From b52e11d3d4c1a638787f03c80f5525f26554a536 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Wed, 8 Jul 2020 20:14:27 +0200 Subject: [PATCH] Implement/stub the following: - X509_get0_extensions - X509_to_X509_REQ - i2d_X509_REQ_bio - X509v3_get_ext_count - i2d_PKCS7_bio Additional changes: - Added a wc_PKCS7_VerifySignedData call to wolfSSL_d2i_PKCS7_bio to populate the PKCS7 struct with parsed values - wc_PKCS7_VerifySignedData_ex -> wc_PKCS7_VerifySignedData --- configure.ac | 2 + src/internal.c | 3 + src/ssl.c | 143 +++++++++++++++++++++++++++++++++------ wolfssl/internal.h | 1 + wolfssl/openssl/pkcs7.h | 4 +- wolfssl/openssl/ssl.h | 3 + wolfssl/openssl/x509v3.h | 7 +- wolfssl/ssl.h | 5 +- 8 files changed, 144 insertions(+), 24 deletions(-) diff --git a/configure.ac b/configure.ac index 298b4be1b..53c62b0cb 100644 --- a/configure.ac +++ b/configure.ac @@ -4250,6 +4250,8 @@ AC_ARG_ENABLE([libest], if test "$ENABLED_LIBEST" = "yes" then + AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA" + # Requires opensslextra and opensslall if test "x$ENABLED_OPENSSLALL" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno" then diff --git a/src/internal.c b/src/internal.c index c600c7b9d..654080f5d 100644 --- a/src/internal.c +++ b/src/internal.c @@ -3432,6 +3432,9 @@ void FreeX509(WOLFSSL_X509* x509) if (x509->ext_sk != NULL) { wolfSSL_sk_X509_EXTENSION_free(x509->ext_sk); } + if (x509->ext_sk_full != NULL) { + wolfSSL_sk_X509_EXTENSION_free(x509->ext_sk_full); + } #endif /* OPENSSL_ALL || WOLFSSL_QT */ #ifdef OPENSSL_EXTRA /* Free serialNumber that was set by wolfSSL_X509_get_serialNumber */ diff --git a/src/ssl.c b/src/ssl.c index 549ffcff9..d20900388 100644 --- a/src/ssl.c +++ b/src/ssl.c 
@@ -8224,6 +8224,44 @@ int wolfSSL_ASN1_BIT_STRING_set_bit(WOLFSSL_ASN1_BIT_STRING* str, int pos, return WOLFSSL_SUCCESS; } +/** + * @param x Certificate to extract extensions from + * @return STACK_OF(X509_EXTENSION)* + */ +const WOLFSSL_STACK *wolfSSL_X509_get0_extensions(const WOLFSSL_X509 *x) +{ + int numOfExt, i; + WOLFSSL_X509 *x509 = (WOLFSSL_X509*)x; + WOLFSSL_STACK* tmp; + WOLFSSL_ENTER("wolfSSL_X509_get0_extensions"); + + if (!x509) { + WOLFSSL_MSG("Bad parameter"); + return NULL; + } + + numOfExt = wolfSSL_X509_get_ext_count(x509); + + if (numOfExt != wolfSSL_sk_num(x509->ext_sk_full)) { + wolfSSL_sk_free(x509->ext_sk_full); + x509->ext_sk_full = NULL; + /* Save x509->ext_sk */ + tmp = x509->ext_sk; + x509->ext_sk = NULL; + + for (i = 0; i < numOfExt; i++) { + /* Build the extension stack */ + (void)wolfSSL_X509_set_ext(x509, i); + } + + /* Restore */ + x509->ext_sk_full = x509->ext_sk; + x509->ext_sk = tmp; + } + + return x509->ext_sk_full; +} + /* Gets the X509_EXTENSION* ext based on it's location in WOLFSSL_X509* x509. * * x509 : The X509 structure to look for the extension. @@ -27513,7 +27551,7 @@ void wolfSSL_ASN1_GENERALIZEDTIME_free(WOLFSSL_ASN1_TIME* asn1Time) #endif /* OPENSSL_EXTRA */ #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) -int wolfSSL_sk_num(WOLFSSL_STACK* sk) +int wolfSSL_sk_num(const WOLFSSL_STACK* sk) { WOLFSSL_ENTER("wolfSSL_sk_num"); if (sk == NULL) @@ -48467,6 +48505,8 @@ PKCS7* wolfSSL_d2i_PKCS7(PKCS7** p7, const unsigned char** in, int len) WOLFSSL_PKCS7* pkcs7 = NULL; word32 idx = 0; + WOLFSSL_ENTER("wolfSSL_d2i_PKCS7"); + if (in == NULL) return NULL; @@ -48498,6 +48538,8 @@ PKCS7* wolfSSL_d2i_PKCS7_bio(WOLFSSL_BIO* bio, PKCS7** p7) { WOLFSSL_PKCS7* pkcs7; + WOLFSSL_ENTER("wolfSSL_d2i_PKCS7_bio"); + if (bio == NULL) return NULL; 
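Review bot: The rebuild branch of wolfSSL_X509_get0_extensions discards the old cache with `wolfSSL_sk_free(x509->ext_sk_full)` while FreeX509 in the internal.c hunk releases the same field with `wolfSSL_sk_X509_EXTENSION_free`; if wolfSSL_sk_free frees only the stack nodes, the X509_EXTENSION objects leak every time the count changes, so this should also be `wolfSSL_sk_X509_EXTENSION_free(x509->ext_sk_full);`. The `(void)wolfSSL_X509_set_ext(x509, i)` loop ignores failures, so a partially built stack has fewer entries than numOfExt and is silently torn down and rebuilt on every later call; checking the return and stopping would make the failure visible. The function also casts away the caller's const and writes x509->ext_sk_full and temporarily x509->ext_sk, none of which the two-line doc block mentions; I would extend it to say that the returned stack is owned by the X509 (the get0 convention) and must not be freed by the caller, that it is rebuilt lazily, and that concurrent calls on the same X509 are presumably not safe unless guarded elsewhere.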
@@ -48516,11 +48558,39 @@ PKCS7* wolfSSL_d2i_PKCS7_bio(WOLFSSL_BIO* bio, PKCS7** p7) return NULL; } + if (wc_PKCS7_VerifySignedData(&pkcs7->pkcs7, pkcs7->data, pkcs7->len) != 0) { + return NULL; + } + if (p7 != NULL) *p7 = (PKCS7*)pkcs7; return (PKCS7*)pkcs7; } +int wolfSSL_i2d_PKCS7_bio(WOLFSSL_BIO *bio, PKCS7 *p7) +{ + byte output[4096]; + int len; + WOLFSSL_ENTER("wolfSSL_i2d_PKCS7_bio"); + + if (!bio || !p7) { + WOLFSSL_MSG("Bad parameter"); + return WOLFSSL_FAILURE; + } + + if ((len = wc_PKCS7_EncodeSignedData(p7, output, sizeof(output))) < 0) { + WOLFSSL_MSG("wc_PKCS7_EncodeSignedData error"); + return WOLFSSL_FAILURE; + } + + if (wolfSSL_BIO_write(bio, output, len) <= 0) { + WOLFSSL_MSG("wolfSSL_BIO_write error"); + return WOLFSSL_FAILURE; + } + + return WOLFSSL_SUCCESS; +} + int wolfSSL_PKCS7_verify(PKCS7* pkcs7, WOLFSSL_STACK* certs, WOLFSSL_X509_STORE* store, WOLFSSL_BIO* in, WOLFSSL_BIO* out, int flags) @@ -48530,6 +48600,8 @@ int wolfSSL_PKCS7_verify(PKCS7* pkcs7, WOLFSSL_STACK* certs, int memSz = 0; WOLFSSL_PKCS7* p7 = (WOLFSSL_PKCS7*)pkcs7; + WOLFSSL_ENTER("wolfSSL_PKCS7_verify"); + if (pkcs7 == NULL) return WOLFSSL_FAILURE; @@ -48548,8 +48620,7 @@ int wolfSSL_PKCS7_verify(PKCS7* pkcs7, WOLFSSL_STACK* certs, */ (void)store; - ret = wc_PKCS7_VerifySignedData_ex(&p7->pkcs7, NULL, 0, p7->data, p7->len, - NULL, 0); + ret = wc_PKCS7_VerifySignedData(&p7->pkcs7, p7->data, p7->len); if (ret != 0) return WOLFSSL_FAILURE; @@ -48567,8 +48638,6 @@ int wolfSSL_PKCS7_verify(PKCS7* pkcs7, WOLFSSL_STACK* certs, int wolfSSL_PKCS7_encode_certs(PKCS7* pkcs7, WOLFSSL_STACK* certs, WOLFSSL_BIO* out) { - byte output[4096]; - int len; PKCS7* p7; WOLFSSL_ENTER("wolfSSL_PKCS7_encode_certs"); 
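Review bot: The new wc_PKCS7_VerifySignedData failure path in wolfSSL_d2i_PKCS7_bio returns NULL without releasing pkcs7, which was allocated earlier in the function outside the hunk; the other error paths there should show what to release, presumably `wolfSSL_PKCS7_free((PKCS7*)pkcs7); return NULL;`. Verifying at decode time also changes what d2i means: a SignedData whose signature cannot be checked yet (or a certs-only bundle such as the one PKCS7_encode_certs produces, if wc_PKCS7_VerifySignedData rejects those) now fails to parse instead of failing later in PKCS7_verify, and wolfSSL_d2i_PKCS7 in the previous hunk does not get the same call, so the two decoders now behave differently. In wolfSSL_i2d_PKCS7_bio the argument is passed straight to wc_PKCS7_EncodeSignedData, whereas wolfSSL_PKCS7_verify below casts its PKCS7* to WOLFSSL_PKCS7* and uses `&p7->pkcs7`; the object d2i_PKCS7_bio hands out is a WOLFSSL_PKCS7, so feeding it back into i2d_PKCS7_bio only works if the wolfCrypt struct is its first member, which deserves a comment stating which type the parameter is expected to be. The fixed `byte output[4096]` now backs a public i2d API, so a SignedData carrying more than a few certificates will fail with the "wc_PKCS7_EncodeSignedData error" message rather than being written.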
@@ -48590,24 +48659,51 @@ int wolfSSL_PKCS7_encode_certs(PKCS7* pkcs7, WOLFSSL_STACK* certs, certs = certs->next; } - if ((len = wc_PKCS7_EncodeSignedData(p7, output, sizeof(output))) < 0) { - WOLFSSL_MSG("wc_PKCS7_EncodeSignedData error"); - return WOLFSSL_FAILURE; - } - - if (wolfSSL_BIO_write(out, output, len) <= 0) { - WOLFSSL_MSG("wolfSSL_BIO_write error"); - return WOLFSSL_FAILURE; - } - - return WOLFSSL_SUCCESS; + return wolfSSL_i2d_PKCS7_bio(out, p7); } - #endif /* !NO_BIO */ -WOLFSSL_STACK* wolfSSL_PKCS7_to_stack(PKCS7* p7) +WOLFSSL_STACK* wolfSSL_PKCS7_to_stack(PKCS7* pkcs7) { + int i; + WOLFSSL_PKCS7* p7 = (WOLFSSL_PKCS7*)pkcs7; + WOLF_STACK_OF(WOLFSSL_X509)* ret = NULL; + WOLFSSL_ENTER("wolfSSL_PKCS7_to_stack"); + + if (!p7) { + WOLFSSL_MSG("Bad parameter"); + return WOLFSSL_FAILURE; + } + + ret = wolfSSL_sk_X509_new(); + + for (i = 0; i < MAX_PKCS7_CERTS && p7->pkcs7.cert[i]; i++) { + WOLFSSL_X509* x509 = wolfSSL_X509_d2i(NULL, p7->pkcs7.cert[i], p7->pkcs7.certSz[i]); + if (x509) { + if (wolfSSL_sk_X509_push(ret, x509) != WOLFSSL_SUCCESS) { + wolfSSL_X509_free(x509); + WOLFSSL_MSG("wolfSSL_sk_X509_push error"); + goto error; + } + } + else { + WOLFSSL_MSG("wolfSSL_X509_d2i error"); + goto error; + } + } + + /* Save stack to free later */ + if (p7->certs) + wolfSSL_sk_free(p7->certs); + p7->certs = ret; + + return ret; +error: + if (ret) { + wolfSSL_sk_free(ret); + } + return NULL; } WOLFSSL_STACK* wolfSSL_PKCS7_get0_signers(PKCS7* pkcs7, WOLFSSL_STACK* certs, @@ -49385,7 +49481,7 @@ int wolfSSL_X509_REQ_add_extensions(WOLFSSL_X509* req, { (void)req; (void)ext; - return WOLFSSL_FATAL_ERROR; + return WOLFSSL_FAILURE; } int wolfSSL_X509_REQ_add1_attr_by_NID(WOLFSSL_X509 *req, 
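Review bot: wolfSSL_PKCS7_to_stack returns a WOLFSSL_STACK* but its bad-parameter branch does `return WOLFSSL_FAILURE;`, an int used as a pointer; it should read `return NULL;`. `ret = wolfSSL_sk_X509_new();` is unchecked, so on allocation failure the loop pushes into a NULL stack, and a PKCS7 with no certificates stores NULL in p7->certs and returns NULL, indistinguishable from an error; add `if (ret == NULL) return NULL;` after the allocation. On the error path `wolfSSL_sk_free(ret)`, and when a cached stack is replaced `wolfSSL_sk_free(p7->certs)`, release the nodes only if that is what wolfSSL_sk_free does here, so the X509 objects already pushed leak; `wolfSSL_sk_X509_pop_free(ret, wolfSSL_X509_free)` would release both (confirm against the stack helpers). The "Save stack to free later" comment should also state that the returned stack stays owned by the PKCS7 and is released with it, so callers must not free it.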
@@ -49404,6 +49500,15 @@ int wolfSSL_X509_REQ_add1_attr_by_NID(WOLFSSL_X509 *req, } #endif +WOLFSSL_X509 *wolfSSL_X509_to_X509_REQ(WOLFSSL_X509 *x, + WOLFSSL_EVP_PKEY *pkey, const WOLFSSL_EVP_MD *md) +{ + WOLFSSL_ENTER("wolfSSL_X509_to_X509_REQ"); + (void)pkey; + (void)md; + return wolfSSL_X509_dup(x); +} + int wolfSSL_X509_REQ_set_subject_name(WOLFSSL_X509 *req, WOLFSSL_X509_NAME *name) { diff --git a/wolfssl/internal.h b/wolfssl/internal.h index aea8a6478..8d1bda9e4 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -3685,6 +3685,7 @@ struct WOLFSSL_X509 { #endif /* (WOLFSSL_SEP || WOLFSSL_QT) && (OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL) */ #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) WOLFSSL_STACK* ext_sk; /* Store X509_EXTENSIONS from wolfSSL_X509_get_ext */ + WOLFSSL_STACK* ext_sk_full; /* Store X509_EXTENSIONS from wolfSSL_X509_get0_extensions */ WOLFSSL_STACK* ext_d2i;/* Store d2i extensions from wolfSSL_X509_get_ext_d2i */ #endif /* WOLFSSL_QT || OPENSSL_ALL */ #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) diff --git a/wolfssl/openssl/pkcs7.h b/wolfssl/openssl/pkcs7.h index ad096858a..ce444d51d 100644 --- a/wolfssl/openssl/pkcs7.h +++ b/wolfssl/openssl/pkcs7.h 
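Review bot: wolfSSL_X509_to_X509_REQ is a stub that returns `wolfSSL_X509_dup(x)` and drops pkey and md, so the result is a copy of the original certificate, not a request re-signed with the caller's key; together with `#define i2d_X509_REQ_bio wolfSSL_i2d_X509_bio` in the openssl/ssl.h hunk, a caller writing the "CSR" to a BIO actually emits the certificate's DER, issuer signature included, and has no way to notice. Nothing on the page marks this as a stub; at minimum a comment such as `/* Stub: returns a duplicate of x; pkey and md are ignored and the result is not re-signed as a CSR */` belongs above the function, with the same caveat next to the i2d_X509_REQ_bio alias. If a real implementation is out of scope, consider whether failing (returning NULL) when pkey or md is non-NULL is the safer behaviour for callers that rely on the OpenSSL contract.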
@@ -54,11 +54,12 @@ WOLFSSL_API void wolfSSL_PKCS7_SIGNED_free(PKCS7_SIGNED* p7); WOLFSSL_API PKCS7* wolfSSL_d2i_PKCS7(PKCS7** p7, const unsigned char** in, int len); WOLFSSL_API PKCS7* wolfSSL_d2i_PKCS7_bio(WOLFSSL_BIO* bio, PKCS7** p7); +WOLFSSL_API int wolfSSL_i2d_PKCS7_bio(WOLFSSL_BIO *bio, PKCS7 *p7); WOLFSSL_API int wolfSSL_PKCS7_verify(PKCS7* p7, WOLFSSL_STACK* certs, WOLFSSL_X509_STORE* store, WOLFSSL_BIO* in, WOLFSSL_BIO* out, int flags); WOLFSSL_API int wolfSSL_PKCS7_encode_certs(PKCS7* p7, WOLFSSL_STACK* certs, WOLFSSL_BIO* out); -WOLFSSL_API WOLFSSL_STACK* wolfSSL_PKCS7_to_stack(PKCS7* p7); +WOLFSSL_API WOLFSSL_STACK* wolfSSL_PKCS7_to_stack(PKCS7* pkcs7); WOLFSSL_API WOLFSSL_STACK* wolfSSL_PKCS7_get0_signers(PKCS7* p7, WOLFSSL_STACK* certs, int flags); WOLFSSL_API int wolfSSL_PEM_write_bio_PKCS7(WOLFSSL_BIO* bio, PKCS7* p7); @@ -69,6 +70,7 @@ WOLFSSL_API int wolfSSL_PEM_write_bio_PKCS7(WOLFSSL_BIO* bio, PKCS7* p7); #define PKCS7_SIGNED_free wolfSSL_PKCS7_SIGNED_free #define d2i_PKCS7 wolfSSL_d2i_PKCS7 #define d2i_PKCS7_bio wolfSSL_d2i_PKCS7_bio +#define i2d_PKCS7_bio wolfSSL_i2d_PKCS7_bio #define PKCS7_verify wolfSSL_PKCS7_verify #define PKCS7_get0_signers wolfSSL_PKCS7_get0_signers #define PEM_write_bio_PKCS7 wolfSSL_PEM_write_bio_PKCS7 diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 344552b19..35e148a30 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -358,6 +358,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS; #define DSA_bits wolfSSL_DSA_bits #define i2d_X509_bio wolfSSL_i2d_X509_bio +#define i2d_X509_REQ_bio wolfSSL_i2d_X509_bio #define d2i_X509_bio wolfSSL_d2i_X509_bio #define d2i_X509_REQ_bio wolfSSL_d2i_X509_bio #define d2i_X509_fp wolfSSL_d2i_X509_fp 
@@ -381,6 +382,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS; #define X509_REQ_sign_ctx wolfSSL_X509_REQ_sign_ctx #define X509_REQ_add_extensions wolfSSL_X509_REQ_add_extensions #define X509_REQ_add1_attr_by_NID wolfSSL_X509_REQ_add1_attr_by_NID +#define X509_to_X509_REQ wolfSSL_X509_to_X509_REQ #define X509_REQ_set_subject_name wolfSSL_X509_REQ_set_subject_name #define X509_REQ_set_pubkey wolfSSL_X509_REQ_set_pubkey #define PEM_write_bio_X509_REQ wolfSSL_PEM_write_bio_X509_REQ @@ -393,6 +395,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS; #define X509_get_ext_count wolfSSL_X509_get_ext_count #define X509_get_ext_d2i wolfSSL_X509_get_ext_d2i #define X509V3_EXT_i2d wolfSSL_X509V3_EXT_i2d +#define X509_get0_extensions wolfSSL_X509_get0_extensions #define X509_get_ext wolfSSL_X509_get_ext #define X509_get_ext_by_NID wolfSSL_X509_get_ext_by_NID #define X509_get_issuer_name wolfSSL_X509_get_issuer_name diff --git a/wolfssl/openssl/x509v3.h b/wolfssl/openssl/x509v3.h index 65d8037e7..cf4691a4d 100644 --- a/wolfssl/openssl/x509v3.h +++ b/wolfssl/openssl/x509v3.h @@ -109,9 +109,10 @@ WOLFSSL_API int wolfSSL_X509V3_EXT_print(WOLFSSL_BIO *out, #define X509V3_EXT_d2i wolfSSL_X509V3_EXT_d2i #define i2s_ASN1_OCTET_STRING wolfSSL_i2s_ASN1_STRING #define X509V3_EXT_print wolfSSL_X509V3_EXT_print -#define X509V3_EXT_conf_nid wolfSSL_X509V3_EXT_conf_nid -#define X509V3_set_ctx wolfSSL_X509V3_set_ctx -#define X509V3_set_ctx_nodb wolfSSL_X509V3_set_ctx_nodb +#define X509V3_EXT_conf_nid wolfSSL_X509V3_EXT_conf_nid +#define X509V3_set_ctx wolfSSL_X509V3_set_ctx +#define X509V3_set_ctx_nodb wolfSSL_X509V3_set_ctx_nodb +#define X509v3_get_ext_count wolfSSL_sk_num #ifdef __cplusplus } diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index e66ff85bf..fa13d15b4 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h 
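Review bot: `#define X509v3_get_ext_count wolfSSL_sk_num` makes the count for a certificate without extensions depend on wolfSSL_sk_num's NULL handling, because wolfSSL_X509_get0_extensions returns NULL in that case (ext_sk_full is never built when numOfExt is 0); the sk_num hunk shows the NULL check but its return value is outside the hunk, so confirm it is 0, which is what OpenSSL's X509v3_get_ext_count returns for a NULL stack. The three re-aligned defines above it are whitespace-only changes that make the hunk noisier than it needs to be.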
@@ -2082,7 +2082,7 @@ WOLFSSL_API int wolfSSL_ASN1_TIME_diff(int *pday, int *psec, WOLFSSL_API WOLFSSL_ASN1_TIME *wolfSSL_ASN1_TIME_set(WOLFSSL_ASN1_TIME *s, time_t t); #endif -WOLFSSL_API int wolfSSL_sk_num(WOLFSSL_STACK* sk); +WOLFSSL_API int wolfSSL_sk_num(const WOLFSSL_STACK* sk); WOLFSSL_API void* wolfSSL_sk_value(WOLFSSL_STACK* sk, int i); #if (defined(HAVE_EX_DATA) || defined(FORTRESS)) && \ @@ -3398,6 +3398,7 @@ WOLFSSL_API int wolfSSL_CTX_use_PrivateKey_ASN1(int pri, WOLFSSL_CTX* ctx, #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) WOLFSSL_API int wolfSSL_X509_cmp(const WOLFSSL_X509* a, const WOLFSSL_X509* b); +WOLFSSL_API const WOLFSSL_STACK *wolfSSL_X509_get0_extensions(const WOLFSSL_X509 *x); WOLFSSL_API WOLFSSL_X509_EXTENSION* wolfSSL_X509_get_ext(const WOLFSSL_X509* x, int loc); WOLFSSL_API WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x, int loc); WOLFSSL_API int wolfSSL_X509_EXTENSION_get_critical(const WOLFSSL_X509_EXTENSION* ex); @@ -3560,6 +3561,8 @@ WOLFSSL_API int wolfSSL_X509_REQ_add1_attr_by_NID(WOLFSSL_X509 *req, int nid, int type, const unsigned char *bytes, int len); +WOLFSSL_API WOLFSSL_X509 *wolfSSL_X509_to_X509_REQ(WOLFSSL_X509 *x, + WOLFSSL_EVP_PKEY *pkey, const WOLFSSL_EVP_MD *md); #endif