mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2025-08-02 04:04:39 +02:00
Fix X509 subject and issuer name_hash mismatch
This commit is contained in:
100
src/x509.c
100
src/x509.c
@@ -4767,67 +4767,109 @@ WOLFSSL_X509_NAME* wolfSSL_X509_get_subject_name(WOLFSSL_X509* cert)
|
|||||||
|
|
||||||
#if defined(OPENSSL_EXTRA) && (!defined(NO_SHA) || !defined(NO_SHA256))
|
#if defined(OPENSSL_EXTRA) && (!defined(NO_SHA) || !defined(NO_SHA256))
|
||||||
/******************************************************************************
|
/******************************************************************************
|
||||||
* wolfSSL_X509_subject_name_hash - compute the hash digest of the raw subject name
|
* wolfSSL_X509_subject_name_hash
|
||||||
* This function prefers SHA-1 (if available) for compatibility
|
* wolfSSL_X509_issuer_name_hash
|
||||||
|
* Compute the hash digest of the subject / issuer name.
|
||||||
|
* These functions prefers SHA-1 (if available) for compatibility.
|
||||||
*
|
*
|
||||||
* RETURNS:
|
* RETURNS:
|
||||||
* The beginning of the hash digest. Otherwise, returns zero.
|
* The first 4 bytes of SHA hash in little endian order as unsigned long.
|
||||||
|
* Otherwise, returns zero.
|
||||||
* Note:
|
* Note:
|
||||||
* Returns a different hash value from OpenSSL's X509_subject_name_hash() API
|
* Returns the same hash value as OpenSSL's X509_X_name_hash() API
|
||||||
* depending on the subject name.
|
* if SHA-1 support is compiled in.
|
||||||
*/
|
*/
|
||||||
unsigned long wolfSSL_X509_subject_name_hash(const WOLFSSL_X509* x509)
|
unsigned long wolfSSL_X509_subject_name_hash(const WOLFSSL_X509* x509)
|
||||||
{
|
{
|
||||||
unsigned long ret = 0;
|
unsigned long ret = 0;
|
||||||
int retHash = NOT_COMPILED_IN;
|
|
||||||
WOLFSSL_X509_NAME *subjectName = NULL;
|
WOLFSSL_X509_NAME *subjectName = NULL;
|
||||||
|
unsigned char* canonName = NULL;
|
||||||
byte digest[WC_MAX_DIGEST_SIZE];
|
byte digest[WC_MAX_DIGEST_SIZE];
|
||||||
|
int size = 0;
|
||||||
|
|
||||||
if (x509 == NULL) {
|
if (x509 == NULL) {
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
subjectName = wolfSSL_X509_get_subject_name((WOLFSSL_X509*)x509);
|
subjectName = wolfSSL_X509_get_subject_name((WOLFSSL_X509*)x509);
|
||||||
if (subjectName != NULL) {
|
|
||||||
#ifndef NO_SHA
|
if (subjectName == NULL) {
|
||||||
retHash = wc_ShaHash((const byte*)subjectName->name,
|
return ret;
|
||||||
(word32)subjectName->sz, digest);
|
|
||||||
#elif !defined(NO_SHA256)
|
|
||||||
retHash = wc_Sha256Hash((const byte*)subjectName->name,
|
|
||||||
(word32)subjectName->sz, digest);
|
|
||||||
#endif
|
|
||||||
if (retHash == 0) {
|
|
||||||
ret = (unsigned long)MakeWordFromHash(digest);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
size = wolfSSL_i2d_X509_NAME_canon(subjectName, &canonName);
|
||||||
|
|
||||||
|
if (size <= 0){
|
||||||
|
WOLFSSL_MSG("wolfSSL_i2d_X509_NAME_canon error");
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifndef NO_SHA
|
||||||
|
if (wc_ShaHash((const byte*)canonName, (word32)size, digest) != 0) {
|
||||||
|
WOLFSSL_MSG("wc_ShaHash error");
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
#elif !defined(NO_SHA256)
|
||||||
|
if (wc_Sha256Hash((const byte*)canonName, (word32)size, digest) != 0) {
|
||||||
|
WOLFSSL_MSG("wc_Sha256Hash error");
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
ret = (unsigned long) digest[0];
|
||||||
|
ret |= ((unsigned long) digest[1]) << 8;
|
||||||
|
ret |= ((unsigned long) digest[2]) << 16;
|
||||||
|
ret |= ((unsigned long) digest[3]) << 24;
|
||||||
|
|
||||||
|
XFREE(canonName, NULL, DYNAMIC_TYPE_OPENSSL);
|
||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
unsigned long wolfSSL_X509_issuer_name_hash(const WOLFSSL_X509* x509)
|
unsigned long wolfSSL_X509_issuer_name_hash(const WOLFSSL_X509* x509)
|
||||||
{
|
{
|
||||||
unsigned long ret = 0;
|
unsigned long ret = 0;
|
||||||
int retHash = NOT_COMPILED_IN;
|
|
||||||
WOLFSSL_X509_NAME *issuerName = NULL;
|
WOLFSSL_X509_NAME *issuerName = NULL;
|
||||||
|
unsigned char* canonName = NULL;
|
||||||
byte digest[WC_MAX_DIGEST_SIZE];
|
byte digest[WC_MAX_DIGEST_SIZE];
|
||||||
|
int size = 0;
|
||||||
|
|
||||||
if (x509 == NULL) {
|
if (x509 == NULL) {
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
issuerName = wolfSSL_X509_get_issuer_name((WOLFSSL_X509*)x509);
|
issuerName = wolfSSL_X509_get_issuer_name((WOLFSSL_X509*)x509);
|
||||||
if (issuerName != NULL) {
|
|
||||||
#ifndef NO_SHA
|
if (issuerName == NULL) {
|
||||||
retHash = wc_ShaHash((const byte*)issuerName->name,
|
return ret;
|
||||||
(word32)issuerName->sz, digest);
|
|
||||||
#elif !defined(NO_SHA256)
|
|
||||||
retHash = wc_Sha256Hash((const byte*)issuerName->name,
|
|
||||||
(word32)issuerName->sz, digest);
|
|
||||||
#endif
|
|
||||||
if (retHash == 0) {
|
|
||||||
ret = (unsigned long)MakeWordFromHash(digest);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
size = wolfSSL_i2d_X509_NAME_canon(issuerName, &canonName);
|
||||||
|
|
||||||
|
if (size <= 0){
|
||||||
|
WOLFSSL_MSG("wolfSSL_i2d_X509_NAME_canon error");
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifndef NO_SHA
|
||||||
|
if (wc_ShaHash((const byte*)canonName, (word32)size, digest) != 0) {
|
||||||
|
WOLFSSL_MSG("wc_ShaHash error");
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
#elif !defined(NO_SHA256)
|
||||||
|
if (wc_Sha256Hash((const byte*)canonName, (word32)size, digest) != 0) {
|
||||||
|
WOLFSSL_MSG("wc_ShaHash error");
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
ret = (unsigned long) digest[0];
|
||||||
|
ret |= ((unsigned long) digest[1]) << 8;
|
||||||
|
ret |= ((unsigned long) digest[2]) << 16;
|
||||||
|
ret |= ((unsigned long) digest[3]) << 24;
|
||||||
|
|
||||||
|
XFREE(canonName, NULL, DYNAMIC_TYPE_OPENSSL);
|
||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
#endif /* OPENSSL_EXTRA && (!NO_SHA || !NO_SHA256) */
|
#endif /* OPENSSL_EXTRA && (!NO_SHA || !NO_SHA256) */
|
||||||
|
46
tests/api.c
46
tests/api.c
@@ -31387,25 +31387,36 @@ static int test_wolfSSL_X509_subject_name_hash(void)
|
|||||||
{
|
{
|
||||||
#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) \
|
#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) \
|
||||||
&& !defined(NO_RSA) && (!defined(NO_SHA) || !defined(NO_SHA256))
|
&& !defined(NO_RSA) && (!defined(NO_SHA) || !defined(NO_SHA256))
|
||||||
|
|
||||||
X509* x509;
|
X509* x509;
|
||||||
X509_NAME* subjectName = NULL;
|
X509_NAME* subjectName = NULL;
|
||||||
unsigned long ret = 0;
|
unsigned long ret1 = 0;
|
||||||
|
unsigned long ret2 = 0;
|
||||||
|
|
||||||
printf(testingFmt, "wolfSSL_X509_subject_name_hash()");
|
printf(testingFmt, "wolfSSL_X509_subject_name_hash()");
|
||||||
|
|
||||||
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile,
|
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile,
|
||||||
SSL_FILETYPE_PEM));
|
SSL_FILETYPE_PEM));
|
||||||
|
|
||||||
AssertNotNull(subjectName = wolfSSL_X509_get_subject_name(x509));
|
AssertNotNull(subjectName = wolfSSL_X509_get_subject_name(x509));
|
||||||
ret = X509_subject_name_hash(x509);
|
|
||||||
AssertIntNE(ret, 0);
|
/* These two
|
||||||
|
* - X509_subject_name_hash(x509)
|
||||||
|
* - X509_NAME_hash(X509_get_subject_name(x509))
|
||||||
|
* should give the same hash, if !defined(NO_SHA) is true. */
|
||||||
|
|
||||||
|
ret1 = X509_subject_name_hash(x509);
|
||||||
|
AssertIntNE(ret1, 0);
|
||||||
|
|
||||||
|
ret2 = X509_NAME_hash(X509_get_subject_name(x509));
|
||||||
|
AssertIntNE(ret2, 0);
|
||||||
|
|
||||||
|
#if !defined(NO_SHA)
|
||||||
|
AssertIntEQ(ret1, ret2);
|
||||||
|
#endif
|
||||||
|
|
||||||
X509_free(x509);
|
X509_free(x509);
|
||||||
printf(resultFmt, passed);
|
printf(resultFmt, passed);
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -31413,25 +31424,36 @@ static int test_wolfSSL_X509_issuer_name_hash(void)
|
|||||||
{
|
{
|
||||||
#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) \
|
#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) \
|
||||||
&& !defined(NO_RSA) && (!defined(NO_SHA) || !defined(NO_SHA256))
|
&& !defined(NO_RSA) && (!defined(NO_SHA) || !defined(NO_SHA256))
|
||||||
|
|
||||||
X509* x509;
|
X509* x509;
|
||||||
X509_NAME* issuertName = NULL;
|
X509_NAME* issuertName = NULL;
|
||||||
unsigned long ret = 0;
|
unsigned long ret1 = 0;
|
||||||
|
unsigned long ret2 = 0;
|
||||||
|
|
||||||
printf(testingFmt, "wolfSSL_X509_issuer_name_hash()");
|
printf(testingFmt, "wolfSSL_X509_issuer_name_hash()");
|
||||||
|
|
||||||
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile,
|
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile,
|
||||||
SSL_FILETYPE_PEM));
|
SSL_FILETYPE_PEM));
|
||||||
|
|
||||||
AssertNotNull(issuertName = wolfSSL_X509_get_issuer_name(x509));
|
AssertNotNull(issuertName = wolfSSL_X509_get_issuer_name(x509));
|
||||||
ret = X509_issuer_name_hash(x509);
|
|
||||||
AssertIntNE(ret, 0);
|
/* These two
|
||||||
|
* - X509_issuer_name_hash(x509)
|
||||||
|
* - X509_NAME_hash(X509_get_issuer_name(x509))
|
||||||
|
* should give the same hash, if !defined(NO_SHA) is true. */
|
||||||
|
|
||||||
|
ret1 = X509_issuer_name_hash(x509);
|
||||||
|
AssertIntNE(ret1, 0);
|
||||||
|
|
||||||
|
ret2 = X509_NAME_hash(X509_get_issuer_name(x509));
|
||||||
|
AssertIntNE(ret2, 0);
|
||||||
|
|
||||||
|
#if !defined(NO_SHA)
|
||||||
|
AssertIntEQ(ret1, ret2);
|
||||||
|
#endif
|
||||||
|
|
||||||
X509_free(x509);
|
X509_free(x509);
|
||||||
printf(resultFmt, passed);
|
printf(resultFmt, passed);
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Reference in New Issue
Block a user