diff --git a/tests/api.c b/tests/api.c
index 9caf14b41..abc90b640 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -1727,9 +1727,13 @@ static void test_wolfSSL_CertManagerNameConstraint2(void)
 wolfSSL_X509_sign(x509, priv, EVP_sha256());
 #endif
 AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
+#ifndef WOLFSSL_NO_ASN_STRICT
 AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
 WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E);
-
+#else
+ AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
+ WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
+#endif
 /* check that it still fails if one bad altname and one good altname is in
 * the certificate */
@@ -1748,8 +1752,13 @@ static void test_wolfSSL_CertManagerNameConstraint2(void)
 wolfSSL_X509_sign(x509, priv, EVP_sha256());
 #endif
 AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
+#ifndef WOLFSSL_NO_ASN_STRICT
 AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
 WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E);
+#else
+ AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
+ WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
+#endif
 /* check it fails with switching position of bad altname */
 wolfSSL_X509_free(x509);
@@ -1767,8 +1776,13 @@ static void test_wolfSSL_CertManagerNameConstraint2(void)
 wolfSSL_X509_sign(x509, priv, EVP_sha256());
 #endif
 AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
+#ifndef WOLFSSL_NO_ASN_STRICT
 AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
 WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E);
+#else
+ AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
+ WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
+#endif
 wolfSSL_CertManagerFree(cm);
 wolfSSL_X509_free(x509);
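Review bot: The comments next to these assertions still say the verification fails (`/* check it fails with switching position of bad altname */` and the one before it), but under `WOLFSSL_NO_ASN_STRICT` the new `#else` branches in test_wolfSSL_CertManagerNameConstraint2 expect `WOLFSSL_SUCCESS` for the same certificates. Because that pins acceptance of a certificate the strict build rejects with `ASN_NAME_INVALID_E`, I would add a comment at the first `#else`, along the lines of `/* non-strict ASN build: the check that yields ASN_NAME_INVALID_E is skipped, so verification succeeds */` (wording to be confirmed against asn.c), so the relaxed result is not read as the intended one. The same `#ifndef`/`#else`/`#endif` block is repeated in the hunks at 1748, 1767 and 1795; defining the expected return value once near the top of the function would keep the four sites from drifting apart. The function body starts and ends outside these hunks.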
@@ -1795,8 +1809,13 @@ static void test_wolfSSL_CertManagerNameConstraint2(void)
 wolfSSL_X509_sign(x509, priv, EVP_sha256());
 #endif
 AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
+#ifndef WOLFSSL_NO_ASN_STRICT
 AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
 WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E);
+#else
+ AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
+ WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
+#endif
 wolfSSL_CertManagerFree(cm);
 wolfSSL_X509_free(x509);
 wolfSSL_X509_free(ca);
@@ -8542,7 +8561,7 @@ static void test_wolfSSL_URI(void)
 wolfSSL_FreeX509(x509);
 x509 = wolfSSL_X509_load_certificate_file(badUri, WOLFSSL_FILETYPE_PEM);
-#ifndef IGNORE_NAME_CONSTRAINTS
+#if !defined(IGNORE_NAME_CONSTRAINTS) && !defined(WOLFSSL_NO_ASN_STRICT)
 AssertNull(x509);
 #else
 AssertNotNull(x509);
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 9ce3e4c85..08d50dd75 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -13501,7 +13501,7 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
 int permittedDns = 0;
 base = signer->permittedNames;
 do {
- /* Looking for perrmittedNames that are for DNS. */
+ /* Looking for permittedNames that are for DNS. */
 if (base->type == ASN_DNS_TYPE) {
 permittedDns = 1;
 matchDns = MatchBaseName(ASN_DNS_TYPE,
@@ -13509,8 +13509,7 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
 base->name, base->nameSz);
 }
 base = base->next;
- }
- while (base != NULL && !matchDns);
+ } while (base != NULL && !matchDns);
 /* If we found an DNS type permittedName then name must have had a
 * match. */
 if (permittedDns && !matchDns)
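Review bot: In test_wolfSSL_URI (tests/api.c, hunk at 8542) the `#else` branch now also covers `WOLFSSL_NO_ASN_STRICT` builds, so `AssertNotNull(x509)` asserts that the certificate loaded from `badUri` is accepted whenever strict ASN checking is off. A one-line comment above the `#if`, for example `/* the bad URI is only rejected when name constraints and strict ASN checks are both enabled */`, would make clear that this is a relaxed-build expectation and not the desired outcome. The closing `#endif` is outside the hunk.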
@@ -13529,7 +13528,7 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
 int permittedEmail = 0;
 base = signer->permittedNames;
 do {
- /* Looking for perrmittedNames that are for email. */
+ /* Looking for permittedNames that are for email. */
 if (base->type == ASN_RFC822_TYPE) {
 permittedEmail = 1;
 matchEmail = MatchBaseName(ASN_DNS_TYPE,
@@ -13537,8 +13536,7 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
 base->name, base->nameSz);
 }
 base = base->next;
- }
- while ((base != NULL) && !matchEmail);
+ } while ((base != NULL) && !matchEmail);
 /* If we found an email type permittedName then name must have had a
 * match. */
 if (permittedEmail && !matchEmail)
@@ -13556,7 +13554,7 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
 permittedDir = 0;
 base = signer->permittedNames;
 while (base != NULL && !matchDir) {
- /* Looking for perrmittedNames that are for directoryName. */
+ /* Looking for permittedNames that are for directoryName. */
 if (base->type == ASN_DIR_TYPE) {
 permittedDir = 1;
 if (cert->subjectRawLen >= base->nameSz &&
@@ -13586,15 +13584,14 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
 int matchAltDir = 0;
 base = signer->permittedNames;
 do {
- /* Looking for perrmittedNames that are for directoryName. */
+ /* Looking for permittedNames that are for directoryName. */
 if (base->type == ASN_DIR_TYPE) {
 if (XMEMCMP(name->name, base->name, base->nameSz) == 0) {
 matchAltDir = 1;
 }
 }
 base = base->next;
- }
- while ((base != NULL) && !matchAltDir);
+ } while ((base != NULL) && !matchAltDir);
 /* If we found an dir name type permittedName then name must have
 * had a match. */
 if (permittedDir && !matchAltDir)
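Review bot: In the hunk at 13529 of wolfcrypt/src/asn.c, the branch guarded by `if (base->type == ASN_RFC822_TYPE)` calls `MatchBaseName(ASN_DNS_TYPE,` for the email constraint. MatchBaseName is not shown here, so this may be deliberate, but if it matches differently per type then email permittedNames are being compared under DNS rules, and `matchEmail = MatchBaseName(ASN_RFC822_TYPE,` looks like what was meant. If the DNS type is intended, a short comment saying why would stop the next reader from flagging it again. The call's remaining arguments fall between this hunk and the next one.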
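Review bot: In the last hunk (13586), `XMEMCMP(name->name, base->name, base->nameSz)` compares `base->nameSz` bytes with no visible check that the alt name is at least that long, whereas the subject check in the hunk at 13556 opens its condition with `cert->subjectRawLen >= base->nameSz &&`. Unless the length is validated before this loop, outside the hunk, a directoryName alt name shorter than the constraint could be read past its end. I would add the same kind of length guard on the alt-name entry in front of the XMEMCMP. The enclosing loop over alt names starts outside the hunk.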