From 61ccea55ac048a9f075e2e4f0f75754ae5be20bb Mon Sep 17 00:00:00 2001 From: Kareem Date: Wed, 30 Jul 2025 16:33:30 -0700 Subject: [PATCH] Allow setting the CA type when loading into cert manager and unloading specific CA types from the cert manager. --- src/ssl.c | 43 ++++++++++++++++++++++++++++++ src/ssl_certman.c | 65 +++++++++++++++++++++++++++++++++++++++++++--- wolfssl/internal.h | 1 + wolfssl/ssl.h | 8 +++++- 4 files changed, 112 insertions(+), 5 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 766ad47cd..a4015ba29 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -6142,6 +6142,49 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) return ret == 0 ? WOLFSSL_SUCCESS : ret; } +/* Sets the CA with the passed in subject hash + to the provided type. */ +int SetCAType(WOLFSSL_CERT_MANAGER* cm, byte* hash, int type) +{ + Signer* current; + int ret = WC_NO_ERR_TRACE(WOLFSSL_FAILURE); + word32 row; + + WOLFSSL_MSG_EX("Setting CA to type %d", type); + + if (cm == NULL || hash == NULL || + type < WOLFSSL_USER_CA || type > WOLFSSL_USER_INTER) { + return ret; + } + + row = HashSigner(hash); + + if (wc_LockMutex(&cm->caLock) != 0) { + return ret; + } + current = cm->caTable[row]; + while (current) { + byte* subjectHash; + + #ifndef NO_SKID + subjectHash = current->subjectKeyIdHash; + #else + subjectHash = current->subjectNameHash; + #endif + + if (XMEMCMP(hash, subjectHash, SIGNER_DIGEST_SIZE) == 0) { + current->type = type; + ret = WOLFSSL_SUCCESS; + break; + } + current = current->next; + } + wc_UnLockMutex(&cm->caLock); + + WOLFSSL_LEAVE("SetCAType", ret); + + return ret; +} #endif /* !NO_CERTS */ diff --git a/src/ssl_certman.c b/src/ssl_certman.c index 286831b9d..7a77e432c 100644 --- a/src/ssl_certman.c +++ b/src/ssl_certman.c @@ -453,7 +453,7 @@ int wolfSSL_CertManagerUnloadCAs(WOLFSSL_CERT_MANAGER* cm) return ret; } -static int wolfSSL_CertManagerUnloadIntermediateCertsEx( +int wolfSSL_CertManagerUnloadIntermediateCertsEx( WOLFSSL_CERT_MANAGER* cm, byte type) { int ret = WOLFSSL_SUCCESS; @@ -544,17 +544,25 @@ int wolfSSL_CertManagerUnload_trust_peers(WOLFSSL_CERT_MANAGER* cm) * WOLFSSL_LOAD_FLAG_PEM_CA_ONLY, * WOLFSSL_LOAD_FLAG_IGNORE_BAD_PATH_ERR, and * WOLFSSL_LOAD_FLAG_IGNORE_ZEROFILE. + * @param [in] type The CA cert's type, used in the internal CA + table. Defaults to WOLFSSL_USER_CA, passing + in WOLFSSL_USER_CA = noop. Recommended to + set to WOLFSSL_USER_INTER when loading + intermediate certs to allow unloading via + wolfSSL_CertManagerUnloadIntermediateCertsEx. * @return WOLFSSL_SUCCESS on success. * @return WOLFSSL_FATAL_ERROR when cm is NULL or failed create WOLFSSL_CTX. * @return Other values on loading failure. */ -int wolfSSL_CertManagerLoadCABuffer_ex(WOLFSSL_CERT_MANAGER* cm, - const unsigned char* buff, long sz, int format, int userChain, word32 flags) +int wolfSSL_CertManagerLoadCABuffer_ex2(WOLFSSL_CERT_MANAGER* cm, + const unsigned char* buff, long sz, int format, int userChain, + word32 flags, int type) { int ret = WOLFSSL_SUCCESS; WOLFSSL_CTX* tmp = NULL; + DecodedCert* dCert = NULL; - WOLFSSL_ENTER("wolfSSL_CertManagerLoadCABuffer_ex"); + WOLFSSL_ENTER("wolfSSL_CertManagerLoadCABuffer_ex2"); /* Validate parameters. */ if (cm == NULL) { @@ -583,10 +591,59 @@ int wolfSSL_CertManagerLoadCABuffer_ex(WOLFSSL_CERT_MANAGER* cm, /* Clear certificate manager in WOLFSSL_CTX so it won't be freed. */ tmp->cm = NULL; } + if (ret == WOLFSSL_SUCCESS && type != WOLFSSL_USER_CA) { + dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, + DYNAMIC_TYPE_DCERT); + + if (dCert == NULL) { + ret = WOLFSSL_FATAL_ERROR; + } else { + XMEMSET(dCert, 0, sizeof(DecodedCert)); + wc_InitDecodedCert(dCert, buff, + sz, cm->heap); + ret = wc_ParseCert(dCert, CA_TYPE, NO_VERIFY, NULL); + if (ret) { + ret = WOLFSSL_FATAL_ERROR; + } else { + ret = SetCAType(cm, dCert->extSubjKeyId, type); + } + + if (dCert) { + wc_FreeDecodedCert(dCert); + XFREE(dCert, NULL, DYNAMIC_TYPE_DCERT); + } + } + } /* Dispose of temporary WOLFSSL_CTX. */ wolfSSL_CTX_free(tmp); return ret; + +} + +/* Load certificate/s from buffer with flags. + * + * @param [in] cm Certificate manager. + * @param [in] buff Buffer holding encoding of certificate. + * @param [in] sz Length in bytes of data in buffer. + * @param [in] format Format of encoding. Valid values: + * WOLFSSL_FILETYPE_ASN1, WOLFSSL_FILETYPE_PEM. + * @param [in] userChain Indicates buffer holds chain of certificates. + * @param [in] flags Flags to modify behaviour of loading. Valid flags: + * WOLFSSL_LOAD_FLAG_IGNORE_ERR, + * WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY, + * WOLFSSL_LOAD_FLAG_PEM_CA_ONLY, + * WOLFSSL_LOAD_FLAG_IGNORE_BAD_PATH_ERR, and + * WOLFSSL_LOAD_FLAG_IGNORE_ZEROFILE. + * @return WOLFSSL_SUCCESS on success. + * @return WOLFSSL_FATAL_ERROR when cm is NULL or failed create WOLFSSL_CTX. + * @return Other values on loading failure. + */ +int wolfSSL_CertManagerLoadCABuffer_ex(WOLFSSL_CERT_MANAGER* cm, + const unsigned char* buff, long sz, int format, int userChain, word32 flags) +{ + return wolfSSL_CertManagerLoadCABuffer_ex2(cm, buff, sz, format, userChain, + flags, WOLFSSL_USER_CA); } /* Load certificate/s from buffer into table. diff --git a/wolfssl/internal.h b/wolfssl/internal.h index c5beafa60..59603477b 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -4276,6 +4276,7 @@ int ProcessOldClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, WOLFSSL_LOCAL int AddSigner(WOLFSSL_CERT_MANAGER* cm, Signer *s); WOLFSSL_LOCAL int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify); + WOLFSSL_LOCAL int SetCAType(WOLFSSL_CERT_MANAGER* cm, byte* hash, int type); WOLFSSL_LOCAL int AlreadySigner(WOLFSSL_CERT_MANAGER* cm, byte* hash); #ifdef WOLFSSL_TRUST_PEER_CERT diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 44c5f35f2..5cefabb59 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -3719,8 +3719,9 @@ enum { WOLFSSL_USER_CA = 1, /* user added as trusted */ WOLFSSL_CHAIN_CA = 2, /* added to cache from trusted chain */ - WOLFSSL_TEMP_CA = 3 /* Temp intermediate CA, only for use by + WOLFSSL_TEMP_CA = 3, /* Temp intermediate CA, only for use by * X509_STORE */ + WOLFSSL_USER_INTER = 4 /* user added intermediate cert */ }; WOLFSSL_ABI WOLFSSL_API WC_RNG* wolfSSL_GetRNG(WOLFSSL* ssl); @@ -4202,6 +4203,9 @@ WOLFSSL_API void wolfSSL_CTX_SetPerformTlsRecordProcessingCb(WOLFSSL_CTX* ctx, WOLFSSL_API int wolfSSL_CertManagerLoadCA(WOLFSSL_CERT_MANAGER* cm, const char* f, const char* d); + WOLFSSL_API int wolfSSL_CertManagerLoadCABuffer_ex2(WOLFSSL_CERT_MANAGER* cm, + const unsigned char* buff, long sz, int format, int userChain, + word32 flags, int type); WOLFSSL_API int wolfSSL_CertManagerLoadCABuffer_ex(WOLFSSL_CERT_MANAGER* cm, const unsigned char* buff, long sz, int format, int userChain, word32 flags); @@ -4209,6 +4213,8 @@ WOLFSSL_API void wolfSSL_CTX_SetPerformTlsRecordProcessingCb(WOLFSSL_CTX* ctx, const unsigned char* buff, long sz, int format); WOLFSSL_API int wolfSSL_CertManagerUnloadCAs(WOLFSSL_CERT_MANAGER* cm); + WOLFSSL_API int wolfSSL_CertManagerUnloadIntermediateCertsEx( + WOLFSSL_CERT_MANAGER* cm, byte type); WOLFSSL_API int wolfSSL_CertManagerUnloadIntermediateCerts( WOLFSSL_CERT_MANAGER* cm); #ifdef WOLFSSL_TRUST_PEER_CERT