feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

X.509

Browse Source 
1. Added stubs for the Extended Key Usage and Inhibit anyPolicy
   extensions.
2. Key Usage extension is decoded normally.
3. Certificate Policy extension is noted normally.
This commit is contained in:
John Safranek
2014-03-14 15:48:33 -07:00
parent 4ac70de055
commit bcd7f03495
2 changed files with 57 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
ctaocrypt/src/asn.c
View File

@@ -1280,6 +1280,8 @@ void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap)
cert->extSubjKeyIdSet = 0; cert->extSubjKeyIdSet = 0;
XMEMSET(cert->extAuthKeyId, 0, SHA_SIZE); XMEMSET(cert->extAuthKeyId, 0, SHA_SIZE);
cert->extAuthKeyIdSet = 0; cert->extAuthKeyIdSet = 0;
cert->extKeyUsageSet = 0;
cert->extKeyUsage = 0;
cert->isCA = 0; cert->isCA = 0;
#ifdef HAVE_PKCS7 #ifdef HAVE_PKCS7
cert->issuerRaw = NULL; cert->issuerRaw = NULL;
@@ -1316,9 +1318,7 @@ void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap)
cert->extSubjAltNameCrit = 0; cert->extSubjAltNameCrit = 0;
cert->extAuthKeyIdCrit = 0; cert->extAuthKeyIdCrit = 0;
cert->extSubjKeyIdCrit = 0; cert->extSubjKeyIdCrit = 0;
cert->extKeyUsageSet = 0;
cert->extKeyUsageCrit = 0; cert->extKeyUsageCrit = 0;
cert->extKeyUsage = 0;
cert->extAuthKeyIdSrc = NULL; cert->extAuthKeyIdSrc = NULL;
cert->extAuthKeyIdSz = 0; cert->extAuthKeyIdSz = 0;
cert->extSubjKeyIdSrc = NULL; cert->extSubjKeyIdSrc = NULL;
@@ -2950,11 +2950,13 @@ static int DecodeBasicCaConstraint(byte* input, int sz, DecodedCert* cert)
int length = 0; int length = 0;
CYASSL_ENTER("DecodeBasicCaConstraint"); CYASSL_ENTER("DecodeBasicCaConstraint");
if (GetSequence(input, &idx, &length, sz) < 0) if (GetSequence(input, &idx, &length, sz) < 0) {
CYASSL_MSG("\tfail: bad SEQUENCE");
return ASN_PARSE_E; return ASN_PARSE_E;
}
if (length == 0) if (length == 0)
return ASN_PARSE_E; return 0;
/* If the basic ca constraint is false, this extension may be named, but /* If the basic ca constraint is false, this extension may be named, but
* left empty. So, if the length is 0, just return. */ * left empty. So, if the length is 0, just return. */
@@ -3205,9 +3207,8 @@ static int DecodeSubjKeyId(byte* input, int sz, DecodedCert* cert)
} }
#ifdef OPENSSL_EXTRA static int DecodeKeyUsage(byte* input, int sz, DecodedCert* cert)
static int DecodeKeyUsage(byte* input, int sz, DecodedCert* cert) {
{
word32 idx = 0; word32 idx = 0;
int length; int length;
byte unusedBits; byte unusedBits;
@@ -3234,8 +3235,7 @@ static int DecodeSubjKeyId(byte* input, int sz, DecodedCert* cert)
cert->extKeyUsage = (word16)(input[idx] << 1); cert->extKeyUsage = (word16)(input[idx] << 1);
return 0; return 0;
} }
#endif /* OPENSSL_EXTRA */
#ifdef CYASSL_SEP #ifdef CYASSL_SEP
@@ -3394,25 +3394,34 @@ static int DecodeCertExtensions(DecodedCert* cert)
return ASN_PARSE_E; return ASN_PARSE_E;
break; break;
#ifdef CYASSL_SEP
case CERT_POLICY_OID: case CERT_POLICY_OID:
CYASSL_MSG("Certificate Policy extension not supported yet.");
#ifdef CYASSL_SEP
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
cert->extCertPolicySet = 1; cert->extCertPolicySet = 1;
cert->extCertPolicyCrit = critical; cert->extCertPolicyCrit = critical;
#endif #endif
if (DecodeCertPolicy(&input[idx], length, cert) < 0) if (DecodeCertPolicy(&input[idx], length, cert) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
break;
#endif #endif
break;
#ifdef OPENSSL_EXTRA
case KEY_USAGE_OID: case KEY_USAGE_OID:
cert->extKeyUsageSet = 1; cert->extKeyUsageSet = 1;
#ifdef OPENSSL_EXTRA
cert->extKeyUsageCrit = critical; cert->extKeyUsageCrit = critical;
#endif
if (DecodeKeyUsage(&input[idx], length, cert) < 0) if (DecodeKeyUsage(&input[idx], length, cert) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
break; break;
#endif
case EXT_KEY_USAGE_OID:
CYASSL_MSG("Extended Key Usage extension not supported yet.");
break;
case INHIBIT_ANY_OID:
CYASSL_MSG("Inhibit anyPolicy extension not supported yet.");
break;
default: default:
/* While it is a failure to not support critical extensions, /* While it is a failure to not support critical extensions,

8
cyassl/ctaocrypt/asn.h
View File

@@ -216,7 +216,9 @@ enum Extensions_Sum {
AUTH_KEY_OID = 149, AUTH_KEY_OID = 149,
SUBJ_KEY_OID = 128, SUBJ_KEY_OID = 128,
CERT_POLICY_OID = 146, CERT_POLICY_OID = 146,
KEY_USAGE_OID = 129 /* 2.5.29.15 */ KEY_USAGE_OID = 129, /* 2.5.29.15 */
INHIBIT_ANY_OID = 168, /* 2.5.29.54 */
EXT_KEY_USAGE_OID = 151, /* 2.5.29.37 */
}; };
enum CertificatePolicy_Sum { enum CertificatePolicy_Sum {
@@ -332,6 +334,8 @@ struct DecodedCert {
byte extAuthKeyId[SHA_SIZE]; /* Authority Key ID */ byte extAuthKeyId[SHA_SIZE]; /* Authority Key ID */
byte extAuthKeyIdSet; /* Set when the AKID was read from cert */ byte extAuthKeyIdSet; /* Set when the AKID was read from cert */
byte isCA; /* CA basic constraint true */ byte isCA; /* CA basic constraint true */
byte extKeyUsageSet;
word16 extKeyUsage; /* Key usage bitfield */
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
byte extBasicConstSet; byte extBasicConstSet;
byte extBasicConstCrit; byte extBasicConstCrit;
@@ -341,9 +345,7 @@ struct DecodedCert {
byte extSubjAltNameCrit; byte extSubjAltNameCrit;
byte extAuthKeyIdCrit; byte extAuthKeyIdCrit;
byte extSubjKeyIdCrit; byte extSubjKeyIdCrit;
byte extKeyUsageSet;
byte extKeyUsageCrit; byte extKeyUsageCrit;
word16 extKeyUsage; /* Key usage bitfield */
byte* extAuthKeyIdSrc; byte* extAuthKeyIdSrc;
word32 extAuthKeyIdSz; word32 extAuthKeyIdSz;
byte* extSubjKeyIdSrc; byte* extSubjKeyIdSrc;