forked from wolfSSL/wolfssl
Merge pull request #6953 from SKlimaRA/SKlimaRA/enable-ca-false
Enable encoding CA:FALSE with build flag
This commit is contained in:
JacobBarthelmeh
GitHub
57
tests/api.c
57
tests/api.c
@@ -50676,6 +50676,62 @@ static int test_MakeCertWithPathLen(void)
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
|
||||
static int test_MakeCertWithCaFalse(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
#if defined(WOLFSSL_ALLOW_ENCODING_CA_FALSE) && defined(WOLFSSL_CERT_REQ) && \
|
||||
!defined(NO_ASN_TIME) && defined(WOLFSSL_CERT_GEN) && defined(HAVE_ECC)
|
||||
const byte expectedIsCa = 0;
|
||||
Cert cert;
|
||||
DecodedCert decodedCert;
|
||||
byte der[FOURK_BUF];
|
||||
int derSize = 0;
|
||||
WC_RNG rng;
|
||||
ecc_key key;
|
||||
int ret;
|
||||
|
||||
XMEMSET(&rng, 0, sizeof(WC_RNG));
|
||||
XMEMSET(&key, 0, sizeof(ecc_key));
|
||||
XMEMSET(&cert, 0, sizeof(Cert));
|
||||
XMEMSET(&decodedCert, 0, sizeof(DecodedCert));
|
||||
|
||||
ExpectIntEQ(wc_InitRng(&rng), 0);
|
||||
ExpectIntEQ(wc_ecc_init(&key), 0);
|
||||
ExpectIntEQ(wc_ecc_make_key(&rng, 32, &key), 0);
|
||||
ExpectIntEQ(wc_InitCert(&cert), 0);
|
||||
|
||||
(void)XSTRNCPY(cert.subject.country, "US", CTC_NAME_SIZE);
|
||||
(void)XSTRNCPY(cert.subject.state, "state", CTC_NAME_SIZE);
|
||||
(void)XSTRNCPY(cert.subject.locality, "Bozeman", CTC_NAME_SIZE);
|
||||
(void)XSTRNCPY(cert.subject.org, "yourOrgNameHere", CTC_NAME_SIZE);
|
||||
(void)XSTRNCPY(cert.subject.unit, "yourUnitNameHere", CTC_NAME_SIZE);
|
||||
(void)XSTRNCPY(cert.subject.commonName, "www.yourDomain.com",
|
||||
CTC_NAME_SIZE);
|
||||
(void)XSTRNCPY(cert.subject.email, "yourEmail@yourDomain.com",
|
||||
CTC_NAME_SIZE);
|
||||
|
||||
cert.selfSigned = 1;
|
||||
cert.isCA = expectedIsCa;
|
||||
cert.isCaSet = 1;
|
||||
cert.sigType = CTC_SHA256wECDSA;
|
||||
|
||||
ExpectIntGE(wc_MakeCert(&cert, der, FOURK_BUF, NULL, &key, &rng), 0);
|
||||
ExpectIntGE(derSize = wc_SignCert(cert.bodySz, cert.sigType, der,
|
||||
FOURK_BUF, NULL, &key, &rng), 0);
|
||||
|
||||
wc_InitDecodedCert(&decodedCert, der, derSize, NULL);
|
||||
ExpectIntEQ(wc_ParseCert(&decodedCert, CERT_TYPE, NO_VERIFY, NULL), 0);
|
||||
ExpectIntEQ(decodedCert.isCA, expectedIsCa);
|
||||
|
||||
wc_FreeDecodedCert(&decodedCert);
|
||||
ret = wc_ecc_free(&key);
|
||||
ExpectIntEQ(ret, 0);
|
||||
ret = wc_FreeRng(&rng);
|
||||
ExpectIntEQ(ret, 0);
|
||||
#endif
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
|
||||
/*----------------------------------------------------------------------------*
|
||||
| wolfCrypt ECC
|
||||
*----------------------------------------------------------------------------*/
|
||||
@@ -68515,6 +68571,7 @@ TEST_CASE testCases[] = {
|
||||
TEST_DECL(test_wc_ParseCert),
|
||||
TEST_DECL(test_wc_ParseCert_Error),
|
||||
TEST_DECL(test_MakeCertWithPathLen),
|
||||
TEST_DECL(test_MakeCertWithCaFalse),
|
||||
TEST_DECL(test_wc_SetKeyUsage),
|
||||
TEST_DECL(test_wc_SetAuthKeyIdFromPublicKey_ex),
|
||||
TEST_DECL(test_wc_SetSubjectBuffer),
|
||||
|
||||
@@ -96,6 +96,9 @@ ASN Options:
|
||||
cost of taking up more memory. Adds initials, givenname, dnQualifer for
|
||||
example.
|
||||
* WC_ASN_HASH_SHA256: Force use of SHA2-256 for the internal hash ID calcs.
|
||||
* WOLFSSL_ALLOW_ENCODING_CA_FALSE: Allow encoding BasicConstraints CA:FALSE
|
||||
* which is discouraged by X.690 specification - default values shall not
|
||||
* be encoded.
|
||||
*/
|
||||
|
||||
#include <wolfssl/wolfcrypt/error-crypt.h>
|
||||
@@ -18622,7 +18625,8 @@ static int DecodeBasicCaConstraint(const byte* input, int sz, DecodedCert* cert)
|
||||
if ((ret == 0) && (dataASN[BASICCONSASN_IDX_SEQ].length != 0)) {
|
||||
/* Bad encoding when CA Boolean is false
|
||||
* (default when not present). */
|
||||
#ifndef ASN_TEMPLATE_SKIP_ISCA_CHECK
|
||||
#if !defined(ASN_TEMPLATE_SKIP_ISCA_CHECK) && \
|
||||
!defined(WOLFSSL_ALLOW_ENCODING_CA_FALSE)
|
||||
if ((dataASN[BASICCONSASN_IDX_CA].length != 0) && (!isCA)) {
|
||||
WOLFSSL_ERROR_VERBOSE(ASN_PARSE_E);
|
||||
ret = ASN_PARSE_E;
|
||||
@@ -26055,10 +26059,9 @@ static int SetCaWithPathLen(byte* out, word32 outSz, byte pathLen)
|
||||
return (int)sizeof(caPathLenBasicConstASN1);
|
||||
}
|
||||
|
||||
|
||||
/* encode CA basic constraints true
|
||||
/* encode CA basic constraints
|
||||
* return total bytes written */
|
||||
static int SetCa(byte* out, word32 outSz)
|
||||
static int SetCaEx(byte* out, word32 outSz, byte isCa)
|
||||
{
|
||||
/* ASN1->DER sequence for Basic Constraints True */
|
||||
const byte caBasicConstASN1[] = {
|
||||
@@ -26074,9 +26077,20 @@ static int SetCa(byte* out, word32 outSz)
|
||||
|
||||
XMEMCPY(out, caBasicConstASN1, sizeof(caBasicConstASN1));
|
||||
|
||||
if (!isCa) {
|
||||
out[sizeof(caBasicConstASN1)-1] = isCa;
|
||||
}
|
||||
|
||||
return (int)sizeof(caBasicConstASN1);
|
||||
}
|
||||
|
||||
/* encode CA basic constraints true
|
||||
* return total bytes written */
|
||||
static int SetCa(byte* out, word32 outSz)
|
||||
{
|
||||
return SetCaEx(out, outSz, 1);
|
||||
}
|
||||
|
||||
/* encode basic constraints without CA Boolean
|
||||
* return total bytes written */
|
||||
static int SetBC(byte* out, word32 outSz)
|
||||
@@ -27827,6 +27841,13 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz,
|
||||
dataASN[CERTEXTSASN_IDX_BC_PATHLEN].noOut = 1;
|
||||
}
|
||||
}
|
||||
#ifdef WOLFSSL_ALLOW_ENCODING_CA_FALSE
|
||||
else if (cert->isCaSet) {
|
||||
SetASN_Boolean(&dataASN[CERTEXTSASN_IDX_BC_CA], 0);
|
||||
SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_BC_OID], bcOID, sizeof(bcOID));
|
||||
dataASN[CERTEXTSASN_IDX_BC_PATHLEN].noOut = 1;
|
||||
}
|
||||
#endif
|
||||
else if (cert->basicConstSet) {
|
||||
/* Set Basic Constraints to be a non Certificate Authority. */
|
||||
SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_BC_OID], bcOID, sizeof(bcOID));
|
||||
@@ -28475,7 +28496,17 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
|
||||
|
||||
der->extensionsSz += der->caSz;
|
||||
}
|
||||
#ifdef WOLFSSL_ALLOW_ENCODING_CA_FALSE
|
||||
/* Set CA */
|
||||
else if (cert->isCaSet) {
|
||||
der->caSz = SetCaEx(der->ca, sizeof(der->ca), cert->isCA);
|
||||
if (der->caSz <= 0)
|
||||
return EXTENSIONS_E;
|
||||
|
||||
der->extensionsSz += der->caSz;
|
||||
}
|
||||
#endif
|
||||
/* Set CA true */
|
||||
else if (cert->isCA) {
|
||||
der->caSz = SetCa(der->ca, sizeof(der->ca));
|
||||
if (der->caSz <= 0)
|
||||
@@ -29873,7 +29904,17 @@ static int EncodeCertReq(Cert* cert, DerCert* der, RsaKey* rsaKey,
|
||||
|
||||
der->extensionsSz += der->caSz;
|
||||
}
|
||||
#ifdef WOLFSSL_ALLOW_ENCODING_CA_FALSE
|
||||
/* Set CA */
|
||||
else if (cert->isCaSet) {
|
||||
der->caSz = SetCaEx(der->ca, sizeof(der->ca), cert->isCA);
|
||||
if (der->caSz <= 0)
|
||||
return EXTENSIONS_E;
|
||||
|
||||
der->extensionsSz += der->caSz;
|
||||
}
|
||||
#endif
|
||||
/* Set CA true */
|
||||
else if (cert->isCA) {
|
||||
der->caSz = SetCa(der->ca, sizeof(der->ca));
|
||||
if (der->caSz <= 0)
|
||||
|
||||
@@ -530,6 +530,9 @@ typedef struct Cert {
|
||||
byte* der; /* Pointer to buffer of current DecodedCert cache */
|
||||
void* heap; /* heap hint */
|
||||
byte basicConstSet:1; /* Indicator for when Basic Constraint is set */
|
||||
#ifdef WOLFSSL_ALLOW_ENCODING_CA_FALSE
|
||||
byte isCaSet:1; /* Indicator for when isCA is set */
|
||||
#endif
|
||||
byte pathLenSet:1; /* Indicator for when path length is set */
|
||||
#ifdef WOLFSSL_ALT_NAMES
|
||||
byte altNamesCrit:1; /* Indicator of criticality of SAN extension */
|
||||
|
||||
Reference in New Issue
Block a user