Fix issue with loading PEM certs. Address code review feedback.

Add tests.
This commit is contained in:
Kareem
2025-08-04 16:37:41 -07:00
parent a652b733e4
commit 3bcbbd2924
3 changed files with 175 additions and 21 deletions
+40 -19
View File
@@ -453,12 +453,12 @@ int wolfSSL_CertManagerUnloadCAs(WOLFSSL_CERT_MANAGER* cm)
return ret;
}
int wolfSSL_CertManagerUnloadIntermediateCertsEx(
int wolfSSL_CertManagerUnloadTypeCerts(
WOLFSSL_CERT_MANAGER* cm, byte type)
{
int ret = WOLFSSL_SUCCESS;
WOLFSSL_ENTER("wolfSSL_CertManagerUnloadIntermediateCertsEx");
WOLFSSL_ENTER("wolfSSL_CertManagerUnloadTypeCerts");
/* Validate parameter. */
if (cm == NULL) {
@@ -485,7 +485,7 @@ static int wolfSSL_CertManagerUnloadTempIntermediateCerts(
WOLFSSL_CERT_MANAGER* cm)
{
WOLFSSL_ENTER("wolfSSL_CertManagerUnloadTempIntermediateCerts");
return wolfSSL_CertManagerUnloadIntermediateCertsEx(cm, WOLFSSL_TEMP_CA);
return wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_TEMP_CA);
}
#endif
@@ -493,7 +493,7 @@ int wolfSSL_CertManagerUnloadIntermediateCerts(
WOLFSSL_CERT_MANAGER* cm)
{
WOLFSSL_ENTER("wolfSSL_CertManagerUnloadIntermediateCerts");
return wolfSSL_CertManagerUnloadIntermediateCertsEx(cm, WOLFSSL_CHAIN_CA);
return wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_CHAIN_CA);
}
#ifdef WOLFSSL_TRUST_PEER_CERT
@@ -530,7 +530,7 @@ int wolfSSL_CertManagerUnload_trust_peers(WOLFSSL_CERT_MANAGER* cm)
}
#endif /* WOLFSSL_TRUST_PEER_CERT */
/* Load certificate/s from buffer with flags.
/* Load certificate/s from buffer with flags and type.
*
* @param [in] cm Certificate manager.
* @param [in] buff Buffer holding encoding of certificate.
@@ -549,20 +549,21 @@ int wolfSSL_CertManagerUnload_trust_peers(WOLFSSL_CERT_MANAGER* cm)
in WOLFSSL_USER_CA = noop. Recommended to
set to WOLFSSL_USER_INTER when loading
intermediate certs to allow unloading via
wolfSSL_CertManagerUnloadIntermediateCertsEx.
wolfSSL_CertManagerUnloadTypeCerts.
* @return WOLFSSL_SUCCESS on success.
* @return WOLFSSL_FATAL_ERROR when cm is NULL or failed create WOLFSSL_CTX.
* @return Other values on loading failure.
*/
int wolfSSL_CertManagerLoadCABuffer_ex2(WOLFSSL_CERT_MANAGER* cm,
int wolfSSL_CertManagerLoadCABufferType(WOLFSSL_CERT_MANAGER* cm,
const unsigned char* buff, long sz, int format, int userChain,
word32 flags, int type)
{
int ret = WOLFSSL_SUCCESS;
WOLFSSL_CTX* tmp = NULL;
DecodedCert* dCert = NULL;
DerBuffer* der = NULL;
WOLFSSL_ENTER("wolfSSL_CertManagerLoadCABuffer_ex2");
WOLFSSL_ENTER("wolfSSL_CertManagerLoadCABufferType");
/* Validate parameters. */
if (cm == NULL) {
@@ -592,25 +593,45 @@ int wolfSSL_CertManagerLoadCABuffer_ex2(WOLFSSL_CERT_MANAGER* cm,
tmp->cm = NULL;
}
if (ret == WOLFSSL_SUCCESS && type != WOLFSSL_USER_CA) {
dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), cm->heap,
DYNAMIC_TYPE_DCERT);
if (dCert == NULL) {
ret = WOLFSSL_FATAL_ERROR;
} else {
XMEMSET(dCert, 0, sizeof(DecodedCert));
wc_InitDecodedCert(dCert, buff,
(word32)sz, cm->heap);
ret = wc_ParseCert(dCert, CA_TYPE, NO_VERIFY, NULL);
if (ret) {
ret = WOLFSSL_FATAL_ERROR;
} else {
ret = SetCAType(cm, dCert->extSubjKeyId, type);
if (format == WOLFSSL_FILETYPE_PEM) {
ret = PemToDer(buff, sz, CERT_TYPE, &der, cm->heap, NULL, NULL);
if (!ret) {
/* Replace buffer pointer and size with DER buffer. */
buff = der->buffer;
sz = (long)der->length;
ret = WOLFSSL_SUCCESS;
} else {
WOLFSSL_ERROR(ret);
if (der != NULL) {
FreeDer(&der);
}
ret = WOLFSSL_FATAL_ERROR;
}
}
if (ret == WOLFSSL_SUCCESS) {
XMEMSET(dCert, 0, sizeof(DecodedCert));
wc_InitDecodedCert(dCert, buff,
(word32)sz, cm->heap);
ret = wc_ParseCert(dCert, CERT_TYPE, NO_VERIFY, NULL);
if (ret) {
ret = WOLFSSL_FATAL_ERROR;
} else {
ret = SetCAType(cm, dCert->extSubjKeyId, type);
}
}
if (dCert) {
wc_FreeDecodedCert(dCert);
XFREE(dCert, NULL, DYNAMIC_TYPE_DCERT);
XFREE(dCert, cm->heap, DYNAMIC_TYPE_DCERT);
}
}
}
@@ -642,7 +663,7 @@ int wolfSSL_CertManagerLoadCABuffer_ex2(WOLFSSL_CERT_MANAGER* cm,
int wolfSSL_CertManagerLoadCABuffer_ex(WOLFSSL_CERT_MANAGER* cm,
const unsigned char* buff, long sz, int format, int userChain, word32 flags)
{
return wolfSSL_CertManagerLoadCABuffer_ex2(cm, buff, sz, format, userChain,
return wolfSSL_CertManagerLoadCABufferType(cm, buff, sz, format, userChain,
flags, WOLFSSL_USER_CA);
}
+133
View File
@@ -3143,6 +3143,138 @@ static int test_wolfSSL_CertManagerLoadCABuffer_ex(void)
return EXPECT_RESULT();
}
static int test_wolfSSL_CertManagerLoadCABufferType(void)
{
EXPECT_DECLS;
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS)
const char* ca_cert = "./certs/ca-cert.pem";
const char* int1_cert = "./certs/intermediate/ca-int-cert.pem";
const char* int2_cert = "./certs/intermediate/ca-int2-cert.pem";
const char* client_cert = "./certs/intermediate/client-int-cert.pem";
byte* ca_cert_buf = NULL;
byte* int1_cert_buf = NULL;
byte* int2_cert_buf = NULL;
byte* client_cert_buf = NULL;
size_t ca_cert_sz = 0;
size_t int1_cert_sz = 0;
size_t int2_cert_sz = 0;
size_t client_cert_sz = 0;
WOLFSSL_CERT_MANAGER* cm;
ExpectNotNull(cm = wolfSSL_CertManagerNew());
ExpectIntEQ(load_file(ca_cert, &ca_cert_buf, &ca_cert_sz), 0);
ExpectIntEQ(load_file(int1_cert, &int1_cert_buf, &int1_cert_sz), 0);
ExpectIntEQ(load_file(int2_cert, &int2_cert_buf, &int2_cert_sz), 0);
ExpectIntEQ(load_file(client_cert, &client_cert_buf, &client_cert_sz), 0);
ExpectIntNE(wolfSSL_CertManagerLoadCABufferType(cm, ca_cert_buf,
(sword32)ca_cert_sz, WOLFSSL_FILETYPE_PEM, 0,
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, 0), WOLFSSL_SUCCESS);
ExpectIntNE(wolfSSL_CertManagerLoadCABufferType(cm, ca_cert_buf,
(sword32)ca_cert_sz, WOLFSSL_FILETYPE_PEM, 0,
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, 5), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, ca_cert_buf,
(sword32)ca_cert_sz, WOLFSSL_FILETYPE_PEM, 0,
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_CA),
WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
int1_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int1_cert_buf,
(sword32)int1_cert_sz, WOLFSSL_FILETYPE_PEM, 0,
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER),
WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
int2_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int2_cert_buf,
(sword32)int2_cert_sz, WOLFSSL_FILETYPE_PEM, 0,
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER),
WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
client_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, client_cert_buf,
(sword32)client_cert_sz, WOLFSSL_FILETYPE_PEM, 0,
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER),
WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_USER_INTER),
WOLFSSL_SUCCESS);
/* Intermediate certs have been unloaded, but CA cert is still
loaded. Expect first level intermediate to verify, rest to fail. */
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
int1_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
int2_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
client_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int1_cert_buf,
(sword32)int1_cert_sz, WOLFSSL_FILETYPE_PEM, 0,
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_TEMP_CA),
WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
int2_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int2_cert_buf,
(sword32)int2_cert_sz, WOLFSSL_FILETYPE_PEM, 0,
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_CHAIN_CA),
WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
client_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, client_cert_buf,
(sword32)client_cert_sz, WOLFSSL_FILETYPE_PEM, 0,
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER),
WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_USER_INTER),
WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
int1_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
int2_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
client_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_CHAIN_CA),
WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
int1_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
int2_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
client_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_TEMP_CA),
WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
int1_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
int2_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
client_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_USER_CA),
WOLFSSL_SUCCESS);
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
int1_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
int2_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
client_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
wolfSSL_CertManagerFree(cm);
if (ca_cert_buf)
free(ca_cert_buf);
if (int1_cert_buf)
free(int1_cert_buf);
if (int2_cert_buf)
free(int2_cert_buf);
if (client_cert_buf)
free(client_cert_buf);
#endif
return EXPECT_RESULT();
}
static int test_wolfSSL_CertManagerGetCerts(void)
{
@@ -52866,6 +52998,7 @@ TEST_CASE testCases[] = {
TEST_DECL(test_wolfSSL_CertManagerAPI),
TEST_DECL(test_wolfSSL_CertManagerLoadCABuffer),
TEST_DECL(test_wolfSSL_CertManagerLoadCABuffer_ex),
TEST_DECL(test_wolfSSL_CertManagerLoadCABufferType),
TEST_DECL(test_wolfSSL_CertManagerGetCerts),
TEST_DECL(test_wolfSSL_CertManagerSetVerify),
TEST_DECL(test_wolfSSL_CertManagerNameConstraint),
+2 -2
View File
@@ -4203,7 +4203,7 @@ WOLFSSL_API void wolfSSL_CTX_SetPerformTlsRecordProcessingCb(WOLFSSL_CTX* ctx,
WOLFSSL_API int wolfSSL_CertManagerLoadCA(WOLFSSL_CERT_MANAGER* cm,
const char* f, const char* d);
WOLFSSL_API int wolfSSL_CertManagerLoadCABuffer_ex2(WOLFSSL_CERT_MANAGER* cm,
WOLFSSL_API int wolfSSL_CertManagerLoadCABufferType(WOLFSSL_CERT_MANAGER* cm,
const unsigned char* buff, long sz, int format, int userChain,
word32 flags, int type);
WOLFSSL_API int wolfSSL_CertManagerLoadCABuffer_ex(WOLFSSL_CERT_MANAGER* cm,
@@ -4213,7 +4213,7 @@ WOLFSSL_API void wolfSSL_CTX_SetPerformTlsRecordProcessingCb(WOLFSSL_CTX* ctx,
const unsigned char* buff, long sz, int format);
WOLFSSL_API int wolfSSL_CertManagerUnloadCAs(WOLFSSL_CERT_MANAGER* cm);
WOLFSSL_API int wolfSSL_CertManagerUnloadIntermediateCertsEx(
WOLFSSL_API int wolfSSL_CertManagerUnloadTypeCerts(
WOLFSSL_CERT_MANAGER* cm, byte type);
WOLFSSL_API int wolfSSL_CertManagerUnloadIntermediateCerts(
WOLFSSL_CERT_MANAGER* cm);