diff --git a/certs/renewcerts/wolfssl.cnf b/certs/renewcerts/wolfssl.cnf
index 8a735f690..6c5efb25f 100644
--- a/certs/renewcerts/wolfssl.cnf
+++ b/certs/renewcerts/wolfssl.cnf
@@ -278,7 +278,7 @@ keyUsage=critical, digitalSignature, keyEncipherment, keyAgreement
 extendedKeyUsage=serverAuth
 nsCertType=server
-# server-ecc extensions
+# client-ecc extensions
 [ client_ecc ]
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always
diff --git a/certs/test/cert-ext-ia.cfg b/certs/test/cert-ext-ia.cfg
index 44be1126a..b65f96d01 100644
--- a/certs/test/cert-ext-ia.cfg
+++ b/certs/test/cert-ext-ia.cfg
@@ -10,7 +10,7 @@ L = Brisbane
 O = wolfSSL Inc
 OU = Engineering
 CN = www.wolfssl.com
-emailAddress = support@wolfsssl.com
+emailAddress = support@wolfssl.com
 [ v3_ca ]
 inhibitAnyPolicy = critical,1
diff --git a/certs/test/cert-ext-ia.der b/certs/test/cert-ext-ia.der
index 1893b5cd1..742c68640 100644
Binary files a/certs/test/cert-ext-ia.der and b/certs/test/cert-ext-ia.der differ
diff --git a/certs/test/cert-ext-ia.pem b/certs/test/cert-ext-ia.pem
new file mode 100644
index 000000000..aee9dcc45
--- /dev/null
+++ b/certs/test/cert-ext-ia.pem
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEAzCCAuugAwIBAgIUSu44/nlA6ddYMKuTWT7jAAObXbwwDQYJKoZIhvcNAQEL +BQAwgZ8xCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNsYW5kMREwDwYDVQQH +DAhCcmlzYmFuZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDASBgNVBAsMC0VuZ2lu +ZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xIjAgBgkqhkiG9w0BCQEW +E3N1cHBvcnRAd29sZnNzbC5jb20wHhcNMjExMDI2MTMzMzAzWhcNMjQwNzIyMTMz +MzAzWjCBnzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClF1ZWVuc2xhbmQxETAPBgNV +BAcMCEJyaXNiYW5lMRQwEgYDVQQKDAt3b2xmU1NMIEluYzEUMBIGA1UECwwLRW5n +aW5lZXJpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEiMCAGCSqGSIb3DQEJ +ARYTc3VwcG9ydEB3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAMCVCOFXQfJxbbfSRUEnAWXGRa7yvCQwuJXOL07W9hyIvHyf+6hnf/5c +nFF194rKB+c1L4/hvXvAL3yrZKgX/Mpde7rgIeVyLm8uhtiVc9qsG1O5Xz/XGQ0l +T+FjY1GLC2Q/rUO4pRxcNLOuAKBjxfZ/C1loeHOmjBipAm2vwxkBLrgQ48bMQLRp +o0YzaYduxLsXpvPo3a1zvHsvIbX9ZlEMvVSz4W1fHLwjc9EJA4kU0hC5ZMMq0KGW +Srzh1Bpbx6DAwWN4D0Q3MDKWgDIjlaF3uhPSl3PiXSXJag3DOWCktLBpQkIJ6dgI +vDMgs1gip6rrxOHmYYPF0pbf2dBPrdcCAwEAAaM1MDMwDQYDVR02AQH/BAMCAQEw +IgYJYIZIAYb4QgENBBUWE1Rlc3RpbmcgaW5oaWJpdCBhbnkwDQYJKoZIhvcNAQEL +BQADggEBAEPJZmwD9Lr+f2zp4AT4Yq7C45EBvEjvYHyHqk+QzIhxVF+aT6+gsMtG +irPW0GLjQEZtydpe9GeKvONvQRMEMovNJib/WuFiEKjRMgVGnRVNuL8Fya5RQgMy +lHLOuufqGyw4zpm/BxItMx/ChTWCdLHS3LDxV8lheKaU4FdzgEhutHTGiVoJKbZX +7lge6KTL8MtQ+A11dO5Eo6Yal5PoME/562AOe/0f0OZJQwW6t4XO1r+X5j7YX6dn +MCfc8skCCpro0YM2xE1OYaBTEFXcRYJaEU7U6lvIbWu09lVlzXb1IRdyCxa5xenI +i8/4jRVl9EDP3TBovy4o9BBhDXX4XZ8= +-----END CERTIFICATE----- diff --git a/certs/test/cert-ext-joi.der b/certs/test/cert-ext-joi.der index ec32d755b..77c1f2407 100644 Binary files a/certs/test/cert-ext-joi.der and b/certs/test/cert-ext-joi.der differ diff --git a/certs/test/cert-ext-joi.pem b/certs/test/cert-ext-joi.pem new file mode 100644 index 000000000..4a36256bf --- /dev/null +++ b/certs/test/cert-ext-joi.pem 
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFXDCCBESgAwIBAgIUdtjq13Vf1QryOYup6Qniboz466gwDQYJKoZIhvcNAQEL +BQAwgccxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC +b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEY +MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdv +bGZzc3NsLmNvbTETMBEGCysGAQQBgjc8AgEDEwJVUzEbMBkGCysGAQQBgjc8AgEC +DApDYWxpZm9ybmlhMB4XDTIxMTAyNjEzMzMwM1oXDTI0MDcyMjEzMzMwM1owgccx +CzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFu +MREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UE +AwwPd3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdvbGZzc3Ns +LmNvbTETMBEGCysGAQQBgjc8AgEDEwJVUzEbMBkGCysGAQQBgjc8AgECDApDYWxp +Zm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvwzKLRSyHoRC +W804H0ryTXUQ8bY1n9/KfQOY06zeA2buKvHYsH1uB1QLEJghTYDLEiDnzE/eRX3J +cncy6sqQu2lSEAMvqPOVxfGLYlYb72dvpBBBla0Km+OlwLDScHZQMFuo6AgsfO2n +onqNOCkcrMft8nyVsJWCfUlcOM13Je+9gHVTlDw9ymNbnxW10x0TLxnRPNt2Osy4 +fcnlwtfaQG/YIdxzG0ItU5z+Gvx9q3o2P5jehHwFZ85qFDiHqfGMtWjLaH9xICv1 +oGP1Vi+jJtK3b7FaF9c4mQj+k1hv/sMTSQgWC6dNZwBSMWcjTpjtUUUduQTZC+zY +KLNLve02eQIDAQABo4IBPDCCATgwHQYDVR0OBBYEFCeOZxF0wyYdP+0zY7Ok2B0w +5ejVMIIBBwYDVR0jBIH/MIH8gBQnjmcRdMMmHT/tM2OzpNgdMOXo1aGBzaSByjCB +xzELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVt +YW4xETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYD +VQQDDA93d3cud29sZnNzbC5jb20xIDAeBgkqhkiG9w0BCQEWEWluZm9Ad29sZnNz +c2wuY29tMRMwEQYLKwYBBAGCNzwCAQMTAlVTMRswGQYLKwYBBAGCNzwCAQIMCkNh +bGlmb3JuaWGCFHbY6td1X9UK8jmLqekJ4m6M+OuoMAwGA1UdEwQFMAMBAf8wDQYJ +KoZIhvcNAQELBQADggEBAKCwAqkAY84wjms5rRzLMdJSDBn3hnXyY+A1TctSMoxc +9mgytzwEaYQnMzCpoyC4Dut1RCL7D5ws1MAfBLd3zeMdc4mpIEtqMy2n7UDEP/Kx +6WCg6IRUTr+2ki0f+4egKrpZRdeJgZHhqn2rHP3MzxaLjWoGLbg5MDrX4xOwH+Kb +/yhoHI4ukiWXjP9hUsg1SD6emlK9ws7QeTC8pw2w7ybzIAR6sz+Zc/edcQlpywu1 +FgqqhJ7n1zxrnda1j5Dd3qC5motPGtxigyn+pwEUHmguiwQFsZAePTdTzsdYHrNo +y6g2C3CP8W7IdALiu8vxhMYXCs+6MCo8qkttJg/zoek= +-----END CERTIFICATE----- 
diff --git a/certs/test/cert-ext-mnc.der b/certs/test/cert-ext-mnc.der
index b7df09abb..796f4d4b6 100644
Binary files a/certs/test/cert-ext-mnc.der and b/certs/test/cert-ext-mnc.der differ
diff --git a/certs/test/cert-ext-multiple.cfg b/certs/test/cert-ext-multiple.cfg
new file mode 100644
index 000000000..9fb4ef30d
--- /dev/null
+++ b/certs/test/cert-ext-multiple.cfg
@@ -0,0 +1,24 @@
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+C = AU
+ST = Queensland
+L = Brisbane
+O = wolfSSL Inc
+OU = Engineering
+CN = www.wolfssl.com
+emailAddress = support@wolfssl.com
+postalCode = 56-131
+street = Main St
+
+[ v3_ca ]
+nsCertType = server
+crlDistributionPoints = URI:http://www.wolfssl.com/crl.pem
+extendedKeyUsage = serverAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+
+
diff --git a/certs/test/cert-ext-multiple.der b/certs/test/cert-ext-multiple.der
new file mode 100644
index 000000000..fb44e4c99
Binary files /dev/null and b/certs/test/cert-ext-multiple.der differ
diff --git a/certs/test/cert-ext-multiple.pem b/certs/test/cert-ext-multiple.pem
new file mode 100644
index 000000000..dfe4446bf
--- /dev/null
+++ b/certs/test/cert-ext-multiple.pem
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFmDCCBICgAwIBAgIUIYnKdgsnPTG1eUAZKAmpUcb9N/4wDQYJKoZIhvcNAQEL +BQAwgcIxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNsYW5kMREwDwYDVQQH +DAhCcmlzYmFuZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDASBgNVBAsMC0VuZ2lu +ZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xIjAgBgkqhkiG9w0BCQEW +E3N1cHBvcnRAd29sZnNzbC5jb20xDzANBgNVBBEMBjU2LTEzMTEQMA4GA1UECQwH +TWFpbiBTdDAeFw0yMTEwMjYxMzMzMDNaFw0yNDA3MjIxMzMzMDNaMIHCMQswCQYD +VQQGEwJBVTETMBEGA1UECAwKUXVlZW5zbGFuZDERMA8GA1UEBwwIQnJpc2JhbmUx +FDASBgNVBAoMC3dvbGZTU0wgSW5jMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEYMBYG +A1UEAwwPd3d3LndvbGZzc2wuY29tMSIwIAYJKoZIhvcNAQkBFhNzdXBwb3J0QHdv +bGZzc2wuY29tMQ8wDQYDVQQRDAY1Ni0xMzExEDAOBgNVBAkMB01haW4gU3QwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/DMotFLIehEJbzTgfSvJNdRDx +tjWf38p9A5jTrN4DZu4q8diwfW4HVAsQmCFNgMsSIOfMT95FfclydzLqypC7aVIQ +Ay+o85XF8YtiVhvvZ2+kEEGVrQqb46XAsNJwdlAwW6joCCx87aeieo04KRysx+3y +fJWwlYJ9SVw4zXcl772AdVOUPD3KY1ufFbXTHRMvGdE823Y6zLh9yeXC19pAb9gh +3HMbQi1TnP4a/H2rejY/mN6EfAVnzmoUOIep8Yy1aMtof3EgK/WgY/VWL6Mm0rdv +sVoX1ziZCP6TWG/+wxNJCBYLp01nAFIxZyNOmO1RRR25BNkL7Ngos0u97TZ5AgMB +AAGjggGCMIIBfjARBglghkgBhvhCAQEEBAMCBkAwLwYDVR0fBCgwJjAkoCKgIIYe +aHR0cDovL3d3dy53b2xmc3NsLmNvbS9jcmwucGVtMBMGA1UdJQQMMAoGCCsGAQUF +BwMBMB0GA1UdDgQWBBQnjmcRdMMmHT/tM2OzpNgdMOXo1TCCAQIGA1UdIwSB+jCB +94AUJ45nEXTDJh0/7TNjs6TYHTDl6NWhgcikgcUwgcIxCzAJBgNVBAYTAkFVMRMw +EQYDVQQIDApRdWVlbnNsYW5kMREwDwYDVQQHDAhCcmlzYmFuZTEUMBIGA1UECgwL +d29sZlNTTCBJbmMxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93d3cu +d29sZnNzbC5jb20xIjAgBgkqhkiG9w0BCQEWE3N1cHBvcnRAd29sZnNzbC5jb20x +DzANBgNVBBEMBjU2LTEzMTEQMA4GA1UECQwHTWFpbiBTdIIUIYnKdgsnPTG1eUAZ +KAmpUcb9N/4wDQYJKoZIhvcNAQELBQADggEBABYF8t1yWicD7C0ZktxBMPQ9yJ3I +TBq/PdAJl18OthE33I9lyVmF65AEW4pJS8Xjss+WNs159IJLbKuT3tdiqmBA7V1H +sV03vMnhfdBDF0+zWnsKZF0tw2Gb772P2LiN/YrBc4KktcDqJocEy8D+P4jRVNM6 +toMD7KkzBrv+FU3OjzhP8MfaiIlqsvb4u4qOqi+lLyy6jgUQzrDp99uU986SrybW +ulnisYYRQGGZ0vyAKez8PzoKvodfTUg5lLkkqlBfITnCsI3gHcjyk+uT8F9nSDGy 
+VZGdHNOS++/gbeWwPyJ97gyu65yotc3fL89iM8BrzDSTxADaS18i5afEZFI= +-----END CERTIFICATE----- diff --git a/certs/test/cert-ext-nc.der b/certs/test/cert-ext-nc.der index a390dbfd3..f143b7b1e 100644 Binary files a/certs/test/cert-ext-nc.der and b/certs/test/cert-ext-nc.der differ diff --git a/certs/test/cert-ext-nc.pem b/certs/test/cert-ext-nc.pem new file mode 100644 index 000000000..cded0d188 --- /dev/null +++ b/certs/test/cert-ext-nc.pem 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIENTCCAx2gAwIBAgIUFtCwMsYG2mHNWoLk3+8pf7piWZowDQYJKoZIhvcNAQEL +BQAwezELMAkGA1UEBhMCQVUxEzARBgNVBAgMClF1ZWVuc2xhbmQxETAPBgNVBAcM +CEJyaXNiYW5lMRQwEgYDVQQKDAt3b2xmU1NMIEluYzEUMBIGA1UECwwLRW5naW5l +ZXJpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTAeFw0yMTEwMjYxMzMzMDNa +Fw0yNDA3MjIxMzMzMDNaMHsxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNs +YW5kMREwDwYDVQQHDAhCcmlzYmFuZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDAS +BgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20wggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAlQjhV0HycW230kVBJwFlxkWu +8rwkMLiVzi9O1vYciLx8n/uoZ3/+XJxRdfeKygfnNS+P4b17wC98q2SoF/zKXXu6 +4CHlci5vLobYlXParBtTuV8/1xkNJU/hY2NRiwtkP61DuKUcXDSzrgCgY8X2fwtZ +aHhzpowYqQJtr8MZAS64EOPGzEC0aaNGM2mHbsS7F6bz6N2tc7x7LyG1/WZRDL1U +s+FtXxy8I3PRCQOJFNIQuWTDKtChlkq84dQaW8egwMFjeA9ENzAyloAyI5Whd7oT +0pdz4l0lyWoNwzlgpLSwaUJCCenYCLwzILNYIqeq68Th5mGDxdKW39nQT63XAgMB +AAGjgbAwga0wHQYDVR0OBBYEFLMRMsmSmITiyfjQO24DQsofDo48MB8GA1UdIwQY +MBaAFLMRMsmSmITiyfjQO24DQsofDo48MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYD +VR0PAQH/BAQDAgGGMB4GA1UdHgEB/wQUMBKgEDAOgQwud29sZnNzbC5jb20wJwYJ +YIZIAYb4QgENBBoWGFRlc3RpbmcgbmFtZSBjb25zdHJhaW50czANBgkqhkiG9w0B +AQsFAAOCAQEAgD7lONgXq4cY/e/TP3hNok+ANPOTmwexPgQxYGr3p7lmV9veNLBD +xJE9J6kNb3T4Fge1wuSFFamnJyT5FbOdNn6v/RsCxIOm5snTUM8bXuA5Vw/lCB7C +hccGiOPmEhxD8K+IQqZ4a1Zp6HUHZuPrs99PRt+lWA3M5PJbzpCKzHMiFDGRpkib +RzC466/+V76ln7AtBbOh3w1QXAiHdIA2V40d0iX+q5e+L1X8sFGDvlxeTy+KXLwV +/7fNVLgtDfdP2XO+jwhkQJeoOmpNJDxsvwm7xhouK0L5G87QUtsaIwK9SnR07Aj5 +5LHpvNCgLQHO5nmJyJ13RlEUDfnnaGXCbA== +-----END CERTIFICATE----- diff --git a/certs/test/cert-ext-ncdns.der b/certs/test/cert-ext-ncdns.der index 5222e1523..17f8007b9 100644 Binary files a/certs/test/cert-ext-ncdns.der and b/certs/test/cert-ext-ncdns.der differ diff --git a/certs/test/cert-ext-ncmixed.der b/certs/test/cert-ext-ncmixed.der index a7fad165d..2ad0ea079 100644 Binary files a/certs/test/cert-ext-ncmixed.der and b/certs/test/cert-ext-ncmixed.der differ 
diff --git a/certs/test/cert-ext-nct.cfg b/certs/test/cert-ext-nct.cfg
index fde389bf4..93d3da612 100644
--- a/certs/test/cert-ext-nct.cfg
+++ b/certs/test/cert-ext-nct.cfg
@@ -10,7 +10,7 @@ L = Brisbane
 O = wolfSSL Inc
 OU = Engineering
 CN = www.wolfssl.com
-emailAddress = support@wolfsssl.com
+emailAddress = support@wolfssl.com
 [ v3_ca ]
 nsCertType = critical,server
diff --git a/certs/test/cert-ext-nct.der b/certs/test/cert-ext-nct.der
index fb6ddacee..ad63f1c94 100644
Binary files a/certs/test/cert-ext-nct.der and b/certs/test/cert-ext-nct.der differ
diff --git a/certs/test/cert-ext-nct.pem b/certs/test/cert-ext-nct.pem
new file mode 100644
index 000000000..8337eb604
--- /dev/null
+++ b/certs/test/cert-ext-nct.pem
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEGDCCAwCgAwIBAgIUN9zd5Z6FAMRqEkWPoS4D42402XowDQYJKoZIhvcNAQEL +BQAwgZ8xCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNsYW5kMREwDwYDVQQH +DAhCcmlzYmFuZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDASBgNVBAsMC0VuZ2lu +ZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xIjAgBgkqhkiG9w0BCQEW +E3N1cHBvcnRAd29sZnNzbC5jb20wHhcNMjExMDI2MTMzMzAzWhcNMjQwNzIyMTMz +MzAzWjCBnzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClF1ZWVuc2xhbmQxETAPBgNV +BAcMCEJyaXNiYW5lMRQwEgYDVQQKDAt3b2xmU1NMIEluYzEUMBIGA1UECwwLRW5n +aW5lZXJpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEiMCAGCSqGSIb3DQEJ +ARYTc3VwcG9ydEB3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAMCVCOFXQfJxbbfSRUEnAWXGRa7yvCQwuJXOL07W9hyIvHyf+6hnf/5c +nFF194rKB+c1L4/hvXvAL3yrZKgX/Mpde7rgIeVyLm8uhtiVc9qsG1O5Xz/XGQ0l +T+FjY1GLC2Q/rUO4pRxcNLOuAKBjxfZ/C1loeHOmjBipAm2vwxkBLrgQ48bMQLRp +o0YzaYduxLsXpvPo3a1zvHsvIbX9ZlEMvVSz4W1fHLwjc9EJA4kU0hC5ZMMq0KGW +Srzh1Bpbx6DAwWN4D0Q3MDKWgDIjlaF3uhPSl3PiXSXJag3DOWCktLBpQkIJ6dgI +vDMgs1gip6rrxOHmYYPF0pbf2dBPrdcCAwEAAaNKMEgwFAYJYIZIAYb4QgEBAQH/ +BAQDAgZAMDAGCWCGSAGG+EIBDQQjFiFUZXN0aW5nIE5ldHNjYXBlIENlcnRpZmlj +YXRlIFR5cGUwDQYJKoZIhvcNAQELBQADggEBADvSHYLUd9cwFnqktCMOVggvPEvi +QwiCn0Pfw5niwidHbdHeVqfcoA8hYYoLNFwSwiRpnlxoA6KBPkzmkat5s9ea4ATR +gTMdhicrTpldWldJtrm0ReR8vtxlEg8Ts8ZJrKOoyJ5MP5qPbZj+a0vyS2Qb8rnL +obou6pz2qbMhBrOYVP6gWnhZRHJmLplPNo/WEZMBXDgL62dca6oUiXWBpAO8j2PI +VShex+u2l6DNy/KvDlaUYvW88A5FwI1ThuoeRU76Y8QhB6zaC0wQttVVguzOcf3G +3c9jNLtz1Ydp3sLDmSJfHnI7dO4rRWd8go98GsGLt8O2ZhWZ1D8dkzRZfv0= +-----END CERTIFICATE----- diff --git a/certs/test/cert-ext-ndir-exc.der b/certs/test/cert-ext-ndir-exc.der index 25507a9d5..17fb2427f 100644 Binary files a/certs/test/cert-ext-ndir-exc.der and b/certs/test/cert-ext-ndir-exc.der differ diff --git a/certs/test/cert-ext-ndir-exc.pem b/certs/test/cert-ext-ndir-exc.pem new file mode 100644 index 000000000..69dd39566 --- /dev/null +++ b/certs/test/cert-ext-ndir-exc.pem 
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIE/TCCA+WgAwIBAgIUNPy5nImvNHMmLnekTFdBX87LWIcwDQYJKoZIhvcNAQEL +BQAwgZUxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC +b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEY +MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdv +bGZzc3NsLmNvbTAeFw0yMTEwMjYxMzMzMDNaFw0yNDA3MjIxMzMzMDNaMIGVMQsw +CQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjER +MA8GA1UECgwIU2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMM +D3d3dy53b2xmc3NsLmNvbTEgMB4GCSqGSIb3DQEJARYRaW5mb0B3b2xmc3NzbC5j +b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/DMotFLIehEJbzTgf +SvJNdRDxtjWf38p9A5jTrN4DZu4q8diwfW4HVAsQmCFNgMsSIOfMT95FfclydzLq +ypC7aVIQAy+o85XF8YtiVhvvZ2+kEEGVrQqb46XAsNJwdlAwW6joCCx87aeieo04 +KRysx+3yfJWwlYJ9SVw4zXcl772AdVOUPD3KY1ufFbXTHRMvGdE823Y6zLh9yeXC +19pAb9gh3HMbQi1TnP4a/H2rejY/mN6EfAVnzmoUOIep8Yy1aMtof3EgK/WgY/VW +L6Mm0rdvsVoX1ziZCP6TWG/+wxNJCBYLp01nAFIxZyNOmO1RRR25BNkL7Ngos0u9 +7TZ5AgMBAAGjggFBMIIBPTAdBgNVHQ4EFgQUJ45nEXTDJh0/7TNjs6TYHTDl6NUw +gdUGA1UdIwSBzTCByoAUJ45nEXTDJh0/7TNjs6TYHTDl6NWhgZukgZgwgZUxCzAJ +BgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREw +DwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwP +d3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdvbGZzc3NsLmNv +bYIUNPy5nImvNHMmLnekTFdBX87LWIcwDAYDVR0TBAUwAwEB/zA2BgNVHR4BAf8E +LDAqoSgwJqQkMCIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMA0G +CSqGSIb3DQEBCwUAA4IBAQCOsVInwF8jwAT/YzOZppX9UfOVKxRkJSaXWLKyskDY +NKsq2nY1bxn4QwZL7G/Blq0dBCpaW7wkpTrkeSOrYCtl+nkdNA+I40ek9W+M889L +WoDTh5gbm1pN4w/Y9Sn5eJG0jzg7eUgQ8dCbAqoEP/6R33TccMJIxG3eT9VeZSag +bra51uVAfZuU5ec1EHomC2QdFAW6ekf7Bk7mejkhkA4EtM0784Srjk7azYR3kc0n +ow2o9qwtA6lQnGmrZO0AArXosFW/MuZzBEIJxRCkATF/ZxMpAVvYb9h26GguiDu2 +B+LV1qS/UnQfqE78jojSA5JZ/wIHiDHwBiTaBTBx5Ub4 +-----END CERTIFICATE----- 
diff --git a/certs/test/cert-ext-ndir.der b/certs/test/cert-ext-ndir.der
index a2549860c..78fc774cb 100644
Binary files a/certs/test/cert-ext-ndir.der and b/certs/test/cert-ext-ndir.der differ
diff --git a/certs/test/cert-ext-ndir.pem b/certs/test/cert-ext-ndir.pem
new file mode 100644
index 000000000..c5a545194
--- /dev/null
+++ b/certs/test/cert-ext-ndir.pem
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIE6DCCA9CgAwIBAgIUUjnwSvtRITn8DePk5BV3FpOSt/EwDQYJKoZIhvcNAQEL +BQAwgZUxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC +b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEY +MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdv +bGZzc3NsLmNvbTAeFw0yMTEwMjYxMzMzMDNaFw0yNDA3MjIxMzMzMDNaMIGVMQsw +CQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjER +MA8GA1UECgwIU2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMM +D3d3dy53b2xmc3NsLmNvbTEgMB4GCSqGSIb3DQEJARYRaW5mb0B3b2xmc3NzbC5j +b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/DMotFLIehEJbzTgf +SvJNdRDxtjWf38p9A5jTrN4DZu4q8diwfW4HVAsQmCFNgMsSIOfMT95FfclydzLq +ypC7aVIQAy+o85XF8YtiVhvvZ2+kEEGVrQqb46XAsNJwdlAwW6joCCx87aeieo04 +KRysx+3yfJWwlYJ9SVw4zXcl772AdVOUPD3KY1ufFbXTHRMvGdE823Y6zLh9yeXC +19pAb9gh3HMbQi1TnP4a/H2rejY/mN6EfAVnzmoUOIep8Yy1aMtof3EgK/WgY/VW +L6Mm0rdvsVoX1ziZCP6TWG/+wxNJCBYLp01nAFIxZyNOmO1RRR25BNkL7Ngos0u9 +7TZ5AgMBAAGjggEsMIIBKDAdBgNVHQ4EFgQUJ45nEXTDJh0/7TNjs6TYHTDl6NUw +gdUGA1UdIwSBzTCByoAUJ45nEXTDJh0/7TNjs6TYHTDl6NWhgZukgZgwgZUxCzAJ +BgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREw +DwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwP +d3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdvbGZzc3NsLmNv +bYIUUjnwSvtRITn8DePk5BV3FpOSt/EwDAYDVR0TBAUwAwEB/zAhBgNVHR4BAf8E +FzAVoBMwEaQPMA0xCzAJBgNVBAYTAlVTMA0GCSqGSIb3DQEBCwUAA4IBAQCftSer +x/DD+8l32zkBpvuVQtRcEpQ6w7Cl1PD8TaiXe0W9eqKeBmxOgJ+a0kyKIcYSJU5R +K8enk17q1FFiqdgU0lEo3tdOdvfxFyLTbdCVz/Q0KRhhELU+9ZQRl0NOj3NSRR+/ +QI0tHo9UvsojdlRUW2LTaVdHAz8yBp5dC73KM/7Y3bS4q8MDjVvXD+TiJdfbcbQo +1eBm5eEsmoYQoOqQAt8n9bmEAe6syFi/sBJU5PqBWuNlBVLlySxEzCA8vPXyvL95 +3eStUcicaHWFA3dljObenJ8m9UWLlZTf+XPA9BrUwXHSG3945Rb8/gAdPUgsIT67 +UQJbTMyGRwalE97X +-----END CERTIFICATE----- diff --git a/certs/test/gen-ext-certs.sh b/certs/test/gen-ext-certs.sh index aa77314b0..cbaa010aa 100755 --- a/certs/test/gen-ext-certs.sh +++ b/certs/test/gen-ext-certs.sh 
@@ -5,20 +5,22 @@ TMP="/tmp/`basename $0`" KEY=certs/server-key.der gen_cert() { openssl req -x509 -keyform DER -key $KEY \ - -days 1000 -new -outform DER -out $OUT -config $CONFIG \ + -days 1000 -new -outform DER -out $OUT.der -config $CONFIG \ >$TMP 2>&1 - if [ "$?" = "0" -a -f $OUT ]; then + if [ "$?" = "0" -a -f $OUT.der ]; then echo "Created: $OUT" else cat $TMP echo "Failed: $OUT" fi + openssl x509 -in $OUT.der -inform DER -outform PEM > $OUT.pem + rm $TMP } -OUT=certs/test/cert-ext-nc.der +OUT=certs/test/cert-ext-nc KEYFILE=certs/test/cert-ext-nc-key.der CONFIG=certs/test/cert-ext-nc.cfg tee >$CONFIG <$CONFIG <$CONFIG <$CONFIG <$CONFIG <$CONFIG <$CONFIG <$CONFIG <$CONFIG <$CONFIG <sig.buffer, x509->heap, DYNAMIC_TYPE_SIGNATURE); x509->sig.buffer = NULL; #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) - XFREE(x509->authKeyId, x509->heap, DYNAMIC_TYPE_X509_EXT); + if (x509->authKeyIdSrc != NULL) { + XFREE(x509->authKeyIdSrc, x509->heap, DYNAMIC_TYPE_X509_EXT); + } + else { + XFREE(x509->authKeyId, x509->heap, DYNAMIC_TYPE_X509_EXT); + } + x509->authKeyIdSrc = NULL; x509->authKeyId = NULL; XFREE(x509->subjKeyId, x509->heap, DYNAMIC_TYPE_X509_EXT); x509->subjKeyId = NULL; @@ -3903,6 +3909,10 @@ void FreeX509(WOLFSSL_X509* x509) XFREE(x509->authInfo, x509->heap, DYNAMIC_TYPE_X509_EXT); x509->authInfo = NULL; } + if (x509->rawCRLInfo != NULL) { + XFREE(x509->rawCRLInfo, x509->heap, DYNAMIC_TYPE_X509_EXT); + x509->rawCRLInfo = NULL; + } if (x509->CRLInfo != NULL) { XFREE(x509->CRLInfo, x509->heap, DYNAMIC_TYPE_X509_EXT); x509->CRLInfo = NULL; 
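Review bot: In gen_cert the new `openssl x509 -in $OUT.der -inform DER -outform PEM > $OUT.pem` runs unconditionally, so when `openssl req` fails the conversion operates on a missing or stale `$OUT.der` and leaves an empty or outdated `$OUT.pem` next to the "Failed" message; moving that line into the success branch directly after `echo "Created: $OUT"` keeps the two outputs consistent. `$TMP` is a fixed, predictable path under /tmp derived from the script name (pre-existing, but now written and then removed by `rm $TMP` on every call), so a pre-existing file or symlink of that name would be followed and clobbered; `TMP=$(mktemp)` avoids that. The tail of this hunk after the `CONFIG=` line is not legible in this rendering, so only the gen_cert body and the `OUT=` change are reviewed here.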
@@ -10649,6 +10659,17 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
 x509->CRLdistSet = dCert->extCRLdistSet;
 x509->CRLdistCrit = dCert->extCRLdistCrit;
+ if (dCert->extCrlInfoRaw != NULL && dCert->extCrlInfoRawSz > 0) {
+ x509->rawCRLInfo = (byte*)XMALLOC(dCert->extCrlInfoRawSz, x509->heap,
+ DYNAMIC_TYPE_X509_EXT);
+ if (x509->rawCRLInfo != NULL) {
+ XMEMCPY(x509->rawCRLInfo, dCert->extCrlInfoRaw, dCert->extCrlInfoRawSz);
+ x509->rawCRLInfoSz = dCert->extCrlInfoRawSz;
+ }
+ else {
+ ret = MEMORY_E;
+ }
+ }
 if (dCert->extCrlInfo != NULL && dCert->extCrlInfoSz > 0) {
 x509->CRLInfo = (byte*)XMALLOC(dCert->extCrlInfoSz, x509->heap,
 DYNAMIC_TYPE_X509_EXT);
@@ -10694,6 +10715,27 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
 x509->authKeyIdSet = dCert->extAuthKeyIdSet;
 x509->authKeyIdCrit = dCert->extAuthKeyIdCrit;
 if (dCert->extAuthKeyIdSrc != NULL && dCert->extAuthKeyIdSz != 0) {
+ #ifdef WOLFSSL_AKID_NAME
+ if (dCert->extRawAuthKeyIdSrc != NULL &&
+ dCert->extAuthKeyIdSrc > dCert->extRawAuthKeyIdSrc &&
+ dCert->extAuthKeyIdSrc <
+ (dCert->extRawAuthKeyIdSrc + dCert->extRawAuthKeyIdSz)) {
+ /* Confirmed: extAuthKeyIdSrc points inside extRawAuthKeyIdSrc */
+ x509->authKeyIdSrc = (byte*)XMALLOC(dCert->extRawAuthKeyIdSz,
+ x509->heap, DYNAMIC_TYPE_X509_EXT);
+ if (x509->authKeyIdSrc != NULL) {
+ XMEMCPY(x509->authKeyIdSrc, dCert->extRawAuthKeyIdSrc,
+ dCert->extRawAuthKeyIdSz);
+ x509->authKeyIdSrcSz = dCert->extRawAuthKeyIdSz;
+ /* Set authKeyId to same offset inside authKeyIdSrc */
+ x509->authKeyId = x509->authKeyIdSrc +
+ (dCert->extAuthKeyIdSrc - dCert->extRawAuthKeyIdSrc);
+ x509->authKeyIdSz = dCert->extAuthKeyIdSz;
+ }
+ else
+ ret = MEMORY_E;
+ }
+ #else
 x509->authKeyId = (byte*)XMALLOC(dCert->extAuthKeyIdSz, x509->heap,
 DYNAMIC_TYPE_X509_EXT);
 if (x509->authKeyId != NULL) {
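Review bot: In the WOLFSSL_AKID_NAME branch of the second hunk, the `#else`/`#endif` placement leaves the pre-existing `else ret = MEMORY_E;` (visible in the following hunk) attached to the new range check, so a decoded cert whose `extRawAuthKeyIdSrc` is NULL, or whose key identifier does not sit strictly inside the raw extension, is reported as an allocation failure and never has `authKeyId` filled in at all. The `>` lower bound also rejects a key identifier at offset zero of the raw data; `dCert->extAuthKeyIdSrc >= dCert->extRawAuthKeyIdSrc` is the correct test. Unless the decoder guarantees `extRawAuthKeyIdSrc` whenever `extAuthKeyIdSrc` is set (not visible here), falling back to the plain copy is safer than failing, which also keeps the non-AKID_NAME path as the default behaviour; CopyDecodedToX509 continues outside this hunk.

```c
    #ifdef WOLFSSL_AKID_NAME
        if (dCert->extRawAuthKeyIdSrc != NULL &&
            dCert->extAuthKeyIdSrc >= dCert->extRawAuthKeyIdSrc &&
            dCert->extAuthKeyIdSrc <
                (dCert->extRawAuthKeyIdSrc + dCert->extRawAuthKeyIdSz)) {
            /* ... unchanged: copy the raw extension and point authKeyId into it ... */
        }
        else
    #endif
        {
            /* ... unchanged: plain copy of extAuthKeyIdSrc into authKeyId,
             * including its `else ret = MEMORY_E;` from the next hunk ... */
        }
```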
@@ -10701,6 +10743,7 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
 dCert->extAuthKeyIdSrc, dCert->extAuthKeyIdSz);
 x509->authKeyIdSz = dCert->extAuthKeyIdSz;
 }
+ #endif
 else
 ret = MEMORY_E;
 }
@@ -10725,6 +10768,7 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
 if (x509->extKeyUsageSrc != NULL) {
 XMEMCPY(x509->extKeyUsageSrc, dCert->extExtKeyUsageSrc,
 dCert->extExtKeyUsageSz);
+ x509->extKeyUsage = dCert->extExtKeyUsage;
 x509->extKeyUsageSz = dCert->extExtKeyUsageSz;
 x509->extKeyUsageCrit = dCert->extExtKeyUsageCrit;
 x509->extKeyUsageCount = dCert->extExtKeyUsageCount;
@@ -10733,6 +10777,9 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
 ret = MEMORY_E;
 }
 }
+ #ifndef IGNORE_NETSCAPE_CERT_TYPE
+ x509->nsCertType = dCert->nsCertType;
+ #endif
 #if defined(WOLFSSL_SEP) || defined(WOLFSSL_QT)
 x509->certPolicySet = dCert->extCertPolicySet;
 x509->certPolicyCrit = dCert->extCertPolicyCrit;
diff --git a/src/ssl.c b/src/ssl.c
index 5598a5d76..db597a303 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -8839,58 +8839,24 @@ unsigned int wolfSSL_X509_get_key_usage(WOLFSSL_X509* x509)
 unsigned int wolfSSL_X509_get_extended_key_usage(WOLFSSL_X509* x509)
 {
 int ret = 0;
- int rc;
- word32 idx = 0;
- word32 oid;
 WOLFSSL_ENTER("wolfSSL_X509_get_extended_key_usage");
- if (x509 == NULL) {
- WOLFSSL_MSG("x509 is NULL");
- }
- else if (x509->extKeyUsageSrc != NULL) {
- while (idx < x509->extKeyUsageSz) {
- rc = GetObjectId(x509->extKeyUsageSrc, &idx, &oid,
- oidCertKeyUseType, x509->extKeyUsageSz);
- if (rc == ASN_UNKNOWN_OID_E) {
- continue;
- }
- else if (rc < 0) {
- WOLFSSL_MSG("GetObjectId failed");
- ret = -1;
- break;
- }
-
- switch (oid) {
- case EKU_ANY_OID:
- ret |= XKU_ANYEKU;
- break;
- case EKU_SERVER_AUTH_OID:
- ret |= XKU_SSL_SERVER;
- break;
- case EKU_CLIENT_AUTH_OID:
- ret |= XKU_SSL_CLIENT;
- break;
- case EKU_CODESIGNING_OID:
- ret |= XKU_CODE_SIGN;
- break;
- case EKU_EMAILPROTECT_OID:
- ret |= XKU_SMIME;
- break;
- case EKU_TIMESTAMP_OID:
- ret |= XKU_TIMESTAMP;
- break;
- case EKU_OCSP_SIGN_OID:
- ret |= XKU_OCSP_SIGN;
- break;
- default:
- break;
- }
- }
- }
- else {
- WOLFSSL_MSG("x509->extKeyUsageSrc is NULL");
- ret = -1;
+ if (x509 != NULL) {
+ if (x509->extKeyUsage & EXTKEYUSE_OCSP_SIGN)
+ ret |= XKU_OCSP_SIGN;
+ if (x509->extKeyUsage & EXTKEYUSE_TIMESTAMP)
+ ret |= XKU_TIMESTAMP;
+ if (x509->extKeyUsage & EXTKEYUSE_EMAILPROT)
+ ret |= XKU_SMIME;
+ if (x509->extKeyUsage & EXTKEYUSE_CODESIGN)
+ ret |= XKU_CODE_SIGN;
+ if (x509->extKeyUsage & EXTKEYUSE_CLIENT_AUTH)
+ ret |= XKU_SSL_CLIENT;
+ if (x509->extKeyUsage & EXTKEYUSE_SERVER_AUTH)
+ ret |= XKU_SSL_SERVER;
+ if (x509->extKeyUsage & EXTKEYUSE_ANY)
+ ret |= XKU_ANYEKU;
 }
 WOLFSSL_LEAVE("wolfSSL_X509_get_extended_key_usage", ret);
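Review bot: The rewrite drops the `-1` result for a certificate that carries no extended key usage data, so callers can no longer distinguish "no EKU extension" from "EKU extension with no recognised purpose": both now return 0, whereas the removed code (and, as far as I recall, OpenSSL's X509_get_extended_key_usage) returned all-ones for the absent case. The result also now rests entirely on `x509->extKeyUsage` being populated; the CopyDecodedToX509 hunk in this commit sets it only on the decoded-certificate path, so an X509 built through other setters may report 0 here even when `extKeyUsageSrc` is present, which is worth confirming. If the sentinel is meant to survive, `if (x509->extKeyUsageSrc == NULL) ret = -1;` as the first statement inside `if (x509 != NULL)` restores it; either way a header comment stating what an absent extension returns would remove the ambiguity. The function's closing lines are outside the hunk.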
@@ -9792,6 +9758,13 @@ int wolfSSL_X509_add_ext(WOLFSSL_X509 *x509, WOLFSSL_X509_EXTENSION *ext, int lo
 switch (ext->obj->type) {
 case NID_authority_key_identifier:
+ if (x509->authKeyIdSrc != NULL) {
+ /* If authKeyId points into authKeyIdSrc then free it and
+ * revert to old functionality */
+ XFREE(x509->authKeyIdSrc, x509->heap, DYNAMIC_TYPE_X509_EXT);
+ x509->authKeyIdSrc = NULL;
+ x509->authKeyId = NULL;
+ }
 if (asn1_string_copy_to_buffer(&ext->value, &x509->authKeyId,
 &x509->authKeyIdSz, x509->heap) != WOLFSSL_SUCCESS) {
 WOLFSSL_MSG("asn1_string_copy_to_buffer error");
@@ -31420,6 +31393,8 @@ const WOLFSSL_ObjectInfo wolfssl_object_info[] = {
 { NID_localityName, NID_localityName, oidCertNameType, "L", "localityName"},
 { NID_stateOrProvinceName, NID_stateOrProvinceName, oidCertNameType, "ST",
 "stateOrProvinceName"},
+ { NID_streetAddress, NID_streetAddress, oidCertNameType, "street",
+ "streetAddress"},
 { NID_organizationName, NID_organizationName, oidCertNameType, "O",
 "organizationName"},
 { NID_organizationalUnitName, NID_organizationalUnitName, oidCertNameType,
@@ -31436,6 +31411,7 @@ const WOLFSSL_ObjectInfo wolfssl_object_info[] = {
 "jurisdictionCountryName"},
 { NID_jurisdictionStateOrProvinceName, NID_jurisdictionStateOrProvinceName,
 oidCertNameType, "jurisdictionST", "jurisdictionStateOrProvinceName"},
+ { NID_postalCode, NID_postalCode, oidCertNameType, "postalCode", "postalCode"},
 #ifdef WOLFSSL_CERT_REQ
 { NID_pkcs9_challengePassword, CHALLENGE_PASSWORD_OID,
@@ -41882,11 +41858,20 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
 return WOLFSSL_FAILURE;
 }
- if (x509->authKeyIdSz < CTC_MAX_AKID_SIZE) {
+ if (x509->authKeyIdSz < sizeof(cert->akid)) {
+ #ifdef WOLFSSL_AKID_NAME
+ cert->rawAkid = 0;
+ if (x509->authKeyIdSrc) {
+ XMEMCPY(cert->akid, x509->authKeyIdSrc, x509->authKeyIdSrcSz);
+ cert->akidSz = (int)x509->authKeyIdSrcSz;
+ cert->rawAkid = 1;
+ }
+ else
+ #endif
 if (x509->authKeyId) {
 XMEMCPY(cert->akid, x509->authKeyId, x509->authKeyIdSz);
+ cert->akidSz = (int)x509->authKeyIdSz;
 }
- cert->akidSz = (int)x509->authKeyIdSz;
 }
 else {
 WOLFSSL_MSG("Auth Key ID too large");
@@ -41907,6 +41892,17 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
 cert->certPoliciesNb = (word16)x509->certPoliciesNb;
 cert->keyUsage = x509->keyUsage;
+ cert->extKeyUsage = x509->extKeyUsage;
+ cert->nsCertType = x509->nsCertType;
+
+ if (x509->rawCRLInfo != NULL) {
+ if (x509->rawCRLInfoSz > CTC_MAX_CRLINFO_SZ) {
+ WOLFSSL_MSG("CRL Info too large");
+ return WOLFSSL_FAILURE;
+ }
+ XMEMCPY(cert->crlInfo, x509->rawCRLInfo, x509->rawCRLInfoSz);
+ cert->crlInfoSz = x509->rawCRLInfoSz;
+ }
 #endif /* WOLFSSL_CERT_EXT */
 #ifdef WOLFSSL_CERT_REQ
@@ -42446,12 +42442,14 @@ static int ConvertNIDToWolfSSL(int nid)
 case NID_countryName: return ASN_COUNTRY_NAME;
 case NID_localityName: return ASN_LOCALITY_NAME;
 case NID_stateOrProvinceName: return ASN_STATE_NAME;
+ case NID_streetAddress: return ASN_STREET_ADDR;
 case NID_organizationName: return ASN_ORG_NAME;
 case NID_organizationalUnitName: return ASN_ORGUNIT_NAME;
 case NID_emailAddress: return ASN_EMAIL_NAME;
 case NID_serialNumber: return ASN_SERIAL_NUMBER;
 case NID_businessCategory: return ASN_BUS_CAT;
 case NID_domainComponent: return ASN_DOMAIN_COMPONENT;
+ case NID_postalCode: return ASN_POSTAL_CODE;
 default:
 WOLFSSL_MSG("Attribute NID not found");
 return -1;
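Review bot: In the first hunk the size guard still tests `x509->authKeyIdSz`, but the new WOLFSSL_AKID_NAME branch copies `x509->authKeyIdSrcSz` bytes into `cert->akid`; per the CopyDecodedToX509 hunk in this commit `authKeyIdSrcSz` is the length of the whole raw extension (`extRawAuthKeyIdSz`) while `authKeyIdSz` is only the key identifier inside it, so the raw copy is not bounded by the check and can overrun `cert->akid`. The raw branch needs its own bound, e.g. `if (x509->authKeyIdSrc && x509->authKeyIdSrcSz < sizeof(cert->akid)) {`, and the too-large case should be handled explicitly — either rejected like the existing `"Auth Key ID too large"` path or deliberately allowed to fall through to the key-identifier-only copy, with a comment saying which. The enclosing function starts and ends outside the hunk (the `@@` context name is a neighbouring function, not the one being edited).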
@@ -46006,6 +46004,9 @@ int wolfSSL_PEM_write_bio_X509(WOLFSSL_BIO *bio, WOLFSSL_X509 *cert)
 /* write the PEM to BIO */
 ret = wolfSSL_BIO_write(bio, pem, pemSz);
 XFREE(pem, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ #ifdef WOLFSSL_SMALL_STACK
+ XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ #endif
 if (ret <= 0) return WOLFSSL_FAILURE;
 return WOLFSSL_SUCCESS;
diff --git a/tests/api.c b/tests/api.c
index 7b5a07afa..975250734 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -343,8 +343,11 @@
 #endif
 #if (defined(SESSION_CERTS) && defined(TEST_PEER_CERT_CHAIN)) || \
- defined(HAVE_SESSION_TICKET)
- /* for testing SSL_get_peer_cert_chain, or SESSION_TICKET_HINT_DEFAULT */
+ defined(HAVE_SESSION_TICKET) || (defined(OPENSSL_EXTRA) && \
+ defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN) && \
+ !defined(WOLFSSL_ASN_TEMPLATE))
+ /* for testing SSL_get_peer_cert_chain, or SESSION_TICKET_HINT_DEFAULT,
+ * or for setting authKeyIdSrc in WOLFSSL_X509 */
 #include "wolfssl/internal.h"
 #endif
@@ -35677,140 +35680,208 @@ static void test_wolfSSL_X509_sign2(void) time_t t; const unsigned char expected[] = { - 0x30, 0x82, 0x04, 0x25, 0x30, 0x82, 0x03, 0x0D, - 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, - 0xF1, 0x5C, 0x99, 0x43, 0x66, 0x3D, 0x96, 0x04, - 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, - 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30, - 0x81, 0x94, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, - 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, - 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, - 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, - 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, - 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, - 0x6D, 0x61, 0x6E, 0x31, 0x11, 0x30, 0x0F, 0x06, - 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x08, 0x53, 0x61, - 0x77, 0x74, 0x6F, 0x6F, 0x74, 0x68, 0x31, 0x13, - 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, - 0x0A, 0x43, 0x6F, 0x6E, 0x73, 0x75, 0x6C, 0x74, - 0x69, 0x6E, 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, - 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, - 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, - 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, - 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, - 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, - 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, - 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x1E, - 0x17, 0x0D, 0x30, 0x30, 0x30, 0x32, 0x31, 0x35, - 0x32, 0x30, 0x33, 0x30, 0x30, 0x30, 0x5A, 0x17, - 0x0D, 0x30, 0x31, 0x30, 0x32, 0x31, 0x34, 0x32, - 0x30, 0x33, 0x30, 0x30, 0x30, 0x5A, 0x30, 0x81, - 0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, - 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, - 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, - 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, - 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, - 0x61, 0x6E, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, - 0x55, 0x04, 0x0A, 0x0C, 0x0C, 0x77, 0x6F, 0x6C, - 0x66, 0x53, 0x53, 0x4C, 0x5F, 0x32, 0x30, 0x34, - 0x38, 0x31, 0x19, 0x30, 0x17, 
0x06, 0x03, 0x55, - 0x04, 0x0B, 0x0C, 0x10, 0x50, 0x72, 0x6F, 0x67, - 0x72, 0x61, 0x6D, 0x6D, 0x69, 0x6E, 0x67, 0x2D, - 0x32, 0x30, 0x34, 0x38, 0x31, 0x18, 0x30, 0x16, - 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, - 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, - 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, - 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, - 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, - 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, - 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, - 0x82, 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, - 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, - 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, - 0x82, 0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, - 0xC3, 0x03, 0xD1, 0x2B, 0xFE, 0x39, 0xA4, 0x32, - 0x45, 0x3B, 0x53, 0xC8, 0x84, 0x2B, 0x2A, 0x7C, - 0x74, 0x9A, 0xBD, 0xAA, 0x2A, 0x52, 0x07, 0x47, - 0xD6, 0xA6, 0x36, 0xB2, 0x07, 0x32, 0x8E, 0xD0, - 0xBA, 0x69, 0x7B, 0xC6, 0xC3, 0x44, 0x9E, 0xD4, - 0x81, 0x48, 0xFD, 0x2D, 0x68, 0xA2, 0x8B, 0x67, - 0xBB, 0xA1, 0x75, 0xC8, 0x36, 0x2C, 0x4A, 0xD2, - 0x1B, 0xF7, 0x8B, 0xBA, 0xCF, 0x0D, 0xF9, 0xEF, - 0xEC, 0xF1, 0x81, 0x1E, 0x7B, 0x9B, 0x03, 0x47, - 0x9A, 0xBF, 0x65, 0xCC, 0x7F, 0x65, 0x24, 0x69, - 0xA6, 0xE8, 0x14, 0x89, 0x5B, 0xE4, 0x34, 0xF7, - 0xC5, 0xB0, 0x14, 0x93, 0xF5, 0x67, 0x7B, 0x3A, - 0x7A, 0x78, 0xE1, 0x01, 0x56, 0x56, 0x91, 0xA6, - 0x13, 0x42, 0x8D, 0xD2, 0x3C, 0x40, 0x9C, 0x4C, - 0xEF, 0xD1, 0x86, 0xDF, 0x37, 0x51, 0x1B, 0x0C, - 0xA1, 0x3B, 0xF5, 0xF1, 0xA3, 0x4A, 0x35, 0xE4, - 0xE1, 0xCE, 0x96, 0xDF, 0x1B, 0x7E, 0xBF, 0x4E, - 0x97, 0xD0, 0x10, 0xE8, 0xA8, 0x08, 0x30, 0x81, - 0xAF, 0x20, 0x0B, 0x43, 0x14, 0xC5, 0x74, 0x67, - 0xB4, 0x32, 0x82, 0x6F, 0x8D, 0x86, 0xC2, 0x88, - 0x40, 0x99, 0x36, 0x83, 0xBA, 0x1E, 0x40, 0x72, - 0x22, 0x17, 0xD7, 0x52, 0x65, 0x24, 0x73, 0xB0, - 0xCE, 0xEF, 0x19, 0xCD, 0xAE, 0xFF, 0x78, 0x6C, - 0x7B, 0xC0, 0x12, 0x03, 0xD4, 0x4E, 0x72, 0x0D, - 0x50, 0x6D, 0x3B, 0xA3, 0x3B, 0xA3, 0x99, 0x5E, - 0x9D, 0xC8, 0xD9, 0x0C, 0x85, 
0xB3, 0xD9, 0x8A, - 0xD9, 0x54, 0x26, 0xDB, 0x6D, 0xFA, 0xAC, 0xBB, - 0xFF, 0x25, 0x4C, 0xC4, 0xD1, 0x79, 0xF4, 0x71, - 0xD3, 0x86, 0x40, 0x18, 0x13, 0xB0, 0x63, 0xB5, - 0x72, 0x4E, 0x30, 0xC4, 0x97, 0x84, 0x86, 0x2D, - 0x56, 0x2F, 0xD7, 0x15, 0xF7, 0x7F, 0xC0, 0xAE, - 0xF5, 0xFC, 0x5B, 0xE5, 0xFB, 0xA1, 0xBA, 0xD3, - 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x6E, 0x30, - 0x6C, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13, - 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, 0x30, - 0x1C, 0x06, 0x03, 0x55, 0x1D, 0x11, 0x04, 0x15, - 0x30, 0x13, 0x82, 0x0B, 0x65, 0x78, 0x61, 0x6D, - 0x70, 0x6C, 0x65, 0x2E, 0x63, 0x6F, 0x6D, 0x87, - 0x04, 0x7F, 0x00, 0x00, 0x01, 0x30, 0x1D, 0x06, - 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, - 0x33, 0xD8, 0x45, 0x66, 0xD7, 0x68, 0x87, 0x18, - 0x7E, 0x54, 0x0D, 0x70, 0x27, 0x91, 0xC7, 0x26, - 0xD7, 0x85, 0x65, 0xC0, 0x30, 0x1F, 0x06, 0x03, - 0x55, 0x1D, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, - 0x14, 0x33, 0xD8, 0x45, 0x66, 0xD7, 0x68, 0x87, - 0x18, 0x7E, 0x54, 0x0D, 0x70, 0x27, 0x91, 0xC7, - 0x26, 0xD7, 0x85, 0x65, 0xC0, 0x30, 0x0D, 0x06, - 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, - 0x01, 0x0B, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, - 0x00, 0x79, 0x81, 0x5D, 0xAB, 0xDB, 0x44, 0x70, - 0xD6, 0x39, 0x4F, 0xA6, 0xBA, 0x09, 0x99, 0xBB, - 0xCB, 0x82, 0xF9, 0x17, 0x34, 0xBD, 0x3E, 0xB1, - 0x18, 0xA8, 0xF9, 0x10, 0x16, 0x2A, 0xE0, 0x74, - 0xC6, 0xCF, 0xB3, 0x5F, 0xC6, 0x2C, 0xFB, 0xE3, - 0x5D, 0x38, 0x2B, 0x99, 0x02, 0x98, 0x9D, 0x55, - 0x95, 0x65, 0xC3, 0xEB, 0x77, 0x13, 0xA0, 0x75, - 0x35, 0x68, 0x1F, 0x08, 0xE8, 0x82, 0x3E, 0xF1, - 0xEF, 0x4B, 0xE7, 0x6E, 0xAD, 0xC1, 0x7C, 0x57, - 0xCE, 0xF5, 0x24, 0x4E, 0x2F, 0xC4, 0xF7, 0x46, - 0xED, 0x0E, 0x27, 0x1D, 0xD2, 0x12, 0x5D, 0x9A, - 0xE5, 0x82, 0xB8, 0x92, 0x42, 0x8F, 0x9E, 0x4D, - 0x9B, 0x31, 0x85, 0x2E, 0xE0, 0x5E, 0x83, 0xFB, - 0xA4, 0x33, 0x32, 0x34, 0x2A, 0xAD, 0x38, 0x7A, - 0x6D, 0xD5, 0x02, 0xAE, 0x77, 0xCB, 0x26, 0x76, - 0x7B, 0xFA, 0xE0, 0x91, 0x9B, 0x6F, 0xF4, 0xC4, - 0xA1, 0x54, 0xB1, 0x13, 0x80, 
0x6E, 0xFB, 0x70, - 0x4C, 0x7F, 0x4F, 0x58, 0x39, 0xFA, 0x5B, 0x3D, - 0x60, 0x63, 0xDF, 0xEF, 0x90, 0xB3, 0x9B, 0x9A, - 0xEE, 0x8E, 0x34, 0xFB, 0x8B, 0x75, 0x5F, 0xC7, - 0xE4, 0xDB, 0x7C, 0x63, 0x84, 0xE4, 0x6C, 0xC7, - 0xD8, 0xC8, 0xA9, 0xA4, 0x42, 0x64, 0x93, 0x65, - 0x17, 0x58, 0xC2, 0x51, 0x3E, 0x8E, 0x2A, 0x68, - 0x37, 0xC6, 0x59, 0x75, 0x68, 0xD4, 0x16, 0x6A, - 0x17, 0x87, 0xC0, 0xA8, 0x9A, 0x1F, 0x07, 0xCF, - 0x43, 0x58, 0xF4, 0xEA, 0xFE, 0xFB, 0xB2, 0x3F, - 0x7E, 0xC0, 0xF4, 0x83, 0x67, 0x85, 0x30, 0xF2, - 0xE1, 0x60, 0x37, 0x39, 0x45, 0x2A, 0x21, 0x51, - 0x0C, 0x4F, 0xFB, 0x0C, 0x0A, 0xFA, 0x7D, 0xD9, - 0xB4, 0x72, 0x86, 0x9C, 0x0D, 0x2A, 0x25, 0x0E, - 0xBB, 0x45, 0xEC, 0x5D, 0xFB, 0x7A, 0xAA, 0x67, - 0x49, 0x4F, 0x36, 0xAB, 0xDE, 0x4B, 0x57, 0x35, - 0xF3 +#ifdef WOLFSSL_AKID_NAME + 0x30, 0x82, 0x04, 0xfd, 0x30, 0x82, 0x03, 0xe5, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x09, 0x00, 0xf1, 0x5c, 0x99, 0x43, 0x66, 0x3d, 0x96, 0x04, + 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, + 0x0b, 0x05, 0x00, 0x30, 0x81, 0x94, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, + 0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, + 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, + 0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x11, 0x30, 0x0f, 0x06, + 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x53, 0x61, 0x77, 0x74, 0x6f, 0x6f, + 0x74, 0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, + 0x0a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x74, 0x69, 0x6e, 0x67, 0x31, + 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x77, + 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, + 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, + 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, + 0x17, 0x0d, 
0x30, 0x30, 0x30, 0x32, 0x31, 0x35, 0x32, 0x30, 0x33, 0x30, + 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x30, 0x31, 0x30, 0x32, 0x31, 0x34, 0x32, + 0x30, 0x33, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x81, 0x9e, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, + 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, + 0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, + 0x07, 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x15, + 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0c, 0x77, 0x6f, 0x6c, + 0x66, 0x53, 0x53, 0x4c, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x31, 0x19, 0x30, + 0x17, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x10, 0x50, 0x72, 0x6f, 0x67, + 0x72, 0x61, 0x6d, 0x6d, 0x69, 0x6e, 0x67, 0x2d, 0x32, 0x30, 0x34, 0x38, + 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, + 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, + 0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, + 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, + 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, + 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc3, 0x03, 0xd1, 0x2b, + 0xfe, 0x39, 0xa4, 0x32, 0x45, 0x3b, 0x53, 0xc8, 0x84, 0x2b, 0x2a, 0x7c, + 0x74, 0x9a, 0xbd, 0xaa, 0x2a, 0x52, 0x07, 0x47, 0xd6, 0xa6, 0x36, 0xb2, + 0x07, 0x32, 0x8e, 0xd0, 0xba, 0x69, 0x7b, 0xc6, 0xc3, 0x44, 0x9e, 0xd4, + 0x81, 0x48, 0xfd, 0x2d, 0x68, 0xa2, 0x8b, 0x67, 0xbb, 0xa1, 0x75, 0xc8, + 0x36, 0x2c, 0x4a, 0xd2, 0x1b, 0xf7, 0x8b, 0xba, 0xcf, 0x0d, 0xf9, 0xef, + 0xec, 0xf1, 0x81, 0x1e, 0x7b, 0x9b, 0x03, 0x47, 0x9a, 0xbf, 0x65, 0xcc, + 0x7f, 0x65, 0x24, 0x69, 0xa6, 0xe8, 0x14, 0x89, 0x5b, 0xe4, 0x34, 0xf7, + 0xc5, 0xb0, 0x14, 0x93, 0xf5, 0x67, 0x7b, 0x3a, 0x7a, 0x78, 0xe1, 0x01, + 0x56, 0x56, 
0x91, 0xa6, 0x13, 0x42, 0x8d, 0xd2, 0x3c, 0x40, 0x9c, 0x4c, + 0xef, 0xd1, 0x86, 0xdf, 0x37, 0x51, 0x1b, 0x0c, 0xa1, 0x3b, 0xf5, 0xf1, + 0xa3, 0x4a, 0x35, 0xe4, 0xe1, 0xce, 0x96, 0xdf, 0x1b, 0x7e, 0xbf, 0x4e, + 0x97, 0xd0, 0x10, 0xe8, 0xa8, 0x08, 0x30, 0x81, 0xaf, 0x20, 0x0b, 0x43, + 0x14, 0xc5, 0x74, 0x67, 0xb4, 0x32, 0x82, 0x6f, 0x8d, 0x86, 0xc2, 0x88, + 0x40, 0x99, 0x36, 0x83, 0xba, 0x1e, 0x40, 0x72, 0x22, 0x17, 0xd7, 0x52, + 0x65, 0x24, 0x73, 0xb0, 0xce, 0xef, 0x19, 0xcd, 0xae, 0xff, 0x78, 0x6c, + 0x7b, 0xc0, 0x12, 0x03, 0xd4, 0x4e, 0x72, 0x0d, 0x50, 0x6d, 0x3b, 0xa3, + 0x3b, 0xa3, 0x99, 0x5e, 0x9d, 0xc8, 0xd9, 0x0c, 0x85, 0xb3, 0xd9, 0x8a, + 0xd9, 0x54, 0x26, 0xdb, 0x6d, 0xfa, 0xac, 0xbb, 0xff, 0x25, 0x4c, 0xc4, + 0xd1, 0x79, 0xf4, 0x71, 0xd3, 0x86, 0x40, 0x18, 0x13, 0xb0, 0x63, 0xb5, + 0x72, 0x4e, 0x30, 0xc4, 0x97, 0x84, 0x86, 0x2d, 0x56, 0x2f, 0xd7, 0x15, + 0xf7, 0x7f, 0xc0, 0xae, 0xf5, 0xfc, 0x5b, 0xe5, 0xfb, 0xa1, 0xba, 0xd3, + 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x44, 0x30, 0x82, 0x01, + 0x40, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, + 0x01, 0x01, 0xff, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x15, + 0x30, 0x13, 0x82, 0x0b, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, + 0x63, 0x6f, 0x6d, 0x87, 0x04, 0x7f, 0x00, 0x00, 0x01, 0x30, 0x1d, 0x06, + 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x33, 0xd8, 0x45, 0x66, + 0xd7, 0x68, 0x87, 0x18, 0x7e, 0x54, 0x0d, 0x70, 0x27, 0x91, 0xc7, 0x26, + 0xd7, 0x85, 0x65, 0xc0, 0x30, 0x81, 0xd3, 0x06, 0x03, 0x55, 0x1d, 0x23, + 0x04, 0x81, 0xcb, 0x30, 0x81, 0xc8, 0x80, 0x14, 0x33, 0xd8, 0x45, 0x66, + 0xd7, 0x68, 0x87, 0x18, 0x7e, 0x54, 0x0d, 0x70, 0x27, 0x91, 0xc7, 0x26, + 0xd7, 0x85, 0x65, 0xc0, 0xa1, 0x81, 0xa4, 0xa4, 0x81, 0xa1, 0x30, 0x81, + 0x9e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, + 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, + 0x06, 0x03, 
0x55, 0x04, 0x07, 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d, + 0x61, 0x6e, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, + 0x0c, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x5f, 0x32, 0x30, 0x34, + 0x38, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x10, + 0x50, 0x72, 0x6f, 0x67, 0x72, 0x61, 0x6d, 0x6d, 0x69, 0x6e, 0x67, 0x2d, + 0x32, 0x30, 0x34, 0x38, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, + 0x03, 0x0c, 0x0f, 0x77, 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, + 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, + 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, + 0x63, 0x6f, 0x6d, 0x82, 0x09, 0x00, 0xf1, 0x5c, 0x99, 0x43, 0x66, 0x3d, + 0x96, 0x04, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, + 0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, + 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x0d, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, + 0x03, 0x82, 0x01, 0x01, 0x00, 0x59, 0x2e, 0xd1, 0xec, 0xbc, 0x99, 0xfe, + 0x50, 0x38, 0x47, 0x47, 0x88, 0x51, 0xcf, 0xe4, 0x88, 0x76, 0xdf, 0x89, + 0x8f, 0xea, 0x91, 0xbc, 0xd6, 0xc6, 0x91, 0xc9, 0xcc, 0x33, 0x77, 0x5d, + 0xdd, 0x4b, 0xc9, 0xf6, 0x10, 0x54, 0xe2, 0x04, 0x89, 0x51, 0xdb, 0xe1, + 0x00, 0x0c, 0x61, 0x03, 0x26, 0x86, 0x35, 0xac, 0x96, 0x23, 0x9d, 0xef, + 0xd9, 0x95, 0xe4, 0xb4, 0x83, 0x9e, 0x0f, 0x47, 0x30, 0x08, 0x96, 0x28, + 0x7f, 0x2d, 0xe3, 0x23, 0x30, 0x3b, 0xb0, 0x46, 0xe8, 0x21, 0x78, 0xb4, + 0xc0, 0xbc, 0x9f, 0x60, 0x02, 0xd4, 0x16, 0x2d, 0xe5, 0x5a, 0x00, 0x65, + 0x15, 0x95, 0x81, 0x93, 0x80, 0x06, 0x3e, 0xf7, 0xdf, 0x0c, 0x2b, 0x3f, + 0x14, 0xfc, 0xc3, 0x79, 0xfd, 0x59, 0x5c, 0xa7, 0xc3, 0xe0, 0xa8, 0xd4, + 0x53, 0x4f, 0x13, 0x0a, 0xa3, 0xfe, 0x1d, 0x63, 0x4e, 0x84, 0xb2, 0x98, + 0x19, 0x06, 0xe0, 0x60, 0x3a, 0xc9, 0x49, 0x73, 0x00, 0xe3, 0x72, 0x2f, + 0x68, 0x27, 
0x9f, 0x14, 0x18, 0xb7, 0x57, 0xb9, 0x1d, 0xa8, 0xb3, 0x05, + 0x6c, 0xf5, 0x4b, 0x0e, 0xac, 0x26, 0x7a, 0xfe, 0xc1, 0xab, 0x1f, 0x27, + 0xf1, 0x1e, 0x21, 0x33, 0x31, 0xb6, 0x43, 0xb0, 0xf8, 0x74, 0x69, 0x6a, + 0xb1, 0x9b, 0xcb, 0xe4, 0xd3, 0xa2, 0x8e, 0x8a, 0x55, 0xef, 0x81, 0xf3, + 0x4a, 0x44, 0x90, 0x4d, 0x08, 0xb8, 0x31, 0x90, 0x1a, 0x82, 0x52, 0x56, + 0xeb, 0xf0, 0x50, 0x5b, 0x9f, 0x87, 0x98, 0x54, 0xfe, 0x6a, 0x60, 0x41, + 0x16, 0xdb, 0xdc, 0xff, 0x89, 0x4c, 0x98, 0x00, 0xb1, 0x87, 0x6c, 0xe7, + 0xec, 0xba, 0x3b, 0xa4, 0xfe, 0xa1, 0xfd, 0x26, 0x19, 0x7c, 0x2d, 0x14, + 0x91, 0x91, 0x61, 0x30, 0x3e, 0xf4, 0x5c, 0x97, 0x4c, 0x06, 0x84, 0xab, + 0x94, 0xa8, 0x17, 0x6c, 0xec, 0x19, 0xc0, 0x87, 0xd0 +#else + 0x30, 0x82, 0x04, 0x46, 0x30, 0x82, 0x03, 0x2e, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x09, 0x00, 0xf1, 0x5c, 0x99, 0x43, 0x66, 0x3d, 0x96, 0x04, + 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, + 0x0b, 0x05, 0x00, 0x30, 0x81, 0x94, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, + 0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, + 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, + 0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x11, 0x30, 0x0f, 0x06, + 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x53, 0x61, 0x77, 0x74, 0x6f, 0x6f, + 0x74, 0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, + 0x0a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x74, 0x69, 0x6e, 0x67, 0x31, + 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x77, + 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, + 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, + 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, + 0x17, 0x0d, 0x30, 0x30, 0x30, 0x32, 0x31, 0x35, 0x32, 0x30, 0x33, 0x30, + 0x30, 0x30, 0x5a, 0x17, 
0x0d, 0x30, 0x31, 0x30, 0x32, 0x31, 0x34, 0x32, + 0x30, 0x33, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x81, 0x9e, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, + 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, + 0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, + 0x07, 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x15, + 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0c, 0x77, 0x6f, 0x6c, + 0x66, 0x53, 0x53, 0x4c, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x31, 0x19, 0x30, + 0x17, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x10, 0x50, 0x72, 0x6f, 0x67, + 0x72, 0x61, 0x6d, 0x6d, 0x69, 0x6e, 0x67, 0x2d, 0x32, 0x30, 0x34, 0x38, + 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, + 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, + 0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, + 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, + 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, + 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc3, 0x03, 0xd1, 0x2b, + 0xfe, 0x39, 0xa4, 0x32, 0x45, 0x3b, 0x53, 0xc8, 0x84, 0x2b, 0x2a, 0x7c, + 0x74, 0x9a, 0xbd, 0xaa, 0x2a, 0x52, 0x07, 0x47, 0xd6, 0xa6, 0x36, 0xb2, + 0x07, 0x32, 0x8e, 0xd0, 0xba, 0x69, 0x7b, 0xc6, 0xc3, 0x44, 0x9e, 0xd4, + 0x81, 0x48, 0xfd, 0x2d, 0x68, 0xa2, 0x8b, 0x67, 0xbb, 0xa1, 0x75, 0xc8, + 0x36, 0x2c, 0x4a, 0xd2, 0x1b, 0xf7, 0x8b, 0xba, 0xcf, 0x0d, 0xf9, 0xef, + 0xec, 0xf1, 0x81, 0x1e, 0x7b, 0x9b, 0x03, 0x47, 0x9a, 0xbf, 0x65, 0xcc, + 0x7f, 0x65, 0x24, 0x69, 0xa6, 0xe8, 0x14, 0x89, 0x5b, 0xe4, 0x34, 0xf7, + 0xc5, 0xb0, 0x14, 0x93, 0xf5, 0x67, 0x7b, 0x3a, 0x7a, 0x78, 0xe1, 0x01, + 0x56, 0x56, 0x91, 0xa6, 0x13, 0x42, 0x8d, 0xd2, 0x3c, 0x40, 0x9c, 0x4c, + 0xef, 0xd1, 0x86, 0xdf, 
0x37, 0x51, 0x1b, 0x0c, 0xa1, 0x3b, 0xf5, 0xf1, + 0xa3, 0x4a, 0x35, 0xe4, 0xe1, 0xce, 0x96, 0xdf, 0x1b, 0x7e, 0xbf, 0x4e, + 0x97, 0xd0, 0x10, 0xe8, 0xa8, 0x08, 0x30, 0x81, 0xaf, 0x20, 0x0b, 0x43, + 0x14, 0xc5, 0x74, 0x67, 0xb4, 0x32, 0x82, 0x6f, 0x8d, 0x86, 0xc2, 0x88, + 0x40, 0x99, 0x36, 0x83, 0xba, 0x1e, 0x40, 0x72, 0x22, 0x17, 0xd7, 0x52, + 0x65, 0x24, 0x73, 0xb0, 0xce, 0xef, 0x19, 0xcd, 0xae, 0xff, 0x78, 0x6c, + 0x7b, 0xc0, 0x12, 0x03, 0xd4, 0x4e, 0x72, 0x0d, 0x50, 0x6d, 0x3b, 0xa3, + 0x3b, 0xa3, 0x99, 0x5e, 0x9d, 0xc8, 0xd9, 0x0c, 0x85, 0xb3, 0xd9, 0x8a, + 0xd9, 0x54, 0x26, 0xdb, 0x6d, 0xfa, 0xac, 0xbb, 0xff, 0x25, 0x4c, 0xc4, + 0xd1, 0x79, 0xf4, 0x71, 0xd3, 0x86, 0x40, 0x18, 0x13, 0xb0, 0x63, 0xb5, + 0x72, 0x4e, 0x30, 0xc4, 0x97, 0x84, 0x86, 0x2d, 0x56, 0x2f, 0xd7, 0x15, + 0xf7, 0x7f, 0xc0, 0xae, 0xf5, 0xfc, 0x5b, 0xe5, 0xfb, 0xa1, 0xba, 0xd3, + 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x81, 0x8e, 0x30, 0x81, 0x8b, 0x30, + 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, + 0xff, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x15, 0x30, 0x13, + 0x82, 0x0b, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, + 0x6d, 0x87, 0x04, 0x7f, 0x00, 0x00, 0x01, 0x30, 0x1d, 0x06, 0x03, 0x55, + 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x33, 0xd8, 0x45, 0x66, 0xd7, 0x68, + 0x87, 0x18, 0x7e, 0x54, 0x0d, 0x70, 0x27, 0x91, 0xc7, 0x26, 0xd7, 0x85, + 0x65, 0xc0, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, + 0x16, 0x80, 0x14, 0x33, 0xd8, 0x45, 0x66, 0xd7, 0x68, 0x87, 0x18, 0x7e, + 0x54, 0x0d, 0x70, 0x27, 0x91, 0xc7, 0x26, 0xd7, 0x85, 0x65, 0xc0, 0x30, + 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08, + 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, + 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, + 0x01, 0x00, 0x98, 0x2a, 0x3d, 0x94, 0x37, 0xae, 0xd6, 0x28, 0x12, 0xed, + 0x6d, 0x95, 0xc9, 0x05, 
0x89, 0x4b, 0x5c, 0x5e, 0x88, 0xed, 0x9e, 0x14, + 0x89, 0x79, 0x65, 0x7b, 0x5c, 0xdb, 0xcd, 0x21, 0xc5, 0xfc, 0x7a, 0x05, + 0xd2, 0x33, 0x54, 0xa1, 0x1b, 0xb2, 0xc6, 0xd8, 0x3e, 0x88, 0x7d, 0x58, + 0xfd, 0xd0, 0xca, 0x71, 0x58, 0xd5, 0x37, 0x81, 0xe0, 0xef, 0x65, 0xfc, + 0x1b, 0xf1, 0x5d, 0xdd, 0x26, 0x68, 0x12, 0xfb, 0x12, 0x24, 0xd5, 0x45, + 0x4f, 0x41, 0xad, 0xee, 0x3f, 0x16, 0x40, 0xb2, 0x59, 0xe6, 0x5b, 0x76, + 0xe7, 0x47, 0x11, 0xa4, 0xe1, 0x2f, 0x0d, 0xe8, 0x13, 0x13, 0x49, 0xb0, + 0x01, 0x11, 0x15, 0xb5, 0xb3, 0x93, 0x4f, 0x28, 0xdc, 0xd0, 0x30, 0x03, + 0x48, 0x02, 0x95, 0x2d, 0xd9, 0x26, 0x87, 0x1f, 0x19, 0xa1, 0x03, 0x5c, + 0x7c, 0xde, 0x54, 0xd4, 0x98, 0x85, 0x34, 0xcc, 0x54, 0xf1, 0x24, 0x43, + 0xa6, 0x87, 0xfa, 0xb6, 0x62, 0xee, 0xa3, 0x4a, 0xb3, 0xce, 0x1c, 0x2e, + 0xbf, 0x94, 0xef, 0x4c, 0x75, 0x75, 0x55, 0x1d, 0xc9, 0xc2, 0xe4, 0xe5, + 0x24, 0xb2, 0x0a, 0x93, 0xf0, 0xff, 0x2e, 0x43, 0x99, 0xad, 0x4e, 0x83, + 0x11, 0x52, 0xf4, 0xb9, 0x92, 0x30, 0xe1, 0x02, 0x2f, 0xa5, 0xf2, 0x21, + 0xb1, 0xf4, 0xe9, 0x57, 0xbd, 0xba, 0x17, 0x56, 0xd7, 0x31, 0xcb, 0x63, + 0xa3, 0xd5, 0xcf, 0xc9, 0xd9, 0xa6, 0x4f, 0x51, 0x6c, 0x52, 0x4c, 0x53, + 0x88, 0x9a, 0x2e, 0xb9, 0x72, 0x02, 0x6e, 0x1b, 0x21, 0x93, 0xa1, 0x88, + 0x1b, 0x35, 0x0e, 0x9e, 0x2b, 0x63, 0x81, 0xba, 0xb4, 0x6b, 0x28, 0x01, + 0x56, 0xe1, 0x0e, 0x13, 0x73, 0xf6, 0xd6, 0xa0, 0xd2, 0xfd, 0xc9, 0x4d, + 0xbd, 0xa8, 0xa9, 0x22, 0x9e, 0xc7, 0x13, 0x76, 0x5a, 0x9c, 0xd3, 0x9a, + 0xf4, 0x0c, 0x52, 0xe6, 0x47, 0xcb +#endif }; printf(testingFmt, "wolfSSL_X509_sign2"); 
@@ -37526,6 +37597,76 @@ static void test_wolfSSL_i2t_ASN1_OBJECT(void) #endif /* OPENSSL_EXTRA && WOLFSSL_CERT_EXT && WOLFSSL_CERT_GEN */ } +static void test_wolfSSL_PEM_write_bio_X509(void) +{ +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_AKID_NAME) && \ + defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN) + /* This test contains the hard coded expected + * lengths. Update if necessary */ + + BIO* input; + BIO* output; + X509* x509 = NULL; + int expectedLen; + + printf(testingFmt, "wolfSSL_PEM_write_bio_X509()"); + + AssertNotNull(input = BIO_new_file( + "certs/test/cert-ext-multiple.pem", "rb")); + AssertIntEQ(wolfSSL_BIO_get_len(input), 2000); + + AssertNotNull(output = BIO_new(wolfSSL_BIO_s_mem())); + + AssertNotNull(PEM_read_bio_X509(input, &x509, NULL, NULL)); + + AssertIntEQ(PEM_write_bio_X509(output, x509), WOLFSSL_SUCCESS); + +#ifdef WOLFSSL_ALT_NAMES + /* Here we copy the validity struct from the original */ + expectedLen = 2000; +#else + /* Only difference is that we generate the validity in generalized + * time. 
Generating UTCTime vs Generalized time should be fixed in + * the future */ + expectedLen = 2004; +#endif + AssertIntEQ(wolfSSL_BIO_get_len(output), expectedLen); + + /* Reset output buffer */ + BIO_free(output); + AssertNotNull(output = BIO_new(wolfSSL_BIO_s_mem())); + + /* Test forcing the AKID to be generated just from KeyIdentifier */ + if (x509->authKeyIdSrc != NULL) { + XMEMMOVE(x509->authKeyIdSrc, x509->authKeyId, x509->authKeyIdSz); + x509->authKeyId = x509->authKeyIdSrc; + x509->authKeyIdSrc = NULL; + x509->authKeyIdSrcSz = 0; + } + + AssertIntEQ(PEM_write_bio_X509(output, x509), WOLFSSL_SUCCESS); + + /* Check that we generate a smaller output since the AKID will + * only contain the KeyIdentifier without any additional + * information */ + +#ifdef WOLFSSL_ALT_NAMES + /* Here we copy the validity struct from the original */ + expectedLen = 1688; +#else + /* UTCTime vs Generalized time */ + expectedLen = 1692; +#endif + AssertIntEQ(wolfSSL_BIO_get_len(output), expectedLen); + + X509_free(x509); + BIO_free(input); + BIO_free(output); + + printf(resultFmt, passed); +#endif +} + static void test_wolfSSL_X509_NAME_ENTRY(void) { #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \ @@ -51454,6 +51595,7 @@ void ApiTest(void) test_wolfSSL_OBJ_txt2nid(); test_wolfSSL_OBJ_txt2obj(); test_wolfSSL_i2t_ASN1_OBJECT(); + test_wolfSSL_PEM_write_bio_X509(); test_wolfSSL_X509_NAME_ENTRY(); test_wolfSSL_X509_set_name(); test_wolfSSL_X509_set_notAfter(); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 6ffca63ac..47e7f2c17 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c 
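Review bot: The block starting `if (x509->authKeyIdSrc != NULL)` rewrites `WOLFSSL_X509` internals: it `XMEMMOVE`s the key identifier to the front of the `authKeyIdSrc` allocation, points `authKeyId` at it and clears `authKeyIdSrc`, which is only correct if `authKeyId` already points inside the `authKeyIdSrc` buffer and `X509_free` releases that buffer through `authKeyId` once `authKeyIdSrc` is NULL. Neither assumption is stated; add a comment such as `/* authKeyId points into authKeyIdSrc; after this X509_free owns the buffer via authKeyId */` and consider expressing the change through an accessor rather than direct field writes, so the test does not silently become a use-after-free when ownership changes. The hard-coded `expectedLen` values are already flagged by the header comment; naming them (`EXPECTED_FULL_AKID_LEN`, `EXPECTED_KEYID_ONLY_LEN`) would make the two `WOLFSSL_ALT_NAMES` branches easier to maintain.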
@@ -74,6 +74,8 @@ ASN Options: * WOLFSSL_ASN_TEMPLATE_TYPE_CHECK: Use ASN functions to better test compiler type issues for testing * CRLDP_VALIDATE_DATA: For ASN template only, validates the reason data + * WOLFSSL_AKID_NAME: Enable support for full AuthorityKeyIdentifier extension. + * Only supports copying full AKID from an existing certificate. */ #ifndef NO_ASN @@ -612,8 +614,8 @@ static void SizeASN_CalcDataLength(const ASNItem* asn, ASNSetData *data, /* The length of a header only item doesn't include the data unless * a replacement buffer is supplied. */ - if (asn[j].headerOnly && data[j].dataType != - ASN_DATA_TYPE_REPLACE_BUFFER) { + if (asn[j].headerOnly && data[j].data.buffer.data == NULL && + data[j].dataType != ASN_DATA_TYPE_REPLACE_BUFFER) { data[idx].data.buffer.length += data[j].data.buffer.length; } } @@ -685,8 +687,16 @@ int SizeASN_Items(const ASNItem* asn, ASNSetData *data, int count, int* encSz) * Mostly used for constructed items. */ if (asn[i].headerOnly) { - /* Calculate data length from items below. */ - SizeASN_CalcDataLength(asn, data, i, count); + if (data[i].data.buffer.data != NULL) { + /* Force all child nodes to be ignored. Buffer + * overwrites children. */ + SetASNItem_NoOutBelow(data, asn, i, count); + } + else { + /* Calculate data length from items below if no buffer + * supplied. */ + SizeASN_CalcDataLength(asn, data, i, count); + } } if (asn[i].tag == ASN_BOOLEAN) { dataLen = 1; @@ -705,8 +715,9 @@ int SizeASN_Items(const ASNItem* asn, ASNSetData *data, int count, int* encSz) } /* Add in the size of tag and length. */ len += SizeASNHeader(dataLen); - /* Include data in length if not header only. */ - if (!asn[i].headerOnly) { + /* Include data in length if not header only or if + * buffer supplied. */ + if (!asn[i].headerOnly || data[i].data.buffer.data != NULL) { len += dataLen; } break; 
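Review bot: The `@@ -612`, `@@ -685` and `@@ -705` hunks give a header-only `ASNItem` with a supplied `data.buffer.data` a new meaning — the buffer replaces the whole encoded subtree and the children are suppressed via `SetASNItem_NoOutBelow` — but that contract is only visible in inline comments inside `SizeASN_Items`. Document it where callers set the buffer (the `headerOnly` field of `ASNItem` and the `SetASN_Buffer` description), e.g. `/* For a headerOnly item a supplied buffer must hold the complete pre-encoded content; child items are then ignored and not validated. */`, since nothing here checks that the supplied bytes are themselves a well-formed encoding. `SetASNItem_NoOutBelow` is not visible in this diff; I assume it exists alongside the other `SetASNItem_NoOut*` helpers.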
@@ -933,8 +944,10 @@ int SetASN_Items(const ASNItem* asn, ASNSetData *data, int count, byte* output) if (data[i].data.buffer.data == NULL) { data[i].data.buffer.data = out + idx; } - /* Copy supplied data if not putting out header only. */ - else if (!asn[i].headerOnly) { + /* Copy supplied data if not putting out header only or + * if buffer supplied. */ + else if (!asn[i].headerOnly || + data[i].data.buffer.data != NULL) { /* Allow data to come from output buffer. */ XMEMMOVE(out + idx, data[i].data.buffer.data, data[i].data.buffer.length); @@ -3239,7 +3252,7 @@ word32 SetBitString(word32 len, byte unusedBits, byte* output) idx += ASN_TAG_SZ; /* Encode length - passing NULL for output will not encode. - * Add one to length for unsued bits. */ + * Add one to length for unused bits. */ idx += SetLength(len + 1, output ? output + idx : NULL); if (output) { /* Write out unused bits. */ @@ -10113,8 +10126,6 @@ static int GetHashId(const byte* id, int length, byte* hash) #endif /* !NO_CERTS */ #ifdef WOLFSSL_ASN_TEMPLATE -/* Id for street address - not used. */ -#define ASN_STREET 9 /* Id for email address. */ #define ASN_EMAIL 0x100 /* Id for user id. */ @@ -10146,6 +10157,10 @@ static int GetHashId(const byte* id, int length, byte* hash) #define GetCertNameSubjectNID(id) \ (certNameSubject[(id) - 3].nid) +#define ValidCertNameSubject(id) \ + ((id - 3) >= 0 && (id - 3) < certNameSubjectSz && \ + (certNameSubject[(id) - 3].strLen > 0)) + /* Mapping of certificate name component to useful information. */ typedef struct CertNameData { /* Type string of name component. */ 
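Review bot: In `SetASN_Items` the new condition `!asn[i].headerOnly || data[i].data.buffer.data != NULL` sits in the `else` of `if (data[i].data.buffer.data == NULL)`, so its second operand is always true and the whole test is always true — the `else if` is effectively a plain `else`, which does copy a supplied buffer for header-only items as intended, but the comment suggests a choice the code no longer makes. Reduce it to `else { /* buffer supplied, header-only or not: copy it in */` so the intent reads from the code rather than from a dead condition. The enclosing loop starts and ends outside the hunk.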
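Review bot: `ValidCertNameSubject` uses its argument unparenthesized in `(id - 3)` twice, unlike the `GetCertNameSubject*` macros above it; write `(((id) - 3) >= 0 && ((id) - 3) < certNameSubjectSz && (certNameSubject[(id) - 3].strLen > 0))` so an expression argument cannot change precedence. The macro also references `certNameSubjectSz`, which the `@@ -10328` hunk defines after the table; that works for the use in `GetRDN`, but a one-line comment `/* requires certNameSubjectSz, defined after the table */` saves the next reader a search.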
@@ -10240,16 +10255,16 @@ static const CertNameData certNameSubject[] = { NID_stateOrProvinceName #endif }, - /* Undefined - Street */ + /* Street Address */ { - NULL, 0, + "/street=", 8, #ifdef WOLFSSL_CERT_GEN - 0, - 0, - 0, + OFFSETOF(DecodedCert, subjectStreet), + OFFSETOF(DecodedCert, subjectStreetLen), + OFFSETOF(DecodedCert, subjectStreetEnc), #endif #ifdef WOLFSSL_X509_NAME_AVAILABLE - 0, + NID_streetAddress #endif }, /* Organization Name */ @@ -10328,10 +10343,43 @@ static const CertNameData certNameSubject[] = { #endif #ifdef WOLFSSL_X509_NAME_AVAILABLE NID_businessCategory +#endif + }, + /* Undefined */ + { + NULL, 0, +#ifdef WOLFSSL_CERT_GEN + 0, + 0, + 0, +#endif +#ifdef WOLFSSL_X509_NAME_AVAILABLE + 0, +#endif + }, + /* Postal Code */ + { + "/postalCode=", 12, +#ifdef WOLFSSL_CERT_GEN +#ifdef WOLFSSL_CERT_EXT + OFFSETOF(DecodedCert, subjectPC), + OFFSETOF(DecodedCert, subjectPCLen), + OFFSETOF(DecodedCert, subjectPCEnc), +#else + 0, + 0, + 0, +#endif +#endif +#ifdef WOLFSSL_X509_NAME_AVAILABLE + NID_postalCode #endif }, }; +static const int certNameSubjectSz = + (int) (sizeof(certNameSubject) / sizeof(CertNameData)); + /* Full email OID. */ static const byte emailOid[] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01 @@ -10527,8 +10575,7 @@ static int GetRDN(DecodedCert* cert, char* full, word32* idx, int* nid, if ((oidSz == 3) && (oid[0] == 0x55) && (oid[1] == 0x04)) { id = oid[2]; /* Check range of supported ids in table. */ - if (((id >= ASN_COMMON_NAME) && (id <= ASN_ORGUNIT_NAME) && - (id != ASN_STREET)) || (id == ASN_BUS_CAT)) { + if (ValidCertNameSubject(id)) { /* Get the type string, length and NID from table. */ typeStr = GetCertNameSubjectStr(id); typeStrLen = GetCertNameSubjectStrLen(id); 
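Review bot: The new street entry hard-codes `"/street=", 8` (and the `@@ -10328` hunk `"/postalCode=", 12`) while the non-template `GetCertName` in the `@@ -10887` and `@@ -10902` hunks uses `WOLFSSL_STREET_ADDR_NAME` and `WOLFSSL_POSTAL_NAME`; if those macros and the literals ever differ, the two ASN paths produce different subject strings for the same certificate. Use `WOLFSSL_STREET_ADDR_NAME, sizeof(WOLFSSL_STREET_ADDR_NAME) - 1` here (and the postal-code macro likewise) so there is a single definition of each prefix.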
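Review bot: The postal-code entry has a non-zero `strLen` in every configuration, so `ValidCertNameSubject` accepts it, but under `WOLFSSL_CERT_GEN` without `WOLFSSL_CERT_EXT` its three offsets are `0`. If the subject-store path in `GetRDN` (outside this hunk) writes through those offsets unconditionally, a certificate carrying a postal code would then store into whatever field sits at offset 0 of `DecodedCert`. Either give that configuration `NULL, 0` like the "Undefined" entry so the attribute is skipped, or have the store check for a zero offset. A comment above the table stating that it is indexed by `id - 3` and must track the `ASN_*` name ids would also help, since the new "Undefined" placeholder only makes sense with that in mind.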
@@ -10887,6 +10934,22 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType, #endif /* OPENSSL_EXTRA */ } #ifdef WOLFSSL_CERT_EXT + else if (id == ASN_STREET_ADDR) { + copy = WOLFSSL_STREET_ADDR_NAME; + copyLen = sizeof(WOLFSSL_STREET_ADDR_NAME) - 1; + #ifdef WOLFSSL_CERT_GEN + if (nameType == SUBJECT) { + cert->subjectStreet = (char*)&input[srcIdx]; + cert->subjectStreetLen = strLen; + cert->subjectStreetEnc = b; + } + #endif /* WOLFSSL_CERT_GEN */ + #if (defined(OPENSSL_EXTRA) || \ + defined(OPENSSL_EXTRA_X509_SMALL)) \ + && !defined(WOLFCRYPT_ONLY) + nid = NID_streetAddress; + #endif /* OPENSSL_EXTRA */ + } else if (id == ASN_BUS_CAT) { copy = WOLFSSL_BUS_CAT; copyLen = sizeof(WOLFSSL_BUS_CAT) - 1; @@ -10902,6 +10965,22 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType, nid = NID_businessCategory; #endif /* OPENSSL_EXTRA */ } + else if (id == ASN_POSTAL_CODE) { + copy = WOLFSSL_POSTAL_NAME; + copyLen = sizeof(WOLFSSL_POSTAL_NAME) - 1; + #ifdef WOLFSSL_CERT_GEN + if (nameType == SUBJECT) { + cert->subjectPC = (char*)&input[srcIdx]; + cert->subjectPCLen = strLen; + cert->subjectPCEnc = b; + } + #endif /* WOLFSSL_CERT_GEN */ + #if (defined(OPENSSL_EXTRA) || \ + defined(OPENSSL_EXTRA_X509_SMALL)) \ + && !defined(WOLFCRYPT_ONLY) + nid = NID_postalCode; + #endif /* OPENSSL_EXTRA */ + } #endif /* WOLFSSL_CERT_EXT */ } #ifdef WOLFSSL_CERT_EXT @@ -14533,6 +14612,9 @@ static int DecodeCrlDist(const byte* input, int sz, DecodedCert* cert) WOLFSSL_ENTER("DecodeCrlDist"); + cert->extCrlInfoRaw = input; + cert->extCrlInfoRawSz = sz; + /* Unwrap the list of Distribution Points*/ if (GetSequence(input, &idx, &length, sz) < 0) return ASN_PARSE_E; 
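Review bot: `cert->extCrlInfoRaw` and `extCrlInfoRawSz` are assigned before the distribution-point list is parsed (the same in the `@@ -14625` template hunk), so on a malformed extension the pointer stays set even though `ASN_PARSE_E` is returned; since the ssl.c `@@ -41907` hunk later copies these bytes verbatim into a newly generated certificate, store them only after the parse succeeds, or document that the raw copy is deliberately taken irrespective of decode success. Both assignments are unconditional while their consumer is `WOLFSSL_CERT_EXT`-only; confirm the `DecodedCert` fields exist in every build. The enclosing function continues outside the hunk.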
@@ -14625,6 +14707,9 @@ static int DecodeCrlDist(const byte* input, int sz, DecodedCert* cert) CALLOC_ASNGETDATA(dataASN, crlDistASN_Length, ret, cert->heap); + cert->extCrlInfoRaw = input; + cert->extCrlInfoRawSz = sz; + if (ret == 0) { /* Get the GeneralName choice */ GetASN_Choice(&dataASN[4], generalNameChoice); @@ -14869,6 +14954,10 @@ static int DecodeAuthKeyId(const byte* input, int sz, DecodedCert* cert) } #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) +#ifdef WOLFSSL_AKID_NAME + cert->extRawAuthKeyIdSrc = input; + cert->extRawAuthKeyIdSz = sz; +#endif cert->extAuthKeyIdSrc = &input[idx]; cert->extAuthKeyIdSz = length; #endif /* OPENSSL_EXTRA */ @@ -14895,7 +14984,11 @@ static int DecodeAuthKeyId(const byte* input, int sz, DecodedCert* cert) } else { #ifdef OPENSSL_EXTRA - /* Store the autority key id. */ + /* Store the authority key id. */ +#ifdef WOLFSSL_AKID_NAME + cert->extRawAuthKeyIdSrc = input; + cert->extRawAuthKeyIdSz = sz; +#endif GetASN_GetConstRef(&dataASN[1], &cert->extAuthKeyIdSrc, &cert->extAuthKeyIdSz); #endif /* OPENSSL_EXTRA */ @@ -15163,6 +15256,26 @@ static int DecodeExtKeyUsage(const byte* input, int sz, DecodedCert* cert) #endif /* WOLFSSL_ASN_TEMPLATE */ } +#ifndef IGNORE_NETSCAPE_CERT_TYPE + +static int DecodeNsCertType(const byte* input, int sz, DecodedCert* cert) +{ + word32 idx = 0; + int len = 0; + + WOLFSSL_ENTER("DecodeNsCertType"); + if (CheckBitString(input, &idx, &len, (word32)sz, 0, NULL) < 0) { + return ASN_PARSE_E; + } + + /* Don't need to worry about unused bits as CheckBitString makes sure + * they're zero. */ + cert->nsCertType = input[idx]; + + return 0; +} +#endif + #ifndef IGNORE_NAME_CONSTRAINTS #ifdef WOLFSSL_ASN_TEMPLATE 
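Review bot: `DecodeNsCertType` obtains `len` from `CheckBitString` but never checks it before reading `input[idx]`; unless `CheckBitString` guarantees at least one content byte after the unused-bits octet, a BIT STRING consisting of the unused-bits byte alone leaves `len == 0` and the read lands one byte past the extension. Add `if (len < 1) { return ASN_PARSE_E; }` before the assignment. The comment about unused bits should also say what is relied on: with `0` passed as the zero-bits argument, `CheckBitString` presumably verifies that the padding bits are zero without requiring zero unused bits, which is acceptable here because only the first content octet is kept.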
@@ -15976,11 +16089,8 @@ static int DecodeExtensionType(const byte* input, int length, word32 oid, #ifndef IGNORE_NETSCAPE_CERT_TYPE /* Netscape's certificate type. */ case NETSCAPE_CT_OID: - WOLFSSL_MSG("Netscape certificate type extension not supported " - "yet."); - if (CheckBitString(input, &idx, &length, length, 0, NULL) < 0) { + if (DecodeNsCertType(input, length, cert) < 0) ret = ASN_PARSE_E; - } break; #endif #ifdef HAVE_OCSP @@ -19927,10 +20037,18 @@ typedef struct DerCert { byte extensions[MAX_EXTENSIONS_SZ]; /* all extensions */ #ifdef WOLFSSL_CERT_EXT byte skid[MAX_KID_SZ]; /* Subject Key Identifier extension */ - byte akid[MAX_KID_SZ]; /* Authority Key Identifier extension */ + byte akid[MAX_KID_SZ +#ifdef WOLFSSL_AKID_NAME + + sizeof(CertName) + CTC_SERIAL_SIZE +#endif + ]; /* Authority Key Identifier extension */ byte keyUsage[MAX_KEYUSAGE_SZ]; /* Key Usage extension */ byte extKeyUsage[MAX_EXTKEYUSAGE_SZ]; /* Extended Key Usage extension */ +#ifndef IGNORE_NETSCAPE_CERT_TYPE + byte nsCertType[MAX_NSCERTTYPE_SZ]; /* Extended Key Usage extension */ +#endif byte certPolicies[MAX_CERTPOL_NB*MAX_CERTPOL_SZ]; /* Certificate Policies */ + byte crlInfo[CTC_MAX_CRLINFO_SZ]; /* CRL Distribution Points */ #endif #ifdef WOLFSSL_CERT_REQ byte attrib[MAX_ATTRIB_SZ]; /* Cert req attributes encoded */ @@ -19952,7 +20070,12 @@ typedef struct DerCert { int akidSz; /* encoded SKID extension length */ int keyUsageSz; /* encoded KeyUsage extension length */ int extKeyUsageSz; /* encoded ExtendedKeyUsage extension length */ +#ifndef IGNORE_NETSCAPE_CERT_TYPE + int nsCertTypeSz; /* encoded Netscape Certifcate Type + * extension length */ +#endif int certPoliciesSz; /* encoded CertPolicies extension length*/ + int crlInfoSz; /* encoded CRL Dist Points length */ #endif #ifdef WOLFSSL_ALT_NAMES int altNamesSz; /* encoded AltNames extension length */ 
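Review bot: The comment on the new DerCert field `byte nsCertType[MAX_NSCERTTYPE_SZ]; /* Extended Key Usage extension */` is copied from the line above and names the wrong extension; it should read `/* Netscape Certificate Type extension */`. The size-field comment in the next hunk has a typo as well, `Certifcate` for `Certificate`. The `#ifndef IGNORE_NETSCAPE_CERT_TYPE` guard around both fields correctly mirrors the guard under which `MAX_NSCERTTYPE_SZ` is defined in asn.h.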
@@ -20621,28 +20744,34 @@ const char* GetOneCertName(CertName* name, int idx) return name->state; case 2: - return name->locality; + return name->street; case 3: - return name->sur; + return name->locality; case 4: - return name->org; + return name->sur; case 5: - return name->unit; + return name->org; case 6: - return name->commonName; + return name->unit; case 7: - return name->serialDev; + return name->commonName; case 8: + return name->serialDev; + + case 9: + return name->postalCode; + + case 10: #ifdef WOLFSSL_CERT_EXT return name->busCat; - case 9: + case 11: #endif return name->email; @@ -20663,28 +20792,34 @@ static char GetNameType(CertName* name, int idx) return name->stateEnc; case 2: - return name->localityEnc; + return name->postalCodeEnc; case 3: - return name->surEnc; + return name->localityEnc; case 4: - return name->orgEnc; + return name->surEnc; case 5: - return name->unitEnc; + return name->orgEnc; case 6: - return name->commonNameEnc; + return name->unitEnc; case 7: - return name->serialDevEnc; + return name->commonNameEnc; case 8: + return name->serialDevEnc; + + case 9: + return name->postalCodeEnc; + + case 10: #ifdef WOLFSSL_CERT_EXT return name->busCatEnc; - case 9: + case 11: #endif /* FALL THROUGH */ /* The last index, email name, does not have encoding type. @@ -20706,28 +20841,34 @@ byte GetCertNameId(int idx) return ASN_STATE_NAME; case 2: - return ASN_LOCALITY_NAME; + return ASN_STREET_ADDR; case 3: - return ASN_SUR_NAME; + return ASN_LOCALITY_NAME; case 4: - return ASN_ORG_NAME; + return ASN_SUR_NAME; case 5: - return ASN_ORGUNIT_NAME; + return ASN_ORG_NAME; case 6: - return ASN_COMMON_NAME; + return ASN_ORGUNIT_NAME; case 7: - return ASN_SERIAL_NUMBER; + return ASN_COMMON_NAME; case 8: + return ASN_SERIAL_NUMBER; + + case 9: + return ASN_POSTAL_CODE; + + case 10: #ifdef WOLFSSL_CERT_EXT return ASN_BUS_CAT; - case 9: + case 11: #endif return ASN_EMAIL_NAME; 
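Review bot: GetNameType's new `case 2:` returns `name->postalCodeEnc`, while GetOneCertName's `case 2:` returns `name->street` and GetCertNameId's `case 2:` returns `ASN_STREET_ADDR`; the three switches are indexed in parallel, so index 2 must yield the street encoding, `case 2: return name->streetEnc;`. As written the street attribute is emitted with the postal code's string type, and `postalCodeEnc` is returned for both index 2 and index 9, so a certificate generated with differing encodings for those two fields will carry the wrong tag on the street address. A test that round-trips a CertName with a PRINTABLE street and a UTF8 postal code through generation and parsing would have caught this.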
@@ -20890,36 +21031,60 @@ static int SetSKID(byte* output, word32 outSz, const byte *input, word32 length) /* encode Authority Key Identifier, return total bytes written * RFC5280 : non-critical */ -static int SetAKID(byte* output, word32 outSz, - byte *input, word32 length, void* heap) +static int SetAKID(byte* output, word32 outSz, byte *input, word32 length, + byte rawAkid) { - byte *enc_val; - int ret, enc_valSz; - const byte akid_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04 }; + int enc_valSz, inSeqSz; + byte enc_val_buf[MAX_KID_SZ]; + byte* enc_val; + const byte akid_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x23 }; const byte akid_cs[] = { 0x80 }; + word32 idx; - (void)heap; + (void)rawAkid; if (output == NULL || input == NULL) return BAD_FUNC_ARG; - enc_valSz = length + 3 + sizeof(akid_cs); - enc_val = (byte *)XMALLOC(enc_valSz, heap, DYNAMIC_TYPE_TMP_BUFFER); - if (enc_val == NULL) - return MEMORY_E; +#ifdef WOLFSSL_AKID_NAME + if (rawAkid) { + enc_val = input; + enc_valSz = length; + } + else +#endif + { + enc_val = enc_val_buf; + enc_valSz = length + 3 + sizeof(akid_cs); + if (enc_valSz > (int)sizeof(enc_val_buf)) + return BAD_FUNC_ARG; - /* sequence for ContentSpec & value */ - ret = SetOidValue(enc_val, enc_valSz, akid_cs, sizeof(akid_cs), - input, length); - if (ret > 0) { - enc_valSz = ret; - - ret = SetOidValue(output, outSz, akid_oid, sizeof(akid_oid), - enc_val, enc_valSz); + /* sequence for ContentSpec & value */ + enc_valSz = SetOidValue(enc_val, enc_valSz, akid_cs, sizeof(akid_cs), + input, length); + if (enc_valSz <= 0) + return enc_valSz; } - XFREE(enc_val, heap, DYNAMIC_TYPE_TMP_BUFFER); - return ret; + /* The size of the extension sequence contents */ + inSeqSz = sizeof(akid_oid) + SetOctetString(enc_valSz, NULL) + + enc_valSz; + + if (SetSequence(inSeqSz, NULL) + inSeqSz > outSz) + return BAD_FUNC_ARG; + + /* Write out the sequence header */ + idx = SetSequence(inSeqSz, output); + + /* Write out OID */ + XMEMCPY(output + idx, akid_oid, 
sizeof(akid_oid)); + idx += sizeof(akid_oid); + + /* Write out AKID */ + idx += SetOctetString(enc_valSz, output + idx); + XMEMCPY(output + idx, enc_val, enc_valSz); + + return idx + enc_valSz; } /* encode Key Usage, return total bytes written 
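Review bot: In the `WOLFSSL_AKID_NAME` branch of SetAKID the caller-supplied `input` is copied verbatim as the content of the extension's OCTET STRING with no check that it is a well-formed AuthorityKeyIdentifier SEQUENCE, whereas the keyid branch builds the structure itself; a malformed `cert->akid` therefore produces a certificate with an unparsable AKID instead of an error at generation time. A cheap guard in that branch, `word32 i = 0; int l; if (GetSequence(input, &i, &l, length) < 0 || i + (word32)l != length) return BAD_FUNC_ARG;`, or a statement in the header comment that raw input must already be validated DER, would close this. The header comment above the hunk also does not describe the new parameter; suggest adding `* rawAkid: non-zero when input is a complete AuthorityKeyIdentifier encoding, zero when it is the bare KeyIdentifier`.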
@@ -21163,6 +21328,89 @@ static int SetExtKeyUsage(Cert* cert, byte* output, word32 outSz, byte input) #endif } +#ifndef IGNORE_NETSCAPE_CERT_TYPE +#ifndef WOLFSSL_ASN_TEMPLATE +static int SetNsCertType(Cert* cert, byte* output, word32 outSz, byte input) +{ + word32 idx; + byte unusedBits = 0; + byte nsCertType = input; + word32 totalSz; + word32 bitStrSz; + const byte nscerttype_oid[] = { 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, + 0x86, 0xF8, 0x42, 0x01, 0x01 }; + + if (cert == NULL || output == NULL || + input == 0) + return BAD_FUNC_ARG; + + totalSz = sizeof(nscerttype_oid); + + /* Get amount of lsb zero's */ + for (;(input & 1) == 0; input >>= 1) + unusedBits++; + + /* 1 byte of NS Cert Type extension */ + bitStrSz = SetBitString(1, unusedBits, NULL) + 1; + totalSz += SetOctetString(bitStrSz, NULL) + bitStrSz; + + if (SetSequence(totalSz, NULL) + totalSz > outSz) + return BAD_FUNC_ARG; + + /* 1. Seq + Total Len */ + idx = SetSequence(totalSz, output); + + /* 2. Object ID */ + XMEMCPY(&output[idx], nscerttype_oid, sizeof(nscerttype_oid)); + idx += sizeof(nscerttype_oid); + + /* 3. Octet String */ + idx += SetOctetString(bitStrSz, &output[idx]); + + /* 4. Bit String */ + idx += SetBitString(1, unusedBits, &output[idx]); + output[idx++] = nsCertType; + + return idx; +} +#endif +#endif + +#ifndef WOLFSSL_ASN_TEMPLATE +static int SetCRLInfo(Cert* cert, byte* output, word32 outSz, byte* input, + int inSz) +{ + word32 idx; + word32 totalSz; + const byte crlinfo_oid[] = { 0x06, 0x03, 0x55, 0x1D, 0x1F }; + + if (cert == NULL || output == NULL || + input == 0 || inSz <= 0) + return BAD_FUNC_ARG; + + totalSz = sizeof(crlinfo_oid) + SetOctetString(inSz, NULL) + inSz; + + if (SetSequence(totalSz, NULL) + totalSz > outSz) + return BAD_FUNC_ARG; + + /* 1. Seq + Total Len */ + idx = SetSequence(totalSz, output); + + /* 2. Object ID */ + XMEMCPY(&output[idx], crlinfo_oid, sizeof(crlinfo_oid)); + idx += sizeof(crlinfo_oid); + + /* 3. 
Octet String */ + idx += SetOctetString(inSz, &output[idx]); + + /* 4. CRL Info */ + XMEMCPY(&output[idx], input, inSz); + idx += inSz; + + return idx; +} +#endif + /* encode Certificate Policies, return total bytes written * each input value must be ITU-T X.690 formatted : a.b.c... * input must be an array of values with a NULL terminated for the latest @@ -21625,6 +21873,7 @@ int wc_EncodeName(EncodedName* name, const char* nameStr, char nameType, static const byte nameOid[NAME_ENTRIES - 1][NAME_OID_SZ] = { { 0x55, 0x04, ASN_COUNTRY_NAME }, { 0x55, 0x04, ASN_STATE_NAME }, + { 0x55, 0x04, ASN_STREET_ADDR }, { 0x55, 0x04, ASN_LOCALITY_NAME }, { 0x55, 0x04, ASN_SUR_NAME }, { 0x55, 0x04, ASN_ORG_NAME }, @@ -21634,6 +21883,7 @@ static const byte nameOid[NAME_ENTRIES - 1][NAME_OID_SZ] = { #ifdef WOLFSSL_CERT_EXT { 0x55, 0x04, ASN_BUS_CAT }, #endif + { 0x55, 0x04, ASN_POSTAL_CODE }, /* Email OID is much longer. */ }; @@ -22042,6 +22292,15 @@ static const ASNItem certExtsASN[] = { /* 28 */ { 2, ASN_OBJECT_ID, 0, 0, 0 }, /* 29 */ { 2, ASN_OCTET_STRING, 0, 1, 0 }, /* 30 */ { 3, ASN_SEQUENCE, 0, 0, 0 }, + /* Netscape Certificate Type */ +/* 31 */ { 1, ASN_SEQUENCE, 1, 1, 0 }, +/* 32 */ { 2, ASN_OBJECT_ID, 0, 0, 0 }, +/* 33 */ { 2, ASN_OCTET_STRING, 0, 1, 0 }, +/* 34 */ { 3, ASN_BIT_STRING, 0, 0, 0 }, +/* 35 */ { 1, ASN_SEQUENCE, 1, 1, 0 }, +/* 36 */ { 2, ASN_OBJECT_ID, 0, 0, 0 }, +/* 37 */ { 2, ASN_OCTET_STRING, 0, 0, 0 }, + #endif }; @@ -22064,6 +22323,9 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz, static const byte kuOID[] = { 0x55, 0x1d, 0x0f }; static const byte ekuOID[] = { 0x55, 0x1d, 0x25 }; static const byte cpOID[] = { 0x55, 0x1d, 0x20 }; + static const byte nsCertOID[] = { 0x60, 0x86, 0x48, 0x01, + 0x86, 0xF8, 0x42, 0x01, 0x01 }; + static const byte crlInfoOID[] = { 0x55, 0x1D, 0x1F }; #endif (void)forRequest; 
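Review bot: SetCRLInfo's argument check compares a pointer with an integer, `input == 0`; `input == NULL` is the idiom used in the same condition (`cert == NULL || output == NULL`). Like the raw AKID path, the function copies `input` unchanged into the extension's OCTET STRING, so a `cert->crlInfo` that is not a valid CRLDistributionPoints SEQUENCE yields a certificate with a broken extension; a `GetSequence` check of `input` against `inSz`, or a documented precondition on whatever fills `Cert.crlInfo`, would catch that at generation time. In SetNsCertType the loop `for (;(input & 1) == 0; input >>= 1)` terminates only because `input == 0` was rejected above; a one-line comment, `/* input != 0 was checked above, so the loop ends */`, makes that dependency visible.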
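Review bot: In the nameOid table `{ 0x55, 0x04, ASN_POSTAL_CODE }` is placed after the `WOLFSSL_CERT_EXT`-guarded `ASN_BUS_CAT` row, while GetCertNameId (hunk at @@ -20706) maps index 9 to ASN_POSTAL_CODE and index 10 to ASN_BUS_CAT. If wc_EncodeName indexes this table by the same position GetCertNameId uses, the two orders must agree and the postal-code row should move before the `#ifdef WOLFSSL_CERT_EXT` block; if the table is instead searched by its last byte, the order is immaterial, but a comment saying so would stop the next reordering from breaking it. wc_EncodeName's body is outside the hunk, so this is inferred from the index tables alone.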
@@ -22107,7 +22369,15 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz, if (cert->akidSz > 0) { /* Set Authority Key Identifier OID and data. */ SetASN_Buffer(&dataASN[15], akidOID, sizeof(akidOID)); - SetASN_Buffer(&dataASN[18], cert->akid, cert->akidSz); + if (cert->rawAkid) { + SetASN_Buffer(&dataASN[16], cert->akid, cert->akidSz); + /* cert->akid contains the internal ext structure */ + SetASNItem_NoOutBelow(dataASN, certExtsASN, 16, + certExtsASN_Length); + } + else { + SetASN_Buffer(&dataASN[18], cert->akid, cert->akidSz); + } } else { /* Don't write out Authority Key Identifier extension items. */ @@ -22156,6 +22426,28 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz, /* Don't write out Certificate Policies extension items. */ SetASNItem_NoOut(dataASN, 27, 30); } + #ifndef IGNORE_NETSCAPE_CERT_TYPE + /* Netscape Certificate Type */ + if (cert->nsCertType != 0) { + /* Set Netscape Certificate Type OID and data. */ + SetASN_Buffer(&dataASN[32], nsCertOID, sizeof(nsCertOID)); + SetASN_Buffer(&dataASN[34], &cert->nsCertType, 1); + } + else + #endif + { + /* Don't write out Netscape Certificate Type. */ + SetASNItem_NoOut(dataASN, 31, 34); + } + if (cert->crlInfoSz > 0) { + /* Set CRL Distribution Points OID and data. */ + SetASN_Buffer(&dataASN[36], crlInfoOID, sizeof(crlInfoOID)); + SetASN_Buffer(&dataASN[37], cert->crlInfo, cert->crlInfoSz); + } + else { + /* Don't write out CRL Distribution Points. */ + SetASNItem_NoOut(dataASN, 35, 37); + } #endif } @@ -22179,7 +22471,7 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz, SetASN_Items(certExtsASN, dataASN, certExtsASN_Length, output); #ifdef WOLFSSL_CERT_EXT - if (cert->keyUsage != 0){ + if (cert->extKeyUsage != 0){ /* Encode Extended Key Usage into space provided. */ if (SetExtKeyUsage(cert, (byte*)dataASN[26].data.buffer.data, dataASN[26].data.buffer.length, cert->extKeyUsage) <= 0) { 
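Review bot: The template path encodes the Netscape certificate type by handing the raw byte to the BIT STRING item, `SetASN_Buffer(&dataASN[34], &cert->nsCertType, 1)`, while the non-template SetNsCertType strips trailing zero bits into the unused-bits count. Unless SetASN_Items derives the unused-bits byte for a BIT STRING item from the data (not visible here), the two build configurations emit different DER for the same value, and the template output would not be the minimal named-bit-list encoding DER requires (X.690 11.2.2); a test comparing both paths, or a comment stating which encoding is intended, is warranted. The `SetASNItem_NoOutBelow(dataASN, certExtsASN, 16, ...)` use for raw AKID relies on item 16 being the OCTET STRING of that extension; a comment naming the item, rather than the bare index, would make the later renumbering of certExtsASN safer.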
@@ -22209,6 +22501,10 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz, #ifndef WOLFSSL_ASN_TEMPLATE /* Set Date validity from now until now + daysValid * return size in bytes written to output, 0 on error */ +/* TODO https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5 + * "MUST always encode certificate validity dates through the year 2049 as + * UTCTime; certificate validity dates in 2050 or later MUST be encoded as + * GeneralizedTime." */ static int SetValidity(byte* output, int daysValid) { #ifndef NO_ASN_TIME @@ -22562,11 +22858,25 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey, /* AKID */ if (cert->akidSz) { /* check the provided AKID size */ - if (cert->akidSz > (int)min(CTC_MAX_AKID_SIZE, sizeof(der->akid))) + if (( +#ifdef WOLFSSL_AKID_NAME + !cert->rawAkid && +#endif + cert->akidSz > (int)min(CTC_MAX_AKID_SIZE, sizeof(der->akid))) +#ifdef WOLFSSL_AKID_NAME + || (cert->rawAkid && cert->akidSz > (int)sizeof(der->akid)) +#endif + ) return AKID_E; - der->akidSz = SetAKID(der->akid, sizeof(der->akid), - cert->akid, cert->akidSz, cert->heap); + der->akidSz = SetAKID(der->akid, sizeof(der->akid), cert->akid, + cert->akidSz, +#ifdef WOLFSSL_AKID_NAME + cert->rawAkid +#else + 0 +#endif + ); if (der->akidSz <= 0) return AKID_E; 
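Review bot: The AKID size check in EncodeCert splits one `if` condition across three `#ifdef WOLFSSL_AKID_NAME` fragments, which is hard to read and easy to break on the next edit. Computing the limit first keeps the condition flat: `int maxAkidSz = (int)min(CTC_MAX_AKID_SIZE, sizeof(der->akid));`, then under `#ifdef WOLFSSL_AKID_NAME` `if (cert->rawAkid) maxAkidSz = (int)sizeof(der->akid);`, followed by `if (cert->akidSz > maxAkidSz) return AKID_E;`. The `#ifdef` inside the SetAKID argument list can likewise become a local `rawAkid` initialised to 0 and set under the macro.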
@@ -22599,6 +22909,31 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey, else der->extKeyUsageSz = 0; +#ifndef IGNORE_NETSCAPE_CERT_TYPE + /* Netscape Certificate Type */ + if (cert->nsCertType != 0) { + der->nsCertTypeSz = SetNsCertType(cert, der->nsCertType, + sizeof(der->nsCertType), cert->nsCertType); + if (der->nsCertTypeSz <= 0) + return EXTENSIONS_E; + + der->extensionsSz += der->nsCertTypeSz; + } + else + der->nsCertTypeSz = 0; +#endif + + if (cert->crlInfoSz > 0) { + der->crlInfoSz = SetCRLInfo(cert, der->crlInfo, sizeof(der->crlInfo), + cert->crlInfo, cert->crlInfoSz); + if (der->crlInfoSz <= 0) + return EXTENSIONS_E; + + der->extensionsSz += der->crlInfoSz; + } + else + der->crlInfoSz = 0; + /* Certificate Policies */ if (cert->certPoliciesNb != 0) { der->certPoliciesSz = SetCertificatePolicies(der->certPolicies, @@ -22664,6 +22999,15 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey, return EXTENSIONS_E; } + /* put CRL Distribution Points */ + if (der->crlInfoSz) { + ret = SetExtensions(der->extensions, sizeof(der->extensions), + &der->extensionsSz, + der->crlInfo, der->crlInfoSz); + if (ret <= 0) + return EXTENSIONS_E; + } + /* put KeyUsage */ if (der->keyUsageSz) { ret = SetExtensions(der->extensions, sizeof(der->extensions), @@ -22682,6 +23026,17 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey, return EXTENSIONS_E; } + /* put Netscape Cert Type */ +#ifndef IGNORE_NETSCAPE_CERT_TYPE + if (der->nsCertTypeSz) { + ret = SetExtensions(der->extensions, sizeof(der->extensions), + &der->extensionsSz, + der->nsCertType, der->nsCertTypeSz); + if (ret <= 0) + return EXTENSIONS_E; + } +#endif + /* put Certificate Policies */ if (der->certPoliciesSz) { ret = SetExtensions(der->extensions, sizeof(der->extensions), 
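Review bot: The non-template EncodeCert appends the CRL Distribution Points extension before KeyUsage and the Netscape type after ExtendedKeyUsage, while the template certExtsASN places Netscape type (items 31–34) and CRL Distribution Points (items 35–37) last, after Certificate Policies. Extension order is not significant to RFC 5280 validators, but the two build configurations will now produce byte-different certificates from the same Cert, which matters for any test vector or signature fixture shared between them; if the difference is intended, a comment at the `/* put CRL Distribution Points */` block saying the order is deliberately different from the template path would save the next reader a comparison. The `der->extensionsSz += ...` accounting for both new extensions matches the pattern used for extKeyUsage above it.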
@@ -26957,16 +27312,20 @@ static int DecodeAsymKeyPublic(const byte* input, word32* inOutIdx, word32 inSz, return ASN_PARSE_E; /* key header */ - ret = CheckBitString(input, inOutIdx, NULL, inSz, 1, NULL); + ret = CheckBitString(input, inOutIdx, &length, inSz, 1, NULL); if (ret != 0) return ret; /* check that the value found is not too large for pubKey buffer */ - if (inSz - *inOutIdx > *pubKeyLen) + if ((word32)length > *pubKeyLen) + return ASN_PARSE_E; + + /* check that input buffer is exhausted */ + if (*inOutIdx + (word32)length != inSz) return ASN_PARSE_E; /* This is the raw point data compressed or uncompressed. */ - *pubKeyLen = inSz - *inOutIdx; + *pubKeyLen = length; XMEMCPY(pubKey, input + *inOutIdx, *pubKeyLen); #else len = inSz - *inOutIdx; @@ -26982,9 +27341,11 @@ static int DecodeAsymKeyPublic(const byte* input, word32* inOutIdx, word32 inSz, /* Decode Ed25519 private key. */ ret = GetASN_Items(edPubKeyASN, dataASN, edPubKeyASN_Length, 1, input, inOutIdx, inSz); - if (ret != 0) { + if (ret != 0) + ret = ASN_PARSE_E; + /* check that input buffer is exhausted */ + if (*inOutIdx != inSz) ret = ASN_PARSE_E; - } } /* Check the public value length is correct. */ if ((ret == 0) && (dataASN[3].data.ref.length > *pubKeyLen)) { diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 94d55690d..c73c68952 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c 
@@ -12289,18 +12289,20 @@ static void initDefaultName(void) static const CertName certDefaultName = { "US", CTC_PRINTABLE, /* country */ "Oregon", CTC_UTF8, /* state */ + "Main St", CTC_UTF8, /* street */ "Portland", CTC_UTF8, /* locality */ "Test", CTC_UTF8, /* sur */ "wolfSSL", CTC_UTF8, /* org */ "Development", CTC_UTF8, /* unit */ "www.wolfssl.com", CTC_UTF8, /* commonName */ "wolfSSL12345", CTC_PRINTABLE, /* serial number of device */ + "12-456", CTC_PRINTABLE, /* Postal Code */ #ifdef WOLFSSL_CERT_EXT "Private Organization", CTC_UTF8, /* businessCategory */ "US", CTC_PRINTABLE, /* jurisdiction country */ "Oregon", CTC_PRINTABLE, /* jurisdiction state */ #endif - "info@wolfssl.com" /* email */ + "info@wolfssl.com", /* email */ }; #endif /* WOLFSSL_MULTI_ATTRIB */ diff --git a/wolfssl/internal.h b/wolfssl/internal.h index dd26e61fd..9edbf21eb 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -3854,12 +3854,14 @@ struct WOLFSSL_X509 { #ifdef HAVE_EX_DATA WOLFSSL_CRYPTO_EX_DATA ex_data; #endif - byte* authKeyId; + byte* authKeyId; /* Points into authKeyIdSrc */ + byte* authKeyIdSrc; byte* subjKeyId; byte* extKeyUsageSrc; #ifdef OPENSSL_ALL byte* subjAltNameSrc; #endif + byte* rawCRLInfo; byte* CRLInfo; byte* authInfo; #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) @@ -3868,12 +3870,18 @@ struct WOLFSSL_X509 { #endif word32 pathLength; word16 keyUsage; + int rawCRLInfoSz; int CRLInfoSz; int authInfoSz; word32 authKeyIdSz; + word32 authKeyIdSrcSz; word32 subjKeyIdSz; + byte extKeyUsage; word32 extKeyUsageSz; word32 extKeyUsageCount; +#ifndef IGNORE_NETSCAPE_CERT_TYPE + byte nsCertType; +#endif #ifdef OPENSSL_ALL word32 subjAltNameSz; #endif diff --git a/wolfssl/openssl/x509v3.h b/wolfssl/openssl/x509v3.h index fa30dcc1b..2e3298226 100644 --- a/wolfssl/openssl/x509v3.h +++ b/wolfssl/openssl/x509v3.h 
@@ -57,8 +57,8 @@ #define X509_PURPOSE_SSL_CLIENT 0 #define X509_PURPOSE_SSL_SERVER 1 -#define NS_SSL_CLIENT 0 -#define NS_SSL_SERVER 1 +#define NS_SSL_CLIENT WC_NS_SSL_CLIENT +#define NS_SSL_SERVER WC_NS_SSL_SERVER /* Forward reference */ diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 80a7ece30..4cc9714bc 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -166,7 +166,9 @@ typedef struct ASNItem { byte tag; /* Whether the ASN.1 item is constructed. */ byte constructed:1; - /* Whether to parse the header only or skip data. */ + /* Whether to parse the header only or skip data. If + * ASNSetData.data.buffer.data is supplied then this option gets + * overwritten and the child nodes get ignored. */ byte headerOnly:1; /* Whether ASN.1 item is optional. * - 0 means not optional @@ -587,6 +589,23 @@ WOLFSSL_LOCAL void SetASN_OID(ASNSetData *dataASN, int oid, int oidType); } \ while (0) +/* Set the data items below node to not be encoded. + * + * @param [in] dataASN Dynamic ASN data item. + * @param [in] node Node who's children should not be encoded. + * @param [in] dataASNLen Number of items in dataASN. + */ +#define SetASNItem_NoOutBelow(dataASN, asn, node, dataASNLen) \ + do { \ + int ii; \ + for (ii = node + 1; ii < (int)(dataASNLen); ii++) { \ + if (asn[ii].depth <= asn[node].depth) \ + break; \ + dataASN[ii].noOut = 1; \ + } \ + } \ + while (0) + #endif /* WOLFSSL_ASN_TEMPLATE */ @@ -598,9 +617,11 @@ enum DN_Tags { ASN_COUNTRY_NAME = 0x06, /* C */ ASN_LOCALITY_NAME = 0x07, /* L */ ASN_STATE_NAME = 0x08, /* ST */ + ASN_STREET_ADDR = 0x09, /* street */ ASN_ORG_NAME = 0x0a, /* O */ ASN_ORGUNIT_NAME = 0x0b, /* OU */ ASN_BUS_CAT = 0x0f, /* businessCategory */ + ASN_POSTAL_CODE = 0x11, /* postalCode */ ASN_EMAIL_NAME = 0x98, /* not oid number there is 97 in 2.5.4.0-97 */ /* pilot attribute types 
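Review bot: The doc block for SetASNItem_NoOutBelow lists `dataASN`, `node` and `dataASNLen` but omits the `asn` parameter, which is the template array whose `depth` values drive the loop; add `@param [in] asn ASN.1 template items; depth is read from asn[node].` The macro also uses `node` unparenthesised in `node + 1` and `asn[node]`, so an expression argument such as `i + 1` would mis-evaluate; `(node)` in both places is the usual macro hygiene. The loop variable `ii` is declared inside the do-block, which is valid C99 but will trip `-Wshadow` in a caller that already has an `ii`.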
@@ -636,6 +657,9 @@ extern const WOLFSSL_ObjectInfo wolfssl_object_info[]; #define WOLFSSL_LN_LOCALITY_NAME "/localityName=" #define WOLFSSL_STATE_NAME "/ST=" #define WOLFSSL_LN_STATE_NAME "/stateOrProvinceName=" +#define WOLFSSL_STREET_ADDR_NAME "/street=" +#define WOLFSSL_LN_STREET_ADDR_NAME "/streetAddress=" +#define WOLFSSL_POSTAL_NAME "/postalCode=" #define WOLFSSL_ORG_NAME "/O=" #define WOLFSSL_LN_ORG_NAME "/organizationName=" #define WOLFSSL_ORGUNIT_NAME "/OU=" @@ -715,12 +739,14 @@ enum NID_countryName = 0x06, /* C */ NID_localityName = 0x07, /* L */ NID_stateOrProvinceName = 0x08, /* ST */ + NID_streetAddress = ASN_STREET_ADDR, /* street */ NID_organizationName = 0x0a, /* O */ NID_organizationalUnitName = 0x0b, /* OU */ NID_jurisdictionCountryName = 0xc, NID_jurisdictionStateOrProvinceName = 0xd, NID_businessCategory = ASN_BUS_CAT, NID_domainComponent = ASN_DOMAIN_COMPONENT, + NID_postalCode = ASN_POSTAL_CODE, /* postalCode */ NID_favouriteDrink = 462, NID_userId = 458, NID_emailAddress = 0x30, /* emailAddress */ @@ -857,6 +883,10 @@ enum Misc_ASN { CTC_MAX_EKU_OID_SZ, /* Max encoded ExtKeyUsage (SEQ/LEN + OBJID + OCTSTR/LEN + SEQ + (6 * (SEQ + OID))) */ +#ifndef IGNORE_NETSCAPE_CERT_TYPE + MAX_NSCERTTYPE_SZ = MAX_SEQ_SZ + 17, /* SEQ + OID + OCTET STR + + * NS BIT STR */ +#endif MAX_CERTPOL_NB = CTC_MAX_CERTPOL_NB,/* Max number of Cert Policy */ MAX_CERTPOL_SZ = CTC_MAX_CERTPOL_SZ, #endif @@ -1127,6 +1157,15 @@ enum CsrAttrType { #define EXTKEYUSE_SERVER_AUTH 0x02 #define EXTKEYUSE_ANY 0x01 +#define WC_NS_SSL_CLIENT 0x80 +#define WC_NS_SSL_SERVER 0x40 +#define WC_NS_SMIME 0x20 +#define WC_NS_OBJSIGN 0x10 +#define WC_NS_SSL_CA 0x04 +#define WC_NS_SMIME_CA 0x02 +#define WC_NS_OBJSIGN_CA 0x01 + + typedef struct DNS_entry DNS_entry; struct DNS_entry { 
@@ -1382,6 +1421,10 @@ struct DecodedCert { const byte* extAuthInfoCaIssuer; /* Authority Info Access caIssuer URI */ int extAuthInfoCaIssuerSz; /* length of the caIssuer URI */ #endif + const byte* extCrlInfoRaw; /* Entire CRL Distribution Points + * Extension. This is useful when + * re-generating the DER. */ + int extCrlInfoRawSz; /* length of the extension */ const byte* extCrlInfo; /* CRL Distribution Points */ int extCrlInfoSz; /* length of the URI */ byte extSubjKeyId[KEYID_SIZE]; /* Subject Key ID */ @@ -1398,6 +1441,10 @@ struct DecodedCert { const byte* extExtKeyUsageSrc; word32 extExtKeyUsageSz; word32 extExtKeyUsageCount; +#ifdef WOLFSSL_AKID_NAME + const byte* extRawAuthKeyIdSrc; + word32 extRawAuthKeyIdSz; +#endif const byte* extAuthKeyIdSrc; word32 extAuthKeyIdSz; const byte* extSubjKeyIdSrc; @@ -1447,6 +1494,9 @@ struct DecodedCert { int subjectSNDLen; char subjectSNDEnc; #ifdef WOLFSSL_CERT_EXT + char* subjectStreet; + int subjectStreetLen; + char subjectStreetEnc; char* subjectBC; int subjectBCLen; char subjectBCEnc; @@ -1456,10 +1506,13 @@ struct DecodedCert { char* subjectJS; int subjectJSLen; char subjectJSEnc; + char* subjectPC; + int subjectPCLen; + char subjectPCEnc; #endif char* subjectEmail; int subjectEmailLen; -#endif /* WOLFSSL_CERT_GEN */ +#endif /* defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) */ #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) /* WOLFSSL_X509_NAME structures (used void* to avoid including ssl.h) */ void* issuerName; @@ -1476,7 +1529,10 @@ struct DecodedCert { #ifdef WOLFSSL_CERT_EXT char extCertPolicies[MAX_CERTPOL_NB][MAX_CERTPOL_SZ]; int extCertPoliciesNb; -#endif /* defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) */ +#endif /* WOLFSSL_CERT_EXT */ +#ifndef IGNORE_NETSCAPE_CERT_TYPE + byte nsCertType; +#endif #ifdef WOLFSSL_CERT_REQ /* CSR attributes */ 
@@ -1880,9 +1936,9 @@ WOLFSSL_LOCAL int wc_MIME_free_hdrs(MimeHdr* head);
enum cert_enums {
#ifdef WOLFSSL_CERT_EXT
- NAME_ENTRIES = 10,
+ NAME_ENTRIES = 12,
#else
- NAME_ENTRIES = 9,
+ NAME_ENTRIES = 11,
#endif
JOINT_LEN = 2,
EMAIL_JOINT_LEN = 9,
diff --git a/wolfssl/wolfcrypt/asn_public.h b/wolfssl/wolfcrypt/asn_public.h
index f108c17ad..7f2ab82be 100644
--- a/wolfssl/wolfcrypt/asn_public.h
+++ b/wolfssl/wolfcrypt/asn_public.h
@@ -197,7 +197,9 @@ enum Ctc_Misc {
CTC_MAX_SKID_SIZE = 32, /* SHA256_DIGEST_SIZE */
CTC_MAX_AKID_SIZE = 32, /* SHA256_DIGEST_SIZE */
CTC_MAX_CERTPOL_SZ = 64,
- CTC_MAX_CERTPOL_NB = 2 /* Max number of Certificate Policy */
+ CTC_MAX_CERTPOL_NB = 2, /* Max number of Certificate Policy */
+ CTC_MAX_CRLINFO_SZ = 200, /* Arbitrary size that should be enough for at
+ * least two distribution points. */
#endif /* WOLFSSL_CERT_EXT */
};
@@ -305,6 +307,8 @@ typedef struct CertName {
char countryEnc;
char state[CTC_NAME_SIZE];
char stateEnc;
+ char street[CTC_NAME_SIZE];
+ char streetEnc;
char locality[CTC_NAME_SIZE];
char localityEnc;
char sur[CTC_NAME_SIZE];
@@ -317,6 +321,8 @@ typedef struct CertName {
char commonNameEnc;
char serialDev[CTC_NAME_SIZE];
char serialDevEnc;
+ char postalCode[CTC_NAME_SIZE];
+ char postalCodeEnc;
#ifdef WOLFSSL_CERT_EXT
char busCat[CTC_NAME_SIZE];
char busCatEnc;
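Review bot: `street`/`streetEnc` and `postalCode`/`postalCodeEnc` are inserted in the middle of the public `CertName` struct, so any caller that fills it with a positional initializer — as wolfcrypt/test/test.c does in this same commit — silently shifts `locality` into `street` until it is updated, and the struct's size and field offsets change for binary users. If that is accepted it deserves a release-note line; otherwise appending the new fields after `email` keeps existing initializers valid, since the GetOneCertName/GetNameType/GetCertNameId switches map indices to fields explicitly and, as far as this diff shows, nothing depends on declaration order. `CTC_MAX_CRLINFO_SZ = 200` is described as arbitrary; whatever fills `Cert.crlInfo` (not in this hunk) must reject longer input, because SetCRLInfo only checks against its output buffer.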
@@ -357,10 +363,24 @@ typedef struct Cert { #ifdef WOLFSSL_CERT_EXT byte skid[CTC_MAX_SKID_SIZE]; /* Subject Key Identifier */ int skidSz; /* SKID size in bytes */ - byte akid[CTC_MAX_AKID_SIZE]; /* Authority Key Identifier */ + byte akid[CTC_MAX_AKID_SIZE +#ifdef WOLFSSL_AKID_NAME + + sizeof(CertName) + CTC_SERIAL_SIZE +#endif + ]; /* Authority Key + * Identifier */ int akidSz; /* AKID size in bytes */ +#ifdef WOLFSSL_AKID_NAME + byte rawAkid; /* Set to true if akid is a + * AuthorityKeyIdentifier object. + * Set to false if akid is just a + * KeyIdentifier object. */ +#endif word16 keyUsage; /* Key Usage */ byte extKeyUsage; /* Extended Key Usage */ +#ifndef IGNORE_NETSCAPE_CERT_TYPE + byte nsCertType; /* Netscape Certificate Type */ +#endif #ifdef WOLFSSL_EKU_OID /* Extended Key Usage OIDs */ byte extKeyUsageOID[CTC_MAX_EKU_NB][CTC_MAX_EKU_OID_SZ]; @@ -368,6 +388,8 @@ typedef struct Cert { #endif char certPolicies[CTC_MAX_CERTPOL_NB][CTC_MAX_CERTPOL_SZ]; word16 certPoliciesNb; /* Number of Cert Policy */ + byte crlInfo[CTC_MAX_CRLINFO_SZ]; /* CRL Distribution points */ + int crlInfoSz; #endif #if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) || \ defined(WOLFSSL_CERT_REQ)
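Review bot: The `akid` buffer is sized `CTC_MAX_AKID_SIZE + sizeof(CertName) + CTC_SERIAL_SIZE` to hold a full AuthorityKeyIdentifier with issuer name and serial, but `sizeof(CertName)` is the size of the C struct, not an upper bound on the DER encoding of the name: each RDN adds SET/SEQUENCE/OID/string headers on top of the string bytes, so a CertName with every `CTC_NAME_SIZE` field fully populated could encode larger than the struct, and DerCert.akid at @@ -19927 uses the same expression. Whether that is reachable depends on the code that fills `akid` under `WOLFSSL_AKID_NAME` (not in view), which must bound-check against `sizeof(cert->akid)` before copying; a comment on the field stating that assumption, or a margin derived from the per-attribute overhead, would make the bound defensible. The `rawAkid` comment could also say that `1`/`0` are the values, since the field is a `byte` rather than a bool.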