From c162196b27e823fb26424cdc8c6e5ab6b1ea94ae Mon Sep 17 00:00:00 2001 
From: Juliusz Sosinowicz Date: Thu, 7 Oct 2021 16:16:52 +0200 Subject: [PATCH 01/11] Add x509 name attributes and extensions to DER parsing and generation - Postal Code - Street Address - External Key Usage - Netscape Certificate Type - CRL Distribution Points - Storing full Authority Key Identifier information - Add new certificates to `certs/test` for testing - Update WOLFSSL_ASN_TEMPLATE to match new features --- certs/renewcerts/wolfssl.cnf | 2 +- certs/test/cert-ext-ia.der | Bin 1022 -> 1033 bytes certs/test/cert-ext-ia.pem | 24 ++ certs/test/cert-ext-joi.der | Bin 1376 -> 1376 bytes certs/test/cert-ext-joi.pem | 31 ++ certs/test/cert-ext-multiple.cfg | 24 ++ certs/test/cert-ext-multiple.der | Bin 0 -> 1439 bytes certs/test/cert-ext-multiple.pem | 32 ++ certs/test/cert-ext-nc.der | Bin 1070 -> 1157 bytes certs/test/cert-ext-nc.pem | 27 ++ certs/test/cert-ext-nct.der | Bin 1043 -> 1054 bytes certs/test/cert-ext-nct.pem | 24 ++ certs/test/cert-ext-ndir-exc.der | Bin 1259 -> 1281 bytes certs/test/cert-ext-ndir-exc.pem | 29 ++ certs/test/cert-ext-ndir.der | Bin 1238 -> 1260 bytes certs/test/cert-ext-ndir.pem | 29 ++ certs/test/gen-ext-certs.sh | 54 +++- certs/test/include.am | 12 +- src/internal.c | 51 +++- src/ssl.c | 101 ++++--- tests/api.c | 417 +++++++++++++++++--------- wolfcrypt/src/asn.c | 486 ++++++++++++++++++++++++++----- wolfcrypt/test/test.c | 4 +- wolfssl/internal.h | 10 +- wolfssl/openssl/x509v3.h | 4 +- wolfssl/wolfcrypt/asn.h | 43 ++- wolfssl/wolfcrypt/asn_public.h | 20 +- 27 files changed, 1139 insertions(+), 285 deletions(-) create mode 100644 certs/test/cert-ext-ia.pem create mode 100644 certs/test/cert-ext-joi.pem create mode 100644 certs/test/cert-ext-multiple.cfg create mode 100644 certs/test/cert-ext-multiple.der create mode 100644 certs/test/cert-ext-multiple.pem create mode 100644 certs/test/cert-ext-nc.pem create mode 100644 certs/test/cert-ext-nct.pem create mode 100644 certs/test/cert-ext-ndir-exc.pem create mode 100644 
certs/test/cert-ext-ndir.pem diff --git a/certs/renewcerts/wolfssl.cnf b/certs/renewcerts/wolfssl.cnf index 8a735f690..6c5efb25f 100644 --- a/certs/renewcerts/wolfssl.cnf +++ b/certs/renewcerts/wolfssl.cnf @@ -278,7 +278,7 @@ keyUsage=critical, digitalSignature, keyEncipherment, keyAgreement extendedKeyUsage=serverAuth nsCertType=server -# server-ecc extensions +# client-ecc extensions [ client_ecc ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always 
diff --git a/certs/test/cert-ext-ia.der b/certs/test/cert-ext-ia.der index 1893b5cd1d8d573bcf8fb95286d10b9389dd330e..9ece2e7bec93b5eeb63b0fe4219a28ab0fada7a1 100644 GIT binary patch delta 332 zcmeyz-pQeC(8R)O(8Tn10W%XL6O#z@`M`qhGtc?{pU-i1n_%A(+l(u^6D4*?8X6dw z85$Xx8JI+g^BS2Lm>U>DxEo)JGSzQ?*yO=;+_~#S{f*Z%I%fvo;J@^9mDWB+t%Wb= zOqo%@Rr0-=KOjQ*#lEa}%glBqe&=yX>Ac;rVuEW=y)5r(ji>kBUby*M&WoLY{MF8Y z#rkVYOD3%1@8Q)?WUIaWpW(=&|K__VUlEM4_-1-t@L{68U~!UT>(rmyT^v>~ZgP|f zt#`ikK*{7nN?62gQ7HqnsfziZm5@Y?!G>8Q{b%F&V)1l59iEh`ZNOo3f`D! delta 321 zcmeC=_{T0`(8T=9po!_x0%j&gCMHgX#UD59dH#6P@rlYiBn^xV4Gb+!EKQB0#CeU3 z4Gj&55$M49RnbU$$(xZSvP@!?P5Q@7=K9$d0FNM3iAg!#pWQ_GT8E51ookT9rK z%Ky=PDKAlXXGcm1v(B3KX~&m^-ssct^Z7A<+x8=V750J8UTyR>zsa+ZcW&w{7k_^b z|B{Gb`{DxauI#?0Vo@jl>dp6Xi)AkZZ5JiDILwZGcVfFmGn&2g?({F1HT7%E1O-0Uji)b%1O&`C5@I~bW&0ARihows`^XV0-#jlfFgjox;d<7m=q^VpBzjwU+R#wH1#o}N4Zl74& zF>#LCb)6Ey@LfyQZNoO-zhbFX8_fGHt>9;b(pjdi;zR2LPF}J2tGRGNMABvNgG*QB xzWKb4YvJ)fab7cy%`9T7Nt+@n9hIN%SJ8QR(ww_43{o=UHf{^LA2Qvu0suzXpnd=V delta 363 zcmaFB^?*y+poulcpozt00W%XL6O)LLTlI`vzG4!qOYPdM_v`PExf@?PQTe`dQruaSv?v7r%^J2{T|)aGZ5F4*->wqsGMH)#63_|5Y({ymvu66a=|UH0_b zx_2B!{y$q){)--c=0$$#JIChQ z=T|6l^`mf3%JURS3#$*tGRunpZG5zKqSy{+PWyis+2=|y^#8ffy)R7326;_-)pXJ^K1|iA?JWEdQ9Z);GMk yb5x)Aj;3Ji0n-^@!q&Wqdt|xx(a89bbsUG9HiW96GbC)wnHiWwiSrtn7?>LvLAk@kmraaH$kE5h%D~*j$j@NV z#K^_e#K_37pXZdW$R@cKr|7d5@?M{OO9eh|Go63`R4wz2%WLj2r@hnqcw<9t9(xG4 zzzjv-hSNd{&(HYZbFDpDRBrU@)P&ucK?2PBD?U#>`msAHO!|F#{t^MlscX4rKVEuZ z!=-|<0E6fiFF15+-Y#EM)oY6FOl_+5jIlUduKIp&Luv378{1RK(ep*O zUX~Tsm%M0myUgm$j@pw?4_&|Ikbgt*PO-F;Zt$FcQh#b!SDD$*xYts{ntm=z#G-xW z$DXYjr!(pc6|}!DNd6k8zgX?k_WX@e;@2%^a{QYdk^k?ouqTHY_j2EKh9JXqWxpA3 z16^fzvfSi;b3RIT+}( zF^9^^vuGHo8K^8!TA4GJP)nx788YgdFazobO>5HodO^nPS11M`cHnxeyrH6QDxa*llJR7f9&oES|54MxK6a?mHL6st<}mknVd6x zm9E@+sS$iTFq!d~jP2%Sf??Ofre#It2+L`({biR6?$()XwAyra^4;C;*|HD)?_9og z)yVbU)mbZ>0u+pv>hr!|zAj*{6!WS8_cXz~PU~kC*h^_I?fL$t@QLX<@lc^Be`IuH z7(=4JzLdIl#q>n`rWeoG3jIkpt+&&P5MuP}E_2y_36!y&TlmRnNAe17P;9kZ`3GtOw` 
z^gm-}>U^HRUVZ!4iXC$nh=$wpRxDnif0HeKrclBZo?x|S>lVD6RCzqzk}LgT-cQwS z({ki4#~quj{^w;OyWTRVTZUKb!zZqey(r!%>ELr@vDkd}TMbv7GGcP}|J{~)&Em^z u_B)R@$R2b!q0B89wb^rGWc;>0IunmMyxE>y#`b)5x!|JM{JIDxi3|XQ{H}rk delta 351 zcmZqWT*skl(8Qu;(8MgXfSHMriHVb8f3iP+N3*1g0WTY;R+~rLcV0$DZdL|^>WM$9 zl?>#>d5sJW4Gb-f42;c;%%jA4jZ6&84Nak3u&T{77~eA17cBVk%vos3vjV}C4M|I5 zURuZ0*)Cq(-LZ3v$Ju{6JWE%1>^Xk;qtXl0+_Pqv4D&uP9=U(+Vp;n9N-oAbg~D92 zHl@v{8T;#2n@b;1KF7iHRq0^gIi~Lu7TGP4oA8YNm?Eon&y1VTZ!#V-zaV}rc%ws* z_s*|3_FXIy{GD@7#^zzY<)_pPZJ(kOdHyq>I>&DKwfXmnO&xK^-Mx?8`q?<4NQFf} zF#Jz?Y+eF?O;YU6)+Jj$ukkLK>5@F-^K8jh=?2dyn_Xs|C<a$GRd7i27y&OWec6aYzIX|#{{;GFhwq>PA5=OvPmxYH~%yFyXW)#Af})_E&AIW&K92+ zXMTRH+WkLornZj}lgCAOrz*9NDlZjXe;iVZn&uqt#B%$L?cW)5%hJ-LFHH=1;Sx20 zpW{?_y*a<_zOyWk)^9Y(cJ69@{V?=<)`4k~GK+I$L!CTY?|=An^x5iuU-wr50^xt^ zmmgfedeX8*bInz+T?w>&Q~2p*@3X7lbr=5aDqDFZY{R3Y+jlQhm|p+J%;0(9)U}FM z787?a@L9OfVB?F%!lLD^Hu-l=jxS+25T-R_c5i3zwv=D3$1lpSuyVQy>6p{ggWZ delta 321 zcmbQoF_}ZcpoxXwpo!`G0%j&gCMHgX%X}{~I+g#0OjO<>X<%e%U}$M#X=)rL&TC|B zXlP&#;con*#Z>RnY{?K^eAe;W+OR{d%9*z30RTg^nP&h1 diff --git a/certs/test/cert-ext-nct.pem b/certs/test/cert-ext-nct.pem new file mode 100644 index 000000000..355548016 --- /dev/null +++ b/certs/test/cert-ext-nct.pem 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEGjCCAwKgAwIBAgIUAk4+yIZ3S7BdgUTUopeUVK7oAgAwDQYJKoZIhvcNAQEL +BQAwgaAxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNsYW5kMREwDwYDVQQH +DAhCcmlzYmFuZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDASBgNVBAsMC0VuZ2lu +ZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xIzAhBgkqhkiG9w0BCQEW +FHN1cHBvcnRAd29sZnNzc2wuY29tMB4XDTIxMTAwNjEyMjYwNFoXDTI0MDcwMjEy +MjYwNFowgaAxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNsYW5kMREwDwYD +VQQHDAhCcmlzYmFuZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDASBgNVBAsMC0Vu +Z2luZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xIzAhBgkqhkiG9w0B +CQEWFHN1cHBvcnRAd29sZnNzc2wuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAwJUI4VdB8nFtt9JFQScBZcZFrvK8JDC4lc4vTtb2HIi8fJ/7qGd/ +/lycUXX3isoH5zUvj+G9e8AvfKtkqBf8yl17uuAh5XIuby6G2JVz2qwbU7lfP9cZ +DSVP4WNjUYsLZD+tQ7ilHFw0s64AoGPF9n8LWWh4c6aMGKkCba/DGQEuuBDjxsxA +tGmjRjNph27Euxem8+jdrXO8ey8htf1mUQy9VLPhbV8cvCNz0QkDiRTSELlkwyrQ +oZZKvOHUGlvHoMDBY3gPRDcwMpaAMiOVoXe6E9KXc+JdJclqDcM5YKS0sGlCQgnp +2Ai8MyCzWCKnquvE4eZhg8XSlt/Z0E+t1wIDAQABo0owSDAUBglghkgBhvhCAQEB +Af8EBAMCBkAwMAYJYIZIAYb4QgENBCMWIVRlc3RpbmcgTmV0c2NhcGUgQ2VydGlm +aWNhdGUgVHlwZTANBgkqhkiG9w0BAQsFAAOCAQEAgo2UG9wBBhmnTzf8k/dJ529S +AlK8hC+2QM1zzxcD58Z7R/8NaStMMgJI0UdCeibxJOkhRfjCIlqWQ1dCBNvMPf2Y +nXZmZ1vSkVDoRFqQDwjKi383Dz2+zQTir7Ewa0OKhevhVfdqwJYZHKNsHVVCSIXf +8PzF5quPTUfqUBBX/KfBr6uSpqKdNyXW1FE57HHyyY3m1fctof2KdqnEVrDixbe7 +piCXf+w2MOdxla0hOjiRuaBMoaEwseiBcXKnhTxv3TTHpADAViqYm42JjbZk+oXH +0R+oP0GrCjI/IMWL5l9VFV9IDVkBTrJAYaAdBDxdkhxlzdZx+zi2O4WGjt2CUQ== +-----END CERTIFICATE----- 
diff --git a/certs/test/cert-ext-ndir-exc.der b/certs/test/cert-ext-ndir-exc.der index 25507a9d59ecf59db39039e5f63294b02a2e1e31..1ef41bc32a68afa3deca5502416a8eef58382691 100644 GIT binary patch delta 390 zcmaFO*~q1A(8TiBpo#hE0%j&gCMFSn^>tR05-0E_?Ra2!>VCn6KZzffO_W$GX=q?z zW@uz&W?&K}&TC|1U~XUp;cmQlh>_LNpo!6T@=_*6-m7fPp|Z*>jb{xSPc=+l&m=ne z1=D;{tj12B$Q)IlAZ^+ucqi_S_*)eL$57|#x8SWp5LEJ35xwiD*f_ zDVVYNX@HjXTTQc1!a|phCPrFZ@N`a)xz5w5C-O3_Cf?|U*y-DQ>SsmfA7rm;e|vi3 z-DjaoGf({zbx3SHcmM3^&mU%f{m0C@#%I#Pg$HepS|6LSd}HN37vm-djp_Gi1UQwy za?uqNT*>rnVNA@_-3&HH$A5?()rxgC*V6I{>GWLx?5}?mOVdr`rB(O*1?|l~$-J?Y bEVk^AUaEAxz&ZSgz~VEzv&?ogg=Yc)xtpr7 delta 363 zcmZqVdd(?e(8TiGpo#hX0%j&gCMHgX7hw~bzDA2FOjKSgX<%e%U}$M#X=)rL&TC|B zXlP&#;ck3+h>_LIpo!6F@&+bFo>Oehp|Z*>jfV^x_fNjdw3Q2C%;e?FQS~c+9oQ5r zC%L^>WV6mQ+04CFymA-#`BaMKCO>8SsK8?PlTX)j-bLTT;X znE`6EqVlg+TPyr|9xS$hix1ZZ`F+RvC&@Gi&pb2Z;Yyahalcz;zt%mLS7fo|Yc~Ie z-l>;XC~VyOIP*^aZSUC9{H$vKWl^?D^;N}^j(cuSV^Lx^-)bJ`e&y<=ytpovjq@=_*6-m7fPp|Z*>jb{xSPc=+l&m=ne z1=D;{tj12B$n095J|}ATlefN0d>?PS=&;4zEwG|M*?QvvgU*M_MFE*d5A#}?_&sx* zefDUI-c zG*9`hvvKoG3Uj-9=16ETfA)iS200B6FGZ_A)MR*aPwnuTl1cCXJ*Y2v^fBt(>zq~T zGB%a=SxglVwZb%6qgEX}eZ;3E>oPn4*$F(nC42Y}rXE{ir!5wpnil))*mj+U`kaXu_ZPpr%wm^3DO_<$+T(=A0I}^4R$tY7}x{)Y< c=Jn;u9Ge|fujy2s`ZI0s^DkVHOq*{30IIaJZvX%Q delta 363 zcmaFEd5u%Tpo!&@K@;@X)71Pn90kTUF+xHytQ2T z=ZnuT^k+R$z9;c*Vj{!3@W@t=D@<>md_4c;`~Rro(77kLKOR=QWdG}u^)dm4FA^>hKJf*ayIm{#zq9?w1d*utIf-Ak`mE7j$g}6c z%loaqyU*A}R~_v?pf-2LEQYwk?ff>EH7nb=XPs8R@5C@=$LqNL;fdO|Pgw7@q#yqz LVyq&^)GY-7vTUI6 diff --git a/certs/test/cert-ext-ndir.pem b/certs/test/cert-ext-ndir.pem new file mode 100644 index 000000000..d7b8716bc --- /dev/null +++ b/certs/test/cert-ext-ndir.pem 
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIE6DCCA9CgAwIBAgIUf/jV/P1olEjAao7TEGdZx5xTD/EwDQYJKoZIhvcNAQEL +BQAwgZUxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC +b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEY +MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdv +bGZzc3NsLmNvbTAeFw0yMTEwMDYxMjI2MDRaFw0yNDA3MDIxMjI2MDRaMIGVMQsw +CQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjER +MA8GA1UECgwIU2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMM +D3d3dy53b2xmc3NsLmNvbTEgMB4GCSqGSIb3DQEJARYRaW5mb0B3b2xmc3NzbC5j +b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/DMotFLIehEJbzTgf +SvJNdRDxtjWf38p9A5jTrN4DZu4q8diwfW4HVAsQmCFNgMsSIOfMT95FfclydzLq +ypC7aVIQAy+o85XF8YtiVhvvZ2+kEEGVrQqb46XAsNJwdlAwW6joCCx87aeieo04 +KRysx+3yfJWwlYJ9SVw4zXcl772AdVOUPD3KY1ufFbXTHRMvGdE823Y6zLh9yeXC +19pAb9gh3HMbQi1TnP4a/H2rejY/mN6EfAVnzmoUOIep8Yy1aMtof3EgK/WgY/VW +L6Mm0rdvsVoX1ziZCP6TWG/+wxNJCBYLp01nAFIxZyNOmO1RRR25BNkL7Ngos0u9 +7TZ5AgMBAAGjggEsMIIBKDAdBgNVHQ4EFgQUJ45nEXTDJh0/7TNjs6TYHTDl6NUw +gdUGA1UdIwSBzTCByoAUJ45nEXTDJh0/7TNjs6TYHTDl6NWhgZukgZgwgZUxCzAJ +BgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREw +DwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwP +d3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdvbGZzc3NsLmNv +bYIUf/jV/P1olEjAao7TEGdZx5xTD/EwDAYDVR0TBAUwAwEB/zAhBgNVHR4BAf8E +FzAVoBMwEaQPMA0xCzAJBgNVBAYTAlVTMA0GCSqGSIb3DQEBCwUAA4IBAQBnnFq7 +5O1NpE3jttFAtEdGUXhwIzuxwDCJ4SNyUGnFww06NE7mRpvN22vzqi/UwlViuCbE +Sl9MkBD2FEYM/raKyHiO1ZFne4FTzqjuQMsvng9vdHknPpBEKcpOrjxGSWJWRtXM +xFVTD2vg7jBsgOHSWyfhKQDk3ibDzHSS7/7gdOLxWs7rbKpnHDx5P2oCeOEqVikF +WqrBy8RMdGrTBw/NkAwNdLwPwWXGqD4rFltlZl3mxrcsgKeAsoHiaIqKm8F/gYx5 ++xP1bgNnnJHRv3Pu0wQ+Y5JXIaRm42CBUBa34KvSDeC/xk5nMhUPadenIwizQCXW +LHrK/Ja95/QKWbPa +-----END CERTIFICATE----- diff --git a/certs/test/gen-ext-certs.sh b/certs/test/gen-ext-certs.sh index aa77314b0..320973501 100755 --- a/certs/test/gen-ext-certs.sh +++ b/certs/test/gen-ext-certs.sh 
@@ -5,20 +5,22 @@ TMP="/tmp/`basename $0`" KEY=certs/server-key.der gen_cert() { openssl req -x509 -keyform DER -key $KEY \ - -days 1000 -new -outform DER -out $OUT -config $CONFIG \ + -days 1000 -new -outform DER -out $OUT.der -config $CONFIG \ >$TMP 2>&1 - if [ "$?" = "0" -a -f $OUT ]; then + if [ "$?" = "0" -a -f $OUT.der ]; then echo "Created: $OUT" else cat $TMP echo "Failed: $OUT" fi + openssl x509 -in $OUT.der -inform DER -outform PEM > $OUT.pem + rm $TMP } -OUT=certs/test/cert-ext-nc.der +OUT=certs/test/cert-ext-nc KEYFILE=certs/test/cert-ext-nc-key.der CONFIG=certs/test/cert-ext-nc.cfg tee >$CONFIG <$CONFIG <$CONFIG <$CONFIG <$CONFIG <$CONFIG <$CONFIG <$CONFIG <$CONFIG <$CONFIG <sig.buffer, x509->heap, DYNAMIC_TYPE_SIGNATURE); x509->sig.buffer = NULL; #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) - XFREE(x509->authKeyId, x509->heap, DYNAMIC_TYPE_X509_EXT); + if (x509->authKeyIdSrc != NULL) { + XFREE(x509->authKeyIdSrc, x509->heap, DYNAMIC_TYPE_X509_EXT); + } + else { + XFREE(x509->authKeyId, x509->heap, DYNAMIC_TYPE_X509_EXT); + } + x509->authKeyIdSrc = NULL; x509->authKeyId = NULL; XFREE(x509->subjKeyId, x509->heap, DYNAMIC_TYPE_X509_EXT); x509->subjKeyId = NULL; @@ -3903,6 +3909,10 @@ void FreeX509(WOLFSSL_X509* x509) XFREE(x509->authInfo, x509->heap, DYNAMIC_TYPE_X509_EXT); x509->authInfo = NULL; } + if (x509->rawCRLInfo != NULL) { + XFREE(x509->rawCRLInfo, x509->heap, DYNAMIC_TYPE_X509_EXT); + x509->rawCRLInfo = NULL; + } if (x509->CRLInfo != NULL) { XFREE(x509->CRLInfo, x509->heap, DYNAMIC_TYPE_X509_EXT); x509->CRLInfo = NULL; 
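Review bot: The `openssl x509 -in $OUT.der -inform DER -outform PEM > $OUT.pem` line added to gen_cert runs unconditionally after the `fi`, so when `openssl req` fails the function still (re)writes `$OUT.pem` from a missing or stale `$OUT.der` and prints the conversion error on top of the "Failed" message. Move that line into the success branch, directly after `echo "Created: $OUT"`, so a failed generation leaves no partial output behind. The later hunks of this file are not readable in this view and were not reviewed.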
@@ -10649,6 +10659,17 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert) x509->CRLdistSet = dCert->extCRLdistSet; x509->CRLdistCrit = dCert->extCRLdistCrit; + if (dCert->extCrlInfoRaw != NULL && dCert->extCrlInfoRawSz > 0) { + x509->rawCRLInfo = (byte*)XMALLOC(dCert->extCrlInfoRawSz, x509->heap, + DYNAMIC_TYPE_X509_EXT); + if (x509->rawCRLInfo != NULL) { + XMEMCPY(x509->rawCRLInfo, dCert->extCrlInfoRaw, dCert->extCrlInfoRawSz); + x509->rawCRLInfoSz = dCert->extCrlInfoRawSz; + } + else { + ret = MEMORY_E; + } + } if (dCert->extCrlInfo != NULL && dCert->extCrlInfoSz > 0) { x509->CRLInfo = (byte*)XMALLOC(dCert->extCrlInfoSz, x509->heap, DYNAMIC_TYPE_X509_EXT); @@ -10694,12 +10715,24 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert) x509->authKeyIdSet = dCert->extAuthKeyIdSet; x509->authKeyIdCrit = dCert->extAuthKeyIdCrit; if (dCert->extAuthKeyIdSrc != NULL && dCert->extAuthKeyIdSz != 0) { - x509->authKeyId = (byte*)XMALLOC(dCert->extAuthKeyIdSz, x509->heap, - DYNAMIC_TYPE_X509_EXT); - if (x509->authKeyId != NULL) { - XMEMCPY(x509->authKeyId, - dCert->extAuthKeyIdSrc, dCert->extAuthKeyIdSz); - x509->authKeyIdSz = dCert->extAuthKeyIdSz; + if (dCert->extRawAuthKeyIdSrc != NULL && + dCert->extAuthKeyIdSrc > dCert->extRawAuthKeyIdSrc && + dCert->extAuthKeyIdSrc < + (dCert->extRawAuthKeyIdSrc + dCert->extRawAuthKeyIdSz)) { + /* Confirmed: extAuthKeyIdSrc points inside extRawAuthKeyIdSrc */ + x509->authKeyIdSrc = (byte*)XMALLOC(dCert->extRawAuthKeyIdSz, + x509->heap, DYNAMIC_TYPE_X509_EXT); + if (x509->authKeyIdSrc != NULL) { + XMEMCPY(x509->authKeyIdSrc, dCert->extRawAuthKeyIdSrc, + dCert->extRawAuthKeyIdSz); + x509->authKeyIdSrcSz = dCert->extRawAuthKeyIdSz; + /* Set authKeyId to same offset inside authKeyIdSrc */ + x509->authKeyId = x509->authKeyIdSrc + + (dCert->extAuthKeyIdSrc - dCert->extRawAuthKeyIdSrc); + x509->authKeyIdSz = dCert->extAuthKeyIdSz; + } + else + ret = MEMORY_E; } else ret = MEMORY_E; 
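Review bot: The containment test added in the authority-key-identifier branch (second hunk) only checks that `dCert->extAuthKeyIdSrc` begins inside `extRawAuthKeyIdSrc`; it never checks that the `extAuthKeyIdSz` bytes starting there also end inside it, so `x509->authKeyId` can be pointed at an offset whose `authKeyIdSz` bytes run past the end of the newly allocated `authKeyIdSrc`, and every later copy of `authKeyIdSz` bytes from `authKeyId` would read out of bounds. Add `dCert->extAuthKeyIdSrc + dCert->extAuthKeyIdSz <= dCert->extRawAuthKeyIdSrc + dCert->extRawAuthKeyIdSz` to the condition. Separately, when that condition is false (or `extRawAuthKeyIdSrc` is NULL) control now falls into the pre-existing context `else ret = MEMORY_E;`, so a decoded AKID whose raw span was not recorded is reported as an allocation failure instead of being copied as before; reinstating the removed key-id-only XMALLOC/XMEMCPY of `authKeyId` in that `else` keeps the fallback. CopyDecodedToX509 begins and ends outside these hunks.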
@@ -10725,6 +10758,7 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert) if (x509->extKeyUsageSrc != NULL) { XMEMCPY(x509->extKeyUsageSrc, dCert->extExtKeyUsageSrc, dCert->extExtKeyUsageSz); + x509->extKeyUsage = dCert->extExtKeyUsage; x509->extKeyUsageSz = dCert->extExtKeyUsageSz; x509->extKeyUsageCrit = dCert->extExtKeyUsageCrit; x509->extKeyUsageCount = dCert->extExtKeyUsageCount; @@ -10733,6 +10767,9 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert) ret = MEMORY_E; } } + #ifndef IGNORE_NETSCAPE_CERT_TYPE + x509->nsCertType = dCert->nsCertType; + #endif #if defined(WOLFSSL_SEP) || defined(WOLFSSL_QT) x509->certPolicySet = dCert->extCertPolicySet; x509->certPolicyCrit = dCert->extCertPolicyCrit; diff --git a/src/ssl.c b/src/ssl.c index b6f8872e8..eae102b9e 100644 --- a/src/ssl.c +++ b/src/ssl.c 
@@ -8839,58 +8839,24 @@ unsigned int wolfSSL_X509_get_key_usage(WOLFSSL_X509* x509)
 unsigned int wolfSSL_X509_get_extended_key_usage(WOLFSSL_X509* x509)
 {
 int ret = 0;
- int rc;
- word32 idx = 0;
- word32 oid;
 WOLFSSL_ENTER("wolfSSL_X509_get_extended_key_usage");
- if (x509 == NULL) {
- WOLFSSL_MSG("x509 is NULL");
- }
- else if (x509->extKeyUsageSrc != NULL) {
- while (idx < x509->extKeyUsageSz) {
- rc = GetObjectId(x509->extKeyUsageSrc, &idx, &oid,
- oidCertKeyUseType, x509->extKeyUsageSz);
- if (rc == ASN_UNKNOWN_OID_E) {
- continue;
- }
- else if (rc < 0) {
- WOLFSSL_MSG("GetObjectId failed");
- ret = -1;
- break;
- }
-
- switch (oid) {
- case EKU_ANY_OID:
- ret |= XKU_ANYEKU;
- break;
- case EKU_SERVER_AUTH_OID:
- ret |= XKU_SSL_SERVER;
- break;
- case EKU_CLIENT_AUTH_OID:
- ret |= XKU_SSL_CLIENT;
- break;
- case EKU_CODESIGNING_OID:
- ret |= XKU_CODE_SIGN;
- break;
- case EKU_EMAILPROTECT_OID:
- ret |= XKU_SMIME;
- break;
- case EKU_TIMESTAMP_OID:
- ret |= XKU_TIMESTAMP;
- break;
- case EKU_OCSP_SIGN_OID:
- ret |= XKU_OCSP_SIGN;
- break;
- default:
- break;
- }
- }
- }
- else {
- WOLFSSL_MSG("x509->extKeyUsageSrc is NULL");
- ret = -1;
+ if (x509 != NULL) {
+ if (x509->extKeyUsage & EXTKEYUSE_OCSP_SIGN)
+ ret |= XKU_OCSP_SIGN;
+ if (x509->extKeyUsage & EXTKEYUSE_TIMESTAMP)
+ ret |= XKU_TIMESTAMP;
+ if (x509->extKeyUsage & EXTKEYUSE_EMAILPROT)
+ ret |= XKU_SMIME;
+ if (x509->extKeyUsage & EXTKEYUSE_CODESIGN)
+ ret |= XKU_CODE_SIGN;
+ if (x509->extKeyUsage & EXTKEYUSE_CLIENT_AUTH)
+ ret |= XKU_SSL_CLIENT;
+ if (x509->extKeyUsage & EXTKEYUSE_SERVER_AUTH)
+ ret |= XKU_SSL_SERVER;
+ if (x509->extKeyUsage & EXTKEYUSE_ANY)
+ ret |= XKU_ANYEKU;
 }
 WOLFSSL_LEAVE("wolfSSL_X509_get_extended_key_usage", ret);
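Review bot: The rewritten body returns 0 when the certificate carries no extended-key-usage extension, whereas the removed `else` branch returned -1 for a NULL `x509->extKeyUsageSrc`; OpenSSL's X509_get_extended_key_usage, which this function mirrors, likewise reports an absent extension with all bits set rather than 0, so callers that read 0 as "no usage permitted" now get that answer for certificates that impose no restriction at all. Keep the distinction by testing the source inside the new block, e.g. `if (x509 != NULL) { if (x509->extKeyUsageSrc == NULL) { ret = -1; } else { /* bit tests */ } }`. The new code also relies on `x509->extKeyUsage` being populated wherever `extKeyUsageSrc` is, which the CopyDecodedToX509 hunk does but other paths that fill `extKeyUsageSrc` may not — worth confirming. The function's return statement lies after the hunk.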
@@ -9792,6 +9758,13 @@ int wolfSSL_X509_add_ext(WOLFSSL_X509 *x509, WOLFSSL_X509_EXTENSION *ext, int lo switch (ext->obj->type) { case NID_authority_key_identifier: + if (x509->authKeyIdSrc != NULL) { + /* If authKeyId points into authKeyIdSrc then free it and + * revert to old functionality */ + XFREE(x509->authKeyIdSrc, x509->heap, DYNAMIC_TYPE_X509_EXT); + x509->authKeyIdSrc = NULL; + x509->authKeyId = NULL; + } if (asn1_string_copy_to_buffer(&ext->value, &x509->authKeyId, &x509->authKeyIdSz, x509->heap) != WOLFSSL_SUCCESS) { WOLFSSL_MSG("asn1_string_copy_to_buffer error"); @@ -31420,6 +31393,8 @@ const WOLFSSL_ObjectInfo wolfssl_object_info[] = { { NID_localityName, NID_localityName, oidCertNameType, "L", "localityName"}, { NID_stateOrProvinceName, NID_stateOrProvinceName, oidCertNameType, "ST", "stateOrProvinceName"}, + { NID_streetAddress, NID_streetAddress, oidCertNameType, "street", + "streetAddress"}, { NID_organizationName, NID_organizationName, oidCertNameType, "O", "organizationName"}, { NID_organizationalUnitName, NID_organizationalUnitName, oidCertNameType, @@ -31436,6 +31411,7 @@ const WOLFSSL_ObjectInfo wolfssl_object_info[] = { "jurisdictionCountryName"}, { NID_jurisdictionStateOrProvinceName, NID_jurisdictionStateOrProvinceName, oidCertNameType, "jurisdictionST", "jurisdictionStateOrProvinceName"}, + { NID_postalCode, NID_postalCode, oidCertNameType, "postalCode", "postalCode"}, #ifdef WOLFSSL_CERT_REQ { NID_pkcs9_challengePassword, CHALLENGE_PASSWORD_OID, 
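Review bot: After freeing `x509->authKeyIdSrc` in the NID_authority_key_identifier case, the new code clears the two pointers but leaves `x509->authKeyIdSrcSz` (and `authKeyIdSz`) holding the old lengths; `authKeyIdSz` is overwritten only if the following asn1_string_copy_to_buffer succeeds, and `authKeyIdSrcSz` is never reset, so a stale length survives next to a NULL pointer. Add `x509->authKeyIdSrcSz = 0;` beside `x509->authKeyIdSrc = NULL;`. wolfSSL_X509_add_ext begins and ends outside the hunk.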
@@ -41881,11 +41857,21 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl) return WOLFSSL_FAILURE; } - if (x509->authKeyIdSz < CTC_MAX_AKID_SIZE) { + if (x509->authKeyIdSz < sizeof(cert->akid)) { + #ifndef WOLFSSL_ASN_TEMPLATE + /* Not supported with WOLFSSL_ASN_TEMPLATE at the moment. */ + if (x509->authKeyIdSrc) { + XMEMCPY(cert->akid, x509->authKeyIdSrc, x509->authKeyIdSrcSz); + cert->akidSz = (int)x509->authKeyIdSrcSz; + cert->rawAkid = 1; + } + else + #endif if (x509->authKeyId) { XMEMCPY(cert->akid, x509->authKeyId, x509->authKeyIdSz); + cert->akidSz = (int)x509->authKeyIdSz; + cert->rawAkid = 0; } - cert->akidSz = (int)x509->authKeyIdSz; } else { WOLFSSL_MSG("Auth Key ID too large"); @@ -41906,6 +41892,17 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl) cert->certPoliciesNb = (word16)x509->certPoliciesNb; cert->keyUsage = x509->keyUsage; + cert->extKeyUsage = x509->extKeyUsage; + cert->nsCertType = x509->nsCertType; + + if (x509->rawCRLInfo != NULL) { + if (x509->rawCRLInfoSz > CTC_MAX_CRLINFO_SZ) { + WOLFSSL_MSG("CRL Info too large"); + return WOLFSSL_FAILURE; + } + XMEMCPY(cert->crlInfo, x509->rawCRLInfo, x509->rawCRLInfoSz); + cert->crlInfoSz = x509->rawCRLInfoSz; + } #endif /* WOLFSSL_CERT_EXT */ #ifdef WOLFSSL_CERT_REQ @@ -42445,12 +42442,14 @@ static int ConvertNIDToWolfSSL(int nid) case NID_countryName: return ASN_COUNTRY_NAME; case NID_localityName: return ASN_LOCALITY_NAME; case NID_stateOrProvinceName: return ASN_STATE_NAME; + case NID_streetAddress: return ASN_STREET_ADDR; case NID_organizationName: return ASN_ORG_NAME; case NID_organizationalUnitName: return ASN_ORGUNIT_NAME; case NID_emailAddress: return ASN_EMAIL_NAME; case NID_serialNumber: return ASN_SERIAL_NUMBER; case NID_businessCategory: return ASN_BUS_CAT; case NID_domainComponent: return ASN_DOMAIN_COMPONENT; + case NID_postalCode: return ASN_POSTAL_CODE; default: WOLFSSL_MSG("Attribute NID not found"); return -1; diff --git a/tests/api.c b/tests/api.c index 43f2ca73e..3d0eec56e 100644 
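Review bot: In the new `authKeyIdSrc` branch the copy into the fixed-size `cert->akid` uses `x509->authKeyIdSrcSz`, but the only bound enforced by the enclosing `if` is `x509->authKeyIdSz < sizeof(cert->akid)`; the raw extension is the bare key id plus its DER framing and, when present, the issuer name and serial, so it is always larger than the key id and a certificate with a full AKID can overflow `cert->akid`. Guard the raw copy on its own length, `if (x509->authKeyIdSrc && x509->authKeyIdSrcSz <= sizeof(cert->akid)) {`, and route the too-large case to the existing "Auth Key ID too large" failure. The CRL-info hunk below does check `rawCRLInfoSz` against CTC_MAX_CRLINFO_SZ before its XMEMCPY, so the two copies should be symmetric. The enclosing function starts and ends outside the hunk (the `@@` context label names wolfSSL_GetDhAgreeCtx, which is not the function being edited).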
--- a/tests/api.c +++ b/tests/api.c @@ -343,8 +343,11 @@ #endif #if (defined(SESSION_CERTS) && defined(TEST_PEER_CERT_CHAIN)) || \ - defined(HAVE_SESSION_TICKET) - /* for testing SSL_get_peer_cert_chain, or SESSION_TICKET_HINT_DEFAULT */ + defined(HAVE_SESSION_TICKET) || (defined(OPENSSL_EXTRA) && \ + defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN) && \ + !defined(WOLFSSL_ASN_TEMPLATE)) + /* for testing SSL_get_peer_cert_chain, or SESSION_TICKET_HINT_DEFAULT, + * or for setting authKeyIdSrc in WOLFSSL_X509 */ #include "wolfssl/internal.h" #endif 
@@ -35677,140 +35680,208 @@ static void test_wolfSSL_X509_sign2(void) time_t t; const unsigned char expected[] = { - 0x30, 0x82, 0x04, 0x25, 0x30, 0x82, 0x03, 0x0D, - 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, - 0xF1, 0x5C, 0x99, 0x43, 0x66, 0x3D, 0x96, 0x04, - 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, - 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30, - 0x81, 0x94, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, - 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, - 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, - 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, - 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, - 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, - 0x6D, 0x61, 0x6E, 0x31, 0x11, 0x30, 0x0F, 0x06, - 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x08, 0x53, 0x61, - 0x77, 0x74, 0x6F, 0x6F, 0x74, 0x68, 0x31, 0x13, - 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, - 0x0A, 0x43, 0x6F, 0x6E, 0x73, 0x75, 0x6C, 0x74, - 0x69, 0x6E, 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, - 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, - 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, - 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, - 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, - 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, - 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, - 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x1E, - 0x17, 0x0D, 0x30, 0x30, 0x30, 0x32, 0x31, 0x35, - 0x32, 0x30, 0x33, 0x30, 0x30, 0x30, 0x5A, 0x17, - 0x0D, 0x30, 0x31, 0x30, 0x32, 0x31, 0x34, 0x32, - 0x30, 0x33, 0x30, 0x30, 0x30, 0x5A, 0x30, 0x81, - 0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, - 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, - 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, - 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, - 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, - 0x61, 0x6E, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, - 0x55, 0x04, 0x0A, 0x0C, 0x0C, 0x77, 0x6F, 0x6C, - 0x66, 0x53, 0x53, 0x4C, 0x5F, 0x32, 0x30, 0x34, - 0x38, 0x31, 0x19, 0x30, 0x17, 
0x06, 0x03, 0x55, - 0x04, 0x0B, 0x0C, 0x10, 0x50, 0x72, 0x6F, 0x67, - 0x72, 0x61, 0x6D, 0x6D, 0x69, 0x6E, 0x67, 0x2D, - 0x32, 0x30, 0x34, 0x38, 0x31, 0x18, 0x30, 0x16, - 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, - 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, - 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, - 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, - 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, - 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, - 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, - 0x82, 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, - 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, - 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, - 0x82, 0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, - 0xC3, 0x03, 0xD1, 0x2B, 0xFE, 0x39, 0xA4, 0x32, - 0x45, 0x3B, 0x53, 0xC8, 0x84, 0x2B, 0x2A, 0x7C, - 0x74, 0x9A, 0xBD, 0xAA, 0x2A, 0x52, 0x07, 0x47, - 0xD6, 0xA6, 0x36, 0xB2, 0x07, 0x32, 0x8E, 0xD0, - 0xBA, 0x69, 0x7B, 0xC6, 0xC3, 0x44, 0x9E, 0xD4, - 0x81, 0x48, 0xFD, 0x2D, 0x68, 0xA2, 0x8B, 0x67, - 0xBB, 0xA1, 0x75, 0xC8, 0x36, 0x2C, 0x4A, 0xD2, - 0x1B, 0xF7, 0x8B, 0xBA, 0xCF, 0x0D, 0xF9, 0xEF, - 0xEC, 0xF1, 0x81, 0x1E, 0x7B, 0x9B, 0x03, 0x47, - 0x9A, 0xBF, 0x65, 0xCC, 0x7F, 0x65, 0x24, 0x69, - 0xA6, 0xE8, 0x14, 0x89, 0x5B, 0xE4, 0x34, 0xF7, - 0xC5, 0xB0, 0x14, 0x93, 0xF5, 0x67, 0x7B, 0x3A, - 0x7A, 0x78, 0xE1, 0x01, 0x56, 0x56, 0x91, 0xA6, - 0x13, 0x42, 0x8D, 0xD2, 0x3C, 0x40, 0x9C, 0x4C, - 0xEF, 0xD1, 0x86, 0xDF, 0x37, 0x51, 0x1B, 0x0C, - 0xA1, 0x3B, 0xF5, 0xF1, 0xA3, 0x4A, 0x35, 0xE4, - 0xE1, 0xCE, 0x96, 0xDF, 0x1B, 0x7E, 0xBF, 0x4E, - 0x97, 0xD0, 0x10, 0xE8, 0xA8, 0x08, 0x30, 0x81, - 0xAF, 0x20, 0x0B, 0x43, 0x14, 0xC5, 0x74, 0x67, - 0xB4, 0x32, 0x82, 0x6F, 0x8D, 0x86, 0xC2, 0x88, - 0x40, 0x99, 0x36, 0x83, 0xBA, 0x1E, 0x40, 0x72, - 0x22, 0x17, 0xD7, 0x52, 0x65, 0x24, 0x73, 0xB0, - 0xCE, 0xEF, 0x19, 0xCD, 0xAE, 0xFF, 0x78, 0x6C, - 0x7B, 0xC0, 0x12, 0x03, 0xD4, 0x4E, 0x72, 0x0D, - 0x50, 0x6D, 0x3B, 0xA3, 0x3B, 0xA3, 0x99, 0x5E, - 0x9D, 0xC8, 0xD9, 0x0C, 0x85, 
0xB3, 0xD9, 0x8A, - 0xD9, 0x54, 0x26, 0xDB, 0x6D, 0xFA, 0xAC, 0xBB, - 0xFF, 0x25, 0x4C, 0xC4, 0xD1, 0x79, 0xF4, 0x71, - 0xD3, 0x86, 0x40, 0x18, 0x13, 0xB0, 0x63, 0xB5, - 0x72, 0x4E, 0x30, 0xC4, 0x97, 0x84, 0x86, 0x2D, - 0x56, 0x2F, 0xD7, 0x15, 0xF7, 0x7F, 0xC0, 0xAE, - 0xF5, 0xFC, 0x5B, 0xE5, 0xFB, 0xA1, 0xBA, 0xD3, - 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x6E, 0x30, - 0x6C, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13, - 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, 0x30, - 0x1C, 0x06, 0x03, 0x55, 0x1D, 0x11, 0x04, 0x15, - 0x30, 0x13, 0x82, 0x0B, 0x65, 0x78, 0x61, 0x6D, - 0x70, 0x6C, 0x65, 0x2E, 0x63, 0x6F, 0x6D, 0x87, - 0x04, 0x7F, 0x00, 0x00, 0x01, 0x30, 0x1D, 0x06, - 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, - 0x33, 0xD8, 0x45, 0x66, 0xD7, 0x68, 0x87, 0x18, - 0x7E, 0x54, 0x0D, 0x70, 0x27, 0x91, 0xC7, 0x26, - 0xD7, 0x85, 0x65, 0xC0, 0x30, 0x1F, 0x06, 0x03, - 0x55, 0x1D, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, - 0x14, 0x33, 0xD8, 0x45, 0x66, 0xD7, 0x68, 0x87, - 0x18, 0x7E, 0x54, 0x0D, 0x70, 0x27, 0x91, 0xC7, - 0x26, 0xD7, 0x85, 0x65, 0xC0, 0x30, 0x0D, 0x06, - 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, - 0x01, 0x0B, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, - 0x00, 0x79, 0x81, 0x5D, 0xAB, 0xDB, 0x44, 0x70, - 0xD6, 0x39, 0x4F, 0xA6, 0xBA, 0x09, 0x99, 0xBB, - 0xCB, 0x82, 0xF9, 0x17, 0x34, 0xBD, 0x3E, 0xB1, - 0x18, 0xA8, 0xF9, 0x10, 0x16, 0x2A, 0xE0, 0x74, - 0xC6, 0xCF, 0xB3, 0x5F, 0xC6, 0x2C, 0xFB, 0xE3, - 0x5D, 0x38, 0x2B, 0x99, 0x02, 0x98, 0x9D, 0x55, - 0x95, 0x65, 0xC3, 0xEB, 0x77, 0x13, 0xA0, 0x75, - 0x35, 0x68, 0x1F, 0x08, 0xE8, 0x82, 0x3E, 0xF1, - 0xEF, 0x4B, 0xE7, 0x6E, 0xAD, 0xC1, 0x7C, 0x57, - 0xCE, 0xF5, 0x24, 0x4E, 0x2F, 0xC4, 0xF7, 0x46, - 0xED, 0x0E, 0x27, 0x1D, 0xD2, 0x12, 0x5D, 0x9A, - 0xE5, 0x82, 0xB8, 0x92, 0x42, 0x8F, 0x9E, 0x4D, - 0x9B, 0x31, 0x85, 0x2E, 0xE0, 0x5E, 0x83, 0xFB, - 0xA4, 0x33, 0x32, 0x34, 0x2A, 0xAD, 0x38, 0x7A, - 0x6D, 0xD5, 0x02, 0xAE, 0x77, 0xCB, 0x26, 0x76, - 0x7B, 0xFA, 0xE0, 0x91, 0x9B, 0x6F, 0xF4, 0xC4, - 0xA1, 0x54, 0xB1, 0x13, 0x80, 
0x6E, 0xFB, 0x70, - 0x4C, 0x7F, 0x4F, 0x58, 0x39, 0xFA, 0x5B, 0x3D, - 0x60, 0x63, 0xDF, 0xEF, 0x90, 0xB3, 0x9B, 0x9A, - 0xEE, 0x8E, 0x34, 0xFB, 0x8B, 0x75, 0x5F, 0xC7, - 0xE4, 0xDB, 0x7C, 0x63, 0x84, 0xE4, 0x6C, 0xC7, - 0xD8, 0xC8, 0xA9, 0xA4, 0x42, 0x64, 0x93, 0x65, - 0x17, 0x58, 0xC2, 0x51, 0x3E, 0x8E, 0x2A, 0x68, - 0x37, 0xC6, 0x59, 0x75, 0x68, 0xD4, 0x16, 0x6A, - 0x17, 0x87, 0xC0, 0xA8, 0x9A, 0x1F, 0x07, 0xCF, - 0x43, 0x58, 0xF4, 0xEA, 0xFE, 0xFB, 0xB2, 0x3F, - 0x7E, 0xC0, 0xF4, 0x83, 0x67, 0x85, 0x30, 0xF2, - 0xE1, 0x60, 0x37, 0x39, 0x45, 0x2A, 0x21, 0x51, - 0x0C, 0x4F, 0xFB, 0x0C, 0x0A, 0xFA, 0x7D, 0xD9, - 0xB4, 0x72, 0x86, 0x9C, 0x0D, 0x2A, 0x25, 0x0E, - 0xBB, 0x45, 0xEC, 0x5D, 0xFB, 0x7A, 0xAA, 0x67, - 0x49, 0x4F, 0x36, 0xAB, 0xDE, 0x4B, 0x57, 0x35, - 0xF3 +#ifndef WOLFSSL_ASN_TEMPLATE + 0x30, 0x82, 0x04, 0xfd, 0x30, 0x82, 0x03, 0xe5, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x09, 0x00, 0xf1, 0x5c, 0x99, 0x43, 0x66, 0x3d, 0x96, 0x04, + 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, + 0x0b, 0x05, 0x00, 0x30, 0x81, 0x94, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, + 0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, + 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, + 0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x11, 0x30, 0x0f, 0x06, + 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x53, 0x61, 0x77, 0x74, 0x6f, 0x6f, + 0x74, 0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, + 0x0a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x74, 0x69, 0x6e, 0x67, 0x31, + 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x77, + 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, + 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, + 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, + 0x17, 
0x0d, 0x30, 0x30, 0x30, 0x32, 0x31, 0x35, 0x32, 0x30, 0x33, 0x30, + 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x30, 0x31, 0x30, 0x32, 0x31, 0x34, 0x32, + 0x30, 0x33, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x81, 0x9e, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, + 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, + 0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, + 0x07, 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x15, + 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0c, 0x77, 0x6f, 0x6c, + 0x66, 0x53, 0x53, 0x4c, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x31, 0x19, 0x30, + 0x17, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x10, 0x50, 0x72, 0x6f, 0x67, + 0x72, 0x61, 0x6d, 0x6d, 0x69, 0x6e, 0x67, 0x2d, 0x32, 0x30, 0x34, 0x38, + 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, + 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, + 0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, + 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, + 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, + 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc3, 0x03, 0xd1, 0x2b, + 0xfe, 0x39, 0xa4, 0x32, 0x45, 0x3b, 0x53, 0xc8, 0x84, 0x2b, 0x2a, 0x7c, + 0x74, 0x9a, 0xbd, 0xaa, 0x2a, 0x52, 0x07, 0x47, 0xd6, 0xa6, 0x36, 0xb2, + 0x07, 0x32, 0x8e, 0xd0, 0xba, 0x69, 0x7b, 0xc6, 0xc3, 0x44, 0x9e, 0xd4, + 0x81, 0x48, 0xfd, 0x2d, 0x68, 0xa2, 0x8b, 0x67, 0xbb, 0xa1, 0x75, 0xc8, + 0x36, 0x2c, 0x4a, 0xd2, 0x1b, 0xf7, 0x8b, 0xba, 0xcf, 0x0d, 0xf9, 0xef, + 0xec, 0xf1, 0x81, 0x1e, 0x7b, 0x9b, 0x03, 0x47, 0x9a, 0xbf, 0x65, 0xcc, + 0x7f, 0x65, 0x24, 0x69, 0xa6, 0xe8, 0x14, 0x89, 0x5b, 0xe4, 0x34, 0xf7, + 0xc5, 0xb0, 0x14, 0x93, 0xf5, 0x67, 0x7b, 0x3a, 0x7a, 0x78, 0xe1, 0x01, + 0x56, 
0x56, 0x91, 0xa6, 0x13, 0x42, 0x8d, 0xd2, 0x3c, 0x40, 0x9c, 0x4c, + 0xef, 0xd1, 0x86, 0xdf, 0x37, 0x51, 0x1b, 0x0c, 0xa1, 0x3b, 0xf5, 0xf1, + 0xa3, 0x4a, 0x35, 0xe4, 0xe1, 0xce, 0x96, 0xdf, 0x1b, 0x7e, 0xbf, 0x4e, + 0x97, 0xd0, 0x10, 0xe8, 0xa8, 0x08, 0x30, 0x81, 0xaf, 0x20, 0x0b, 0x43, + 0x14, 0xc5, 0x74, 0x67, 0xb4, 0x32, 0x82, 0x6f, 0x8d, 0x86, 0xc2, 0x88, + 0x40, 0x99, 0x36, 0x83, 0xba, 0x1e, 0x40, 0x72, 0x22, 0x17, 0xd7, 0x52, + 0x65, 0x24, 0x73, 0xb0, 0xce, 0xef, 0x19, 0xcd, 0xae, 0xff, 0x78, 0x6c, + 0x7b, 0xc0, 0x12, 0x03, 0xd4, 0x4e, 0x72, 0x0d, 0x50, 0x6d, 0x3b, 0xa3, + 0x3b, 0xa3, 0x99, 0x5e, 0x9d, 0xc8, 0xd9, 0x0c, 0x85, 0xb3, 0xd9, 0x8a, + 0xd9, 0x54, 0x26, 0xdb, 0x6d, 0xfa, 0xac, 0xbb, 0xff, 0x25, 0x4c, 0xc4, + 0xd1, 0x79, 0xf4, 0x71, 0xd3, 0x86, 0x40, 0x18, 0x13, 0xb0, 0x63, 0xb5, + 0x72, 0x4e, 0x30, 0xc4, 0x97, 0x84, 0x86, 0x2d, 0x56, 0x2f, 0xd7, 0x15, + 0xf7, 0x7f, 0xc0, 0xae, 0xf5, 0xfc, 0x5b, 0xe5, 0xfb, 0xa1, 0xba, 0xd3, + 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x44, 0x30, 0x82, 0x01, + 0x40, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, + 0x01, 0x01, 0xff, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x15, + 0x30, 0x13, 0x82, 0x0b, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, + 0x63, 0x6f, 0x6d, 0x87, 0x04, 0x7f, 0x00, 0x00, 0x01, 0x30, 0x1d, 0x06, + 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x33, 0xd8, 0x45, 0x66, + 0xd7, 0x68, 0x87, 0x18, 0x7e, 0x54, 0x0d, 0x70, 0x27, 0x91, 0xc7, 0x26, + 0xd7, 0x85, 0x65, 0xc0, 0x30, 0x81, 0xd3, 0x06, 0x03, 0x55, 0x1d, 0x23, + 0x04, 0x81, 0xcb, 0x30, 0x81, 0xc8, 0x80, 0x14, 0x33, 0xd8, 0x45, 0x66, + 0xd7, 0x68, 0x87, 0x18, 0x7e, 0x54, 0x0d, 0x70, 0x27, 0x91, 0xc7, 0x26, + 0xd7, 0x85, 0x65, 0xc0, 0xa1, 0x81, 0xa4, 0xa4, 0x81, 0xa1, 0x30, 0x81, + 0x9e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, + 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, + 0x06, 
0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d, + 0x61, 0x6e, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, + 0x0c, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x5f, 0x32, 0x30, 0x34, + 0x38, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x10, + 0x50, 0x72, 0x6f, 0x67, 0x72, 0x61, 0x6d, 0x6d, 0x69, 0x6e, 0x67, 0x2d, + 0x32, 0x30, 0x34, 0x38, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, + 0x03, 0x0c, 0x0f, 0x77, 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, + 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, + 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, + 0x63, 0x6f, 0x6d, 0x82, 0x09, 0x00, 0xf1, 0x5c, 0x99, 0x43, 0x66, 0x3d, + 0x96, 0x04, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, + 0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, + 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x0d, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, + 0x03, 0x82, 0x01, 0x01, 0x00, 0x59, 0x2e, 0xd1, 0xec, 0xbc, 0x99, 0xfe, + 0x50, 0x38, 0x47, 0x47, 0x88, 0x51, 0xcf, 0xe4, 0x88, 0x76, 0xdf, 0x89, + 0x8f, 0xea, 0x91, 0xbc, 0xd6, 0xc6, 0x91, 0xc9, 0xcc, 0x33, 0x77, 0x5d, + 0xdd, 0x4b, 0xc9, 0xf6, 0x10, 0x54, 0xe2, 0x04, 0x89, 0x51, 0xdb, 0xe1, + 0x00, 0x0c, 0x61, 0x03, 0x26, 0x86, 0x35, 0xac, 0x96, 0x23, 0x9d, 0xef, + 0xd9, 0x95, 0xe4, 0xb4, 0x83, 0x9e, 0x0f, 0x47, 0x30, 0x08, 0x96, 0x28, + 0x7f, 0x2d, 0xe3, 0x23, 0x30, 0x3b, 0xb0, 0x46, 0xe8, 0x21, 0x78, 0xb4, + 0xc0, 0xbc, 0x9f, 0x60, 0x02, 0xd4, 0x16, 0x2d, 0xe5, 0x5a, 0x00, 0x65, + 0x15, 0x95, 0x81, 0x93, 0x80, 0x06, 0x3e, 0xf7, 0xdf, 0x0c, 0x2b, 0x3f, + 0x14, 0xfc, 0xc3, 0x79, 0xfd, 0x59, 0x5c, 0xa7, 0xc3, 0xe0, 0xa8, 0xd4, + 0x53, 0x4f, 0x13, 0x0a, 0xa3, 0xfe, 0x1d, 0x63, 0x4e, 0x84, 0xb2, 0x98, + 0x19, 0x06, 0xe0, 0x60, 0x3a, 0xc9, 0x49, 0x73, 0x00, 0xe3, 0x72, 0x2f, + 0x68, 
0x27, 0x9f, 0x14, 0x18, 0xb7, 0x57, 0xb9, 0x1d, 0xa8, 0xb3, 0x05, + 0x6c, 0xf5, 0x4b, 0x0e, 0xac, 0x26, 0x7a, 0xfe, 0xc1, 0xab, 0x1f, 0x27, + 0xf1, 0x1e, 0x21, 0x33, 0x31, 0xb6, 0x43, 0xb0, 0xf8, 0x74, 0x69, 0x6a, + 0xb1, 0x9b, 0xcb, 0xe4, 0xd3, 0xa2, 0x8e, 0x8a, 0x55, 0xef, 0x81, 0xf3, + 0x4a, 0x44, 0x90, 0x4d, 0x08, 0xb8, 0x31, 0x90, 0x1a, 0x82, 0x52, 0x56, + 0xeb, 0xf0, 0x50, 0x5b, 0x9f, 0x87, 0x98, 0x54, 0xfe, 0x6a, 0x60, 0x41, + 0x16, 0xdb, 0xdc, 0xff, 0x89, 0x4c, 0x98, 0x00, 0xb1, 0x87, 0x6c, 0xe7, + 0xec, 0xba, 0x3b, 0xa4, 0xfe, 0xa1, 0xfd, 0x26, 0x19, 0x7c, 0x2d, 0x14, + 0x91, 0x91, 0x61, 0x30, 0x3e, 0xf4, 0x5c, 0x97, 0x4c, 0x06, 0x84, 0xab, + 0x94, 0xa8, 0x17, 0x6c, 0xec, 0x19, 0xc0, 0x87, 0xd0 +#else + 0x30, 0x82, 0x04, 0x46, 0x30, 0x82, 0x03, 0x2e, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x09, 0x00, 0xf1, 0x5c, 0x99, 0x43, 0x66, 0x3d, 0x96, 0x04, + 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, + 0x0b, 0x05, 0x00, 0x30, 0x81, 0x94, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, + 0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, + 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, + 0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x11, 0x30, 0x0f, 0x06, + 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x53, 0x61, 0x77, 0x74, 0x6f, 0x6f, + 0x74, 0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, + 0x0a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x74, 0x69, 0x6e, 0x67, 0x31, + 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x77, + 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, + 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, + 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, + 0x17, 0x0d, 0x30, 0x30, 0x30, 0x32, 0x31, 0x35, 0x32, 0x30, 0x33, 0x30, + 0x30, 0x30, 0x5a, 
0x17, 0x0d, 0x30, 0x31, 0x30, 0x32, 0x31, 0x34, 0x32, + 0x30, 0x33, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x81, 0x9e, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, + 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, + 0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, + 0x07, 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x15, + 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0c, 0x77, 0x6f, 0x6c, + 0x66, 0x53, 0x53, 0x4c, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x31, 0x19, 0x30, + 0x17, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x10, 0x50, 0x72, 0x6f, 0x67, + 0x72, 0x61, 0x6d, 0x6d, 0x69, 0x6e, 0x67, 0x2d, 0x32, 0x30, 0x34, 0x38, + 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, + 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, + 0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, + 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, + 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, + 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc3, 0x03, 0xd1, 0x2b, + 0xfe, 0x39, 0xa4, 0x32, 0x45, 0x3b, 0x53, 0xc8, 0x84, 0x2b, 0x2a, 0x7c, + 0x74, 0x9a, 0xbd, 0xaa, 0x2a, 0x52, 0x07, 0x47, 0xd6, 0xa6, 0x36, 0xb2, + 0x07, 0x32, 0x8e, 0xd0, 0xba, 0x69, 0x7b, 0xc6, 0xc3, 0x44, 0x9e, 0xd4, + 0x81, 0x48, 0xfd, 0x2d, 0x68, 0xa2, 0x8b, 0x67, 0xbb, 0xa1, 0x75, 0xc8, + 0x36, 0x2c, 0x4a, 0xd2, 0x1b, 0xf7, 0x8b, 0xba, 0xcf, 0x0d, 0xf9, 0xef, + 0xec, 0xf1, 0x81, 0x1e, 0x7b, 0x9b, 0x03, 0x47, 0x9a, 0xbf, 0x65, 0xcc, + 0x7f, 0x65, 0x24, 0x69, 0xa6, 0xe8, 0x14, 0x89, 0x5b, 0xe4, 0x34, 0xf7, + 0xc5, 0xb0, 0x14, 0x93, 0xf5, 0x67, 0x7b, 0x3a, 0x7a, 0x78, 0xe1, 0x01, + 0x56, 0x56, 0x91, 0xa6, 0x13, 0x42, 0x8d, 0xd2, 0x3c, 0x40, 0x9c, 0x4c, + 0xef, 0xd1, 0x86, 
0xdf, 0x37, 0x51, 0x1b, 0x0c, 0xa1, 0x3b, 0xf5, 0xf1, + 0xa3, 0x4a, 0x35, 0xe4, 0xe1, 0xce, 0x96, 0xdf, 0x1b, 0x7e, 0xbf, 0x4e, + 0x97, 0xd0, 0x10, 0xe8, 0xa8, 0x08, 0x30, 0x81, 0xaf, 0x20, 0x0b, 0x43, + 0x14, 0xc5, 0x74, 0x67, 0xb4, 0x32, 0x82, 0x6f, 0x8d, 0x86, 0xc2, 0x88, + 0x40, 0x99, 0x36, 0x83, 0xba, 0x1e, 0x40, 0x72, 0x22, 0x17, 0xd7, 0x52, + 0x65, 0x24, 0x73, 0xb0, 0xce, 0xef, 0x19, 0xcd, 0xae, 0xff, 0x78, 0x6c, + 0x7b, 0xc0, 0x12, 0x03, 0xd4, 0x4e, 0x72, 0x0d, 0x50, 0x6d, 0x3b, 0xa3, + 0x3b, 0xa3, 0x99, 0x5e, 0x9d, 0xc8, 0xd9, 0x0c, 0x85, 0xb3, 0xd9, 0x8a, + 0xd9, 0x54, 0x26, 0xdb, 0x6d, 0xfa, 0xac, 0xbb, 0xff, 0x25, 0x4c, 0xc4, + 0xd1, 0x79, 0xf4, 0x71, 0xd3, 0x86, 0x40, 0x18, 0x13, 0xb0, 0x63, 0xb5, + 0x72, 0x4e, 0x30, 0xc4, 0x97, 0x84, 0x86, 0x2d, 0x56, 0x2f, 0xd7, 0x15, + 0xf7, 0x7f, 0xc0, 0xae, 0xf5, 0xfc, 0x5b, 0xe5, 0xfb, 0xa1, 0xba, 0xd3, + 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x81, 0x8e, 0x30, 0x81, 0x8b, 0x30, + 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, + 0xff, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x15, 0x30, 0x13, + 0x87, 0x04, 0x7f, 0x00, 0x00, 0x01, 0x82, 0x0b, 0x65, 0x78, 0x61, 0x6d, + 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1d, 0x06, 0x03, 0x55, + 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x33, 0xd8, 0x45, 0x66, 0xd7, 0x68, + 0x87, 0x18, 0x7e, 0x54, 0x0d, 0x70, 0x27, 0x91, 0xc7, 0x26, 0xd7, 0x85, + 0x65, 0xc0, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, + 0x16, 0x80, 0x14, 0x33, 0xd8, 0x45, 0x66, 0xd7, 0x68, 0x87, 0x18, 0x7e, + 0x54, 0x0d, 0x70, 0x27, 0x91, 0xc7, 0x26, 0xd7, 0x85, 0x65, 0xc0, 0x30, + 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08, + 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, + 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, + 0x01, 0x00, 0x74, 0x83, 0x39, 0xc0, 0x03, 0x76, 0xfa, 0xdd, 0x8b, 0x00, + 0xfa, 0xaa, 0x5b, 
0xdb, 0x56, 0xef, 0x2c, 0x26, 0x9a, 0xc2, 0x07, 0xdb, + 0xfd, 0x10, 0xd0, 0x55, 0xb9, 0xe2, 0x9e, 0xe7, 0x34, 0x26, 0x8b, 0xd2, + 0x62, 0x49, 0x86, 0x93, 0x8c, 0x6c, 0x41, 0x02, 0xdf, 0x7e, 0x99, 0xf7, + 0x7e, 0x1f, 0xda, 0x08, 0xad, 0x4d, 0x91, 0xdf, 0x11, 0x39, 0x6d, 0x90, + 0xf5, 0xfe, 0x91, 0xee, 0xc7, 0x44, 0xd2, 0x0f, 0xd1, 0x2d, 0xe2, 0xb8, + 0xf2, 0x89, 0x50, 0x9f, 0x55, 0xf3, 0x44, 0x44, 0x07, 0xd9, 0xd9, 0x71, + 0x68, 0xe6, 0xd6, 0xa8, 0x09, 0x01, 0xe6, 0x03, 0xd4, 0x5a, 0x57, 0xf3, + 0x8a, 0xab, 0x53, 0xe7, 0x71, 0x03, 0x65, 0xe3, 0x20, 0x57, 0xaf, 0x2a, + 0xbb, 0xc0, 0x1f, 0xe3, 0x2a, 0xcf, 0xbd, 0x39, 0x26, 0x4d, 0x58, 0x18, + 0x8c, 0x98, 0x22, 0x42, 0xf0, 0xaa, 0x20, 0x8f, 0xa2, 0x4c, 0x81, 0x8b, + 0xe1, 0x4a, 0xa4, 0xb1, 0x4e, 0x22, 0x8f, 0x09, 0xd9, 0x4c, 0x9d, 0x35, + 0xc7, 0x92, 0xc7, 0x77, 0xaf, 0x42, 0x0b, 0x38, 0x2c, 0xeb, 0xb8, 0xd4, + 0x67, 0xa6, 0xd4, 0x70, 0x79, 0x0f, 0x9a, 0xf9, 0xad, 0xd4, 0x7b, 0x21, + 0x25, 0xb5, 0xa6, 0xa1, 0x7b, 0xf5, 0xb4, 0x1d, 0x06, 0x9a, 0xad, 0xeb, + 0xc5, 0xe4, 0x39, 0xd6, 0xea, 0xd9, 0x15, 0xbf, 0x49, 0x32, 0x97, 0xe5, + 0x52, 0x52, 0x11, 0x7e, 0x2b, 0x32, 0x07, 0x44, 0x81, 0x37, 0x2e, 0xd4, + 0xa4, 0x1e, 0x32, 0xbf, 0x2f, 0xbd, 0xac, 0xcc, 0xb3, 0x77, 0x82, 0xae, + 0xbb, 0xf0, 0x37, 0xc0, 0x10, 0x4b, 0x64, 0xcf, 0x8e, 0xd7, 0x25, 0x59, + 0xf8, 0xaa, 0x83, 0xad, 0xeb, 0x7d, 0x00, 0x8b, 0x3e, 0xb8, 0x91, 0x3c, + 0x6c, 0x4c, 0x35, 0x53, 0x36, 0xa4, 0x02, 0xb8, 0xbe, 0x2d, 0x34, 0xb4, + 0x26, 0x03, 0x6b, 0x92, 0x2e, 0xd6 +#endif }; printf(testingFmt, "wolfSSL_X509_sign2"); 
@@ -37526,6 +37597,79 @@ static void test_wolfSSL_i2t_ASN1_OBJECT(void) #endif /* OPENSSL_EXTRA && WOLFSSL_CERT_EXT && WOLFSSL_CERT_GEN */ } +static void test_wolfSSL_PEM_write_bio_X509(void) +{ +#if defined(OPENSSL_EXTRA) && \ + defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN) + /* This test contains the hard coded expected + * lengths. Update if necessary */ + + BIO* input; + BIO* output; + X509* x509 = NULL; + + printf(testingFmt, "wolfSSL_PEM_write_bio_X509()"); + + AssertNotNull(input = BIO_new_file( + "certs/test/cert-ext-multiple.pem", "rb")); + AssertIntEQ(wolfSSL_BIO_get_len(input), 2004); + + AssertNotNull(output = BIO_new(wolfSSL_BIO_s_mem())); + + AssertNotNull(PEM_read_bio_X509(input, &x509, NULL, NULL)); + + AssertIntEQ(PEM_write_bio_X509(output, x509), WOLFSSL_SUCCESS); + +#ifndef WOLFSSL_ASN_TEMPLATE + /* WOLFSSL_ASN_TEMPLATE doesn't support writing the full AKID */ + /* Check that we generate the same output as was the input. */ + AssertIntEQ(wolfSSL_BIO_get_len(output), +#ifdef WOLFSSL_ALT_NAMES + /* Here we copy the validity struct from the original */ + 2004 +#else + /* Only difference is that we generate the validity in generalized + * time. 
Generating UTCTime vs Generalized time should be fixed in + * the future */ + 2009 +#endif + ); + + /* Reset output buffer */ + BIO_free(output); + AssertNotNull(output = BIO_new(wolfSSL_BIO_s_mem())); + + /* Test forcing the AKID to be generated just from KeyIdentifier */ + if (x509->authKeyIdSrc != NULL) { + XMEMMOVE(x509->authKeyIdSrc, x509->authKeyId, x509->authKeyIdSz); + x509->authKeyId = x509->authKeyIdSrc; + x509->authKeyIdSrc = NULL; + x509->authKeyIdSrcSz = 0; + } + + AssertIntEQ(PEM_write_bio_X509(output, x509), WOLFSSL_SUCCESS); +#endif + + /* Check that we generate a smaller output since the AKID will + * only contain the KeyIdentifier without any additional + * information */ + AssertIntEQ(wolfSSL_BIO_get_len(output), +#ifdef WOLFSSL_ALT_NAMES + /* Here we copy the validity struct from the original */ + 1692 +#else + /* UTCTime vs Generalized time */ + 1696 +#endif + ); + + BIO_free(input); + BIO_free(output); + + printf(resultFmt, passed); +#endif +} + static void test_wolfSSL_X509_NAME_ENTRY(void) { #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \ @@ -51454,6 +51598,7 @@ void ApiTest(void) test_wolfSSL_OBJ_txt2nid(); test_wolfSSL_OBJ_txt2obj(); test_wolfSSL_i2t_ASN1_OBJECT(); + test_wolfSSL_PEM_write_bio_X509(); test_wolfSSL_X509_NAME_ENTRY(); test_wolfSSL_X509_set_name(); test_wolfSSL_X509_set_notAfter(); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 6ffca63ac..850bbf83a 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -3239,7 +3239,7 @@ word32 SetBitString(word32 len, byte unusedBits, byte* output) idx += ASN_TAG_SZ; /* Encode length - passing NULL for output will not encode. - * Add one to length for unsued bits. */ + * Add one to length for unused bits. */ idx += SetLength(len + 1, output ? output + idx : NULL); if (output) { /* Write out unused bits. */ 
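Review bot: The certificate read into `x509` by `PEM_read_bio_X509` is never released — the cleanup at the end frees `input` and `output` but not the X509, so the new test leaks it on every run; add `X509_free(x509);` beside the two `BIO_free` calls. The non-template branch also rewrites `x509->authKeyId`/`authKeyIdSrc` by hand, which is only safe if the X509 free path releases whichever of the two pointers is non-NULL (the ssl.c side of this commit is not in view); a one-line comment stating that assumption, e.g. `/* authKeyId now owns the buffer; authKeyIdSrc must be NULL so it is not freed twice */`, would keep the test from silently turning into a double free or leak if the ownership rule changes. The hard-coded lengths are acknowledged as brittle in the header comment; naming the file they were measured from (`cert-ext-multiple.pem`) next to each expected value would make updating them less error-prone.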
@@ -10113,8 +10113,6 @@ static int GetHashId(const byte* id, int length, byte* hash) #endif /* !NO_CERTS */ #ifdef WOLFSSL_ASN_TEMPLATE -/* Id for street address - not used. */ -#define ASN_STREET 9 /* Id for email address. */ #define ASN_EMAIL 0x100 /* Id for user id. */ @@ -10146,6 +10144,10 @@ static int GetHashId(const byte* id, int length, byte* hash) #define GetCertNameSubjectNID(id) \ (certNameSubject[(id) - 3].nid) +#define ValidCertNameSubject(id) \ + ((id - 3) >= 0 && (id - 3) < certNameSubjectSz && \ + (certNameSubject[(id) - 3].strLen > 0)) + /* Mapping of certificate name component to useful information. */ typedef struct CertNameData { /* Type string of name component. */ @@ -10240,16 +10242,16 @@ static const CertNameData certNameSubject[] = { NID_stateOrProvinceName #endif }, - /* Undefined - Street */ + /* Street Address */ { - NULL, 0, + "/street=", 8, #ifdef WOLFSSL_CERT_GEN - 0, - 0, - 0, + OFFSETOF(DecodedCert, subjectStreet), + OFFSETOF(DecodedCert, subjectStreetLen), + OFFSETOF(DecodedCert, subjectStreetEnc), #endif #ifdef WOLFSSL_X509_NAME_AVAILABLE - 0, + NID_streetAddress #endif }, /* Organization Name */ @@ -10328,10 +10330,43 @@ static const CertNameData certNameSubject[] = { #endif #ifdef WOLFSSL_X509_NAME_AVAILABLE NID_businessCategory +#endif + }, + /* Undefined */ + { + NULL, 0, +#ifdef WOLFSSL_CERT_GEN + 0, + 0, + 0, +#endif +#ifdef WOLFSSL_X509_NAME_AVAILABLE + 0, +#endif + }, + /* Postal Code */ + { + "/postalCode=", 12, +#ifdef WOLFSSL_CERT_GEN +#ifdef WOLFSSL_CERT_EXT + OFFSETOF(DecodedCert, subjectPC), + OFFSETOF(DecodedCert, subjectPCLen), + OFFSETOF(DecodedCert, subjectPCEnc), +#else + 0, + 0, + 0, +#endif +#endif +#ifdef WOLFSSL_X509_NAME_AVAILABLE + NID_postalCode #endif }, }; +static const int certNameSubjectSz = + sizeof(certNameSubject) / sizeof(CertNameData); + /* Full email OID. */ static const byte emailOid[] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01 
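Review bot: `ValidCertNameSubject(id)` in hunk @@ -10146 uses the macro argument unparenthesized in `(id - 3)` twice while the third term writes `(id) - 3`; make it `((id) - 3)` throughout so an expression argument cannot change precedence. In this table hunk the Postal Code entry keeps its non-empty type string but all-zero `DecodedCert` offsets when `WOLFSSL_CERT_GEN` is defined without `WOLFSSL_CERT_EXT`, so `ValidCertNameSubject()` still admits id 17 for that build; whether the code that applies those offsets to the `DecodedCert` treats 0 as "not stored" is outside the hunk, and if it does not, the field at offset 0 gets overwritten. Either guard the whole entry with `WOLFSSL_CERT_EXT` (as the street entry is unconditional, this should be deliberate) or have the consumer skip zero offsets, and say which in a comment on the entry.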
@@ -10527,8 +10562,7 @@ static int GetRDN(DecodedCert* cert, char* full, word32* idx, int* nid, if ((oidSz == 3) && (oid[0] == 0x55) && (oid[1] == 0x04)) { id = oid[2]; /* Check range of supported ids in table. */ - if (((id >= ASN_COMMON_NAME) && (id <= ASN_ORGUNIT_NAME) && - (id != ASN_STREET)) || (id == ASN_BUS_CAT)) { + if (ValidCertNameSubject(id)) { /* Get the type string, length and NID from table. */ typeStr = GetCertNameSubjectStr(id); typeStrLen = GetCertNameSubjectStrLen(id); @@ -10593,6 +10627,9 @@ static int GetRDN(DecodedCert* cert, char* full, word32* idx, int* nid, WOLFSSL_MSG("Unknown Jurisdiction, skipping"); } } + else { + ret = 0; + } if ((ret == 0) && (typeStr != NULL)) { /* OID type to store for subject name and add to full string. */ @@ -10838,6 +10875,22 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType, nid = NID_stateOrProvinceName; #endif /* OPENSSL_EXTRA */ } + else if (id == ASN_STREET_ADDR) { + copy = WOLFSSL_STREET_ADDR_NAME; + copyLen = sizeof(WOLFSSL_STREET_ADDR_NAME) - 1; + #ifdef WOLFSSL_CERT_GEN + if (nameType == SUBJECT) { + cert->subjectStreet = (char*)&input[srcIdx]; + cert->subjectStreetLen = strLen; + cert->subjectStreetEnc = b; + } + #endif /* WOLFSSL_CERT_GEN */ + #if (defined(OPENSSL_EXTRA) || \ + defined(OPENSSL_EXTRA_X509_SMALL)) \ + && !defined(WOLFCRYPT_ONLY) + nid = NID_streetAddress; + #endif /* OPENSSL_EXTRA */ + } else if (id == ASN_ORG_NAME) { copy = WOLFSSL_ORG_NAME; copyLen = sizeof(WOLFSSL_ORG_NAME) - 1; 
@@ -10903,6 +10956,22 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType, #endif /* OPENSSL_EXTRA */ } #endif /* WOLFSSL_CERT_EXT */ + else if (id == ASN_POSTAL_CODE) { + copy = WOLFSSL_POSTAL_NAME; + copyLen = sizeof(WOLFSSL_POSTAL_NAME) - 1; + #ifdef WOLFSSL_CERT_GEN + if (nameType == SUBJECT) { + cert->subjectPC = (char*)&input[srcIdx]; + cert->subjectPCLen = strLen; + cert->subjectPCEnc = b; + } + #endif /* WOLFSSL_CERT_GEN */ + #if (defined(OPENSSL_EXTRA) || \ + defined(OPENSSL_EXTRA_X509_SMALL)) \ + && !defined(WOLFCRYPT_ONLY) + nid = NID_postalCode; + #endif /* OPENSSL_EXTRA */ + } } #ifdef WOLFSSL_CERT_EXT else if ((srcIdx + ASN_JOI_PREFIX_SZ + 2 <= (word32)maxIdx) && @@ -14533,6 +14602,9 @@ static int DecodeCrlDist(const byte* input, int sz, DecodedCert* cert) WOLFSSL_ENTER("DecodeCrlDist"); + cert->extCrlInfoRaw = input; + cert->extCrlInfoRawSz = sz; + /* Unwrap the list of Distribution Points*/ if (GetSequence(input, &idx, &length, sz) < 0) return ASN_PARSE_E; @@ -14625,6 +14697,9 @@ static int DecodeCrlDist(const byte* input, int sz, DecodedCert* cert) CALLOC_ASNGETDATA(dataASN, crlDistASN_Length, ret, cert->heap); + cert->extCrlInfoRaw = input; + cert->extCrlInfoRawSz = sz; + if (ret == 0) { /* Get the GeneralName choice */ GetASN_Choice(&dataASN[4], generalNameChoice); @@ -14869,6 +14944,8 @@ static int DecodeAuthKeyId(const byte* input, int sz, DecodedCert* cert) } #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) + cert->extRawAuthKeyIdSrc = input; + cert->extRawAuthKeyIdSz = sz; cert->extAuthKeyIdSrc = &input[idx]; cert->extAuthKeyIdSz = length; #endif /* OPENSSL_EXTRA */ 
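Review bot: The postal-code branch is placed after `#endif /* WOLFSSL_CERT_EXT */` and writes `cert->subjectPC`, `subjectPCLen` and `subjectPCEnc` under `WOLFSSL_CERT_GEN` alone, whereas the template table in hunk @@ -10328 only provides those offsets under `WOLFSSL_CERT_EXT`; if the `subjectPC*` members of `DecodedCert` are declared under `WOLFSSL_CERT_EXT` (the header is not in this chunk), a `WOLFSSL_CERT_GEN` build without `WOLFSSL_CERT_EXT` fails to compile here. Either change the guard around the three assignments to `#if defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_EXT)` or make the template table entry unconditional, so both parsers agree. The raw pointers stored in hunks @@ -14533, @@ -14625 and @@ -14869 (`extCrlInfoRaw`, `extRawAuthKeyIdSrc`) alias the DER input like the existing `extAuthKeyIdSrc`; a short comment such as `/* points into the certificate DER; valid only while the input buffer lives */` at the first of them would document the lifetime. GetCertName starts and ends outside this hunk.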
@@ -14895,7 +14972,9 @@ static int DecodeAuthKeyId(const byte* input, int sz, DecodedCert* cert) } else { #ifdef OPENSSL_EXTRA - /* Store the autority key id. */ + /* Store the authority key id. */ + cert->extRawAuthKeyIdSrc = input; + cert->extRawAuthKeyIdSz = sz; GetASN_GetConstRef(&dataASN[1], &cert->extAuthKeyIdSrc, &cert->extAuthKeyIdSz); #endif /* OPENSSL_EXTRA */ @@ -15163,6 +15242,58 @@ static int DecodeExtKeyUsage(const byte* input, int sz, DecodedCert* cert) #endif /* WOLFSSL_ASN_TEMPLATE */ } +#ifndef IGNORE_NETSCAPE_CERT_TYPE + +#ifdef WOLFSSL_ASN_TEMPLATE +/* ASN.1 template for Netscape Certificate Type + * https://docs.oracle.com/cd/E19957-01/816-5533-10/ext.htm#1033183 + */ +static const ASNItem nsCertTypeASN[] = { +/* 0 */ { 0, ASN_BIT_STRING, 0, 0, 0 }, +}; + +/* Number of items in ASN.1 template for nsCertType. */ +#define nsCertTypeASN_Length (sizeof(nsCertTypeASN) / sizeof(ASNItem)) +#endif + +static int DecodeNsCertType(const byte* input, int sz, DecodedCert* cert) +{ +#ifndef WOLFSSL_ASN_TEMPLATE + word32 idx = 0; + int len = 0; + + WOLFSSL_ENTER("DecodeNsCertType"); + if (CheckBitString(input, &idx, &len, (word32)sz, 0, NULL) < 0) { + return ASN_PARSE_E; + } + + /* Don't need to worry about unused bits as CheckBitString makes sure + * they're zero. */ + cert->nsCertType = input[idx]; + + return 0; +#else + DECL_ASNGETDATA(dataASN, nsCertTypeASN_Length); + int ret = 0; + word32 idx = 0; + + WOLFSSL_ENTER("DecodeNsCertType"); + (void)cert; + + CALLOC_ASNGETDATA(dataASN, nsCertTypeASN_Length, ret, cert->heap); + + if (ret == 0) + ret = GetASN_Items(nsCertTypeASN, dataASN, nsCertTypeASN_Length, 1, + input, &idx, sz); + if (ret == 0) + cert->nsCertType = dataASN[0].data.buffer.data[0]; + + FREE_ASNGETDATA(dataASN, cert->heap); + return ret; +#endif +} +#endif + #ifndef IGNORE_NAME_CONSTRAINTS #ifdef WOLFSSL_ASN_TEMPLATE 
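Review bot: `cert->nsCertType = input[idx];` in DecodeNsCertType reads a byte without checking that the BIT STRING has any content: `len` from `CheckBitString` is never examined, and for a BIT STRING whose only octet is the unused-bits count it can be 0, so a malformed extension in an untrusted certificate makes the parser read at `input[sz]`, one past the extension value. Add `if (len < 1) return ASN_PARSE_E;` before the read; the template branch has the same shape with `dataASN[0].data.buffer.data[0]` and, assuming `GetASN_Items` reports the content length in `dataASN[0].data.buffer.length`, should reject a length below 1 the same way. The `(void)cert;` line is redundant since `cert->heap` is dereferenced two statements later. The comment that CheckBitString "makes sure they're zero" only holds for the unused bits it validates; it does not bound the content length, which is the check missing here.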
@@ -15976,11 +16107,8 @@ static int DecodeExtensionType(const byte* input, int length, word32 oid, #ifndef IGNORE_NETSCAPE_CERT_TYPE /* Netscape's certificate type. */ case NETSCAPE_CT_OID: - WOLFSSL_MSG("Netscape certificate type extension not supported " - "yet."); - if (CheckBitString(input, &idx, &length, length, 0, NULL) < 0) { + if (DecodeNsCertType(input, length, cert) < 0) ret = ASN_PARSE_E; - } break; #endif #ifdef HAVE_OCSP @@ -19927,10 +20055,14 @@ typedef struct DerCert { byte extensions[MAX_EXTENSIONS_SZ]; /* all extensions */ #ifdef WOLFSSL_CERT_EXT byte skid[MAX_KID_SZ]; /* Subject Key Identifier extension */ - byte akid[MAX_KID_SZ]; /* Authority Key Identifier extension */ + byte akid[MAX_KID_SZ + sizeof(CertName)]; /* Authority Key Identifier extension */ byte keyUsage[MAX_KEYUSAGE_SZ]; /* Key Usage extension */ byte extKeyUsage[MAX_EXTKEYUSAGE_SZ]; /* Extended Key Usage extension */ +#ifndef IGNORE_NETSCAPE_CERT_TYPE + byte nsCertType[MAX_NSCERTTYPE_SZ]; /* Extended Key Usage extension */ +#endif byte certPolicies[MAX_CERTPOL_NB*MAX_CERTPOL_SZ]; /* Certificate Policies */ + byte crlInfo[CTC_MAX_CRLINFO_SZ]; /* CRL Distribution Points */ #endif #ifdef WOLFSSL_CERT_REQ byte attrib[MAX_ATTRIB_SZ]; /* Cert req attributes encoded */ @@ -19952,7 +20084,12 @@ typedef struct DerCert { int akidSz; /* encoded SKID extension length */ int keyUsageSz; /* encoded KeyUsage extension length */ int extKeyUsageSz; /* encoded ExtendedKeyUsage extension length */ +#ifndef IGNORE_NETSCAPE_CERT_TYPE + int nsCertTypeSz; /* encoded Netscape Certifcate Type + * extension length */ +#endif int certPoliciesSz; /* encoded CertPolicies extension length*/ + int crlInfoSz; /* encoded CRL Dist Points length */ #endif #ifdef WOLFSSL_ALT_NAMES int altNamesSz; /* encoded AltNames extension length */ 
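Review bot: In hunk @@ -19927 the comment on the new `nsCertType[MAX_NSCERTTYPE_SZ]` member was pasted from the line above and reads "Extended Key Usage extension"; it should be `/* Netscape Certificate Type extension */`. The same hunk grows `akid` to `MAX_KID_SZ + sizeof(CertName)`, which uses a C struct size as a bound on DER output without explanation; a comment that the extra room is for a raw AuthorityKeyIdentifier carrying issuer name and serial, and that EncodeCert (hunk @@ -22562) rejects anything larger, would make the sizing reviewable. Hunk @@ -19952 spells "Certifcate" in the new `nsCertTypeSz` comment.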
@@ -20621,28 +20758,34 @@ const char* GetOneCertName(CertName* name, int idx) return name->state; case 2: - return name->locality; + return name->street; case 3: - return name->sur; + return name->locality; case 4: - return name->org; + return name->sur; case 5: - return name->unit; + return name->org; case 6: - return name->commonName; + return name->unit; case 7: - return name->serialDev; + return name->commonName; case 8: + return name->serialDev; + + case 9: + return name->postalCode; + + case 10: #ifdef WOLFSSL_CERT_EXT return name->busCat; - case 9: + case 11: #endif return name->email; @@ -20663,28 +20806,34 @@ static char GetNameType(CertName* name, int idx) return name->stateEnc; case 2: - return name->localityEnc; + return name->postalCodeEnc; case 3: - return name->surEnc; + return name->localityEnc; case 4: - return name->orgEnc; + return name->surEnc; case 5: - return name->unitEnc; + return name->orgEnc; case 6: - return name->commonNameEnc; + return name->unitEnc; case 7: - return name->serialDevEnc; + return name->commonNameEnc; case 8: + return name->serialDevEnc; + + case 9: + return name->postalCodeEnc; + + case 10: #ifdef WOLFSSL_CERT_EXT return name->busCatEnc; - case 9: + case 11: #endif /* FALL THROUGH */ /* The last index, email name, does not have encoding type. @@ -20706,28 +20855,34 @@ byte GetCertNameId(int idx) return ASN_STATE_NAME; case 2: - return ASN_LOCALITY_NAME; + return ASN_STREET_ADDR; case 3: - return ASN_SUR_NAME; + return ASN_LOCALITY_NAME; case 4: - return ASN_ORG_NAME; + return ASN_SUR_NAME; case 5: - return ASN_ORGUNIT_NAME; + return ASN_ORG_NAME; case 6: - return ASN_COMMON_NAME; + return ASN_ORGUNIT_NAME; case 7: - return ASN_SERIAL_NUMBER; + return ASN_COMMON_NAME; case 8: + return ASN_SERIAL_NUMBER; + + case 9: + return ASN_POSTAL_CODE; + + case 10: #ifdef WOLFSSL_CERT_EXT return ASN_BUS_CAT; - case 9: + case 11: #endif return ASN_EMAIL_NAME; 
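Review bot: `case 2` of GetNameType returns `name->postalCodeEnc`, while `case 2` of GetOneCertName returns `name->street` and `case 2` of GetCertNameId returns `ASN_STREET_ADDR`, so the street address is encoded with the postal code's string type and `postalCodeEnc` is returned twice (cases 2 and 9). Change it to return the street entry's encoding field, `case 2: return name->streetEnc;`, matching the `<field>Enc` pattern of the other cases. The mismatch is silent — the certificate still encodes, just with the wrong string tag — so a test asserting the street attribute's encoding type would catch a regression. All three switches start outside their hunks.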
@@ -20890,36 +21045,55 @@ static int SetSKID(byte* output, word32 outSz, const byte *input, word32 length) /* encode Authority Key Identifier, return total bytes written * RFC5280 : non-critical */ -static int SetAKID(byte* output, word32 outSz, - byte *input, word32 length, void* heap) +static int SetAKID(byte* output, word32 outSz, byte *input, word32 length, + byte rawAkid) { - byte *enc_val; - int ret, enc_valSz; - const byte akid_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04 }; + int enc_valSz, inSeqSz; + byte enc_val_buf[MAX_KID_SZ]; + byte* enc_val; + const byte akid_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x23 }; const byte akid_cs[] = { 0x80 }; - - (void)heap; + word32 idx; if (output == NULL || input == NULL) return BAD_FUNC_ARG; - enc_valSz = length + 3 + sizeof(akid_cs); - enc_val = (byte *)XMALLOC(enc_valSz, heap, DYNAMIC_TYPE_TMP_BUFFER); - if (enc_val == NULL) - return MEMORY_E; + if (rawAkid) { + enc_val = input; + enc_valSz = length; + } + else { + enc_val = enc_val_buf; + enc_valSz = length + 3 + sizeof(akid_cs); + if (enc_valSz > (int)sizeof(enc_val_buf)) + return BAD_FUNC_ARG; - /* sequence for ContentSpec & value */ - ret = SetOidValue(enc_val, enc_valSz, akid_cs, sizeof(akid_cs), - input, length); - if (ret > 0) { - enc_valSz = ret; - - ret = SetOidValue(output, outSz, akid_oid, sizeof(akid_oid), - enc_val, enc_valSz); + /* sequence for ContentSpec & value */ + enc_valSz = SetOidValue(enc_val, enc_valSz, akid_cs, sizeof(akid_cs), + input, length); + if (enc_valSz <= 0) + return enc_valSz; } - XFREE(enc_val, heap, DYNAMIC_TYPE_TMP_BUFFER); - return ret; + /* The size of the extension sequence contents */ + inSeqSz = sizeof(akid_oid) + SetOctetString(enc_valSz, NULL) + + enc_valSz; + + if (SetSequence(inSeqSz, NULL) + inSeqSz > outSz) + return BAD_FUNC_ARG; + + /* Write out the sequence header */ + idx = SetSequence(inSeqSz, output); + + /* Write out OID */ + XMEMCPY(output + idx, akid_oid, sizeof(akid_oid)); + idx += sizeof(akid_oid); + + /* Write out 
AKID */ + idx += SetOctetString(enc_valSz, output + idx); + XMEMCPY(output + idx, enc_val, enc_valSz); + + return idx + enc_valSz; } /* encode Key Usage, return total bytes written 
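Review bot: When `rawAkid` is set, SetAKID copies `input` into the extension value verbatim without checking that it is a well-formed AuthorityKeyIdentifier SEQUENCE, so a caller-supplied buffer that is not DER yields a certificate with a malformed extension — something the wrapped path could never produce. A cheap guard at the top of that branch: `word32 i = 0; int l; if (GetSequence(input, &i, &l, length) < 0 || i + (word32)l != length) return BAD_FUNC_ARG;`. The header comment above the function was not updated for the new parameter; add `rawAkid: non-zero means input already holds the DER AuthorityKeyIdentifier and is copied as-is; zero means input is a bare key identifier to be wrapped in [0] and SEQUENCE`. Nothing writes through `input` any more, so it can become `const byte *input`.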
@@ -21163,6 +21337,89 @@ static int SetExtKeyUsage(Cert* cert, byte* output, word32 outSz, byte input) #endif } +#ifndef IGNORE_NETSCAPE_CERT_TYPE +#ifndef WOLFSSL_ASN_TEMPLATE +static int SetNsCertType(Cert* cert, byte* output, word32 outSz, byte input) +{ + word32 idx; + byte unusedBits = 0; + byte nsCertType = input; + word32 totalSz; + word32 bitStrSz; + const byte nscerttype_oid[] = { 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, + 0x86, 0xF8, 0x42, 0x01, 0x01 }; + + if (cert == NULL || output == NULL || + input == 0) + return BAD_FUNC_ARG; + + totalSz = sizeof(nscerttype_oid); + + /* Get amount of lsb zero's */ + for (;(input & 1) == 0; input >>= 1) + unusedBits++; + + /* 1 byte of NS Cert Type extension */ + bitStrSz = SetBitString(1, unusedBits, NULL) + 1; + totalSz += SetOctetString(bitStrSz, NULL) + bitStrSz; + + if (SetSequence(totalSz, NULL) + totalSz > outSz) + return BAD_FUNC_ARG; + + /* 1. Seq + Total Len */ + idx = SetSequence(totalSz, output); + + /* 2. Object ID */ + XMEMCPY(&output[idx], nscerttype_oid, sizeof(nscerttype_oid)); + idx += sizeof(nscerttype_oid); + + /* 3. Octet String */ + idx += SetOctetString(bitStrSz, &output[idx]); + + /* 4. Bit String */ + idx += SetBitString(1, unusedBits, &output[idx]); + output[idx++] = nsCertType; + + return idx; +} +#endif +#endif + +#ifndef WOLFSSL_ASN_TEMPLATE +static int SetCRLInfo(Cert* cert, byte* output, word32 outSz, byte* input, + int inSz) +{ + word32 idx; + word32 totalSz; + const byte crlinfo_oid[] = { 0x06, 0x03, 0x55, 0x1D, 0x1F }; + + if (cert == NULL || output == NULL || + input == 0 || inSz <= 0) + return BAD_FUNC_ARG; + + totalSz = sizeof(crlinfo_oid) + SetOctetString(inSz, NULL) + inSz; + + if (SetSequence(totalSz, NULL) + totalSz > outSz) + return BAD_FUNC_ARG; + + /* 1. Seq + Total Len */ + idx = SetSequence(totalSz, output); + + /* 2. Object ID */ + XMEMCPY(&output[idx], crlinfo_oid, sizeof(crlinfo_oid)); + idx += sizeof(crlinfo_oid); + + /* 3. 
Octet String */ + idx += SetOctetString(inSz, &output[idx]); + + /* 4. CRL Info */ + XMEMCPY(&output[idx], input, inSz); + idx += inSz; + + return idx; +} +#endif + /* encode Certificate Policies, return total bytes written * each input value must be ITU-T X.690 formatted : a.b.c... * input must be an array of values with a NULL terminated for the latest @@ -21625,6 +21882,7 @@ int wc_EncodeName(EncodedName* name, const char* nameStr, char nameType, static const byte nameOid[NAME_ENTRIES - 1][NAME_OID_SZ] = { { 0x55, 0x04, ASN_COUNTRY_NAME }, { 0x55, 0x04, ASN_STATE_NAME }, + { 0x55, 0x04, ASN_STREET_ADDR }, { 0x55, 0x04, ASN_LOCALITY_NAME }, { 0x55, 0x04, ASN_SUR_NAME }, { 0x55, 0x04, ASN_ORG_NAME }, @@ -21634,6 +21892,7 @@ static const byte nameOid[NAME_ENTRIES - 1][NAME_OID_SZ] = { #ifdef WOLFSSL_CERT_EXT { 0x55, 0x04, ASN_BUS_CAT }, #endif + { 0x55, 0x04, ASN_POSTAL_CODE }, /* Email OID is much longer. */ }; @@ -22042,6 +22301,15 @@ static const ASNItem certExtsASN[] = { /* 28 */ { 2, ASN_OBJECT_ID, 0, 0, 0 }, /* 29 */ { 2, ASN_OCTET_STRING, 0, 1, 0 }, /* 30 */ { 3, ASN_SEQUENCE, 0, 0, 0 }, + /* Netscape Certificate Type */ +/* 31 */ { 1, ASN_SEQUENCE, 1, 1, 0 }, +/* 32 */ { 2, ASN_OBJECT_ID, 0, 0, 0 }, +/* 33 */ { 2, ASN_OCTET_STRING, 0, 1, 0 }, +/* 34 */ { 3, ASN_BIT_STRING, 0, 0, 0 }, +/* 35 */ { 1, ASN_SEQUENCE, 1, 1, 0 }, +/* 36 */ { 2, ASN_OBJECT_ID, 0, 0, 0 }, +/* 37 */ { 2, ASN_OCTET_STRING, 0, 0, 0 }, + #endif }; @@ -22064,6 +22332,9 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz, static const byte kuOID[] = { 0x55, 0x1d, 0x0f }; static const byte ekuOID[] = { 0x55, 0x1d, 0x25 }; static const byte cpOID[] = { 0x55, 0x1d, 0x20 }; + static const byte nsCertOID[] = { 0x60, 0x86, 0x48, 0x01, + 0x86, 0xF8, 0x42, 0x01, 0x01 }; + static const byte crlInfoOID[] = { 0x55, 0x1D, 0x1F }; #endif (void)forRequest; 
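Review bot: SetCRLInfo compares the `input` pointer against `0` (`input == 0`); use `NULL` as the rest of the file does. Like the raw path in SetAKID (hunk @@ -20890), it copies `input` into the extension value unchanged, so a caller passing anything other than a DER CRLDistributionPoints SEQUENCE gets a malformed extension; the same `GetSequence` length-match check would catch that cheaply. The `cert` parameter of both SetNsCertType and SetCRLInfo is only NULL-checked and otherwise unused, which is worth a `(void)cert;`-style note or dropping from the non-template signature. `nscerttype_oid` duplicates the OID bytes of `nsCertOID` in hunk @@ -22064 with a different prefix; a comment cross-referencing the two keeps them from drifting.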
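Review bot: Hunks @@ -21625 and @@ -21634 insert the street OID at position 2 of `nameOid`, matching `GetCertNameId`, but append the postal-code OID after the `WOLFSSL_CERT_EXT` businessCategory entry, whereas `GetCertNameId` (hunk @@ -20706) returns `ASN_POSTAL_CODE` at index 9 and `ASN_BUS_CAT` at index 10. If `nameOid` is read by the same index as `GetCertNameId` (wc_EncodeName's body starts outside the hunk, so this is inferred), then with `WOLFSSL_CERT_EXT` defined the postal code value is emitted under the businessCategory OID and vice versa. Moving `{ 0x55, 0x04, ASN_POSTAL_CODE },` above the `#ifdef WOLFSSL_CERT_EXT` block restores the same order in both tables; a `_Static_assert`-style comment tying `nameOid` order to `GetCertNameId` would prevent a repeat.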
@@ -22156,6 +22427,28 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz, /* Don't write out Certificate Policies extension items. */ SetASNItem_NoOut(dataASN, 27, 30); } + #ifndef IGNORE_NETSCAPE_CERT_TYPE + /* Netscape Certificate Type */ + if (cert->nsCertType != 0) { + /* Set Netscape Certificate Type OID and data. */ + SetASN_Buffer(&dataASN[32], nsCertOID, sizeof(nsCertOID)); + SetASN_Buffer(&dataASN[34], &cert->nsCertType, 1); + } + else + #endif + { + /* Don't write out Netscape Certificate Type. */ + SetASNItem_NoOut(dataASN, 31, 34); + } + if (cert->crlInfoSz > 0) { + /* Set CRL Distribution Points OID and data. */ + SetASN_Buffer(&dataASN[36], crlInfoOID, sizeof(crlInfoOID)); + SetASN_Buffer(&dataASN[37], cert->crlInfo, cert->crlInfoSz); + } + else { + /* Don't write out Netscape Certificate Type. */ + SetASNItem_NoOut(dataASN, 35, 37); + } #endif } @@ -22179,7 +22472,7 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz, SetASN_Items(certExtsASN, dataASN, certExtsASN_Length, output); #ifdef WOLFSSL_CERT_EXT - if (cert->keyUsage != 0){ + if (cert->extKeyUsage != 0){ /* Encode Extended Key Usage into space provided. */ if (SetExtKeyUsage(cert, (byte*)dataASN[26].data.buffer.data, dataASN[26].data.buffer.length, cert->extKeyUsage) <= 0) { @@ -22209,6 +22502,10 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz, #ifndef WOLFSSL_ASN_TEMPLATE /* Set Date validity from now until now + daysValid * return size in bytes written to output, 0 on error */ +/* TODO https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5 + * "MUST always encode certificate validity dates through the year 2049 as + * UTCTime; certificate validity dates in 2050 or later MUST be encoded as + * GeneralizedTime." */ static int SetValidity(byte* output, int daysValid) { #ifndef NO_ASN_TIME 
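Review bot: The else-branch for CRL Distribution Points repeats the Netscape comment; it should read `/* Don't write out CRL Distribution Points. */`. The template path hands the nsCertType byte to `SetASN_Buffer(&dataASN[34], ...)` as the BIT STRING payload, while the non-template SetNsCertType (hunk @@ -21163) computes an unused-bits count from the trailing zero bits; unless `SetASN_Items` derives unused bits itself (outside the hunk), the two builds emit different DER for the same value, and DER (X.690 11.2.2) requires trailing zero bits of a named bit list to be dropped. A comment stating which encoding is intended, or a test comparing the two outputs, would settle it. EncodeExtensions starts and ends outside this hunk.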
@@ -22562,11 +22859,13 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey, /* AKID */ if (cert->akidSz) { /* check the provided AKID size */ - if (cert->akidSz > (int)min(CTC_MAX_AKID_SIZE, sizeof(der->akid))) + if ((!cert->rawAkid && + cert->akidSz > (int)min(CTC_MAX_AKID_SIZE, sizeof(der->akid))) || + (cert->rawAkid && cert->akidSz > (int)sizeof(der->akid))) return AKID_E; - der->akidSz = SetAKID(der->akid, sizeof(der->akid), - cert->akid, cert->akidSz, cert->heap); + der->akidSz = SetAKID(der->akid, sizeof(der->akid), cert->akid, + cert->akidSz, cert->rawAkid); if (der->akidSz <= 0) return AKID_E; @@ -22599,6 +22898,31 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey, else der->extKeyUsageSz = 0; +#ifndef IGNORE_NETSCAPE_CERT_TYPE + /* Netscape Certificate Type */ + if (cert->nsCertType != 0) { + der->nsCertTypeSz = SetNsCertType(cert, der->nsCertType, + sizeof(der->nsCertType), cert->nsCertType); + if (der->nsCertTypeSz <= 0) + return EXTENSIONS_E; + + der->extensionsSz += der->nsCertTypeSz; + } + else + der->nsCertTypeSz = 0; +#endif + + if (cert->crlInfoSz > 0) { + der->crlInfoSz = SetCRLInfo(cert, der->crlInfo, sizeof(der->crlInfo), + cert->crlInfo, cert->crlInfoSz); + if (der->crlInfoSz <= 0) + return EXTENSIONS_E; + + der->extensionsSz += der->crlInfoSz; + } + else + der->crlInfoSz = 0; + /* Certificate Policies */ if (cert->certPoliciesNb != 0) { der->certPoliciesSz = SetCertificatePolicies(der->certPolicies, @@ -22664,6 +22988,15 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey, return EXTENSIONS_E; } + /* put CRL Distribution Points */ + if (der->crlInfoSz) { + ret = SetExtensions(der->extensions, sizeof(der->extensions), + &der->extensionsSz, + der->crlInfo, der->crlInfoSz); + if (ret <= 0) + return EXTENSIONS_E; + } + /* put KeyUsage */ if (der->keyUsageSz) { ret = SetExtensions(der->extensions, sizeof(der->extensions), 
@@ -22682,6 +23015,17 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey, return EXTENSIONS_E; } + /* put Netscape Cert Type */ +#ifndef IGNORE_NETSCAPE_CERT_TYPE + if (der->nsCertTypeSz) { + ret = SetExtensions(der->extensions, sizeof(der->extensions), + &der->extensionsSz, + der->nsCertType, der->nsCertTypeSz); + if (ret <= 0) + return EXTENSIONS_E; + } +#endif + /* put Certificate Policies */ if (der->certPoliciesSz) { ret = SetExtensions(der->extensions, sizeof(der->extensions), @@ -26957,16 +27301,20 @@ static int DecodeAsymKeyPublic(const byte* input, word32* inOutIdx, word32 inSz, return ASN_PARSE_E; /* key header */ - ret = CheckBitString(input, inOutIdx, NULL, inSz, 1, NULL); + ret = CheckBitString(input, inOutIdx, &length, inSz, 1, NULL); if (ret != 0) return ret; /* check that the value found is not too large for pubKey buffer */ - if (inSz - *inOutIdx > *pubKeyLen) + if ((word32)length > *pubKeyLen) + return ASN_PARSE_E; + + /* check that input buffer is exhausted */ + if (*inOutIdx + (word32)length != inSz) return ASN_PARSE_E; /* This is the raw point data compressed or uncompressed. */ - *pubKeyLen = inSz - *inOutIdx; + *pubKeyLen = length; XMEMCPY(pubKey, input + *inOutIdx, *pubKeyLen); #else len = inSz - *inOutIdx; @@ -26982,9 +27330,11 @@ static int DecodeAsymKeyPublic(const byte* input, word32* inOutIdx, word32 inSz, /* Decode Ed25519 private key. */ ret = GetASN_Items(edPubKeyASN, dataASN, edPubKeyASN_Length, 1, input, inOutIdx, inSz); - if (ret != 0) { + if (ret != 0) + ret = ASN_PARSE_E; + /* check that input buffer is exhausted */ + if (*inOutIdx != inSz) ret = ASN_PARSE_E; - } } /* Check the public value length is correct. */ if ((ret == 0) && (dataASN[3].data.ref.length > *pubKeyLen)) { diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 94d55690d..c73c68952 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c 
@@ -12289,18 +12289,20 @@ static void initDefaultName(void) static const CertName certDefaultName = { "US", CTC_PRINTABLE, /* country */ "Oregon", CTC_UTF8, /* state */ + "Main St", CTC_UTF8, /* street */ "Portland", CTC_UTF8, /* locality */ "Test", CTC_UTF8, /* sur */ "wolfSSL", CTC_UTF8, /* org */ "Development", CTC_UTF8, /* unit */ "www.wolfssl.com", CTC_UTF8, /* commonName */ "wolfSSL12345", CTC_PRINTABLE, /* serial number of device */ + "12-456", CTC_PRINTABLE, /* Postal Code */ #ifdef WOLFSSL_CERT_EXT "Private Organization", CTC_UTF8, /* businessCategory */ "US", CTC_PRINTABLE, /* jurisdiction country */ "Oregon", CTC_PRINTABLE, /* jurisdiction state */ #endif - "info@wolfssl.com" /* email */ + "info@wolfssl.com", /* email */ }; #endif /* WOLFSSL_MULTI_ATTRIB */ diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 0804e3209..d00a5b3e5 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -3854,12 +3854,14 @@ struct WOLFSSL_X509 { #ifdef HAVE_EX_DATA WOLFSSL_CRYPTO_EX_DATA ex_data; #endif - byte* authKeyId; + byte* authKeyId; /* Points into authKeyIdSrc */ + byte* authKeyIdSrc; byte* subjKeyId; byte* extKeyUsageSrc; #ifdef OPENSSL_ALL byte* subjAltNameSrc; #endif + byte* rawCRLInfo; byte* CRLInfo; byte* authInfo; #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) @@ -3868,12 +3870,18 @@ struct WOLFSSL_X509 { #endif word32 pathLength; word16 keyUsage; + int rawCRLInfoSz; int CRLInfoSz; int authInfoSz; word32 authKeyIdSz; + word32 authKeyIdSrcSz; word32 subjKeyIdSz; + byte extKeyUsage; word32 extKeyUsageSz; word32 extKeyUsageCount; +#ifndef IGNORE_NETSCAPE_CERT_TYPE + byte nsCertType; +#endif #ifdef OPENSSL_ALL word32 subjAltNameSz; #endif diff --git a/wolfssl/openssl/x509v3.h b/wolfssl/openssl/x509v3.h index fa30dcc1b..2e3298226 100644 --- a/wolfssl/openssl/x509v3.h +++ b/wolfssl/openssl/x509v3.h 
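Review bot: `certDefaultName` is initialised positionally, and the hunk inserts `"Main St", CTC_UTF8,` after `state` and `"12-456", CTC_PRINTABLE,` after `serialDev` to track the two members added to `CertName` in this same patch; any later reordering of `CertName` silently shifts every following value into the wrong member without a compiler error. Designated initialisers, e.g. `.street = "Main St", .streetEnc = CTC_UTF8,` and `.postalCode = "12-456", .postalCodeEnc = CTC_PRINTABLE,`, tie each value to its field and make the gated `WOLFSSL_CERT_EXT` members independent of position. The initialiser is complete within the hunk.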
@@ -57,8 +57,8 @@ #define X509_PURPOSE_SSL_CLIENT 0 #define X509_PURPOSE_SSL_SERVER 1 -#define NS_SSL_CLIENT 0 -#define NS_SSL_SERVER 1 +#define NS_SSL_CLIENT WC_NS_SSL_CLIENT +#define NS_SSL_SERVER WC_NS_SSL_SERVER /* Forward reference */ diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 80a7ece30..840fa7b0c 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -598,9 +598,11 @@ enum DN_Tags { ASN_COUNTRY_NAME = 0x06, /* C */ ASN_LOCALITY_NAME = 0x07, /* L */ ASN_STATE_NAME = 0x08, /* ST */ + ASN_STREET_ADDR = 0x09, /* street */ ASN_ORG_NAME = 0x0a, /* O */ ASN_ORGUNIT_NAME = 0x0b, /* OU */ ASN_BUS_CAT = 0x0f, /* businessCategory */ + ASN_POSTAL_CODE = 0x11, /* postalCode */ ASN_EMAIL_NAME = 0x98, /* not oid number there is 97 in 2.5.4.0-97 */ /* pilot attribute types @@ -636,6 +638,9 @@ extern const WOLFSSL_ObjectInfo wolfssl_object_info[]; #define WOLFSSL_LN_LOCALITY_NAME "/localityName=" #define WOLFSSL_STATE_NAME "/ST=" #define WOLFSSL_LN_STATE_NAME "/stateOrProvinceName=" +#define WOLFSSL_STREET_ADDR_NAME "/street=" +#define WOLFSSL_LN_STREET_ADDR_NAME "/streetAddress=" +#define WOLFSSL_POSTAL_NAME "/postalCode=" #define WOLFSSL_ORG_NAME "/O=" #define WOLFSSL_LN_ORG_NAME "/organizationName=" #define WOLFSSL_ORGUNIT_NAME "/OU=" @@ -715,12 +720,14 @@ enum NID_countryName = 0x06, /* C */ NID_localityName = 0x07, /* L */ NID_stateOrProvinceName = 0x08, /* ST */ + NID_streetAddress = ASN_STREET_ADDR, /* street */ NID_organizationName = 0x0a, /* O */ NID_organizationalUnitName = 0x0b, /* OU */ NID_jurisdictionCountryName = 0xc, NID_jurisdictionStateOrProvinceName = 0xd, NID_businessCategory = ASN_BUS_CAT, NID_domainComponent = ASN_DOMAIN_COMPONENT, + NID_postalCode = ASN_POSTAL_CODE, /* postalCode */ NID_favouriteDrink = 462, NID_userId = 458, NID_emailAddress = 0x30, /* emailAddress */ 
@@ -857,6 +864,10 @@ enum Misc_ASN { CTC_MAX_EKU_OID_SZ, /* Max encoded ExtKeyUsage (SEQ/LEN + OBJID + OCTSTR/LEN + SEQ + (6 * (SEQ + OID))) */ +#ifndef IGNORE_NETSCAPE_CERT_TYPE + MAX_NSCERTTYPE_SZ = MAX_SEQ_SZ + 17, /* SEQ + OID + OCTET STR + + * NS BIT STR */ +#endif MAX_CERTPOL_NB = CTC_MAX_CERTPOL_NB,/* Max number of Cert Policy */ MAX_CERTPOL_SZ = CTC_MAX_CERTPOL_SZ, #endif @@ -1127,6 +1138,15 @@ enum CsrAttrType { #define EXTKEYUSE_SERVER_AUTH 0x02 #define EXTKEYUSE_ANY 0x01 +#define WC_NS_SSL_CLIENT 0x80 +#define WC_NS_SSL_SERVER 0x40 +#define WC_NS_SMIME 0x20 +#define WC_NS_OBJSIGN 0x10 +#define WC_NS_SSL_CA 0x04 +#define WC_NS_SMIME_CA 0x02 +#define WC_NS_OBJSIGN_CA 0x01 + + typedef struct DNS_entry DNS_entry; struct DNS_entry { @@ -1382,6 +1402,10 @@ struct DecodedCert { const byte* extAuthInfoCaIssuer; /* Authority Info Access caIssuer URI */ int extAuthInfoCaIssuerSz; /* length of the caIssuer URI */ #endif + const byte* extCrlInfoRaw; /* Entire CRL Distribution Points + * Extension. This is useful when + * re-generating the DER. */ + int extCrlInfoRawSz; /* length of the extension */ const byte* extCrlInfo; /* CRL Distribution Points */ int extCrlInfoSz; /* length of the URI */ byte extSubjKeyId[KEYID_SIZE]; /* Subject Key ID */ @@ -1398,6 +1422,8 @@ struct DecodedCert { const byte* extExtKeyUsageSrc; word32 extExtKeyUsageSz; word32 extExtKeyUsageCount; + const byte* extRawAuthKeyIdSrc; + word32 extRawAuthKeyIdSz; const byte* extAuthKeyIdSrc; word32 extAuthKeyIdSz; const byte* extSubjKeyIdSrc; @@ -1437,6 +1463,9 @@ struct DecodedCert { char* subjectST; int subjectSTLen; char subjectSTEnc; + char* subjectStreet; + int subjectStreetLen; + char subjectStreetEnc; char* subjectO; int subjectOLen; char subjectOEnc; 
@@ -1457,9 +1486,12 @@ struct DecodedCert { int subjectJSLen; char subjectJSEnc; #endif + char* subjectPC; + int subjectPCLen; + char subjectPCEnc; char* subjectEmail; int subjectEmailLen; -#endif /* WOLFSSL_CERT_GEN */ +#endif /* defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) */ #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) /* WOLFSSL_X509_NAME structures (used void* to avoid including ssl.h) */ void* issuerName; @@ -1476,7 +1508,10 @@ struct DecodedCert { #ifdef WOLFSSL_CERT_EXT char extCertPolicies[MAX_CERTPOL_NB][MAX_CERTPOL_SZ]; int extCertPoliciesNb; -#endif /* defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) */ +#endif /* WOLFSSL_CERT_EXT */ +#ifndef IGNORE_NETSCAPE_CERT_TYPE + byte nsCertType; +#endif #ifdef WOLFSSL_CERT_REQ /* CSR attributes */ @@ -1880,9 +1915,9 @@ WOLFSSL_LOCAL int wc_MIME_free_hdrs(MimeHdr* head); enum cert_enums { #ifdef WOLFSSL_CERT_EXT - NAME_ENTRIES = 10, + NAME_ENTRIES = 12, #else - NAME_ENTRIES = 9, + NAME_ENTRIES = 11, #endif JOINT_LEN = 2, EMAIL_JOINT_LEN = 9, diff --git a/wolfssl/wolfcrypt/asn_public.h b/wolfssl/wolfcrypt/asn_public.h index f108c17ad..a11ceb623 100644 --- a/wolfssl/wolfcrypt/asn_public.h +++ b/wolfssl/wolfcrypt/asn_public.h @@ -197,7 +197,9 @@ enum Ctc_Misc { CTC_MAX_SKID_SIZE = 32, /* SHA256_DIGEST_SIZE */ CTC_MAX_AKID_SIZE = 32, /* SHA256_DIGEST_SIZE */ CTC_MAX_CERTPOL_SZ = 64, - CTC_MAX_CERTPOL_NB = 2 /* Max number of Certificate Policy */ + CTC_MAX_CERTPOL_NB = 2, /* Max number of Certificate Policy */ + CTC_MAX_CRLINFO_SZ = 200, /* Arbitrary size that should be enough for at + * least two distribution points. */ #endif /* WOLFSSL_CERT_EXT */ }; @@ -305,6 +307,8 @@ typedef struct CertName { char countryEnc; char state[CTC_NAME_SIZE]; char stateEnc; + char street[CTC_NAME_SIZE]; + char streetEnc; char locality[CTC_NAME_SIZE]; char localityEnc; char sur[CTC_NAME_SIZE]; 
@@ -317,6 +321,8 @@ typedef struct CertName { char commonNameEnc; char serialDev[CTC_NAME_SIZE]; char serialDevEnc; + char postalCode[CTC_NAME_SIZE]; + char postalCodeEnc; #ifdef WOLFSSL_CERT_EXT char busCat[CTC_NAME_SIZE]; char busCatEnc; @@ -357,10 +363,18 @@ typedef struct Cert { #ifdef WOLFSSL_CERT_EXT byte skid[CTC_MAX_SKID_SIZE]; /* Subject Key Identifier */ int skidSz; /* SKID size in bytes */ - byte akid[CTC_MAX_AKID_SIZE]; /* Authority Key Identifier */ + byte akid[CTC_MAX_AKID_SIZE + sizeof(CertName)]; /* Authority Key + * Identifier */ int akidSz; /* AKID size in bytes */ + byte rawAkid; /* Set to true if akid is a + * AuthorityKeyIdentifier object. + * Set to false if akid is just a + * KeyIdentifier object. */ word16 keyUsage; /* Key Usage */ byte extKeyUsage; /* Extended Key Usage */ +#ifndef IGNORE_NETSCAPE_CERT_TYPE + byte nsCertType; /* Netscape Certificate Type */ +#endif #ifdef WOLFSSL_EKU_OID /* Extended Key Usage OIDs */ byte extKeyUsageOID[CTC_MAX_EKU_NB][CTC_MAX_EKU_OID_SZ]; @@ -368,6 +382,8 @@ typedef struct Cert { #endif char certPolicies[CTC_MAX_CERTPOL_NB][CTC_MAX_CERTPOL_SZ]; word16 certPoliciesNb; /* Number of Cert Policy */ + byte crlInfo[CTC_MAX_CRLINFO_SZ]; /* CRL Distribution points */ + int crlInfoSz; #endif #if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) || \ defined(WOLFSSL_CERT_REQ) From d9af698aa46bab93a245e3ebb5c76846e226a254 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Wed, 20 Oct 2021 17:27:56 +0200 Subject: [PATCH 02/11] Implement raw AKID with WOLFSSL_ASN_TEMPLATE --- src/ssl.c | 5 +-- tests/api.c | 99 ----------------------------------------- wolfcrypt/src/asn.c | 37 +++++++++++---- wolfssl/wolfcrypt/asn.h | 21 ++++++++- 4 files changed, 49 insertions(+), 113 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index eae102b9e..51dc8dee2 100644 --- a/src/ssl.c +++ b/src/ssl.c 
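Review bot: The new bound `byte akid[CTC_MAX_AKID_SIZE + sizeof(CertName)]` keeps the old one-line comment, so nothing explains why `sizeof(CertName)` is added; a raw AuthorityKeyIdentifier carries `authorityCertIssuer` GeneralNames whose DER length is not tied to the in-memory size of `CertName` (which this patch itself grows by two members), so the sum appears to be a heuristic rather than a guarantee. A comment such as `/* Raw AuthorityKeyIdentifier: key id plus issuer name; sizeof(CertName) is a heuristic bound on the encoded issuer, so writers must still check akidSz against sizeof(akid) */` would record that assumption for callers. `Cert` is a public structure, so the size change is also ABI-visible. The struct starts and ends outside the hunk.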
@@ -41858,16 +41858,13 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl) } if (x509->authKeyIdSz < sizeof(cert->akid)) { - #ifndef WOLFSSL_ASN_TEMPLATE /* Not supported with WOLFSSL_ASN_TEMPLATE at the moment. */ if (x509->authKeyIdSrc) { XMEMCPY(cert->akid, x509->authKeyIdSrc, x509->authKeyIdSrcSz); cert->akidSz = (int)x509->authKeyIdSrcSz; cert->rawAkid = 1; } - else - #endif - if (x509->authKeyId) { + else if (x509->authKeyId) { XMEMCPY(cert->akid, x509->authKeyId, x509->authKeyIdSz); cert->akidSz = (int)x509->authKeyIdSz; cert->rawAkid = 0; diff --git a/tests/api.c b/tests/api.c index 3d0eec56e..2b9cbab56 100644 --- a/tests/api.c +++ b/tests/api.c @@ -35680,7 +35680,6 @@ static void test_wolfSSL_X509_sign2(void) time_t t; const unsigned char expected[] = { -#ifndef WOLFSSL_ASN_TEMPLATE 0x30, 0x82, 0x04, 0xfd, 0x30, 0x82, 0x03, 0xe5, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xf1, 0x5c, 0x99, 0x43, 0x66, 0x3d, 0x96, 0x04, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 
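Review bot: The raw-AKID copy is guarded by the wrong length: the enclosing check is `if (x509->authKeyIdSz < sizeof(cert->akid))`, but `XMEMCPY(cert->akid, x509->authKeyIdSrc, x509->authKeyIdSrcSz)` copies `authKeyIdSrcSz` bytes, which (with `authKeyId` documented in internal.h as pointing into `authKeyIdSrc`) is at least as large as `authKeyIdSz` and is never compared with the destination. A certificate whose AuthorityKeyIdentifier extension is longer than `sizeof(cert->akid)` would therefore overrun the array; the branch condition should be `if (x509->authKeyIdSrc && x509->authKeyIdSrcSz <= sizeof(cert->akid)) {`, letting larger values fall through to the key-identifier-only branch, which the outer check already bounds. The same lines reappear in the src/ssl.c hunk of patch 06 (`Gate new AKID functionality on WOLFSSL_AKID_NAME`). The enclosing function starts and ends outside the hunk.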
@@ -35788,100 +35787,6 @@ static void test_wolfSSL_X509_sign2(void) 0xec, 0xba, 0x3b, 0xa4, 0xfe, 0xa1, 0xfd, 0x26, 0x19, 0x7c, 0x2d, 0x14, 0x91, 0x91, 0x61, 0x30, 0x3e, 0xf4, 0x5c, 0x97, 0x4c, 0x06, 0x84, 0xab, 0x94, 0xa8, 0x17, 0x6c, 0xec, 0x19, 0xc0, 0x87, 0xd0 -#else - 0x30, 0x82, 0x04, 0x46, 0x30, 0x82, 0x03, 0x2e, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x09, 0x00, 0xf1, 0x5c, 0x99, 0x43, 0x66, 0x3d, 0x96, 0x04, - 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, - 0x0b, 0x05, 0x00, 0x30, 0x81, 0x94, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, - 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, - 0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, - 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, - 0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x11, 0x30, 0x0f, 0x06, - 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x53, 0x61, 0x77, 0x74, 0x6f, 0x6f, - 0x74, 0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, - 0x0a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x74, 0x69, 0x6e, 0x67, 0x31, - 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x77, - 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, - 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, - 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, - 0x17, 0x0d, 0x30, 0x30, 0x30, 0x32, 0x31, 0x35, 0x32, 0x30, 0x33, 0x30, - 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x30, 0x31, 0x30, 0x32, 0x31, 0x34, 0x32, - 0x30, 0x33, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x81, 0x9e, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, - 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, - 0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, - 0x07, 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x15, - 0x30, 0x13, 0x06, 0x03, 
0x55, 0x04, 0x0a, 0x0c, 0x0c, 0x77, 0x6f, 0x6c, - 0x66, 0x53, 0x53, 0x4c, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x31, 0x19, 0x30, - 0x17, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x10, 0x50, 0x72, 0x6f, 0x67, - 0x72, 0x61, 0x6d, 0x6d, 0x69, 0x6e, 0x67, 0x2d, 0x32, 0x30, 0x34, 0x38, - 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, - 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, - 0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, - 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, - 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, - 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc3, 0x03, 0xd1, 0x2b, - 0xfe, 0x39, 0xa4, 0x32, 0x45, 0x3b, 0x53, 0xc8, 0x84, 0x2b, 0x2a, 0x7c, - 0x74, 0x9a, 0xbd, 0xaa, 0x2a, 0x52, 0x07, 0x47, 0xd6, 0xa6, 0x36, 0xb2, - 0x07, 0x32, 0x8e, 0xd0, 0xba, 0x69, 0x7b, 0xc6, 0xc3, 0x44, 0x9e, 0xd4, - 0x81, 0x48, 0xfd, 0x2d, 0x68, 0xa2, 0x8b, 0x67, 0xbb, 0xa1, 0x75, 0xc8, - 0x36, 0x2c, 0x4a, 0xd2, 0x1b, 0xf7, 0x8b, 0xba, 0xcf, 0x0d, 0xf9, 0xef, - 0xec, 0xf1, 0x81, 0x1e, 0x7b, 0x9b, 0x03, 0x47, 0x9a, 0xbf, 0x65, 0xcc, - 0x7f, 0x65, 0x24, 0x69, 0xa6, 0xe8, 0x14, 0x89, 0x5b, 0xe4, 0x34, 0xf7, - 0xc5, 0xb0, 0x14, 0x93, 0xf5, 0x67, 0x7b, 0x3a, 0x7a, 0x78, 0xe1, 0x01, - 0x56, 0x56, 0x91, 0xa6, 0x13, 0x42, 0x8d, 0xd2, 0x3c, 0x40, 0x9c, 0x4c, - 0xef, 0xd1, 0x86, 0xdf, 0x37, 0x51, 0x1b, 0x0c, 0xa1, 0x3b, 0xf5, 0xf1, - 0xa3, 0x4a, 0x35, 0xe4, 0xe1, 0xce, 0x96, 0xdf, 0x1b, 0x7e, 0xbf, 0x4e, - 0x97, 0xd0, 0x10, 0xe8, 0xa8, 0x08, 0x30, 0x81, 0xaf, 0x20, 0x0b, 0x43, - 0x14, 0xc5, 0x74, 0x67, 0xb4, 0x32, 0x82, 0x6f, 0x8d, 0x86, 0xc2, 0x88, - 0x40, 0x99, 0x36, 0x83, 0xba, 0x1e, 0x40, 0x72, 0x22, 0x17, 0xd7, 0x52, - 0x65, 0x24, 0x73, 0xb0, 0xce, 0xef, 0x19, 0xcd, 0xae, 0xff, 0x78, 0x6c, - 0x7b, 0xc0, 0x12, 0x03, 
0xd4, 0x4e, 0x72, 0x0d, 0x50, 0x6d, 0x3b, 0xa3, - 0x3b, 0xa3, 0x99, 0x5e, 0x9d, 0xc8, 0xd9, 0x0c, 0x85, 0xb3, 0xd9, 0x8a, - 0xd9, 0x54, 0x26, 0xdb, 0x6d, 0xfa, 0xac, 0xbb, 0xff, 0x25, 0x4c, 0xc4, - 0xd1, 0x79, 0xf4, 0x71, 0xd3, 0x86, 0x40, 0x18, 0x13, 0xb0, 0x63, 0xb5, - 0x72, 0x4e, 0x30, 0xc4, 0x97, 0x84, 0x86, 0x2d, 0x56, 0x2f, 0xd7, 0x15, - 0xf7, 0x7f, 0xc0, 0xae, 0xf5, 0xfc, 0x5b, 0xe5, 0xfb, 0xa1, 0xba, 0xd3, - 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x81, 0x8e, 0x30, 0x81, 0x8b, 0x30, - 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, - 0xff, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x15, 0x30, 0x13, - 0x87, 0x04, 0x7f, 0x00, 0x00, 0x01, 0x82, 0x0b, 0x65, 0x78, 0x61, 0x6d, - 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1d, 0x06, 0x03, 0x55, - 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x33, 0xd8, 0x45, 0x66, 0xd7, 0x68, - 0x87, 0x18, 0x7e, 0x54, 0x0d, 0x70, 0x27, 0x91, 0xc7, 0x26, 0xd7, 0x85, - 0x65, 0xc0, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, - 0x16, 0x80, 0x14, 0x33, 0xd8, 0x45, 0x66, 0xd7, 0x68, 0x87, 0x18, 0x7e, - 0x54, 0x0d, 0x70, 0x27, 0x91, 0xc7, 0x26, 0xd7, 0x85, 0x65, 0xc0, 0x30, - 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08, - 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, - 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, - 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, - 0x01, 0x00, 0x74, 0x83, 0x39, 0xc0, 0x03, 0x76, 0xfa, 0xdd, 0x8b, 0x00, - 0xfa, 0xaa, 0x5b, 0xdb, 0x56, 0xef, 0x2c, 0x26, 0x9a, 0xc2, 0x07, 0xdb, - 0xfd, 0x10, 0xd0, 0x55, 0xb9, 0xe2, 0x9e, 0xe7, 0x34, 0x26, 0x8b, 0xd2, - 0x62, 0x49, 0x86, 0x93, 0x8c, 0x6c, 0x41, 0x02, 0xdf, 0x7e, 0x99, 0xf7, - 0x7e, 0x1f, 0xda, 0x08, 0xad, 0x4d, 0x91, 0xdf, 0x11, 0x39, 0x6d, 0x90, - 0xf5, 0xfe, 0x91, 0xee, 0xc7, 0x44, 0xd2, 0x0f, 0xd1, 0x2d, 0xe2, 0xb8, - 0xf2, 0x89, 0x50, 0x9f, 0x55, 0xf3, 0x44, 0x44, 0x07, 0xd9, 0xd9, 0x71, - 0x68, 0xe6, 0xd6, 0xa8, 
0x09, 0x01, 0xe6, 0x03, 0xd4, 0x5a, 0x57, 0xf3, - 0x8a, 0xab, 0x53, 0xe7, 0x71, 0x03, 0x65, 0xe3, 0x20, 0x57, 0xaf, 0x2a, - 0xbb, 0xc0, 0x1f, 0xe3, 0x2a, 0xcf, 0xbd, 0x39, 0x26, 0x4d, 0x58, 0x18, - 0x8c, 0x98, 0x22, 0x42, 0xf0, 0xaa, 0x20, 0x8f, 0xa2, 0x4c, 0x81, 0x8b, - 0xe1, 0x4a, 0xa4, 0xb1, 0x4e, 0x22, 0x8f, 0x09, 0xd9, 0x4c, 0x9d, 0x35, - 0xc7, 0x92, 0xc7, 0x77, 0xaf, 0x42, 0x0b, 0x38, 0x2c, 0xeb, 0xb8, 0xd4, - 0x67, 0xa6, 0xd4, 0x70, 0x79, 0x0f, 0x9a, 0xf9, 0xad, 0xd4, 0x7b, 0x21, - 0x25, 0xb5, 0xa6, 0xa1, 0x7b, 0xf5, 0xb4, 0x1d, 0x06, 0x9a, 0xad, 0xeb, - 0xc5, 0xe4, 0x39, 0xd6, 0xea, 0xd9, 0x15, 0xbf, 0x49, 0x32, 0x97, 0xe5, - 0x52, 0x52, 0x11, 0x7e, 0x2b, 0x32, 0x07, 0x44, 0x81, 0x37, 0x2e, 0xd4, - 0xa4, 0x1e, 0x32, 0xbf, 0x2f, 0xbd, 0xac, 0xcc, 0xb3, 0x77, 0x82, 0xae, - 0xbb, 0xf0, 0x37, 0xc0, 0x10, 0x4b, 0x64, 0xcf, 0x8e, 0xd7, 0x25, 0x59, - 0xf8, 0xaa, 0x83, 0xad, 0xeb, 0x7d, 0x00, 0x8b, 0x3e, 0xb8, 0x91, 0x3c, - 0x6c, 0x4c, 0x35, 0x53, 0x36, 0xa4, 0x02, 0xb8, 0xbe, 0x2d, 0x34, 0xb4, - 0x26, 0x03, 0x6b, 0x92, 0x2e, 0xd6 -#endif }; printf(testingFmt, "wolfSSL_X509_sign2"); @@ -37620,9 +37525,6 @@ static void test_wolfSSL_PEM_write_bio_X509(void) AssertIntEQ(PEM_write_bio_X509(output, x509), WOLFSSL_SUCCESS); -#ifndef WOLFSSL_ASN_TEMPLATE - /* WOLFSSL_ASN_TEMPLATE doesn't support writing the full AKID */ - /* Check that we generate the same output as was the input. */ AssertIntEQ(wolfSSL_BIO_get_len(output), #ifdef WOLFSSL_ALT_NAMES /* Here we copy the validity struct from the original */ @@ -37648,7 +37550,6 @@ static void test_wolfSSL_PEM_write_bio_X509(void) } AssertIntEQ(PEM_write_bio_X509(output, x509), WOLFSSL_SUCCESS); -#endif /* Check that we generate a smaller output since the AKID will * only contain the KeyIdentifier without any additional diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 850bbf83a..3e4c05312 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c 
@@ -612,8 +612,8 @@ static void SizeASN_CalcDataLength(const ASNItem* asn, ASNSetData *data, /* The length of a header only item doesn't include the data unless * a replacement buffer is supplied. */ - if (asn[j].headerOnly && data[j].dataType != - ASN_DATA_TYPE_REPLACE_BUFFER) { + if (asn[j].headerOnly && data[j].data.buffer.data == NULL && + data[j].dataType != ASN_DATA_TYPE_REPLACE_BUFFER) { data[idx].data.buffer.length += data[j].data.buffer.length; } } @@ -685,8 +685,16 @@ int SizeASN_Items(const ASNItem* asn, ASNSetData *data, int count, int* encSz) * Mostly used for constructed items. */ if (asn[i].headerOnly) { - /* Calculate data length from items below. */ - SizeASN_CalcDataLength(asn, data, i, count); + if (data[i].data.buffer.data != NULL) { + /* Force all child nodes to be ignored. Buffer + * overwrites children. */ + SetASNItem_NoOutBelow(data, asn, i, count); + } + else { + /* Calculate data length from items below if no buffer + * supplied. */ + SizeASN_CalcDataLength(asn, data, i, count); + } } if (asn[i].tag == ASN_BOOLEAN) { dataLen = 1; @@ -705,8 +713,9 @@ int SizeASN_Items(const ASNItem* asn, ASNSetData *data, int count, int* encSz) } /* Add in the size of tag and length. */ len += SizeASNHeader(dataLen); - /* Include data in length if not header only. */ - if (!asn[i].headerOnly) { + /* Include data in length if not header only or if + * buffer supplied. */ + if (!asn[i].headerOnly || data[i].data.buffer.data != NULL) { len += dataLen; } break; 
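Review bot: The comment above the changed condition in `SizeASN_CalcDataLength` still says a header-only item's length is excluded `unless a replacement buffer is supplied`, but the condition now also excludes items whose `data.buffer.data` is non-NULL, and the later hunk in `SizeASN_Items` treats such a buffer as standing in for the children. Rewriting it as `/* A header-only item's length excludes its data unless a replacement buffer or an explicit data buffer is supplied; a supplied buffer stands in for the children. */` keeps the two places in step. Both functions start and end outside their hunks.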
@@ -933,8 +942,10 @@ int SetASN_Items(const ASNItem* asn, ASNSetData *data, int count, byte* output) if (data[i].data.buffer.data == NULL) { data[i].data.buffer.data = out + idx; } - /* Copy supplied data if not putting out header only. */ - else if (!asn[i].headerOnly) { + /* Copy supplied data if not putting out header only or + * if buffer supplied. */ + else if (!asn[i].headerOnly || + data[i].data.buffer.data != NULL) { /* Allow data to come from output buffer. */ XMEMMOVE(out + idx, data[i].data.buffer.data, data[i].data.buffer.length); @@ -22378,7 +22389,15 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz, if (cert->akidSz > 0) { /* Set Authority Key Identifier OID and data. */ SetASN_Buffer(&dataASN[15], akidOID, sizeof(akidOID)); - SetASN_Buffer(&dataASN[18], cert->akid, cert->akidSz); + if (cert->rawAkid) { + SetASN_Buffer(&dataASN[16], cert->akid, cert->akidSz); + /* cert->akid contains the internal ext structure */ + SetASNItem_NoOutBelow(dataASN, certExtsASN, 16, + certExtsASN_Length); + } + else { + SetASN_Buffer(&dataASN[18], cert->akid, cert->akidSz); + } } else { /* Don't write out Authority Key Identifier extension items. */ diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 840fa7b0c..a4c1829cc 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -166,7 +166,9 @@ typedef struct ASNItem { byte tag; /* Whether the ASN.1 item is constructed. */ byte constructed:1; - /* Whether to parse the header only or skip data. */ + /* Whether to parse the header only or skip data. If + * ASNSetData.data.buffer.data is supplied then this option gets + * overwritten and the child nodes get ignored. */ byte headerOnly:1; /* Whether ASN.1 item is optional. * - 0 means not optional 
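Review bot: In `SetASN_Items` the new `else if (!asn[i].headerOnly || data[i].data.buffer.data != NULL)` sits in the else arm of `if (data[i].data.buffer.data == NULL)`, so its second operand is always true, the condition can never be false, and the `!asn[i].headerOnly` test is dead; the `else if` is just an `else`. If the intended rule is the one the asn.h hunk documents (a supplied buffer overrides header-only), writing `else { /* Supplied buffer: copied even for header-only items, it stands in for the children. */` says so directly instead of suggesting that header-only items are still skipped. SetASN_Items starts and ends outside the hunk.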
@@ -587,6 +589,23 @@ WOLFSSL_LOCAL void SetASN_OID(ASNSetData *dataASN, int oid, int oidType); } \ while (0) +/* Set the data items below node to not be encoded. + * + * @param [in] dataASN Dynamic ASN data item. + * @param [in] node Node who's children should not be encoded. + * @param [in] dataASNLen Number of items in dataASN. + */ +#define SetASNItem_NoOutBelow(dataASN, asn, node, dataASNLen) \ + do { \ + int ii; \ + for (ii = node + 1; ii < (int)(dataASNLen); ii++) { \ + if (asn[ii].depth <= asn[node].depth) \ + break; \ + dataASN[ii].noOut = 1; \ + } \ + } \ + while (0) + #endif /* WOLFSSL_ASN_TEMPLATE */ From 2531cd961f76cac2d11f76209e039fe1b0d6d862 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Wed, 20 Oct 2021 17:40:57 +0200 Subject: [PATCH 03/11] Code review fixes --- wolfcrypt/src/asn.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 3e4c05312..2461e6537 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -10638,9 +10638,6 @@ static int GetRDN(DecodedCert* cert, char* full, word32* idx, int* nid, WOLFSSL_MSG("Unknown Jurisdiction, skipping"); } } - else { - ret = 0; - } if ((ret == 0) && (typeStr != NULL)) { /* OID type to store for subject name and add to full string. */ From 842dba7946fadbd9b5ba035bd34f5081f62313e1 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Thu, 21 Oct 2021 10:49:13 +0200 Subject: [PATCH 04/11] Put address and postal code in `WOLFSSL_CERT_EXT` --- wolfcrypt/src/asn.c | 34 +++++++++++++++++----------------- wolfssl/wolfcrypt/asn.h | 8 ++++---- 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 2461e6537..864419def 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c 
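Review bot: The Doxygen block for `SetASNItem_NoOutBelow` documents `dataASN`, `node` and `dataASNLen` but not the `asn` parameter from which the macro reads `depth`, and `dataASN` is written (`noOut = 1`) rather than read, so it should be `@param [in, out] dataASN`; `who's` should be `whose`. The macro also uses `node` unparenthesised in `node + 1` and `asn[node]`, which breaks for an expression argument such as `i + 1`; `(node)` in each use is the usual guard, as the existing `(int)(dataASNLen)` already does for the count. The macro is complete within the hunk.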
@@ -10883,22 +10883,6 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType, nid = NID_stateOrProvinceName; #endif /* OPENSSL_EXTRA */ } - else if (id == ASN_STREET_ADDR) { - copy = WOLFSSL_STREET_ADDR_NAME; - copyLen = sizeof(WOLFSSL_STREET_ADDR_NAME) - 1; - #ifdef WOLFSSL_CERT_GEN - if (nameType == SUBJECT) { - cert->subjectStreet = (char*)&input[srcIdx]; - cert->subjectStreetLen = strLen; - cert->subjectStreetEnc = b; - } - #endif /* WOLFSSL_CERT_GEN */ - #if (defined(OPENSSL_EXTRA) || \ - defined(OPENSSL_EXTRA_X509_SMALL)) \ - && !defined(WOLFCRYPT_ONLY) - nid = NID_streetAddress; - #endif /* OPENSSL_EXTRA */ - } else if (id == ASN_ORG_NAME) { copy = WOLFSSL_ORG_NAME; copyLen = sizeof(WOLFSSL_ORG_NAME) - 1; @@ -10948,6 +10932,22 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType, #endif /* OPENSSL_EXTRA */ } #ifdef WOLFSSL_CERT_EXT + else if (id == ASN_STREET_ADDR) { + copy = WOLFSSL_STREET_ADDR_NAME; + copyLen = sizeof(WOLFSSL_STREET_ADDR_NAME) - 1; + #ifdef WOLFSSL_CERT_GEN + if (nameType == SUBJECT) { + cert->subjectStreet = (char*)&input[srcIdx]; + cert->subjectStreetLen = strLen; + cert->subjectStreetEnc = b; + } + #endif /* WOLFSSL_CERT_GEN */ + #if (defined(OPENSSL_EXTRA) || \ + defined(OPENSSL_EXTRA_X509_SMALL)) \ + && !defined(WOLFCRYPT_ONLY) + nid = NID_streetAddress; + #endif /* OPENSSL_EXTRA */ + } else if (id == ASN_BUS_CAT) { copy = WOLFSSL_BUS_CAT; copyLen = sizeof(WOLFSSL_BUS_CAT) - 1; @@ -10963,7 +10963,6 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType, nid = NID_businessCategory; #endif /* OPENSSL_EXTRA */ } - #endif /* WOLFSSL_CERT_EXT */ else if (id == ASN_POSTAL_CODE) { copy = WOLFSSL_POSTAL_NAME; copyLen = sizeof(WOLFSSL_POSTAL_NAME) - 1; 
@@ -10980,6 +10979,7 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType, nid = NID_postalCode; #endif /* OPENSSL_EXTRA */ } + #endif /* WOLFSSL_CERT_EXT */ } #ifdef WOLFSSL_CERT_EXT else if ((srcIdx + ASN_JOI_PREFIX_SZ + 2 <= (word32)maxIdx) && diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index a4c1829cc..13292b3b0 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -1482,9 +1482,6 @@ struct DecodedCert { char* subjectST; int subjectSTLen; char subjectSTEnc; - char* subjectStreet; - int subjectStreetLen; - char subjectStreetEnc; char* subjectO; int subjectOLen; char subjectOEnc; @@ -1495,6 +1492,9 @@ struct DecodedCert { int subjectSNDLen; char subjectSNDEnc; #ifdef WOLFSSL_CERT_EXT + char* subjectStreet; + int subjectStreetLen; + char subjectStreetEnc; char* subjectBC; int subjectBCLen; char subjectBCEnc; @@ -1504,10 +1504,10 @@ struct DecodedCert { char* subjectJS; int subjectJSLen; char subjectJSEnc; -#endif char* subjectPC; int subjectPCLen; char subjectPCEnc; +#endif char* subjectEmail; int subjectEmailLen; #endif /* defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) */ From cb79bc5c46fc882f7292d2195638d55849360ee0 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Thu, 21 Oct 2021 10:51:45 +0200 Subject: [PATCH 05/11] Use same code for `DecodeNsCertType` with templates --- wolfcrypt/src/asn.c | 32 -------------------------------- 1 file changed, 32 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 864419def..768357bfc 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c 
@@ -15252,21 +15252,8 @@ static int DecodeExtKeyUsage(const byte* input, int sz, DecodedCert* cert) #ifndef IGNORE_NETSCAPE_CERT_TYPE -#ifdef WOLFSSL_ASN_TEMPLATE -/* ASN.1 template for Netscape Certificate Type - * https://docs.oracle.com/cd/E19957-01/816-5533-10/ext.htm#1033183 - */ -static const ASNItem nsCertTypeASN[] = { -/* 0 */ { 0, ASN_BIT_STRING, 0, 0, 0 }, -}; - -/* Number of items in ASN.1 template for nsCertType. */ -#define nsCertTypeASN_Length (sizeof(nsCertTypeASN) / sizeof(ASNItem)) -#endif - static int DecodeNsCertType(const byte* input, int sz, DecodedCert* cert) { -#ifndef WOLFSSL_ASN_TEMPLATE word32 idx = 0; int len = 0; @@ -15280,25 +15267,6 @@ static int DecodeNsCertType(const byte* input, int sz, DecodedCert* cert) cert->nsCertType = input[idx]; return 0; -#else - DECL_ASNGETDATA(dataASN, nsCertTypeASN_Length); - int ret = 0; - word32 idx = 0; - - WOLFSSL_ENTER("DecodeNsCertType"); - (void)cert; - - CALLOC_ASNGETDATA(dataASN, nsCertTypeASN_Length, ret, cert->heap); - - if (ret == 0) - ret = GetASN_Items(nsCertTypeASN, dataASN, nsCertTypeASN_Length, 1, - input, &idx, sz); - if (ret == 0) - cert->nsCertType = dataASN[0].data.buffer.data[0]; - - FREE_ASNGETDATA(dataASN, cert->heap); - return ret; -#endif } #endif From a6be15762834f03f16d378707d05d6ddb3bfb050 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Thu, 21 Oct 2021 12:44:13 +0200 Subject: [PATCH 06/11] Gate new AKID functionality on `WOLFSSL_AKID_NAME` --- configure.ac | 1 + src/internal.c | 10 ++++ src/ssl.c | 8 +-- tests/api.c | 97 +++++++++++++++++++++++++++++++++- wolfcrypt/src/asn.c | 41 +++++++++++--- wolfssl/wolfcrypt/asn.h | 2 + wolfssl/wolfcrypt/asn_public.h | 8 ++- 7 files changed, 155 insertions(+), 12 deletions(-) diff --git a/configure.ac b/configure.ac index 0c1838cfe..72d96f51d 100644 --- a/configure.ac +++ b/configure.ac 
@@ -6795,6 +6795,7 @@ then AM_CFLAGS="-DOPENSSL_EXTRA -DWOLFSSL_ALWAYS_VERIFY_CB $AM_CFLAGS" AM_CFLAGS="-DWOLFSSL_VERIFY_CB_ALL_CERTS -DWOLFSSL_EXTRA_ALERTS $AM_CFLAGS" AM_CFLAGS="-DHAVE_EXT_CACHE -DWOLFSSL_FORCE_CACHE_ON_TICKET $AM_CFLAGS" + AM_CFLAGS="-DWOLFSSL_AKID_NAME $AM_CFLAGS" fi if test "$ENABLED_OPENSSLEXTRA" = "x509small" diff --git a/src/internal.c b/src/internal.c index 37ae538e3..2574cd946 100644 --- a/src/internal.c +++ b/src/internal.c @@ -10715,6 +10715,7 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert) x509->authKeyIdSet = dCert->extAuthKeyIdSet; x509->authKeyIdCrit = dCert->extAuthKeyIdCrit; if (dCert->extAuthKeyIdSrc != NULL && dCert->extAuthKeyIdSz != 0) { + #ifdef WOLFSSL_AKID_NAME if (dCert->extRawAuthKeyIdSrc != NULL && dCert->extAuthKeyIdSrc > dCert->extRawAuthKeyIdSrc && dCert->extAuthKeyIdSrc < @@ -10734,6 +10735,15 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert) else ret = MEMORY_E; } + #else + x509->authKeyId = (byte*)XMALLOC(dCert->extAuthKeyIdSz, x509->heap, + DYNAMIC_TYPE_X509_EXT); + if (x509->authKeyId != NULL) { + XMEMCPY(x509->authKeyId, + dCert->extAuthKeyIdSrc, dCert->extAuthKeyIdSz); + x509->authKeyIdSz = dCert->extAuthKeyIdSz; + } + #endif else ret = MEMORY_E; } diff --git a/src/ssl.c b/src/ssl.c index 51dc8dee2..bc62c71d4 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -41858,16 +41858,18 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl) } if (x509->authKeyIdSz < sizeof(cert->akid)) { - /* Not supported with WOLFSSL_ASN_TEMPLATE at the moment. */ + #ifdef WOLFSSL_AKID_NAME + cert->rawAkid = 0; if (x509->authKeyIdSrc) { XMEMCPY(cert->akid, x509->authKeyIdSrc, x509->authKeyIdSrcSz); cert->akidSz = (int)x509->authKeyIdSrcSz; cert->rawAkid = 1; } - else if (x509->authKeyId) { + else + #endif + if (x509->authKeyId) { XMEMCPY(cert->akid, x509->authKeyId, x509->authKeyIdSz); cert->akidSz = (int)x509->authKeyIdSz; - cert->rawAkid = 0; } } else { 
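Review bot: In the second CopyDecodedToX509 hunk the trailing `else ret = MEMORY_E;` that follows the new `#endif` binds to a different `if` in each configuration — the closing brace of the WOLFSSL_AKID_NAME block in one build, the new `if (x509->authKeyId != NULL)` in the other — so the pairing can only be checked by mentally expanding the preprocessor. Keeping `else ret = MEMORY_E;` inside each preprocessor branch, next to the `if` it belongs to, makes both paths readable on their own. The rest of the WOLFSSL_AKID_NAME branch lies between the two hunks and is not visible here, so whether every failure there is really a memory error is inferred, not checked.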
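Review bot: In the src/ssl.c hunk the only size guard is `if (x509->authKeyIdSz < sizeof(cert->akid))`, but the WOLFSSL_AKID_NAME path it now encloses copies `x509->authKeyIdSrcSz` bytes into the fixed-size `cert->akid`, so the raw AKID length is never compared with the destination; a certificate whose full AuthorityKeyIdentifier (issuer GeneralNames plus serial) is larger than `cert->akid` would overrun it unless the length is bounded where `x509->authKeyIdSrc` is populated, which is outside these hunks. Guard that copy on its own length, e.g. `if (x509->authKeyIdSrc && x509->authKeyIdSrcSz <= sizeof(cert->akid)) {`, so an oversized raw AKID falls through to the KeyIdentifier-only copy instead of writing past the array; EncodeCert's later `cert->akidSz > (int)sizeof(der->akid)` check cannot help once the overrun has happened. The enclosing function starts and ends outside the hunk (the `@@` context names wolfSSL_GetDhAgreeCtx, which is not the function being edited).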
diff --git a/tests/api.c b/tests/api.c index 2b9cbab56..cd4bcc2f9 100644 --- a/tests/api.c +++ b/tests/api.c @@ -35680,6 +35680,7 @@ static void test_wolfSSL_X509_sign2(void) time_t t; const unsigned char expected[] = { +#ifdef WOLFSSL_AKID_NAME 0x30, 0x82, 0x04, 0xfd, 0x30, 0x82, 0x03, 0xe5, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xf1, 0x5c, 0x99, 0x43, 0x66, 0x3d, 0x96, 0x04, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 
@@ -35787,6 +35788,100 @@ static void test_wolfSSL_X509_sign2(void) 0xec, 0xba, 0x3b, 0xa4, 0xfe, 0xa1, 0xfd, 0x26, 0x19, 0x7c, 0x2d, 0x14, 0x91, 0x91, 0x61, 0x30, 0x3e, 0xf4, 0x5c, 0x97, 0x4c, 0x06, 0x84, 0xab, 0x94, 0xa8, 0x17, 0x6c, 0xec, 0x19, 0xc0, 0x87, 0xd0 +#else + 0x30, 0x82, 0x04, 0x46, 0x30, 0x82, 0x03, 0x2e, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x09, 0x00, 0xf1, 0x5c, 0x99, 0x43, 0x66, 0x3d, 0x96, 0x04, + 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, + 0x0b, 0x05, 0x00, 0x30, 0x81, 0x94, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, + 0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, + 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, + 0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x11, 0x30, 0x0f, 0x06, + 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x53, 0x61, 0x77, 0x74, 0x6f, 0x6f, + 0x74, 0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, + 0x0a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x74, 0x69, 0x6e, 0x67, 0x31, + 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x77, + 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, + 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, + 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, + 0x17, 0x0d, 0x30, 0x30, 0x30, 0x32, 0x31, 0x35, 0x32, 0x30, 0x33, 0x30, + 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x30, 0x31, 0x30, 0x32, 0x31, 0x34, 0x32, + 0x30, 0x33, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x81, 0x9e, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, + 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, + 0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, + 0x07, 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x15, + 0x30, 0x13, 0x06, 0x03, 
0x55, 0x04, 0x0a, 0x0c, 0x0c, 0x77, 0x6f, 0x6c, + 0x66, 0x53, 0x53, 0x4c, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x31, 0x19, 0x30, + 0x17, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x10, 0x50, 0x72, 0x6f, 0x67, + 0x72, 0x61, 0x6d, 0x6d, 0x69, 0x6e, 0x67, 0x2d, 0x32, 0x30, 0x34, 0x38, + 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, + 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, + 0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, + 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, + 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, + 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc3, 0x03, 0xd1, 0x2b, + 0xfe, 0x39, 0xa4, 0x32, 0x45, 0x3b, 0x53, 0xc8, 0x84, 0x2b, 0x2a, 0x7c, + 0x74, 0x9a, 0xbd, 0xaa, 0x2a, 0x52, 0x07, 0x47, 0xd6, 0xa6, 0x36, 0xb2, + 0x07, 0x32, 0x8e, 0xd0, 0xba, 0x69, 0x7b, 0xc6, 0xc3, 0x44, 0x9e, 0xd4, + 0x81, 0x48, 0xfd, 0x2d, 0x68, 0xa2, 0x8b, 0x67, 0xbb, 0xa1, 0x75, 0xc8, + 0x36, 0x2c, 0x4a, 0xd2, 0x1b, 0xf7, 0x8b, 0xba, 0xcf, 0x0d, 0xf9, 0xef, + 0xec, 0xf1, 0x81, 0x1e, 0x7b, 0x9b, 0x03, 0x47, 0x9a, 0xbf, 0x65, 0xcc, + 0x7f, 0x65, 0x24, 0x69, 0xa6, 0xe8, 0x14, 0x89, 0x5b, 0xe4, 0x34, 0xf7, + 0xc5, 0xb0, 0x14, 0x93, 0xf5, 0x67, 0x7b, 0x3a, 0x7a, 0x78, 0xe1, 0x01, + 0x56, 0x56, 0x91, 0xa6, 0x13, 0x42, 0x8d, 0xd2, 0x3c, 0x40, 0x9c, 0x4c, + 0xef, 0xd1, 0x86, 0xdf, 0x37, 0x51, 0x1b, 0x0c, 0xa1, 0x3b, 0xf5, 0xf1, + 0xa3, 0x4a, 0x35, 0xe4, 0xe1, 0xce, 0x96, 0xdf, 0x1b, 0x7e, 0xbf, 0x4e, + 0x97, 0xd0, 0x10, 0xe8, 0xa8, 0x08, 0x30, 0x81, 0xaf, 0x20, 0x0b, 0x43, + 0x14, 0xc5, 0x74, 0x67, 0xb4, 0x32, 0x82, 0x6f, 0x8d, 0x86, 0xc2, 0x88, + 0x40, 0x99, 0x36, 0x83, 0xba, 0x1e, 0x40, 0x72, 0x22, 0x17, 0xd7, 0x52, + 0x65, 0x24, 0x73, 0xb0, 0xce, 0xef, 0x19, 0xcd, 0xae, 0xff, 0x78, 0x6c, + 0x7b, 0xc0, 0x12, 0x03, 
0xd4, 0x4e, 0x72, 0x0d, 0x50, 0x6d, 0x3b, 0xa3, + 0x3b, 0xa3, 0x99, 0x5e, 0x9d, 0xc8, 0xd9, 0x0c, 0x85, 0xb3, 0xd9, 0x8a, + 0xd9, 0x54, 0x26, 0xdb, 0x6d, 0xfa, 0xac, 0xbb, 0xff, 0x25, 0x4c, 0xc4, + 0xd1, 0x79, 0xf4, 0x71, 0xd3, 0x86, 0x40, 0x18, 0x13, 0xb0, 0x63, 0xb5, + 0x72, 0x4e, 0x30, 0xc4, 0x97, 0x84, 0x86, 0x2d, 0x56, 0x2f, 0xd7, 0x15, + 0xf7, 0x7f, 0xc0, 0xae, 0xf5, 0xfc, 0x5b, 0xe5, 0xfb, 0xa1, 0xba, 0xd3, + 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x81, 0x8e, 0x30, 0x81, 0x8b, 0x30, + 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, + 0xff, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x15, 0x30, 0x13, + 0x82, 0x0b, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, + 0x6d, 0x87, 0x04, 0x7f, 0x00, 0x00, 0x01, 0x30, 0x1d, 0x06, 0x03, 0x55, + 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x33, 0xd8, 0x45, 0x66, 0xd7, 0x68, + 0x87, 0x18, 0x7e, 0x54, 0x0d, 0x70, 0x27, 0x91, 0xc7, 0x26, 0xd7, 0x85, + 0x65, 0xc0, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, + 0x16, 0x80, 0x14, 0x33, 0xd8, 0x45, 0x66, 0xd7, 0x68, 0x87, 0x18, 0x7e, + 0x54, 0x0d, 0x70, 0x27, 0x91, 0xc7, 0x26, 0xd7, 0x85, 0x65, 0xc0, 0x30, + 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08, + 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, + 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, + 0x01, 0x00, 0x98, 0x2a, 0x3d, 0x94, 0x37, 0xae, 0xd6, 0x28, 0x12, 0xed, + 0x6d, 0x95, 0xc9, 0x05, 0x89, 0x4b, 0x5c, 0x5e, 0x88, 0xed, 0x9e, 0x14, + 0x89, 0x79, 0x65, 0x7b, 0x5c, 0xdb, 0xcd, 0x21, 0xc5, 0xfc, 0x7a, 0x05, + 0xd2, 0x33, 0x54, 0xa1, 0x1b, 0xb2, 0xc6, 0xd8, 0x3e, 0x88, 0x7d, 0x58, + 0xfd, 0xd0, 0xca, 0x71, 0x58, 0xd5, 0x37, 0x81, 0xe0, 0xef, 0x65, 0xfc, + 0x1b, 0xf1, 0x5d, 0xdd, 0x26, 0x68, 0x12, 0xfb, 0x12, 0x24, 0xd5, 0x45, + 0x4f, 0x41, 0xad, 0xee, 0x3f, 0x16, 0x40, 0xb2, 0x59, 0xe6, 0x5b, 0x76, + 0xe7, 0x47, 0x11, 0xa4, 
0xe1, 0x2f, 0x0d, 0xe8, 0x13, 0x13, 0x49, 0xb0, + 0x01, 0x11, 0x15, 0xb5, 0xb3, 0x93, 0x4f, 0x28, 0xdc, 0xd0, 0x30, 0x03, + 0x48, 0x02, 0x95, 0x2d, 0xd9, 0x26, 0x87, 0x1f, 0x19, 0xa1, 0x03, 0x5c, + 0x7c, 0xde, 0x54, 0xd4, 0x98, 0x85, 0x34, 0xcc, 0x54, 0xf1, 0x24, 0x43, + 0xa6, 0x87, 0xfa, 0xb6, 0x62, 0xee, 0xa3, 0x4a, 0xb3, 0xce, 0x1c, 0x2e, + 0xbf, 0x94, 0xef, 0x4c, 0x75, 0x75, 0x55, 0x1d, 0xc9, 0xc2, 0xe4, 0xe5, + 0x24, 0xb2, 0x0a, 0x93, 0xf0, 0xff, 0x2e, 0x43, 0x99, 0xad, 0x4e, 0x83, + 0x11, 0x52, 0xf4, 0xb9, 0x92, 0x30, 0xe1, 0x02, 0x2f, 0xa5, 0xf2, 0x21, + 0xb1, 0xf4, 0xe9, 0x57, 0xbd, 0xba, 0x17, 0x56, 0xd7, 0x31, 0xcb, 0x63, + 0xa3, 0xd5, 0xcf, 0xc9, 0xd9, 0xa6, 0x4f, 0x51, 0x6c, 0x52, 0x4c, 0x53, + 0x88, 0x9a, 0x2e, 0xb9, 0x72, 0x02, 0x6e, 0x1b, 0x21, 0x93, 0xa1, 0x88, + 0x1b, 0x35, 0x0e, 0x9e, 0x2b, 0x63, 0x81, 0xba, 0xb4, 0x6b, 0x28, 0x01, + 0x56, 0xe1, 0x0e, 0x13, 0x73, 0xf6, 0xd6, 0xa0, 0xd2, 0xfd, 0xc9, 0x4d, + 0xbd, 0xa8, 0xa9, 0x22, 0x9e, 0xc7, 0x13, 0x76, 0x5a, 0x9c, 0xd3, 0x9a, + 0xf4, 0x0c, 0x52, 0xe6, 0x47, 0xcb +#endif }; printf(testingFmt, "wolfSSL_X509_sign2"); @@ -37504,7 +37599,7 @@ static void test_wolfSSL_i2t_ASN1_OBJECT(void) static void test_wolfSSL_PEM_write_bio_X509(void) { -#if defined(OPENSSL_EXTRA) && \ +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_AKID_NAME) && \ defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN) /* This test contains the hard coded expected * lengths. Update if necessary */ diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 768357bfc..a3f7c0f07 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -74,6 +74,8 @@ ASN Options: * WOLFSSL_ASN_TEMPLATE_TYPE_CHECK: Use ASN functions to better test compiler type issues for testing * CRLDP_VALIDATE_DATA: For ASN template only, validates the reason data + * WOLFSSL_AKID_NAME: Enable support for full AuthorityKeyIdentifier extension. + * Only supports copying full AKID from an existing certificate. */ #ifndef NO_ASN 
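Review bot: Gating all of test_wolfSSL_PEM_write_bio_X509 on `defined(WOLFSSL_AKID_NAME)` removes PEM_write_bio_X509 coverage from every build without that option, whereas the preceding test_wolfSSL_X509_sign2 hunk keeps both configurations by selecting the expected bytes with `#ifdef WOLFSSL_AKID_NAME` / `#else`. Since the comment says the test only carries hard-coded expected lengths, the same approach — two sets of lengths behind the define — would keep the test running in both builds. The function body lies outside the hunk.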
@@ -14952,8 +14954,10 @@ static int DecodeAuthKeyId(const byte* input, int sz, DecodedCert* cert) } #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) +#ifdef WOLFSSL_AKID_NAME cert->extRawAuthKeyIdSrc = input; cert->extRawAuthKeyIdSz = sz; +#endif cert->extAuthKeyIdSrc = &input[idx]; cert->extAuthKeyIdSz = length; #endif /* OPENSSL_EXTRA */ @@ -14981,8 +14985,10 @@ static int DecodeAuthKeyId(const byte* input, int sz, DecodedCert* cert) else { #ifdef OPENSSL_EXTRA /* Store the authority key id. */ +#ifdef WOLFSSL_AKID_NAME cert->extRawAuthKeyIdSrc = input; cert->extRawAuthKeyIdSz = sz; +#endif GetASN_GetConstRef(&dataASN[1], &cert->extAuthKeyIdSrc, &cert->extAuthKeyIdSz); #endif /* OPENSSL_EXTRA */ @@ -20031,7 +20037,11 @@ typedef struct DerCert { byte extensions[MAX_EXTENSIONS_SZ]; /* all extensions */ #ifdef WOLFSSL_CERT_EXT byte skid[MAX_KID_SZ]; /* Subject Key Identifier extension */ - byte akid[MAX_KID_SZ + sizeof(CertName)]; /* Authority Key Identifier extension */ + byte akid[MAX_KID_SZ +#ifdef WOLFSSL_AKID_NAME + + sizeof(CertName) + CTC_SERIAL_SIZE +#endif + ]; /* Authority Key Identifier extension */ byte keyUsage[MAX_KEYUSAGE_SZ]; /* Key Usage extension */ byte extKeyUsage[MAX_EXTKEYUSAGE_SZ]; /* Extended Key Usage extension */ #ifndef IGNORE_NETSCAPE_CERT_TYPE @@ -21022,7 +21032,7 @@ static int SetSKID(byte* output, word32 outSz, const byte *input, word32 length) /* encode Authority Key Identifier, return total bytes written * RFC5280 : non-critical */ static int SetAKID(byte* output, word32 outSz, byte *input, word32 length, - byte rawAkid) + byte rawAkid) { int enc_valSz, inSeqSz; byte enc_val_buf[MAX_KID_SZ]; 
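Review bot: The two DecodeAuthKeyId hunks gate `extRawAuthKeyIdSrc` identically, but the blocks they sit in do not agree: the non-template store is under `#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)` while the template store is under `#ifdef OPENSSL_EXTRA` only, so an OPENSSL_EXTRA_X509_SMALL build with WOLFSSL_ASN_TEMPLATE leaves `extAuthKeyIdSrc`/`extAuthKeyIdSz` unset where the non-template build fills them. That asymmetry predates this commit, but since both blocks are being edited, changing the template guard to `#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)` would keep the two parsers in step; the closing `#endif /* OPENSSL_EXTRA */` comment on the non-template block also no longer matches its condition. DecodeAuthKeyId's body continues outside both hunks.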
@@ -21031,14 +21041,19 @@ static int SetAKID(byte* output, word32 outSz, byte *input, word32 length, const byte akid_cs[] = { 0x80 }; word32 idx; + (void)rawAkid; + if (output == NULL || input == NULL) return BAD_FUNC_ARG; +#ifdef WOLFSSL_AKID_NAME if (rawAkid) { enc_val = input; enc_valSz = length; } - else { + else +#endif + { enc_val = enc_val_buf; enc_valSz = length + 3 + sizeof(akid_cs); if (enc_valSz > (int)sizeof(enc_val_buf)) @@ -22843,13 +22858,25 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey, /* AKID */ if (cert->akidSz) { /* check the provided AKID size */ - if ((!cert->rawAkid && - cert->akidSz > (int)min(CTC_MAX_AKID_SIZE, sizeof(der->akid))) || - (cert->rawAkid && cert->akidSz > (int)sizeof(der->akid))) + if (( +#ifdef WOLFSSL_AKID_NAME + !cert->rawAkid && +#endif + cert->akidSz > (int)min(CTC_MAX_AKID_SIZE, sizeof(der->akid))) +#ifdef WOLFSSL_AKID_NAME + || (cert->rawAkid && cert->akidSz > (int)sizeof(der->akid)) +#endif + ) return AKID_E; der->akidSz = SetAKID(der->akid, sizeof(der->akid), cert->akid, - cert->akidSz, cert->rawAkid); + cert->akidSz, +#ifdef WOLFSSL_AKID_NAME + cert->rawAkid +#else + 0 +#endif + ); if (der->akidSz <= 0) return AKID_E; diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 13292b3b0..4cc9714bc 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -1441,8 +1441,10 @@ struct DecodedCert { const byte* extExtKeyUsageSrc; word32 extExtKeyUsageSz; word32 extExtKeyUsageCount; +#ifdef WOLFSSL_AKID_NAME const byte* extRawAuthKeyIdSrc; word32 extRawAuthKeyIdSz; +#endif const byte* extAuthKeyIdSrc; word32 extAuthKeyIdSz; const byte* extSubjKeyIdSrc; diff --git a/wolfssl/wolfcrypt/asn_public.h b/wolfssl/wolfcrypt/asn_public.h index a11ceb623..7f2ab82be 100644 --- a/wolfssl/wolfcrypt/asn_public.h +++ b/wolfssl/wolfcrypt/asn_public.h 
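Review bot: The AKID size check in the EncodeCert hunk splices `#ifdef WOLFSSL_AKID_NAME` into the middle of a single `if` condition, and the SetAKID call does the same inside its argument list, which is hard to read and easy to break on the next edit. Computing the permitted maximum and the rawAkid flag into locals first, so that each preprocessor block wraps whole statements, expresses the same two limits — CTC_MAX_AKID_SIZE for a bare KeyIdentifier, the full `der->akid` for a raw AuthorityKeyIdentifier — without changing behaviour. EncodeCert's body continues outside the hunk on both sides.
```c
    /* AKID */
    if (cert->akidSz) {
        /* check the provided AKID size */
        int akidMax = (int)min(CTC_MAX_AKID_SIZE, sizeof(der->akid));
        byte rawAkid = 0;
    #ifdef WOLFSSL_AKID_NAME
        rawAkid = cert->rawAkid;
        if (rawAkid)
            akidMax = (int)sizeof(der->akid); /* full AuthorityKeyIdentifier */
    #endif
        if (cert->akidSz > akidMax)
            return AKID_E;

        der->akidSz = SetAKID(der->akid, sizeof(der->akid), cert->akid,
                              cert->akidSz, rawAkid);
        /* … unchanged: der->akidSz <= 0 check … */
```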
@@ -363,13 +363,19 @@ typedef struct Cert { #ifdef WOLFSSL_CERT_EXT byte skid[CTC_MAX_SKID_SIZE]; /* Subject Key Identifier */ int skidSz; /* SKID size in bytes */ - byte akid[CTC_MAX_AKID_SIZE + sizeof(CertName)]; /* Authority Key + byte akid[CTC_MAX_AKID_SIZE +#ifdef WOLFSSL_AKID_NAME + + sizeof(CertName) + CTC_SERIAL_SIZE +#endif + ]; /* Authority Key * Identifier */ int akidSz; /* AKID size in bytes */ +#ifdef WOLFSSL_AKID_NAME byte rawAkid; /* Set to true if akid is a * AuthorityKeyIdentifier object. * Set to false if akid is just a * KeyIdentifier object. */ +#endif word16 keyUsage; /* Key Usage */ byte extKeyUsage; /* Extended Key Usage */ #ifndef IGNORE_NETSCAPE_CERT_TYPE From ef37eeaeaa6025a56b2e1808e2e9a5c400e0726d Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Thu, 21 Oct 2021 13:00:24 +0200 Subject: [PATCH 07/11] Code review fixes --- certs/test/include.am | 1 - wolfcrypt/src/asn.c | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/certs/test/include.am b/certs/test/include.am index 9e582c077..8f123f35f 100644 --- a/certs/test/include.am +++ b/certs/test/include.am @@ -19,7 +19,6 @@ EXTRA_DIST += \ certs/test/cert-ext-ndir.der \ certs/test/cert-ext-ndir.pem \ certs/test/cert-ext-ns.der \ - certs/test/cert-ext-ns.pem \ certs/test/cert-ext-ndir-exc.cfg \ certs/test/cert-ext-ndir-exc.der \ certs/test/cert-ext-ndir-exc.pem \ diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index a3f7c0f07..a8307eabe 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -22445,7 +22445,7 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz, SetASN_Buffer(&dataASN[37], cert->crlInfo, cert->crlInfoSz); } else { - /* Don't write out Netscape Certificate Type. */ + /* Don't write out CRL Distribution Points. */ SetASNItem_NoOut(dataASN, 35, 37); } #endif From 7d6f8ea2550c83fe60216ec7076c31975db22f0a Mon Sep 17 00:00:00 2001 
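Review bot: The `akid` member's comment is now split around the new `#ifdef`, reading `/* Authority Key` on one line and `* Identifier */` several lines later, and nothing in the header tells an application that `rawAkid` exists only when WOLFSSL_AKID_NAME is defined, so code that sets `cert->rawAkid` compiles in one configuration and not the other. Move the comment above the declaration and state the condition, e.g. `/* Authority Key Identifier: a bare KeyIdentifier, or, when WOLFSSL_AKID_NAME is defined and rawAkid is set, a full AuthorityKeyIdentifier */`. The struct continues outside the hunk.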
From: Juliusz Sosinowicz Date: Tue, 26 Oct 2021 16:20:27 +0200 Subject: [PATCH 08/11] Update wrong email in gen script --- certs/test/cert-ext-ia.cfg | 2 +- certs/test/cert-ext-ia.der | Bin 1033 -> 1031 bytes certs/test/cert-ext-ia.pem | 42 +++++++++++----------- certs/test/cert-ext-joi.der | Bin 1376 -> 1376 bytes certs/test/cert-ext-joi.pem | 18 +++++----- certs/test/cert-ext-mnc.der | Bin 1086 -> 1097 bytes certs/test/cert-ext-multiple.cfg | 2 +- certs/test/cert-ext-multiple.der | Bin 1439 -> 1436 bytes certs/test/cert-ext-multiple.pem | 58 +++++++++++++++---------------- certs/test/cert-ext-nc.der | Bin 1157 -> 1081 bytes certs/test/cert-ext-nc.pem | 48 ++++++++++++------------- certs/test/cert-ext-ncdns.der | Bin 1084 -> 1095 bytes certs/test/cert-ext-ncmixed.der | Bin 1081 -> 1092 bytes certs/test/cert-ext-nct.cfg | 2 +- certs/test/cert-ext-nct.der | Bin 1054 -> 1052 bytes certs/test/cert-ext-nct.pem | 42 +++++++++++----------- certs/test/cert-ext-ndir-exc.der | Bin 1281 -> 1281 bytes certs/test/cert-ext-ndir-exc.pem | 18 +++++----- certs/test/cert-ext-ndir.der | Bin 1260 -> 1260 bytes certs/test/cert-ext-ndir.pem | 20 +++++------ certs/test/gen-ext-certs.sh | 6 ++-- tests/api.c | 10 +++--- 22 files changed, 133 insertions(+), 135 deletions(-) diff --git a/certs/test/cert-ext-ia.cfg b/certs/test/cert-ext-ia.cfg index 44be1126a..b65f96d01 100644 --- a/certs/test/cert-ext-ia.cfg +++ b/certs/test/cert-ext-ia.cfg @@ -10,7 +10,7 @@ L = Brisbane O = wolfSSL Inc OU = Engineering CN = www.wolfssl.com -emailAddress = support@wolfsssl.com +emailAddress = support@wolfssl.com [ v3_ca ] inhibitAnyPolicy = critical,1 
diff --git a/certs/test/cert-ext-ia.der b/certs/test/cert-ext-ia.der index 9ece2e7bec93b5eeb63b0fe4219a28ab0fada7a1..742c68640efe3f1cb31875b2fb1b9da7200353db 100644 GIT binary patch delta 428 zcmeC=Xy-6BXkuYDXkvQ3fSHMriAlukoyEUOhnLqQ3|3E$w0q3JJUe!e0WTY;R+~rL zcV0$DZdL|^#`zO})VL`bD8Pj|8O4N)OA89}i%J~I^K;UQi*xjn^K%X4#CeSj4GoOU z42_MA4UD72d5ugA%#DnoT!=|B_)OY7k+FiY-uYx&4)d2?|LSvIK4AHgwC>R3iHv(Z z-Y3+wukxR8rlT+14TtZs8feRu3iP>mM(YamEUrFm&oSV6yT}anh{!puFQ_03lcQ$+sKbcsu zY|4Z1;s%fUye%ciI-@u>w}ropkbAM@^oP>{KX^+^-nlGZCN+KX3j_b3uM_yH|H@x@ z=IPA3YkTXtYx}1^v%3+$Jl#P3&Zm=1T(e$WY&JXM>zBA7SRnL{Yg3e<-<4Oxtu~Lg z@4SqR+^h@+jSD7zuW?s4P=pI}GKz^5mlhP{7nL}a=jWsq7Z>N~CFkcF$cghB85$ZG zm>C)wnHiWwiSrtn7?>LvLAem4Wbqocxu3Cuv3~o*CJ&zD&Rr+!Z@iw-IWzbM|D~U+ zwDvJ-Eqpm=%8UZ8lJCv@0TIG4_GP_WX0|KwJC93B=k10S6I^@hWqD6)JiYJs!p+xm zUhMqiuXYA3)?Zs%GGP^e53hbATkYll3`Z9IH{U(^ieQYzH`D8a4-@SLi<2B%r~cgT z;;?#glcP*%z4N69N+uUl!Xj>qN*S0a$a3xny)Pg@6$sE6Kw*~G>Fygwka*3?N#}JA1WjR;Q u{c6lQF)8! z;_q_{IWtdlZx!QO)iUq-b(`$D*S7XgxO;EG&RO05Qg@P?HUBMV6p_o&>t)X!q%lEyu*U&hIkNvRUPwtH%GCY2ix%;&Y{K delta 361 zcmaFB^?*y+poulcpozt00W%XL6O%|a-&5Vg>zr)IqEtV%KFf95*38VQCOzlFm;;VEB*-%_ zG+fJFC&QlR`Ag5V|MZi6%7=u7q|8;{3w(T&w|$n=PQwr1KiL+4o@ur@%KGuz=FNXvK%r_EZIV1BnbI;cckCrh`yy$a%g5mx@ zGIG;C*x$`tSpSEmOD*&16{*FqlUsyY3$%O%9#y2NTnoQjO?+vG}XGa6v@UW$%MaSLD9= vypC((@jr21GmgzHVya1-A}Sq~pYB)Dd3e&CyDkh;GU7IF3%VaN-LnD!u8yD` diff --git a/certs/test/cert-ext-joi.pem b/certs/test/cert-ext-joi.pem index 9faf68fc9..4a36256bf 100644 --- a/certs/test/cert-ext-joi.pem +++ b/certs/test/cert-ext-joi.pem 
@@ -1,10 +1,10 @@ -----BEGIN CERTIFICATE----- -MIIFXDCCBESgAwIBAgIUew7lLcN3cnN8wi3WWIgFLwDnp7owDQYJKoZIhvcNAQEL +MIIFXDCCBESgAwIBAgIUdtjq13Vf1QryOYup6Qniboz466gwDQYJKoZIhvcNAQEL BQAwgccxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEY MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdv bGZzc3NsLmNvbTETMBEGCysGAQQBgjc8AgEDEwJVUzEbMBkGCysGAQQBgjc8AgEC -DApDYWxpZm9ybmlhMB4XDTIxMTAwNjEyMjYwNFoXDTI0MDcwMjEyMjYwNFowgccx +DApDYWxpZm9ybmlhMB4XDTIxMTAyNjEzMzMwM1oXDTI0MDcyMjEzMzMwM1owgccx CzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFu MREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UE AwwPd3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdvbGZzc3Ns @@ -21,11 +21,11 @@ xzELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVt YW4xETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYD VQQDDA93d3cud29sZnNzbC5jb20xIDAeBgkqhkiG9w0BCQEWEWluZm9Ad29sZnNz c2wuY29tMRMwEQYLKwYBBAGCNzwCAQMTAlVTMRswGQYLKwYBBAGCNzwCAQIMCkNh -bGlmb3JuaWGCFHsO5S3Dd3JzfMIt1liIBS8A56e6MAwGA1UdEwQFMAMBAf8wDQYJ -KoZIhvcNAQELBQADggEBAJV/akWWtWlplTSMz1YDUMZAYB8DoTGtC34cB2ZJ+i41 -j8vkviPCExIaNyXvEPHsbreaQrkx8PfyPXPzmTa1UbIpZF1UpvIidjpl0QFog0tu -3I+gmpX1XJAgDgWxy9NUUFCfMhIEzBztabz10OKmAZHRTNeQMb/8HB6W8D/dbqH8 -BIomaeXUGqPrY4QTBXAqTRDieGYk1lfex3faani4oxf1jtvIrYiRnCbXLHQRV7ql -Jz1Ws9/UOSp9Uw32ZnD5WCLNAopzwq9QydQ4/SmhoFhi00vBpaht7POuCqHH/F5K -mMaZcgJ8ZpQVG1pvZ054icOSnN1EABocFzxGoIvh3jo= +bGlmb3JuaWGCFHbY6td1X9UK8jmLqekJ4m6M+OuoMAwGA1UdEwQFMAMBAf8wDQYJ +KoZIhvcNAQELBQADggEBAKCwAqkAY84wjms5rRzLMdJSDBn3hnXyY+A1TctSMoxc +9mgytzwEaYQnMzCpoyC4Dut1RCL7D5ws1MAfBLd3zeMdc4mpIEtqMy2n7UDEP/Kx +6WCg6IRUTr+2ki0f+4egKrpZRdeJgZHhqn2rHP3MzxaLjWoGLbg5MDrX4xOwH+Kb +/yhoHI4ukiWXjP9hUsg1SD6emlK9ws7QeTC8pw2w7ybzIAR6sz+Zc/edcQlpywu1 +FgqqhJ7n1zxrnda1j5Dd3qC5motPGtxigyn+pwEUHmguiwQFsZAePTdTzsdYHrNo +y6g2C3CP8W7IdALiu8vxhMYXCs+6MCo8qkttJg/zoek= -----END CERTIFICATE----- 
diff --git a/certs/test/cert-ext-mnc.der b/certs/test/cert-ext-mnc.der index b7df09abb97d680921cdbd83b8612f117ef4a6b1..796f4d4b6324ffcc59870cd8c716447067f5cb8e 100644 GIT binary patch delta 335 zcmdnTagsyXpozuRpov*`0W%XL6O%|p#KTVxb0m7DTmLfpGR0|b`^o=fqQn#lBQrx| zV`Bs3C~;mR69aQ2BPe&GdfjFx#y^bpt9{EQ<4(($H^26~?a3y>_5WISsBy@gxT6P? zl$3vLbxEmn zsn2BIclU0oPH^7DlbB`RCD(t%#iw?^O72d9(v^G)OaUgYcP~D!;*U!NNx?SS>ytS>M8BA$_;W p<-6#-lGiqZtaMbR5-?LGYN!9Rz>)(B+_H^`d9B2Aj0RX^|nmhmi delta 319 zcmX@fv5!N-pozuGpov*&0W%XL6B8%Hlpr1X*A(K3L@(8a3uJ#ros+wImBD3M<5F{OA?>QTBljlDT1`k> z9<=vfjfnoFxVW{lRXaVZE`ONYbD>31SWfiQx1N1B3dOhF{qAyITJ(J5!}F2~pF}$@hv>^m53U zf6Ntk3tD3H;QSXs1ECXt6V>zL`>XyIWvno9?kv4g!!8o~>uX>ZcVLmfia-)CgV6pN WU9QLf1h+JQtlq`OQu3VX&nW;-&4)Vx diff --git a/certs/test/cert-ext-multiple.cfg b/certs/test/cert-ext-multiple.cfg index 94fb7adc4..9fb4ef30d 100644 --- a/certs/test/cert-ext-multiple.cfg +++ b/certs/test/cert-ext-multiple.cfg @@ -10,7 +10,7 @@ L = Brisbane O = wolfSSL Inc OU = Engineering CN = www.wolfssl.com -emailAddress = support@wolfsssl.com +emailAddress = support@wolfssl.com postalCode = 56-131 street = Main St 
diff --git a/certs/test/cert-ext-multiple.der b/certs/test/cert-ext-multiple.der index 6fb01c2fd21d9c42cdb458acb54fa5f058d94c4a..fb44e4c99f8e6c42c8b7665443660e3d4d7a3c19 100644 GIT binary patch delta 538 zcmbQwJ%`)Wpow*cK@&^E0%j&gCMFTZ&QoRF>b8bkD;*>?I9CQ9`)mHsfR~L^tIebB zJ1-+6H!FidMlkPYge6c+-_k@qse%lM2)8qNJ37X&OPdypg z`g#IObeE_1(Z`$4Pcu7P`K8G_XZ7TJ*OOKyIJ}K@-xzDY=j6lM3(n&Ho1?0^Qex|M z4=2ukzqkL!j^4jr2aB7QY(4Nwt)1ocfq(WL7eg*vZEI$Jv(lJt_dikJbNv?nACBMZ z=*-&m?Z@t}zE%25^>udju?n2q@bdfZDc{dcTCa9(SLCCOZGsMoGcWyV(0ud9-im8q zd%UlQ<&>Q&s{-N`Ee~zzeIR?{)8yBaKg6ed7;e%Doj6zK@}%GIALKsWV6RmBj%VHL fIV-lFy{~^h$@oC_8I#FJ7;bsTD?MF)Bqay{h|k`- delta 538 zcmbQkJ)hgupow+1K@&^!0%j&gCMJ;>VYxO*^CO*mR!^`|;G4AjpI1SM0WTY;R+~rL zcV0$DZdL|^#>100FxSW`8z{oXIT^)7ic1R$@{39w%JXy5iYJ~mk~T0iG%_+XFo_c9 zH8L?UH!y;7i8Mfa^Ib*_M%HG7CdT^7T+G!x%xuh|vdS!tzYQ9HOrFRr!G3Z{<1r!) z)2eSG#&66`jEoGLu92tKe%5%Gaf^L{Twc?Zr0sno*LCZ+v$pOGPdt;+Q7wP8()Grb zjlpj!88@EkcG&7a`5pVQVzWk-Wq(cDukZY^yCZ0Q02RgS_E7xRl*3a-& zx^nBKM)2*xWX5AMwwsp;hFuGrmKBvFET_Ttmt8KnTW7M-YSY!pcXzvI%RcnKbNSL$ zBiDOZXRT}sP%v7m&-;G)x`4S-%&P+2(**B2t)Eq3FQvV-=lhq!C#LJfLxrCFkxtu~Lg z@4SqR+^h@+)f0bID;da%^BNf%8W@=w8XFrM7)Oco8krcF8yP{lU{#xEFurB1Z?Jo6 zaYKA{yTsr3m+dQj7x_1se4ad;eWM+VVM5mT{|~# zX%$_$TwUd-=;pa*b?g61GaYGO_Uz>4fb-IE4=ls^pK{0@YCX=@@%WjLjPr-}9Zt(C zvcoc8l(MHie!cm=zuWz#5xi%fe2P9dq3cY2v66`4#AP0{-3@lUUjHwA-_rRTbXhkq zyw4jD!_i*SU>4phdr9@*>goIRL;q|DY~B|W=da%tvq$v*_Ol^7ba}t~-z?tO&ynIV zeT7w)uZm61e$L&;r1Z3%eoCLa5OiBgnQ5adB~uUUGh}ft)z6k)ff1 zftjI^k(q%>lsK=EiGjI+5tIutOAfzTn_U^dFxG3dMkJiNUwcM1T4dj?;HWn17ymE6 zXpgvD#PdJ?ZGp|iFpKu-nOp7$Y`$Wzb@lF}-!`X@%lwzNvD439=-NGj*I?TOqoZMy z>)$AedO4`A$!)q7xur2pj*T^B`O%Y}mDM`D7V{>~f2Ym+)VreK`25gwJ7!;7W}MN= z>3_z|)cHJrz54d86+7lE5DmBGtysK3|0Y}fOreA+Ji%(u)-8BBsq%QbC0F{xyq~Ju zrsc?8jypD4{m;uncD-dzw+ye=hfiD`dr`bk(!uA*VzK$`w;HZEWyIv{|GO>qn#Gsb u>~|h*kUi*dLYZ4IYP09W$oOr0bS55ic(XmZjP3dAa=}Hh`E?OY5*Ywmr?2P$ diff --git a/certs/test/cert-ext-nc.pem b/certs/test/cert-ext-nc.pem index 90b26ac8b..cded0d188 100644 --- a/certs/test/cert-ext-nc.pem 
+++ b/certs/test/cert-ext-nc.pem 
@@ -1,27 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIEgTCCA2mgAwIBAgIUTT801Rb2AUDHoZhAiituiPxyJgUwDQYJKoZIhvcNAQEL -BQAwgaAxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNsYW5kMREwDwYDVQQH -DAhCcmlzYmFuZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDASBgNVBAsMC0VuZ2lu -ZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xIzAhBgkqhkiG9w0BCQEW -FHN1cHBvcnRAd29sZnNzc2wuY29tMB4XDTIxMTAwNjEyMjYwNFoXDTI0MDcwMjEy -MjYwNFowgaAxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNsYW5kMREwDwYD -VQQHDAhCcmlzYmFuZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDASBgNVBAsMC0Vu -Z2luZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xIzAhBgkqhkiG9w0B -CQEWFHN1cHBvcnRAd29sZnNzc2wuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A -MIIBCgKCAQEAwJUI4VdB8nFtt9JFQScBZcZFrvK8JDC4lc4vTtb2HIi8fJ/7qGd/ -/lycUXX3isoH5zUvj+G9e8AvfKtkqBf8yl17uuAh5XIuby6G2JVz2qwbU7lfP9cZ -DSVP4WNjUYsLZD+tQ7ilHFw0s64AoGPF9n8LWWh4c6aMGKkCba/DGQEuuBDjxsxA -tGmjRjNph27Euxem8+jdrXO8ey8htf1mUQy9VLPhbV8cvCNz0QkDiRTSELlkwyrQ -oZZKvOHUGlvHoMDBY3gPRDcwMpaAMiOVoXe6E9KXc+JdJclqDcM5YKS0sGlCQgnp -2Ai8MyCzWCKnquvE4eZhg8XSlt/Z0E+t1wIDAQABo4GwMIGtMB0GA1UdDgQWBBSz -ETLJkpiE4sn40DtuA0LKHw6OPDAfBgNVHSMEGDAWgBSzETLJkpiE4sn40DtuA0LK -Hw6OPDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjAeBgNVHR4B -Af8EFDASoBAwDoEMLndvbGZzc2wuY29tMCcGCWCGSAGG+EIBDQQaFhhUZXN0aW5n -IG5hbWUgY29uc3RyYWludHMwDQYJKoZIhvcNAQELBQADggEBACiFWGDK333MJVsU -vtpTWoY76P/T6IdY03IM/1/tcDyRVjiHl2m031Cz1D8q1d3i+zzLxxz/Gzw+L2uh -RYuQDTC2kDLFVpN/7CIVSkAmrG2C2lm0gWYeBgVUp8XJSXl7LA04npGf7isN5Ut4 -cMefVc64m9amM2iFCU/MNjVDzw8nt7V4uJygFVc9DXijoC/ZBl+ZEmCUDFMm5q6g -6ZJ5x2c5CmfhbvkltpZsHtNexpMn/OlxBy6mQtox1X9Xkatd0ReOGUBMxKMWnwfa -gNRCaFxsv/22ZdY49OsH3OKwHcFAyCMLEVqzSZFZX7a8LJHGQOy3Y3YG56t3EaJd -b35YGGg= +MIIENTCCAx2gAwIBAgIUFtCwMsYG2mHNWoLk3+8pf7piWZowDQYJKoZIhvcNAQEL +BQAwezELMAkGA1UEBhMCQVUxEzARBgNVBAgMClF1ZWVuc2xhbmQxETAPBgNVBAcM +CEJyaXNiYW5lMRQwEgYDVQQKDAt3b2xmU1NMIEluYzEUMBIGA1UECwwLRW5naW5l +ZXJpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTAeFw0yMTEwMjYxMzMzMDNa +Fw0yNDA3MjIxMzMzMDNaMHsxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNs 
+YW5kMREwDwYDVQQHDAhCcmlzYmFuZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDAS +BgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20wggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAlQjhV0HycW230kVBJwFlxkWu +8rwkMLiVzi9O1vYciLx8n/uoZ3/+XJxRdfeKygfnNS+P4b17wC98q2SoF/zKXXu6 +4CHlci5vLobYlXParBtTuV8/1xkNJU/hY2NRiwtkP61DuKUcXDSzrgCgY8X2fwtZ +aHhzpowYqQJtr8MZAS64EOPGzEC0aaNGM2mHbsS7F6bz6N2tc7x7LyG1/WZRDL1U +s+FtXxy8I3PRCQOJFNIQuWTDKtChlkq84dQaW8egwMFjeA9ENzAyloAyI5Whd7oT +0pdz4l0lyWoNwzlgpLSwaUJCCenYCLwzILNYIqeq68Th5mGDxdKW39nQT63XAgMB +AAGjgbAwga0wHQYDVR0OBBYEFLMRMsmSmITiyfjQO24DQsofDo48MB8GA1UdIwQY +MBaAFLMRMsmSmITiyfjQO24DQsofDo48MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYD +VR0PAQH/BAQDAgGGMB4GA1UdHgEB/wQUMBKgEDAOgQwud29sZnNzbC5jb20wJwYJ +YIZIAYb4QgENBBoWGFRlc3RpbmcgbmFtZSBjb25zdHJhaW50czANBgkqhkiG9w0B +AQsFAAOCAQEAgD7lONgXq4cY/e/TP3hNok+ANPOTmwexPgQxYGr3p7lmV9veNLBD +xJE9J6kNb3T4Fge1wuSFFamnJyT5FbOdNn6v/RsCxIOm5snTUM8bXuA5Vw/lCB7C +hccGiOPmEhxD8K+IQqZ4a1Zp6HUHZuPrs99PRt+lWA3M5PJbzpCKzHMiFDGRpkib +RzC466/+V76ln7AtBbOh3w1QXAiHdIA2V40d0iX+q5e+L1X8sFGDvlxeTy+KXLwV +/7fNVLgtDfdP2XO+jwhkQJeoOmpNJDxsvwm7xhouK0L5G87QUtsaIwK9SnR07Aj5 +5LHpvNCgLQHO5nmJyJ13RlEUDfnnaGXCbA== -----END CERTIFICATE----- 
diff --git a/certs/test/cert-ext-ncdns.der b/certs/test/cert-ext-ncdns.der index 5222e152346d66a136d5d7fbc47dce616a4e20b0..17f8007b947f7ac4549e727373b8d6ca9ecbe01f 100644 GIT binary patch delta 334 zcmdnPahyZhpozuVpov*~0W%XL6O%|@@&Ea+KAniK$&l#q-Wu|IQ@nfmM2V^5W`@Sb z#sf++ZR02+kPi8c>U#^eKWF)lV1Ov z7WjL5PhH<}wyg{7uQ*t3G~AhXYQF;G;+Lv(*xsG?cg(RCj*xosE@$_K>0O@=L@p_R z%~hYzQuA(Y*6!*5Wj=0s_(?K%L-SOYQ|I#*PvjB{wb5GrkGsn8>COq<&sz`wn&d1W za!f7Q^~=S3d(IZW*|;O;{6$`cmEW9n1Fy|haXh-o#3sv$|H~xz=H=ogK6ZvzRy#Db ong%bC71R!0zv~_UwX;HHZpo8aZmIr$;wWu3eO}2?2d3MG0B5C{*8l(j delta 318 zcmX@kv4=y#pozu8pov*w0W%XL6B8#xn^)#JhIjYcCMr)AGcdF?u{1S}66ZBCF)%kY zgK#&Vt7NK|i%I{cb?t1}uj>Ji+hRX0w=8*o^2hs!o`RA$KP{|(VldCzf89sJiEdxN zlr6L{{j4v+6<}zRb%pcLx1t#>#{GBFE?pB!cab~Qym@)BpTyO&ea=}~7j*68RO0_; zE^uO4Rd9B>jB?@Y-&e!tJicak=~hsyxJv2DUI}i0u4{{@C)Br{|0*>>FnWPR+Mk@Y zyk@7~+^ja5`TxB~_Z)Y#jtvq^jvbY?@Db(TW$M_Pv#F>s;B{cwm+6lWIVZ+E_HY&L zd$)7KoSc&HXYA+fyuWVK44ysmFSrlO{ca1My1R+@L1NF;;N-~FpHs~hqC}>yk*SvO Yw3gxB_HOn5#usHDi%v);GhHkO0Gbh!R{#J2 diff --git a/certs/test/cert-ext-ncmixed.der b/certs/test/cert-ext-ncmixed.der index a7fad165dbe62753332c079e876593480b99a9fe..2ad0ea079a935e05d8c18a1a4e2348688b2eedcc 100644 GIT binary patch delta 334 zcmdnVafCzJpozu7pov*y0W%XL6O%~c;XXapO+o68+Y=tI@>u!p0*?dBM2V^5W`@Sb z#sPm)gAeuFRL+#XFK zHUWXkclXl6ml^Dxm~cZ$*!1<{qTj#kr}-x>teBI2Cr3J{R47k>*6jlZonj}N;wSbQ z)L+SFePh7Y|H*vL>+I0RrVi`(t64g9X0V)P z7d+KCU)y|5LgU(}db@tieZJ5!{Lyz=UbEd^w;9>F^3)c7VG?c7@(mA?eC(ZlJJP(q l-94a6@t8l$DKAsUzgYphAAX3KqjG6!d delta 318 zcmX@Yv6Dl>pozuQpov*_0W%XL6B8%HmdhK8ID12zCMr)AGcdF?u{1S}66ZBCF)%kY zgK#&VD`TqPbS%j&U`a-2!u2~$>=h!ifv@8O`#Z%t_1ErQzf!pT!=y{Io}D^7f0DfD z^X8uH&kzCzH&|9$9O@ Y-v0Re=LLuDCS6EAb~3`vo9S>g0I+nFdjJ3c diff --git a/certs/test/cert-ext-nct.cfg b/certs/test/cert-ext-nct.cfg index fde389bf4..93d3da612 100644 --- a/certs/test/cert-ext-nct.cfg +++ b/certs/test/cert-ext-nct.cfg 
@@ -10,7 +10,7 @@ L = Brisbane O = wolfSSL Inc OU = Engineering CN = www.wolfssl.com -emailAddress = support@wolfsssl.com +emailAddress = support@wolfssl.com [ v3_ca ] nsCertType = critical,server diff --git a/certs/test/cert-ext-nct.der b/certs/test/cert-ext-nct.der index 43851bb1755307992d1a013102ec3799bce2f19c..ad63f1c9477c219ed8f816cafb9f626b6635788d 100644 GIT binary patch delta 428 zcmbQoF^9v{povAopoy7b0W%XL6O)Mfox4xxwK5#Z5_0WdsK@*`&*Wy60WTY;R+~rL zcV0$DZdL|^#`zO})VL`bD8Pj|8O4N)OA89}i%J~I^K;UQi*xjn^K%X4#CeSj4GoOU z42_MA4UD72d5ugA%#DnoT!=|B_)OY7k+GMt-ujYk)0Oh;24Yo9wkY$3ap>E4KXT@1 zn(uu7@XSYt)ZKG0-V0lPX92%rVi&hbjL;#K%y}^x%!?ZBe4b5QUAg)CtOqO?8;xb# z)V2L)#zuvEZri!V^-0aXJE=na!kdqIu35a|#5^DSS^c>){$+cA@=lTdwDa`BU3#zP zd|SC$k!^GRjF5i|qADU?iqiCE`kVD%6P(N#W5NA8JtljVNM~u|66QVq$tOZJ;*P)G zHhsa_)1TJ!g-uENy5|F*>w(_jwpVhle!r5BD6+4)#qA@o?P_S#n{$PKkKH|=Y_hxf tYJ29rLx*Q7#mg00m%P(~z5VdEG|`z?>}4mLL^9R=1pvtSv04BC delta 430 zcmbQkF^|L4povAwpoy7j0W%XL6O#y&pWTVJa_0?D$04PtY0lwJEVs|t{+%(mEG<3y z(!_ulE>RQsIZk!goAcZ5JInHD{YHaq=dRY*4@19a9hfF5vp7dK)XAgu{)azDpRMlq zb$=Bg5dNor`N8$8CoNkv*If15l|aikg`ZCLKD+u|cj4czvXw`|Hat4IefKhj>Gf~S z44xNGU8`tiF>&VtpM?tzHoj;qELz@blYiIb_!5Q#VOle0_jdMfOZnA${G$8{d&kvW uM)nFvyPw5}ipG2JMl$+sa!6bt%VHBdNhbB|wZh*P+pJsL`tC9{1p)x5!?H&J diff --git a/certs/test/cert-ext-nct.pem b/certs/test/cert-ext-nct.pem index 355548016..8337eb604 100644 --- a/certs/test/cert-ext-nct.pem +++ b/certs/test/cert-ext-nct.pem 
@@ -1,24 +1,24 @@ -----BEGIN CERTIFICATE----- -MIIEGjCCAwKgAwIBAgIUAk4+yIZ3S7BdgUTUopeUVK7oAgAwDQYJKoZIhvcNAQEL -BQAwgaAxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNsYW5kMREwDwYDVQQH +MIIEGDCCAwCgAwIBAgIUN9zd5Z6FAMRqEkWPoS4D42402XowDQYJKoZIhvcNAQEL +BQAwgZ8xCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNsYW5kMREwDwYDVQQH DAhCcmlzYmFuZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDASBgNVBAsMC0VuZ2lu -ZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xIzAhBgkqhkiG9w0BCQEW -FHN1cHBvcnRAd29sZnNzc2wuY29tMB4XDTIxMTAwNjEyMjYwNFoXDTI0MDcwMjEy -MjYwNFowgaAxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNsYW5kMREwDwYD -VQQHDAhCcmlzYmFuZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDASBgNVBAsMC0Vu -Z2luZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xIzAhBgkqhkiG9w0B -CQEWFHN1cHBvcnRAd29sZnNzc2wuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A -MIIBCgKCAQEAwJUI4VdB8nFtt9JFQScBZcZFrvK8JDC4lc4vTtb2HIi8fJ/7qGd/ -/lycUXX3isoH5zUvj+G9e8AvfKtkqBf8yl17uuAh5XIuby6G2JVz2qwbU7lfP9cZ -DSVP4WNjUYsLZD+tQ7ilHFw0s64AoGPF9n8LWWh4c6aMGKkCba/DGQEuuBDjxsxA -tGmjRjNph27Euxem8+jdrXO8ey8htf1mUQy9VLPhbV8cvCNz0QkDiRTSELlkwyrQ -oZZKvOHUGlvHoMDBY3gPRDcwMpaAMiOVoXe6E9KXc+JdJclqDcM5YKS0sGlCQgnp -2Ai8MyCzWCKnquvE4eZhg8XSlt/Z0E+t1wIDAQABo0owSDAUBglghkgBhvhCAQEB -Af8EBAMCBkAwMAYJYIZIAYb4QgENBCMWIVRlc3RpbmcgTmV0c2NhcGUgQ2VydGlm -aWNhdGUgVHlwZTANBgkqhkiG9w0BAQsFAAOCAQEAgo2UG9wBBhmnTzf8k/dJ529S -AlK8hC+2QM1zzxcD58Z7R/8NaStMMgJI0UdCeibxJOkhRfjCIlqWQ1dCBNvMPf2Y -nXZmZ1vSkVDoRFqQDwjKi383Dz2+zQTir7Ewa0OKhevhVfdqwJYZHKNsHVVCSIXf -8PzF5quPTUfqUBBX/KfBr6uSpqKdNyXW1FE57HHyyY3m1fctof2KdqnEVrDixbe7 -piCXf+w2MOdxla0hOjiRuaBMoaEwseiBcXKnhTxv3TTHpADAViqYm42JjbZk+oXH -0R+oP0GrCjI/IMWL5l9VFV9IDVkBTrJAYaAdBDxdkhxlzdZx+zi2O4WGjt2CUQ== +ZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xIjAgBgkqhkiG9w0BCQEW +E3N1cHBvcnRAd29sZnNzbC5jb20wHhcNMjExMDI2MTMzMzAzWhcNMjQwNzIyMTMz +MzAzWjCBnzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClF1ZWVuc2xhbmQxETAPBgNV +BAcMCEJyaXNiYW5lMRQwEgYDVQQKDAt3b2xmU1NMIEluYzEUMBIGA1UECwwLRW5n +aW5lZXJpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEiMCAGCSqGSIb3DQEJ 
+ARYTc3VwcG9ydEB3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAMCVCOFXQfJxbbfSRUEnAWXGRa7yvCQwuJXOL07W9hyIvHyf+6hnf/5c +nFF194rKB+c1L4/hvXvAL3yrZKgX/Mpde7rgIeVyLm8uhtiVc9qsG1O5Xz/XGQ0l +T+FjY1GLC2Q/rUO4pRxcNLOuAKBjxfZ/C1loeHOmjBipAm2vwxkBLrgQ48bMQLRp +o0YzaYduxLsXpvPo3a1zvHsvIbX9ZlEMvVSz4W1fHLwjc9EJA4kU0hC5ZMMq0KGW +Srzh1Bpbx6DAwWN4D0Q3MDKWgDIjlaF3uhPSl3PiXSXJag3DOWCktLBpQkIJ6dgI +vDMgs1gip6rrxOHmYYPF0pbf2dBPrdcCAwEAAaNKMEgwFAYJYIZIAYb4QgEBAQH/ +BAQDAgZAMDAGCWCGSAGG+EIBDQQjFiFUZXN0aW5nIE5ldHNjYXBlIENlcnRpZmlj +YXRlIFR5cGUwDQYJKoZIhvcNAQELBQADggEBADvSHYLUd9cwFnqktCMOVggvPEvi +QwiCn0Pfw5niwidHbdHeVqfcoA8hYYoLNFwSwiRpnlxoA6KBPkzmkat5s9ea4ATR +gTMdhicrTpldWldJtrm0ReR8vtxlEg8Ts8ZJrKOoyJ5MP5qPbZj+a0vyS2Qb8rnL +obou6pz2qbMhBrOYVP6gWnhZRHJmLplPNo/WEZMBXDgL62dca6oUiXWBpAO8j2PI +VShex+u2l6DNy/KvDlaUYvW88A5FwI1ThuoeRU76Y8QhB6zaC0wQttVVguzOcf3G +3c9jNLtz1Ydp3sLDmSJfHnI7dO4rRWd8go98GsGLt8O2ZhWZ1D8dkzRZfv0= -----END CERTIFICATE----- 
diff --git a/certs/test/cert-ext-ndir-exc.der b/certs/test/cert-ext-ndir-exc.der index 1ef41bc32a68afa3deca5502416a8eef58382691..17fb2427f811b7344a10a9d08aa18126d812a4ca 100644 GIT binary patch delta 355 zcmZqVYUENjXkz(m(8T<70W%XL6O)L^pPh3$*P9fp>6I_>33rS?cRHedqVjriBQrx| zV`Bs3C~;mR69aQ2BM5in%T?I*OkU0$Ro}NUNc}*(@&T6r$;LC6P5m4Ad8)QZimKZ5 zh)tU|IovQ=t#zx+G+*+EGn@CD{Dafh%CcxhMek8rYW1X2d3Azz>aR*!6aJ3J?n}Pr z_k2F@9o2BTeTMYxDBs8YH@<5AteCi^-@>}mL*V0u*-Wcg?Eg)?Uvj75kjIhSd;VAB zQq>mJ=WW}0?WsfU>?u#5n+jB^ai_?NubcI@?k{ z@vQn{-WA{0=rXSin3K6W_ZvMcW^v*?DzJpnus&T_lQH^6{*AI18G0So p+t?pny|!e3P>K8szdwB)mzXC-{%2zEF#N!#a*NfV@F|nq4*=JNoj3ph delta 355 zcmZqVYUENjXkz(m(8T<70W%XL6O#zP`Z}vgi4*vec08~U^)Gtwo#Kv>?&z}DLVdmF=%&cpCCM{fe(B`Q1u^G!Z zR^D?lZeq}wet$-QQ~4_wT`|FxOurV!#7y1IU}JRrhv-qQSZ8xBEuWB1&-Ks#`bV)e p-85cWbU1SWXo}V0 z4NI?l_~W}`dbR7`szvkIa{LsGM54e}yRTCOr#t)g7YDh@?|10cmFo}LcS^Y|BqTcNa%Q+Yv%L}9 zyjbqNr|OOW-MG7D$Lhn(z0ueCpFC2%e!Fms#?=RDPao>cY7<=@cw$aQX)AMiYR|KKbLOjkb?u%y t<^Ip&17D=B94x#fU0?B3?9V?2Sz8YsMZ4XBOwm4P+T7We3Nzii4gfXwsOkU! delta 353 zcmaFE`G!-;po!&$K@;W7D@>C$YSqEhM|?`MF0=EWoxsCevWNd*>ai7e z+G5eEX|d0aZP#g7-mt0hQAStS?1S}^(Ed1`;Ymh8;SB~USF=vvDrcOnoiZJKhyR;|H2i?wD}eQ1}3JL diff --git a/certs/test/cert-ext-ndir.pem b/certs/test/cert-ext-ndir.pem index d7b8716bc..c5a545194 100644 --- a/certs/test/cert-ext-ndir.pem +++ b/certs/test/cert-ext-ndir.pem 
@@ -1,9 +1,9 @@ -----BEGIN CERTIFICATE----- -MIIE6DCCA9CgAwIBAgIUf/jV/P1olEjAao7TEGdZx5xTD/EwDQYJKoZIhvcNAQEL +MIIE6DCCA9CgAwIBAgIUUjnwSvtRITn8DePk5BV3FpOSt/EwDQYJKoZIhvcNAQEL BQAwgZUxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEY MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdv -bGZzc3NsLmNvbTAeFw0yMTEwMDYxMjI2MDRaFw0yNDA3MDIxMjI2MDRaMIGVMQsw +bGZzc3NsLmNvbTAeFw0yMTEwMjYxMzMzMDNaFw0yNDA3MjIxMzMzMDNaMIGVMQsw CQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjER MA8GA1UECgwIU2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMM D3d3dy53b2xmc3NsLmNvbTEgMB4GCSqGSIb3DQEJARYRaW5mb0B3b2xmc3NzbC5j @@ -18,12 +18,12 @@ gdUGA1UdIwSBzTCByoAUJ45nEXTDJh0/7TNjs6TYHTDl6NWhgZukgZgwgZUxCzAJ BgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREw DwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwP d3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdvbGZzc3NsLmNv -bYIUf/jV/P1olEjAao7TEGdZx5xTD/EwDAYDVR0TBAUwAwEB/zAhBgNVHR4BAf8E -FzAVoBMwEaQPMA0xCzAJBgNVBAYTAlVTMA0GCSqGSIb3DQEBCwUAA4IBAQBnnFq7 -5O1NpE3jttFAtEdGUXhwIzuxwDCJ4SNyUGnFww06NE7mRpvN22vzqi/UwlViuCbE -Sl9MkBD2FEYM/raKyHiO1ZFne4FTzqjuQMsvng9vdHknPpBEKcpOrjxGSWJWRtXM -xFVTD2vg7jBsgOHSWyfhKQDk3ibDzHSS7/7gdOLxWs7rbKpnHDx5P2oCeOEqVikF -WqrBy8RMdGrTBw/NkAwNdLwPwWXGqD4rFltlZl3mxrcsgKeAsoHiaIqKm8F/gYx5 -+xP1bgNnnJHRv3Pu0wQ+Y5JXIaRm42CBUBa34KvSDeC/xk5nMhUPadenIwizQCXW -LHrK/Ja95/QKWbPa +bYIUUjnwSvtRITn8DePk5BV3FpOSt/EwDAYDVR0TBAUwAwEB/zAhBgNVHR4BAf8E +FzAVoBMwEaQPMA0xCzAJBgNVBAYTAlVTMA0GCSqGSIb3DQEBCwUAA4IBAQCftSer +x/DD+8l32zkBpvuVQtRcEpQ6w7Cl1PD8TaiXe0W9eqKeBmxOgJ+a0kyKIcYSJU5R +K8enk17q1FFiqdgU0lEo3tdOdvfxFyLTbdCVz/Q0KRhhELU+9ZQRl0NOj3NSRR+/ +QI0tHo9UvsojdlRUW2LTaVdHAz8yBp5dC73KM/7Y3bS4q8MDjVvXD+TiJdfbcbQo +1eBm5eEsmoYQoOqQAt8n9bmEAe6syFi/sBJU5PqBWuNlBVLlySxEzCA8vPXyvL95 +3eStUcicaHWFA3dljObenJ8m9UWLlZTf+XPA9BrUwXHSG3945Rb8/gAdPUgsIT67 +UQJbTMyGRwalE97X -----END CERTIFICATE----- 
diff --git a/certs/test/gen-ext-certs.sh b/certs/test/gen-ext-certs.sh index 320973501..cbaa010aa 100755 --- a/certs/test/gen-ext-certs.sh +++ b/certs/test/gen-ext-certs.sh @@ -150,7 +150,7 @@ L = Brisbane O = wolfSSL Inc OU = Engineering CN = www.wolfssl.com -emailAddress = support@wolfsssl.com +emailAddress = support@wolfssl.com [ v3_ca ] inhibitAnyPolicy = critical,1 @@ -175,7 +175,7 @@ L = Brisbane O = wolfSSL Inc OU = Engineering CN = www.wolfssl.com -emailAddress = support@wolfsssl.com +emailAddress = support@wolfssl.com [ v3_ca ] nsCertType = critical,server @@ -290,7 +290,7 @@ L = Brisbane O = wolfSSL Inc OU = Engineering CN = www.wolfssl.com -emailAddress = support@wolfsssl.com +emailAddress = support@wolfssl.com postalCode = 56-131 street = Main St diff --git a/tests/api.c b/tests/api.c index cd4bcc2f9..f65dead5f 100644 --- a/tests/api.c +++ b/tests/api.c @@ -37612,7 +37612,7 @@ static void test_wolfSSL_PEM_write_bio_X509(void) AssertNotNull(input = BIO_new_file( "certs/test/cert-ext-multiple.pem", "rb")); - AssertIntEQ(wolfSSL_BIO_get_len(input), 2004); + AssertIntEQ(wolfSSL_BIO_get_len(input), 2000); AssertNotNull(output = BIO_new(wolfSSL_BIO_s_mem())); @@ -37623,12 +37623,12 @@ static void test_wolfSSL_PEM_write_bio_X509(void) AssertIntEQ(wolfSSL_BIO_get_len(output), #ifdef WOLFSSL_ALT_NAMES /* Here we copy the validity struct from the original */ - 2004 + 2000 #else /* Only difference is that we generate the validity in generalized * time. Generating UTCTime vs Generalized time should be fixed in * the future */ - 2009 + 2004 #endif ); @@ -37652,10 +37652,10 @@ static void test_wolfSSL_PEM_write_bio_X509(void) AssertIntEQ(wolfSSL_BIO_get_len(output), #ifdef WOLFSSL_ALT_NAMES /* Here we copy the validity struct from the original */ - 1692 + 1688 #else /* UTCTime vs Generalized time */ - 1696 + 1692 #endif ); From a738c16b2fb648280217893ca12dee98e928b333 Mon Sep 17 00:00:00 2001 
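Review bot: The three updated asserts in test_wolfSSL_PEM_write_bio_X509 still pin the exact PEM length (2000/2004 and 1688/1692), so the test only catches a size change in the re-encoded certificate, not a wrong re-encoding of an extension (the AKID the comment mentions, for instance) that happens to keep the same length; the same constants are carried into the expectedLen hunks of the following patch, so this applies there too. In the WOLFSSL_ALT_NAMES branch the comment says the validity is copied from the original, so the output BIO could be compared with the input PEM byte-for-byte, e.g. `AssertIntEQ(wolfSSL_BIO_get_len(output), wolfSSL_BIO_get_len(input));` followed by a memcmp of the two memory BIOs, leaving a literal only for the UTCTime/GeneralizedTime case. A constant that has to be re-derived every time the test certificate is regenerated, as this very patch shows, deserves a comment naming what it is tied to, e.g. `/* length of certs/test/cert-ext-multiple.pem; update when the cert is regenerated */`. The enclosing test function starts and ends outside the hunk.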
From: Juliusz Sosinowicz Date: Tue, 26 Oct 2021 21:27:09 +0200 Subject: [PATCH 09/11] Can't have macros within macros --- tests/api.c | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/tests/api.c b/tests/api.c index f65dead5f..8f31f97be 100644 --- a/tests/api.c +++ b/tests/api.c @@ -37607,6 +37607,7 @@ static void test_wolfSSL_PEM_write_bio_X509(void) BIO* input; BIO* output; X509* x509 = NULL; + int expectedLen; printf(testingFmt, "wolfSSL_PEM_write_bio_X509()"); @@ -37620,17 +37621,16 @@ static void test_wolfSSL_PEM_write_bio_X509(void) AssertIntEQ(PEM_write_bio_X509(output, x509), WOLFSSL_SUCCESS); - AssertIntEQ(wolfSSL_BIO_get_len(output), #ifdef WOLFSSL_ALT_NAMES - /* Here we copy the validity struct from the original */ - 2000 + /* Here we copy the validity struct from the original */ + expectedLen = 2000; #else - /* Only difference is that we generate the validity in generalized - * time. Generating UTCTime vs Generalized time should be fixed in - * the future */ - 2004 + /* Only difference is that we generate the validity in generalized + * time. Generating UTCTime vs Generalized time should be fixed in + * the future */ + expectedLen = 2004; #endif - ); + AssertIntEQ(wolfSSL_BIO_get_len(output), expectedLen); /* Reset output buffer */ BIO_free(output); @@ -37649,15 +37649,15 @@ static void test_wolfSSL_PEM_write_bio_X509(void) /* Check that we generate a smaller output since the AKID will * only contain the KeyIdentifier without any additional * information */ - AssertIntEQ(wolfSSL_BIO_get_len(output), + #ifdef WOLFSSL_ALT_NAMES - /* Here we copy the validity struct from the original */ - 1688 + /* Here we copy the validity struct from the original */ + expectedLen = 1688; #else - /* UTCTime vs Generalized time */ - 1692 + /* UTCTime vs Generalized time */ + expectedLen = 1692; #endif - ); + AssertIntEQ(wolfSSL_BIO_get_len(output), expectedLen); BIO_free(input); BIO_free(output); 
From 8cba5dda17a3332e99a06cbb92dbe12bb184cf21 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Tue, 26 Oct 2021 21:53:44 +0200 Subject: [PATCH 10/11] Need to free x509 in tests --- src/ssl.c | 3 +++ tests/api.c | 1 + 2 files changed, 4 insertions(+) diff --git a/src/ssl.c b/src/ssl.c index bc62c71d4..f9582a94f 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -46003,6 +46003,9 @@ int wolfSSL_PEM_write_bio_X509(WOLFSSL_BIO *bio, WOLFSSL_X509 *cert) /* write the PEM to BIO */ ret = wolfSSL_BIO_write(bio, pem, pemSz); XFREE(pem, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #ifdef WOLFSSL_SMALL_STACK + XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif if (ret <= 0) return WOLFSSL_FAILURE; return WOLFSSL_SUCCESS; diff --git a/tests/api.c b/tests/api.c index 8f31f97be..a2f8f8151 100644 --- a/tests/api.c +++ b/tests/api.c @@ -37659,6 +37659,7 @@ static void test_wolfSSL_PEM_write_bio_X509(void) #endif AssertIntEQ(wolfSSL_BIO_get_len(output), expectedLen); + X509_free(x509); BIO_free(input); BIO_free(output); From 9c8e4f558c7e5437d963ec16e2883175e6b88b28 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Thu, 28 Oct 2021 21:05:19 +0200 Subject: [PATCH 11/11] Explicit cast to `int` --- wolfcrypt/src/asn.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index a8307eabe..47e7f2c17 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -10378,7 +10378,7 @@ static const CertNameData certNameSubject[] = { }; static const int certNameSubjectSz = - sizeof(certNameSubject) / sizeof(CertNameData); + (int) (sizeof(certNameSubject) / sizeof(CertNameData)); /* Full email OID. */ static const byte emailOid[] = {
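Review bot: The added `XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER)` under WOLFSSL_SMALL_STACK only runs on the path that reaches the BIO write; wolfSSL_PEM_write_bio_X509 begins outside the hunk, so any earlier error return taken after `der` is allocated would presumably still leak it in the small-stack build, and those exits are worth checking or routing through one cleanup label. It is also worth confirming that DYNAMIC_TYPE_TMP_BUFFER is the type `der` was allocated with, since the memory-tracking builds key on it. A one-line comment would spare the next reader a search for the allocation, e.g. `/* WOLFSSL_SMALL_STACK: der is heap-allocated earlier in this function */`.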
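Review bot: The element count in `certNameSubjectSz` divides by `sizeof(CertNameData)` rather than by the array's own element, so it silently drifts if the element type of certNameSubject is ever changed; `(int) (sizeof(certNameSubject) / sizeof(certNameSubject[0]));` ties the count to the array itself. The cast is harmless for a table this small, but a short comment stating why it exists (presumably so the count compares cleanly against signed indices at its use sites) would save the next reader a look at the callers, e.g. `/* int: the count is compared against signed indices */`.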