forked from wolfSSL/wolfssl
Added check to enforce RFC 5280 Sec 4.2: "A certificate MUST NOT include more than one instance of a particular extension". Refactor of the DecodedCert struct to combine bit type options into bit-fields. Fix for wolfCrypt test for error codes to allow -161.
This commit is contained in:
David Garske
@ -6175,6 +6175,30 @@ int DecodePolicyOID(char *out, word32 outSz, byte *in, word32 inSz)
|
||||
}
|
||||
#endif /* WOLFSSL_SEP */
|
||||
|
||||
/* Macro to check if bit is set, if not sets and return success.
|
||||
Otherwise returns failure */
|
||||
#ifndef WOLFSSL_NO_ASN_STRICT
|
||||
#define VERIFY_AND_SET_OID(bit) \
|
||||
({ \
|
||||
int bitvalid; \
|
||||
if (bit == 0) { \
|
||||
bit = 1; \
|
||||
bitvalid = 0; /* success */ \
|
||||
} \
|
||||
else { \
|
||||
bitvalid = -1; /* fail */ \
|
||||
} \
|
||||
bitvalid; \
|
||||
})
|
||||
#else
|
||||
/* With no strict defined, the verify is skipped */
|
||||
#define VERIFY_AND_SET_OID(bit) \
|
||||
({ \
|
||||
bit = 1; \
|
||||
0; /* success */ \
|
||||
})
|
||||
#endif
|
||||
|
||||
static int DecodeCertExtensions(DecodedCert* cert)
|
||||
/*
|
||||
* Processing the Certificate Extensions. This does not modify the current
|
||||
@ -6243,8 +6267,9 @@ static int DecodeCertExtensions(DecodedCert* cert)
|
||||
|
||||
switch (oid) {
|
||||
case BASIC_CA_OID:
|
||||
if (VERIFY_AND_SET_OID(cert->extBasicConstSet))
|
||||
return ASN_OBJECT_ID_E;
|
||||
#ifdef OPENSSL_EXTRA
|
||||
cert->extBasicConstSet = 1;
|
||||
cert->extBasicConstCrit = critical;
|
||||
#endif
|
||||
if (DecodeBasicCaConstraint(&input[idx], length, cert) < 0)
|
||||
@ -6252,8 +6277,9 @@ static int DecodeCertExtensions(DecodedCert* cert)
|
||||
break;
|
||||
|
||||
case CRL_DIST_OID:
|
||||
if (VERIFY_AND_SET_OID(cert->extCRLdistSet))
|
||||
return ASN_OBJECT_ID_E;
|
||||
#ifdef OPENSSL_EXTRA
|
||||
cert->extCRLdistSet = 1;
|
||||
cert->extCRLdistCrit = critical;
|
||||
#endif
|
||||
if (DecodeCrlDist(&input[idx], length, cert) < 0)
|
||||
@ -6261,8 +6287,9 @@ static int DecodeCertExtensions(DecodedCert* cert)
|
||||
break;
|
||||
|
||||
case AUTH_INFO_OID:
|
||||
if (VERIFY_AND_SET_OID(cert->extAuthInfoSet))
|
||||
return ASN_OBJECT_ID_E;
|
||||
#ifdef OPENSSL_EXTRA
|
||||
cert->extAuthInfoSet = 1;
|
||||
cert->extAuthInfoCrit = critical;
|
||||
#endif
|
||||
if (DecodeAuthInfo(&input[idx], length, cert) < 0)
|
||||
@ -6270,8 +6297,9 @@ static int DecodeCertExtensions(DecodedCert* cert)
|
||||
break;
|
||||
|
||||
case ALT_NAMES_OID:
|
||||
if (VERIFY_AND_SET_OID(cert->extSubjAltNameSet))
|
||||
return ASN_OBJECT_ID_E;
|
||||
#ifdef OPENSSL_EXTRA
|
||||
cert->extSubjAltNameSet = 1;
|
||||
cert->extSubjAltNameCrit = critical;
|
||||
#endif
|
||||
ret = DecodeAltNames(&input[idx], length, cert);
|
||||
@ -6280,7 +6308,8 @@ static int DecodeCertExtensions(DecodedCert* cert)
|
||||
break;
|
||||
|
||||
case AUTH_KEY_OID:
|
||||
cert->extAuthKeyIdSet = 1;
|
||||
if (VERIFY_AND_SET_OID(cert->extAuthKeyIdSet))
|
||||
return ASN_OBJECT_ID_E;
|
||||
#ifdef OPENSSL_EXTRA
|
||||
cert->extAuthKeyIdCrit = critical;
|
||||
#endif
|
||||
@ -6289,7 +6318,8 @@ static int DecodeCertExtensions(DecodedCert* cert)
|
||||
break;
|
||||
|
||||
case SUBJ_KEY_OID:
|
||||
cert->extSubjKeyIdSet = 1;
|
||||
if (VERIFY_AND_SET_OID(cert->extSubjKeyIdSet))
|
||||
return ASN_OBJECT_ID_E;
|
||||
#ifdef OPENSSL_EXTRA
|
||||
cert->extSubjKeyIdCrit = critical;
|
||||
#endif
|
||||
@ -6311,8 +6341,9 @@ static int DecodeCertExtensions(DecodedCert* cert)
|
||||
|
||||
case CERT_POLICY_OID:
|
||||
#ifdef WOLFSSL_SEP
|
||||
if (VERIFY_AND_SET_OID(cert->extCertPolicySet))
|
||||
return ASN_OBJECT_ID_E;
|
||||
#ifdef OPENSSL_EXTRA
|
||||
cert->extCertPolicySet = 1;
|
||||
cert->extCertPolicyCrit = critical;
|
||||
#endif
|
||||
#endif
|
||||
@ -6326,7 +6357,8 @@ static int DecodeCertExtensions(DecodedCert* cert)
|
||||
break;
|
||||
|
||||
case KEY_USAGE_OID:
|
||||
cert->extKeyUsageSet = 1;
|
||||
if (VERIFY_AND_SET_OID(cert->extKeyUsageSet))
|
||||
return ASN_OBJECT_ID_E;
|
||||
#ifdef OPENSSL_EXTRA
|
||||
cert->extKeyUsageCrit = critical;
|
||||
#endif
|
||||
@ -6335,7 +6367,8 @@ static int DecodeCertExtensions(DecodedCert* cert)
|
||||
break;
|
||||
|
||||
case EXT_KEY_USAGE_OID:
|
||||
cert->extExtKeyUsageSet = 1;
|
||||
if (VERIFY_AND_SET_OID(cert->extExtKeyUsageSet))
|
||||
return ASN_OBJECT_ID_E;
|
||||
#ifdef OPENSSL_EXTRA
|
||||
cert->extExtKeyUsageCrit = critical;
|
||||
#endif
|
||||
@ -6354,7 +6387,8 @@ static int DecodeCertExtensions(DecodedCert* cert)
|
||||
return ASN_NAME_INVALID_E;
|
||||
}
|
||||
#endif
|
||||
cert->extNameConstraintSet = 1;
|
||||
if (VERIFY_AND_SET_OID(cert->extNameConstraintSet))
|
||||
return ASN_OBJECT_ID_E;
|
||||
#ifdef OPENSSL_EXTRA
|
||||
cert->extNameConstraintCrit = critical;
|
||||
#endif
|
||||
@ -6364,6 +6398,8 @@ static int DecodeCertExtensions(DecodedCert* cert)
|
||||
#endif /* IGNORE_NAME_CONSTRAINTS */
|
||||
|
||||
case INHIBIT_ANY_OID:
|
||||
if (VERIFY_AND_SET_OID(cert->inhibitAnyOidSet))
|
||||
return ASN_OBJECT_ID_E;
|
||||
WOLFSSL_MSG("Inhibit anyPolicy extension not supported yet.");
|
||||
break;
|
||||
|
||||
|
||||
@ -1026,7 +1026,7 @@ int error_test(void)
|
||||
int j = 0;
|
||||
/* Values that are not or no longer error codes. */
|
||||
int missing[] = { -122, -123, -124, -127, -128, -129,
|
||||
-161, -162, -163, -164, -165, -166, -167, -168, -169,
|
||||
-162, -163, -164, -165, -166, -167, -168, -169,
|
||||
-179, -233,
|
||||
0 };
|
||||
|
||||
|
||||
@ -549,7 +549,6 @@ struct DecodedCert {
|
||||
char* subjectCN; /* CommonName */
|
||||
int subjectCNLen; /* CommonName Length */
|
||||
char subjectCNEnc; /* CommonName Encoding */
|
||||
int subjectCNStored; /* have we saved a copy we own */
|
||||
char issuer[ASN_NAME_MAX]; /* full name including common name */
|
||||
char subject[ASN_NAME_MAX]; /* full name including common name */
|
||||
int verify; /* Default to yes, but could be off */
|
||||
@ -567,36 +566,12 @@ struct DecodedCert {
|
||||
byte* extCrlInfo; /* CRL Distribution Points */
|
||||
int extCrlInfoSz; /* length of the URI */
|
||||
byte extSubjKeyId[KEYID_SIZE]; /* Subject Key ID */
|
||||
byte extSubjKeyIdSet; /* Set when the SKID was read from cert */
|
||||
byte extAuthKeyId[KEYID_SIZE]; /* Authority Key ID */
|
||||
byte extAuthKeyIdSet; /* Set when the AKID was read from cert */
|
||||
#ifndef IGNORE_NAME_CONSTRAINTS
|
||||
byte extNameConstraintSet;
|
||||
#endif /* IGNORE_NAME_CONSTRAINTS */
|
||||
byte isCA; /* CA basic constraint true */
|
||||
byte pathLengthSet; /* CA basic const path length set */
|
||||
byte pathLength; /* CA basic constraint path length */
|
||||
byte weOwnAltNames; /* altNames haven't been given to copy */
|
||||
byte extKeyUsageSet;
|
||||
word16 extKeyUsage; /* Key usage bitfield */
|
||||
byte extExtKeyUsageSet; /* Extended Key Usage */
|
||||
byte extExtKeyUsage; /* Extended Key usage bitfield */
|
||||
|
||||
#ifdef OPENSSL_EXTRA
|
||||
byte extCRLdistSet;
|
||||
byte extCRLdistCrit;
|
||||
byte extAuthInfoSet;
|
||||
byte extAuthInfoCrit;
|
||||
byte extBasicConstSet;
|
||||
byte extBasicConstCrit;
|
||||
byte extSubjAltNameSet;
|
||||
byte extSubjAltNameCrit;
|
||||
byte extAuthKeyIdCrit;
|
||||
#ifndef IGNORE_NAME_CONSTRAINTS
|
||||
byte extNameConstraintCrit;
|
||||
#endif /* IGNORE_NAME_CONSTRAINTS */
|
||||
byte extSubjKeyIdCrit;
|
||||
byte extKeyUsageCrit;
|
||||
byte extExtKeyUsageCrit;
|
||||
byte* extExtKeyUsageSrc;
|
||||
word32 extExtKeyUsageSz;
|
||||
word32 extExtKeyUsageCount;
|
||||
@ -605,6 +580,7 @@ struct DecodedCert {
|
||||
byte* extSubjKeyIdSrc;
|
||||
word32 extSubjKeyIdSz;
|
||||
#endif
|
||||
|
||||
#if defined(HAVE_ECC) || defined(HAVE_ED25519)
|
||||
word32 pkCurveOID; /* Public Key's curve OID */
|
||||
#endif /* HAVE_ECC */
|
||||
@ -620,7 +596,7 @@ struct DecodedCert {
|
||||
byte* subjectRaw; /* pointer to subject inside source */
|
||||
int subjectRawLen;
|
||||
#endif
|
||||
#if defined(WOLFSSL_CERT_GEN)
|
||||
#ifdef WOLFSSL_CERT_GEN
|
||||
/* easy access to subject info for other sign */
|
||||
char* subjectSN;
|
||||
int subjectSNLen;
|
||||
@ -654,10 +630,6 @@ struct DecodedCert {
|
||||
byte* hwType;
|
||||
int hwSerialNumSz;
|
||||
byte* hwSerialNum;
|
||||
#ifdef OPENSSL_EXTRA
|
||||
byte extCertPolicySet;
|
||||
byte extCertPolicyCrit;
|
||||
#endif /* OPENSSL_EXTRA */
|
||||
#endif /* WOLFSSL_SEP */
|
||||
#ifdef WOLFSSL_CERT_EXT
|
||||
char extCertPolicies[MAX_CERTPOL_NB][MAX_CERTPOL_SZ];
|
||||
@ -666,6 +638,44 @@ struct DecodedCert {
|
||||
|
||||
Signer* ca;
|
||||
SignatureCtx sigCtx;
|
||||
|
||||
/* Option Bits */
|
||||
byte subjectCNStored : 1; /* have we saved a copy we own */
|
||||
byte extSubjKeyIdSet : 1; /* Set when the SKID was read from cert */
|
||||
byte extAuthKeyIdSet : 1; /* Set when the AKID was read from cert */
|
||||
#ifndef IGNORE_NAME_CONSTRAINTS
|
||||
byte extNameConstraintSet : 1;
|
||||
#endif
|
||||
byte isCA : 1; /* CA basic constraint true */
|
||||
byte pathLengthSet : 1; /* CA basic const path length set */
|
||||
byte weOwnAltNames : 1; /* altNames haven't been given to copy */
|
||||
byte extKeyUsageSet : 1;
|
||||
byte extExtKeyUsageSet : 1; /* Extended Key Usage set */
|
||||
byte extCRLdistSet : 1;
|
||||
byte extAuthInfoSet : 1;
|
||||
byte extBasicConstSet : 1;
|
||||
byte extSubjAltNameSet : 1;
|
||||
byte inhibitAnyOidSet : 1;
|
||||
#ifdef WOLFSSL_SEP
|
||||
byte extCertPolicySet : 1;
|
||||
#endif
|
||||
#ifdef OPENSSL_EXTRA
|
||||
byte extCRLdistCrit : 1;
|
||||
byte extAuthInfoCrit : 1;
|
||||
byte extBasicConstCrit : 1;
|
||||
byte extSubjAltNameCrit : 1;
|
||||
byte extAuthKeyIdCrit : 1;
|
||||
#ifndef IGNORE_NAME_CONSTRAINTS
|
||||
byte extNameConstraintCrit : 1;
|
||||
#endif
|
||||
byte extSubjKeyIdCrit : 1;
|
||||
byte extKeyUsageCrit : 1;
|
||||
byte extExtKeyUsageCrit : 1;
|
||||
#endif /* OPENSSL_EXTRA */
|
||||
#ifdef WOLFSSL_SEP
|
||||
byte extCertPolicyCrit : 1;
|
||||
#endif
|
||||
|
||||
};
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user