94:ac:2e:5b:2f:40:f6: + 3c:a7:7a:d0:68 + ASN1 OID: prime256v1 + X509v3 extensions: + X509v3 Subject Key Identifier: + FD:9D:85:D5:C1:6F:47:EA:C6:75:96:59:25:37:46:8C:61:DB:E1:C3 + X509v3 Authority Key Identifier: + keyid:FD:9D:85:D5:C1:6F:47:EA:C6:75:96:59:25:37:46:8C:61:DB:E1:C3 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Signature Algorithm: ecdsa-with-SHA256 + 30:44:02:20:03:cf:3f:6e:26:f7:76:be:98:81:20:57:6b:4a: + 55:f7:16:19:21:a0:4c:c8:a1:19:83:4c:66:55:2d:43:36:e1: + 02:20:4d:26:29:2b:f2:38:94:85:7e:a0:13:b6:c5:8d:61:be: + 96:15:ad:fe:ae:61:ed:a1:88:f9:79:c6:40:57:e4:9b +-----BEGIN CERTIFICATE----- +MIICiTCCAjCgAwIBAgIJAJhqDPQCQ6YoMAoGCCqGSM49BAMCMIGXMQswCQYDVQQG +EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4G +A1UECgwHd29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxGDAWBgNVBAMMD3d3 +dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAe +Fw0xNzEwMTkxOTA2NDlaFw0zNzEwMTQxOTA2NDlaMIGXMQswCQYDVQQGEwJVUzET +MBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UECgwH +d29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxGDAWBgNVBAMMD3d3dy53b2xm +c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTBZMBMGByqG +SM49AgEGCCqGSM49AwEHA0IABOY43xbjS+qqn5Gj8zJA9mx+oVUBOAX+azk3HOr5 ++U2HSy0vS1Tlm0oaug0CpRzswVEwyTyUrC5bL0D2PKd60GijYzBhMB0GA1UdDgQW +BBT9nYXVwW9H6sZ1llklN0aMYdvhwzAfBgNVHSMEGDAWgBT9nYXVwW9H6sZ1llkl +N0aMYdvhwzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAKBggqhkjO +PQQDAgNHADBEAiADzz9uJvd2vpiBIFdrSlX3FhkhoEzIoRmDTGZVLUM24QIgTSYp +K/I4lIV+oBO2xY1hvpYVrf6uYe2hiPl5xkBX5Js= +-----END CERTIFICATE----- diff --git a/certs/ca-ecc-key.der b/certs/ca-ecc-key.der new file mode 100755 index 000000000..e65735c8d Binary files /dev/null and b/certs/ca-ecc-key.der differ diff --git a/certs/ca-ecc-key.pem b/certs/ca-ecc-key.pem new file mode 100755 index 000000000..67dc7fb55 --- /dev/null +++ b/certs/ca-ecc-key.pem @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgrLj6Fn0Y1kN7krjS +pmBtRA6quQ8cOltX0F9nEcurSIehRANCAATmON8W40vqqp+Ro/MyQPZsfqFVATgF +/ms5Nxzq+flNh0stL0tU5ZtKGroNAqUc7MFRMMk8lKwuWy9A9jynetBo +-----END PRIVATE KEY----- diff --git a/certs/ca-ecc384-cert.der b/certs/ca-ecc384-cert.der new file mode 100755 index 000000000..3cb35a3d4 Binary files /dev/null and b/certs/ca-ecc384-cert.der differ diff --git a/certs/ca-ecc384-cert.pem b/certs/ca-ecc384-cert.pem new file mode 100755 index 000000000..cc93d29fa --- /dev/null +++ b/certs/ca-ecc384-cert.pem @@ -0,0 +1,56 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 12125228858566244640 (0xa84577679727f920) + Signature Algorithm: ecdsa-with-SHA384 + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Validity + Not Before: Oct 19 19:06:49 2017 GMT + Not After : Oct 14 19:06:49 2037 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:11:3c:5c:d0:64:22:a7:0f:c8:b6:40:84:d7:e9: + 42:13:88:b9:11:b5:8d:9e:bb:40:b4:9e:f7:20:35: + 2b:f5:dc:59:70:00:19:32:63:de:56:55:6a:0b:d5: + 29:ba:c1:26:53:3f:11:b4:9c:d1:0e:23:bf:03:2b: + 46:45:4e:65:f4:77:22:0a:63:e2:49:5d:f0:a7:8c: + 29:49:00:33:00:b1:40:19:bf:67:3f:d1:f2:4e:6e: + 1d:18:81:50:eb:13:6a + ASN1 OID: secp384r1 + X509v3 extensions: + X509v3 Subject Key Identifier: + 97:FD:B4:6D:CE:08:B3:02:57:AB:F3:40:D6:1D:AC:75:32:35:AA:F2 + X509v3 Authority Key Identifier: + keyid:97:FD:B4:6D:CE:08:B3:02:57:AB:F3:40:D6:1D:AC:75:32:35:AA:F2 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Signature Algorithm: ecdsa-with-SHA384 + 30:65:02:31:00:9d:49:9e:68:10:55:b3:92:89:23:cf:58:fb: + 04:ee:ab:ed:3e:3c:f6:94:66:d1:bd:16:8e:ca:52:9f:39:f3: + d6:47:c0:cb:45:e2:1e:c6:dd:50:08:37:37:ba:ae:e6:72:02: + 30:6b:38:53:41:32:3e:55:84:39:65:9b:a7:40:98:05:cd:16: + fe:dd:54:3a:38:19:f0:63:b9:c1:45:46:dc:b4:4d:47:21:49: + fc:5b:63:a8:16:4c:d8:3f:3b:a8:c9:fb:fa +-----BEGIN CERTIFICATE----- +MIICxzCCAk2gAwIBAgIJAKhFd2eXJ/kgMAoGCCqGSM49BAMDMIGXMQswCQYDVQQG +EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4G +A1UECgwHd29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxGDAWBgNVBAMMD3d3 +dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAe +Fw0xNzEwMTkxOTA2NDlaFw0zNzEwMTQxOTA2NDlaMIGXMQswCQYDVQQGEwJVUzET +MBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UECgwH +d29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxGDAWBgNVBAMMD3d3dy53b2xm +c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTB2MBAGByqG +SM49AgEGBSuBBAAiA2IABBE8XNBkIqcPyLZAhNfpQhOIuRG1jZ67QLSe9yA1K/Xc +WXAAGTJj3lZVagvVKbrBJlM/EbSc0Q4jvwMrRkVOZfR3Igpj4kld8KeMKUkAMwCx +QBm/Zz/R8k5uHRiBUOsTaqNjMGEwHQYDVR0OBBYEFJf9tG3OCLMCV6vzQNYdrHUy +NaryMB8GA1UdIwQYMBaAFJf9tG3OCLMCV6vzQNYdrHUyNaryMA8GA1UdEwEB/wQF +MAMBAf8wDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMDA2gAMGUCMQCdSZ5oEFWz +kokjz1j7BO6r7T489pRm0b0WjspSnznz1kfAy0XiHsbdUAg3N7qu5nICMGs4U0Ey +PlWEOWWbp0CYBc0W/t1UOjgZ8GO5wUVG3LRNRyFJ/FtjqBZM2D87qMn7+g== +-----END CERTIFICATE----- diff --git a/certs/ca-ecc384-key.der b/certs/ca-ecc384-key.der new file mode 100755 index 000000000..b8af53cda Binary files /dev/null and b/certs/ca-ecc384-key.der differ diff --git a/certs/ca-ecc384-key.pem b/certs/ca-ecc384-key.pem new file mode 100755 index 000000000..3065f8d7b --- /dev/null +++ b/certs/ca-ecc384-key.pem @@ -0,0 +1,6 @@ +-----BEGIN PRIVATE KEY----- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDAle3GsRkzyxKVZhvYJ +tHOExBgEpBojdYDOXglcBOCtBI5f18eR53bLiu/A8TQo7lyhZANiAAQRPFzQZCKn +D8i2QITX6UITiLkRtY2eu0C0nvcgNSv13FlwABkyY95WVWoL1Sm6wSZTPxG0nNEO +I78DK0ZFTmX0dyIKY+JJXfCnjClJADMAsUAZv2c/0fJObh0YgVDrE2o= +-----END PRIVATE KEY----- diff --git a/certs/crl/caEcc384Crl.pem b/certs/crl/caEcc384Crl.pem new file mode 100755 index 000000000..945ffe767 --- /dev/null +++ b/certs/crl/caEcc384Crl.pem @@ -0,0 +1,30 @@ +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Last Update: Oct 19 19:06:54 2017 GMT + Next Update: Jul 15 19:06:54 2020 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:97:FD:B4:6D:CE:08:B3:02:57:AB:F3:40:D6:1D:AC:75:32:35:AA:F2 + + X509v3 CRL Number: + 8193 +No Revoked Certificates. + Signature Algorithm: ecdsa-with-SHA256 + 30:64:02:30:37:0c:54:d6:da:d1:0b:a0:f9:9f:91:91:41:6d: + e3:5f:91:1e:1b:18:ad:ef:cd:a9:80:25:1b:47:81:7a:95:64: + fe:a3:98:19:be:8f:a7:69:c7:d0:b4:b5:f1:a2:d5:e0:02:30: + 2a:33:97:79:c7:31:5a:d6:e0:f0:17:ae:2c:72:3a:8e:5e:82: + 93:87:af:17:1f:6e:83:dc:81:06:6d:3c:6e:2a:9c:b5:50:bd: + a5:66:b3:82:de:48:9a:88:84:a4:a0:f3 +-----BEGIN X509 CRL----- +MIIBcTCB+QIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEzARBgNVBAgM +Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZTU0wx +FDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x +HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTE3MTAxOTE5MDY1NFoX +DTIwMDcxNTE5MDY1NFqgMDAuMB8GA1UdIwQYMBaAFJf9tG3OCLMCV6vzQNYdrHUy +NaryMAsGA1UdFAQEAgIgATAKBggqhkjOPQQDAgNnADBkAjA3DFTW2tELoPmfkZFB +beNfkR4bGK3vzamAJRtHgXqVZP6jmBm+j6dpx9C0tfGi1eACMCozl3nHMVrW4PAX +rixyOo5egpOHrxcfboPcgQZtPG4qnLVQvaVms4LeSJqIhKSg8w== +-----END X509 CRL----- diff --git a/certs/crl/caEccCrl.pem b/certs/crl/caEccCrl.pem new file mode 100755 index 000000000..001f8cc61 --- /dev/null +++ b/certs/crl/caEccCrl.pem @@ -0,0 +1,28 @@ +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Last Update: Oct 19 19:06:54 2017 GMT + Next Update: Jul 15 19:06:54 2020 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:FD:9D:85:D5:C1:6F:47:EA:C6:75:96:59:25:37:46:8C:61:DB:E1:C3 + + X509v3 CRL Number: + 8192 +No Revoked Certificates. + Signature Algorithm: ecdsa-with-SHA256 + 30:44:02:20:02:41:b8:0e:b1:33:d2:5e:b5:1f:fd:0d:09:20: + 46:25:7e:98:09:d2:2e:20:eb:75:cd:b8:ed:ad:b6:b8:80:2a: + 02:20:2a:56:04:d8:1a:ab:d7:3a:96:bb:a7:06:b2:93:b7:8b: + 22:da:f8:49:9c:64:2a:24:6e:c1:b5:b3:8d:80:4c:c7 +-----BEGIN X509 CRL----- +MIIBUTCB+QIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEzARBgNVBAgM +Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZTU0wx +FDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x +HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTE3MTAxOTE5MDY1NFoX +DTIwMDcxNTE5MDY1NFqgMDAuMB8GA1UdIwQYMBaAFP2dhdXBb0fqxnWWWSU3Roxh +2+HDMAsGA1UdFAQEAgIgADAKBggqhkjOPQQDAgNHADBEAiACQbgOsTPSXrUf/Q0J +IEYlfpgJ0i4g63XNuO2ttriAKgIgKlYE2Bqr1zqWu6cGspO3iyLa+EmcZCokbsG1 +s42ATMc= +-----END X509 CRL----- diff --git a/certs/crl/gencrls.sh b/certs/crl/gencrls.sh index 3e500ff84..ddeb01fe2 100755 --- a/certs/crl/gencrls.sh +++ b/certs/crl/gencrls.sh @@ -55,6 +55,28 @@ mv tmp crl.revoked # remove revoked so next time through the normal CA won't have server revoked cp blank.index.txt demoCA/index.txt +# caEccCrl +openssl ca -config ../renewcerts/wolfssl.cnf -revoke ../server-revoked-cert.pem -keyfile ../ca-ecc-key.pem -cert ../ca-ecc-cert.pem + +openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out caEccCrl.pem -keyfile ../ca-ecc-key.pem -cert ../ca-ecc-cert.pem + +# metadata +openssl crl -in caEccCrl.pem -text > tmp +mv tmp caEccCrl.pem +# install (only needed if working outside wolfssl) +#cp caEccCrl.pem ~/wolfssl/certs/crl/caEccCrl.pem + +# caEcc384Crl +openssl ca -config ../renewcerts/wolfssl.cnf -revoke ../server-revoked-cert.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem + +openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out caEcc384Crl.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem + +# metadata +openssl crl -in caEcc384Crl.pem -text > tmp +mv tmp caEcc384Crl.pem +# install (only needed if working outside wolfssl) +#cp caEcc384Crl.pem ~/wolfssl/certs/crl/caEcc384Crl.pem + # cliCrl openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out cliCrl.pem -keyfile ../client-key.pem -cert ../client-cert.pem diff --git a/certs/crl/include.am b/certs/crl/include.am index 47f0d5a25..0cdd3a91c 100644 --- a/certs/crl/include.am +++ b/certs/crl/include.am @@ -7,9 +7,9 @@ EXTRA_DIST += \ certs/crl/cliCrl.pem \ certs/crl/eccSrvCRL.pem \ certs/crl/eccCliCRL.pem \ - certs/crl/crl2.pem + certs/crl/crl2.pem \ + certs/crl/caEccCrl.pem \ + certs/crl/caEcc384Crl.pem EXTRA_DIST += \ certs/crl/crl.revoked - - diff --git a/certs/ecc/genecc.sh b/certs/ecc/genecc.sh new file mode 100755 index 000000000..ef28371ba --- /dev/null +++ b/certs/ecc/genecc.sh @@ -0,0 +1,51 @@ +#!/bin/bash + +# run from wolfssl root + +rm ./certs/ecc/*.old +rm ./certs/ecc/index.txt* +rm ./certs/ecc/serial +rm ./certs/ecc/crlnumber + +touch ./certs/ecc/index.txt +echo 1000 > ./certs/ecc/serial +echo 2000 > ./certs/ecc/crlnumber + +# generate ECC 256-bit CA +openssl ecparam -out ./certs/ca-ecc-key.par -name prime256v1 +openssl req -config ./certs/ecc/wolfssl.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc-key.par -keyout ./certs/ca-ecc-key.pem -out ./certs/ca-ecc-cert.pem -sha256 -days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com" + +openssl x509 -in ./certs/ca-ecc-cert.pem -inform PEM -out ./certs/ca-ecc-cert.der -outform DER +openssl ec -in ./certs/ca-ecc-key.pem -inform PEM -out ./certs/ca-ecc-key.der -outform DER + +rm ./certs/ca-ecc-key.par + +# generate ECC 384-bit CA +openssl ecparam -out ./certs/ca-ecc384-key.par -name secp384r1 +openssl req -config ./certs/ecc/wolfssl.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc384-key.par -keyout ./certs/ca-ecc384-key.pem -out ./certs/ca-ecc384-cert.pem -sha384 -days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com" + +openssl x509 -in ./certs/ca-ecc384-cert.pem -inform PEM -out ./certs/ca-ecc384-cert.der -outform DER +openssl ec -in ./certs/ca-ecc384-key.pem -inform PEM -out ./certs/ca-ecc384-key.der -outform DER + +rm ./certs/ca-ecc384-key.par + + +# Generate ECC 256-bit server cert +openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc-key.pem -out ./certs/server-ecc-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/" +openssl x509 -req -in ./certs/server-ecc-req.pem -CA ./certs/ca-ecc-cert.pem -CAkey ./certs/ca-ecc-key.pem -CAcreateserial -out ./certs/server-ecc.pem -sha256 + +# Sign server certificate +openssl ca -config ./certs/ecc/wolfssl.cnf -extensions server_cert -days 3650 -notext -md sha256 -in ./certs/server-ecc-req.pem -out ./certs/server-ecc.pem +openssl x509 -in ./certs/server-ecc.pem -outform der -out ./certs/server-ecc.der + +rm ./certs/server-ecc-req.pem + +# Gen CRL +openssl ca -config ./certs/ecc/wolfssl.cnf -gencrl -crldays 1000 -out ./certs/crl/caEccCrl.pem -keyfile ./certs/ca-ecc-key.pem -cert ./certs/ca-ecc-cert.pem +openssl ca -config ./certs/ecc/wolfssl.cnf -gencrl -crldays 1000 -out ./certs/crl/caEcc384Crl.pem -keyfile ./certs/ca-ecc384-key.pem -cert ./certs/ca-ecc384-cert.pem + +# Also manually need to: +# 1. Copy ./certs/server-ecc.der into ./certs/test/server-cert-ecc-badsig.der `cp ./certs/server-ecc.der ./certs/test/server-cert-ecc-badsig.der` +# 2. Modify last byte so its invalidates signature in ./certs/test/server-cert-ecc-badsig.der +# 3. Covert bad cert to pem `openssl x509 -inform der -in ./certs/test/server-cert-ecc-badsig.der -outform pem -out ./certs/test/server-cert-ecc-badsig.pem` +# 4. Update AKID's for CA's in test.c certext_test() function akid_ecc. diff --git a/certs/ecc/include.am b/certs/ecc/include.am new file mode 100644 index 000000000..3c4eddbd4 --- /dev/null +++ b/certs/ecc/include.am @@ -0,0 +1,8 @@ +# vim:ft=automake +# All paths should be given relative to the root +# + +EXTRA_DIST += \ + certs/ecc/genecc.sh \ + certs/ecc/wolfssl.cnf + diff --git a/certs/ecc/wolfssl.cnf b/certs/ecc/wolfssl.cnf new file mode 100644 index 000000000..3e1360f28 --- /dev/null +++ b/certs/ecc/wolfssl.cnf @@ -0,0 +1,109 @@ +[ ca ] +# `man ca` +default_ca = CA_default + +[ CA_default ] +# Directory and file locations. +dir = . +certs = $dir/certs +new_certs_dir = $dir/certs +database = $dir/certs/ecc/index.txt +serial = $dir/certs/ecc/serial +RANDFILE = $dir/private/.rand + +# The root key and root certificate. +private_key = $dir/certs/ca-ecc-key.pem +certificate = $dir/certs/ca-ecc-cert.pem + +# For certificate revocation lists. +crlnumber = $dir/certs/ecc/crlnumber +crl_extensions = crl_ext +default_crl_days = 1000 + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +name_opt = ca_default +cert_opt = ca_default +default_days = 3650 +preserve = no +policy = policy_loose + + +[ policy_strict ] +# The root CA should only sign intermediate certificates that match. +# See the POLICY FORMAT section of `man ca`. +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ policy_loose ] +# Allow the intermediate CA to sign a more diverse range of certificates. +# See the POLICY FORMAT section of the `ca` man page. +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ req ] +# Options for the `req` tool (`man req`). +default_bits = 2048 +distinguished_name = req_distinguished_name +string_mask = utf8only + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +# Extension to add when the -x509 option is used. +x509_extensions = v3_ca + +[ req_distinguished_name ] +countryName = US +stateOrProvinceName = Washington +localityName = Seattle +0.organizationName = wolfSSL +organizationalUnitName = Development +commonName = www.wolfssl.com +emailAddress = info@wolfssl.com + +[ v3_ca ] +# Extensions for a typical CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ v3_intermediate_ca ] +# Extensions for a typical intermediate CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true, pathlen:0 +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ usr_cert ] +# Extensions for client certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = client, email +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, emailProtection + +[ server_cert ] +# Extensions for server certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = server +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth + +[ crl_ext ] +# Extension for CRLs (`man x509v3_config`). +authorityKeyIdentifier=keyid:always diff --git a/certs/include.am b/certs/include.am old mode 100644 new mode 100755 index 41407af34..192de5351 --- a/certs/include.am +++ b/certs/include.am @@ -21,6 +21,7 @@ EXTRA_DIST += \ certs/dh2048.pem \ certs/server-cert.pem \ certs/server-ecc.pem \ + certs/server-ecc-self.pem \ certs/server-ecc-comp.pem \ certs/server-ecc-rsa.pem \ certs/server-keyEnc.pem \ @@ -35,8 +36,8 @@ EXTRA_DIST += \ certs/wolfssl-website-ca.pem \ certs/test-servercert.p12 \ certs/dsaparams.pem \ - certs/ecc-privOnlyKey.pem \ - certs/ecc-privOnlyCert.pem \ + certs/ecc-privOnlyKey.pem \ + certs/ecc-privOnlyCert.pem \ certs/dh3072.pem \ certs/client-cert-3072.pem \ certs/client-key-3072.pem @@ -58,25 +59,40 @@ EXTRA_DIST += \ certs/server-cert.der \ certs/server-ecc-comp.der \ certs/server-ecc.der \ + certs/server-ecc-self.der \ certs/server-ecc-rsa.der \ certs/server-cert-chain.der EXTRA_DIST += \ - certs/ed25519/ca-ed25519.der \ - certs/ed25519/ca-ed25519-key.der \ - certs/ed25519/ca-ed25519-key.pem \ - certs/ed25519/ca-ed25519.pem \ - certs/ed25519/client-ed25519.der \ - certs/ed25519/client-ed25519-key.der \ - certs/ed25519/client-ed25519-key.pem \ - certs/ed25519/client-ed25519.pem \ - certs/ed25519/root-ed25519.der \ - certs/ed25519/root-ed25519-key.der \ - certs/ed25519/root-ed25519-key.pem \ - certs/ed25519/root-ed25519.pem \ - certs/ed25519/server-ed25519.der \ - certs/ed25519/server-ed25519-key.der \ - certs/ed25519/server-ed25519-key.pem \ - certs/ed25519/server-ed25519.pem + certs/ed25519/ca-ed25519.der \ + certs/ed25519/ca-ed25519-key.der \ + certs/ed25519/ca-ed25519-key.pem \ + certs/ed25519/ca-ed25519.pem \ + certs/ed25519/client-ed25519.der \ + certs/ed25519/client-ed25519-key.der \ + certs/ed25519/client-ed25519-key.pem \ + certs/ed25519/client-ed25519.pem \ + certs/ed25519/root-ed25519.der \ + certs/ed25519/root-ed25519-key.der \ + certs/ed25519/root-ed25519-key.pem \ + certs/ed25519/root-ed25519.pem \ + certs/ed25519/server-ed25519.der \ + certs/ed25519/server-ed25519-key.der \ + certs/ed25519/server-ed25519-key.pem \ + certs/ed25519/server-ed25519.pem + +# ECC CA prime256v1 +EXTRA_DIST += \ + certs/ca-ecc-cert.der \ + certs/ca-ecc-cert.pem \ + certs/ca-ecc-key.der \ + certs/ca-ecc-key.pem + +# ECC CA SECP384R1 +EXTRA_DIST += \ + certs/ca-ecc384-cert.der \ + certs/ca-ecc384-cert.pem \ + certs/ca-ecc384-key.der \ + certs/ca-ecc384-key.pem dist_doc_DATA+= certs/taoCert.txt @@ -85,3 +101,4 @@ EXTRA_DIST+= certs/ntru-key.raw include certs/test/include.am include certs/test-pathlen/include.am include certs/test/include.am +include certs/ecc/include.am diff --git a/certs/server-ecc-self.der b/certs/server-ecc-self.der new file mode 100644 index 000000000..c28dec1cb Binary files /dev/null and b/certs/server-ecc-self.der differ diff --git a/certs/server-ecc-self.pem b/certs/server-ecc-self.pem new file mode 100644 index 000000000..9c92c53ef --- /dev/null +++ b/certs/server-ecc-self.pem @@ -0,0 +1,56 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + ef:46:c7:a4:9b:bb:60:d3 + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C=US, ST=Washington, L=Seattle, O=Eliptic, OU=ECC, CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Validity + Not Before: Aug 11 20:07:38 2016 GMT + Not After : May 8 20:07:38 2019 GMT + Subject: C=US, ST=Washington, L=Seattle, O=Eliptic, OU=ECC, CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:bb:33:ac:4c:27:50:4a:c6:4a:a5:04:c3:3c:de: + 9f:36:db:72:2d:ce:94:ea:2b:fa:cb:20:09:39:2c: + 16:e8:61:02:e9:af:4d:d3:02:93:9a:31:5b:97:92: + 21:7f:f0:cf:18:da:91:11:02:34:86:e8:20:58:33: + 0b:80:34:89:d8 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Subject Key Identifier: + 5D:5D:26:EF:AC:7E:36:F9:9B:76:15:2B:4A:25:02:23:EF:B2:89:30 + X509v3 Authority Key Identifier: + keyid:5D:5D:26:EF:AC:7E:36:F9:9B:76:15:2B:4A:25:02:23:EF:B2:89:30 + DirName:/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC/CN=www.wolfssl.com/emailAddress=info@wolfssl.com + serial:EF:46:C7:A4:9B:BB:60:D3 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: ecdsa-with-SHA256 + 30:46:02:21:00:f1:d0:a6:3e:83:33:24:d1:7a:05:5f:1e:0e: + bd:7d:6b:33:e9:f2:86:f3:f3:3d:a9:ef:6a:87:31:b3:b7:7e: + 50:02:21:00:f0:60:dd:ce:a2:db:56:ec:d9:f4:e4:e3:25:d4: + b0:c9:25:7d:ca:7a:5d:ba:c4:b2:f6:7d:04:c7:bd:62:c9:20 +-----BEGIN CERTIFICATE----- +MIIDEDCCArWgAwIBAgIJAO9Gx6Sbu2DTMAoGCCqGSM49BAMCMIGPMQswCQYDVQQG +EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4G +A1UECgwHRWxpcHRpYzEMMAoGA1UECwwDRUNDMRgwFgYDVQQDDA93d3cud29sZnNz +bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTYwODEx +MjAwNzM4WhcNMTkwNTA4MjAwNzM4WjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgM +Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB0VsaXB0aWMx +DDAKBgNVBAsMA0VDQzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZI +hvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD +QgAEuzOsTCdQSsZKpQTDPN6fNttyLc6U6iv6yyAJOSwW6GEC6a9N0wKTmjFbl5Ih +f/DPGNqREQI0huggWDMLgDSJ2KOB9zCB9DAdBgNVHQ4EFgQUXV0m76x+NvmbdhUr +SiUCI++yiTAwgcQGA1UdIwSBvDCBuYAUXV0m76x+NvmbdhUrSiUCI++yiTChgZWk +gZIwgY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH +DAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMQwwCgYDVQQLDANFQ0MxGDAWBgNV +BAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3Ns +LmNvbYIJAO9Gx6Sbu2DTMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIh +APHQpj6DMyTRegVfHg69fWsz6fKG8/M9qe9qhzGzt35QAiEA8GDdzqLbVuzZ9OTj +JdSwySV9ynpdusSy9n0Ex71iySA= +-----END CERTIFICATE----- diff --git a/certs/server-ecc.der b/certs/server-ecc.der old mode 100644 new mode 100755 index c28dec1cb..e139f181e Binary files a/certs/server-ecc.der and b/certs/server-ecc.der differ diff --git a/certs/server-ecc.pem b/certs/server-ecc.pem old mode 100644 new mode 100755 index 9c92c53ef..28bd7cedb --- a/certs/server-ecc.pem +++ b/certs/server-ecc.pem @@ -1,13 +1,12 @@ Certificate: Data: Version: 3 (0x2) - Serial Number: - ef:46:c7:a4:9b:bb:60:d3 + Serial Number: 4096 (0x1000) Signature Algorithm: ecdsa-with-SHA256 - Issuer: C=US, ST=Washington, L=Seattle, O=Eliptic, OU=ECC, CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Validity - Not Before: Aug 11 20:07:38 2016 GMT - Not After : May 8 20:07:38 2019 GMT + Not Before: Oct 19 19:06:49 2017 GMT + Not After : Oct 17 19:06:49 2027 GMT Subject: C=US, ST=Washington, L=Seattle, O=Eliptic, OU=ECC, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey @@ -19,38 +18,44 @@ Certificate: 21:7f:f0:cf:18:da:91:11:02:34:86:e8:20:58:33: 0b:80:34:89:d8 ASN1 OID: prime256v1 - NIST CURVE: P-256 X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Cert Type: + SSL Server X509v3 Subject Key Identifier: 5D:5D:26:EF:AC:7E:36:F9:9B:76:15:2B:4A:25:02:23:EF:B2:89:30 X509v3 Authority Key Identifier: - keyid:5D:5D:26:EF:AC:7E:36:F9:9B:76:15:2B:4A:25:02:23:EF:B2:89:30 - DirName:/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC/CN=www.wolfssl.com/emailAddress=info@wolfssl.com - serial:EF:46:C7:A4:9B:BB:60:D3 + keyid:FD:9D:85:D5:C1:6F:47:EA:C6:75:96:59:25:37:46:8C:61:DB:E1:C3 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com + serial:98:6A:0C:F4:02:43:A6:28 - X509v3 Basic Constraints: - CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Server Authentication Signature Algorithm: ecdsa-with-SHA256 - 30:46:02:21:00:f1:d0:a6:3e:83:33:24:d1:7a:05:5f:1e:0e: - bd:7d:6b:33:e9:f2:86:f3:f3:3d:a9:ef:6a:87:31:b3:b7:7e: - 50:02:21:00:f0:60:dd:ce:a2:db:56:ec:d9:f4:e4:e3:25:d4: - b0:c9:25:7d:ca:7a:5d:ba:c4:b2:f6:7d:04:c7:bd:62:c9:20 + 30:45:02:21:00:ce:09:22:ab:21:c1:30:80:33:4b:b4:75:19: + 0b:37:e5:18:c6:6a:48:b1:a6:2a:0c:d0:91:96:d3:97:db:75: + cf:02:20:03:97:6b:90:e1:2e:20:10:e7:bf:c3:25:97:4d:a8: + 07:9e:14:86:99:bd:87:98:fd:2e:d2:4d:1f:da:52:92:b9 -----BEGIN CERTIFICATE----- -MIIDEDCCArWgAwIBAgIJAO9Gx6Sbu2DTMAoGCCqGSM49BAMCMIGPMQswCQYDVQQG -EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4G -A1UECgwHRWxpcHRpYzEMMAoGA1UECwwDRUNDMRgwFgYDVQQDDA93d3cud29sZnNz -bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTYwODEx -MjAwNzM4WhcNMTkwNTA4MjAwNzM4WjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgM -Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB0VsaXB0aWMx -DDAKBgNVBAsMA0VDQzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZI -hvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD -QgAEuzOsTCdQSsZKpQTDPN6fNttyLc6U6iv6yyAJOSwW6GEC6a9N0wKTmjFbl5Ih -f/DPGNqREQI0huggWDMLgDSJ2KOB9zCB9DAdBgNVHQ4EFgQUXV0m76x+NvmbdhUr -SiUCI++yiTAwgcQGA1UdIwSBvDCBuYAUXV0m76x+NvmbdhUrSiUCI++yiTChgZWk -gZIwgY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH -DAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMQwwCgYDVQQLDANFQ0MxGDAWBgNV -BAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3Ns -LmNvbYIJAO9Gx6Sbu2DTMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIh -APHQpj6DMyTRegVfHg69fWsz6fKG8/M9qe9qhzGzt35QAiEA8GDdzqLbVuzZ9OTj -JdSwySV9ynpdusSy9n0Ex71iySA= +MIIDTzCCAvWgAwIBAgICEAAwCgYIKoZIzj0EAwIwgZcxCzAJBgNVBAYTAlVTMRMw +EQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3 +b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3LndvbGZz +c2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTE3MTAx +OTE5MDY0OVoXDTI3MTAxNzE5MDY0OVowgY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQI +DApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGlj +MQwwCgYDVQQLDANFQ0MxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG +SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEH +A0IABLszrEwnUErGSqUEwzzenzbbci3OlOor+ssgCTksFuhhAumvTdMCk5oxW5eS +IX/wzxjakRECNIboIFgzC4A0idijggE1MIIBMTAJBgNVHRMEAjAAMBEGCWCGSAGG ++EIBAQQEAwIGQDAdBgNVHQ4EFgQUXV0m76x+NvmbdhUrSiUCI++yiTAwgcwGA1Ud +IwSBxDCBwYAU/Z2F1cFvR+rGdZZZJTdGjGHb4cOhgZ2kgZowgZcxCzAJBgNVBAYT +AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD +VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3 +LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tggkA +mGoM9AJDpigwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAoG +CCqGSM49BAMCA0gAMEUCIQDOCSKrIcEwgDNLtHUZCzflGMZqSLGmKgzQkZbTl9t1 +zwIgA5drkOEuIBDnv8Mll02oB54Uhpm9h5j9LtJNH9pSkrk= -----END CERTIFICATE----- diff --git a/certs/test/include.am b/certs/test/include.am index 591e2f7ff..1bc9e8e78 100644 --- a/certs/test/include.am +++ b/certs/test/include.am @@ -11,3 +11,9 @@ EXTRA_DIST += \ certs/test/gen-ext-certs.sh \ certs/test/server-duplicate-policy.pem +# The certs/server-cert with the last byte (signature byte) changed +EXTRA_DIST += \ + certs/test/server-cert-rsa-badsig.der \ + certs/test/server-cert-rsa-badsig.pem \ + certs/test/server-cert-ecc-badsig.der \ + certs/test/server-cert-ecc-badsig.pem diff --git a/certs/test/server-cert-ecc-badsig.der b/certs/test/server-cert-ecc-badsig.der new file mode 100755 index 000000000..9aa84dc6f Binary files /dev/null and b/certs/test/server-cert-ecc-badsig.der differ diff --git a/certs/test/server-cert-ecc-badsig.pem b/certs/test/server-cert-ecc-badsig.pem new file mode 100755 index 000000000..6af093e10 --- /dev/null +++ b/certs/test/server-cert-ecc-badsig.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDTzCCAvWgAwIBAgICEAAwCgYIKoZIzj0EAwIwgZcxCzAJBgNVBAYTAlVTMRMw +EQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3 +b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3LndvbGZz +c2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTE3MTAx +OTE5MDY0OVoXDTI3MTAxNzE5MDY0OVowgY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQI +DApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGlj +MQwwCgYDVQQLDANFQ0MxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG +SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEH +A0IABLszrEwnUErGSqUEwzzenzbbci3OlOor+ssgCTksFuhhAumvTdMCk5oxW5eS +IX/wzxjakRECNIboIFgzC4A0idijggE1MIIBMTAJBgNVHRMEAjAAMBEGCWCGSAGG ++EIBAQQEAwIGQDAdBgNVHQ4EFgQUXV0m76x+NvmbdhUrSiUCI++yiTAwgcwGA1Ud +IwSBxDCBwYAU/Z2F1cFvR+rGdZZZJTdGjGHb4cOhgZ2kgZowgZcxCzAJBgNVBAYT +AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD +VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3 +LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tggkA +mGoM9AJDpigwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAoG +CCqGSM49BAMCA0gAMEUCIQDOCSKrIcEwgDNLtHUZCzflGMZqSLGmKgzQkZbTl9t1 +zwIgA5drkOEuIBDnv8Mll02oB54Uhpm9h5j9LtJNH9pSkro= +-----END CERTIFICATE----- diff --git a/certs/test/server-cert-rsa-badsig.der b/certs/test/server-cert-rsa-badsig.der new file mode 100644 index 000000000..cbede895b Binary files /dev/null and b/certs/test/server-cert-rsa-badsig.der differ diff --git a/certs/test/server-cert-rsa-badsig.pem b/certs/test/server-cert-rsa-badsig.pem new file mode 100644 index 000000000..00dd52c0b --- /dev/null +++ b/certs/test/server-cert-rsa-badsig.pem @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEnjCCA4agAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx +EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh +d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz +bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTYwODEx +MjAwNzM3WhcNMTkwNTA4MjAwNzM3WjCBkDELMAkGA1UEBhMCVVMxEDAOBgNVBAgM +B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNVBAoMB3dvbGZTU0wxEDAO +BgNVBAsMB1N1cHBvcnQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG +SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAMCVCOFXQfJxbbfSRUEnAWXGRa7yvCQwuJXOL07W9hyIvHyf+6hn +f/5cnFF194rKB+c1L4/hvXvAL3yrZKgX/Mpde7rgIeVyLm8uhtiVc9qsG1O5Xz/X +GQ0lT+FjY1GLC2Q/rUO4pRxcNLOuAKBjxfZ/C1loeHOmjBipAm2vwxkBLrgQ48bM +QLRpo0YzaYduxLsXpvPo3a1zvHsvIbX9ZlEMvVSz4W1fHLwjc9EJA4kU0hC5ZMMq +0KGWSrzh1Bpbx6DAwWN4D0Q3MDKWgDIjlaF3uhPSl3PiXSXJag3DOWCktLBpQkIJ +6dgIvDMgs1gip6rrxOHmYYPF0pbf2dBPrdcCAwEAAaOB/DCB+TAdBgNVHQ4EFgQU +sxEyyZKYhOLJ+NA7bgNCyh8OjjwwgckGA1UdIwSBwTCBvoAUJ45nEXTDJh0/7TNj +s6TYHTDl6NWhgZqkgZcwgZQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5h +MRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwK +Q29uc3VsdGluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcN +AQkBFhBpbmZvQHdvbGZzc2wuY29tggkAt7aQM2YbayMwDAYDVR0TBAUwAwEB/zAN +BgkqhkiG9w0BAQsFAAOCAQEAUf4q3wd+Q8pmjRXEK9tXsgZtDZBm/6UknBTvgfKk +q5mpakkgpdJx5xw8mQfHR/zolrT1QjDOOQFL0cLovJWEh85VXZefz3jzVpulCG2s +9qVcxO8+KjmmSCYpey3gzaaMV0gLuzEywr/ZQ0xHJRiBqMkzgkGbumGG14STFyQl +NspNY2tPlXnYYOAe9azBiqGxfoWOhyAvCDGtXsZKyGH0ngceoiLtc3yF7vpi3FA2 +qv3HnaoYBPvqzCxom7OpwpbYwcxafvcNngjgnSmLhEaP05Fqtbh6XMxPVQG4mkig +lEPKJUdSCvf0vrDRcW2lUkplULKtTh3gbAHY+0OA5uQMOA== +-----END CERTIFICATE----- diff --git a/configure.ac b/configure.ac index 04031f403..2773712a5 100644 --- a/configure.ac +++ b/configure.ac @@ -3631,6 +3631,18 @@ fi AM_CONDITIONAL([BUILD_TRUST_PEER_CERT], [test "x$have_tp" = "xyes"]) +# dertermine if we have key validation mechanism +if test "x$ENABLED_ECC" = "xyes" || test "x$ENABLED_RSA" = "xyes" +then + if test "x$ENABLED_ASN" = "xyes" + then + ENABLED_PKI="yes" + fi +fi +AM_CONDITIONAL([BUILD_PKI], [test "x$ENABLED_PKI" = "xyes"]) + + + ################################################################################ # Check for build-type conflicts # ################################################################################ diff --git a/examples/client/client.c b/examples/client/client.c index fcb167201..6510263fe 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -736,7 +736,7 @@ static void Usage(void) #ifdef HAVE_WNR printf("-q Whitewood config file, default %s\n", wnrConfig); #endif - printf("-H Force use of the default cipher suite list\n"); + printf("-H Internal tests [defCipherList, badCert]\n"); #ifdef WOLFSSL_TLS13 printf("-J Use HelloRetryRequest to choose group for KE\n"); printf("-K Key Exchange for PSK not using (EC)DHE\n"); @@ -826,6 +826,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) unsigned char alpn_opt = 0; char* cipherList = NULL; int useDefCipherList = 0; + int useBadCert = 0; const char* verifyCert = caCertFile; const char* ourCert = cliCertFile; const char* ourKey = cliKeyFile; @@ -887,7 +888,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) ((func_args*)args)->return_code = -1; /* error state */ #ifdef NO_RSA - verifyCert = (char*)eccCertFile; + verifyCert = (char*)caEccCertFile; ourCert = (char*)cliEccCertFile; ourKey = (char*)cliEccKeyFile; #endif @@ -910,6 +911,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) (void)updateKeysIVs; (void)useX25519; (void)helloRetry; + (void)useBadCert; StackTrap(); @@ -917,7 +919,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) /* Not used: All used */ while ((ch = mygetopt(argc, argv, "?" "ab:c:defgh:ijk:l:mnop:q:rstuv:wxyz" - "A:B:CDE:F:GHIJKL:M:NO:PQRS:TUVW:XYZ:" + "A:B:CDE:F:GH:IJKL:M:NO:PQRS:TUVW:XYZ:" "03:")) != -1) { switch (ch) { case '?' : @@ -1026,7 +1028,18 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) break; case 'H' : - useDefCipherList = 1; + if (XSTRNCMP(myoptarg, "defCipherList", 13) == 0) { + printf("Using default cipher list for testing\n"); + useDefCipherList = 1; + } + else if (XSTRNCMP(myoptarg, "badCert", 7) == 0) { + printf("Using bad certificate for testing\n"); + useBadCert = 1; + } + else { + Usage(); + exit(MY_EX_USAGE); + } break; case 'A' : @@ -1461,7 +1474,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) defaultCipherList = "PSK-AES128-CBC-SHA256"; #endif if (wolfSSL_CTX_set_cipher_list(ctx,defaultCipherList) - !=WOLFSSL_SUCCESS) { + !=WOLFSSL_SUCCESS) { wolfSSL_CTX_free(ctx); err_sys("client can't set cipher list 2"); } @@ -1477,7 +1490,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) if (cipherList == NULL || (cipherList && useDefCipherList)) { wolfSSL_CTX_allow_anon_cipher(ctx); if (wolfSSL_CTX_set_cipher_list(ctx,"ADH-AES128-SHA") - != WOLFSSL_SUCCESS) { + != WOLFSSL_SUCCESS) { wolfSSL_CTX_free(ctx); err_sys("client can't set cipher list 4"); } @@ -1531,7 +1544,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) if (useClientCert){ #if !defined(NO_FILESYSTEM) if (wolfSSL_CTX_use_certificate_chain_file(ctx, ourCert) - != WOLFSSL_SUCCESS) { + != WOLFSSL_SUCCESS) { wolfSSL_CTX_free(ctx); err_sys("can't load client cert file, check file and run from" " wolfSSL home dir"); @@ -1549,10 +1562,19 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #endif /* !defined(NO_FILESYSTEM) */ } + /* for testing only - use client cert as CA to force no signer error */ + if (useBadCert) { + #if !defined(NO_RSA) + verifyCert = "./certs/client-cert.pem"; + #elif defined(HAVE_ECC) + verifyCert = "./certs/client-ecc-cert.pem"; + #endif + } + if (!usePsk && !useAnon && !useVerifyCb) { #if !defined(NO_FILESYSTEM) if (wolfSSL_CTX_load_verify_locations(ctx, verifyCert,0) - != WOLFSSL_SUCCESS) { + != WOLFSSL_SUCCESS) { wolfSSL_CTX_free(ctx); err_sys("can't load ca file, Please run from wolfSSL home dir"); } @@ -1562,7 +1584,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #ifdef HAVE_ECC /* load ecc verify too, echoserver uses it by default w/ ecc */ #if !defined(NO_FILESYSTEM) - if (wolfSSL_CTX_load_verify_locations(ctx, eccCertFile, 0) != WOLFSSL_SUCCESS) { + if (wolfSSL_CTX_load_verify_locations(ctx, eccCertFile, 0) + != WOLFSSL_SUCCESS) { wolfSSL_CTX_free(ctx); err_sys("can't load ecc ca file, Please run from wolfSSL home dir"); } @@ -1573,7 +1596,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #if defined(WOLFSSL_TRUST_PEER_CERT) && !defined(NO_FILESYSTEM) if (trustCert) { if ((ret = wolfSSL_CTX_trust_peer_cert(ctx, trustCert, - WOLFSSL_FILETYPE_PEM)) != WOLFSSL_SUCCESS) { + WOLFSSL_FILETYPE_PEM)) != WOLFSSL_SUCCESS) { wolfSSL_CTX_free(ctx); err_sys("can't load trusted peer cert file"); } @@ -1599,7 +1622,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #ifdef HAVE_SNI if (sniHostName) if (wolfSSL_CTX_UseSNI(ctx, 0, sniHostName, XSTRLEN(sniHostName)) - != WOLFSSL_SUCCESS) { + != WOLFSSL_SUCCESS) { wolfSSL_CTX_free(ctx); err_sys("UseSNI failed"); } @@ -1634,11 +1657,11 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #if defined(HAVE_CURVE25519) && defined(HAVE_SUPPORTED_CURVES) if (useX25519) { if (wolfSSL_CTX_UseSupportedCurve(ctx, WOLFSSL_ECC_X25519) - != WOLFSSL_SUCCESS) { + != WOLFSSL_SUCCESS) { err_sys("unable to support X25519"); } if (wolfSSL_CTX_UseSupportedCurve(ctx, WOLFSSL_ECC_SECP256R1) - != WOLFSSL_SUCCESS) { + != WOLFSSL_SUCCESS) { err_sys("unable to support secp256r1"); } } @@ -1688,7 +1711,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) if (doMcast) { #ifdef WOLFSSL_MULTICAST wolfSSL_CTX_mcast_set_member_id(ctx, mcastID); - if (wolfSSL_CTX_set_cipher_list(ctx, "WDM-NULL-SHA256") != WOLFSSL_SUCCESS) { + if (wolfSSL_CTX_set_cipher_list(ctx, "WDM-NULL-SHA256") + != WOLFSSL_SUCCESS) { wolfSSL_CTX_free(ctx); err_sys("Couldn't set multicast cipher list."); } @@ -1733,7 +1757,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) } if (onlyKeyShare == 0 || onlyKeyShare == 1) { #ifdef HAVE_FFDHE_2048 - if (wolfSSL_UseKeyShare(ssl, WOLFSSL_FFDHE_2048) != WOLFSSL_SUCCESS) { + if (wolfSSL_UseKeyShare(ssl, WOLFSSL_FFDHE_2048) + != WOLFSSL_SUCCESS) { err_sys("unable to use DH 2048-bit parameters"); } #endif @@ -1756,7 +1781,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) XMEMSET(sr, 0x5A, sizeof(sr)); if (wolfSSL_set_secret(ssl, 1, pms, sizeof(pms), cr, sr, suite) - != WOLFSSL_SUCCESS) { + != WOLFSSL_SUCCESS) { wolfSSL_CTX_free(ctx); err_sys("unable to set mcast secret"); } @@ -1778,7 +1803,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) switch (statusRequest) { case WOLFSSL_CSR_OCSP: if (wolfSSL_UseOCSPStapling(ssl, WOLFSSL_CSR_OCSP, - WOLFSSL_CSR_OCSP_USE_NONCE) != WOLFSSL_SUCCESS) { + WOLFSSL_CSR_OCSP_USE_NONCE) != WOLFSSL_SUCCESS) { wolfSSL_free(ssl); wolfSSL_CTX_free(ctx); err_sys("UseCertificateStatusRequest failed"); @@ -1796,7 +1821,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) case WOLFSSL_CSR2_OCSP: if (wolfSSL_UseOCSPStaplingV2(ssl, WOLFSSL_CSR2_OCSP, WOLFSSL_CSR2_OCSP_USE_NONCE) - != WOLFSSL_SUCCESS) { + != WOLFSSL_SUCCESS) { wolfSSL_free(ssl); wolfSSL_CTX_free(ctx); err_sys("UseCertificateStatusRequest failed"); @@ -1805,7 +1830,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) case WOLFSSL_CSR2_OCSP_MULTI: if (wolfSSL_UseOCSPStaplingV2(ssl, WOLFSSL_CSR2_OCSP_MULTI, 0) - != WOLFSSL_SUCCESS) { + != WOLFSSL_SUCCESS) { wolfSSL_free(ssl); wolfSSL_CTX_free(ctx); err_sys("UseCertificateStatusRequest failed"); @@ -1846,7 +1871,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) err_sys("can't enable crl check"); } if (wolfSSL_LoadCRL(ssl, crlPemDir, WOLFSSL_FILETYPE_PEM, 0) - != WOLFSSL_SUCCESS) { + != WOLFSSL_SUCCESS) { wolfSSL_free(ssl); wolfSSL_CTX_free(ctx); err_sys("can't load crl, check crlfile and date validity"); diff --git a/examples/echoclient/echoclient.c b/examples/echoclient/echoclient.c index c4d7cb55b..a51a5d12a 100644 --- a/examples/echoclient/echoclient.c +++ b/examples/echoclient/echoclient.c @@ -139,7 +139,7 @@ void echoclient_test(void* args) err_sys("can't load ca file, Please run from wolfSSL home dir"); #endif #ifdef HAVE_ECC - if (SSL_CTX_load_verify_locations(ctx, eccCertFile, 0) != WOLFSSL_SUCCESS) + if (SSL_CTX_load_verify_locations(ctx, caEccCertFile, 0) != WOLFSSL_SUCCESS) err_sys("can't load ca file, Please run from wolfSSL home dir"); #endif #elif !defined(NO_CERTS) diff --git a/examples/server/server.c b/examples/server/server.c index 2e5ef6bbc..eb976fc59 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -411,7 +411,7 @@ static void Usage(void) #endif printf("-g Return basic HTML web page\n"); printf("-C The number of connections to accept, default: 1\n"); - printf("-H Force use of the default cipher suite list\n"); + printf("-H Internal tests [defCipherList, badCert]\n"); #ifdef WOLFSSL_TLS13 printf("-K Key Exchange for PSK not using (EC)DHE\n"); printf("-U Update keys and IVs before sending\n"); @@ -481,6 +481,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) unsigned char alpn_opt = 0; char* cipherList = NULL; int useDefCipherList = 0; + int useBadCert = 0; const char* verifyCert = cliCertFile; const char* ourCert = svrCertFile; const char* ourKey = svrKeyFile; @@ -561,6 +562,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) (void)readySignal; (void)updateKeysIVs; (void)mcastID; + (void)useBadCert; #ifdef CYASSL_TIRTOS fdOpenSession(Task_self()); @@ -572,7 +574,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) /* Not Used: h, m, t, y, z, F, M, T, V, W, X, Y */ while ((ch = mygetopt(argc, argv, "?" "abc:defgijk:l:nop:q:rsuv:wx" - "A:B:C:D:E:GHIJKL:NO:PQR:S:UYZ:" + "A:B:C:D:E:GH:IJKL:NO:PQR:S:UYZ:" "03:")) != -1) { switch (ch) { case '?' : @@ -656,7 +658,18 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) break; case 'H' : - useDefCipherList = 1; + if (XSTRNCMP(myoptarg, "defCipherList", 13) == 0) { + printf("Using default cipher list for testing\n"); + useDefCipherList = 1; + } + else if (XSTRNCMP(myoptarg, "badCert", 7) == 0) { + printf("Using bad certificate for testing\n"); + useBadCert = 1; + } + else { + Usage(); + exit(MY_EX_USAGE); + } break; case 'A' : @@ -969,6 +982,15 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #endif #if !defined(NO_CERTS) + /* for testing only - use bad cert as server cert for sig confirm err */ + if (useBadCert) { + #if !defined(NO_RSA) + ourCert = "./certs/test/server-cert-rsa-badsig.pem"; + #elif defined(HAVE_ECC) + ourCert = "./certs/test/server-cert-ecc-badsig.pem"; + #endif + } + if ((!usePsk || usePskPlus) && !useAnon) { #if !defined(NO_FILESYSTEM) if (SSL_CTX_use_certificate_chain_file(ctx, ourCert) @@ -1063,8 +1085,8 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) if using PSK Plus then verify peer certs except PSK suites */ if (doCliCertCheck && (usePsk == 0 || usePskPlus) && useAnon == 0) { SSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER | - ((usePskPlus)? WOLFSSL_VERIFY_FAIL_EXCEPT_PSK : - WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT),0); + (usePskPlus ? WOLFSSL_VERIFY_FAIL_EXCEPT_PSK : + WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT), 0); if (SSL_CTX_load_verify_locations(ctx, verifyCert, 0) != WOLFSSL_SUCCESS) err_sys_ex(runWithErrors, "can't load ca file, Please run from wolfSSL home dir"); #ifdef WOLFSSL_TRUST_PEER_CERT diff --git a/gencertbuf.pl b/gencertbuf.pl index e7dc9f7d6..bd752c1a6 100755 --- a/gencertbuf.pl +++ b/gencertbuf.pl @@ -26,7 +26,19 @@ my @fileList_ecc = ( [ "./certs/ecc-keyPub.der", "ecc_key_pub_der_256" ], [ "./certs/server-ecc-comp.der", "serv_ecc_comp_der_256" ], [ "./certs/server-ecc-rsa.der", "serv_ecc_rsa_der_256" ], - [ "./certs/server-ecc.der", "serv_ecc_der_256" ] + [ "./certs/server-ecc.der", "serv_ecc_der_256" ], + [ "./certs/ca-ecc-key.der", "ca_ecc_key_der_256" ], + [ "./certs/ca-ecc-cert.der", "ca_ecc_cert_der_256" ], + [ "./certs/ca-ecc384-key.der", "ca_ecc_key_der_384" ], + [ "./certs/ca-ecc384-cert.der", "ca_ecc_cert_der_384" ] + ); + + +# ed25519 keys and certs +# Used with HAVE_ED25519 define. +my @fileList_ed = ( + [ "./certs/ed25519/server-ed25519.der", "server_ed25519_cert" ], + [ "./certs/ed25519/ca-ed25519.der", "ca_ed25519_cert" ] ); # 1024-bit certs/keys to be converted @@ -64,6 +76,7 @@ my @fileList_2048 = ( # ---------------------------------------------------------------------------- my $num_ecc = @fileList_ecc; +my $num_ed = @fileList_ed; my $num_1024 = @fileList_1024; my $num_2048 = @fileList_2048; @@ -109,7 +122,7 @@ for (my $i = 0; $i < $num_2048; $i++) { print OUT_FILE "#endif /* USE_CERT_BUFFERS_2048 */\n\n"; -# convert and print 256-bit cert/keys +# convert and print ECC cert/keys print OUT_FILE "#if defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256)\n\n"; for (my $i = 0; $i < $num_ecc; $i++) { @@ -147,6 +160,23 @@ static const unsigned char dh_g[] = { 0x02, };\n\n"; + +# convert and print ed25519 cert/keys +print OUT_FILE "#if defined(HAVE_ED25519)\n\n"; +for (my $i = 0; $i < $num_ed; $i++) { + + my $fname = $fileList_ed[$i][0]; + my $sname = $fileList_ed[$i][1]; + + print OUT_FILE "/* $fname, ED25519 */\n"; + print OUT_FILE "static const unsigned char $sname\[] =\n"; + print OUT_FILE "{\n"; + file_to_hex($fname); + print OUT_FILE "};\n"; + print OUT_FILE "static const int sizeof_$sname = sizeof($sname);\n\n"; +} +print OUT_FILE "#endif /* HAVE_ED25519 */\n\n"; + print OUT_FILE "#endif /* WOLFSSL_CERTS_TEST_H */\n\n"; # close certs_test.h file diff --git a/scripts/include.am b/scripts/include.am index d9f874ef6..1a6c3ec23 100644 --- a/scripts/include.am +++ b/scripts/include.am @@ -11,6 +11,12 @@ endif if BUILD_EXAMPLE_SERVERS dist_noinst_SCRIPTS+= scripts/resume.test + +# only run this test if we have the ability to support cert validation +if BUILD_PKI +dist_noinst_SCRIPTS+= scripts/tls-cert-fail.test +endif + EXTRA_DIST+= scripts/benchmark.test if BUILD_CRL diff --git a/scripts/openssl.test b/scripts/openssl.test index 7969169c1..d8ed4fdf5 100755 --- a/scripts/openssl.test +++ b/scripts/openssl.test @@ -269,9 +269,12 @@ do psk="" adh="" port=$openssl_port + caCert="" case $wolfSuite in *ECDH-RSA*) port=$ecdh_port ;; + *ECDHE-ECDSA*|*ECDH-ECDSA*) + caCert="-A./certs/ca-ecc-cert.pem" ;; *PSK*) psk="-s " ;; *ADH*) @@ -280,10 +283,10 @@ do if [ $version -lt 4 ] then - ./examples/client/client -p $port -g -r -l $wolfSuite -v $version $psk $adh + ./examples/client/client -p $port -g -r -l $wolfSuite -v $version $psk $adh $caCert else # do all versions - ./examples/client/client -p $port -g -r -l $wolfSuite $psk $adh + ./examples/client/client -p $port -g -r -l $wolfSuite $psk $adh $caCert fi client_result=$? diff --git a/scripts/tls-cert-fail.test b/scripts/tls-cert-fail.test new file mode 100755 index 000000000..ea7d49177 --- /dev/null +++ b/scripts/tls-cert-fail.test @@ -0,0 +1,173 @@ +#!/bin/sh + +#tls-cert-fail.test + +asn_no_signer_e="-188" +asn_sig_confirm_e="-155" +exit_code=1 +counter=0 + +# need a unique resume port since may run the same time as testsuite +# use server port zero hack to get one +tls_port=0 + +#no_pid tells us process was never started if -1 +no_pid=-1 + +#server_pid captured on startup, stores the id of the server process +server_pid=$no_pid + +# let's use absolute path to a local dir (make distcheck may be in sub dir) +# also let's add some randomness by adding pid in case multiple 'make check's +# per source tree +ready_file=`pwd`/wolfssl_tls_ready$$ + +remove_ready_file() { + if test -e $ready_file; then + echo -e "removing existing ready file" + rm $ready_file + fi +} + +# trap this function so if user aborts with ^C or other kill signal we still +# get an exit that will in turn clean up the file system +abort_trap() { + echo "script aborted" + + if [ $server_pid != $no_pid ] + then + echo "killing server" + kill -9 $server_pid + fi + + exit_code=2 #different exit code in case of user interrupt + + echo "got abort signal, exiting with $exit_code" + exit $exit_code +} +trap abort_trap INT TERM + + +# trap this function so that if we exit on an error the file system will still +# be restored and the other tests may still pass. Never call this function +# instead use "exit " and this function will run automatically +restore_file_system() { + remove_ready_file +} +trap restore_file_system EXIT + +run_tls_no_signer_test() { + echo -e "\nStarting example server for tls no signer fail test...\n" + + remove_ready_file + + # starts the server on tls_port, -R generates ready file to be used as a + # mutex lock. We capture the processid into the variable server_pid + ./examples/server/server -R $ready_file -p $tls_port & + server_pid=$! + + while [ ! -s $ready_file -a "$counter" -lt 20 ]; do + echo -e "waiting for ready file..." + sleep 0.1 + counter=$((counter+ 1)) + done + + if test -e $ready_file; then + echo -e "found ready file, starting client..." + else + echo -e "NO ready file ending test..." + exit 1 + fi + + # get created port 0 ephemeral port + tls_port=`cat $ready_file` + + # starts client on tls_port and captures the output from client + capture_out=$(./examples/client/client -p $tls_port -H badCert 2>&1) + client_result=$? + + wait $server_pid + server_result=$? + + case "$capture_out" in + *$asn_no_signer_e*) + # only exit with zero on detection of the expected error code + echo "" + echo "$capture_out" + echo "" + echo "No signer error as expected! Test pass" + echo "" + exit_code=0 + ;; + *) + echo "" + echo "Client did not return asn_no_signer_e as expected: $capture_out" + echo "" + exit_code=1 + esac +} + +run_tls_sig_confirm_test() { + echo -e "\nStarting example server for tls sig confirm fail test...\n" + + remove_ready_file + + # starts the server on tls_port, -R generates ready file to be used as a + # mutex lock. We capture the processid into the variable server_pid + ./examples/server/server -R $ready_file -p $tls_port -H badCert & + server_pid=$! + + while [ ! -s $ready_file -a "$counter" -lt 20 ]; do + echo -e "waiting for ready file..." + sleep 0.1 + counter=$((counter+ 1)) + done + + if test -e $ready_file; then + echo -e "found ready file, starting client..." + else + echo -e "NO ready file ending test..." + exit 1 + fi + + # get created port 0 ephemeral port + tls_port=`cat $ready_file` + + # starts client on tls_port and captures the output from client + capture_out=$(./examples/client/client -p $tls_port 2>&1) + client_result=$? + + wait $server_pid + server_result=$? + + case "$capture_out" in + *$asn_sig_confirm_e*) + # only exit with zero on detection of the expected error code + echo "" + echo "$capture_out" + echo "" + echo "Sig confirm error as expected! Test pass" + echo "" + exit_code=0 + ;; + *) + echo "" + echo "Client did not return asn_sig_confirm_e as expected: $capture_out" + echo "" + exit_code=1 + esac +} + + +######### begin program ######### + +# run the test +run_tls_no_signer_test + +tls_port=0 +run_tls_sig_confirm_test + +echo "exiting with $exit_code" +exit $exit_code +########## end program ########## + diff --git a/scripts/tls13.test b/scripts/tls13.test index 4ba1bb86e..c740ae8dd 100755 --- a/scripts/tls13.test +++ b/scripts/tls13.test @@ -181,7 +181,7 @@ port=0 ./examples/server/server -v 4 -A certs/client-ecc-cert.pem -c certs/server-ecc.pem -k certs/ecc-key.pem -R $ready_file -p $port & server_pid=$! create_port -./examples/client/client -v 4 -A certs/server-ecc.pem -c certs/client-ecc-cert.pem -k certs/ecc-client-key.pem -p $port +./examples/client/client -v 4 -A certs/ca-ecc-cert.pem -c certs/client-ecc-cert.pem -k certs/ecc-client-key.pem -p $port RESULT=$? remove_ready_file if [ $RESULT -ne 0 ]; then diff --git a/tests/api.c b/tests/api.c index 4c9b3df5e..c0aae0a19 100644 --- a/tests/api.c +++ b/tests/api.c @@ -10641,7 +10641,7 @@ static void test_wc_ecc_get_curve_id_from_params(void) { int ret = 0; /* self-signed ECC cert, so use server cert as CA */ - const char* ca_cert = "./certs/server-ecc.pem"; + const char* ca_cert = "./certs/ca-ecc-cert.pem"; const char* server_cert = "./certs/server-ecc.der"; byte* cert_buf = NULL; size_t cert_sz = 0; diff --git a/tests/suites.c b/tests/suites.c index c701f2471..6ca2c8e15 100644 --- a/tests/suites.c +++ b/tests/suites.c @@ -54,7 +54,7 @@ static char flagSep[] = " "; static char portFlag[] = "-p"; static char svrPort[] = "0"; #endif -static char forceDefCipherListFlag[] = "-H"; +static char forceDefCipherListFlag[] = "-HdefCipherList"; #ifdef WOLFSSL_ASYNC_CRYPT static int devId = INVALID_DEVID; diff --git a/tests/test-dtls.conf b/tests/test-dtls.conf index 5bd76c694..7a124f2a2 100644 --- a/tests/test-dtls.conf +++ b/tests/test-dtls.conf @@ -29,7 +29,7 @@ -u -v 3 -l ECDHE-ECDSA-CHACHA20-POLY1305 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 DHE-PSK-CHACHA20-POLY1305 -u @@ -98,7 +98,7 @@ -u -v 3 -l ECDHE-ECDSA-CHACHA20-POLY1305-OLD --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1 IDEA-CBC-SHA -u @@ -291,7 +291,7 @@ -u -v 1 -l ECDHE-ECDSA-NULL-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.1 ECDHE-ECDSA-NULL-SHA -u @@ -304,7 +304,7 @@ -u -v 2 -l ECDHE-ECDSA-NULL-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDHE-ECDSA-NULL-SHA -u @@ -317,7 +317,7 @@ -u -v 3 -l ECDHE-ECDSA-NULL-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.1 ECDHE-ECDSA-DES3 -u @@ -330,7 +330,7 @@ -u -v 2 -l ECDHE-ECDSA-DES-CBC3-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.1 ECDHE-ECDSA-AES128 -u @@ -343,7 +343,7 @@ -u -v 2 -l ECDHE-ECDSA-AES128-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.1 ECDHE-ECDSA-AES256 -u @@ -356,7 +356,7 @@ -u -v 2 -l ECDHE-ECDSA-AES256-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDHE-ECDSA-DES3 -u @@ -369,7 +369,7 @@ -u -v 3 -l ECDHE-ECDSA-DES-CBC3-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDHE-ECDSA-AES128 -u @@ -382,7 +382,7 @@ -u -v 3 -l ECDHE-ECDSA-AES128-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDHE-ECDSA-AES128-SHA256 -u @@ -395,7 +395,7 @@ -u -v 3 -l ECDHE-ECDSA-AES128-SHA256 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDHE-ECDSA-AES256 -u @@ -408,7 +408,7 @@ -u -v 3 -l ECDHE-ECDSA-AES256-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.1 ECDH-RSA-DES3 -u @@ -505,7 +505,7 @@ -u -v 2 -l ECDH-ECDSA-DES-CBC3-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.1 ECDH-ECDSA-AES128 -u @@ -518,7 +518,7 @@ -u -v 2 -l ECDH-ECDSA-AES128-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.1 ECDH-ECDSA-AES256 -u @@ -531,7 +531,7 @@ -u -v 2 -l ECDH-ECDSA-AES256-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDH-ECDSA-DES3 -u @@ -544,7 +544,7 @@ -u -v 3 -l ECDH-ECDSA-DES-CBC3-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDH-ECDSA-AES128 -u @@ -557,7 +557,7 @@ -u -v 3 -l ECDH-ECDSA-AES128-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDH-ECDSA-AES128-SHA256 -u @@ -570,7 +570,7 @@ -u -v 3 -l ECDH-ECDSA-AES128-SHA256 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDH-ECDSA-AES256 -u @@ -583,7 +583,7 @@ -u -v 3 -l ECDH-ECDSA-AES256-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDHE-RSA-AES256-SHA384 -u @@ -606,7 +606,7 @@ -u -v 3 -l ECDHE-ECDSA-AES256-SHA384 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDH-RSA-AES256-SHA384 -u @@ -631,7 +631,7 @@ -u -v 3 -l ECDH-ECDSA-AES256-SHA384 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1 ECDHE-PSK-AES128-SHA256 -s @@ -788,7 +788,7 @@ -u -v 3 -l ECDHE-ECDSA-AES128-GCM-SHA256 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 -u @@ -801,7 +801,7 @@ -u -v 3 -l ECDHE-ECDSA-AES256-GCM-SHA384 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 -u @@ -814,7 +814,7 @@ -u -v 3 -l ECDH-ECDSA-AES128-GCM-SHA256 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384 -u @@ -827,7 +827,7 @@ -u -v 3 -l ECDH-ECDSA-AES256-GCM-SHA384 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 -u @@ -908,7 +908,7 @@ -u -v 3 -l ECDHE-ECDSA-AES128-CCM --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDHE-ECDSA-AES128-CCM-8 -u @@ -921,7 +921,7 @@ -u -v 3 -l ECDHE-ECDSA-AES128-CCM-8 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDHE-ECDSA-AES256-CCM-8 -u @@ -934,7 +934,7 @@ -u -v 3 -l ECDHE-ECDSA-AES256-CCM-8 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ADH-AES128-SHA -u diff --git a/tests/test-qsh.conf b/tests/test-qsh.conf index 96cf62778..d7ed05867 100644 --- a/tests/test-qsh.conf +++ b/tests/test-qsh.conf @@ -53,7 +53,7 @@ # client TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305-OLD -v 3 -l QSH:ECDHE-ECDSA-CHACHA20-POLY1305-OLD --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 DHE-RSA-CHACHA20-POLY1305 -v 3 @@ -80,7 +80,7 @@ # client TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305 -v 3 -l QSH:ECDHE-ECDSA-CHACHA20-POLY1305 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server SSLv3 RC4-SHA -v 0 @@ -339,7 +339,7 @@ # client TLSv1 ECDHE-ECDSA-NULL-SHA -v 1 -l QSH:ECDHE-ECDSA-NULL-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.1 ECDHE-ECDSA-NULL-SHA -v 2 @@ -350,7 +350,7 @@ # client TLSv1 ECDHE-ECDSA-NULL-SHA -v 2 -l QSH:ECDHE-ECDSA-NULL-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDHE-ECDSA-NULL-SHA -v 3 @@ -361,7 +361,7 @@ # client TLSv1.2 ECDHE-ECDSA-NULL-SHA -v 3 -l QSH:ECDHE-ECDSA-NULL-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.1 ECDHE-RSA-RC4 -v 2 @@ -444,7 +444,7 @@ # client TLSv1 ECDHE-ECDSA-RC4 -v 1 -l QSH:ECDHE-ECDSA-RC4-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1 ECDHE-ECDSA-DES3 -v 1 @@ -455,7 +455,7 @@ # client TLSv1 ECDHE-ECDSA-DES3 -v 1 -l QSH:ECDHE-ECDSA-DES-CBC3-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1 ECDHE-ECDSA-AES128 -v 1 @@ -466,7 +466,7 @@ # client TLSv1 ECDHE-ECDSA-AES128 -v 1 -l QSH:ECDHE-ECDSA-AES128-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1 ECDHE-ECDSA-AES256 -v 1 @@ -477,7 +477,7 @@ # client TLSv1 ECDHE-ECDSA-AES256 -v 1 -l QSH:ECDHE-ECDSA-AES256-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.1 ECDHE-EDCSA-RC4 -v 2 @@ -488,7 +488,7 @@ # client TLSv1.1 ECDHE-ECDSA-RC4 -v 2 -l QSH:ECDHE-ECDSA-RC4-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.1 ECDHE-ECDSA-DES3 -v 2 @@ -499,7 +499,7 @@ # client TLSv1.1 ECDHE-ECDSA-DES3 -v 2 -l QSH:ECDHE-ECDSA-DES-CBC3-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.1 ECDHE-ECDSA-AES128 -v 2 @@ -510,7 +510,7 @@ # client TLSv1.1 ECDHE-ECDSA-AES128 -v 2 -l QSH:ECDHE-ECDSA-AES128-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.1 ECDHE-ECDSA-AES256 -v 2 @@ -521,7 +521,7 @@ # client TLSv1.1 ECDHE-ECDSA-AES256 -v 2 -l QSH:ECDHE-ECDSA-AES256-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDHE-ECDSA-RC4 -v 3 @@ -532,7 +532,7 @@ # client TLSv1.2 ECDHE-ECDSA-RC4 -v 3 -l QSH:ECDHE-ECDSA-RC4-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDHE-ECDSA-DES3 -v 3 @@ -543,7 +543,7 @@ # client TLSv1.2 ECDHE-ECDSA-DES3 -v 3 -l QSH:ECDHE-ECDSA-DES-CBC3-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDHE-ECDSA-AES128 -v 3 @@ -554,7 +554,7 @@ # client TLSv1.2 ECDHE-ECDSA-AES128 -v 3 -l QSH:ECDHE-ECDSA-AES128-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDHE-ECDSA-AES128-SHA256 -v 3 @@ -565,7 +565,7 @@ # client TLSv1.2 ECDHE-ECDSA-AES128-SHA256 -v 3 -l QSH:ECDHE-ECDSA-AES128-SHA256 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDHE-ECDSA-AES256 -v 3 @@ -576,7 +576,7 @@ # client TLSv1.2 ECDHE-ECDSA-AES256 -v 3 -l QSH:ECDHE-ECDSA-AES256-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1 ECDH-RSA-RC4 -v 1 @@ -717,7 +717,7 @@ # client TLSv1 ECDH-ECDSA-RC4 -v 1 -l QSH:ECDH-ECDSA-RC4-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1 ECDH-ECDSA-DES3 -v 1 @@ -728,7 +728,7 @@ # client TLSv1 ECDH-ECDSA-DES3 -v 1 -l QSH:ECDH-ECDSA-DES-CBC3-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1 ECDH-ECDSA-AES128 -v 1 @@ -739,7 +739,7 @@ # client TLSv1 ECDH-ECDSA-AES128 -v 1 -l QSH:ECDH-ECDSA-AES128-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1 ECDH-ECDSA-AES256 -v 1 @@ -750,7 +750,7 @@ # client TLSv1 ECDH-ECDSA-AES256 -v 1 -l QSH:ECDH-ECDSA-AES256-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.1 ECDH-EDCSA-RC4 -v 2 @@ -761,7 +761,7 @@ # client TLSv1.1 ECDH-ECDSA-RC4 -v 2 -l QSH:ECDH-ECDSA-RC4-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.1 ECDH-ECDSA-DES3 -v 2 @@ -772,7 +772,7 @@ # client TLSv1.1 ECDH-ECDSA-DES3 -v 2 -l QSH:ECDH-ECDSA-DES-CBC3-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.1 ECDH-ECDSA-AES128 -v 2 @@ -783,7 +783,7 @@ # client TLSv1.1 ECDH-ECDSA-AES128 -v 2 -l QSH:ECDH-ECDSA-AES128-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.1 ECDH-ECDSA-AES256 -v 2 @@ -794,7 +794,7 @@ # client TLSv1.1 ECDH-ECDSA-AES256 -v 2 -l QSH:ECDH-ECDSA-AES256-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDHE-ECDSA-RC4 -v 3 @@ -805,7 +805,7 @@ # client TLSv1.2 ECDH-ECDSA-RC4 -v 3 -l QSH:ECDH-ECDSA-RC4-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDH-ECDSA-DES3 -v 3 @@ -816,7 +816,7 @@ # client TLSv1.2 ECDH-ECDSA-DES3 -v 3 -l QSH:ECDH-ECDSA-DES-CBC3-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDH-ECDSA-AES128 -v 3 @@ -827,7 +827,7 @@ # client TLSv1.2 ECDH-ECDSA-AES128 -v 3 -l QSH:ECDH-ECDSA-AES128-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDH-ECDSA-AES128-SHA256 -v 3 @@ -838,7 +838,7 @@ # client TLSv1.2 ECDH-ECDSA-AES128-SHA256 -v 3 -l QSH:ECDH-ECDSA-AES128-SHA256 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDH-ECDSA-AES256 -v 3 @@ -849,7 +849,7 @@ # client TLSv1.2 ECDH-ECDSA-AES256 -v 3 -l QSH:ECDH-ECDSA-AES256-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDHE-RSA-AES256-SHA384 -v 3 @@ -868,7 +868,7 @@ # client TLSv1.2 ECDHE-ECDSA-AES256-SHA384 -v 3 -l QSH:ECDHE-ECDSA-AES256-SHA384 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDH-RSA-AES256-SHA384 -v 3 @@ -889,7 +889,7 @@ # client TLSv1.2 ECDH-ECDSA-AES256-SHA384 -v 3 -l QSH:ECDH-ECDSA-AES256-SHA384 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1 HC128-SHA -v 1 @@ -1646,7 +1646,7 @@ # client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 -v 3 -l QSH:ECDHE-ECDSA-AES128-GCM-SHA256 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 -v 3 @@ -1657,7 +1657,7 @@ # client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 -v 3 -l QSH:ECDHE-ECDSA-AES256-GCM-SHA384 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 -v 3 @@ -1668,7 +1668,7 @@ # client TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 -v 3 -l QSH:ECDH-ECDSA-AES128-GCM-SHA256 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384 -v 3 @@ -1679,7 +1679,7 @@ # client TLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384 -v 3 -l QSH:ECDH-ECDSA-AES256-GCM-SHA384 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 -v 3 @@ -1778,7 +1778,7 @@ # client TLSv1.2 ECDHE-ECDSA-AES128-CCM -v 3 -l QSH:ECDHE-ECDSA-AES128-CCM --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDHE-ECDSA-AES128-CCM-8 -v 3 @@ -1789,7 +1789,7 @@ # client TLSv1.2 ECDHE-ECDSA-AES128-CCM-8 -v 3 -l QSH:ECDHE-ECDSA-AES128-CCM-8 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDHE-ECDSA-AES256-CCM-8 -v 3 @@ -1800,7 +1800,7 @@ # client TLSv1.2 ECDHE-ECDSA-AES256-CCM-8 -v 3 -l QSH:ECDHE-ECDSA-AES256-CCM-8 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 PSK-AES128-CCM -s diff --git a/tests/test-sctp.conf b/tests/test-sctp.conf index 26fe6fd7c..8dcd6e800 100644 --- a/tests/test-sctp.conf +++ b/tests/test-sctp.conf @@ -29,7 +29,7 @@ -G -v 2 -l ECDHE-ECDSA-CHACHA20-POLY1305 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 DHE-RSA-CHACHA20-POLY1305 -G @@ -62,7 +62,7 @@ -G -v 3 -l ECDHE-ECDSA-CHACHA20-POLY1305 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 DHE-PSK-CHACHA20-POLY1305 -G @@ -131,7 +131,7 @@ -G -v 3 -l ECDHE-ECDSA-CHACHA20-POLY1305-OLD --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1 RC4-SHA -G @@ -364,7 +364,7 @@ -G -v 1 -l ECDHE-ECDSA-NULL-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.1 ECDHE-ECDSA-NULL-SHA -G @@ -377,7 +377,7 @@ -G -v 2 -l ECDHE-ECDSA-NULL-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDHE-ECDSA-NULL-SHA -G @@ -390,7 +390,7 @@ -G -v 3 -l ECDHE-ECDSA-NULL-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.1 ECDHE-EDCSA-RC4 -G @@ -403,7 +403,7 @@ -G -v 2 -l ECDHE-ECDSA-RC4-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.1 ECDHE-ECDSA-DES3 -G @@ -416,7 +416,7 @@ -G -v 2 -l ECDHE-ECDSA-DES-CBC3-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.1 ECDHE-ECDSA-AES128 -G @@ -429,7 +429,7 @@ -G -v 2 -l ECDHE-ECDSA-AES128-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.1 ECDHE-ECDSA-AES256 -G @@ -442,7 +442,7 @@ -G -v 2 -l ECDHE-ECDSA-AES256-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDHE-ECDSA-RC4 -G @@ -455,7 +455,7 @@ -G -v 3 -l ECDHE-ECDSA-RC4-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDHE-ECDSA-DES3 -G @@ -468,7 +468,7 @@ -G -v 3 -l ECDHE-ECDSA-DES-CBC3-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDHE-ECDSA-AES128 -G @@ -481,7 +481,7 @@ -G -v 3 -l ECDHE-ECDSA-AES128-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDHE-ECDSA-AES128-SHA256 -G @@ -494,7 +494,7 @@ -G -v 3 -l ECDHE-ECDSA-AES128-SHA256 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDHE-ECDSA-AES256 -G @@ -507,7 +507,7 @@ -G -v 3 -l ECDHE-ECDSA-AES256-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.1 ECDH-RSA-RC4 -G @@ -628,7 +628,7 @@ -G -v 2 -l ECDH-ECDSA-RC4-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.1 ECDH-ECDSA-DES3 -G @@ -641,7 +641,7 @@ -G -v 2 -l ECDH-ECDSA-DES-CBC3-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.1 ECDH-ECDSA-AES128 -G @@ -654,7 +654,7 @@ -G -v 2 -l ECDH-ECDSA-AES128-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.1 ECDH-ECDSA-AES256 -G @@ -667,7 +667,7 @@ -G -v 2 -l ECDH-ECDSA-AES256-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDHE-ECDSA-RC4 -G @@ -680,7 +680,7 @@ -G -v 3 -l ECDH-ECDSA-RC4-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDH-ECDSA-DES3 -G @@ -693,7 +693,7 @@ -G -v 3 -l ECDH-ECDSA-DES-CBC3-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDH-ECDSA-AES128 -G @@ -706,7 +706,7 @@ -G -v 3 -l ECDH-ECDSA-AES128-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDH-ECDSA-AES128-SHA256 -G @@ -719,7 +719,7 @@ -G -v 3 -l ECDH-ECDSA-AES128-SHA256 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDH-ECDSA-AES256 -G @@ -732,7 +732,7 @@ -G -v 3 -l ECDH-ECDSA-AES256-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDHE-RSA-AES256-SHA384 -G @@ -755,7 +755,7 @@ -G -v 3 -l ECDHE-ECDSA-AES256-SHA384 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDH-RSA-AES256-SHA384 -G @@ -780,7 +780,7 @@ -G -v 3 -l ECDH-ECDSA-AES256-SHA384 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1 ECDHE-PSK-AES128-SHA256 -s @@ -937,7 +937,7 @@ -G -v 3 -l ECDHE-ECDSA-AES128-GCM-SHA256 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 -G @@ -950,7 +950,7 @@ -G -v 3 -l ECDHE-ECDSA-AES256-GCM-SHA384 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 -G @@ -963,7 +963,7 @@ -G -v 3 -l ECDH-ECDSA-AES128-GCM-SHA256 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384 -G @@ -976,7 +976,7 @@ -G -v 3 -l ECDH-ECDSA-AES256-GCM-SHA384 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 -G @@ -1057,7 +1057,7 @@ -G -v 3 -l ECDHE-ECDSA-AES128-CCM --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDHE-ECDSA-AES128-CCM-8 -G @@ -1070,7 +1070,7 @@ -G -v 3 -l ECDHE-ECDSA-AES128-CCM-8 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ECDHE-ECDSA-AES256-CCM-8 -G @@ -1083,7 +1083,7 @@ -G -v 3 -l ECDHE-ECDSA-AES256-CCM-8 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server DTLSv1.2 ADH-AES128-SHA -G diff --git a/tests/test-sig.conf b/tests/test-sig.conf index aa7f3b295..adf0ce952 100644 --- a/tests/test-sig.conf +++ b/tests/test-sig.conf @@ -18,7 +18,7 @@ # client TLSv1 ECDHE-ECDSA-AES128 -v 1 -l ECDHE-ECDSA-AES128-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1 ECDHE-ECDSA-AES128 -v 1 @@ -62,7 +62,7 @@ # client TLSv1.1 ECDHE-ECDSA-AES128 -v 2 -l ECDHE-ECDSA-AES128-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.1 ECDHE-ECDSA-AES128 -v 2 @@ -106,7 +106,7 @@ # client TLSv1.2 ECDHE-ECDSA-AES128 -v 3 -l ECDHE-ECDSA-AES128-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDHE-ECDSA-AES128-SHA256 -v 3 diff --git a/tests/test-tls13.conf b/tests/test-tls13.conf index 4f2c30eea..c5f8c3a07 100644 --- a/tests/test-tls13.conf +++ b/tests/test-tls13.conf @@ -47,7 +47,7 @@ # client TLSv1.3 TLS13-CHACH20-POLY1305-SHA256 -v 4 -l TLS13-CHACH20-POLY1305-SHA256 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.3 TLS13-AES128-GCM-SHA256 -v 4 @@ -58,7 +58,7 @@ # client TLSv1.3 TLS13-AES128-GCM-SHA256 -v 4 -l TLS13-AES128-GCM-SHA256 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.3 TLS13-AES256-GCM-SHA384 -v 4 @@ -69,7 +69,7 @@ # client TLSv1.3 TLS13-AES256-GCM-SHA384 -v 4 -l TLS13-AES256-GCM-SHA384 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.3 TLS13-AES128-CCM-SHA256 -v 4 @@ -80,7 +80,7 @@ # client TLSv1.3 TLS13-AES128-CCM-SHA256 -v 4 -l TLS13-AES128-CCM-SHA256 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.3 TLS13-AES128-CCM-8-SHA256 -v 4 @@ -91,7 +91,7 @@ # client TLSv1.3 TLS13-AES128-CCM-8-SHA256 -v 4 -l TLS13-AES128-CCM-8-SHA256 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.3 TLS13-AES128-GCM-SHA256 -v 4 @@ -102,7 +102,7 @@ # client TLSv1.3 TLS13-AES128-GCM-SHA256 -v 4 -l TLS13-AES128-GCM-SHA256 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem -t # server TLSv1.3 accepting EarlyData diff --git a/tests/test.conf b/tests/test.conf index 0425fe873..560b84743 100644 --- a/tests/test.conf +++ b/tests/test.conf @@ -23,7 +23,7 @@ # client TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305 -v 3 -l ECDHE-ECDSA-CHACHA20-POLY1305 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 DHE-PSK-CHACHA20-POLY1305 -v 3 @@ -80,7 +80,7 @@ # client TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305-OLD -v 3 -l ECDHE-ECDSA-CHACHA20-POLY1305-OLD --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server SSLv3 RC4-SHA -v 0 @@ -411,7 +411,7 @@ # client TLSv1 ECDHE-ECDSA-NULL-SHA -v 1 -l ECDHE-ECDSA-NULL-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.1 ECDHE-ECDSA-NULL-SHA -v 2 @@ -422,7 +422,7 @@ # client TLSv1 ECDHE-ECDSA-NULL-SHA -v 2 -l ECDHE-ECDSA-NULL-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDHE-ECDSA-NULL-SHA -v 3 @@ -433,7 +433,7 @@ # client TLSv1.2 ECDHE-ECDSA-NULL-SHA -v 3 -l ECDHE-ECDSA-NULL-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1 ECDHE-ECDSA-RC4 -v 1 @@ -444,7 +444,7 @@ # client TLSv1 ECDHE-ECDSA-RC4 -v 1 -l ECDHE-ECDSA-RC4-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1 ECDHE-ECDSA-DES3 -v 1 @@ -455,7 +455,7 @@ # client TLSv1 ECDHE-ECDSA-DES3 -v 1 -l ECDHE-ECDSA-DES-CBC3-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1 ECDHE-ECDSA-AES128 -v 1 @@ -466,7 +466,7 @@ # client TLSv1 ECDHE-ECDSA-AES128 -v 1 -l ECDHE-ECDSA-AES128-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1 ECDHE-ECDSA-AES256 -v 1 @@ -477,7 +477,7 @@ # client TLSv1 ECDHE-ECDSA-AES256 -v 1 -l ECDHE-ECDSA-AES256-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.1 ECDHE-EDCSA-RC4 -v 2 @@ -488,7 +488,7 @@ # client TLSv1.1 ECDHE-ECDSA-RC4 -v 2 -l ECDHE-ECDSA-RC4-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.1 ECDHE-ECDSA-DES3 -v 2 @@ -499,7 +499,7 @@ # client TLSv1.1 ECDHE-ECDSA-DES3 -v 2 -l ECDHE-ECDSA-DES-CBC3-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.1 ECDHE-ECDSA-AES128 -v 2 @@ -510,7 +510,7 @@ # client TLSv1.1 ECDHE-ECDSA-AES128 -v 2 -l ECDHE-ECDSA-AES128-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.1 ECDHE-ECDSA-AES256 -v 2 @@ -521,7 +521,7 @@ # client TLSv1.1 ECDHE-ECDSA-AES256 -v 2 -l ECDHE-ECDSA-AES256-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDHE-ECDSA-RC4 -v 3 @@ -532,7 +532,7 @@ # client TLSv1.2 ECDHE-ECDSA-RC4 -v 3 -l ECDHE-ECDSA-RC4-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDHE-ECDSA-DES3 -v 3 @@ -543,7 +543,7 @@ # client TLSv1.2 ECDHE-ECDSA-DES3 -v 3 -l ECDHE-ECDSA-DES-CBC3-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDHE-ECDSA-AES128 -v 3 @@ -554,7 +554,7 @@ # client TLSv1.2 ECDHE-ECDSA-AES128 -v 3 -l ECDHE-ECDSA-AES128-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDHE-ECDSA-AES128-SHA256 -v 3 @@ -565,7 +565,7 @@ # client TLSv1.2 ECDHE-ECDSA-AES128-SHA256 -v 3 -l ECDHE-ECDSA-AES128-SHA256 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDHE-ECDSA-AES256 -v 3 @@ -576,7 +576,7 @@ # client TLSv1.2 ECDHE-ECDSA-AES256 -v 3 -l ECDHE-ECDSA-AES256-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1 ECDH-RSA-RC4 -v 1 @@ -717,7 +717,7 @@ # client TLSv1 ECDH-ECDSA-RC4 -v 1 -l ECDH-ECDSA-RC4-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1 ECDH-ECDSA-DES3 -v 1 @@ -728,7 +728,7 @@ # client TLSv1 ECDH-ECDSA-DES3 -v 1 -l ECDH-ECDSA-DES-CBC3-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1 ECDH-ECDSA-AES128 -v 1 @@ -739,7 +739,7 @@ # client TLSv1 ECDH-ECDSA-AES128 -v 1 -l ECDH-ECDSA-AES128-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1 ECDH-ECDSA-AES256 -v 1 @@ -750,7 +750,7 @@ # client TLSv1 ECDH-ECDSA-AES256 -v 1 -l ECDH-ECDSA-AES256-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.1 ECDH-EDCSA-RC4 -v 2 @@ -761,7 +761,7 @@ # client TLSv1.1 ECDH-ECDSA-RC4 -v 2 -l ECDH-ECDSA-RC4-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.1 ECDH-ECDSA-DES3 -v 2 @@ -772,7 +772,7 @@ # client TLSv1.1 ECDH-ECDSA-DES3 -v 2 -l ECDH-ECDSA-DES-CBC3-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.1 ECDH-ECDSA-AES128 -v 2 @@ -783,7 +783,7 @@ # client TLSv1.1 ECDH-ECDSA-AES128 -v 2 -l ECDH-ECDSA-AES128-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.1 ECDH-ECDSA-AES256 -v 2 @@ -794,7 +794,7 @@ # client TLSv1.1 ECDH-ECDSA-AES256 -v 2 -l ECDH-ECDSA-AES256-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDHE-ECDSA-RC4 -v 3 @@ -805,7 +805,7 @@ # client TLSv1.2 ECDH-ECDSA-RC4 -v 3 -l ECDH-ECDSA-RC4-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDH-ECDSA-DES3 -v 3 @@ -816,7 +816,7 @@ # client TLSv1.2 ECDH-ECDSA-DES3 -v 3 -l ECDH-ECDSA-DES-CBC3-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDH-ECDSA-AES128 -v 3 @@ -827,7 +827,7 @@ # client TLSv1.2 ECDH-ECDSA-AES128 -v 3 -l ECDH-ECDSA-AES128-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDH-ECDSA-AES128-SHA256 -v 3 @@ -838,7 +838,7 @@ # client TLSv1.2 ECDH-ECDSA-AES128-SHA256 -v 3 -l ECDH-ECDSA-AES128-SHA256 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDH-ECDSA-AES256 -v 3 @@ -849,7 +849,7 @@ # client TLSv1.2 ECDH-ECDSA-AES256 -v 3 -l ECDH-ECDSA-AES256-SHA --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDHE-RSA-AES256-SHA384 -v 3 @@ -868,7 +868,7 @@ # client TLSv1.2 ECDHE-ECDSA-AES256-SHA384 -v 3 -l ECDHE-ECDSA-AES256-SHA384 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDH-RSA-AES256-SHA384 -v 3 @@ -889,7 +889,7 @@ # client TLSv1.2 ECDH-ECDSA-AES256-SHA384 -v 3 -l ECDH-ECDSA-AES256-SHA384 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1 HC128-SHA -v 1 @@ -1662,7 +1662,7 @@ # client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 -v 3 -l ECDHE-ECDSA-AES128-GCM-SHA256 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 -v 3 @@ -1673,7 +1673,7 @@ # client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 -v 3 -l ECDHE-ECDSA-AES256-GCM-SHA384 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 -v 3 @@ -1684,7 +1684,7 @@ # client TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 -v 3 -l ECDH-ECDSA-AES128-GCM-SHA256 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384 -v 3 @@ -1695,7 +1695,7 @@ # client TLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384 -v 3 -l ECDH-ECDSA-AES256-GCM-SHA384 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 -v 3 @@ -1794,7 +1794,7 @@ # client TLSv1.2 ECDHE-ECDSA-AES128-CCM -v 3 -l ECDHE-ECDSA-AES128-CCM --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDHE-ECDSA-AES128-CCM-8 -v 3 @@ -1805,7 +1805,7 @@ # client TLSv1.2 ECDHE-ECDSA-AES128-CCM-8 -v 3 -l ECDHE-ECDSA-AES128-CCM-8 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 ECDHE-ECDSA-AES256-CCM-8 -v 3 @@ -1816,7 +1816,7 @@ # client TLSv1.2 ECDHE-ECDSA-AES256-CCM-8 -v 3 -l ECDHE-ECDSA-AES256-CCM-8 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem # server TLSv1.2 PSK-AES128-CCM -s @@ -2187,7 +2187,7 @@ # client TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305 -v 3 -l ECDHE-ECDSA-CHACHA20-POLY1305 --A ./certs/server-ecc.pem +-A ./certs/ca-ecc-cert.pem -t # server TLSv1.2 private-only key diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 36ff9fbee..0bdb8c01b 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -162,7 +162,8 @@ ASN Options: #define XTIME(t1) mqx_time((t1)) #define HAVE_GMTIME_R -#elif defined(FREESCALE_KSDK_BM) || defined(FREESCALE_FREE_RTOS) || defined(FREESCALE_KSDK_FREERTOS) +#elif defined(FREESCALE_KSDK_BM) || defined(FREESCALE_FREE_RTOS) || \ + defined(FREESCALE_KSDK_FREERTOS) #include #ifndef XTIME /*extern time_t ksdk_time(time_t* timer);*/ @@ -763,7 +764,10 @@ static int GetInteger7Bit(const byte* input, word32* inOutIdx, word32 maxIdx) return b; } -#if !defined(NO_DSA) || defined(HAVE_ECC) || (!defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) || (defined(WOLFSSL_KEY_GEN) && !defined(HAVE_USER_RSA)))) +#if !defined(NO_DSA) || defined(HAVE_ECC) || \ + (!defined(NO_RSA) && \ + (defined(WOLFSSL_CERT_GEN) || \ + (defined(WOLFSSL_KEY_GEN) && !defined(HAVE_USER_RSA)))) /* Set the DER/BER encoding of the ASN.1 INTEGER header. * * len Length of data to encode. @@ -786,7 +790,8 @@ static int SetASNInt(int len, byte firstByte, byte* output) } #endif -#if !defined(NO_DSA) || defined(HAVE_ECC) || defined(WOLFSSL_CERT_GEN) || (defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && !defined(HAVE_USER_RSA)) +#if !defined(NO_DSA) || defined(HAVE_ECC) || defined(WOLFSSL_CERT_GEN) || \ + (defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && !defined(HAVE_USER_RSA)) /* Set the DER/BER encoding of the ASN.1 INTEGER element with an mp_int. * The number is assumed to be positive. * @@ -851,8 +856,7 @@ static int SetASNIntRSA(mp_int* n, byte* output) return idx; } -#endif /* !NO_RSA && (WOLFSSL_CERT_GEN || (WOLFSSL_KEY_GEN && - !HAVE_USER_RSA))) */ +#endif /* !NO_RSA && HAVE_USER_RSA && WOLFSSL_CERT_GEN */ /* Windows header clash for WinCE using GetVersion */ WOLFSSL_LOCAL int GetMyVersion(const byte* input, word32* inOutIdx, @@ -4295,7 +4299,7 @@ static int SetCurve(ecc_key* key, byte* output) return idx; } -#endif /* HAVE_ECC && WOLFSSL_CERT_GEN */ +#endif /* HAVE_ECC && (WOLFSSL_CERT_GEN || WOLFSSL_KEY_GEN) */ static INLINE int IsSigAlgoECDSA(int algoOID) @@ -6668,9 +6672,10 @@ int wc_DerToPemEx(const byte* der, word32 derSz, byte* output, word32 outSz, return outLen + headerLen + footerLen; } -#endif /* WOLFSSL_KEY_GEN || WOLFSSL_CERT_GEN */ +#endif /* WOLFSSL_KEY_GEN || WOLFSSL_CERT_GEN || OPENSSL_EXTRA */ -#if !defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) || (defined(WOLFSSL_KEY_GEN) && !defined(HAVE_USER_RSA))) +#if !defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) || \ + (defined(WOLFSSL_KEY_GEN) && !defined(HAVE_USER_RSA))) /* USER RSA ifdef portions used instead of refactor in consideration for possible fips build */ /* Write a public RSA key to output */ @@ -6932,7 +6937,7 @@ int wc_RsaKeyToPublicDer(RsaKey* key, byte* output, word32 inLen) #endif /* WOLFSSL_KEY_GEN && !NO_RSA && !HAVE_USER_RSA */ -#if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA) +#ifdef WOLFSSL_CERT_GEN /* Initialize and Set Certificate defaults: version = 3 (0x2) @@ -7082,8 +7087,8 @@ static word32 SetUTF8String(word32 len, byte* output) #endif /* WOLFSSL_CERT_REQ */ +#endif /*WOLFSSL_CERT_GEN */ -#endif /* defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA) */ #if defined(HAVE_ECC) && (defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN)) /* Write a public ECC key to output */ @@ -7216,6 +7221,7 @@ int wc_EccPublicKeyToDer(ecc_key* key, byte* output, word32 inLen, return SetEccPublicKey(output, key, with_AlgCurve); } #endif /* HAVE_ECC && (WOLFSSL_CERT_GEN || WOLFSSL_KEY_GEN) */ + #if defined(HAVE_ED25519) && (defined(WOLFSSL_CERT_GEN) || \ defined(WOLFSSL_KEY_GEN)) @@ -7320,7 +7326,9 @@ int wc_Ed25519PublicKeyToDer(ed25519_key* key, byte* output, word32 inLen, return SetEd25519PublicKey(output, key, withAlg); } #endif /* HAVE_ED25519 && (WOLFSSL_CERT_GEN || WOLFSSL_KEY_GEN) */ -#if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA) + + +#ifdef WOLFSSL_CERT_GEN static INLINE byte itob(int number) { @@ -8163,14 +8171,13 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey, { int ret; - (void)eccKey; - (void)ntruKey; - (void)ntruSz; - (void)ed25519Key; - if (cert == NULL || der == NULL || rng == NULL) return BAD_FUNC_ARG; + /* make sure at least one key type is provided */ + if (rsaKey == NULL && eccKey == NULL && ed25519Key == NULL && ntruKey == NULL) + return PUBLIC_KEY_E; + /* init */ XMEMSET(der, 0, sizeof(DerCert)); @@ -8198,32 +8205,28 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey, return ALGO_ID_E; /* public key */ +#ifndef NO_RSA if (cert->keyType == RSA_KEY) { if (rsaKey == NULL) return PUBLIC_KEY_E; der->publicKeySz = SetRsaPublicKey(der->publicKey, rsaKey, sizeof(der->publicKey), 1); - if (der->publicKeySz <= 0) - return PUBLIC_KEY_E; } +#endif #ifdef HAVE_ECC if (cert->keyType == ECC_KEY) { if (eccKey == NULL) return PUBLIC_KEY_E; der->publicKeySz = SetEccPublicKey(der->publicKey, eccKey, 1); - if (der->publicKeySz <= 0) - return PUBLIC_KEY_E; } -#endif /* HAVE_ECC */ +#endif #ifdef HAVE_ED25519 if (cert->keyType == ED25519_KEY) { if (ed25519Key == NULL) return PUBLIC_KEY_E; der->publicKeySz = SetEd25519PublicKey(der->publicKey, ed25519Key, 1); - if (der->publicKeySz <= 0) - return PUBLIC_KEY_E; } #endif @@ -8232,22 +8235,30 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey, word32 rc; word16 encodedSz; - rc = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo( ntruSz, + if (ntruKey == NULL) + return PUBLIC_KEY_E; + + rc = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo(ntruSz, ntruKey, &encodedSz, NULL); if (rc != NTRU_OK) return PUBLIC_KEY_E; if (encodedSz > MAX_PUBLIC_KEY_SZ) return PUBLIC_KEY_E; - rc = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo( ntruSz, + rc = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo(ntruSz, ntruKey, &encodedSz, der->publicKey); if (rc != NTRU_OK) return PUBLIC_KEY_E; der->publicKeySz = encodedSz; } +#else + (void)ntruSz; #endif /* HAVE_NTRU */ + if (der->publicKeySz <= 0) + return PUBLIC_KEY_E; + der->validitySz = 0; #ifdef WOLFSSL_ALT_NAMES /* date validity copy ? */ @@ -8800,6 +8811,9 @@ static int EncodeCertReq(Cert* cert, DerCert* der, RsaKey* rsaKey, if (cert == NULL || der == NULL) return BAD_FUNC_ARG; + if (rsaKey == NULL && eccKey == NULL && ed25519Key == NULL) + return PUBLIC_KEY_E; + /* init */ XMEMSET(der, 0, sizeof(DerCert)); @@ -8812,34 +8826,31 @@ static int EncodeCertReq(Cert* cert, DerCert* der, RsaKey* rsaKey, return SUBJECT_E; /* public key */ +#ifndef NO_RSA if (cert->keyType == RSA_KEY) { if (rsaKey == NULL) return PUBLIC_KEY_E; der->publicKeySz = SetRsaPublicKey(der->publicKey, rsaKey, sizeof(der->publicKey), 1); - if (der->publicKeySz <= 0) - return PUBLIC_KEY_E; } +#endif #ifdef HAVE_ECC if (cert->keyType == ECC_KEY) { - if (eccKey == NULL) - return PUBLIC_KEY_E; der->publicKeySz = SetEccPublicKey(der->publicKey, eccKey, 1); - if (der->publicKeySz <= 0) - return PUBLIC_KEY_E; } -#endif /* HAVE_ECC */ +#endif #ifdef HAVE_ED25519 if (cert->keyType == ED25519_KEY) { if (ed25519Key == NULL) return PUBLIC_KEY_E; der->publicKeySz = SetEd25519PublicKey(der->publicKey, ed25519Key, 1); - if (der->publicKeySz <= 0) - return PUBLIC_KEY_E; } -#endif /* HAVE_ED25519 */ +#endif + + if (der->publicKeySz <= 0) + return PUBLIC_KEY_E; /* set the extensions */ der->extensionsSz = 0; @@ -9167,24 +9178,17 @@ int wc_MakeSelfCert(Cert* cert, byte* buffer, word32 buffSz, #ifdef WOLFSSL_CERT_EXT -/* Set KID from RSA or ECC public key */ +/* Set KID from public key */ static int SetKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey, byte *ntruKey, word16 ntruKeySz, ed25519_key* ed25519Key, int kid_type) { - byte *buffer; - int bufferSz, ret; - -#ifndef HAVE_NTRU - (void)ntruKeySz; -#endif + byte *buffer; + int bufferSz, ret; if (cert == NULL || (rsakey == NULL && eckey == NULL && ntruKey == NULL && ed25519Key == NULL) || - (rsakey != NULL && eckey != NULL) || - (rsakey != NULL && ntruKey != NULL) || - (ntruKey != NULL && eckey != NULL) || (kid_type != SKID_TYPE && kid_type != AKID_TYPE)) return BAD_FUNC_ARG; @@ -9193,31 +9197,35 @@ static int SetKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey, if (buffer == NULL) return MEMORY_E; + /* Public Key */ + bufferSz = -1; +#ifndef NO_RSA /* RSA public key */ if (rsakey != NULL) bufferSz = SetRsaPublicKey(buffer, rsakey, MAX_PUBLIC_KEY_SZ, 0); +#endif #ifdef HAVE_ECC /* ECC public key */ - else if (eckey != NULL) + if (eckey != NULL) bufferSz = SetEccPublicKey(buffer, eckey, 0); -#endif /* HAVE_ECC */ +#endif #ifdef HAVE_NTRU /* NTRU public key */ - else if (ntruKey != NULL) { + if (ntruKey != NULL) { bufferSz = MAX_PUBLIC_KEY_SZ; ret = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo( ntruKeySz, ntruKey, (word16 *)(&bufferSz), buffer); if (ret != NTRU_OK) bufferSz = -1; } +#else + (void)ntruKeySz; #endif #ifdef HAVE_ED25519 /* ED25519 public key */ - else if (ed25519Key != NULL) + if (ed25519Key != NULL) bufferSz = SetEd25519PublicKey(buffer, ed25519Key, 0); -#endif /* HAVE_ECC */ - else - bufferSz = -1; +#endif if (bufferSz <= 0) { XFREE(buffer, cert->heap, DYNAMIC_TYPE_TMP_BUFFER); @@ -9338,6 +9346,7 @@ int wc_SetSubjectKeyId(Cert *cert, const char* file) } /* Load PubKey in internal structure */ +#ifndef NO_RSA rsakey = (RsaKey*) XMALLOC(sizeof(RsaKey), cert->heap, DYNAMIC_TYPE_RSA); if (rsakey == NULL) { XFREE(der, cert->heap, DYNAMIC_TYPE_CERT); @@ -9353,11 +9362,15 @@ int wc_SetSubjectKeyId(Cert *cert, const char* file) idx = 0; ret = wc_RsaPublicKeyDecode(der, &idx, rsakey, derSz); - if (ret != 0) { + if (ret != 0) +#endif + { +#ifndef NO_RSA WOLFSSL_MSG("wc_RsaPublicKeyDecode failed"); wc_FreeRsaKey(rsakey); XFREE(rsakey, cert->heap, DYNAMIC_TYPE_RSA); rsakey = NULL; +#endif #ifdef HAVE_ECC /* Check to load ecc public key */ eckey = (ecc_key*) XMALLOC(sizeof(ecc_key), cert->heap, @@ -9393,8 +9406,10 @@ int wc_SetSubjectKeyId(Cert *cert, const char* file) ret = wc_SetSubjectKeyIdFromPublicKey(cert, rsakey, eckey); +#ifndef NO_RSA wc_FreeRsaKey(rsakey); XFREE(rsakey, cert->heap, DYNAMIC_TYPE_RSA); +#endif #ifdef HAVE_ECC wc_ecc_free(eckey); XFREE(eckey, cert->heap, DYNAMIC_TYPE_ECC); @@ -9766,9 +9781,7 @@ static int SetDatesFromCert(Cert* cert, const byte* der, int derSz) return ret < 0 ? ret : 0; } - -#endif /* WOLFSSL_ALT_NAMES && !NO_RSA */ - +#endif /* WOLFSSL_ALT_NAMES */ /* Set cn name from der buffer, return 0 on success */ static int SetNameFromCert(CertName* cn, const byte* der, int derSz) diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 909eb954e..dee937b28 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -177,6 +177,10 @@ #include #endif +#if defined(WOLFSSL_CERT_GEN) && (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) + #define ENABLE_ECC384_CERT_GEN_TEST +#endif + #ifdef THREADX /* since just testing, use THREADX log printf instead */ @@ -727,20 +731,6 @@ int wolfcrypt_test(void* args) printf( "RSA test passed!\n"); #endif -#if !defined(NO_ASN_TIME) && !defined(NO_RSA) && defined(WOLFSSL_TEST_CERT) - if ( (ret = cert_test()) != 0) - return err_sys("CERT test failed!\n", ret); - else - printf( "CERT test passed!\n"); -#endif - -#if defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_TEST_CERT) - if ( (ret = certext_test()) != 0) - return err_sys("CERT EXT test failed!\n", ret); - else - printf( "CERT EXT test passed!\n"); -#endif - #ifndef NO_DH if ( (ret = dh_test()) != 0) return err_sys("DH test failed!\n", ret); @@ -795,6 +785,20 @@ int wolfcrypt_test(void* args) #endif #endif +#if !defined(NO_ASN_TIME) && !defined(NO_RSA) && defined(WOLFSSL_TEST_CERT) + if ( (ret = cert_test()) != 0) + return err_sys("CERT test failed!\n", ret); + else + printf( "CERT test passed!\n"); +#endif + +#if defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_TEST_CERT) + if ( (ret = certext_test()) != 0) + return err_sys("CERT EXT test failed!\n", ret); + else + printf( "CERT EXT test passed!\n"); +#endif + #ifdef HAVE_CURVE25519 if ( (ret = curve25519_test()) != 0) return err_sys("CURVE25519 test failed!\n", ret); @@ -915,6 +919,64 @@ int wolfcrypt_test(void* args) #endif /* NO_MAIN_DRIVER */ +/* helper to save DER, convert to PEM and save PEM */ +#if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) + +#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) +#define SaveDerAndPem(d, dSz, p, pSz, fD, fP, pT, eB) _SaveDerAndPem(d, dSz, p, pSz, fD, fP, pT, eB) +#else +#define SaveDerAndPem(d, dSz, p, pSz, fD, fP, pT, eB) _SaveDerAndPem(d, dSz, p, pSz, NULL, NULL, pT, eB) +#endif + +static int _SaveDerAndPem(const byte* der, int derSz, + byte* pem, int pemSz, const char* fileDer, + const char* filePem, int pemType, int errBase) +{ + int ret; +#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) + FILE* derFile; + + derFile = fopen(fileDer, "wb"); + if (!derFile) { + return errBase + 0; + } + ret = (int)fwrite(der, 1, derSz, derFile); + fclose(derFile); + if (ret != derSz) { + return errBase + 1; + } +#endif + + if (pem && filePem) { + #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) + FILE* pemFile; + #endif + + pemSz = wc_DerToPem(der, derSz, pem, pemSz, pemType); + if (pemSz < 0) { + return errBase + 2; + } + + #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) + pemFile = fopen(filePem, "wb"); + if (!pemFile) { + return errBase + 3; + } + ret = (int)fwrite(pem, 1, pemSz, pemFile); + fclose(pemFile); + if (ret != pemSz) { + return errBase + 4; + } + #endif + } + + /* suppress unused variable warnings */ + (void)filePem; + (void)fileDer; + + return 0; +} +#endif /* WOLFSSL_KEY_GEN || WOLFSSL_CERT_GEN */ int error_test(void) { @@ -6765,17 +6827,24 @@ byte GetEntropy(ENTROPY_CMD cmd, byte* out) #if !defined(USE_CERT_BUFFERS_256) && !defined(NO_ASN) #ifdef HAVE_ECC /* cert files to be used in rsa cert gen test, check if RSA enabled */ - #if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA) - static const char* eccCaCertFile = CERT_ROOT "server-ecc.pem"; + #ifdef HAVE_ECC_KEY_IMPORT + static const char* eccKeyDerFile = CERT_ROOT "ecc-key.der"; + #endif + #ifdef WOLFSSL_CERT_GEN + static const char* eccKeyPubFile = CERT_ROOT "ecc-keyPub.der"; + static const char* eccCaKeyFile = CERT_ROOT "ca-ecc-key.der"; + static const char* eccCaCertFile = CERT_ROOT "ca-ecc-cert.pem"; + #ifdef ENABLE_ECC384_CERT_GEN_TEST + static const char* eccCaKey384File = + CERT_ROOT "ca-ecc384-key.der"; + static const char* eccCaCert384File = + CERT_ROOT "ca-ecc384-cert.pem"; + #endif #endif - static const char* eccCaKeyFile = CERT_ROOT "ecc-key.der"; #if defined(HAVE_PKCS7) && defined(HAVE_ECC) static const char* eccClientKey = CERT_ROOT "ecc-client-key.der"; static const char* eccClientCert = CERT_ROOT "client-ecc-cert.der"; #endif - #ifdef WOLFSSL_CERT_EXT - static const char* eccCaKeyPubFile = CERT_ROOT "ecc-keyPub.der"; - #endif #endif /* HAVE_ECC */ #ifdef HAVE_ED25519 #ifdef WOLFSSL_TEST_CERT @@ -6789,20 +6858,21 @@ byte GetEntropy(ENTROPY_CMD cmd, byte* out) #ifndef NO_WRITE_TEMP_FILES #ifdef HAVE_ECC - /* Temporary Cert Files to be used in rsa cert gen test, is RSA enabled */ + #ifdef WOLFSSL_CERT_GEN + static const char* certEccPemFile = CERT_PREFIX "certecc.pem"; + #endif #if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA) - static const char* certEccPemFile = CERT_PREFIX "certecc.pem"; + static const char* certEccRsaPemFile = CERT_PREFIX "certeccrsa.pem"; + static const char* certEccRsaDerFile = CERT_PREFIX "certeccrsa.der"; #endif #ifdef WOLFSSL_KEY_GEN static const char* eccCaKeyPemFile = CERT_PREFIX "ecc-key.pem"; static const char* eccPubKeyDerFile = CERT_PREFIX "ecc-public-key.der"; static const char* eccCaKeyTempFile = CERT_PREFIX "ecc-key.der"; #endif - #ifndef NO_RSA - #if defined(WOLFSSL_CERT_GEN) || \ + #if defined(WOLFSSL_CERT_GEN) || \ (defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_TEST_CERT)) static const char* certEccDerFile = CERT_PREFIX "certecc.der"; - #endif #endif #endif /* HAVE_ECC */ @@ -6815,18 +6885,45 @@ byte GetEntropy(ENTROPY_CMD cmd, byte* out) static const char* otherCertPemFile = CERT_PREFIX "othercert.pem"; static const char* certPemFile = CERT_PREFIX "cert.pem"; #endif - #ifdef WOLFSSL_KEY_GEN - static const char* keyDerFile = CERT_PREFIX "key.der"; - static const char* keyPemFile = CERT_PREFIX "key.pem"; - #endif #ifdef WOLFSSL_CERT_REQ static const char* certReqDerFile = CERT_PREFIX "certreq.der"; static const char* certReqPemFile = CERT_PREFIX "certreq.pem"; #endif #endif /* !NO_RSA */ + +#if !defined(NO_RSA) || !defined(NO_DSA) + #ifdef WOLFSSL_KEY_GEN + static const char* keyDerFile = CERT_PREFIX "key.der"; + static const char* keyPemFile = CERT_PREFIX "key.pem"; + #endif +#endif + #endif /* !NO_WRITE_TEMP_FILES */ #endif /* !NO_FILESYSTEM */ + +#ifdef WOLFSSL_CERT_GEN +static const CertName certDefaultName = { + "US", CTC_PRINTABLE, /* country */ + "Orgeon", CTC_UTF8, /* state */ + "Portland", CTC_UTF8, /* locality */ + "Test", CTC_UTF8, /* sur */ + "wolfSSL", CTC_UTF8, /* org */ + "Development", CTC_UTF8, /* unit */ + "www.wolfssl.com", CTC_UTF8, /* commonName */ + "info@wolfssl.com" /* email */ +}; + +#ifdef WOLFSSL_CERT_EXT + static const char certKeyUsage[] = + "digitalSignature,nonRepudiation"; + #if defined(WOLFSSL_CERT_REQ) || defined(HAVE_NTRU) + static const char certKeyUsage2[] = + "digitalSignature,nonRepudiation,keyEncipherment,keyAgreement"; + #endif +#endif /* WOLFSSL_CERT_EXT */ +#endif /* WOLFSSL_CERT_GEN */ + #ifndef NO_RSA #if !defined(NO_ASN_TIME) && defined(WOLFSSL_TEST_CERT) @@ -6849,16 +6946,14 @@ int cert_test(void) file = fopen("./certs/test/cert-ext-nc.der", "rb"); #endif if (!file) { - ret = -5201; - goto done; + ERROR_OUT(-5201, done); } bytes = fread(tmp, 1, FOURK_BUF, file); fclose(file); InitDecodedCert(&cert, tmp, (word32)bytes, 0); ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL); if (ret != 0) { - ret = -5202; - goto done; + ERROR_OUT(-5202, done); } FreeDecodedCert(&cert); @@ -6869,16 +6964,14 @@ int cert_test(void) file = fopen("./certs/test/cert-ext-ia.der", "rb"); #endif if (!file) { - ret = -5203; - goto done; + ERROR_OUT(-5203, done); } bytes = fread(tmp, 1, FOURK_BUF, file); fclose(file); InitDecodedCert(&cert, tmp, (word32)bytes, 0); ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL); if (ret != 0) { - ret = -5204; - goto done; + ERROR_OUT(-5204, done); } done: @@ -6907,10 +7000,17 @@ int certext_test(void) "\x33\x63\xB3\xA4\xD8\x1D\x30\xE5\xE8\xD5"; #ifdef HAVE_ECC - /* created from rsa_test : certecc.der */ - byte akid_ecc[] = "\x5D\x5D\x26\xEF\xAC\x7E\x36\xF9\x9B\x76" - "\x15\x2B\x4A\x25\x02\x23\xEF\xB2\x89\x30"; + /* created from ecc_test_cert_gen : certecc.der */ +#ifdef ENABLE_ECC384_CERT_GEN_TEST + /* Authority key id from ./certs/ca-ecc384-cert.pem */ + byte akid_ecc[] = "\x97\xFD\xB4\x6D\xCE\x08\xB3\x02\x57\xAB" + "\xF3\x40\xD6\x1D\xAC\x75\x32\x35\xAA\xF2"; +#else + /* Authority key id from ./certs/ca-ecc-cert.pem */ + byte akid_ecc[] = "\xFD\x9D\x85\xD5\xC1\x6F\x47\xEA\xC6\x75" + "\x96\x59\x25\x37\x46\x8C\x61\xDB\xE1\xC3"; #endif +#endif /* HAVE_ECC */ /* created from rsa_test : cert.der */ byte kid_ca[] = "\x33\xD8\x45\x66\xD7\x68\x87\x18\x7E\x54" @@ -6967,7 +7067,7 @@ int certext_test(void) FreeDecodedCert(&cert); #ifdef HAVE_ECC - /* load certecc.der (Cert signed by an authority) */ + /* load certecc.der (Cert signed by our ECC CA test in ecc_test_cert_gen) */ file = fopen(certEccDerFile, "rb"); if (!file) { XFREE(tmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER); @@ -6983,9 +7083,7 @@ int certext_test(void) if (ret != 0) return -5311; - /* check the SKID from a ECC certificate */ - if (XMEMCMP(skid_rsa, cert.extSubjKeyId, sizeof(cert.extSubjKeyId))) - return -5312; + /* check the SKID from a ECC certificate - generated dynamically */ /* check the AKID from an ECC certificate */ if (XMEMCMP(akid_ecc, cert.extAuthKeyId, sizeof(cert.extAuthKeyId))) @@ -7566,9 +7664,7 @@ int rsa_test(void) #ifdef HAVE_ECC #ifdef WOLFSSL_CERT_GEN ecc_key caEccKey; - #ifdef WOLFSSL_CERT_EXT - ecc_key caEccKeyPub; - #endif + ecc_key caEccKeyPub; #endif #endif /* HAVE_ECC */ word32 idx = 0; @@ -7609,9 +7705,7 @@ int rsa_test(void) #ifdef HAVE_ECC #ifdef WOLFSSL_CERT_GEN XMEMSET(&caEccKey, 0, sizeof(caEccKey)); - #ifdef WOLFSSL_CERT_EXT - XMEMSET(&caEccKeyPub, 0, sizeof(caEccKeyPub)); - #endif + XMEMSET(&caEccKeyPub, 0, sizeof(caEccKeyPub)); #endif #endif /* HAVE_ECC */ @@ -8121,12 +8215,6 @@ int rsa_test(void) #ifdef WOLFSSL_KEY_GEN { int derSz = 0; - int pemSz = 0; - #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - FILE* keyFile; - FILE* pemFile; - #endif - ret = wc_InitRsaKey(&genKey, HEAP_HINT); if (ret != 0) { ERROR_OUT(-5550, exit_rsa); @@ -8150,34 +8238,11 @@ int rsa_test(void) ERROR_OUT(-5554, exit_rsa); } - #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - keyFile = fopen(keyDerFile, "wb"); - if (!keyFile) { - ERROR_OUT(-5555, exit_rsa); + ret = SaveDerAndPem(der, derSz, pem, FOURK_BUF, keyDerFile, keyPemFile, + PRIVATEKEY_TYPE, -5555); + if (ret != 0) { + goto exit_rsa; } - ret = (int)fwrite(der, 1, derSz, keyFile); - fclose(keyFile); - if (ret != derSz) { - ERROR_OUT(-5556, exit_rsa); - } - #endif - - pemSz = wc_DerToPem(der, derSz, pem, FOURK_BUF, PRIVATEKEY_TYPE); - if (pemSz < 0) { - ERROR_OUT(-5557, exit_rsa); - } - - #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - pemFile = fopen(keyPemFile, "wb"); - if (!pemFile) { - ERROR_OUT(-5558, exit_rsa); - } - ret = (int)fwrite(pem, 1, pemSz, pemFile); - fclose(pemFile); - if (ret != pemSz) { - ERROR_OUT(-5559, exit_rsa); - } - #endif wc_FreeRsaKey(&genKey); ret = wc_InitRsaKey(&genKey, HEAP_HINT); @@ -8203,12 +8268,7 @@ int rsa_test(void) { Cert myCert; const byte mySerial[8] = {1,2,3,4,5,6,7,8}; - #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - FILE* derFile; - FILE* pemFile; - #endif int certSz; - int pemSz; #ifdef WOLFSSL_TEST_CERT DecodedCert decode; #endif @@ -8226,17 +8286,16 @@ int rsa_test(void) ERROR_OUT(-5572, exit_rsa); } - XSTRNCPY(myCert.subject.country, "US", CTC_NAME_SIZE); - XSTRNCPY(myCert.subject.state, "OR", CTC_NAME_SIZE); - XSTRNCPY(myCert.subject.locality, "Portland", CTC_NAME_SIZE); - XSTRNCPY(myCert.subject.org, "yaSSL", CTC_NAME_SIZE); - XSTRNCPY(myCert.subject.unit, "Development", CTC_NAME_SIZE); - XSTRNCPY(myCert.subject.commonName, "www.yassl.com", CTC_NAME_SIZE); - XSTRNCPY(myCert.subject.email, "info@yassl.com", CTC_NAME_SIZE); + XMEMCPY(&myCert.subject, &certDefaultName, sizeof(CertName)); XMEMCPY(myCert.serial, mySerial, sizeof(mySerial)); myCert.serialSz = (int)sizeof(mySerial); myCert.isCA = 1; + #ifndef NO_SHA256 myCert.sigType = CTC_SHA256wRSA; + #else + myCert.sigType = CTC_SHAwRSA; + #endif + #ifdef WOLFSSL_CERT_EXT /* add Policies */ @@ -8286,49 +8345,170 @@ int rsa_test(void) FreeDecodedCert(&decode); #endif - #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - derFile = fopen(certDerFile, "wb"); - if (!derFile) { - ERROR_OUT(-5578, exit_rsa); + ret = SaveDerAndPem(der, certSz, pem, FOURK_BUF, certDerFile, + certPemFile, CERT_TYPE, -5578); + if (ret != 0) { + goto exit_rsa; } - ret = (int)fwrite(der, 1, certSz, derFile); - fclose(derFile); - if (ret != certSz) { - ERROR_OUT(-5579, exit_rsa); - } - #endif - - pemSz = wc_DerToPem(der, certSz, pem, FOURK_BUF, CERT_TYPE); - if (pemSz < 0) { - ERROR_OUT(-5580, exit_rsa); - } - - #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - pemFile = fopen(certPemFile, "wb"); - if (!pemFile) { - ERROR_OUT(-5581, exit_rsa); - } - ret = (int)fwrite(pem, 1, pemSz, pemFile); - fclose(pemFile); - if (ret != pemSz) { - ERROR_OUT(-5582, exit_rsa); - } - #endif XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); pem = NULL; XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); der = NULL; } - /* CA style */ + /* Make Cert / Sign example for RSA cert and RSA CA */ + { + Cert myCert; + int certSz; + size_t bytes3; + word32 idx3 = 0; + #if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) + FILE* file3; + #endif + #ifdef WOLFSSL_TEST_CERT + DecodedCert decode; + #endif + + der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + if (der == NULL) { + ERROR_OUT(-5580, exit_rsa); + } + pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,DYNAMIC_TYPE_TMP_BUFFER); + if (pem == NULL) { + ERROR_OUT(-5581, exit_rsa); + } + + /* Get CA Key */ + #ifdef USE_CERT_BUFFERS_1024 + XMEMCPY(tmp, ca_key_der_1024, sizeof_ca_key_der_1024); + bytes3 = sizeof_ca_key_der_1024; + #elif defined(USE_CERT_BUFFERS_2048) + XMEMCPY(tmp, ca_key_der_2048, sizeof_ca_key_der_2048); + bytes3 = sizeof_ca_key_der_2048; + #else + file3 = fopen(rsaCaKeyFile, "rb"); + if (!file3) { + ERROR_OUT(-5582, exit_rsa); + } + + bytes3 = fread(tmp, 1, FOURK_BUF, file3); + fclose(file3); + #endif /* USE_CERT_BUFFERS */ + + ret = wc_InitRsaKey(&caKey, HEAP_HINT); + if (ret != 0) { + ERROR_OUT(-5583, exit_rsa); + } + ret = wc_RsaPrivateKeyDecode(tmp, &idx3, &caKey, (word32)bytes3); + if (ret != 0) { + ERROR_OUT(-5584, exit_rsa); + } + + /* Setup Certificate */ + if (wc_InitCert(&myCert)) { + ERROR_OUT(-5585, exit_rsa); + } + + #ifndef NO_SHA256 + myCert.sigType = CTC_SHA256wRSA; + #else + myCert.sigType = CTC_SHAwRSA; + #endif + + XMEMCPY(&myCert.subject, &certDefaultName, sizeof(CertName)); + + #ifdef WOLFSSL_CERT_EXT + /* add Policies */ + XSTRNCPY(myCert.certPolicies[0], "2.16.840.1.101.3.4.1.42", + CTC_MAX_CERTPOL_SZ); + myCert.certPoliciesNb =1; + + /* add SKID from the Public Key */ + if (wc_SetSubjectKeyIdFromPublicKey(&myCert, &key, NULL) != 0) { + ERROR_OUT(-5586, exit_rsa); + } + + /* add AKID from the CA certificate */ + #if defined(USE_CERT_BUFFERS_2048) + ret = wc_SetAuthKeyIdFromCert(&myCert, ca_cert_der_2048, + sizeof_ca_cert_der_2048); + #elif defined(USE_CERT_BUFFERS_1024) + ret = wc_SetAuthKeyIdFromCert(&myCert, ca_cert_der_1024, + sizeof_ca_cert_der_1024); + #else + ret = wc_SetAuthKeyId(&myCert, rsaCaCertFile); + #endif + if (ret != 0) { + ERROR_OUT(-5587, exit_rsa); + } + + /* add Key Usage */ + if (wc_SetKeyUsage(&myCert,"keyEncipherment,keyAgreement") != 0) { + ERROR_OUT(-5588, exit_rsa); + } + #endif /* WOLFSSL_CERT_EXT */ + + #if defined(USE_CERT_BUFFERS_2048) + ret = wc_SetIssuerBuffer(&myCert, ca_cert_der_2048, + sizeof_ca_cert_der_2048); + #elif defined(USE_CERT_BUFFERS_1024) + ret = wc_SetIssuerBuffer(&myCert, ca_cert_der_1024, + sizeof_ca_cert_der_1024); + #else + ret = wc_SetIssuer(&myCert, rsaCaCertFile); + #endif + if (ret < 0) { + ERROR_OUT(-5589, exit_rsa); + } + + certSz = wc_MakeCert(&myCert, der, FOURK_BUF, &key, NULL, &rng); + if (certSz < 0) { + ERROR_OUT(-5590, exit_rsa); + } + + ret = 0; + do { + #if defined(WOLFSSL_ASYNC_CRYPT) + ret = wc_AsyncWait(ret, &caKey.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); + #endif + if (ret >= 0) { + ret = wc_SignCert(myCert.bodySz, myCert.sigType, der, FOURK_BUF, + &caKey, NULL, &rng); + } + } while (ret == WC_PENDING_E); + if (ret < 0) { + ERROR_OUT(-5591, exit_rsa); + } + certSz = ret; + + #ifdef WOLFSSL_TEST_CERT + InitDecodedCert(&decode, der, certSz, HEAP_HINT); + ret = ParseCert(&decode, CERT_TYPE, NO_VERIFY, 0); + if (ret != 0) { + FreeDecodedCert(&decode); + ERROR_OUT(-5592, exit_rsa); + } + FreeDecodedCert(&decode); + #endif + + ret = SaveDerAndPem(der, certSz, pem, FOURK_BUF, otherCertDerFile, + otherCertPemFile, CERT_TYPE, -5593); + if (ret != 0) { + goto exit_rsa; + } + + wc_FreeRsaKey(&caKey); + + XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + pem = NULL; + XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + der = NULL; + } +#if !defined(NO_RSA) && defined(HAVE_ECC) + /* Make Cert / Sign example for ECC cert and RSA CA */ { Cert myCert; - #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - FILE* derFile; - FILE* pemFile; - #endif int certSz; - int pemSz; size_t bytes3; word32 idx3 = 0; #if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) @@ -8347,6 +8527,7 @@ int rsa_test(void) ERROR_OUT(-5601, exit_rsa); } + /* Get CA Key */ #ifdef USE_CERT_BUFFERS_1024 XMEMCPY(tmp, ca_key_der_1024, sizeof_ca_key_der_1024); bytes3 = sizeof_ca_key_der_1024; @@ -8372,194 +8553,43 @@ int rsa_test(void) ERROR_OUT(-5604, exit_rsa); } - if (wc_InitCert(&myCert)) { - ERROR_OUT(-5617, exit_rsa); - } - - #ifdef NO_SHA - myCert.sigType = CTC_SHA256wRSA; - #endif - - XSTRNCPY(myCert.subject.country, "US", CTC_NAME_SIZE); - XSTRNCPY(myCert.subject.state, "OR", CTC_NAME_SIZE); - XSTRNCPY(myCert.subject.locality, "Portland", CTC_NAME_SIZE); - XSTRNCPY(myCert.subject.org, "yaSSL", CTC_NAME_SIZE); - XSTRNCPY(myCert.subject.unit, "Development", CTC_NAME_SIZE); - XSTRNCPY(myCert.subject.commonName, "www.yassl.com", CTC_NAME_SIZE); - XSTRNCPY(myCert.subject.email, "info@yassl.com", CTC_NAME_SIZE); - - #ifdef WOLFSSL_CERT_EXT - /* add Policies */ - XSTRNCPY(myCert.certPolicies[0], "2.16.840.1.101.3.4.1.42", - CTC_MAX_CERTPOL_SZ); - myCert.certPoliciesNb =1; - - /* add SKID from the Public Key */ - if (wc_SetSubjectKeyIdFromPublicKey(&myCert, &key, NULL) != 0) { - ERROR_OUT(-5605, exit_rsa); - } - - /* add AKID from the CA certificate */ - #if defined(USE_CERT_BUFFERS_2048) - ret = wc_SetAuthKeyIdFromCert(&myCert, ca_cert_der_2048, - sizeof_ca_cert_der_2048); - #elif defined(USE_CERT_BUFFERS_1024) - ret = wc_SetAuthKeyIdFromCert(&myCert, ca_cert_der_1024, - sizeof_ca_cert_der_1024); - #else - ret = wc_SetAuthKeyId(&myCert, rsaCaCertFile); - #endif - if (ret != 0) { - ERROR_OUT(-5606, exit_rsa); - } - - /* add Key Usage */ - if (wc_SetKeyUsage(&myCert,"keyEncipherment,keyAgreement") != 0) { - ERROR_OUT(-5607, exit_rsa); - } - #endif /* WOLFSSL_CERT_EXT */ - - #if defined(USE_CERT_BUFFERS_2048) - ret = wc_SetIssuerBuffer(&myCert, ca_cert_der_2048, - sizeof_ca_cert_der_2048); - #elif defined(USE_CERT_BUFFERS_1024) - ret = wc_SetIssuerBuffer(&myCert, ca_cert_der_1024, - sizeof_ca_cert_der_1024); - #else - ret = wc_SetIssuer(&myCert, rsaCaCertFile); - #endif - if (ret < 0) { - ERROR_OUT(-5608, exit_rsa); - } - - certSz = wc_MakeCert(&myCert, der, FOURK_BUF, &key, NULL, &rng); - if (certSz < 0) { - ERROR_OUT(-5609, exit_rsa); - } - - ret = 0; - do { - #if defined(WOLFSSL_ASYNC_CRYPT) - ret = wc_AsyncWait(ret, &caKey.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); - #endif - if (ret >= 0) { - ret = wc_SignCert(myCert.bodySz, myCert.sigType, der, FOURK_BUF, - &caKey, NULL, &rng); - } - } while (ret == WC_PENDING_E); - if (ret < 0) { - ERROR_OUT(-5610, exit_rsa); - } - certSz = ret; - - #ifdef WOLFSSL_TEST_CERT - InitDecodedCert(&decode, der, certSz, HEAP_HINT); - ret = ParseCert(&decode, CERT_TYPE, NO_VERIFY, 0); - if (ret != 0) { - FreeDecodedCert(&decode); - ERROR_OUT(-5611, exit_rsa); - } - FreeDecodedCert(&decode); - #endif - - #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - derFile = fopen(otherCertDerFile, "wb"); - if (!derFile) { - ERROR_OUT(-5612, exit_rsa); - } - ret = (int)fwrite(der, 1, certSz, derFile); - fclose(derFile); - if (ret != certSz) { - ERROR_OUT(-5613, exit_rsa); - } - #endif - - pemSz = wc_DerToPem(der, certSz, pem, FOURK_BUF, CERT_TYPE); - if (pemSz < 0) { - ERROR_OUT(-5614, exit_rsa); - } - - #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - pemFile = fopen(otherCertPemFile, "wb"); - if (!pemFile) { - ERROR_OUT(-5615, exit_rsa); - } - ret = (int)fwrite(pem, 1, pemSz, pemFile); - if (ret != pemSz) { - fclose(pemFile); - ERROR_OUT(-5616, exit_rsa); - } - fclose(pemFile); - #endif - - wc_FreeRsaKey(&caKey); - XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - pem = NULL; - XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - der = NULL; - } -#ifdef HAVE_ECC - /* ECC CA style */ - { - Cert myCert; - #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - FILE* derFile; - FILE* pemFile; - #endif - int certSz; - int pemSz; - size_t bytes3; - word32 idx3 = 0; - #ifndef USE_CERT_BUFFERS_256 - FILE* file3; - #endif - #ifdef WOLFSSL_TEST_CERT - DecodedCert decode; - #endif - - der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - if (der == NULL) { - ERROR_OUT(-5620, exit_rsa); - } - pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,DYNAMIC_TYPE_TMP_BUFFER); - if (pem == NULL) { - ERROR_OUT(-5621, exit_rsa); - } - + /* Get Cert Key */ #ifdef USE_CERT_BUFFERS_256 - XMEMCPY(tmp, ecc_key_der_256, sizeof_ecc_key_der_256); - bytes3 = sizeof_ecc_key_der_256; + XMEMCPY(tmp, ecc_key_pub_der_256, sizeof_ecc_key_pub_der_256); + bytes3 = sizeof_ecc_key_pub_der_256; #else - file3 = fopen(eccCaKeyFile, "rb"); + file3 = fopen(eccKeyPubFile, "rb"); if (!file3) { - ERROR_OUT(-5622, exit_rsa); + ERROR_OUT(-5605, exit_rsa); } bytes3 = fread(tmp, 1, FOURK_BUF, file3); fclose(file3); - #endif /* USE_CERT_BUFFERS_256 */ + #endif - ret = wc_ecc_init_ex(&caEccKey, HEAP_HINT, devId); + ret = wc_ecc_init_ex(&caEccKeyPub, HEAP_HINT, devId); if (ret != 0) { - ERROR_OUT(-5623, exit_rsa); - } - ret = wc_EccPrivateKeyDecode(tmp, &idx3, &caEccKey, (word32)bytes3); - if (ret != 0) { - ERROR_OUT(-5624, exit_rsa); + ERROR_OUT(-5606, exit_rsa); } + idx3 = 0; + ret = wc_EccPublicKeyDecode(tmp, &idx3, &caEccKeyPub, (word32)bytes3); + if (ret != 0) { + ERROR_OUT(-5607, exit_rsa); + } + + /* Setup Certificate */ if (wc_InitCert(&myCert)) { - ERROR_OUT(-5640, exit_rsa); + ERROR_OUT(-5608, exit_rsa); } - myCert.sigType = CTC_SHA256wECDSA; - XSTRNCPY(myCert.subject.country, "US", CTC_NAME_SIZE); - XSTRNCPY(myCert.subject.state, "OR", CTC_NAME_SIZE); - XSTRNCPY(myCert.subject.locality, "Portland", CTC_NAME_SIZE); - XSTRNCPY(myCert.subject.org, "wolfSSL", CTC_NAME_SIZE); - XSTRNCPY(myCert.subject.unit, "Development", CTC_NAME_SIZE); - XSTRNCPY(myCert.subject.commonName, "www.wolfssl.com", CTC_NAME_SIZE); - XSTRNCPY(myCert.subject.email, "info@wolfssl.com", CTC_NAME_SIZE); + #ifndef NO_SHA256 + myCert.sigType = CTC_SHA256wRSA; + #else + myCert.sigType = CTC_SHAwRSA; + #endif + + XMEMCPY(&myCert.subject, &certDefaultName, sizeof(CertName)); #ifdef WOLFSSL_CERT_EXT /* add Policies */ @@ -8569,60 +8599,47 @@ int rsa_test(void) CTC_MAX_CERTPOL_SZ); myCert.certPoliciesNb = 2; - #ifdef USE_CERT_BUFFERS_256 - XMEMCPY(tmp, ecc_key_pub_der_256, sizeof_ecc_key_pub_der_256); - bytes3 = sizeof_ecc_key_pub_der_256; - #else - file3 = fopen(eccCaKeyPubFile, "rb"); - if (!file3) { - ERROR_OUT(-5625, exit_rsa); - } - - bytes3 = fread(tmp, 1, FOURK_BUF, file3); - fclose(file3); - #endif - - ret = wc_ecc_init_ex(&caEccKeyPub, HEAP_HINT, devId); - if (ret != 0) { - ERROR_OUT(-5626, exit_rsa); - } - - idx3 = 0; - ret = wc_EccPublicKeyDecode(tmp, &idx3, &caEccKeyPub, (word32)bytes3); - if (ret != 0) { - ERROR_OUT(-5627, exit_rsa); - } - /* add SKID from the Public Key */ - if (wc_SetSubjectKeyIdFromPublicKey(&myCert, &key, NULL) != 0) { - ERROR_OUT(-5628, exit_rsa); + if (wc_SetSubjectKeyIdFromPublicKey(&myCert, NULL, &caEccKeyPub) != 0) { + ERROR_OUT(-5609, exit_rsa); } - /* add AKID from the Public Key */ - if (wc_SetAuthKeyIdFromPublicKey(&myCert, NULL, &caEccKeyPub) != 0) { - ERROR_OUT(-5629, exit_rsa); + /* add AKID from the CA certificate */ + #if defined(USE_CERT_BUFFERS_2048) + ret = wc_SetAuthKeyIdFromCert(&myCert, ca_cert_der_2048, + sizeof_ca_cert_der_2048); + #elif defined(USE_CERT_BUFFERS_1024) + ret = wc_SetAuthKeyIdFromCert(&myCert, ca_cert_der_1024, + sizeof_ca_cert_der_1024); + #else + ret = wc_SetAuthKeyId(&myCert, rsaCaCertFile); + #endif + if (ret != 0) { + ERROR_OUT(-5610, exit_rsa); } - wc_ecc_free(&caEccKeyPub); /* add Key Usage */ - if (wc_SetKeyUsage(&myCert,"digitalSignature,nonRepudiation") != 0) { - ERROR_OUT(-5630, exit_rsa); + if (wc_SetKeyUsage(&myCert, certKeyUsage) != 0) { + ERROR_OUT(-5611, exit_rsa); } #endif /* WOLFSSL_CERT_EXT */ - #if defined(USE_CERT_BUFFERS_256) - ret = wc_SetIssuerBuffer(&myCert, serv_ecc_der_256, - sizeof_serv_ecc_der_256); + #if defined(USE_CERT_BUFFERS_2048) + ret = wc_SetIssuerBuffer(&myCert, ca_cert_der_2048, + sizeof_ca_cert_der_2048); + #elif defined(USE_CERT_BUFFERS_1024) + ret = wc_SetIssuerBuffer(&myCert, ca_cert_der_1024, + sizeof_ca_cert_der_1024); #else - ret = wc_SetIssuer(&myCert, eccCaCertFile); + ret = wc_SetIssuer(&myCert, rsaCaCertFile); #endif if (ret < 0) { - ERROR_OUT(-5631, exit_rsa); + ERROR_OUT(-5612, exit_rsa); } - certSz = wc_MakeCert(&myCert, der, FOURK_BUF, &key, NULL, &rng); + certSz = wc_MakeCert(&myCert, der, FOURK_BUF, NULL, &caEccKeyPub, &rng); if (certSz < 0) { - ERROR_OUT(-5632, exit_rsa); + ERROR_OUT(-5613, exit_rsa); } ret = 0; @@ -8632,11 +8649,11 @@ int rsa_test(void) #endif if (ret >= 0) { ret = wc_SignCert(myCert.bodySz, myCert.sigType, der, - FOURK_BUF, NULL, &caEccKey, &rng); + FOURK_BUF, &caKey, NULL, &rng); } } while (ret == WC_PENDING_E); if (ret < 0) { - ERROR_OUT(-5633, exit_rsa); + ERROR_OUT(-5614, exit_rsa); } certSz = ret; @@ -8645,73 +8662,39 @@ int rsa_test(void) ret = ParseCert(&decode, CERT_TYPE, NO_VERIFY, 0); if (ret != 0) { FreeDecodedCert(&decode); - ERROR_OUT(-5634, exit_rsa); + ERROR_OUT(-5615, exit_rsa); } FreeDecodedCert(&decode); #endif - #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - derFile = fopen(certEccDerFile, "wb"); - if (!derFile) { - ERROR_OUT(-5635, exit_rsa); - } - ret = (int)fwrite(der, 1, certSz, derFile); - fclose(derFile); - if (ret != certSz) { - ERROR_OUT(-5636, exit_rsa); - } - #endif - - pemSz = wc_DerToPem(der, certSz, pem, FOURK_BUF, CERT_TYPE); - if (pemSz < 0) { - ERROR_OUT(-5637, exit_rsa); + ret = SaveDerAndPem(der, certSz, pem, FOURK_BUF, certEccRsaDerFile, + certEccRsaPemFile, CERT_TYPE, -5616); + if (ret != 0) { + goto exit_rsa; } - #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - pemFile = fopen(certEccPemFile, "wb"); - if (!pemFile) { - ERROR_OUT(-5638, exit_rsa); - } - ret = (int)fwrite(pem, 1, pemSz, pemFile); - if (ret != pemSz) { - fclose(pemFile); - ERROR_OUT(-5639, exit_rsa); - } - fclose(pemFile); - #endif + wc_ecc_free(&caEccKeyPub); + wc_FreeRsaKey(&caKey); - wc_ecc_free(&caEccKey); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); pem = NULL; XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); der = NULL; } -#endif /* HAVE_ECC */ +#endif /* !NO_RSA && HAVE_ECC */ #ifdef HAVE_NTRU { Cert myCert; - FILE* derFile; - FILE* pemFile; #if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) FILE* caFile; #endif FILE* ntruPrivFile; int certSz; - int pemSz; word32 idx3 = 0; #ifdef WOLFSSL_TEST_CERT DecodedCert decode; #endif - der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - if (der == NULL) { - ERROR_OUT(-5650, exit_rsa); - } - pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,DYNAMIC_TYPE_TMP_BUFFER); - if (pem == NULL) { - ERROR_OUT(-5651, exit_rsa); - } - byte public_key[557]; /* sized for EES401EP2 */ word16 public_key_len; /* no. of octets in public key */ byte private_key[607]; /* sized for EES401EP2 */ @@ -8723,26 +8706,26 @@ int rsa_test(void) word32 rc = ntru_crypto_drbg_instantiate(112, pers_str, sizeof(pers_str), GetEntropy, &drbg); if (rc != DRBG_OK) { - ERROR_OUT(-5652, exit_rsa); + ERROR_OUT(-5620, exit_rsa); } rc = ntru_crypto_ntru_encrypt_keygen(drbg, NTRU_EES401EP2, &public_key_len, NULL, &private_key_len, NULL); if (rc != NTRU_OK) { - ERROR_OUT(-5653, exit_rsa); + ERROR_OUT(-5621, exit_rsa); } rc = ntru_crypto_ntru_encrypt_keygen(drbg, NTRU_EES401EP2, &public_key_len, public_key, &private_key_len, private_key); if (rc != NTRU_OK) { - ERROR_OUT(-5654, exit_rsa); + ERROR_OUT(-5622, exit_rsa); } rc = ntru_crypto_drbg_uninstantiate(drbg); if (rc != NTRU_OK) { - ERROR_OUT(-5655, exit_rsa); + ERROR_OUT(-5623, exit_rsa); } #ifdef USE_CERT_BUFFERS_1024 @@ -8754,7 +8737,7 @@ int rsa_test(void) #else caFile = fopen(rsaCaKeyFile, "rb"); if (!caFile) { - ERROR_OUT(-5656, exit_rsa); + ERROR_OUT(-5624, exit_rsa); } bytes = fread(tmp, 1, FOURK_BUF, caFile); @@ -8763,31 +8746,25 @@ int rsa_test(void) ret = wc_InitRsaKey(&caKey, HEAP_HINT); if (ret != 0) { - ERROR_OUT(-5657, exit_rsa); + ERROR_OUT(-5625, exit_rsa); } ret = wc_RsaPrivateKeyDecode(tmp, &idx3, &caKey, (word32)bytes); if (ret != 0) { - ERROR_OUT(-5658, exit_rsa); + ERROR_OUT(-5626, exit_rsa); } if (wc_InitCert(&myCert)) { - ERROR_OUT(-5573, exit_rsa); + ERROR_OUT(-5627, exit_rsa); } - XSTRNCPY(myCert.subject.country, "US", CTC_NAME_SIZE); - XSTRNCPY(myCert.subject.state, "OR", CTC_NAME_SIZE); - XSTRNCPY(myCert.subject.locality, "Portland", CTC_NAME_SIZE); - XSTRNCPY(myCert.subject.org, "yaSSL", CTC_NAME_SIZE); - XSTRNCPY(myCert.subject.unit, "Development", CTC_NAME_SIZE); - XSTRNCPY(myCert.subject.commonName, "www.yassl.com", CTC_NAME_SIZE); - XSTRNCPY(myCert.subject.email, "info@yassl.com", CTC_NAME_SIZE); + XMEMCPY(&myCert.subject, &certDefaultName, sizeof(CertName)); myCert.daysValid = 1000; #ifdef WOLFSSL_CERT_EXT /* add SKID from the Public Key */ if (wc_SetSubjectKeyIdFromNtruPublicKey(&myCert, public_key, public_key_len) != 0) { - ERROR_OUT(-5659, exit_rsa); + ERROR_OUT(-5628, exit_rsa); } /* add AKID from the CA certificate */ @@ -8801,33 +8778,41 @@ int rsa_test(void) ret = wc_SetAuthKeyId(&myCert, rsaCaCertFile); #endif if (ret != 0) { - ERROR_OUT(-5660, exit_rsa); + ERROR_OUT(-5629, exit_rsa); } /* add Key Usage */ - if (wc_SetKeyUsage(&myCert,"digitalSignature,nonRepudiation," - "keyEncipherment,keyAgreement") != 0) { - ERROR_OUT(-5661, exit_rsa); + if (wc_SetKeyUsage(&myCert, certKeyUsage2) != 0) { + ERROR_OUT(-5630, exit_rsa); } #endif /* WOLFSSL_CERT_EXT */ #if defined(USE_CERT_BUFFERS_2048) ret = wc_SetIssuerBuffer(&myCert, ca_cert_der_2048, - sizeof_ca_cert_der_2048); + sizeof_ca_cert_der_2048); #elif defined(USE_CERT_BUFFERS_1024) ret = wc_SetIssuerBuffer(&myCert, ca_cert_der_1024, - sizeof_ca_cert_der_1024); + sizeof_ca_cert_der_1024); #else ret = wc_SetIssuer(&myCert, rsaCaCertFile); #endif if (ret < 0) { - ERROR_OUT(-5662, exit_rsa); + ERROR_OUT(-5631, exit_rsa); + } + + der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + if (der == NULL) { + ERROR_OUT(-5632, exit_rsa); + } + pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,DYNAMIC_TYPE_TMP_BUFFER); + if (pem == NULL) { + ERROR_OUT(-5633, exit_rsa); } certSz = wc_MakeNtruCert(&myCert, der, FOURK_BUF, public_key, public_key_len, &rng); if (certSz < 0) { - ERROR_OUT(-5663, exit_rsa); + ERROR_OUT(-5634, exit_rsa); } ret = 0; @@ -8842,7 +8827,7 @@ int rsa_test(void) } while (ret == WC_PENDING_E); wc_FreeRsaKey(&caKey); if (ret < 0) { - ERROR_OUT(-5664, exit_rsa); + ERROR_OUT(-5635, exit_rsa); } certSz = ret; @@ -8851,47 +8836,26 @@ int rsa_test(void) ret = ParseCert(&decode, CERT_TYPE, NO_VERIFY, 0); if (ret != 0) { FreeDecodedCert(&decode); - ERROR_OUT(-5665, exit_rsa); + ERROR_OUT(-5636, exit_rsa); } FreeDecodedCert(&decode); #endif - #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - derFile = fopen("./ntru-cert.der", "wb"); - if (!derFile) { - ERROR_OUT(-5666, exit_rsa); - } - ret = (int)fwrite(der, 1, certSz, derFile); - fclose(derFile); - if (ret != certSz) { - ERROR_OUT(-5667, exit_rsa); - } - #endif - - pemSz = wc_DerToPem(der, certSz, pem, FOURK_BUF, CERT_TYPE); - if (pemSz < 0) { - ERROR_OUT(-5668, exit_rsa); + ret = SaveDerAndPem(der, certSz, pem, FOURK_BUF, "./ntru-cert.der", + "./ntru-cert.pem", CERT_TYPE, -5637); + if (ret != 0) { + goto exit_rsa; } #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - pemFile = fopen("./ntru-cert.pem", "wb"); - if (!pemFile) { - ERROR_OUT(-5669, exit_rsa); - } - ret = (int)fwrite(pem, 1, pemSz, pemFile); - fclose(pemFile); - if (ret != pemSz) { - ERROR_OUT(-5670, exit_rsa); - } - ntruPrivFile = fopen("./ntru-key.raw", "wb"); if (!ntruPrivFile) { - ERROR_OUT(-5671, exit_rsa); + ERROR_OUT(-5638, exit_rsa); } ret = (int)fwrite(private_key, 1, private_key_len, ntruPrivFile); fclose(ntruPrivFile); if (ret != private_key_len) { - ERROR_OUT(-5672, exit_rsa); + ERROR_OUT(-5639, exit_rsa); } #endif @@ -8905,68 +8869,62 @@ int rsa_test(void) { Cert req; int derSz; - int pemSz; - #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - FILE* reqFile; - #endif der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,DYNAMIC_TYPE_TMP_BUFFER); if (der == NULL) { - ERROR_OUT(-5680, exit_rsa); + ERROR_OUT(-5640, exit_rsa); } pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,DYNAMIC_TYPE_TMP_BUFFER); if (pem == NULL) { - ERROR_OUT(-5681, exit_rsa); + ERROR_OUT(-5641, exit_rsa); } if (wc_InitCert(&req)) { - ERROR_OUT(-5691, exit_rsa); + ERROR_OUT(-5642, exit_rsa); } req.version = 0; req.isCA = 1; - XSTRNCPY(req.challengePw, "yassl123", CTC_NAME_SIZE); - XSTRNCPY(req.subject.country, "US", CTC_NAME_SIZE); - XSTRNCPY(req.subject.state, "OR", CTC_NAME_SIZE); - XSTRNCPY(req.subject.locality, "Portland", CTC_NAME_SIZE); - XSTRNCPY(req.subject.org, "yaSSL", CTC_NAME_SIZE); - XSTRNCPY(req.subject.unit, "Development", CTC_NAME_SIZE); - XSTRNCPY(req.subject.commonName, "www.yassl.com", CTC_NAME_SIZE); - XSTRNCPY(req.subject.email, "info@yassl.com", CTC_NAME_SIZE); + XSTRNCPY(req.challengePw, "wolf123", CTC_NAME_SIZE); + XMEMCPY(&req.subject, &certDefaultName, sizeof(CertName)); + + #ifndef NO_SHA256 req.sigType = CTC_SHA256wRSA; + #else + req.sigType = CTC_SHAwRSA; + #endif #ifdef WOLFSSL_CERT_EXT /* add SKID from the Public Key */ if (wc_SetSubjectKeyIdFromPublicKey(&req, &keypub, NULL) != 0) { - ERROR_OUT(-5682, exit_rsa); + ERROR_OUT(-5643, exit_rsa); } /* add Key Usage */ - if (wc_SetKeyUsage(&req,"digitalSignature,nonRepudiation," - "keyEncipherment,keyAgreement") != 0) { - ERROR_OUT(-5683, exit_rsa); + if (wc_SetKeyUsage(&req, certKeyUsage2) != 0) { + ERROR_OUT(-5644, exit_rsa); } /* add Extended Key Usage */ if (wc_SetExtKeyUsage(&req, "serverAuth,clientAuth,codeSigning," "emailProtection,timeStamping,OCSPSigning") != 0) { - ERROR_OUT(-5684, exit_rsa); + ERROR_OUT(-5645, exit_rsa); } #endif /* WOLFSSL_CERT_EXT */ derSz = wc_MakeCertReq(&req, der, FOURK_BUF, &key, NULL); if (derSz < 0) { - ERROR_OUT(-5685, exit_rsa); + ERROR_OUT(-5646, exit_rsa); } #ifdef WOLFSSL_CERT_EXT /* Try again with "any" flag set, will override all others */ if (wc_SetExtKeyUsage(&req, "any") != 0) { - ERROR_OUT(-5686, exit_rsa); + ERROR_OUT(-5647, exit_rsa); } derSz = wc_MakeCertReq(&req, der, FOURK_BUF, &key, NULL); if (derSz < 0) { - ERROR_OUT(-5687, exit_rsa); + ERROR_OUT(-5648, exit_rsa); } #endif /* WOLFSSL_CERT_EXT */ @@ -8981,38 +8939,16 @@ int rsa_test(void) } } while (ret == WC_PENDING_E); if (ret < 0) { - ERROR_OUT(-5688, exit_rsa); + ERROR_OUT(-5649, exit_rsa); } derSz = ret; - pemSz = wc_DerToPem(der, derSz, pem, FOURK_BUF, CERTREQ_TYPE); - if (pemSz < 0) { - ERROR_OUT(-5689, exit_rsa); + ret = SaveDerAndPem(der, derSz, pem, FOURK_BUF, certReqDerFile, + certReqPemFile, CERTREQ_TYPE, -5650); + if (ret != 0) { + goto exit_rsa; } - #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - reqFile = fopen(certReqDerFile, "wb"); - if (!reqFile) { - ERROR_OUT(-5690, exit_rsa); - } - - ret = (int)fwrite(der, 1, derSz, reqFile); - fclose(reqFile); - if (ret != derSz) { - ERROR_OUT(-5691, exit_rsa); - } - - reqFile = fopen(certReqPemFile, "wb"); - if (!reqFile) { - ERROR_OUT(-5692, exit_rsa); - } - ret = (int)fwrite(pem, 1, pemSz, reqFile); - fclose(reqFile); - if (ret != pemSz) { - ERROR_OUT(-5693, exit_rsa); - } - #endif - XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); pem = NULL; XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); @@ -9319,13 +9255,8 @@ int dsa_test(void) byte* der; byte* pem; int derSz = 0; - int pemSz = 0; DsaKey derIn; DsaKey genKey; -#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - FILE* keyFile; - FILE* pemFile; -#endif ret = wc_InitDsaKey(&genKey); if (ret != 0) return -5808; @@ -9361,49 +9292,14 @@ int dsa_test(void) return -5813; } -#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - keyFile = fopen(keyDerFile, "wb"); - if (!keyFile) { + ret = SaveDerAndPem(der, derSz, pem, FOURK_BUF, keyDerFile, + keyPemFile, DSA_PRIVATEKEY_TYPE, -5814); + if (ret != 0) { XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_FreeDsaKey(&genKey); - return -5814; + return ret; } - ret = (int)fwrite(der, 1, derSz, keyFile); - fclose(keyFile); - if (ret != derSz) { - XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeDsaKey(&genKey); - return -5815; - } -#endif - - pemSz = wc_DerToPem(der, derSz, pem, FOURK_BUF, DSA_PRIVATEKEY_TYPE); - if (pemSz < 0) { - XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeDsaKey(&genKey); - return -5816; - } - -#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - pemFile = fopen(keyPemFile, "wb"); - if (!pemFile) { - XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeDsaKey(&genKey); - return -5817; - } - ret = (int)fwrite(pem, 1, pemSz, pemFile); - fclose(pemFile); - if (ret != pemSz) { - XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeDsaKey(&genKey); - return -5818; - } -#endif ret = wc_InitDsaKey(&derIn); if (ret != 0) { @@ -11079,22 +10975,37 @@ done: static int ecc_test_make_pub(WC_RNG* rng) { ecc_key key; - unsigned char exportBuf[FOURK_BUF]; - unsigned char tmp[FOURK_BUF]; + unsigned char* exportBuf; + unsigned char* tmp; unsigned char msg[] = "test wolfSSL ECC public gen"; word32 x, tmpSz; int ret = 0; ecc_point* pubPoint = NULL; +#if defined(HAVE_ECC_DHE) && defined(HAVE_ECC_KEY_EXPORT) + ecc_key pub; +#endif +#ifdef HAVE_ECC_VERIFY + int verify = 0; +#endif + + tmp = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + if (tmp == NULL) { + return -6810; + } + exportBuf = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + if (exportBuf == NULL) { + XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + return -6811; + } #ifdef USE_CERT_BUFFERS_256 XMEMCPY(tmp, ecc_key_der_256, (size_t)sizeof_ecc_key_der_256); tmpSz = (size_t)sizeof_ecc_key_der_256; #else FILE* file; - file = fopen(eccCaKeyFile, "rb"); + file = fopen(eccKeyDerFile, "rb"); if (!file) { - ret = -6000; - goto exit_ecc_make_pub; + ERROR_OUT(-6812, done); } tmpSz = (word32)fread(tmp, 1, FOURK_BUF, file); @@ -11106,141 +11017,140 @@ static int ecc_test_make_pub(WC_RNG* rng) /* import private only then test with */ ret = wc_ecc_import_private_key(tmp, tmpSz, NULL, 0, NULL); if (ret == 0) { - ret = -6001; - goto exit_ecc_make_pub; + ERROR_OUT(-6813, done); } ret = wc_ecc_import_private_key(NULL, tmpSz, NULL, 0, &key); if (ret == 0) { - ret = -6002; - goto exit_ecc_make_pub; + ERROR_OUT(-6814, done); } x = 0; ret = wc_EccPrivateKeyDecode(tmp, &x, &key, tmpSz); - if (ret != 0) - goto exit_ecc_make_pub; + if (ret != 0) { + ERROR_OUT(-6815, done); + } #ifdef HAVE_ECC_KEY_EXPORT - x = sizeof(exportBuf); + x = FOURK_BUF; ret = wc_ecc_export_private_only(&key, exportBuf, &x); - if (ret != 0) - goto exit_ecc_make_pub; + if (ret != 0) { + ERROR_OUT(-6816, done); + } /* make private only key */ wc_ecc_free(&key); wc_ecc_init(&key); ret = wc_ecc_import_private_key(exportBuf, x, NULL, 0, &key); - if (ret != 0) - goto exit_ecc_make_pub; + if (ret != 0) { + ERROR_OUT(-6817, done); + } - x = sizeof(exportBuf); + x = FOURK_BUF; ret = wc_ecc_export_x963_ex(&key, exportBuf, &x, 0); if (ret == 0) { - ret = -6003; - goto exit_ecc_make_pub; + ERROR_OUT(-6818, done); } #endif /* HAVE_ECC_KEY_EXPORT */ ret = wc_ecc_make_pub(NULL, NULL); if (ret == 0) { - ret = -6004; - goto exit_ecc_make_pub; + ERROR_OUT(-6819, done); } pubPoint = wc_ecc_new_point_h(HEAP_HINT); if (pubPoint == NULL) { - ret = -6005; - goto exit_ecc_make_pub; + ERROR_OUT(-6820, done); } ret = wc_ecc_make_pub(&key, pubPoint); - if (ret != 0) - goto exit_ecc_make_pub; + if (ret != 0) { + ERROR_OUT(-6821, done); + } #ifdef HAVE_ECC_KEY_EXPORT /* export should still fail, is private only key */ - x = sizeof(exportBuf); + x = FOURK_BUF; ret = wc_ecc_export_x963_ex(&key, exportBuf, &x, 0); if (ret == 0) { - ret = -6006; - goto exit_ecc_make_pub; + ERROR_OUT(-6822, done); } #endif /* HAVE_ECC_KEY_EXPORT */ #ifdef HAVE_ECC_SIGN - tmpSz = sizeof(tmp); + tmpSz = FOURK_BUF; ret = wc_ecc_sign_hash(msg, sizeof(msg), tmp, &tmpSz, rng, &key); - if (ret != 0) - goto exit_ecc_make_pub; + if (ret != 0) { + ERROR_OUT(-6823, done); + } #ifdef HAVE_ECC_VERIFY - { - int res = 0; - /* try verify with private only key */ - ret = wc_ecc_verify_hash(tmp, tmpSz, msg, sizeof(msg), &res, &key); - if (ret != 0) - goto exit_ecc_make_pub; - - if (res != 1) { - ret = -6007; - goto exit_ecc_make_pub; - } - #ifdef HAVE_ECC_KEY_EXPORT - /* exporting the public part should now work */ - x = sizeof(exportBuf); - ret = wc_ecc_export_x963_ex(&key, exportBuf, &x, 0); - if (ret != 0) - goto exit_ecc_make_pub; - #endif /* HAVE_ECC_KEY_EXPORT */ + /* try verify with private only key */ + ret = wc_ecc_verify_hash(tmp, tmpSz, msg, sizeof(msg), &verify, &key); + if (ret != 0) { + ERROR_OUT(-6824, done); } + + if (verify != 1) { + ERROR_OUT(-6825, done); + } +#ifdef HAVE_ECC_KEY_EXPORT + /* exporting the public part should now work */ + x = FOURK_BUF; + ret = wc_ecc_export_x963_ex(&key, exportBuf, &x, 0); + if (ret != 0) { + ERROR_OUT(-6826, done); + } +#endif /* HAVE_ECC_KEY_EXPORT */ #endif /* HAVE_ECC_VERIFY */ #endif /* HAVE_ECC_SIGN */ #if defined(HAVE_ECC_DHE) && defined(HAVE_ECC_KEY_EXPORT) /* now test private only key with creating a shared secret */ - { - ecc_key pub; - - x = sizeof(exportBuf); - ret = wc_ecc_export_private_only(&key, exportBuf, &x); - if (ret != 0) - goto exit_ecc_make_pub; - - /* make private only key */ - wc_ecc_free(&key); - wc_ecc_init(&key); - ret = wc_ecc_import_private_key(exportBuf, x, NULL, 0, &key); - if (ret != 0) - goto exit_ecc_make_pub; - - /* check that public export fails with private only key */ - x = sizeof(exportBuf); - ret = wc_ecc_export_x963_ex(&key, exportBuf, &x, 0); - if (ret == 0) { - ret = -6008; - goto exit_ecc_make_pub; - } - - /* make public key for shared secret */ - wc_ecc_init(&pub); - ret = wc_ecc_make_key(rng, 32, &pub); - if (ret != 0) - goto exit_ecc_make_pub; - - x = sizeof(exportBuf); - ret = wc_ecc_shared_secret(&key, &pub, exportBuf, &x); - if (ret != 0) { - wc_ecc_free(&pub); - goto exit_ecc_make_pub; - } - - wc_ecc_free(&pub); + x = FOURK_BUF; + ret = wc_ecc_export_private_only(&key, exportBuf, &x); + if (ret != 0) { + ERROR_OUT(-6827, done); } -#endif /* defined(HAVE_ECC_DHE) && defined(HAVE_ECC_KEY_EXPORT) */ -exit_ecc_make_pub: + + /* make private only key */ + wc_ecc_free(&key); + wc_ecc_init(&key); + ret = wc_ecc_import_private_key(exportBuf, x, NULL, 0, &key); + if (ret != 0) { + ERROR_OUT(-6828, done); + } + + /* check that public export fails with private only key */ + x = FOURK_BUF; + ret = wc_ecc_export_x963_ex(&key, exportBuf, &x, 0); + if (ret == 0) { + ERROR_OUT(-6829, done); + } + + /* make public key for shared secret */ + wc_ecc_init(&pub); + ret = wc_ecc_make_key(rng, 32, &pub); + if (ret != 0) { + ERROR_OUT(-6830, done); + } + + x = FOURK_BUF; + ret = wc_ecc_shared_secret(&key, &pub, exportBuf, &x); + wc_ecc_free(&pub); + if (ret != 0) { + ERROR_OUT(-6831, done); + } +#endif /* HAVE_ECC_DHE && HAVE_ECC_KEY_EXPORT */ + + ret = 0; + +done: + + XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(exportBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_ecc_del_point_h(pubPoint, HEAP_HINT); wc_ecc_free(&key); @@ -11254,16 +11164,21 @@ exit_ecc_make_pub: static int ecc_test_key_gen(WC_RNG* rng, int keySize) { int ret = 0; - int derSz, pemSz; - byte der[FOURK_BUF]; - byte pem[FOURK_BUF]; -#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - FILE* keyFile; - FILE* pemFile; -#endif - + int derSz; + byte* der; + byte* pem; ecc_key userA; + der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + if (der == NULL) { + return -6840; + } + pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + if (pem == NULL) { + XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + return -6840; + } + ret = wc_ecc_init_ex(&userA, HEAP_HINT, devId); if (ret != 0) goto done; @@ -11284,34 +11199,11 @@ static int ecc_test_key_gen(WC_RNG* rng, int keySize) ERROR_OUT(derSz, done); } -#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - keyFile = fopen(eccCaKeyTempFile, "wb"); - if (!keyFile) { - ERROR_OUT(-6510, done); + ret = SaveDerAndPem(der, derSz, pem, FOURK_BUF, eccCaKeyTempFile, + eccCaKeyPemFile, ECC_PRIVATEKEY_TYPE, -6510); + if (ret != 0) { + goto done; } - ret = (int)fwrite(der, 1, derSz, keyFile); - fclose(keyFile); - if (ret != derSz) { - ERROR_OUT(-6511, done); - } -#endif - - pemSz = wc_DerToPem(der, derSz, pem, FOURK_BUF, ECC_PRIVATEKEY_TYPE); - if (pemSz < 0) { - ERROR_OUT(pemSz, done); - } - -#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - pemFile = fopen(eccCaKeyPemFile, "wb"); - if (!pemFile) { - ERROR_OUT(-6512, done); - } - ret = (int)fwrite(pem, 1, pemSz, pemFile); - fclose(pemFile); - if (ret != pemSz) { - ERROR_OUT(-6513, done); - } -#endif /* test export of public key */ derSz = wc_EccPublicKeyToDer(&userA, der, FOURK_BUF, 1); @@ -11322,21 +11214,16 @@ static int ecc_test_key_gen(WC_RNG* rng, int keySize) ERROR_OUT(-6514, done); } -#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - keyFile = fopen(eccPubKeyDerFile, "wb"); - if (!keyFile) { - ERROR_OUT(-6515, done); + ret = SaveDerAndPem(der, derSz, NULL, 0, eccPubKeyDerFile, + NULL, 0, -6515); + if (ret != 0) { + goto done; } - ret = (int)fwrite(der, 1, derSz, keyFile); - fclose(keyFile); - if (ret != derSz) { - ERROR_OUT(-6516, done); - } -#endif - - ret = 0; done: + + XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_ecc_free(&userA); return ret; @@ -12299,6 +12186,196 @@ static int ecc_test_custom_curves(WC_RNG* rng) } #endif /* WOLFSSL_CUSTOM_CURVES */ +#ifdef WOLFSSL_CERT_GEN + +/* Make Cert / Sign example for ECC cert and ECC CA */ +static int ecc_test_cert_gen(WC_RNG* rng) +{ + int ret; + Cert myCert; + int certSz; + size_t bytes; + word32 idx = 0; +#ifndef USE_CERT_BUFFERS_256 + FILE* file; +#endif +#ifdef WOLFSSL_TEST_CERT + DecodedCert decode; +#endif + byte* der = NULL; + byte* pem = NULL; + ecc_key caEccKey; + ecc_key certPubKey; + + XMEMSET(&caEccKey, 0, sizeof(caEccKey)); + XMEMSET(&certPubKey, 0, sizeof(certPubKey)); + + der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + if (der == NULL) { + ERROR_OUT(-6720, exit); + } + pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + if (pem == NULL) { + ERROR_OUT(-6721, exit); + } + + /* Get cert private key */ +#ifdef ENABLE_ECC384_CERT_GEN_TEST + /* Get Cert Key 384 */ +#ifdef USE_CERT_BUFFERS_256 + XMEMCPY(der, ca_ecc_key_der_384, sizeof_ca_ecc_key_der_384); + bytes = sizeof_ca_ecc_key_der_384; +#else + file = fopen(eccCaKey384File, "rb"); + if (!file) { + ERROR_OUT(-6722, exit); + } + + bytes = fread(der, 1, FOURK_BUF, file); + fclose(file); + (void)eccCaKeyFile; +#endif /* USE_CERT_BUFFERS_256 */ +#else +#ifdef USE_CERT_BUFFERS_256 + XMEMCPY(der, ca_ecc_key_der_256, sizeof_ca_ecc_key_der_256); + bytes = sizeof_ca_ecc_key_der_256; +#else + file = fopen(eccCaKeyFile, "rb"); + if (!file) { + ERROR_OUT(-6722, exit); + } + bytes = fread(der, 1, FOURK_BUF, file); + fclose(file); + (void)eccCaKey384File; +#endif /* USE_CERT_BUFFERS_256 */ +#endif /* ENABLE_ECC384_CERT_GEN_TEST */ + + /* Get CA Key */ + ret = wc_ecc_init_ex(&caEccKey, HEAP_HINT, devId); + if (ret != 0) { + ERROR_OUT(-6723, exit); + } + ret = wc_EccPrivateKeyDecode(der, &idx, &caEccKey, (word32)bytes); + if (ret != 0) { + ERROR_OUT(-6724, exit); + } + + /* Make a public key */ + ret = wc_ecc_init_ex(&certPubKey, HEAP_HINT, devId); + if (ret != 0) { + ERROR_OUT(-6725, exit); + } + + ret = wc_ecc_make_key(rng, 32, &certPubKey); + if (ret != 0) { + ERROR_OUT(-6726, exit); + } + + /* Setup Certificate */ + if (wc_InitCert(&myCert)) { + ERROR_OUT(-6727, exit); + } + +#ifndef NO_SHA256 + myCert.sigType = CTC_SHA256wECDSA; +#else + myCert.sigType = CTC_SHAwECDSA; +#endif + XMEMCPY(&myCert.subject, &certDefaultName, sizeof(CertName)); + +#ifdef WOLFSSL_CERT_EXT + /* add Policies */ + XSTRNCPY(myCert.certPolicies[0], "2.4.589440.587.101.2.1.9632587.1", + CTC_MAX_CERTPOL_SZ); + XSTRNCPY(myCert.certPolicies[1], "1.2.13025.489.1.113549", + CTC_MAX_CERTPOL_SZ); + myCert.certPoliciesNb = 2; + + /* add SKID from the Public Key */ + if (wc_SetSubjectKeyIdFromPublicKey(&myCert, NULL, &certPubKey) != 0) { + ERROR_OUT(-6728, exit); + } + + /* add AKID from the Public Key */ + if (wc_SetAuthKeyIdFromPublicKey(&myCert, NULL, &caEccKey) != 0) { + ERROR_OUT(-6729, exit); + } + + /* add Key Usage */ + if (wc_SetKeyUsage(&myCert, certKeyUsage) != 0) { + ERROR_OUT(-6730, exit); + } +#endif /* WOLFSSL_CERT_EXT */ + +#ifdef ENABLE_ECC384_CERT_GEN_TEST + #if defined(USE_CERT_BUFFERS_256) + ret = wc_SetIssuerBuffer(&myCert, ca_ecc_cert_der_384, + sizeof_ca_ecc_cert_der_384); +#else + ret = wc_SetIssuer(&myCert, eccCaCert384File); + (void)eccCaCertFile; +#endif +#else +#if defined(USE_CERT_BUFFERS_256) + ret = wc_SetIssuerBuffer(&myCert, ca_ecc_cert_der_256, + sizeof_ca_ecc_cert_der_256); +#else + ret = wc_SetIssuer(&myCert, eccCaCertFile); + (void)eccCaCert384File; +#endif +#endif /* ENABLE_ECC384_CERT_GEN_TEST */ + if (ret < 0) { + ERROR_OUT(-6731, exit); + } + + certSz = wc_MakeCert(&myCert, der, FOURK_BUF, NULL, &certPubKey, rng); + if (certSz < 0) { + ERROR_OUT(-6732, exit); + } + + ret = 0; + do { + #if defined(WOLFSSL_ASYNC_CRYPT) + ret = wc_AsyncWait(ret, &caEccKey.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); + #endif + if (ret >= 0) { + ret = wc_SignCert(myCert.bodySz, myCert.sigType, der, + FOURK_BUF, NULL, &caEccKey, rng); + } + } while (ret == WC_PENDING_E); + if (ret < 0) { + ERROR_OUT(-6733, exit); + } + certSz = ret; + +#ifdef WOLFSSL_TEST_CERT + InitDecodedCert(&decode, der, certSz, 0); + ret = ParseCert(&decode, CERT_TYPE, NO_VERIFY, 0); + if (ret != 0) { + FreeDecodedCert(&decode); + ERROR_OUT(-6734, exit); + + } + FreeDecodedCert(&decode); +#endif + + ret = SaveDerAndPem(der, certSz, pem, FOURK_BUF, certEccDerFile, + certEccPemFile, CERT_TYPE, -6735); + if (ret != 0) { + goto exit; + } + +exit: + wc_ecc_free(&certPubKey); + wc_ecc_free(&caEccKey); + + XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + + return ret; +} +#endif /* WOLFSSL_CERT_GEN */ + int ecc_test(void) { int ret; @@ -12407,15 +12484,24 @@ int ecc_test(void) ret = ecc_test_cdh_vectors(); if (ret != 0) { printf("ecc_test_cdh_vectors failed! %d\n", ret); + goto done; } #endif ret = ecc_test_make_pub(&rng); - if (ret < 0) { + if (ret != 0) { printf("ecc_test_make_pub failed!: %d\n", ret); - return ret; + goto done; } +#ifdef WOLFSSL_CERT_GEN + ret = ecc_test_cert_gen(&rng); + if (ret != 0) { + printf("ecc_test_cert_gen failed!: %d\n", ret); + goto done; + } +#endif + done: wc_FreeRng(&rng); @@ -12885,8 +12971,7 @@ static int ed25519_test_cert(void) tmp = XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); if (tmp == NULL) { - ret = -7200; - goto done; + ERROR_OUT(-7200, done); } #ifdef USE_CERT_BUFFERS_256 @@ -12895,23 +12980,20 @@ static int ed25519_test_cert(void) #elif !defined(NO_FILESYSTEM) file = fopen(caEd25519Cert, "rb"); if (file == NULL) { - ret = -7201; - goto done; + ERROR_OUT(-7201, done); } bytes = fread(tmp, 1, FOURK_BUF, file); fclose(file); #else /* No certificate to use. */ - ret = -7202; - goto done; + ERROR_OUT(-7202, done); #endif InitDecodedCert(&cert[0], tmp, (word32)bytes, 0); caCert = &cert[0]; ret = ParseCert(caCert, CERT_TYPE, NO_VERIFY, NULL); if (ret != 0) { - ret = -7203; - goto done; + ERROR_OUT(-7203, done); } #ifdef USE_CERT_BUFFERS_256 @@ -12920,45 +13002,39 @@ static int ed25519_test_cert(void) #elif !defined(NO_FILESYSTEM) file = fopen(serverEd25519Cert, "rb"); if (file == NULL) { - ret = -7204; - goto done; + ERROR_OUT(-7204, done); } bytes = fread(tmp, 1, FOURK_BUF, file); fclose(file); #else /* No certificate to use. */ - ret = -7205; - goto done; + ERROR_OUT(-7205, done); #endif InitDecodedCert(&cert[1], tmp, (word32)bytes, 0); serverCert = &cert[1]; ret = ParseCert(serverCert, CERT_TYPE, NO_VERIFY, NULL); if (ret != 0) { - ret = -7206; - goto done; + ERROR_OUT(-7206, done); } #ifdef HAVE_ED25519_VERIFY ret = wc_ed25519_init(&key); if (ret < 0) { - ret = -7207; - goto done; + ERROR_OUT(-7207, done); } pubKey = &key; ret = wc_ed25519_import_public(caCert->publicKey, caCert->pubKeySize, pubKey); if (ret < 0) { - ret = -7208; - goto done; + ERROR_OUT(-7208, done); } if (wc_ed25519_verify_msg(serverCert->signature, serverCert->sigLength, serverCert->source + serverCert->certBegin, serverCert->sigIndex - serverCert->certBegin, &verify, pubKey) < 0 || verify != 1) { - ret = -7209; - goto done; + ERROR_OUT(-7209, done); } #endif /* HAVE_ED25519_VERIFY */ @@ -12976,21 +13052,6 @@ done: return ret; } -#ifdef WOLFSSL_CERT_GEN -static const CertName defaultName = { - "US", CTC_PRINTABLE, - "Montana", CTC_UTF8, - "Bozeman", CTC_UTF8, - "Test", CTC_UTF8, - "wolfSSL", CTC_UTF8, - "ED25519", CTC_UTF8, - "www.wolfssl.com", CTC_UTF8, - "info@wolfssl.com" -}; -#ifdef WOLFSSL_CERT_EXT -static const char leafKeyUsage[] = "digitalSignature,nonRepudiation"; -#endif - static int ed25519_test_make_cert(void) { WC_RNG rng; @@ -13017,51 +13078,44 @@ static int ed25519_test_make_cert(void) cert.daysValid = 365 * 2; cert.selfSigned = 1; - XMEMCPY(&cert.issuer, &defaultName, sizeof(CertName)); - XMEMCPY(&cert.subject, &defaultName, sizeof(CertName)); + XMEMCPY(&cert.issuer, &certDefaultName, sizeof(CertName)); + XMEMCPY(&cert.subject, &certDefaultName, sizeof(CertName)); cert.isCA = 0; #ifdef WOLFSSL_CERT_EXT - ret = wc_SetKeyUsage(&cert, leafKeyUsage); + ret = wc_SetKeyUsage(&cert, certKeyUsage); if (ret < 0) { - ret = -7221; - goto done; + ERROR_OUT(-7221, done); } ret = wc_SetSubjectKeyIdFromPublicKey_ex(&cert, ED25519_TYPE, privKey); if (ret < 0) { - ret = -7222; - goto done; + ERROR_OUT(-7222, done); } ret = wc_SetAuthKeyIdFromPublicKey_ex(&cert, ED25519_TYPE, privKey); if (ret < 0) { - ret = -7223; - goto done; + ERROR_OUT(-7223, done); } #endif tmp = XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); if (tmp == NULL) { - ret = -7224; - goto done; + ERROR_OUT(-7224, done); } cert.sigType = CTC_ED25519; ret = wc_MakeCert_ex(&cert, tmp, FOURK_BUF, ED25519_TYPE, privKey, &rng); if (ret < 0) { - ret = -7225; - goto done; + ERROR_OUT(-7225, done); } ret = wc_SignCert_ex(cert.bodySz, cert.sigType, tmp, FOURK_BUF, ED25519_TYPE, privKey, &rng); if (ret < 0) { - ret = -7226; - goto done; + ERROR_OUT(-7226, done); } InitDecodedCert(&decode, tmp, ret, HEAP_HINT); ret = ParseCert(&decode, CERT_TYPE, NO_VERIFY, 0); FreeDecodedCert(&decode); if (ret != 0) { - ret = -7227; - goto done; + ERROR_OUT(-7227, done); } done: @@ -13071,7 +13125,6 @@ done: wc_FreeRng(&rng); return ret; } -#endif /* WOLFSSL_CERT_GEN */ #endif /* WOLFSSL_TEST_CERT */ int ed25519_test(void) @@ -13802,28 +13855,29 @@ int compress_test(void) c = XMALLOC(cSz * sizeof(byte), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); d = XMALLOC(dSz * sizeof(byte), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + if (c == NULL || d == NULL) { + ERROR_OUT(-7400, exit); + } /* follow calloc and initialize to 0 */ XMEMSET(c, 0, cSz); XMEMSET(d, 0, dSz); - if (c == NULL || d == NULL) - ret = -7400; + if ((ret = wc_Compress(c, cSz, sample_text, dSz, 0)) < 0) { + ERROR_OUT(-7401, exit); + } + cSz = (word32)ret; - if (ret == 0 && (ret = wc_Compress(c, cSz, sample_text, dSz, 0)) < 0) - ret = -7401; - - if (ret > 0) { - cSz = (word32)ret; - ret = 0; + if ((ret = wc_DeCompress(d, dSz, c, cSz)) != (int)dSz) { + ERROR_OUT(-7402, exit); } - if (ret == 0 && wc_DeCompress(d, dSz, c, cSz) != (int)dSz) - ret = -7402; - - if (ret == 0 && XMEMCMP(d, sample_text, dSz)) - ret = -7403; + if (XMEMCMP(d, sample_text, dSz)) { + ERROR_OUT(-7403, exit); + } + ret = 0; +exit: if (c) XFREE(c, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); if (d) XFREE(d, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); @@ -13961,10 +14015,18 @@ static int pkcs7_load_certs_keys(byte* rsaCert, word32* rsaCertSz, #endif /* USE_CERT_BUFFERS_256 */ #endif /* HAVE_ECC */ +#ifdef NO_RSA + (void)rsaCert; + (void)rsaCertSz; + (void)rsaPrivKey; + (void)rsaPrivKeySz; +#endif +#ifndef HAVE_ECC (void)eccCert; (void)eccCertSz; (void)eccPrivKey; (void)eccPrivKeySz; +#endif #ifndef NO_FILESYSTEM (void)certFile; (void)keyFile; @@ -14126,10 +14188,19 @@ static int pkcs7enveloped_run_vectors(byte* rsaCert, word32 rsaCertSz, wc_PKCS7_Free(&pkcs7); } +#ifndef HAVE_ECC (void)eccCert; (void)eccCertSz; (void)eccPrivKey; (void)eccPrivKeySz; +#endif +#ifdef NO_RSA + (void)rsaCert; + (void)rsaCertSz; + (void)rsaPrivKey; + (void)rsaPrivKeySz; +#endif + return 0; } @@ -14139,13 +14210,13 @@ int pkcs7enveloped_test(void) int ret = 0; byte* rsaCert = NULL; - byte* eccCert = NULL; byte* rsaPrivKey = NULL; - byte* eccPrivKey = NULL; - word32 rsaCertSz = 0; - word32 eccCertSz = 0; word32 rsaPrivKeySz = 0; + + byte* eccCert = NULL; + byte* eccPrivKey = NULL; + word32 eccCertSz = 0; word32 eccPrivKeySz = 0; #ifndef NO_RSA @@ -14168,15 +14239,19 @@ int pkcs7enveloped_test(void) /* read client ECC cert and key in DER format */ eccCert = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); if (eccCert == NULL) { + #ifndef NO_RSA XFREE(rsaCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(rsaPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + #endif return -7504; } eccPrivKey =(byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); if (eccPrivKey == NULL) { + #ifndef NO_RSA XFREE(rsaCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(rsaPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + #endif XFREE(eccCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); return -7505; } @@ -14189,10 +14264,14 @@ int pkcs7enveloped_test(void) &rsaPrivKeySz, eccCert, &eccCertSz, eccPrivKey, &eccPrivKeySz); if (ret < 0) { + #ifndef NO_RSA XFREE(rsaCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(rsaPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + #endif + #ifdef HAVE_ECC XFREE(eccCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(eccPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + #endif return ret; } @@ -14201,10 +14280,14 @@ int pkcs7enveloped_test(void) eccCert, (word32)eccCertSz, eccPrivKey, (word32)eccPrivKeySz); +#ifndef NO_RSA XFREE(rsaCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(rsaPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); +#endif +#ifdef HAVE_ECC XFREE(eccCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(eccPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); +#endif return ret; } @@ -14572,8 +14655,10 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz, ret = wc_PKCS7_InitWithCert(&pkcs7, testVectors[i].cert, (word32)testVectors[i].certSz); - if (ret != 0) + if (ret != 0) { + XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); return -7702; + } pkcs7.rng = &rng; pkcs7.content = (byte*)testVectors[i].content; @@ -14682,10 +14767,19 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz, if (ret > 0) return 0; +#ifndef HAVE_ECC (void)eccCert; (void)eccCertSz; (void)eccPrivKey; (void)eccPrivKeySz; +#endif +#ifdef NO_RSA + (void)rsaCert; + (void)rsaCertSz; + (void)rsaPrivKey; + (void)rsaPrivKeySz; +#endif + return ret; } diff --git a/wolfssl/certs_test.h b/wolfssl/certs_test.h index 621936c00..15d27a1a6 100644 --- a/wolfssl/certs_test.h +++ b/wolfssl/certs_test.h @@ -2077,87 +2077,286 @@ static const int sizeof_serv_ecc_rsa_der_256 = sizeof(serv_ecc_rsa_der_256); /* ./certs/server-ecc.der, ECC */ static const unsigned char serv_ecc_der_256[] = { - 0x30, 0x82, 0x03, 0x10, 0x30, 0x82, 0x02, 0xB5, 0xA0, 0x03, - 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xEF, 0x46, 0xC7, 0xA4, - 0x9B, 0xBB, 0x60, 0xD3, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, - 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, 0x81, 0x8F, 0x31, + 0x30, 0x82, 0x03, 0x4F, 0x30, 0x82, 0x02, 0xF5, 0xA0, 0x03, + 0x02, 0x01, 0x02, 0x02, 0x02, 0x10, 0x00, 0x30, 0x0A, 0x06, + 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, + 0x81, 0x97, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, + 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, + 0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A, 0x57, 0x61, 0x73, 0x68, + 0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E, 0x31, 0x10, 0x30, 0x0E, + 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x53, 0x65, 0x61, + 0x74, 0x74, 0x6C, 0x65, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, + 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 0x53, + 0x53, 0x4C, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, + 0x0B, 0x0C, 0x0B, 0x44, 0x65, 0x76, 0x65, 0x6C, 0x6F, 0x70, + 0x6D, 0x65, 0x6E, 0x74, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, + 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, + 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, + 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, + 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, + 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, + 0x63, 0x6F, 0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x37, 0x31, + 0x30, 0x31, 0x39, 0x31, 0x39, 0x30, 0x36, 0x34, 0x39, 0x5A, + 0x17, 0x0D, 0x32, 0x37, 0x31, 0x30, 0x31, 0x37, 0x31, 0x39, + 0x30, 0x36, 0x34, 0x39, 0x5A, 0x30, 0x81, 0x8F, 0x31, 0x0B, + 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x0C, 0x0A, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, + 0x6F, 0x6E, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, + 0x07, 0x0C, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6C, 0x65, + 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, + 0x07, 0x45, 0x6C, 0x69, 0x70, 0x74, 0x69, 0x63, 0x31, 0x0C, + 0x30, 0x0A, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x03, 0x45, + 0x43, 0x43, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, + 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, + 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, + 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, + 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, + 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, + 0x6D, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, + 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, + 0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0xBB, 0x33, + 0xAC, 0x4C, 0x27, 0x50, 0x4A, 0xC6, 0x4A, 0xA5, 0x04, 0xC3, + 0x3C, 0xDE, 0x9F, 0x36, 0xDB, 0x72, 0x2D, 0xCE, 0x94, 0xEA, + 0x2B, 0xFA, 0xCB, 0x20, 0x09, 0x39, 0x2C, 0x16, 0xE8, 0x61, + 0x02, 0xE9, 0xAF, 0x4D, 0xD3, 0x02, 0x93, 0x9A, 0x31, 0x5B, + 0x97, 0x92, 0x21, 0x7F, 0xF0, 0xCF, 0x18, 0xDA, 0x91, 0x11, + 0x02, 0x34, 0x86, 0xE8, 0x20, 0x58, 0x33, 0x0B, 0x80, 0x34, + 0x89, 0xD8, 0xA3, 0x82, 0x01, 0x35, 0x30, 0x82, 0x01, 0x31, + 0x30, 0x09, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x02, 0x30, + 0x00, 0x30, 0x11, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, + 0xF8, 0x42, 0x01, 0x01, 0x04, 0x04, 0x03, 0x02, 0x06, 0x40, + 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, + 0x14, 0x5D, 0x5D, 0x26, 0xEF, 0xAC, 0x7E, 0x36, 0xF9, 0x9B, + 0x76, 0x15, 0x2B, 0x4A, 0x25, 0x02, 0x23, 0xEF, 0xB2, 0x89, + 0x30, 0x30, 0x81, 0xCC, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, + 0x81, 0xC4, 0x30, 0x81, 0xC1, 0x80, 0x14, 0xFD, 0x9D, 0x85, + 0xD5, 0xC1, 0x6F, 0x47, 0xEA, 0xC6, 0x75, 0x96, 0x59, 0x25, + 0x37, 0x46, 0x8C, 0x61, 0xDB, 0xE1, 0xC3, 0xA1, 0x81, 0x9D, + 0xA4, 0x81, 0x9A, 0x30, 0x81, 0x97, 0x31, 0x0B, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, + 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A, + 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E, + 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, + 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6C, 0x65, 0x31, 0x10, + 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x77, + 0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C, 0x31, 0x14, 0x30, 0x12, + 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0B, 0x44, 0x65, 0x76, + 0x65, 0x6C, 0x6F, 0x70, 0x6D, 0x65, 0x6E, 0x74, 0x31, 0x18, + 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, + 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, + 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, + 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, + 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x09, 0x00, + 0x98, 0x6A, 0x0C, 0xF4, 0x02, 0x43, 0xA6, 0x28, 0x30, 0x0E, + 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, 0x04, 0x04, + 0x03, 0x02, 0x05, 0xA0, 0x30, 0x13, 0x06, 0x03, 0x55, 0x1D, + 0x25, 0x04, 0x0C, 0x30, 0x0A, 0x06, 0x08, 0x2B, 0x06, 0x01, + 0x05, 0x05, 0x07, 0x03, 0x01, 0x30, 0x0A, 0x06, 0x08, 0x2A, + 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, + 0x30, 0x45, 0x02, 0x21, 0x00, 0xCE, 0x09, 0x22, 0xAB, 0x21, + 0xC1, 0x30, 0x80, 0x33, 0x4B, 0xB4, 0x75, 0x19, 0x0B, 0x37, + 0xE5, 0x18, 0xC6, 0x6A, 0x48, 0xB1, 0xA6, 0x2A, 0x0C, 0xD0, + 0x91, 0x96, 0xD3, 0x97, 0xDB, 0x75, 0xCF, 0x02, 0x20, 0x03, + 0x97, 0x6B, 0x90, 0xE1, 0x2E, 0x20, 0x10, 0xE7, 0xBF, 0xC3, + 0x25, 0x97, 0x4D, 0xA8, 0x07, 0x9E, 0x14, 0x86, 0x99, 0xBD, + 0x87, 0x98, 0xFD, 0x2E, 0xD2, 0x4D, 0x1F, 0xDA, 0x52, 0x92, + 0xB9 +}; +static const int sizeof_serv_ecc_der_256 = sizeof(serv_ecc_der_256); + +/* ./certs/ca-ecc-key.der, ECC */ +static const unsigned char ca_ecc_key_der_256[] = +{ + 0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0xAC, 0xB8, 0xFA, + 0x16, 0x7D, 0x18, 0xD6, 0x43, 0x7B, 0x92, 0xB8, 0xD2, 0xA6, + 0x60, 0x6D, 0x44, 0x0E, 0xAA, 0xB9, 0x0F, 0x1C, 0x3A, 0x5B, + 0x57, 0xD0, 0x5F, 0x67, 0x11, 0xCB, 0xAB, 0x48, 0x87, 0xA0, + 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, + 0x07, 0xA1, 0x44, 0x03, 0x42, 0x00, 0x04, 0xE6, 0x38, 0xDF, + 0x16, 0xE3, 0x4B, 0xEA, 0xAA, 0x9F, 0x91, 0xA3, 0xF3, 0x32, + 0x40, 0xF6, 0x6C, 0x7E, 0xA1, 0x55, 0x01, 0x38, 0x05, 0xFE, + 0x6B, 0x39, 0x37, 0x1C, 0xEA, 0xF9, 0xF9, 0x4D, 0x87, 0x4B, + 0x2D, 0x2F, 0x4B, 0x54, 0xE5, 0x9B, 0x4A, 0x1A, 0xBA, 0x0D, + 0x02, 0xA5, 0x1C, 0xEC, 0xC1, 0x51, 0x30, 0xC9, 0x3C, 0x94, + 0xAC, 0x2E, 0x5B, 0x2F, 0x40, 0xF6, 0x3C, 0xA7, 0x7A, 0xD0, + 0x68 +}; +static const int sizeof_ca_ecc_key_der_256 = sizeof(ca_ecc_key_der_256); + +/* ./certs/ca-ecc-cert.der, ECC */ +static const unsigned char ca_ecc_cert_der_256[] = +{ + 0x30, 0x82, 0x02, 0x89, 0x30, 0x82, 0x02, 0x30, 0xA0, 0x03, + 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0x98, 0x6A, 0x0C, 0xF4, + 0x02, 0x43, 0xA6, 0x28, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, + 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, 0x81, 0x97, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6C, 0x65, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, - 0x0C, 0x07, 0x45, 0x6C, 0x69, 0x70, 0x74, 0x69, 0x63, 0x31, - 0x0C, 0x30, 0x0A, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x03, - 0x45, 0x43, 0x43, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, - 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, - 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, - 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, - 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, - 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, - 0x6F, 0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x36, 0x30, 0x38, - 0x31, 0x31, 0x32, 0x30, 0x30, 0x37, 0x33, 0x38, 0x5A, 0x17, - 0x0D, 0x31, 0x39, 0x30, 0x35, 0x30, 0x38, 0x32, 0x30, 0x30, - 0x37, 0x33, 0x38, 0x5A, 0x30, 0x81, 0x8F, 0x31, 0x0B, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, - 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, - 0x0A, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, - 0x6E, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, - 0x0C, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6C, 0x65, 0x31, - 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, - 0x45, 0x6C, 0x69, 0x70, 0x74, 0x69, 0x63, 0x31, 0x0C, 0x30, - 0x0A, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x03, 0x45, 0x43, - 0x43, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, + 0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C, 0x31, + 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0B, + 0x44, 0x65, 0x76, 0x65, 0x6C, 0x6F, 0x70, 0x6D, 0x65, 0x6E, + 0x74, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, - 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, - 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, - 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0xBB, 0x33, 0xAC, - 0x4C, 0x27, 0x50, 0x4A, 0xC6, 0x4A, 0xA5, 0x04, 0xC3, 0x3C, - 0xDE, 0x9F, 0x36, 0xDB, 0x72, 0x2D, 0xCE, 0x94, 0xEA, 0x2B, - 0xFA, 0xCB, 0x20, 0x09, 0x39, 0x2C, 0x16, 0xE8, 0x61, 0x02, - 0xE9, 0xAF, 0x4D, 0xD3, 0x02, 0x93, 0x9A, 0x31, 0x5B, 0x97, - 0x92, 0x21, 0x7F, 0xF0, 0xCF, 0x18, 0xDA, 0x91, 0x11, 0x02, - 0x34, 0x86, 0xE8, 0x20, 0x58, 0x33, 0x0B, 0x80, 0x34, 0x89, - 0xD8, 0xA3, 0x81, 0xF7, 0x30, 0x81, 0xF4, 0x30, 0x1D, 0x06, - 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0x5D, 0x5D, - 0x26, 0xEF, 0xAC, 0x7E, 0x36, 0xF9, 0x9B, 0x76, 0x15, 0x2B, - 0x4A, 0x25, 0x02, 0x23, 0xEF, 0xB2, 0x89, 0x30, 0x30, 0x81, - 0xC4, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x81, 0xBC, 0x30, - 0x81, 0xB9, 0x80, 0x14, 0x5D, 0x5D, 0x26, 0xEF, 0xAC, 0x7E, - 0x36, 0xF9, 0x9B, 0x76, 0x15, 0x2B, 0x4A, 0x25, 0x02, 0x23, - 0xEF, 0xB2, 0x89, 0x30, 0xA1, 0x81, 0x95, 0xA4, 0x81, 0x92, - 0x30, 0x81, 0x8F, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, - 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A, 0x57, 0x61, 0x73, - 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E, 0x31, 0x10, 0x30, - 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x53, 0x65, - 0x61, 0x74, 0x74, 0x6C, 0x65, 0x31, 0x10, 0x30, 0x0E, 0x06, - 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x45, 0x6C, 0x69, 0x70, - 0x74, 0x69, 0x63, 0x31, 0x0C, 0x30, 0x0A, 0x06, 0x03, 0x55, - 0x04, 0x0B, 0x0C, 0x03, 0x45, 0x43, 0x43, 0x31, 0x18, 0x30, + 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x37, 0x31, 0x30, 0x31, 0x39, + 0x31, 0x39, 0x30, 0x36, 0x34, 0x39, 0x5A, 0x17, 0x0D, 0x33, + 0x37, 0x31, 0x30, 0x31, 0x34, 0x31, 0x39, 0x30, 0x36, 0x34, + 0x39, 0x5A, 0x30, 0x81, 0x97, 0x31, 0x0B, 0x30, 0x09, 0x06, + 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, + 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A, 0x57, + 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E, 0x31, + 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, + 0x53, 0x65, 0x61, 0x74, 0x74, 0x6C, 0x65, 0x31, 0x10, 0x30, + 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, + 0x6C, 0x66, 0x53, 0x53, 0x4C, 0x31, 0x14, 0x30, 0x12, 0x06, + 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0B, 0x44, 0x65, 0x76, 0x65, + 0x6C, 0x6F, 0x70, 0x6D, 0x65, 0x6E, 0x74, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, - 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x09, 0x00, 0xEF, - 0x46, 0xC7, 0xA4, 0x9B, 0xBB, 0x60, 0xD3, 0x30, 0x0C, 0x06, - 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, - 0xFF, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, - 0x04, 0x03, 0x02, 0x03, 0x49, 0x00, 0x30, 0x46, 0x02, 0x21, - 0x00, 0xF1, 0xD0, 0xA6, 0x3E, 0x83, 0x33, 0x24, 0xD1, 0x7A, - 0x05, 0x5F, 0x1E, 0x0E, 0xBD, 0x7D, 0x6B, 0x33, 0xE9, 0xF2, - 0x86, 0xF3, 0xF3, 0x3D, 0xA9, 0xEF, 0x6A, 0x87, 0x31, 0xB3, - 0xB7, 0x7E, 0x50, 0x02, 0x21, 0x00, 0xF0, 0x60, 0xDD, 0xCE, - 0xA2, 0xDB, 0x56, 0xEC, 0xD9, 0xF4, 0xE4, 0xE3, 0x25, 0xD4, - 0xB0, 0xC9, 0x25, 0x7D, 0xCA, 0x7A, 0x5D, 0xBA, 0xC4, 0xB2, - 0xF6, 0x7D, 0x04, 0xC7, 0xBD, 0x62, 0xC9, 0x20 + 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x59, 0x30, 0x13, + 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, + 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, + 0x42, 0x00, 0x04, 0xE6, 0x38, 0xDF, 0x16, 0xE3, 0x4B, 0xEA, + 0xAA, 0x9F, 0x91, 0xA3, 0xF3, 0x32, 0x40, 0xF6, 0x6C, 0x7E, + 0xA1, 0x55, 0x01, 0x38, 0x05, 0xFE, 0x6B, 0x39, 0x37, 0x1C, + 0xEA, 0xF9, 0xF9, 0x4D, 0x87, 0x4B, 0x2D, 0x2F, 0x4B, 0x54, + 0xE5, 0x9B, 0x4A, 0x1A, 0xBA, 0x0D, 0x02, 0xA5, 0x1C, 0xEC, + 0xC1, 0x51, 0x30, 0xC9, 0x3C, 0x94, 0xAC, 0x2E, 0x5B, 0x2F, + 0x40, 0xF6, 0x3C, 0xA7, 0x7A, 0xD0, 0x68, 0xA3, 0x63, 0x30, + 0x61, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, + 0x04, 0x14, 0xFD, 0x9D, 0x85, 0xD5, 0xC1, 0x6F, 0x47, 0xEA, + 0xC6, 0x75, 0x96, 0x59, 0x25, 0x37, 0x46, 0x8C, 0x61, 0xDB, + 0xE1, 0xC3, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, + 0x18, 0x30, 0x16, 0x80, 0x14, 0xFD, 0x9D, 0x85, 0xD5, 0xC1, + 0x6F, 0x47, 0xEA, 0xC6, 0x75, 0x96, 0x59, 0x25, 0x37, 0x46, + 0x8C, 0x61, 0xDB, 0xE1, 0xC3, 0x30, 0x0F, 0x06, 0x03, 0x55, + 0x1D, 0x13, 0x01, 0x01, 0xFF, 0x04, 0x05, 0x30, 0x03, 0x01, + 0x01, 0xFF, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, + 0x01, 0xFF, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0A, + 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, + 0x03, 0x47, 0x00, 0x30, 0x44, 0x02, 0x20, 0x03, 0xCF, 0x3F, + 0x6E, 0x26, 0xF7, 0x76, 0xBE, 0x98, 0x81, 0x20, 0x57, 0x6B, + 0x4A, 0x55, 0xF7, 0x16, 0x19, 0x21, 0xA0, 0x4C, 0xC8, 0xA1, + 0x19, 0x83, 0x4C, 0x66, 0x55, 0x2D, 0x43, 0x36, 0xE1, 0x02, + 0x20, 0x4D, 0x26, 0x29, 0x2B, 0xF2, 0x38, 0x94, 0x85, 0x7E, + 0xA0, 0x13, 0xB6, 0xC5, 0x8D, 0x61, 0xBE, 0x96, 0x15, 0xAD, + 0xFE, 0xAE, 0x61, 0xED, 0xA1, 0x88, 0xF9, 0x79, 0xC6, 0x40, + 0x57, 0xE4, 0x9B }; -static const int sizeof_serv_ecc_der_256 = sizeof(serv_ecc_der_256); +static const int sizeof_ca_ecc_cert_der_256 = sizeof(ca_ecc_cert_der_256); + +/* ./certs/ca-ecc384-key.der, ECC */ +static const unsigned char ca_ecc_key_der_384[] = +{ + 0x30, 0x81, 0xA4, 0x02, 0x01, 0x01, 0x04, 0x30, 0x25, 0x7B, + 0x71, 0xAC, 0x46, 0x4C, 0xF2, 0xC4, 0xA5, 0x59, 0x86, 0xF6, + 0x09, 0xB4, 0x73, 0x84, 0xC4, 0x18, 0x04, 0xA4, 0x1A, 0x23, + 0x75, 0x80, 0xCE, 0x5E, 0x09, 0x5C, 0x04, 0xE0, 0xAD, 0x04, + 0x8E, 0x5F, 0xD7, 0xC7, 0x91, 0xE7, 0x76, 0xCB, 0x8A, 0xEF, + 0xC0, 0xF1, 0x34, 0x28, 0xEE, 0x5C, 0xA0, 0x07, 0x06, 0x05, + 0x2B, 0x81, 0x04, 0x00, 0x22, 0xA1, 0x64, 0x03, 0x62, 0x00, + 0x04, 0x11, 0x3C, 0x5C, 0xD0, 0x64, 0x22, 0xA7, 0x0F, 0xC8, + 0xB6, 0x40, 0x84, 0xD7, 0xE9, 0x42, 0x13, 0x88, 0xB9, 0x11, + 0xB5, 0x8D, 0x9E, 0xBB, 0x40, 0xB4, 0x9E, 0xF7, 0x20, 0x35, + 0x2B, 0xF5, 0xDC, 0x59, 0x70, 0x00, 0x19, 0x32, 0x63, 0xDE, + 0x56, 0x55, 0x6A, 0x0B, 0xD5, 0x29, 0xBA, 0xC1, 0x26, 0x53, + 0x3F, 0x11, 0xB4, 0x9C, 0xD1, 0x0E, 0x23, 0xBF, 0x03, 0x2B, + 0x46, 0x45, 0x4E, 0x65, 0xF4, 0x77, 0x22, 0x0A, 0x63, 0xE2, + 0x49, 0x5D, 0xF0, 0xA7, 0x8C, 0x29, 0x49, 0x00, 0x33, 0x00, + 0xB1, 0x40, 0x19, 0xBF, 0x67, 0x3F, 0xD1, 0xF2, 0x4E, 0x6E, + 0x1D, 0x18, 0x81, 0x50, 0xEB, 0x13, 0x6A +}; +static const int sizeof_ca_ecc_key_der_384 = sizeof(ca_ecc_key_der_384); + +/* ./certs/ca-ecc384-cert.der, ECC */ +static const unsigned char ca_ecc_cert_der_384[] = +{ + 0x30, 0x82, 0x02, 0xC7, 0x30, 0x82, 0x02, 0x4D, 0xA0, 0x03, + 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xA8, 0x45, 0x77, 0x67, + 0x97, 0x27, 0xF9, 0x20, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, + 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x03, 0x30, 0x81, 0x97, 0x31, + 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, + 0x08, 0x0C, 0x0A, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, + 0x74, 0x6F, 0x6E, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, + 0x04, 0x07, 0x0C, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6C, + 0x65, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, + 0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C, 0x31, + 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0B, + 0x44, 0x65, 0x76, 0x65, 0x6C, 0x6F, 0x70, 0x6D, 0x65, 0x6E, + 0x74, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, + 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, + 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, + 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, + 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, + 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, + 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x37, 0x31, 0x30, 0x31, 0x39, + 0x31, 0x39, 0x30, 0x36, 0x34, 0x39, 0x5A, 0x17, 0x0D, 0x33, + 0x37, 0x31, 0x30, 0x31, 0x34, 0x31, 0x39, 0x30, 0x36, 0x34, + 0x39, 0x5A, 0x30, 0x81, 0x97, 0x31, 0x0B, 0x30, 0x09, 0x06, + 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, + 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A, 0x57, + 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E, 0x31, + 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, + 0x53, 0x65, 0x61, 0x74, 0x74, 0x6C, 0x65, 0x31, 0x10, 0x30, + 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, + 0x6C, 0x66, 0x53, 0x53, 0x4C, 0x31, 0x14, 0x30, 0x12, 0x06, + 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0B, 0x44, 0x65, 0x76, 0x65, + 0x6C, 0x6F, 0x70, 0x6D, 0x65, 0x6E, 0x74, 0x31, 0x18, 0x30, + 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, + 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, + 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, + 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, + 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, + 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x76, 0x30, 0x10, + 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, + 0x05, 0x2B, 0x81, 0x04, 0x00, 0x22, 0x03, 0x62, 0x00, 0x04, + 0x11, 0x3C, 0x5C, 0xD0, 0x64, 0x22, 0xA7, 0x0F, 0xC8, 0xB6, + 0x40, 0x84, 0xD7, 0xE9, 0x42, 0x13, 0x88, 0xB9, 0x11, 0xB5, + 0x8D, 0x9E, 0xBB, 0x40, 0xB4, 0x9E, 0xF7, 0x20, 0x35, 0x2B, + 0xF5, 0xDC, 0x59, 0x70, 0x00, 0x19, 0x32, 0x63, 0xDE, 0x56, + 0x55, 0x6A, 0x0B, 0xD5, 0x29, 0xBA, 0xC1, 0x26, 0x53, 0x3F, + 0x11, 0xB4, 0x9C, 0xD1, 0x0E, 0x23, 0xBF, 0x03, 0x2B, 0x46, + 0x45, 0x4E, 0x65, 0xF4, 0x77, 0x22, 0x0A, 0x63, 0xE2, 0x49, + 0x5D, 0xF0, 0xA7, 0x8C, 0x29, 0x49, 0x00, 0x33, 0x00, 0xB1, + 0x40, 0x19, 0xBF, 0x67, 0x3F, 0xD1, 0xF2, 0x4E, 0x6E, 0x1D, + 0x18, 0x81, 0x50, 0xEB, 0x13, 0x6A, 0xA3, 0x63, 0x30, 0x61, + 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, + 0x14, 0x97, 0xFD, 0xB4, 0x6D, 0xCE, 0x08, 0xB3, 0x02, 0x57, + 0xAB, 0xF3, 0x40, 0xD6, 0x1D, 0xAC, 0x75, 0x32, 0x35, 0xAA, + 0xF2, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, + 0x30, 0x16, 0x80, 0x14, 0x97, 0xFD, 0xB4, 0x6D, 0xCE, 0x08, + 0xB3, 0x02, 0x57, 0xAB, 0xF3, 0x40, 0xD6, 0x1D, 0xAC, 0x75, + 0x32, 0x35, 0xAA, 0xF2, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, + 0x13, 0x01, 0x01, 0xFF, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, + 0xFF, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, 0x01, + 0xFF, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0A, 0x06, + 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x03, 0x03, + 0x68, 0x00, 0x30, 0x65, 0x02, 0x31, 0x00, 0x9D, 0x49, 0x9E, + 0x68, 0x10, 0x55, 0xB3, 0x92, 0x89, 0x23, 0xCF, 0x58, 0xFB, + 0x04, 0xEE, 0xAB, 0xED, 0x3E, 0x3C, 0xF6, 0x94, 0x66, 0xD1, + 0xBD, 0x16, 0x8E, 0xCA, 0x52, 0x9F, 0x39, 0xF3, 0xD6, 0x47, + 0xC0, 0xCB, 0x45, 0xE2, 0x1E, 0xC6, 0xDD, 0x50, 0x08, 0x37, + 0x37, 0xBA, 0xAE, 0xE6, 0x72, 0x02, 0x30, 0x6B, 0x38, 0x53, + 0x41, 0x32, 0x3E, 0x55, 0x84, 0x39, 0x65, 0x9B, 0xA7, 0x40, + 0x98, 0x05, 0xCD, 0x16, 0xFE, 0xDD, 0x54, 0x3A, 0x38, 0x19, + 0xF0, 0x63, 0xB9, 0xC1, 0x45, 0x46, 0xDC, 0xB4, 0x4D, 0x47, + 0x21, 0x49, 0xFC, 0x5B, 0x63, 0xA8, 0x16, 0x4C, 0xD8, 0x3F, + 0x3B, 0xA8, 0xC9, 0xFB, 0xFA +}; +static const int sizeof_ca_ecc_cert_der_384 = sizeof(ca_ecc_cert_der_384); #endif /* HAVE_ECC && USE_CERT_BUFFERS_256 */ @@ -2183,158 +2382,142 @@ static const unsigned char dh_g[] = 0x02, }; -#ifdef HAVE_ED25519 -/* - * Subject: /C=US/ST=Montana/L=Bozeman/SN=Leaf/O=wolfSSL/OU=ED25519/CN=www.wolfssl.com/emailAddress=info@wolfssl.com - * Issuer: /C=US/ST=Montana/L=Bozeman/SN=CA/O=wolfSSL/OU=ED25519/CN=www.wolfssl.com/emailAddress=info@wolfssl.com - */ -static const unsigned char server_ed25519_pkey[44] = { - 0x30, 0x2A, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, - 0x21, 0x00, 0x1A, 0x30, 0x88, 0x18, 0x47, 0x2F, 0x97, 0xDA, - 0x04, 0xF4, 0xA4, 0xE3, 0xBD, 0x6C, 0x0C, 0x16, 0xB9, 0x48, - 0xC1, 0xD1, 0x42, 0xD7, 0x8E, 0x92, 0x84, 0xA0, 0x74, 0x2A, - 0x43, 0x9E, 0x0E, 0x29 -}; -static const int sizeof_server_ed25519_pkey = sizeof(server_ed25519_pkey); +#if defined(HAVE_ED25519) -static const unsigned char server_ed25519_cert[591] = { - 0x30, 0x82, 0x02, 0x4B, 0x30, 0x82, 0x01, 0xFD, 0xA0, 0x03, - 0x02, 0x01, 0x02, 0x02, 0x08, 0x01, 0xD0, 0x92, 0x10, 0x6A, - 0x5A, 0x46, 0x57, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, - 0x30, 0x81, 0x9D, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, - 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, - 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, - 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, - 0x61, 0x6E, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, - 0x04, 0x0C, 0x02, 0x43, 0x41, 0x31, 0x10, 0x30, 0x0E, 0x06, - 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, - 0x53, 0x53, 0x4C, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, - 0x04, 0x0B, 0x0C, 0x07, 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, - 0x39, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, - 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, - 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, - 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, - 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, - 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, - 0x30, 0x22, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, 0x30, 0x35, - 0x32, 0x38, 0x32, 0x33, 0x32, 0x36, 0x32, 0x39, 0x5A, 0x18, - 0x0F, 0x32, 0x30, 0x31, 0x39, 0x30, 0x35, 0x32, 0x39, 0x32, - 0x33, 0x32, 0x36, 0x32, 0x39, 0x5A, 0x30, 0x81, 0x9F, 0x31, - 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, - 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, - 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, - 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, - 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x0D, - 0x30, 0x0B, 0x06, 0x03, 0x55, 0x04, 0x04, 0x0C, 0x04, 0x4C, - 0x65, 0x61, 0x66, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, - 0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, - 0x4C, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0B, - 0x0C, 0x07, 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, 0x39, 0x31, - 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, - 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, - 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, - 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, - 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, - 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x2A, - 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 0x21, 0x00, - 0x1A, 0x30, 0x88, 0x18, 0x47, 0x2F, 0x97, 0xDA, 0x04, 0xF4, - 0xA4, 0xE3, 0xBD, 0x6C, 0x0C, 0x16, 0xB9, 0x48, 0xC1, 0xD1, - 0x42, 0xD7, 0x8E, 0x92, 0x84, 0xA0, 0x74, 0x2A, 0x43, 0x9E, - 0x0E, 0x29, 0xA3, 0x53, 0x30, 0x51, 0x30, 0x1D, 0x06, 0x03, - 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0xF6, 0xB2, 0x84, - 0x1A, 0x95, 0xB4, 0x70, 0x32, 0x53, 0xFE, 0xD9, 0xEB, 0x9B, - 0x29, 0x80, 0x4B, 0xD6, 0xB5, 0xF1, 0xC0, 0x30, 0x1F, 0x06, - 0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, - 0x92, 0xD5, 0x0B, 0xDA, 0xF1, 0x04, 0x8B, 0xB9, 0xA1, 0x8B, - 0x03, 0x02, 0x9F, 0x58, 0x00, 0x35, 0x36, 0x07, 0x7A, 0xC9, - 0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, - 0x04, 0x05, 0x03, 0x02, 0x06, 0xC0, 0x00, 0x30, 0x05, 0x06, - 0x03, 0x2B, 0x65, 0x70, 0x03, 0x41, 0x00, 0x12, 0x56, 0x77, - 0x0C, 0x96, 0x42, 0x98, 0xDA, 0xC9, 0x15, 0x6C, 0x4E, 0x48, - 0x95, 0x05, 0x1D, 0xD0, 0x78, 0x32, 0xF8, 0x86, 0x46, 0x9A, - 0x46, 0x9B, 0x64, 0x8B, 0x31, 0xB0, 0x19, 0x6B, 0x77, 0x99, - 0x8B, 0xFF, 0xFC, 0x02, 0x36, 0x05, 0x0B, 0x69, 0x37, 0x87, - 0x62, 0x75, 0xDA, 0x50, 0x2C, 0x2D, 0x5D, 0x52, 0x94, 0x3F, - 0x00, 0x9D, 0x18, 0x45, 0x6F, 0x37, 0x12, 0x8E, 0xF4, 0xE4, - 0x00 +/* ./certs/ed25519/server-ed25519.der, ED25519 */ +static const unsigned char server_ed25519_cert[] = +{ + 0x30, 0x82, 0x02, 0x4B, 0x30, 0x82, 0x01, 0xFD, 0xA0, 0x03, + 0x02, 0x01, 0x02, 0x02, 0x08, 0x01, 0xD0, 0x92, 0x10, 0x6A, + 0x5A, 0x46, 0x57, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, + 0x30, 0x81, 0x9D, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, + 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, + 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, + 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, + 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, + 0x61, 0x6E, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, + 0x04, 0x0C, 0x02, 0x43, 0x41, 0x31, 0x10, 0x30, 0x0E, 0x06, + 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, + 0x53, 0x53, 0x4C, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, + 0x04, 0x0B, 0x0C, 0x07, 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, + 0x39, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, + 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, + 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, + 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, + 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, + 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, + 0x30, 0x22, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, 0x30, 0x35, + 0x32, 0x38, 0x32, 0x33, 0x32, 0x36, 0x32, 0x39, 0x5A, 0x18, + 0x0F, 0x32, 0x30, 0x31, 0x39, 0x30, 0x35, 0x32, 0x39, 0x32, + 0x33, 0x32, 0x36, 0x32, 0x39, 0x5A, 0x30, 0x81, 0x9F, 0x31, + 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, + 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, + 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, + 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x0D, + 0x30, 0x0B, 0x06, 0x03, 0x55, 0x04, 0x04, 0x0C, 0x04, 0x4C, + 0x65, 0x61, 0x66, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, + 0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, + 0x4C, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0B, + 0x0C, 0x07, 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, 0x39, 0x31, + 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, + 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, + 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, + 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, + 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, + 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x2A, + 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 0x21, 0x00, + 0x1A, 0x30, 0x88, 0x18, 0x47, 0x2F, 0x97, 0xDA, 0x04, 0xF4, + 0xA4, 0xE3, 0xBD, 0x6C, 0x0C, 0x16, 0xB9, 0x48, 0xC1, 0xD1, + 0x42, 0xD7, 0x8E, 0x92, 0x84, 0xA0, 0x74, 0x2A, 0x43, 0x9E, + 0x0E, 0x29, 0xA3, 0x53, 0x30, 0x51, 0x30, 0x1D, 0x06, 0x03, + 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0xF6, 0xB2, 0x84, + 0x1A, 0x95, 0xB4, 0x70, 0x32, 0x53, 0xFE, 0xD9, 0xEB, 0x9B, + 0x29, 0x80, 0x4B, 0xD6, 0xB5, 0xF1, 0xC0, 0x30, 0x1F, 0x06, + 0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, + 0x92, 0xD5, 0x0B, 0xDA, 0xF1, 0x04, 0x8B, 0xB9, 0xA1, 0x8B, + 0x03, 0x02, 0x9F, 0x58, 0x00, 0x35, 0x36, 0x07, 0x7A, 0xC9, + 0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, + 0x04, 0x05, 0x03, 0x02, 0x06, 0xC0, 0x00, 0x30, 0x05, 0x06, + 0x03, 0x2B, 0x65, 0x70, 0x03, 0x41, 0x00, 0x12, 0x56, 0x77, + 0x0C, 0x96, 0x42, 0x98, 0xDA, 0xC9, 0x15, 0x6C, 0x4E, 0x48, + 0x95, 0x05, 0x1D, 0xD0, 0x78, 0x32, 0xF8, 0x86, 0x46, 0x9A, + 0x46, 0x9B, 0x64, 0x8B, 0x31, 0xB0, 0x19, 0x6B, 0x77, 0x99, + 0x8B, 0xFF, 0xFC, 0x02, 0x36, 0x05, 0x0B, 0x69, 0x37, 0x87, + 0x62, 0x75, 0xDA, 0x50, 0x2C, 0x2D, 0x5D, 0x52, 0x94, 0x3F, + 0x00, 0x9D, 0x18, 0x45, 0x6F, 0x37, 0x12, 0x8E, 0xF4, 0xE4, + 0x00 }; static const int sizeof_server_ed25519_cert = sizeof(server_ed25519_cert); -static const unsigned char ca_ed25519_pkey[44] = { - 0x30, 0x2A, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, - 0x21, 0x00, 0x41, 0x07, 0xEC, 0x75, 0x0C, 0x68, 0x72, 0x12, - 0x3C, 0x04, 0x82, 0x07, 0x6E, 0x16, 0x6F, 0x40, 0x41, 0x6D, - 0xA4, 0x8F, 0x08, 0xF2, 0xE2, 0x9D, 0xA7, 0x43, 0xC2, 0x24, - 0x28, 0x98, 0x7E, 0xAC -}; -static const int sizeof_ca_ed25519_pkey = sizeof(ca_ed25519_pkey); - -static const unsigned char ca_ed25519_cert[605] = { - 0x30, 0x82, 0x02, 0x59, 0x30, 0x82, 0x02, 0x0B, 0xA0, 0x03, - 0x02, 0x01, 0x02, 0x02, 0x08, 0x01, 0xF6, 0xE1, 0x3E, 0xBC, - 0x79, 0xA1, 0x85, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, - 0x30, 0x81, 0x9F, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, - 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, - 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, - 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, - 0x61, 0x6E, 0x31, 0x0D, 0x30, 0x0B, 0x06, 0x03, 0x55, 0x04, - 0x04, 0x0C, 0x04, 0x52, 0x6F, 0x6F, 0x74, 0x31, 0x10, 0x30, - 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, - 0x6C, 0x66, 0x53, 0x53, 0x4C, 0x31, 0x10, 0x30, 0x0E, 0x06, - 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x07, 0x45, 0x44, 0x32, 0x35, - 0x35, 0x31, 0x39, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, - 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, - 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, - 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, - 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, - 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, - 0x6F, 0x6D, 0x30, 0x22, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, - 0x30, 0x35, 0x32, 0x38, 0x32, 0x33, 0x32, 0x36, 0x32, 0x39, - 0x5A, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x39, 0x30, 0x35, 0x32, - 0x39, 0x32, 0x33, 0x32, 0x36, 0x32, 0x39, 0x5A, 0x30, 0x81, - 0x9D, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, - 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, - 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, - 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, - 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, - 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x04, 0x0C, - 0x02, 0x43, 0x41, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, - 0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, - 0x4C, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0B, - 0x0C, 0x07, 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, 0x39, 0x31, - 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, - 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, - 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, - 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, - 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, - 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x2A, - 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 0x21, 0x00, - 0x41, 0x07, 0xEC, 0x75, 0x0C, 0x68, 0x72, 0x12, 0x3C, 0x04, - 0x82, 0x07, 0x6E, 0x16, 0x6F, 0x40, 0x41, 0x6D, 0xA4, 0x8F, - 0x08, 0xF2, 0xE2, 0x9D, 0xA7, 0x43, 0xC2, 0x24, 0x28, 0x98, - 0x7E, 0xAC, 0xA3, 0x61, 0x30, 0x5F, 0x30, 0x0C, 0x06, 0x03, - 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, - 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, - 0x14, 0x92, 0xD5, 0x0B, 0xDA, 0xF1, 0x04, 0x8B, 0xB9, 0xA1, - 0x8B, 0x03, 0x02, 0x9F, 0x58, 0x00, 0x35, 0x36, 0x07, 0x7A, - 0xC9, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, - 0x30, 0x16, 0x80, 0x14, 0x86, 0xC0, 0x27, 0xE9, 0x9E, 0xFA, - 0x85, 0xC1, 0xFD, 0xE3, 0x6F, 0xFC, 0x54, 0x59, 0x72, 0x37, - 0xC7, 0x33, 0x92, 0xBB, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, - 0x0F, 0x01, 0x01, 0xFF, 0x04, 0x05, 0x03, 0x02, 0x01, 0xC6, - 0x00, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 0x41, - 0x00, 0x22, 0x1B, 0x06, 0x17, 0xC0, 0x11, 0x74, 0x1F, 0x64, - 0xD1, 0xA3, 0xF6, 0x7B, 0x06, 0x00, 0x1A, 0x0B, 0x50, 0x8E, - 0xEB, 0xB1, 0x63, 0x92, 0x45, 0xBA, 0xDC, 0xE2, 0xC1, 0x68, - 0x14, 0x23, 0x0C, 0x6E, 0x2C, 0x95, 0x3C, 0xB1, 0x1C, 0x19, - 0x27, 0x98, 0x50, 0x3E, 0x55, 0x51, 0xCC, 0xC4, 0x49, 0x58, - 0xAF, 0xB9, 0x46, 0x4F, 0xED, 0x9C, 0x57, 0x38, 0x04, 0x29, - 0xD4, 0xA9, 0x12, 0xFE, 0x08 +/* ./certs/ed25519/ca-ed25519.der, ED25519 */ +static const unsigned char ca_ed25519_cert[] = +{ + 0x30, 0x82, 0x02, 0x59, 0x30, 0x82, 0x02, 0x0B, 0xA0, 0x03, + 0x02, 0x01, 0x02, 0x02, 0x08, 0x01, 0xF6, 0xE1, 0x3E, 0xBC, + 0x79, 0xA1, 0x85, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, + 0x30, 0x81, 0x9F, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, + 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, + 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, + 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, + 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, + 0x61, 0x6E, 0x31, 0x0D, 0x30, 0x0B, 0x06, 0x03, 0x55, 0x04, + 0x04, 0x0C, 0x04, 0x52, 0x6F, 0x6F, 0x74, 0x31, 0x10, 0x30, + 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, + 0x6C, 0x66, 0x53, 0x53, 0x4C, 0x31, 0x10, 0x30, 0x0E, 0x06, + 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x07, 0x45, 0x44, 0x32, 0x35, + 0x35, 0x31, 0x39, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, + 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, + 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, + 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, + 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, + 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, + 0x6F, 0x6D, 0x30, 0x22, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, + 0x30, 0x35, 0x32, 0x38, 0x32, 0x33, 0x32, 0x36, 0x32, 0x39, + 0x5A, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x39, 0x30, 0x35, 0x32, + 0x39, 0x32, 0x33, 0x32, 0x36, 0x32, 0x39, 0x5A, 0x30, 0x81, + 0x9D, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, + 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, + 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, + 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, + 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, + 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x04, 0x0C, + 0x02, 0x43, 0x41, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, + 0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, + 0x4C, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0B, + 0x0C, 0x07, 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, 0x39, 0x31, + 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, + 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, + 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, + 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, + 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, + 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x2A, + 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 0x21, 0x00, + 0x41, 0x07, 0xEC, 0x75, 0x0C, 0x68, 0x72, 0x12, 0x3C, 0x04, + 0x82, 0x07, 0x6E, 0x16, 0x6F, 0x40, 0x41, 0x6D, 0xA4, 0x8F, + 0x08, 0xF2, 0xE2, 0x9D, 0xA7, 0x43, 0xC2, 0x24, 0x28, 0x98, + 0x7E, 0xAC, 0xA3, 0x61, 0x30, 0x5F, 0x30, 0x0C, 0x06, 0x03, + 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, + 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, + 0x14, 0x92, 0xD5, 0x0B, 0xDA, 0xF1, 0x04, 0x8B, 0xB9, 0xA1, + 0x8B, 0x03, 0x02, 0x9F, 0x58, 0x00, 0x35, 0x36, 0x07, 0x7A, + 0xC9, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, + 0x30, 0x16, 0x80, 0x14, 0x86, 0xC0, 0x27, 0xE9, 0x9E, 0xFA, + 0x85, 0xC1, 0xFD, 0xE3, 0x6F, 0xFC, 0x54, 0x59, 0x72, 0x37, + 0xC7, 0x33, 0x92, 0xBB, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, + 0x0F, 0x01, 0x01, 0xFF, 0x04, 0x05, 0x03, 0x02, 0x01, 0xC6, + 0x00, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 0x41, + 0x00, 0x22, 0x1B, 0x06, 0x17, 0xC0, 0x11, 0x74, 0x1F, 0x64, + 0xD1, 0xA3, 0xF6, 0x7B, 0x06, 0x00, 0x1A, 0x0B, 0x50, 0x8E, + 0xEB, 0xB1, 0x63, 0x92, 0x45, 0xBA, 0xDC, 0xE2, 0xC1, 0x68, + 0x14, 0x23, 0x0C, 0x6E, 0x2C, 0x95, 0x3C, 0xB1, 0x1C, 0x19, + 0x27, 0x98, 0x50, 0x3E, 0x55, 0x51, 0xCC, 0xC4, 0x49, 0x58, + 0xAF, 0xB9, 0x46, 0x4F, 0xED, 0x9C, 0x57, 0x38, 0x04, 0x29, + 0xD4, 0xA9, 0x12, 0xFE, 0x08 }; static const int sizeof_ca_ed25519_cert = sizeof(ca_ed25519_cert); -#endif + +#endif /* HAVE_ED25519 */ #endif /* WOLFSSL_CERTS_TEST_H */ diff --git a/wolfssl/test.h b/wolfssl/test.h index a42596599..cad7e38bc 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -265,6 +265,7 @@ #define dhParamFile "certs/dh2048.pem" #define cliEccKeyFile "certs/ecc-client-key.pem" #define cliEccCertFile "certs/client-ecc-cert.pem" +#define caEccCertFile "certs/ca-ecc-cert/pem" #define crlPemDir "certs/crl" #ifdef HAVE_WNR /* Whitewood netRandom default config file */ @@ -283,6 +284,7 @@ #define dhParamFile "./certs/dh2048.pem" #define cliEccKeyFile "./certs/ecc-client-key.pem" #define cliEccCertFile "./certs/client-ecc-cert.pem" +#define caEccCertFile "./certs/ca-ecc-cert.pem" #define crlPemDir "./certs/crl" #ifdef HAVE_WNR /* Whitewood netRandom default config file */