From 36db5ef9290510b8860e71afd078503841e0f41e Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Mon, 23 May 2022 09:17:42 -0700 Subject: [PATCH] add test case for UUID and FASC-N --- certs/fpki-cert.der | Bin 0 -> 1327 bytes certs/include.am | 3 ++- certs/renewcerts.sh | 15 +++++++++++++ certs/renewcerts/wolfssl.cnf | 36 ++++++++++++++++++++++++++++++ configure.ac | 3 +++ tests/api.c | 42 ++++++++++++++++++++++++++++++++++- 6 files changed, 97 insertions(+), 2 deletions(-) create mode 100644 certs/fpki-cert.der diff --git a/certs/fpki-cert.der b/certs/fpki-cert.der new file mode 100644 index 0000000000000000000000000000000000000000..9d35ad9d5132816e2d173fa025bfae698476ff4c GIT binary patch literal 1327 zcmXqLV%0WiVi8`z%*4pV#K>sC%f_kI=F#?@mywa1mBFBKiXpcFCmVAp3!5-gXt1Gx z0UwCN!NcyGpI4HYmk1MK=V5osuS(5L%rg`;;0LMU;^7EREHBB=FUc?zHV^~}ar1CF z=jRod=9FaSr5j2Zh=Bx|dHBoA%k|3hbJB{7bM%t)a}DJUWZ}->WE2y~%uCC6KvG~J zC(dhRWMFD!Y-nm?WMUpA&TC|9U}R_pk`xx>XaDyDk&BNjr z;O$9?dz%=QkVBS{m4Ug5k)Oe!iIIz`iII`vz*LTh;f|jQbGKh|byR0eJ?6UZ(;gLr z9aGQg`(67c)3K*!{_hp(_5Wh#1eSj9I>r9nRKNe>-s%JTHLFuri2peiTfOUn;?p9% ze7&|CQ;Tn{kq+J&Z+~5qSJnSva&lldcZ&U5=N(IBVoWx#V_1-U^jkf5WJX2tvL1<* zOu6e1OET*15O{p-jKh}9#csx#?RiIbi!b~9;_lkwJ=OY(TmPm7^6U-S{4h6OW{-05 zMNZ~UkxK$QQx0ogSUAmV&%-NH(Z?4YIG9|)?_zFXG_Ao%dFsOQUBZ{97e9(sJ(eAVkC51%DAAH6i~{>=;iYp*jgGcqtPZer{m3hWG=$Q#KsO1WnyN5ON$yLg0u;;L>WXZP-o*vX!Br9WoBbrAk89q z(L&&c#(Eur7E{rM84()mnFQJvwLG^x{JKrIv?$N2v@|otD$T+$#Uw2;Ro6TvHCflt zFvUPO(cH{b*T5jrAlcF|)hsE^%)k+3g#wF}frSAN8yCb1CPrpn6rKhOPZNcwYak6W zf|EtWK*&G<=6FsPLl#ixg@mgLC|nyD84TpvI3ZTBaWS$88Gw>MOn{S-k?}urg5?G$ zSVo4Zh1J2P1py&)t zO;`N%%P&0tJo#a=gIz@?PC);9l#7lGZ*|e1xj&MgSU)mK^u1@1x!WaV)1vTGO)@st zEoQFrGZbS|H0(w8yyCIiCQxb_p7UhC^@sHr!?N$a_+b+?Q7>Iw;f|4n#-GL7p_*Go zwj5b#HN#an;-84Ao4ueVs1( z=KPYX^9#fy8BW%Q=FV^bu>a`)e`ntuoxXd;y57Xx>n*v@4sAOsdU-R$J=Z+;cg99{ QPGyL{SXrVKw9=Rh02O?rnE(I) literal 0 HcmV?d00001 diff --git a/certs/include.am b/certs/include.am index 78b432ef2..3ab8337a5 100644 --- a/certs/include.am 
+++ b/certs/include.am
@@ -63,7 +63,8 @@ EXTRA_DIST += \
 	certs/csr.ext.der \
 	certs/entity-no-ca-bool-cert.pem \
 	certs/entity-no-ca-bool-key.pem \
-	certs/x942dh2048.pem
+	certs/x942dh2048.pem \
+	certs/fpki-cert.der
 
 EXTRA_DIST += \
 	certs/ca-key.der \
diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh
index ebef14a7f..208fc1a58 100755
--- a/certs/renewcerts.sh
+++ b/certs/renewcerts.sh
@@ -27,6 +27,7 @@
 # client-relative-uri.pem
 # client-crl-dist.pem
 # entity-no-ca-bool-cert.pem
+# fpki-cert.der
 # updates the following crls:
 # crl/cliCrl.pem
 # crl/crl.pem
@@ -344,6 +345,20 @@ run_renewcerts(){
     echo "End of section"
     echo "---------------------------------------------------------------------"
     ###########################################################
+    ########## update and sign fpki-cert.der ################
+    ###########################################################
+    echo "Updating fpki-cert.der"
+    echo ""
+    #pipe the following arguments to openssl req...
+    echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nFPKI\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > fpki-req.pem
+    check_result $? "Step 1"
+
+    openssl x509 -req -in fpki-req.pem -extfile wolfssl.cnf -extensions fpki_ext -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out fpki-cert.der -outform DER
+    check_result $? "Step 2"
+    rm fpki-req.pem
+    echo "End of section"
+    echo "---------------------------------------------------------------------"
+    ###########################################################
     ########## update and sign server-cert.pem ################
     ###########################################################
     echo "Updating server-cert.pem"
diff --git a/certs/renewcerts/wolfssl.cnf b/certs/renewcerts/wolfssl.cnf
index faea03f5d..9f082b47e 100644
--- a/certs/renewcerts/wolfssl.cnf
+++ b/certs/renewcerts/wolfssl.cnf
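Review bot: The new `openssl x509 -req` step in the fpki-cert.der section hard-codes `-set_serial 01` while signing with ca-cert.pem/ca-key.pem, so the fixture will share issuer+serial with any other certificate this script issues from the same CA under serial 1 (the sibling signing steps are outside this hunk, so I cannot confirm whether they do). RFC 5280 requires the issuer/serial pair to be unique, and a duplicate makes the new cert indistinguishable from a sibling in CRL and revocation tests that key on serial number. Give it a distinct value, e.g. `-set_serial 0x10`, and consider stating the digest explicitly (`-sha256`) so the fixture does not depend on the local OpenSSL default. A one-line comment above the section naming what the cert is for (`# PIV/FPKI-style cert carrying FASC-N and UUID otherName SANs; consumed by test_wolfSSL_FPKI`) would also tie the fixture to its test.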
@@ -335,3 +335,39 @@ clock_precision_digits = 0 # (optional)
 ordering = yes # timestamps?
 tsa_name = yes # include?
 ess_cert_id_chain = no # include chain?
+
+
+[fpki_ext]
+basicConstraints = CA:FALSE,pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, clientAuth, 1.3.6.1.4.1.311.20.2.2, 1.3.6.1.5.2.3.4, 1.3.6.1.5.5.7.3.21
+subjectAltName = @FASC_UUID_altname
+certificatePolicies = 2.16.840.1.101.3.2.1.3.13, 2.16.840.1.101.3.2.1.3.40, 2.16.840.1.101.3.2.1.3.41, 2.16.840.1.101.3.2.1.3.45
+subjectDirectoryAttributes = ASN1:SEQUENCE:SubjDirAttr
+policyConstraints = requireExplicitPolicy:0
+2.16.840.1.101.3.6.10.1 = ASN1:SEQUENCE:PIVCertExt
+
+# using example UUID from RFC4122
+[FASC_UUID_altname]
+otherName = 2.16.840.1.101.3.6.6;FORMAT:HEX,OCT:D1:38:10:D8:28:AF:2C:10:84:35:15:A1:68:58:28:AF:02:10:86:A2:84:E7:39:C3:EB
+URI = urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6
+
+[SubjDirAttr]
+attribute = SEQUENCE:SDA_attr
+
+[SDA_attr]
+type = OID:1.3.6.1.5.5.7.9.4
+values = SET:SDA_coc
+
+[SDA_coc]
+value = PRINTABLESTRING:US
+
+[PIVCertExt]
+attribute = SEQUENCE:PCE_attr
+
+[PCE_attr]
+type = OID:2.16.840.1.101.3.6.9.1
+value = BOOLEAN:true
+
diff --git a/configure.ac b/configure.ac
index 0235f4592..5d2f3c670 100644
--- a/configure.ac
+++ b/configure.ac
@@ -712,6 +712,9 @@ then
 
     # Store issuer name components when parsing certificates.
     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_ISSUER_NAMES"
+
+    # Certificate extensions and alt. names for FPKI use
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SUBJ_DIR_ATTR -DWOLFSSL_FPKI -DWOLFSSL_SUBJ_INFO_ACC"
 fi
 
 
diff --git a/tests/api.c b/tests/api.c
index d9d1a5cae..a83e2f1b5 100644
--- a/tests/api.c
+++ b/tests/api.c
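Review bot: `basicConstraints = CA:FALSE,pathlen:0` in `[fpki_ext]` puts a pathLenConstraint into an end-entity certificate, which RFC 5280 §4.2.1.9 forbids unless the cA boolean is asserted, and `policyConstraints = requireExplicitPolicy:0` is an extension defined for certificates issued to CAs (§4.2.1.11); OpenSSL will encode both as written, so the fixture is a malformed profile and a strict validator (possibly wolfSSL's own under WOLFSSL_ASN_STRICT) may reject it for reasons unrelated to the FASC-N/UUID code under test. Unless the goal is to test tolerance of those extensions — in which case say so in a comment — change to `basicConstraints = CA:FALSE` and drop the policyConstraints line. A comment above `[fpki_ext]` such as `# PIV-style end-entity profile: FASC-N (2.16.840.1.101.3.6.6) and urn:uuid otherName SANs, PIV EKU/policy OIDs; consumed by test_wolfSSL_FPKI` would tell maintainers which fields the test actually depends on.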
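Review bot: Defining WOLFSSL_FPKI here piggybacks on whatever condition guards this `then` block (the `if` is outside the hunk), yet the tests/api.c change in the same commit shows WOLFSSL_FPKI also disables the strict rejection of a bad URI SAN in test_wolfSSL_URI — so every build that takes this branch loses a parser strictness check it had before, with a comment that only mentions "extensions and alt. names". A behaviour-relaxing define should be opt-in under its own `--enable-fpki` switch rather than bundled with unrelated flags, and the relaxation should be documented where it is enabled. At minimum expand the comment: `# FPKI: FASC-N/UUID SAN parsing, subject directory attributes; NOTE also relaxes strict URI SAN checking (see test_wolfSSL_URI)`.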
@@ -2260,6 +2260,44 @@ static void test_wolfSSL_CertManagerNameConstraint5(void)
 #endif
 }
 
+static void test_wolfSSL_FPKI(void)
+{
+#if defined(WOLFSSL_FPKI)
+    XFILE f;
+    const char* fpkiCert = "./certs/fpki-cert.der";
+    DecodedCert cert;
+    byte buf[4096];
+    byte* uuid;
+    byte* fascn;
+    word32 fascnSz;
+    word32 uuidSz;
+    int bytes;
+
+    printf(testingFmt, "test_wolfSSL_FPKI");
+    f = XFOPEN(fpkiCert, "rb");
+    AssertTrue((f != XBADFILE));
+    bytes = (int)XFREAD(buf, 1, sizeof(buf), f);
+    XFCLOSE(f);
+printf("size of file = %d\n", bytes);
+
+    wc_InitDecodedCert(&cert, buf, bytes, NULL);
+    AssertIntEQ(wc_ParseCert(&cert, CERT_TYPE, 0, NULL), 0);
+    AssertIntEQ(wc_GetFASCNFromCert(&cert, NULL, &fascnSz), LENGTH_ONLY_E) ;
+    fascn = (byte*)XMALLOC(fascnSz, DYNAMIC_TYPE_TMP_BUFFER, NULL);
+    AssertNotNull(fascn);
+    AssertIntEQ(wc_GetFASCNFromCert(&cert, fascn, &fascnSz), 0);
+    XFREE(fascn, DYNAMIC_TYPE_TMP_BUFFER, NULL);
+
+    AssertIntEQ(wc_GetUUIDFromCert(&cert, NULL, &uuidSz), LENGTH_ONLY_E);
+    uuid = (byte*)XMALLOC(uuidSz, DYNAMIC_TYPE_TMP_BUFFER, NULL);
+    AssertNotNull(uuid);
+    AssertIntEQ(wc_GetUUIDFromCert(&cert, uuid, &uuidSz), 0);
+    XFREE(uuid, DYNAMIC_TYPE_TMP_BUFFER, NULL);
+
+    printf(resultFmt, passed);
+#endif
+}
+
 static void test_wolfSSL_CertManagerCRL(void)
 {
 #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && defined(HAVE_CRL) && \
@@ -8982,7 +9020,8 @@ static void test_wolfSSL_URI(void)
     wolfSSL_FreeX509(x509);
 
     x509 = wolfSSL_X509_load_certificate_file(badUri, WOLFSSL_FILETYPE_PEM);
-#if !defined(IGNORE_NAME_CONSTRAINTS) && !defined(WOLFSSL_NO_ASN_STRICT)
+#if !defined(IGNORE_NAME_CONSTRAINTS) && !defined(WOLFSSL_NO_ASN_STRICT) \
+    && !defined(WOLFSSL_FPKI)
     AssertNull(x509);
 #else
     AssertNotNull(x509);
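Review bot: test_wolfSSL_FPKI never calls `wc_FreeDecodedCert(&cert)` after wc_ParseCert succeeds, leaking whatever the parser allocated for the extensions, and the stray `printf("size of file = %d\n", bytes);` (apparently left at column 0) is debug output that should not ship. The read result is also unchecked — an empty or truncated fpki-cert.der (buf is only 4096 bytes) is only caught later inside wc_ParseCert with a misleading error — so assert `bytes > 0` right after XFCLOSE. More importantly the test only proves both getters succeed for the length they report; it never compares the bytes to the FASC-N defined in certs/renewcerts/wolfssl.cnf, so an extractor returning the wrong slice of the otherName would still pass. The rewrite below pins the FASC-N to the 25 bytes from the cnf (assuming wc_GetFASCNFromCert returns the OCTET STRING contents — confirm) and frees the cert; the UUID should be pinned the same way once its returned encoding is confirmed, and a negative case on a cert without these SANs would complete the coverage.
```c
static void test_wolfSSL_FPKI(void)
{
#if defined(WOLFSSL_FPKI)
    /* FASC-N value from certs/renewcerts/wolfssl.cnf [FASC_UUID_altname] */
    static const byte expFascn[] = {
        0xD1, 0x38, 0x10, 0xD8, 0x28, 0xAF, 0x2C, 0x10, 0x84, 0x35, 0x15, 0xA1,
        0x68, 0x58, 0x28, 0xAF, 0x02, 0x10, 0x86, 0xA2, 0x84, 0xE7, 0x39, 0xC3,
        0xEB
    };
    /* … unchanged: remaining locals … */

    printf(testingFmt, "test_wolfSSL_FPKI");
    f = XFOPEN(fpkiCert, "rb");
    AssertTrue((f != XBADFILE));
    bytes = (int)XFREAD(buf, 1, sizeof(buf), f);
    XFCLOSE(f);
    AssertIntGT(bytes, 0); /* empty or truncated fixture must fail here, not in wc_ParseCert */

    wc_InitDecodedCert(&cert, buf, bytes, NULL);
    AssertIntEQ(wc_ParseCert(&cert, CERT_TYPE, 0, NULL), 0);
    AssertIntEQ(wc_GetFASCNFromCert(&cert, NULL, &fascnSz), LENGTH_ONLY_E);
    AssertIntEQ(fascnSz, (word32)sizeof(expFascn));
    fascn = (byte*)XMALLOC(fascnSz, DYNAMIC_TYPE_TMP_BUFFER, NULL);
    AssertNotNull(fascn);
    AssertIntEQ(wc_GetFASCNFromCert(&cert, fascn, &fascnSz), 0);
    AssertIntEQ(XMEMCMP(fascn, expFascn, sizeof(expFascn)), 0);
    XFREE(fascn, DYNAMIC_TYPE_TMP_BUFFER, NULL);

    /* … unchanged: UUID length query, extraction and free … */

    wc_FreeDecodedCert(&cert);
    printf(resultFmt, passed);
#endif
}
```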
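Review bot: The added `&& !defined(WOLFSSL_FPKI)` arm flips the expectation for badUri from rejected to accepted without saying why, so a reader cannot tell whether the relaxation is intended or a regression hidden by the test; the enclosing test_wolfSSL_URI starts and ends outside this hunk. Add a comment on the `#if` giving the reason — presumably that FPKI certificates carry `urn:uuid:` URI SANs with no host component, so the strict-URI rejection cannot be applied wholesale under WOLFSSL_FPKI — e.g. `/* WOLFSSL_FPKI must accept URI SANs without a host part (urn:uuid:...), so strict URI rejection is disabled and badUri loads */`. If that is the mechanism, the safer fix is for the parser to accept only the urn form and keep rejecting badUri, so this test would not need a third build variant at all.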
@@ -54100,6 +54139,7 @@ void ApiTest(void)
     test_wolfSSL_CertManagerNameConstraint3();
     test_wolfSSL_CertManagerNameConstraint4();
     test_wolfSSL_CertManagerNameConstraint5();
+    test_wolfSSL_FPKI();
     test_wolfSSL_CertManagerCRL();
     test_wolfSSL_CTX_load_verify_locations_ex();
     test_wolfSSL_CTX_load_verify_buffer_ex();