Remove magic numbers from WOLFSSL_ASN_TEMPLATE code (#4582)

* pkcs8KeyASN and other misc asn fixes

- Test fixes for testing with `USE_CERT_BUFFERS_1024`

* intASN

* bitStringASN

* objectIdASN

* algoIdASN

* rsaKeyASN

* pbes2ParamsASN

* pbes1ParamsASN

* pkcs8DecASN

* p8EncPbes1ASN

* rsaPublicKeyASN

* dhParamASN

* dhKeyPkcs8ASN

* dsaKeyASN

* dsaPubKeyASN

- Add a test of `wc_SetDsaPublicKey` without the header

* dsaKeyOctASN

* rsaCertKeyASN

* eccCertKeyASN

* rdnASN

* certNameASN

* digestInfoASN

* otherNameASN

* altNameASN

* basicConsASN

* crlDistASN

* accessDescASN

* authKeyIdASN

* keyUsageASN

* keyPurposeIdASN

* subTreeASN

* nameConstraintsASN

* policyInfoASN

* certExtHdrASN

* certExtASN

* x509CertASN

* reqAttrASN

* strAttrASN

* certReqASN

* eccPublicKeyASN

* edPubKeyASN

* ekuASN

* nameASN

* certExtsASN

* sigASN

* certReqBodyASN_IDX_EXT_BODY

* dsaSigASN

* eccSpecifiedASN

* eccKeyASN

* edKeyASN

* singleResponseASN

* respExtHdrASN

* ocspRespDataASN

* ocspBasicRespASN

* ocspResponseASN

* ocspNonceExtASN

* ocspRequestASN

* revokedASN

* crlASN

* pivASN

* pivCertASN

* dateASN

* `wc_SetDsaPublicKey` was not including `y` in the sequence length

* All index names changed to uppercase

* Shorten names in comments

* Make sure extensions have sequence header when in cert gen

* Fix/refactor size calc in `SetNameEx`

* Pad blocks for encryption

* Add casting for increased enum portability

* Use stack for small ASN types
Juliusz Sosinowicz
2021-12-22 02:28:01 +01:00
committed by GitHub
parent af0bcef0ef
commit dd9b1afb72
5 changed files with 2359 additions and 1422 deletions


@ -1463,8 +1463,9 @@ static int test_wolfSSL_CertManagerSetVerify(void)
#if !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) && \ #if !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) && \
defined(DEBUG_UNIT_TEST_CERTS) defined(DEBUG_UNIT_TEST_CERTS)
/* used when debugging name constraint tests */ /* Used when debugging name constraint tests. Not static to allow use in
static void DEBUG_WRITE_CERT_X509(WOLFSSL_X509* x509, const char* fileName) * multiple locations with complex define guards. */
void DEBUG_WRITE_CERT_X509(WOLFSSL_X509* x509, const char* fileName)
{ {
BIO* out = BIO_new(BIO_s_file()); BIO* out = BIO_new(BIO_s_file());
if (out != NULL) { if (out != NULL) {
@ -1474,7 +1475,7 @@ static void DEBUG_WRITE_CERT_X509(WOLFSSL_X509* x509, const char* fileName)
BIO_free(out); BIO_free(out);
} }
} }
static void DEBUG_WRITE_CERT_DER(const byte* der, int derSz, const char* fileName) void DEBUG_WRITE_DER(const byte* der, int derSz, const char* fileName)
{ {
BIO* out = BIO_new(BIO_s_file()); BIO* out = BIO_new(BIO_s_file());
if (out != NULL) { if (out != NULL) {
@ -1486,7 +1487,7 @@ static void DEBUG_WRITE_CERT_DER(const byte* der, int derSz, const char* fileNam
} }
#else #else
#define DEBUG_WRITE_CERT_X509(x509, fileName) #define DEBUG_WRITE_CERT_X509(x509, fileName)
#define DEBUG_WRITE_CERT_DER(der, derSz, fileName) #define DEBUG_WRITE_DER(der, derSz, fileName)
#endif #endif
@ -1572,7 +1573,7 @@ static void test_wolfSSL_CertManagerNameConstraint(void)
WOLFSSL_FILETYPE_ASN1)); WOLFSSL_FILETYPE_ASN1));
AssertNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz))); AssertNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz)));
DEBUG_WRITE_CERT_DER(der, derSz, "ca.der"); DEBUG_WRITE_DER(der, derSz, "ca.der");
AssertIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, AssertIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
@ -1853,7 +1854,7 @@ static void test_wolfSSL_CertManagerNameConstraint3(void)
AssertNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert, AssertNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert,
WOLFSSL_FILETYPE_ASN1)); WOLFSSL_FILETYPE_ASN1));
AssertNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz))); AssertNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz)));
DEBUG_WRITE_CERT_DER(der, derSz, "ca.der"); DEBUG_WRITE_DER(der, derSz, "ca.der");
AssertIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, AssertIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
@ -1968,7 +1969,7 @@ static void test_wolfSSL_CertManagerNameConstraint4(void)
AssertNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert, AssertNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert,
WOLFSSL_FILETYPE_ASN1)); WOLFSSL_FILETYPE_ASN1));
AssertNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz))); AssertNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz)));
DEBUG_WRITE_CERT_DER(der, derSz, "ca.der"); DEBUG_WRITE_DER(der, derSz, "ca.der");
AssertIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, AssertIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
@ -2124,7 +2125,7 @@ static void test_wolfSSL_CertManagerNameConstraint5(void)
AssertNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert, AssertNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert,
WOLFSSL_FILETYPE_ASN1)); WOLFSSL_FILETYPE_ASN1));
AssertNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz))); AssertNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz)));
DEBUG_WRITE_CERT_DER(der, derSz, "ca.der"); DEBUG_WRITE_DER(der, derSz, "ca.der");
AssertIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, AssertIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
@ -18500,7 +18501,7 @@ static int test_RsaDecryptBoundsCheck(void)
mp_init_copy(&c, &key.n); mp_init_copy(&c, &key.n);
mp_sub_d(&c, 1, &c); mp_sub_d(&c, 1, &c);
mp_to_unsigned_bin(&c, flatC); mp_to_unsigned_bin(&c, flatC);
ret = wc_RsaDirect(flatC, sizeof(flatC), out, &outSz, &key, ret = wc_RsaDirect(flatC, flatCSz, out, &outSz, &key,
RSA_PRIVATE_DECRYPT, NULL); RSA_PRIVATE_DECRYPT, NULL);
mp_clear(&c); mp_clear(&c);
} }
@ -20619,6 +20620,20 @@ static int test_wc_DsaKeyToPublicDer(void)
word32 idx = 0; word32 idx = 0;
ret = wc_DsaPublicKeyDecode(der, &idx, &genKey, sz); ret = wc_DsaPublicKeyDecode(der, &idx, &genKey, sz);
} }
/* Test without the SubjectPublicKeyInfo header */
if (ret == 0) {
ret = wc_SetDsaPublicKey(der, &genKey, ONEK_BUF, 0);
if (ret >= 0) {
sz = ret;
ret = 0;
} else {
ret = WOLFSSL_FATAL_ERROR;
}
}
if (ret == 0) {
word32 idx = 0;
ret = wc_DsaPublicKeyDecode(der, &idx, &genKey, sz);
}
/* Test bad args. */ /* Test bad args. */
if (ret == 0) { if (ret == 0) {
@ -36321,9 +36336,12 @@ static void test_wolfSSL_X509_sign(void)
AssertIntEQ(wolfSSL_X509_get_serial_number(x509, sn, &snSz), AssertIntEQ(wolfSSL_X509_get_serial_number(x509, sn, &snSz),
WOLFSSL_SUCCESS); WOLFSSL_SUCCESS);
DEBUG_WRITE_CERT_X509(x509, "signed.der"); DEBUG_WRITE_CERT_X509(x509, "signed.pem");
/* Variation in size depends on ASN.1 encoding when MSB is set */ /* Variation in size depends on ASN.1 encoding when MSB is set.
* WOLFSSL_ASN_TEMPLATE code does not generate a serial number
* with the MSB set. See GenerateInteger in asn.c */
#ifndef USE_CERT_BUFFERS_1024
#ifndef WOLFSSL_ALT_NAMES #ifndef WOLFSSL_ALT_NAMES
/* Valid case - size should be 798-797 with 16 byte serial number */ /* Valid case - size should be 798-797 with 16 byte serial number */
AssertTrue((ret == 781 + snSz) || (ret == 782 + snSz)); AssertTrue((ret == 781 + snSz) || (ret == 782 + snSz));
@ -36333,6 +36351,18 @@ static void test_wolfSSL_X509_sign(void)
#else #else
/* Valid case - size should be 926-927 with 16 byte serial number */ /* Valid case - size should be 926-927 with 16 byte serial number */
AssertTrue((ret == 910 + snSz) || (ret == 911 + snSz)); AssertTrue((ret == 910 + snSz) || (ret == 911 + snSz));
#endif
#else
#ifndef WOLFSSL_ALT_NAMES
/* Valid case - size should be 537-538 with 16 byte serial number */
AssertTrue((ret == 521 + snSz) || (ret == 522 + snSz));
#elif defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME)
/* Valid case - size should be 695-696 with 16 byte serial number */
AssertTrue((ret == 679 + snSz) || (ret == 680 + snSz));
#else
/* Valid case - size should be 666-667 with 16 byte serial number */
AssertTrue((ret == 650 + snSz) || (ret == 651 + snSz));
#endif
#endif #endif
/* check that issuer name is as expected after signature */ /* check that issuer name is as expected after signature */
InitDecodedCert(&dCert, certIssuer, (word32)certIssuerSz, 0); InitDecodedCert(&dCert, certIssuer, (word32)certIssuerSz, 0);
@ -36759,6 +36789,7 @@ static void test_wolfSSL_X509_PUBKEY_DSA(void)
AssertIntEQ(pptype, V_ASN1_SEQUENCE); AssertIntEQ(pptype, V_ASN1_SEQUENCE);
AssertIntEQ(OBJ_obj2nid(pa_oid), EVP_PKEY_DSA); AssertIntEQ(OBJ_obj2nid(pa_oid), EVP_PKEY_DSA);
str = (ASN1_STRING *)pval; str = (ASN1_STRING *)pval;
DEBUG_WRITE_DER(ASN1_STRING_data(str), ASN1_STRING_length(str), "str.der");
#ifdef USE_CERT_BUFFERS_1024 #ifdef USE_CERT_BUFFERS_1024
AssertIntEQ(ASN1_STRING_length(str), 291); AssertIntEQ(ASN1_STRING_length(str), 291);
#else #else
@ -42746,12 +42777,12 @@ static void test_wolfSSL_EVP_PKEY_set1_get1_DSA(void)
word32 bytes; word32 bytes;
int answer; int answer;
#ifdef USE_CERT_BUFFERS_1024 #ifdef USE_CERT_BUFFERS_1024
const unsigned char* dsaKeyDer = dsa_key_der1024; const unsigned char* dsaKeyDer = dsa_key_der_1024;
int dsaKeySz = sizeof_dsa_key_der_1024; int dsaKeySz = sizeof_dsa_key_der_1024;
byte tmp[ONEK_BUF]; byte tmp[ONEK_BUF];
XMEMSET(tmp, 0, sizeof(tmp)); XMEMSET(tmp, 0, sizeof(tmp));
XMEMCPY(tmp, dsaKeyDer , dsaKeySz); XMEMCPY(tmp, dsaKeyDer , dsaKeySz);
bytes = dsa_key_der_sz; bytes = dsaKeySz;
#elif defined(USE_CERT_BUFFERS_2048) #elif defined(USE_CERT_BUFFERS_2048)
const unsigned char* dsaKeyDer = dsa_key_der_2048; const unsigned char* dsaKeyDer = dsa_key_der_2048;
int dsaKeySz = sizeof_dsa_key_der_2048; int dsaKeySz = sizeof_dsa_key_der_2048;
@ -42760,16 +42791,15 @@ static void test_wolfSSL_EVP_PKEY_set1_get1_DSA(void)
XMEMCPY(tmp, dsaKeyDer , dsaKeySz); XMEMCPY(tmp, dsaKeyDer , dsaKeySz);
bytes = dsaKeySz; bytes = dsaKeySz;
#else #else
const unsigned char* dsaKeyDer = dsa_key_der_2048;
int dsaKeySz = sizeof_dsa_key_der_2048;
byte tmp[TWOK_BUF]; byte tmp[TWOK_BUF];
const unsigned char* dsaKeyDer = (const unsigned char*)tmp;
int dsaKeySz;
XMEMSET(tmp, 0, sizeof(tmp)); XMEMSET(tmp, 0, sizeof(tmp));
XMEMCPY(tmp, dsaKeyDer , dsaKeySz); XFILE fp = XFOPEN("./certs/dsa2048.der", "rb");
XFILE fp = XOPEN("./certs/dsa2048.der", "rb");
if (fp == XBADFILE) { if (fp == XBADFILE) {
return WOLFSSL_BAD_FILE; return WOLFSSL_BAD_FILE;
} }
bytes = (word32) XFREAD(tmp, 1, sizeof(tmp), fp); dsaKeySz = bytes = (word32) XFREAD(tmp, 1, sizeof(tmp), fp);
XFCLOSE(fp); XFCLOSE(fp);
#endif /* END USE_CERT_BUFFERS_1024 */ #endif /* END USE_CERT_BUFFERS_1024 */
@ -42793,7 +42823,11 @@ static void test_wolfSSL_EVP_PKEY_set1_get1_DSA(void)
AssertNotNull(dsa = EVP_PKEY_get0_DSA(pkey)); AssertNotNull(dsa = EVP_PKEY_get0_DSA(pkey));
AssertNotNull(dsa = EVP_PKEY_get1_DSA(pkey)); AssertNotNull(dsa = EVP_PKEY_get1_DSA(pkey));
#ifdef USE_CERT_BUFFERS_1024
AssertIntEQ(DSA_bits(dsa), 1024);
#else
AssertIntEQ(DSA_bits(dsa), 2048); AssertIntEQ(DSA_bits(dsa), 2048);
#endif
/* Sign */ /* Sign */
AssertIntEQ(wolfSSL_DSA_do_sign(hash, signature, dsa), WOLFSSL_SUCCESS); AssertIntEQ(wolfSSL_DSA_do_sign(hash, signature, dsa), WOLFSSL_SUCCESS);
@ -46498,6 +46532,7 @@ static void test_X509_REQ(void)
EVP_PKEY* priv; EVP_PKEY* priv;
EVP_PKEY* pub; EVP_PKEY* pub;
unsigned char* der = NULL; unsigned char* der = NULL;
int len;
#endif #endif
#ifndef NO_RSA #ifndef NO_RSA
EVP_MD_CTX *mctx = NULL; EVP_MD_CTX *mctx = NULL;
@ -46513,7 +46548,6 @@ static void test_X509_REQ(void)
#ifdef HAVE_ECC #ifdef HAVE_ECC
const unsigned char* ecPriv = (const unsigned char*)ecc_clikey_der_256; const unsigned char* ecPriv = (const unsigned char*)ecc_clikey_der_256;
const unsigned char* ecPub = (unsigned char*)ecc_clikeypub_der_256; const unsigned char* ecPub = (unsigned char*)ecc_clikeypub_der_256;
int len;
#endif #endif
AssertNotNull(name = X509_NAME_new()); AssertNotNull(name = X509_NAME_new());
@ -46540,7 +46574,13 @@ static void test_X509_REQ(void)
AssertIntEQ(X509_REQ_sign(req, NULL, EVP_sha256()), WOLFSSL_FAILURE); AssertIntEQ(X509_REQ_sign(req, NULL, EVP_sha256()), WOLFSSL_FAILURE);
AssertIntEQ(X509_REQ_sign(req, priv, NULL), WOLFSSL_FAILURE); AssertIntEQ(X509_REQ_sign(req, priv, NULL), WOLFSSL_FAILURE);
AssertIntEQ(X509_REQ_sign(req, priv, EVP_sha256()), WOLFSSL_SUCCESS); AssertIntEQ(X509_REQ_sign(req, priv, EVP_sha256()), WOLFSSL_SUCCESS);
AssertIntEQ(i2d_X509_REQ(req, &der), 643); len = i2d_X509_REQ(req, &der);
DEBUG_WRITE_DER(der, len, "req.der");
#ifdef USE_CERT_BUFFERS_1024
AssertIntEQ(len, 381);
#else
AssertIntEQ(len, 643);
#endif
XFREE(der, NULL, DYNAMIC_TYPE_OPENSSL); XFREE(der, NULL, DYNAMIC_TYPE_OPENSSL);
der = NULL; der = NULL;
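Review bot: In the `#else` branch of test_wolfSSL_EVP_PKEY_set1_get1_DSA (hunk `@ -42760,16 +42791,15 @@`) the new line `dsaKeySz = bytes = (word32) XFREAD(tmp, 1, sizeof(tmp), fp);` stores the read length without checking that anything was read or that the key fitted in `tmp`, so an empty or truncated `./certs/dsa2048.der` only shows up later as an unexplained decode failure; after `XFCLOSE(fp);` add `AssertIntGT(dsaKeySz, 0);` (a value equal to `sizeof(tmp)` would also indicate truncation). The same branch keeps `return WOLFSSL_BAD_FILE;` although the hunk header shows the function as `static void`, which suggests this configuration (neither USE_CERT_BUFFERS_1024 nor USE_CERT_BUFFERS_2048) is not built anywhere; the XOPEN→XFOPEN correction in the same hunk points the same way, so it is worth confirming the branch compiles at all. The function's body continues outside the hunk.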



@ -32724,9 +32724,15 @@ static int verifyBundle(byte* derBuf, word32 derSz, int keyHint)
int decodedSz = FOURK_BUF/2; int decodedSz = FOURK_BUF/2;
WOLFSSL_SMALL_STACK_STATIC const byte expectedSid[] = { WOLFSSL_SMALL_STACK_STATIC const byte expectedSid[] = {
#ifdef USE_CERT_BUFFERS_1024
0x81, 0x69, 0x0f, 0xf8, 0xdf, 0xdd, 0xcf, 0x34,
0x29, 0xd5, 0x67, 0x75, 0x71, 0x85, 0xc7, 0x75,
0x10, 0x69, 0x59, 0xec,
#else
0x33, 0xD8, 0x45, 0x66, 0xD7, 0x68, 0x87, 0x18, 0x33, 0xD8, 0x45, 0x66, 0xD7, 0x68, 0x87, 0x18,
0x7E, 0x54, 0x0D, 0x70, 0x27, 0x91, 0xC7, 0x26, 0x7E, 0x54, 0x0D, 0x70, 0x27, 0x91, 0xC7, 0x26,
0xD7, 0x85, 0x65, 0xC0 0xD7, 0x85, 0x65, 0xC0
#endif
}; };
decoded = (byte *)XMALLOC(decodedSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); decoded = (byte *)XMALLOC(decodedSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
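Review bot: The new USE_CERT_BUFFERS_1024 bytes of `expectedSid` are written in lowercase hex with a trailing comma, while the existing 2048 bytes in the `#else` arm use uppercase and no trailing comma; matching the existing form keeps the two arms readable side by side, e.g. `0x81, 0x69, 0x0F, 0xF8, 0xDF, 0xDD, 0xCF, 0x34,`. verifyBundle continues outside the hunk.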


@ -5176,4 +5176,11 @@ static WC_INLINE void EarlyDataStatus(WOLFSSL* ssl)
} }
#endif /* WOLFSSL_EARLY_DATA */ #endif /* WOLFSSL_EARLY_DATA */
#if !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) && \
defined(DEBUG_UNIT_TEST_CERTS)
void DEBUG_WRITE_CERT_X509(WOLFSSL_X509* x509, const char* fileName);
void DEBUG_WRITE_DER(const byte* der, int derSz, const char* fileName);
#endif
#endif /* wolfSSL_TEST_H */ #endif /* wolfSSL_TEST_H */
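Review bot: The two new prototypes carry no comment, so a reader of this header cannot tell that they exist only for debugging and write to whatever path `fileName` names; add above them `/* Debug-only helpers (DEBUG_UNIT_TEST_CERTS): write an X509 or a DER buffer to the file named by fileName. */`. The `#if` guard duplicates the one around the definitions in the first file of this commit; if the two ever drift apart the definitions lose their prototypes (or these prototypes their definitions), so a single shared condition macro would be safer.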


@ -127,6 +127,33 @@ enum ASN_Tags {
ASN_DIR_TYPE = 0x04, ASN_DIR_TYPE = 0x04,
ASN_URI_TYPE = 0x06, /* the value 6 is from GeneralName OID */ ASN_URI_TYPE = 0x06, /* the value 6 is from GeneralName OID */
ASN_IP_TYPE = 0x07, /* the value 7 is from GeneralName OID */ ASN_IP_TYPE = 0x07, /* the value 7 is from GeneralName OID */
/* PKCS #7 types */
ASN_ENC_CONTENT = 0x00,
ASN_OTHERNAME_VALUE = 0x00,
/* AuthorityKeyIdentifier fields */
ASN_AUTHKEYID_KEYID = 0x00,
ASN_AUTHKEYID_ISSUER = 0x01,
ASN_AUTHKEYID_SERIAL = 0x02,
/* GeneralSubtree fields */
ASN_SUBTREE_MIN = 0x00,
ASN_SUBTREE_MAX = 0x01,
/* x509 Cert Fields */
ASN_X509_CERT_VERSION = 0x00,
/* x509 Cert Extension Fields */
ASN_AKID_KEYID = 0x00,
/* ECC Key Fields */
ASN_ECC_PARAMS = 0x00,
ASN_ECC_PUBKEY = 0x01,
/* OneAsymmetricKey Fields */
ASN_ASYMKEY_ATTRS = 0x00,
ASN_ASYMKEY_PUBKEY = 0x01,
}; };
#define ASN_UTC_TIME_SIZE 14 #define ASN_UTC_TIME_SIZE 14
@ -606,6 +633,25 @@ WOLFSSL_LOCAL void SetASN_OID(ASNSetData *dataASN, int oid, int oidType);
} \ } \
while (0) while (0)
/* Set the node and all nodes below to not be encoded.
*
* @param [in] dataASN Dynamic ASN data item.
* @param [in] node Node which should not be encoded. Child nodes will
* also not be encoded.
* @param [in] dataASNLen Number of items in dataASN.
*/
#define SetASNItem_NoOutNode(dataASN, asn, node, dataASNLen) \
do { \
int ii; \
dataASN[node].noOut = 1; \
for (ii = node + 1; ii < (int)(dataASNLen); ii++) { \
if (asn[ii].depth <= asn[node].depth) \
break; \
dataASN[ii].noOut = 1; \
} \
} \
while (0)
#endif /* WOLFSSL_ASN_TEMPLATE */ #endif /* WOLFSSL_ASN_TEMPLATE */
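Review bot: The doc comment on the new SetASNItem_NoOutNode macro lists `dataASN`, `node` and `dataASNLen` but omits the second parameter `asn`, the template array whose `.depth` field the loop reads; add `@param [in] asn Template items; depth is read from here to find the children of node.` Inside the macro `node` and `asn` are used unparenthesized, unlike `dataASNLen`, so an argument expression such as `idx + 1` would mis-associate; write `for (ii = (node) + 1; ii < (int)(dataASNLen); ii++) {` and `if ((asn)[ii].depth <= (asn)[node].depth)`. In the enum hunk, `ASN_AUTHKEYID_KEYID` (under "AuthorityKeyIdentifier fields") and `ASN_AKID_KEYID` (under "x509 Cert Extension Fields") are both 0x00 and appear to name the same [0] keyIdentifier field; one name would avoid the two drifting apart.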