diff --git a/src/ssl.c b/src/ssl.c index 5ef8c4f21..9d6b953a4 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -40803,7 +40803,177 @@ cleanup: return wolfSSL_X509_sign(x509, ctx->pctx->pkey, wolfSSL_EVP_MD_CTX_md(ctx)); } #endif /* OPENSSL_EXTRA */ + +/* Guarded by either + * A) WOLFSSL_WPAS_SMALL is on or + * B) (OPENSSL_EXTRA or OPENSSL_EXTRA_X509_SMALL) + WOLFSSL_CERT_GEN + + * (WOLFSSL_CERT_REQ or WOLFSSL_CERT_EXT or OPENSSL_EXTRA) has been + * defined + */ +#if defined(WOLFSSL_WPAS_SMALL) || \ + (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \ + defined(WOLFSSL_CERT_GEN) && \ + (defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT) || \ + defined(OPENSSL_EXTRA)) +/* Converts from NID_* value to wolfSSL value if needed */ +static int ConvertNIDToWolfSSL(int nid) +{ + switch (nid) { + case NID_commonName : return ASN_COMMON_NAME; + case NID_surname : return ASN_SUR_NAME; + case NID_countryName: return ASN_COUNTRY_NAME; + case NID_localityName: return ASN_LOCALITY_NAME; + case NID_stateOrProvinceName: return ASN_STATE_NAME; + case NID_organizationName: return ASN_ORG_NAME; + case NID_organizationalUnitName: return ASN_ORGUNIT_NAME; + case NID_emailAddress: return ASN_EMAIL_NAME; + case NID_serialNumber: return ASN_SERIAL_NUMBER; + case NID_businessCategory: return ASN_BUS_CAT; + case NID_domainComponent: return ASN_DOMAIN_COMPONENT; + default: + WOLFSSL_MSG("Attribute NID not found"); + return -1; + } +} + +/* Converts the x509 name structure into DER format. + * + * out pointer to either a pre setup buffer or a pointer to null for + * creating a dynamic buffer. In the case that a pre-existing buffer is + * used out will be incremented the size of the DER buffer on success. + * + * returns the size of the buffer on success, or negative value with failure + */ +int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* name, unsigned char** out) +{ + int totalBytes = 0, i, idx; + byte temp[MAX_SEQ_SZ]; + byte *output, *local = NULL; +#ifdef WOLFSSL_SMALL_STACK + EncodedName* names = NULL; +#else + EncodedName names[MAX_NAME_ENTRIES]; +#endif + + if (out == NULL || name == NULL) + return BAD_FUNC_ARG; + +#ifdef WOLFSSL_SMALL_STACK + names = (EncodedName*)XMALLOC(sizeof(EncodedName) * MAX_NAME_ENTRIES, NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (names == NULL) + return MEMORY_E; +#endif + + XMEMSET(names, 0, sizeof(EncodedName) * MAX_NAME_ENTRIES); + + for (i = 0; i < MAX_NAME_ENTRIES; i++) { + WOLFSSL_X509_NAME_ENTRY* entry; + int ret; + + entry = wolfSSL_X509_NAME_get_entry(name, i); + if (entry != NULL && entry->set == 1) { + const char* nameStr; + int type; + WOLFSSL_ASN1_STRING* data; + + data = wolfSSL_X509_NAME_ENTRY_get_data(entry); + if (data == NULL) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + WOLFSSL_MSG("Error getting entry data"); + return WOLFSSL_FATAL_ERROR; + } + + nameStr = (const char*)wolfSSL_ASN1_STRING_data(data); + type = wolfSSL_ASN1_STRING_type(data); + + switch (type) { + case MBSTRING_UTF8: + type = CTC_UTF8; + break; + case V_ASN1_PRINTABLESTRING: + type = CTC_PRINTABLE; + break; + default: + WOLFSSL_MSG("Unknown encoding type conversion UTF8 by default"); + type = CTC_UTF8; + } + ret = wc_EncodeName(&names[i], nameStr, type, + ConvertNIDToWolfSSL(entry->nid)); + if (ret < 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + WOLFSSL_MSG("EncodeName failed"); + return WOLFSSL_FATAL_ERROR; + } + totalBytes += ret; + } + } + + /* header */ + idx = SetSequence(totalBytes, temp); + if (totalBytes + idx > ASN_NAME_MAX) { +#ifdef WOLFSSL_SMALL_STACK + XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + WOLFSSL_MSG("Total Bytes is greater than ASN_NAME_MAX"); + return BUFFER_E; + } + + /* check if using buffer passed in */ + if (*out == NULL) { + *out = local = (unsigned char*)XMALLOC(totalBytes + idx, NULL, + DYNAMIC_TYPE_OPENSSL); + if (*out == NULL) { + return MEMORY_E; + } + } + output = *out; + /* header */ + idx = SetSequence(totalBytes, temp); + if (totalBytes + idx > ASN_NAME_MAX) { +#ifdef WOLFSSL_SMALL_STACK + XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + WOLFSSL_MSG("Total Bytes is greater than ASN_NAME_MAX"); + return BUFFER_E; + } + + /* check if using buffer passed in */ + if (*out == NULL) { + *out = local = (unsigned char*)XMALLOC(totalBytes + idx, NULL, + DYNAMIC_TYPE_OPENSSL); + if (*out == NULL) { + return MEMORY_E; + } + } + output = *out; + + idx = SetSequence(totalBytes, output); + totalBytes += idx; + for (i = 0; i < MAX_NAME_ENTRIES; i++) { + if (names[i].used) { + XMEMCPY(output + idx, names[i].encoded, names[i].totalLen); + idx += names[i].totalLen; + } + } + +#ifdef WOLFSSL_SMALL_STACK + XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + + /* used existing buffer passed in, so increment pointer */ + if (local == NULL) { + *out += totalBytes; + } + return totalBytes; +} +#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */ #endif /* WOLFSSL_CERT_GEN */ + #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) WOLFSSL_X509_NAME *wolfSSL_d2i_X509_NAME(WOLFSSL_X509_NAME **name, diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index e4fe97ed1..9b7908890 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -12413,16 +12413,6 @@ static int CopyValidity(byte* output, Cert* cert) #endif -/* ASN Encoded Name field */ -typedef struct EncodedName { - int nameLen; /* actual string value length */ - int totalLen; /* total encoded length */ - int type; /* type of name */ - int used; /* are we actually using this one */ - byte encoded[CTC_NAME_SIZE * 2]; /* encoding */ -} EncodedName; - - /* Get Which Name from index */ const char* GetOneCertName(CertName* name, int idx) { @@ -13004,281 +12994,126 @@ int FlattenAltNames(byte* output, word32 outputSz, const DNS_entry* names) * * returns length on success */ -static int wc_EncodeName(EncodedName* name, const char* nameStr, char nameType, - byte type) +int wc_EncodeName(EncodedName* name, const char* nameStr, char nameType, + byte type) { word32 idx = 0; + /* bottom up */ + byte firstLen[1 + MAX_LENGTH_SZ]; + byte secondLen[MAX_LENGTH_SZ]; + byte sequence[MAX_SEQ_SZ]; + byte set[MAX_SET_SZ]; - if (nameStr) { - /* bottom up */ - byte firstLen[1 + MAX_LENGTH_SZ]; - byte secondLen[MAX_LENGTH_SZ]; - byte sequence[MAX_SEQ_SZ]; - byte set[MAX_SET_SZ]; + int strLen; + int thisLen; + int firstSz, secondSz, seqSz, setSz; - int strLen = (int)XSTRLEN(nameStr); - int thisLen = strLen; - int firstSz, secondSz, seqSz, setSz; - - if (strLen == 0) { /* no user data for this item */ - name->used = 0; - return 0; - } - - /* Restrict country code size */ - if (ASN_COUNTRY_NAME == type && strLen != CTC_COUNTRY_SIZE) { - WOLFSSL_MSG("Country code size error"); - return ASN_COUNTRY_SIZE_E; - } - - secondSz = SetLength(strLen, secondLen); - thisLen += secondSz; - switch (type) { - case ASN_EMAIL_NAME: /* email */ - thisLen += EMAIL_JOINT_LEN; - firstSz = EMAIL_JOINT_LEN; - break; - - case ASN_DOMAIN_COMPONENT: - thisLen += PILOT_JOINT_LEN; - firstSz = PILOT_JOINT_LEN; - break; - - default: - thisLen++; /* str type */ - thisLen += JOINT_LEN; - firstSz = JOINT_LEN + 1; - } - thisLen++; /* id type */ - firstSz = SetObjectId(firstSz, firstLen); - thisLen += firstSz; - - seqSz = SetSequence(thisLen, sequence); - thisLen += seqSz; - setSz = SetSet(thisLen, set); - thisLen += setSz; - - if (thisLen > (int)sizeof(name->encoded)) { - return BUFFER_E; - } - - /* store it */ - idx = 0; - /* set */ - XMEMCPY(name->encoded, set, setSz); - idx += setSz; - /* seq */ - XMEMCPY(name->encoded + idx, sequence, seqSz); - idx += seqSz; - /* asn object id */ - XMEMCPY(name->encoded + idx, firstLen, firstSz); - idx += firstSz; - switch (type) { - case ASN_EMAIL_NAME: - { - const byte EMAIL_OID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x09, 0x01, 0x16 }; - /* email joint id */ - XMEMCPY(name->encoded + idx, EMAIL_OID, sizeof(EMAIL_OID)); - idx += (int)sizeof(EMAIL_OID); - } - break; - - case ASN_DOMAIN_COMPONENT: - { - const byte PILOT_OID[] = { 0x09, 0x92, 0x26, 0x89, - 0x93, 0xF2, 0x2C, 0x64, 0x01 - }; - - XMEMCPY(name->encoded + idx, PILOT_OID, - sizeof(PILOT_OID)); - idx += (int)sizeof(PILOT_OID); - /* id type */ - name->encoded[idx++] = type; - /* str type */ - name->encoded[idx++] = nameType; - } - break; - - default: - name->encoded[idx++] = 0x55; - name->encoded[idx++] = 0x04; - /* id type */ - name->encoded[idx++] = type; - /* str type */ - name->encoded[idx++] = nameType; - } - /* second length */ - XMEMCPY(name->encoded + idx, secondLen, secondSz); - idx += secondSz; - /* str value */ - XMEMCPY(name->encoded + idx, nameStr, strLen); - idx += strLen; - - name->type = type; - name->totalLen = idx; - name->used = 1; - } - else + if (nameStr == NULL) { name->used = 0; + return 0; + } + thisLen = strLen = (int)XSTRLEN(nameStr); + if (strLen == 0) { /* no user data for this item */ + name->used = 0; + return 0; + } - return idx; -} + /* Restrict country code size */ + if (ASN_COUNTRY_NAME == type && strLen != CTC_COUNTRY_SIZE) { + WOLFSSL_MSG("Country code size error"); + return ASN_COUNTRY_SIZE_E; + } + secondSz = SetLength(strLen, secondLen); + thisLen += secondSz; + switch (type) { + case ASN_EMAIL_NAME: /* email */ + thisLen += EMAIL_JOINT_LEN; + firstSz = EMAIL_JOINT_LEN; + break; + case ASN_DOMAIN_COMPONENT: + thisLen += PILOT_JOINT_LEN; + firstSz = PILOT_JOINT_LEN; + break; - -/* Guarded by either - * A) WOLFSSL_WPAS_SMALL is on or - * B) (OPENSSL_EXTRA or OPENSSL_EXTRA_X509_SMALL) + WOLFSSL_CERT_GEN + - * (WOLFSSL_CERT_REQ or WOLFSSL_CERT_EXT or OPENSSL_EXTRA) has been - * defined - */ -#if defined(WOLFSSL_WPAS_SMALL) || \ - (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \ - defined(WOLFSSL_CERT_GEN) && \ - (defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT) || \ - defined(OPENSSL_EXTRA)) -/* Converts from NID_* value to wolfSSL value if needed */ -static int ConvertNIDToWolfSSL(int nid) -{ - switch (nid) { - case NID_commonName : return ASN_COMMON_NAME; - case NID_surname : return ASN_SUR_NAME; - case NID_countryName: return ASN_COUNTRY_NAME; - case NID_localityName: return ASN_LOCALITY_NAME; - case NID_stateOrProvinceName: return ASN_STATE_NAME; - case NID_organizationName: return ASN_ORG_NAME; - case NID_organizationalUnitName: return ASN_ORGUNIT_NAME; - case NID_emailAddress: return ASN_EMAIL_NAME; - case NID_serialNumber: return ASN_SERIAL_NUMBER; - case NID_businessCategory: return ASN_BUS_CAT; - case NID_domainComponent: return ASN_DOMAIN_COMPONENT; default: - WOLFSSL_MSG("Attribute NID not found"); - return -1; + thisLen++; /* str type */ + thisLen += JOINT_LEN; + firstSz = JOINT_LEN + 1; } -} + thisLen++; /* id type */ + firstSz = SetObjectId(firstSz, firstLen); + thisLen += firstSz; + seqSz = SetSequence(thisLen, sequence); + thisLen += seqSz; + setSz = SetSet(thisLen, set); + thisLen += setSz; -/* Converts the x509 name structure into DER format. - * - * out pointer to either a pre setup buffer or a pointer to null for - * creating a dynamic buffer. In the case that a pre-existing buffer is - * used out will be incremented the size of the DER buffer on success. - * - * returns the size of the buffer on success, or negative value with failure - */ -int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* name, unsigned char** out) -{ - int totalBytes = 0, i, idx; - byte temp[MAX_SEQ_SZ]; - byte *output, *local = NULL; -#ifdef WOLFSSL_SMALL_STACK - EncodedName* names = NULL; -#else - EncodedName names[MAX_NAME_ENTRIES]; -#endif - - if (out == NULL || name == NULL) - return BAD_FUNC_ARG; - -#ifdef WOLFSSL_SMALL_STACK - names = (EncodedName*)XMALLOC(sizeof(EncodedName) * MAX_NAME_ENTRIES, NULL, - DYNAMIC_TYPE_TMP_BUFFER); - if (names == NULL) - return MEMORY_E; -#endif - - XMEMSET(names, 0, sizeof(EncodedName) * MAX_NAME_ENTRIES); - - for (i = 0; i < MAX_NAME_ENTRIES; i++) { - WOLFSSL_X509_NAME_ENTRY* entry; - int ret; - - entry = wolfSSL_X509_NAME_get_entry(name, i); - if (entry != NULL && entry->set == 1) { - const char* nameStr; - int type; - WOLFSSL_ASN1_STRING* data; - - data = wolfSSL_X509_NAME_ENTRY_get_data(entry); - if (data == NULL) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - WOLFSSL_MSG("Error getting entry data"); - return WOLFSSL_FATAL_ERROR; - } - - nameStr = (const char*)wolfSSL_ASN1_STRING_data(data); - type = wolfSSL_ASN1_STRING_type(data); - - switch (type) { - case MBSTRING_UTF8: - type = CTC_UTF8; - break; - case V_ASN1_PRINTABLESTRING: - type = CTC_PRINTABLE; - break; - default: - WOLFSSL_MSG("Unknown encoding type conversion UTF8 by default"); - type = CTC_UTF8; - } - ret = wc_EncodeName(&names[i], nameStr, type, - ConvertNIDToWolfSSL(entry->nid)); - if (ret < 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - WOLFSSL_MSG("EncodeName failed"); - return WOLFSSL_FATAL_ERROR; - } - totalBytes += ret; - } - } - - /* header */ - idx = SetSequence(totalBytes, temp); - if (totalBytes + idx > ASN_NAME_MAX) { -#ifdef WOLFSSL_SMALL_STACK - XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); -#endif - WOLFSSL_MSG("Total Bytes is greater than ASN_NAME_MAX"); + if (thisLen > (int)sizeof(name->encoded)) { return BUFFER_E; } - /* check if using buffer passed in */ - if (*out == NULL) { - *out = local = (unsigned char*)XMALLOC(totalBytes + idx, NULL, - DYNAMIC_TYPE_OPENSSL); - if (*out == NULL) { - return MEMORY_E; + /* store it */ + idx = 0; + /* set */ + XMEMCPY(name->encoded, set, setSz); + idx += setSz; + /* seq */ + XMEMCPY(name->encoded + idx, sequence, seqSz); + idx += seqSz; + /* asn object id */ + XMEMCPY(name->encoded + idx, firstLen, firstSz); + idx += firstSz; + switch (type) { + case ASN_EMAIL_NAME: + { + const byte EMAIL_OID[] = { + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16 + }; + /* email joint id */ + XMEMCPY(name->encoded + idx, EMAIL_OID, sizeof(EMAIL_OID)); + idx += (int)sizeof(EMAIL_OID); + break; } - } - output = *out; - idx = SetSequence(totalBytes, output); - totalBytes += idx; - for (i = 0; i < MAX_NAME_ENTRIES; i++) { - if (names[i].used) { - XMEMCPY(output + idx, names[i].encoded, names[i].totalLen); - idx += names[i].totalLen; + case ASN_DOMAIN_COMPONENT: + { + const byte PILOT_OID[] = { + 0x09, 0x92, 0x26, 0x89, 0x93, 0xF2, 0x2C, 0x64, 0x01 + }; + + XMEMCPY(name->encoded + idx, PILOT_OID, sizeof(PILOT_OID)); + idx += (int)sizeof(PILOT_OID); + /* id type */ + name->encoded[idx++] = type; + /* str type */ + name->encoded[idx++] = nameType; + break; } - } -#ifdef WOLFSSL_SMALL_STACK - XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); -#endif - - /* used existing buffer passed in, so increment pointer */ - if (local == NULL) { - *out += totalBytes; + default: + name->encoded[idx++] = 0x55; + name->encoded[idx++] = 0x04; + /* id type */ + name->encoded[idx++] = type; + /* str type */ + name->encoded[idx++] = nameType; } - return totalBytes; + /* second length */ + XMEMCPY(name->encoded + idx, secondLen, secondSz); + idx += secondSz; + /* str value */ + XMEMCPY(name->encoded + idx, nameStr, strLen); + idx += strLen; + + name->type = type; + name->totalLen = idx; + name->used = 1; + + return idx; } -#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */ - /* encode CertName into output, return total bytes written */ int SetName(byte* output, word32 outputSz, CertName* name) diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 2ea5761c1..508084111 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -977,6 +977,14 @@ struct DecodedCert { #endif }; +/* ASN Encoded Name field */ +typedef struct EncodedName { + int nameLen; /* actual string value length */ + int totalLen; /* total encoded length */ + int type; /* type of name */ + int used; /* are we actually using this one */ + byte encoded[CTC_NAME_SIZE * 2]; /* encoding */ +} EncodedName; #ifdef NO_SHA #define SIGNER_DIGEST_SIZE WC_SHA256_DIGEST_SIZE @@ -1163,6 +1171,8 @@ WOLFSSL_LOCAL int DateGreaterThan(const struct tm* a, const struct tm* b); WOLFSSL_LOCAL int wc_ValidateDate(const byte* date, byte format, int dateType); WOLFSSL_LOCAL int wc_OBJ_sn2nid(const char *sn); +WOLFSSL_LOCAL int wc_EncodeName(EncodedName* name, const char* nameStr, + char nameType, byte type); /* ASN.1 helper functions */ #ifdef WOLFSSL_CERT_GEN WOLFSSL_ASN_API int SetName(byte* output, word32 outputSz, CertName* name);