mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-11 12:00:51 +02:00
Fix issue with loading PEM certs. Address code review feedback.
Add tests.
This commit is contained in:
+40
-19
@@ -453,12 +453,12 @@ int wolfSSL_CertManagerUnloadCAs(WOLFSSL_CERT_MANAGER* cm)
|
||||
return ret;
|
||||
}
|
||||
|
||||
int wolfSSL_CertManagerUnloadIntermediateCertsEx(
|
||||
int wolfSSL_CertManagerUnloadTypeCerts(
|
||||
WOLFSSL_CERT_MANAGER* cm, byte type)
|
||||
{
|
||||
int ret = WOLFSSL_SUCCESS;
|
||||
|
||||
WOLFSSL_ENTER("wolfSSL_CertManagerUnloadIntermediateCertsEx");
|
||||
WOLFSSL_ENTER("wolfSSL_CertManagerUnloadTypeCerts");
|
||||
|
||||
/* Validate parameter. */
|
||||
if (cm == NULL) {
|
||||
@@ -485,7 +485,7 @@ static int wolfSSL_CertManagerUnloadTempIntermediateCerts(
|
||||
WOLFSSL_CERT_MANAGER* cm)
|
||||
{
|
||||
WOLFSSL_ENTER("wolfSSL_CertManagerUnloadTempIntermediateCerts");
|
||||
return wolfSSL_CertManagerUnloadIntermediateCertsEx(cm, WOLFSSL_TEMP_CA);
|
||||
return wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_TEMP_CA);
|
||||
}
|
||||
#endif
|
||||
|
||||
@@ -493,7 +493,7 @@ int wolfSSL_CertManagerUnloadIntermediateCerts(
|
||||
WOLFSSL_CERT_MANAGER* cm)
|
||||
{
|
||||
WOLFSSL_ENTER("wolfSSL_CertManagerUnloadIntermediateCerts");
|
||||
return wolfSSL_CertManagerUnloadIntermediateCertsEx(cm, WOLFSSL_CHAIN_CA);
|
||||
return wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_CHAIN_CA);
|
||||
}
|
||||
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
@@ -530,7 +530,7 @@ int wolfSSL_CertManagerUnload_trust_peers(WOLFSSL_CERT_MANAGER* cm)
|
||||
}
|
||||
#endif /* WOLFSSL_TRUST_PEER_CERT */
|
||||
|
||||
/* Load certificate/s from buffer with flags.
|
||||
/* Load certificate/s from buffer with flags and type.
|
||||
*
|
||||
* @param [in] cm Certificate manager.
|
||||
* @param [in] buff Buffer holding encoding of certificate.
|
||||
@@ -549,20 +549,21 @@ int wolfSSL_CertManagerUnload_trust_peers(WOLFSSL_CERT_MANAGER* cm)
|
||||
in WOLFSSL_USER_CA = noop. Recommended to
|
||||
set to WOLFSSL_USER_INTER when loading
|
||||
intermediate certs to allow unloading via
|
||||
wolfSSL_CertManagerUnloadIntermediateCertsEx.
|
||||
wolfSSL_CertManagerUnloadTypeCerts.
|
||||
* @return WOLFSSL_SUCCESS on success.
|
||||
* @return WOLFSSL_FATAL_ERROR when cm is NULL or failed create WOLFSSL_CTX.
|
||||
* @return Other values on loading failure.
|
||||
*/
|
||||
int wolfSSL_CertManagerLoadCABuffer_ex2(WOLFSSL_CERT_MANAGER* cm,
|
||||
int wolfSSL_CertManagerLoadCABufferType(WOLFSSL_CERT_MANAGER* cm,
|
||||
const unsigned char* buff, long sz, int format, int userChain,
|
||||
word32 flags, int type)
|
||||
{
|
||||
int ret = WOLFSSL_SUCCESS;
|
||||
WOLFSSL_CTX* tmp = NULL;
|
||||
DecodedCert* dCert = NULL;
|
||||
DerBuffer* der = NULL;
|
||||
|
||||
WOLFSSL_ENTER("wolfSSL_CertManagerLoadCABuffer_ex2");
|
||||
WOLFSSL_ENTER("wolfSSL_CertManagerLoadCABufferType");
|
||||
|
||||
/* Validate parameters. */
|
||||
if (cm == NULL) {
|
||||
@@ -592,25 +593,45 @@ int wolfSSL_CertManagerLoadCABuffer_ex2(WOLFSSL_CERT_MANAGER* cm,
|
||||
tmp->cm = NULL;
|
||||
}
|
||||
if (ret == WOLFSSL_SUCCESS && type != WOLFSSL_USER_CA) {
|
||||
dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
|
||||
dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), cm->heap,
|
||||
DYNAMIC_TYPE_DCERT);
|
||||
|
||||
if (dCert == NULL) {
|
||||
ret = WOLFSSL_FATAL_ERROR;
|
||||
} else {
|
||||
XMEMSET(dCert, 0, sizeof(DecodedCert));
|
||||
wc_InitDecodedCert(dCert, buff,
|
||||
(word32)sz, cm->heap);
|
||||
ret = wc_ParseCert(dCert, CA_TYPE, NO_VERIFY, NULL);
|
||||
if (ret) {
|
||||
ret = WOLFSSL_FATAL_ERROR;
|
||||
} else {
|
||||
ret = SetCAType(cm, dCert->extSubjKeyId, type);
|
||||
if (format == WOLFSSL_FILETYPE_PEM) {
|
||||
ret = PemToDer(buff, sz, CERT_TYPE, &der, cm->heap, NULL, NULL);
|
||||
if (!ret) {
|
||||
/* Replace buffer pointer and size with DER buffer. */
|
||||
buff = der->buffer;
|
||||
sz = (long)der->length;
|
||||
ret = WOLFSSL_SUCCESS;
|
||||
} else {
|
||||
WOLFSSL_ERROR(ret);
|
||||
|
||||
if (der != NULL) {
|
||||
FreeDer(&der);
|
||||
}
|
||||
|
||||
ret = WOLFSSL_FATAL_ERROR;
|
||||
}
|
||||
}
|
||||
|
||||
if (ret == WOLFSSL_SUCCESS) {
|
||||
XMEMSET(dCert, 0, sizeof(DecodedCert));
|
||||
wc_InitDecodedCert(dCert, buff,
|
||||
(word32)sz, cm->heap);
|
||||
ret = wc_ParseCert(dCert, CERT_TYPE, NO_VERIFY, NULL);
|
||||
if (ret) {
|
||||
ret = WOLFSSL_FATAL_ERROR;
|
||||
} else {
|
||||
ret = SetCAType(cm, dCert->extSubjKeyId, type);
|
||||
}
|
||||
}
|
||||
|
||||
if (dCert) {
|
||||
wc_FreeDecodedCert(dCert);
|
||||
XFREE(dCert, NULL, DYNAMIC_TYPE_DCERT);
|
||||
XFREE(dCert, cm->heap, DYNAMIC_TYPE_DCERT);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -642,7 +663,7 @@ int wolfSSL_CertManagerLoadCABuffer_ex2(WOLFSSL_CERT_MANAGER* cm,
|
||||
int wolfSSL_CertManagerLoadCABuffer_ex(WOLFSSL_CERT_MANAGER* cm,
|
||||
const unsigned char* buff, long sz, int format, int userChain, word32 flags)
|
||||
{
|
||||
return wolfSSL_CertManagerLoadCABuffer_ex2(cm, buff, sz, format, userChain,
|
||||
return wolfSSL_CertManagerLoadCABufferType(cm, buff, sz, format, userChain,
|
||||
flags, WOLFSSL_USER_CA);
|
||||
}
|
||||
|
||||
|
||||
+133
@@ -3143,6 +3143,138 @@ static int test_wolfSSL_CertManagerLoadCABuffer_ex(void)
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
|
||||
static int test_wolfSSL_CertManagerLoadCABufferType(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS)
|
||||
const char* ca_cert = "./certs/ca-cert.pem";
|
||||
const char* int1_cert = "./certs/intermediate/ca-int-cert.pem";
|
||||
const char* int2_cert = "./certs/intermediate/ca-int2-cert.pem";
|
||||
const char* client_cert = "./certs/intermediate/client-int-cert.pem";
|
||||
byte* ca_cert_buf = NULL;
|
||||
byte* int1_cert_buf = NULL;
|
||||
byte* int2_cert_buf = NULL;
|
||||
byte* client_cert_buf = NULL;
|
||||
size_t ca_cert_sz = 0;
|
||||
size_t int1_cert_sz = 0;
|
||||
size_t int2_cert_sz = 0;
|
||||
size_t client_cert_sz = 0;
|
||||
WOLFSSL_CERT_MANAGER* cm;
|
||||
|
||||
ExpectNotNull(cm = wolfSSL_CertManagerNew());
|
||||
ExpectIntEQ(load_file(ca_cert, &ca_cert_buf, &ca_cert_sz), 0);
|
||||
ExpectIntEQ(load_file(int1_cert, &int1_cert_buf, &int1_cert_sz), 0);
|
||||
ExpectIntEQ(load_file(int2_cert, &int2_cert_buf, &int2_cert_sz), 0);
|
||||
ExpectIntEQ(load_file(client_cert, &client_cert_buf, &client_cert_sz), 0);
|
||||
|
||||
ExpectIntNE(wolfSSL_CertManagerLoadCABufferType(cm, ca_cert_buf,
|
||||
(sword32)ca_cert_sz, WOLFSSL_FILETYPE_PEM, 0,
|
||||
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, 0), WOLFSSL_SUCCESS);
|
||||
ExpectIntNE(wolfSSL_CertManagerLoadCABufferType(cm, ca_cert_buf,
|
||||
(sword32)ca_cert_sz, WOLFSSL_FILETYPE_PEM, 0,
|
||||
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, 5), WOLFSSL_SUCCESS);
|
||||
|
||||
ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, ca_cert_buf,
|
||||
(sword32)ca_cert_sz, WOLFSSL_FILETYPE_PEM, 0,
|
||||
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_CA),
|
||||
WOLFSSL_SUCCESS);
|
||||
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
|
||||
int1_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
|
||||
ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int1_cert_buf,
|
||||
(sword32)int1_cert_sz, WOLFSSL_FILETYPE_PEM, 0,
|
||||
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER),
|
||||
WOLFSSL_SUCCESS);
|
||||
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
|
||||
int2_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
|
||||
ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int2_cert_buf,
|
||||
(sword32)int2_cert_sz, WOLFSSL_FILETYPE_PEM, 0,
|
||||
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER),
|
||||
WOLFSSL_SUCCESS);
|
||||
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
|
||||
client_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
|
||||
ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, client_cert_buf,
|
||||
(sword32)client_cert_sz, WOLFSSL_FILETYPE_PEM, 0,
|
||||
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER),
|
||||
WOLFSSL_SUCCESS);
|
||||
|
||||
ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_USER_INTER),
|
||||
WOLFSSL_SUCCESS);
|
||||
|
||||
/* Intermediate certs have been unloaded, but CA cert is still
|
||||
loaded. Expect first level intermediate to verify, rest to fail. */
|
||||
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
|
||||
int1_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
|
||||
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
|
||||
int2_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
|
||||
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
|
||||
client_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
|
||||
|
||||
ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int1_cert_buf,
|
||||
(sword32)int1_cert_sz, WOLFSSL_FILETYPE_PEM, 0,
|
||||
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_TEMP_CA),
|
||||
WOLFSSL_SUCCESS);
|
||||
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
|
||||
int2_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
|
||||
ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int2_cert_buf,
|
||||
(sword32)int2_cert_sz, WOLFSSL_FILETYPE_PEM, 0,
|
||||
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_CHAIN_CA),
|
||||
WOLFSSL_SUCCESS);
|
||||
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
|
||||
client_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
|
||||
ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, client_cert_buf,
|
||||
(sword32)client_cert_sz, WOLFSSL_FILETYPE_PEM, 0,
|
||||
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER),
|
||||
WOLFSSL_SUCCESS);
|
||||
|
||||
ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_USER_INTER),
|
||||
WOLFSSL_SUCCESS);
|
||||
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
|
||||
int1_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
|
||||
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
|
||||
int2_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
|
||||
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
|
||||
client_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
|
||||
|
||||
ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_CHAIN_CA),
|
||||
WOLFSSL_SUCCESS);
|
||||
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
|
||||
int1_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
|
||||
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
|
||||
int2_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
|
||||
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
|
||||
client_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
|
||||
|
||||
ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_TEMP_CA),
|
||||
WOLFSSL_SUCCESS);
|
||||
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
|
||||
int1_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
|
||||
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
|
||||
int2_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
|
||||
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
|
||||
client_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
|
||||
|
||||
ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_USER_CA),
|
||||
WOLFSSL_SUCCESS);
|
||||
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
|
||||
int1_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
|
||||
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
|
||||
int2_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
|
||||
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
|
||||
client_cert_sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
|
||||
|
||||
wolfSSL_CertManagerFree(cm);
|
||||
if (ca_cert_buf)
|
||||
free(ca_cert_buf);
|
||||
if (int1_cert_buf)
|
||||
free(int1_cert_buf);
|
||||
if (int2_cert_buf)
|
||||
free(int2_cert_buf);
|
||||
if (client_cert_buf)
|
||||
free(client_cert_buf);
|
||||
#endif
|
||||
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
|
||||
static int test_wolfSSL_CertManagerGetCerts(void)
|
||||
{
|
||||
@@ -52866,6 +52998,7 @@ TEST_CASE testCases[] = {
|
||||
TEST_DECL(test_wolfSSL_CertManagerAPI),
|
||||
TEST_DECL(test_wolfSSL_CertManagerLoadCABuffer),
|
||||
TEST_DECL(test_wolfSSL_CertManagerLoadCABuffer_ex),
|
||||
TEST_DECL(test_wolfSSL_CertManagerLoadCABufferType),
|
||||
TEST_DECL(test_wolfSSL_CertManagerGetCerts),
|
||||
TEST_DECL(test_wolfSSL_CertManagerSetVerify),
|
||||
TEST_DECL(test_wolfSSL_CertManagerNameConstraint),
|
||||
|
||||
+2
-2
@@ -4203,7 +4203,7 @@ WOLFSSL_API void wolfSSL_CTX_SetPerformTlsRecordProcessingCb(WOLFSSL_CTX* ctx,
|
||||
|
||||
WOLFSSL_API int wolfSSL_CertManagerLoadCA(WOLFSSL_CERT_MANAGER* cm,
|
||||
const char* f, const char* d);
|
||||
WOLFSSL_API int wolfSSL_CertManagerLoadCABuffer_ex2(WOLFSSL_CERT_MANAGER* cm,
|
||||
WOLFSSL_API int wolfSSL_CertManagerLoadCABufferType(WOLFSSL_CERT_MANAGER* cm,
|
||||
const unsigned char* buff, long sz, int format, int userChain,
|
||||
word32 flags, int type);
|
||||
WOLFSSL_API int wolfSSL_CertManagerLoadCABuffer_ex(WOLFSSL_CERT_MANAGER* cm,
|
||||
@@ -4213,7 +4213,7 @@ WOLFSSL_API void wolfSSL_CTX_SetPerformTlsRecordProcessingCb(WOLFSSL_CTX* ctx,
|
||||
const unsigned char* buff, long sz, int format);
|
||||
|
||||
WOLFSSL_API int wolfSSL_CertManagerUnloadCAs(WOLFSSL_CERT_MANAGER* cm);
|
||||
WOLFSSL_API int wolfSSL_CertManagerUnloadIntermediateCertsEx(
|
||||
WOLFSSL_API int wolfSSL_CertManagerUnloadTypeCerts(
|
||||
WOLFSSL_CERT_MANAGER* cm, byte type);
|
||||
WOLFSSL_API int wolfSSL_CertManagerUnloadIntermediateCerts(
|
||||
WOLFSSL_CERT_MANAGER* cm);
|
||||
|
||||
Reference in New Issue
Block a user