Merge pull request #6953 from SKlimaRA/SKlimaRA/enable-ca-false

Enable encoding CA:FALSE with build flag
JacobBarthelmeh
2023-11-20 15:03:14 -07:00
committed by GitHub
3 changed files with 105 additions and 4 deletions


@@ -50676,6 +50676,62 @@ static int test_MakeCertWithPathLen(void)
return EXPECT_RESULT(); return EXPECT_RESULT();
} }
static int test_MakeCertWithCaFalse(void)
{
EXPECT_DECLS;
#if defined(WOLFSSL_ALLOW_ENCODING_CA_FALSE) && defined(WOLFSSL_CERT_REQ) && \
!defined(NO_ASN_TIME) && defined(WOLFSSL_CERT_GEN) && defined(HAVE_ECC)
const byte expectedIsCa = 0;
Cert cert;
DecodedCert decodedCert;
byte der[FOURK_BUF];
int derSize = 0;
WC_RNG rng;
ecc_key key;
int ret;
XMEMSET(&rng, 0, sizeof(WC_RNG));
XMEMSET(&key, 0, sizeof(ecc_key));
XMEMSET(&cert, 0, sizeof(Cert));
XMEMSET(&decodedCert, 0, sizeof(DecodedCert));
ExpectIntEQ(wc_InitRng(&rng), 0);
ExpectIntEQ(wc_ecc_init(&key), 0);
ExpectIntEQ(wc_ecc_make_key(&rng, 32, &key), 0);
ExpectIntEQ(wc_InitCert(&cert), 0);
(void)XSTRNCPY(cert.subject.country, "US", CTC_NAME_SIZE);
(void)XSTRNCPY(cert.subject.state, "state", CTC_NAME_SIZE);
(void)XSTRNCPY(cert.subject.locality, "Bozeman", CTC_NAME_SIZE);
(void)XSTRNCPY(cert.subject.org, "yourOrgNameHere", CTC_NAME_SIZE);
(void)XSTRNCPY(cert.subject.unit, "yourUnitNameHere", CTC_NAME_SIZE);
(void)XSTRNCPY(cert.subject.commonName, "www.yourDomain.com",
CTC_NAME_SIZE);
(void)XSTRNCPY(cert.subject.email, "yourEmail@yourDomain.com",
CTC_NAME_SIZE);
cert.selfSigned = 1;
cert.isCA = expectedIsCa;
cert.isCaSet = 1;
cert.sigType = CTC_SHA256wECDSA;
ExpectIntGE(wc_MakeCert(&cert, der, FOURK_BUF, NULL, &key, &rng), 0);
ExpectIntGE(derSize = wc_SignCert(cert.bodySz, cert.sigType, der,
FOURK_BUF, NULL, &key, &rng), 0);
wc_InitDecodedCert(&decodedCert, der, derSize, NULL);
ExpectIntEQ(wc_ParseCert(&decodedCert, CERT_TYPE, NO_VERIFY, NULL), 0);
ExpectIntEQ(decodedCert.isCA, expectedIsCa);
wc_FreeDecodedCert(&decodedCert);
ret = wc_ecc_free(&key);
ExpectIntEQ(ret, 0);
ret = wc_FreeRng(&rng);
ExpectIntEQ(ret, 0);
#endif
return EXPECT_RESULT();
}
/*----------------------------------------------------------------------------* /*----------------------------------------------------------------------------*
| wolfCrypt ECC | wolfCrypt ECC
*----------------------------------------------------------------------------*/ *----------------------------------------------------------------------------*/
@@ -68515,6 +68571,7 @@ TEST_CASE testCases[] = {
TEST_DECL(test_wc_ParseCert), TEST_DECL(test_wc_ParseCert),
TEST_DECL(test_wc_ParseCert_Error), TEST_DECL(test_wc_ParseCert_Error),
TEST_DECL(test_MakeCertWithPathLen), TEST_DECL(test_MakeCertWithPathLen),
TEST_DECL(test_MakeCertWithCaFalse),
TEST_DECL(test_wc_SetKeyUsage), TEST_DECL(test_wc_SetKeyUsage),
TEST_DECL(test_wc_SetAuthKeyIdFromPublicKey_ex), TEST_DECL(test_wc_SetAuthKeyIdFromPublicKey_ex),
TEST_DECL(test_wc_SetSubjectBuffer), TEST_DECL(test_wc_SetSubjectBuffer),
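Review bot: The final assertion in test_MakeCertWithCaFalse, `ExpectIntEQ(decodedCert.isCA, expectedIsCa);`, would also pass if wc_MakeCert omitted BasicConstraints altogether, because a certificate without the extension presumably decodes with isCA equal to 0 as well. The test therefore does not show that CA:FALSE was actually written to the DER. It should also assert that the parsed certificate reports the extension as present, or compare the encoded bytes against the expected BasicConstraints sequence. The guard requires WOLFSSL_CERT_REQ, yet only the wc_MakeCert path is exercised, so the matching branch added to the certificate-request encoder has no coverage here.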


@@ -96,6 +96,9 @@ ASN Options:
cost of taking up more memory. Adds initials, givenname, dnQualifer for cost of taking up more memory. Adds initials, givenname, dnQualifer for
example. example.
* WC_ASN_HASH_SHA256: Force use of SHA2-256 for the internal hash ID calcs. * WC_ASN_HASH_SHA256: Force use of SHA2-256 for the internal hash ID calcs.
* WOLFSSL_ALLOW_ENCODING_CA_FALSE: Allow encoding BasicConstraints CA:FALSE
* which is discouraged by X.690 specification - default values shall not
* be encoded.
*/ */
#include <wolfssl/wolfcrypt/error-crypt.h> #include <wolfssl/wolfcrypt/error-crypt.h>
@@ -18622,7 +18625,8 @@ static int DecodeBasicCaConstraint(const byte* input, int sz, DecodedCert* cert)
if ((ret == 0) && (dataASN[BASICCONSASN_IDX_SEQ].length != 0)) { if ((ret == 0) && (dataASN[BASICCONSASN_IDX_SEQ].length != 0)) {
/* Bad encoding when CA Boolean is false /* Bad encoding when CA Boolean is false
* (default when not present). */ * (default when not present). */
#ifndef ASN_TEMPLATE_SKIP_ISCA_CHECK #if !defined(ASN_TEMPLATE_SKIP_ISCA_CHECK) && \
!defined(WOLFSSL_ALLOW_ENCODING_CA_FALSE)
if ((dataASN[BASICCONSASN_IDX_CA].length != 0) && (!isCA)) { if ((dataASN[BASICCONSASN_IDX_CA].length != 0) && (!isCA)) {
WOLFSSL_ERROR_VERBOSE(ASN_PARSE_E); WOLFSSL_ERROR_VERBOSE(ASN_PARSE_E);
ret = ASN_PARSE_E; ret = ASN_PARSE_E;
@@ -26055,10 +26059,9 @@ static int SetCaWithPathLen(byte* out, word32 outSz, byte pathLen)
return (int)sizeof(caPathLenBasicConstASN1); return (int)sizeof(caPathLenBasicConstASN1);
} }
/* encode CA basic constraints
/* encode CA basic constraints true
* return total bytes written */ * return total bytes written */
static int SetCa(byte* out, word32 outSz) static int SetCaEx(byte* out, word32 outSz, byte isCa)
{ {
/* ASN1->DER sequence for Basic Constraints True */ /* ASN1->DER sequence for Basic Constraints True */
const byte caBasicConstASN1[] = { const byte caBasicConstASN1[] = {
@@ -26074,9 +26077,20 @@ static int SetCa(byte* out, word32 outSz)
XMEMCPY(out, caBasicConstASN1, sizeof(caBasicConstASN1)); XMEMCPY(out, caBasicConstASN1, sizeof(caBasicConstASN1));
if (!isCa) {
out[sizeof(caBasicConstASN1)-1] = isCa;
}
return (int)sizeof(caBasicConstASN1); return (int)sizeof(caBasicConstASN1);
} }
/* encode CA basic constraints true
* return total bytes written */
static int SetCa(byte* out, word32 outSz)
{
return SetCaEx(out, outSz, 1);
}
/* encode basic constraints without CA Boolean /* encode basic constraints without CA Boolean
* return total bytes written */ * return total bytes written */
static int SetBC(byte* out, word32 outSz) static int SetBC(byte* out, word32 outSz)
@@ -27827,6 +27841,13 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz,
dataASN[CERTEXTSASN_IDX_BC_PATHLEN].noOut = 1; dataASN[CERTEXTSASN_IDX_BC_PATHLEN].noOut = 1;
} }
} }
#ifdef WOLFSSL_ALLOW_ENCODING_CA_FALSE
else if (cert->isCaSet) {
SetASN_Boolean(&dataASN[CERTEXTSASN_IDX_BC_CA], 0);
SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_BC_OID], bcOID, sizeof(bcOID));
dataASN[CERTEXTSASN_IDX_BC_PATHLEN].noOut = 1;
}
#endif
else if (cert->basicConstSet) { else if (cert->basicConstSet) {
/* Set Basic Constraints to be a non Certificate Authority. */ /* Set Basic Constraints to be a non Certificate Authority. */
SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_BC_OID], bcOID, sizeof(bcOID)); SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_BC_OID], bcOID, sizeof(bcOID));
@@ -28475,7 +28496,17 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
der->extensionsSz += der->caSz; der->extensionsSz += der->caSz;
} }
#ifdef WOLFSSL_ALLOW_ENCODING_CA_FALSE
/* Set CA */ /* Set CA */
else if (cert->isCaSet) {
der->caSz = SetCaEx(der->ca, sizeof(der->ca), cert->isCA);
if (der->caSz <= 0)
return EXTENSIONS_E;
der->extensionsSz += der->caSz;
}
#endif
/* Set CA true */
else if (cert->isCA) { else if (cert->isCA) {
der->caSz = SetCa(der->ca, sizeof(der->ca)); der->caSz = SetCa(der->ca, sizeof(der->ca));
if (der->caSz <= 0) if (der->caSz <= 0)
@@ -29873,7 +29904,17 @@ static int EncodeCertReq(Cert* cert, DerCert* der, RsaKey* rsaKey,
der->extensionsSz += der->caSz; der->extensionsSz += der->caSz;
} }
#ifdef WOLFSSL_ALLOW_ENCODING_CA_FALSE
/* Set CA */ /* Set CA */
else if (cert->isCaSet) {
der->caSz = SetCaEx(der->ca, sizeof(der->ca), cert->isCA);
if (der->caSz <= 0)
return EXTENSIONS_E;
der->extensionsSz += der->caSz;
}
#endif
/* Set CA true */
else if (cert->isCA) { else if (cert->isCA) {
der->caSz = SetCa(der->ca, sizeof(der->ca)); der->caSz = SetCa(der->ca, sizeof(der->ca));
if (der->caSz <= 0) if (der->caSz <= 0)
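Review bot: In the DecodeBasicCaConstraint hunk, defining WOLFSSL_ALLOW_ENCODING_CA_FALSE also compiles out the check that returns ASN_PARSE_E for an explicitly encoded CA:FALSE, so the flag relaxes parsing of certificates received from other parties and not only what this build emits. The option text added under "ASN Options" describes encoding alone and should state the decoding effect too, for example `Also disables the ASN_PARSE_E check for an explicit CA:FALSE when decoding.` If strict decoding is meant to stay available to builds that only want to emit CA:FALSE, the two behaviours need separate macros. In the SetCaEx hunk the retained comment `/* ASN1->DER sequence for Basic Constraints True */` no longer matches a function that can also write FALSE; the function bodies continue outside the hunks shown.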


@@ -530,6 +530,9 @@ typedef struct Cert {
byte* der; /* Pointer to buffer of current DecodedCert cache */ byte* der; /* Pointer to buffer of current DecodedCert cache */
void* heap; /* heap hint */ void* heap; /* heap hint */
byte basicConstSet:1; /* Indicator for when Basic Constraint is set */ byte basicConstSet:1; /* Indicator for when Basic Constraint is set */
#ifdef WOLFSSL_ALLOW_ENCODING_CA_FALSE
byte isCaSet:1; /* Indicator for when isCA is set */
#endif
byte pathLenSet:1; /* Indicator for when path length is set */ byte pathLenSet:1; /* Indicator for when path length is set */
#ifdef WOLFSSL_ALT_NAMES #ifdef WOLFSSL_ALT_NAMES
byte altNamesCrit:1; /* Indicator of criticality of SAN extension */ byte altNamesCrit:1; /* Indicator of criticality of SAN extension */
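Review bot: The new `isCaSet` bit exists only when WOLFSSL_ALLOW_ENCODING_CA_FALSE is defined, so the layout of `Cert` now depends on that macro, and an application compiled without it may disagree with the library about the bit-fields that follow. The field comment should state the effect rather than restate the name, for example `/* When set, isCA is encoded explicitly, including CA:FALSE */`. It is also worth noting there that callers assign the field directly, as the new test does with `cert.isCaSet = 1;`. The struct definition starts and ends outside this hunk.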