Enable 8 combined OCSP and URLs instead of 1 of each

This commit is contained in:
Paul Adelsbach
2026-01-26 17:59:33 -08:00
parent aa020f39c4
commit 08c1397cc1
20 changed files with 463 additions and 69 deletions
+3
@@ -470,3 +470,6 @@ wolfssl/debug-trace-error-codes.h
wolfssl/debug-untrace-error-codes.h wolfssl/debug-untrace-error-codes.h
AGENTS.md AGENTS.md
# Code navigation files
compile_commands.json
+23
@@ -0,0 +1,23 @@
-----BEGIN CERTIFICATE-----
MIIDwTCCAqmgAwIBAgIUEcNoHSMtIkVhW/MmkmUEsVoJVQEwDQYJKoZIhvcNAQEL
BQAwITEfMB0GA1UEAwwWd29sZnNzbC1haWEtbXVsdGktdGVzdDAeFw0yNjAxMjcw
MTUwNDRaFw0yNzAxMjcwMTUwNDRaMCExHzAdBgNVBAMMFndvbGZzc2wtYWlhLW11
bHRpLXRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpVdogPQ2I
/nErbxSaNGoYhkwoj1qt+Be1/qWnvZzJ0EBOG4EdioMRIkJzP6W3HoAhkGBrueXf
riN07M3XLocRfE+9C1+jZQxBGRxysns9z7K+i0pBtPN/AXV2RCSz13FFyVyLhLks
2YAL9By36X9R0wsL+Nd4EAQ4ouf0GglmTmtb5rHf2GIno4xFg9tpWosiUTytwgDC
K9lQEQnTnPG6E43N2bszqBc4roOPrYDnd7raNTqcv9yTHM8zwffGJuCogE/Fbr2R
yVubLW28n5/O1Pb47hHuPJv6oHMZgct2SV5OB/mwVgI0eoFMSQZ35o6BpHD0C497
L2IcoMi8A9rFAgMBAAGjgfAwge0wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAoQw
gbAGCCsGAQUFBwEBBIGjMIGgMCIGCCsGAQUFBzABhhZodHRwOi8vMTI3LjAuMC4x
OjIyMjIxMCIGCCsGAQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjIyMjIyMCkGCCsG
AQUFBzAChh1odHRwOi8vd3d3LndvbGZzc2wuY29tL2NhLnBlbTArBggrBgEFBQcw
AoYfaHR0cHM6Ly93d3cud29sZnNzbC5jb20vY2EyLnBlbTAdBgNVHQ4EFgQU1GNm
eP/LXQk0tFaTeWoNHyLhLZkwDQYJKoZIhvcNAQELBQADggEBACwuXdKYI2Q/Vhd7
TJFvKdp7BuUopQGEQ+4vR+FoesYXc9MHjZJfMqEffv1MArTeY46At/zvcTeszagi
io+jjGBLOutsAf9WK3PnKMIkGGfro6btZ8QFyKiZ6unMMlqe6cGqrCrNKp8jLP3k
CKZltR5c+MIPhpjoOhNDMOcPMwZBGQJWubwOb4uOu3wv7UWJk/ovKP9WJCUn6wLH
soDs+MHMICkxOvDfPf+F4URVqTbzE8IvSMv38z4cAqsyEfWxr32Dg34S/NmeePFV
7sSDpksvyITGsxjnQulSuUFSmldumQ6GnA4ZUXvCNdJ0zbD/Iib9ud6K05VdWYZP
uyCRkjY=
-----END CERTIFICATE-----
+26
@@ -0,0 +1,26 @@
-----BEGIN CERTIFICATE-----
MIIEcDCCA1igAwIBAgIUN5kIU1GLRP5bRKctP271p7IGFVowDQYJKoZIhvcNAQEL
BQAwJDEiMCAGA1UEAwwZd29sZnNzbC1haWEtb3ZlcmZsb3ctdGVzdDAeFw0yNjAx
MjcwMTU1NTBaFw0yNzAxMjcwMTU1NTBaMCQxIjAgBgNVBAMMGXdvbGZzc2wtYWlh
LW92ZXJmbG93LXRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDS
eHeAzVuCe44SU8bcyIWLwkA2AABw/ctSBWKAFEd7DYHduRr3diblHERU1Fv5JzYx
JnZquj1IO/qsnSFJYDc9sQmYea89iW8KNPVXKDzdbzhpiQLZL7Yq71ICxxqVLfRr
91lyAj0+Syncrp96olSpMJochVnQ6PqLcc/Gq7CMtrKn5KAN7Mn3+LdAQYU8JjRa
zqEJ8fmkBKbS5watzgnkP2o5jWSpWzpDOxTdw85hju4H9m5Gmun3XVO9dEAN/dqK
vklkzgQGvAMMQMIcgOzw0HxAuvsSNtjgEpIlOir0M7YiC0pYqtMO+thSCmVCvsDR
/nG/iqe6YBSXh6oszGwTAgMBAAGjggGYMIIBlDAMBgNVHRMEBTADAQH/MAsGA1Ud
DwQEAwIChDCCAVYGCCsGAQUFBwEBBIIBSDCCAUQwIgYIKwYBBQUHMAGGFmh0dHA6
Ly8xMjcuMC4wLjE6MjIyMjAwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6
MjIyMjEwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjIwIgYIKwYB
BQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjMwIgYIKwYBBQUHMAGGFmh0dHA6
Ly8xMjcuMC4wLjE6MjIyMjQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6
MjIyMjUwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjYwIgYIKwYB
BQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjcwIgYIKwYBBQUHMAGGFmh0dHA6
Ly8xMjcuMC4wLjE6MjIyMjgwHQYDVR0OBBYEFJt6TNgqMFBebotXaauIYPpUJi1S
MA0GCSqGSIb3DQEBCwUAA4IBAQA5noHB343sKQqVmmLds0gC/k1UhVA5iftAGmes
uRdNOOCdo2i739DmRAXggetgtatcjDfjxkrvq0Qi+geozZra6uX9FT/hgfw6kDpU
HKzJFy4E0G0HTM8mtJi+aGDZL3Lts+h272eahkT1jVKGAPFugqfz7fKRsMce6eCE
UD5cvtQXX16fGhBxxmUCZPnxMKcj2oNl7RliHphK6ofXuNbKjqjVQfxsTUXSQDyS
ApH5w6iUnAvC5l19qYrBcCVOB6CNJ2CdmvFI//Ox8Jc56HRYYDIdVp2Q3FFA5Z4s
gTLvlumVgihAekD+0zVF9q+AJ4TSbE3cqsQgHF/+p84KxWid
-----END CERTIFICATE-----
Binary file not shown.
+10
@@ -0,0 +1,10 @@
-----BEGIN X509 CRL-----
MIIBdDCCARkCAQEwCgYIKoZIzj0EAwIwgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
DApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NM
MRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t
MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yNjAyMDQwMzU0Mjla
Fw0yNjAzMDYwMzU0MjlaMFAwEgIBAhcNMjYwMjA0MDM1NDI5WjASAgEDFw0yNjAy
MDQwMzU0MjlaMBICAQQXDTI2MDIwNDAzNTQyOVowEgIBAxcNMjYwMjA0MDM1NDI5
WjAKBggqhkjOPQQDAgNJADBGAiEA6xz109x9tZwaxxs3iLvW65h9AGL8+e1gTnbr
GoEsXaQCIQDzxO4LU1d6seHETQDKjUEXivHuvC6f0Nq5uARmWX0DOA==
-----END X509 CRL-----
Binary file not shown.
+14
@@ -0,0 +1,14 @@
-----BEGIN X509 CRL-----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-----END X509 CRL-----
+3 -1
@@ -22,7 +22,9 @@ EXTRA_DIST += \
EXTRA_DIST += \ EXTRA_DIST += \
certs/crl/crl.revoked \ certs/crl/crl.revoked \
certs/crl/extra-crls/ca-int-cert-revoked.pem \ certs/crl/extra-crls/ca-int-cert-revoked.pem \
certs/crl/extra-crls/general-server-crl.pem certs/crl/extra-crls/general-server-crl.pem \
certs/crl/extra-crls/large_crlnum.pem \
certs/crl/extra-crls/large_crlnum2.pem
# Intermediate cert CRL's # Intermediate cert CRL's
EXTRA_DIST += \ EXTRA_DIST += \
+5 -1
@@ -85,6 +85,11 @@ EXTRA_DIST += \
certs/dh-pub-2048.pem \ certs/dh-pub-2048.pem \
certs/dsa2048.pem certs/dsa2048.pem
EXTRA_DIST += \
certs/aia/ca-issuers-cert.pem \
certs/aia/multi-aia-cert.pem \
certs/aia/overflow-aia-cert.pem
EXTRA_DIST += \ EXTRA_DIST += \
certs/ca-key.der \ certs/ca-key.der \
certs/ca-cert.der \ certs/ca-cert.der \
@@ -154,4 +159,3 @@ include certs/sphincs/include.am
include certs/rpk/include.am include certs/rpk/include.am
include certs/acert/include.am include certs/acert/include.am
include certs/mldsa/include.am include certs/mldsa/include.am
+57
@@ -31,6 +31,9 @@
# fpki-cert.der # fpki-cert.der
# fpki-certpol-cert.der # fpki-certpol-cert.der
# rid-cert.der # rid-cert.der
# aia/ca-issuers-cert.pem
# aia/multi-aia-cert.pem
# aia/overflow-aia-cert.pem
# updates the following crls: # updates the following crls:
# crl/cliCrl.pem # crl/cliCrl.pem
# crl/crl.pem # crl/crl.pem
@@ -292,6 +295,60 @@ run_renewcerts(){
echo "End of section" echo "End of section"
echo "---------------------------------------------------------------------" echo "---------------------------------------------------------------------"
############################################################ ############################################################
########## update AIA test certs ###########################
############################################################
echo "Updating AIA test certs"
echo ""
mkdir -p aia
echo "Updating aia/ca-issuers-cert.pem"
echo ""
openssl req -new -newkey rsa:2048 -nodes -keyout aia/ca-issuers-key.pem -subj "/CN=wolfssl-aia-test" -out aia/ca-issuers-cert.csr
check_result $? "Step AIA-1"
openssl x509 -req -in aia/ca-issuers-cert.csr -days 365 -extfile wolfssl.cnf -extensions aia_ca_issuers -signkey aia/ca-issuers-key.pem -out aia/ca-issuers-cert.pem
check_result $? "Step AIA-2"
rm aia/ca-issuers-cert.csr
openssl x509 -in aia/ca-issuers-cert.pem -text > tmp.pem
check_result $? "Step AIA-3"
mv tmp.pem aia/ca-issuers-cert.pem
rm aia/ca-issuers-key.pem
echo "End of section"
echo "---------------------------------------------------------------------"
echo "Updating aia/multi-aia-cert.pem"
echo ""
openssl req -new -newkey rsa:2048 -nodes -keyout aia/multi-aia-key.pem -subj "/CN=wolfssl-aia-multi-test" -out aia/multi-aia-cert.csr
check_result $? "Step AIA-4"
openssl x509 -req -in aia/multi-aia-cert.csr -days 365 -extfile wolfssl.cnf -extensions aia_multi -signkey aia/multi-aia-key.pem -out aia/multi-aia-cert.pem
check_result $? "Step AIA-5"
rm aia/multi-aia-cert.csr
openssl x509 -in aia/multi-aia-cert.pem -text > tmp.pem
check_result $? "Step AIA-6"
mv tmp.pem aia/multi-aia-cert.pem
rm aia/multi-aia-key.pem
echo "End of section"
echo "---------------------------------------------------------------------"
echo "Updating aia/overflow-aia-cert.pem"
echo ""
openssl req -new -newkey rsa:2048 -nodes -keyout aia/overflow-aia-key.pem -subj "/CN=wolfssl-aia-overflow-test" -out aia/overflow-aia-cert.csr
check_result $? "Step AIA-7"
openssl x509 -req -in aia/overflow-aia-cert.csr -days 365 -extfile wolfssl.cnf -extensions aia_overflow -signkey aia/overflow-aia-key.pem -out aia/overflow-aia-cert.pem
check_result $? "Step AIA-8"
rm aia/overflow-aia-cert.csr
openssl x509 -in aia/overflow-aia-cert.pem -text > tmp.pem
check_result $? "Step AIA-9"
mv tmp.pem aia/overflow-aia-cert.pem
rm aia/overflow-aia-key.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
########## update the self-signed ca-cert-chain.der ######## ########## update the self-signed ca-cert-chain.der ########
############################################################ ############################################################
echo "Updating ca-cert-chain.der" echo "Updating ca-cert-chain.der"
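Review bot: The three "Updating aia/..." blocks in the second hunk are the same twelve commands repeated with only the file stem, the subject CN and the wolfssl.cnf extension section changed, which makes the step numbering (AIA-1 … AIA-9) easy to get out of sync on the next edit. A small helper inside run_renewcerts that takes those three values would keep one copy of the openssl/check_result/rm sequence and guarantee the temporary key is removed the same way for every cert. The enclosing run_renewcerts function starts and ends outside the hunk.
```shell
# Generate one self-signed AIA test cert.
#   $1 = file stem under aia/, $2 = subject CN, $3 = extensions section in wolfssl.cnf
gen_aia_cert() {
    echo "Updating aia/$1-cert.pem"
    echo ""
    openssl req -new -newkey rsa:2048 -nodes -keyout "aia/$1-key.pem" -subj "/CN=$2" -out "aia/$1-cert.csr"
    check_result $? "Step AIA-$1-req"
    openssl x509 -req -in "aia/$1-cert.csr" -days 365 -extfile wolfssl.cnf -extensions "$3" -signkey "aia/$1-key.pem" -out "aia/$1-cert.pem"
    check_result $? "Step AIA-$1-x509"
    rm "aia/$1-cert.csr"
    openssl x509 -in "aia/$1-cert.pem" -text > tmp.pem
    check_result $? "Step AIA-$1-text"
    mv tmp.pem "aia/$1-cert.pem"
    rm "aia/$1-key.pem"
    echo "End of section"
    echo "---------------------------------------------------------------------"
}
gen_aia_cert ca-issuers   wolfssl-aia-test          aia_ca_issuers
gen_aia_cert multi-aia    wolfssl-aia-multi-test    aia_multi
gen_aia_cert overflow-aia wolfssl-aia-overflow-test aia_overflow
# … unchanged: ca-cert-chain.der section …
```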
+39 -1
@@ -321,6 +321,45 @@ keyUsage=critical, digitalSignature, keyCertSign, cRLSign
[ crl_dist_points ] [ crl_dist_points ]
crlDistributionPoints=URI:http://www.wolfssl.com/crl.pem crlDistributionPoints=URI:http://www.wolfssl.com/crl.pem
# AIA test certs
[ aia_ca_issuers ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=critical,CA:true
authorityInfoAccess=@aia_ca_issuers_info
[ aia_ca_issuers_info ]
caIssuers;URI.0=http://example.com/ca.pem
[ aia_multi ]
subjectKeyIdentifier=hash
basicConstraints=CA:true
keyUsage=digitalSignature, keyCertSign
authorityInfoAccess=@aia_multi_info
[ aia_multi_info ]
OCSP;URI.0=http://127.0.0.1:22221
OCSP;URI.1=http://127.0.0.1:22222
caIssuers;URI.0=http://www.wolfssl.com/ca.pem
caIssuers;URI.1=https://www.wolfssl.com/ca2.pem
[ aia_overflow ]
subjectKeyIdentifier=hash
basicConstraints=CA:true
keyUsage=digitalSignature, keyCertSign
authorityInfoAccess=@aia_overflow_info
[ aia_overflow_info ]
OCSP;URI.0=http://127.0.0.1:22220
OCSP;URI.1=http://127.0.0.1:22221
OCSP;URI.2=http://127.0.0.1:22222
OCSP;URI.3=http://127.0.0.1:22223
OCSP;URI.4=http://127.0.0.1:22224
OCSP;URI.5=http://127.0.0.1:22225
OCSP;URI.6=http://127.0.0.1:22226
OCSP;URI.7=http://127.0.0.1:22227
OCSP;URI.8=http://127.0.0.1:22228
#tsa default #tsa default
[ tsa ] [ tsa ]
default_tsa = tsa_config1 default_tsa = tsa_config1
@@ -404,4 +443,3 @@ DNS.1 = www.example.org
URI.1 = https://www.wolfssl.com/ URI.1 = https://www.wolfssl.com/
otherName.2 = 2.16.840.1.101.3.6.6;FORMAT:HEX,OCT:D1:38:10:D8:28:AF:2C:10:84:35:15:A1:68:58:28:AF:02:10:86:A2:84:E7:39:C3:EB otherName.2 = 2.16.840.1.101.3.6.6;FORMAT:HEX,OCT:D1:38:10:D8:28:AF:2C:10:84:35:15:A1:68:58:28:AF:02:10:86:A2:84:E7:39:C3:EB
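Review bot: The `[ aia_overflow_info ]` section lists nine OCSP URIs without saying why nine, and the number only makes sense next to the `WOLFSSL_MAX_AIA_ENTRIES 8` default added elsewhere in this commit. A comment above the section such as `# 9 OCSP entries: one more than WOLFSSL_MAX_AIA_ENTRIES (8), so the parser's overflow flag is set and the test can check it` would tie the fixture to the limit it exercises, and a matching note on `[ aia_multi_info ]` that it must stay at or below the limit would keep the two fixtures from being edited into the same case. The same count also needs to be updated in test_wolfSSL_X509_get1_aia_overflow if the default limit ever changes, which is worth stating here.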
+28
@@ -13848,6 +13848,34 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
} }
x509->authInfoSet = dCert->extAuthInfoSet; x509->authInfoSet = dCert->extAuthInfoSet;
x509->authInfoCrit = dCert->extAuthInfoCrit; x509->authInfoCrit = dCert->extAuthInfoCrit;
x509->authInfoListSz = dCert->extAuthInfoListSz;
x509->authInfoListOverflow = dCert->extAuthInfoListOverflow;
if (x509->authInfoListSz > WOLFSSL_MAX_AIA_ENTRIES) {
x509->authInfoListSz = WOLFSSL_MAX_AIA_ENTRIES;
x509->authInfoListOverflow = 1;
}
if (x509->authInfoListSz > 0) {
int i;
for (i = 0; i < x509->authInfoListSz; i++) {
x509->authInfoList[i].method = dCert->extAuthInfoList[i].method;
x509->authInfoList[i].uriSz = dCert->extAuthInfoList[i].uriSz;
x509->authInfoList[i].uri = NULL;
if (dCert->extAuthInfoList[i].uri != NULL &&
dCert->source != NULL && dCert->maxIdx > 0 &&
x509->derCert != NULL && x509->derCert->buffer != NULL) {
word32 offset = (word32)
(dCert->extAuthInfoList[i].uri - dCert->source);
if (offset < (word32)dCert->maxIdx) {
x509->authInfoList[i].uri =
x509->derCert->buffer + offset;
}
else {
x509->authInfoList[i].uriSz = 0;
}
}
}
}
if (dCert->extAuthInfo != NULL && dCert->extAuthInfoSz > 0) { if (dCert->extAuthInfo != NULL && dCert->extAuthInfoSz > 0) {
x509->authInfo = (byte*)XMALLOC(dCert->extAuthInfoSz, x509->heap, x509->authInfo = (byte*)XMALLOC(dCert->extAuthInfoSz, x509->heap,
DYNAMIC_TYPE_X509_EXT); DYNAMIC_TYPE_X509_EXT);
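Review bot: The bounds check on the copied AIA pointers validates only the start offset (`if (offset < (word32)dCert->maxIdx)`), not that `uriSz` bytes fit after it, so an entry whose start is in range but whose recorded length runs past the end would still be re-based onto `x509->derCert->buffer` with its full length. DecodeAuthInfo derives these pointers from the parsed DER, so this should not happen for a well-formed decode, but the check is cheap and would make the copy self-contained: `if (offset < (word32)dCert->maxIdx && x509->authInfoList[i].uriSz <= (word32)dCert->maxIdx - offset)`. If derCert carries its own length field, comparing against that rather than `dCert->maxIdx` would also remove the implicit assumption that the two buffers have identical size and layout — worth a comment either way. The enclosing CopyDecodedToX509 starts and ends outside the hunk.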
+87 -36
@@ -14996,56 +14996,107 @@ void wolfSSL_X509_email_free(WOLF_STACK_OF(WOLFSSL_STRING) *sk)
} }
} }
WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ocsp(WOLFSSL_X509 *x) static WOLFSSL_STACK* x509_aia_append_string(WOLFSSL_STACK** head,
const byte* uri, word32 uriSz)
{ {
WOLFSSL_STACK* list = NULL; WOLFSSL_STACK* node;
char* url; char* url;
if (x == NULL || x->authInfoSz == 0) node = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK) + uriSz + 1, NULL,
DYNAMIC_TYPE_OPENSSL);
if (node == NULL)
return NULL; return NULL;
list = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK) + x->authInfoSz + 1, url = (char*)node;
NULL, DYNAMIC_TYPE_OPENSSL);
if (list == NULL)
return NULL;
url = (char*)list;
url += sizeof(WOLFSSL_STACK); url += sizeof(WOLFSSL_STACK);
XMEMCPY(url, x->authInfo, x->authInfoSz); XMEMCPY(url, uri, uriSz);
url[x->authInfoSz] = '\0'; url[uriSz] = '\0';
list->data.string = url; node->data.string = url;
list->next = NULL; node->next = NULL;
list->num = 1; node->num = 1;
return list; if (*head == NULL) {
*head = node;
}
else {
WOLFSSL_STACK* cur = *head;
while (cur->next != NULL) {
cur->num++;
cur = cur->next;
}
cur->num++;
cur->next = node;
}
return node;
}
static WOLFSSL_STACK* x509_get1_aia_by_method(WOLFSSL_X509* x, word32 method,
const byte* fallback, int fallbackSz)
{
WOLFSSL_STACK* head = NULL;
int i;
if (x == NULL)
return NULL;
/* Build from multi-entry list when available; otherwise fall back to the
* legacy single-entry fields to preserve previous behavior. */
if (x->authInfoListSz > 0) {
for (i = 0; i < x->authInfoListSz; i++) {
if (x->authInfoList[i].method != method ||
x->authInfoList[i].uri == NULL ||
x->authInfoList[i].uriSz == 0) {
continue;
}
if (x509_aia_append_string(&head, x->authInfoList[i].uri,
x->authInfoList[i].uriSz) == NULL) {
wolfSSL_X509_email_free(head);
return NULL;
}
}
}
if (head == NULL && fallback != NULL && fallbackSz > 0) {
if (x509_aia_append_string(&head, fallback, (word32)fallbackSz) == NULL) {
wolfSSL_X509_email_free(head);
return NULL;
}
}
return head;
}
WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ocsp(WOLFSSL_X509 *x)
{
if (x == NULL)
return NULL;
return x509_get1_aia_by_method(x, AIA_OCSP_OID, x->authInfo, x->authInfoSz);
}
int wolfSSL_X509_get_aia_overflow(WOLFSSL_X509 *x)
{
int overflow = 0;
WOLFSSL_ENTER("wolfSSL_X509_get_aia_overflow");
if (x != NULL) {
overflow = x->authInfoListOverflow;
}
WOLFSSL_LEAVE("wolfSSL_X509_get_aia_overflow", overflow);
return overflow;
} }
#ifdef WOLFSSL_ASN_CA_ISSUER #ifdef WOLFSSL_ASN_CA_ISSUER
WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ca_issuers(WOLFSSL_X509 *x) WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ca_issuers(WOLFSSL_X509 *x)
{ {
WOLFSSL_STACK* list = NULL; if (x == NULL)
char* url;
if (x == NULL || x->authInfoCaIssuerSz == 0)
return NULL; return NULL;
return x509_get1_aia_by_method(x, AIA_CA_ISSUER_OID, x->authInfoCaIssuer,
list = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK) + x->authInfoCaIssuerSz);
x->authInfoCaIssuerSz + 1,
NULL, DYNAMIC_TYPE_OPENSSL);
if (list == NULL)
return NULL;
url = (char*)list;
url += sizeof(WOLFSSL_STACK);
XMEMCPY(url, x->authInfoCaIssuer, x->authInfoCaIssuerSz);
url[x->authInfoCaIssuerSz] = '\0';
list->data.string = url;
list->next = NULL;
list->num = 1;
return list;
} }
#endif /* WOLFSSL_ASN_CA_ISSUER */ #endif /* WOLFSSL_ASN_CA_ISSUER */
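Review bot: The new public function `wolfSSL_X509_get_aia_overflow` has no comment stating what the return value means, and its declaration in the wolfssl/ssl.h hunk is equally bare; a caller cannot tell from the name whether 1 means an error or a truncated list. Suggested header comment for both: `/* Returns 1 if the certificate carried more AIA AccessDescription entries than WOLFSSL_MAX_AIA_ENTRIES and the list was truncated, so wolfSSL_X509_get1_ocsp() / wolfSSL_X509_get1_ca_issuers() may be incomplete; 0 otherwise (including when x is NULL). */`. The walk in x509_aia_append_string that increments `cur->num` on every node it passes also deserves a one-line comment, since it is only correct because each node's `num` counts the nodes from that node to the tail. Minor: the `if (x == NULL) return NULL;` in wolfSSL_X509_get1_ocsp and wolfSSL_X509_get1_ca_issuers duplicates the check at the top of x509_get1_aia_by_method and can be dropped.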
+81 -1
@@ -19204,7 +19204,8 @@ static int test_wolfSSL_X509_get1_ca_issuers(void)
EXPECT_DECLS; EXPECT_DECLS;
#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \ #if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \
defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) && \ defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) && \
defined(WOLFSSL_ASN_CA_ISSUER) && !defined(NO_FILESYSTEM) defined(WOLFSSL_ASN_CA_ISSUER) && !defined(NO_FILESYSTEM) && \
!defined(NO_RSA)
X509* cert = NULL; X509* cert = NULL;
STACK_OF(WOLFSSL_STRING) *skStr = NULL; STACK_OF(WOLFSSL_STRING) *skStr = NULL;
WOLFSSL_STRING url = NULL; WOLFSSL_STRING url = NULL;
@@ -19224,6 +19225,83 @@ static int test_wolfSSL_X509_get1_ca_issuers(void)
return EXPECT_RESULT(); return EXPECT_RESULT();
} }
static int test_wolfSSL_X509_get1_aia_multi(void)
{
EXPECT_DECLS;
#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \
defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) && \
defined(WOLFSSL_ASN_CA_ISSUER) && !defined(NO_FILESYSTEM) && \
!defined(NO_RSA)
X509* cert = NULL;
STACK_OF(WOLFSSL_STRING) *ocsp = NULL;
STACK_OF(WOLFSSL_STRING) *ca = NULL;
const char* ocspExp1 = "http://127.0.0.1:22221";
const char* ocspExp2 = "http://127.0.0.1:22222";
const char* caExp1 = "http://www.wolfssl.com/ca.pem";
const char* caExp2 = "https://www.wolfssl.com/ca2.pem";
int i;
int ocspFound1 = 0, ocspFound2 = 0;
int caFound1 = 0, caFound2 = 0;
ExpectNotNull(cert = wolfSSL_X509_load_certificate_file(
"certs/aia/multi-aia-cert.pem", WOLFSSL_FILETYPE_PEM));
ExpectIntEQ(wolfSSL_X509_get_aia_overflow(cert), 0);
ExpectNotNull(ocsp = wolfSSL_X509_get1_ocsp(cert));
ExpectIntEQ(wolfSSL_sk_WOLFSSL_STRING_num(ocsp), 2);
for (i = 0; i < wolfSSL_sk_WOLFSSL_STRING_num(ocsp); i++) {
WOLFSSL_STRING url = wolfSSL_sk_WOLFSSL_STRING_value(ocsp, i);
if (url == NULL)
continue;
if (XSTRCMP(url, ocspExp1) == 0) ocspFound1 = 1;
if (XSTRCMP(url, ocspExp2) == 0) ocspFound2 = 1;
}
ExpectIntEQ(ocspFound1, 1);
ExpectIntEQ(ocspFound2, 1);
ExpectNotNull(ca = wolfSSL_X509_get1_ca_issuers(cert));
ExpectIntEQ(wolfSSL_sk_WOLFSSL_STRING_num(ca), 2);
for (i = 0; i < wolfSSL_sk_WOLFSSL_STRING_num(ca); i++) {
WOLFSSL_STRING url = wolfSSL_sk_WOLFSSL_STRING_value(ca, i);
if (url == NULL)
continue;
if (XSTRCMP(url, caExp1) == 0) caFound1 = 1;
if (XSTRCMP(url, caExp2) == 0) caFound2 = 1;
}
ExpectIntEQ(caFound1, 1);
ExpectIntEQ(caFound2, 1);
wolfSSL_X509_email_free(ocsp);
wolfSSL_X509_email_free(ca);
wolfSSL_X509_free(cert);
#endif
return EXPECT_RESULT();
}
static int test_wolfSSL_X509_get1_aia_overflow(void)
{
EXPECT_DECLS;
#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \
defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) && \
!defined(NO_FILESYSTEM) && !defined(NO_RSA)
X509* cert = NULL;
STACK_OF(WOLFSSL_STRING) *ocsp = NULL;
int count;
ExpectNotNull(cert = wolfSSL_X509_load_certificate_file(
"certs/aia/overflow-aia-cert.pem", WOLFSSL_FILETYPE_PEM));
ExpectNotNull(ocsp = wolfSSL_X509_get1_ocsp(cert));
count = wolfSSL_sk_WOLFSSL_STRING_num(ocsp);
ExpectIntEQ(count, 8);
ExpectIntEQ(wolfSSL_X509_get_aia_overflow(cert), 1);
wolfSSL_X509_email_free(ocsp);
wolfSSL_X509_free(cert);
#endif
return EXPECT_RESULT();
}
static int test_no_op_functions(void) static int test_no_op_functions(void)
{ {
EXPECT_DECLS; EXPECT_DECLS;
@@ -31692,6 +31770,8 @@ TEST_CASE testCases[] = {
TEST_DECL(test_wolfSSL_OCSP_parse_url), TEST_DECL(test_wolfSSL_OCSP_parse_url),
TEST_DECL(test_wolfSSL_OCSP_REQ_CTX), TEST_DECL(test_wolfSSL_OCSP_REQ_CTX),
TEST_DECL(test_wolfSSL_X509_get1_ca_issuers), TEST_DECL(test_wolfSSL_X509_get1_ca_issuers),
TEST_DECL(test_wolfSSL_X509_get1_aia_multi),
TEST_DECL(test_wolfSSL_X509_get1_aia_overflow),
TEST_DECL(test_wolfSSL_PEM_read), TEST_DECL(test_wolfSSL_PEM_read),
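Review bot: test_wolfSSL_X509_get1_aia_overflow only asserts that eight strings come back and the overflow flag is set; it does not check which eight, so a decoder that kept the last eight, or skipped one and duplicated another, would still pass. Since the fixture's entries are `http://127.0.0.1:22220` through `:22228` in order, the test can pin the truncation policy with a loop over `count` such as `ExpectIntNE(XSTRCMP(wolfSSL_sk_WOLFSSL_STRING_value(ocsp, i), "http://127.0.0.1:22228"), 0);` and, if stack order is meant to be cert order, a per-index comparison against a small expected array. The multi test's `#if` also requires WOLFSSL_ASN_CA_ISSUER, so the OCSP half of it is silently skipped in builds without that option; splitting the OCSP assertions out or loosening the guard would keep OCSP coverage in those builds.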
+53 -22
@@ -21195,6 +21195,7 @@ static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert)
int length = 0; int length = 0;
byte b = 0; byte b = 0;
word32 oid; word32 oid;
int aiaIdx;
WOLFSSL_ENTER("DecodeAuthInfo"); WOLFSSL_ENTER("DecodeAuthInfo");
@@ -21219,14 +21220,29 @@ static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert)
if (GetLength(input, &idx, &length, sz) < 0) if (GetLength(input, &idx, &length, sz) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
/* Set ocsp entry */ if (b == GENERALNAME_URI) {
/* Add to AIA list if space. */
aiaIdx = cert->extAuthInfoListSz;
if (aiaIdx < WOLFSSL_MAX_AIA_ENTRIES) {
cert->extAuthInfoList[aiaIdx].method = oid;
cert->extAuthInfoList[aiaIdx].uri = input + idx;
cert->extAuthInfoList[aiaIdx].uriSz = (word32)length;
cert->extAuthInfoListSz++;
}
else {
cert->extAuthInfoListOverflow = 1;
WOLFSSL_MSG("AIA list overflow");
}
}
/* Set first ocsp entry */
if (b == GENERALNAME_URI && oid == AIA_OCSP_OID && if (b == GENERALNAME_URI && oid == AIA_OCSP_OID &&
cert->extAuthInfo == NULL) { cert->extAuthInfo == NULL) {
cert->extAuthInfoSz = length; cert->extAuthInfoSz = length;
cert->extAuthInfo = input + idx; cert->extAuthInfo = input + idx;
} }
#ifdef WOLFSSL_ASN_CA_ISSUER #ifdef WOLFSSL_ASN_CA_ISSUER
/* Set CaIssuers entry */ /* Set first CaIssuers entry */
else if ((b == GENERALNAME_URI) && oid == AIA_CA_ISSUER_OID && else if ((b == GENERALNAME_URI) && oid == AIA_CA_ISSUER_OID &&
cert->extAuthInfoCaIssuer == NULL) cert->extAuthInfoCaIssuer == NULL)
{ {
@@ -21242,6 +21258,7 @@ static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert)
word32 idx = 0; word32 idx = 0;
int length = 0; int length = 0;
int ret = 0; int ret = 0;
int aiaIdx;
WOLFSSL_ENTER("DecodeAuthInfo"); WOLFSSL_ENTER("DecodeAuthInfo");
@@ -21263,27 +21280,41 @@ static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert)
if (ret == 0) { if (ret == 0) {
word32 sz32; word32 sz32;
/* Check we have OCSP and URI. */ if (dataASN[ACCESSDESCASN_IDX_LOC].tag == GENERALNAME_URI) {
if ((dataASN[ACCESSDESCASN_IDX_METH].data.oid.sum == AIA_OCSP_OID) && const byte* uri = NULL;
(dataASN[ACCESSDESCASN_IDX_LOC].tag == GENERALNAME_URI) &&
(cert->extAuthInfo == NULL)) { GetASN_GetConstRef(&dataASN[ACCESSDESCASN_IDX_LOC], &uri, &sz32);
/* Store URI for OCSP lookup. */
GetASN_GetConstRef(&dataASN[ACCESSDESCASN_IDX_LOC], /* Add to AIA list if space. */
&cert->extAuthInfo, &sz32); aiaIdx = cert->extAuthInfoListSz;
cert->extAuthInfoSz = (int)sz32; if (aiaIdx < WOLFSSL_MAX_AIA_ENTRIES) {
cert->extAuthInfoList[aiaIdx].method =
dataASN[ACCESSDESCASN_IDX_METH].data.oid.sum;
cert->extAuthInfoList[aiaIdx].uri = uri;
cert->extAuthInfoList[aiaIdx].uriSz = sz32;
cert->extAuthInfoListSz++;
}
else {
cert->extAuthInfoListOverflow = 1;
WOLFSSL_MSG("AIA list overflow");
}
/* Set first OCSP entry. */
if ((dataASN[ACCESSDESCASN_IDX_METH].data.oid.sum ==
AIA_OCSP_OID) && (cert->extAuthInfo == NULL)) {
cert->extAuthInfo = uri;
cert->extAuthInfoSz = (int)sz32;
}
#ifdef WOLFSSL_ASN_CA_ISSUER
/* Set first CA Issuer entry. */
else if ((dataASN[ACCESSDESCASN_IDX_METH].data.oid.sum ==
AIA_CA_ISSUER_OID) &&
(cert->extAuthInfoCaIssuer == NULL)) {
cert->extAuthInfoCaIssuer = uri;
cert->extAuthInfoCaIssuerSz = (int)sz32;
}
#endif
} }
#ifdef WOLFSSL_ASN_CA_ISSUER
/* Check we have CA Issuer and URI. */
else if ((dataASN[ACCESSDESCASN_IDX_METH].data.oid.sum ==
AIA_CA_ISSUER_OID) &&
(dataASN[ACCESSDESCASN_IDX_LOC].tag == GENERALNAME_URI) &&
(cert->extAuthInfoCaIssuer == NULL)) {
/* Set CaIssuers entry */
GetASN_GetConstRef(&dataASN[ACCESSDESCASN_IDX_LOC],
&cert->extAuthInfoCaIssuer, &sz32);
cert->extAuthInfoCaIssuerSz = (int)sz32;
}
#endif
/* Otherwise skip. */ /* Otherwise skip. */
} }
} }
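Review bot: Both DecodeAuthInfo variants append every URI-typed AccessDescription to `extAuthInfoList` regardless of its access method, while the only readers added in this commit (x509_get1_aia_by_method) filter by `AIA_OCSP_OID` and `AIA_CA_ISSUER_OID`. A certificate with several entries of some other method therefore consumes the eight slots, sets `extAuthInfoListOverflow`, and can push a later OCSP or caIssuers URI out of the list even though it would have fit; only the first of each kind survives via the legacy `extAuthInfo`/`extAuthInfoCaIssuer` fields. If the list exists only to serve those two accessors, filtering at insertion keeps the limit meaningful: `if (b == GENERALNAME_URI && (oid == AIA_OCSP_OID || oid == AIA_CA_ISSUER_OID)) {` in the first variant, and the equivalent test on `dataASN[ACCESSDESCASN_IDX_METH].data.oid.sum` before the `aiaIdx` block in the template variant — with the caIssuers comparison guarded by `WOLFSSL_ASN_CA_ISSUER` if that OID constant is only defined there. Otherwise the comment on `extAuthInfoListOverflow` should say that it counts all methods. Both DecodeAuthInfo bodies start outside their hunks.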
+16
@@ -5335,6 +5335,19 @@ struct WOLFSSL_X509_NAME {
#endif #endif
#endif #endif
#ifndef WOLFSSL_AIA_ENTRY_DEFINED
#ifndef WOLFSSL_MAX_AIA_ENTRIES
#define WOLFSSL_MAX_AIA_ENTRIES 8
#endif
#define WOLFSSL_AIA_ENTRY_DEFINED
typedef struct WOLFSSL_AIA_ENTRY {
word32 method; /* AIA method OID sum (e.g., AIA_OCSP_OID). */
const byte* uri; /* Pointer into cert DER for the URI. */
word32 uriSz; /* Length of URI data. */
} WOLFSSL_AIA_ENTRY;
#endif /* WOLFSSL_AIA_ENTRY_DEFINED */
struct WOLFSSL_X509 { struct WOLFSSL_X509 {
int version; int version;
int serialSz; int serialSz;
@@ -5405,6 +5418,9 @@ struct WOLFSSL_X509 {
byte* authInfoCaIssuer; byte* authInfoCaIssuer;
int authInfoCaIssuerSz; int authInfoCaIssuerSz;
#endif #endif
WOLFSSL_AIA_ENTRY authInfoList[WOLFSSL_MAX_AIA_ENTRIES];
byte authInfoListSz:7;
byte authInfoListOverflow:1;
word32 pathLength; word32 pathLength;
word16 keyUsage; word16 keyUsage;
int rawCRLInfoSz; int rawCRLInfoSz;
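Review bot: WOLFSSL_AIA_ENTRY and the WOLFSSL_MAX_AIA_ENTRIES default are defined twice, here and again in the wolfssl/wolfcrypt/asn.h hunk, each under `#ifndef WOLFSSL_AIA_ENTRY_DEFINED`, so whichever header is included first wins and the two copies must be kept identical by hand. Defining them once, in asn.h where DecodedCert already needs them, and letting internal.h pick them up through its existing includes (if it does include asn.h — worth confirming) removes that hazard. Separately, `byte authInfoListSz:7;` and `byte authInfoListOverflow:1;` use `byte` as a bit-field type, which C11 leaves implementation-defined; the DecodedCert fields they sit next to in the asn.h hunk (`WC_BITFIELD extAltSigAlgCrit:1;`) use the project's WC_BITFIELD macro for exactly this reason, so the new fields in both structs should follow that convention unless the smaller storage was deliberate.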
-3
@@ -565,9 +565,6 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
#define X509_get_ex_data wolfSSL_X509_get_ex_data #define X509_get_ex_data wolfSSL_X509_get_ex_data
#define X509_set_ex_data wolfSSL_X509_set_ex_data #define X509_set_ex_data wolfSSL_X509_set_ex_data
#define X509_get1_ocsp wolfSSL_X509_get1_ocsp #define X509_get1_ocsp wolfSSL_X509_get1_ocsp
#ifdef WOLFSSL_ASN_CA_ISSUER
#define X509_get1_ca_issuers wolfSSL_X509_get1_ca_issuers
#endif /* WOLFSSL_ASN_CA_ISSUER */
#define X509_get_version wolfSSL_X509_get_version #define X509_get_version wolfSSL_X509_get_version
#define X509_get_signature_nid wolfSSL_X509_get_signature_nid #define X509_get_signature_nid wolfSSL_X509_get_signature_nid
#define X509_set_subject_name wolfSSL_X509_set_subject_name #define X509_set_subject_name wolfSSL_X509_set_subject_name
-4
@@ -224,10 +224,6 @@ typedef struct WOLFSSL_NAME_CONSTRAINTS NAME_CONSTRAINTS;
#define X509V3_EXT_print wolfSSL_X509V3_EXT_print #define X509V3_EXT_print wolfSSL_X509V3_EXT_print
#define X509V3_EXT_conf_nid wolfSSL_X509V3_EXT_conf_nid #define X509V3_EXT_conf_nid wolfSSL_X509V3_EXT_conf_nid
#define X509V3_set_ctx wolfSSL_X509V3_set_ctx #define X509V3_set_ctx wolfSSL_X509V3_set_ctx
#define X509_get1_ocsp wolfSSL_X509_get1_ocsp
#ifdef WOLFSSL_ASN_CA_ISSUER
#define X509_get1_ca_issuers wolfSSL_X509_get1_ca_issuers
#endif /* WOLFSSL_ASN_CA_ISSUER */
#ifndef NO_WOLFSSL_STUB #ifndef NO_WOLFSSL_STUB
#define X509V3_set_nconf(ctx, conf) WC_DO_NOTHING #define X509V3_set_nconf(ctx, conf) WC_DO_NOTHING
#define X509V3_EXT_cleanup() WC_DO_NOTHING #define X509V3_EXT_cleanup() WC_DO_NOTHING
+1
@@ -5796,6 +5796,7 @@ WOLFSSL_API int wolfSSL_X509_STORE_CTX_get1_issuer(WOLFSSL_X509 **issuer,
WOLFSSL_API void wolfSSL_X509_email_free(WOLF_STACK_OF(WOLFSSL_STRING) *sk); WOLFSSL_API void wolfSSL_X509_email_free(WOLF_STACK_OF(WOLFSSL_STRING) *sk);
WOLFSSL_API WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ocsp(WOLFSSL_X509 *x); WOLFSSL_API WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ocsp(WOLFSSL_X509 *x);
WOLFSSL_API int wolfSSL_X509_get_aia_overflow(WOLFSSL_X509 *x);
#ifdef WOLFSSL_ASN_CA_ISSUER #ifdef WOLFSSL_ASN_CA_ISSUER
WOLFSSL_API WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ca_issuers( WOLFSSL_API WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ca_issuers(
WOLFSSL_X509 *x); WOLFSSL_X509 *x);
+17
@@ -1702,6 +1702,19 @@ typedef struct TrustedPeerCert TrustedPeerCert;
#endif /* WOLFSSL_TRUST_PEER_CERT */ #endif /* WOLFSSL_TRUST_PEER_CERT */
typedef struct SignatureCtx SignatureCtx; typedef struct SignatureCtx SignatureCtx;
#ifndef WOLFSSL_AIA_ENTRY_DEFINED
#ifndef WOLFSSL_MAX_AIA_ENTRIES
#define WOLFSSL_MAX_AIA_ENTRIES 8
#endif
#define WOLFSSL_AIA_ENTRY_DEFINED
typedef struct WOLFSSL_AIA_ENTRY {
word32 method; /* AIA method OID sum (e.g., AIA_OCSP_OID). */
const byte* uri; /* Pointer into cert DER for the URI. */
word32 uriSz; /* Length of URI data. */
} WOLFSSL_AIA_ENTRY;
#endif /* WOLFSSL_AIA_ENTRY_DEFINED */
#ifdef WC_ASN_UNKNOWN_EXT_CB #ifdef WC_ASN_UNKNOWN_EXT_CB
typedef int (*wc_UnknownExtCallback)(const word16* oid, word32 oidSz, int crit, typedef int (*wc_UnknownExtCallback)(const word16* oid, word32 oidSz, int crit,
const unsigned char* der, word32 derSz); const unsigned char* der, word32 derSz);
@@ -2060,6 +2073,10 @@ struct DecodedCert {
WC_BITFIELD extAltSigAlgCrit:1; WC_BITFIELD extAltSigAlgCrit:1;
WC_BITFIELD extAltSigValCrit:1; WC_BITFIELD extAltSigValCrit:1;
#endif /* WOLFSSL_DUAL_ALG_CERTS */ #endif /* WOLFSSL_DUAL_ALG_CERTS */
WOLFSSL_AIA_ENTRY extAuthInfoList[WOLFSSL_MAX_AIA_ENTRIES];
byte extAuthInfoListSz:7;
byte extAuthInfoListOverflow:1;
}; };
#if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3) #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)