Fixes for various build options (!NO_RSA, HAVE_ECC, NO_PKCS8, NO_PKCS12). Added new NO_CHECK_PRIVATE_KEY to allow reduce code size when not required.

This commit is contained in:
David Garske
2019-08-20 10:38:08 -07:00
parent 644e7a8f45
commit 24bfea1ad2
5 changed files with 58 additions and 26 deletions
+3 -2
View File
@@ -6279,7 +6279,7 @@ int wolfSSL_CertManagerLoadCA(WOLFSSL_CERT_MANAGER* cm, const char* file,
return ret;
}
#ifndef NO_CHECK_PRIVATE_KEY
/* Check private against public in certificate for match
*
* ctx WOLFSSL_CTX structure to check private key in
@@ -6339,10 +6339,11 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx)
return WOLFSSL_FAILURE;
#endif
}
#endif /* !NO_CHECK_PRIVATE_KEY */
#ifdef HAVE_CRL
/* check CRL if enabled, WOLFSSL_SUCCESS */
int wolfSSL_CertManagerCheckCRL(WOLFSSL_CERT_MANAGER* cm, byte* der, int sz)
{
+25 -17
View File
@@ -4390,8 +4390,8 @@ static void test_wolfSSL_PKCS12(void)
#if !defined(NO_FILESYSTEM) && !defined(NO_ASN) && defined(HAVE_PKCS8) && \
defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_DES3) && \
!defined(NO_PWDBASED) && !defined(NO_RSA)
defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_DES3) && !defined(NO_PWDBASED) && \
(!defined(NO_RSA) || defined(HAVE_ECC))
#define TEST_PKCS8_ENC
#endif
@@ -4425,10 +4425,14 @@ static void test_wolfSSL_PKCS8(void)
#if !defined(NO_FILESYSTEM) && !defined(NO_ASN) && defined(HAVE_PKCS8)
byte buffer[FOURK_BUF];
byte der[FOURK_BUF];
#ifndef NO_RSA
const char serverKeyPkcs8PemFile[] = "./certs/server-keyPkcs8.pem";
const char serverKeyPkcs8DerFile[] = "./certs/server-keyPkcs8.der";
#endif
const char eccPkcs8PrivKeyPemFile[] = "./certs/ecc-privkeyPkcs8.pem";
const char eccPkcs8PrivKeyDerFile[] = "./certs/ecc-privkeyPkcs8.der";
const char serverKeyPkcs8PemFile[] = "./certs/server-keyPkcs8.pem";
const char serverKeyPkcs8DerFile[] = "./certs/server-keyPkcs8.der";
#ifdef HAVE_ECC
const char eccPkcs8PrivKeyDerFile[] = "./certs/ecc-privkeyPkcs8.der";
#endif
XFILE f;
int bytes;
WOLFSSL_CTX* ctx;
@@ -4438,8 +4442,10 @@ static void test_wolfSSL_PKCS8(void)
word32 x = 0;
#endif
#ifdef TEST_PKCS8_ENC
const char serverKeyPkcs8EncPemFile[] = "./certs/server-keyPkcs8Enc.pem";
const char serverKeyPkcs8EncDerFile[] = "./certs/server-keyPkcs8Enc.der";
#ifndef NO_RSA
const char serverKeyPkcs8EncPemFile[] = "./certs/server-keyPkcs8Enc.pem";
const char serverKeyPkcs8EncDerFile[] = "./certs/server-keyPkcs8Enc.der";
#endif
#ifdef HAVE_ECC
const char eccPkcs8EncPrivKeyPemFile[] = "./certs/ecc-keyPkcs8Enc.pem";
const char eccPkcs8EncPrivKeyDerFile[] = "./certs/ecc-keyPkcs8Enc.der";
@@ -4466,13 +4472,14 @@ static void test_wolfSSL_PKCS8(void)
#ifdef TEST_PKCS8_ENC
wolfSSL_CTX_set_default_passwd_cb(ctx, PKCS8TestCallBack);
wolfSSL_CTX_set_default_passwd_cb_userdata(ctx, (void*)&flag);
flag = 1; /* used by password callback as return code */
#ifndef NO_RSA
/* test loading PEM PKCS8 encrypted file */
f = XFOPEN(serverKeyPkcs8EncPemFile, "rb");
AssertTrue((f != XBADFILE));
bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f);
XFCLOSE(f);
flag = 1; /* used by password callback as return code */
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
@@ -4502,6 +4509,7 @@ static void test_wolfSSL_PKCS8(void)
flag = 0; /* used by password callback as return code */
AssertIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
#endif /* !NO_RSA */
#ifdef HAVE_ECC
/* test loading PEM PKCS8 encrypted ECC Key file */
@@ -4542,10 +4550,11 @@ static void test_wolfSSL_PKCS8(void)
/* leave flag as "okay" */
flag = 1;
#endif
#endif /* HAVE_ECC */
#endif /* TEST_PKCS8_ENC */
#ifndef NO_RSA
/* test loading ASN.1 (DER) PKCS8 private key file (not encrypted) */
f = XFOPEN(serverKeyPkcs8DerFile, "rb");
AssertTrue((f != XBADFILE));
@@ -4561,14 +4570,13 @@ static void test_wolfSSL_PKCS8(void)
XFCLOSE(f);
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
#endif /* !NO_RSA */
/* Test PKCS8 PEM ECC key no crypt */
f = XFOPEN(eccPkcs8PrivKeyPemFile, "rb");
AssertTrue((f != XBADFILE));
bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f);
XFCLOSE(f);
#ifdef HAVE_ECC
/* Test PKCS8 PEM ECC key no crypt */
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
@@ -4583,12 +4591,7 @@ static void test_wolfSSL_PKCS8(void)
wc_ecc_free(&key);
}
AssertIntEQ(ret, 0);
#else
AssertIntEQ((bytes = wc_KeyPemToDer(buffer, bytes, der,
(word32)sizeof(der), NULL)), ASN_NO_PEM_HEADER);
#endif
#ifdef HAVE_ECC
/* Test PKCS8 DER ECC key no crypt */
f = XFOPEN(eccPkcs8PrivKeyDerFile, "rb");
AssertTrue((f != XBADFILE));
@@ -4598,7 +4601,10 @@ static void test_wolfSSL_PKCS8(void)
/* Test using a PKCS8 ECC PEM */
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
#endif
#else
AssertIntEQ((bytes = wc_KeyPemToDer(buffer, bytes, der,
(word32)sizeof(der), NULL)), ASN_NO_PEM_HEADER);
#endif /* HAVE_ECC */
wolfSSL_CTX_free(ctx);
@@ -18459,6 +18465,7 @@ static void test_wolfSSL_private_keys(void)
AssertIntEQ(SSL_CTX_use_PrivateKey_ASN1(0, ctx,
(unsigned char*)client_key_der_2048,
sizeof_client_key_der_2048), WOLFSSL_SUCCESS);
#ifndef NO_CHECK_PRIVATE_KEY
#ifndef HAVE_USER_RSA
/* Should mismatch now that a different private key loaded */
AssertIntNE(wolfSSL_CTX_check_private_key(ctx), WOLFSSL_SUCCESS);
@@ -18469,6 +18476,7 @@ static void test_wolfSSL_private_keys(void)
sizeof_server_key_der_2048), WOLFSSL_SUCCESS);
/* After loading back in DER format of original key, should match */
AssertIntEQ(wolfSSL_CTX_check_private_key(ctx), WOLFSSL_SUCCESS);
#endif /* !NO_CHECK_PRIVATE_KEY */
/* pkey not set yet, expecting to fail */
AssertIntEQ(SSL_use_PrivateKey(ssl, pkey), WOLFSSL_FAILURE);
+24 -6
View File
@@ -2312,7 +2312,7 @@ int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
#endif /* HAVE_USER_RSA */
#endif /* NO_RSA */
#ifdef HAVE_PKCS8
#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
/* Remove PKCS8 header, place inOutIdx at beginning of traditional,
* return traditional length on success, negative on error */
@@ -2383,6 +2383,10 @@ int ToTraditional(byte* input, word32 sz)
return ToTraditional_ex(input, sz, &oid);
}
#endif /* HAVE_PKCS8 || HAVE_PKCS12 */
#ifdef HAVE_PKCS8
/* find beginning of traditional key inside PKCS#8 unencrypted buffer
* return traditional length on success, with inOutIdx at beginning of
* traditional
@@ -2513,7 +2517,7 @@ int wc_CreatePKCS8Key(byte* out, word32* outSz, byte* key, word32 keySz,
#endif /* HAVE_PKCS8 */
#ifdef HAVE_PKCS12
#if defined(HAVE_PKCS12) || !defined(NO_CHECK_PRIVATE_KEY)
/* check that the private key is a pair for the public key in certificate
* return 1 (true) on match
* return 0 or negative value on failure/error
@@ -2716,11 +2720,11 @@ int wc_CheckPrivateKey(byte* key, word32 keySz, DecodedCert* der)
return ret;
}
#endif /* HAVE_PKCS12 */
#endif /* HAVE_PKCS12 || !NO_CHECK_PRIVATE_KEY */
#ifndef NO_PWDBASED
#ifdef HAVE_PKCS8
#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
/* Check To see if PKCS version algo is supported, set id if it is return 0
< 0 on error */
static int CheckAlgo(int first, int second, int* id, int* version, int* blockSz)
@@ -2780,7 +2784,6 @@ static int CheckAlgo(int first, int second, int* id, int* version, int* blockSz)
}
}
/* Check To see if PKCS v2 algo is supported, set id if it is return 0
< 0 on error */
static int CheckAlgoV2(int oid, int* id, int* blockSz)
@@ -2810,6 +2813,9 @@ static int CheckAlgoV2(int oid, int* id, int* blockSz)
}
}
#endif /* HAVE_PKCS8 || HAVE_PKCS12 */
#ifdef HAVE_PKCS8
int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz,
int* algoID, void* heap)
@@ -2894,6 +2900,10 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz,
return 1;
}
#endif /* HAVE_PKCS8 */
#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
#define PKCS8_MIN_BLOCK_SIZE 8
static int Pkcs8Pad(byte* buf, int sz, int blockSz)
{
@@ -2913,6 +2923,10 @@ static int Pkcs8Pad(byte* buf, int sz, int blockSz)
return sz + padSz;
}
#endif /* HAVE_PKCS8 || HAVE_PKCS12 */
#ifdef HAVE_PKCS8
/*
* Used when creating PKCS12 shrouded key bags
* vPKCS is the version of PKCS to use
@@ -3353,6 +3367,10 @@ int TraditionalEnc(byte* key, word32 keySz, byte* out, word32* outSz,
return ret;
}
#endif /* HAVE_PKCS8 */
#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
/* Remove Encrypted PKCS8 header, move beginning of traditional to beginning
of input */
int ToTraditionalEnc(byte* input, word32 sz,const char* password,
@@ -3496,7 +3514,7 @@ exit_tte:
return ret;
}
#endif /* HAVE_PKCS8 */
#endif /* HAVE_PKCS8 || HAVE_PKCS12 */
#ifdef HAVE_PKCS12
+2
View File
@@ -440,6 +440,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,
ret = wc_PBKDF1(key, (byte*)password, passwordSz,
salt, saltSz, iterations, derivedLen, typeH);
#endif
#ifdef HAVE_PKCS12
else if (version == PKCS12v1) {
int i, idx = 0;
byte unicodePasswd[MAX_UNICODE_SZ];
@@ -465,6 +466,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,
ret += wc_PKCS12_PBKDF(cbcIv, unicodePasswd, idx, salt, saltSz,
iterations, 8, typeH, 2);
}
#endif /* HAVE_PKCS12 */
else {
#ifdef WOLFSSL_SMALL_STACK
XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+4 -1
View File
@@ -15798,6 +15798,7 @@ int scrypt_test(void)
}
#endif
#ifdef HAVE_PKCS12
int pkcs12_test(void)
{
const byte passwd[] = { 0x00, 0x73, 0x00, 0x6d, 0x00, 0x65, 0x00, 0x67,
@@ -15849,7 +15850,7 @@ int pkcs12_test(void)
return 0;
}
#endif /* HAVE_PKCS12 */
int pbkdf2_test(void)
{
@@ -15914,9 +15915,11 @@ int pwdbased_test(void)
ret = pbkdf2_test();
if (ret != 0)
return ret;
#ifdef HAVE_PKCS12
ret = pkcs12_test();
if (ret != 0)
return ret;
#endif
#ifdef HAVE_SCRYPT
ret = scrypt_test();
if (ret != 0)