diff --git a/src/crl.c b/src/crl.c index e9609b353..a716e1801 100644 --- a/src/crl.c +++ b/src/crl.c @@ -99,7 +99,17 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff, crle->lastDateFormat = dcrl->lastDateFormat; crle->nextDateFormat = dcrl->nextDateFormat; crle->version = dcrl->version; + #if defined(OPENSSL_EXTRA) + crle->lastDateAsn1.length = MAX_DATE_SIZE; + XMEMCPY (crle->lastDateAsn1.data, crle->lastDate, + crle->lastDateAsn1.length); + crle->lastDateAsn1.type = crle->lastDateFormat; + crle->nextDateAsn1.length = MAX_DATE_SIZE; + XMEMCPY (crle->nextDateAsn1.data, crle->nextDate, + crle->nextDateAsn1.length); + crle->nextDateAsn1.type = crle->nextDateFormat; + crle->issuer = NULL; wolfSSL_d2i_X509_NAME(&crle->issuer, (unsigned char**)&dcrl->issuer, dcrl->issuerSz); @@ -696,6 +706,17 @@ static CRL_Entry* DupCRL_Entry(const CRL_Entry* ent, void* heap) dupl->lastDateFormat = ent->lastDateFormat; dupl->nextDateFormat = ent->nextDateFormat; +#if defined(OPENSSL_EXTRA) + dupl->lastDateAsn1.length = MAX_DATE_SIZE; + XMEMCPY (dupl->lastDateAsn1.data, dupl->lastDate, + dupl->lastDateAsn1.length); + dupl->lastDateAsn1.type = dupl->lastDateFormat; + dupl->nextDateAsn1.length = MAX_DATE_SIZE; + XMEMCPY (dupl->nextDateAsn1.data, dupl->nextDate, + dupl->nextDateAsn1.length); + dupl->nextDateAsn1.type = dupl->nextDateFormat; +#endif + #ifdef CRL_STATIC_REVOKED_LIST XMEMCPY(dupl->certs, ent->certs, ent->totalCerts*sizeof(RevokedCert)); #else diff --git a/src/ocsp.c b/src/ocsp.c index d18e5739d..1141b9e22 100644 --- a/src/ocsp.c +++ b/src/ocsp.c 
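Review bot: The new OPENSSL_EXTRA block in InitCRL_Entry stores `MAX_DATE_SIZE` as `lastDateAsn1.length`/`nextDateAsn1.length` and copies that many bytes, so the ASN1_TIME length describes the backing buffer rather than the date string, and any consumer that honours `length` (printing, conversion, comparison) will also process whatever follows the 13- or 15-character date. Record the real length instead, derived from `lastDateFormat`/`nextDateFormat` (UTCTime vs GeneralizedTime) or from however `lastDate` is actually stored, and copy only that many bytes. The copy also assumes `WOLFSSL_ASN1_TIME.data` has room for `MAX_DATE_SIZE` bytes, which nothing here checks; a comment such as `/* data[] must hold MAX_DATE_SIZE bytes */` next to the XMEMCPY would state the invariant. The `#if defined(OPENSSL_EXTRA)` opened here has no `#endif` within the hunk and InitCRL_Entry continues past it, so confirm the guard closes where intended.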
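Review bot: DupCRL_Entry rebuilds `dupl->lastDateAsn1`/`nextDateAsn1` from `dupl->lastDate` and `dupl->nextDate` instead of from `ent`, so the result is only right if those fixed-size date buffers were already copied from `ent` earlier in the function, which is outside the hunk; the neighbouring lines (`ent->lastDateFormat`, `ent->certs`) all copy from the source entry. Assuming WOLFSSL_ASN1_TIME keeps its bytes inline, as the XMEMCPY into `.data` implies, the form that cannot get out of step with InitCRL_Entry is a plain struct copy, `dupl->lastDateAsn1 = ent->lastDateAsn1; dupl->nextDateAsn1 = ent->nextDateAsn1;`, which also carries whatever length and type the source recorded instead of re-deriving them. As written the duplicate has the same problem as InitCRL_Entry: `length` is the buffer size, not the length of the date.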
@@ -1068,6 +1068,51 @@ int wolfSSL_i2d_OCSP_CERTID(WOLFSSL_OCSP_CERTID* id, unsigned char** data) return id->rawCertIdSize; } +WOLFSSL_OCSP_CERTID* wolfSSL_d2i_OCSP_CERTID(WOLFSSL_OCSP_CERTID** cidOut, + const unsigned char** derIn, + int length) +{ + WOLFSSL_OCSP_CERTID *cid = NULL; + + if ((cidOut != NULL) && (derIn != NULL) && (*derIn != NULL) && + (length > 0)) { + + cid = *cidOut; + + /* If a NULL is passed we allocate the memory for the caller. */ + if (cid == NULL) { + cid = (WOLFSSL_OCSP_CERTID*)XMALLOC(sizeof(*cid), NULL, + DYNAMIC_TYPE_OPENSSL); + } + else if (cid->rawCertId != NULL) { + XFREE(cid->rawCertId, NULL, DYNAMIC_TYPE_OPENSSL); + cid->rawCertId = NULL; + cid->rawCertIdSize = 0; + } + + if (cid != NULL) { + cid->rawCertId = (byte*)XMALLOC(length + 1, NULL, DYNAMIC_TYPE_OPENSSL); + if (cid->rawCertId != NULL) { + XMEMCPY(cid->rawCertId, *derIn, length); + cid->rawCertIdSize = length; + + /* Per spec. advance past the data that is being returned + * to the caller. */ + *cidOut = cid; + *derIn = *derIn + length; + + return cid; + } + } + } + + if (cid && (!cidOut || cid != *cidOut)) { + XFREE(cid, NULL, DYNAMIC_TYPE_OPENSSL); + } + + return NULL; +} + const WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_SINGLERESP_get0_id(const WOLFSSL_OCSP_SINGLERESP *single) { return single; diff --git a/src/x509.c b/src/x509.c index 9a40ca74f..68b1f9704 100644 --- a/src/x509.c +++ b/src/x509.c @@ -7595,7 +7595,7 @@ int wolfSSL_X509_CRL_get_signature_nid(const WOLFSSL_X509_CRL* crl) } /* Retrieve signature from CRL - * return WOLFSSL_SUCCESS on success + * return WOLFSSL_SUCCESS on success and negative values on failure */ int wolfSSL_X509_CRL_get_signature(WOLFSSL_X509_CRL* crl, unsigned char* buf, int* bufSz) 
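Review bot: When wolfSSL_d2i_OCSP_CERTID allocates the WOLFSSL_OCSP_CERTID itself (the `cid == NULL` branch) it sets only `rawCertId` and `rawCertIdSize`; every other member is left indeterminate, so any later free routine, OCSP_id_cmp, or code that reads another member of the object gets garbage. Add `XMEMSET(cid, 0, sizeof(*cid));` immediately after the successful XMALLOC (the caller-supplied path already depends on the caller having zeroed the object, as the new test does). The function also does not decode anything: it copies `length` bytes verbatim and advances `*derIn` by `length`, whereas an OpenSSL-style d2i consumes exactly one DER element and leaves trailing bytes in the buffer, so a caller passing a larger buffer gets a rawCertId with a trailer that will never compare equal; at minimum check that the first byte is a SEQUENCE tag whose encoded length matches `length`, and document that the buffer must hold exactly one CertID. Finally, `XMALLOC(length + 1, ...)` reserves a byte that is never written or reflected in `rawCertIdSize`; either drop the `+ 1` or NUL-terminate deliberately and say why.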
@@ -7613,7 +7613,7 @@ int wolfSSL_X509_CRL_get_signature(WOLFSSL_X509_CRL* crl, } /* Retrieve serial number from RevokedCert - * return WOLFSSL_SUCCESS on success + * return WOLFSSL_SUCCESS on success and negative values on failure */ int wolfSSL_X509_REVOKED_get_serial_number(RevokedCert* rev, byte* in, int* inOutSz) @@ -7635,8 +7635,32 @@ int wolfSSL_X509_REVOKED_get_serial_number(RevokedCert* rev, return WOLFSSL_SUCCESS; } +const WOLFSSL_ASN1_INTEGER* wolfSSL_X509_REVOKED_get0_serial_number(const + WOLFSSL_X509_REVOKED *rev) +{ + WOLFSSL_ENTER("wolfSSL_X509_REVOKED_get0_serial_number"); + + if (rev != NULL) { + return rev->serialNumber; + } + else + return NULL; +} + +#ifndef NO_WOLFSSL_STUB +const WOLFSSL_ASN1_TIME* wolfSSL_X509_REVOKED_get0_revocation_date(const + WOLFSSL_X509_REVOKED *rev) +{ + WOLFSSL_STUB("wolfSSL_X509_REVOKED_get0_revocation_date"); + + (void) rev; + return NULL; +} +#endif + + /* print serial number out -* return WOLFSSL_SUCCESS on success +* return WOLFSSL_SUCCESS on success */ static int X509RevokedPrintSerial(WOLFSSL_BIO* bio, RevokedCert* rev, int indent) 
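Review bot: wolfSSL_X509_REVOKED_get0_revocation_date is a stub that always returns NULL, yet wolfssl/openssl/ssl.h in this same change maps `X509_REVOKED_get0_revocationDate` to it unconditionally, so OpenSSL-style code that dereferences the returned ASN1_TIME fails at runtime rather than at build time; either implement it from the revoked entry's data or keep the compatibility macro out until it is implemented, and put `/* not implemented: always returns NULL */` on the stub beyond the WOLFSSL_STUB trace. wolfSSL_X509_REVOKED_get0_serial_number returns `rev->serialNumber` from a `WOLFSSL_X509_REVOKED`, while its sibling wolfSSL_X509_REVOKED_get_serial_number a few lines above operates on `RevokedCert`; confirm that what X509_CRL_get_REVOKED hands out is really the former with `serialNumber` populated, since nothing visible here shows that conversion. Style: both new functions use an unbraced `else` after a braced `if`; `else { return NULL; }` matches the surrounding code.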
@@ -8015,23 +8039,25 @@ void wolfSSL_X509_CRL_free(WOLFSSL_X509_CRL *crl) #endif /* HAVE_CRL && (OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL) */ #ifdef OPENSSL_EXTRA -#ifndef NO_WOLFSSL_STUB WOLFSSL_ASN1_TIME* wolfSSL_X509_CRL_get_lastUpdate(WOLFSSL_X509_CRL* crl) { - (void)crl; - WOLFSSL_STUB("X509_CRL_get_lastUpdate"); - return 0; + if ((crl != NULL) && (crl->crlList != NULL) && + (crl->crlList->lastDateAsn1.data[0] != 0)) { + return &crl->crlList->lastDateAsn1; + } + else + return NULL; } -#endif -#ifndef NO_WOLFSSL_STUB + WOLFSSL_ASN1_TIME* wolfSSL_X509_CRL_get_nextUpdate(WOLFSSL_X509_CRL* crl) { - (void)crl; - WOLFSSL_STUB("X509_CRL_get_nextUpdate"); - return 0; + if ((crl != NULL) && (crl->crlList != NULL) && + (crl->crlList->nextDateAsn1.data[0] != 0)) { + return &crl->crlList->nextDateAsn1; + } + else + return NULL; } -#endif - #ifndef NO_WOLFSSL_STUB int wolfSSL_X509_CRL_verify(WOLFSSL_X509_CRL* crl, WOLFSSL_EVP_PKEY* key) diff --git a/tests/api.c b/tests/api.c index 3981e4242..1459c2e80 100644 --- a/tests/api.c +++ b/tests/api.c 
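Review bot: wolfSSL_X509_CRL_get_lastUpdate and wolfSSL_X509_CRL_get_nextUpdate decide whether a date is present by testing `lastDateAsn1.data[0] != 0` / `nextDateAsn1.data[0] != 0`, which only works if the CRL_Entry was zero-filled before InitCRL_Entry ran and a CRL without nextUpdate leaves that buffer untouched; neither is visible here. The crl.c side of this change always stores `length = MAX_DATE_SIZE`, so `length` cannot be used for the test today, but once the entry records the real date length the natural check is `crl->crlList->nextDateAsn1.length > 0`, which also makes a nextUpdate-less CRL (permitted by RFC 5280) return NULL as OpenSSL does. Both getters look only at the head of `crlList`; if that list can hold more than one entry, add a comment saying why the first one is the right CRL for this X509_CRL. The returned pointer aliases the entry's storage and is non-const even though `X509_CRL_get0_lastUpdate` is mapped to it, so a comment stating that the caller must neither modify nor free the result is worth adding.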
@@ -48439,6 +48439,73 @@ static int test_wolfSSL_i2d_OCSP_CERTID(void) return 0; } +static int test_wolfSSL_d2i_OCSP_CERTID(void) +{ +#if (defined(OPENSSL_ALL) || defined(WOLFSSL_HAPROXY)) && defined(HAVE_OCSP) + WOLFSSL_OCSP_CERTID* certId; + WOLFSSL_OCSP_CERTID* certIdBad; + const unsigned char* rawCertIdPtr; + + const unsigned char rawCertId[] = { + 0x30, 0x49, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, + 0x00, 0x04, 0x14, 0x80, 0x51, 0x06, 0x01, 0x32, 0xad, 0x9a, 0xc2, 0x7d, + 0x51, 0x87, 0xa0, 0xe8, 0x87, 0xfb, 0x01, 0x62, 0x01, 0x55, 0xee, 0x04, + 0x14, 0x03, 0xde, 0x50, 0x35, 0x56, 0xd1, 0x4c, 0xbb, 0x66, 0xf0, 0xa3, + 0xe2, 0x1b, 0x1b, 0xc3, 0x97, 0xb2, 0x3d, 0xd1, 0x55, 0x02, 0x10, 0x01, + 0xfd, 0xa3, 0xeb, 0x6e, 0xca, 0x75, 0xc8, 0x88, 0x43, 0x8b, 0x72, 0x4b, + 0xcf, 0xbc, 0x91 + }; + + rawCertIdPtr = &rawCertId[0]; + + printf(testingFmt, "wolfSSL_d2i_OCSP_CERTID()"); + + /* If the cert ID is NULL the function should allocate it and copy the + * data to it. */ + certId = NULL; + certId = wolfSSL_d2i_OCSP_CERTID(&certId, &rawCertIdPtr, sizeof(rawCertId)); + + AssertNotNull(certId); + AssertIntEQ(certId->rawCertIdSize, sizeof(rawCertId)); + + XFREE(certId->rawCertId, NULL, DYNAMIC_TYPE_OPENSSL); + XFREE(certId, NULL, DYNAMIC_TYPE_OPENSSL); + + /* If the cert ID is not NULL the function will just copy the data to it. */ + certId = (WOLFSSL_OCSP_CERTID*)XMALLOC(sizeof(*certId), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + XMEMSET(certId, 0, sizeof(*certId)); + + /* Reset rawCertIdPtr since it was push forward in the previous call. */ + rawCertIdPtr = &rawCertId[0]; + certId = wolfSSL_d2i_OCSP_CERTID(&certId, &rawCertIdPtr, sizeof(rawCertId)); + + AssertNotNull(certId); + AssertIntEQ(certId->rawCertIdSize, sizeof(rawCertId)); + + XFREE(certId->rawCertId, NULL, DYNAMIC_TYPE_OPENSSL); + XFREE(certId, NULL, DYNAMIC_TYPE_TMP_BUFFER); + + /* The below tests should fail when passed bad parameters. NULL should + * always be returned. 
*/ + certIdBad = (WOLFSSL_OCSP_CERTID*) 1; + certIdBad = wolfSSL_d2i_OCSP_CERTID(NULL, &rawCertIdPtr, sizeof(rawCertId)); + AssertNull(certIdBad); + + certIdBad = (WOLFSSL_OCSP_CERTID*) 1; + certIdBad = wolfSSL_d2i_OCSP_CERTID(&certId, NULL, sizeof(rawCertId)); + AssertNull(certIdBad); + + certIdBad = (WOLFSSL_OCSP_CERTID*) 1; + certIdBad = wolfSSL_d2i_OCSP_CERTID(&certId, &rawCertIdPtr, 0); + AssertNull(certIdBad); + + printf(resultFmt, passed); +#endif + + return 0; +} + static int test_wolfSSL_OCSP_id_cmp(void) { #if defined(OPENSSL_ALL) && defined(HAVE_OCSP) @@ -59896,6 +59963,7 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_i2d_PrivateKey), TEST_DECL(test_wolfSSL_OCSP_id_get0_info), TEST_DECL(test_wolfSSL_i2d_OCSP_CERTID), + TEST_DECL(test_wolfSSL_d2i_OCSP_CERTID), TEST_DECL(test_wolfSSL_OCSP_id_cmp), TEST_DECL(test_wolfSSL_OCSP_SINGLERESP_get0_id), TEST_DECL(test_wolfSSL_OCSP_single_get0_status), diff --git a/wolfssl/internal.h b/wolfssl/internal.h index c2858b62c..15206793e 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2217,13 +2217,17 @@ struct CRL_Entry { byte nextDate[MAX_DATE_SIZE]; /* next update date */ byte lastDateFormat; /* last date format */ byte nextDateFormat; /* next date format */ +#if defined(OPENSSL_EXTRA) + WOLFSSL_ASN1_TIME lastDateAsn1; /* last date updated */ + WOLFSSL_ASN1_TIME nextDateAsn1; /* next update date */ +#endif #ifdef CRL_STATIC_REVOKED_LIST RevokedCert certs[CRL_MAX_REVOKED_CERTS]; #else - RevokedCert* certs; /* revoked cert list */ + RevokedCert* certs; /* revoked cert list */ #endif - int totalCerts; /* number on list */ - int version; /* version of certficate */ + int totalCerts; /* number on list */ + int version; /* version of certficate */ int verified; byte* toBeSigned; word32 tbsSz; diff --git a/wolfssl/ocsp.h b/wolfssl/ocsp.h index d75e1c1d6..d9ffb6778 100644 --- a/wolfssl/ocsp.h +++ b/wolfssl/ocsp.h 
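Review bot: In the bad-parameter section of test_wolfSSL_d2i_OCSP_CERTID, `&certId` is passed to the function after `certId` was XFREE'd a few lines earlier, so the test hands a dangling pointer to the API under test; today the function rejects a NULL `derIn` and `length == 0` before it touches `*cidOut`, but the test should not depend on that ordering, so add `certId = NULL;` after the second XFREE. The positive cases only check `rawCertIdSize`; they should also verify the bytes and the documented pointer advance, e.g. `AssertIntEQ(XMEMCMP(certId->rawCertId, rawCertId, sizeof(rawCertId)), 0);` and `AssertIntEQ((int)(rawCertIdPtr - rawCertId), (int)sizeof(rawCertId));`, and the negative cases could assert that `rawCertIdPtr` did not move. Freeing via raw XFREE of `rawCertId` and then the struct couples the test to the allocation layout; if a public free routine for WOLFSSL_OCSP_CERTID exists it should be used so the test also covers release.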
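Review bot: The `version` member's comment is re-emitted on the new side of the internal.h hunk with the existing typo, `/* version of certficate */`; since the line is rewritten anyway, make it `/* version of certificate */`. The two new WOLFSSL_ASN1_TIME members mirror `lastDate`/`nextDate` and are filled in crl.c by an XMEMCPY of `MAX_DATE_SIZE` bytes, so `WOLFSSL_ASN1_TIME.data` must be at least that large and the type must be complete where internal.h is parsed; neither is stated, so annotate the members with `/* copies of lastDate/nextDate; data[] must hold MAX_DATE_SIZE bytes */`. Adding members only under OPENSSL_EXTRA also changes the CRL_Entry layout relative to a build without that define, which follows the existing conditional members but matters for anything that shares the struct across configurations.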
@@ -112,6 +112,10 @@ WOLFSSL_API int wolfSSL_i2d_OCSP_REQUEST_bio(WOLFSSL_BIO* out, WOLFSSL_API int wolfSSL_i2d_OCSP_CERTID(WOLFSSL_OCSP_CERTID* id, unsigned char** data); +WOLFSSL_API +WOLFSSL_OCSP_CERTID* wolfSSL_d2i_OCSP_CERTID(WOLFSSL_OCSP_CERTID** cidOut, + const unsigned char** derIn, + int length); WOLFSSL_API const WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_SINGLERESP_get0_id( const WOLFSSL_OCSP_SINGLERESP *single); WOLFSSL_API int wolfSSL_OCSP_id_cmp(WOLFSSL_OCSP_CERTID *a, WOLFSSL_OCSP_CERTID *b); diff --git a/wolfssl/openssl/ocsp.h b/wolfssl/openssl/ocsp.h index a68ddeb25..4b2a4de04 100644 --- a/wolfssl/openssl/ocsp.h +++ b/wolfssl/openssl/ocsp.h @@ -78,6 +78,7 @@ #define i2d_OCSP_REQUEST_bio wolfSSL_i2d_OCSP_REQUEST_bio #define i2d_OCSP_CERTID wolfSSL_i2d_OCSP_CERTID +#define d2i_OCSP_CERTID wolfSSL_d2i_OCSP_CERTID #define OCSP_SINGLERESP_get0_id wolfSSL_OCSP_SINGLERESP_get0_id #define OCSP_id_cmp wolfSSL_OCSP_id_cmp #define OCSP_single_get0_status wolfSSL_OCSP_single_get0_status diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 21fa61416..6a913203f 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -701,9 +701,14 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_ #define X509_CRL_free wolfSSL_X509_CRL_free #define X509_CRL_get_lastUpdate wolfSSL_X509_CRL_get_lastUpdate +#define X509_CRL_get0_lastUpdate wolfSSL_X509_CRL_get_lastUpdate #define X509_CRL_get_nextUpdate wolfSSL_X509_CRL_get_nextUpdate +#define X509_CRL_get0_nextUpdate wolfSSL_X509_CRL_get_nextUpdate #define X509_CRL_verify wolfSSL_X509_CRL_verify #define X509_CRL_get_REVOKED wolfSSL_X509_CRL_get_REVOKED +#define X509_CRL_get_issuer wolfSSL_X509_CRL_get_issuer_name +#define X509_CRL_get_signature_nid wolfSSL_X509_CRL_get_signature_nid +#define X509_CRL_get_version wolfSSL_X509_CRL_version #define X509_load_crl_file wolfSSL_X509_load_crl_file #define X509_get_X509_PUBKEY wolfSSL_X509_get_X509_PUBKEY 
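Review bot: The new wolfSSL_d2i_OCSP_CERTID prototype carries no contract, and its ownership rules are not obvious from the name: when `*cidOut` is NULL the function allocates the object and the caller must free it, when it is non-NULL an existing `rawCertId` is released and replaced, and on success `*derIn` is advanced by `length`. A short comment on the declaration covering those three points, the NULL return on any failure, and the requirement that `length` be the size of exactly one encoded CertID would save callers reading the implementation.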
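Review bot: `X509_CRL_get_version` is mapped to `wolfSSL_X509_CRL_version`, which breaks the `wolfSSL_X509_CRL_get_*` pattern of the neighbouring macros, and neither that function nor `wolfSSL_X509_CRL_get_issuer_name` is declared or defined anywhere in this change, so confirm both exist with the signatures OpenSSL callers expect (`long` for the version, an `X509_NAME *` for the issuer). `X509_CRL_get0_lastUpdate`/`X509_CRL_get0_nextUpdate` resolve to functions returning a non-const pointer into the CRL entry, which is source-compatible with OpenSSL's `const ASN1_TIME *` but invites callers to modify internal state.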
@@ -728,6 +733,9 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_ #define X509_OBJECT_get0_X509 wolfSSL_X509_OBJECT_get0_X509 #define X509_OBJECT_get0_X509_CRL wolfSSL_X509_OBJECT_get0_X509_CRL +#define X509_REVOKED_get0_serialNumber wolfSSL_X509_REVOKED_get0_serial_number +#define X509_REVOKED_get0_revocationDate wolfSSL_X509_REVOKED_get0_revocation_date + #define X509_check_purpose(...) 0 #define OCSP_parse_url wolfSSL_OCSP_parse_url diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 236d4051c..b939b3d50 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -2901,6 +2901,13 @@ WOLFSSL_API int wolfSSL_X509_REVOKED_get_serial_number(RevokedCert* rev, WOLFSSL_API void wolfSSL_X509_CRL_free(WOLFSSL_X509_CRL *crl); #endif +WOLFSSL_API +const WOLFSSL_ASN1_INTEGER* wolfSSL_X509_REVOKED_get0_serial_number(const + WOLFSSL_X509_REVOKED *rev); +WOLFSSL_API +const WOLFSSL_ASN1_TIME* wolfSSL_X509_REVOKED_get0_revocation_date(const + WOLFSSL_X509_REVOKED *rev); + #ifndef NO_FILESYSTEM #ifndef NO_STDIO_FILESYSTEM WOLFSSL_API WOLFSSL_X509*
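Review bot: `X509_REVOKED_get0_revocationDate` is mapped unconditionally to wolfSSL_X509_REVOKED_get0_revocation_date, which in this same change is a WOLFSSL_STUB that always returns NULL and is compiled only `#ifndef NO_WOLFSSL_STUB`; OpenSSL code relying on the revocation date silently gets NULL, and a NO_WOLFSSL_STUB build gets a link failure. Either wrap the define in the same `#ifndef NO_WOLFSSL_STUB` or omit it until the function is implemented, and mark the line with `/* stub: returns NULL */` so readers of the header are not misled.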
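Review bot: The two new WOLFSSL_API declarations are placed after the `#endif` that closes the block holding wolfSSL_X509_CRL_free, so they are visible in every configuration while their definitions in x509.c appear to sit under the `HAVE_CRL && (OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL)` guard (and the revocation_date one additionally under `#ifndef NO_WOLFSSL_STUB`); a caller in another configuration gets an unresolved symbol at link time instead of a compile error. Move the declarations inside that `#if` block next to wolfSSL_X509_CRL_free. Splitting `const` from its type across lines, `(const` / `WOLFSSL_X509_REVOKED *rev)`, is hard to read; break after the opening parenthesis instead, e.g. `const WOLFSSL_ASN1_INTEGER* wolfSSL_X509_REVOKED_get0_serial_number(` followed by `const WOLFSSL_X509_REVOKED* rev);`.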