From 4377996d87eccf125d71f13bda9064953dc6e6d9 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Tue, 19 Nov 2013 16:20:18 -0800 Subject: [PATCH] Saved original SKID and AKID from certificate for later use with X.509 functions. --- ctaocrypt/src/asn.c | 15 ++++++++++++++- cyassl/ctaocrypt/asn.h | 4 ++++ cyassl/internal.h | 6 ++++-- src/internal.c | 32 ++++++++++++++++++++++++++++---- src/ssl.c | 14 ++++++++++---- 5 files changed, 60 insertions(+), 11 deletions(-) diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index ff9b62c0d..5f276af4f 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c @@ -1314,6 +1314,10 @@ void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap) cert->extKeyUsageSet = 0; cert->extKeyUsageCrit = 0; cert->extKeyUsage = 0; + cert->extAuthKeyIdSrc = NULL; + cert->extAuthKeyIdSz = 0; + cert->extSubjKeyIdSrc = NULL; + cert->extSubjKeyIdSz = 0; #ifdef HAVE_ECC cert->pkCurveOID = 0; #endif /* HAVE_ECC */ @@ -3077,6 +3081,11 @@ static void DecodeAuthKeyId(byte* input, int sz, DecodedCert* cert) return; } + #ifdef OPENSSL_EXTRA + cert->extAuthKeyIdSrc = &input[idx]; + cert->extAuthKeyIdSz = length; + #endif /* OPENSSL_EXTRA */ + if (length == SHA_SIZE) { XMEMCPY(cert->extAuthKeyId, input + idx, length); } @@ -3108,6 +3117,11 @@ static void DecodeSubjKeyId(byte* input, int sz, DecodedCert* cert) return; } + #ifdef OPENSSL_EXTRA + cert->extSubjKeyIdSrc = &input[idx]; + cert->extSubjKeyIdSz = length; + #endif /* OPENSSL_EXTRA */ + if (length == SIGNER_DIGEST_SIZE) { XMEMCPY(cert->extSubjKeyId, input + idx, length); } @@ -3420,7 +3434,6 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) InitSha(&sha); ShaUpdate(&sha, cert->publicKey, cert->pubKeySize); ShaFinal(&sha, cert->extSubjKeyId); - cert->extSubjKeyIdSet = 1; } #endif diff --git a/cyassl/ctaocrypt/asn.h b/cyassl/ctaocrypt/asn.h index d4621c025..4fa7e2b63 100644 --- a/cyassl/ctaocrypt/asn.h +++ b/cyassl/ctaocrypt/asn.h @@ -323,6 +323,10 @@ struct DecodedCert { byte extKeyUsageSet; byte extKeyUsageCrit; word16 extKeyUsage; /* Key usage bitfield */ + byte* extAuthKeyIdSrc; + word32 extAuthKeyIdSz; + byte* extSubjKeyIdSrc; + word32 extSubjKeyIdSz; #ifdef HAVE_ECC word32 pkCurveOID; /* Public Key's curve OID */ #endif /* HAVE_ECC */ diff --git a/cyassl/internal.h b/cyassl/internal.h index 527a3f380..53e60c309 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -1692,10 +1692,12 @@ struct CYASSL_X509 { byte subjAltNameCrit; byte authKeyIdSet; byte authKeyIdCrit; - byte authKeyId[SHA_SIZE]; + byte* authKeyId; + word32 authKeyIdSz; byte subjKeyIdSet; byte subjKeyIdCrit; - byte subjKeyId[SHA_SIZE]; + byte* subjKeyId; + word32 subjKeyIdSz; byte keyUsageSet; byte keyUsageCrit; #endif /* OPENSSL_EXTRA */ diff --git a/src/internal.c b/src/internal.c index 21cb6b743..741cedfd7 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1281,10 +1281,12 @@ void InitX509(CYASSL_X509* x509, int dynamicFlag) x509->subjAltNameCrit = 0; x509->authKeyIdSet = 0; x509->authKeyIdCrit = 0; - XMEMSET(x509->authKeyId, 0, SHA_SIZE); + x509->authKeyId = NULL; + x509->authKeyIdSz = 0; x509->subjKeyIdSet = 0; x509->subjKeyIdCrit = 0; - XMEMSET(x509->subjKeyId, 0, SHA_SIZE); + x509->subjKeyId = NULL; + x509->subjKeyIdSz = 0; x509->keyUsageSet = 0; x509->keyUsageCrit = 0; x509->keyUsage = 0; @@ -1311,6 +1313,10 @@ void FreeX509(CYASSL_X509* x509) XFREE(x509->pubKey.buffer, NULL, DYNAMIC_TYPE_PUBLIC_KEY); XFREE(x509->derCert.buffer, NULL, DYNAMIC_TYPE_SUBJECT_CN); XFREE(x509->sig.buffer, NULL, 0); + #ifdef OPENSSL_EXTRA + XFREE(x509->authKeyId, NULL, 0); + XFREE(x509->subjKeyId, NULL, 0); + #endif /* OPENSSL_EXTRA */ if (x509->altNames) FreeAltNames(x509->altNames, NULL); if (x509->dynamicMemory) @@ -3193,10 +3199,28 @@ int CopyDecodedToX509(CYASSL_X509* x509, DecodedCert* dCert) x509->subjAltNameCrit = dCert->extSubjAltNameCrit; x509->authKeyIdSet = dCert->extAuthKeyIdSet; x509->authKeyIdCrit = dCert->extAuthKeyIdCrit; - XMEMCPY(x509->authKeyId, dCert->extAuthKeyId, SHA_SIZE); + if (dCert->extAuthKeyIdSrc != NULL && dCert->extAuthKeyIdSz != 0) { + x509->authKeyId = (byte*)XMALLOC(dCert->extAuthKeyIdSz, NULL, 0); + if (x509->authKeyId != NULL) { + XMEMCPY(x509->authKeyId, + dCert->extAuthKeyIdSrc, dCert->extAuthKeyIdSz); + x509->authKeyIdSz = dCert->extAuthKeyIdSz; + } + else + ret = MEMORY_E; + } x509->subjKeyIdSet = dCert->extSubjKeyIdSet; x509->subjKeyIdCrit = dCert->extSubjKeyIdCrit; - XMEMCPY(x509->subjKeyId, dCert->extSubjKeyId, SHA_SIZE); + if (dCert->extSubjKeyIdSrc != NULL && dCert->extSubjKeyIdSz != 0) { + x509->subjKeyId = (byte*)XMALLOC(dCert->extSubjKeyIdSz, NULL, 0); + if (x509->subjKeyId != NULL) { + XMEMCPY(x509->subjKeyId, + dCert->extSubjKeyIdSrc, dCert->extSubjKeyIdSz); + x509->subjKeyIdSz = dCert->extSubjKeyIdSz; + } + else + ret = MEMORY_E; + } x509->keyUsageSet = dCert->extKeyUsageSet; x509->keyUsageCrit = dCert->extKeyUsageCrit; #ifdef HAVE_ECC diff --git a/src/ssl.c b/src/ssl.c index 8ae90d350..43f0579c0 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -7209,13 +7209,16 @@ int CyaSSL_set_compression(CYASSL* ssl) CYASSL_X509* x509, byte* dst, int* dstLen) { byte *id = NULL; - int copySz = min(dstLen != NULL ? *dstLen : 0, SHA_SIZE); + int copySz = 0; CYASSL_ENTER("CyaSSL_X509_get_authorityKeyID"); if (x509 != NULL) { - if (x509->authKeyIdSet) + if (x509->authKeyIdSet) { + copySz = min(dstLen != NULL ? *dstLen : 0, + (int)x509->authKeyIdSz); id = x509->authKeyId; + } if (dst != NULL && dstLen != NULL && id != NULL && copySz > 0) { XMEMCPY(dst, id, copySz); @@ -7234,13 +7237,16 @@ int CyaSSL_set_compression(CYASSL* ssl) CYASSL_X509* x509, byte* dst, int* dstLen) { byte *id = NULL; - int copySz = min(dstLen != NULL ? *dstLen : 0, SHA_SIZE); + int copySz = 0; CYASSL_ENTER("CyaSSL_X509_get_subjectKeyID"); if (x509 != NULL) { - if (x509->subjKeyIdSet) + if (x509->subjKeyIdSet) { + copySz = min(dstLen != NULL ? *dstLen : 0, + (int)x509->subjKeyIdSz); id = x509->subjKeyId; + } if (dst != NULL && dstLen != NULL && id != NULL && copySz > 0) { XMEMCPY(dst, id, copySz);