diff --git a/src/ssl.c b/src/ssl.c index bdd71e9a2..1e2206fa7 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -3448,6 +3448,240 @@ void wolfSSL_CertManagerFree(WOLFSSL_CERT_MANAGER* cm) } +#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) +#if defined(WOLFSSL_SIGNER_DER_CERT) +/****************************************************************************** +* wolfSSL_CertManager_GetCerts - retrieve stack of X509 certificates in a +* certificate manager (CM), also knows as cert store in OpenSSL. +* +* RETURNS: +* returns stack of X509 certs on success, otherwise returns a NULL. +*/ +WOLFSSL_STACK* wolfSSL_CertManager_GetCerts(WOLFSSL_CERT_MANAGER* cm) +{ + WOLFSSL_STACK* sk = NULL; + Signer* signers = NULL; + word32 row = 0; + DecodedCert* dCert = NULL; + WOLFSSL_X509* x509 = NULL; + int found = 0; + + if (cm == NULL) + return NULL; + + sk = wolfSSL_sk_X509_new(); + + if (sk == NULL) { + return NULL; + } + + XMEMSET(sk, 0, sizeof(WOLFSSL_STACK)); + + if (wc_LockMutex(&cm->caLock) != 0) { + goto error_init; + } + + for (row = 0; row < CA_TABLE_SIZE; row++) { + signers = cm->caTable[row]; + while (signers && signers->derCert && signers->derCert->buffer) { + + dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), cm->heap, + DYNAMIC_TYPE_DCERT); + if (dCert == NULL) { + goto error; + } + + XMEMSET(dCert, 0, sizeof(DecodedCert)); + + InitDecodedCert(dCert, signers->derCert->buffer, + signers->derCert->length, cm->heap); + + /* Parse Certificate */ + if (ParseCert(dCert, CERT_TYPE, NO_VERIFY, cm)) { + goto error; + } + + x509 = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), cm->heap, + DYNAMIC_TYPE_X509); + + if (x509 == NULL) { + goto error; + } + + InitX509(x509, 1, NULL); + + if (CopyDecodedToX509(x509, dCert) == 0) { + + if (wolfSSL_sk_X509_push(sk, x509) != SSL_SUCCESS) { + WOLFSSL_MSG("Unable to load x509 into stack"); + goto error; + } + } + else { + goto error; + } + + found = 1; + + signers = signers->next; + + FreeDecodedCert(dCert); + XFREE(dCert, cm->heap, DYNAMIC_TYPE_DCERT); + dCert = NULL; + } + } + wc_UnLockMutex(&cm->caLock); + + if (!found) { + goto error_init; + } + + return sk; + +error: + wc_UnLockMutex(&cm->caLock); + +error_init: + + if (dCert) { + FreeDecodedCert(dCert); + XFREE(dCert, cm->heap, DYNAMIC_TYPE_DCERT); + } + if (x509) + FreeX509(x509); + + if (sk) + wolfSSL_sk_X509_free(sk); + + return NULL; +} +#endif /* WOLFSSL_SIGNER_DER_CERT */ + +/****************************************************************************** +* wolfSSL_X509_STORE_GetCerts - retrieve stack of X509 in a certificate store ctx +* +* This API can be used in SSL verify callback function to view cert chain +* Here's an example to display certs to stdout. + +static int verify_callback(int ok, X509_STORE_CTX *ctx) +{ + WOLFSSL_BIO* bio = NULL; + WOLFSSL_STACK* sk = NULL; + X509* x509 = NULL; + int i = 0; + + sk = wolfSSL_X509_STORE_GetCerts(ctx->store->cm); + + for (i = 0; i < sk_X509_num(sk); i++) { + x509 = sk_X509_value(sk, i); + bio = BIO_new(wolfSSL_BIO_s_file()); + if (bio != NULL) { + BIO_set_fp(bio, stdout, BIO_NOCLOSE); + X509_print(bio, x509); + BIO_free(bio); + } + } + + sk_X509_free(sk); + return ok; +} +* You can register your call back function in your app as follows: +* +* ctx = SSL_CTX_new(SSLv23_method()); +* SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, +* verify_callback); +* +* RETURNS: +* returns stack of X509 certs on success, otherwise returns a NULL. +*/ +WOLFSSL_STACK* wolfSSL_X509_STORE_GetCerts(WOLFSSL_X509_STORE_CTX* s) +{ + int certIdx = 0; + WOLFSSL_BUFFER_INFO* cert = NULL; + DecodedCert* dCert = NULL; + WOLFSSL_X509* x509 = NULL; + WOLFSSL_STACK* sk = NULL; + int found = 0; + + if (s == NULL) { + return NULL; + } + + sk = wolfSSL_sk_X509_new(); + + if (sk == NULL) { + return NULL; + } + + XMEMSET(sk, 0, sizeof(WOLFSSL_STACK)); + certIdx = s->totalCerts; + + while (certIdx-- > 0) { + /* get certificate buffer */ + cert = &s->certs[certIdx]; + + if (cert == NULL) + break; + + dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, DYNAMIC_TYPE_DCERT); + + if (dCert == NULL) { + goto error; + } + XMEMSET(dCert, 0, sizeof(DecodedCert)); + + InitDecodedCert(dCert, cert->buffer, cert->length, NULL); + + /* Parse Certificate */ + if (ParseCert(dCert, CERT_TYPE, NO_VERIFY, NULL)){ + goto error; + } + x509 = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), NULL, + DYNAMIC_TYPE_X509); + + if (x509 == NULL) { + goto error; + } + InitX509(x509, 1, NULL); + + if (CopyDecodedToX509(x509, dCert) == 0) { + + if (wolfSSL_sk_X509_push(sk, x509) != SSL_SUCCESS) { + WOLFSSL_MSG("Unable to load x509 into stack"); + goto error; + } + } + else { + goto error; + } + found = 1; + + FreeDecodedCert(dCert); + XFREE(dCert, NULL, DYNAMIC_TYPE_DCERT); + dCert = NULL; + } + + if (!found) { + wolfSSL_sk_X509_free(sk); + sk = NULL; + } + return sk; + +error: + if (dCert) { + FreeDecodedCert(dCert); + XFREE(dCert, NULL, DYNAMIC_TYPE_DCERT); + } + + if (x509) + FreeX509(x509); + + if (sk) + wolfSSL_sk_X509_free(sk); + + return NULL; +} +#endif /* defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) */ /* Unload the CA signer list */ int wolfSSL_CertManagerUnloadCAs(WOLFSSL_CERT_MANAGER* cm) @@ -14114,10 +14348,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl) return WOLFSSL_SUCCESS; } - - - #ifndef NO_CERTS + WOLFSSL_X509_STORE* wolfSSL_CTX_get_cert_store(WOLFSSL_CTX* ctx) { if (ctx == NULL) { @@ -43550,7 +43782,7 @@ error: } #endif /* defined(OPENSSL_ALL) && defined(HAVE_PKCS7) */ -#ifdef OPENSSL_ALL +#if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) WOLFSSL_STACK* wolfSSL_sk_X509_new(void) { WOLFSSL_STACK* s = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK), NULL, diff --git a/tests/api.c b/tests/api.c index 964f1e35e..cee4447e2 100644 --- a/tests/api.c +++ b/tests/api.c @@ -1093,6 +1093,56 @@ static int test_wolfSSL_CertManagerLoadCABuffer(void) return ret; } +static void test_wolfSSL_CertManager_GetCerts(void) +{ +#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \ + defined(WOLFSSL_SIGNER_DER_CERT) + + WOLFSSL_CERT_MANAGER* cm = NULL; + WOLFSSL_STACK* sk = NULL; + X509* x509 = NULL; + X509* cert1 = NULL; + FILE* file1 = NULL; +#ifdef DEBUG_WOLFSSL_VERBOSE + WOLFSSL_BIO* bio = NULL; +#endif + int i = 0; + + printf(testingFmt, "wolfSSL_CertManager_GetCerts()"); + AssertNotNull(file1=fopen("./certs/ca-cert.pem", "rb")); + + AssertNotNull(cert1 = wolfSSL_PEM_read_X509(file1, NULL, NULL, NULL)); + fclose(file1); + + AssertNotNull(cm = wolfSSL_CertManagerNew_ex(NULL)); + AssertNull(sk = wolfSSL_CertManager_GetCerts(cm)); + AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_CertManagerLoadCA(cm, + "./certs/ca-cert.pem", NULL)); + + AssertNotNull(sk = wolfSSL_CertManager_GetCerts(cm)); + + for (i = 0; i < sk_X509_num(sk); i++) { + x509 = sk_X509_value(sk, i); + AssertIntEQ(0, wolfSSL_X509_cmp(x509, cert1)); + +#ifdef DEBUG_WOLFSSL_VERBOSE + bio = BIO_new(wolfSSL_BIO_s_file()); + if (bio != NULL) { + BIO_set_fp(bio, stdout, BIO_NOCLOSE); + X509_print(bio, x509); + BIO_free(bio); + } +#endif /* DEBUG_WOLFSSL_VERBOSE */ + } + wolfSSL_X509_free(cert1); + sk_X509_free(sk); + wolfSSL_CertManagerFree(cm); + printf(resultFmt, passed); +#endif /* defined(OPENSSL_ALL) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \ + defined(WOLFSSL_SIGNER_DER_CERT) */ +} static void test_wolfSSL_CertManagerCRL(void) { #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && defined(HAVE_CRL) && \ @@ -28267,6 +28317,7 @@ void ApiTest(void) test_wolfSSL_CTX_use_PrivateKey_file(); test_wolfSSL_CTX_load_verify_locations(); test_wolfSSL_CertManagerLoadCABuffer(); + test_wolfSSL_CertManager_GetCerts(); test_wolfSSL_CertManagerCRL(); test_wolfSSL_CTX_load_verify_locations_ex(); test_wolfSSL_CTX_load_verify_buffer_ex(); diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index bc162965f..87b47c72f 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -2574,7 +2574,9 @@ WOLFSSL_API void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl); WOLFSSL_CERT_MANAGER* cm); WOLFSSL_API int wolfSSL_CertManagerDisableOCSPStapling( WOLFSSL_CERT_MANAGER* cm); - +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SIGNER_DER_CERT) && !defined(NO_FILESYSTEM) +WOLFSSL_API WOLFSSL_STACK* wolfSSL_CertManager_GetCerts(WOLFSSL_CERT_MANAGER* cm); +#endif WOLFSSL_API int wolfSSL_EnableCRL(WOLFSSL* ssl, int options); WOLFSSL_API int wolfSSL_DisableCRL(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_LoadCRL(WOLFSSL*, const char*, int, int); @@ -3159,6 +3161,7 @@ WOLFSSL_API int wolfSSL_i2d_X509_bio(WOLFSSL_BIO* bio, WOLFSSL_X509* x509); #if !defined(NO_FILESYSTEM) WOLFSSL_API WOLFSSL_X509* wolfSSL_d2i_X509_fp(XFILE fp, WOLFSSL_X509** x509); +WOLFSSL_API WOLFSSL_STACK* wolfSSL_X509_STORE_GetCerts(WOLFSSL_X509_STORE_CTX* s); #endif WOLFSSL_API WOLFSSL_X509* wolfSSL_d2i_X509_bio(WOLFSSL_BIO* bio, WOLFSSL_X509** x509);