forked from wolfSSL/wolfssl
Patch from customer that adds new WOLFSSL_NO_TRUSTED_CERTS_VERIFY option to load CA using subject and match using publicKey. This is a workaround for situation where entire cert chain is not loaded/available. This is not a secure solution because it does not perform PKI validation.
This commit is contained in:
David Garske
@ -34,6 +34,11 @@ ASN Options:
|
||||
* ASN_DUMP_OID: Allows dump of OID information for debugging.
|
||||
* RSA_DECODE_EXTRA: Decodes extra information in RSA public key.
|
||||
* WOLFSSL_CERT_GEN: Cert generation. Saves extra certificate info in GetName.
|
||||
* WOLFSSL_NO_OCSP_OPTIONAL_CERTS: Skip optional OCSP certs (responder issuer
|
||||
must still be trusted)
|
||||
* WOLFSSL_NO_TRUSTED_CERTS_VERIFY: Workaround for sitatuon where entire cert
|
||||
chain is not loaded. This only matches on subject and public key and
|
||||
does not perform a PKI validation, so it is not a secure solution.
|
||||
*/
|
||||
|
||||
#ifndef NO_ASN
|
||||
@ -6031,6 +6036,25 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
|
||||
cert->ca = GetCA(cm, cert->extAuthKeyId);
|
||||
if (cert->ca == NULL)
|
||||
cert->ca = GetCAByName(cm, cert->issuerHash);
|
||||
|
||||
/* alternate lookup method using subject and match on public key */
|
||||
#ifdef WOLFSSL_NO_TRUSTED_CERTS_VERIFY
|
||||
if (cert->ca == NULL) {
|
||||
if (cert->extSubjKeyIdSet) {
|
||||
cert->ca = GetCA(cm, cert->extSubjKeyId);
|
||||
}
|
||||
if (cert->ca == NULL) {
|
||||
cert->ca = GetCAByName(cm, cert->subjectHash);
|
||||
}
|
||||
if (cert->ca) {
|
||||
if ((cert->ca->pubKeySize == cert->pubKeySize) &&
|
||||
(XMEMCMP(cert->ca->publicKey, cert->publicKey,
|
||||
cert->ca->pubKeySize) == 0)) {
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
#endif /* WOLFSSL_NO_TRUSTED_CERTS_VERIFY */
|
||||
#else
|
||||
cert->ca = GetCA(cm, cert->issuerHash);
|
||||
#endif /* !NO_SKID */
|
||||
|
||||
Reference in New Issue
Block a user