forked from wolfSSL/wolfssl
Merge pull request #5164 from cconlon/x509date
Remove WOLFSSL_ALT_NAMES restriction on notBefore/notAfter use in Cert struct
This commit is contained in:
David Garske
GitHub
@@ -8171,7 +8171,6 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_chain_up_ref(
|
|||||||
}
|
}
|
||||||
#endif /* WOLFSSL_CERT_REQ */
|
#endif /* WOLFSSL_CERT_REQ */
|
||||||
|
|
||||||
#ifdef WOLFSSL_ALT_NAMES
|
|
||||||
/* converts WOLFSSL_AN1_TIME to Cert form, returns positive size on
|
/* converts WOLFSSL_AN1_TIME to Cert form, returns positive size on
|
||||||
* success */
|
* success */
|
||||||
static int CertDateFromX509(byte* out, int outSz, WOLFSSL_ASN1_TIME* t)
|
static int CertDateFromX509(byte* out, int outSz, WOLFSSL_ASN1_TIME* t)
|
||||||
@@ -8189,7 +8188,6 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_chain_up_ref(
|
|||||||
}
|
}
|
||||||
return t->length + sz;
|
return t->length + sz;
|
||||||
}
|
}
|
||||||
#endif /* WOLFSSL_ALT_NAMES */
|
|
||||||
|
|
||||||
/* convert a WOLFSSL_X509 to a Cert structure for writing out */
|
/* convert a WOLFSSL_X509 to a Cert structure for writing out */
|
||||||
static int CertFromX509(Cert* cert, WOLFSSL_X509* x509)
|
static int CertFromX509(Cert* cert, WOLFSSL_X509* x509)
|
||||||
@@ -8209,7 +8207,6 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_chain_up_ref(
|
|||||||
|
|
||||||
cert->version = (int)wolfSSL_X509_get_version(x509);
|
cert->version = (int)wolfSSL_X509_get_version(x509);
|
||||||
|
|
||||||
#ifdef WOLFSSL_ALT_NAMES
|
|
||||||
if (x509->notBefore.length > 0) {
|
if (x509->notBefore.length > 0) {
|
||||||
cert->beforeDateSz = CertDateFromX509(cert->beforeDate,
|
cert->beforeDateSz = CertDateFromX509(cert->beforeDate,
|
||||||
CTC_DATE_SIZE, &x509->notBefore);
|
CTC_DATE_SIZE, &x509->notBefore);
|
||||||
@@ -8234,6 +8231,7 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_chain_up_ref(
|
|||||||
cert->afterDateSz = 0;
|
cert->afterDateSz = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef WOLFSSL_ALT_NAMES
|
||||||
cert->altNamesSz = FlattenAltNames(cert->altNames,
|
cert->altNamesSz = FlattenAltNames(cert->altNames,
|
||||||
sizeof(cert->altNames), x509->altNames);
|
sizeof(cert->altNames), x509->altNames);
|
||||||
#endif /* WOLFSSL_ALT_NAMES */
|
#endif /* WOLFSSL_ALT_NAMES */
|
||||||
|
|||||||
56
tests/api.c
56
tests/api.c
@@ -38533,7 +38533,12 @@ static void test_wolfSSL_PEM_write_bio_X509(void)
|
|||||||
|
|
||||||
BIO* input;
|
BIO* input;
|
||||||
BIO* output;
|
BIO* output;
|
||||||
X509* x509 = NULL;
|
X509* x509a = NULL;
|
||||||
|
X509* x509b = NULL;
|
||||||
|
ASN1_TIME* notBeforeA = NULL;
|
||||||
|
ASN1_TIME* notAfterA = NULL;
|
||||||
|
ASN1_TIME* notBeforeB = NULL;
|
||||||
|
ASN1_TIME* notAfterB = NULL;
|
||||||
int expectedLen;
|
int expectedLen;
|
||||||
|
|
||||||
printf(testingFmt, "wolfSSL_PEM_write_bio_X509()");
|
printf(testingFmt, "wolfSSL_PEM_write_bio_X509()");
|
||||||
@@ -38542,51 +38547,50 @@ static void test_wolfSSL_PEM_write_bio_X509(void)
|
|||||||
"certs/test/cert-ext-multiple.pem", "rb"));
|
"certs/test/cert-ext-multiple.pem", "rb"));
|
||||||
AssertIntEQ(wolfSSL_BIO_get_len(input), 2000);
|
AssertIntEQ(wolfSSL_BIO_get_len(input), 2000);
|
||||||
|
|
||||||
|
/* read PEM into X509 struct, get notBefore / notAfter to verify against */
|
||||||
|
AssertNotNull(PEM_read_bio_X509(input, &x509a, NULL, NULL));
|
||||||
|
AssertNotNull(notBeforeA = X509_get_notBefore(x509a));
|
||||||
|
AssertNotNull(notAfterA = X509_get_notAfter(x509a));
|
||||||
|
|
||||||
|
/* write X509 back to PEM BIO */
|
||||||
AssertNotNull(output = BIO_new(wolfSSL_BIO_s_mem()));
|
AssertNotNull(output = BIO_new(wolfSSL_BIO_s_mem()));
|
||||||
|
AssertIntEQ(PEM_write_bio_X509(output, x509a), WOLFSSL_SUCCESS);
|
||||||
AssertNotNull(PEM_read_bio_X509(input, &x509, NULL, NULL));
|
/* compare length against expected */
|
||||||
|
|
||||||
AssertIntEQ(PEM_write_bio_X509(output, x509), WOLFSSL_SUCCESS);
|
|
||||||
|
|
||||||
#ifdef WOLFSSL_ALT_NAMES
|
|
||||||
/* Here we copy the validity struct from the original */
|
|
||||||
expectedLen = 2000;
|
expectedLen = 2000;
|
||||||
#else
|
|
||||||
/* Only difference is that we generate the validity in generalized
|
|
||||||
* time. Generating UTCTime vs Generalized time should be fixed in
|
|
||||||
* the future */
|
|
||||||
expectedLen = 2004;
|
|
||||||
#endif
|
|
||||||
AssertIntEQ(wolfSSL_BIO_get_len(output), expectedLen);
|
AssertIntEQ(wolfSSL_BIO_get_len(output), expectedLen);
|
||||||
|
|
||||||
|
/* read exported X509 PEM back into struct, sanity check on export,
|
||||||
|
* make sure notBefore/notAfter are the same. */
|
||||||
|
AssertNotNull(PEM_read_bio_X509(output, &x509b, NULL, NULL));
|
||||||
|
AssertNotNull(notBeforeB = X509_get_notBefore(x509b));
|
||||||
|
AssertNotNull(notAfterB = X509_get_notAfter(x509b));
|
||||||
|
AssertIntEQ(ASN1_TIME_compare(notBeforeA, notBeforeB), 0);
|
||||||
|
AssertIntEQ(ASN1_TIME_compare(notAfterA, notAfterB), 0);
|
||||||
|
X509_free(x509b);
|
||||||
|
|
||||||
/* Reset output buffer */
|
/* Reset output buffer */
|
||||||
BIO_free(output);
|
BIO_free(output);
|
||||||
AssertNotNull(output = BIO_new(wolfSSL_BIO_s_mem()));
|
AssertNotNull(output = BIO_new(wolfSSL_BIO_s_mem()));
|
||||||
|
|
||||||
/* Test forcing the AKID to be generated just from KeyIdentifier */
|
/* Test forcing the AKID to be generated just from KeyIdentifier */
|
||||||
if (x509->authKeyIdSrc != NULL) {
|
if (x509a->authKeyIdSrc != NULL) {
|
||||||
XMEMMOVE(x509->authKeyIdSrc, x509->authKeyId, x509->authKeyIdSz);
|
XMEMMOVE(x509a->authKeyIdSrc, x509a->authKeyId, x509a->authKeyIdSz);
|
||||||
x509->authKeyId = x509->authKeyIdSrc;
|
x509a->authKeyId = x509a->authKeyIdSrc;
|
||||||
x509->authKeyIdSrc = NULL;
|
x509a->authKeyIdSrc = NULL;
|
||||||
x509->authKeyIdSrcSz = 0;
|
x509a->authKeyIdSrcSz = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
AssertIntEQ(PEM_write_bio_X509(output, x509), WOLFSSL_SUCCESS);
|
AssertIntEQ(PEM_write_bio_X509(output, x509a), WOLFSSL_SUCCESS);
|
||||||
|
|
||||||
/* Check that we generate a smaller output since the AKID will
|
/* Check that we generate a smaller output since the AKID will
|
||||||
* only contain the KeyIdentifier without any additional
|
* only contain the KeyIdentifier without any additional
|
||||||
* information */
|
* information */
|
||||||
|
|
||||||
#ifdef WOLFSSL_ALT_NAMES
|
|
||||||
/* Here we copy the validity struct from the original */
|
/* Here we copy the validity struct from the original */
|
||||||
expectedLen = 1688;
|
expectedLen = 1688;
|
||||||
#else
|
|
||||||
/* UTCTime vs Generalized time */
|
|
||||||
expectedLen = 1692;
|
|
||||||
#endif
|
|
||||||
AssertIntEQ(wolfSSL_BIO_get_len(output), expectedLen);
|
AssertIntEQ(wolfSSL_BIO_get_len(output), expectedLen);
|
||||||
|
|
||||||
X509_free(x509);
|
X509_free(x509a);
|
||||||
BIO_free(input);
|
BIO_free(input);
|
||||||
BIO_free(output);
|
BIO_free(output);
|
||||||
|
|
||||||
|
|||||||
@@ -21752,7 +21752,6 @@ static void SetTime(struct tm* date, byte* output)
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef WOLFSSL_ALT_NAMES
|
|
||||||
#ifndef WOLFSSL_ASN_TEMPLATE
|
#ifndef WOLFSSL_ASN_TEMPLATE
|
||||||
|
|
||||||
/* Copy Dates from cert, return bytes written */
|
/* Copy Dates from cert, return bytes written */
|
||||||
@@ -21773,7 +21772,6 @@ static int CopyValidity(byte* output, Cert* cert)
|
|||||||
}
|
}
|
||||||
|
|
||||||
#endif /* !WOLFSSL_ASN_TEMPLATE */
|
#endif /* !WOLFSSL_ASN_TEMPLATE */
|
||||||
#endif
|
|
||||||
|
|
||||||
|
|
||||||
/* Simple name OID size. */
|
/* Simple name OID size. */
|
||||||
@@ -23997,16 +23995,14 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
|
|||||||
return PUBLIC_KEY_E;
|
return PUBLIC_KEY_E;
|
||||||
|
|
||||||
der->validitySz = 0;
|
der->validitySz = 0;
|
||||||
#ifdef WOLFSSL_ALT_NAMES
|
/* copy date validity if already set in cert struct */
|
||||||
/* date validity copy ? */
|
|
||||||
if (cert->beforeDateSz && cert->afterDateSz) {
|
if (cert->beforeDateSz && cert->afterDateSz) {
|
||||||
der->validitySz = CopyValidity(der->validity, cert);
|
der->validitySz = CopyValidity(der->validity, cert);
|
||||||
if (der->validitySz <= 0)
|
if (der->validitySz <= 0)
|
||||||
return DATE_E;
|
return DATE_E;
|
||||||
}
|
}
|
||||||
#endif
|
|
||||||
|
|
||||||
/* date validity */
|
/* set date validity using daysValid if not set already */
|
||||||
if (der->validitySz == 0) {
|
if (der->validitySz == 0) {
|
||||||
der->validitySz = SetValidity(der->validity, cert->daysValid);
|
der->validitySz = SetValidity(der->validity, cert->daysValid);
|
||||||
if (der->validitySz <= 0)
|
if (der->validitySz <= 0)
|
||||||
|
|||||||
@@ -390,11 +390,11 @@ typedef struct Cert {
|
|||||||
#ifdef WOLFSSL_ALT_NAMES
|
#ifdef WOLFSSL_ALT_NAMES
|
||||||
byte altNames[CTC_MAX_ALT_SIZE]; /* altNames copy */
|
byte altNames[CTC_MAX_ALT_SIZE]; /* altNames copy */
|
||||||
int altNamesSz; /* altNames size in bytes */
|
int altNamesSz; /* altNames size in bytes */
|
||||||
|
#endif
|
||||||
byte beforeDate[CTC_DATE_SIZE]; /* before date copy */
|
byte beforeDate[CTC_DATE_SIZE]; /* before date copy */
|
||||||
int beforeDateSz; /* size of copy */
|
int beforeDateSz; /* size of copy */
|
||||||
byte afterDate[CTC_DATE_SIZE]; /* after date copy */
|
byte afterDate[CTC_DATE_SIZE]; /* after date copy */
|
||||||
int afterDateSz; /* size of copy */
|
int afterDateSz; /* size of copy */
|
||||||
#endif
|
|
||||||
#ifdef WOLFSSL_CERT_EXT
|
#ifdef WOLFSSL_CERT_EXT
|
||||||
byte skid[CTC_MAX_SKID_SIZE]; /* Subject Key Identifier */
|
byte skid[CTC_MAX_SKID_SIZE]; /* Subject Key Identifier */
|
||||||
int skidSz; /* SKID size in bytes */
|
int skidSz; /* SKID size in bytes */
|
||||||
|
|||||||
Reference in New Issue
Block a user