wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2026-01-29 11:32:13 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #8842 from julek-wolfssl/zd/19966

Browse Source 
ALT_NAMES_OID: Mark IP address as WOLFSSL_V_ASN1_OCTET_STRING
This commit is contained in:
JacobBarthelmeh
2025-06-05 17:07:47 -06:00
committed by GitHub
parent c207e2d198 f2584fd5fa
commit 3ecc58cc0e
6 changed files with 195 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
CMakeLists.txt
View File

@@ -2634,6 +2634,7 @@ if(WOLFSSL_EXAMPLES)
tests/api/test_evp.c
tests/api/test_tls_ext.c
tests/api/test_tls.c
tests/api/test_x509.c
tests/srp.c
tests/suites.c
tests/w64wrapper.c

9
src/x509.c
View File

@@ -2349,6 +2349,15 @@ void* wolfSSL_X509_get_ext_d2i(const WOLFSSL_X509* x509, int nid, int* c,
}
break;
case ASN_IP_TYPE:
if (wolfSSL_ASN1_STRING_set(gn->d.iPAddress,
dns->name, dns->len) != WOLFSSL_SUCCESS) {
WOLFSSL_MSG("ASN1_STRING_set failed");
goto err;
}
gn->d.iPAddress->type = WOLFSSL_V_ASN1_OCTET_STRING;
break;
default:
if (wolfSSL_ASN1_STRING_set(gn->d.dNSName,
dns->name, dns->len) != WOLFSSL_SUCCESS) {

3
tests/api.c
View File

@@ -325,6 +325,7 @@
#include <tests/api/test_evp.h>
#include <tests/api/test_tls_ext.h>
#include <tests/api/test_tls.h>
#include <tests/api/test_x509.h>
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \
!defined(NO_RSA) && !defined(SINGLE_THREADED) && \
@@ -67210,6 +67211,8 @@ TEST_CASE testCases[] = {
TEST_MLDSA_DECLS,
/* Signature API */
TEST_SIGNATURE_DECLS,
/* x509 */
TEST_X509_DECLS,
/* PEM and DER APIs. */
TEST_DECL(test_wc_PemToDer),

3
tests/api/include.am
View File

@@ -54,6 +54,8 @@ tests_unit_test_SOURCES += tests/api/test_ocsp.c
tests_unit_test_SOURCES += tests/api/test_evp.c
tests_unit_test_SOURCES += tests/api/test_tls_ext.c
tests_unit_test_SOURCES += tests/api/test_tls.c
# Certs
tests_unit_test_SOURCES += tests/api/test_x509.c
endif
EXTRA_DIST += tests/api/api.h
@@ -105,4 +107,5 @@ EXTRA_DIST += tests/api/create_ocsp_test_blobs.py
EXTRA_DIST += tests/api/test_evp.h
EXTRA_DIST += tests/api/test_tls_ext.h
EXTRA_DIST += tests/api/test_tls.h
EXTRA_DIST += tests/api/test_x509.h

149
tests/api/test_x509.c Normal file
View File

@@ -0,0 +1,149 @@
/* test_x509.c
*
* Copyright (C) 2006-2025 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#include <tests/unit.h>
#ifdef NO_INLINE
#include <wolfssl/wolfcrypt/misc.h>
#else
#define WOLFSSL_MISC_INCLUDED
#include <wolfcrypt/src/misc.c>
#endif
#include <wolfssl/wolfcrypt/types.h>
#include <tests/api/api.h>
#include <tests/api/test_x509.h>
#include <tests/utils.h>
#include <wolfssl/openssl/ssl.h>
#include <wolfssl/openssl/x509.h>
#include <wolfssl/openssl/x509v3.h>
#if defined(OPENSSL_ALL)
#define HAVE_TEST_X509_RFC2818_VERIFICATION_CALLBACK
/* callback taken and simplified from
* include/boost/asio/ssl/impl/rfc2818_verification.ipp
* version: boost-1.84.0 */
static int rfc2818_verification_callback(int preverify,
WOLFSSL_X509_STORE_CTX* store)
{
EXPECT_DECLS;
int depth;
X509* cert;
GENERAL_NAMES* gens;
byte address_bytes[] = { 127, 0, 0, 1 };
X509_NAME* name;
int i;
ASN1_STRING* common_name = 0;
int matches = 0;
/* Don't bother looking at certificates that have
* failed pre-verification. */
if (!preverify)
return 0;
/* We're only interested in checking the certificate at
* the end of the chain. */
depth = X509_STORE_CTX_get_error_depth(store);
if (depth > 0)
return 1;
/* Try converting the host name to an address. If it is an address then we
* need to look for an IP address in the certificate rather than a
* host name. */
cert = X509_STORE_CTX_get_current_cert(store);
/* Go through the alternate names in the certificate looking for matching
* DNS or IP address entries. */
gens = (GENERAL_NAMES*)X509_get_ext_d2i(
cert, NID_subject_alt_name, NULL, NULL);
for (i = 0; i < sk_GENERAL_NAME_num(gens); ++i) {
GENERAL_NAME* gen = sk_GENERAL_NAME_value(gens, i);
if (gen->type == GEN_DNS) {
ASN1_IA5STRING* domain = gen->d.dNSName;
if (domain->type == V_ASN1_IA5STRING && domain->data &&
domain->length &&
XSTRCMP(domain->data, "example.com") == 0)
matches++;
}
else if (gen->type == GEN_IPADD)
{
ASN1_OCTET_STRING* ip_address = gen->d.iPAddress;
if (ip_address->type == V_ASN1_OCTET_STRING && ip_address->data &&
ip_address->length == sizeof(address_bytes) &&
XMEMCMP(address_bytes, ip_address->data, 4) == 0)
matches++;
}
}
GENERAL_NAMES_free(gens);
/* No match in the alternate names, so try the common names. We should only
* use the "most specific" common name, which is the last one in
* the list. */
name = X509_get_subject_name(cert);
i = -1;
while ((i = X509_NAME_get_index_by_NID(name, NID_commonName, i)) >= 0)
{
X509_NAME_ENTRY* name_entry = X509_NAME_get_entry(name, i);
common_name = X509_NAME_ENTRY_get_data(name_entry);
}
if (common_name && common_name->data && common_name->length)
{
if (XSTRCMP(common_name->data, "www.wolfssl.com") == 0)
matches++;
}
ExpectIntEQ(matches, 3);
return matches == 3;
}
#endif
int test_x509_rfc2818_verification_callback(void)
{
EXPECT_DECLS;
#ifdef HAVE_TEST_X509_RFC2818_VERIFICATION_CALLBACK
struct test_memio_ctx test_ctx;
WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
XMEMSET(&test_ctx, 0, sizeof(test_ctx));
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
wolfTLS_client_method, wolfTLS_server_method), 0);
ExpectIntEQ(wolfSSL_use_certificate_file(ssl_c, cliCertFile,
WOLFSSL_FILETYPE_PEM), 1);
ExpectIntEQ(wolfSSL_use_PrivateKey_file(ssl_c, cliKeyFile,
WOLFSSL_FILETYPE_PEM), 1);
ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx_s, cliCertFile, NULL), 1);
wolfSSL_set_verify(ssl_s, WOLFSSL_VERIFY_PEER,
rfc2818_verification_callback);
ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
wolfSSL_free(ssl_s);
wolfSSL_free(ssl_c);
wolfSSL_CTX_free(ctx_s);
wolfSSL_CTX_free(ctx_c);
#endif
return EXPECT_RESULT();
}

30
tests/api/test_x509.h Normal file
View File

@@ -0,0 +1,30 @@
/* test_x509.h
*
* Copyright (C) 2006-2025 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#ifndef WOLFCRYPT_TEST_X509_H
#define WOLFCRYPT_TEST_X509_H
int test_x509_rfc2818_verification_callback(void);
#define TEST_X509_DECLS \
TEST_DECL_GROUP("x509", test_x509_rfc2818_verification_callback)
#endif /* WOLFCRYPT_TEST_X509_H */