forked from wolfSSL/wolfssl
Merge pull request #3361 from tmael/ocsp-nocheck
Add support for id-pkix-ocsp-nocheck
This commit is contained in:
David Garske
GitHub
@ -849,7 +849,7 @@ static int SMTP_Shutdown(WOLFSSL* ssl, int wc_shutdown)
|
|||||||
return WOLFSSL_SUCCESS;
|
return WOLFSSL_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int ClientWrite(WOLFSSL* ssl, const char* msg, int msgSz, const char* str,
|
static int ClientWrite(WOLFSSL* ssl, const char* msg, int msgSz, const char* str,
|
||||||
int exitWithRet)
|
int exitWithRet)
|
||||||
{
|
{
|
||||||
int ret, err;
|
int ret, err;
|
||||||
@ -1099,6 +1099,9 @@ static const char* client_usage_msg[][66] = {
|
|||||||
#endif
|
#endif
|
||||||
#ifdef HAVE_CURVE448
|
#ifdef HAVE_CURVE448
|
||||||
"-8 Use X448 for key exchange\n", /* 65 */
|
"-8 Use X448 for key exchange\n", /* 65 */
|
||||||
|
#endif
|
||||||
|
#ifdef HAVE_CRL
|
||||||
|
"-C Disable CRL\n",
|
||||||
#endif
|
#endif
|
||||||
NULL,
|
NULL,
|
||||||
},
|
},
|
||||||
@ -2553,7 +2556,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
|
|||||||
}
|
}
|
||||||
#endif /* WOLFSSL_TRUST_PEER_CERT && !NO_FILESYSTEM */
|
#endif /* WOLFSSL_TRUST_PEER_CERT && !NO_FILESYSTEM */
|
||||||
}
|
}
|
||||||
if (useVerifyCb || myVerifyAction == VERIFY_FORCE_FAIL ||
|
if (useVerifyCb || myVerifyAction == VERIFY_FORCE_FAIL ||
|
||||||
myVerifyAction == VERIFY_USE_PREVERFIY) {
|
myVerifyAction == VERIFY_USE_PREVERFIY) {
|
||||||
wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, myVerify);
|
wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, myVerify);
|
||||||
}
|
}
|
||||||
|
|||||||
@ -1616,8 +1616,9 @@ static const byte wrapPwriKekOid[] = {42, 134, 72, 134, 247, 13, 1, 9, 16, 3,9};
|
|||||||
|
|
||||||
/* ocspType */
|
/* ocspType */
|
||||||
#ifdef HAVE_OCSP
|
#ifdef HAVE_OCSP
|
||||||
static const byte ocspBasicOid[] = {43, 6, 1, 5, 5, 7, 48, 1, 1};
|
static const byte ocspBasicOid[] = {43, 6, 1, 5, 5, 7, 48, 1, 1};
|
||||||
static const byte ocspNonceOid[] = {43, 6, 1, 5, 5, 7, 48, 1, 2};
|
static const byte ocspNonceOid[] = {43, 6, 1, 5, 5, 7, 48, 1, 2};
|
||||||
|
static const byte ocspNoCheckOid[] = {43, 6, 1, 5, 5, 7, 48, 1, 5};
|
||||||
#endif /* HAVE_OCSP */
|
#endif /* HAVE_OCSP */
|
||||||
|
|
||||||
/* certExtType */
|
/* certExtType */
|
||||||
@ -1655,7 +1656,6 @@ static const byte extExtKeyUsageCodeSigningOid[] = {43, 6, 1, 5, 5, 7, 3, 3};
|
|||||||
static const byte extExtKeyUsageEmailProtectOid[] = {43, 6, 1, 5, 5, 7, 3, 4};
|
static const byte extExtKeyUsageEmailProtectOid[] = {43, 6, 1, 5, 5, 7, 3, 4};
|
||||||
static const byte extExtKeyUsageTimestampOid[] = {43, 6, 1, 5, 5, 7, 3, 8};
|
static const byte extExtKeyUsageTimestampOid[] = {43, 6, 1, 5, 5, 7, 3, 8};
|
||||||
static const byte extExtKeyUsageOcspSignOid[] = {43, 6, 1, 5, 5, 7, 3, 9};
|
static const byte extExtKeyUsageOcspSignOid[] = {43, 6, 1, 5, 5, 7, 3, 9};
|
||||||
|
|
||||||
/* kdfType */
|
/* kdfType */
|
||||||
static const byte pbkdf2Oid[] = {42, 134, 72, 134, 247, 13, 1, 5, 12};
|
static const byte pbkdf2Oid[] = {42, 134, 72, 134, 247, 13, 1, 5, 12};
|
||||||
|
|
||||||
@ -2037,6 +2037,12 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
|
|||||||
*oidSz = sizeof(extNameConsOid);
|
*oidSz = sizeof(extNameConsOid);
|
||||||
break;
|
break;
|
||||||
#endif
|
#endif
|
||||||
|
#ifdef HAVE_OCSP
|
||||||
|
case OCSP_NOCHECK_OID:
|
||||||
|
oid = ocspNoCheckOid;
|
||||||
|
*oidSz = sizeof(ocspNoCheckOid);
|
||||||
|
break;
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
@ -4440,7 +4446,7 @@ int wc_RsaPublicKeyDecodeRaw(const byte* n, word32 nSz, const byte* e,
|
|||||||
|
|
||||||
#ifndef NO_DH
|
#ifndef NO_DH
|
||||||
/* Supports either:
|
/* Supports either:
|
||||||
* - DH params G/P (PKCS#3 DH) file or
|
* - DH params G/P (PKCS#3 DH) file or
|
||||||
* - DH key file (if WOLFSSL_DH_EXTRA enabled) */
|
* - DH key file (if WOLFSSL_DH_EXTRA enabled) */
|
||||||
/* The wc_DhParamsLoad function also loads DH params, but directly into buffers, not DhKey */
|
/* The wc_DhParamsLoad function also loads DH params, but directly into buffers, not DhKey */
|
||||||
int wc_DhKeyDecode(const byte* input, word32* inOutIdx, DhKey* key, word32 inSz)
|
int wc_DhKeyDecode(const byte* input, word32* inOutIdx, DhKey* key, word32 inSz)
|
||||||
@ -8875,7 +8881,14 @@ static int DecodeCertExtensions(DecodedCert* cert)
|
|||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
#endif
|
#endif
|
||||||
|
#ifdef HAVE_OCSP
|
||||||
|
case OCSP_NOCHECK_OID:
|
||||||
|
VERIFY_AND_SET_OID(cert->ocspNoCheckSet);
|
||||||
|
ret = GetASNNull(input, &idx, sz);
|
||||||
|
if (ret != 0)
|
||||||
|
return ASN_PARSE_E;
|
||||||
|
break;
|
||||||
|
#endif
|
||||||
default:
|
default:
|
||||||
#ifndef WOLFSSL_NO_ASN_STRICT
|
#ifndef WOLFSSL_NO_ASN_STRICT
|
||||||
/* While it is a failure to not support critical extensions,
|
/* While it is a failure to not support critical extensions,
|
||||||
@ -9347,6 +9360,11 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
|
|||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef HAVE_OCSP
|
||||||
|
/* trust for the lifetime of the responder's cert*/
|
||||||
|
if (cert->ocspNoCheckSet && verify == VERIFY_OCSP)
|
||||||
|
verify = NO_VERIFY;
|
||||||
|
#endif
|
||||||
/* advance past extensions */
|
/* advance past extensions */
|
||||||
cert->srcIdx = cert->sigIndex;
|
cert->srcIdx = cert->sigIndex;
|
||||||
}
|
}
|
||||||
@ -9871,7 +9889,7 @@ void wc_FreeDer(DerBuffer** pDer)
|
|||||||
|
|
||||||
#if defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM)
|
#if defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM)
|
||||||
|
|
||||||
/* Note: If items added make sure MAX_X509_HEADER_SZ is
|
/* Note: If items added make sure MAX_X509_HEADER_SZ is
|
||||||
updated to reflect maximum length */
|
updated to reflect maximum length */
|
||||||
wcchar BEGIN_CERT = "-----BEGIN CERTIFICATE-----";
|
wcchar BEGIN_CERT = "-----BEGIN CERTIFICATE-----";
|
||||||
wcchar END_CERT = "-----END CERTIFICATE-----";
|
wcchar END_CERT = "-----END CERTIFICATE-----";
|
||||||
@ -17248,7 +17266,7 @@ int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp)
|
|||||||
WOLFSSL_MSG("\tReq missing");
|
WOLFSSL_MSG("\tReq missing");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
if (resp == NULL || resp->issuerHash == NULL ||
|
if (resp == NULL || resp->issuerHash == NULL ||
|
||||||
resp->issuerKeyHash == NULL || resp->status == NULL) {
|
resp->issuerKeyHash == NULL || resp->status == NULL) {
|
||||||
WOLFSSL_MSG("\tResp missing");
|
WOLFSSL_MSG("\tResp missing");
|
||||||
return 1;
|
return 1;
|
||||||
|
|||||||
@ -538,7 +538,9 @@ enum Extensions_Sum {
|
|||||||
POLICY_CONST_OID = 150,
|
POLICY_CONST_OID = 150,
|
||||||
ISSUE_ALT_NAMES_OID = 132,
|
ISSUE_ALT_NAMES_OID = 132,
|
||||||
TLS_FEATURE_OID = 92, /* id-pe 24 */
|
TLS_FEATURE_OID = 92, /* id-pe 24 */
|
||||||
NETSCAPE_CT_OID = 753 /* 2.16.840.1.113730.1.1 */
|
NETSCAPE_CT_OID = 753, /* 2.16.840.1.113730.1.1 */
|
||||||
|
OCSP_NOCHECK_OID = 121 /* 1.3.6.1.5.5.7.48.1.5
|
||||||
|
id-pkix-ocsp-nocheck */
|
||||||
};
|
};
|
||||||
|
|
||||||
enum CertificatePolicy_Sum {
|
enum CertificatePolicy_Sum {
|
||||||
@ -909,6 +911,9 @@ struct DecodedCert {
|
|||||||
byte weOwnAltNames : 1; /* altNames haven't been given to copy */
|
byte weOwnAltNames : 1; /* altNames haven't been given to copy */
|
||||||
byte extKeyUsageSet : 1;
|
byte extKeyUsageSet : 1;
|
||||||
byte extExtKeyUsageSet : 1; /* Extended Key Usage set */
|
byte extExtKeyUsageSet : 1; /* Extended Key Usage set */
|
||||||
|
#ifdef HAVE_OCSP
|
||||||
|
byte ocspNoCheckSet : 1; /* id-pkix-ocsp-nocheck set */
|
||||||
|
#endif
|
||||||
byte extCRLdistSet : 1;
|
byte extCRLdistSet : 1;
|
||||||
byte extAuthInfoSet : 1;
|
byte extAuthInfoSet : 1;
|
||||||
byte extBasicConstSet : 1;
|
byte extBasicConstSet : 1;
|
||||||
|
|||||||
Reference in New Issue
Block a user