feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #8748 from ColtonWilley/pkcs7_x509_store_update

Browse Source 
Update PKCS7 to use X509 STORE for internal verification
This commit is contained in:
David Garske
2025-05-09 11:22:53 -07:00
committed by GitHub
parent 9d1bf83a43 9e7a4f6518
commit 0adb6eb788
2 changed files with 21 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
src/ssl_p7p12.c
View File

@ -772,6 +772,8 @@ int wolfSSL_PKCS7_verify(PKCS7* pkcs7, WOLFSSL_STACK* certs,
int contTypeLen; int contTypeLen;
WOLFSSL_X509* signer = NULL; WOLFSSL_X509* signer = NULL;
WOLFSSL_STACK* signers = NULL; WOLFSSL_STACK* signers = NULL;
X509_STORE_CTX* ctx = NULL;
WOLFSSL_ENTER("wolfSSL_PKCS7_verify"); WOLFSSL_ENTER("wolfSSL_PKCS7_verify");
@ -804,24 +806,37 @@ int wolfSSL_PKCS7_verify(PKCS7* pkcs7, WOLFSSL_STACK* certs,
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
ctx = X509_STORE_CTX_new();
if (ctx == NULL) {
WOLFSSL_MSG("Error allocating X509 Store Context");
return WOLFSSL_FAILURE;
}
signers = wolfSSL_PKCS7_get0_signers(pkcs7, certs, flags); signers = wolfSSL_PKCS7_get0_signers(pkcs7, certs, flags);
if (signers == NULL) { if (signers == NULL) {
WOLFSSL_MSG("No signers found to verify"); WOLFSSL_MSG("No signers found to verify");
wolfSSL_X509_STORE_CTX_free(ctx);
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
for (i = 0; i < wolfSSL_sk_X509_num(signers); i++) { for (i = 0; i < wolfSSL_sk_X509_num(signers); i++) {
signer = wolfSSL_sk_X509_value(signers, i); signer = wolfSSL_sk_X509_value(signers, i);
if (wolfSSL_X509_STORE_CTX_init(ctx, store, signer, NULL)
if (wolfSSL_CertManagerVerifyBuffer(store->cm, != WOLFSSL_SUCCESS) {
signer->derCert->buffer, WOLFSSL_MSG("Failed to initialize X509 STORE CTX");
signer->derCert->length, wolfSSL_sk_X509_pop_free(signers, NULL);
WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) { wolfSSL_X509_STORE_CTX_free(ctx);
return WOLFSSL_FAILURE;
}
if (wolfSSL_X509_verify_cert(ctx) != WOLFSSL_SUCCESS) {
WOLFSSL_MSG("Failed to verify signer certificate"); WOLFSSL_MSG("Failed to verify signer certificate");
wolfSSL_sk_X509_pop_free(signers, NULL); wolfSSL_sk_X509_pop_free(signers, NULL);
wolfSSL_X509_STORE_CTX_free(ctx);
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
} }
wolfSSL_sk_X509_pop_free(signers, NULL); wolfSSL_sk_X509_pop_free(signers, NULL);
wolfSSL_X509_STORE_CTX_free(ctx);
} }
if (flags & PKCS7_TEXT) { if (flags & PKCS7_TEXT) {

2
src/x509_str.c
View File

@ -405,7 +405,7 @@ exit:
} }
/* Verifies certificate chain using WOLFSSL_X509_STORE_CTX /* Verifies certificate chain using WOLFSSL_X509_STORE_CTX
* returns 0 on success or < 0 on failure. * returns 1 on success or <= 0 on failure.
*/ */
int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx) int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
{ {