mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2025-08-01 03:34:39 +02:00
Fix X509 subject and issuer name_hash mismatch
This commit is contained in:
jordan
100
src/x509.c
100
src/x509.c
@@ -4767,67 +4767,109 @@ WOLFSSL_X509_NAME* wolfSSL_X509_get_subject_name(WOLFSSL_X509* cert)
|
||||
|
||||
#if defined(OPENSSL_EXTRA) && (!defined(NO_SHA) || !defined(NO_SHA256))
|
||||
/******************************************************************************
|
||||
* wolfSSL_X509_subject_name_hash - compute the hash digest of the raw subject name
|
||||
* This function prefers SHA-1 (if available) for compatibility
|
||||
* wolfSSL_X509_subject_name_hash
|
||||
* wolfSSL_X509_issuer_name_hash
|
||||
* Compute the hash digest of the subject / issuer name.
|
||||
* These functions prefers SHA-1 (if available) for compatibility.
|
||||
*
|
||||
* RETURNS:
|
||||
* The beginning of the hash digest. Otherwise, returns zero.
|
||||
* The first 4 bytes of SHA hash in little endian order as unsigned long.
|
||||
* Otherwise, returns zero.
|
||||
* Note:
|
||||
* Returns a different hash value from OpenSSL's X509_subject_name_hash() API
|
||||
* depending on the subject name.
|
||||
* Returns the same hash value as OpenSSL's X509_X_name_hash() API
|
||||
* if SHA-1 support is compiled in.
|
||||
*/
|
||||
unsigned long wolfSSL_X509_subject_name_hash(const WOLFSSL_X509* x509)
|
||||
{
|
||||
unsigned long ret = 0;
|
||||
int retHash = NOT_COMPILED_IN;
|
||||
WOLFSSL_X509_NAME *subjectName = NULL;
|
||||
unsigned char* canonName = NULL;
|
||||
byte digest[WC_MAX_DIGEST_SIZE];
|
||||
int size = 0;
|
||||
|
||||
if (x509 == NULL) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
subjectName = wolfSSL_X509_get_subject_name((WOLFSSL_X509*)x509);
|
||||
if (subjectName != NULL) {
|
||||
#ifndef NO_SHA
|
||||
retHash = wc_ShaHash((const byte*)subjectName->name,
|
||||
(word32)subjectName->sz, digest);
|
||||
#elif !defined(NO_SHA256)
|
||||
retHash = wc_Sha256Hash((const byte*)subjectName->name,
|
||||
(word32)subjectName->sz, digest);
|
||||
#endif
|
||||
if (retHash == 0) {
|
||||
ret = (unsigned long)MakeWordFromHash(digest);
|
||||
}
|
||||
|
||||
if (subjectName == NULL) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
size = wolfSSL_i2d_X509_NAME_canon(subjectName, &canonName);
|
||||
|
||||
if (size <= 0){
|
||||
WOLFSSL_MSG("wolfSSL_i2d_X509_NAME_canon error");
|
||||
return ret;
|
||||
}
|
||||
|
||||
#ifndef NO_SHA
|
||||
if (wc_ShaHash((const byte*)canonName, (word32)size, digest) != 0) {
|
||||
WOLFSSL_MSG("wc_ShaHash error");
|
||||
return ret;
|
||||
}
|
||||
#elif !defined(NO_SHA256)
|
||||
if (wc_Sha256Hash((const byte*)canonName, (word32)size, digest) != 0) {
|
||||
WOLFSSL_MSG("wc_Sha256Hash error");
|
||||
return ret;
|
||||
}
|
||||
#endif
|
||||
|
||||
ret = (unsigned long) digest[0];
|
||||
ret |= ((unsigned long) digest[1]) << 8;
|
||||
ret |= ((unsigned long) digest[2]) << 16;
|
||||
ret |= ((unsigned long) digest[3]) << 24;
|
||||
|
||||
XFREE(canonName, NULL, DYNAMIC_TYPE_OPENSSL);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
unsigned long wolfSSL_X509_issuer_name_hash(const WOLFSSL_X509* x509)
|
||||
{
|
||||
unsigned long ret = 0;
|
||||
int retHash = NOT_COMPILED_IN;
|
||||
WOLFSSL_X509_NAME *issuerName = NULL;
|
||||
unsigned char* canonName = NULL;
|
||||
byte digest[WC_MAX_DIGEST_SIZE];
|
||||
int size = 0;
|
||||
|
||||
if (x509 == NULL) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
issuerName = wolfSSL_X509_get_issuer_name((WOLFSSL_X509*)x509);
|
||||
if (issuerName != NULL) {
|
||||
#ifndef NO_SHA
|
||||
retHash = wc_ShaHash((const byte*)issuerName->name,
|
||||
(word32)issuerName->sz, digest);
|
||||
#elif !defined(NO_SHA256)
|
||||
retHash = wc_Sha256Hash((const byte*)issuerName->name,
|
||||
(word32)issuerName->sz, digest);
|
||||
#endif
|
||||
if (retHash == 0) {
|
||||
ret = (unsigned long)MakeWordFromHash(digest);
|
||||
}
|
||||
|
||||
if (issuerName == NULL) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
size = wolfSSL_i2d_X509_NAME_canon(issuerName, &canonName);
|
||||
|
||||
if (size <= 0){
|
||||
WOLFSSL_MSG("wolfSSL_i2d_X509_NAME_canon error");
|
||||
return ret;
|
||||
}
|
||||
|
||||
#ifndef NO_SHA
|
||||
if (wc_ShaHash((const byte*)canonName, (word32)size, digest) != 0) {
|
||||
WOLFSSL_MSG("wc_ShaHash error");
|
||||
return ret;
|
||||
}
|
||||
#elif !defined(NO_SHA256)
|
||||
if (wc_Sha256Hash((const byte*)canonName, (word32)size, digest) != 0) {
|
||||
WOLFSSL_MSG("wc_ShaHash error");
|
||||
return ret;
|
||||
}
|
||||
#endif
|
||||
|
||||
ret = (unsigned long) digest[0];
|
||||
ret |= ((unsigned long) digest[1]) << 8;
|
||||
ret |= ((unsigned long) digest[2]) << 16;
|
||||
ret |= ((unsigned long) digest[3]) << 24;
|
||||
|
||||
XFREE(canonName, NULL, DYNAMIC_TYPE_OPENSSL);
|
||||
|
||||
return ret;
|
||||
}
|
||||
#endif /* OPENSSL_EXTRA && (!NO_SHA || !NO_SHA256) */
|
||||
|
||||
46
tests/api.c
46
tests/api.c
@@ -31387,25 +31387,36 @@ static int test_wolfSSL_X509_subject_name_hash(void)
|
||||
{
|
||||
#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) \
|
||||
&& !defined(NO_RSA) && (!defined(NO_SHA) || !defined(NO_SHA256))
|
||||
|
||||
X509* x509;
|
||||
X509_NAME* subjectName = NULL;
|
||||
unsigned long ret = 0;
|
||||
unsigned long ret1 = 0;
|
||||
unsigned long ret2 = 0;
|
||||
|
||||
printf(testingFmt, "wolfSSL_X509_subject_name_hash()");
|
||||
|
||||
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile,
|
||||
SSL_FILETYPE_PEM));
|
||||
|
||||
AssertNotNull(subjectName = wolfSSL_X509_get_subject_name(x509));
|
||||
ret = X509_subject_name_hash(x509);
|
||||
AssertIntNE(ret, 0);
|
||||
|
||||
/* These two
|
||||
* - X509_subject_name_hash(x509)
|
||||
* - X509_NAME_hash(X509_get_subject_name(x509))
|
||||
* should give the same hash, if !defined(NO_SHA) is true. */
|
||||
|
||||
ret1 = X509_subject_name_hash(x509);
|
||||
AssertIntNE(ret1, 0);
|
||||
|
||||
ret2 = X509_NAME_hash(X509_get_subject_name(x509));
|
||||
AssertIntNE(ret2, 0);
|
||||
|
||||
#if !defined(NO_SHA)
|
||||
AssertIntEQ(ret1, ret2);
|
||||
#endif
|
||||
|
||||
X509_free(x509);
|
||||
printf(resultFmt, passed);
|
||||
|
||||
#endif
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -31413,25 +31424,36 @@ static int test_wolfSSL_X509_issuer_name_hash(void)
|
||||
{
|
||||
#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) \
|
||||
&& !defined(NO_RSA) && (!defined(NO_SHA) || !defined(NO_SHA256))
|
||||
|
||||
X509* x509;
|
||||
X509_NAME* issuertName = NULL;
|
||||
unsigned long ret = 0;
|
||||
unsigned long ret1 = 0;
|
||||
unsigned long ret2 = 0;
|
||||
|
||||
printf(testingFmt, "wolfSSL_X509_issuer_name_hash()");
|
||||
|
||||
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile,
|
||||
SSL_FILETYPE_PEM));
|
||||
|
||||
AssertNotNull(issuertName = wolfSSL_X509_get_issuer_name(x509));
|
||||
ret = X509_issuer_name_hash(x509);
|
||||
AssertIntNE(ret, 0);
|
||||
|
||||
/* These two
|
||||
* - X509_issuer_name_hash(x509)
|
||||
* - X509_NAME_hash(X509_get_issuer_name(x509))
|
||||
* should give the same hash, if !defined(NO_SHA) is true. */
|
||||
|
||||
ret1 = X509_issuer_name_hash(x509);
|
||||
AssertIntNE(ret1, 0);
|
||||
|
||||
ret2 = X509_NAME_hash(X509_get_issuer_name(x509));
|
||||
AssertIntNE(ret2, 0);
|
||||
|
||||
#if !defined(NO_SHA)
|
||||
AssertIntEQ(ret1, ret2);
|
||||
#endif
|
||||
|
||||
X509_free(x509);
|
||||
printf(resultFmt, passed);
|
||||
|
||||
#endif
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user