Enable 8 combined OCSP and URLs instead of 1 of each
@@ -470,3 +470,6 @@ wolfssl/debug-trace-error-codes.h
|
||||
wolfssl/debug-untrace-error-codes.h
|
||||
|
||||
AGENTS.md
|
||||
|
||||
# Code navigation files
|
||||
compile_commands.json
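Review bot: The `AGENTS.md` and `compile_commands.json` ignore entries (this file looks like .gitignore) are unrelated to the AIA change the commit title describes and would be easier to track in a commit of their own. Ignoring `AGENTS.md` in particular is a repository-wide policy choice that the title gives no rationale for, so at minimum the commit message should say why it is being hidden from `git status`.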
|
||||
|
||||
@@ -0,0 +1,23 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDwTCCAqmgAwIBAgIUEcNoHSMtIkVhW/MmkmUEsVoJVQEwDQYJKoZIhvcNAQEL
|
||||
BQAwITEfMB0GA1UEAwwWd29sZnNzbC1haWEtbXVsdGktdGVzdDAeFw0yNjAxMjcw
|
||||
MTUwNDRaFw0yNzAxMjcwMTUwNDRaMCExHzAdBgNVBAMMFndvbGZzc2wtYWlhLW11
|
||||
bHRpLXRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpVdogPQ2I
|
||||
/nErbxSaNGoYhkwoj1qt+Be1/qWnvZzJ0EBOG4EdioMRIkJzP6W3HoAhkGBrueXf
|
||||
riN07M3XLocRfE+9C1+jZQxBGRxysns9z7K+i0pBtPN/AXV2RCSz13FFyVyLhLks
|
||||
2YAL9By36X9R0wsL+Nd4EAQ4ouf0GglmTmtb5rHf2GIno4xFg9tpWosiUTytwgDC
|
||||
K9lQEQnTnPG6E43N2bszqBc4roOPrYDnd7raNTqcv9yTHM8zwffGJuCogE/Fbr2R
|
||||
yVubLW28n5/O1Pb47hHuPJv6oHMZgct2SV5OB/mwVgI0eoFMSQZ35o6BpHD0C497
|
||||
L2IcoMi8A9rFAgMBAAGjgfAwge0wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAoQw
|
||||
gbAGCCsGAQUFBwEBBIGjMIGgMCIGCCsGAQUFBzABhhZodHRwOi8vMTI3LjAuMC4x
|
||||
OjIyMjIxMCIGCCsGAQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjIyMjIyMCkGCCsG
|
||||
AQUFBzAChh1odHRwOi8vd3d3LndvbGZzc2wuY29tL2NhLnBlbTArBggrBgEFBQcw
|
||||
AoYfaHR0cHM6Ly93d3cud29sZnNzbC5jb20vY2EyLnBlbTAdBgNVHQ4EFgQU1GNm
|
||||
eP/LXQk0tFaTeWoNHyLhLZkwDQYJKoZIhvcNAQELBQADggEBACwuXdKYI2Q/Vhd7
|
||||
TJFvKdp7BuUopQGEQ+4vR+FoesYXc9MHjZJfMqEffv1MArTeY46At/zvcTeszagi
|
||||
io+jjGBLOutsAf9WK3PnKMIkGGfro6btZ8QFyKiZ6unMMlqe6cGqrCrNKp8jLP3k
|
||||
CKZltR5c+MIPhpjoOhNDMOcPMwZBGQJWubwOb4uOu3wv7UWJk/ovKP9WJCUn6wLH
|
||||
soDs+MHMICkxOvDfPf+F4URVqTbzE8IvSMv38z4cAqsyEfWxr32Dg34S/NmeePFV
|
||||
7sSDpksvyITGsxjnQulSuUFSmldumQ6GnA4ZUXvCNdJ0zbD/Iib9ud6K05VdWYZP
|
||||
uyCRkjY=
|
||||
-----END CERTIFICATE-----
|
||||
@@ -0,0 +1,26 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIEcDCCA1igAwIBAgIUN5kIU1GLRP5bRKctP271p7IGFVowDQYJKoZIhvcNAQEL
|
||||
BQAwJDEiMCAGA1UEAwwZd29sZnNzbC1haWEtb3ZlcmZsb3ctdGVzdDAeFw0yNjAx
|
||||
MjcwMTU1NTBaFw0yNzAxMjcwMTU1NTBaMCQxIjAgBgNVBAMMGXdvbGZzc2wtYWlh
|
||||
LW92ZXJmbG93LXRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDS
|
||||
eHeAzVuCe44SU8bcyIWLwkA2AABw/ctSBWKAFEd7DYHduRr3diblHERU1Fv5JzYx
|
||||
JnZquj1IO/qsnSFJYDc9sQmYea89iW8KNPVXKDzdbzhpiQLZL7Yq71ICxxqVLfRr
|
||||
91lyAj0+Syncrp96olSpMJochVnQ6PqLcc/Gq7CMtrKn5KAN7Mn3+LdAQYU8JjRa
|
||||
zqEJ8fmkBKbS5watzgnkP2o5jWSpWzpDOxTdw85hju4H9m5Gmun3XVO9dEAN/dqK
|
||||
vklkzgQGvAMMQMIcgOzw0HxAuvsSNtjgEpIlOir0M7YiC0pYqtMO+thSCmVCvsDR
|
||||
/nG/iqe6YBSXh6oszGwTAgMBAAGjggGYMIIBlDAMBgNVHRMEBTADAQH/MAsGA1Ud
|
||||
DwQEAwIChDCCAVYGCCsGAQUFBwEBBIIBSDCCAUQwIgYIKwYBBQUHMAGGFmh0dHA6
|
||||
Ly8xMjcuMC4wLjE6MjIyMjAwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6
|
||||
MjIyMjEwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjIwIgYIKwYB
|
||||
BQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjMwIgYIKwYBBQUHMAGGFmh0dHA6
|
||||
Ly8xMjcuMC4wLjE6MjIyMjQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6
|
||||
MjIyMjUwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjYwIgYIKwYB
|
||||
BQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjcwIgYIKwYBBQUHMAGGFmh0dHA6
|
||||
Ly8xMjcuMC4wLjE6MjIyMjgwHQYDVR0OBBYEFJt6TNgqMFBebotXaauIYPpUJi1S
|
||||
MA0GCSqGSIb3DQEBCwUAA4IBAQA5noHB343sKQqVmmLds0gC/k1UhVA5iftAGmes
|
||||
uRdNOOCdo2i739DmRAXggetgtatcjDfjxkrvq0Qi+geozZra6uX9FT/hgfw6kDpU
|
||||
HKzJFy4E0G0HTM8mtJi+aGDZL3Lts+h272eahkT1jVKGAPFugqfz7fKRsMce6eCE
|
||||
UD5cvtQXX16fGhBxxmUCZPnxMKcj2oNl7RliHphK6ofXuNbKjqjVQfxsTUXSQDyS
|
||||
ApH5w6iUnAvC5l19qYrBcCVOB6CNJ2CdmvFI//Ox8Jc56HRYYDIdVp2Q3FFA5Z4s
|
||||
gTLvlumVgihAekD+0zVF9q+AJ4TSbE3cqsQgHF/+p84KxWid
|
||||
-----END CERTIFICATE-----
|
||||
Binary file not shown.
@@ -0,0 +1,10 @@
|
||||
-----BEGIN X509 CRL-----
|
||||
MIIBdDCCARkCAQEwCgYIKoZIzj0EAwIwgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
|
||||
DApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NM
|
||||
MRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t
|
||||
MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yNjAyMDQwMzU0Mjla
|
||||
Fw0yNjAzMDYwMzU0MjlaMFAwEgIBAhcNMjYwMjA0MDM1NDI5WjASAgEDFw0yNjAy
|
||||
MDQwMzU0MjlaMBICAQQXDTI2MDIwNDAzNTQyOVowEgIBAxcNMjYwMjA0MDM1NDI5
|
||||
WjAKBggqhkjOPQQDAgNJADBGAiEA6xz109x9tZwaxxs3iLvW65h9AGL8+e1gTnbr
|
||||
GoEsXaQCIQDzxO4LU1d6seHETQDKjUEXivHuvC6f0Nq5uARmWX0DOA==
|
||||
-----END X509 CRL-----
|
||||
Binary file not shown.
@@ -0,0 +1,14 @@
|
||||
-----BEGIN X509 CRL-----
|
||||
MIICMTCCARkCAQEwDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAlVTMRAwDgYD
|
||||
VQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQKDAhTYXd0b290
|
||||
aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t
|
||||
MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yNjAyMDQwMzU0Mjla
|
||||
Fw0yNjAzMDYwMzU0MjlaMFAwEgIBAhcNMjYwMjA0MDM1NDI5WjASAgEDFw0yNjAy
|
||||
MDQwMzU0MjlaMBICAQQXDTI2MDIwNDAzNTQyOVowEgIBARcNMjYwMjA0MDM1NDI5
|
||||
WjANBgkqhkiG9w0BAQsFAAOCAQEAid2CDa/invAbnAJaeVVkS8mRjI/kR0aPHwt1
|
||||
/Sz6w+j163+KZnBwUNgrMmLSMbssm8oxQ8i8zNvBeYd6u1x2N/jw/cwH2rxhZ3zQ
|
||||
bOkDQKKe2eRYXMykAl1uj2VwCeu8/ivqbimYReq7iloEHo8PUiizs1Pj6zJ59I1u
|
||||
LRZDDlS9wiY+VVkKx28dxyClsqtJNCvz5ezNB8GeH+gekaJ1tJVbd3TujBajPPAx
|
||||
R6FobbOOavCZPyGkeZlU/T9S5FwIi07qga5Zuq/9Dy7YwiVya3sAZ/nTYY++HKDQ
|
||||
DL0Bs3/05Lf8BLaf2CX2vGvan4JCQv9CMdnlYBifwvQCeUToyQ==
|
||||
-----END X509 CRL-----
|
||||
@@ -22,7 +22,9 @@ EXTRA_DIST += \
|
||||
EXTRA_DIST += \
|
||||
certs/crl/crl.revoked \
|
||||
certs/crl/extra-crls/ca-int-cert-revoked.pem \
|
||||
certs/crl/extra-crls/general-server-crl.pem
|
||||
certs/crl/extra-crls/general-server-crl.pem \
|
||||
certs/crl/extra-crls/large_crlnum.pem \
|
||||
certs/crl/extra-crls/large_crlnum2.pem
|
||||
|
||||
# Intermediate cert CRL's
|
||||
EXTRA_DIST += \
|
||||
|
||||
+5
-1
@@ -85,6 +85,11 @@ EXTRA_DIST += \
|
||||
certs/dh-pub-2048.pem \
|
||||
certs/dsa2048.pem
|
||||
|
||||
EXTRA_DIST += \
|
||||
certs/aia/ca-issuers-cert.pem \
|
||||
certs/aia/multi-aia-cert.pem \
|
||||
certs/aia/overflow-aia-cert.pem
|
||||
|
||||
EXTRA_DIST += \
|
||||
certs/ca-key.der \
|
||||
certs/ca-cert.der \
|
||||
@@ -154,4 +159,3 @@ include certs/sphincs/include.am
|
||||
include certs/rpk/include.am
|
||||
include certs/acert/include.am
|
||||
include certs/mldsa/include.am
|
||||
|
||||
|
||||
@@ -31,6 +31,9 @@
|
||||
# fpki-cert.der
|
||||
# fpki-certpol-cert.der
|
||||
# rid-cert.der
|
||||
# aia/ca-issuers-cert.pem
|
||||
# aia/multi-aia-cert.pem
|
||||
# aia/overflow-aia-cert.pem
|
||||
# updates the following crls:
|
||||
# crl/cliCrl.pem
|
||||
# crl/crl.pem
|
||||
@@ -292,6 +295,60 @@ run_renewcerts(){
|
||||
echo "End of section"
|
||||
echo "---------------------------------------------------------------------"
|
||||
############################################################
|
||||
########## update AIA test certs ###########################
|
||||
############################################################
|
||||
echo "Updating AIA test certs"
|
||||
echo ""
|
||||
mkdir -p aia
|
||||
|
||||
echo "Updating aia/ca-issuers-cert.pem"
|
||||
echo ""
|
||||
openssl req -new -newkey rsa:2048 -nodes -keyout aia/ca-issuers-key.pem -subj "/CN=wolfssl-aia-test" -out aia/ca-issuers-cert.csr
|
||||
check_result $? "Step AIA-1"
|
||||
|
||||
openssl x509 -req -in aia/ca-issuers-cert.csr -days 365 -extfile wolfssl.cnf -extensions aia_ca_issuers -signkey aia/ca-issuers-key.pem -out aia/ca-issuers-cert.pem
|
||||
check_result $? "Step AIA-2"
|
||||
rm aia/ca-issuers-cert.csr
|
||||
|
||||
openssl x509 -in aia/ca-issuers-cert.pem -text > tmp.pem
|
||||
check_result $? "Step AIA-3"
|
||||
mv tmp.pem aia/ca-issuers-cert.pem
|
||||
rm aia/ca-issuers-key.pem
|
||||
echo "End of section"
|
||||
echo "---------------------------------------------------------------------"
|
||||
|
||||
echo "Updating aia/multi-aia-cert.pem"
|
||||
echo ""
|
||||
openssl req -new -newkey rsa:2048 -nodes -keyout aia/multi-aia-key.pem -subj "/CN=wolfssl-aia-multi-test" -out aia/multi-aia-cert.csr
|
||||
check_result $? "Step AIA-4"
|
||||
|
||||
openssl x509 -req -in aia/multi-aia-cert.csr -days 365 -extfile wolfssl.cnf -extensions aia_multi -signkey aia/multi-aia-key.pem -out aia/multi-aia-cert.pem
|
||||
check_result $? "Step AIA-5"
|
||||
rm aia/multi-aia-cert.csr
|
||||
|
||||
openssl x509 -in aia/multi-aia-cert.pem -text > tmp.pem
|
||||
check_result $? "Step AIA-6"
|
||||
mv tmp.pem aia/multi-aia-cert.pem
|
||||
rm aia/multi-aia-key.pem
|
||||
echo "End of section"
|
||||
echo "---------------------------------------------------------------------"
|
||||
|
||||
echo "Updating aia/overflow-aia-cert.pem"
|
||||
echo ""
|
||||
openssl req -new -newkey rsa:2048 -nodes -keyout aia/overflow-aia-key.pem -subj "/CN=wolfssl-aia-overflow-test" -out aia/overflow-aia-cert.csr
|
||||
check_result $? "Step AIA-7"
|
||||
|
||||
openssl x509 -req -in aia/overflow-aia-cert.csr -days 365 -extfile wolfssl.cnf -extensions aia_overflow -signkey aia/overflow-aia-key.pem -out aia/overflow-aia-cert.pem
|
||||
check_result $? "Step AIA-8"
|
||||
rm aia/overflow-aia-cert.csr
|
||||
|
||||
openssl x509 -in aia/overflow-aia-cert.pem -text > tmp.pem
|
||||
check_result $? "Step AIA-9"
|
||||
mv tmp.pem aia/overflow-aia-cert.pem
|
||||
rm aia/overflow-aia-key.pem
|
||||
echo "End of section"
|
||||
echo "---------------------------------------------------------------------"
|
||||
############################################################
|
||||
########## update the self-signed ca-cert-chain.der ########
|
||||
############################################################
|
||||
echo "Updating ca-cert-chain.der"
|
||||
|
||||
@@ -321,6 +321,45 @@ keyUsage=critical, digitalSignature, keyCertSign, cRLSign
|
||||
[ crl_dist_points ]
|
||||
crlDistributionPoints=URI:http://www.wolfssl.com/crl.pem
|
||||
|
||||
# AIA test certs
|
||||
[ aia_ca_issuers ]
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
basicConstraints=critical,CA:true
|
||||
authorityInfoAccess=@aia_ca_issuers_info
|
||||
|
||||
[ aia_ca_issuers_info ]
|
||||
caIssuers;URI.0=http://example.com/ca.pem
|
||||
|
||||
[ aia_multi ]
|
||||
subjectKeyIdentifier=hash
|
||||
basicConstraints=CA:true
|
||||
keyUsage=digitalSignature, keyCertSign
|
||||
authorityInfoAccess=@aia_multi_info
|
||||
|
||||
[ aia_multi_info ]
|
||||
OCSP;URI.0=http://127.0.0.1:22221
|
||||
OCSP;URI.1=http://127.0.0.1:22222
|
||||
caIssuers;URI.0=http://www.wolfssl.com/ca.pem
|
||||
caIssuers;URI.1=https://www.wolfssl.com/ca2.pem
|
||||
|
||||
[ aia_overflow ]
|
||||
subjectKeyIdentifier=hash
|
||||
basicConstraints=CA:true
|
||||
keyUsage=digitalSignature, keyCertSign
|
||||
authorityInfoAccess=@aia_overflow_info
|
||||
|
||||
[ aia_overflow_info ]
|
||||
OCSP;URI.0=http://127.0.0.1:22220
|
||||
OCSP;URI.1=http://127.0.0.1:22221
|
||||
OCSP;URI.2=http://127.0.0.1:22222
|
||||
OCSP;URI.3=http://127.0.0.1:22223
|
||||
OCSP;URI.4=http://127.0.0.1:22224
|
||||
OCSP;URI.5=http://127.0.0.1:22225
|
||||
OCSP;URI.6=http://127.0.0.1:22226
|
||||
OCSP;URI.7=http://127.0.0.1:22227
|
||||
OCSP;URI.8=http://127.0.0.1:22228
|
||||
|
||||
#tsa default
|
||||
[ tsa ]
|
||||
default_tsa = tsa_config1
|
||||
@@ -404,4 +443,3 @@ DNS.1 = www.example.org
|
||||
URI.1 = https://www.wolfssl.com/
|
||||
otherName.2 = 2.16.840.1.101.3.6.6;FORMAT:HEX,OCT:D1:38:10:D8:28:AF:2C:10:84:35:15:A1:68:58:28:AF:02:10:86:A2:84:E7:39:C3:EB
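Review bot: `[ aia_overflow_info ]` depends on an unstated count: it lists nine OCSP URIs so that exactly one more than WOLFSSL_MAX_AIA_ENTRIES (8) is present, and nothing in the section says so, so trimming or extending the list silently changes what test_wolfSSL_X509_get1_aia_overflow exercises. Add a comment above the section, `# 9 entries: one more than WOLFSSL_MAX_AIA_ENTRIES (8) so the parser sets the overflow flag`, and a similar one on `[ aia_multi_info ]` noting it carries two OCSP and two caIssuers URIs to exercise the combined list. `[ aia_ca_issuers ]` sets `authorityKeyIdentifier` while the two new sections do not; that is harmless for parsing tests but worth a word if the difference is deliberate.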
|
||||
|
||||
|
||||
|
||||
@@ -13848,6 +13848,34 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
|
||||
}
|
||||
x509->authInfoSet = dCert->extAuthInfoSet;
|
||||
x509->authInfoCrit = dCert->extAuthInfoCrit;
|
||||
x509->authInfoListSz = dCert->extAuthInfoListSz;
|
||||
x509->authInfoListOverflow = dCert->extAuthInfoListOverflow;
|
||||
if (x509->authInfoListSz > WOLFSSL_MAX_AIA_ENTRIES) {
|
||||
x509->authInfoListSz = WOLFSSL_MAX_AIA_ENTRIES;
|
||||
x509->authInfoListOverflow = 1;
|
||||
}
|
||||
if (x509->authInfoListSz > 0) {
|
||||
int i;
|
||||
for (i = 0; i < x509->authInfoListSz; i++) {
|
||||
x509->authInfoList[i].method = dCert->extAuthInfoList[i].method;
|
||||
x509->authInfoList[i].uriSz = dCert->extAuthInfoList[i].uriSz;
|
||||
x509->authInfoList[i].uri = NULL;
|
||||
|
||||
if (dCert->extAuthInfoList[i].uri != NULL &&
|
||||
dCert->source != NULL && dCert->maxIdx > 0 &&
|
||||
x509->derCert != NULL && x509->derCert->buffer != NULL) {
|
||||
word32 offset = (word32)
|
||||
(dCert->extAuthInfoList[i].uri - dCert->source);
|
||||
if (offset < (word32)dCert->maxIdx) {
|
||||
x509->authInfoList[i].uri =
|
||||
x509->derCert->buffer + offset;
|
||||
}
|
||||
else {
|
||||
x509->authInfoList[i].uriSz = 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
if (dCert->extAuthInfo != NULL && dCert->extAuthInfoSz > 0) {
|
||||
x509->authInfo = (byte*)XMALLOC(dCert->extAuthInfoSz, x509->heap,
|
||||
DYNAMIC_TYPE_X509_EXT);
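Review bot: The rebase of each URI pointer from `dCert->source` onto `x509->derCert->buffer` only checks that the URI starts inside the DER (`offset < (word32)dCert->maxIdx`); it does not check that `offset + uriSz` also fits, nor that it fits inside `x509->derCert->length`, so if the two buffers ever differ in size the `XMEMCPY(url, uri, uriSz)` in the x509.c accessors reads past derCert->buffer. Tighten the guard to `if (offset < (word32)dCert->maxIdx && x509->authInfoList[i].uriSz <= (word32)dCert->maxIdx - offset && offset + x509->authInfoList[i].uriSz <= x509->derCert->length)` and let the existing `else` that zeroes uriSz handle the rest. The list entries now point into derCert's storage rather than into a heap copy like the legacy `authInfo` allocated just below, so anything that frees or replaces `x509->derCert` while the X509 lives invalidates them; a comment stating that lifetime assumption at the loop would help. CopyDecodedToX509 starts and ends outside this hunk.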
|
||||
|
||||
+87
-36
@@ -14996,56 +14996,107 @@ void wolfSSL_X509_email_free(WOLF_STACK_OF(WOLFSSL_STRING) *sk)
|
||||
}
|
||||
}
|
||||
|
||||
WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ocsp(WOLFSSL_X509 *x)
|
||||
static WOLFSSL_STACK* x509_aia_append_string(WOLFSSL_STACK** head,
|
||||
const byte* uri, word32 uriSz)
|
||||
{
|
||||
WOLFSSL_STACK* list = NULL;
|
||||
WOLFSSL_STACK* node;
|
||||
char* url;
|
||||
|
||||
if (x == NULL || x->authInfoSz == 0)
|
||||
node = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK) + uriSz + 1, NULL,
|
||||
DYNAMIC_TYPE_OPENSSL);
|
||||
if (node == NULL)
|
||||
return NULL;
|
||||
|
||||
list = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK) + x->authInfoSz + 1,
|
||||
NULL, DYNAMIC_TYPE_OPENSSL);
|
||||
if (list == NULL)
|
||||
return NULL;
|
||||
|
||||
url = (char*)list;
|
||||
url = (char*)node;
|
||||
url += sizeof(WOLFSSL_STACK);
|
||||
XMEMCPY(url, x->authInfo, x->authInfoSz);
|
||||
url[x->authInfoSz] = '\0';
|
||||
XMEMCPY(url, uri, uriSz);
|
||||
url[uriSz] = '\0';
|
||||
|
||||
list->data.string = url;
|
||||
list->next = NULL;
|
||||
list->num = 1;
|
||||
node->data.string = url;
|
||||
node->next = NULL;
|
||||
node->num = 1;
|
||||
|
||||
return list;
|
||||
if (*head == NULL) {
|
||||
*head = node;
|
||||
}
|
||||
else {
|
||||
WOLFSSL_STACK* cur = *head;
|
||||
while (cur->next != NULL) {
|
||||
cur->num++;
|
||||
cur = cur->next;
|
||||
}
|
||||
cur->num++;
|
||||
cur->next = node;
|
||||
}
|
||||
|
||||
return node;
|
||||
}
|
||||
|
||||
static WOLFSSL_STACK* x509_get1_aia_by_method(WOLFSSL_X509* x, word32 method,
|
||||
const byte* fallback, int fallbackSz)
|
||||
{
|
||||
WOLFSSL_STACK* head = NULL;
|
||||
int i;
|
||||
|
||||
if (x == NULL)
|
||||
return NULL;
|
||||
|
||||
/* Build from multi-entry list when available; otherwise fall back to the
|
||||
* legacy single-entry fields to preserve previous behavior. */
|
||||
if (x->authInfoListSz > 0) {
|
||||
for (i = 0; i < x->authInfoListSz; i++) {
|
||||
if (x->authInfoList[i].method != method ||
|
||||
x->authInfoList[i].uri == NULL ||
|
||||
x->authInfoList[i].uriSz == 0) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if (x509_aia_append_string(&head, x->authInfoList[i].uri,
|
||||
x->authInfoList[i].uriSz) == NULL) {
|
||||
wolfSSL_X509_email_free(head);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
}
|
||||
if (head == NULL && fallback != NULL && fallbackSz > 0) {
|
||||
if (x509_aia_append_string(&head, fallback, (word32)fallbackSz) == NULL) {
|
||||
wolfSSL_X509_email_free(head);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
return head;
|
||||
}
|
||||
|
||||
WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ocsp(WOLFSSL_X509 *x)
|
||||
{
|
||||
if (x == NULL)
|
||||
return NULL;
|
||||
return x509_get1_aia_by_method(x, AIA_OCSP_OID, x->authInfo, x->authInfoSz);
|
||||
}
|
||||
|
||||
int wolfSSL_X509_get_aia_overflow(WOLFSSL_X509 *x)
|
||||
{
|
||||
int overflow = 0;
|
||||
|
||||
WOLFSSL_ENTER("wolfSSL_X509_get_aia_overflow");
|
||||
|
||||
if (x != NULL) {
|
||||
overflow = x->authInfoListOverflow;
|
||||
}
|
||||
|
||||
WOLFSSL_LEAVE("wolfSSL_X509_get_aia_overflow", overflow);
|
||||
|
||||
return overflow;
|
||||
}
|
||||
|
||||
#ifdef WOLFSSL_ASN_CA_ISSUER
|
||||
WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ca_issuers(WOLFSSL_X509 *x)
|
||||
{
|
||||
WOLFSSL_STACK* list = NULL;
|
||||
char* url;
|
||||
|
||||
if (x == NULL || x->authInfoCaIssuerSz == 0)
|
||||
if (x == NULL)
|
||||
return NULL;
|
||||
|
||||
list = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK) +
|
||||
x->authInfoCaIssuerSz + 1,
|
||||
NULL, DYNAMIC_TYPE_OPENSSL);
|
||||
if (list == NULL)
|
||||
return NULL;
|
||||
|
||||
url = (char*)list;
|
||||
url += sizeof(WOLFSSL_STACK);
|
||||
XMEMCPY(url, x->authInfoCaIssuer, x->authInfoCaIssuerSz);
|
||||
url[x->authInfoCaIssuerSz] = '\0';
|
||||
|
||||
list->data.string = url;
|
||||
list->next = NULL;
|
||||
list->num = 1;
|
||||
|
||||
return list;
|
||||
return x509_get1_aia_by_method(x, AIA_CA_ISSUER_OID, x->authInfoCaIssuer,
|
||||
x->authInfoCaIssuerSz);
|
||||
}
|
||||
#endif /* WOLFSSL_ASN_CA_ISSUER */
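Review bot: Neither new static helper has a header comment, and x509_aia_append_string's contract is easy to misread — it returns the appended node rather than the head, and on allocation failure it returns NULL with `*head` untouched, which is exactly what makes the callers' `wolfSSL_X509_email_free(head)` on that path safe. A comment above it along the lines of `/* Append a NUL-terminated copy of uri[0..uriSz) to the list at *head. Returns the new node, or NULL on allocation failure with *head unchanged; each node's num counts the nodes from itself to the tail. */` would pin that down, and x509_get1_aia_by_method deserves one saying that the legacy single-entry fallback is used only when the list yields nothing. XMALLOC leaves every WOLFSSL_STACK member other than data.string/next/num indeterminate (the replaced code had the same gap), so an `XMEMSET(node, 0, sizeof(WOLFSSL_STACK));` right after the allocation check is cheap insurance should a caller ever hand the list to a generic sk routine. In the fallback branch of x509_get1_aia_by_method `head` is known to be NULL, so the `wolfSSL_X509_email_free(head)` there is a no-op and can go.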
|
||||
|
||||
|
||||
+81
-1
@@ -19204,7 +19204,8 @@ static int test_wolfSSL_X509_get1_ca_issuers(void)
|
||||
EXPECT_DECLS;
|
||||
#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \
|
||||
defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) && \
|
||||
defined(WOLFSSL_ASN_CA_ISSUER) && !defined(NO_FILESYSTEM)
|
||||
defined(WOLFSSL_ASN_CA_ISSUER) && !defined(NO_FILESYSTEM) && \
|
||||
!defined(NO_RSA)
|
||||
X509* cert = NULL;
|
||||
STACK_OF(WOLFSSL_STRING) *skStr = NULL;
|
||||
WOLFSSL_STRING url = NULL;
|
||||
@@ -19224,6 +19225,83 @@ static int test_wolfSSL_X509_get1_ca_issuers(void)
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
|
||||
static int test_wolfSSL_X509_get1_aia_multi(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \
|
||||
defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) && \
|
||||
defined(WOLFSSL_ASN_CA_ISSUER) && !defined(NO_FILESYSTEM) && \
|
||||
!defined(NO_RSA)
|
||||
X509* cert = NULL;
|
||||
STACK_OF(WOLFSSL_STRING) *ocsp = NULL;
|
||||
STACK_OF(WOLFSSL_STRING) *ca = NULL;
|
||||
const char* ocspExp1 = "http://127.0.0.1:22221";
|
||||
const char* ocspExp2 = "http://127.0.0.1:22222";
|
||||
const char* caExp1 = "http://www.wolfssl.com/ca.pem";
|
||||
const char* caExp2 = "https://www.wolfssl.com/ca2.pem";
|
||||
int i;
|
||||
int ocspFound1 = 0, ocspFound2 = 0;
|
||||
int caFound1 = 0, caFound2 = 0;
|
||||
|
||||
ExpectNotNull(cert = wolfSSL_X509_load_certificate_file(
|
||||
"certs/aia/multi-aia-cert.pem", WOLFSSL_FILETYPE_PEM));
|
||||
ExpectIntEQ(wolfSSL_X509_get_aia_overflow(cert), 0);
|
||||
|
||||
ExpectNotNull(ocsp = wolfSSL_X509_get1_ocsp(cert));
|
||||
ExpectIntEQ(wolfSSL_sk_WOLFSSL_STRING_num(ocsp), 2);
|
||||
for (i = 0; i < wolfSSL_sk_WOLFSSL_STRING_num(ocsp); i++) {
|
||||
WOLFSSL_STRING url = wolfSSL_sk_WOLFSSL_STRING_value(ocsp, i);
|
||||
if (url == NULL)
|
||||
continue;
|
||||
if (XSTRCMP(url, ocspExp1) == 0) ocspFound1 = 1;
|
||||
if (XSTRCMP(url, ocspExp2) == 0) ocspFound2 = 1;
|
||||
}
|
||||
ExpectIntEQ(ocspFound1, 1);
|
||||
ExpectIntEQ(ocspFound2, 1);
|
||||
|
||||
ExpectNotNull(ca = wolfSSL_X509_get1_ca_issuers(cert));
|
||||
ExpectIntEQ(wolfSSL_sk_WOLFSSL_STRING_num(ca), 2);
|
||||
for (i = 0; i < wolfSSL_sk_WOLFSSL_STRING_num(ca); i++) {
|
||||
WOLFSSL_STRING url = wolfSSL_sk_WOLFSSL_STRING_value(ca, i);
|
||||
if (url == NULL)
|
||||
continue;
|
||||
if (XSTRCMP(url, caExp1) == 0) caFound1 = 1;
|
||||
if (XSTRCMP(url, caExp2) == 0) caFound2 = 1;
|
||||
}
|
||||
ExpectIntEQ(caFound1, 1);
|
||||
ExpectIntEQ(caFound2, 1);
|
||||
|
||||
wolfSSL_X509_email_free(ocsp);
|
||||
wolfSSL_X509_email_free(ca);
|
||||
wolfSSL_X509_free(cert);
|
||||
#endif
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
|
||||
static int test_wolfSSL_X509_get1_aia_overflow(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \
|
||||
defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) && \
|
||||
!defined(NO_FILESYSTEM) && !defined(NO_RSA)
|
||||
X509* cert = NULL;
|
||||
STACK_OF(WOLFSSL_STRING) *ocsp = NULL;
|
||||
int count;
|
||||
|
||||
ExpectNotNull(cert = wolfSSL_X509_load_certificate_file(
|
||||
"certs/aia/overflow-aia-cert.pem", WOLFSSL_FILETYPE_PEM));
|
||||
|
||||
ExpectNotNull(ocsp = wolfSSL_X509_get1_ocsp(cert));
|
||||
count = wolfSSL_sk_WOLFSSL_STRING_num(ocsp);
|
||||
ExpectIntEQ(count, 8);
|
||||
ExpectIntEQ(wolfSSL_X509_get_aia_overflow(cert), 1);
|
||||
|
||||
wolfSSL_X509_email_free(ocsp);
|
||||
wolfSSL_X509_free(cert);
|
||||
#endif
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
|
||||
static int test_no_op_functions(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
@@ -31692,6 +31770,8 @@ TEST_CASE testCases[] = {
|
||||
TEST_DECL(test_wolfSSL_OCSP_parse_url),
|
||||
TEST_DECL(test_wolfSSL_OCSP_REQ_CTX),
|
||||
TEST_DECL(test_wolfSSL_X509_get1_ca_issuers),
|
||||
TEST_DECL(test_wolfSSL_X509_get1_aia_multi),
|
||||
TEST_DECL(test_wolfSSL_X509_get1_aia_overflow),
|
||||
|
||||
TEST_DECL(test_wolfSSL_PEM_read),
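Review bot: test_wolfSSL_X509_get1_aia_overflow pins the retained count to a literal (`ExpectIntEQ(count, 8);`) even though WOLFSSL_MAX_AIA_ENTRIES is user-overridable via `#ifndef` in the headers, so a build that raises the limit fails here for the wrong reason and, with a nine-URI fixture, no longer overflows at all. Compare against the macro, `ExpectIntEQ(count, WOLFSSL_MAX_AIA_ENTRIES);`, and wrap the `ExpectIntEQ(wolfSSL_X509_get_aia_overflow(cert), 1);` check in `#if WOLFSSL_MAX_AIA_ENTRIES < 9` so it only runs when the fixture really exceeds the limit. The test also never checks which entries survived; iterating `ocsp` and asserting that no value equals `http://127.0.0.1:22228` would confirm the parser keeps the first eight in certificate order and drops the ninth, matching the `aiaIdx < WOLFSSL_MAX_AIA_ENTRIES` check in DecodeAuthInfo.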
|
||||
|
||||
|
||||
+53
-22
@@ -21195,6 +21195,7 @@ static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert)
|
||||
int length = 0;
|
||||
byte b = 0;
|
||||
word32 oid;
|
||||
int aiaIdx;
|
||||
|
||||
WOLFSSL_ENTER("DecodeAuthInfo");
|
||||
|
||||
@@ -21219,14 +21220,29 @@ static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert)
|
||||
if (GetLength(input, &idx, &length, sz) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
/* Set ocsp entry */
|
||||
if (b == GENERALNAME_URI) {
|
||||
/* Add to AIA list if space. */
|
||||
aiaIdx = cert->extAuthInfoListSz;
|
||||
if (aiaIdx < WOLFSSL_MAX_AIA_ENTRIES) {
|
||||
cert->extAuthInfoList[aiaIdx].method = oid;
|
||||
cert->extAuthInfoList[aiaIdx].uri = input + idx;
|
||||
cert->extAuthInfoList[aiaIdx].uriSz = (word32)length;
|
||||
cert->extAuthInfoListSz++;
|
||||
}
|
||||
else {
|
||||
cert->extAuthInfoListOverflow = 1;
|
||||
WOLFSSL_MSG("AIA list overflow");
|
||||
}
|
||||
}
|
||||
|
||||
/* Set first ocsp entry */
|
||||
if (b == GENERALNAME_URI && oid == AIA_OCSP_OID &&
|
||||
cert->extAuthInfo == NULL) {
|
||||
cert->extAuthInfoSz = length;
|
||||
cert->extAuthInfo = input + idx;
|
||||
}
|
||||
#ifdef WOLFSSL_ASN_CA_ISSUER
|
||||
/* Set CaIssuers entry */
|
||||
/* Set first CaIssuers entry */
|
||||
else if ((b == GENERALNAME_URI) && oid == AIA_CA_ISSUER_OID &&
|
||||
cert->extAuthInfoCaIssuer == NULL)
|
||||
{
|
||||
@@ -21242,6 +21258,7 @@ static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert)
|
||||
word32 idx = 0;
|
||||
int length = 0;
|
||||
int ret = 0;
|
||||
int aiaIdx;
|
||||
|
||||
WOLFSSL_ENTER("DecodeAuthInfo");
|
||||
|
||||
@@ -21263,27 +21280,41 @@ static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert)
|
||||
if (ret == 0) {
|
||||
word32 sz32;
|
||||
|
||||
/* Check we have OCSP and URI. */
|
||||
if ((dataASN[ACCESSDESCASN_IDX_METH].data.oid.sum == AIA_OCSP_OID) &&
|
||||
(dataASN[ACCESSDESCASN_IDX_LOC].tag == GENERALNAME_URI) &&
|
||||
(cert->extAuthInfo == NULL)) {
|
||||
/* Store URI for OCSP lookup. */
|
||||
GetASN_GetConstRef(&dataASN[ACCESSDESCASN_IDX_LOC],
|
||||
&cert->extAuthInfo, &sz32);
|
||||
cert->extAuthInfoSz = (int)sz32;
|
||||
if (dataASN[ACCESSDESCASN_IDX_LOC].tag == GENERALNAME_URI) {
|
||||
const byte* uri = NULL;
|
||||
|
||||
GetASN_GetConstRef(&dataASN[ACCESSDESCASN_IDX_LOC], &uri, &sz32);
|
||||
|
||||
/* Add to AIA list if space. */
|
||||
aiaIdx = cert->extAuthInfoListSz;
|
||||
if (aiaIdx < WOLFSSL_MAX_AIA_ENTRIES) {
|
||||
cert->extAuthInfoList[aiaIdx].method =
|
||||
dataASN[ACCESSDESCASN_IDX_METH].data.oid.sum;
|
||||
cert->extAuthInfoList[aiaIdx].uri = uri;
|
||||
cert->extAuthInfoList[aiaIdx].uriSz = sz32;
|
||||
cert->extAuthInfoListSz++;
|
||||
}
|
||||
else {
|
||||
cert->extAuthInfoListOverflow = 1;
|
||||
WOLFSSL_MSG("AIA list overflow");
|
||||
}
|
||||
|
||||
/* Set first OCSP entry. */
|
||||
if ((dataASN[ACCESSDESCASN_IDX_METH].data.oid.sum ==
|
||||
AIA_OCSP_OID) && (cert->extAuthInfo == NULL)) {
|
||||
cert->extAuthInfo = uri;
|
||||
cert->extAuthInfoSz = (int)sz32;
|
||||
}
|
||||
#ifdef WOLFSSL_ASN_CA_ISSUER
|
||||
/* Set first CA Issuer entry. */
|
||||
else if ((dataASN[ACCESSDESCASN_IDX_METH].data.oid.sum ==
|
||||
AIA_CA_ISSUER_OID) &&
|
||||
(cert->extAuthInfoCaIssuer == NULL)) {
|
||||
cert->extAuthInfoCaIssuer = uri;
|
||||
cert->extAuthInfoCaIssuerSz = (int)sz32;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
#ifdef WOLFSSL_ASN_CA_ISSUER
|
||||
/* Check we have CA Issuer and URI. */
|
||||
else if ((dataASN[ACCESSDESCASN_IDX_METH].data.oid.sum ==
|
||||
AIA_CA_ISSUER_OID) &&
|
||||
(dataASN[ACCESSDESCASN_IDX_LOC].tag == GENERALNAME_URI) &&
|
||||
(cert->extAuthInfoCaIssuer == NULL)) {
|
||||
/* Set CaIssuers entry */
|
||||
GetASN_GetConstRef(&dataASN[ACCESSDESCASN_IDX_LOC],
|
||||
&cert->extAuthInfoCaIssuer, &sz32);
|
||||
cert->extAuthInfoCaIssuerSz = (int)sz32;
|
||||
}
|
||||
#endif
|
||||
/* Otherwise skip. */
|
||||
}
|
||||
}
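Review bot: Both decoders (the non-template path and the template path) now add every URI-form access description to extAuthInfoList regardless of its access method, so a certificate carrying several unrelated AIA methods alongside its OCSP/caIssuers URIs consumes the eight slots with entries no accessor ever asks for and can set extAuthInfoListOverflow while an OCSP URI is dropped. Since x509_get1_aia_by_method only queries AIA_OCSP_OID and AIA_CA_ISSUER_OID, consider admitting only those methods to the list, e.g. in the non-template path `if (b == GENERALNAME_URI && (oid == AIA_OCSP_OID || oid == AIA_CA_ISSUER_OID)) {` (with the caIssuers half under WOLFSSL_ASN_CA_ISSUER if that OID is only defined there). If keeping all methods is intended for future callers, a comment saying so at the "Add to AIA list if space." line would stop the next reader from "fixing" it. DecodeAuthInfo starts and ends outside these hunks.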
|
||||
|
||||
@@ -5335,6 +5335,19 @@ struct WOLFSSL_X509_NAME {
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#ifndef WOLFSSL_AIA_ENTRY_DEFINED
|
||||
#ifndef WOLFSSL_MAX_AIA_ENTRIES
|
||||
#define WOLFSSL_MAX_AIA_ENTRIES 8
|
||||
#endif
|
||||
|
||||
#define WOLFSSL_AIA_ENTRY_DEFINED
|
||||
typedef struct WOLFSSL_AIA_ENTRY {
|
||||
word32 method; /* AIA method OID sum (e.g., AIA_OCSP_OID). */
|
||||
const byte* uri; /* Pointer into cert DER for the URI. */
|
||||
word32 uriSz; /* Length of URI data. */
|
||||
} WOLFSSL_AIA_ENTRY;
|
||||
#endif /* WOLFSSL_AIA_ENTRY_DEFINED */
|
||||
|
||||
struct WOLFSSL_X509 {
|
||||
int version;
|
||||
int serialSz;
|
||||
@@ -5405,6 +5418,9 @@ struct WOLFSSL_X509 {
|
||||
byte* authInfoCaIssuer;
|
||||
int authInfoCaIssuerSz;
|
||||
#endif
|
||||
WOLFSSL_AIA_ENTRY authInfoList[WOLFSSL_MAX_AIA_ENTRIES];
|
||||
byte authInfoListSz:7;
|
||||
byte authInfoListOverflow:1;
|
||||
word32 pathLength;
|
||||
word16 keyUsage;
|
||||
int rawCRLInfoSz;
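Review bot: WOLFSSL_AIA_ENTRY and the WOLFSSL_MAX_AIA_ENTRIES default are defined twice — here (internal.h, judging by struct WOLFSSL_X509) and in wolfssl/wolfcrypt/asn.h — with a WOLFSSL_AIA_ENTRY_DEFINED guard deciding which copy wins by include order; if the two copies ever diverge, the layout CopyDecodedToX509 copies between depends on which header came first. Define it once in asn.h, which this header presumably already includes for DecodedCert, and drop this copy. authInfoListSz is also a 7-bit field while WOLFSSL_MAX_AIA_ENTRIES is user-overridable, so a build defining it above 127 makes `extAuthInfoListSz++` in DecodeAuthInfo wrap silently and overwrite entries; add `#if WOLFSSL_MAX_AIA_ENTRIES > 127` / `#error "WOLFSSL_MAX_AIA_ENTRIES must fit in 7 bits"` / `#endif` next to the default. struct WOLFSSL_X509 continues outside this hunk.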
|
||||
|
||||
@@ -565,9 +565,6 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
|
||||
#define X509_get_ex_data wolfSSL_X509_get_ex_data
|
||||
#define X509_set_ex_data wolfSSL_X509_set_ex_data
|
||||
#define X509_get1_ocsp wolfSSL_X509_get1_ocsp
|
||||
#ifdef WOLFSSL_ASN_CA_ISSUER
|
||||
#define X509_get1_ca_issuers wolfSSL_X509_get1_ca_issuers
|
||||
#endif /* WOLFSSL_ASN_CA_ISSUER */
|
||||
#define X509_get_version wolfSSL_X509_get_version
|
||||
#define X509_get_signature_nid wolfSSL_X509_get_signature_nid
|
||||
#define X509_set_subject_name wolfSSL_X509_set_subject_name
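Review bot: This hunk and the matching one in x509v3.h (`@@ -224,10 +224,6 @@`) are net removals around the `X509_get1_ocsp` / `X509_get1_ca_issuers` compatibility macros, and nothing else on this page re-defines them; if the macros are deleted rather than relocated, OpenSSL-compatibility callers that spell the call `X509_get1_ocsp(x)` lose the name even though wolfSSL_X509_get1_ocsp itself stays. If the two headers had duplicate copies and one is being kept, the commit message should say so; otherwise re-add a single definition, e.g. `#define X509_get1_ocsp wolfSSL_X509_get1_ocsp` next to the existing X509 macros in whichever compat header is meant to own it.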
|
||||
|
||||
@@ -224,10 +224,6 @@ typedef struct WOLFSSL_NAME_CONSTRAINTS NAME_CONSTRAINTS;
|
||||
#define X509V3_EXT_print wolfSSL_X509V3_EXT_print
|
||||
#define X509V3_EXT_conf_nid wolfSSL_X509V3_EXT_conf_nid
|
||||
#define X509V3_set_ctx wolfSSL_X509V3_set_ctx
|
||||
#define X509_get1_ocsp wolfSSL_X509_get1_ocsp
|
||||
#ifdef WOLFSSL_ASN_CA_ISSUER
|
||||
#define X509_get1_ca_issuers wolfSSL_X509_get1_ca_issuers
|
||||
#endif /* WOLFSSL_ASN_CA_ISSUER */
|
||||
#ifndef NO_WOLFSSL_STUB
|
||||
#define X509V3_set_nconf(ctx, conf) WC_DO_NOTHING
|
||||
#define X509V3_EXT_cleanup() WC_DO_NOTHING
|
||||
|
||||
@@ -5796,6 +5796,7 @@ WOLFSSL_API int wolfSSL_X509_STORE_CTX_get1_issuer(WOLFSSL_X509 **issuer,
|
||||
|
||||
WOLFSSL_API void wolfSSL_X509_email_free(WOLF_STACK_OF(WOLFSSL_STRING) *sk);
|
||||
WOLFSSL_API WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ocsp(WOLFSSL_X509 *x);
|
||||
WOLFSSL_API int wolfSSL_X509_get_aia_overflow(WOLFSSL_X509 *x);
|
||||
#ifdef WOLFSSL_ASN_CA_ISSUER
|
||||
WOLFSSL_API WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ca_issuers(
|
||||
WOLFSSL_X509 *x);
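Review bot: The new public prototype `wolfSSL_X509_get_aia_overflow` is undocumented and its meaning is not derivable from the name — the implementation returns `x->authInfoListOverflow`, i.e. 1 when the certificate carried more AIA entries than WOLFSSL_MAX_AIA_ENTRIES and the parser dropped the rest, 0 otherwise (including for a NULL `x`). A short comment above the declaration, e.g. `/* Returns 1 if the certificate held more AIA entries than wolfSSL keeps (WOLFSSL_MAX_AIA_ENTRIES), so the lists from wolfSSL_X509_get1_ocsp/get1_ca_issuers are incomplete; 0 otherwise. */`, tells a relying party it must consult this before treating a short OCSP list as the complete set. If public functions are also documented in the doxygen sources under doc/, the same entry presumably belongs there.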
|
||||
|
||||
@@ -1702,6 +1702,19 @@ typedef struct TrustedPeerCert TrustedPeerCert;
|
||||
#endif /* WOLFSSL_TRUST_PEER_CERT */
|
||||
typedef struct SignatureCtx SignatureCtx;
|
||||
|
||||
#ifndef WOLFSSL_AIA_ENTRY_DEFINED
|
||||
#ifndef WOLFSSL_MAX_AIA_ENTRIES
|
||||
#define WOLFSSL_MAX_AIA_ENTRIES 8
|
||||
#endif
|
||||
|
||||
#define WOLFSSL_AIA_ENTRY_DEFINED
|
||||
typedef struct WOLFSSL_AIA_ENTRY {
|
||||
word32 method; /* AIA method OID sum (e.g., AIA_OCSP_OID). */
|
||||
const byte* uri; /* Pointer into cert DER for the URI. */
|
||||
word32 uriSz; /* Length of URI data. */
|
||||
} WOLFSSL_AIA_ENTRY;
|
||||
#endif /* WOLFSSL_AIA_ENTRY_DEFINED */
|
||||
|
||||
#ifdef WC_ASN_UNKNOWN_EXT_CB
|
||||
typedef int (*wc_UnknownExtCallback)(const word16* oid, word32 oidSz, int crit,
|
||||
const unsigned char* der, word32 derSz);
|
||||
@@ -2060,6 +2073,10 @@ struct DecodedCert {
|
||||
WC_BITFIELD extAltSigAlgCrit:1;
|
||||
WC_BITFIELD extAltSigValCrit:1;
|
||||
#endif /* WOLFSSL_DUAL_ALG_CERTS */
|
||||
|
||||
WOLFSSL_AIA_ENTRY extAuthInfoList[WOLFSSL_MAX_AIA_ENTRIES];
|
||||
byte extAuthInfoListSz:7;
|
||||
byte extAuthInfoListOverflow:1;
|
||||
};
|
||||
|
||||
#if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
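Review bot: The new DecodedCert members `byte extAuthInfoListSz:7;` / `byte extAuthInfoListOverflow:1;` sit directly below fields declared with `WC_BITFIELD` (`WC_BITFIELD extAltSigAlgCrit:1;`), which is the type this struct uses for its bit-fields; using `byte` here is inconsistent and, since bit-fields of types other than int/unsigned/_Bool are implementation-defined in C, less portable than the existing convention. Change the two declarations to `WC_BITFIELD extAuthInfoListSz:7;` and `WC_BITFIELD extAuthInfoListOverflow:1;` (and likewise for authInfoListSz/authInfoListOverflow in WOLFSSL_X509 if that struct follows the same convention). The extAuthInfoList array also adds WOLFSSL_MAX_AIA_ENTRIES × sizeof(WOLFSSL_AIA_ENTRY) bytes to every DecodedCert, which matters on constrained targets; a comment on the default noting that it can be lowered per build would be worth adding. struct DecodedCert starts outside this hunk.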
|
||||
|
||||