wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 18:57:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #7194 from anhu/CerManUnExtCb

Browse Source 
Adding unknown extension callback to CertManager
This commit is contained in:
Sean Parkinson
2024-02-08 22:10:32 +10:00
committed by GitHub
parent 9147a7254b 271462128d
commit 5b5f0ff32c
5 changed files with 67 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
src/ssl_certman.c
View File

@ -575,6 +575,19 @@ void wolfSSL_CertManagerSetVerify(WOLFSSL_CERT_MANAGER* cm, VerifyCallback vc)
} }
#endif /* NO_WOLFSSL_CM_VERIFY */ #endif /* NO_WOLFSSL_CM_VERIFY */
#if defined(WOLFSSL_CUSTOM_OID) && defined(WOLFSSL_ASN_TEMPLATE) \
&& defined(HAVE_OID_DECODING)
void wolfSSL_CertManagerSetUnknownExtCallback(WOLFSSL_CERT_MANAGER* cm,
wc_UnknownExtCallback cb)
{
WOLFSSL_ENTER("wolfSSL_CertManagerSetUnknownExtCallback");
if (cm != NULL) {
cm->unknownExtCallback = cb;
}
}
#endif /* WOLFSSL_CUSTOM_OID && WOLFSSL_ASN_TEMPLATE && HAVE_OID_DECODING */
#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH) #if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
/* Verify the certificate. /* Verify the certificate.
* *
@ -643,6 +656,12 @@ int CM_VerifyBuffer_ex(WOLFSSL_CERT_MANAGER* cm, const unsigned char* buff,
/* Create a decoded certificate with DER buffer. */ /* Create a decoded certificate with DER buffer. */
InitDecodedCert(cert, buff, (word32)sz, cm->heap); InitDecodedCert(cert, buff, (word32)sz, cm->heap);
#if defined(WOLFSSL_CUSTOM_OID) && defined(WOLFSSL_ASN_TEMPLATE) \
&& defined(HAVE_OID_DECODING)
if (cm->unknownExtCallback != NULL)
wc_SetUnknownExtCallback(cert, cm->unknownExtCallback);
#endif
/* Parse DER into decoded certificate fields and verify signature /* Parse DER into decoded certificate fields and verify signature
* against a known CA. */ * against a known CA. */
ret = ParseCertRelative(cert, CERT_TYPE, VERIFY, cm); ret = ParseCertRelative(cert, CERT_TYPE, VERIFY, cm);

30
tests/api.c
View File

@ -1084,6 +1084,21 @@ static int do_dual_alg_tls13_connection(byte *caCert, word32 caCertSz,
return EXPECT_RESULT(); return EXPECT_RESULT();
} }
static int extCount = 0;
static int myUnknownExtCallback(const word16* oid, word32 oidSz, int crit,
const unsigned char* der, word32 derSz)
{
(void) oid;
(void) oidSz;
(void) crit;
(void) der;
(void) derSz;
extCount ++;
/* Accept all extensions. This is only a test. Normally we would be much more
* careful about critical extensions. */
return 1;
}
static int test_dual_alg_support(void) static int test_dual_alg_support(void)
{ {
EXPECT_DECLS; EXPECT_DECLS;
@ -1099,6 +1114,7 @@ static int test_dual_alg_support(void)
int rootSz = 0; int rootSz = 0;
byte *server = NULL; byte *server = NULL;
int serverSz = 0; int serverSz = 0;
WOLFSSL_CERT_MANAGER* cm = NULL;
ExpectIntEQ(load_file(keyFile, &serverKey, &serverKeySz), 0); ExpectIntEQ(load_file(keyFile, &serverKey, &serverKeySz), 0);
@ -1130,6 +1146,20 @@ static int test_dual_alg_support(void)
ExpectIntEQ(do_dual_alg_tls13_connection(root, rootSz, ExpectIntEQ(do_dual_alg_tls13_connection(root, rootSz,
server, serverSz, serverKey, (word32)serverKeySz, 1), server, serverSz, serverKey, (word32)serverKeySz, 1),
TEST_SUCCESS); TEST_SUCCESS);
/* Lets see if CertManager can find the new extensions */
extCount = 0;
ExpectNotNull(cm = wolfSSL_CertManagerNew());
wolfSSL_CertManagerSetUnknownExtCallback(cm, myUnknownExtCallback);
ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, root, rootSz,
SSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, server, serverSz,
SSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
/* There is only 1 unknown exension (1.2.3.4.5). The other ones are known
* because they are for the dual alg extensions. */
ExpectIntEQ(extCount, 1);
wolfSSL_CertManagerFree(cm);
XFREE(root, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(root, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(server, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(server, NULL, DYNAMIC_TYPE_TMP_BUFFER);

9
wolfssl/internal.h
View File

@ -2629,10 +2629,13 @@ struct WOLFSSL_CERT_MANAGER {
#endif #endif
wolfSSL_Ref ref; wolfSSL_Ref ref;
#ifdef HAVE_PQC #ifdef HAVE_PQC
short minFalconKeySz; /* minimum allowed Falcon key size */ short minFalconKeySz; /* minimum allowed Falcon key size */
short minDilithiumKeySz; /* minimum allowed Dilithium key size */ short minDilithiumKeySz; /* minimum allowed Dilithium key size */
#endif
#if defined(WOLFSSL_CUSTOM_OID) && defined(WOLFSSL_ASN_TEMPLATE) \
&& defined(HAVE_OID_DECODING)
wc_UnknownExtCallback unknownExtCallback;
#endif #endif
}; };
WOLFSSL_LOCAL int CM_SaveCertCache(WOLFSSL_CERT_MANAGER* cm, WOLFSSL_LOCAL int CM_SaveCertCache(WOLFSSL_CERT_MANAGER* cm,

10
wolfssl/ssl.h
View File

@ -1536,7 +1536,8 @@ WOLFSSL_API int wolfSSL_sk_push_node(WOLFSSL_STACK** stack, WOLFSSL_STACK* in);
WOLFSSL_API WOLFSSL_STACK* wolfSSL_sk_get_node(WOLFSSL_STACK* sk, int idx); WOLFSSL_API WOLFSSL_STACK* wolfSSL_sk_get_node(WOLFSSL_STACK* sk, int idx);
WOLFSSL_API int wolfSSL_sk_push(WOLFSSL_STACK *st, const void *data); WOLFSSL_API int wolfSSL_sk_push(WOLFSSL_STACK *st, const void *data);
#if defined(HAVE_OCSP) || defined(HAVE_CRL) #if defined(HAVE_OCSP) || defined(HAVE_CRL) || (defined(WOLFSSL_CUSTOM_OID) && \
defined(WOLFSSL_ASN_TEMPLATE) && defined(HAVE_OID_DECODING))
#include "wolfssl/wolfcrypt/asn.h" #include "wolfssl/wolfcrypt/asn.h"
#endif #endif
@ -3594,6 +3595,13 @@ WOLFSSL_API void wolfSSL_CTX_SetPerformTlsRecordProcessingCb(WOLFSSL_CTX* ctx,
WOLFSSL_API void wolfSSL_CertManagerFree(WOLFSSL_CERT_MANAGER* cm); WOLFSSL_API void wolfSSL_CertManagerFree(WOLFSSL_CERT_MANAGER* cm);
WOLFSSL_API int wolfSSL_CertManager_up_ref(WOLFSSL_CERT_MANAGER* cm); WOLFSSL_API int wolfSSL_CertManager_up_ref(WOLFSSL_CERT_MANAGER* cm);
#if defined(WOLFSSL_CUSTOM_OID) && defined(WOLFSSL_ASN_TEMPLATE) \
&& defined(HAVE_OID_DECODING)
WOLFSSL_API void wolfSSL_CertManagerSetUnknownExtCallback(
WOLFSSL_CERT_MANAGER* cm,
wc_UnknownExtCallback cb);
#endif
WOLFSSL_API int wolfSSL_CertManagerLoadCA(WOLFSSL_CERT_MANAGER* cm, WOLFSSL_API int wolfSSL_CertManagerLoadCA(WOLFSSL_CERT_MANAGER* cm,
const char* f, const char* d); const char* f, const char* d);
WOLFSSL_API int wolfSSL_CertManagerLoadCABuffer_ex(WOLFSSL_CERT_MANAGER* cm, WOLFSSL_API int wolfSSL_CertManagerLoadCABuffer_ex(WOLFSSL_CERT_MANAGER* cm,

3
wolfssl/wolfcrypt/settings.h
View File

@ -348,6 +348,9 @@
#undef OPENSSL_EXTRA #undef OPENSSL_EXTRA
#define OPENSSL_EXTRA #define OPENSSL_EXTRA
#undef HAVE_OID_DECODING
#define HAVE_OID_DECODING
#endif /* WOLFSSL_DUAL_ALG_CERTS */ #endif /* WOLFSSL_DUAL_ALG_CERTS */
/* --------------------------------------------------------------------------- /* ---------------------------------------------------------------------------