mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2025-07-30 18:57:27 +02:00
Merge pull request #7194 from anhu/CerManUnExtCb
Adding unknown extension callback to CertManager
This commit is contained in:
Sean Parkinson
GitHub
@ -575,6 +575,19 @@ void wolfSSL_CertManagerSetVerify(WOLFSSL_CERT_MANAGER* cm, VerifyCallback vc)
|
||||
}
|
||||
#endif /* NO_WOLFSSL_CM_VERIFY */
|
||||
|
||||
#if defined(WOLFSSL_CUSTOM_OID) && defined(WOLFSSL_ASN_TEMPLATE) \
|
||||
&& defined(HAVE_OID_DECODING)
|
||||
void wolfSSL_CertManagerSetUnknownExtCallback(WOLFSSL_CERT_MANAGER* cm,
|
||||
wc_UnknownExtCallback cb)
|
||||
{
|
||||
WOLFSSL_ENTER("wolfSSL_CertManagerSetUnknownExtCallback");
|
||||
if (cm != NULL) {
|
||||
cm->unknownExtCallback = cb;
|
||||
}
|
||||
|
||||
}
|
||||
#endif /* WOLFSSL_CUSTOM_OID && WOLFSSL_ASN_TEMPLATE && HAVE_OID_DECODING */
|
||||
|
||||
#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
|
||||
/* Verify the certificate.
|
||||
*
|
||||
@ -643,6 +656,12 @@ int CM_VerifyBuffer_ex(WOLFSSL_CERT_MANAGER* cm, const unsigned char* buff,
|
||||
/* Create a decoded certificate with DER buffer. */
|
||||
InitDecodedCert(cert, buff, (word32)sz, cm->heap);
|
||||
|
||||
#if defined(WOLFSSL_CUSTOM_OID) && defined(WOLFSSL_ASN_TEMPLATE) \
|
||||
&& defined(HAVE_OID_DECODING)
|
||||
if (cm->unknownExtCallback != NULL)
|
||||
wc_SetUnknownExtCallback(cert, cm->unknownExtCallback);
|
||||
#endif
|
||||
|
||||
/* Parse DER into decoded certificate fields and verify signature
|
||||
* against a known CA. */
|
||||
ret = ParseCertRelative(cert, CERT_TYPE, VERIFY, cm);
|
||||
|
||||
30
tests/api.c
30
tests/api.c
@ -1084,6 +1084,21 @@ static int do_dual_alg_tls13_connection(byte *caCert, word32 caCertSz,
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
|
||||
static int extCount = 0;
|
||||
static int myUnknownExtCallback(const word16* oid, word32 oidSz, int crit,
|
||||
const unsigned char* der, word32 derSz)
|
||||
{
|
||||
(void) oid;
|
||||
(void) oidSz;
|
||||
(void) crit;
|
||||
(void) der;
|
||||
(void) derSz;
|
||||
extCount ++;
|
||||
/* Accept all extensions. This is only a test. Normally we would be much more
|
||||
* careful about critical extensions. */
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int test_dual_alg_support(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
@ -1099,6 +1114,7 @@ static int test_dual_alg_support(void)
|
||||
int rootSz = 0;
|
||||
byte *server = NULL;
|
||||
int serverSz = 0;
|
||||
WOLFSSL_CERT_MANAGER* cm = NULL;
|
||||
|
||||
ExpectIntEQ(load_file(keyFile, &serverKey, &serverKeySz), 0);
|
||||
|
||||
@ -1130,6 +1146,20 @@ static int test_dual_alg_support(void)
|
||||
ExpectIntEQ(do_dual_alg_tls13_connection(root, rootSz,
|
||||
server, serverSz, serverKey, (word32)serverKeySz, 1),
|
||||
TEST_SUCCESS);
|
||||
|
||||
/* Lets see if CertManager can find the new extensions */
|
||||
extCount = 0;
|
||||
ExpectNotNull(cm = wolfSSL_CertManagerNew());
|
||||
wolfSSL_CertManagerSetUnknownExtCallback(cm, myUnknownExtCallback);
|
||||
ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, root, rootSz,
|
||||
SSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
|
||||
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, server, serverSz,
|
||||
SSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
|
||||
/* There is only 1 unknown exension (1.2.3.4.5). The other ones are known
|
||||
* because they are for the dual alg extensions. */
|
||||
ExpectIntEQ(extCount, 1);
|
||||
wolfSSL_CertManagerFree(cm);
|
||||
|
||||
XFREE(root, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||
XFREE(server, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||
|
||||
|
||||
@ -2629,10 +2629,13 @@ struct WOLFSSL_CERT_MANAGER {
|
||||
#endif
|
||||
wolfSSL_Ref ref;
|
||||
#ifdef HAVE_PQC
|
||||
short minFalconKeySz; /* minimum allowed Falcon key size */
|
||||
short minDilithiumKeySz; /* minimum allowed Dilithium key size */
|
||||
short minFalconKeySz; /* minimum allowed Falcon key size */
|
||||
short minDilithiumKeySz; /* minimum allowed Dilithium key size */
|
||||
#endif
|
||||
#if defined(WOLFSSL_CUSTOM_OID) && defined(WOLFSSL_ASN_TEMPLATE) \
|
||||
&& defined(HAVE_OID_DECODING)
|
||||
wc_UnknownExtCallback unknownExtCallback;
|
||||
#endif
|
||||
|
||||
};
|
||||
|
||||
WOLFSSL_LOCAL int CM_SaveCertCache(WOLFSSL_CERT_MANAGER* cm,
|
||||
|
||||
@ -1536,7 +1536,8 @@ WOLFSSL_API int wolfSSL_sk_push_node(WOLFSSL_STACK** stack, WOLFSSL_STACK* in);
|
||||
WOLFSSL_API WOLFSSL_STACK* wolfSSL_sk_get_node(WOLFSSL_STACK* sk, int idx);
|
||||
WOLFSSL_API int wolfSSL_sk_push(WOLFSSL_STACK *st, const void *data);
|
||||
|
||||
#if defined(HAVE_OCSP) || defined(HAVE_CRL)
|
||||
#if defined(HAVE_OCSP) || defined(HAVE_CRL) || (defined(WOLFSSL_CUSTOM_OID) && \
|
||||
defined(WOLFSSL_ASN_TEMPLATE) && defined(HAVE_OID_DECODING))
|
||||
#include "wolfssl/wolfcrypt/asn.h"
|
||||
#endif
|
||||
|
||||
@ -3594,6 +3595,13 @@ WOLFSSL_API void wolfSSL_CTX_SetPerformTlsRecordProcessingCb(WOLFSSL_CTX* ctx,
|
||||
WOLFSSL_API void wolfSSL_CertManagerFree(WOLFSSL_CERT_MANAGER* cm);
|
||||
WOLFSSL_API int wolfSSL_CertManager_up_ref(WOLFSSL_CERT_MANAGER* cm);
|
||||
|
||||
#if defined(WOLFSSL_CUSTOM_OID) && defined(WOLFSSL_ASN_TEMPLATE) \
|
||||
&& defined(HAVE_OID_DECODING)
|
||||
WOLFSSL_API void wolfSSL_CertManagerSetUnknownExtCallback(
|
||||
WOLFSSL_CERT_MANAGER* cm,
|
||||
wc_UnknownExtCallback cb);
|
||||
#endif
|
||||
|
||||
WOLFSSL_API int wolfSSL_CertManagerLoadCA(WOLFSSL_CERT_MANAGER* cm,
|
||||
const char* f, const char* d);
|
||||
WOLFSSL_API int wolfSSL_CertManagerLoadCABuffer_ex(WOLFSSL_CERT_MANAGER* cm,
|
||||
|
||||
@ -348,6 +348,9 @@
|
||||
|
||||
#undef OPENSSL_EXTRA
|
||||
#define OPENSSL_EXTRA
|
||||
|
||||
#undef HAVE_OID_DECODING
|
||||
#define HAVE_OID_DECODING
|
||||
#endif /* WOLFSSL_DUAL_ALG_CERTS */
|
||||
|
||||
/* ---------------------------------------------------------------------------
|
||||
|
||||
Reference in New Issue
Block a user