Time-Stamp Protocol (RFC 3161)

Implementation in wolfCrypt
OpenSSL compatibility layer in wolfSSL
Added tests, certificates, examples.
This commit is contained in:
Sean Parkinson
2026-06-25 21:59:57 +10:00
parent 0ecc0c5973
commit ae023a5643
73 changed files with 18311 additions and 27 deletions
+8
View File
@@ -74,6 +74,14 @@ jobs:
"--enable-curve448", "--enable-mlkem", "--enable-staticmemory",
"CFLAGS=-DWOLFSSL_NO_MALLOC -pedantic -Wdeclaration-after-statement -Wnull-dereference -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"],
"check": false,
"run": [["./wolfcrypt/test/testwolfcrypt"]]},
{"name": "tps-staticmemory", "minutes": 0.8,
"configure": ["--enable-ecc", "--enable-rsa", "--enable-keygen",
"--enable-ed25519", "--enable-curve25519", "--enable-ed448",
"--enable-curve448", "--enable-mlkem", "--enable-tsp",
"--enable-staticmemory",
"CFLAGS=-DWOLFSSL_NO_MALLOC -pedantic -Wdeclaration-after-statement -Wnull-dereference -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"],
"check": false,
"run": [["./wolfcrypt/test/testwolfcrypt"]]}
]
EOF
+31
View File
@@ -310,6 +310,37 @@ jobs:
{"name": "pkcs7", "minutes": 1.3,
"comment": "PKCS#7 without RSA-PSS",
"configure": ["--enable-pkcs7"]},
{"name": "tsp", "minutes": 1.3,
"comment": "Time-Stamp Protocol",
"configure": ["--enable-tsp"]},
{"name": "tsp-openssl", "minutes": 1.3,
"comment": "Time-Stamp Protocol with OpenSSL compat",
"configure": ["--enable-tsp", "--enable-opensslall"]},
{"name": "tsp-no-ecc", "minutes": 1.3,
"comment": "Time-Stamp Protocol without ECC",
"configure": ["--enable-tsp", "--disable-ecc"]},
{"name": "tsp-no-rsa", "minutes": 1.3,
"comment": "Time-Stamp Protocol without RSA",
"configure": ["--enable-tsp", "--disable-rsa"]},
{"name": "tsp-smallstack", "minutes": 1.3,
"comment": "Time-Stamp Protocol Small Stack",
"configure": ["--enable-tsp", "CPPFLAGS=-DWOLFSSL_SMALL_STACK"]},
{"name": "tsp-min-hash-str", "minutes": 2.7,
"comment": "Time-Stamp Protocol Minimum 128-bit hash strength",
"configure": ["--enable-tsp",
"CPPFLAGS=-DWC_TSP_MIN_HASH_STRENGTH_BITS=128"]},
{"name": "tsp-requester", "minutes": 1.3,
"comment": "Time-Stamp Protocol Requester",
"configure": ["--enable-tsp", "--enable-opensslall",
"CPPFLAGS=-DWOLFSSL_TSP_REQUESTER"]},
{"name": "tsp-responder", "minutes": 1.3,
"comment": "Time-Stamp Protocol Responder",
"configure": ["--enable-tsp", "--enable-opensslall",
"CPPFLAGS=-DWOLFSSL_TSP_RESPONDER"]},
{"name": "tsp-verifier", "minutes": 1.3,
"comment": "Time-Stamp Protocol Verifier",
"configure": ["--enable-tsp", "--enable-opensslall",
"CPPFLAGS=-DWOLFSSL_TSP_VERIFIER"]},
{"name": "no-tls-cryptocb-aesgcm-setkey-free", "minutes": 1.3,
"configure": ["--disable-tls", "--enable-cryptocb", "--enable-aesgcm",
"CPPFLAGS=-DWOLF_CRYPTO_CB_AES_SETKEY -DWOLF_CRYPTO_CB_FREE"]},
+3
View File
@@ -72,6 +72,9 @@ examples/sctp/sctp-client-dtls
examples/asn1/asn1
examples/pem/pem
examples/ocsp_responder/ocsp_responder
examples/tsp/tsp_query
examples/tsp/tsp_reply
examples/tsp/tsp_verify
server_ready
snifftest
output
+11
View File
@@ -2021,6 +2021,9 @@ endif()
set(WOLFSSL_PKCS7_HELP_STRING "Enable PKCS7 (default: disabled)")
add_option(WOLFSSL_PKCS7 ${WOLFSSL_PKCS7_HELP_STRING} "no" "yes;no")
set(WOLFSSL_TSP_HELP_STRING "Enable RFC 3161 Time-Stamp Protocol (default: disabled)")
add_option(WOLFSSL_TSP ${WOLFSSL_TSP_HELP_STRING} "no" "yes;no")
set(WOLFSSL_TPM_HELP_STRING "Enable wolfTPM options (default: disabled)")
add_option(WOLFSSL_TPM ${WOLFSSL_TPM_HELP_STRING} "no" "yes;no")
@@ -2412,6 +2415,12 @@ if(WOLFSSL_AESCFB)
endif()
if(WOLFSSL_TSP)
list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_TSP")
# Requires PKCS7 for time-stamp token creation and verification
override_cache(WOLFSSL_PKCS7 "yes")
endif()
if(WOLFSSL_PKCS7)
list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_PKCS7")
override_cache(WOLFSSL_AESKEYWRAP "yes")
@@ -2965,6 +2974,8 @@ if(WOLFSSL_EXAMPLES)
tests/api/test_asn.c
tests/api/test_pkcs7.c
tests/api/test_pkcs12.c
tests/api/test_tsp.c
tests/api/test_ossl_tsp.c
tests/api/test_pwdbased.c
tests/api/test_ossl_asn1.c
tests/api/test_ossl_bio.c
+1
View File
@@ -87,6 +87,7 @@
<ClCompile Include="..\..\wolfcrypt\src\sp_x86_64.c" />
<ClCompile Include="..\..\wolfcrypt\src\srp.c" />
<ClCompile Include="..\..\wolfcrypt\src\tfm.c" />
<ClCompile Include="..\..\wolfcrypt\src\tsp.c" />
<ClCompile Include="..\..\wolfcrypt\src\wc_encrypt.c" />
<ClCompile Include="..\..\wolfcrypt\src\wc_port.c" />
<ClCompile Include="..\..\wolfcrypt\src\wolfevent.c" />
+1
View File
@@ -185,6 +185,7 @@
<ClCompile Include="..\..\wolfcrypt\src\signature.c" />
<ClCompile Include="..\..\wolfcrypt\src\srp.c" />
<ClCompile Include="..\..\wolfcrypt\src\tfm.c" />
<ClCompile Include="..\..\wolfcrypt\src\tsp.c" />
<ClCompile Include="..\..\wolfcrypt\src\wc_encrypt.c" />
<ClCompile Include="..\..\wolfcrypt\src\wc_port.c" />
<ClCompile Include="..\..\wolfcrypt\src\wc_slhdsa.c" />
+1
View File
@@ -285,6 +285,7 @@
<ClCompile Include="..\..\wolfcrypt\src\integer.c" />
<ClCompile Include="..\..\wolfcrypt\src\pkcs7.c" />
<ClCompile Include="..\..\wolfcrypt\src\tfm.c" />
<ClCompile Include="..\..\wolfcrypt\src\tsp.c" />
<ClCompile Include="..\..\src\internal.c" />
<ClCompile Include="..\..\src\wolfio.c" />
<ClCompile Include="..\..\wolfcrypt\src\kdf.c" />
+16
View File
@@ -37,6 +37,14 @@ EXTRA_DIST += \
certs/client-ca-cert.pem \
certs/dh2048.pem \
certs/server-cert.pem \
certs/tsa-bad-ku-cert.pem \
certs/tsa-extra-eku-cert.pem \
certs/tsa-chain-cert.pem \
certs/tsa-chain-key.pem \
certs/tsa-cert.pem \
certs/tsa-ecc-cert.pem \
certs/tsa-ecc-key.pem \
certs/tsa-key.pem \
certs/server-ecc.pem \
certs/server-ecc-self.pem \
certs/server-ecc-comp.pem \
@@ -119,6 +127,14 @@ EXTRA_DIST += \
certs/ecc-keyPub.der \
certs/server-key.der \
certs/server-cert.der \
certs/tsa-key.der \
certs/tsa-cert.der \
certs/tsa-ecc-key.der \
certs/tsa-ecc-cert.der \
certs/tsa-bad-ku-cert.der \
certs/tsa-extra-eku-cert.der \
certs/tsa-chain-cert.der \
certs/tsa-chain-key.der \
certs/server-ecc-comp.der \
certs/server-ecc.der \
certs/server-ecc-self.der \
+123
View File
@@ -39,6 +39,17 @@
# aia/multi-aia-cert.pem
# aia/overflow-aia-cert.pem
# sia/timestamping-sia-cert.pem
# tsa-cert.pem
# tsa-cert.der
# tsa-ecc-cert.pem
# tsa-ecc-cert.der
# tsa-bad-ku-cert.pem
# tsa-bad-ku-cert.der
# tsa-extra-eku-cert.pem
# tsa-extra-eku-cert.der
# tsa-chain-cert.pem
# tsa-chain-cert.der
# intermediate/ca-int-cert.der
# updates the following crls:
# crl/cliCrl.pem
# crl/crl.pem
@@ -216,6 +227,118 @@ run_renewcerts(){
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
######## update the self-signed (2048-bit) tsa-cert.pem ###
############################################################
echo "Updating 2048-bit tsa-cert.pem"
echo ""
openssl req -new -key tsa-key.pem -config ./renewcerts/wolfssl.cnf -nodes -subj "/C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=TSA-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com" -out tsa-cert.csr
check_result $? "Step 1"
openssl x509 -req -in tsa-cert.csr -days 1000 -extfile ./renewcerts/wolfssl.cnf -extensions tsa_cert -signkey tsa-key.pem -out tsa-cert.pem
check_result $? "Step 2"
rm tsa-cert.csr
openssl x509 -in tsa-cert.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem tsa-cert.pem
openssl x509 -in tsa-cert.pem -outform der -out tsa-cert.der
check_result $? "Step 4"
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
## update the intermediate-issued tsa-chain-cert.pem ######
############################################################
echo "Updating 2048-bit tsa-chain-cert.pem"
echo ""
openssl req -new -key tsa-chain-key.pem -config ./renewcerts/wolfssl.cnf -nodes -subj "/C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=TSA-chain-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com" -out tsa-chain-cert.csr
check_result $? "Step 1"
openssl x509 -req -in tsa-chain-cert.csr -days 1000 -extfile ./renewcerts/wolfssl.cnf -extensions tsa_cert -CA intermediate/ca-int-cert.pem -CAkey intermediate/ca-int-key.pem -CAcreateserial -out tsa-chain-cert.pem
check_result $? "Step 2"
rm tsa-chain-cert.csr
rm -f intermediate/ca-int-cert.srl
openssl x509 -in tsa-chain-cert.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem tsa-chain-cert.pem
openssl x509 -in tsa-chain-cert.pem -outform der -out tsa-chain-cert.der
check_result $? "Step 4"
# DER of the issuing intermediate CA - consumed as a cert buffer
# (certs_test.h) for the TSA chain verification test. Derived from the
# existing PEM; not removed.
openssl x509 -in intermediate/ca-int-cert.pem -outform der -out intermediate/ca-int-cert.der
check_result $? "Step 5"
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
########## update the self-signed tsa-ecc-cert.pem ########
############################################################
echo "Updating tsa-ecc-cert.pem"
echo ""
openssl req -new -key tsa-ecc-key.pem -config ./renewcerts/wolfssl.cnf -nodes -subj "/C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=TSA-ECC/CN=www.wolfssl.com/emailAddress=info@wolfssl.com" -out tsa-ecc-cert.csr
check_result $? "Step 1"
openssl x509 -req -in tsa-ecc-cert.csr -days 1000 -extfile ./renewcerts/wolfssl.cnf -extensions tsa_cert -signkey tsa-ecc-key.pem -out tsa-ecc-cert.pem
check_result $? "Step 2"
rm tsa-ecc-cert.csr
openssl x509 -in tsa-ecc-cert.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem tsa-ecc-cert.pem
openssl x509 -in tsa-ecc-cert.pem -outform der -out tsa-ecc-cert.der
check_result $? "Step 4"
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
## update the self-signed (2048-bit) tsa-bad-ku-cert.pem ##
############################################################
echo "Updating 2048-bit tsa-bad-ku-cert.pem"
echo ""
openssl req -new -key tsa-key.pem -config ./renewcerts/wolfssl.cnf -nodes -subj "/C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=TSA-bad-ku-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com" -out tsa-bad-ku-cert.csr
check_result $? "Step 1"
openssl x509 -req -in tsa-bad-ku-cert.csr -days 1000 -extfile ./renewcerts/wolfssl.cnf -extensions tsa_bad_ku_cert -signkey tsa-key.pem -out tsa-bad-ku-cert.pem
check_result $? "Step 2"
rm tsa-bad-ku-cert.csr
openssl x509 -in tsa-bad-ku-cert.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem tsa-bad-ku-cert.pem
openssl x509 -in tsa-bad-ku-cert.pem -outform der -out tsa-bad-ku-cert.der
check_result $? "Step 4"
echo "End of section"
echo "---------------------------------------------------------------------"
###############################################################
## update the self-signed (2048-bit) tsa-extra-eku-cert.pem ##
###############################################################
echo "Updating 2048-bit tsa-extra-eku-cert.pem"
echo ""
openssl req -new -key tsa-key.pem -config ./renewcerts/wolfssl.cnf -nodes -subj "/C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=TSA-extra-eku-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com" -out tsa-extra-eku-cert.csr
check_result $? "Step 1"
openssl x509 -req -in tsa-extra-eku-cert.csr -days 1000 -extfile ./renewcerts/wolfssl.cnf -extensions tsa_extra_eku_cert -signkey tsa-key.pem -out tsa-extra-eku-cert.pem
check_result $? "Step 2"
rm tsa-extra-eku-cert.csr
openssl x509 -in tsa-extra-eku-cert.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem tsa-extra-eku-cert.pem
openssl x509 -in tsa-extra-eku-cert.pem -outform der -out tsa-extra-eku-cert.der
check_result $? "Step 4"
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
#### update the self-signed (1024-bit) client-cert.pem #####
############################################################
+27
View File
@@ -452,3 +452,30 @@ DNS.1 = www.example.org
URI.1 = https://www.wolfssl.com/
otherName.2 = 2.16.840.1.101.3.6.6;FORMAT:HEX,OCT:D1:38:10:D8:28:AF:2C:10:84:35:15:A1:68:58:28:AF:02:10:86:A2:84:E7:39:C3:EB
# TSA certificate extensions - RFC 3161 time-stamping only
[ tsa_cert ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:false
subjectAltName = DNS:tsa.wolfssl.com
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, timeStamping
# TSA certificate extensions with wrong key usage - for failure testing
[ tsa_bad_ku_cert ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:false
keyUsage = critical, keyEncipherment
extendedKeyUsage = critical, timeStamping
# TSA certificate extensions with an extra (non-timeStamping) extended key
# usage - for failure testing. The extra purpose is an unrecognized OID so the
# time-stamping bit is still the only one set; rejection relies on the count.
[ tsa_extra_eku_cert ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:false
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, timeStamping, 1.3.6.1.4.1.99999.1
Binary file not shown.
+93
View File
@@ -0,0 +1,93 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7d:ef:e7:fe:70:74:73:af:df:71:6b:d3:ba:fb:d0:4b:a3:50:26:d3
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL, OU=TSA-bad-ku-2048, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
Validity
Not Before: Jun 4 20:35:37 2026 GMT
Not After : Feb 28 20:35:37 2029 GMT
Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL, OU=TSA-bad-ku-2048, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:93:74:96:f0:0c:fd:d7:2a:5a:a0:a1:6e:b4:63:
b7:f4:e6:8b:77:8f:49:f7:a9:0c:b3:3d:5a:60:a8:
b8:67:75:b8:d0:ce:ba:ce:65:e5:64:a2:d0:c8:d0:
2c:5b:a8:a5:d3:3f:2c:46:07:e6:b1:b7:a5:65:f8:
9f:89:e1:93:bc:49:cd:55:fd:9b:a1:1e:1e:f7:99:
07:4a:1c:c8:b6:88:a2:5e:77:a5:3f:79:2f:d3:43:
41:f6:cf:ff:78:30:89:12:b1:0c:3f:f5:2f:62:e6:
71:33:02:70:d9:42:1b:e4:07:9c:9d:c7:5e:5b:4e:
93:8f:6b:0e:fe:5b:7e:02:6f:8d:e8:7d:e9:aa:1d:
12:f2:6b:a4:55:61:59:e0:3a:38:b0:14:41:9d:bb:
c6:e0:6a:9d:35:a8:08:f2:3c:29:b9:a7:b2:38:47:
f6:70:1a:b8:d2:d5:c9:48:f0:ee:60:1d:14:77:8a:
2c:38:90:29:7f:42:e4:dd:92:0a:8d:03:88:44:0a:
f0:b6:14:bd:e5:11:50:94:26:fb:3e:ab:17:69:3d:
a6:45:c7:ad:86:41:66:e6:53:e5:dc:d8:4a:04:c7:
af:fb:a7:df:99:77:57:d9:25:7c:67:73:3d:ee:60:
f3:63:2d:68:0f:97:da:68:d5:3d:e5:06:92:82:dd:
90:25
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
C0:19:81:BB:D6:3D:BB:41:E8:22:1A:08:50:AD:57:FB:E5:B5:EA:9D
X509v3 Authority Key Identifier:
keyid:C0:19:81:BB:D6:3D:BB:41:E8:22:1A:08:50:AD:57:FB:E5:B5:EA:9D
DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=TSA-bad-ku-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
serial:7D:EF:E7:FE:70:74:73:AF:DF:71:6B:D3:BA:FB:D0:4B:A3:50:26:D3
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage: critical
Key Encipherment
X509v3 Extended Key Usage: critical
Time Stamping
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
1c:b5:98:0a:98:28:90:9f:7c:ff:d9:d4:3b:92:3d:b3:7c:d6:
9b:b4:88:59:0d:cd:58:7a:6a:ad:f0:6f:f3:ed:5e:57:d7:14:
3e:64:50:1c:11:33:ab:62:09:f1:8f:58:15:93:25:20:ed:f3:
cb:ed:a3:d2:21:7c:c2:02:14:fa:61:cf:20:13:8a:6b:f1:95:
81:94:e8:d7:fd:24:13:fb:87:e3:2c:fb:4e:d7:ce:46:ab:fd:
21:bc:93:b8:0d:88:2a:76:b6:02:f9:ef:58:fc:36:b5:11:5a:
07:62:0d:a3:1a:e6:77:a7:28:b2:0e:c6:b1:a4:66:52:99:11:
90:11:4a:d7:98:e5:9f:b1:e7:99:fe:a6:66:66:5e:1e:52:bb:
b8:e7:bd:e9:95:d4:03:47:de:c7:cd:f7:58:67:af:12:57:28:
33:a7:34:ef:74:2f:6c:67:43:29:6d:57:80:b4:2d:67:21:2a:
52:41:97:1d:2d:af:2c:c7:1f:c8:20:6d:9a:79:82:f7:a6:3b:
97:5b:1a:bc:f4:2a:d9:df:a6:45:db:a2:c1:83:5a:39:ef:f9:
6f:f7:14:42:30:0f:52:71:6e:6b:05:19:ca:51:4e:a0:f1:4a:
ba:6f:95:46:3d:ea:1a:ab:e3:37:bd:30:ba:b9:b5:30:fd:97:
e4:7a:49:d4
-----BEGIN CERTIFICATE-----
MIIE8zCCA9ugAwIBAgIUfe/n/nB0c6/fcWvTuvvQS6NQJtMwDQYJKoZIhvcNAQEL
BQAwgZgxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
b3plbWFuMRAwDgYDVQQKDAd3b2xmU1NMMRgwFgYDVQQLDA9UU0EtYmFkLWt1LTIw
NDgxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5m
b0B3b2xmc3NsLmNvbTAeFw0yNjA2MDQyMDM1MzdaFw0yOTAyMjgyMDM1MzdaMIGY
MQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1h
bjEQMA4GA1UECgwHd29sZlNTTDEYMBYGA1UECwwPVFNBLWJhZC1rdS0yMDQ4MRgw
FgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s
ZnNzbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCTdJbwDP3X
KlqgoW60Y7f05ot3j0n3qQyzPVpgqLhndbjQzrrOZeVkotDI0CxbqKXTPyxGB+ax
t6Vl+J+J4ZO8Sc1V/ZuhHh73mQdKHMi2iKJed6U/eS/TQ0H2z/94MIkSsQw/9S9i
5nEzAnDZQhvkB5ydx15bTpOPaw7+W34Cb43ofemqHRLya6RVYVngOjiwFEGdu8bg
ap01qAjyPCm5p7I4R/ZwGrjS1clI8O5gHRR3iiw4kCl/QuTdkgqNA4hECvC2FL3l
EVCUJvs+qxdpPaZFx62GQWbmU+Xc2EoEx6/7p9+Zd1fZJXxncz3uYPNjLWgPl9po
1T3lBpKC3ZAlAgMBAAGjggExMIIBLTAdBgNVHQ4EFgQUwBmBu9Y9u0HoIhoIUK1X
++W16p0wgdgGA1UdIwSB0DCBzYAUwBmBu9Y9u0HoIhoIUK1X++W16p2hgZ6kgZsw
gZgxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl
bWFuMRAwDgYDVQQKDAd3b2xmU1NMMRgwFgYDVQQLDA9UU0EtYmFkLWt1LTIwNDgx
GDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3
b2xmc3NsLmNvbYIUfe/n/nB0c6/fcWvTuvvQS6NQJtMwCQYDVR0TBAIwADAOBgNV
HQ8BAf8EBAMCBSAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwgwDQYJKoZIhvcNAQEL
BQADggEBABy1mAqYKJCffP/Z1DuSPbN81pu0iFkNzVh6aq3wb/PtXlfXFD5kUBwR
M6tiCfGPWBWTJSDt88vto9IhfMICFPphzyATimvxlYGU6Nf9JBP7h+Ms+07Xzkar
/SG8k7gNiCp2tgL571j8NrURWgdiDaMa5nenKLIOxrGkZlKZEZARSteY5Z+x55n+
pmZmXh5Su7jnvemV1ANH3sfN91hnrxJXKDOnNO90L2xnQyltV4C0LWchKlJBlx0t
ryzHH8ggbZp5gvemO5dbGrz0KtnfpkXbosGDWjnv+W/3FEIwD1JxbmsFGcpRTqDx
SrpvlUY96hqr4ze9MLq5tTD9l+R6SdQ=
-----END CERTIFICATE-----
Binary file not shown.
+95
View File
@@ -0,0 +1,95 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
27:a1:f0:c9:99:87:1d:e9:ca:22:54:48:43:86:ef:5d:31:15:f5:5f
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL, OU=TSA-2048, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
Validity
Not Before: Jun 4 20:44:10 2026 GMT
Not After : Feb 28 20:44:10 2029 GMT
Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL, OU=TSA-2048, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:93:74:96:f0:0c:fd:d7:2a:5a:a0:a1:6e:b4:63:
b7:f4:e6:8b:77:8f:49:f7:a9:0c:b3:3d:5a:60:a8:
b8:67:75:b8:d0:ce:ba:ce:65:e5:64:a2:d0:c8:d0:
2c:5b:a8:a5:d3:3f:2c:46:07:e6:b1:b7:a5:65:f8:
9f:89:e1:93:bc:49:cd:55:fd:9b:a1:1e:1e:f7:99:
07:4a:1c:c8:b6:88:a2:5e:77:a5:3f:79:2f:d3:43:
41:f6:cf:ff:78:30:89:12:b1:0c:3f:f5:2f:62:e6:
71:33:02:70:d9:42:1b:e4:07:9c:9d:c7:5e:5b:4e:
93:8f:6b:0e:fe:5b:7e:02:6f:8d:e8:7d:e9:aa:1d:
12:f2:6b:a4:55:61:59:e0:3a:38:b0:14:41:9d:bb:
c6:e0:6a:9d:35:a8:08:f2:3c:29:b9:a7:b2:38:47:
f6:70:1a:b8:d2:d5:c9:48:f0:ee:60:1d:14:77:8a:
2c:38:90:29:7f:42:e4:dd:92:0a:8d:03:88:44:0a:
f0:b6:14:bd:e5:11:50:94:26:fb:3e:ab:17:69:3d:
a6:45:c7:ad:86:41:66:e6:53:e5:dc:d8:4a:04:c7:
af:fb:a7:df:99:77:57:d9:25:7c:67:73:3d:ee:60:
f3:63:2d:68:0f:97:da:68:d5:3d:e5:06:92:82:dd:
90:25
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
C0:19:81:BB:D6:3D:BB:41:E8:22:1A:08:50:AD:57:FB:E5:B5:EA:9D
X509v3 Authority Key Identifier:
keyid:C0:19:81:BB:D6:3D:BB:41:E8:22:1A:08:50:AD:57:FB:E5:B5:EA:9D
DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=TSA-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
serial:27:A1:F0:C9:99:87:1D:E9:CA:22:54:48:43:86:EF:5D:31:15:F5:5F
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Alternative Name:
DNS:tsa.wolfssl.com
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage: critical
Time Stamping
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
1a:c2:d0:93:e8:65:f7:77:2c:62:b2:9c:e0:64:ec:18:96:5e:
89:ba:58:25:12:a9:f7:27:da:70:4a:b7:6d:0e:86:6d:61:5c:
73:9e:55:46:f1:6e:f4:06:b2:08:e5:8f:93:bf:ab:b4:60:dd:
95:d5:89:c4:16:fa:c4:c6:e5:1f:31:4a:75:cb:11:f5:16:5c:
c9:19:8b:bc:80:2a:61:c0:12:8e:71:59:ba:1e:5a:c6:6b:62:
e7:f0:a9:f2:cd:81:2d:41:37:13:59:3a:6f:63:09:b6:5e:78:
80:d3:18:72:89:90:51:fa:6f:1d:99:43:fd:5f:17:28:19:0b:
48:14:87:46:09:29:e7:d3:79:04:7e:46:af:30:eb:e9:89:0c:
7f:26:b3:c4:66:c7:37:9a:8b:42:bb:98:21:73:1a:fe:22:2d:
80:f6:78:8c:d4:80:a8:5c:b5:cb:e6:a8:b7:fb:98:cd:5d:d1:
e4:37:be:36:cf:97:c1:d0:a9:f2:64:90:dc:b8:57:44:c2:e8:
95:50:18:1d:0d:8a:ea:9f:12:0b:e4:1e:78:9e:f5:88:5b:22:
00:a8:06:aa:af:1a:2b:0c:3a:2c:f1:0a:cd:0a:af:0e:86:e5:
5c:34:e7:c7:64:48:39:9b:c4:60:40:41:2f:bd:65:20:66:54:
f2:37:5c:7b
-----BEGIN CERTIFICATE-----
MIIE+jCCA+KgAwIBAgIUJ6HwyZmHHenKIlRIQ4bvXTEV9V8wDQYJKoZIhvcNAQEL
BQAwgZExCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
b3plbWFuMRAwDgYDVQQKDAd3b2xmU1NMMREwDwYDVQQLDAhUU0EtMjA0ODEYMBYG
A1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZz
c2wuY29tMB4XDTI2MDYwNDIwNDQxMFoXDTI5MDIyODIwNDQxMFowgZExCzAJBgNV
BAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRAwDgYD
VQQKDAd3b2xmU1NMMREwDwYDVQQLDAhUU0EtMjA0ODEYMBYGA1UEAwwPd3d3Lndv
bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAk3SW8Az91ypaoKFutGO39OaLd49J
96kMsz1aYKi4Z3W40M66zmXlZKLQyNAsW6il0z8sRgfmsbelZfifieGTvEnNVf2b
oR4e95kHShzItoiiXnelP3kv00NB9s//eDCJErEMP/UvYuZxMwJw2UIb5Aecncde
W06Tj2sO/lt+Am+N6H3pqh0S8mukVWFZ4Do4sBRBnbvG4GqdNagI8jwpuaeyOEf2
cBq40tXJSPDuYB0Ud4osOJApf0Lk3ZIKjQOIRArwthS95RFQlCb7PqsXaT2mRcet
hkFm5lPl3NhKBMev+6ffmXdX2SV8Z3M97mDzYy1oD5faaNU95QaSgt2QJQIDAQAB
o4IBRjCCAUIwHQYDVR0OBBYEFMAZgbvWPbtB6CIaCFCtV/vlteqdMIHRBgNVHSME
gckwgcaAFMAZgbvWPbtB6CIaCFCtV/vlteqdoYGXpIGUMIGRMQswCQYDVQQGEwJV
UzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEQMA4GA1UECgwH
d29sZlNTTDERMA8GA1UECwwIVFNBLTIwNDgxGDAWBgNVBAMMD3d3dy53b2xmc3Ns
LmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIUJ6HwyZmHHenK
IlRIQ4bvXTEV9V8wCQYDVR0TBAIwADAaBgNVHREEEzARgg90c2Eud29sZnNzbC5j
b20wDgYDVR0PAQH/BAQDAgeAMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMA0GCSqG
SIb3DQEBCwUAA4IBAQAawtCT6GX3dyxispzgZOwYll6JulglEqn3J9pwSrdtDoZt
YVxznlVG8W70BrII5Y+Tv6u0YN2V1YnEFvrExuUfMUp1yxH1FlzJGYu8gCphwBKO
cVm6HlrGa2Ln8KnyzYEtQTcTWTpvYwm2XniA0xhyiZBR+m8dmUP9XxcoGQtIFIdG
CSnn03kEfkavMOvpiQx/JrPEZsc3motCu5ghcxr+Ii2A9niM1ICoXLXL5qi3+5jN
XdHkN742z5fB0KnyZJDcuFdEwuiVUBgdDYrqnxIL5B54nvWIWyIAqAaqrxorDDos
8QrNCq8OhuVcNOfHZEg5m8RgQEEvvWUgZlTyN1x7
-----END CERTIFICATE-----
Binary file not shown.
+95
View File
@@ -0,0 +1,95 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
50:0e:48:2e:70:3f:ab:8d:35:2c:78:a9:ec:1e:30:08:74:f2:c1:6d
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=wolfSSL Intermediate CA, emailAddress=facts@wolfssl.com
Validity
Not Before: Jul 3 00:51:28 2026 GMT
Not After : Mar 29 00:51:28 2029 GMT
Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL, OU=TSA-chain-2048, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b2:bb:66:ac:49:bb:8c:5d:e8:ee:ff:55:12:b9:
6e:b0:e8:9a:77:35:7a:b8:65:85:62:a6:17:1b:27:
25:8c:59:bb:1e:e6:bb:ae:09:55:7d:ee:53:fd:ff:
56:99:9d:0c:1e:31:48:bd:42:69:2c:b2:0a:37:68:
5b:8f:33:ff:c5:a0:e0:e2:1e:6c:f6:4f:90:b4:73:
3d:13:fe:e4:ed:b0:1f:b8:5e:f0:ce:4d:51:0d:e6:
be:2b:7d:a4:44:6b:38:75:83:13:0d:41:d2:69:3f:
29:7c:f1:57:29:52:f3:d1:2c:40:0e:c7:be:64:73:
d4:9e:06:a4:67:50:57:03:ef:8e:6a:c9:06:8a:e3:
c3:c3:eb:cb:6f:0f:3a:26:b9:ee:20:28:30:47:5c:
ec:57:98:18:01:f1:d7:91:ca:15:67:11:5e:e7:03:
72:87:19:52:bf:a1:41:47:34:94:98:88:58:fc:ca:
41:d5:71:7e:75:b5:e4:95:4d:5e:be:7e:5c:6e:4e:
48:7a:a2:cd:14:0a:bb:fa:f8:70:8c:32:9d:29:7a:
77:ab:55:7e:a8:5f:b8:2d:8e:62:5d:51:2e:8e:17:
a5:6e:38:c1:05:87:74:c1:55:6e:4f:8a:4a:51:f6:
6c:d8:ac:cf:c0:8e:fa:4b:5c:74:16:39:18:1a:29:
75:67
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
60:3A:6A:61:84:57:4F:4B:52:94:50:57:7E:1F:F4:CC:78:22:1B:44
X509v3 Authority Key Identifier:
keyid:EF:69:E0:F7:D5:1D:E6:99:EC:DC:6D:D0:F7:E2:B9:5C:64:71:83:35
DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=facts@wolfssl.com
serial:10:00
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Alternative Name:
DNS:tsa.wolfssl.com
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage: critical
Time Stamping
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
66:58:cb:ee:9a:a1:d7:14:be:37:d4:4b:53:7c:ba:8e:b6:a6:
c5:7c:2e:4c:3f:37:c8:39:44:8e:e5:81:5a:e1:26:04:0f:5e:
d2:06:19:a6:a0:db:62:36:69:56:b8:e0:c9:f2:f6:63:da:15:
f3:3b:7c:29:11:a8:23:94:83:c9:6d:88:76:3a:86:95:ce:dd:
ea:78:26:11:c9:9f:f6:24:93:35:b7:05:a3:d8:a5:e5:44:b9:
7e:c0:5f:b7:84:86:e4:49:ce:37:e0:32:2d:0b:a6:87:db:ff:
7d:14:a1:53:ab:db:2f:75:38:c7:69:a7:ec:3a:f0:7c:ec:07:
b7:12:b3:a7:7e:bb:c6:65:9f:22:94:fd:5f:45:3c:31:ec:11:
d2:58:4b:5b:3c:66:39:8b:79:75:a2:1f:78:0b:dd:6b:9e:cb:
c5:45:6a:25:60:68:e2:d3:1f:06:91:6f:50:c8:5a:05:c7:2c:
99:0d:34:3a:f5:2f:fa:19:77:60:d3:95:ca:9f:7d:05:c7:ad:
80:21:e9:33:d6:b0:d3:89:cc:87:4e:64:33:82:7b:e9:5b:c9:
08:3c:08:ad:01:d9:92:0a:49:67:51:48:6f:83:56:79:e6:81:
89:1e:5a:dc:7c:7c:c5:92:03:ff:8f:e2:4e:c9:9e:12:a2:6e:
2b:c3:a5:41
-----BEGIN CERTIFICATE-----
MIIFATCCA+mgAwIBAgIUUA5ILnA/q401LHip7B4wCHTywW0wDQYJKoZIhvcNAQEL
BQAwgaAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH
DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVu
dDEgMB4GA1UEAwwXd29sZlNTTCBJbnRlcm1lZGlhdGUgQ0ExIDAeBgkqhkiG9w0B
CQEWEWZhY3RzQHdvbGZzc2wuY29tMB4XDTI2MDcwMzAwNTEyOFoXDTI5MDMyOTAw
NTEyOFowgZcxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQH
DAdCb3plbWFuMRAwDgYDVQQKDAd3b2xmU1NMMRcwFQYDVQQLDA5UU0EtY2hhaW4t
MjA0ODEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBp
bmZvQHdvbGZzc2wuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
srtmrEm7jF3o7v9VErlusOiadzV6uGWFYqYXGycljFm7Hua7rglVfe5T/f9WmZ0M
HjFIvUJpLLIKN2hbjzP/xaDg4h5s9k+QtHM9E/7k7bAfuF7wzk1RDea+K32kRGs4
dYMTDUHSaT8pfPFXKVLz0SxADse+ZHPUngakZ1BXA++OaskGiuPDw+vLbw86Jrnu
ICgwR1zsV5gYAfHXkcoVZxFe5wNyhxlSv6FBRzSUmIhY/MpB1XF+dbXklU1evn5c
bk5IeqLNFAq7+vhwjDKdKXp3q1V+qF+4LY5iXVEujhelbjjBBYd0wVVuT4pKUfZs
2KzPwI76S1x0FjkYGil1ZwIDAQABo4IBODCCATQwHQYDVR0OBBYEFGA6amGEV09L
UpRQV34f9Mx4IhtEMIHDBgNVHSMEgbswgbiAFO9p4PfVHeaZ7Nxt0PfiuVxkcYM1
oYGbpIGYMIGVMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UE
BwwHQm96ZW1hbjERMA8GA1UECgwIU2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRp
bmcxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEgMB4GCSqGSIb3DQEJARYRZmFj
dHNAd29sZnNzbC5jb22CAhAAMAkGA1UdEwQCMAAwGgYDVR0RBBMwEYIPdHNhLndv
bGZzc2wuY29tMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcD
CDANBgkqhkiG9w0BAQsFAAOCAQEAZljL7pqh1xS+N9RLU3y6jramxXwuTD83yDlE
juWBWuEmBA9e0gYZpqDbYjZpVrjgyfL2Y9oV8zt8KRGoI5SDyW2IdjqGlc7d6ngm
Ecmf9iSTNbcFo9il5US5fsBft4SG5EnON+AyLQumh9v/fRShU6vbL3U4x2mn7Drw
fOwHtxKzp367xmWfIpT9X0U8MewR0lhLWzxmOYt5daIfeAvda57LxUVqJWBo4tMf
BpFvUMhaBccsmQ00OvUv+hl3YNOVyp99BcetgCHpM9aw04nMh05kM4J76VvJCDwI
rQHZkgpJZ1FIb4NWeeaBiR5a3Hx8xZID/4/iTsmeEqJuK8OlQQ==
-----END CERTIFICATE-----
Binary file not shown.
+28
View File
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCyu2asSbuMXeju
/1USuW6w6Jp3NXq4ZYViphcbJyWMWbse5ruuCVV97lP9/1aZnQweMUi9Qmkssgo3
aFuPM//FoODiHmz2T5C0cz0T/uTtsB+4XvDOTVEN5r4rfaREazh1gxMNQdJpPyl8
8VcpUvPRLEAOx75kc9SeBqRnUFcD745qyQaK48PD68tvDzomue4gKDBHXOxXmBgB
8deRyhVnEV7nA3KHGVK/oUFHNJSYiFj8ykHVcX51teSVTV6+flxuTkh6os0UCrv6
+HCMMp0penerVX6oX7gtjmJdUS6OF6VuOMEFh3TBVW5PikpR9mzYrM/AjvpLXHQW
ORgaKXVnAgMBAAECggEAVOJFt+topBhxqRggujzRAjnmKll+yBaHC7vf22hzH735
7YoddmE+dgl7YHUlFt2MRMaZSjFBLBX+XiQ038UNYzmttBZJH43YJqtYRafX576u
wextJz13EkgU5yjLnCbj8INox/IL0SpLNOiVwa2A2EXQwnRAywpr3wU+jUaNnPMb
Pp7vHOJgTYKGN+YY8gpYNkcrzOoZvwEt+pbc4VoJ9pyxLBAWuZfofJ9hACw/WxPR
HMrFajkLA3zvKBtCVhaccVeLHBzR0e9cLigdhp3m4qPIyQpTiHOqCD3pmQw9aU1j
7/cei345NkfIf/M0bkXxdGpTLVNchs9cSlVU5uQhmQKBgQDwOYZq2NvQa5zW9VLi
XcD2NpQCB8tOrTcYf6DLeIUbI2D9ZbXTiqArAGQy9/j6z5QuDWxUA/lzOismPRJu
erSw7Wqdl7i4DT5Q9Dr52jN8jTkM/RG0II+JZjwu5iOL0tf8/w9b0HUi2PusBLKe
0CVt8dvcUIL2Ioh0F7hsCoaHMwKBgQC+eBumJpk5tbyJnTk7Jy2bDnCO10DTUuyV
PsiCk52QvefVvcuSF5ocnUdsIFtpCIfkwVMrSos9JSd66qV/JzLN8QcYv8ttsWf3
Z5gVh05Lz7JfvjheyUHSesOhxzltKIBrOLqV1gsAkUPyxai6MV2WDk5G7neqOh4n
pAPwiBLI/QKBgDDYoZpsShYRK60R6S6aPbhS1Lms+AwhcIiMuxdkhDxGb1xXKCfB
klvsEnPCtF/bgZfzpslWnYxukYOO+4Z3cPJg9ELjLO5P0xIG908CrWFwHd+kPctQ
q58WqLoolaXC06RgALF8q7TQRixuMBvW2yWF/lzICjkeQHzKrfdaFIy9AoGBAK8R
muhXJhODVe5vUwFp+2NAHHlOpMkYuVhcwtQydmtqAkPWFd0MUJzoe5OJEjwymSXM
BHQQKndjRSyXrNJ45xuf5VP8RjFnFRa0Y3e2TGMmXt/d6dZFynh6WoLCqagJyC/F
jsrWWHqHCxuETpgFc+3O7GgKHHecv8bT3MMjb5DJAoGBAONLdeZuHrtAEuYqBZdi
iC8+YA96wOhMvULuWHxweBcJ8tLhEagcLuabLAQWrExFw+FdZ90IVyPuMzD3TTf0
VwZaDrzGplkxqfLB/8sbxL6G3+/r3Zrq0PHV+vhRyebEKbu8fKhIUPnATlcABDC8
kWRmM97sbQNJ68efcfq0C5GJ
-----END PRIVATE KEY-----
Binary file not shown.
+64
View File
@@ -0,0 +1,64 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
19:47:b6:5a:9a:23:a8:ff:c0:13:80:9b:3d:af:92:ee:0d:d7:58:de
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL, OU=TSA-ECC, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
Validity
Not Before: Jun 5 10:09:40 2026 GMT
Not After : Mar 1 10:09:40 2029 GMT
Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL, OU=TSA-ECC, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:ce:3e:24:12:01:46:68:1d:11:7d:cd:d9:8b:63:
4e:f9:cc:36:06:b6:75:33:72:57:1c:12:7f:fa:5f:
77:83:68:fc:18:64:8b:75:d4:53:88:93:e7:64:38:
23:ef:19:c9:67:95:48:0f:7e:ed:f5:81:61:8c:66:
c9:e3:ae:c8:12
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Subject Key Identifier:
AB:E6:D5:D9:8A:31:CB:10:23:82:16:CE:20:1F:80:E4:D5:87:5A:20
X509v3 Authority Key Identifier:
keyid:AB:E6:D5:D9:8A:31:CB:10:23:82:16:CE:20:1F:80:E4:D5:87:5A:20
DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=TSA-ECC/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
serial:19:47:B6:5A:9A:23:A8:FF:C0:13:80:9B:3D:AF:92:EE:0D:D7:58:DE
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Alternative Name:
DNS:tsa.wolfssl.com
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage: critical
Time Stamping
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:45:02:20:2b:51:26:56:e1:e1:1f:b9:ad:03:07:46:fa:7b:
34:d0:2a:f5:11:c8:12:0c:06:32:23:29:6f:1b:a1:18:87:9a:
02:21:00:d9:e6:a9:01:b6:cb:22:f8:28:5f:91:a5:bd:9c:e7:
f6:24:5b:d5:5e:7d:1d:a1:65:12:ca:aa:eb:48:fa:d5:15
-----BEGIN CERTIFICATE-----
MIIDazCCAxGgAwIBAgIUGUe2WpojqP/AE4CbPa+S7g3XWN4wCgYIKoZIzj0EAwIw
gZAxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl
bWFuMRAwDgYDVQQKDAd3b2xmU1NMMRAwDgYDVQQLDAdUU0EtRUNDMRgwFgYDVQQD
DA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
b20wHhcNMjYwNjA1MTAwOTQwWhcNMjkwMzAxMTAwOTQwWjCBkDELMAkGA1UEBhMC
VVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNVBAoM
B3dvbGZTU0wxEDAOBgNVBAsMB1RTQS1FQ0MxGDAWBgNVBAMMD3d3dy53b2xmc3Ns
LmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTBZMBMGByqGSM49
AgEGCCqGSM49AwEHA0IABM4+JBIBRmgdEX3N2YtjTvnMNga2dTNyVxwSf/pfd4No
/Bhki3XUU4iT52Q4I+8ZyWeVSA9+7fWBYYxmyeOuyBKjggFFMIIBQTAdBgNVHQ4E
FgQUq+bV2YoxyxAjghbOIB+A5NWHWiAwgdAGA1UdIwSByDCBxYAUq+bV2YoxyxAj
ghbOIB+A5NWHWiChgZakgZMwgZAxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250
YW5hMRAwDgYDVQQHDAdCb3plbWFuMRAwDgYDVQQKDAd3b2xmU1NMMRAwDgYDVQQL
DAdUU0EtRUNDMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0B
CQEWEGluZm9Ad29sZnNzbC5jb22CFBlHtlqaI6j/wBOAmz2vku4N11jeMAkGA1Ud
EwQCMAAwGgYDVR0RBBMwEYIPdHNhLndvbGZzc2wuY29tMA4GA1UdDwEB/wQEAwIH
gDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDAKBggqhkjOPQQDAgNIADBFAiArUSZW
4eEfua0DB0b6ezTQKvURyBIMBjIjKW8boRiHmgIhANnmqQG2yyL4KF+Rpb2c5/Yk
W9VefR2hZRLKqutI+tUV
-----END CERTIFICATE-----
Binary file not shown.
+5
View File
@@ -0,0 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIHN8XsCdrSslanbYhpsRH4P7rwxT4PXttp+4zE/Ovz1doAoGCCqGSM49
AwEHoUQDQgAEzj4kEgFGaB0Rfc3Zi2NO+cw2BrZ1M3JXHBJ/+l93g2j8GGSLddRT
iJPnZDgj7xnJZ5VID37t9YFhjGbJ467IEg==
-----END EC PRIVATE KEY-----
Binary file not shown.
+93
View File
@@ -0,0 +1,93 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
2e:66:3c:01:89:1b:3a:75:8a:86:40:99:fd:af:c6:7b:b1:24:7f:8e
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL, OU=TSA-extra-eku-2048, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
Validity
Not Before: Jun 11 10:38:14 2026 GMT
Not After : Mar 7 10:38:14 2029 GMT
Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL, OU=TSA-extra-eku-2048, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:93:74:96:f0:0c:fd:d7:2a:5a:a0:a1:6e:b4:63:
b7:f4:e6:8b:77:8f:49:f7:a9:0c:b3:3d:5a:60:a8:
b8:67:75:b8:d0:ce:ba:ce:65:e5:64:a2:d0:c8:d0:
2c:5b:a8:a5:d3:3f:2c:46:07:e6:b1:b7:a5:65:f8:
9f:89:e1:93:bc:49:cd:55:fd:9b:a1:1e:1e:f7:99:
07:4a:1c:c8:b6:88:a2:5e:77:a5:3f:79:2f:d3:43:
41:f6:cf:ff:78:30:89:12:b1:0c:3f:f5:2f:62:e6:
71:33:02:70:d9:42:1b:e4:07:9c:9d:c7:5e:5b:4e:
93:8f:6b:0e:fe:5b:7e:02:6f:8d:e8:7d:e9:aa:1d:
12:f2:6b:a4:55:61:59:e0:3a:38:b0:14:41:9d:bb:
c6:e0:6a:9d:35:a8:08:f2:3c:29:b9:a7:b2:38:47:
f6:70:1a:b8:d2:d5:c9:48:f0:ee:60:1d:14:77:8a:
2c:38:90:29:7f:42:e4:dd:92:0a:8d:03:88:44:0a:
f0:b6:14:bd:e5:11:50:94:26:fb:3e:ab:17:69:3d:
a6:45:c7:ad:86:41:66:e6:53:e5:dc:d8:4a:04:c7:
af:fb:a7:df:99:77:57:d9:25:7c:67:73:3d:ee:60:
f3:63:2d:68:0f:97:da:68:d5:3d:e5:06:92:82:dd:
90:25
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
C0:19:81:BB:D6:3D:BB:41:E8:22:1A:08:50:AD:57:FB:E5:B5:EA:9D
X509v3 Authority Key Identifier:
keyid:C0:19:81:BB:D6:3D:BB:41:E8:22:1A:08:50:AD:57:FB:E5:B5:EA:9D
DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=TSA-extra-eku-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
serial:2E:66:3C:01:89:1B:3A:75:8A:86:40:99:FD:AF:C6:7B:B1:24:7F:8E
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage: critical
Time Stamping, 1.3.6.1.4.1.99999.1
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
68:67:cb:3b:2a:55:c2:5f:be:62:c5:21:5e:a8:cd:d7:74:1b:
2e:2f:33:76:0f:0d:bb:11:75:1b:bf:1f:05:da:21:6e:a6:82:
26:f2:35:5c:ac:6d:04:86:b6:99:e9:c5:a0:23:48:af:14:ae:
bc:ae:8f:84:41:a8:14:a3:fc:69:39:9f:50:4e:6e:b9:81:f4:
d8:cc:df:a2:f9:ba:0b:79:67:7a:8f:2e:75:1f:7f:f2:57:74:
4a:4c:bd:db:1c:16:fa:e9:38:c2:7a:8d:64:ea:c2:c3:34:93:
54:73:07:8e:cc:95:44:05:9a:dd:a1:ae:b3:94:11:12:b6:1f:
47:dd:a7:1c:ff:6d:06:b3:aa:d5:da:dd:54:a7:e8:c1:87:6f:
37:ee:ef:a3:05:eb:08:10:32:7f:ad:02:2f:aa:ca:e3:80:06:
bb:2c:c3:df:c8:99:fc:c1:b5:21:f8:85:42:90:20:2d:06:33:
fd:c1:d1:57:8a:e8:82:d1:dd:c2:3e:78:fa:62:da:15:5f:4c:
04:36:06:e5:76:22:9c:e6:b0:b8:b9:2c:70:aa:16:b4:b4:20:
43:d9:0d:4d:16:81:55:b3:26:b1:32:99:2b:27:a6:c7:44:24:
b8:15:73:2b:e1:fa:b0:26:dc:e6:70:ec:12:00:5d:0f:1f:2d:
2f:50:26:3f
-----BEGIN CERTIFICATE-----
MIIFBzCCA++gAwIBAgIULmY8AYkbOnWKhkCZ/a/Ge7Ekf44wDQYJKoZIhvcNAQEL
BQAwgZsxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
b3plbWFuMRAwDgYDVQQKDAd3b2xmU1NMMRswGQYDVQQLDBJUU0EtZXh0cmEtZWt1
LTIwNDgxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQ
aW5mb0B3b2xmc3NsLmNvbTAeFw0yNjA2MTExMDM4MTRaFw0yOTAzMDcxMDM4MTRa
MIGbMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96
ZW1hbjEQMA4GA1UECgwHd29sZlNTTDEbMBkGA1UECwwSVFNBLWV4dHJhLWVrdS0y
MDQ4MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGlu
Zm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCT
dJbwDP3XKlqgoW60Y7f05ot3j0n3qQyzPVpgqLhndbjQzrrOZeVkotDI0CxbqKXT
PyxGB+axt6Vl+J+J4ZO8Sc1V/ZuhHh73mQdKHMi2iKJed6U/eS/TQ0H2z/94MIkS
sQw/9S9i5nEzAnDZQhvkB5ydx15bTpOPaw7+W34Cb43ofemqHRLya6RVYVngOjiw
FEGdu8bgap01qAjyPCm5p7I4R/ZwGrjS1clI8O5gHRR3iiw4kCl/QuTdkgqNA4hE
CvC2FL3lEVCUJvs+qxdpPaZFx62GQWbmU+Xc2EoEx6/7p9+Zd1fZJXxncz3uYPNj
LWgPl9po1T3lBpKC3ZAlAgMBAAGjggE/MIIBOzAdBgNVHQ4EFgQUwBmBu9Y9u0Ho
IhoIUK1X++W16p0wgdsGA1UdIwSB0zCB0IAUwBmBu9Y9u0HoIhoIUK1X++W16p2h
gaGkgZ4wgZsxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQH
DAdCb3plbWFuMRAwDgYDVQQKDAd3b2xmU1NMMRswGQYDVQQLDBJUU0EtZXh0cmEt
ZWt1LTIwNDgxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJ
ARYQaW5mb0B3b2xmc3NsLmNvbYIULmY8AYkbOnWKhkCZ/a/Ge7Ekf44wCQYDVR0T
BAIwADAOBgNVHQ8BAf8EBAMCB4AwIQYDVR0lAQH/BBcwFQYIKwYBBQUHAwgGCSsG
AQQBho0fATANBgkqhkiG9w0BAQsFAAOCAQEAaGfLOypVwl++YsUhXqjN13QbLi8z
dg8NuxF1G78fBdohbqaCJvI1XKxtBIa2menFoCNIrxSuvK6PhEGoFKP8aTmfUE5u
uYH02Mzfovm6C3lneo8udR9/8ld0Sky92xwW+uk4wnqNZOrCwzSTVHMHjsyVRAWa
3aGus5QRErYfR92nHP9tBrOq1drdVKfowYdvN+7vowXrCBAyf60CL6rK44AGuyzD
38iZ/MG1IfiFQpAgLQYz/cHRV4rogtHdwj54+mLaFV9MBDYG5XYinOawuLkscKoW
tLQgQ9kNTRaBVbMmsTKZKyemx0QkuBVzK+H6sCbc5nDsEgBdDx8tL1AmPw==
-----END CERTIFICATE-----
BIN
View File
Binary file not shown.
+27
View File
@@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAk3SW8Az91ypaoKFutGO39OaLd49J96kMsz1aYKi4Z3W40M66
zmXlZKLQyNAsW6il0z8sRgfmsbelZfifieGTvEnNVf2boR4e95kHShzItoiiXnel
P3kv00NB9s//eDCJErEMP/UvYuZxMwJw2UIb5AecncdeW06Tj2sO/lt+Am+N6H3p
qh0S8mukVWFZ4Do4sBRBnbvG4GqdNagI8jwpuaeyOEf2cBq40tXJSPDuYB0Ud4os
OJApf0Lk3ZIKjQOIRArwthS95RFQlCb7PqsXaT2mRcethkFm5lPl3NhKBMev+6ff
mXdX2SV8Z3M97mDzYy1oD5faaNU95QaSgt2QJQIDAQABAoIBAARHDRE1/Jp5zuWQ
WU2gA5hLTyoZkjE+NQacFduY+WR9nJi+GTA0nNogWQMs+s8b44JEd7cpB9m0Sfbd
Jq+mx2ozuo0EjY0NJSPUoMqsbsF7fDkA/95erchTT/4QxvNIdn7Ve6qn+lxu8pi4
Dj2si8eVKvIZdFTHa5jCUniG1JnNxwRVAgC0vFWEUyPIwFHyPon7ruP1YdxMsaEN
JW5Gi7QnKGLvTAceFfIKIAFTArFKAfE5KFV3ksBHjS21Yehr4ngqvMTuQWpCvaPp
cMBAvMHH6t62naaibcFSh+qsLGHQWjfq7jXh0FtQbnvcW7z4yXQs4boOiLm1ug1p
T1qnJxECgYEAz2m4+VJNkG+FobHIdjQ5EejH6JBlhSMbStlxB3H1RmQzRRFhrd2N
Cnr7XPKRp7hkuMnbJX7oky/Vb72/WsJz8FazEgIRh+L7g1JLJh842R8lsap90UO5
b44Up1WNwsJ29iVi0t0fTMwWhCjLZAiKslCtGa8YXSpZj9ChjHWtBPkCgYEAtf9L
GVx9yrJjN7NYD8/WFim5E182/xsoDqQbBcxQlf49b/HdsW9H/TBSnlLHfv1yCZkc
8PY3dUuBGai8UYPOPqq6mjs5c9WsVgXcAzdCWZltIFoBb0p8yEWPFZxxMG5nytWZ
TbWKZOSZ2QhvCUYn+hHZnhP6tGWhCJ2xbTOcK40CgYA63Z6J5DnvTDd49KQYKCoq
Uw6pipHFf3k3fQ7/NfCO0dFbQNugJMjquIyujImaOFMdvuxbb/FCFMlWtVuhvp55
D6Iy8jNXhawsUSbS4vmXZaelDOY4higS6Rgjhbx+EgMBSQsLHYbMnP+m8o0HDwWO
Jid6qp8XkfVpQ6UV4DACwQKBgQCWNtx5VknNH2ec9b3dbyG4sT88qf3umS96xiA3
rOdmpa131B2y8bJtW5EVdCWMvwt8uI+WouIrQeKQlyC39x4nwyq5WeCVpurTJYru
bJGq+mODrEY64TQU6LSsla8m1jl8xMf/x7MuizAgXkGnWextDoabXsoyUx+SyPVE
uLBRkQKBgQCopTVwcup0wurvNqNzFAeSuKRwHFDffAHNcTY0u30qyyv1JyJ+Fr6J
z39jw93hEPohHGEeDVMSvHTk3nFil+Du+z+yP7NbRHsoctizjnGgTOMKZHl+O+9P
iwFFJCZv9qKG29nkfOOk57GPRLvIAij+ioywExeyaDWY/lAY0JsF0g==
-----END RSA PRIVATE KEY-----
+7
View File
@@ -329,6 +329,9 @@ function(generate_build_flags)
if(WOLFSSL_PKCS7 OR WOLFSSL_USER_SETTINGS)
set(BUILD_PKCS7 "yes" PARENT_SCOPE)
endif()
if(WOLFSSL_TSP OR WOLFSSL_USER_SETTINGS)
set(BUILD_TSP "yes" PARENT_SCOPE)
endif()
set(BUILD_HASHFLAGS ${WOLFSSL_HASHFLAGS} PARENT_SCOPE)
set(BUILD_LINUX_KM ${WOLFSSL_LINUX_KM} PARENT_SCOPE)
set(BUILD_NO_LIBRARY ${WOLFSSL_NO_LIBRARY} PARENT_SCOPE)
@@ -1088,6 +1091,10 @@ function(generate_lib_src_list LIB_SOURCES)
list(APPEND LIB_SOURCES wolfcrypt/src/pkcs7.c)
endif()
if(BUILD_TSP)
list(APPEND LIB_SOURCES wolfcrypt/src/tsp.c)
endif()
if(BUILD_SRP)
list(APPEND LIB_SOURCES wolfcrypt/src/srp.c)
endif()
+25
View File
@@ -8697,6 +8697,28 @@ then
ENABLED_PKCS7=yes
fi
# RFC 3161 Time-Stamp Protocol (TSP)
AC_ARG_ENABLE([tsp],
[AS_HELP_STRING([--enable-tsp],[Enable RFC 3161 Time-Stamp Protocol (default: disabled)])],
[ ENABLED_TSP=$enableval ],
[ ENABLED_TSP=no ]
)
if test "x$ENABLED_TSP" = "xyes"
then
# TSP ASN.1 encoding/decoding is only implemented with the template parser.
if test "$ASN_IMPL" = "original"
then
AC_MSG_ERROR([--enable-tsp is not supported with --enable-asn=original.])
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TSP"
# Requires PKCS7 for time-stamp token creation and verification
if test "x$ENABLED_PKCS7" = "xno"
then
ENABLED_PKCS7="yes"
fi
fi
# wolfSSH Options
AC_ARG_ENABLE([wolfssh],
[AS_HELP_STRING([--enable-wolfssh],[Enable wolfSSH options (default: disabled)])],
@@ -12567,6 +12589,7 @@ AM_CONDITIONAL([BUILD_HEAPMATH],[test "x$ENABLED_HEAPMATH" = "xyes" || test "x$E
AM_CONDITIONAL([BUILD_EXAMPLE_SERVERS],[test "x$ENABLED_EXAMPLES" = "xyes" && test "x$ENABLED_LEANTLS" = "xno"])
AM_CONDITIONAL([BUILD_EXAMPLE_CLIENTS],[test "x$ENABLED_EXAMPLES" = "xyes"])
AM_CONDITIONAL([BUILD_EXAMPLE_ASN1],[test "x$ENABLED_EXAMPLES" = "xyes" && test "x$ENABLED_ASN_PRINT" = "xyes" && test "$ENABLED_ASN" != "no"])
AM_CONDITIONAL([BUILD_EXAMPLE_TSP],[test "x$ENABLED_EXAMPLES" = "xyes" && test "x$ENABLED_TSP" = "xyes"])
AM_CONDITIONAL([BUILD_OCSP_RESPONDER],[test "x$ENABLED_EXAMPLES" = "xyes" && test "x$ENABLED_OCSP_RESPONDER" = "xyes"])
AM_CONDITIONAL([BUILD_TESTS],[test "x$ENABLED_EXAMPLES" = "xyes"])
AM_CONDITIONAL([BUILD_THREADED_EXAMPLES],[test "x$ENABLED_SINGLETHREADED" = "xno" && test "x$ENABLED_EXAMPLES" = "xyes" && test "x$ENABLED_LEANTLS" = "xno"])
@@ -12608,6 +12631,7 @@ AM_CONDITIONAL([BUILD_TRUST_PEER_CERT],[test "x$ENABLED_TRUSTED_PEER_CERT" = "xy
AM_CONDITIONAL([BUILD_PKI],[test "x$ENABLED_PKI" = "xyes"])
AM_CONDITIONAL([BUILD_DES3],[test "x$ENABLED_DES3" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_PKCS7],[test "x$ENABLED_PKCS7" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_TSP],[test "x$ENABLED_TSP" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_SMIME],[test "x$ENABLED_SMIME" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_HASHFLAGS],[test "x$ENABLED_HASHFLAGS" = "xyes"])
AM_CONDITIONAL([BUILD_LINUXKM],[test "$ENABLED_LINUXKM" = "yes"])
@@ -13137,6 +13161,7 @@ echo " * Keying Material Exporter: $ENABLED_KEYING_MATERIAL"
echo " * All TLS Extensions: $ENABLED_TLSX"
echo " * S/MIME: $ENABLED_SMIME"
echo " * PKCS#7: $ENABLED_PKCS7"
echo " * TSP: $ENABLED_TSP"
echo " * PKCS#8: $ENABLED_PKCS8"
echo " * PKCS#11: $ENABLED_PKCS11"
echo " * PKCS#12: $ENABLED_PKCS12"
@@ -263,6 +263,7 @@
\defgroup MD4 Algorithms - MD4
\defgroup MD5 Algorithms - MD5
\defgroup PKCS7 Algorithms - PKCS7
\defgroup TSP Time-Stamp Protocol (RFC 3161)
\defgroup PKCS11 Algorithms - PKCS11
\defgroup Password Algorithms - Password Based
\defgroup Poly1305 Algorithms - Poly1305
File diff suppressed because it is too large Load Diff
+1
View File
@@ -11,6 +11,7 @@ include examples/sctp/include.am
include examples/configs/include.am
include examples/asn1/include.am
include examples/pem/include.am
include examples/tsp/include.am
include examples/ocsp_responder/include.am
include examples/tls13/include.am
EXTRA_DIST += examples/README.md
+21
View File
@@ -0,0 +1,21 @@
# vim:ft=automake
# included from Top Level Makefile.am
# All paths should be given relative to the root
if BUILD_EXAMPLE_TSP
noinst_PROGRAMS += examples/tsp/tsp_query examples/tsp/tsp_reply \
examples/tsp/tsp_verify
examples_tsp_tsp_query_SOURCES = examples/tsp/tsp_query.c
examples_tsp_tsp_query_LDADD = src/libwolfssl@LIBSUFFIX@.la $(LIB_STATIC_ADD)
examples_tsp_tsp_query_DEPENDENCIES = src/libwolfssl@LIBSUFFIX@.la
examples_tsp_tsp_reply_SOURCES = examples/tsp/tsp_reply.c
examples_tsp_tsp_reply_LDADD = src/libwolfssl@LIBSUFFIX@.la $(LIB_STATIC_ADD)
examples_tsp_tsp_reply_DEPENDENCIES = src/libwolfssl@LIBSUFFIX@.la
examples_tsp_tsp_verify_SOURCES = examples/tsp/tsp_verify.c
examples_tsp_tsp_verify_LDADD = src/libwolfssl@LIBSUFFIX@.la $(LIB_STATIC_ADD)
examples_tsp_tsp_verify_DEPENDENCIES = src/libwolfssl@LIBSUFFIX@.la
endif
+232
View File
@@ -0,0 +1,232 @@
/* tsp_query.c
*
* Copyright (C) 2006-2026 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/* Time-Stamp Protocol (RFC 3161) example: create a request.
*
* tsp_query <file> <request.tsq>
* Hash the file with SHA-256 and write a time-stamp request.
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#ifndef WOLFSSL_USER_SETTINGS
#include <wolfssl/options.h>
#endif
#include <wolfssl/wolfcrypt/settings.h>
#include <wolfssl/wolfcrypt/tsp.h>
#include <wolfssl/wolfcrypt/hash.h>
#include <wolfssl/wolfcrypt/sha256.h>
#include <wolfssl/wolfcrypt/random.h>
#include <wolfssl/wolfcrypt/error-crypt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if defined(WOLFSSL_TSP) && defined(HAVE_PKCS7) && \
(!defined(NO_RSA) || defined(HAVE_ECC)) && \
!defined(NO_SHA256) && !defined(WC_NO_RNG) && !defined(NO_FILESYSTEM) && \
defined(WOLFSSL_TSP_REQUESTER)
/* Number of random bytes in a nonce. */
#define TSP_NUM_SZ 8
/* Maximum size of an encoded time-stamp request - a hash imprint, nonce and
* a few small fields. */
#ifndef WC_TSP_MAX_REQ_SZ
#define WC_TSP_MAX_REQ_SZ 512
#endif
/* Size of the buffer used to hash a file a chunk at a time. */
#ifndef WC_TSP_HASH_CHUNK_SZ
#define WC_TSP_HASH_CHUNK_SZ 256
#endif
/* Local variables larger than 63 bytes - big buffers and big structures - are
* kept off the stack. They are allocated from the heap, unless dynamic memory
* is not available (WOLFSSL_NO_MALLOC) in which case they go on the stack.
* WOLFSSL_SMALL_STACK uses the heap path; it never co-exists with
* WOLFSSL_NO_MALLOC. 'name' is always used as a pointer.
*
* TSP_DECL declares, TSP_ALLOC allocates (running 'fail' on failure) and
* TSP_FREE releases an array of 'cnt' items of 'type' (cnt is 1 for a single
* object). */
#ifdef WOLFSSL_NO_MALLOC
#define TSP_DECL(type, name, cnt) type name[cnt]
#define TSP_ALLOC(type, name, cnt, fail) WC_DO_NOTHING
#define TSP_FREE(name) WC_DO_NOTHING
#else
#define TSP_DECL(type, name, cnt) type* name = NULL
#define TSP_ALLOC(type, name, cnt, fail) \
do { \
(name) = (type*)XMALLOC(sizeof(type) * (cnt), NULL, \
DYNAMIC_TYPE_TMP_BUFFER); \
if ((name) == NULL) { \
fail; \
} \
} while (0)
#define TSP_FREE(name) \
XFREE((name), NULL, DYNAMIC_TYPE_TMP_BUFFER)
#endif
/* Hash a file with SHA-256 a chunk at a time so the whole file need not be
* held in memory. */
static int tsp_hash_file(const char* name, byte* hash)
{
int ret = -1;
FILE* f = NULL;
TSP_DECL(wc_Sha256, sha, 1);
TSP_DECL(byte, buf, WC_TSP_HASH_CHUNK_SZ);
size_t n;
TSP_ALLOC(wc_Sha256, sha, 1, goto done);
TSP_ALLOC(byte, buf, WC_TSP_HASH_CHUNK_SZ, goto done);
f = fopen(name, "rb");
if (f == NULL) {
fprintf(stderr, "failed to open %s\n", name);
goto done;
}
if (wc_InitSha256(sha) == 0) {
ret = 0;
while ((n = fread(buf, 1, WC_TSP_HASH_CHUNK_SZ, f)) > 0) {
if (wc_Sha256Update(sha, buf, (word32)n) != 0) {
ret = -1;
break;
}
}
if ((ret == 0) && (ferror(f) != 0))
ret = -1;
if (ret == 0)
ret = (wc_Sha256Final(sha, hash) == 0) ? 0 : -1;
wc_Sha256Free(sha);
}
done:
if (f != NULL)
fclose(f);
TSP_FREE(sha);
TSP_FREE(buf);
return ret;
}
/* Write a buffer to a file. */
static int tsp_write_file(const char* name, const byte* data, word32 sz)
{
int ret = -1;
FILE* f;
f = fopen(name, "wb");
if (f == NULL) {
fprintf(stderr, "failed to open %s\n", name);
return -1;
}
if (fwrite(data, 1, sz, f) == sz) {
ret = 0;
}
fclose(f);
return ret;
}
/* Create a time-stamp request for the file. */
static int tsp_query(const char* dataFile, const char* reqFile)
{
int ret = 1;
int r;
WC_RNG rng;
int rngInit = 0;
TSP_DECL(TspRequest, req, 1);
TSP_DECL(byte, enc, WC_TSP_MAX_REQ_SZ);
word32 encSz = WC_TSP_MAX_REQ_SZ;
byte hash[WC_SHA256_DIGEST_SIZE];
byte nonce[TSP_NUM_SZ];
TSP_ALLOC(TspRequest, req, 1, goto done);
TSP_ALLOC(byte, enc, WC_TSP_MAX_REQ_SZ, goto done);
/* Hash the data to be time-stamped - the TSA never sees the data. */
r = wc_TspRequest_Init(req);
if (r != 0)
goto done;
/* Set the message imprint hash algorithm, then its value. */
r = wc_TspRequest_SetHashType(req, WC_HASH_TYPE_SHA256);
if (r != 0)
goto done;
if (tsp_hash_file(dataFile, hash) != 0)
goto done;
r = wc_TspRequest_SetHash(req, hash, (word32)sizeof(hash));
if (r != 0)
goto done;
/* Random nonce to tie the response to this request - SetNonce strips
* any leading zero bytes so the nonce is encodable. */
if (wc_InitRng(&rng) != 0)
goto done;
rngInit = 1;
if (wc_RNG_GenerateBlock(&rng, nonce, (word32)sizeof(nonce)) != 0)
goto done;
r = wc_TspRequest_SetNonce(req, nonce, (word32)sizeof(nonce));
if (r != 0)
goto done;
/* Ask for the TSA's certificate to be included in the token. */
req->certReq = 1;
r = wc_TspRequest_Encode(req, enc, &encSz);
if (r != 0) {
fprintf(stderr, "encode request failed: %s\n", wc_GetErrorString(r));
goto done;
}
if (tsp_write_file(reqFile, enc, encSz) != 0)
goto done;
printf("Wrote %u byte time-stamp request to %s\n", encSz, reqFile);
ret = 0;
done:
if (rngInit)
wc_FreeRng(&rng);
TSP_FREE(req);
TSP_FREE(enc);
return ret;
}
int main(int argc, char* argv[])
{
if (argc != 3) {
fprintf(stderr, "usage: %s <file> <request.tsq>\n", argv[0]);
return 1;
}
return tsp_query(argv[1], argv[2]);
}
#else
int main(void)
{
#ifdef NO_FILESYSTEM
fprintf(stderr, "NO_FILESYSTEM is defined\n");
#else
fprintf(stderr, "Build wolfSSL with ./configure --enable-tsp\n");
#endif
return 1;
}
#endif
+346
View File
@@ -0,0 +1,346 @@
/* tsp_reply.c
*
* Copyright (C) 2006-2026 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/* Time-Stamp Protocol (RFC 3161) example: act as a TSA and reply.
*
* tsp_reply <request.tsq> <tsa-cert.der> <tsa-key.der> <response.tsr>
* [rsa|ecc]
* Write a signed response for the request.
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#ifndef WOLFSSL_USER_SETTINGS
#include <wolfssl/options.h>
#endif
#include <wolfssl/wolfcrypt/settings.h>
#include <wolfssl/wolfcrypt/tsp.h>
#include <wolfssl/wolfcrypt/hash.h>
#include <wolfssl/wolfcrypt/random.h>
#include <wolfssl/wolfcrypt/error-crypt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if defined(WOLFSSL_TSP) && defined(HAVE_PKCS7) && \
(!defined(NO_RSA) || defined(HAVE_ECC)) && \
!defined(NO_SHA256) && !defined(WC_NO_RNG) && !defined(NO_FILESYSTEM) && \
defined(WOLFSSL_TSP_RESPONDER)
/* TSA policy of this example: 1.3.6.1.4.1.999.1. */
static const byte tsaPolicy[] = {
0x2b, 0x06, 0x01, 0x04, 0x01, 0x87, 0x67, 0x01
};
/* Number of random bytes in a serial number. */
#define TSP_NUM_SZ 8
/* Maximum size of a file read into memory: a DER request, certificate or key,
* and the time-stamp token written. Big enough for an RSA-2048 credential and
* a typical time-stamp token. */
#ifndef WC_TSP_MAX_FILE_SZ
#define WC_TSP_MAX_FILE_SZ 8192
#endif
/* Local variables larger than 63 bytes - big buffers and big structures - are
* kept off the stack. They are allocated from the heap, unless dynamic memory
* is not available (WOLFSSL_NO_MALLOC) in which case they go on the stack.
* WOLFSSL_SMALL_STACK uses the heap path; it never co-exists with
* WOLFSSL_NO_MALLOC. 'name' is always used as a pointer.
*
* TSP_DECL declares, TSP_ALLOC allocates (running 'fail' on failure) and
* TSP_FREE releases an array of 'cnt' items of 'type' (cnt is 1 for a single
* object). */
#ifdef WOLFSSL_NO_MALLOC
#define TSP_DECL(type, name, cnt) type name[cnt]
#define TSP_ALLOC(type, name, cnt, fail) WC_DO_NOTHING
#define TSP_FREE(name) WC_DO_NOTHING
#else
#define TSP_DECL(type, name, cnt) type* name = NULL
#define TSP_ALLOC(type, name, cnt, fail) \
do { \
(name) = (type*)XMALLOC(sizeof(type) * (cnt), NULL, \
DYNAMIC_TYPE_TMP_BUFFER); \
if ((name) == NULL) { \
fail; \
} \
} while (0)
#define TSP_FREE(name) \
XFREE((name), NULL, DYNAMIC_TYPE_TMP_BUFFER)
#endif
/* Read a whole file into the caller's buffer. Fails when the file is larger
* than maxSz so that no dynamic allocation of the file size is needed. */
static int tsp_read_file(const char* name, byte* data, word32 maxSz,
word32* sz)
{
int ret = -1;
FILE* f;
long len;
f = fopen(name, "rb");
if (f == NULL) {
fprintf(stderr, "failed to open %s\n", name);
return -1;
}
if ((fseek(f, 0, SEEK_END) == 0) && ((len = ftell(f)) >= 0) &&
(fseek(f, 0, SEEK_SET) == 0)) {
/* Compare as unsigned long so a length above 4GB is not truncated by
* a word32 cast to a small value that slips under maxSz. */
if ((unsigned long)len > maxSz) {
fprintf(stderr, "%s is too big (%ld > %u)\n", name, len, maxSz);
}
else if (fread(data, 1, (size_t)len, f) == (size_t)len) {
*sz = (word32)len;
ret = 0;
}
}
fclose(f);
return ret;
}
/* Write a buffer to a file. */
static int tsp_write_file(const char* name, const byte* data, word32 sz)
{
int ret = -1;
FILE* f;
f = fopen(name, "wb");
if (f == NULL) {
fprintf(stderr, "failed to open %s\n", name);
return -1;
}
if (fwrite(data, 1, sz, f) == sz) {
ret = 0;
}
fclose(f);
return ret;
}
/* Generate a random number without leading zero bytes. */
static int tsp_rand_num(WC_RNG* rng, byte* num, word32 sz, word32* outSz)
{
word32 i;
if (wc_RNG_GenerateBlock(rng, num, sz) != 0)
return -1;
/* Skip leading zero bytes - keep at least one byte. */
for (i = 0; (i < sz - 1) && (num[i] == 0x00); i++);
if (num[i] == 0x00)
num[i] = 0x01;
memmove(num, num + i, sz - i);
*outSz = sz - i;
return 0;
}
/* Write a response to the file. */
static int tsp_write_response(const char* name, const TspResponse* resp)
{
int ret = 1;
int r;
TSP_DECL(byte, enc, WC_TSP_MAX_FILE_SZ);
word32 encSz = WC_TSP_MAX_FILE_SZ;
TSP_ALLOC(byte, enc, WC_TSP_MAX_FILE_SZ, return 1);
r = wc_TspResponse_Encode(resp, enc, &encSz);
if (r != 0) {
fprintf(stderr, "encode response failed: %s\n", wc_GetErrorString(r));
goto done;
}
if (tsp_write_file(name, enc, encSz) != 0)
goto done;
printf("Wrote %u byte time-stamp response to %s\n", encSz, name);
ret = 0;
done:
TSP_FREE(enc);
return ret;
}
/* Write a rejection response with failure information. */
static int tsp_reject(const char* name, word32 failInfo, const char* text)
{
TspResponse resp;
(void)wc_TspResponse_Init(&resp);
(void)wc_TspResponse_SetStatus(&resp, WC_TSP_PKISTATUS_REJECTION,
(const byte*)text, (word32)strlen(text), failInfo);
printf("Rejecting request: %s\n", text);
return tsp_write_response(name, &resp);
}
/* Act as a TSA - create a response for the request. */
static int tsp_reply(const char* reqFile, const char* certFile,
const char* keyFile, const char* respFile, const char* keyType)
{
int ret = 1;
int r;
WC_RNG rng;
int rngInit = 0;
TSP_DECL(TspRequest, req, 1);
TSP_DECL(TspTstInfo, tst, 1);
TspResponse resp;
TSP_DECL(byte, reqDer, WC_TSP_MAX_FILE_SZ);
word32 reqDerSz = 0;
TSP_DECL(byte, cert, WC_TSP_MAX_FILE_SZ);
word32 certSz = 0;
TSP_DECL(byte, key, WC_TSP_MAX_FILE_SZ);
word32 keySz = 0;
byte serial[TSP_NUM_SZ];
word32 serialSz = 0;
TSP_DECL(byte, token, WC_TSP_MAX_FILE_SZ);
word32 tokenSz = WC_TSP_MAX_FILE_SZ;
TSP_ALLOC(TspRequest, req, 1, goto done);
TSP_ALLOC(TspTstInfo, tst, 1, goto done);
TSP_ALLOC(byte, reqDer, WC_TSP_MAX_FILE_SZ, goto done);
TSP_ALLOC(byte, cert, WC_TSP_MAX_FILE_SZ, goto done);
TSP_ALLOC(byte, key, WC_TSP_MAX_FILE_SZ, goto done);
TSP_ALLOC(byte, token, WC_TSP_MAX_FILE_SZ, goto done);
/* Load the request and the TSA's credentials. */
if ((tsp_read_file(reqFile, reqDer, WC_TSP_MAX_FILE_SZ, &reqDerSz) != 0) ||
(tsp_read_file(certFile, cert, WC_TSP_MAX_FILE_SZ, &certSz) != 0) ||
(tsp_read_file(keyFile, key, WC_TSP_MAX_FILE_SZ, &keySz) != 0)) {
goto done;
}
/* A request that does not parse is rejected. */
r = wc_TspRequest_Decode(req, reqDer, reqDerSz);
if (r != 0) {
ret = tsp_reject(respFile, WC_TSP_FAIL_BAD_DATA_FORMAT,
"request could not be parsed");
goto done;
}
/* The hash algorithm of the imprint must be one the TSA supports. */
if (wc_HashGetDigestSize(wc_OidGetHash((int)req->imprint.hashAlgOID)) !=
(int)req->imprint.hashSz) {
ret = tsp_reject(respFile, WC_TSP_FAIL_BAD_ALG,
"hash algorithm not supported");
goto done;
}
if (wc_InitRng(&rng) != 0)
goto done;
rngInit = 1;
/* Fill in the TSTInfo for the request. */
r = wc_TspTstInfo_Init(tst);
if (r != 0)
goto done;
tst->policy = tsaPolicy;
tst->policySz = (word32)sizeof(tsaPolicy);
/* Time-stamp the imprint as it was sent. */
tst->imprint = req->imprint;
/* Random serial number - a real TSA must ensure uniqueness across
* restarts. */
if (tsp_rand_num(&rng, serial, (word32)sizeof(serial), &serialSz) != 0)
goto done;
/* Leading zero bytes are stripped so the serial number encodes. */
if (wc_TspTstInfo_SetSerial(tst, serial, serialSz) != 0)
goto done;
/* genTime of NULL - the current time is used. */
tst->accuracy.seconds = 1;
/* The nonce must be returned when it was in the request. */
if (req->nonceSz != 0) {
tst->nonce = req->nonce;
tst->nonceSz = req->nonceSz;
}
/* Sign the TSTInfo to make a time-stamp token. This example always
* includes the TSA's certificate in the token. */
{
enum wc_PkType keyPkType;
#ifndef HAVE_ECC
(void)keyType;
#endif
#ifdef HAVE_ECC
if ((keyType != NULL) && (strcmp(keyType, "ecc") == 0)) {
keyPkType = WC_PK_TYPE_ECDSA_SIGN;
}
else
#endif
{
#ifndef NO_RSA
keyPkType = WC_PK_TYPE_RSA;
#else
/* RSA not available - fall back to ECC. */
keyPkType = WC_PK_TYPE_ECDSA_SIGN;
#endif
}
r = wc_TspTstInfo_Sign(tst, cert, certSz, key, keySz,
keyPkType, WC_HASH_TYPE_SHA256, &rng, token, &tokenSz);
}
if (r != 0) {
fprintf(stderr, "create token failed: %s\n", wc_GetErrorString(r));
goto done;
}
/* Put the token in a granted response. */
r = wc_TspResponse_Init(&resp);
if (r != 0)
goto done;
(void)wc_TspResponse_SetStatus(&resp, WC_TSP_PKISTATUS_GRANTED, NULL, 0, 0);
resp.token = token;
resp.tokenSz = tokenSz;
ret = tsp_write_response(respFile, &resp);
done:
if (rngInit)
wc_FreeRng(&rng);
TSP_FREE(req);
TSP_FREE(tst);
TSP_FREE(reqDer);
TSP_FREE(cert);
TSP_FREE(key);
TSP_FREE(token);
return ret;
}
int main(int argc, char* argv[])
{
if ((argc != 5) && (argc != 6)) {
fprintf(stderr, "usage: %s <request.tsq> <tsa-cert.der> "
"<tsa-key.der> <response.tsr> [rsa|ecc]\n", argv[0]);
return 1;
}
return tsp_reply(argv[1], argv[2], argv[3], argv[4],
(argc == 6) ? argv[5] : NULL);
}
#else
int main(void)
{
#ifdef NO_FILESYSTEM
fprintf(stderr, "NO_FILESYSTEM is defined\n");
#else
fprintf(stderr, "Build wolfSSL with ./configure --enable-tsp\n");
#endif
return 1;
}
#endif
+302
View File
@@ -0,0 +1,302 @@
/* tsp_verify.c
*
* Copyright (C) 2006-2026 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/* Time-Stamp Protocol (RFC 3161) example: verify a response.
*
* tsp_verify <file> <request.tsq> <response.tsr> <tsa-cert.der>
* Verify a response against the data, the request sent and the
* trusted TSA certificate.
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#ifndef WOLFSSL_USER_SETTINGS
#include <wolfssl/options.h>
#endif
#include <wolfssl/wolfcrypt/settings.h>
#include <wolfssl/wolfcrypt/tsp.h>
#include <wolfssl/wolfcrypt/hash.h>
#include <wolfssl/wolfcrypt/sha256.h>
#include <wolfssl/wolfcrypt/random.h>
#include <wolfssl/wolfcrypt/error-crypt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if defined(WOLFSSL_TSP) && defined(HAVE_PKCS7) && \
(!defined(NO_RSA) || defined(HAVE_ECC)) && \
!defined(NO_SHA256) && !defined(WC_NO_RNG) && !defined(NO_FILESYSTEM) && \
defined(WOLFSSL_TSP_VERIFIER)
/* Maximum size of a file read into memory: a DER request, response or
* certificate. Big enough for an RSA-2048 credential and a typical
* time-stamp token. */
#ifndef WC_TSP_MAX_FILE_SZ
#define WC_TSP_MAX_FILE_SZ 8192
#endif
/* Size of the buffer used to hash a file a chunk at a time. */
#ifndef WC_TSP_HASH_CHUNK_SZ
#define WC_TSP_HASH_CHUNK_SZ 256
#endif
/* Local variables larger than 63 bytes - big buffers and big structures - are
* kept off the stack. They are allocated from the heap, unless dynamic memory
* is not available (WOLFSSL_NO_MALLOC) in which case they go on the stack.
* WOLFSSL_SMALL_STACK uses the heap path; it never co-exists with
* WOLFSSL_NO_MALLOC. 'name' is always used as a pointer.
*
* TSP_DECL declares, TSP_ALLOC allocates (running 'fail' on failure) and
* TSP_FREE releases an array of 'cnt' items of 'type' (cnt is 1 for a single
* object). */
#ifdef WOLFSSL_NO_MALLOC
#define TSP_DECL(type, name, cnt) type name[cnt]
#define TSP_ALLOC(type, name, cnt, fail) WC_DO_NOTHING
#define TSP_FREE(name) WC_DO_NOTHING
#else
#define TSP_DECL(type, name, cnt) type* name = NULL
#define TSP_ALLOC(type, name, cnt, fail) \
do { \
(name) = (type*)XMALLOC(sizeof(type) * (cnt), NULL, \
DYNAMIC_TYPE_TMP_BUFFER); \
if ((name) == NULL) { \
fail; \
} \
} while (0)
#define TSP_FREE(name) \
XFREE((name), NULL, DYNAMIC_TYPE_TMP_BUFFER)
#endif
/* Read a whole file into the caller's buffer. Fails when the file is larger
* than maxSz so that no dynamic allocation of the file size is needed. */
static int tsp_read_file(const char* name, byte* data, word32 maxSz,
word32* sz)
{
int ret = -1;
FILE* f;
long len;
f = fopen(name, "rb");
if (f == NULL) {
fprintf(stderr, "failed to open %s\n", name);
return -1;
}
if ((fseek(f, 0, SEEK_END) == 0) && ((len = ftell(f)) >= 0) &&
(fseek(f, 0, SEEK_SET) == 0)) {
/* Compare as unsigned long so a length above 4GB is not truncated by
* a word32 cast to a small value that slips under maxSz. */
if ((unsigned long)len > maxSz) {
fprintf(stderr, "%s is too big (%ld > %u)\n", name, len, maxSz);
}
else if (fread(data, 1, (size_t)len, f) == (size_t)len) {
*sz = (word32)len;
ret = 0;
}
}
fclose(f);
return ret;
}
/* Hash a file with SHA-256 a chunk at a time so the whole file need not be
* held in memory. */
static int tsp_hash_file(const char* name, byte* hash)
{
int ret = -1;
FILE* f = NULL;
TSP_DECL(wc_Sha256, sha, 1);
TSP_DECL(byte, buf, WC_TSP_HASH_CHUNK_SZ);
size_t n;
TSP_ALLOC(wc_Sha256, sha, 1, goto done);
TSP_ALLOC(byte, buf, WC_TSP_HASH_CHUNK_SZ, goto done);
f = fopen(name, "rb");
if (f == NULL) {
fprintf(stderr, "failed to open %s\n", name);
goto done;
}
if (wc_InitSha256(sha) == 0) {
ret = 0;
while ((n = fread(buf, 1, WC_TSP_HASH_CHUNK_SZ, f)) > 0) {
if (wc_Sha256Update(sha, buf, (word32)n) != 0) {
ret = -1;
break;
}
}
if ((ret == 0) && (ferror(f) != 0))
ret = -1;
if (ret == 0)
ret = (wc_Sha256Final(sha, hash) == 0) ? 0 : -1;
wc_Sha256Free(sha);
}
done:
if (f != NULL)
fclose(f);
TSP_FREE(sha);
TSP_FREE(buf);
return ret;
}
/* Check a response was granted - print the status when not. */
static int tsp_check_granted(const TspResponse* resp)
{
word32 status = 0;
const byte* statusText = NULL;
word32 statusTextSz = 0;
word32 failInfo = 0;
wc_TspResponse_GetStatus(resp, &status, &statusText, &statusTextSz,
&failInfo);
if ((status == WC_TSP_PKISTATUS_GRANTED) ||
(status == WC_TSP_PKISTATUS_GRANTED_WITH_MODS)) {
return 0;
}
fprintf(stderr, "time-stamp not granted: status %lu\n",
(unsigned long)status);
if (statusText != NULL) {
fprintf(stderr, " status text: %.*s\n", (int)statusTextSz,
statusText);
}
if (failInfo != 0) {
fprintf(stderr, " failure information: 0x%08lx\n",
(unsigned long)failInfo);
}
return 1;
}
/* Verify a response against the data and the request sent. */
static int tsp_verify(const char* dataFile, const char* reqFile,
const char* respFile, const char* certFile)
{
int ret = 1;
int r;
TSP_DECL(TspRequest, req, 1);
TspResponse resp;
TSP_DECL(TspTstInfo, tst, 1);
TSP_DECL(byte, reqDer, WC_TSP_MAX_FILE_SZ);
word32 reqDerSz = 0;
TSP_DECL(byte, respDer, WC_TSP_MAX_FILE_SZ);
word32 respDerSz = 0;
TSP_DECL(byte, cert, WC_TSP_MAX_FILE_SZ);
word32 certSz = 0;
byte hash[WC_SHA256_DIGEST_SIZE];
enum wc_HashType hashType = WC_HASH_TYPE_NONE;
TSP_ALLOC(TspRequest, req, 1, goto done);
TSP_ALLOC(TspTstInfo, tst, 1, goto done);
TSP_ALLOC(byte, reqDer, WC_TSP_MAX_FILE_SZ, goto done);
TSP_ALLOC(byte, respDer, WC_TSP_MAX_FILE_SZ, goto done);
TSP_ALLOC(byte, cert, WC_TSP_MAX_FILE_SZ, goto done);
/* Load the request, response and trusted TSA certificate. */
if ((tsp_read_file(reqFile, reqDer, WC_TSP_MAX_FILE_SZ, &reqDerSz) != 0) ||
(tsp_read_file(respFile, respDer, WC_TSP_MAX_FILE_SZ,
&respDerSz) != 0) ||
(tsp_read_file(certFile, cert, WC_TSP_MAX_FILE_SZ, &certSz) != 0)) {
goto done;
}
/* Check the request was for this data - hash the data file again. */
r = wc_TspRequest_Decode(req, reqDer, reqDerSz);
if (r != 0) {
fprintf(stderr, "decode request failed: %s\n", wc_GetErrorString(r));
goto done;
}
/* This example only hashes data with SHA-256 - the request must match. */
r = wc_TspRequest_GetHashType(req, &hashType);
if (r == 0)
r = tsp_hash_file(dataFile, hash);
if ((r != 0) || (hashType != WC_HASH_TYPE_SHA256) ||
(req->imprint.hashSz != (word32)sizeof(hash)) ||
(memcmp(req->imprint.hash, hash, sizeof(hash)) != 0)) {
fprintf(stderr, "request is not for this data\n");
goto done;
}
/* The time-stamp must have been granted. */
r = wc_TspResponse_Decode(&resp, respDer, respDerSz);
if (r != 0) {
fprintf(stderr, "decode response failed: %s\n", wc_GetErrorString(r));
goto done;
}
if (tsp_check_granted(&resp) != 0) {
goto done;
}
/* Verify the token against the trusted TSA certificate - the signer must
* be that certificate. The certificate is also used to verify tokens that
* do not include it. */
r = wc_TspResponse_Verify(&resp, cert, certSz, tst);
if (r != 0) {
fprintf(stderr, "token verification failed: %s\n",
wc_GetErrorString(r));
goto done;
}
/* Check the TSTInfo is for the request - imprint, nonce and policy. */
r = wc_TspTstInfo_CheckRequest(tst, req);
if (r != 0) {
fprintf(stderr, "token does not match request: %s\n",
wc_GetErrorString(r));
goto done;
}
/* tst references the response's token - use before respDer is freed. */
printf("Verification: OK\n");
printf(" Time: %.*s\n", (int)tst->genTimeSz, tst->genTime);
ret = 0;
done:
TSP_FREE(req);
TSP_FREE(tst);
TSP_FREE(reqDer);
TSP_FREE(respDer);
TSP_FREE(cert);
return ret;
}
int main(int argc, char* argv[])
{
if (argc != 5) {
fprintf(stderr, "usage: %s <file> <request.tsq> <response.tsr> "
"<tsa-cert.der>\n", argv[0]);
return 1;
}
return tsp_verify(argv[1], argv[2], argv[3], argv[4]);
}
#else
int main(void)
{
#ifdef NO_FILESYSTEM
fprintf(stderr, "NO_FILESYSTEM is defined\n");
#else
fprintf(stderr, "Build wolfSSL with ./configure --enable-tsp\n");
#endif
return 1;
}
#endif
+10 -1
View File
@@ -29,6 +29,8 @@ my @fileList_ecc = (
[ "./certs/server-ecc-comp.der", "serv_ecc_comp_der_256" ],
[ "./certs/server-ecc-rsa.der", "serv_ecc_rsa_der_256" ],
[ "./certs/server-ecc.der", "serv_ecc_der_256" ],
[ "./certs/tsa-ecc-key.der", "tsa_ecc_key_der_256" ],
[ "./certs/tsa-ecc-cert.der", "tsa_ecc_cert_der_256" ],
[ "./certs/ca-ecc-key.der", "ca_ecc_key_der_256" ],
[ "./certs/ca-ecc-cert.der", "ca_ecc_cert_der_256" ],
[ "./certs/ca-ecc384-key.der", "ca_ecc_key_der_384" ],
@@ -87,7 +89,14 @@ my @fileList_2048 = (
[ "./certs/ca-cert.der", "ca_cert_der_2048" ],
[ "./certs/ca-cert-chain.der", "ca_cert_chain_der" ],
[ "./certs/server-key.der", "server_key_der_2048" ],
[ "./certs/server-cert.der", "server_cert_der_2048" ]
[ "./certs/server-cert.der", "server_cert_der_2048" ],
[ "./certs/tsa-key.der", "tsa_key_der_2048" ],
[ "./certs/tsa-cert.der", "tsa_cert_der_2048" ],
[ "./certs/tsa-bad-ku-cert.der", "tsa_bad_ku_cert_der_2048" ],
[ "./certs/tsa-extra-eku-cert.der", "tsa_extra_eku_cert_der_2048" ],
[ "./certs/intermediate/ca-int-cert.der", "ca_int_cert_der_2048" ],
[ "./certs/tsa-chain-key.der", "tsa_chain_key_der_2048" ],
[ "./certs/tsa-chain-cert.der", "tsa_chain_cert_der_2048" ]
);
# 3072-bit certs/keys to be converted
+2
View File
@@ -1209,6 +1209,7 @@ my @p7t_encrypted_data = ( 1, 2, 840, 113549, 1, 7, 6 );
my @p7t_compressed_data = ( 1, 2, 840, 113549, 1, 9, 16, 1, 9 );
my @p7t_firmware_pkg_data = ( 1, 2, 840, 113549, 1, 9, 16, 1, 16 );
my @p7t_auth_env_data = ( 1, 2, 840, 113549, 1, 9, 16, 1, 23 );
my @p7t_tstinfo_data = ( 1, 2, 840, 113549, 1, 9, 16, 1, 4 );
my @p7t_encrypted_key_package = ( 2, 16, 840, 1, 101, 2, 1, 2, 78, 2 );
my @pkcs7_types = (
@@ -1222,6 +1223,7 @@ my @pkcs7_types = (
{ name => "ENCRYPTED_DATA", oid => \@p7t_encrypted_data },
{ name => "FIRMWARE_PKG_DATA", oid => \@p7t_firmware_pkg_data },
{ name => "AUTH_ENVELOPED_DATA", oid => \@p7t_auth_env_data },
{ name => "TSTINFO_DATA", oid => \@p7t_tstinfo_data },
{ name => "ENCRYPTED_KEY_PACKAGE", oid => \@p7t_encrypted_key_package },
);
+2
View File
@@ -124,6 +124,8 @@ EXTRA_DIST+= scripts/multi-msg-record.py
dist_noinst_SCRIPTS+= scripts/pem.test
dist_noinst_SCRIPTS+= scripts/tsp.test
EXTRA_DIST += scripts/sniffer-static-rsa.pcap \
scripts/sniffer-ipv6.pcap \
scripts/sniffer-tls13-dh.pcap \
+130
View File
@@ -0,0 +1,130 @@
#!/usr/bin/env bash
# tsp.test
# Time-Stamp Protocol (RFC 3161) tests using the ts example tools, with
# OpenSSL interoperability when an openssl binary is available.
TSP_QUERY=./examples/tsp/tsp_query
TSP_REPLY=./examples/tsp/tsp_reply
TSP_VERIFY=./examples/tsp/tsp_verify
RESULT=0
# Check the examples were built and are usable - can't test without them.
# A feature-disabled stub prints a build hint rather than a usage line.
if [ ! -x "$TSP_QUERY" ] || [ ! -x "$TSP_REPLY" ] || [ ! -x "$TSP_VERIFY" ]; then
echo "ts examples not found -- skipping tsp.test."
exit 77
fi
# The round trip exercises every role, so all three tools must be usable. A
# single-role build (e.g. --enable-tsp with only the responder) leaves the
# others as feature-disabled stubs - skip rather than fail in that case.
for tool in "$TSP_QUERY" "$TSP_REPLY" "$TSP_VERIFY"; do
if ! "$tool" 2>&1 | grep -q "usage:"; then
echo "ts examples not usable (need requester, responder and verifier"\
"roles) -- skipping tsp.test."
exit 77
fi
done
SRC_DIR="$(dirname "$0")/.."
CERTS_DIR="${SRC_DIR}/certs"
if [ ! -f "${CERTS_DIR}/tsa-cert.der" ]; then
echo "TSA certificate not found at ${CERTS_DIR} -- skipping tsp.test."
exit 77
fi
WORK_DIR=./tsp_test.$$
mkdir "$WORK_DIR" || exit 1
cleanup() {
rm -rf "$WORK_DIR"
}
trap cleanup EXIT
fail() {
echo "FAIL: $1"
RESULT=1
}
pass() {
echo "PASS: $1"
}
DATA="$WORK_DIR/data.txt"
REQ="$WORK_DIR/request.tsq"
RESP="$WORK_DIR/response.tsr"
echo "data to be time-stamped" > "$DATA"
# Choose a TSA credential this build supports: RSA when available,
# otherwise the ECC credential (e.g. a --disable-rsa build).
CERT="${CERTS_DIR}/tsa-cert.der"
KEY="${CERTS_DIR}/tsa-key.der"
CAFILE="${CERTS_DIR}/tsa-cert.pem"
KEYTYPE=
"$TSP_QUERY" "$DATA" "$REQ" >/dev/null 2>&1
if ! "$TSP_REPLY" "$REQ" "$CERT" "$KEY" "$RESP" >/dev/null 2>&1; then
CERT="${CERTS_DIR}/tsa-ecc-cert.der"
KEY="${CERTS_DIR}/tsa-ecc-key.der"
CAFILE="${CERTS_DIR}/tsa-ecc-cert.pem"
KEYTYPE=ecc
fi
# wolfSSL round trip: query -> reply -> verify.
"$TSP_QUERY" "$DATA" "$REQ" >/dev/null &&
"$TSP_REPLY" "$REQ" "$CERT" "$KEY" "$RESP" $KEYTYPE >/dev/null &&
"$TSP_VERIFY" "$DATA" "$REQ" "$RESP" "$CERT" \
>/dev/null
if [ $? -eq 0 ]; then
pass "wolfSSL round trip"
else
fail "wolfSSL round trip"
fi
# Tampered data must not verify.
echo "tampered" >> "$DATA"
if "$TSP_VERIFY" "$DATA" "$REQ" "$RESP" "$CERT" \
>/dev/null 2>&1; then
fail "tampered data detected"
else
pass "tampered data detected"
fi
echo "data to be time-stamped" > "$DATA"
# A request that does not parse gets a rejection response.
head -c 20 "$REQ" > "$WORK_DIR/bad.tsq"
"$TSP_REPLY" "$WORK_DIR/bad.tsq" "$CERT" \
"$KEY" "$WORK_DIR/reject.tsr" $KEYTYPE >/dev/null
if [ $? -eq 0 ] && [ -f "$WORK_DIR/reject.tsr" ]; then
pass "rejection response written"
else
fail "rejection response written"
fi
# OpenSSL interoperability - skipped without an openssl supporting ts.
if openssl ts -query -data "$DATA" -sha256 -cert \
-out "$WORK_DIR/ossl.tsq" >/dev/null 2>&1; then
# OpenSSL verifies a wolfSSL response.
if openssl ts -verify -queryfile "$REQ" -in "$RESP" \
-CAfile "$CAFILE" >/dev/null 2>&1; then
pass "OpenSSL verifies wolfSSL response"
else
fail "OpenSSL verifies wolfSSL response"
fi
# wolfSSL answers an OpenSSL request and OpenSSL verifies it.
"$TSP_REPLY" "$WORK_DIR/ossl.tsq" "$CERT" \
"$KEY" "$WORK_DIR/ossl.tsr" $KEYTYPE >/dev/null &&
"$TSP_VERIFY" "$DATA" "$WORK_DIR/ossl.tsq" "$WORK_DIR/ossl.tsr" \
"$CERT" >/dev/null &&
openssl ts -verify -data "$DATA" -in "$WORK_DIR/ossl.tsr" \
-CAfile "$CAFILE" >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "wolfSSL answers OpenSSL request"
else
fail "wolfSSL answers OpenSSL request"
fi
else
echo "openssl ts not usable -- skipping interoperability tests."
fi
exit $RESULT
+5
View File
@@ -25,6 +25,7 @@ EXTRA_DIST += src/ssl_api_dtls.c
EXTRA_DIST += src/ssl_api_ext.c
EXTRA_DIST += src/ssl_api_pk.c
EXTRA_DIST += src/ssl_asn1.c
EXTRA_DIST += src/ssl_tsp.c
EXTRA_DIST += src/ssl_bn.c
EXTRA_DIST += src/ssl_certman.c
EXTRA_DIST += src/ssl_crypto.c
@@ -2241,6 +2242,10 @@ if BUILD_PKCS7
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/pkcs7.c
endif
if BUILD_TSP
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/tsp.c
endif
if BUILD_SRP
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/srp.c
endif
+3
View File
@@ -455,6 +455,9 @@ WC_RNG* wolfssl_make_rng(WC_RNG* rng, int* local)
#include "src/ssl_asn1.c"
#endif /* OPENSSL_EXTRA_NO_ASN1 */
#define WOLFSSL_SSL_TSP_INCLUDED
#include "src/ssl_tsp.c"
#define WOLFSSL_PK_INCLUDED
#include "src/pk.c"
+91
View File
@@ -758,6 +758,44 @@ void wolfSSL_ASN1_BIT_STRING_free(WOLFSSL_ASN1_BIT_STRING* bitStr)
XFREE(bitStr, NULL, DYNAMIC_TYPE_OPENSSL);
}
/* Copy data into an ASN.1 BIT_STRING object.
*
* Any existing data is disposed of and a copy of the supplied data is made.
*
* @param [in, out] bitStr ASN.1 BIT_STRING object.
* @param [in] data Data to copy in. May be NULL when len is 0.
* @param [in] len Length of data in bytes.
* @return 1 on success.
* @return 0 when bitStr is NULL, len is negative, data is NULL with a
* positive length, or dynamic memory allocation fails.
*/
int wolfSSL_ASN1_BIT_STRING_set1(WOLFSSL_ASN1_BIT_STRING* bitStr,
const unsigned char* data, int len)
{
byte* tmp = NULL;
/* Validate parameters. */
if ((bitStr == NULL) || (len < 0) || ((data == NULL) && (len > 0))) {
return 0;
}
/* Make a copy of the data when there is any. */
if (len > 0) {
tmp = (byte*)XMALLOC((size_t)len, NULL, DYNAMIC_TYPE_OPENSSL);
if (tmp == NULL) {
return 0;
}
XMEMCPY(tmp, data, (size_t)len);
}
/* Dispose of any old data and store the copy. */
XFREE(bitStr->data, NULL, DYNAMIC_TYPE_OPENSSL);
bitStr->data = tmp;
bitStr->length = len;
return 1;
}
/* Get the value of the bit from the ASN.1 BIT_STRING at specified index.
*
* A NULL object a value of 0 for the bit at all indices.
@@ -1134,6 +1172,59 @@ static int wolfssl_asn1_integer_require_len(WOLFSSL_ASN1_INTEGER* a, int len,
return ret;
}
#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TSP) && defined(HAVE_PKCS7) && \
defined(WOLFSSL_TSP_VERIFIER)
/* Create an ASN.1 INTEGER object holding a big-endian number in DER form.
*
* The data is the ASN.1 type and length followed by the number as supplied.
*
* @param [in] val Big-endian encoding of number.
* @param [in] len Length of number in bytes.
* @return ASN.1 INTEGER object on success.
* @return NULL on failure.
*/
static WOLFSSL_ASN1_INTEGER* wolfssl_asn1_integer_new_buf(
const unsigned char* val, word32 len)
{
WOLFSSL_ASN1_INTEGER* a;
word32 pad;
word32 hdrSz;
word32 i = 0;
/* Defensive: all current callers pass a non-NULL, non-empty magnitude, but
* this is a shared helper. A NULL val is dereferenced below and a zero
* length would build a non-canonical empty INTEGER (02 00). */
if ((val == NULL) || (len == 0))
return NULL;
/* Pad with a leading 0x00 when the top bit is set so the DER INTEGER stays
* positive - the wc layer supplies the magnitude without this pad. */
pad = (val[0] & 0x80) ? 1 : 0;
hdrSz = 1 + SetLength(len + pad, NULL);
a = wolfSSL_ASN1_INTEGER_new();
if (a == NULL)
return NULL;
/* Make sure there is space for the data, pad, ASN.1 type and length. */
if (wolfssl_asn1_integer_require_len(a, (int)(len + pad + hdrSz), 0) != 1) {
wolfSSL_ASN1_INTEGER_free(a);
return NULL;
}
a->data[i++] = ASN_INTEGER;
i += SetLength(len + pad, a->data + i);
if (pad == 1) {
a->data[i++] = 0x00;
}
XMEMCPY(a->data + i, val, len);
a->length = (int)(len + i);
a->type = WOLFSSL_V_ASN1_INTEGER;
return a;
}
#endif /* OPENSSL_EXTRA && WOLFSSL_TSP && HAVE_PKCS7 && WOLFSSL_TSP_VERIFIER */
/* Duplicate the ASN.1 INTEGER object into a newly allocated one.
*
* @param [in] src ASN.1 INTEGER object to copy.
+2420
View File
File diff suppressed because it is too large Load Diff
+1 -1
View File
@@ -3704,7 +3704,7 @@ static int wolfSSL_ASN1_STRING_into_old_ext_fmt(WOLFSSL_ASN1_STRING *asn1str,
ret = DecodeExtKeyUsage((const byte*)asn1str->data, asn1str->length,
&extExtKeyUsageSrc, &extExtKeyUsageSz, &extExtKeyUsageCount,
&extExtKeyUsage, &extExtKeyUsageSsh);
&extExtKeyUsage, &extExtKeyUsageSsh, NULL);
if (ret != 0)
return ret;
+6
View File
@@ -245,11 +245,13 @@
#include <tests/api/test_session.h>
#include <tests/api/test_x509.h>
#include <tests/api/test_asn.h>
#include <tests/api/test_tsp.h>
#include <tests/api/test_lms_xmss.h>
#include <tests/api/test_pkcs7.h>
#include <tests/api/test_pkcs12.h>
#include <tests/api/test_pwdbased.h>
#include <tests/api/test_ossl_asn1.h>
#include <tests/api/test_ossl_tsp.h>
#include <tests/api/test_ossl_bn.h>
#include <tests/api/test_ossl_bio.h>
#include <tests/api/test_ossl_dgst.h>
@@ -35046,6 +35048,9 @@ TEST_CASE testCases[] = {
/* ASN */
TEST_ASN_DECLS,
/* Time-Stamp Protocol (RFC 3161) */
TEST_TSP_DECLS,
/* LMS, and RFC 9802 (HSS/LMS and XMSS/XMSS^MT in X.509) */
TEST_LMS_XMSS_DECLS,
@@ -35196,6 +35201,7 @@ TEST_CASE testCases[] = {
/* X509 tests */
TEST_OSSL_X509_DECLS,
TEST_OSSL_TSP_DECLS,
TEST_OSSL_X509_NAME_DECLS,
TEST_OSSL_X509_EXT_DECLS,
TEST_OSSL_X509_PK_DECLS,
+5
View File
@@ -68,6 +68,8 @@ tests_unit_test_SOURCES += tests/api/test_session.c
tests_unit_test_SOURCES += tests/api/test_x509.c
# ASN
tests_unit_test_SOURCES += tests/api/test_asn.c
# Time-Stamp Protocol (RFC 3161)
tests_unit_test_SOURCES += tests/api/test_tsp.c
# PKCS#7
tests_unit_test_SOURCES += tests/api/test_pkcs7.c
# PKCS#12
@@ -76,6 +78,7 @@ tests_unit_test_SOURCES += tests/api/test_pkcs12.c
tests_unit_test_SOURCES += tests/api/test_pwdbased.c
# OpenSSL ASN.1
tests_unit_test_SOURCES += tests/api/test_ossl_asn1.c
tests_unit_test_SOURCES += tests/api/test_ossl_tsp.c
# OpenSSL BN
tests_unit_test_SOURCES += tests/api/test_ossl_bn.c
# OpenSSL BIO
@@ -178,10 +181,12 @@ EXTRA_DIST += tests/api/test_tls.h
EXTRA_DIST += tests/api/test_session.h
EXTRA_DIST += tests/api/test_x509.h
EXTRA_DIST += tests/api/test_asn.h
EXTRA_DIST += tests/api/test_tsp.h
EXTRA_DIST += tests/api/test_pkcs7.h
EXTRA_DIST += tests/api/test_pkcs12.h
EXTRA_DIST += tests/api/test_pwdbased.h
EXTRA_DIST += tests/api/test_ossl_asn1.h
EXTRA_DIST += tests/api/test_ossl_tsp.h
EXTRA_DIST += tests/api/test_ossl_bn.h
EXTRA_DIST += tests/api/test_ossl_bio.h
EXTRA_DIST += tests/api/test_ossl_dgst.h
File diff suppressed because it is too large Load Diff
+68
View File
@@ -0,0 +1,68 @@
/* test_ossl_tsp.h
*
* Copyright (C) 2006-2026 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#ifndef WOLFCRYPT_TEST_OSSL_TSP_H
#define WOLFCRYPT_TEST_OSSL_TSP_H
#include <tests/api/api_decl.h>
int test_wolfSSL_TS_REQ(void);
int test_wolfSSL_TS_REQ_long_nonce(void);
int test_wolfSSL_TS_REQ_policy_id(void);
int test_wolfSSL_TS_RESP(void);
int test_wolfSSL_TS_RESP_accuracy_ordering(void);
int test_wolfSSL_TS_STATUS_INFO_failure_info(void);
int test_wolfSSL_TS_RESP_verify_response(void);
int test_wolfSSL_TS_RESP_verify_response_chain(void);
int test_wc_TspResponse_VerifyWithCm(void);
int test_wolfSSL_TS_RESP_verify_data(void);
int test_wolfSSL_TS_TST_INFO_get_tsa(void);
int test_wolfSSL_TS_RESP_CTX(void);
int test_wolfSSL_TS_RESP_verify_token(void);
int test_wolfSSL_TS_RESP_verify_status(void);
int test_wolfSSL_TS_RESP_verify_policy(void);
int test_wolfSSL_TS_VERIFY_CTX(void);
int test_wolfSSL_TS_VERIFY_CTX_cleanup(void);
int test_wolfSSL_TS_bad_args(void);
int test_wolfSSL_TS_view_cache(void);
#define TEST_OSSL_TSP_DECLS \
TEST_DECL_GROUP("ossl_tsp", test_wolfSSL_TS_REQ), \
TEST_DECL_GROUP("ossl_tsp", test_wolfSSL_TS_REQ_long_nonce), \
TEST_DECL_GROUP("ossl_tsp", test_wolfSSL_TS_REQ_policy_id), \
TEST_DECL_GROUP("ossl_tsp", test_wolfSSL_TS_RESP), \
TEST_DECL_GROUP("ossl_tsp", test_wolfSSL_TS_RESP_accuracy_ordering),\
TEST_DECL_GROUP("ossl_tsp", test_wolfSSL_TS_STATUS_INFO_failure_info), \
TEST_DECL_GROUP("ossl_tsp", test_wolfSSL_TS_RESP_verify_response), \
TEST_DECL_GROUP("ossl_tsp", test_wolfSSL_TS_RESP_verify_response_chain), \
TEST_DECL_GROUP("ossl_tsp", test_wc_TspResponse_VerifyWithCm), \
TEST_DECL_GROUP("ossl_tsp", test_wolfSSL_TS_RESP_verify_data), \
TEST_DECL_GROUP("ossl_tsp", test_wolfSSL_TS_TST_INFO_get_tsa), \
TEST_DECL_GROUP("ossl_tsp", test_wolfSSL_TS_RESP_CTX), \
TEST_DECL_GROUP("ossl_tsp", test_wolfSSL_TS_RESP_verify_token), \
TEST_DECL_GROUP("ossl_tsp", test_wolfSSL_TS_RESP_verify_status), \
TEST_DECL_GROUP("ossl_tsp", test_wolfSSL_TS_RESP_verify_policy), \
TEST_DECL_GROUP("ossl_tsp", test_wolfSSL_TS_VERIFY_CTX), \
TEST_DECL_GROUP("ossl_tsp", test_wolfSSL_TS_VERIFY_CTX_cleanup), \
TEST_DECL_GROUP("ossl_tsp", test_wolfSSL_TS_bad_args), \
TEST_DECL_GROUP("ossl_tsp", test_wolfSSL_TS_view_cache)
#endif /* WOLFCRYPT_TEST_OSSL_TSP_H */
+3531
View File
File diff suppressed because it is too large Load Diff
+148
View File
@@ -0,0 +1,148 @@
/* test_tsp.h
*
* Copyright (C) 2006-2026 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#ifndef WOLFCRYPT_TEST_TSP_H
#define WOLFCRYPT_TEST_TSP_H
#include <tests/api/api_decl.h>
int test_wc_TspRequest_Init(void);
int test_wc_TspRequest_SetHashType(void);
int test_wc_TspRequest_GetHashType(void);
int test_wc_TspRequest_GetSetHash(void);
int test_wc_TspRequest_GetSetNonce(void);
int test_wc_TspGenerateNonce(void);
int test_wc_TspRequest_GetSetPolicy(void);
int test_wc_TspRequest_GetSetCertReq(void);
int test_wc_TspTstInfo_GetSetSerial(void);
int test_wc_TspRequest_Encode(void);
int test_wc_TspRequest_Decode(void);
int test_wc_TspTstInfo_Init(void);
int test_wc_TspTstInfo_Getters(void);
int test_wc_TspTstInfo_Setters(void);
int test_wc_TspTstInfo_Encode(void);
int test_wc_TspTstInfo_Decode(void);
int test_wc_TspTstInfo_CheckGenTime(void);
int test_wc_TspTstInfo_GetSetGenTimeAsTime(void);
int test_wc_TspResponse_Init(void);
int test_wc_TspGetSetStatus(void);
int test_wc_TspStrings(void);
int test_wc_TspResponse_Encode(void);
int test_wc_TspResponse_Decode(void);
int test_wc_TspTstInfo_CheckRequest(void);
int test_wc_TspTstInfo_CheckTsaName(void);
int test_wc_TspTstInfo_SignWithPkcs7(void);
int test_wc_TspTstInfo_SignWithPkcs7_create(void);
int test_wc_TspTstInfo_SignWithPkcs7_signer_required(void);
int test_wc_TspTstInfo_SignWithPkcs7_hash_and_buffer(void);
int test_wc_TspTstInfo_Sign(void);
int test_wc_TspTstInfo_SignWithPkcs7_attribs(void);
int test_wc_TspTstInfo_SignWithPkcs7_attribs_verify(void);
int test_wc_TspTstInfo_SignWithPkcs7_attribs_sha384(void);
int test_wc_TspTstInfo_VerifyWithPKCS7(void);
int test_wc_TspTstInfo_VerifyWithPKCS7_modified(void);
int test_wc_TspTstInfo_VerifyWithPKCS7_no_signer(void);
int test_wc_TspTstInfo_VerifyWithPKCS7_not_tst(void);
int test_wc_TspTstInfo_VerifyWithPKCS7_bad_eku(void);
int test_wc_TspTstInfo_VerifyWithPKCS7_bad_ku(void);
int test_wc_TspTstInfo_VerifyWithPKCS7_extra_eku(void);
int test_wc_TspTstInfo_VerifyWithPKCS7_nocerts(void);
int test_wc_TspTstInfo_VerifyWithPKCS7_nocerts_supplied(void);
int test_wc_TspTstInfo_VerifyWithPKCS7_ess_no_attrib(void);
int test_wc_TspTstInfo_VerifyWithPKCS7_ess_bad_hash(void);
int test_wc_TspTstInfo_VerifyWithPKCS7_ess_bad_alg(void);
int test_wc_TspTstInfo_VerifyWithPKCS7_ess_v1(void);
int test_wc_TspTstInfo_VerifyWithPKCS7_tsa_name(void);
int test_wc_TspTstInfo_VerifyWithPKCS7_tsa_name_mismatch(void);
int test_wc_TspTstInfo_VerifyWithPKCS7_tsa_name_unsupported(void);
int test_wc_TspTstInfo_VerifyWithPKCS7_tsa_name_bad_enc(void);
int test_wc_TspTstInfo_VerifyWithPKCS7_tsa_name_dirname(void);
int test_wc_TspTstInfo_VerifyWithPKCS7_ecc(void);
int test_wc_TspResponse_Verify(void);
int test_wc_TspResponse_Verify_wrong_cert(void);
int test_wc_TspResponse_Verify_status(void);
int test_wc_TspResponse_Verify_modified(void);
int test_wc_TspResponse_Verify_nocerts(void);
int test_wc_TspResponse_VerifyData(void);
int test_wc_TspTstInfo_SetFromRequest(void);
#define TEST_TSP_DECLS \
TEST_DECL_GROUP("tsp", test_wc_TspRequest_Init), \
TEST_DECL_GROUP("tsp", test_wc_TspRequest_SetHashType), \
TEST_DECL_GROUP("tsp", test_wc_TspRequest_GetHashType), \
TEST_DECL_GROUP("tsp", test_wc_TspRequest_GetSetHash), \
TEST_DECL_GROUP("tsp", test_wc_TspRequest_GetSetNonce), \
TEST_DECL_GROUP("tsp", test_wc_TspGenerateNonce), \
TEST_DECL_GROUP("tsp", test_wc_TspRequest_GetSetPolicy), \
TEST_DECL_GROUP("tsp", test_wc_TspRequest_GetSetCertReq), \
TEST_DECL_GROUP("tsp", test_wc_TspRequest_Encode), \
TEST_DECL_GROUP("tsp", test_wc_TspRequest_Decode), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_Init), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_GetSetSerial), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_Getters), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_Setters), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_Encode), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_Decode), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_CheckGenTime), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_GetSetGenTimeAsTime), \
TEST_DECL_GROUP("tsp", test_wc_TspResponse_Init), \
TEST_DECL_GROUP("tsp", test_wc_TspGetSetStatus), \
TEST_DECL_GROUP("tsp", test_wc_TspStrings), \
TEST_DECL_GROUP("tsp", test_wc_TspResponse_Encode), \
TEST_DECL_GROUP("tsp", test_wc_TspResponse_Decode), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_CheckRequest), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_CheckTsaName), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_SignWithPkcs7), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_SignWithPkcs7_create), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_SignWithPkcs7_signer_required), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_SignWithPkcs7_hash_and_buffer), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_Sign), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_SignWithPkcs7_attribs), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_SignWithPkcs7_attribs_verify), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_SignWithPkcs7_attribs_sha384), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_VerifyWithPKCS7), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_VerifyWithPKCS7_modified), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_VerifyWithPKCS7_no_signer), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_VerifyWithPKCS7_not_tst), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_VerifyWithPKCS7_bad_eku), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_VerifyWithPKCS7_bad_ku), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_VerifyWithPKCS7_extra_eku), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_VerifyWithPKCS7_nocerts), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_VerifyWithPKCS7_nocerts_supplied), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_VerifyWithPKCS7_ess_no_attrib), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_VerifyWithPKCS7_ess_bad_hash), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_VerifyWithPKCS7_ess_bad_alg), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_VerifyWithPKCS7_ess_v1), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_VerifyWithPKCS7_tsa_name), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_VerifyWithPKCS7_tsa_name_mismatch), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_VerifyWithPKCS7_tsa_name_unsupported), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_VerifyWithPKCS7_tsa_name_bad_enc), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_VerifyWithPKCS7_tsa_name_dirname), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_VerifyWithPKCS7_ecc), \
TEST_DECL_GROUP("tsp", test_wc_TspResponse_Verify), \
TEST_DECL_GROUP("tsp", test_wc_TspResponse_Verify_wrong_cert), \
TEST_DECL_GROUP("tsp", test_wc_TspResponse_Verify_status), \
TEST_DECL_GROUP("tsp", test_wc_TspResponse_Verify_modified), \
TEST_DECL_GROUP("tsp", test_wc_TspResponse_Verify_nocerts), \
TEST_DECL_GROUP("tsp", test_wc_TspResponse_VerifyData), \
TEST_DECL_GROUP("tsp", test_wc_TspTstInfo_SetFromRequest)
#endif /* WOLFCRYPT_TEST_TSP_H */
+130 -9
View File
@@ -774,6 +774,30 @@ static word32 SizeASN_Num(word32 n, int bits, byte tag)
return len;
}
#ifdef WOLFSSL_ASN_TEMPLATE_NEED_SET_INT32
/* Calculate the size of a DER encoded BIT STRING of a 32-bit word.
*
* Named bit string: bit 0 is the most significant bit of the word and
* trailing zero bits are not encoded.
*
* @param [in] n 32-bit word to be encoded.
* @return Number of bytes of the ASN.1 item.
*/
static word32 SizeASN_BitString32(word32 n)
{
word32 len = 4;
/* Discover actual size by checking for trailing zero bytes. */
while ((len > 0) && ((n & 0xff) == 0)) {
n >>= 8;
len--;
}
/* Tag, length, unused bits byte and data. */
return 1 + 1 + 1 + len;
}
#endif
/* Calculate the size of the data in the constructed item based on the
* length of the ASN.1 items below.
*
@@ -855,9 +879,18 @@ int SizeASN_Items(const ASNItem* asn, ASNSetData *data, int count,
len = SizeASN_Num(data[i].data.u16, 16, asn[i].tag);
break;
#ifdef WOLFSSL_ASN_TEMPLATE_NEED_SET_INT32
/* Not used yet! */
case ASN_DATA_TYPE_WORD32:
len = SizeASN_Num(data[i].data.u32, 32, asn[i].tag);
/* BIT_STRING is a named bit string in a 32-bit word. */
if (asn[i].tag == ASN_BIT_STRING) {
len = SizeASN_BitString32(data[i].data.u32);
}
else {
len = SizeASN_Num(data[i].data.u32, 32, asn[i].tag);
}
break;
/* Encoded as an INTEGER even when implicitly tagged. */
case ASN_DATA_TYPE_WORD32_INT:
len = SizeASN_Num(data[i].data.u32, 32, ASN_INTEGER);
break;
#endif
@@ -1021,6 +1054,44 @@ static void SetASN_Num(word32 n, int bits, byte* out, byte tag)
out[idx++] = (byte)(n >> j);
}
#ifdef WOLFSSL_ASN_TEMPLATE_NEED_SET_INT32
/* Create the DER encoding of a BIT STRING from a 32-bit word.
*
* Named bit string: bit 0 is the most significant bit of the word and
* trailing zero bits are not encoded.
*
* Assumes that the out buffer is large enough for encoding.
*
* @param [in] n 32-bit word to be encoded.
* @param [out] out Buffer to write encoding into - after tag byte.
*/
static void SetASN_BitString32(word32 n, byte* out)
{
int j;
byte len = 4;
byte unusedBits = 0;
word32 idx = 3;
/* Discover actual size by checking for trailing zero bytes. */
while ((len > 0) && ((n & 0xff) == 0)) {
n >>= 8;
len--;
}
if (len > 0) {
/* Count trailing zero bits of last byte. */
while (((n >> unusedBits) & 0x01) == 0x00)
unusedBits++;
}
/* Length includes unused bits byte. */
out[1] = (byte)(1 + len);
out[2] = unusedBits;
/* Place in the required bytes of the word. */
for (j = 8 * (len - 1); j >= 0; j -= 8)
out[idx++] = (byte)(n >> j);
}
#endif
/* Creates the DER encoding of the ASN.1 items.
*
* Assumes the output buffer is large enough to hold encoding.
@@ -1082,9 +1153,18 @@ int SetASN_Items(const ASNItem* asn, ASNSetData *data, int count, byte* output)
SetASN_Num(data[i].data.u16, 16, out, asn[i].tag);
break;
#ifdef WOLFSSL_ASN_TEMPLATE_NEED_SET_INT32
/* Not used yet! */
case ASN_DATA_TYPE_WORD32:
SetASN_Num(data[i].data.u32, 32, out, asn[i].tag);
/* BIT_STRING is a named bit string in a 32-bit word. */
if (asn[i].tag == ASN_BIT_STRING) {
SetASN_BitString32(data[i].data.u32, out);
}
else {
SetASN_Num(data[i].data.u32, 32, out, asn[i].tag);
}
break;
/* Encoded as an INTEGER even when implicitly tagged. */
case ASN_DATA_TYPE_WORD32_INT:
SetASN_Num(data[i].data.u32, 32, out, ASN_INTEGER);
break;
#endif
@@ -1446,7 +1526,8 @@ static int GetASN_StoreData(const ASNItem* asn, ASNGetData* data,
#endif
return ASN_PARSE_E;
}
if (!zeroPadded && (input[idx] >= 0x80U)) {
if ((asn->tag != ASN_BIT_STRING) && (!zeroPadded) &&
(input[idx] >= 0x80U)) {
#ifdef WOLFSSL_DEBUG_ASN_TEMPLATE
WOLFSSL_MSG_VSNPRINTF("Unexpected negative INTEGER value");
#endif
@@ -2317,6 +2398,33 @@ void SetASN_Int16Bit(ASNSetData *dataASN, word16 num)
dataASN->data.u16 = num;
}
#ifdef WOLFSSL_ASN_TEMPLATE_NEED_SET_INT32
/* Setup an ASN data item to set a 32-bit number.
*
* @param [in] dataASN Dynamic ASN data item.
* @param [in] num 32-bit number to set.
*/
void SetASN_Int32Bit(ASNSetData *dataASN, word32 num)
{
dataASN->dataType = ASN_DATA_TYPE_WORD32;
dataASN->data.u32 = num;
}
/* Setup an ASN data item to set a 32-bit number encoded as an INTEGER.
*
* For implicitly tagged INTEGERs - a zero byte is prepended to keep the
* number positive, as is done for INTEGER tagged items.
*
* @param [in] dataASN Dynamic ASN data item.
* @param [in] num 32-bit number to set.
*/
void SetASN_Int32BitInt(ASNSetData *dataASN, word32 num)
{
dataASN->dataType = ASN_DATA_TYPE_WORD32_INT;
dataASN->data.u32 = num;
}
#endif
/* Setup an ASN data item to set the data in a buffer.
*
* @param [in] dataASN Dynamic ASN data item.
@@ -15239,7 +15347,8 @@ int ValidateGmtime(struct tm* inTime)
#if !defined(NO_ASN_TIME) && !defined(USER_TIME) && \
!defined(TIME_OVERRIDES) && (defined(OPENSSL_EXTRA) || \
defined(HAVE_PKCS7) || defined(HAVE_OCSP_RESPONDER))
defined(HAVE_PKCS7) || defined(HAVE_OCSP_RESPONDER) || \
defined(WOLFSSL_TSP))
/* Set current time string, either UTC or GeneralizedTime.
* (void*) currTime should be a pointer to time_t, output is placed in buf.
*
@@ -20208,7 +20317,7 @@ enum {
int DecodeExtKeyUsage(const byte* input, word32 sz,
const byte **extExtKeyUsageSrc, word32 *extExtKeyUsageSz,
word32 *extExtKeyUsageCount, byte *extExtKeyUsage,
byte *extExtKeyUsageSsh)
byte *extExtKeyUsageSsh, word32 *extExtKeyUsageOidCnt)
{
word32 idx = 0;
int length;
@@ -20227,6 +20336,8 @@ int DecodeExtKeyUsage(const byte* input, word32 sz,
*extExtKeyUsageCount = 0;
#endif
*extExtKeyUsage = 0;
if (extExtKeyUsageOidCnt != NULL)
*extExtKeyUsageOidCnt = 0;
#ifdef WOLFSSL_WOLFSSH
*extExtKeyUsageSsh = 0;
#endif
@@ -20290,6 +20401,11 @@ int DecodeExtKeyUsage(const byte* input, word32 sz,
(*extExtKeyUsageCount)++;
#endif
}
/* Count every KeyPurposeId consumed - recognized or not. */
if ((ret == 0) && (extExtKeyUsageOidCnt != NULL)) {
(*extExtKeyUsageOidCnt)++;
}
}
return ret;
@@ -20323,10 +20439,11 @@ static int DecodeExtKeyUsageInternal(const byte* input, word32 sz,
#endif
&cert->extExtKeyUsage,
#ifdef WOLFSSL_WOLFSSH
&cert->extExtKeyUsageSsh
&cert->extExtKeyUsageSsh,
#else
NULL
NULL,
#endif
&cert->extExtKeyUsageOidCnt
);
if (ret != 0)
@@ -39899,3 +40016,7 @@ const byte* AsnHashesGetHash(const AsnHashes* hashes, int hashAlg, int* size)
#endif /* WOLFSSL_SEP */
#undef ERROR_OUT
/* Time-Stamp Protocol (TSP) encoding and decoding. RFC 3161. */
#define WOLFSSL_ASN_TSP_INCLUDED
#include "wolfcrypt/src/asn_tsp.c"
+15 -2
View File
@@ -3902,7 +3902,7 @@ int DecodeKeyUsage(const byte* input, word32 sz, word16 *extKeyUsage)
int DecodeExtKeyUsage(const byte* input, word32 sz,
const byte **extExtKeyUsageSrc, word32 *extExtKeyUsageSz,
word32 *extExtKeyUsageCount, byte *extExtKeyUsage,
byte *extExtKeyUsageSsh)
byte *extExtKeyUsageSsh, word32 *extExtKeyUsageOidCnt)
{
word32 idx = 0, oid;
int length, ret;
@@ -3920,6 +3920,8 @@ int DecodeExtKeyUsage(const byte* input, word32 sz,
*extExtKeyUsageCount = 0;
#endif
*extExtKeyUsage = 0;
if (extExtKeyUsageOidCnt != NULL)
*extExtKeyUsageOidCnt = 0;
#ifdef WOLFSSL_WOLFSSH
*extExtKeyUsageSsh = 0;
#endif
@@ -3936,8 +3938,14 @@ int DecodeExtKeyUsage(const byte* input, word32 sz,
while (idx < (word32)sz) {
ret = GetObjectId(input, &idx, &oid, oidCertKeyUseType, sz);
if (ret == WC_NO_ERR_TRACE(ASN_UNKNOWN_OID_E))
if (ret == WC_NO_ERR_TRACE(ASN_UNKNOWN_OID_E)) {
/* Unknown KeyPurposeId is still consumed - count it so the count
* matches the template parser (and every consumed OID). */
if (extExtKeyUsageOidCnt != NULL) {
(*extExtKeyUsageOidCnt)++;
}
continue;
}
else if (ret < 0)
return ret;
@@ -3981,6 +3989,11 @@ int DecodeExtKeyUsage(const byte* input, word32 sz,
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
(*extExtKeyUsageCount)++;
#endif
/* Count every KeyPurposeId consumed - recognized or not. */
if (extExtKeyUsageOidCnt != NULL) {
(*extExtKeyUsageOidCnt)++;
}
}
return 0;
File diff suppressed because it is too large Load Diff
+3
View File
@@ -692,6 +692,9 @@ const char* wc_GetErrorString(int error)
case SLH_DSA_KAT_FIPS_E:
return "SLH-DSA Known Answer Test check FIPS error";
case TSP_VERIFY_E:
return "TSP token invalid or response doesn't match request error";
case SEQ_OVERFLOW_E:
return "Sequence counter would overflow";
+1
View File
@@ -12,6 +12,7 @@ MAINTAINERCLEANFILES+= $(ASYNC_FILES)
EXTRA_DIST += wolfcrypt/src/misc.c
EXTRA_DIST += wolfcrypt/src/asn_orig.c
EXTRA_DIST += wolfcrypt/src/asn_tsp.c
EXTRA_DIST += wolfcrypt/src/evp.c
EXTRA_DIST += wolfcrypt/src/evp_pk.c
EXTRA_DIST += wolfcrypt/src/asm.c
+12
View File
@@ -599,6 +599,11 @@ static int wc_SetContentType(int pkcs7TypeOID, byte* output, word32 outputSz)
/* FirmwarePkgData (1.2.840.113549.1.9.16.1.16), RFC 4108 */
static const byte firmwarePkgData[] =
{ 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x10, 0x01, 0x10 };
#ifdef WOLFSSL_TSP
/* id-ct-TSTInfo (1.2.840.113549.1.9.16.1.4), RFC 3161 */
static const byte tstInfoData[] =
{ 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x10, 0x01, 0x04 };
#endif
#if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA)
/* id-ct-compressedData (1.2.840.113549.1.9.16.1.9), RFC 3274 */
static const byte compressedData[] =
@@ -670,6 +675,13 @@ static int wc_SetContentType(int pkcs7TypeOID, byte* output, word32 outputSz)
typeName = firmwarePkgData;
break;
#ifdef WOLFSSL_TSP
case TSTINFO_DATA:
typeSz = sizeof(tstInfoData);
typeName = tstInfoData;
break;
#endif
#if !defined(NO_PWDBASED) && !defined(NO_SHA)
case PWRI_KEK_WRAP:
typeSz = sizeof(pwriKek);
+2387
View File
File diff suppressed because it is too large Load Diff
+564
View File
@@ -434,6 +434,9 @@ static const byte const_byte_array[] = "A+Gd\0\0\0";
#ifdef HAVE_PKCS7
#include <wolfssl/wolfcrypt/pkcs7.h>
#endif
#ifdef WOLFSSL_TSP
#include <wolfssl/wolfcrypt/tsp.h>
#endif
#ifdef HAVE_PKCS12
#include <wolfssl/wolfcrypt/pkcs12.h>
#endif
@@ -1022,6 +1025,10 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t scrypt_test(void);
word32 keySz);
#endif
#endif
#if defined(WOLFSSL_TSP) && defined(WOLFSSL_TSP_REQUESTER) && \
defined(WOLFSSL_TSP_RESPONDER)
WOLFSSL_TEST_SUBROUTINE wc_test_ret_t tsp_test(void);
#endif
#if !defined(NO_ASN_TIME) && !defined(NO_RSA) && defined(WOLFSSL_TEST_CERT) && \
!defined(NO_FILESYSTEM)
WOLFSSL_TEST_SUBROUTINE wc_test_ret_t cert_test(void);
@@ -3255,6 +3262,14 @@ options: [-s max_relative_stack_bytes] [-m max_relative_heap_memory_bytes]\n\
#endif
#endif
#if defined(WOLFSSL_TSP) && defined(WOLFSSL_TSP_REQUESTER) && \
defined(WOLFSSL_TSP_RESPONDER)
if ( (ret = tsp_test()) != 0)
TEST_FAIL("TSP test failed!\n", ret);
else
TEST_PASS("TSP test passed!\n");
#endif
#if defined(WOLFSSL_PUBLIC_MP) && \
((defined(WOLFSSL_SP_MATH_ALL) && !defined(WOLFSSL_RSA_VERIFY_ONLY)) || \
defined(USE_FAST_MATH))
@@ -67757,6 +67772,555 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t pkcs7signed_test(void)
#endif /* HAVE_PKCS7 */
#if defined(WOLFSSL_TSP) && defined(WOLFSSL_TSP_REQUESTER) && \
defined(WOLFSSL_TSP_RESPONDER)
#ifndef NO_SHA256
#define TSP_TEST_HASH_OID SHA256h
#define TSP_TEST_HASH_SZ 32
#elif !defined(NO_SHA)
#define TSP_TEST_HASH_OID SHAh
#define TSP_TEST_HASH_SZ 20
#endif
#ifdef TSP_TEST_HASH_OID
/* 1.3.6.1.4.1.999.1 - test TSA policy. */
static const byte tspTestPolicy[] = {
0x2b, 0x06, 0x01, 0x04, 0x01, 0x87, 0x67, 0x01
};
/* Nonce with top bit set to check INTEGER encoding. */
static const byte tspTestNonce[] = {
0xc3, 0x5a, 0x10, 0x42, 0x77, 0x08, 0x99, 0x01
};
/* Serial number with top bit set to check INTEGER encoding. */
static const byte tspTestSerial[] = { 0x9a, 0x33 };
/* Time of test time-stamp. */
static const byte tspTestGenTime[] = "20260604120000Z";
/* Test encoding and decoding of TimeStampReq. */
static wc_test_ret_t tsp_req_test(byte* hashedMsg)
{
wc_test_ret_t ret = 0;
int r;
TspRequest req;
TspRequest reqDec;
byte enc[256];
word32 encSz = 0;
word32 sz;
r = wc_TspRequest_Init(&req);
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
req.imprint.hashAlgOID = TSP_TEST_HASH_OID;
XMEMCPY(req.imprint.hash, hashedMsg, TSP_TEST_HASH_SZ);
req.imprint.hashSz = TSP_TEST_HASH_SZ;
XMEMCPY(req.policy, tspTestPolicy, sizeof(tspTestPolicy));
req.policySz = sizeof(tspTestPolicy);
XMEMCPY(req.nonce, tspTestNonce, sizeof(tspTestNonce));
req.nonceSz = sizeof(tspTestNonce);
req.certReq = 1;
/* Get length of encoding. */
r = wc_TspRequest_Encode(&req, NULL, &encSz);
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
if ((encSz == 0) || (encSz > sizeof(enc)))
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
/* Check too small a buffer is rejected. */
sz = encSz - 1;
r = wc_TspRequest_Encode(&req, enc, &sz);
if (r != WC_NO_ERR_TRACE(BUFFER_E))
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
sz = sizeof(enc);
r = wc_TspRequest_Encode(&req, enc, &sz);
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
if (sz != encSz)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
r = wc_TspRequest_Decode(&reqDec, enc, sz);
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
if (reqDec.version != WC_TSP_VERSION)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
if (reqDec.imprint.hashAlgOID != TSP_TEST_HASH_OID)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
if ((reqDec.imprint.hashSz != TSP_TEST_HASH_SZ) ||
(XMEMCMP(reqDec.imprint.hash, hashedMsg,
TSP_TEST_HASH_SZ) != 0))
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
if ((reqDec.policySz != sizeof(tspTestPolicy)) ||
(XMEMCMP(reqDec.policy, tspTestPolicy,
sizeof(tspTestPolicy)) != 0))
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
if ((reqDec.nonceSz != sizeof(tspTestNonce)) ||
(XMEMCMP(reqDec.nonce, tspTestNonce, sizeof(tspTestNonce)) != 0))
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
if (reqDec.certReq != 1)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
out:
return ret;
}
/* Test encoding and decoding of TSTInfo and checking against request. */
static wc_test_ret_t tsp_tstinfo_test(byte* hashedMsg)
{
wc_test_ret_t ret = 0;
int r;
TspTstInfo tst;
TspTstInfo tstDec;
TspRequest req;
byte enc[256];
word32 sz;
r = wc_TspTstInfo_Init(&tst);
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
tst.policy = tspTestPolicy;
tst.policySz = sizeof(tspTestPolicy);
tst.imprint.hashAlgOID = TSP_TEST_HASH_OID;
XMEMCPY(tst.imprint.hash, hashedMsg, TSP_TEST_HASH_SZ);
tst.imprint.hashSz = TSP_TEST_HASH_SZ;
tst.serial = tspTestSerial;
tst.serialSz = sizeof(tspTestSerial);
tst.genTime = tspTestGenTime;
tst.genTimeSz = sizeof(tspTestGenTime) - 1;
/* millis 2 bytes encoded and micros has top bit set - zero byte added. */
tst.accuracy.seconds = 1;
tst.accuracy.millis = 500;
tst.accuracy.micros = 130;
tst.ordering = 1;
tst.nonce = tspTestNonce;
tst.nonceSz = sizeof(tspTestNonce);
sz = sizeof(enc);
r = wc_TspTstInfo_Encode(&tst, enc, &sz);
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
r = wc_TspTstInfo_Decode(&tstDec, enc, sz);
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
if (tstDec.version != WC_TSP_VERSION)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
if ((tstDec.policySz != sizeof(tspTestPolicy)) ||
(XMEMCMP(tstDec.policy, tspTestPolicy,
sizeof(tspTestPolicy)) != 0))
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
if (tstDec.imprint.hashAlgOID != TSP_TEST_HASH_OID)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
if ((tstDec.imprint.hashSz != TSP_TEST_HASH_SZ) ||
(XMEMCMP(tstDec.imprint.hash, hashedMsg,
TSP_TEST_HASH_SZ) != 0))
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
if ((tstDec.serialSz != sizeof(tspTestSerial)) ||
(XMEMCMP(tstDec.serial, tspTestSerial,
sizeof(tspTestSerial)) != 0))
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
if ((tstDec.genTimeSz != sizeof(tspTestGenTime) - 1) ||
(XMEMCMP(tstDec.genTime, tspTestGenTime,
sizeof(tspTestGenTime) - 1) != 0))
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
if ((tstDec.accuracy.seconds != 1) || (tstDec.accuracy.millis != 500) ||
(tstDec.accuracy.micros != 130))
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
if (tstDec.ordering != 1)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
if ((tstDec.nonceSz != sizeof(tspTestNonce)) ||
(XMEMCMP(tstDec.nonce, tspTestNonce, sizeof(tspTestNonce)) != 0))
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
if (tstDec.tsa != NULL)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
/* Check TSTInfo against a matching request. */
r = wc_TspRequest_Init(&req);
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
req.imprint.hashAlgOID = TSP_TEST_HASH_OID;
XMEMCPY(req.imprint.hash, hashedMsg, TSP_TEST_HASH_SZ);
req.imprint.hashSz = TSP_TEST_HASH_SZ;
XMEMCPY(req.policy, tspTestPolicy, sizeof(tspTestPolicy));
req.policySz = sizeof(tspTestPolicy);
XMEMCPY(req.nonce, tspTestNonce, sizeof(tspTestNonce));
req.nonceSz = sizeof(tspTestNonce);
r = wc_TspTstInfo_CheckRequest(&tstDec, &req);
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
/* Check nonce mismatch is detected. */
XMEMCPY(req.nonce, tspTestSerial, sizeof(tspTestSerial));
req.nonceSz = sizeof(tspTestSerial);
r = wc_TspTstInfo_CheckRequest(&tstDec, &req);
if (r != WC_NO_ERR_TRACE(TSP_VERIFY_E))
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
XMEMCPY(req.nonce, tspTestNonce, sizeof(tspTestNonce));
req.nonceSz = sizeof(tspTestNonce);
/* Check hash mismatch is detected. */
req.imprint.hash[0] ^= 0x80;
r = wc_TspTstInfo_CheckRequest(&tstDec, &req);
req.imprint.hash[0] ^= 0x80;
if (r != WC_NO_ERR_TRACE(TSP_VERIFY_E))
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
out:
return ret;
}
/* Test encoding and decoding of TimeStampResp. */
static wc_test_ret_t tsp_resp_test(void)
{
wc_test_ret_t ret = 0;
int r;
TspResponse resp;
TspResponse respDec;
static const char statusText[] = "hash algorithm not supported";
byte enc[256];
word32 sz;
/* Rejection response with status string and failure information. */
r = wc_TspResponse_Init(&resp);
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
resp.status = WC_TSP_PKISTATUS_REJECTION;
resp.statusString = (const byte*)statusText;
resp.statusStringSz = (word32)XSTRLEN(statusText);
resp.failInfo = WC_TSP_FAIL_BAD_ALG | WC_TSP_FAIL_BAD_REQUEST;
sz = sizeof(enc);
r = wc_TspResponse_Encode(&resp, enc, &sz);
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
r = wc_TspResponse_Decode(&respDec, enc, sz);
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
if (respDec.status != WC_TSP_PKISTATUS_REJECTION)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
if ((respDec.statusStringSz != (word32)XSTRLEN(statusText)) ||
(XMEMCMP(respDec.statusString, statusText,
respDec.statusStringSz) != 0))
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
if (respDec.failInfo != (WC_TSP_FAIL_BAD_ALG | WC_TSP_FAIL_BAD_REQUEST))
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
if (respDec.token != NULL)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
out:
return ret;
}
#if defined(HAVE_PKCS7) && !defined(NO_RSA) && !defined(NO_SHA256) && \
!defined(WC_NO_RNG)
/* Test creating and verifying a TimeStampResp with a TimeStampToken. */
static wc_test_ret_t tsp_token_test(void)
{
wc_test_ret_t ret = 0;
int r;
wc_PKCS7* pkcs7 = NULL;
WC_RNG rng;
int rngInit = 0;
byte* tsaCert = NULL;
byte* tsaKey = NULL;
word32 tsaCertSz = FOURK_BUF;
word32 tsaKeySz = FOURK_BUF;
byte* token = NULL;
word32 tokenSz = FOURK_BUF;
byte* respEnc = NULL;
word32 respEncSz = FOURK_BUF;
TspRequest req;
TspTstInfo tst;
TspTstInfo tstDec;
TspResponse resp;
TspResponse respDec;
static const char msg[] = "wolfSSL time-stamped message";
byte digest[WC_SHA256_DIGEST_SIZE];
tsaCert = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
tsaKey = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
token = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
respEnc = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
if ((tsaCert == NULL) || (tsaKey == NULL) || (token == NULL) ||
(respEnc == NULL))
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
/* Load the TSA's certificate and key. */
#ifdef USE_CERT_BUFFERS_2048
XMEMCPY(tsaCert, tsa_cert_der_2048, sizeof_tsa_cert_der_2048);
tsaCertSz = (word32)sizeof_tsa_cert_der_2048;
XMEMCPY(tsaKey, tsa_key_der_2048, sizeof_tsa_key_der_2048);
tsaKeySz = (word32)sizeof_tsa_key_der_2048;
#elif !defined(NO_FILESYSTEM)
{
XFILE file;
file = XFOPEN(CERT_ROOT "tsa-cert.der", "rb");
if (file == XBADFILE)
ERROR_OUT(WC_TEST_RET_ENC_ERRNO, out);
tsaCertSz = (word32)XFREAD(tsaCert, 1, FOURK_BUF, file);
XFCLOSE(file);
file = XFOPEN(CERT_ROOT "tsa-key.der", "rb");
if (file == XBADFILE)
ERROR_OUT(WC_TEST_RET_ENC_ERRNO, out);
tsaKeySz = (word32)XFREAD(tsaKey, 1, FOURK_BUF, file);
XFCLOSE(file);
}
#else
/* No TSA certificate available - skip test. */
goto out;
#endif
#ifndef HAVE_FIPS
r = wc_InitRng_ex(&rng, HEAP_HINT, devId);
#else
r = wc_InitRng(&rng);
#endif
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
rngInit = 1;
/* Requester creates a request for a time-stamp of a message hash. */
r = wc_Sha256Hash((const byte*)msg, (word32)XSTRLEN(msg), digest);
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
r = wc_TspRequest_Init(&req);
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
req.imprint.hashAlgOID = SHA256h;
XMEMCPY(req.imprint.hash, digest, sizeof(digest));
req.imprint.hashSz = (word32)sizeof(digest);
XMEMCPY(req.nonce, tspTestNonce, sizeof(tspTestNonce));
req.nonceSz = sizeof(tspTestNonce);
req.certReq = 1;
/* TSA creates the TSTInfo for the request. */
r = wc_TspTstInfo_Init(&tst);
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
tst.policy = tspTestPolicy;
tst.policySz = sizeof(tspTestPolicy);
tst.imprint = req.imprint;
tst.serial = tspTestSerial;
tst.serialSz = sizeof(tspTestSerial);
tst.accuracy.seconds = 1;
tst.nonce = req.nonce;
tst.nonceSz = req.nonceSz;
#if defined(NO_ASN_TIME) || defined(USER_TIME) || defined(TIME_OVERRIDES)
/* No current time available - set the time of the time-stamp. */
tst.genTime = tspTestGenTime;
tst.genTimeSz = sizeof(tspTestGenTime) - 1;
#endif
/* TSA signs the TSTInfo to make a TimeStampToken. */
pkcs7 = wc_PKCS7_New(HEAP_HINT, devId);
if (pkcs7 == NULL)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
r = wc_PKCS7_InitWithCert(pkcs7, tsaCert, tsaCertSz);
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
pkcs7->rng = &rng;
pkcs7->hashOID = SHA256h;
pkcs7->encryptOID = RSAk;
pkcs7->privateKey = tsaKey;
pkcs7->privateKeySz = tsaKeySz;
r = wc_TspTstInfo_SignWithPkcs7(&tst, pkcs7, token, &tokenSz);
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
wc_PKCS7_Free(pkcs7);
pkcs7 = NULL;
/* TSA puts the token in a granted response. */
r = wc_TspResponse_Init(&resp);
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
resp.status = WC_TSP_PKISTATUS_GRANTED;
resp.token = token;
resp.tokenSz = tokenSz;
r = wc_TspResponse_Encode(&resp, respEnc, &respEncSz);
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
/* Requester decodes the response. */
r = wc_TspResponse_Decode(&respDec, respEnc, respEncSz);
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
if (respDec.status != WC_TSP_PKISTATUS_GRANTED)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
if ((respDec.token == NULL) || (respDec.tokenSz != tokenSz) ||
(XMEMCMP(respDec.token, token, tokenSz) != 0))
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
/* Requester verifies the token and checks it against the request. */
pkcs7 = wc_PKCS7_New(HEAP_HINT, devId);
if (pkcs7 == NULL)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
r = wc_PKCS7_InitWithCert(pkcs7, NULL, 0);
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
r = wc_TspTstInfo_VerifyWithPKCS7(pkcs7, (byte*)respDec.token, respDec.tokenSz,
&tstDec);
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
r = wc_TspTstInfo_CheckRequest(&tstDec, &req);
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
if (tstDec.genTimeSz < 15)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
/* Check a token for a different message hash is detected. */
req.imprint.hash[0] ^= 0x80;
r = wc_TspTstInfo_CheckRequest(&tstDec, &req);
if (r != WC_NO_ERR_TRACE(TSP_VERIFY_E))
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
out:
if (pkcs7 != NULL)
wc_PKCS7_Free(pkcs7);
if (rngInit)
wc_FreeRng(&rng);
XFREE(respEnc, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(token, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(tsaKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(tsaCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
return ret;
}
#endif /* HAVE_PKCS7 && !NO_RSA && !NO_SHA256 && !WC_NO_RNG */
#if defined(HAVE_PKCS7) && defined(HAVE_ECC) && \
defined(USE_CERT_BUFFERS_256) && !defined(NO_SHA256) && \
!defined(WC_NO_RNG)
/* Test creating and verifying a time-stamp token signed with ECDSA. */
static wc_test_ret_t tsp_ecc_token_test(void)
{
wc_test_ret_t ret = 0;
int r;
wc_PKCS7* pkcs7 = NULL;
WC_RNG rng;
int rngInit = 0;
TspTstInfo tst;
TspTstInfo tstDec;
byte* token = NULL;
word32 tokenSz = FOURK_BUF;
byte hashedMsg[TSP_TEST_HASH_SZ];
word32 i;
for (i = 0; i < (word32)sizeof(hashedMsg); i++)
hashedMsg[i] = (byte)(0x80 + i);
token = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
if (token == NULL)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
#ifndef HAVE_FIPS
r = wc_InitRng_ex(&rng, HEAP_HINT, devId);
#else
r = wc_InitRng(&rng);
#endif
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
rngInit = 1;
/* TSTInfo to be signed by the ECC TSA. */
r = wc_TspTstInfo_Init(&tst);
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
tst.policy = tspTestPolicy;
tst.policySz = sizeof(tspTestPolicy);
tst.imprint.hashAlgOID = TSP_TEST_HASH_OID;
XMEMCPY(tst.imprint.hash, hashedMsg, TSP_TEST_HASH_SZ);
tst.imprint.hashSz = TSP_TEST_HASH_SZ;
tst.serial = tspTestSerial;
tst.serialSz = sizeof(tspTestSerial);
#if defined(NO_ASN_TIME) || defined(USER_TIME) || defined(TIME_OVERRIDES)
/* No current time available - set the time of the time-stamp. */
tst.genTime = tspTestGenTime;
tst.genTimeSz = sizeof(tspTestGenTime) - 1;
#endif
/* TSA signs the TSTInfo with its ECC key. */
pkcs7 = wc_PKCS7_New(HEAP_HINT, devId);
if (pkcs7 == NULL)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
r = wc_PKCS7_InitWithCert(pkcs7, (byte*)tsa_ecc_cert_der_256,
sizeof_tsa_ecc_cert_der_256);
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
pkcs7->rng = &rng;
pkcs7->hashOID = SHA256h;
pkcs7->encryptOID = ECDSAk;
pkcs7->privateKey = (byte*)tsa_ecc_key_der_256;
pkcs7->privateKeySz = sizeof_tsa_ecc_key_der_256;
r = wc_TspTstInfo_SignWithPkcs7(&tst, pkcs7, token, &tokenSz);
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
wc_PKCS7_Free(pkcs7);
pkcs7 = NULL;
/* Requester verifies the token. */
pkcs7 = wc_PKCS7_New(HEAP_HINT, devId);
if (pkcs7 == NULL)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
r = wc_PKCS7_InitWithCert(pkcs7, NULL, 0);
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
r = wc_TspTstInfo_VerifyWithPKCS7(pkcs7, token, tokenSz, &tstDec);
if (r != 0)
ERROR_OUT(WC_TEST_RET_ENC_EC(r), out);
if (tstDec.version != WC_TSP_VERSION)
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
if ((tstDec.imprint.hashSz != TSP_TEST_HASH_SZ) ||
(XMEMCMP(tstDec.imprint.hash, hashedMsg, TSP_TEST_HASH_SZ) != 0))
ERROR_OUT(WC_TEST_RET_ENC_NC, out);
out:
if (pkcs7 != NULL)
wc_PKCS7_Free(pkcs7);
if (rngInit)
wc_FreeRng(&rng);
XFREE(token, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
return ret;
}
#endif /* HAVE_PKCS7 && HAVE_ECC && USE_CERT_BUFFERS_256 && !NO_SHA256 &&
* !WC_NO_RNG */
#endif /* TSP_TEST_HASH_OID */
WOLFSSL_TEST_SUBROUTINE wc_test_ret_t tsp_test(void)
{
wc_test_ret_t ret = 0;
#ifdef TSP_TEST_HASH_OID
byte hashedMsg[TSP_TEST_HASH_SZ];
word32 i;
WOLFSSL_ENTER("tsp_test");
for (i = 0; i < (word32)sizeof(hashedMsg); i++)
hashedMsg[i] = (byte)(0x80 + i);
ret = tsp_req_test(hashedMsg);
if (ret == 0)
ret = tsp_tstinfo_test(hashedMsg);
if (ret == 0)
ret = tsp_resp_test();
#if defined(HAVE_PKCS7) && !defined(NO_RSA) && !defined(NO_SHA256) && \
!defined(WC_NO_RNG)
if (ret == 0)
ret = tsp_token_test();
#endif
#if defined(HAVE_PKCS7) && defined(HAVE_ECC) && \
defined(USE_CERT_BUFFERS_256) && !defined(NO_SHA256) && \
!defined(WC_NO_RNG)
if (ret == 0)
ret = tsp_ecc_token_test();
#endif
#endif /* TSP_TEST_HASH_OID */
return ret;
}
#endif /* WOLFSSL_TSP */
#if defined(WOLFSSL_PUBLIC_MP) && \
((defined(WOLFSSL_SP_MATH_ALL) && !defined(WOLFSSL_RSA_VERIFY_ONLY)) || \
defined(USE_FAST_MATH))
+1
View File
@@ -465,6 +465,7 @@
<ClCompile Include="wolfcrypt\src\sp_x86_64.c" />
<ClCompile Include="wolfcrypt\src\srp.c" />
<ClCompile Include="wolfcrypt\src\tfm.c" />
<ClCompile Include="wolfcrypt\src\tsp.c" />
<ClCompile Include="wolfcrypt\src\wc_encrypt.c" />
<ClCompile Include="wolfcrypt\src\wc_pkcs11.c" />
<ClCompile Include="wolfcrypt\src\wc_port.c" />
+4
View File
@@ -399,6 +399,10 @@
RelativePath=".\wolfcrypt\src\tfm.c"
>
</File>
<File
RelativePath=".\wolfcrypt\src\tsp.c"
>
</File>
<File
RelativePath=".\wolfcrypt\src\wc_encrypt.c"
>
+1
View File
@@ -465,6 +465,7 @@
<ClCompile Include="wolfcrypt\src\sp_x86_64.c" />
<ClCompile Include="wolfcrypt\src\srp.c" />
<ClCompile Include="wolfcrypt\src\tfm.c" />
<ClCompile Include="wolfcrypt\src\tsp.c" />
<ClCompile Include="wolfcrypt\src\wc_encrypt.c" />
<ClCompile Include="wolfcrypt\src\wc_pkcs11.c" />
<ClCompile Include="wolfcrypt\src\wc_port.c" />
+1016
View File
File diff suppressed because it is too large Load Diff
+1
View File
@@ -54,6 +54,7 @@ nobase_include_HEADERS+= \
wolfssl/openssl/ssl.h \
wolfssl/openssl/stack.h \
wolfssl/openssl/tls1.h \
wolfssl/openssl/ts.h \
wolfssl/openssl/txt_db.h \
wolfssl/openssl/ui.h \
wolfssl/openssl/x509.h \
+1
View File
@@ -974,6 +974,7 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
#define ASN1_BIT_STRING_free wolfSSL_ASN1_BIT_STRING_free
#define ASN1_BIT_STRING_get_bit wolfSSL_ASN1_BIT_STRING_get_bit
#define ASN1_BIT_STRING_set_bit wolfSSL_ASN1_BIT_STRING_set_bit
#define ASN1_BIT_STRING_set1 wolfSSL_ASN1_BIT_STRING_set1
#define i2d_ASN1_BIT_STRING wolfSSL_i2d_ASN1_BIT_STRING
#define d2i_ASN1_BIT_STRING wolfSSL_d2i_ASN1_BIT_STRING
+359
View File
@@ -0,0 +1,359 @@
/* ts.h
*
* Copyright (C) 2006-2026 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/* ts.h - Time-Stamp Protocol (RFC 3161) compatibility layer.
*
* Requester side only: create and encode requests, decode responses and
* verify time-stamp tokens. There is no TS_RESP_CTX - wolfSSL's wc_Tsp API
* is used to implement a TSA.
*/
#ifndef WOLFSSL_OPENSSL_TS_H_
#define WOLFSSL_OPENSSL_TS_H_
#include <wolfssl/openssl/ssl.h>
#include <wolfssl/openssl/pkcs7.h>
#include <wolfssl/wolfcrypt/pkcs7.h>
#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TSP) && defined(HAVE_PKCS7) && \
defined(WOLFSSL_TSP_VERIFIER)
#ifdef __cplusplus
extern "C" {
#endif
typedef struct WOLFSSL_TS_MSG_IMPRINT WOLFSSL_TS_MSG_IMPRINT;
typedef struct WOLFSSL_TS_REQ WOLFSSL_TS_REQ;
typedef struct WOLFSSL_TS_ACCURACY WOLFSSL_TS_ACCURACY;
typedef struct WOLFSSL_TS_STATUS_INFO WOLFSSL_TS_STATUS_INFO;
typedef struct WOLFSSL_TS_TST_INFO WOLFSSL_TS_TST_INFO;
typedef struct WOLFSSL_TS_RESP WOLFSSL_TS_RESP;
typedef struct WOLFSSL_TS_VERIFY_CTX WOLFSSL_TS_VERIFY_CTX;
/* PKIStatus values. RFC 3161, 2.4.2. */
#define WOLFSSL_TS_STATUS_GRANTED 0
#define WOLFSSL_TS_STATUS_GRANTED_WITH_MODS 1
#define WOLFSSL_TS_STATUS_REJECTION 2
#define WOLFSSL_TS_STATUS_WAITING 3
#define WOLFSSL_TS_STATUS_REVOCATION_WARNING 4
#define WOLFSSL_TS_STATUS_REVOCATION_NOTIFICATION 5
/* Verification flags. */
#define WOLFSSL_TS_VFY_SIGNATURE (1u << 0)
#define WOLFSSL_TS_VFY_VERSION (1u << 1)
#define WOLFSSL_TS_VFY_POLICY (1u << 2)
#define WOLFSSL_TS_VFY_IMPRINT (1u << 3)
#define WOLFSSL_TS_VFY_DATA (1u << 4)
#define WOLFSSL_TS_VFY_NONCE (1u << 5)
#define WOLFSSL_TS_VFY_SIGNER (1u << 6)
#define WOLFSSL_TS_VFY_TSA_NAME (1u << 7) /* needs name - not supported */
#define WOLFSSL_TS_VFY_ALL_IMPRINT (WOLFSSL_TS_VFY_SIGNATURE | \
WOLFSSL_TS_VFY_VERSION | \
WOLFSSL_TS_VFY_POLICY | \
WOLFSSL_TS_VFY_IMPRINT | \
WOLFSSL_TS_VFY_NONCE | \
WOLFSSL_TS_VFY_SIGNER | \
WOLFSSL_TS_VFY_TSA_NAME)
/* TS_RESP_CTX flags - OpenSSL values. */
#define WOLFSSL_TS_TSA_NAME 0x01
#define WOLFSSL_TS_ORDERING 0x02
#define WOLFSSL_TS_ESS_CERT_ID_CHAIN 0x04
/* Responder context for creating time-stamp responses. */
typedef struct WOLFSSL_TS_RESP_CTX WOLFSSL_TS_RESP_CTX;
/* Callback returning a new serial number as an ASN1_INTEGER - the response
* creation takes ownership of the returned object. */
typedef WOLFSSL_ASN1_INTEGER* (*WOLFSSL_TS_serial_cb)(WOLFSSL_TS_RESP_CTX*,
void*);
/* Callback filling the time in seconds since the epoch (and optionally
* microseconds). Returns 1 on success. */
typedef int (*WOLFSSL_TS_time_cb)(WOLFSSL_TS_RESP_CTX*, void*, long* sec,
long* usec);
/* TS_MSG_IMPRINT */
WOLFSSL_API WOLFSSL_TS_MSG_IMPRINT* wolfSSL_TS_MSG_IMPRINT_new(void);
WOLFSSL_API void wolfSSL_TS_MSG_IMPRINT_free(WOLFSSL_TS_MSG_IMPRINT* a);
WOLFSSL_API int wolfSSL_TS_MSG_IMPRINT_set_algo(WOLFSSL_TS_MSG_IMPRINT* a,
WOLFSSL_X509_ALGOR* alg);
WOLFSSL_API WOLFSSL_X509_ALGOR* wolfSSL_TS_MSG_IMPRINT_get_algo(
WOLFSSL_TS_MSG_IMPRINT* a);
WOLFSSL_API int wolfSSL_TS_MSG_IMPRINT_set_msg(WOLFSSL_TS_MSG_IMPRINT* a,
unsigned char* d, int len);
WOLFSSL_API WOLFSSL_ASN1_STRING* wolfSSL_TS_MSG_IMPRINT_get_msg(
WOLFSSL_TS_MSG_IMPRINT* a);
/* TS_REQ */
#ifdef WOLFSSL_TSP_REQUESTER
WOLFSSL_API WOLFSSL_TS_REQ* wolfSSL_TS_REQ_new(void);
WOLFSSL_API void wolfSSL_TS_REQ_free(WOLFSSL_TS_REQ* a);
WOLFSSL_API int wolfSSL_TS_REQ_set_version(WOLFSSL_TS_REQ* a, long version);
WOLFSSL_API long wolfSSL_TS_REQ_get_version(const WOLFSSL_TS_REQ* a);
WOLFSSL_API int wolfSSL_TS_REQ_set_msg_imprint(WOLFSSL_TS_REQ* a,
WOLFSSL_TS_MSG_IMPRINT* msgImprint);
WOLFSSL_API WOLFSSL_TS_MSG_IMPRINT* wolfSSL_TS_REQ_get_msg_imprint(
WOLFSSL_TS_REQ* a);
WOLFSSL_API int wolfSSL_TS_REQ_set_policy_id(WOLFSSL_TS_REQ* a,
const WOLFSSL_ASN1_OBJECT* policy);
WOLFSSL_API WOLFSSL_ASN1_OBJECT* wolfSSL_TS_REQ_get_policy_id(
WOLFSSL_TS_REQ* a);
WOLFSSL_API int wolfSSL_TS_REQ_set_nonce(WOLFSSL_TS_REQ* a,
const WOLFSSL_ASN1_INTEGER* nonce);
WOLFSSL_API const WOLFSSL_ASN1_INTEGER* wolfSSL_TS_REQ_get_nonce(
const WOLFSSL_TS_REQ* a);
WOLFSSL_API int wolfSSL_TS_REQ_set_cert_req(WOLFSSL_TS_REQ* a, int certReq);
WOLFSSL_API int wolfSSL_TS_REQ_get_cert_req(const WOLFSSL_TS_REQ* a);
WOLFSSL_API int wolfSSL_i2d_TS_REQ(const WOLFSSL_TS_REQ* a,
unsigned char** pp);
WOLFSSL_API WOLFSSL_TS_REQ* wolfSSL_d2i_TS_REQ(WOLFSSL_TS_REQ** a,
const unsigned char** pp, long length);
#endif /* WOLFSSL_TSP_REQUESTER */
/* TS_STATUS_INFO */
WOLFSSL_API const WOLFSSL_ASN1_INTEGER* wolfSSL_TS_STATUS_INFO_get0_status(
const WOLFSSL_TS_STATUS_INFO* a);
WOLFSSL_API const WOLFSSL_ASN1_BIT_STRING*
wolfSSL_TS_STATUS_INFO_get0_failure_info(
const WOLFSSL_TS_STATUS_INFO* a);
WOLFSSL_API const WOLF_STACK_OF(WOLFSSL_ASN1_STRING)*
wolfSSL_TS_STATUS_INFO_get0_text(const WOLFSSL_TS_STATUS_INFO* a);
/* TS_ACCURACY */
WOLFSSL_API const WOLFSSL_ASN1_INTEGER* wolfSSL_TS_ACCURACY_get_seconds(
const WOLFSSL_TS_ACCURACY* a);
WOLFSSL_API const WOLFSSL_ASN1_INTEGER* wolfSSL_TS_ACCURACY_get_millis(
const WOLFSSL_TS_ACCURACY* a);
WOLFSSL_API const WOLFSSL_ASN1_INTEGER* wolfSSL_TS_ACCURACY_get_micros(
const WOLFSSL_TS_ACCURACY* a);
/* TS_TST_INFO */
WOLFSSL_API void wolfSSL_TS_TST_INFO_free(WOLFSSL_TS_TST_INFO* a);
WOLFSSL_API WOLFSSL_TS_TST_INFO* wolfSSL_d2i_TS_TST_INFO(
WOLFSSL_TS_TST_INFO** a, const unsigned char** pp, long length);
WOLFSSL_API int wolfSSL_i2d_TS_TST_INFO(const WOLFSSL_TS_TST_INFO* a,
unsigned char** pp);
WOLFSSL_API long wolfSSL_TS_TST_INFO_get_version(
const WOLFSSL_TS_TST_INFO* a);
WOLFSSL_API WOLFSSL_ASN1_OBJECT* wolfSSL_TS_TST_INFO_get_policy_id(
WOLFSSL_TS_TST_INFO* a);
WOLFSSL_API WOLFSSL_TS_MSG_IMPRINT* wolfSSL_TS_TST_INFO_get_msg_imprint(
WOLFSSL_TS_TST_INFO* a);
WOLFSSL_API const WOLFSSL_ASN1_INTEGER* wolfSSL_TS_TST_INFO_get_serial(
const WOLFSSL_TS_TST_INFO* a);
WOLFSSL_API const WOLFSSL_ASN1_GENERALIZEDTIME* wolfSSL_TS_TST_INFO_get_time(
const WOLFSSL_TS_TST_INFO* a);
WOLFSSL_API WOLFSSL_TS_ACCURACY* wolfSSL_TS_TST_INFO_get_accuracy(
WOLFSSL_TS_TST_INFO* a);
WOLFSSL_API int wolfSSL_TS_TST_INFO_get_ordering(
const WOLFSSL_TS_TST_INFO* a);
WOLFSSL_API const WOLFSSL_ASN1_INTEGER* wolfSSL_TS_TST_INFO_get_nonce(
const WOLFSSL_TS_TST_INFO* a);
WOLFSSL_API WOLFSSL_GENERAL_NAME* wolfSSL_TS_TST_INFO_get_tsa(
WOLFSSL_TS_TST_INFO* a);
/* TS_RESP */
WOLFSSL_API void wolfSSL_TS_RESP_free(WOLFSSL_TS_RESP* a);
WOLFSSL_API WOLFSSL_TS_RESP* wolfSSL_d2i_TS_RESP(WOLFSSL_TS_RESP** a,
const unsigned char** pp, long length);
WOLFSSL_API int wolfSSL_i2d_TS_RESP(const WOLFSSL_TS_RESP* a,
unsigned char** pp);
WOLFSSL_API WOLFSSL_TS_STATUS_INFO* wolfSSL_TS_RESP_get_status_info(
WOLFSSL_TS_RESP* a);
WOLFSSL_API WOLFSSL_TS_TST_INFO* wolfSSL_TS_RESP_get_tst_info(
WOLFSSL_TS_RESP* a);
/* TS_VERIFY_CTX */
WOLFSSL_API WOLFSSL_TS_VERIFY_CTX* wolfSSL_TS_VERIFY_CTX_new(void);
WOLFSSL_API void wolfSSL_TS_VERIFY_CTX_free(WOLFSSL_TS_VERIFY_CTX* ctx);
WOLFSSL_API void wolfSSL_TS_VERIFY_CTX_cleanup(WOLFSSL_TS_VERIFY_CTX* ctx);
WOLFSSL_API int wolfSSL_TS_VERIFY_CTX_set_flags(WOLFSSL_TS_VERIFY_CTX* ctx,
int flags);
WOLFSSL_API int wolfSSL_TS_VERIFY_CTX_add_flags(WOLFSSL_TS_VERIFY_CTX* ctx,
int flags);
WOLFSSL_API unsigned char* wolfSSL_TS_VERIFY_CTX_set_imprint(
WOLFSSL_TS_VERIFY_CTX* ctx, unsigned char* imprint, long len);
WOLFSSL_API WOLFSSL_X509_STORE* wolfSSL_TS_VERIFY_CTX_set_store(
WOLFSSL_TS_VERIFY_CTX* ctx, WOLFSSL_X509_STORE* store);
WOLFSSL_API WOLFSSL_BIO* wolfSSL_TS_VERIFY_CTX_set_data(
WOLFSSL_TS_VERIFY_CTX* ctx, WOLFSSL_BIO* b);
#ifdef WOLFSSL_TSP_REQUESTER
WOLFSSL_API WOLFSSL_TS_VERIFY_CTX* wolfSSL_TS_REQ_to_TS_VERIFY_CTX(
WOLFSSL_TS_REQ* req, WOLFSSL_TS_VERIFY_CTX* ctx);
#endif /* WOLFSSL_TSP_REQUESTER */
WOLFSSL_API int wolfSSL_TS_RESP_verify_response(WOLFSSL_TS_VERIFY_CTX* ctx,
WOLFSSL_TS_RESP* response);
#ifdef OPENSSL_ALL
WOLFSSL_API int wolfSSL_TS_RESP_verify_token(WOLFSSL_TS_VERIFY_CTX* ctx,
WOLFSSL_PKCS7* token);
#endif
/* TS_RESP_CTX - responder context for creating time-stamp responses. */
#ifdef WOLFSSL_TSP_RESPONDER
WOLFSSL_API WOLFSSL_TS_RESP_CTX* wolfSSL_TS_RESP_CTX_new(void);
WOLFSSL_API void wolfSSL_TS_RESP_CTX_free(WOLFSSL_TS_RESP_CTX* ctx);
WOLFSSL_API int wolfSSL_TS_RESP_CTX_set_signer_cert(WOLFSSL_TS_RESP_CTX* ctx,
WOLFSSL_X509* signer);
WOLFSSL_API int wolfSSL_TS_RESP_CTX_set_signer_key(WOLFSSL_TS_RESP_CTX* ctx,
WOLFSSL_EVP_PKEY* key);
WOLFSSL_API int wolfSSL_TS_RESP_CTX_set_signer_digest(
WOLFSSL_TS_RESP_CTX* ctx, const WOLFSSL_EVP_MD* md);
WOLFSSL_API int wolfSSL_TS_RESP_CTX_set_def_policy(WOLFSSL_TS_RESP_CTX* ctx,
const WOLFSSL_ASN1_OBJECT* policy);
WOLFSSL_API int wolfSSL_TS_RESP_CTX_set_serial_cb(WOLFSSL_TS_RESP_CTX* ctx,
WOLFSSL_TS_serial_cb cb, void* data);
WOLFSSL_API int wolfSSL_TS_RESP_CTX_set_time_cb(WOLFSSL_TS_RESP_CTX* ctx,
WOLFSSL_TS_time_cb cb, void* data);
WOLFSSL_API int wolfSSL_TS_RESP_CTX_set_accuracy(WOLFSSL_TS_RESP_CTX* ctx,
int secs, int millis, int micros);
WOLFSSL_API int wolfSSL_TS_RESP_CTX_add_flags(WOLFSSL_TS_RESP_CTX* ctx,
int flags);
WOLFSSL_API WOLFSSL_TS_RESP* wolfSSL_TS_RESP_create_response(
WOLFSSL_TS_RESP_CTX* ctx, WOLFSSL_BIO* req_bio);
#endif /* WOLFSSL_TSP_RESPONDER */
#ifndef OPENSSL_COEXIST
typedef WOLFSSL_TS_MSG_IMPRINT TS_MSG_IMPRINT;
typedef WOLFSSL_TS_REQ TS_REQ;
typedef WOLFSSL_TS_ACCURACY TS_ACCURACY;
typedef WOLFSSL_TS_STATUS_INFO TS_STATUS_INFO;
typedef WOLFSSL_TS_TST_INFO TS_TST_INFO;
typedef WOLFSSL_TS_RESP TS_RESP;
typedef WOLFSSL_TS_VERIFY_CTX TS_VERIFY_CTX;
#define TS_STATUS_GRANTED WOLFSSL_TS_STATUS_GRANTED
#define TS_STATUS_GRANTED_WITH_MODS WOLFSSL_TS_STATUS_GRANTED_WITH_MODS
#define TS_STATUS_REJECTION WOLFSSL_TS_STATUS_REJECTION
#define TS_STATUS_WAITING WOLFSSL_TS_STATUS_WAITING
#define TS_STATUS_REVOCATION_WARNING WOLFSSL_TS_STATUS_REVOCATION_WARNING
#define TS_STATUS_REVOCATION_NOTIFICATION \
WOLFSSL_TS_STATUS_REVOCATION_NOTIFICATION
#define TS_VFY_SIGNATURE WOLFSSL_TS_VFY_SIGNATURE
#define TS_VFY_VERSION WOLFSSL_TS_VFY_VERSION
#define TS_VFY_POLICY WOLFSSL_TS_VFY_POLICY
#define TS_VFY_IMPRINT WOLFSSL_TS_VFY_IMPRINT
#define TS_VFY_DATA WOLFSSL_TS_VFY_DATA
#define TS_VFY_NONCE WOLFSSL_TS_VFY_NONCE
#define TS_VFY_SIGNER WOLFSSL_TS_VFY_SIGNER
#define TS_VFY_TSA_NAME WOLFSSL_TS_VFY_TSA_NAME
#define TS_VFY_ALL_IMPRINT WOLFSSL_TS_VFY_ALL_IMPRINT
#define TS_MSG_IMPRINT_new wolfSSL_TS_MSG_IMPRINT_new
#define TS_MSG_IMPRINT_free wolfSSL_TS_MSG_IMPRINT_free
#define TS_MSG_IMPRINT_set_algo wolfSSL_TS_MSG_IMPRINT_set_algo
#define TS_MSG_IMPRINT_get_algo wolfSSL_TS_MSG_IMPRINT_get_algo
#define TS_MSG_IMPRINT_set_msg wolfSSL_TS_MSG_IMPRINT_set_msg
#define TS_MSG_IMPRINT_get_msg wolfSSL_TS_MSG_IMPRINT_get_msg
#ifdef WOLFSSL_TSP_REQUESTER
#define TS_REQ_new wolfSSL_TS_REQ_new
#define TS_REQ_free wolfSSL_TS_REQ_free
#define TS_REQ_set_version wolfSSL_TS_REQ_set_version
#define TS_REQ_get_version wolfSSL_TS_REQ_get_version
#define TS_REQ_set_msg_imprint wolfSSL_TS_REQ_set_msg_imprint
#define TS_REQ_get_msg_imprint wolfSSL_TS_REQ_get_msg_imprint
#define TS_REQ_set_policy_id wolfSSL_TS_REQ_set_policy_id
#define TS_REQ_get_policy_id wolfSSL_TS_REQ_get_policy_id
#define TS_REQ_set_nonce wolfSSL_TS_REQ_set_nonce
#define TS_REQ_get_nonce wolfSSL_TS_REQ_get_nonce
#define TS_REQ_set_cert_req wolfSSL_TS_REQ_set_cert_req
#define TS_REQ_get_cert_req wolfSSL_TS_REQ_get_cert_req
#define i2d_TS_REQ wolfSSL_i2d_TS_REQ
#define d2i_TS_REQ wolfSSL_d2i_TS_REQ
#endif /* WOLFSSL_TSP_REQUESTER */
#define TS_STATUS_INFO_get0_status wolfSSL_TS_STATUS_INFO_get0_status
#define TS_STATUS_INFO_get0_text wolfSSL_TS_STATUS_INFO_get0_text
#define sk_ASN1_UTF8STRING_num wolfSSL_sk_num
#define sk_ASN1_UTF8STRING_value wolfSSL_sk_value
#define TS_STATUS_INFO_get0_failure_info \
wolfSSL_TS_STATUS_INFO_get0_failure_info
#define TS_ACCURACY_get_seconds wolfSSL_TS_ACCURACY_get_seconds
#define TS_ACCURACY_get_millis wolfSSL_TS_ACCURACY_get_millis
#define TS_ACCURACY_get_micros wolfSSL_TS_ACCURACY_get_micros
#define TS_TST_INFO_free wolfSSL_TS_TST_INFO_free
#define d2i_TS_TST_INFO wolfSSL_d2i_TS_TST_INFO
#define i2d_TS_TST_INFO wolfSSL_i2d_TS_TST_INFO
#define TS_TST_INFO_get_version wolfSSL_TS_TST_INFO_get_version
#define TS_TST_INFO_get_policy_id wolfSSL_TS_TST_INFO_get_policy_id
#define TS_TST_INFO_get_msg_imprint wolfSSL_TS_TST_INFO_get_msg_imprint
#define TS_TST_INFO_get_serial wolfSSL_TS_TST_INFO_get_serial
#define TS_TST_INFO_get_time wolfSSL_TS_TST_INFO_get_time
#define TS_TST_INFO_get_accuracy wolfSSL_TS_TST_INFO_get_accuracy
#define TS_TST_INFO_get_ordering wolfSSL_TS_TST_INFO_get_ordering
#define TS_TST_INFO_get_nonce wolfSSL_TS_TST_INFO_get_nonce
#define TS_TST_INFO_get_tsa wolfSSL_TS_TST_INFO_get_tsa
#define TS_RESP_free wolfSSL_TS_RESP_free
#define d2i_TS_RESP wolfSSL_d2i_TS_RESP
#define i2d_TS_RESP wolfSSL_i2d_TS_RESP
#define TS_RESP_get_status_info wolfSSL_TS_RESP_get_status_info
#define TS_RESP_get_tst_info wolfSSL_TS_RESP_get_tst_info
#define TS_VERIFY_CTX_new wolfSSL_TS_VERIFY_CTX_new
#define TS_VERIFY_CTX_free wolfSSL_TS_VERIFY_CTX_free
#define TS_VERIFY_CTX_cleanup wolfSSL_TS_VERIFY_CTX_cleanup
#define TS_VERIFY_CTX_set_flags wolfSSL_TS_VERIFY_CTX_set_flags
#define TS_VERIFY_CTX_add_flags wolfSSL_TS_VERIFY_CTX_add_flags
#define TS_VERIFY_CTX_set_imprint wolfSSL_TS_VERIFY_CTX_set_imprint
#define TS_VERIFY_CTX_set_store wolfSSL_TS_VERIFY_CTX_set_store
#define TS_VERIFY_CTX_set_data wolfSSL_TS_VERIFY_CTX_set_data
#ifdef WOLFSSL_TSP_REQUESTER
#define TS_REQ_to_TS_VERIFY_CTX wolfSSL_TS_REQ_to_TS_VERIFY_CTX
#endif
#define TS_RESP_verify_response wolfSSL_TS_RESP_verify_response
#ifdef OPENSSL_ALL
#define TS_RESP_verify_token wolfSSL_TS_RESP_verify_token
#endif
#define TS_TST_INFO_get_tsa wolfSSL_TS_TST_INFO_get_tsa
#ifdef WOLFSSL_TSP_RESPONDER
#define TS_RESP_CTX_new wolfSSL_TS_RESP_CTX_new
#define TS_RESP_CTX_free wolfSSL_TS_RESP_CTX_free
#define TS_RESP_CTX_set_signer_cert wolfSSL_TS_RESP_CTX_set_signer_cert
#define TS_RESP_CTX_set_signer_key wolfSSL_TS_RESP_CTX_set_signer_key
#define TS_RESP_CTX_set_signer_digest wolfSSL_TS_RESP_CTX_set_signer_digest
#define TS_RESP_CTX_set_def_policy wolfSSL_TS_RESP_CTX_set_def_policy
#define TS_RESP_CTX_set_serial_cb wolfSSL_TS_RESP_CTX_set_serial_cb
#define TS_RESP_CTX_set_time_cb wolfSSL_TS_RESP_CTX_set_time_cb
#define TS_RESP_CTX_set_accuracy wolfSSL_TS_RESP_CTX_set_accuracy
#define TS_RESP_CTX_add_flags wolfSSL_TS_RESP_CTX_add_flags
#define TS_RESP_create_response wolfSSL_TS_RESP_create_response
#define TS_RESP_CTX WOLFSSL_TS_RESP_CTX
#define TS_TSA_NAME WOLFSSL_TS_TSA_NAME
#define TS_ORDERING WOLFSSL_TS_ORDERING
#define TS_ESS_CERT_ID_CHAIN WOLFSSL_TS_ESS_CERT_ID_CHAIN
#endif /* WOLFSSL_TSP_RESPONDER */
#endif /* !OPENSSL_COEXIST */
#ifdef __cplusplus
} /* extern "C" */
#endif
#endif /* OPENSSL_EXTRA && WOLFSSL_TSP && HAVE_PKCS7 */
#endif /* WOLFSSL_OPENSSL_TS_H_ */
+3
View File
@@ -5687,6 +5687,9 @@ WOLFSSL_API int wolfSSL_ASN1_BIT_STRING_get_bit(
const WOLFSSL_ASN1_BIT_STRING* str, int i);
WOLFSSL_API int wolfSSL_ASN1_BIT_STRING_set_bit(
WOLFSSL_ASN1_BIT_STRING* str, int pos, int val);
WOLFSSL_API int wolfSSL_ASN1_BIT_STRING_set1(
WOLFSSL_ASN1_BIT_STRING* str,
const unsigned char* data, int len);
WOLFSSL_API int wolfSSL_i2d_ASN1_BIT_STRING(const WOLFSSL_ASN1_BIT_STRING* bstr,
unsigned char** pp);
WOLFSSL_API WOLFSSL_ASN1_BIT_STRING* wolfSSL_d2i_ASN1_BIT_STRING(
+69 -12
View File
@@ -254,6 +254,11 @@ enum ASNItem_DataType {
ASN_DATA_TYPE_MP_POS_NEG = 10,
/* ASN.1 CHOICE. A 0 terminated list of tags that are valid. */
ASN_DATA_TYPE_CHOICE = 11
#ifdef WOLFSSL_ASN_TEMPLATE_NEED_SET_INT32
/* 32-bit integer value encoded as an INTEGER's content even when the
* item is implicitly tagged. */
,ASN_DATA_TYPE_WORD32_INT = 12
#endif
};
/* A template entry describing an ASN.1 item. */
@@ -390,6 +395,10 @@ WOLFSSL_LOCAL void GetASN_OIDData(const ASNGetData * dataASN, const byte** data,
WOLFSSL_LOCAL void SetASN_Boolean(ASNSetData *dataASN, byte val);
WOLFSSL_LOCAL void SetASN_Int8Bit(ASNSetData *dataASN, byte num);
WOLFSSL_LOCAL void SetASN_Int16Bit(ASNSetData *dataASN, word16 num);
#ifdef WOLFSSL_ASN_TEMPLATE_NEED_SET_INT32
WOLFSSL_LOCAL void SetASN_Int32Bit(ASNSetData *dataASN, word32 num);
WOLFSSL_LOCAL void SetASN_Int32BitInt(ASNSetData *dataASN, word32 num);
#endif
WOLFSSL_LOCAL void SetASN_Buffer(ASNSetData *dataASN, const byte* data,
word32 length);
WOLFSSL_LOCAL void SetASN_ReplaceBuffer(ASNSetData *dataASN, const byte* data,
@@ -588,6 +597,33 @@ WOLFSSL_LOCAL void SetASN_OID(ASNSetData *dataASN, int oid, int oidType);
(dataASN)->data.u16 = (num); \
} while (0)
#ifdef WOLFSSL_ASN_TEMPLATE_NEED_SET_INT32
/* Setup an ASN data item to set a 32-bit number.
*
* @param [in] dataASN Dynamic ASN data item.
* @param [in] num 32-bit number to set.
*/
#define SetASN_Int32Bit(dataASN, num) \
do { \
(dataASN)->dataType = ASN_DATA_TYPE_WORD32; \
(dataASN)->data.u32 = (num); \
} while (0)
/* Setup an ASN data item to set a 32-bit number encoded as an INTEGER.
*
* For implicitly tagged INTEGERs - a zero byte is prepended to keep the
* number positive, as is done for INTEGER tagged items.
*
* @param [in] dataASN Dynamic ASN data item.
* @param [in] num 32-bit number to set.
*/
#define SetASN_Int32BitInt(dataASN, num) \
do { \
(dataASN)->dataType = ASN_DATA_TYPE_WORD32_INT; \
(dataASN)->data.u32 = (num); \
} while (0)
#endif
/* Setup an ASN data item to set the data in a buffer.
*
* @param [in] dataASN Dynamic ASN data item.
@@ -723,6 +759,32 @@ WOLFSSL_LOCAL void SetASN_OID(ASNSetData *dataASN, int oid, int oidType);
} \
while (0)
/* Set the node, and when a header, all nodes below to not be encoded.
*
* A node that is not a header has no nodes below - no need to check
* further nodes at a lower depth.
*
* @param [in] dataASN Dynamic ASN data item.
* @param [in] asn ASN template item.
* @param [in] header Node is a header - nodes below are also set to not
* be encoded.
* @param [in] node Node which should not be encoded.
* @param [in] dataASNLen Number of items in dataASN.
*/
#define SetASNItem_NoOutNode_ex(dataASN, asn, header, node, dataASNLen) \
do { \
(dataASN)[node].noOut = 1; \
if (header) { \
int ii; \
for (ii = (node) + 1; ii < (int)(dataASNLen); ii++) { \
if ((asn)[ii].depth <= (asn)[node].depth) \
break; \
(dataASN)[ii].noOut = 1; \
} \
} \
} \
while (0)
/* Set the node and all nodes below to not be encoded.
*
* @param [in] dataASN Dynamic ASN data item.
@@ -732,16 +794,7 @@ WOLFSSL_LOCAL void SetASN_OID(ASNSetData *dataASN, int oid, int oidType);
* @param [in] dataASNLen Number of items in dataASN.
*/
#define SetASNItem_NoOutNode(dataASN, asn, node, dataASNLen) \
do { \
int ii; \
(dataASN)[node].noOut = 1; \
for (ii = (node) + 1; ii < (int)(dataASNLen); ii++) { \
if ((asn)[ii].depth <= (asn)[node].depth) \
break; \
(dataASN)[ii].noOut = 1; \
} \
} \
while (0)
SetASNItem_NoOutNode_ex(dataASN, asn, 1, node, dataASNLen)
#endif /* WOLFSSL_ASN_TEMPLATE */
@@ -2175,6 +2228,9 @@ struct DecodedCert {
WOLFSSL_AIA_ENTRY extAuthInfoList[WOLFSSL_MAX_AIA_ENTRIES];
WC_BITFIELD extAuthInfoListSz:7;
WC_BITFIELD extAuthInfoListOverflow:1;
/* Appended to preserve the offsets of existing members. */
word32 extExtKeyUsageOidCnt; /* Number of EKU KeyPurposeIds seen,
* recognized or not */
};
#if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
@@ -2485,7 +2541,7 @@ WOLFSSL_LOCAL int DecodeKeyUsage(const byte* input, word32 sz,
WOLFSSL_LOCAL int DecodeExtKeyUsage(const byte* input, word32 sz,
const byte **extExtKeyUsageSrc, word32 *extExtKeyUsageSz,
word32 *extExtKeyUsageCount, byte *extExtKeyUsage,
byte *extExtKeyUsageSsh);
byte *extExtKeyUsageSsh, word32 *extExtKeyUsageOidCnt);
WOLFSSL_LOCAL int TryDecodeRPKToKey(DecodedCert* cert);
WOLFSSL_LOCAL int wc_GetPubX509(DecodedCert* cert, int verify, int* badDate);
@@ -2542,7 +2598,8 @@ WOLFSSL_LOCAL int GetTimeString(byte* date, int format, char* buf, int len,
#endif
#if !defined(NO_ASN_TIME) && !defined(USER_TIME) && \
!defined(TIME_OVERRIDES) && (defined(OPENSSL_EXTRA) || \
defined(HAVE_PKCS7) || defined(HAVE_OCSP_RESPONDER))
defined(HAVE_PKCS7) || defined(HAVE_OCSP_RESPONDER) || \
defined(WOLFSSL_TSP))
WOLFSSL_LOCAL int GetFormattedTime(void* currTime, byte* buf, word32 len);
WOLFSSL_LOCAL int GetAsnTimeString(void* currTime, byte* buf, word32 len);
WOLFSSL_LOCAL int GetFormattedTime_ex(void* currTime, byte* buf, word32 len, byte format);
+5 -2
View File
@@ -328,8 +328,11 @@ enum wolfCrypt_ErrorCodes {
DRBG_SHA512_KAT_FIPS_E = -1017, /* SHA-512 DRBG KAT failure */
SLH_DSA_KAT_FIPS_E = -1018, /* SLH-DSA CAST KAT failure */
WC_SPAN2_LAST_E = -1018, /* Update to indicate last used error code */
WC_LAST_E = -1018, /* the last code used either here or in
TSP_VERIFY_E = -1019, /* TSP token invalid or response doesn't
* match request */
WC_SPAN2_LAST_E = -1019, /* Update to indicate last used error code */
WC_LAST_E = -1019, /* the last code used either here or in
* error-ssl.h */
WC_SPAN2_MIN_CODE_E = -1999, /* Last usable code in span 2 */
+1
View File
@@ -7,6 +7,7 @@ nobase_include_HEADERS+= \
wolfssl/wolfcrypt/ascon.h \
wolfssl/wolfcrypt/asn.h \
wolfssl/wolfcrypt/asn_public.h \
wolfssl/wolfcrypt/tsp.h \
wolfssl/wolfcrypt/poly1305.h \
wolfssl/wolfcrypt/camellia.h \
wolfssl/wolfcrypt/cmac.h \
+4
View File
@@ -1786,6 +1786,8 @@ enum PKCS7_TYPES {
FIRMWARE_PKG_DATA = 685, /* 1.2.840.113549.1.9.16.1.16 */
/* 0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x09,0x10,0x01,0x17 */
AUTH_ENVELOPED_DATA = 692, /* 1.2.840.113549.1.9.16.1.23 */
/* 0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x09,0x10,0x01,0x04 */
TSTINFO_DATA = 673, /* 1.2.840.113549.1.9.16.1.4 */
/* 0x60,0x86,0x48,0x01,0x65,0x02,0x01,0x02,0x4e,0x02 */
ENCRYPTED_KEY_PACKAGE = 489 /* 2.16.840.1.101.2.1.2.78.2 */
#else
@@ -1809,6 +1811,8 @@ enum PKCS7_TYPES {
FIRMWARE_PKG_DATA = 0x70a68a32, /* 1.2.840.113549.1.9.16.1.16 */
/* 0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x09,0x10,0x01,0x17 */
AUTH_ENVELOPED_DATA = 0x70a18a32, /* 1.2.840.113549.1.9.16.1.23 */
/* 0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x09,0x10,0x01,0x04 */
TSTINFO_DATA = 0x70b28a32, /* 1.2.840.113549.1.9.16.1.4 */
/* 0x60,0x86,0x48,0x01,0x65,0x02,0x01,0x02,0x4e,0x02 */
ENCRYPTED_KEY_PACKAGE = 0x034986b4 /* 2.16.840.1.101.2.1.2.78.2 */
#endif
+24
View File
@@ -3970,6 +3970,30 @@
#error "Attribute Certificate support requires the ASN.1 template feature."
#endif
#if defined(WOLFSSL_TSP) && !defined(WOLFSSL_ASN_TEMPLATE)
#error "Time-Stamp Protocol support requires the ASN.1 template feature."
#endif
#ifdef WOLFSSL_TSP
/* Time-Stamp Protocol roles: requester (create requests, verify
* responses), verifier (verify tokens/responses only) and responder
* (read requests, create responses). When none is chosen, requester and
* responder are enabled. */
#if !defined(WOLFSSL_TSP_REQUESTER) && !defined(WOLFSSL_TSP_RESPONDER) && \
!defined(WOLFSSL_TSP_VERIFIER)
#define WOLFSSL_TSP_REQUESTER
#define WOLFSSL_TSP_RESPONDER
#endif
/* A requester also verifies the responses it receives. */
#if defined(WOLFSSL_TSP_REQUESTER) && !defined(WOLFSSL_TSP_VERIFIER)
#define WOLFSSL_TSP_VERIFIER
#endif
/* Encoding the accuracy seconds of a TSTInfo needs 32-bit numbers. */
#undef WOLFSSL_ASN_TEMPLATE_NEED_SET_INT32
#define WOLFSSL_ASN_TEMPLATE_NEED_SET_INT32
#endif
#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
#undef WOLFSSL_ASN_ALL
#define WOLFSSL_ASN_ALL
+458
View File
@@ -0,0 +1,458 @@
/* tsp.h
*
* Copyright (C) 2006-2026 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/*!
\file wolfssl/wolfcrypt/tsp.h
Time-Stamp Protocol (TSP) message encoding and decoding. RFC 3161.
*/
#ifndef WOLF_CRYPT_TSP_H
#define WOLF_CRYPT_TSP_H
#include <wolfssl/wolfcrypt/types.h>
#ifdef WOLFSSL_TSP
#include <wolfssl/wolfcrypt/asn_public.h>
#include <wolfssl/wolfcrypt/asn.h>
#ifdef HAVE_PKCS7
#include <wolfssl/wolfcrypt/pkcs7.h>
#endif
#ifdef __cplusplus
extern "C" {
#endif
/* Version of TimeStampReq and TSTInfo supported. RFC 3161, 2.4.1 and 2.4.2. */
#define WC_TSP_VERSION 1
/* PKIStatus values. RFC 3161, 2.4.2. */
enum TspPkiStatus {
WC_TSP_PKISTATUS_GRANTED = 0,
WC_TSP_PKISTATUS_GRANTED_WITH_MODS = 1,
WC_TSP_PKISTATUS_REJECTION = 2,
WC_TSP_PKISTATUS_WAITING = 3,
WC_TSP_PKISTATUS_REVOCATION_WARNING = 4,
WC_TSP_PKISTATUS_REVOCATION_NOTIFICATION = 5
};
/* PKIFailureInfo flags. RFC 3161, 2.4.2.
* The value is the BIT STRING's data as a big-endian number left-aligned to
* 32 bits - named bit n is bit (31 - n) of the value. */
#define WC_TSP_FAIL_BAD_ALG 0x80000000UL /* bit 0 */
#define WC_TSP_FAIL_BAD_REQUEST 0x20000000UL /* bit 2 */
#define WC_TSP_FAIL_BAD_DATA_FORMAT 0x04000000UL /* bit 5 */
#define WC_TSP_FAIL_TIME_NOT_AVAILABLE 0x00020000UL /* bit 14 */
#define WC_TSP_FAIL_UNACCEPTED_POLICY 0x00010000UL /* bit 15 */
#define WC_TSP_FAIL_UNACCEPTED_EXTENSION 0x00008000UL /* bit 16 */
#define WC_TSP_FAIL_ADD_INFO_NOT_AVAILABLE 0x00004000UL /* bit 17 */
#define WC_TSP_FAIL_SYSTEM_FAILURE 0x00000040UL /* bit 25 */
/* Maximum length of the hash in a MessageImprint: SHA-512 is the longest
* hash supported. */
#define WC_TSP_MAX_HASH_SZ 64
/* Maximum length of a nonce in a TimeStampReq: OpenSSL sends 8 bytes. */
#ifndef MAX_TS_NONCE_SZ
#define MAX_TS_NONCE_SZ 32
#endif
/* Minimum security strength in bits of the hash algorithms accepted when
* verifying a token - the collision resistance of a hash is half the
* digest length in bits. 0 means any available hash algorithm is accepted.
* e.g. 128 requires SHA-256 or longer. */
#ifndef WC_TSP_MIN_HASH_STRENGTH_BITS
#define WC_TSP_MIN_HASH_STRENGTH_BITS 0
#endif
/* MessageImprint. RFC 3161, 2.4.1.
* Hash algorithm and hash of the data to be time-stamped. */
typedef struct TspMessageImprint {
/* Hash algorithm OID sum: SHA256h, SHA384h, etc. On decode, checked
* against the known hash algorithm OIDs - an OID not known is accepted
* and the caller checks the sum is one it supports. */
word32 hashAlgOID;
/* Hash of message - copied into on decode. */
byte hash[WC_TSP_MAX_HASH_SZ];
/* Length of hash in bytes. */
word32 hashSz;
} TspMessageImprint;
/* Accuracy of time in TSTInfo. RFC 3161, 2.4.2.
* A value of 0 in a field means not present. */
typedef struct TspAccuracy {
/* Accuracy in seconds. */
word32 seconds;
/* Accuracy in milliseconds: 1..999. */
word16 millis;
/* Accuracy in microseconds: 1..999. */
word16 micros;
} TspAccuracy;
/* TimeStampReq. RFC 3161, 2.4.1.
* Extensions are not supported - decode fails when present. */
typedef struct TspRequest {
/* Version: must be 1. Set on decode - always 1 on encode. */
byte version;
/* Hash algorithm and hash of data to be time-stamped. */
TspMessageImprint imprint;
/* Optional TSA policy ID: content of OBJECT IDENTIFIER - copied into on
* decode. Not present when policySz is 0. */
byte policy[MAX_OID_SZ];
word32 policySz;
/* Optional nonce: big-endian number - must not have a leading zero
* byte, checked on encode. Copied into on decode. Not present when
* nonceSz is 0. */
byte nonce[MAX_TS_NONCE_SZ];
word32 nonceSz;
/* Request TSA certificate to be included in response when true. */
byte certReq;
} TspRequest;
/* TSTInfo. RFC 3161, 2.4.2.
* Content of the time-stamp token signed by the TSA.
* On decode, pointers reference into the message buffer - the buffer must
* remain available while the structure is in use.
* Extensions are not supported - decode fails when present. */
typedef struct TspTstInfo {
/* Version: must be 1. Set on decode - always 1 on encode. */
byte version;
/* TSA policy ID: content of OBJECT IDENTIFIER. */
const byte* policy;
word32 policySz;
/* Hash algorithm and hash of data time-stamped. */
TspMessageImprint imprint;
/* Serial number of time-stamp: big-endian number, up to 160 bits -
* must not have a leading zero byte, checked on encode. */
const byte* serial;
word32 serialSz;
/* Time of time-stamp as a GeneralizedTime string of RFC 3161:
* "YYYYMMDDhhmmss[.s...]Z" - syntax checked on encode and decode.
* When NULL on encode, the current time is used (requires a real time
* clock - not available with NO_ASN_TIME). */
const byte* genTime;
word32 genTimeSz;
/* Optional accuracy of time. */
TspAccuracy accuracy;
/* Time-stamps from TSA are strictly ordered when true. */
byte ordering;
/* Optional nonce: big-endian number, must match request's nonce
* exactly - must not have a leading zero byte, checked on encode. NULL
* when not present. */
const byte* nonce;
word32 nonceSz;
/* Optional name of TSA: DER encoding of GeneralName. NULL when not
* present. */
const byte* tsa;
word32 tsaSz;
} TspTstInfo;
/* TimeStampResp. RFC 3161, 2.4.2.
* PKIStatusInfo and optional TimeStampToken.
* On decode, pointers reference into the message buffer - the buffer must
* remain available while the structure is in use. */
typedef struct TspResponse {
/* PKIStatus value. See TspPkiStatus. */
byte status;
/* Optional status text, UTF-8 encoded, no NUL terminator.
* On encode, placed in a PKIFreeText with one UTF8String.
* On decode, references the first UTF8String of the PKIFreeText. */
const byte* statusString;
word32 statusStringSz;
/* Optional failure information: WC_TSP_FAIL_* flags. 0 when not
* present. */
word32 failInfo;
/* Optional time-stamp token: DER encoding of ContentInfo containing
* CMS SignedData with TSTInfo content. NULL when not present. */
const byte* token;
word32 tokenSz;
} TspResponse;
/* TimeStampReq encoding, decoding and operations. */
#ifdef WOLFSSL_TSP_REQUESTER
WOLFSSL_API int wc_TspRequest_Init(TspRequest* req);
#endif /* WOLFSSL_TSP_REQUESTER */
#ifdef WOLFSSL_TSP_REQUESTER
WOLFSSL_API int wc_TspRequest_SetHashType(TspRequest* req,
enum wc_HashType hashType);
#endif /* WOLFSSL_TSP_REQUESTER */
#if defined(WOLFSSL_TSP_REQUESTER) || defined(WOLFSSL_TSP_VERIFIER)
WOLFSSL_API int wc_TspRequest_GetHashType(const TspRequest* req,
enum wc_HashType* hashType);
#endif /* WOLFSSL_TSP_REQUESTER || WOLFSSL_TSP_VERIFIER */
#if defined(WOLFSSL_TSP_REQUESTER) || defined(WOLFSSL_TSP_VERIFIER)
WOLFSSL_API int wc_TspRequest_GetHash(const TspRequest* req, byte* hash,
word32* hashSz);
#endif /* WOLFSSL_TSP_REQUESTER || WOLFSSL_TSP_VERIFIER */
#ifdef WOLFSSL_TSP_REQUESTER
WOLFSSL_API int wc_TspRequest_SetHash(TspRequest* req, const byte* hash,
word32 hashSz);
#endif /* WOLFSSL_TSP_REQUESTER */
#if defined(WOLFSSL_TSP_REQUESTER) || defined(WOLFSSL_TSP_VERIFIER)
WOLFSSL_API int wc_TspRequest_GetNonce(const TspRequest* req, byte* nonce,
word32* nonceSz);
#endif /* WOLFSSL_TSP_REQUESTER || WOLFSSL_TSP_VERIFIER */
#ifdef WOLFSSL_TSP_REQUESTER
WOLFSSL_API int wc_TspRequest_SetNonce(TspRequest* req, const byte* nonce,
word32 nonceSz);
#endif /* WOLFSSL_TSP_REQUESTER */
#if defined(WOLFSSL_TSP_REQUESTER) && !defined(WC_NO_RNG)
WOLFSSL_API int wc_TspRequest_GenerateNonce(TspRequest* req, WC_RNG* rng,
word32 sz);
#endif /* WOLFSSL_TSP_REQUESTER && !WC_NO_RNG */
#if defined(WOLFSSL_TSP_REQUESTER) || defined(WOLFSSL_TSP_VERIFIER)
WOLFSSL_API int wc_TspRequest_GetPolicy(const TspRequest* req, byte* policy,
word32* policySz);
#endif /* WOLFSSL_TSP_REQUESTER || WOLFSSL_TSP_VERIFIER */
#ifdef WOLFSSL_TSP_REQUESTER
WOLFSSL_API int wc_TspRequest_SetPolicy(TspRequest* req, const byte* policy,
word32 policySz);
#endif /* WOLFSSL_TSP_REQUESTER */
/* The requester sets certReq and reads it back; the responder reads it from a
* received request. */
#if defined(WOLFSSL_TSP_REQUESTER) || defined(WOLFSSL_TSP_RESPONDER)
/* Get the certReq flag of a TimeStampReq.
*
* A non-zero value means the requester asked for the TSA certificate to be
* included in the response.
*
* @param [in] req TimeStampReq object.
* @return Non-zero when the TSA certificate is requested, 0 otherwise.
*/
#define wc_TspRequest_GetCertReq(req) ((req)->certReq)
#endif /* WOLFSSL_TSP_REQUESTER || WOLFSSL_TSP_RESPONDER */
#ifdef WOLFSSL_TSP_REQUESTER
/* Set the certReq flag of a TimeStampReq.
*
* A non-zero value requests the TSA certificate to be included in the
* response. Any non-zero value is normalized to 1.
*
* @param [in, out] req TimeStampReq object.
* @param [in] val Non-zero to request the TSA certificate, 0 otherwise.
*/
#define wc_TspRequest_SetCertReq(req, val) \
((req)->certReq = (byte)((val) != 0))
#endif /* WOLFSSL_TSP_REQUESTER */
#ifdef WOLFSSL_TSP_REQUESTER
WOLFSSL_API int wc_TspRequest_Encode(const TspRequest* req, byte* out,
word32* outSz);
#endif /* WOLFSSL_TSP_REQUESTER */
WOLFSSL_API int wc_TspRequest_Decode(TspRequest* req, const byte* input,
word32 inSz);
/* TSTInfo encoding, decoding and operations. */
#ifdef WOLFSSL_TSP_RESPONDER
WOLFSSL_API int wc_TspTstInfo_Init(TspTstInfo* tstInfo);
#endif /* WOLFSSL_TSP_RESPONDER */
#if defined(WOLFSSL_TSP_RESPONDER) || defined(WOLFSSL_TSP_VERIFIER)
WOLFSSL_API int wc_TspTstInfo_GetSerial(const TspTstInfo* tstInfo,
const byte** serial, word32* serialSz);
#endif /* WOLFSSL_TSP_RESPONDER || WOLFSSL_TSP_VERIFIER */
#ifdef WOLFSSL_TSP_RESPONDER
WOLFSSL_API int wc_TspTstInfo_SetSerial(TspTstInfo* tstInfo,
const byte* serial, word32 serialSz);
#endif /* WOLFSSL_TSP_RESPONDER */
#if defined(WOLFSSL_TSP_RESPONDER) || defined(WOLFSSL_TSP_VERIFIER)
WOLFSSL_API int wc_TspTstInfo_GetPolicy(const TspTstInfo* tstInfo,
const byte** policy, word32* policySz);
#endif /* WOLFSSL_TSP_RESPONDER || WOLFSSL_TSP_VERIFIER */
#ifdef WOLFSSL_TSP_RESPONDER
WOLFSSL_API int wc_TspTstInfo_SetPolicy(TspTstInfo* tstInfo,
const byte* policy, word32 policySz);
#endif /* WOLFSSL_TSP_RESPONDER */
#if defined(WOLFSSL_TSP_RESPONDER) || defined(WOLFSSL_TSP_VERIFIER)
WOLFSSL_API int wc_TspTstInfo_GetMsgImprint(const TspTstInfo* tstInfo,
word32* hashOID, const byte** hash, word32* hashSz);
#endif /* WOLFSSL_TSP_RESPONDER || WOLFSSL_TSP_VERIFIER */
#ifdef WOLFSSL_TSP_RESPONDER
WOLFSSL_API int wc_TspTstInfo_SetMsgImprint(TspTstInfo* tstInfo,
word32 hashOID, const byte* hash, word32 hashSz);
#endif /* WOLFSSL_TSP_RESPONDER */
#if defined(WOLFSSL_TSP_RESPONDER) || defined(WOLFSSL_TSP_VERIFIER)
WOLFSSL_API int wc_TspTstInfo_GetGenTime(const TspTstInfo* tstInfo,
const byte** genTime, word32* genTimeSz);
#endif /* WOLFSSL_TSP_RESPONDER || WOLFSSL_TSP_VERIFIER */
#ifdef WOLFSSL_TSP_RESPONDER
WOLFSSL_API int wc_TspTstInfo_SetGenTime(TspTstInfo* tstInfo,
const byte* genTime, word32 genTimeSz);
#endif /* WOLFSSL_TSP_RESPONDER */
#ifndef NO_ASN_TIME
#if defined(WOLFSSL_TSP_RESPONDER) || defined(WOLFSSL_TSP_VERIFIER)
WOLFSSL_API int wc_TspTstInfo_GetGenTimeAsTime(const TspTstInfo* tstInfo,
time_t* t);
#endif /* WOLFSSL_TSP_RESPONDER || WOLFSSL_TSP_VERIFIER */
#ifdef WOLFSSL_TSP_RESPONDER
WOLFSSL_API int wc_TspTstInfo_SetGenTimeAsTime(TspTstInfo* tstInfo, time_t t,
byte* buf, word32 bufSz);
#endif /* WOLFSSL_TSP_RESPONDER */
#endif /* !NO_ASN_TIME */
#if defined(WOLFSSL_TSP_RESPONDER) || defined(WOLFSSL_TSP_VERIFIER)
WOLFSSL_API int wc_TspTstInfo_GetAccuracy(const TspTstInfo* tstInfo,
word32* seconds, word16* millis, word16* micros);
#endif /* WOLFSSL_TSP_RESPONDER || WOLFSSL_TSP_VERIFIER */
#ifdef WOLFSSL_TSP_RESPONDER
WOLFSSL_API int wc_TspTstInfo_SetAccuracy(TspTstInfo* tstInfo,
word32 seconds, word16 millis, word16 micros);
#endif /* WOLFSSL_TSP_RESPONDER */
#if defined(WOLFSSL_TSP_RESPONDER) || defined(WOLFSSL_TSP_VERIFIER)
WOLFSSL_API int wc_TspTstInfo_GetNonce(const TspTstInfo* tstInfo,
const byte** nonce, word32* nonceSz);
#endif /* WOLFSSL_TSP_RESPONDER || WOLFSSL_TSP_VERIFIER */
#ifdef WOLFSSL_TSP_RESPONDER
WOLFSSL_API int wc_TspTstInfo_SetNonce(TspTstInfo* tstInfo,
const byte* nonce, word32 nonceSz);
#endif /* WOLFSSL_TSP_RESPONDER */
#if defined(WOLFSSL_TSP_RESPONDER) || defined(WOLFSSL_TSP_VERIFIER)
WOLFSSL_API int wc_TspTstInfo_GetTsa(const TspTstInfo* tstInfo,
const byte** tsa, word32* tsaSz);
#endif /* WOLFSSL_TSP_RESPONDER || WOLFSSL_TSP_VERIFIER */
#ifdef WOLFSSL_TSP_RESPONDER
WOLFSSL_API int wc_TspTstInfo_SetTsa(TspTstInfo* tstInfo, const byte* tsa,
word32 tsaSz);
#endif /* WOLFSSL_TSP_RESPONDER */
/* Set the TSTInfo's values to respond to a request - echoes the request's
* imprint and nonce and sets the TSA's policy, serial and time. */
#ifdef WOLFSSL_TSP_RESPONDER
WOLFSSL_API int wc_TspTstInfo_SetFromRequest(TspTstInfo* tstInfo,
const TspRequest* req, const byte* policy, word32 policySz,
const byte* serial, word32 serialSz, const byte* genTime,
word32 genTimeSz);
#endif /* WOLFSSL_TSP_RESPONDER */
#ifdef WOLFSSL_TSP_RESPONDER
WOLFSSL_API int wc_TspTstInfo_Encode(const TspTstInfo* tstInfo, byte* out,
word32* outSz);
#endif /* WOLFSSL_TSP_RESPONDER */
#ifdef WOLFSSL_TSP_VERIFIER
WOLFSSL_API int wc_TspTstInfo_Decode(TspTstInfo* tstInfo, const byte* input,
word32 inSz);
#endif /* WOLFSSL_TSP_VERIFIER */
#if !defined(NO_ASN_TIME) && !defined(USER_TIME) && !defined(TIME_OVERRIDES)
#ifdef WOLFSSL_TSP_VERIFIER
WOLFSSL_API int wc_TspTstInfo_CheckGenTime(const TspTstInfo* tstInfo,
word32 tolerance);
#endif /* WOLFSSL_TSP_VERIFIER */
#endif
/* Check TSTInfo from a response against the request sent. */
#ifdef WOLFSSL_TSP_VERIFIER
WOLFSSL_API int wc_TspTstInfo_CheckRequest(const TspTstInfo* tstInfo,
const TspRequest* req);
#endif /* WOLFSSL_TSP_VERIFIER */
/* Check the TSA name of a TSTInfo is the expected name. */
#ifdef WOLFSSL_TSP_VERIFIER
WOLFSSL_API int wc_TspTstInfo_CheckTsaName(const TspTstInfo* tstInfo,
const byte* tsa, word32 tsaSz);
#endif /* WOLFSSL_TSP_VERIFIER */
/* Verify the message imprint of a TSTInfo against the original data. */
#ifdef WOLFSSL_TSP_VERIFIER
WOLFSSL_API int wc_TspTstInfo_VerifyData(const TspTstInfo* tstInfo,
const byte* data, word32 dataSz);
#endif /* WOLFSSL_TSP_VERIFIER */
#ifdef HAVE_PKCS7
/* Internal: id-aa-signingCertificateV2 attribute OID. Defined in asn_tsp.c;
* used by token creation (tsp.c) and the signing-certificate check
* (asn_tsp.c). */
extern const byte tspSigningCertV2Oid[13];
/* TimeStampToken creation (responder) using CMS SignedData. */
#ifdef WOLFSSL_TSP_RESPONDER
/* Create a token with the TSA's certificate and key - manages the PKCS7
* object. */
WOLFSSL_API int wc_TspTstInfo_Sign(const TspTstInfo* tstInfo,
const byte* cert, word32 certSz, const byte* key, word32 keySz,
enum wc_PkType keyType, enum wc_HashType hashType, WC_RNG* rng,
byte* out, word32* outSz);
WOLFSSL_API int wc_TspTstInfo_SignWithPkcs7(const TspTstInfo* tstInfo,
wc_PKCS7* pkcs7, byte* out, word32* outSz);
/* Internal: encode a SigningCertificateV2 signed attribute - asn_tsp.c. */
WOLFSSL_LOCAL int TspEncodeSigningCertV2(int hashOID, const byte* cert,
word32 certSz, byte* out, word32* outSz, void* heap);
#endif /* WOLFSSL_TSP_RESPONDER */
/* TimeStampToken verification (requester) using CMS SignedData. */
#ifdef WOLFSSL_TSP_VERIFIER
WOLFSSL_API int wc_TspTstInfo_VerifyWithPKCS7(wc_PKCS7* pkcs7, byte* token,
word32 tokenSz, TspTstInfo* tstInfo);
/* Internal helper in tsp.c, also used by TspCheckSigningCertAttr (asn_tsp.c). */
WOLFSSL_LOCAL int Tsp_CheckHashStrength(word32 hashOID);
/* Internal helpers in asn_tsp.c used by wc_TspTstInfo_VerifyWithPKCS7 (tsp.c). */
WOLFSSL_LOCAL int TspCheckOneSignerInfo(const byte* token, word32 tokenSz,
void* heap);
WOLFSSL_LOCAL int TspCheckSigningCertAttr(wc_PKCS7* pkcs7);
#endif /* WOLFSSL_TSP_VERIFIER */
#endif /* HAVE_PKCS7 */
/* TimeStampResp encoding, decoding and operations. */
#ifdef WOLFSSL_TSP_RESPONDER
WOLFSSL_API int wc_TspResponse_Init(TspResponse* resp);
#endif /* WOLFSSL_TSP_RESPONDER */
#ifdef WOLFSSL_TSP_RESPONDER
WOLFSSL_API int wc_TspResponse_Encode(const TspResponse* resp, byte* out,
word32* outSz);
#endif /* WOLFSSL_TSP_RESPONDER */
#ifdef WOLFSSL_TSP_VERIFIER
WOLFSSL_API int wc_TspResponse_Decode(TspResponse* resp, const byte* input,
word32 inSz);
#endif /* WOLFSSL_TSP_VERIFIER */
/* Get and set the status information of a TimeStampResp. */
#if defined(WOLFSSL_TSP_RESPONDER) || defined(WOLFSSL_TSP_VERIFIER)
WOLFSSL_API int wc_TspResponse_GetStatus(const TspResponse* resp,
word32* status, const byte** str, word32* strSz, word32* failInfo);
#endif /* WOLFSSL_TSP_RESPONDER || WOLFSSL_TSP_VERIFIER */
#ifdef WOLFSSL_TSP_RESPONDER
WOLFSSL_API int wc_TspResponse_SetStatus(TspResponse* resp, word32 status,
const byte* str, word32 strSz, word32 failInfo);
#endif /* WOLFSSL_TSP_RESPONDER */
/* Human-readable strings for a PKIStatus and a PKIFailureInfo flag. */
WOLFSSL_API const char* wc_TspStatus_ToString(word32 status);
WOLFSSL_API const char* wc_TspFailInfo_ToString(word32 failInfo);
#ifdef HAVE_PKCS7
/* Verify a response's token with the TSA's certificate - manages the PKCS7
* object. A NULL cert verifies the signature against the token's embedded
* certificate only and establishes no trust; use wc_TspResponse_VerifyWithCm()
* to anchor the signer to a trusted CA. */
#ifdef WOLFSSL_TSP_VERIFIER
WOLFSSL_API int wc_TspResponse_Verify(TspResponse* resp, const byte* cert,
word32 certSz, TspTstInfo* tstInfo);
#endif /* WOLFSSL_TSP_VERIFIER */
/* Verify a response's token, trusting the signer via a certificate manager
* (WOLFSSL_CERT_MANAGER, passed as void* to avoid an SSL layer dependency). */
#ifdef WOLFSSL_TSP_VERIFIER
WOLFSSL_API int wc_TspResponse_VerifyWithCm(TspResponse* resp, void* cm,
TspTstInfo* tstInfo);
#endif /* WOLFSSL_TSP_VERIFIER */
/* Verify a response's token and that it is over the given data. */
#ifdef WOLFSSL_TSP_VERIFIER
WOLFSSL_API int wc_TspResponse_VerifyData(TspResponse* resp, const byte* cert,
word32 certSz, const byte* data, word32 dataSz, TspTstInfo* tstInfo);
#endif /* WOLFSSL_TSP_VERIFIER */
#endif /* HAVE_PKCS7 */
/* Internal: validate a genTime is a GeneralizedTime of RFC 3161. Shared by
* the message encoding/decoding (asn_tsp.c) and wc_TspTstInfo_CheckGenTime
* (tsp.c). */
WOLFSSL_LOCAL int TspCheckGenTimeSyntax(const byte* t, word32 sz);
#ifdef __cplusplus
} /* extern "C" */
#endif
#endif /* WOLFSSL_TSP */
#endif /* WOLF_CRYPT_TSP_H */
+1
View File
@@ -347,6 +347,7 @@
<ClCompile Include="..\..\wolfcrypt\src\sp_x86_64.c" />
<ClCompile Include="..\..\wolfcrypt\src\srp.c" />
<ClCompile Include="..\..\wolfcrypt\src\tfm.c" />
<ClCompile Include="..\..\wolfcrypt\src\tsp.c" />
<ClCompile Include="..\..\wolfcrypt\src\wc_encrypt.c" />
<ClCompile Include="..\..\wolfcrypt\src\wc_pkcs11.c" />
<ClCompile Include="..\..\wolfcrypt\src\wc_port.c" />