feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Trusted peer certificate use

Browse Source
This commit is contained in:
Jacob Barthelmeh
2016-02-24 15:51:29 -07:00
parent 7c63ac4f6a
commit 7df22ee210
7 changed files with 454 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
examples/server/server.c
View File

@@ -685,6 +685,12 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
SSL_VERIFY_FAIL_IF_NO_PEER_CERT),0); SSL_VERIFY_FAIL_IF_NO_PEER_CERT),0);
if (SSL_CTX_load_verify_locations(ctx, verifyCert, 0) != SSL_SUCCESS) if (SSL_CTX_load_verify_locations(ctx, verifyCert, 0) != SSL_SUCCESS)
err_sys("can't load ca file, Please run from wolfSSL home dir"); err_sys("can't load ca file, Please run from wolfSSL home dir");
#ifdef WOLFSSL_TRUST_PEER_CERT
if ((ret = wolfSSL_CTX_trust_peer_cert(ctx,
"./certs/client-cert.pem", SSL_FILETYPE_PEM)) != SSL_SUCCESS) {
err_sys("can't load trusted peer cert file");
}
#endif /* WOLFSSL_TRUST_PEER_CERT */
} }
#endif #endif

309
src/ssl.c
View File

@@ -1705,6 +1705,14 @@ WOLFSSL_CERT_MANAGER* wolfSSL_CertManagerNew(void)
wolfSSL_CertManagerFree(cm); wolfSSL_CertManagerFree(cm);
return NULL; return NULL;
} }
#ifdef WOLFSSL_TRUST_PEER_CERT
if (InitMutex(&cm->tpLock) != 0) {
WOLFSSL_MSG("Bad mutex init");
wolfSSL_CertManagerFree(cm);
return NULL;
}
#endif
} }
return cm; return cm;
@@ -1731,6 +1739,12 @@ void wolfSSL_CertManagerFree(WOLFSSL_CERT_MANAGER* cm)
#endif #endif
FreeSignerTable(cm->caTable, CA_TABLE_SIZE, NULL); FreeSignerTable(cm->caTable, CA_TABLE_SIZE, NULL);
FreeMutex(&cm->caLock); FreeMutex(&cm->caLock);
#ifdef WOLFSSL_TRUST_PEER_CERT
FreeTrustedPeerTable(cm->tpTable, TP_TABLE_SIZE, NULL);
FreeMutex(&cm->tpLock);
#endif
XFREE(cm, NULL, DYNAMIC_TYPE_CERT_MANAGER); XFREE(cm, NULL, DYNAMIC_TYPE_CERT_MANAGER);
} }
@@ -1757,6 +1771,27 @@ int wolfSSL_CertManagerUnloadCAs(WOLFSSL_CERT_MANAGER* cm)
} }
#ifdef WOLFSSL_TRUST_PEER_CERT
int wolfSSL_CertManagerUnload_trust_peers(WOLFSSL_CERT_MANAGER* cm)
{
WOLFSSL_ENTER("wolfSSL_CertManagerUnload_trust_peers");
if (cm == NULL)
return BAD_FUNC_ARG;
if (LockMutex(&cm->tpLock) != 0)
return BAD_MUTEX_E;
FreeTrustedPeerTable(cm->tpTable, TP_TABLE_SIZE, NULL);
UnLockMutex(&cm->tpLock);
return SSL_SUCCESS;
}
#endif /* WOLFSSL_TRUST_PEER_CERT */
/* Return bytes written to buff or < 0 for error */ /* Return bytes written to buff or < 0 for error */
int wolfSSL_CertPemToDer(const unsigned char* pem, int pemSz, int wolfSSL_CertPemToDer(const unsigned char* pem, int pemSz,
unsigned char* buff, int buffSz, int type) unsigned char* buff, int buffSz, int type)
@@ -2179,6 +2214,95 @@ int AlreadySigner(WOLFSSL_CERT_MANAGER* cm, byte* hash)
} }
#ifdef WOLFSSL_TRUST_PEER_CERT
/* does trusted peer already exist on signer list */
int AlreadyTrustedPeer(WOLFSSL_CERT_MANAGER* cm, byte* hash)
{
TrustedPeerCert* tp;
int ret = 0;
word32 row = HashSigner(hash);
if (LockMutex(&cm->tpLock) != 0)
return ret;
tp = cm->tpTable[row];
while (tp) {
byte* subjectHash;
#ifndef NO_SKID
subjectHash = tp->subjectKeyIdHash;
#else
subjectHash = tp->subjectNameHash;
#endif
if (XMEMCMP(hash, subjectHash, SIGNER_DIGEST_SIZE) == 0) {
ret = 1;
break;
}
tp = tp->next;
}
UnLockMutex(&cm->tpLock);
return ret;
}
/* return Trusted Peer if found, otherwise NULL */
TrustedPeerCert* GetTrustedPeer(void* vp, byte* hash)
{
WOLFSSL_CERT_MANAGER* cm = (WOLFSSL_CERT_MANAGER*)vp;
TrustedPeerCert* ret = NULL;
TrustedPeerCert* tp = NULL;
word32 row;
if (cm == NULL || hash == NULL)
return NULL;
row = HashSigner(hash);
if (LockMutex(&cm->tpLock) != 0)
return ret;
tp = cm->tpTable[row];
while (tp) {
byte* subjectHash;
#ifndef NO_SKID
subjectHash = tp->subjectKeyIdHash;
#else
subjectHash = tp->subjectNameHash;
#endif
if (XMEMCMP(hash, subjectHash, SIGNER_DIGEST_SIZE) == 0) {
ret = tp;
break;
}
tp = tp->next;
}
UnLockMutex(&cm->tpLock);
return ret;
}
int MatchTrustedPeer(TrustedPeerCert* tp, DecodedCert* cert)
{
if (tp == NULL || cert == NULL)
return BAD_FUNC_ARG;
/* subject key id or subject hash has been compared when searching
tpTable for the cert from function GetTrustedPeer */
/* compare signatures */
if (tp->sigLen == cert->sigLength) {
/* compare first four before comparing all */
if (XMEMCMP(tp->sig, cert->signature, cert->sigLength)) {
return SSL_FAILURE;
}
}
else {
return SSL_FAILURE;
}
return SSL_SUCCESS;
}
#endif /* WOLFSSL_TRUST_PEER_CERT */
/* return CA if found, otherwise NULL */ /* return CA if found, otherwise NULL */
Signer* GetCA(void* vp, byte* hash) Signer* GetCA(void* vp, byte* hash)
{ {
@@ -2245,6 +2369,123 @@ Signer* GetCAByName(void* vp, byte* hash)
#endif #endif
#ifdef WOLFSSL_TRUST_PEER_CERT
/* add a trusted peer cert to linked list */
int AddTrustedPeer(WOLFSSL_CERT_MANAGER* cm, DerBuffer* der, int verify)
{
int ret, row;
TrustedPeerCert* peerCert;
DecodedCert* cert = NULL;
byte* subjectHash = NULL;
WOLFSSL_MSG("Adding a Trusted Peer Cert");
cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
DYNAMIC_TYPE_TMP_BUFFER);
if (cert == NULL)
return MEMORY_E;
InitDecodedCert(cert, der->buffer, der->length, cm->heap);
if ((ret = ParseCert(cert, TRUSTED_PEER_TYPE, verify, cm)) != 0) {
XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
return ret;
}
WOLFSSL_MSG(" Parsed new trusted peer cert");
peerCert = (TrustedPeerCert*)XMALLOC(sizeof(TrustedPeerCert), NULL,
DYNAMIC_TYPE_CERT);
if (peerCert == NULL) {
FreeDecodedCert(cert);
XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
return MEMORY_E;
}
XMEMSET(peerCert, 0, sizeof(TrustedPeerCert));
#ifndef NO_SKID
subjectHash = cert->extSubjKeyId;
#else
subjectHash = cert->subjectHash;
#endif
#ifndef IGNORE_NAME_CONSTRAINTS
if (peerCert->permittedNames)
FreeNameSubtrees(peerCert->permittedNames, cm->heap);
if (peerCert->excludedNames)
FreeNameSubtrees(peerCert->excludedNames, cm->heap);
#endif
if (AlreadyTrustedPeer(cm, subjectHash)) {
WOLFSSL_MSG(" Already have this CA, not adding again");
(void)ret;
}
else {
/* add trusted peer signature */
peerCert->sigLen = cert->sigLength;
peerCert->sig = XMALLOC(cert->sigLength, cm->heap,
DYNAMIC_TYPE_SIGNATURE);
if (peerCert->sig == NULL) {
FreeDecodedCert(cert);
XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
FreeTrustedPeer(peerCert, cm->heap);
return MEMORY_E;
}
XMEMCPY(peerCert->sig, cert->signature, cert->sigLength);
/* add trusted peer name */
peerCert->nameLen = cert->subjectCNLen;
peerCert->name = cert->subjectCN;
#ifndef IGNORE_NAME_CONSTRAINTS
peerCert->permittedNames = cert->permittedNames;
peerCert->excludedNames = cert->excludedNames;
#endif
/* add SKID when available and hash of name */
#ifndef NO_SKID
XMEMCPY(peerCert->subjectKeyIdHash, cert->extSubjKeyId,
SIGNER_DIGEST_SIZE);
#endif
XMEMCPY(peerCert->subjectNameHash, cert->subjectHash,
SIGNER_DIGEST_SIZE);
peerCert->next = NULL; /* If Key Usage not set, all uses valid. */
cert->subjectCN = 0;
#ifndef IGNORE_NAME_CONSTRAINTS
cert->permittedNames = NULL;
cert->excludedNames = NULL;
#endif
#ifndef NO_SKID
row = HashSigner(peerCert->subjectKeyIdHash);
#else
row = HashSigner(peerCert->subjectNameHash);
#endif
if (LockMutex(&cm->tpLock) == 0) {
peerCert->next = cm->tpTable[row];
cm->tpTable[row] = peerCert; /* takes ownership */
UnLockMutex(&cm->tpLock);
}
else {
WOLFSSL_MSG(" Trusted Peer Cert Mutex Lock failed");
FreeDecodedCert(cert);
XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
FreeTrustedPeer(peerCert, cm->heap);
return BAD_MUTEX_E;
}
}
WOLFSSL_MSG(" Freeing parsed trusted peer cert");
FreeDecodedCert(cert);
XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
WOLFSSL_MSG(" Freeing der trusted peer cert");
FreeDer(der);
WOLFSSL_MSG(" OK Freeing der trusted peer cert");
WOLFSSL_LEAVE("AddTrustedPeer", ret);
return SSL_SUCCESS;
}
#endif /* WOLFSSL_TRUST_PEER_CERT */
/* owns der, internal now uses too */ /* owns der, internal now uses too */
/* type flag ids from user or from chain received during verify /* type flag ids from user or from chain received during verify
don't allow chain ones to be added w/o isCA extension */ don't allow chain ones to be added w/o isCA extension */
@@ -2647,6 +2888,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
switch (type) { switch (type) {
case CA_TYPE: /* same as below */ case CA_TYPE: /* same as below */
case TRUSTED_PEER_TYPE:
case CERT_TYPE: header=BEGIN_CERT; footer=END_CERT; break; case CERT_TYPE: header=BEGIN_CERT; footer=END_CERT; break;
case CRL_TYPE: header=BEGIN_X509_CRL; footer=END_X509_CRL; break; case CRL_TYPE: header=BEGIN_X509_CRL; footer=END_X509_CRL; break;
case DH_PARAM_TYPE: header=BEGIN_DH_PARAM; footer=END_DH_PARAM; break; case DH_PARAM_TYPE: header=BEGIN_DH_PARAM; footer=END_DH_PARAM; break;
@@ -3085,6 +3327,17 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
/* verify CA unless user set to no verify */ /* verify CA unless user set to no verify */
return AddCA(ctx->cm, &der, WOLFSSL_USER_CA, !ctx->verifyNone); return AddCA(ctx->cm, &der, WOLFSSL_USER_CA, !ctx->verifyNone);
} }
#ifdef WOLFSSL_TRUST_PEER_CERT
else if (type == TRUSTED_PEER_TYPE) {
if (ctx == NULL) {
WOLFSSL_MSG("Need context for trusted peer cert load");
XFREE(der.buffer, heap, dynamicType);
return BAD_FUNC_ARG;
}
/* add trusted peer cert */
return AddTrustedPeer(ctx->cm, &der, !ctx->verifyNone);
}
#endif /* WOLFSSL_TRUST_PEER_CERT */
else if (type == CERT_TYPE) { else if (type == CERT_TYPE) {
if (ssl) { if (ssl) {
/* Make sure previous is free'd */ /* Make sure previous is free'd */
@@ -3817,7 +4070,8 @@ int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type,
if ( (ret = (int)XFREAD(myBuffer, sz, 1, file)) < 0) if ( (ret = (int)XFREAD(myBuffer, sz, 1, file)) < 0)
ret = SSL_BAD_FILE; ret = SSL_BAD_FILE;
else { else {
if (type == CA_TYPE && format == SSL_FILETYPE_PEM) if ((type == CA_TYPE || type == TRUSTED_PEER_TYPE)
&& format == SSL_FILETYPE_PEM)
ret = ProcessChainBuffer(ctx, myBuffer, sz, format, type, ssl); ret = ProcessChainBuffer(ctx, myBuffer, sz, format, type, ssl);
#ifdef HAVE_CRL #ifdef HAVE_CRL
else if (type == CRL_TYPE) else if (type == CRL_TYPE)
@@ -3947,6 +4201,31 @@ int wolfSSL_CTX_load_verify_locations(WOLFSSL_CTX* ctx, const char* file,
} }
#ifdef WOLFSSL_TRUST_PEER_CERT
/* Used to specify a peer cert to match when connecting
ctx : the ctx structure to load in peer cert
file: the string name of cert file
type: type of format such as PEM/DER
*/
int wolfSSL_CTX_trust_peer_cert(WOLFSSL_CTX* ctx, const char* file, int type)
{
int ret;
WOLFSSL_ENTER("wolfSSL_CTX_trust_peer_cert");
if (ctx == NULL || file == NULL) {
return SSL_FAILURE;
}
if ((ret = ProcessFile(ctx, file, type, TRUSTED_PEER_TYPE, NULL, 0, NULL))
== SSL_SUCCESS) {
}
return ret;
}
#endif /* WOLFSSL_TRUST_PEER_CERT */
/* Verify the certificate, SSL_SUCCESS for ok, < 0 for error */ /* Verify the certificate, SSL_SUCCESS for ok, < 0 for error */
int wolfSSL_CertManagerVerify(WOLFSSL_CERT_MANAGER* cm, const char* fname, int wolfSSL_CertManagerVerify(WOLFSSL_CERT_MANAGER* cm, const char* fname,
int format) int format)
@@ -7364,6 +7643,22 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
} }
#ifdef WOLFSSL_TRUST_PEER_CERT
int wolfSSL_CTX_trust_peer_buffer(WOLFSSL_CTX* ctx,
const unsigned char* in,
long sz, int format)
{
WOLFSSL_ENTER("wolfSSL_CTX_trust_peer_buffer");
if (format == SSL_FILETYPE_PEM)
return ProcessChainBuffer(ctx, in, sz, format,
TRUSTED_PEER_TYPE, NULL);
else
return ProcessBuffer(ctx, in, sz, format, TRUSTED_PEER_TYPE,
NULL,NULL,0);
}
#endif /* WOLFSSL_TRUST_PEER_CERT */
int wolfSSL_CTX_use_certificate_buffer(WOLFSSL_CTX* ctx, int wolfSSL_CTX_use_certificate_buffer(WOLFSSL_CTX* ctx,
const unsigned char* in, long sz, int format) const unsigned char* in, long sz, int format)
{ {
@@ -7548,6 +7843,18 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
return wolfSSL_CertManagerUnloadCAs(ctx->cm); return wolfSSL_CertManagerUnloadCAs(ctx->cm);
} }
#ifdef WOLFSSL_TRUST_PEER_CERT
int wolfSSL_CTX_Unload_trust_peers(WOLFSSL_CTX* ctx)
{
WOLFSSL_ENTER("wolfSSL_CTX_Unload_trust_peers");
if (ctx == NULL)
return BAD_FUNC_ARG;
return wolfSSL_CertManagerUnload_trust_peers(ctx->cm);
}
#endif /* WOLFSSL_TRUST_PEER_CERT */
/* old NO_FILESYSTEM end */ /* old NO_FILESYSTEM end */
#endif /* !NO_CERTS */ #endif /* !NO_CERTS */

78
wolfcrypt/src/asn.c
View File

@@ -4905,6 +4905,10 @@ int ParseCert(DecodedCert* cert, int type, int verify, void* cm)
extern "C" { extern "C" {
#endif #endif
WOLFSSL_LOCAL Signer* GetCA(void* signers, byte* hash); WOLFSSL_LOCAL Signer* GetCA(void* signers, byte* hash);
#ifdef WOLFSSL_TRUST_PEER_CERT
WOLFSSL_LOCAL TrustedPeerCert* GetTrustedPeer(void* signers, byte* hash);
WOLFSSL_LOCAL int MatchTrustedPeer(TrustedPeerCert* tp, DecodedCert* cert);
#endif /* WOLFSSL_TRUST_PEER_CERT */
#ifndef NO_SKID #ifndef NO_SKID
WOLFSSL_LOCAL Signer* GetCAByName(void* signers, byte* hash); WOLFSSL_LOCAL Signer* GetCAByName(void* signers, byte* hash);
#endif #endif
@@ -4999,7 +5003,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
} }
#endif #endif
if (verify && type != CA_TYPE) { if (verify && type != CA_TYPE && type != TRUSTED_PEER_TYPE) {
Signer* ca = NULL; Signer* ca = NULL;
#ifndef NO_SKID #ifndef NO_SKID
if (cert->extAuthKeyIdSet) if (cert->extAuthKeyIdSet)
@@ -5011,6 +5015,36 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
#endif /* NO SKID */ #endif /* NO SKID */
WOLFSSL_MSG("About to verify certificate signature"); WOLFSSL_MSG("About to verify certificate signature");
#ifdef WOLFSSL_TRUST_PEER_CERT
/* check for trusted peer cert */
{
TrustedPeerCert* tp = NULL;
#ifndef NO_SKID
if (cert->extAuthKeyIdSet)
tp = GetTrustedPeer(cm, cert->extAuthKeyId);
#else /* NO_SKID */
tp = GetTrustedPeer(cm, cert->issuerHash);
#endif /* NO SKID */
WOLFSSL_MSG("Checking for trusted peer cert");
if (tp == NULL) {
/* no trusted peer cert */
WOLFSSL_MSG("No matching trusted peer cert checking CAs");
} else if (MatchTrustedPeer(tp, cert)){
WOLFSSL_MSG("Found matching trusted peer cert");
if (badDate != 0)
return badDate;
if (criticalExt != 0)
return criticalExt;
return 0;
} else {
WOLFSSL_MSG("No matching trusted peer cert");
}
}
#endif /* WOLFSSL_TRUST_PEER_CERT */
if (ca) { if (ca) {
#ifdef HAVE_OCSP #ifdef HAVE_OCSP
/* Need the ca's public key hash for OCSP */ /* Need the ca's public key hash for OCSP */
@@ -5115,6 +5149,48 @@ void FreeSignerTable(Signer** table, int rows, void* heap)
} }
} }
#ifdef WOLFSSL_TRUST_PEER_CERT
/* Free an individual trusted peer cert */
void FreeTrustedPeer(TrustedPeerCert* tp, void* heap)
{
if (tp == NULL) {
return;
}
if (tp->name) {
XFREE(tp->name, heap, DYNAMIC_TYPE_SUBJECT_CN);
}
if (tp->sig) {
XFREE(tp->sig, heap, DYNAMIC_TYPE_SIGNATURE);
}
#ifndef IGNORE_NAME_CONSTRAINTS
if (tp->permittedNames)
FreeNameSubtrees(tp->permittedNames, heap);
if (tp->excludedNames)
FreeNameSubtrees(tp->excludedNames, heap);
#endif
XFREE(tp, heap, DYNAMIC_TYPE_CERT);
(void)heap;
}
/* Free the whole Trusted Peer linked list */
void FreeTrustedPeerTable(TrustedPeerCert** table, int rows, void* heap)
{
int i;
for (i = 0; i < rows; i++) {
TrustedPeerCert* tp = table[i];
while (tp) {
TrustedPeerCert* next = tp->next;
FreeTrustedPeer(tp, heap);
tp = next;
}
table[i] = NULL;
}
}
#endif /* WOLFSSL_TRUST_PEER_CERT */
WOLFSSL_LOCAL int SetMyVersion(word32 version, byte* output, int header) WOLFSSL_LOCAL int SetMyVersion(word32 version, byte* output, int header)
{ {

21
wolfssl/internal.h
View File

@@ -1435,17 +1435,27 @@ struct WOLFSSL_CRL {
#ifdef NO_ASN #ifdef NO_ASN
typedef struct Signer Signer; typedef struct Signer Signer;
#ifdef WOLFSSL_TRUST_PEER_CERT
typedef struct TrustedPeerCert TrustedPeerCert;
#endif
#endif #endif
#ifndef CA_TABLE_SIZE #ifndef CA_TABLE_SIZE
#define CA_TABLE_SIZE 11 #define CA_TABLE_SIZE 11
#endif #endif
#ifdef WOLFSSL_TRUST_PEER_CERT
#define TP_TABLE_SIZE 11
#endif
/* wolfSSL Certificate Manager */ /* wolfSSL Certificate Manager */
struct WOLFSSL_CERT_MANAGER { struct WOLFSSL_CERT_MANAGER {
Signer* caTable[CA_TABLE_SIZE]; /* the CA signer table */ Signer* caTable[CA_TABLE_SIZE]; /* the CA signer table */
void* heap; /* heap helper */ void* heap; /* heap helper */
#ifdef WOLFSSL_TRUST_PEER_CERT
TrustedPeerCert* tpTable[TP_TABLE_SIZE]; /* table of trusted peer certs */
wolfSSL_Mutex tpLock; /* trusted peer list lock */
#endif
WOLFSSL_CRL* crl; /* CRL checker */ WOLFSSL_CRL* crl; /* CRL checker */
WOLFSSL_OCSP* ocsp; /* OCSP checker */ WOLFSSL_OCSP* ocsp; /* OCSP checker */
#if !defined(NO_WOLFSSL_SEVER) && (defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ #if !defined(NO_WOLFSSL_SEVER) && (defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
@@ -1934,6 +1944,12 @@ int ProcessOldClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
int AddCA(WOLFSSL_CERT_MANAGER* ctx, DerBuffer* der, int type, int verify); int AddCA(WOLFSSL_CERT_MANAGER* ctx, DerBuffer* der, int type, int verify);
WOLFSSL_LOCAL WOLFSSL_LOCAL
int AlreadySigner(WOLFSSL_CERT_MANAGER* cm, byte* hash); int AlreadySigner(WOLFSSL_CERT_MANAGER* cm, byte* hash);
#ifdef WOLFSSL_TRUST_PEER_CERT
WOLFSSL_LOCAL
int AddTrustedPeer(WOLFSSL_CERT_MANAGER* cm, DerBuffer* der, int verify);
WOLFSSL_LOCAL
int AlreadyTrustedPeer(WOLFSSL_CERT_MANAGER* cm, byte* hash);
#endif
#endif #endif
/* All cipher suite related info */ /* All cipher suite related info */
@@ -2820,6 +2836,11 @@ WOLFSSL_LOCAL int VerifyClientSuite(WOLFSSL* ssl);
const byte* plain, word32 plainSz, const byte* plain, word32 plainSz,
RsaKey* key); RsaKey* key);
#endif #endif
#ifdef WOLFSSL_TRUST_PEER_CERT
WOLFSSL_LOCAL TrustedPeerCert* GetTrustedPeer(void* vp, byte* hash);
WOLFSSL_LOCAL int MatchTrustedPeer(TrustedPeerCert* tp,
DecodedCert* cert);
#endif
WOLFSSL_LOCAL Signer* GetCA(void* cm, byte* hash); WOLFSSL_LOCAL Signer* GetCA(void* cm, byte* hash);
#ifndef NO_SKID #ifndef NO_SKID
WOLFSSL_LOCAL Signer* GetCAByName(void* cm, byte* hash); WOLFSSL_LOCAL Signer* GetCAByName(void* cm, byte* hash);

11
wolfssl/ssl.h
View File

@@ -229,6 +229,9 @@ WOLFSSL_API int wolfSSL_CTX_use_certificate_file(WOLFSSL_CTX*, const char*, int)
WOLFSSL_API int wolfSSL_CTX_use_PrivateKey_file(WOLFSSL_CTX*, const char*, int); WOLFSSL_API int wolfSSL_CTX_use_PrivateKey_file(WOLFSSL_CTX*, const char*, int);
WOLFSSL_API int wolfSSL_CTX_load_verify_locations(WOLFSSL_CTX*, const char*, WOLFSSL_API int wolfSSL_CTX_load_verify_locations(WOLFSSL_CTX*, const char*,
const char*); const char*);
#ifdef WOLFSSL_TRUST_PEER_CERT
WOLFSSL_API int wolfSSL_CTX_trust_peer_cert(WOLFSSL_CTX*, const char*, int);
#endif
WOLFSSL_API int wolfSSL_CTX_use_certificate_chain_file(WOLFSSL_CTX *, WOLFSSL_API int wolfSSL_CTX_use_certificate_chain_file(WOLFSSL_CTX *,
const char *file); const char *file);
WOLFSSL_API int wolfSSL_CTX_use_RSAPrivateKey_file(WOLFSSL_CTX*, const char*, int); WOLFSSL_API int wolfSSL_CTX_use_RSAPrivateKey_file(WOLFSSL_CTX*, const char*, int);
@@ -968,6 +971,11 @@ WOLFSSL_API int wolfSSL_make_eap_keys(WOLFSSL*, void* key, unsigned int len,
#ifndef NO_CERTS #ifndef NO_CERTS
/* SSL_CTX versions */ /* SSL_CTX versions */
WOLFSSL_API int wolfSSL_CTX_UnloadCAs(WOLFSSL_CTX*); WOLFSSL_API int wolfSSL_CTX_UnloadCAs(WOLFSSL_CTX*);
#ifdef WOLFSSL_TRUST_PEER_CERT
WOLFSSL_API int wolfSSL_CTX_Unload_trust_peers(WOLFSSL_CTX*);
WOLFSSL_API int wolfSSL_CTX_trust_peer_buffer(WOLFSSL_CTX*,
const unsigned char*, long, int);
#endif
WOLFSSL_API int wolfSSL_CTX_load_verify_buffer(WOLFSSL_CTX*, WOLFSSL_API int wolfSSL_CTX_load_verify_buffer(WOLFSSL_CTX*,
const unsigned char*, long, int); const unsigned char*, long, int);
WOLFSSL_API int wolfSSL_CTX_use_certificate_buffer(WOLFSSL_CTX*, WOLFSSL_API int wolfSSL_CTX_use_certificate_buffer(WOLFSSL_CTX*,
@@ -1247,6 +1255,9 @@ WOLFSSL_API void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl);
WOLFSSL_API int wolfSSL_CertManagerLoadCABuffer(WOLFSSL_CERT_MANAGER*, WOLFSSL_API int wolfSSL_CertManagerLoadCABuffer(WOLFSSL_CERT_MANAGER*,
const unsigned char* in, long sz, int format); const unsigned char* in, long sz, int format);
WOLFSSL_API int wolfSSL_CertManagerUnloadCAs(WOLFSSL_CERT_MANAGER* cm); WOLFSSL_API int wolfSSL_CertManagerUnloadCAs(WOLFSSL_CERT_MANAGER* cm);
#ifdef WOLFSSL_TRUST_PEER_CERT
WOLFSSL_API int wolfSSL_CertManagerUnload_trust_peers(WOLFSSL_CERT_MANAGER* cm);
#endif
WOLFSSL_API int wolfSSL_CertManagerVerify(WOLFSSL_CERT_MANAGER*, const char* f, WOLFSSL_API int wolfSSL_CertManagerVerify(WOLFSSL_CERT_MANAGER*, const char* f,
int format); int format);
WOLFSSL_API int wolfSSL_CertManagerVerifyBuffer(WOLFSSL_CERT_MANAGER* cm, WOLFSSL_API int wolfSSL_CertManagerVerifyBuffer(WOLFSSL_CERT_MANAGER* cm,

30
wolfssl/wolfcrypt/asn.h
View File

@@ -365,6 +365,9 @@ struct DecodedName {
typedef struct DecodedCert DecodedCert; typedef struct DecodedCert DecodedCert;
typedef struct DecodedName DecodedName; typedef struct DecodedName DecodedName;
typedef struct Signer Signer; typedef struct Signer Signer;
#ifdef WOLFSSL_TRUST_PEER_CERT
typedef struct TrustedPeerCert TrustedPeerCert;
#endif /* WOLFSSL_TRUST_PEER_CERT */
struct DecodedCert { struct DecodedCert {
@@ -554,6 +557,28 @@ struct Signer {
}; };
#ifdef WOLFSSL_TRUST_PEER_CERT
/* used for having trusted peer certs rather then CA */
struct TrustedPeerCert {
int nameLen;
char* name; /* common name */
#ifndef IGNORE_NAME_CONSTRAINTS
Base_entry* permittedNames;
Base_entry* excludedNames;
#endif /* IGNORE_NAME_CONSTRAINTS */
byte subjectNameHash[SIGNER_DIGEST_SIZE];
/* sha hash of names in certificate */
#ifndef NO_SKID
byte subjectKeyIdHash[SIGNER_DIGEST_SIZE];
/* sha hash of names in certificate */
#endif
word32 sigLen;
byte* sig;
struct TrustedPeerCert* next;
};
#endif /* WOLFSSL_TRUST_PEER_CERT */
/* not for public consumption but may use for testing sometimes */ /* not for public consumption but may use for testing sometimes */
#ifdef WOLFSSL_TEST_CERT #ifdef WOLFSSL_TEST_CERT
#define WOLFSSL_TEST_API WOLFSSL_API #define WOLFSSL_TEST_API WOLFSSL_API
@@ -575,7 +600,10 @@ WOLFSSL_LOCAL int DecodeToKey(DecodedCert*, int verify);
WOLFSSL_LOCAL Signer* MakeSigner(void*); WOLFSSL_LOCAL Signer* MakeSigner(void*);
WOLFSSL_LOCAL void FreeSigner(Signer*, void*); WOLFSSL_LOCAL void FreeSigner(Signer*, void*);
WOLFSSL_LOCAL void FreeSignerTable(Signer**, int, void*); WOLFSSL_LOCAL void FreeSignerTable(Signer**, int, void*);
#ifdef WOLFSSL_TRUST_PEER_CERT
WOLFSSL_LOCAL void FreeTrustedPeer(TrustedPeerCert*, void*);
WOLFSSL_LOCAL void FreeTrustedPeerTable(TrustedPeerCert**, int, void*);
#endif /* WOLFSSL_TRUST_PEER_CERT */
WOLFSSL_LOCAL int ToTraditional(byte* buffer, word32 length); WOLFSSL_LOCAL int ToTraditional(byte* buffer, word32 length);
WOLFSSL_LOCAL int ToTraditionalEnc(byte* buffer, word32 length,const char*,int); WOLFSSL_LOCAL int ToTraditionalEnc(byte* buffer, word32 length,const char*,int);

3
wolfssl/wolfcrypt/asn_public.h
View File

@@ -50,7 +50,8 @@ enum CertType {
RSA_TYPE, RSA_TYPE,
PUBLICKEY_TYPE, PUBLICKEY_TYPE,
RSA_PUBLICKEY_TYPE, RSA_PUBLICKEY_TYPE,
ECC_PUBLICKEY_TYPE ECC_PUBLICKEY_TYPE,
TRUSTED_PEER_TYPE
}; };