From aa020f39c49b6c231ddb404cb1eaa4d15d6289f3 Mon Sep 17 00:00:00 2001 From: Paul Adelsbach Date: Mon, 26 Jan 2026 15:46:09 -0800 Subject: [PATCH] Extend AIA interface --- certs/aia/ca-issuers-cert.pem | 20 ++++++++++++++++++++ src/x509.c | 28 ++++++++++++++++++++++++++++ tests/api.c | 26 ++++++++++++++++++++++++++ wolfssl/openssl/ssl.h | 3 +++ wolfssl/openssl/x509v3.h | 4 ++++ wolfssl/ssl.h | 4 ++++ 6 files changed, 85 insertions(+) create mode 100644 certs/aia/ca-issuers-cert.pem diff --git a/certs/aia/ca-issuers-cert.pem b/certs/aia/ca-issuers-cert.pem new file mode 100644 index 0000000000..22630fc366 --- /dev/null +++ b/certs/aia/ca-issuers-cert.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDUDCCAjigAwIBAgIUQy4lyOzJcvFVekNsQWuUegW0kGgwDQYJKoZIhvcNAQEL +BQAwGzEZMBcGA1UEAwwQd29sZnNzbC1haWEtdGVzdDAeFw0yNjAxMjYyMzE1NTZa +Fw0yNzAxMjYyMzE1NTZaMBsxGTAXBgNVBAMMEHdvbGZzc2wtYWlhLXRlc3QwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDM1vUyiX+qtPFhhEqZq3bCUKpd +6QtswO7YWj+us79yh99mIGE7EZlSfTv0n3rn2//m5bQ7a+TSYMkDyNjPEH6Z+ub2 +qW4EJyc4J9DfC+T9gJM4dvsij+F8TUne/o5iCwFdiZEycEj0vtyYh53du3oqlZTY +yt8q4k5INoTl+ELCX/L0YqR/+Fl2qaloK7YHUb3EdSqBEGoa/IEfnxHMreZWhVYd +pSdDnT9rfNqT5Kb2e+eZbZZSouEmebhx9ioRfIXDadSCCa1JNp4fO3YlcDmmEahx +6TcjEmhUt80+hjhJhqrh4vPlxI24qHmfOe+k2qSimpJse/AUuz7wGRjx6ktfAgMB +AAGjgYswgYgwHQYDVR0OBBYEFMvT3KE5dvI6t3KNrcuctkm6wvXMMB8GA1UdIwQY +MBaAFMvT3KE5dvI6t3KNrcuctkm6wvXMMA8GA1UdEwEB/wQFMAMBAf8wNQYIKwYB +BQUHAQEEKTAnMCUGCCsGAQUFBzAChhlodHRwOi8vZXhhbXBsZS5jb20vY2EucGVt +MA0GCSqGSIb3DQEBCwUAA4IBAQCjxEHOlxVfmE8xgcQCnr1b4IK5EBuIMUaS7lko +AHmHvj7z9rr2cxbJhGYQxcttZ4/SQldRqpmiB0cUmko4LbD9yos4FKlyGe3xWvKa +W17SdpJU2PREShGLLqP7bwiWV6wVyo6puwDHLYSjH5vYr+IcSNNc0GuMZg1OhTWt +2PYG2vGbHoNR0/UyNibGmaPBimg0nb2GTizY7yWm+N/yXnWa6Wc5yyiF1zExw/GO +8O/rF0Lg/Gy/v6LnnNmhSOr9ENPKgQEAHFmJRXBXqDYUNhcm2U3PzlfBa06SHFcr +b59n5jgJmcNSwYDJAYKEhMvjBL40DmiWaRfol2DPoIZ7YtRf +-----END CERTIFICATE----- diff --git a/src/x509.c b/src/x509.c index 291cd37ba2..78e91338cb 100644 --- a/src/x509.c +++ b/src/x509.c @@ -15021,6 +15021,34 @@ WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ocsp(WOLFSSL_X509 *x) return list; } +#ifdef WOLFSSL_ASN_CA_ISSUER +WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ca_issuers(WOLFSSL_X509 *x) +{ + WOLFSSL_STACK* list = NULL; + char* url; + + if (x == NULL || x->authInfoCaIssuerSz == 0) + return NULL; + + list = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK) + + x->authInfoCaIssuerSz + 1, + NULL, DYNAMIC_TYPE_OPENSSL); + if (list == NULL) + return NULL; + + url = (char*)list; + url += sizeof(WOLFSSL_STACK); + XMEMCPY(url, x->authInfoCaIssuer, x->authInfoCaIssuerSz); + url[x->authInfoCaIssuerSz] = '\0'; + + list->data.string = url; + list->next = NULL; + list->num = 1; + + return list; +} +#endif /* WOLFSSL_ASN_CA_ISSUER */ + int wolfSSL_X509_check_issued(WOLFSSL_X509 *issuer, WOLFSSL_X509 *subject) { WOLFSSL_X509_NAME *issuerName = wolfSSL_X509_get_issuer_name(subject); diff --git a/tests/api.c b/tests/api.c index 95b5f37713..49478e4108 100644 --- a/tests/api.c +++ b/tests/api.c @@ -19199,6 +19199,31 @@ static int test_wolfSSL_OCSP_REQ_CTX(void) return EXPECT_RESULT(); } +static int test_wolfSSL_X509_get1_ca_issuers(void) +{ + EXPECT_DECLS; +#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \ + defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) && \ + defined(WOLFSSL_ASN_CA_ISSUER) && !defined(NO_FILESYSTEM) + X509* cert = NULL; + STACK_OF(WOLFSSL_STRING) *skStr = NULL; + WOLFSSL_STRING url = NULL; + const char* expected = "http://example.com/ca.pem"; + + ExpectNull(wolfSSL_X509_get1_ca_issuers(NULL)); + ExpectNotNull(cert = wolfSSL_X509_load_certificate_file( + "certs/aia/ca-issuers-cert.pem", WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(skStr = wolfSSL_X509_get1_ca_issuers(cert)); + ExpectIntEQ(wolfSSL_sk_WOLFSSL_STRING_num(skStr), 1); + ExpectNotNull(url = wolfSSL_sk_WOLFSSL_STRING_value(skStr, 0)); + ExpectIntEQ(XSTRCMP(url, expected), 0); + + wolfSSL_X509_email_free(skStr); + wolfSSL_X509_free(cert); +#endif + return EXPECT_RESULT(); +} + static int test_no_op_functions(void) { EXPECT_DECLS; @@ -31666,6 +31691,7 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_OCSP_resp_get0), TEST_DECL(test_wolfSSL_OCSP_parse_url), TEST_DECL(test_wolfSSL_OCSP_REQ_CTX), + TEST_DECL(test_wolfSSL_X509_get1_ca_issuers), TEST_DECL(test_wolfSSL_PEM_read), diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 5b8175564e..093be3a47c 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -565,6 +565,9 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS; #define X509_get_ex_data wolfSSL_X509_get_ex_data #define X509_set_ex_data wolfSSL_X509_set_ex_data #define X509_get1_ocsp wolfSSL_X509_get1_ocsp +#ifdef WOLFSSL_ASN_CA_ISSUER +#define X509_get1_ca_issuers wolfSSL_X509_get1_ca_issuers +#endif /* WOLFSSL_ASN_CA_ISSUER */ #define X509_get_version wolfSSL_X509_get_version #define X509_get_signature_nid wolfSSL_X509_get_signature_nid #define X509_set_subject_name wolfSSL_X509_set_subject_name diff --git a/wolfssl/openssl/x509v3.h b/wolfssl/openssl/x509v3.h index c6a05172fc..857a9be41d 100644 --- a/wolfssl/openssl/x509v3.h +++ b/wolfssl/openssl/x509v3.h @@ -224,6 +224,10 @@ typedef struct WOLFSSL_NAME_CONSTRAINTS NAME_CONSTRAINTS; #define X509V3_EXT_print wolfSSL_X509V3_EXT_print #define X509V3_EXT_conf_nid wolfSSL_X509V3_EXT_conf_nid #define X509V3_set_ctx wolfSSL_X509V3_set_ctx +#define X509_get1_ocsp wolfSSL_X509_get1_ocsp +#ifdef WOLFSSL_ASN_CA_ISSUER +#define X509_get1_ca_issuers wolfSSL_X509_get1_ca_issuers +#endif /* WOLFSSL_ASN_CA_ISSUER */ #ifndef NO_WOLFSSL_STUB #define X509V3_set_nconf(ctx, conf) WC_DO_NOTHING #define X509V3_EXT_cleanup() WC_DO_NOTHING diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 08989907c3..5e80404d32 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -5796,6 +5796,10 @@ WOLFSSL_API int wolfSSL_X509_STORE_CTX_get1_issuer(WOLFSSL_X509 **issuer, WOLFSSL_API void wolfSSL_X509_email_free(WOLF_STACK_OF(WOLFSSL_STRING) *sk); WOLFSSL_API WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ocsp(WOLFSSL_X509 *x); +#ifdef WOLFSSL_ASN_CA_ISSUER +WOLFSSL_API WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ca_issuers( + WOLFSSL_X509 *x); +#endif /* WOLFSSL_ASN_CA_ISSUER */ WOLFSSL_API int wolfSSL_X509_check_issued(WOLFSSL_X509 *issuer, WOLFSSL_X509 *subject);