feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Fix loading of CRLs and certs.

Browse Source 
Change function wolfSSL_X509_LOOKUP_load_file to load multiple CRLs and
certificates from a file.
Change CRL loading to have a flag to not verify CRL signature - only do
this when using wolfSSL_X509_LOOKUP_load_file() as the certificate is
not always available.
Add test case for loading multiple CRLs in one file without certificate.
This commit is contained in:
Sean Parkinson
2017-04-07 09:44:09 +10:00
committed by Sean Parkinson
parent 3297280e62
commit 4d77e80d04
8 changed files with 153 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

80
certs/crl/crl2.pem Normal file
View File

@@ -0,0 +1,80 @@
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
Last Update: Aug 11 20:07:38 2016 GMT
Next Update: May 8 20:07:38 2019 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 02
Revocation Date: Aug 11 20:07:38 2016 GMT
Signature Algorithm: sha256WithRSAEncryption
35:c6:7f:57:9a:e5:86:5a:15:1a:e2:e5:2b:9f:54:79:2a:58:
51:a2:12:0c:4e:53:58:eb:99:e3:c2:ee:2b:d7:23:e4:3c:4d:
0a:ab:ae:71:9b:ce:b1:c1:75:a1:b6:e5:32:5f:10:b0:72:28:
2e:74:b1:99:dd:47:53:20:f6:9a:83:5c:bd:20:b0:aa:df:32:
f6:95:54:98:9e:59:96:55:7b:0a:74:be:94:66:44:b7:32:82:
f0:eb:16:f8:30:86:16:9f:73:43:98:82:b5:5e:ad:58:c0:c8:
79:da:ad:b1:b4:d7:fb:34:c1:cc:3a:67:af:a4:56:5a:70:5c:
2d:1f:73:16:78:92:01:06:e3:2c:fb:f1:ba:d5:8f:f9:be:dd:
e1:4a:ce:de:ca:e6:2d:96:09:24:06:40:9e:10:15:2e:f2:cd:
85:d6:84:88:db:9c:4a:7b:75:7a:06:0e:40:02:20:60:7e:91:
f7:92:53:1e:34:7a:ea:ee:df:e7:cd:a8:9e:a6:61:b4:56:50:
4d:dc:b1:78:0d:86:cf:45:c3:a6:0a:b9:88:2c:56:a7:b1:d3:
d3:0d:44:aa:93:a4:05:4d:ce:9f:01:b0:c6:1e:e4:ea:6b:92:
6f:93:dd:98:cf:fb:1d:06:72:ac:d4:99:e7:f2:b4:11:57:bd:
9d:63:e5:dc
-----BEGIN X509 CRL-----
MIICBDCB7QIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMxEDAOBgNV
BAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rvb3Ro
MRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x
HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTE2MDgxMTIwMDczOFoX
DTE5MDUwODIwMDczOFowFDASAgECFw0xNjA4MTEyMDA3MzhaoA4wDDAKBgNVHRQE
AwIBATANBgkqhkiG9w0BAQsFAAOCAQEANcZ/V5rlhloVGuLlK59UeSpYUaISDE5T
WOuZ48LuK9cj5DxNCquucZvOscF1obblMl8QsHIoLnSxmd1HUyD2moNcvSCwqt8y
9pVUmJ5ZllV7CnS+lGZEtzKC8OsW+DCGFp9zQ5iCtV6tWMDIedqtsbTX+zTBzDpn
r6RWWnBcLR9zFniSAQbjLPvxutWP+b7d4UrO3srmLZYJJAZAnhAVLvLNhdaEiNuc
Snt1egYOQAIgYH6R95JTHjR66u7f582onqZhtFZQTdyxeA2Gz0XDpgq5iCxWp7HT
0w1EqpOkBU3OnwGwxh7k6muSb5PdmM/7HQZyrNSZ5/K0EVe9nWPl3A==
-----END X509 CRL-----
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=Programming-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
Last Update: Aug 11 20:07:38 2016 GMT
Next Update: May 8 20:07:38 2019 GMT
CRL extensions:
X509v3 CRL Number:
3
No Revoked Certificates.
Signature Algorithm: sha256WithRSAEncryption
14:85:d5:c8:db:62:74:48:94:5e:dc:52:0f:5e:43:8b:29:83:
32:e0:7a:4c:5c:76:e3:7e:c1:87:74:40:b2:6f:f8:33:4c:2c:
32:08:f0:5f:d9:85:b3:20:05:34:5d:15:4d:ba:45:bc:2d:9c:
ae:40:d0:d8:9a:b3:a1:4f:0b:94:ce:c4:23:c6:bf:a2:f8:a6:
02:4c:6d:ad:5a:59:b3:83:55:dd:37:91:f6:75:d4:6f:83:5f:
1c:29:94:cd:01:09:dc:38:d8:6c:c0:9f:1e:76:9d:f9:8f:70:
0d:48:e5:99:82:90:3a:36:f1:33:17:69:73:8a:ee:a7:22:4c:
58:93:a1:dc:59:b9:44:8f:88:99:0b:c4:d3:74:aa:02:9a:84:
36:48:d8:a0:05:73:bc:14:32:1e:76:23:85:c5:94:56:b2:2c:
61:3b:07:d7:bd:0c:27:f7:d7:23:40:bd:0c:6c:c7:e0:f7:28:
74:67:98:20:93:72:16:b6:6e:67:3f:9e:c9:34:c5:64:09:bf:
b1:ab:87:0c:80:b6:1f:89:d8:0e:67:c2:c7:19:df:ee:9f:b2:
e6:fb:64:3d:82:7a:47:e2:8d:a3:93:1d:29:f6:94:db:83:2f:
b6:0a:a0:da:77:e3:56:ec:d7:d2:22:3c:88:4d:4a:87:de:b5:
1c:eb:7b:08
-----BEGIN X509 CRL-----
MIIB+DCB4QIBATANBgkqhkiG9w0BAQsFADCBnjELMAkGA1UEBhMCVVMxEDAOBgNV
BAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZTU0xf
MjA0ODEZMBcGA1UECwwQUHJvZ3JhbW1pbmctMjA0ODEYMBYGA1UEAwwPd3d3Lndv
bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0xNjA4
MTEyMDA3MzhaFw0xOTA1MDgyMDA3MzhaoA4wDDAKBgNVHRQEAwIBAzANBgkqhkiG
9w0BAQsFAAOCAQEAFIXVyNtidEiUXtxSD15DiymDMuB6TFx2437Bh3RAsm/4M0ws
MgjwX9mFsyAFNF0VTbpFvC2crkDQ2JqzoU8LlM7EI8a/ovimAkxtrVpZs4NV3TeR
9nXUb4NfHCmUzQEJ3DjYbMCfHnad+Y9wDUjlmYKQOjbxMxdpc4rupyJMWJOh3Fm5
RI+ImQvE03SqApqENkjYoAVzvBQyHnYjhcWUVrIsYTsH170MJ/fXI0C9DGzH4Pco
dGeYIJNyFrZuZz+eyTTFZAm/sauHDIC2H4nYDmfCxxnf7p+y5vtkPYJ6R+KNo5Md
KfaU24Mvtgqg2nfjVuzX0iI8iE1Kh961HOt7CA==
-----END X509 CRL-----

3
certs/crl/include.am
View File

@@ -6,7 +6,8 @@ EXTRA_DIST += \
certs/crl/crl.pem \ certs/crl/crl.pem \
certs/crl/cliCrl.pem \ certs/crl/cliCrl.pem \
certs/crl/eccSrvCRL.pem \ certs/crl/eccSrvCRL.pem \
certs/crl/eccCliCRL.pem certs/crl/eccCliCRL.pem \
certs/crl/crl2.pem
EXTRA_DIST += \ EXTRA_DIST += \
certs/crl/crl.revoked certs/crl/crl.revoked

5
src/crl.c
View File

@@ -293,7 +293,8 @@ static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl)
/* Load CRL File of type, SSL_SUCCESS on ok */ /* Load CRL File of type, SSL_SUCCESS on ok */
int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type) int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type,
int noVerify)
{ {
int ret = SSL_SUCCESS; int ret = SSL_SUCCESS;
const byte* myBuffer = buff; /* if DER ok, otherwise switch */ const byte* myBuffer = buff; /* if DER ok, otherwise switch */
@@ -336,7 +337,7 @@ int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type)
InitDecodedCRL(dcrl, crl->heap); InitDecodedCRL(dcrl, crl->heap);
ret = ParseCRL(dcrl, myBuffer, (word32)sz, crl->cm); ret = ParseCRL(dcrl, myBuffer, (word32)sz, crl->cm);
if (ret != 0) { if (ret != 0 && !(ret == ASN_CRL_NO_SIGNER_E && noVerify)) {
WOLFSSL_MSG("ParseCRL error"); WOLFSSL_MSG("ParseCRL error");
} }
else { else {

2
src/io.c
View File

@@ -1226,7 +1226,7 @@ int wolfIO_HttpProcessResponseCrl(WOLFSSL_CRL* crl, int sfd, byte* httpBuf,
result = wolfIO_HttpProcessResponse(sfd, "application/pkix-crl", result = wolfIO_HttpProcessResponse(sfd, "application/pkix-crl",
&respBuf, httpBuf, httpBufSz, DYNAMIC_TYPE_CRL, crl->heap); &respBuf, httpBuf, httpBufSz, DYNAMIC_TYPE_CRL, crl->heap);
if (result >= 0) { if (result >= 0) {
result = BufferLoadCRL(crl, respBuf, result, SSL_FILETYPE_ASN1); result = BufferLoadCRL(crl, respBuf, result, SSL_FILETYPE_ASN1, 0);
} }
XFREE(respBuf, crl->heap, DYNAMIC_TYPE_CRL); XFREE(respBuf, crl->heap, DYNAMIC_TYPE_CRL);

50
src/ssl.c
View File

@@ -4833,7 +4833,7 @@ static int ProcessChainBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
NULL) == 0) { NULL) == 0) {
WOLFSSL_MSG(" Proccessed a CRL"); WOLFSSL_MSG(" Proccessed a CRL");
wolfSSL_CertManagerLoadCRLBuffer(ctx->cm, der->buffer, wolfSSL_CertManagerLoadCRLBuffer(ctx->cm, der->buffer,
der->length,SSL_FILETYPE_ASN1); der->length,SSL_FILETYPE_ASN1, 0);
FreeDer(&der); FreeDer(&der);
used += info.consumed; used += info.consumed;
continue; continue;
@@ -4937,7 +4937,7 @@ int wolfSSL_CertManagerLoadCRLBuffer(WOLFSSL_CERT_MANAGER* cm,
} }
} }
return BufferLoadCRL(cm->crl, buff, sz, type); return BufferLoadCRL(cm->crl, buff, sz, type, 0);
} }
@@ -5428,7 +5428,7 @@ int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type,
ret = ProcessChainBuffer(ctx, myBuffer, sz, format, type, ssl); ret = ProcessChainBuffer(ctx, myBuffer, sz, format, type, ssl);
#ifdef HAVE_CRL #ifdef HAVE_CRL
else if (type == CRL_TYPE) else if (type == CRL_TYPE)
ret = BufferLoadCRL(crl, myBuffer, sz, format); ret = BufferLoadCRL(crl, myBuffer, sz, format, 0);
#endif #endif
else else
ret = ProcessBuffer(ctx, myBuffer, sz, format, type, ssl, NULL, ret = ProcessBuffer(ctx, myBuffer, sz, format, type, ssl, NULL,
@@ -14704,6 +14704,8 @@ int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup,
XFILE fp; XFILE fp;
long sz; long sz;
byte* pem = NULL; byte* pem = NULL;
byte* curr = NULL;
byte* prev = NULL;
WOLFSSL_X509* x509; WOLFSSL_X509* x509;
if (type != X509_FILETYPE_PEM) if (type != X509_FILETYPE_PEM)
@@ -14726,23 +14728,51 @@ int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup,
goto end; goto end;
} }
/* Read in file which may be a CRL or certificate. */ /* Read in file which may be CRLs or certificates. */
if (XFREAD(pem, (size_t)sz, 1, fp) != 1) if (XFREAD(pem, (size_t)sz, 1, fp) != 1)
goto end; goto end;
if (XSTRNSTR((char*)pem, BEGIN_X509_CRL, (unsigned int)sz) != NULL) { prev = curr = pem;
do {
if (XSTRNSTR((char*)curr, BEGIN_X509_CRL, (unsigned int)sz) != NULL) {
#ifdef HAVE_CRL #ifdef HAVE_CRL
ret = wolfSSL_CertManagerLoadCRLBuffer(lookup->store->cm, pem, sz, WOLFSSL_CERT_MANAGER* cm = lookup->store->cm;
SSL_FILETYPE_PEM);
#endif if (cm->crl == NULL) {
if (wolfSSL_CertManagerEnableCRL(cm, 0) != SSL_SUCCESS) {
WOLFSSL_MSG("Enable CRL failed");
goto end;
} }
else { }
x509 = wolfSSL_X509_load_certificate_buffer(pem, (int)sz,
ret = BufferLoadCRL(cm->crl, curr, sz, SSL_FILETYPE_PEM, 1);
if (ret != SSL_SUCCESS)
goto end;
#endif
curr = (byte*)XSTRNSTR((char*)curr, END_X509_CRL, (unsigned int)sz);
}
else if (XSTRNSTR((char*)curr, BEGIN_CERT, (unsigned int)sz) != NULL) {
x509 = wolfSSL_X509_load_certificate_buffer(curr, (int)sz,
SSL_FILETYPE_PEM); SSL_FILETYPE_PEM);
if (x509 == NULL) if (x509 == NULL)
goto end; goto end;
ret = wolfSSL_X509_STORE_add_cert(lookup->store, x509); ret = wolfSSL_X509_STORE_add_cert(lookup->store, x509);
wolfSSL_X509_free(x509);
if (ret != SSL_SUCCESS)
goto end;
curr = (byte*)XSTRNSTR((char*)curr, END_CERT, (unsigned int)sz);
} }
else
goto end;
if (curr == NULL)
goto end;
curr++;
sz -= curr - prev;
prev = curr;
}
while (ret == SSL_SUCCESS);
end: end:
if (pem != NULL) if (pem != NULL)

22
tests/api.c
View File

@@ -2752,6 +2752,26 @@ static void test_wolfSSL_X509_STORE_set_flags(void)
!defined(NO_FILESYSTEM) && !defined(NO_RSA) */ !defined(NO_FILESYSTEM) && !defined(NO_RSA) */
} }
static void test_wolfSSL_X509_LOOKUP_load_file(void)
{
#if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && \
!defined(NO_FILESYSTEM) && !defined(NO_RSA)
WOLFSSL_X509_STORE* store;
WOLFSSL_X509_LOOKUP* lookup;
printf(testingFmt, "wolfSSL_X509_LOOKUP_load_file()");
AssertNotNull(store = wolfSSL_X509_STORE_new());
AssertNotNull(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()));
AssertIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/crl/crl2.pem",
X509_FILETYPE_PEM), 1);
wolfSSL_X509_STORE_free(store);
printf(resultFmt, passed);
#endif /* defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && \
!defined(NO_FILESYSTEM) && !defined(NO_RSA) */
}
static void test_wolfSSL_BN(void) static void test_wolfSSL_BN(void)
{ {
@@ -2837,7 +2857,6 @@ static void test_wolfSSL_set_options(void)
!defined(NO_FILESYSTEM) && !defined(NO_RSA) */ !defined(NO_FILESYSTEM) && !defined(NO_RSA) */
} }
static void test_wolfSSL_PEM_read_bio(void) static void test_wolfSSL_PEM_read_bio(void)
{ {
#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \
@@ -3426,6 +3445,7 @@ void ApiTest(void)
test_wolfSSL_CTX_add_extra_chain_cert(); test_wolfSSL_CTX_add_extra_chain_cert();
test_wolfSSL_ERR_peek_last_error_line(); test_wolfSSL_ERR_peek_last_error_line();
test_wolfSSL_X509_STORE_set_flags(); test_wolfSSL_X509_STORE_set_flags();
test_wolfSSL_X509_LOOKUP_load_file();
test_wolfSSL_BN(); test_wolfSSL_BN();
test_wolfSSL_set_options(); test_wolfSSL_set_options();
test_wolfSSL_PEM_read_bio(); test_wolfSSL_PEM_read_bio();

2
wolfssl/crl.h
View File

@@ -38,7 +38,7 @@ WOLFSSL_LOCAL int InitCRL(WOLFSSL_CRL*, WOLFSSL_CERT_MANAGER*);
WOLFSSL_LOCAL void FreeCRL(WOLFSSL_CRL*, int dynamic); WOLFSSL_LOCAL void FreeCRL(WOLFSSL_CRL*, int dynamic);
WOLFSSL_LOCAL int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int mon); WOLFSSL_LOCAL int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int mon);
WOLFSSL_LOCAL int BufferLoadCRL(WOLFSSL_CRL*, const byte*, long, int); WOLFSSL_LOCAL int BufferLoadCRL(WOLFSSL_CRL*, const byte*, long, int, int);
WOLFSSL_LOCAL int CheckCertCRL(WOLFSSL_CRL*, DecodedCert*); WOLFSSL_LOCAL int CheckCertCRL(WOLFSSL_CRL*, DecodedCert*);