From 74f0625c89f477565e97589fc8b08a9aebc2fcbe Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Fri, 5 Jan 2024 14:25:12 -0800 Subject: [PATCH 1/7] add native asn template RSA-PSS support with CRL --- src/crl.c | 6 +++- wolfcrypt/src/asn.c | 75 +++++++++++++++++++++++++++++++++++++---- wolfssl/internal.h | 4 +++ wolfssl/wolfcrypt/asn.h | 8 +++-- 4 files changed, 84 insertions(+), 9 deletions(-) diff --git a/src/crl.c b/src/crl.c index 9c847b8cf..9a49f219f 100644 --- a/src/crl.c +++ b/src/crl.c @@ -337,7 +337,11 @@ static int VerifyCRLE(const WOLFSSL_CRL* crl, CRL_Entry* crle) } ret = VerifyCRL_Signature(&sigCtx, crle->toBeSigned, crle->tbsSz, - crle->signature, crle->signatureSz, crle->signatureOID, ca, + crle->signature, crle->signatureSz, crle->signatureOID, + + /* @TODO RSA PSS params */ NULL, 0, + + ca, crl->heap); if (ret == 0) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 2fdef0e65..d5abe1bc0 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -36611,7 +36611,8 @@ static int GetCRL_Signature(const byte* source, word32* idx, DecodedCRL* dcrl, int VerifyCRL_Signature(SignatureCtx* sigCtx, const byte* toBeSigned, word32 tbsSz, const byte* signature, word32 sigSz, - word32 signatureOID, Signer *ca, void* heap) + word32 signatureOID, const byte* sigParams, + int sigParamsSz, Signer *ca, void* heap) { /* try to confirm/verify signature */ #ifndef IGNORE_KEY_EXTENSIONS @@ -36625,7 +36626,7 @@ int VerifyCRL_Signature(SignatureCtx* sigCtx, const byte* toBeSigned, InitSignatureCtx(sigCtx, heap, INVALID_DEVID); if (ConfirmSignature(sigCtx, toBeSigned, tbsSz, ca->publicKey, ca->pubKeySize, ca->keyOID, signature, sigSz, - signatureOID, NULL, 0, NULL) != 0) { + signatureOID, sigParams, sigParamsSz, NULL) != 0) { WOLFSSL_MSG("CRL Confirm signature failed"); WOLFSSL_ERROR_VERBOSE(ASN_CRL_CONFIRM_E); return ASN_CRL_CONFIRM_E; @@ -36644,7 +36645,8 @@ int VerifyCRL_Signature(SignatureCtx* sigCtx, const byte* toBeSigned, * @return ASN_CRL_NO_SIGNER_E when no signer found. * @return ASN_CRL_CONFIRM_E when signature did not verify. */ -static int PaseCRL_CheckSignature(DecodedCRL* dcrl, const byte* buff, void* cm) +static int PaseCRL_CheckSignature(DecodedCRL* dcrl, const byte* sigParams, + int sigParamsSz, const byte* buff, void* cm) { int ret = 0; Signer* ca = NULL; @@ -36688,7 +36690,7 @@ static int PaseCRL_CheckSignature(DecodedCRL* dcrl, const byte* buff, void* cm) /* Verify CRL signature with CA. */ ret = VerifyCRL_Signature(&sigCtx, buff + dcrl->certBegin, dcrl->sigIndex - dcrl->certBegin, dcrl->signature, dcrl->sigLength, - dcrl->signatureOID, ca, dcrl->heap); + dcrl->signatureOID, sigParams, sigParamsSz, ca, dcrl->heap); } return ret; @@ -37085,6 +37087,9 @@ static const ASNItem crlASN[] = { /* TBS_SIGALGO_OID */ { 3, ASN_OBJECT_ID, 0, 0, 0 }, /* TBS_SIGALGO_NULL */ { 3, ASN_TAG_NULL, 0, 0, 1 }, /* issuer */ +#ifdef WC_RSA_PSS +/* TBS_SIGALGO_P_SEQ */ { 3, ASN_SEQUENCE, 1, 0, 2 }, +#endif /* TBS_ISSUER */ { 2, ASN_SEQUENCE, 1, 0, 0 }, /* thisUpdate */ /* TBS_THISUPDATE_UTC */ { 2, ASN_UTC_TIME, 0, 0, 2 }, @@ -37101,6 +37106,9 @@ static const ASNItem crlASN[] = { /* SIGALGO */ { 1, ASN_SEQUENCE, 1, 1, 0 }, /* SIGALGO_OID */ { 2, ASN_OBJECT_ID, 0, 0, 0 }, /* SIGALGO_NULL */ { 2, ASN_TAG_NULL, 0, 0, 1 }, +#ifdef WC_RSA_PSS +/* SIGALGO_PARAMS */ { 2, ASN_SEQUENCE, 1, 0, 2 }, +#endif /* signatureValue */ /* SIGNATURE */ { 1, ASN_BIT_STRING, 0, 0, 0 }, }; @@ -37111,6 +37119,9 @@ enum { CRLASN_IDX_TBS_SIGALGO, CRLASN_IDX_TBS_SIGALGO_OID, CRLASN_IDX_TBS_SIGALGO_NULL, +#ifdef WC_RSA_PSS + CRLASN_IDX_TBS_SIGALGO_PARAMS, +#endif CRLASN_IDX_TBS_ISSUER, CRLASN_IDX_TBS_THISUPDATE_UTC, CRLASN_IDX_TBS_THISUPDATE_GT, @@ -37122,6 +37133,9 @@ enum { CRLASN_IDX_SIGALGO, CRLASN_IDX_SIGALGO_OID, CRLASN_IDX_SIGALGO_NULL, +#ifdef WC_RSA_PSS + CRLASN_IDX_SIGALGO_PARAMS, +#endif CRLASN_IDX_SIGNATURE, }; @@ -37209,7 +37223,7 @@ int ParseCRL(RevokedCert* rcert, DecodedCRL* dcrl, const byte* buff, word32 sz, WOLFSSL_MSG("Found CRL issuer CA"); ret = VerifyCRL_Signature(&sigCtx, buff + dcrl->certBegin, dcrl->sigIndex - dcrl->certBegin, dcrl->signature, dcrl->sigLength, - dcrl->signatureOID, ca, dcrl->heap); + dcrl->signatureOID, sigParam, sigParamsSz, ca, dcrl->heap); end: return ret; @@ -37222,6 +37236,12 @@ end: /* Size of buffer for date. */ word32 lastDateSz = MAX_DATE_SIZE; word32 nextDateSz = MAX_DATE_SIZE; + const byte* sigParams = NULL; + int sigParamsSz = 0; +#ifdef WC_RSA_PSS + const byte* tbsParams = NULL; + int tbsParamsSz = 0; +#endif /* When NO_ASN_TIME is defined, verify not used. */ (void)verify; @@ -37274,11 +37294,54 @@ end: dcrl->certBegin = dataASN[CRLASN_IDX_TBS].offset; /* Store index of signature. */ dcrl->sigIndex = dataASN[CRLASN_IDX_SIGALGO].offset; + + #ifdef WC_RSA_PSS + /* get TBS and Signature parameters for PSS */ + if (dataASN[CRLASN_IDX_TBS_SIGALGO_PARAMS].tag != 0) { + tbsParams = + GetASNItem_Addr(dataASN[CRLASN_IDX_TBS_SIGALGO_PARAMS], + buff); + tbsParamsSz = + GetASNItem_Length(dataASN[CRLASN_IDX_TBS_SIGALGO_PARAMS], + buff); + } + if (dataASN[CRLASN_IDX_SIGALGO_PARAMS].tag != 0) { + sigParams = + GetASNItem_Addr(dataASN[CRLASN_IDX_SIGALGO_PARAMS], + buff); + sigParamsSz = + GetASNItem_Length(dataASN[CRLASN_IDX_SIGALGO_PARAMS], + buff); + dcrl->sigParamsIndex = + dataASN[CRLASN_IDX_SIGALGO_PARAMS].offset; + dcrl->sigParamsLength = sigParamsSz; + } + #endif + /* Store address and length of signature data. */ GetASN_GetRef(&dataASN[CRLASN_IDX_SIGNATURE], &dcrl->signature, &dcrl->sigLength); /* Get the signature OID. */ dcrl->signatureOID = dataASN[CRLASN_IDX_SIGALGO_OID].data.oid.sum; + + #ifdef WC_RSA_PSS + /* Sanity check on parameters found */ + if (tbsParamsSz != sigParamsSz) { + WOLFSSL_MSG("CRL TBS and signature parameter sizes mismatch"); + ret = ASN_PARSE_E; + } + else if ((tbsParamsSz > 0) && + (dataASN[CRLASN_IDX_TBS_SIGALGO_OID].data.oid.sum != CTC_RSASSAPSS)) { + WOLFSSL_MSG("CRL unexpected signature parameters found"); + ret = ASN_PARSE_E; + } + else if ((tbsParamsSz > 0) && + (XMEMCMP(tbsParams, sigParams, tbsParamsSz) != 0)) { + WOLFSSL_MSG("CRL TBS and signature parameter mismatch"); + ret = ASN_PARSE_E; + } + #endif + /* Get the format/tag of the last and next date. */ dcrl->lastDateFormat = (dataASN[CRLASN_IDX_TBS_THISUPDATE_UTC].tag != 0) ? dataASN[CRLASN_IDX_TBS_THISUPDATE_UTC].tag @@ -37331,7 +37394,7 @@ end: } if (ret == 0) { /* Find signer and verify signature. */ - ret = PaseCRL_CheckSignature(dcrl, buff, cm); + ret = PaseCRL_CheckSignature(dcrl, sigParams, sigParamsSz, buff, cm); } FREE_ASNGETDATA(dataASN, dcrl->heap); diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 0afd04b95..d32e8d6ed 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2499,6 +2499,10 @@ struct CRL_Entry { word32 tbsSz; word32 signatureSz; word32 signatureOID; +#ifdef WC_RSA_PSS + word32 sigParamsIndex; /* start of signature parameters */ + word32 sigParamsLength; /* length of signature parameters */ +#endif #if !defined(NO_SKID) && !defined(NO_ASN) byte extAuthKeyIdSet; byte extAuthKeyId[KEYID_SIZE]; diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 52041e509..870ecfd21 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -2548,6 +2548,10 @@ struct DecodedCRL { word32 sigIndex; /* offset to start of signature */ word32 sigLength; /* length of signature */ word32 signatureOID; /* sum of algorithm object id */ +#ifdef WC_RSA_PSS + word32 sigParamsIndex; /* start of signature parameters */ + word32 sigParamsLength; /* length of signature parameters */ +#endif byte* signature; /* pointer into raw source, not owned */ byte issuerHash[SIGNER_DIGEST_SIZE]; /* issuer name hash */ byte crlHash[SIGNER_DIGEST_SIZE]; /* raw crl data hash */ @@ -2574,8 +2578,8 @@ WOLFSSL_LOCAL void InitDecodedCRL(DecodedCRL* dcrl, void* heap); WOLFSSL_LOCAL int VerifyCRL_Signature(SignatureCtx* sigCtx, const byte* toBeSigned, word32 tbsSz, const byte* signature, word32 sigSz, - word32 signatureOID, Signer *ca, - void* heap); + word32 signatureOID, const byte* sigParams, + int sigParamsSz, Signer *ca, void* heap); WOLFSSL_LOCAL int ParseCRL(RevokedCert* rcert, DecodedCRL* dcrl, const byte* buff, word32 sz, int verify, void* cm); WOLFSSL_LOCAL void FreeDecodedCRL(DecodedCRL* dcrl); From d58acef8952ab1afaf390fb395af5467acd4859a Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Fri, 5 Jan 2024 14:47:53 -0800 Subject: [PATCH 2/7] add RSA-PSS CRL test case --- certs/crl/crl_rsapss.pem | 16 ++++++++++++++++ certs/crl/gencrls.sh | 4 ++++ certs/renewcerts.sh | 1 + tests/api.c | 16 ++++++++++++++++ 4 files changed, 37 insertions(+) create mode 100644 certs/crl/crl_rsapss.pem diff --git a/certs/crl/crl_rsapss.pem b/certs/crl/crl_rsapss.pem new file mode 100644 index 000000000..d98db4108 --- /dev/null +++ b/certs/crl/crl_rsapss.pem @@ -0,0 +1,16 @@ +-----BEGIN X509 CRL----- +MIICbjCCASYCAQEwPQYJKoZIhvcNAQEKMDCgDTALBglghkgBZQMEAgGhGjAYBgkq +hkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCASAwgZ0xCzAJBgNVBAYTAlVTMRAwDgYD +VQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRgwFgYDVQQKDA93b2xmU1NM +X1JTQS1QU1MxFTATBgNVBAsMDFJvb3QtUlNBLVBTUzEYMBYGA1UEAwwPd3d3Lndv +bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yNDAx +MDUyMjM0MDNaFw0yNjEwMDEyMjM0MDNaMBQwEgIBAhcNMjQwMTA1MjIzNDAzWqAO +MAwwCgYDVR0UBAMCAQMwPQYJKoZIhvcNAQEKMDCgDTALBglghkgBZQMEAgGhGjAY +BgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCASADggEBADcOR4Ay7OIHoQeH9AJ9 +y26uPqALflnmCTv8uUKkPhWvPoXZpAF7Sq0xCFAyYxbEtonLV0yQMWlPJWYtr3w8 +R6GIa+9A2iFR0MiDD/pppgIem+aP2DK72HObH96CgM5vRLlQ3ti8g72wfVVTZdi5 +G6QX1tZH8M8FMRcGyyiFeMaA1fLVry0uAyer9bIqPQ1JZ7VE1GzFnVByQ+BtPK8b +8OSIZud1VvxgETKYkRjvzA+fOwz/J4sum2MS4oLMXZ4DOt3RKDzqXc8o5NpZGOah +ViGgZLWhsCeuBqmJV9+gHJUDv4EFnE4UE6U75qZvkKgSvYxNL7u9sNSU8tu7a+Ay +oxw= +-----END X509 CRL----- diff --git a/certs/crl/gencrls.sh b/certs/crl/gencrls.sh index e509d9623..bb48b5387 100755 --- a/certs/crl/gencrls.sh +++ b/certs/crl/gencrls.sh @@ -56,6 +56,10 @@ echo "Step 3" openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out crl.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem check_result $? +echo "Step 3 RSA-PSS" +openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out crl_rsapss.pem -keyfile ../rsapss/root-rsapss-priv.pem -cert ../rsapss/root-rsapss.pem +check_result $? + # metadata echo "Step 4" openssl crl -in crl.pem -text > tmp diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh index a25385d54..5485656b6 100755 --- a/certs/renewcerts.sh +++ b/certs/renewcerts.sh @@ -838,6 +838,7 @@ run_renewcerts(){ cd ./crl || { echo "Failed to switch to dir ./crl"; exit 1; } echo "changed directory: cd/crl" echo "" + # has dependency on rsapss generation (rsapss should be ran first) ./gencrls.sh check_result $? "gencrls.sh" echo "ran ./gencrls.sh" diff --git a/tests/api.c b/tests/api.c index 5641c939c..194a3607b 100644 --- a/tests/api.c +++ b/tests/api.c @@ -3044,6 +3044,10 @@ static int test_wolfSSL_CertManagerCRL(void) const char* ca_cert = "./certs/ca-cert.pem"; const char* crl1 = "./certs/crl/crl.pem"; const char* crl2 = "./certs/crl/crl2.pem"; +#ifdef WC_RSA_PSS + const char* crl_rsapss = "./certs/crl/crl_rsapss.pem"; + const char* ca_rsapss = "certs/rsapss/root-rsapss.pem"; +#endif const unsigned char crl_buff[] = { 0x30, 0x82, 0x02, 0x04, 0x30, 0x81, 0xed, 0x02, 0x01, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, @@ -3199,6 +3203,18 @@ static int test_wolfSSL_CertManagerCRL(void) ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(cm, crl_buff, sizeof(crl_buff), WOLFSSL_FILETYPE_ASN1), 1); +#if !defined(NO_FILESYSTEM) && defined(WC_RSA_PSS) + /* loading should fail without the CA set */ + ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_rsapss, + WOLFSSL_FILETYPE_PEM), ASN_CRL_NO_SIGNER_E); + + /* now successfully load the RSA-PSS crl once loading in it's CA */ + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CertManagerLoadCA(cm, ca_rsapss, NULL)); + ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_rsapss, + WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); +#endif + wolfSSL_CertManagerFree(cm); #endif From cd07e32b13af329e63c98c35a669ade8540e876d Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Mon, 8 Jan 2024 16:38:11 -0800 Subject: [PATCH 3/7] update crl files and add in compat support for RSA-PSS --- certs/crl/caEcc384Crl.pem | 12 +-- certs/crl/caEccCrl.pem | 12 +-- certs/crl/cliCrl.pem | 54 +++++----- certs/crl/crl.der | Bin 520 -> 520 bytes certs/crl/crl.pem | 52 +++++----- certs/crl/crl.revoked | 56 +++++----- certs/crl/crl2.der | Bin 520 -> 520 bytes certs/crl/crl2.pem | 102 +++++++++---------- certs/crl/crl_rsapss.pem | 65 +++++++++--- certs/crl/eccCliCRL.pem | 22 ++-- certs/crl/eccSrvCRL.pem | 22 ++-- certs/crl/extra-crls/ca-int-cert-revoked.pem | 16 +-- certs/crl/extra-crls/general-server-crl.pem | 16 +-- certs/crl/gencrls.sh | 21 +++- src/crl.c | 44 ++++++-- tests/api.c | 14 ++- wolfssl/internal.h | 4 +- 17 files changed, 301 insertions(+), 211 deletions(-) diff --git a/certs/crl/caEcc384Crl.pem b/certs/crl/caEcc384Crl.pem index ab0833e06..cf3f9a1b1 100644 --- a/certs/crl/caEcc384Crl.pem +++ b/certs/crl/caEcc384Crl.pem @@ -1,10 +1,10 @@ -----BEGIN X509 CRL----- -MIIBcjCB+AIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEzARBgNVBAgM +MIIBcTCB+AIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEzARBgNVBAgM Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZTU0wx FDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x -HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTIzMTIxMzIyMTkzM1oX -DTI2MDkwODIyMTkzM1qgLzAtMB8GA1UdIwQYMBaAFKvgwyZMGNRyu9KEjJwKBZKA -ElNSMAoGA1UdFAQDAgEMMAoGCCqGSM49BAMCA2kAMGYCMQDiAhgtXMrlvYjxh1+q -uqluR12ThFI1k8wTdFiGF0yToo3zpoxbaN5w33vBYVUZzCYCMQD76v5cIfO8RUBc -f5tVsV7n7fGhwMPREOw0f0nmtl+qwNWSDDegMLtTdZyYF9ERdV0= +HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTI0MDEwOTAwMzQzMFoX +DTI2MTAwNTAwMzQzMFqgLzAtMB8GA1UdIwQYMBaAFKvgwyZMGNRyu9KEjJwKBZKA +ElNSMAoGA1UdFAQDAgEMMAoGCCqGSM49BAMCA2gAMGUCMQCjqo2bmsEzvBpsVBfA +7CXvvAoldG0sFKW75EvAUOFZYWC92/GDULxTxzOGqg81B5ICMEeFr+vl+RMQZfju +ZY3eOC5PKW4z1LwneOUyoKu2joHBENLhsD+tSixSHumx+kmh2g== -----END X509 CRL----- diff --git a/certs/crl/caEccCrl.pem b/certs/crl/caEccCrl.pem index 4729407bc..8574c307d 100644 --- a/certs/crl/caEccCrl.pem +++ b/certs/crl/caEccCrl.pem @@ -1,10 +1,10 @@ -----BEGIN X509 CRL----- -MIIBUTCB+AIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEzARBgNVBAgM +MIIBUDCB+AIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEzARBgNVBAgM Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZTU0wx FDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x -HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTIzMTIxMzIyMTkzM1oX -DTI2MDkwODIyMTkzM1qgLzAtMB8GA1UdIwQYMBaAFFaOmsPwQt4YuUVVbvmTz+rD -86UhMAoGA1UdFAQDAgELMAoGCCqGSM49BAMCA0gAMEUCICFj5IcBuGatpURtIwMU -hSKkP11GeUUb5crLMcBKI2u9AiEArWyOTYXvODOGebzJONGEy7UQ9d+HUba3ROqc -aGu35HE= +HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTI0MDEwOTAwMzQzMFoX +DTI2MTAwNTAwMzQzMFqgLzAtMB8GA1UdIwQYMBaAFFaOmsPwQt4YuUVVbvmTz+rD +86UhMAoGA1UdFAQDAgELMAoGCCqGSM49BAMCA0cAMEQCIFuy1ACI/xzHowxHb4+6 +Ey9EPuLVgbvwLmVVSnDiwEkAAiB8BrOHHUMxK0ZFMZoAdRBgE/p32q9FdJJfAO0n +VnFcxg== -----END X509 CRL----- diff --git a/certs/crl/cliCrl.pem b/certs/crl/cliCrl.pem index 00c485372..e20203ef7 100644 --- a/certs/crl/cliCrl.pem +++ b/certs/crl/cliCrl.pem @@ -2,41 +2,41 @@ Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_2048, OU = Programming-2048, CN = www.wolfssl.com, emailAddress = info@wolfssl.com - Last Update: Dec 13 22:19:33 2023 GMT - Next Update: Sep 8 22:19:33 2026 GMT + Last Update: Jan 9 00:34:30 2024 GMT + Next Update: Oct 5 00:34:30 2026 GMT CRL extensions: X509v3 CRL Number: 8 Revoked Certificates: Serial Number: 02 - Revocation Date: Dec 13 22:19:33 2023 GMT + Revocation Date: Jan 9 00:34:30 2024 GMT Signature Algorithm: sha256WithRSAEncryption - 74:17:9b:40:81:d2:a0:f3:26:68:44:5b:f8:a2:6c:3f:7e:71: - 75:a2:7f:c6:e6:71:cb:f9:08:57:42:cd:3e:3f:ab:cd:0c:85: - 36:45:58:8b:59:28:81:d9:b0:6b:10:4a:d0:7d:59:ad:cf:53: - 05:cb:13:c7:c1:ec:65:64:6b:4d:e6:87:0b:ae:06:60:ab:8a: - 3c:ae:c1:7d:ed:8f:ee:09:02:7a:3a:f2:21:bf:89:ef:cd:14: - b1:03:64:2d:b2:b6:45:15:da:2d:ee:2d:c0:15:3b:a8:01:a8: - 4f:30:61:ae:99:b9:16:07:b5:8b:71:8f:38:ac:69:82:39:90: - 92:ff:d6:41:33:3b:92:5b:f2:dd:56:5a:8f:82:d1:1f:76:ee: - ca:01:a2:ac:c0:22:41:dd:6e:e1:ce:06:b0:6f:bc:e2:da:91: - 11:c1:a0:41:16:7d:ba:7e:a1:53:13:14:4b:54:3b:b9:44:cf: - 4f:1c:ef:ce:a8:bd:e8:ab:ba:de:97:f7:b7:7d:4f:ab:7a:e7: - 73:65:97:a1:d9:a3:f3:92:f1:95:06:6d:52:7b:6e:fd:26:56: - 55:83:c7:71:f7:a4:8f:9a:2c:52:04:dd:9f:85:ab:9c:88:e1: - 30:c6:4a:88:7d:20:1b:c6:47:8b:82:cc:9d:0f:51:69:b1:90: - b2:8a:9c:74 + 52:11:97:57:04:d7:e2:14:1f:c4:7f:a2:d8:cf:4c:b7:5b:0c: + d3:ac:ca:29:10:74:09:2f:3d:fb:4d:75:3e:32:21:5a:0f:41: + 5f:cc:e7:98:f8:ea:8e:e2:c9:57:60:b6:a3:b0:70:10:18:b9: + 86:a3:65:1e:3a:88:13:df:44:18:15:51:00:f6:33:d6:ab:90: + 18:93:df:ac:7d:15:5c:6a:63:55:d1:4d:41:37:03:89:86:65: + fa:fb:d7:b1:73:db:c3:43:08:ff:89:94:89:b1:b4:ad:96:78: + 52:92:50:8c:0a:5d:ca:29:8b:e0:bc:ca:88:c0:7a:52:48:d3: + cf:09:03:08:5f:a1:b9:16:b0:55:5e:11:60:7f:73:9a:98:05: + 54:97:bf:eb:0e:04:61:4f:b4:40:23:61:9a:07:69:78:fc:16: + de:f4:54:04:cf:f0:2b:07:8d:51:9e:6b:b5:77:c4:13:2c:a3: + 40:99:ed:fa:f4:00:4a:45:36:da:52:9d:dc:88:66:3e:03:f0: + 20:ce:54:a4:56:58:a8:9e:30:78:e8:42:2d:a8:0f:9b:c4:a9: + ab:13:c2:4e:ec:be:2e:99:16:56:2f:22:86:96:27:1d:30:80: + 7d:a5:f8:45:ef:93:b4:63:13:96:4f:6a:df:a0:11:3b:52:be: + 93:03:7a:81 -----BEGIN X509 CRL----- MIICDjCB9wIBATANBgkqhkiG9w0BAQsFADCBnjELMAkGA1UEBhMCVVMxEDAOBgNV BAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZTU0xf MjA0ODEZMBcGA1UECwwQUHJvZ3JhbW1pbmctMjA0ODEYMBYGA1UEAwwPd3d3Lndv -bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yMzEy -MTMyMjE5MzNaFw0yNjA5MDgyMjE5MzNaMBQwEgIBAhcNMjMxMjEzMjIxOTMzWqAO -MAwwCgYDVR0UBAMCAQgwDQYJKoZIhvcNAQELBQADggEBAHQXm0CB0qDzJmhEW/ii -bD9+cXWif8bmccv5CFdCzT4/q80MhTZFWItZKIHZsGsQStB9Wa3PUwXLE8fB7GVk -a03mhwuuBmCrijyuwX3tj+4JAno68iG/ie/NFLEDZC2ytkUV2i3uLcAVO6gBqE8w -Ya6ZuRYHtYtxjzisaYI5kJL/1kEzO5Jb8t1WWo+C0R927soBoqzAIkHdbuHOBrBv -vOLakRHBoEEWfbp+oVMTFEtUO7lEz08c786oveirut6X97d9T6t653Nll6HZo/OS -8ZUGbVJ7bv0mVlWDx3H3pI+aLFIE3Z+Fq5yI4TDGSoh9IBvGR4uCzJ0PUWmxkLKK -nHQ= +bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yNDAx +MDkwMDM0MzBaFw0yNjEwMDUwMDM0MzBaMBQwEgIBAhcNMjQwMTA5MDAzNDMwWqAO +MAwwCgYDVR0UBAMCAQgwDQYJKoZIhvcNAQELBQADggEBAFIRl1cE1+IUH8R/otjP +TLdbDNOsyikQdAkvPftNdT4yIVoPQV/M55j46o7iyVdgtqOwcBAYuYajZR46iBPf +RBgVUQD2M9arkBiT36x9FVxqY1XRTUE3A4mGZfr717Fz28NDCP+JlImxtK2WeFKS +UIwKXcopi+C8yojAelJI088JAwhfobkWsFVeEWB/c5qYBVSXv+sOBGFPtEAjYZoH +aXj8Ft70VATP8CsHjVGea7V3xBMso0CZ7fr0AEpFNtpSndyIZj4D8CDOVKRWWKie +MHjoQi2oD5vEqasTwk7svi6ZFlYvIoaWJx0wgH2l+EXvk7RjE5ZPat+gETtSvpMD +eoE= -----END X509 CRL----- diff --git a/certs/crl/crl.der b/certs/crl/crl.der index c6ec65c4bf2185a61b97c7c2f19a6293c7727900..7ce490cdabbb14e5d7a4702a4bac1ab3948224a4 100644 GIT binary patch delta 317 zcmeBR>0p_#*}%lW(7@8bz}UptAWEFq$js2dz!b_g5HS#9Vq_BMH9}G}@v&_gjVT36aPu+>>?YZ0v-uDZSDk9(YuLs%C2oPM&>3MO0v;`{ZGF>Th z?P^@`W0Sd`y4fXX%YS6zXK{P6W80_R;|E0T?E0n^i^?T^^V9miYQe+?q54Li)H4?Q zB638QDlY8(-nCQZi|(ld>CW6IWVX}_)z>eQmgJjqzIuM?0*+bf_U)Z^KO&ZPN$cL4 zeL-4c(&0;4*Jb{=W|kigPc5A}&s|GF_5FlT@z%9-Y8hTl3VF@_TztKX)X$pcfDG9? z(FsD!gDP&W+#nz6VRn4kbd%%l_Urzx42$(R(^*xS&_7!{*=93~Z2WhHOMgEFZk#q* LIC^ynQ&Tqpr%H%_ delta 317 zcmeBR>0p_#*}&M)$k5ox$k5W*I7*z?$jrdfzyiuO5HS#9Vq_BMH9}G}@v&;XhuI7X zr#U>0fs&=(YO@}&OLQ(;xObc1#7{1hr2-cA7s(%4H?#35gVhw~dkiWwuIPwA-StV+ z%K3!yuHvkinX$VX?(X$J8@%kiv7n)W`lCyRY^gi!&i`Xj{Ld@l|L5=3hSH)MJ(q(E z)s}U2oH&psb!Dd6ss41Q{+drx&!sO+V69i;)x2yPuH3WxQt-hQ3^rFbPgm~pm+d}T zoHfm1!;+21@3HwVj?KFCHAe1(BLBs|ik*+<*&f{Vfj_QN&fR0u{@2qq)^c~oS-+jG zxw}{8&@;8C#_v1C4@yn{73i|)%%+s5F;ha`TG#fQczItwmGo1Ap-t_T^vW&w`@i_! Mu$#Kdn#oxP0Jz0p_#*}%lW(7@8bz}UptAWEFq$js2dz!b_g5HS#9Vq_BMH9}G}@v&_gjVT36aPu+>>?YZ0v-uDZSDk9(YuLs%C2oPM&>3MO0v;`{ZGF>Th z?P^@`W0Sd`y4fXX%YS6zXK{P6W80_R;|E0T?E0n^i^?T^^V9miYQe+?q54Li)H4?Q zB638QDlY8(-nCQZi|(ld>CW6IWVX}_)z>eQmgJjqzIuM?0*+bf_U)Z^KO&ZPN$cL4 zeL-4c(&0;4*Jb{=W|kigPc5A}&s|GF_5FlT@z%9-Y8hTl3VF@_TztKX)X$pcfDG9? z(FsD!gDP&W+#nz6VRn4kbd%%l_Urzx42$(R(^*xS&_7!{*=93~Z2WhHOMgEFZk#q* LIC^ynQ&Tqpr%H%_ delta 317 zcmeBR>0p_#*}&M)$k5ox$k5W*I7*z?$jrdfzyiuO5HS#9Vq_BMH9}G}@v&;XhuI7X zr#U>0fs&=(YO@}&OLQ(;xObc1#7{1hr2-cA7s(%4H?#35gVhw~dkiWwuIPwA-StV+ z%K3!yuHvkinX$VX?(X$J8@%kiv7n)W`lCyRY^gi!&i`Xj{Ld@l|L5=3hSH)MJ(q(E z)s}U2oH&psb!Dd6ss41Q{+drx&!sO+V69i;)x2yPuH3WxQt-hQ3^rFbPgm~pm+d}T zoHfm1!;+21@3HwVj?KFCHAe1(BLBs|ik*+<*&f{Vfj_QN&fR0u{@2qq)^c~oS-+jG zxw}{8&@;8C#_v1C4@yn{73i|)%%+s5F;ha`TG#fQczItwmGo1Ap-t_T^vW&w`@i_! Mu$#Kdn#oxP0Jz tmp @@ -206,4 +202,21 @@ echo "Step 26" openssl crl -in crl.pem -inform PEM -out crl.der -outform DER openssl crl -in crl2.pem -inform PEM -out crl2.der -outform DER +# clear state for RSA-PSS revoke +cp blank.index.txt demoCA/index.txt + +echo "Step 27 RSA-PSS revoke" +openssl ca -config ../renewcerts/wolfssl.cnf -revoke ../rsapss/server-rsapss.pem -keyfile ../rsapss/ca-rsapss-priv.pem -cert ../rsapss/ca-rsapss.pem +check_result $? + +echo "Step 28 RSA-PSS" +openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out crl_rsapss.pem -keyfile ../rsapss/ca-rsapss-priv.pem -cert ../rsapss/ca-rsapss.pem +check_result $? + +# metadata +echo "Step 29" +openssl crl -in crl_rsapss.pem -text > tmp +check_result $? +mv tmp crl_rsapss.pem + exit 0 diff --git a/src/crl.c b/src/crl.c index 9a49f219f..8a617dd34 100644 --- a/src/crl.c +++ b/src/crl.c @@ -138,6 +138,7 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff, crle->tbsSz = dcrl->sigIndex - dcrl->certBegin; crle->signatureSz = dcrl->sigLength; crle->signatureOID = dcrl->signatureOID; + crle->sigParamsSz = dcrl->sigParamsLength; crle->toBeSigned = (byte*)XMALLOC(crle->tbsSz, heap, DYNAMIC_TYPE_CRL_ENTRY); if (crle->toBeSigned == NULL) @@ -149,6 +150,20 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff, crle->toBeSigned = NULL; return -1; } + + if (dcrl->sigParamsLength > 0) { + crle->sigParams = (byte*)XMALLOC(crle->sigParamsSz, heap, + DYNAMIC_TYPE_CRL_ENTRY); + if (crle->sigParams== NULL) { + XFREE(crle->toBeSigned, heap, DYNAMIC_TYPE_CRL_ENTRY); + crle->toBeSigned = NULL; + XFREE(crle->signature, heap, DYNAMIC_TYPE_CRL_ENTRY); + crle->signature = NULL; + return -1; + } + XMEMCPY(crle->sigParams, buff + dcrl->sigParamsIndex, + crle->sigParamsSz); + } XMEMCPY(crle->toBeSigned, buff + dcrl->certBegin, crle->tbsSz); XMEMCPY(crle->signature, dcrl->signature, crle->signatureSz); #ifndef NO_SKID @@ -206,6 +221,8 @@ static void CRL_Entry_free(CRL_Entry* crle, void* heap) XFREE(crle->signature, heap, DYNAMIC_TYPE_CRL_ENTRY); if (crle->toBeSigned != NULL) XFREE(crle->toBeSigned, heap, DYNAMIC_TYPE_CRL_ENTRY); + if (crle->sigParams != NULL) + XFREE(crle->sigParams, heap, DYNAMIC_TYPE_CRL_ENTRY); #if defined(OPENSSL_EXTRA) if (crle->issuer != NULL) { FreeX509Name(crle->issuer); @@ -338,16 +355,19 @@ static int VerifyCRLE(const WOLFSSL_CRL* crl, CRL_Entry* crle) ret = VerifyCRL_Signature(&sigCtx, crle->toBeSigned, crle->tbsSz, crle->signature, crle->signatureSz, crle->signatureOID, + #ifdef WC_RSA_PSS + crle->sigParams, crle->sigParamsSz, + #else + NULL, 0, + #endif + ca, crl->heap); - /* @TODO RSA PSS params */ NULL, 0, - - ca, - crl->heap); - - if (ret == 0) + if (ret == 0) { crle->verified = 1; - else + } + else { crle->verified = ret; + } return ret; } @@ -739,11 +759,15 @@ static CRL_Entry* DupCRL_Entry(const CRL_Entry* ent, void* heap) DYNAMIC_TYPE_CRL_ENTRY); dupl->signature = (byte*)XMALLOC(dupl->signatureSz, heap, DYNAMIC_TYPE_CRL_ENTRY); - if (dupl->toBeSigned == NULL || dupl->signature == NULL) { + dupl->sigParams = (byte*)XMALLOC(dupl->sigParamsSz, heap, + DYNAMIC_TYPE_CRL_ENTRY); + if (dupl->toBeSigned == NULL || dupl->signature == NULL || + dupl->sigParams == NULL) { CRL_Entry_free(dupl, heap); return NULL; } XMEMCPY(dupl->toBeSigned, ent->toBeSigned, dupl->tbsSz); + XMEMCPY(dupl->sigParams, ent->sigParams, dupl->sigParamsSz); XMEMCPY(dupl->signature, ent->signature, dupl->signatureSz); } else { @@ -751,6 +775,10 @@ static CRL_Entry* DupCRL_Entry(const CRL_Entry* ent, void* heap) dupl->tbsSz = 0; dupl->signature = NULL; dupl->signatureSz = 0; +#ifdef WC_RSA_PSS + dupl->sigParams = NULL; + dupl->sigParamsSz = 0; +#endif #if !defined(NO_SKID) && !defined(NO_ASN) dupl->extAuthKeyIdSet = 0; #endif diff --git a/tests/api.c b/tests/api.c index 194a3607b..b878fcd14 100644 --- a/tests/api.c +++ b/tests/api.c @@ -3046,7 +3046,7 @@ static int test_wolfSSL_CertManagerCRL(void) const char* crl2 = "./certs/crl/crl2.pem"; #ifdef WC_RSA_PSS const char* crl_rsapss = "./certs/crl/crl_rsapss.pem"; - const char* ca_rsapss = "certs/rsapss/root-rsapss.pem"; + const char* ca_rsapss = "certs/rsapss/ca-rsapss.pem"; #endif const unsigned char crl_buff[] = { 0x30, 0x82, 0x02, 0x04, 0x30, 0x81, 0xed, 0x02, @@ -54537,6 +54537,9 @@ static int test_wolfSSL_X509_load_crl_file(void) "./certs/crl/caEccCrl.pem", "./certs/crl/eccCliCRL.pem", "./certs/crl/eccSrvCRL.pem", + #ifdef WC_RSA_PSS + "./certs/crl/crl_rsapss.pem", + #endif "" }; char der[][100] = { @@ -54552,6 +54555,10 @@ static int test_wolfSSL_X509_load_crl_file(void) ExpectIntEQ(X509_LOOKUP_load_file(lookup, "certs/ca-cert.pem", X509_FILETYPE_PEM), 1); +#ifdef WC_RSA_PSS + ExpectIntEQ(X509_LOOKUP_load_file(lookup, "certs/rsapss/ca-rsapss.pem", + X509_FILETYPE_PEM), 1); +#endif ExpectIntEQ(X509_LOOKUP_load_file(lookup, "certs/server-revoked-cert.pem", X509_FILETYPE_PEM), 1); if (store) { @@ -54572,6 +54579,11 @@ static int test_wolfSSL_X509_load_crl_file(void) ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, "certs/server-revoked-cert.pem", WOLFSSL_FILETYPE_PEM), CRL_CERT_REVOKED); +#ifdef WC_RSA_PSS + ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, + "certs/rsapss/server-rsapss-cert.pem", WOLFSSL_FILETYPE_PEM), + CRL_CERT_REVOKED); +#endif } /* once feeing store */ X509_STORE_free(store); diff --git a/wolfssl/internal.h b/wolfssl/internal.h index d32e8d6ed..2291e0c4d 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2500,8 +2500,8 @@ struct CRL_Entry { word32 signatureSz; word32 signatureOID; #ifdef WC_RSA_PSS - word32 sigParamsIndex; /* start of signature parameters */ - word32 sigParamsLength; /* length of signature parameters */ + word32 sigParamsSz; /* length of signature parameters */ + byte* sigParams; /* buffer with signature parameters */ #endif #if !defined(NO_SKID) && !defined(NO_ASN) byte extAuthKeyIdSet; From 5fc71161e91ddfa3137aa4775bc8995ac8e8a9ca Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Thu, 11 Jan 2024 16:50:16 -0700 Subject: [PATCH 4/7] add crl rsa pss for asn=original --- wolfcrypt/src/asn.c | 42 +++++++++++++++++++++++++++++++++++++++--- 1 file changed, 39 insertions(+), 3 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index d5abe1bc0..d6eefa791 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -36722,8 +36722,24 @@ static int ParseCRL_CertList(RevokedCert* rcert, DecodedCRL* dcrl, dcrl->version++; } - if (GetAlgoId(buf, &idx, &oid, oidIgnoreType, sz) < 0) + if (GetAlgoId(buf, &idx, &oid, oidIgnoreType, sz) < 0) { return ASN_PARSE_E; + } +#ifdef WC_RSA_PSS + else if (oid == CTC_RSASSAPSS) { + word32 tmpSz; + int len; + + tmpSz = idx; + dcrl->sigParamsIndex = idx; + if (GetSequence(buf, &idx, &len, sz) < 0) { + dcrl->sigParamsIndex = 0; + return ASN_PARSE_E; + } + idx += len; + dcrl->sigParamsLength = idx - tmpSz; + } +#endif checkIdx = idx; if (GetSequence(buf, &checkIdx, &length, sz) < 0) { @@ -37153,6 +37169,10 @@ int ParseCRL(RevokedCert* rcert, DecodedCRL* dcrl, const byte* buff, word32 sz, int ret = 0; int len; word32 idx = 0; +#ifdef WC_RSA_PSS + const byte* sigParams = NULL; + int sigParamsSz = 0; +#endif WOLFSSL_MSG("ParseCRL"); @@ -37182,8 +37202,24 @@ int ParseCRL(RevokedCert* rcert, DecodedCRL* dcrl, const byte* buff, word32 sz, idx = dcrl->sigIndex; - if (GetAlgoId(buff, &idx, &dcrl->signatureOID, oidSigType, sz) < 0) + if (GetAlgoId(buff, &idx, &dcrl->signatureOID, oidSigType, sz) < 0) { return ASN_PARSE_E; + } +#ifdef WC_RSA_PSS + else if (dcrl->signatureOID == CTC_RSASSAPSS) { + word32 tmpSz; + const byte* params; + + tmpSz = idx; + params = buff + idx; + if (GetSequence(buff, &idx, &len, sz) < 0) { + return ASN_PARSE_E; + } + idx += len; + sigParams = params; + sigParamsSz = idx - tmpSz; + } +#endif if (GetCRL_Signature(buff, &idx, dcrl, sz) < 0) return ASN_PARSE_E; @@ -37223,7 +37259,7 @@ int ParseCRL(RevokedCert* rcert, DecodedCRL* dcrl, const byte* buff, word32 sz, WOLFSSL_MSG("Found CRL issuer CA"); ret = VerifyCRL_Signature(&sigCtx, buff + dcrl->certBegin, dcrl->sigIndex - dcrl->certBegin, dcrl->signature, dcrl->sigLength, - dcrl->signatureOID, sigParam, sigParamsSz, ca, dcrl->heap); + dcrl->signatureOID, sigParams, sigParamsSz, ca, dcrl->heap); end: return ret; From b38e20a7219c60602eb6b77ce469a8904b4151b8 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Mon, 15 Jan 2024 15:19:04 -0700 Subject: [PATCH 5/7] add crl_rsapss.pem to make dist --- certs/crl/include.am | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/certs/crl/include.am b/certs/crl/include.am index 91f09bd0d..d3194933a 100644 --- a/certs/crl/include.am +++ b/certs/crl/include.am @@ -15,7 +15,8 @@ EXTRA_DIST += \ certs/crl/caEcc384Crl.pem \ certs/crl/wolfssl.cnf \ certs/crl/crl.der \ - certs/crl/crl2.der + certs/crl/crl2.der \ + certs/crl/crl_rsapss.pem EXTRA_DIST += \ certs/crl/crl.revoked \ From 114d11a8d8308917e0f57da7047fe570083410eb Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Mon, 15 Jan 2024 15:33:01 -0700 Subject: [PATCH 6/7] adding RSA-PSS macro guard around CRL use --- src/crl.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/src/crl.c b/src/crl.c index 8a617dd34..787901f66 100644 --- a/src/crl.c +++ b/src/crl.c @@ -138,7 +138,6 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff, crle->tbsSz = dcrl->sigIndex - dcrl->certBegin; crle->signatureSz = dcrl->sigLength; crle->signatureOID = dcrl->signatureOID; - crle->sigParamsSz = dcrl->sigParamsLength; crle->toBeSigned = (byte*)XMALLOC(crle->tbsSz, heap, DYNAMIC_TYPE_CRL_ENTRY); if (crle->toBeSigned == NULL) @@ -151,6 +150,8 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff, return -1; } + #ifdef WC_RSA_PSS + crle->sigParamsSz = dcrl->sigParamsLength; if (dcrl->sigParamsLength > 0) { crle->sigParams = (byte*)XMALLOC(crle->sigParamsSz, heap, DYNAMIC_TYPE_CRL_ENTRY); @@ -164,6 +165,7 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff, XMEMCPY(crle->sigParams, buff + dcrl->sigParamsIndex, crle->sigParamsSz); } + #endif XMEMCPY(crle->toBeSigned, buff + dcrl->certBegin, crle->tbsSz); XMEMCPY(crle->signature, dcrl->signature, crle->signatureSz); #ifndef NO_SKID @@ -221,8 +223,10 @@ static void CRL_Entry_free(CRL_Entry* crle, void* heap) XFREE(crle->signature, heap, DYNAMIC_TYPE_CRL_ENTRY); if (crle->toBeSigned != NULL) XFREE(crle->toBeSigned, heap, DYNAMIC_TYPE_CRL_ENTRY); +#ifdef WC_RSA_PSS if (crle->sigParams != NULL) XFREE(crle->sigParams, heap, DYNAMIC_TYPE_CRL_ENTRY); +#endif #if defined(OPENSSL_EXTRA) if (crle->issuer != NULL) { FreeX509Name(crle->issuer); @@ -759,16 +763,24 @@ static CRL_Entry* DupCRL_Entry(const CRL_Entry* ent, void* heap) DYNAMIC_TYPE_CRL_ENTRY); dupl->signature = (byte*)XMALLOC(dupl->signatureSz, heap, DYNAMIC_TYPE_CRL_ENTRY); +#ifdef WC_RSA_PSS dupl->sigParams = (byte*)XMALLOC(dupl->sigParamsSz, heap, DYNAMIC_TYPE_CRL_ENTRY); - if (dupl->toBeSigned == NULL || dupl->signature == NULL || - dupl->sigParams == NULL) { +#endif + if (dupl->toBeSigned == NULL || dupl->signature == NULL) { CRL_Entry_free(dupl, heap); return NULL; } XMEMCPY(dupl->toBeSigned, ent->toBeSigned, dupl->tbsSz); - XMEMCPY(dupl->sigParams, ent->sigParams, dupl->sigParamsSz); XMEMCPY(dupl->signature, ent->signature, dupl->signatureSz); + +#ifdef WC_RSA_PSS + if (dupl->sigParams == NULL) { + CRL_Entry_free(dupl, heap); + return NULL; + } + XMEMCPY(dupl->sigParams, ent->sigParams, dupl->sigParamsSz); +#endif } else { dupl->toBeSigned = NULL; From b140f93b17c9562173551ac071a39ad85be1902e Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Tue, 16 Jan 2024 14:41:24 -0700 Subject: [PATCH 7/7] refactor sigParams allocation and adjust test file name --- src/crl.c | 19 +++++++++---------- tests/api.c | 2 +- 2 files changed, 10 insertions(+), 11 deletions(-) diff --git a/src/crl.c b/src/crl.c index 787901f66..20b2241ab 100644 --- a/src/crl.c +++ b/src/crl.c @@ -763,24 +763,23 @@ static CRL_Entry* DupCRL_Entry(const CRL_Entry* ent, void* heap) DYNAMIC_TYPE_CRL_ENTRY); dupl->signature = (byte*)XMALLOC(dupl->signatureSz, heap, DYNAMIC_TYPE_CRL_ENTRY); -#ifdef WC_RSA_PSS + #ifdef WC_RSA_PSS dupl->sigParams = (byte*)XMALLOC(dupl->sigParamsSz, heap, DYNAMIC_TYPE_CRL_ENTRY); -#endif - if (dupl->toBeSigned == NULL || dupl->signature == NULL) { + #endif + if (dupl->toBeSigned == NULL || dupl->signature == NULL + #ifdef WC_RSA_PSS + || dupl->sigParams == NULL + #endif + ) { CRL_Entry_free(dupl, heap); return NULL; } XMEMCPY(dupl->toBeSigned, ent->toBeSigned, dupl->tbsSz); XMEMCPY(dupl->signature, ent->signature, dupl->signatureSz); - -#ifdef WC_RSA_PSS - if (dupl->sigParams == NULL) { - CRL_Entry_free(dupl, heap); - return NULL; - } + #ifdef WC_RSA_PSS XMEMCPY(dupl->sigParams, ent->sigParams, dupl->sigParamsSz); -#endif + #endif } else { dupl->toBeSigned = NULL; diff --git a/tests/api.c b/tests/api.c index b878fcd14..71830ac69 100644 --- a/tests/api.c +++ b/tests/api.c @@ -3046,7 +3046,7 @@ static int test_wolfSSL_CertManagerCRL(void) const char* crl2 = "./certs/crl/crl2.pem"; #ifdef WC_RSA_PSS const char* crl_rsapss = "./certs/crl/crl_rsapss.pem"; - const char* ca_rsapss = "certs/rsapss/ca-rsapss.pem"; + const char* ca_rsapss = "./certs/rsapss/ca-rsapss.pem"; #endif const unsigned char crl_buff[] = { 0x30, 0x82, 0x02, 0x04, 0x30, 0x81, 0xed, 0x02,