Merge pull request #1329 from JacobBarthelmeh/PKCS12

PKCS12 reverse order that certificates are compared for keypair

certs/include.am

@@ -35,6 +35,7 @@ EXTRA_DIST += \
 	     certs/server-revoked-key.pem \
 	     certs/wolfssl-website-ca.pem \
 	     certs/test-servercert.p12 \
+	     certs/ecc-rsa-server.p12 \
 	     certs/dsaparams.pem \
 	     certs/ecc-privOnlyKey.pem \
 	     certs/ecc-privOnlyCert.pem \

certs/renewcerts.sh

@@ -274,12 +274,23 @@ function run_renewcerts(){
     openssl x509 -inform PEM -in server-ecc.pem -outform DER -out server-ecc.der
     openssl x509 -inform PEM -in server-ecc-comp.pem -outform DER -out server-ecc-comp.der
 
+    ############################################################
+    ###### update the ecc-rsa-server.p12 file ##################
+    ############################################################
+    echo "Updating ecc-rsa-server.p12 (password is \"\")"
+    echo ""
+    echo "" | openssl pkcs12 -des3 -descert -export -in server-ecc-rsa.pem -inkey ecc-key.pem -certfile server-ecc.pem -out ecc-rsa-server.p12 -password stdin
+
+    ############################################################
+    ########## store DER files as buffers ######################
+    ############################################################
     echo "Changing directory to wolfssl root..."
     echo ""
     cd ../
     echo "Execute ./gencertbuf.pl..."
     echo ""
     ./gencertbuf.pl
+
     ############################################################
     ########## generate the new crls ###########################
     ############################################################

tests/api.c

@@ -2528,7 +2528,9 @@ static void test_wolfSSL_PKCS12(void)
     !defined(NO_ASN) && !defined(NO_PWDBASED) && !defined(NO_RSA)
     byte buffer[5300];
     char file[] = "./certs/test-servercert.p12";
+    char order[] = "./certs/ecc-rsa-server.p12";
     char pass[] = "a password";
+    WOLFSSL_X509_NAME* subject;
     FILE *f;
     int  bytes, ret;
     WOLFSSL_BIO      *bio;
@@ -2536,6 +2538,7 @@ static void test_wolfSSL_PKCS12(void)
     WC_PKCS12        *pkcs12;
     WC_PKCS12        *pkcs12_2;
     WOLFSSL_X509     *cert;
+    WOLFSSL_X509     *x509;
     WOLFSSL_X509     *tmp;
     WOLF_STACK_OF(WOLFSSL_X509) *ca;
 
@@ -2648,6 +2651,54 @@ static void test_wolfSSL_PKCS12(void)
     PKCS12_free(pkcs12_2);
     sk_X509_free(ca);
 
+
+    /* test order of parsing */
+    f = fopen(order, "rb");
+    AssertNotNull(f);
+    bytes = (int)fread(buffer, 1, sizeof(buffer), f);
+    fclose(f);
+
+    AssertNotNull(bio = BIO_new_mem_buf((void*)buffer, bytes));
+    AssertNotNull(pkcs12 = d2i_PKCS12_bio(bio, NULL));
+    AssertIntEQ((ret = PKCS12_parse(pkcs12, "", &pkey, &cert, &ca)),
+            WOLFSSL_SUCCESS);
+    AssertNotNull(pkey);
+    AssertNotNull(cert);
+    AssertNotNull(ca);
+
+    /* compare subject lines of certificates */
+    AssertNotNull(subject = wolfSSL_X509_get_subject_name(cert));
+    AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(eccRsaCertFile,
+                SSL_FILETYPE_PEM));
+    AssertIntEQ(wolfSSL_X509_NAME_cmp((const WOLFSSL_X509_NAME*)subject,
+            (const WOLFSSL_X509_NAME*)wolfSSL_X509_get_subject_name(x509)), 0);
+    X509_free(x509);
+
+    /* test expected fail case */
+    AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(eccCertFile,
+                SSL_FILETYPE_PEM));
+    AssertIntNE(wolfSSL_X509_NAME_cmp((const WOLFSSL_X509_NAME*)subject,
+            (const WOLFSSL_X509_NAME*)wolfSSL_X509_get_subject_name(x509)), 0);
+    X509_free(x509);
+    X509_free(cert);
+
+    /* get subject line from ca stack */
+    AssertNotNull(cert = sk_X509_pop(ca));
+    AssertNotNull(subject = wolfSSL_X509_get_subject_name(cert));
+
+    /* compare subject from certificate in ca to expected */
+    AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(eccCertFile,
+                SSL_FILETYPE_PEM));
+    AssertIntEQ(wolfSSL_X509_NAME_cmp((const WOLFSSL_X509_NAME*)subject,
+            (const WOLFSSL_X509_NAME*)wolfSSL_X509_get_subject_name(x509)), 0);
+
+    EVP_PKEY_free(pkey);
+    X509_free(x509);
+    X509_free(cert);
+    BIO_free(bio);
+    PKCS12_free(pkcs12);
+    sk_X509_free(ca);
+
     printf(resultFmt, passed);
 #endif /* OPENSSL_EXTRA */
 }

wolfcrypt/src/pkcs12.c

@@ -768,6 +768,7 @@ int wc_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw,
 {
     ContentInfo* ci       = NULL;
     WC_DerCertList* certList = NULL;
+    WC_DerCertList* tailList = NULL;
     byte* buf             = NULL;
     word32 i, oid;
     int ret, pswSz;
@@ -1067,12 +1068,13 @@ int wc_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw,
 
                     /* put the new node into the list */
                     if (certList != NULL) {
-                        WOLFSSL_MSG("Pushing new cert onto stack");
+                        WOLFSSL_MSG("Pushing new cert onto queue");
-                        node->next = certList;
+                        tailList->next = node;
-                        certList = node;
+                        tailList = node;
                     }
                     else {
                         certList = node;
+                        tailList = node;
                     }
 
                     /* on to next */

wolfssl/test.h

@@ -258,6 +258,7 @@
 #define caCertFile     "certs/ca-cert.pem"
 #define eccCertFile    "certs/server-ecc.pem"
 #define eccKeyFile     "certs/ecc-key.pem"
+#define eccRsaCertFile "certs/server-ecc-rsa.pem"
 #define svrCertFile    "certs/server-cert.pem"
 #define svrKeyFile     "certs/server-key.pem"
 #define cliCertFile    "certs/client-cert.pem"
@@ -278,6 +279,7 @@
 #define caCertFile     "./certs/ca-cert.pem"
 #define eccCertFile    "./certs/server-ecc.pem"
 #define eccKeyFile     "./certs/ecc-key.pem"
+#define eccRsaCertFile "./certs/server-ecc-rsa.pem"
 #define svrCertFile    "./certs/server-cert.pem"
 #define svrKeyFile     "./certs/server-key.pem"
 #define cliCertFile    "./certs/client-cert.pem"