wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-31 11:17:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

add test case

Browse Source
This commit is contained in:
Jacob Barthelmeh
2020-12-11 08:20:48 +07:00
parent 17f32c3e05
commit f00263889b
6 changed files with 153 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
certs/test/cert-ext-ndir.cfg Normal file
View File

@@ -0,0 +1,23 @@
[ req ]
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = constraints
[ req_distinguished_name ]
C = US
ST = Montana
L = Bozeman
O = Sawtooth
OU = Consulting
CN = www.wolfssl.com
emailAddress = info@wolfsssl.com
[constraints]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:TRUE
nameConstraints=critical,permitted;dirName:dir_name
[dir_name]
countryName = US

BIN
certs/test/cert-ext-ndir.der Normal file
View File

Binary file not shown.

34
certs/test/gen-ext-certs.sh
View File

@@ -2,8 +2,9 @@
TMP="/tmp/`basename $0`" TMP="/tmp/`basename $0`"
KEY=certs/server-key.der
gen_cert() { gen_cert() {
openssl req -x509 -keyform DER -key certs/server-key.der \ openssl req -x509 -keyform DER -key $KEY \
-days 1000 -new -outform DER -out $OUT -config $CONFIG \ -days 1000 -new -outform DER -out $OUT -config $CONFIG \
>$TMP 2>&1 >$TMP 2>&1
@@ -96,3 +97,34 @@ nsComment = "Testing Netscape Certificate Type"
EOF EOF
gen_cert gen_cert
KEY=certs/ca-key.der
OUT=certs/test/cert-ext-ndir.der
KEYFILE=certs/ca-key.der
CONFIG=certs/test/cert-ext-ndir.cfg
tee >$CONFIG <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = constraints
[ req_distinguished_name ]
C = US
ST = Montana
L = Bozeman
O = Sawtooth
OU = Consulting
CN = www.wolfssl.com
emailAddress = info@wolfsssl.com
[constraints]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:TRUE
nameConstraints=critical,permitted;dirName:dir_name
[dir_name]
countryName = US
EOF
gen_cert

2
certs/test/include.am
View File

@@ -9,6 +9,8 @@ EXTRA_DIST += \
certs/test/cert-ext-nc.der \ certs/test/cert-ext-nc.der \
certs/test/cert-ext-nct.cfg \ certs/test/cert-ext-nct.cfg \
certs/test/cert-ext-nct.der \ certs/test/cert-ext-nct.der \
certs/test/cert-ext-ndir.cfg \
certs/test/cert-ext-ndir.der \
certs/test/cert-ext-ns.der \ certs/test/cert-ext-ns.der \
certs/test/gen-ext-certs.sh \ certs/test/gen-ext-certs.sh \
certs/test/server-duplicate-policy.pem \ certs/test/server-duplicate-policy.pem \

85
tests/api.c
View File

@@ -1267,6 +1267,90 @@ static void test_wolfSSL_CertManagerNameConstraint(void)
#endif #endif
} }
static void test_wolfSSL_CertManagerNameConstraint2(void)
{
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \
!defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \
defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \
defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES)
const char* ca_cert = "./certs/test/cert-ext-ndir.der";
const char* server_cert = "./certs/server-cert.pem";
WOLFSSL_CERT_MANAGER* cm;
WOLFSSL_X509 *x509, *ca;
const unsigned char *der;
const unsigned char *pt;
WOLFSSL_EVP_PKEY *priv;
WOLFSSL_X509_NAME* name;
int derSz;
/* C=US*/
char altName[] = {
0x30, 0x0D, 0x31, 0x0B, 0x30, 0x09,
0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53
};
/* C=ID */
char altNameFail[] = {
0x30, 0x0D, 0x31, 0x0B, 0x30, 0x09,
0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x49, 0x44
};
/* load in CA private key for signing */
pt = ca_key_der_2048;
AssertNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, &pt,
sizeof_ca_key_der_2048));
AssertNotNull(cm = wolfSSL_CertManagerNew());
AssertNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert,
WOLFSSL_FILETYPE_ASN1));
AssertNotNull((der = wolfSSL_X509_get_der(ca, &derSz)));
AssertIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
WOLFSSL_FILETYPE_PEM));
AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
wolfSSL_X509_sign(x509, priv, EVP_sha256());
AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
/* add in matching DIR alt name and resign */
wolfSSL_X509_add_altname_ex(x509, altName, sizeof(altName), ASN_DIR_TYPE);
wolfSSL_X509_sign(x509, priv, EVP_sha256());
AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
wolfSSL_X509_free(x509);
/* check verify fail */
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
WOLFSSL_FILETYPE_PEM));
AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
/* add in miss matching DIR alt name and resign */
wolfSSL_X509_add_altname_ex(x509, altNameFail, sizeof(altNameFail),
ASN_DIR_TYPE);
wolfSSL_X509_sign(x509, priv, EVP_sha256());
AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E);
wolfSSL_CertManagerFree(cm);
wolfSSL_X509_free(x509);
wolfSSL_X509_free(ca);
wolfSSL_X509_MAME_free(name);
wolfSSL_EVP_PKEY_free(priv);
#endif
}
static void test_wolfSSL_CertManagerCRL(void) static void test_wolfSSL_CertManagerCRL(void)
{ {
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && defined(HAVE_CRL) && \ #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && defined(HAVE_CRL) && \
@@ -39246,6 +39330,7 @@ void ApiTest(void)
test_wolfSSL_CertManagerGetCerts(); test_wolfSSL_CertManagerGetCerts();
test_wolfSSL_CertManagerSetVerify(); test_wolfSSL_CertManagerSetVerify();
test_wolfSSL_CertManagerNameConstraint(); test_wolfSSL_CertManagerNameConstraint();
test_wolfSSL_CertManagerNameConstraint2();
test_wolfSSL_CertManagerCRL(); test_wolfSSL_CertManagerCRL();
test_wolfSSL_CTX_load_verify_locations_ex(); test_wolfSSL_CTX_load_verify_locations_ex();
test_wolfSSL_CTX_load_verify_buffer_ex(); test_wolfSSL_CTX_load_verify_buffer_ex();

11
wolfcrypt/src/asn.c
View File

@@ -7799,6 +7799,11 @@ static int DecodeAltNames(const byte* input, int sz, DecodedCert* cert)
WOLFSSL_MSG("\tfail: str length"); WOLFSSL_MSG("\tfail: str length");
return ASN_PARSE_E; return ASN_PARSE_E;
} }
if (GetSequence(input, &idx, &strLen, sz) < 0) {
WOLFSSL_MSG("\tfail: seq length");
return ASN_PARSE_E;
}
length -= (idx - lenStartIdx); length -= (idx - lenStartIdx);
dirEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap, dirEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap,
@@ -12717,7 +12722,11 @@ int FlattenAltNames(byte* output, word32 outputSz, const DNS_entry* names)
curName = names; curName = names;
do { do {
output[idx++] = ASN_CONTEXT_SPECIFIC | curName->type; output[idx] = ASN_CONTEXT_SPECIFIC | curName->type;
if (curName->type == ASN_DIR_TYPE) {
output[idx] |= ASN_CONSTRUCTED;
}
idx++;
idx += SetLength(curName->len, output + idx); idx += SetLength(curName->len, output + idx);
XMEMCPY(output + idx, curName->name, curName->len); XMEMCPY(output + idx, curName->name, curName->len);
idx += curName->len; idx += curName->len;