wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 18:57:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2136 from dgarske/asncapathlen

Browse Source 
Fixes issue with CA path length for self signed root CA's
This commit is contained in:
toddouska
2019-03-12 14:11:15 -07:00
committed by GitHub
parent 28a1ff5d59 03e0dd6ca3
commit b4ba3d7ca6
3 changed files with 27 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
src/ssl.c
View File

@ -4286,6 +4286,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
} }
signer->pathLength = cert->pathLength; signer->pathLength = cert->pathLength;
signer->pathLengthSet = cert->pathLengthSet; signer->pathLengthSet = cert->pathLengthSet;
signer->selfSigned = cert->selfSigned;
#ifndef IGNORE_NAME_CONSTRAINTS #ifndef IGNORE_NAME_CONSTRAINTS
signer->permittedNames = cert->permittedNames; signer->permittedNames = cert->permittedNames;
signer->excludedNames = cert->excludedNames; signer->excludedNames = cert->excludedNames;

31
wolfcrypt/src/asn.c
View File

@ -8108,16 +8108,32 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
WOLFSSL_MSG("About to verify certificate signature"); WOLFSSL_MSG("About to verify certificate signature");
if (cert->ca) { if (cert->ca) {
/* Check if cert is CA type and has path length set */ /* Check if cert is CA type and signer has path length set */
if (cert->isCA && cert->ca->pathLengthSet) { if (cert->isCA && cert->ca->pathLengthSet) {
/* Check root CA (self-signed) has path length > 0 */ #if defined(WOLFSSL_WPAS) && !defined(WOLFSSL_NO_ASN_STRICT)
/* WPA Supplicant - has test case that expects self-signed
root CA to have path length == 0 */
if (cert->selfSigned) { if (cert->selfSigned) {
if (cert->ca->pathLength != 0) { if (cert->ca->pathLength != 0) {
WOLFSSL_MSG("Root CA with path length > 0"); WOLFSSL_MSG("Root CA with path length > 0");
return ASN_PATHLEN_INV_E;
}
}
#endif
/* Check if signer is root CA (self-signed) */
if (cert->ca->selfSigned) {
/* Root CA as signer:
* Must have path length > 0 to sign another CA
* If path length == 0 can only sign an end entity
* certificate, not intermediate CA
*/
if (cert->ca->pathLength == 0) {
WOLFSSL_MSG("Root CA with path length == 0");
return ASN_PATHLEN_INV_E; return ASN_PATHLEN_INV_E;
} }
} }
else { else {
/* Intermediate CA signing Intermediate CA */
/* Check path lengths are valid between two CA's */ /* Check path lengths are valid between two CA's */
if (cert->ca->pathLength == 0) { if (cert->ca->pathLength == 0) {
WOLFSSL_MSG("CA with path length 0 signing a CA"); WOLFSSL_MSG("CA with path length 0 signing a CA");
@ -8130,10 +8146,11 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
} }
} }
#ifdef HAVE_OCSP #ifdef HAVE_OCSP
/* Need the CA's public key hash for OCSP */ /* Need the CA's public key hash for OCSP */
XMEMCPY(cert->issuerKeyHash, cert->ca->subjectKeyHash, KEYID_SIZE); XMEMCPY(cert->issuerKeyHash, cert->ca->subjectKeyHash,
#endif /* HAVE_OCSP */ KEYID_SIZE);
#endif /* HAVE_OCSP */
} }
} }
} }

3
wolfssl/wolfcrypt/asn.h
View File

@ -861,7 +861,8 @@ struct Signer {
word32 keyOID; /* key type */ word32 keyOID; /* key type */
word16 keyUsage; word16 keyUsage;
byte pathLength; byte pathLength;
byte pathLengthSet; byte pathLengthSet : 1;
byte selfSigned : 1;
const byte* publicKey; const byte* publicKey;
int nameLen; int nameLen;
char* name; /* common name */ char* name; /* common name */