diff --git a/certs/test/gen-testcerts.sh b/certs/test/gen-testcerts.sh
index 1d254d788..7564bb358 100755
--- a/certs/test/gen-testcerts.sh
+++ b/certs/test/gen-testcerts.sh
@@ -120,6 +120,31 @@ generate_test_cert() {
 check_result $?
 }
 
+generate_test_trusted_cert() {
+ rm "$1".der
+ rm "$1".pem
+
+ echo "step 1 create configuration"
+ build_test_cert_conf "$1" "$2" "$3"
+ check_result $?
+
+ echo "step 2 create csr"
+ openssl req -new -sha256 -out "$1".csr -key ../server-key.pem -config "$1".conf
+ check_result $?
+
+ echo "step 3 check csr"
+ openssl req -text -noout -in "$1".csr -config "$1".conf
+ check_result $?
+
+ echo "step 4 create cert"
+ openssl x509 -req -days 1000 -sha256 \
+ -in "$1".csr -signkey ../server-key.pem \
+ -out "$1".pem -extensions req_ext -addtrust serverAuth -trustout -extfile "$1".conf
+ check_result $?
+ rm "$1".conf
+ rm "$1".csr
+}
+
 generate_expired_certs() {
 rm "$1".der
 rm "$1".pem
@@ -200,3 +225,6 @@ generate_test_cert server-garbage localhost garbage
 # Generate Expired Certificates
 generate_expired_certs expired/expired-ca ../ca-key.pem 1
 generate_expired_certs expired/expired-cert ../server-key.pem
+
+
+generate_test_trusted_cert ossl-trusted-cert localhost "" 1
diff --git a/certs/test/include.am b/certs/test/include.am
index 59569c92c..c69ec42b8 100644
--- a/certs/test/include.am
+++ b/certs/test/include.am
@@ -67,6 +67,7 @@ EXTRA_DIST += \
 certs/test/server-badaltname.pem \
 certs/test/server-localhost.der \
 certs/test/server-localhost.pem \
+ certs/test/ossl-trusted-cert.pem \
 certs/test/ktri-keyid-cms.msg \
 certs/test/smime-test.p7s \
 certs/test/smime-test-canon.p7s \
diff --git a/certs/test/ossl-trusted-cert.pem b/certs/test/ossl-trusted-cert.pem
new file mode 100644
index 000000000..e8e2ea1b7
--- /dev/null
+++ b/certs/test/ossl-trusted-cert.pem
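Review bot: The first line of generate_test_trusted_cert removes "$1".der, but nothing in the function writes a .der (only "$1".pem is produced in step 4), so unless something outside this function creates that file the rm fails with a "No such file or directory" message on every run; the rm is not followed by check_result, so the script carries on, but the noise makes real failures harder to spot. Either drop that line or use `rm -f "$1".der "$1".pem`. The function also reads only "$1", "$2" and "$3" (`build_test_cert_conf "$1" "$2" "$3"`), while the call added in the second hunk of this file, `generate_test_trusted_cert ossl-trusted-cert localhost "" 1`, passes a fourth argument that is silently ignored; drop it or state the parameters in a comment above the function, e.g. `# $1 base name, $2 CN, $3 alt name; no further arguments are used`. generate_expired_certs begins in this hunk and ends outside it.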
@@ -0,0 +1,29 @@
+-----BEGIN TRUSTED CERTIFICATE-----
+MIIE6DCCA9CgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
+d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjUwMTMw
+MjE0NTQ2WhcNMjcxMDI3MjE0NTQ2WjCBkDELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
+B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNVBAoMB3dvbGZTU0wxEDAO
+BgNVBAsMB1N1cHBvcnQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
+SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAMCVCOFXQfJxbbfSRUEnAWXGRa7yvCQwuJXOL07W9hyIvHyf+6hn
+f/5cnFF194rKB+c1L4/hvXvAL3yrZKgX/Mpde7rgIeVyLm8uhtiVc9qsG1O5Xz/X
+GQ0lT+FjY1GLC2Q/rUO4pRxcNLOuAKBjxfZ/C1loeHOmjBipAm2vwxkBLrgQ48bM
+QLRpo0YzaYduxLsXpvPo3a1zvHsvIbX9ZlEMvVSz4W1fHLwjc9EJA4kU0hC5ZMMq
+0KGWSrzh1Bpbx6DAwWN4D0Q3MDKWgDIjlaF3uhPSl3PiXSXJag3DOWCktLBpQkIJ
+6dgIvDMgs1gip6rrxOHmYYPF0pbf2dBPrdcCAwEAAaOCAUUwggFBMB0GA1UdDgQW
+BBSzETLJkpiE4sn40DtuA0LKHw6OPDCB1AYDVR0jBIHMMIHJgBQnjmcRdMMmHT/t
+M2OzpNgdMOXo1aGBmqSBlzCBlDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRh
+bmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQL
+DApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG
+9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CFACr6s+Ce0259tiQB3+gnZ7kb6T9MAwG
+A1UdEwQFMAMBAf8wHAYDVR0RBBUwE4ILZXhhbXBsZS5jb22HBH8AAAEwHQYDVR0l
+BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBqX+1+
+o2hLg3bT22ktzzG7y1Xu+7ZymPHCf7c2inTuFQq8epdbQ4RHwlk9/y8T52CM063y
+DJPPzXBYiGFwLo7Eff3pOCxsGRCGZZm5Yj/oCgN2dEywDPoOf6J+PBz589obsYU6
+d2QqcnhghWK6pM+9OdR5idtv4tOpnPEpehMJE14Oxg36nNDobn2rqKgSrvd1xbEh
+SnNwN6ZYwlLHCj+uGEEIFiLfZFisaEqmQlXA1THIUJMMypiwJ9snSXzZN6g+Ssw7
+AG+1kSbrbpnuECTBO4GBoJ7qcnhqPe1fbP/atwb7hh4RiHKXEVVQv96fu6BZ3cHH
+rb8OQ3qAW+juUlxaMAwwCgYIKwYBBQUHAwE=
+-----END TRUSTED CERTIFICATE-----
diff --git a/tests/api.c b/tests/api.c
index 89bac6646..0bb7fe404 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -56313,6 +56313,7 @@ static int test_wc_PemToDer(void)
 int ret;
 DerBuffer* pDer = NULL;
 const char* ca_cert = "./certs/server-cert.pem";
+ const char* trusted_cert = "./certs/test/ossl-trusted-cert.pem";
 byte* cert_buf = NULL;
 size_t cert_sz = 0;
 int eccKey = 0;
@@ -56331,6 +56332,18 @@ static int test_wc_PemToDer(void)
 cert_buf = NULL;
 }
 
+ /* Test that -----BEGIN TRUSTED CERTIFICATE----- banner parses OK */
+ ExpectIntEQ(ret = load_file(trusted_cert, &cert_buf, &cert_sz), 0);
+ ExpectIntEQ(ret = wc_PemToDer(cert_buf, (long int)cert_sz, TRUSTED_CERT_TYPE, &pDer, NULL,
+ &info, &eccKey), 0);
+ wc_FreeDer(&pDer);
+ pDer = NULL;
+
+ if (cert_buf != NULL) {
+ free(cert_buf);
+ cert_buf = NULL;
+ }
+
 #ifdef HAVE_ECC
 {
 const char* ecc_private_key = "./certs/ecc-privOnlyKey.pem";
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 1041533d4..bfd969348 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -24777,6 +24777,8 @@ wcchar END_CERT = "-----END CERTIFICATE-----";
 #endif
 wcchar BEGIN_X509_CRL = "-----BEGIN X509 CRL-----";
 wcchar END_X509_CRL = "-----END X509 CRL-----";
+wcchar BEGIN_TRUSTED_CERT = "-----BEGIN TRUSTED CERTIFICATE-----";
+wcchar END_TRUSTED_CERT = "-----END TRUSTED CERTIFICATE-----";
 wcchar BEGIN_RSA_PRIV = "-----BEGIN RSA PRIVATE KEY-----";
 wcchar END_RSA_PRIV = "-----END RSA PRIVATE KEY-----";
 wcchar BEGIN_RSA_PUB = "-----BEGIN RSA PUBLIC KEY-----";
@@ -25073,6 +25075,11 @@ int wc_PemGetHeaderFooter(int type, const char** header, const char** footer)
 if (footer) *footer = END_ENC_PRIV_KEY;
 ret = 0;
 break;
+ case TRUSTED_CERT_TYPE:
+ if (header) *header = BEGIN_TRUSTED_CERT;
+ if (footer) *footer = END_TRUSTED_CERT;
+ ret = 0;
+ break;
 default:
 ret = BAD_FUNC_ARG;
 break;
diff --git a/wolfssl/wolfcrypt/asn_public.h b/wolfssl/wolfcrypt/asn_public.h
index 51834d02b..9e7a8558a 100644
--- a/wolfssl/wolfcrypt/asn_public.h
+++ b/wolfssl/wolfcrypt/asn_public.h
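Review bot: The new block in the second tests/api.c hunk only asserts that wc_PemToDer returns 0 for the TRUSTED CERTIFICATE banner and never looks at pDer, so it would still pass if the returned buffer were empty or held the wrong bytes. The fixture is generated with `-addtrust serverAuth -trustout` (gen-testcerts.sh), which in OpenSSL's format appends a CertAux trailer after the certificate inside the same base64 blob, so unless wc_PemToDer trims it somewhere not shown here the DER handed back is longer than the certificate's outer SEQUENCE; that is exactly what this test should pin down one way or the other. Before the `wc_FreeDer(&pDer);` line add at least `ExpectNotNull(pDer);` and `ExpectIntGT((int)pDer->length, 0);`, and ideally feed the buffer to the certificate decoder the file already tests to confirm trailing bytes are accepted or rejected deliberately. The `ret =` captured in both ExpectIntEQ calls is not read afterwards within this hunk. test_wc_PemToDer starts and ends outside the hunk.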
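Review bot: The new TRUSTED_CERT_TYPE case in wc_PemGetHeaderFooter (second asn.c hunk) only swaps banner strings, so the trust and reject purposes that OpenSSL stores after the certificate in this PEM format are neither parsed nor enforced, and the type name alone could lead a caller to assume those attributes are honoured. Say so at the case, e.g. `/* OpenSSL "TRUSTED CERTIFICATE" PEM: only the banner differs from CERT_TYPE; the CertAux trust attributes that follow the certificate are not interpreted */`, and repeat a one-line version of it beside the enum value in asn_public.h; whether the trailer survives into the returned DER depends on the rest of wc_PemToDer, which is outside this hunk, and the comment should be checked against it. If BEGIN_X509_CRL and the neighbouring banners from the first asn.c hunk are declared in a header not shown here, BEGIN_TRUSTED_CERT and END_TRUSTED_CERT should be declared alongside them for consistency. wc_PemGetHeaderFooter starts and ends outside the hunk.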
@@ -182,7 +182,8 @@ enum CertType {
 SPHINCS_SMALL_LEVEL5_TYPE,
 ECC_PARAM_TYPE,
 CHAIN_CERT_TYPE,
- PKCS7_TYPE
+ PKCS7_TYPE,
+ TRUSTED_CERT_TYPE
 };