From 8d1b20706c493f259e283fdcdbdfcb637dcbeb0f Mon Sep 17 00:00:00 2001 From: John Safranek Date: Fri, 10 Jan 2020 16:06:26 -0800 Subject: [PATCH] Maintenance: X509 1. Add a test for the new alt name handling. 2. Added an API to set altnames in a WOLFSSL_X509 struct. Just adds DNS_entries. 3. Removed the "static" from a bunch of constant byte arrays used inside some of the ASN.1 code. --- src/ssl.c | 40 ++++++++++++++++++++++++++++++++++++++++ tests/api.c | 21 +++++++++++++++++++++ wolfcrypt/src/asn.c | 30 +++++++++++++++--------------- wolfssl/ssl.h | 1 + 4 files changed, 77 insertions(+), 15 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 882c05bc0..af27625c9 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -9743,6 +9743,46 @@ err: return NULL; } + +int wolfSSL_X509_add_altname(WOLFSSL_X509* x509, const char* name, int type) +{ + DNS_entry* newAltName = NULL; + char* nameCopy = NULL; + word32 nameSz; + + if (x509 == NULL) + return WOLFSSL_FAILURE; + + if (name == NULL) + return WOLFSSL_SUCCESS; + + nameSz = (word32)XSTRLEN(name); + if (nameSz == 0) + return WOLFSSL_SUCCESS; + + newAltName = (DNS_entry*)XMALLOC(sizeof(DNS_entry), + x509->heap, DYNAMIC_TYPE_ALTNAME); + if (newAltName == NULL) + return WOLFSSL_FAILURE; + + nameCopy = (char*)XMALLOC(nameSz + 1, x509->heap, DYNAMIC_TYPE_ALTNAME); + if (nameCopy == NULL) { + XFREE(newAltName, x509->heap, DYNAMIC_TYPE_ALTNAME); + return WOLFSSL_FAILURE; + } + + XSTRNCPY(nameCopy, name, nameSz); + + newAltName->next = x509->altNames; + newAltName->type = type; + newAltName->len = nameSz; + newAltName->name = nameCopy; + x509->altNames = newAltName; + + return WOLFSSL_SUCCESS; +} + + #ifndef NO_WOLFSSL_STUB int wolfSSL_X509_add_ext(WOLFSSL_X509 *x509, WOLFSSL_X509_EXTENSION *ext, int loc) { diff --git a/tests/api.c b/tests/api.c index 1d24b0114..ce1478ad9 100644 --- a/tests/api.c +++ b/tests/api.c @@ -22443,6 +22443,22 @@ static void test_wolfSSL_X509_sign(void) /* Set subject name, add pubkey, and sign certificate */ AssertIntEQ(X509_set_subject_name(x509, name), SSL_SUCCESS); AssertIntEQ(X509_set_pubkey(x509, pub), SSL_SUCCESS); +#ifdef WOLFSSL_ALT_NAMES + /* Add some subject alt names */ + AssertIntNE(wolfSSL_X509_add_altname(NULL, + NULL, ASN_DNS_TYPE), SSL_SUCCESS); + AssertIntEQ(wolfSSL_X509_add_altname(x509, + NULL, ASN_DNS_TYPE), SSL_SUCCESS); + AssertIntEQ(wolfSSL_X509_add_altname(x509, + "sphygmomanometer", + ASN_DNS_TYPE), SSL_SUCCESS); + AssertIntEQ(wolfSSL_X509_add_altname(x509, + "supercalifragilisticexpialidocious", + ASN_DNS_TYPE), SSL_SUCCESS); + AssertIntEQ(wolfSSL_X509_add_altname(x509, + "Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch", + ASN_DNS_TYPE), SSL_SUCCESS); +#endif /* WOLFSSL_ALT_NAMES */ /* Test invalid parameters */ AssertIntEQ(X509_sign(NULL, priv, EVP_sha256()), 0); AssertIntEQ(X509_sign(x509, NULL, EVP_sha256()), 0); @@ -22461,8 +22477,13 @@ static void test_wolfSSL_X509_sign(void) XFCLOSE(tmpFile); #endif +#ifndef WOLFSSL_ALT_NAMES /* Valid case - size should be 798 */ AssertIntEQ(ret, 798); +#else /* WOLFSSL_ALT_NAMES */ + /* Valid case - size should be 927 */ + AssertIntEQ(ret, 927); +#endif /* WOLFSSL_ALT_NAMES */ X509_NAME_free(name); EVP_PKEY_free(priv); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 9923c700b..f45e03e24 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -5408,7 +5408,7 @@ WOLFSSL_API int EccEnumToNID(int n) #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) WOLFSSL_LOCAL int wc_OBJ_sn2nid(const char *sn) { - static const struct { + const struct { const char *sn; int nid; } sn2nid[] = { @@ -11867,7 +11867,7 @@ static int SetExtensionsHeader(byte* out, word32 outSz, int extSz) /* encode CA basic constraint true, return total bytes written */ static int SetCa(byte* out, word32 outSz) { - static const byte ca[] = { 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, + const byte ca[] = { 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff }; if (out == NULL) @@ -11916,7 +11916,7 @@ static int SetSKID(byte* output, word32 outSz, const byte *input, word32 length) byte skid_len[1 + MAX_LENGTH_SZ]; byte skid_enc_len[MAX_LENGTH_SZ]; int idx = 0, skid_lenSz, skid_enc_lenSz; - static const byte skid_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04 }; + const byte skid_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04 }; if (output == NULL || input == NULL) return BAD_FUNC_ARG; @@ -11962,8 +11962,8 @@ static int SetAKID(byte* output, word32 outSz, { byte *enc_val; int ret, enc_valSz; - static const byte akid_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04 }; - static const byte akid_cs[] = { 0x80 }; + const byte akid_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04 }; + const byte akid_cs[] = { 0x80 }; (void)heap; @@ -11995,7 +11995,7 @@ static int SetKeyUsage(byte* output, word32 outSz, word16 input) { byte ku[5]; int idx; - static const byte keyusage_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x0f, + const byte keyusage_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04}; if (output == NULL) return BAD_FUNC_ARG; @@ -12023,7 +12023,7 @@ static int SetOjectIdValue(byte* output, word32 outSz, int* idx, static int SetExtKeyUsage(Cert* cert, byte* output, word32 outSz, byte input) { int idx = 0, oidListSz = 0, totalSz, ret = 0; - static const byte extkeyusage_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x25 }; + const byte extkeyusage_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x25 }; if (output == NULL) return BAD_FUNC_ARG; @@ -12115,8 +12115,8 @@ static int SetCertificatePolicies(byte *output, word32 outSz, i = 0, der_oidSz[MAX_CERTPOL_NB]; int ret; - static const byte certpol_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04 }; - static const byte oid_oid[] = { 0x06 }; + const byte certpol_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04 }; + const byte oid_oid[] = { 0x06 }; if (output == NULL || input == NULL || nb_certpol > MAX_CERTPOL_NB) return BAD_FUNC_ARG; @@ -12164,7 +12164,7 @@ static int SetAltNames(byte *output, word32 outSz, { byte san_len[1 + MAX_LENGTH_SZ]; int idx = 0, san_lenSz; - static const byte san_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x11 }; + const byte san_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x11 }; if (output == NULL || input == NULL) return BAD_FUNC_ARG; @@ -12240,7 +12240,7 @@ int FlattenAltNames(byte* output, word32 outputSz, const DNS_entry* names) #endif /* WOLFSSL_CERT_GEN */ -#endif /* WOLFSL_ALT_NAMES */ +#endif /* WOLFSSL_ALT_NAMES */ /* Encodes one attribute of the name (issuer/subject) * @@ -13127,10 +13127,10 @@ int wc_MakeNtruCert(Cert* cert, byte* derBuffer, word32 derSz, static int SetReqAttrib(byte* output, char* pw, int pwPrintableString, int extSz) { - static const byte cpOid[] = + const byte cpOid[] = { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x07 }; - static const byte erOid[] = + const byte erOid[] = { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x0e }; @@ -14929,7 +14929,7 @@ int wc_EccPrivateKeyDecode(const byte* input, word32* inOutIdx, ecc_key* key, #ifdef WOLFSSL_CUSTOM_CURVES static void ByteToHex(byte n, char* str) { - static const char hexChar[] = { '0', '1', '2', '3', '4', '5', '6', '7', + const char hexChar[] = { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' }; str[0] = hexChar[n >> 4]; @@ -16116,7 +16116,7 @@ int OcspResponseDecode(OcspResponse* resp, void* cm, void* heap, int noVerify) word32 EncodeOcspRequestExtensions(OcspRequest* req, byte* output, word32 size) { - static const byte NonceObjId[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, + const byte NonceObjId[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02 }; byte seqArray[5][MAX_SEQ_SZ]; word32 seqSz[5], totalSz = (word32)sizeof(NonceObjId); diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 2c5c53dc0..79fec7237 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -2076,6 +2076,7 @@ WOLFSSL_API int wolfSSL_X509_version(WOLFSSL_X509*); WOLFSSL_API int wolfSSL_cmp_peer_cert_to_file(WOLFSSL*, const char*); WOLFSSL_ABI WOLFSSL_API char* wolfSSL_X509_get_next_altname(WOLFSSL_X509*); +WOLFSSL_API int wolfSSL_X509_add_altname(WOLFSSL_X509*, const char*, int); WOLFSSL_API WOLFSSL_X509* wolfSSL_d2i_X509(WOLFSSL_X509** x509, const unsigned char** in, int len);