Trusted CA Key Indication Extension

Added an API for enabling the Trusted CA Key Indication extension from RFC6066 section 6. If the server doesn't have a match for the client, the client will abandon the session.
2018-09-28 09:05:59 -07:00
parent 6e1b05316d
commit b7663a940e
10 changed files with 515 additions and 4 deletions
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -1290,6 +1290,9 @@ static void Usage(void)
 #endif
 #ifdef WOLFSSL_MULTICAST
    printf("%s", msg[++msgid]); /* -3 */
+#endif
+#ifdef HAVE_TRUSTED_CA
+    printf("-5          Use Trusted CA Key Indication\n");
 #endif
    printf("%s", msg[++msgid]);  /* -1 */
 #if !defined(NO_DH) && !defined(HAVE_FIPS) && \
@@ -1387,6 +1390,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 #ifdef HAVE_SNI
    char*  sniHostName = NULL;
 #endif
+#ifdef HAVE_TRUSTED_CA
+    int trustedCaKeyId = 0;
+#endif
 #ifdef HAVE_MAX_FRAGMENT
    byte maxFragment = 0;
 #endif
@@ -1492,7 +1498,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
    while ((ch = mygetopt(argc, argv, "?:"
            "ab:c:defgh:ijk:l:mnop:q:rstuv:wxyz"
            "A:B:CDE:F:GH:IJKL:M:NO:PQRS:TUVW:XYZ:"
-            "01:23:4")) != -1) {
+            "01:23:5")) != -1) {
        switch (ch) {
            case '?' :
                if(myoptarg!=NULL) {
@@ -1912,6 +1918,11 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
                    forceScr  = 1;
                    resumeScr = 1;
                #endif
+
+            case '5' :
+            #ifdef HAVE_TRUSTED_CA
+                trustedCaKeyId = 1;
+            #endif /* HAVE_TRUSTED_CA */
                break;

            default:
@@ -2356,11 +2367,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 #endif /* WOLFSSL_ASYNC_CRYPT */

 #ifdef HAVE_SNI
-    if (sniHostName)
+    if (sniHostName) {
        if (wolfSSL_CTX_UseSNI(ctx, 0, sniHostName,
                    (word16) XSTRLEN(sniHostName)) != WOLFSSL_SUCCESS) {
            wolfSSL_CTX_free(ctx); ctx = NULL;
            err_sys("UseSNI failed");
+        }
    }
 #endif
 #ifdef HAVE_MAX_FRAGMENT
@@ -2601,6 +2613,14 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
    wolfSSL_set_SessionTicket_cb(ssl, sessionTicketCB, (void*)"initial session");
    #endif

+#ifdef HAVE_TRUSTED_CA
+    if (trustedCaKeyId) {
+        if (wolfSSL_UseTrustedCA(ssl, WOLFSSL_TRUSTED_CA_PRE_AGREED,
+                    NULL, 0) != WOLFSSL_SUCCESS) {
+            err_sys("UseTrustedCA failed");
+        }
+    }
+#endif
 #ifdef HAVE_ALPN
    if (alpnList != NULL) {
       printf("ALPN accepted protocols list : %s\n", alpnList);
--- a/examples/server/server.c
+++ b/examples/server/server.c
@@ -825,6 +825,9 @@ static void Usage(void)
    printf("%s", msg[++msgId]);     /* -3 */
 #endif
    printf("%s", msg[++msgId]);     /* -1 */
+#ifdef HAVE_TRUSTED_CA
+    printf("-5          Use Trusted CA Key Indication\n");
+#endif /* HAVE_TRUSTED_CA */
 }

 THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
@@ -914,6 +917,10 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
    char*  sniHostName = NULL;
 #endif

+#ifdef HAVE_TRUSTED_CA
+    int trustedCaKeyId = 0;
+#endif /* HAVE_TRUSTED_CA */
+
 #ifdef HAVE_OCSP
    int    useOcsp  = 0;
    char*  ocspUrl  = NULL;
@@ -1010,7 +1017,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
    while ((ch = mygetopt(argc, argv, "?:"
                "abc:defgijk:l:mnop:q:rstuv:wxy"
                "A:B:C:D:E:GH:IJKL:MNO:PQR:S:TUVYZ:"
-                "01:23:4:")) != -1) {
+                "01:23:4:5")) != -1) {
        switch (ch) {
            case '?' :
                if(myoptarg!=NULL) {
@@ -1372,6 +1379,11 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
                    doBlockSeq = 1;
                    dtlsCtx.blockSeq = atoi(myoptarg);
                #endif
+
+            case '5' :
+            #ifdef HAVE_TRUSTED_CA
+                trustedCaKeyId = 1;
+            #endif /* HAVE_TRUSTED_CA */
                break;

            default:
@@ -1953,6 +1965,15 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
            err_sys_ex(runWithErrors, "error in setting fd");
        }

+#ifdef HAVE_TRUSTED_CA
+        if (trustedCaKeyId) {
+            if (wolfSSL_UseTrustedCA(ssl, WOLFSSL_TRUSTED_CA_PRE_AGREED,
+                        NULL, 0) != WOLFSSL_SUCCESS) {
+                err_sys_ex(runWithErrors, "UseTrustedCA failed");
+            }
+        }
+#endif /* HAVE_TRUSTED_CA */
+
 #ifdef HAVE_ALPN
        if (alpnList != NULL) {
            printf("ALPN accepted protocols list : %s\n", alpnList);