diff --git a/certs/test/expired-ca.der b/certs/test/expired-ca.der
new file mode 100644
index 000000000..df9dd7508
Binary files /dev/null and b/certs/test/expired-ca.der differ
diff --git a/certs/test/expired-ca.pem b/certs/test/expired-ca.pem
index 6a0cf898e..319f38297 100644
--- a/certs/test/expired-ca.pem
+++ b/certs/test/expired-ca.pem
@@ -1,56 +1,69 @@ Certificate: Data: - Version: 3 (0x2) - Serial Number: - 8a:37:22:65:73:f5:aa:e8 - Signature Algorithm: md5WithRSAEncryption - Issuer: C=US, ST=Montana, L=Bozeman, O=sawtooth, OU=consulting, CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com + Version: 1 (0x0) + Serial Number: 4096 (0x1000) + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN=www.wolfssl.com, ST=Montana, C=US/emailAddress=info@wolfssl.com, OU=Engineering Validity - Not Before: Jun 30 18:47:10 2010 GMT - Not After : Mar 26 18:47:10 2013 GMT - Subject: C=US, ST=Montana, L=Bozeman, O=sawtooth, OU=consulting, CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com + Not Before: Jul 31 00:00:00 2018 GMT + Not After : Aug 30 00:00:00 2018 GMT + Subject: CN=www.wolfssl.com, ST=Montana, C=US/emailAddress=info@wolfssl.com, OU=Engineering Subject Public Key Info: Public Key Algorithm: rsaEncryption - RSA Public Key: (512 bit) - Modulus (512 bit): - 00:97:30:b9:1a:92:ef:25:4f:ca:4c:11:31:95:1a: - e1:c0:10:19:0a:20:b9:37:80:1a:57:38:02:4e:1b: - c5:0f:28:4f:da:e3:c9:16:aa:50:bd:4a:fb:b7:71: - c7:35:cc:63:81:c1:dd:9d:33:f9:38:16:88:32:a0: - aa:56:23:03:a3 + Public-Key: (2048 bit) + Modulus: + 00:bf:0c:ca:2d:14:b2:1e:84:42:5b:cd:38:1f:4a: + f2:4d:75:10:f1:b6:35:9f:df:ca:7d:03:98:d3:ac: + de:03:66:ee:2a:f1:d8:b0:7d:6e:07:54:0b:10:98: + 21:4d:80:cb:12:20:e7:cc:4f:de:45:7d:c9:72:77: + 32:ea:ca:90:bb:69:52:10:03:2f:a8:f3:95:c5:f1: + 8b:62:56:1b:ef:67:6f:a4:10:41:95:ad:0a:9b:e3: + a5:c0:b0:d2:70:76:50:30:5b:a8:e8:08:2c:7c:ed: + a7:a2:7a:8d:38:29:1c:ac:c7:ed:f2:7c:95:b0:95: + 82:7d:49:5c:38:cd:77:25:ef:bd:80:75:53:94:3c: + 3d:ca:63:5b:9f:15:b5:d3:1d:13:2f:19:d1:3c:db: + 76:3a:cc:b8:7d:c9:e5:c2:d7:da:40:6f:d8:21:dc: + 73:1b:42:2d:53:9c:fe:1a:fc:7d:ab:7a:36:3f:98: + de:84:7c:05:67:ce:6a:14:38:87:a9:f1:8c:b5:68: + cb:68:7f:71:20:2b:f5:a0:63:f5:56:2f:a3:26:d2: + b7:6f:b1:5a:17:d7:38:99:08:fe:93:58:6f:fe:c3: + 13:49:08:16:0b:a7:4d:67:00:52:31:67:23:4e:98: + 
ed:51:45:1d:b9:04:d9:0b:ec:d8:28:b3:4b:bd:ed: + 36:79 Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Subject Key Identifier: - 3B:66:FD:A0:40:C6:F4:E2:70:CF:21:1A:0C:4F:67:FE:B7:4B:42:09 - X509v3 Authority Key Identifier: - keyid:3B:66:FD:A0:40:C6:F4:E2:70:CF:21:1A:0C:4F:67:FE:B7:4B:42:09 - DirName:/C=US/ST=Montana/L=Bozeman/O=sawtooth/OU=consulting/CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com - serial:8A:37:22:65:73:F5:AA:E8 - - X509v3 Basic Constraints: - CA:TRUE - Signature Algorithm: md5WithRSAEncryption - 32:65:a2:b1:dc:6d:e0:8d:8b:c8:58:29:8e:b8:18:4b:62:88: - 13:67:f8:6c:75:46:75:8f:8a:19:a6:a3:d5:3c:fc:57:4e:7a: - 68:a9:fc:93:dc:ae:29:7d:bb:4e:ec:ea:55:fa:a4:e3:00:61: - f4:b0:34:6d:d1:d5:a4:64:24:f8 + Signature Algorithm: sha256WithRSAEncryption + 52:af:84:10:08:83:9a:39:c2:05:5c:33:fc:a6:a0:7c:ce:68: + 34:fa:cc:05:9f:8a:33:79:64:07:da:6c:17:85:91:ab:1d:be: + 32:45:c6:7f:54:b6:10:cf:ea:17:74:d4:d9:06:6e:71:5d:0d: + 40:72:21:07:79:20:63:b3:15:d5:b7:e6:1a:d6:d0:11:1a:60: + 7f:81:e9:9b:69:b4:67:4e:e2:22:1a:2f:9d:6a:3c:da:95:34: + a9:bf:2b:14:fa:fe:21:73:e7:c9:19:7d:2c:14:9f:9f:33:c1: + 83:35:9c:94:95:0e:e4:3e:29:17:95:a2:85:e3:ad:70:5f:6a: + ff:2d:8a:92:fb:58:f6:fe:46:2b:d0:e4:9d:9b:0d:d9:e4:39: + 0a:c5:e2:3d:17:de:95:cc:a4:1c:33:a1:75:02:ec:98:66:47: + b9:ce:e4:8f:7e:32:cd:38:ff:6f:3d:be:7a:44:bf:47:61:7a: + b7:5a:09:fa:1e:bf:3d:63:68:b3:15:00:87:fd:8d:b8:f6:b8: + 83:13:ff:f8:56:ed:14:05:4f:49:07:f9:33:6b:3f:fd:c6:7d: + ff:6b:04:d5:46:80:c1:6b:74:fd:e6:18:14:1d:3b:c6:12:67: + 0e:1e:8d:81:c4:a9:9c:59:ee:29:cd:cf:55:a6:bc:53:13:f4: + 51:bc:b7:b3 -----BEGIN CERTIFICATE----- -MIIDQDCCAuqgAwIBAgIJAIo3ImVz9aroMA0GCSqGSIb3DQEBBAUAMIGeMQswCQYD -VQQGEwJVUzEQMA4GA1UECBMHTW9udGFuYTEQMA4GA1UEBxMHQm96ZW1hbjERMA8G -A1UEChMIc2F3dG9vdGgxEzARBgNVBAsTCmNvbnN1bHRpbmcxJDAiBgNVBAMTG3d3 -dy5zYXd0b290aC1jb25zdWx0aW5nLmNvbTEdMBsGCSqGSIb3DQEJARYOaW5mb0B5 -YXNzbC5jb20wHhcNMTAwNjMwMTg0NzEwWhcNMTMwMzI2MTg0NzEwWjCBnjELMAkG 
-A1UEBhMCVVMxEDAOBgNVBAgTB01vbnRhbmExEDAOBgNVBAcTB0JvemVtYW4xETAP -BgNVBAoTCHNhd3Rvb3RoMRMwEQYDVQQLEwpjb25zdWx0aW5nMSQwIgYDVQQDExt3 -d3cuc2F3dG9vdGgtY29uc3VsdGluZy5jb20xHTAbBgkqhkiG9w0BCQEWDmluZm9A -eWFzc2wuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJcwuRqS7yVPykwRMZUa -4cAQGQoguTeAGlc4Ak4bxQ8oT9rjyRaqUL1K+7dxxzXMY4HB3Z0z+TgWiDKgqlYj -A6MCAwEAAaOCAQcwggEDMB0GA1UdDgQWBBQ7Zv2gQMb04nDPIRoMT2f+t0tCCTCB -0wYDVR0jBIHLMIHIgBQ7Zv2gQMb04nDPIRoMT2f+t0tCCaGBpKSBoTCBnjELMAkG -A1UEBhMCVVMxEDAOBgNVBAgTB01vbnRhbmExEDAOBgNVBAcTB0JvemVtYW4xETAP -BgNVBAoTCHNhd3Rvb3RoMRMwEQYDVQQLEwpjb25zdWx0aW5nMSQwIgYDVQQDExt3 -d3cuc2F3dG9vdGgtY29uc3VsdGluZy5jb20xHTAbBgkqhkiG9w0BCQEWDmluZm9A -eWFzc2wuY29tggkAijciZXP1qugwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQF -AANBADJlorHcbeCNi8hYKY64GEtiiBNn+Gx1RnWPihmmo9U8/FdOemip/JPcril9 -u07s6lX6pOMAYfSwNG3R1aRkJPg= +MIIDVTCCAj0CAhAAMA0GCSqGSIb3DQEBCwUAMHAxGDAWBgNVBAMMD3d3dy53b2xm +c3NsLmNvbTEQMA4GA1UECAwHTW9udGFuYTELMAkGA1UEBhMCVVMxHzAdBgkqhkiG +9w0BCQEWEGluZm9Ad29sZnNzbC5jb20xFDASBgNVBAsMC0VuZ2luZWVyaW5nMB4Y +DTIwMTgwNzMxMDAwMFoYDTIwMTgwODMwMDAwMFowcDEYMBYGA1UEAwwPd3d3Lndv +bGZzc2wuY29tMRAwDgYDVQQIDAdNb250YW5hMQswCQYDVQQGEwJVUzEfMB0GCSqG +SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTEUMBIGA1UECwwLRW5naW5lZXJpbmcw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/DMotFLIehEJbzTgfSvJN +dRDxtjWf38p9A5jTrN4DZu4q8diwfW4HVAsQmCFNgMsSIOfMT95FfclydzLqypC7 +aVIQAy+o85XF8YtiVhvvZ2+kEEGVrQqb46XAsNJwdlAwW6joCCx87aeieo04KRys +x+3yfJWwlYJ9SVw4zXcl772AdVOUPD3KY1ufFbXTHRMvGdE823Y6zLh9yeXC19pA +b9gh3HMbQi1TnP4a/H2rejY/mN6EfAVnzmoUOIep8Yy1aMtof3EgK/WgY/VWL6Mm +0rdvsVoX1ziZCP6TWG/+wxNJCBYLp01nAFIxZyNOmO1RRR25BNkL7Ngos0u97TZ5 +AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAFKvhBAIg5o5wgVcM/ymoHzOaDT6zAWf +ijN5ZAfabBeFkasdvjJFxn9UthDP6hd01NkGbnFdDUByIQd5IGOzFdW35hrW0BEa +YH+B6ZtptGdO4iIaL51qPNqVNKm/KxT6/iFz58kZfSwUn58zwYM1nJSVDuQ+KReV +ooXjrXBfav8tipL7WPb+RivQ5J2bDdnkOQrF4j0X3pXMpBwzoXUC7JhmR7nO5I9+ +Ms04/289vnpEv0dherdaCfoevz1jaLMVAIf9jbj2uIMT//hW7RQFT0kH+TNrP/3G 
+ff9rBNVGgMFrdP3mGBQdO8YSZw4ejYHEqZxZ7inNz1WmvFMT9FG8t7M= -----END CERTIFICATE----- diff --git a/certs/test/expired-cert.der b/certs/test/expired-cert.der new file mode 100644 index 000000000..32a1c4a43 Binary files /dev/null and b/certs/test/expired-cert.der differ diff --git a/certs/test/expired-cert.pem b/certs/test/expired-cert.pem index 1ec53c026..34cb7d253 100644 --- a/certs/test/expired-cert.pem +++ b/certs/test/expired-cert.pem 
@@ -1,39 +1,69 @@ Certificate: Data: Version: 1 (0x0) - Serial Number: 1 (0x1) - Signature Algorithm: md5WithRSAEncryption - Issuer: C=US, ST=Montana, L=Bozeman, O=sawtooth, OU=consulting, CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com + Serial Number: 4096 (0x1000) + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN=www.wolfssl.com, ST=Montana, C=US/emailAddress=info@wolfssl.com, OU=Engineering Validity - Not Before: Jun 30 18:52:17 2010 GMT - Not After : Mar 26 18:52:17 2013 GMT - Subject: C=US, ST=Montana, L=Bozeman, O=yaSSL, OU=support, CN=www.yassl.com/emailAddress=info@yassl.com + Not Before: Jul 31 00:00:00 2018 GMT + Not After : Aug 30 00:00:00 2018 GMT + Subject: CN=www.wolfssl.com, ST=Montana, C=US/emailAddress=info@wolfssl.com, OU=Engineering Subject Public Key Info: Public Key Algorithm: rsaEncryption - RSA Public Key: (512 bit) - Modulus (512 bit): - 00:c6:7b:c0:68:81:2f:de:82:3f:f9:ac:c3:86:4a: - 66:b7:ec:d4:f1:f6:64:21:ff:f5:a2:34:42:d0:38: - 9f:c6:dd:3b:6e:26:65:6a:54:96:dd:d2:7b:eb:36: - a2:ae:7e:2a:9e:7e:56:a5:b6:87:9f:15:c7:18:66: - 7e:16:77:e2:a7 + Public-Key: (2048 bit) + Modulus: + 00:c0:95:08:e1:57:41:f2:71:6d:b7:d2:45:41:27: + 01:65:c6:45:ae:f2:bc:24:30:b8:95:ce:2f:4e:d6: + f6:1c:88:bc:7c:9f:fb:a8:67:7f:fe:5c:9c:51:75: + f7:8a:ca:07:e7:35:2f:8f:e1:bd:7b:c0:2f:7c:ab: + 64:a8:17:fc:ca:5d:7b:ba:e0:21:e5:72:2e:6f:2e: + 86:d8:95:73:da:ac:1b:53:b9:5f:3f:d7:19:0d:25: + 4f:e1:63:63:51:8b:0b:64:3f:ad:43:b8:a5:1c:5c: + 34:b3:ae:00:a0:63:c5:f6:7f:0b:59:68:78:73:a6: + 8c:18:a9:02:6d:af:c3:19:01:2e:b8:10:e3:c6:cc: + 40:b4:69:a3:46:33:69:87:6e:c4:bb:17:a6:f3:e8: + dd:ad:73:bc:7b:2f:21:b5:fd:66:51:0c:bd:54:b3: + e1:6d:5f:1c:bc:23:73:d1:09:03:89:14:d2:10:b9: + 64:c3:2a:d0:a1:96:4a:bc:e1:d4:1a:5b:c7:a0:c0: + c1:63:78:0f:44:37:30:32:96:80:32:23:95:a1:77: + ba:13:d2:97:73:e2:5d:25:c9:6a:0d:c3:39:60:a4: + b4:b0:69:42:42:09:e9:d8:08:bc:33:20:b3:58:22: + a7:aa:eb:c4:e1:e6:61:83:c5:d2:96:df:d9:d0:4f: + ad:d7 Exponent: 65537 (0x10001) - 
Signature Algorithm: md5WithRSAEncryption - 58:a9:98:e7:16:52:4c:40:e7:e1:47:92:19:1b:3a:8f:97:6c: - 7b:b7:b0:cb:20:6d:ad:b5:d3:47:58:d8:e4:f2:3e:32:e9:ef: - 87:77:e5:54:36:f4:8d:50:8d:07:b4:77:45:ea:9d:a4:33:36: - 9b:0b:e0:74:58:11:c5:01:7b:4d + Signature Algorithm: sha256WithRSAEncryption + 3d:b8:e9:dc:03:4f:0c:79:ed:5d:b5:e8:45:99:b4:9e:fe:9b: + d9:88:aa:6c:de:1e:34:59:8a:4b:1c:39:0c:7a:a0:7d:24:c1: + 8d:54:d2:65:92:d4:5b:35:cb:de:fc:37:fe:b1:67:20:64:04: + 0a:8f:09:71:cf:d3:16:2e:dc:23:c8:7c:2e:72:35:54:ec:d3: + 63:5a:9d:63:93:42:b6:72:67:8f:80:83:6a:e3:d3:ad:28:87: + 46:4c:6e:56:d2:02:af:58:2e:a9:0e:e0:07:a6:f1:58:dd:17: + 82:27:f1:49:3b:8c:77:6f:08:96:d9:04:c8:ec:34:22:a5:b1: + e9:48:07:41:3c:aa:1e:e4:d9:75:1b:71:bd:4f:ec:5e:fd:2b: + 44:2e:81:cd:8c:b1:08:e6:de:9b:e2:61:c9:ee:43:f7:af:99: + 29:fa:50:69:2a:98:47:b9:58:46:57:1e:2d:29:77:51:89:64: + ee:f2:ba:14:fb:f7:ba:dc:68:d6:34:bc:28:eb:17:f4:37:6a: + 91:a9:cf:d5:46:e8:6e:8f:2f:e7:f2:e0:b1:ca:8a:0f:a4:55: + 8b:b9:c2:89:d0:29:82:b7:11:47:af:8b:96:92:e5:a3:da:11: + 0f:76:db:15:61:a5:5a:ab:60:83:06:de:7e:bf:b6:c8:10:ab: + 38:1a:d3:c2 -----BEGIN CERTIFICATE----- -MIICFDCCAb4CAQEwDQYJKoZIhvcNAQEEBQAwgZ4xCzAJBgNVBAYTAlVTMRAwDgYD -VQQIEwdNb250YW5hMRAwDgYDVQQHEwdCb3plbWFuMREwDwYDVQQKEwhzYXd0b290 -aDETMBEGA1UECxMKY29uc3VsdGluZzEkMCIGA1UEAxMbd3d3LnNhd3Rvb3RoLWNv -bnN1bHRpbmcuY29tMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTAeFw0x -MDA2MzAxODUyMTdaFw0xMzAzMjYxODUyMTdaMIGKMQswCQYDVQQGEwJVUzEQMA4G -A1UECBMHTW9udGFuYTEQMA4GA1UEBxMHQm96ZW1hbjEOMAwGA1UEChMFeWFTU0wx -EDAOBgNVBAsTB3N1cHBvcnQxFjAUBgNVBAMTDXd3dy55YXNzbC5jb20xHTAbBgkq -hkiG9w0BCQEWDmluZm9AeWFzc2wuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJB -AMZ7wGiBL96CP/msw4ZKZrfs1PH2ZCH/9aI0QtA4n8bdO24mZWpUlt3Se+s2oq5+ -Kp5+VqW2h58VxxhmfhZ34qcCAwEAATANBgkqhkiG9w0BAQQFAANBAFipmOcWUkxA -5+FHkhkbOo+XbHu3sMsgba2100dY2OTyPjLp74d35VQ29I1QjQe0d0XqnaQzNpsL -4HRYEcUBe00= +MIIDVTCCAj0CAhAAMA0GCSqGSIb3DQEBCwUAMHAxGDAWBgNVBAMMD3d3dy53b2xm 
+c3NsLmNvbTEQMA4GA1UECAwHTW9udGFuYTELMAkGA1UEBhMCVVMxHzAdBgkqhkiG +9w0BCQEWEGluZm9Ad29sZnNzbC5jb20xFDASBgNVBAsMC0VuZ2luZWVyaW5nMB4Y +DTIwMTgwNzMxMDAwMFoYDTIwMTgwODMwMDAwMFowcDEYMBYGA1UEAwwPd3d3Lndv +bGZzc2wuY29tMRAwDgYDVQQIDAdNb250YW5hMQswCQYDVQQGEwJVUzEfMB0GCSqG +SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTEUMBIGA1UECwwLRW5naW5lZXJpbmcw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAlQjhV0HycW230kVBJwFl +xkWu8rwkMLiVzi9O1vYciLx8n/uoZ3/+XJxRdfeKygfnNS+P4b17wC98q2SoF/zK +XXu64CHlci5vLobYlXParBtTuV8/1xkNJU/hY2NRiwtkP61DuKUcXDSzrgCgY8X2 +fwtZaHhzpowYqQJtr8MZAS64EOPGzEC0aaNGM2mHbsS7F6bz6N2tc7x7LyG1/WZR +DL1Us+FtXxy8I3PRCQOJFNIQuWTDKtChlkq84dQaW8egwMFjeA9ENzAyloAyI5Wh +d7oT0pdz4l0lyWoNwzlgpLSwaUJCCenYCLwzILNYIqeq68Th5mGDxdKW39nQT63X +AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAD246dwDTwx57V216EWZtJ7+m9mIqmze +HjRZikscOQx6oH0kwY1U0mWS1Fs1y978N/6xZyBkBAqPCXHP0xYu3CPIfC5yNVTs +02NanWOTQrZyZ4+Ag2rj060oh0ZMblbSAq9YLqkO4Aem8VjdF4In8Uk7jHdvCJbZ +BMjsNCKlselIB0E8qh7k2XUbcb1P7F79K0Qugc2MsQjm3pviYcnuQ/evmSn6UGkq +mEe5WEZXHi0pd1GJZO7yuhT797rcaNY0vCjrF/Q3apGpz9VG6G6PL+fy4LHKig+k +VYu5wonQKYK3EUevi5aS5aPaEQ922xVhpVqrYIMG3n6/tsgQqzga08I= -----END CERTIFICATE----- diff --git a/certs/test/expired-key.pem b/certs/test/expired-key.pem deleted file mode 100644 index 154d661b1..000000000 --- a/certs/test/expired-key.pem +++ /dev/null @@ -1,9 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIBOwIBAAJBAMZ7wGiBL96CP/msw4ZKZrfs1PH2ZCH/9aI0QtA4n8bdO24mZWpU -lt3Se+s2oq5+Kp5+VqW2h58VxxhmfhZ34qcCAwEAAQJBAJSbGxgjgV+rTZL2Ev58 -viN/IoB25cm/Bn4Heu7DNn2A2kpdGX2cCaf7rEQoIKCiHxvopvxOcd/7nLS/gNli -dCECIQD/cX/9fvB1Uajw0fmvwNON9+3P9uJSqpig90zL32pwjQIhAMbqee9TBMN4 -TxXbgWqA92PrCXe8WDZ3PwoJqdR6MRUDAiEAny+TDF1z6hiWiGTCDgXDkKBlwgjf -p5aKgR077XzwLu0CICVpWEGg1ZaF/CnaPP7w/pZ2UDOK4vRrfRnAM4bY7H5NAiBS -1eXJ/MCZ2uPfpl7XK2BU9P69KdKUk5WHxdRchVvcDg== ------END RSA PRIVATE KEY----- diff --git a/certs/test/gen-testcerts.sh b/certs/test/gen-testcerts.sh index f07721c42..3ee661c99 100755 --- a/certs/test/gen-testcerts.sh 
+++ b/certs/test/gen-testcerts.sh @@ -1,12 +1,38 @@ #!/bin/sh -# Args: 1=FileName, 2=CN, 3=AltName +# Args: 1=FileName, 2=CN, 3=AltName, 4=CA function build_test_cert_conf { - echo "[ req ]" > $1.conf + echo "# Generated openssl conf" > $1.conf + echo "" >> $1.conf + echo "[ ca ]" >> $1.conf + echo "default_ca = CA_default" >> $1.conf + echo "[ CA_default ]" >> $1.conf + echo "certificate = ../ca-cert.pem" >> $1.conf + echo "database = ./index.txt" >> $1.conf + echo "new_certs_dir = ./certs" >> $1.conf + echo "private_key = ./private/cakey.pem" >> $1.conf + echo "serial = ./serial" >> $1.conf + echo "default_md = sha256" >> $1.conf + echo "default_days = 1000" >> $1.conf + echo "policy = default_ca_policy" >> $1.conf + echo "" >> $1.conf + echo "[ default_ca_policy ]" >> $1.conf + echo "commonName = supplied" >> $1.conf + echo "stateOrProvinceName = supplied" >> $1.conf + echo "countryName = supplied" >> $1.conf + echo "emailAddress = supplied" >> $1.conf + echo "organizationName = optional" >> $1.conf + echo "organizationalUnitName = optional" >> $1.conf + echo "" >> $1.conf + echo "[ req ]" >> $1.conf echo "prompt = no" >> $1.conf echo "default_bits = 2048" >> $1.conf echo "distinguished_name = req_distinguished_name" >> $1.conf echo "req_extensions = req_ext" >> $1.conf + if [ -n "$4" ]; then + echo "basicConstraints=CA:true,pathlen:0" >> $1.conf + echo "" >> $1.conf + fi echo "" >> $1.conf echo "[ req_distinguished_name ]" >> $1.conf echo "C = US" >> $1.conf 
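Review bot: `basicConstraints=CA:true,pathlen:0` is appended inside the `[ req ]` section (right after `req_extensions = req_ext`), where OpenSSL does not read extensions, and `openssl ca` only emits the extensions named by `x509_extensions` in `[ CA_default ]` (or copied from the CSR when `copy_extensions` is set), so the new `$4` option has no effect; the regenerated `expired-ca.pem` in this same diff accordingly comes out as `Version: 1 (0x0)` with the former `X509v3 Basic Constraints: CA:TRUE` gone. The tests added here only check the validity-date error, so the missing CA flag is not caught. Point `[ CA_default ]` at an extensions section that carries the constraint when `$4` is set, as sketched below.
```shell
    echo "[ CA_default ]" >> $1.conf
    # … unchanged: certificate/database/new_certs_dir/private_key/serial/default_md/default_days/policy lines …
    if [ -n "$4" ]; then
        echo "x509_extensions = ca_ext" >> $1.conf
    fi
    # … unchanged: [ default_ca_policy ] and [ req ] sections …
    if [ -n "$4" ]; then
        echo "[ ca_ext ]" >> $1.conf
        echo "basicConstraints=CA:true,pathlen:0" >> $1.conf
        echo "" >> $1.conf
    fi
```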
@@ -70,6 +96,40 @@ function generate_test_cert { openssl x509 -inform pem -in $1.pem -outform der -out $1.der } +function generate_expired_certs { + rm $1.der + rm $1.pem + + mkdir -p certs + touch ./index.txt + echo 1000 > ./serial + + echo "step 1 create configuration" + build_test_cert_conf $1 www.wolfssl.com 0 $3 + + echo "step 2 create csr" + openssl req -new -sha256 -out $1.csr -key $2 -config $1.conf + + echo "step 3 check csr" + openssl req -text -noout -in $1.csr + + echo "step 4 create cert" + openssl ca -selfsign -config $1.conf -keyfile $2 -in $1.csr -out $1.pem \ + -startdate 201807310000Z -enddate 201808300000Z -batch + rm $1.conf + rm $1.csr + + echo "step 5 add cert text information to pem" + openssl x509 -inform pem -in $1.pem -text > tmp.pem + mv tmp.pem $1.pem + + echo "step 7 make binary der version" + openssl x509 -inform pem -in $1.pem -outform der -out $1.der + + rm -rf certs + rm ./index.txt* + rm ./serial* +} # Generate Good CN=localhost, Alt=None generate_test_cert server-goodcn localhost "" 1 @@ -101,3 +161,8 @@ generate_test_cert server-localhost localhost localhost # Generate Bad Alt Name CN=localhost, Alt=garbage generate_test_cert server-garbage localhost garbage + + +# Generate Expired Certificates +generate_expired_certs expired-ca ../ca-key.pem 1 +generate_expired_certs expired-cert ../server-key.pem diff --git a/certs/test/include.am b/certs/test/include.am index ee94f1aa7..6a923319d 100644 --- a/certs/test/include.am +++ b/certs/test/include.am @@ -21,8 +21,8 @@ EXTRA_DIST += \ EXTRA_DIST += \ certs/test/gen-testcerts.sh \ - certs/test/server-garbage.der \ - certs/test/server-garbage.pem \ + certs/test/server-garbage.der \ + certs/test/server-garbage.pem \ certs/test/server-goodcn.pem \ certs/test/server-goodcn.der \ certs/test/server-goodalt.pem \ 
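Review bot: `generate_expired_certs` signs both certificates with `openssl ca -selfsign -keyfile $2`, so `expired-cert` is self-signed with `../server-key.pem` rather than issued by `expired-ca`, and because `echo 1000 > ./serial` is re-run on every call both files end up with the same issuer DN and serial 4096, as the regenerated pem dumps above show. That is enough for the standalone loads in `test_wolfSSL_CertManagerLoadCABuffer`, but the pair cannot serve as an expired chain; if that is the intent, sign the leaf without `-selfsign` using the CA's key and config, otherwise a one-line comment such as `# two independent self-signed fixtures, not a chain` would stop someone from chaining them. `rm $1.der` and `rm $1.pem` run before the files are guaranteed to exist (the .der files are new in this diff), which prints errors on a clean checkout; `rm -f $1.der $1.pem` is quieter. The step labels also jump from 5 to 7.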
@@ -39,21 +39,22 @@ EXTRA_DIST += \ certs/test/server-badaltnull.der \ certs/test/server-badaltname.der \ certs/test/server-badaltname.pem \ - certs/test/server-localhost.der \ - certs/test/server-localhost.pem \ + certs/test/server-localhost.der \ + certs/test/server-localhost.pem \ certs/crl/server-goodaltCrl.pem \ certs/crl/server-goodcnCrl.pem \ certs/crl/server-goodaltwildCrl.pem \ certs/crl/server-goodcnwildCrl.pem EXTRA_DIST += \ - certs/test/crit-cert.pem \ - certs/test/crit-key.pem \ - certs/test/dh1024.der \ - certs/test/dh1024.pem \ - certs/test/dh512.der \ - certs/test/dh512.pem \ - certs/test/digsigku.pem \ - certs/test/expired-ca.pem \ - certs/test/expired-cert.pem \ - certs/test/expired-key.pem + certs/test/crit-cert.pem \ + certs/test/crit-key.pem \ + certs/test/dh1024.der \ + certs/test/dh1024.pem \ + certs/test/dh512.der \ + certs/test/dh512.pem \ + certs/test/digsigku.pem \ + certs/test/expired-ca.pem \ + certs/test/expired-ca.der \ + certs/test/expired-cert.pem \ + certs/test/expired-cert.der diff --git a/doc/dox_comments/header_files/ssl.h b/doc/dox_comments/header_files/ssl.h index d4b6a0723..74a159ffb 100644 --- a/doc/dox_comments/header_files/ssl.h +++ b/doc/dox_comments/header_files/ssl.h @@ -896,8 +896,8 @@ WOLFSSL_API int wolfSSL_CTX_use_PrivateKey_file(WOLFSSL_CTX*, const char*, int); as NULL if not needed. If path is specified and NO_WOLFSSL_DIR was not defined when building the library, wolfSSL will load all CA certificates located in the given directory. This function will attempt to load all - files in the directory and locate any files with the PEM header - “-----BEGIN CERTIFICATE-----”. Please see the examples for proper usage. + files in the directory. This function expects PEM formatted CERT_TYPE + file with header “-----BEGIN CERTIFICATE-----”. \return SSL_SUCCESS up success. \return SSL_FAILURE will be returned if ctx is NULL, or if both file and 
@@ -923,13 +923,14 @@ WOLFSSL_API int wolfSSL_CTX_use_PrivateKey_file(WOLFSSL_CTX*, const char*, int); int ret = 0; WOLFSSL_CTX* ctx; ... - ret = wolfSSL_CTX_load_verify_locations(ctx, “./ca-cert.pem”, 0); - if (ret != SSL_SUCCESS) { + ret = wolfSSL_CTX_load_verify_locations(ctx, “./ca-cert.pem”, NULL); + if (ret != WOLFSSL_SUCCESS) { // error loading CA certs } ... \endcode + \sa wolfSSL_CTX_load_verify_locations_ex \sa wolfSSL_CTX_load_verify_buffer \sa wolfSSL_CTX_use_certificate_file \sa wolfSSL_CTX_use_PrivateKey_file 
@@ -942,6 +943,71 @@ WOLFSSL_API int wolfSSL_CTX_use_PrivateKey_file(WOLFSSL_CTX*, const char*, int); WOLFSSL_API int wolfSSL_CTX_load_verify_locations(WOLFSSL_CTX*, const char*, const char*); +/*! + \ingroup CertsKeys + + \brief This function loads PEM-formatted CA certificate files into the SSL + context (WOLFSSL_CTX). These certificates will be treated as trusted root + certificates and used to verify certs received from peers during the SSL + handshake. The root certificate file, provided by the file argument, may + be a single certificate or a file containing multiple certificates. + If multiple CA certs are included in the same file, wolfSSL will load them + in the same order they are presented in the file. The path argument is + a pointer to the name of a directory that contains certificates of + trusted root CAs. If the value of file is not NULL, path may be specified + as NULL if not needed. If path is specified and NO_WOLFSSL_DIR was not + defined when building the library, wolfSSL will load all CA certificates + located in the given directory. This function will attempt to load all + files in the directory based on flags specified. This function expects PEM + formatted CERT_TYPE files with header “-----BEGIN CERTIFICATE-----”. + + \return SSL_SUCCESS up success. + \return SSL_FAILURE will be returned if ctx is NULL, or if both file and + path are NULL. + \return SSL_BAD_FILETYPE will be returned if the file is the wrong format. + \return SSL_BAD_FILE will be returned if the file doesn’t exist, can’t be + read, or is corrupted. + \return MEMORY_E will be returned if an out of memory condition occurs. + \return ASN_INPUT_E will be returned if Base16 decoding fails on the file. + \return BUFFER_E will be returned if a chain buffer is bigger than the + receiving buffer. + \return BAD_PATH_ERROR will be returned if opendir() fails when trying + to open path. + + \param ctx pointer to the SSL context, created with wolfSSL_CTX_new(). 
+ \param file pointer to name of the file containing PEM-formatted CA + certificates. + \param path pointer to the name of a directory to load PEM-formatted + certificates from. + \param flags possible mask values are: WOLFSSL_LOAD_FLAG_IGNORE_ERR, + WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY and WOLFSSL_LOAD_FLAG_PEM_CA_ONLY + + _Example_ + \code + int ret = 0; + WOLFSSL_CTX* ctx; + ... + ret = wolfSSL_CTX_load_verify_locations_ex(ctx, NUULL, “./certs/external", + WOLFSSL_LOAD_FLAG_PEM_CA_ONLY); + if (ret != WOLFSSL_SUCCESS) { + // error loading CA certs + } + ... + \endcode + + \sa wolfSSL_CTX_load_verify_locations + \sa wolfSSL_CTX_load_verify_buffer + \sa wolfSSL_CTX_use_certificate_file + \sa wolfSSL_CTX_use_PrivateKey_file + \sa wolfSSL_CTX_use_NTRUPrivateKey_file + \sa wolfSSL_CTX_use_certificate_chain_file + \sa wolfSSL_use_certificate_file + \sa wolfSSL_use_PrivateKey_file + \sa wolfSSL_use_certificate_chain_file +*/ +WOLFSSL_API int wolfSSL_CTX_load_verify_locations_ex(WOLFSSL_CTX*, const char*, + const char*, unsigned int flags); + /*! \ingroup Setup diff --git a/src/ssl.c b/src/ssl.c index 7d601d565..f673f427e 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -5085,7 +5085,7 @@ static int ProcessChainBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, WOLFSSL_MSG("Trying a CRL"); if (PemToDer(buff + used, sz - used, CRL_TYPE, &der, NULL, &info, NULL) == 0) { - WOLFSSL_MSG(" Proccessed a CRL"); + WOLFSSL_MSG(" Processed a CRL"); wolfSSL_CertManagerLoadCRLBuffer(ctx->cm, der->buffer, der->length, WOLFSSL_FILETYPE_ASN1); FreeDer(&der); 
@@ -5095,26 +5095,26 @@ static int ProcessChainBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, } #endif #endif - if (ret < 0) - { - if(consumed > 0) { /* Made progress in file */ + if (ret < 0) { + if (consumed > 0) { /* Made progress in file */ WOLFSSL_ERROR(ret); WOLFSSL_MSG("CA Parse failed, with progress in file."); WOLFSSL_MSG("Search for other certs in file"); - } else { + } + else { WOLFSSL_MSG("CA Parse failed, no progress in file."); WOLFSSL_MSG("Do not continue search for other certs in file"); break; } - } else { + } + else { WOLFSSL_MSG(" Processed a CA"); gotOne = 1; } used += consumed; } - if(gotOne) - { + if (gotOne) { WOLFSSL_MSG("Processed at least one valid CA. Other stuff OK"); return WOLFSSL_SUCCESS; } @@ -5733,17 +5733,18 @@ int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type, return ret; } - /* loads file then loads each file in path, no c_rehash */ -int wolfSSL_CTX_load_verify_locations(WOLFSSL_CTX* ctx, const char* file, - const char* path) +int wolfSSL_CTX_load_verify_locations_ex(WOLFSSL_CTX* ctx, const char* file, + const char* path, word32 flags) { int ret = WOLFSSL_SUCCESS; #ifndef NO_WOLFSSL_DIR int fileRet; + int successCount = 0; + int failCount = 0; #endif - WOLFSSL_ENTER("wolfSSL_CTX_load_verify_locations"); + WOLFSSL_MSG("wolfSSL_CTX_load_verify_locations_ex"); if (ctx == NULL || (file == NULL && path == NULL) ) return WOLFSSL_FAILURE; 
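Review bot: `WOLFSSL_ENTER("wolfSSL_CTX_load_verify_locations")` was replaced by `WOLFSSL_MSG("wolfSSL_CTX_load_verify_locations_ex")`, which silently drops the entry-trace macro the old line used for no visible reason; keep `WOLFSSL_ENTER("wolfSSL_CTX_load_verify_locations_ex");`. The removed header comment `/* loads file then loads each file in path, no c_rehash */` is not carried over and the new `flags` parameter is undocumented at the definition; suggest `/* Loads file, then each regular file in path (no c_rehash). flags (WOLFSSL_LOAD_FLAG_*) select which per-file load errors in path are tolerated. */`. The function body continues past the end of this hunk.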
@@ -5767,30 +5768,70 @@ int wolfSSL_CTX_load_verify_locations(WOLFSSL_CTX* ctx, const char* file, /* try to load each regular file in path */ fileRet = wc_ReadDirFirst(readCtx, path, &name); while (fileRet == 0 && name) { + WOLFSSL_MSG(name); /* log file name */ ret = ProcessFile(ctx, name, WOLFSSL_FILETYPE_PEM, CA_TYPE, NULL, 0, NULL); - if (ret != WOLFSSL_SUCCESS) - break; + if (ret != WOLFSSL_SUCCESS) { + /* handle flags for ignoring errors, skipping expired certs or + by PEM certificate header error */ + if ( (flags & WOLFSSL_LOAD_FLAG_IGNORE_ERR) || + ((flags & WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY) && + (ret == ASN_BEFORE_DATE_E || ret == ASN_AFTER_DATE_E)) || + ((flags & WOLFSSL_LOAD_FLAG_PEM_CA_ONLY) && + (ret == ASN_NO_PEM_HEADER))) { + /* Do not fail here if a certificate fails to load, + continue to next file */ + ret = WOLFSSL_SUCCESS; + } + else { + WOLFSSL_ERROR(ret); + WOLFSSL_MSG("Load CA file failed, continuing"); + failCount++; + } + } + else { + successCount++; + } fileRet = wc_ReadDirNext(readCtx, path, &name); } wc_ReadDirClose(readCtx); /* pass directory read failure to response code */ - if (ret == WOLFSSL_SUCCESS && fileRet != -1) { + if (fileRet != WC_READDIR_NOFILE) { ret = fileRet; } + /* report failure if no files were loaded or there were failures */ + else if (successCount == 0 || failCount > 0) { + /* use existing error code if exists */ + if (ret == WOLFSSL_SUCCESS) + ret = WOLFSSL_FAILURE; + } + else { + ret = WOLFSSL_SUCCESS; + } #ifdef WOLFSSL_SMALL_STACK XFREE(readCtx, ctx->heap, DYNAMIC_TYPE_DIRCTX); #endif #else ret = NOT_COMPILED_IN; + (void)flags; #endif } return ret; } +#ifndef WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS +#define WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS WOLFSSL_LOAD_FLAG_NONE +#endif +int wolfSSL_CTX_load_verify_locations(WOLFSSL_CTX* ctx, const char* file, + const char* path) +{ + return wolfSSL_CTX_load_verify_locations_ex(ctx, file, path, + WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS); +} + #ifdef WOLFSSL_TRUST_PEER_CERT /* Used to 
specify a peer cert to match when connecting
diff --git a/tests/api.c b/tests/api.c
index ef093859f..ec2fb3ebd 100644
--- a/tests/api.c
+++ b/tests/api.c
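Review bot: The error code returned after scanning a directory with mixed results depends on iteration order: in the loop's `else` branch `failCount++` records a failure but `ret` is then overwritten by the next file's `ProcessFile`, so when a later file succeeds the final `else if (successCount == 0 || failCount > 0)` only sees `WOLFSSL_SUCCESS` and collapses the cause to `WOLFSSL_FAILURE`, while a failing last file reports its own code. Keep the first failure instead: declare `int firstErr = 0;` next to `failCount`, use `if (failCount++ == 0) firstErr = ret;` in that branch, and replace the inner `if (ret == WOLFSSL_SUCCESS) ret = WOLFSSL_FAILURE;` with `ret = (firstErr != 0) ? firstErr : WOLFSSL_FAILURE;`. `WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS` is a new build-time override defined only in this .c file; a comment such as `/* default flags for wolfSSL_CTX_load_verify_locations(); override with -DWOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS=... */` (or a declaration in wolfssl/ssl.h) would make it discoverable. The function's `file` branch starts before this hunk, so whether the flags also apply to the single-file load cannot be confirmed here and should be stated in the header comment.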
@@ -697,32 +697,39 @@ static void test_wolfSSL_CTX_load_verify_locations(void) #ifdef PERSIST_CERT_CACHE int cacheSz; #endif +#if !defined(NO_WOLFSSL_DIR) && !defined(WOLFSSL_TIRTOS) + const char* load_certs_path = "./certs/external"; + const char* load_no_certs_path = "./examples"; +#endif AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - /* invalid context */ - AssertFalse(wolfSSL_CTX_load_verify_locations(NULL, caCertFile, 0)); + /* invalid arguments */ + AssertIntEQ(wolfSSL_CTX_load_verify_locations(NULL, caCertFile, NULL), WOLFSSL_FAILURE); + AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, NULL, NULL), WOLFSSL_FAILURE); /* invalid ca file */ - AssertIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_load_verify_locations(ctx, NULL, 0)); - AssertIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_load_verify_locations(ctx, bogusFile, 0)); + AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, bogusFile, NULL), WOLFSSL_BAD_FILE); -#ifndef WOLFSSL_TIRTOS +#if !defined(NO_WOLFSSL_DIR) && !defined(WOLFSSL_TIRTOS) /* invalid path */ - /* not working... investigate! */ - /* AssertFalse(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, bogusFile)); */ + AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, NULL, bogusFile), BAD_PATH_ERROR); #endif /* load ca cert */ - AssertTrue(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0)); +#ifdef NO_RSA + AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, NULL), ASN_UNKNOWN_OID_E); +#else + AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, NULL), WOLFSSL_SUCCESS); +#endif #ifdef PERSIST_CERT_CACHE /* Get cert cache size */ cacheSz = wolfSSL_CTX_get_cert_cache_memsize(ctx); #endif /* Test unloading CA's */ - AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UnloadCAs(ctx)); + AssertIntEQ(wolfSSL_CTX_UnloadCAs(ctx), WOLFSSL_SUCCESS); #ifdef PERSIST_CERT_CACHE /* Verify no certs (result is less than cacheSz) */ 
@@ -730,23 +737,143 @@ static void test_wolfSSL_CTX_load_verify_locations(void) #endif /* load ca cert again */ - AssertTrue(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0)); +#ifdef NO_RSA + AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, NULL), ASN_UNKNOWN_OID_E); +#else + AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, NULL), WOLFSSL_SUCCESS); +#endif /* Test getting CERT_MANAGER */ AssertNotNull(cm = wolfSSL_CTX_GetCertManager(ctx)); /* Test unloading CA's using CM */ - AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_CertManagerUnloadCAs(cm)); + AssertIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); #ifdef PERSIST_CERT_CACHE /* Verify no certs (result is less than cacheSz) */ AssertIntGT(cacheSz, wolfSSL_CTX_get_cert_cache_memsize(ctx)); #endif +#if !defined(NO_WOLFSSL_DIR) && !defined(WOLFSSL_TIRTOS) + /* Test loading CA certificates using a path */ + #ifdef NO_RSA + AssertIntEQ(wolfSSL_CTX_load_verify_locations_ex(ctx, NULL, load_certs_path, + WOLFSSL_LOAD_FLAG_PEM_CA_ONLY), ASN_UNKNOWN_OID_E); + #else + AssertIntEQ(wolfSSL_CTX_load_verify_locations_ex(ctx, NULL, load_certs_path, + WOLFSSL_LOAD_FLAG_PEM_CA_ONLY), WOLFSSL_SUCCESS); + #endif + + /* Test loading path with no files */ + AssertIntEQ(wolfSSL_CTX_load_verify_locations_ex(ctx, NULL, load_no_certs_path, + WOLFSSL_LOAD_FLAG_PEM_CA_ONLY), WOLFSSL_FAILURE); + + /* Test loading expired CA certificates */ + #ifdef NO_RSA + AssertIntEQ(wolfSSL_CTX_load_verify_locations_ex(ctx, NULL, load_certs_path, + WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY | WOLFSSL_LOAD_FLAG_PEM_CA_ONLY), ASN_UNKNOWN_OID_E); + #else + AssertIntEQ(wolfSSL_CTX_load_verify_locations_ex(ctx, NULL, load_certs_path, + WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY | WOLFSSL_LOAD_FLAG_PEM_CA_ONLY), WOLFSSL_SUCCESS); + #endif + + /* Test loading CA certificates and ignoring all errors */ + #ifdef NO_RSA + AssertIntEQ(wolfSSL_CTX_load_verify_locations_ex(ctx, NULL, load_certs_path, + WOLFSSL_LOAD_FLAG_IGNORE_ERR), WOLFSSL_FAILURE); + 
#else + AssertIntEQ(wolfSSL_CTX_load_verify_locations_ex(ctx, NULL, load_certs_path, + WOLFSSL_LOAD_FLAG_IGNORE_ERR), WOLFSSL_SUCCESS); + #endif +#endif + wolfSSL_CTX_free(ctx); #endif } +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) +static int test_cm_load_ca_buffer(const byte* cert_buf, size_t cert_sz, int file_type) +{ + int ret; + WOLFSSL_CERT_MANAGER* cm = NULL; + + cm = wolfSSL_CertManagerNew(); + if (cm == NULL) { + printf("test_cm_load_ca failed\n"); + return -1; + } + + ret = wolfSSL_CertManagerLoadCABuffer(cm, cert_buf, cert_sz, file_type); + + wolfSSL_CertManagerFree(cm); + + return ret; +} + +static int test_cm_load_ca_file(const char* ca_cert_file) +{ + int ret = 0; + byte* cert_buf = NULL; + size_t cert_sz = 0; +#if defined(WOLFSSL_PEM_TO_DER) + DerBuffer* pDer = NULL; +#endif + + ret = load_file(ca_cert_file, &cert_buf, &cert_sz); + if (ret == 0) { + /* normal test */ + ret = test_cm_load_ca_buffer(cert_buf, cert_sz, WOLFSSL_FILETYPE_PEM); + + if (ret == 0) { + /* test including null terminator in length */ + ret = test_cm_load_ca_buffer(cert_buf, cert_sz+1, WOLFSSL_FILETYPE_PEM); + } + + #if defined(WOLFSSL_PEM_TO_DER) + if (ret == 0) { + /* test loading DER */ + ret = wc_PemToDer(cert_buf, cert_sz, CA_TYPE, &pDer, NULL, NULL, NULL); + if (ret == 0) { + ret = test_cm_load_ca_buffer(pDer->buffer, pDer->length, + WOLFSSL_FILETYPE_ASN1); + + wc_FreeDer(&pDer); + } + } + #endif + + free(cert_buf); + } + return ret; +} +#endif /* !NO_FILESYSTEM && !NO_CERTS */ + +static int test_wolfSSL_CertManagerLoadCABuffer(void) +{ + int ret = 0; + +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) + const char* ca_cert = "./certs/ca-cert.pem"; + const char* ca_expired_cert = "./certs/test/expired-ca.pem"; + + ret = test_cm_load_ca_file(ca_cert); + #ifdef NO_RSA + AssertIntEQ(ret, ASN_UNKNOWN_OID_E); + #else + AssertIntEQ(ret, WOLFSSL_SUCCESS); + #endif + + ret = test_cm_load_ca_file(ca_expired_cert); + #ifdef NO_RSA + AssertIntEQ(ret, ASN_UNKNOWN_OID_E); + 
#else + AssertIntEQ(ret, ASN_AFTER_DATE_E); + #endif +#endif + + return ret; +} + static int test_wolfSSL_CTX_use_certificate_chain_file_format(void) { @@ -16222,13 +16349,14 @@ static void test_wolfSSL_PEM_PrivateKey(void) #if !defined(NO_RSA) && (defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN)) { + #define BIO_PEM_TEST_CHAR 'a' EVP_PKEY* pkey2 = NULL; unsigned char extra[10]; int i; printf(testingFmt, "wolfSSL_PEM_PrivateKey()"); - XMEMSET(extra, 0, sizeof(extra)); + XMEMSET(extra, BIO_PEM_TEST_CHAR, sizeof(extra)); AssertNotNull(bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); AssertIntEQ(BIO_set_write_buf_size(bio, 4096), SSL_FAILURE); @@ -16245,14 +16373,14 @@ static void test_wolfSSL_PEM_PrivateKey(void) /* test creating new EVP_PKEY with good args */ AssertNotNull((pkey2 = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL))); if (pkey && pkey->pkey.ptr && pkey2 && pkey2->pkey.ptr) - AssertIntEQ((int)XMEMCMP(pkey->pkey.ptr, pkey2->pkey.ptr, pkey->pkey_sz),0); + AssertIntEQ((int)XMEMCMP(pkey->pkey.ptr, pkey2->pkey.ptr, pkey->pkey_sz), 0); /* test of reuse of EVP_PKEY */ AssertNull(PEM_read_bio_PrivateKey(bio, &pkey, NULL, NULL)); AssertIntEQ(BIO_pending(bio), 0); AssertIntEQ(PEM_write_bio_PrivateKey(bio, pkey, NULL, NULL, 0, NULL, NULL), SSL_SUCCESS); - AssertIntEQ(BIO_write(bio, extra, 10), 10); /*add 10 extra bytes after PEM*/ + AssertIntEQ(BIO_write(bio, extra, 10), 10); /* add 10 extra bytes after PEM */ AssertNotNull(PEM_read_bio_PrivateKey(bio, &pkey, NULL, NULL)); AssertNotNull(pkey); if (pkey && pkey->pkey.ptr && pkey2 && pkey2->pkey.ptr) { @@ -16261,7 +16389,7 @@ static void test_wolfSSL_PEM_PrivateKey(void) AssertIntEQ(BIO_pending(bio), 10); /* check 10 extra bytes still there */ AssertIntEQ(BIO_read(bio, extra, 10), 10); for (i = 0; i < 10; i++) { - AssertIntEQ(extra[i], 0); + AssertIntEQ(extra[i], BIO_PEM_TEST_CHAR); } BIO_free(bio); 
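Review bot: In `test_cm_load_ca_file`, the two guards `if (ret == 0)` that gate the `cert_sz+1` and DER sub-tests never pass on the success path, because `test_cm_load_ca_buffer` returns `wolfSSL_CertManagerLoadCABuffer`'s `WOLFSSL_SUCCESS` (1), the very value the caller then checks with `AssertIntEQ(ret, WOLFSSL_SUCCESS)`; change both to `if (ret == WOLFSSL_SUCCESS)` (the guard after `wc_PemToDer` is correct, that call returns 0). That dead path is the one meant to cover the trailing-NUL tolerance added to `PemToDer` in the wolfcrypt/src/asn.c hunk below, so that change is currently untested. The `WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY` directory test runs against `load_certs_path` (`./certs/external`) while the expired fixtures regenerated in this diff live in `./certs/test`, so unless certs/external already holds an expired certificate (not visible here) the skip branch is not exercised, and the expectations with and without the flag are identical. `test_wolfSSL_CertManagerLoadCABuffer` returns the last `ret`, which on the expected path is `ASN_AFTER_DATE_E`, so its `int` result means nothing to `ApiTest`; make it `void` like its sibling or `return 0;` after the asserts.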
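Review bot: `#define BIO_PEM_TEST_CHAR 'a'` is introduced inside a function-body block but never undefined, so unlike the `extra` and `pkey2` locals beside it the macro outlives the block and the function; add `#undef BIO_PEM_TEST_CHAR` at the end of the block, or use a `const unsigned char` local instead. Style only, no behaviour change.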
@@ -20647,6 +20775,7 @@ void ApiTest(void) AssertIntEQ(test_wolfSSL_CTX_use_certificate_buffer(), WOLFSSL_SUCCESS); test_wolfSSL_CTX_use_PrivateKey_file(); test_wolfSSL_CTX_load_verify_locations(); + test_wolfSSL_CertManagerLoadCABuffer(); test_wolfSSL_CTX_use_certificate_chain_file_format(); test_wolfSSL_CTX_trust_peer_cert(); test_wolfSSL_CTX_SetTmpDH_file(); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index bc240c9e1..9368190c5 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -8389,9 +8389,12 @@ int PemToDer(const unsigned char* buff, long longSz, int type, consumedEnd = footerEnd + XSTRLEN(footer); - if (consumedEnd < bufferEnd) { /* handle no end of line on last line */ + if (consumedEnd < bufferEnd) { /* handle no end of line on last line */ /* eat end of line characters */ consumedEnd = SkipEndOfLineChars(consumedEnd, bufferEnd); + /* skip possible null term */ + if (consumedEnd < bufferEnd && consumedEnd[0] == '\0') + consumedEnd++; } if (info) diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index c1b7ff314..f44459b0b 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -247,10 +247,10 @@ int wolfCrypt_Cleanup(void) !defined(WOLFSSL_NUCLEUS) && !defined(WOLFSSL_NUCLEUS_1_2) /* File Handling Helpers */ -/* returns 0 if file found, -1 if no files or negative error */ +/* returns 0 if file found, WC_READDIR_NOFILE if no files or negative error */ int wc_ReadDirFirst(ReadDirCtx* ctx, const char* path, char** name) { - int ret = -1; /* default to no files found */ + int ret = WC_READDIR_NOFILE; /* default to no files found */ int pathLen = 0; int dnameLen = 0; 
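Review bot: The call to `test_wolfSSL_CertManagerLoadCABuffer()` added to ApiTest discards the function's int result, while the neighbouring `AssertIntEQ(test_wolfSSL_CTX_use_certificate_buffer(), WOLFSSL_SUCCESS);` checks its test's result. From the earlier hunk the returned value is whatever the last load of the expired CA produced (ASN_AFTER_DATE_E or ASN_UNKNOWN_OID_E when the test passes, 0 when the file-system or cert code is compiled out), so it cannot be meaningfully asserted here. Either declare the function `static void` like the surrounding tests, or end it with `return 0;` after the asserts so the caller can write `AssertIntEQ(test_wolfSSL_CertManagerLoadCABuffer(), 0);`.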
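Review bot: The new `/* skip possible null term */` in PemToDer says what the two lines do but not why, and the reason is not visible from the function itself: a caller may pass a length that counts a C-string terminator (the api.c test in this commit deliberately loads with `cert_sz+1`), and without consuming that byte the caller would presumably be left with unconsumed input after the footer. Suggest `/* callers may pass a length that includes a C-string NUL terminator; consume a single trailing NUL so the whole input counts as processed */`. Only one NUL is skipped, so an input padded with several zero bytes still leaves unconsumed input; if that matters to callers it should be stated here. PemToDer's body continues outside the hunk.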
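Review bot: The updated comment `returns 0 if file found, WC_READDIR_NOFILE if no files or negative error` on wc_ReadDirFirst still does not let a caller tell the two outcomes apart, because WC_READDIR_NOFILE is itself -1 (see the wc_port.h hunk), so a `ret < 0` check treats "directory is empty" and "open or allocation failure" alike. If the error paths in the body (outside this hunk) return distinct wolfCrypt codes, the comment should name them and say that callers must compare against WC_READDIR_NOFILE explicitly; the same applies to wc_ReadDirNext in the next hunk. Suggested wording: `/* returns 0 if a file was found, WC_READDIR_NOFILE (-1) if the directory has no (more) files, or another negative wolfCrypt error code on failure */`.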
@@ -329,10 +329,10 @@ int wc_ReadDirFirst(ReadDirCtx* ctx, const char* path, char** name) return ret; } -/* returns 0 if file found, -1 if no more files */ +/* returns 0 if file found, WC_READDIR_NOFILE if no more files */ int wc_ReadDirNext(ReadDirCtx* ctx, const char* path, char** name) { - int ret = -1; /* default to no file found */ + int ret = WC_READDIR_NOFILE; /* default to no file found */ int pathLen = 0; int dnameLen = 0; diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 54ba2baf6..96dfbf45f 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -504,6 +504,13 @@ WOLFSSL_API int wolfSSL_is_static_memory(WOLFSSL* ssl, WOLFSSL_API int wolfSSL_CTX_use_certificate_file(WOLFSSL_CTX*, const char*, int); WOLFSSL_API int wolfSSL_CTX_use_PrivateKey_file(WOLFSSL_CTX*, const char*, int); + +#define WOLFSSL_LOAD_FLAG_NONE 0x00000000 +#define WOLFSSL_LOAD_FLAG_IGNORE_ERR 0x00000001 +#define WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY 0x00000002 +#define WOLFSSL_LOAD_FLAG_PEM_CA_ONLY 0x00000004 +WOLFSSL_API int wolfSSL_CTX_load_verify_locations_ex(WOLFSSL_CTX*, const char*, + const char*, unsigned int); WOLFSSL_API int wolfSSL_CTX_load_verify_locations(WOLFSSL_CTX*, const char*, const char*); #ifdef WOLFSSL_TRUST_PEER_CERT diff --git a/wolfssl/wolfcrypt/wc_port.h b/wolfssl/wolfcrypt/wc_port.h index 5c6aa71e7..c42a12ea3 100755 --- a/wolfssl/wolfcrypt/wc_port.h +++ b/wolfssl/wolfcrypt/wc_port.h @@ -357,6 +357,8 @@ WOLFSSL_API int wolfCrypt_Cleanup(void); char name[MAX_FILENAME_SZ]; } ReadDirCtx; + #define WC_READDIR_NOFILE -1 + WOLFSSL_API int wc_ReadDirFirst(ReadDirCtx* ctx, const char* path, char** name); WOLFSSL_API int wc_ReadDirNext(ReadDirCtx* ctx, const char* path, char** name); WOLFSSL_API void wc_ReadDirClose(ReadDirCtx* ctx);
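Review bot: The four WOLFSSL_LOAD_FLAG_* values and wolfSSL_CTX_load_verify_locations_ex enter the public header without any comment, although two of the flags change how the trust store is populated: WOLFSSL_LOAD_FLAG_IGNORE_ERR, as used by the api.c test in this commit, evidently lets loading continue past a file that fails to load, and WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY by its name accepts CA certificates that fail the date check. An integrator needs that spelled out next to the definitions, e.g. `/* flags for wolfSSL_CTX_load_verify_locations_ex, OR-able: IGNORE_ERR = continue past files that fail to load; DATE_ERR_OKAY = accept CAs with date errors; PEM_CA_ONLY = see ssl.c */`, with each description confirmed against the implementation in ssl.c, which is not part of this diff. The `unsigned int` flags parameter should also be documented as a bit mask, and passing WOLFSSL_LOAD_FLAG_NONE as equivalent to wolfSSL_CTX_load_verify_locations if that is the case.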
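Review bot: `#define WC_READDIR_NOFILE -1` in wc_port.h should parenthesise the negative value, `#define WC_READDIR_NOFILE (-1)`, following the usual rule for macro expansions that are not single tokens. A one-line comment tying it to its users would also help readers of the header, e.g. `/* wc_ReadDirFirst/wc_ReadDirNext: no (more) files in the directory; other negative values are errors */`.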
