From fd01659baa68358cd68b03ae69c5f84c15307014 Mon Sep 17 00:00:00 2001 From: Go Hosohara Date: Wed, 11 Jul 2018 17:09:38 +0900 Subject: [PATCH] Obj_obj2nid --- src/ssl.c | 62 ++++++++++++++++------------------ tests/api.c | 68 +++++++++++++++++++++++++++++++++++--- wolfcrypt/src/asn.c | 55 ++++++++++++++++++++++++++++++ wolfssl/openssl/ssl.h | 2 +- wolfssl/ssl.h | 1 + wolfssl/wolfcrypt/asn.h | 11 ++++++ wolfssl/wolfcrypt/memory.h | 5 ++- 7 files changed, 162 insertions(+), 42 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 0ea2dfe93..5d0fa9f30 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -30198,17 +30198,12 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl) objSz += oidSz; obj->objSz = objSz; - if(arg_obj == NULL) { /* Dynamic NAME_ENTRY */ - obj->obj = (byte*)XMALLOC(obj->objSz, NULL, DYNAMIC_TYPE_ASN1); - if ((obj->obj == NULL) && arg_obj == NULL) { - wolfSSL_ASN1_OBJECT_free(obj); - return NULL; - } - XMEMCPY(obj->obj, objBuf, obj->objSz); - } else {/* static NAME_ENTR is for just type and grp */ - obj->obj = NULL; - obj->type = id; + obj->obj = (byte*)XMALLOC(obj->objSz, NULL, DYNAMIC_TYPE_ASN1); + if ((obj->obj == NULL) && arg_obj == NULL) { + wolfSSL_ASN1_OBJECT_free(obj); + return NULL; } + XMEMCPY(obj->obj, objBuf, obj->objSz); (void)type; 
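Review bot: The NULL check after the now-unconditional XMALLOC still carries the `&& arg_obj == NULL` condition, so when a caller supplies arg_obj and the allocation fails, control reaches `XMEMCPY(obj->obj, objBuf, obj->objSz)` with obj->obj == NULL. The check should reject a failed allocation regardless of how obj was obtained, freeing only what this function allocated: `if (obj->obj == NULL) { if (arg_obj == NULL) wolfSSL_ASN1_OBJECT_free(obj); return NULL; }`. The removed branch also left obj->obj NULL for a caller-provided object, whereas every call now allocates into it, so a caller that reuses the same object (as X509_NAME_ENTRY_get_object appears to do with ne->object) will leak the previous buffer unless the free path handles it — worth confirming, since that path is outside this hunk. The enclosing function begins before this hunk.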
@@ -30554,24 +30549,14 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl) return NULL; } - int wolfSSL_OBJ_sn2nid(const char *sn) { - int i; - WOLFSSL_ENTER("wolfSSL_OBJ_osn2nid"); - - /* Nginx uses this OpenSSL string. */ - if (XSTRNCMP(sn, "prime256v1", 10) == 0) - sn = "SECP256R1"; - if (XSTRNCMP(sn, "secp384r1", 10) == 0) - sn = "SECP384R1"; - /* find based on name and return NID */ - for (i = 0; i < ecc_sets[i].size; i++) { - if (XSTRNCMP(sn, ecc_sets[i].name, ECC_MAXNAME) == 0) { - return ecc_sets[i].id; - } - } - return -1; - } #endif /* HAVE_ECC */ +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) + int wolfSSL_OBJ_sn2nid(const char *sn) { + + WOLFSSL_ENTER("wolfSSL_OBJ_sn2nid"); + return OBJ_sn2nid(sn); + } +#endif /* Gets the NID value that corresponds with the ASN1 object. * @@ -30589,6 +30574,8 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl) if (o == NULL) { return -1; } + if (o->nid > 0) + return o->nid; if ((id = GetObjectId(o->obj, &idx, &oid, o->grp, o->objSz)) < 0) { WOLFSSL_MSG("Issue getting OID of object"); return -1; @@ -30910,6 +30897,7 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl) WOLFSSL_ENTER("wolfSSL_X509_NAME_ENTRY_get_object"); if (ne == NULL) return NULL; wolfSSL_OBJ_nid2obj_ex(ne->nid, &ne->object); + ne->object.nid = ne->nid; return &ne->object; } 
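Review bot: The rewritten wolfSSL_OBJ_sn2nid hands the result of OBJ_sn2nid straight back, which changes the not-found value from the old `return -1;` to whatever NID_undef is defined as, so a caller that tested for `< 0` against the removed implementation no longer detects a miss; either map it back (`nid = OBJ_sn2nid(sn); return (nid == NID_undef) ? -1 : nid;`) or document the new sentinel at the declaration. The function also moves out of the `#endif /* HAVE_ECC */` region into a plain OPENSSL_EXTRA block while its callee still scans ecc_sets (see the asn.c hunk below), so the two guard sets should agree. A one-line header comment stating the contract, e.g. `/* Returns the NID for short name sn, or NID_undef when unknown. */`, would remove the ambiguity.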
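Review bot: The new shortcut `if (o->nid > 0) return o->nid;` trusts a field this patch adds to WOLFSSL_ASN1_OBJECT without showing where it is initialised; unless every construction path (wolfSSL_ASN1_OBJECT_new and the caller-provided objects passed as arg_obj) zeroes the struct, a stale or indeterminate value is returned instead of being derived from o->obj. Either initialise nid to NID_undef wherever the object is created, or take the shortcut only when it is known to have been set from the encoded object, and mark the field as a cache in a comment so readers know why the early return is safe. The enclosing function begins before this hunk.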
@@ -30927,38 +30915,47 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl) case 1: name->cnEntry.value->length = name->fullName.cLen; name->cnEntry.value->data = &name->fullName.fullName[name->fullName.cIdx]; + name->cnEntry.nid = name->fullName.cNid; break; case 2: name->cnEntry.value->length = name->fullName.lLen; name->cnEntry.value->data = &name->fullName.fullName[name->fullName.lIdx]; + name->cnEntry.nid = name->fullName.lNid; break; case 3: name->cnEntry.value->length = name->fullName.stLen; name->cnEntry.value->data = &name->fullName.fullName[name->fullName.stIdx]; + name->cnEntry.nid = name->fullName.stNid; break; case 4: name->cnEntry.value->length = name->fullName.oLen; name->cnEntry.value->data = &name->fullName.fullName[name->fullName.oIdx]; + name->cnEntry.nid = name->fullName.oNid; break; case 5: name->cnEntry.value->length = name->fullName.ouLen; name->cnEntry.value->data = &name->fullName.fullName[name->fullName.ouIdx]; + name->cnEntry.nid = name->fullName.ouNid; break; case 6: name->cnEntry.value->length = name->fullName.emailLen; name->cnEntry.value->data = &name->fullName.fullName[name->fullName.emailIdx]; + name->cnEntry.nid = name->fullName.emailNid; break; case 7: name->cnEntry.value->length = name->fullName.snLen; name->cnEntry.value->data = &name->fullName.fullName[name->fullName.snIdx]; + name->cnEntry.nid = name->fullName.snNid; break; case 8: name->cnEntry.value->length = name->fullName.uidLen; name->cnEntry.value->data = &name->fullName.fullName[name->fullName.uidIdx]; + name->cnEntry.nid = name->fullName.uidNid; break; case 9: name->cnEntry.value->length = name->fullName.serialLen; name->cnEntry.value->data = &name->fullName.fullName[name->fullName.serialIdx]; + name->cnEntry.nid = name->fullName.serialNid; break; default: return NULL; 
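Review bot: Each of the nine cases now repeats the same three assignments with only the field prefix changing, and the added `nid` line in every case makes the duplication easier to get wrong — a copy-paste slip in a single case would silently mislabel an attribute and nothing in the switch would catch it. A small static table mapping case number to the three field offsets, or a helper macro that expands to the length, data and nid assignments for a given prefix, would reduce each case to one line and keep the triple in one place. The function starts and ends outside this hunk.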
@@ -30986,6 +30983,11 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl) return NULL; } + if ((loc >= 0) && (loc < name->fullName.entryCount)){ + if (get_nameByLoc(name, loc) != NULL) + return &name->cnEntry; + } + /* DC component */ if (name->fullName.dcMode){ if (name->fullName.fullName != NULL){ @@ -31012,12 +31014,6 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl) name->cnEntry.set = 1; } - if((loc >= 0) && (loc < name->fullName.entryCount)){ - if(get_nameByLoc(name, loc) == NULL) - return NULL; - } - - wolfSSL_OBJ_nid2obj_ex(name->cnEntry.nid, &name->cnEntry.object); return &name->cnEntry; } diff --git a/tests/api.c b/tests/api.c index e0d23d17e..343a926b8 100644 --- a/tests/api.c +++ b/tests/api.c @@ -18499,10 +18499,33 @@ static void test_wolfSSL_HMAC(void) static void test_wolfSSL_OBJ(void) { - #if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) - ASN1_OBJECT* obj = NULL; +#if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) + ASN1_OBJECT *obj = NULL; char buf[50]; + XFILE fp; + X509 *x509 = NULL; + X509_NAME *x509Name; + X509_NAME_ENTRY *x509NameEntry; + ASN1_OBJECT *asn1Name; + int numNames; + BIO *bio = NULL; + int nid; + int i, j; + const char *f[] = { + "./certs/ca-cert.der", + "./certs/ca-ecc-cert.der", + "./certs/ca-ecc384-cert.der", + NULL}; +#ifndef NO_DES3 + PKCS12 *p12; + int boolRet; + EVP_PKEY *pkey = NULL; + const char *p12_f[] = { + "./certs/test-servercert.p12", + NULL}; +#endif /* !NO_DES3 */ + printf(testingFmt, "wolfSSL_OBJ()"); AssertIntEQ(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1), SSL_FAILURE); 
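Review bot: Moving the loc check ahead of the DC handling changes what an in-range loc that get_nameByLoc does not map returns: the removed code returned NULL in that case, while the new code falls through into the DC path and returns `&name->cnEntry` populated (or left stale) by that path, so callers can no longer distinguish "no such entry" from a DC entry. If the fall-through is intended, a comment such as `/* loc is not a fixed attribute: treat it as a DC component */` should say so; otherwise keep `else return NULL;` after the inner check. The early return also skips the `wolfSSL_OBJ_nid2obj_ex(name->cnEntry.nid, &name->cnEntry.object)` call deleted in the next hunk, so `cnEntry.object` is now refreshed only by X509_NAME_ENTRY_get_object and any caller reading `entry->object` directly sees the previous contents. The enclosing function begins before this hunk.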
@@ -18518,10 +18541,45 @@ static void test_wolfSSL_OBJ(void) AssertIntGT(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 0), 0); ASN1_OBJECT_free(obj); - printf(resultFmt, passed); - #endif -} + for (i = 0; f[i] != NULL; i++) + { + AssertTrue((fp = XFOPEN(f[i], "r")) != XBADFILE); + AssertNotNull(x509 = d2i_X509_fp(fp, NULL)); + AssertNotNull(x509Name = X509_get_issuer_name(x509)); + AssertIntNE((numNames = X509_NAME_entry_count(x509Name)), 0); + AssertTrue((bio = BIO_new(BIO_s_mem())) != NULL); + for (j = 0; j < numNames; j++) + { + AssertNotNull(x509NameEntry = X509_NAME_get_entry(x509Name, j)); + AssertNotNull(asn1Name = X509_NAME_ENTRY_get_object(x509NameEntry)); + AssertTrue((nid = OBJ_obj2nid(asn1Name)) > 0); + printf("nid=%d\n", nid); + } + } +#ifndef NO_DES3 + for (i = 0; p12_f[i] != NULL; i++) + { + AssertTrue((fp = XFOPEN(p12_f[i], "r")) != XBADFILE); + AssertNotNull(p12 = d2i_PKCS12_fp(fp, NULL)); + AssertTrue((boolRet = PKCS12_parse(p12, "wolfSSL test", &pkey, &x509, NULL)) > 0); + AssertNotNull((x509Name = X509_get_issuer_name(x509)) != NULL); + AssertIntNE((numNames = X509_NAME_entry_count(x509Name)), 0); + AssertTrue((bio = BIO_new(BIO_s_mem())) != NULL); + + for (j = 0; j < numNames; j++) + { + AssertNotNull(x509NameEntry = X509_NAME_get_entry(x509Name, j)); + AssertNotNull(asn1Name = X509_NAME_ENTRY_get_object(x509NameEntry)); + AssertTrue((nid = OBJ_obj2nid(asn1Name)) > 0); + printf("nid=%d\n", nid); + } + } +#endif /* !NO_DES3 */ + + printf(resultFmt, passed); +#endif +} static void test_wolfSSL_X509_NAME_ENTRY(void) { diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index cb5f5e13d..aa3e76f7b 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -104,6 +104,10 @@ ASN Options: #include #endif +#ifdef OPENSSL_EXTRA + #include /* for OBJ_sn2nid */ +#endif + #ifdef WOLFSSL_DEBUG_ENCODING #if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) #if MQX_USE_IO_OLD 
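Review bot: Every iteration opens a file with XFOPEN, decodes an X509 (plus a PKCS12 and EVP_PKEY in the second loop) and creates a memory BIO, but none of them is released — there is no XFCLOSE, X509_free, BIO_free, PKCS12_free or EVP_PKEY_free — and `bio` is never even used, so the test leaks on every pass and would mask leaks in the code it exercises. Release each resource at the end of the loop body (`XFCLOSE(fp); X509_free(x509); BIO_free(bio);` and additionally `PKCS12_free(p12); EVP_PKEY_free(pkey);` in the PKCS#12 loop) or drop the unused BIO entirely. `AssertNotNull((x509Name = X509_get_issuer_name(x509)) != NULL)` asserts on the int result of the comparison rather than on the pointer; the first loop's `AssertNotNull(x509Name = X509_get_issuer_name(x509))` is the form to use. The DER and PKCS#12 inputs are binary, so `"rb"` is the safer XFOPEN mode on platforms that distinguish text mode.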
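Review bot: Pulling an OpenSSL-compatibility header into wolfcrypt/src/asn.c (the include target is not legible in this copy, but the comment says it is for OBJ_sn2nid) inverts the layering, since wolfCrypt is meant to build without the wolfSSL compat layer. If that header maps `OBJ_sn2nid` to `wolfSSL_OBJ_sn2nid` the way the compat layer does for the `OBJ_obj2nid` name the new test relies on, the definition added further down in this file is renamed to the same symbol ssl.c defines and the ssl.c wrapper ends up calling itself; a wolfCrypt-prefixed name such as `wc_OBJ_sn2nid`, declared only in wolfssl/wolfcrypt/asn.h where this patch already adds the prototype, would avoid both problems and make this include unnecessary. This is inferred from the compat macros visible elsewhere in the patch rather than from the header itself.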
@@ -4076,6 +4080,47 @@ static int GetKey(DecodedCert* cert) } } +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) +WOLFSSL_LOCAL int OBJ_sn2nid(const char *sn) +{ + static const struct { + const char *sn; + int nid; + } sn2nid[] = { + {WOLFSSL_COMMON_NAME, NID_commonName}, + {WOLFSSL_COUNTRY_NAME, NID_countryName}, + {WOLFSSL_LOCALITY_NAME, NID_localityName}, + {"/ST", NID_stateOrProvinceName}, + {WOLFSSL_ORG_NAME, NID_organizationName}, + {WOLFSSL_ORGUNIT_NAME, NID_organizationalUnitName}, + {"/emailAddress", NID_emailAddress}, + {NULL, -1}}; + + int i; + WOLFSSL_ENTER("OBJ_osn2nid"); + + /* Nginx uses this OpenSSL string. */ + if (XSTRNCMP(sn, "prime256v1", 10) == 0) + sn = "SECP256R1"; + if (XSTRNCMP(sn, "secp384r1", 10) == 0) + sn = "SECP384R1"; + /* find based on name and return NID */ + for (i = 0; i < ecc_sets[i].size; i++) { + if (XSTRNCMP(sn, ecc_sets[i].name, ECC_MAXNAME) == 0) { + return ecc_sets[i].id; + } + } + + for(i=0; sn2nid[i].sn != NULL; i++) { + if(XSTRNCMP(sn, sn2nid[i].sn, XSTRLEN(sn2nid[i].sn)) == 0) { + return sn2nid[i].nid; + } + } + + return NID_undef; +} +#endif + /* process NAME, either issuer or subject */ static int GetName(DecodedCert* cert, int nameType) { @@ -4556,6 +4601,7 @@ static int GetName(DecodedCert* cert, int nameType) if (dName->cnLen != 0) { dName->entryCount++; XMEMCPY(&dName->fullName[idx], WOLFSSL_COMMON_NAME, 4); + dName->cnNid = OBJ_sn2nid((const char *)WOLFSSL_COMMON_NAME); idx += 4; XMEMCPY(&dName->fullName[idx], &cert->source[dName->cnIdx], dName->cnLen); @@ -4565,6 +4611,7 @@ static int GetName(DecodedCert* cert, int nameType) if (dName->snLen != 0) { dName->entryCount++; XMEMCPY(&dName->fullName[idx], WOLFSSL_SUR_NAME, 4); + dName->snNid = OBJ_sn2nid((const char *)WOLFSSL_SUR_NAME); idx += 4; XMEMCPY(&dName->fullName[idx], &cert->source[dName->snIdx], dName->snLen); 
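Review bot: OBJ_sn2nid scans `ecc_sets` and uses `ECC_MAXNAME` unconditionally, yet it is compiled under `OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL`, whereas the implementation it replaces in ssl.c sat inside `#ifdef HAVE_ECC`; a build with OPENSSL_EXTRA and without ECC fails on those references, so the curve lookup needs its own HAVE_ECC guard. The function also dereferences `sn` with no NULL check although it now backs a public compat entry point, and its table has no rows for the surname, UID and serialNumber short names that GetName below passes in, so those three fields are always set to NID_undef. `WOLFSSL_ENTER("OBJ_osn2nid")` carries the typo over from the old code. The prefix match `XSTRNCMP(sn, sn2nid[i].sn, XSTRLEN(sn2nid[i].sn))` means the `"/ST"` row matches any name starting with those three characters, which is fine for today's callers but deserves a comment. GetName continues past this hunk.
```c
WOLFSSL_LOCAL int OBJ_sn2nid(const char *sn)
{
    /* … unchanged: sn2nid table … */
    int i;
    WOLFSSL_ENTER("OBJ_sn2nid");

    if (sn == NULL)
        return NID_undef;

#ifdef HAVE_ECC
    /* … unchanged: prime256v1/secp384r1 aliasing and ecc_sets scan … */
#endif /* HAVE_ECC */

    /* … unchanged: sn2nid table scan (prefix match on table entry) … */
    return NID_undef;
}
```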
@@ -4574,6 +4621,7 @@ static int GetName(DecodedCert* cert, int nameType) if (dName->cLen != 0) { dName->entryCount++; XMEMCPY(&dName->fullName[idx], WOLFSSL_COUNTRY_NAME, 3); + dName->cNid = OBJ_sn2nid((const char *)WOLFSSL_COUNTRY_NAME); idx += 3; XMEMCPY(&dName->fullName[idx], &cert->source[dName->cIdx], dName->cLen); @@ -4583,6 +4631,7 @@ static int GetName(DecodedCert* cert, int nameType) if (dName->lLen != 0) { dName->entryCount++; XMEMCPY(&dName->fullName[idx], WOLFSSL_LOCALITY_NAME, 3); + dName->lNid = OBJ_sn2nid((const char *)WOLFSSL_LOCALITY_NAME); idx += 3; XMEMCPY(&dName->fullName[idx], &cert->source[dName->lIdx], dName->lLen); @@ -4592,6 +4641,7 @@ static int GetName(DecodedCert* cert, int nameType) if (dName->stLen != 0) { dName->entryCount++; XMEMCPY(&dName->fullName[idx], WOLFSSL_STATE_NAME, 4); + dName->stNid = OBJ_sn2nid((const char *)WOLFSSL_STATE_NAME); idx += 4; XMEMCPY(&dName->fullName[idx], &cert->source[dName->stIdx], dName->stLen); @@ -4601,6 +4651,7 @@ static int GetName(DecodedCert* cert, int nameType) if (dName->oLen != 0) { dName->entryCount++; XMEMCPY(&dName->fullName[idx], WOLFSSL_ORG_NAME, 3); + dName->oNid = OBJ_sn2nid((const char *)WOLFSSL_ORG_NAME); idx += 3; XMEMCPY(&dName->fullName[idx], &cert->source[dName->oIdx], dName->oLen); @@ -4610,6 +4661,7 @@ static int GetName(DecodedCert* cert, int nameType) if (dName->ouLen != 0) { dName->entryCount++; XMEMCPY(&dName->fullName[idx], WOLFSSL_ORGUNIT_NAME, 4); + dName->ouNid = OBJ_sn2nid((const char *)WOLFSSL_ORGUNIT_NAME); idx += 4; XMEMCPY(&dName->fullName[idx], &cert->source[dName->ouIdx], dName->ouLen); @@ -4619,6 +4671,7 @@ static int GetName(DecodedCert* cert, int nameType) if (dName->emailLen != 0) { dName->entryCount++; XMEMCPY(&dName->fullName[idx], "/emailAddress=", 14); + dName->emailNid = OBJ_sn2nid((const char *)"/emailAddress="); idx += 14; XMEMCPY(&dName->fullName[idx], &cert->source[dName->emailIdx], dName->emailLen); 
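Review bot: `dName->stNid = OBJ_sn2nid((const char *)WOLFSSL_STATE_NAME);` resolves a compile-time constant through a runtime string-table scan (including the ecc_sets loop in OBJ_sn2nid) on every certificate parsed, and the result depends on the `"/ST"` prefix row matching whatever WOLFSSL_STATE_NAME expands to. Assigning the NID directly, `dName->stNid = NID_stateOrProvinceName;`, is cheaper and cannot drift from the table; the same applies to the cn, sn, c, l, o, ou and emailAddress assignments in the neighbouring hunks. The `(const char *)` casts on string literals and on macros that already expand to literals are redundant. GetName continues outside this hunk.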
@@ -4639,6 +4692,7 @@ static int GetName(DecodedCert* cert, int nameType) if (dName->uidLen != 0) { dName->entryCount++; XMEMCPY(&dName->fullName[idx], "/UID=", 5); + dName->uidNid = OBJ_sn2nid((const char *)"/UID="); idx += 5; XMEMCPY(&dName->fullName[idx], &cert->source[dName->uidIdx], dName->uidLen); @@ -4648,6 +4702,7 @@ static int GetName(DecodedCert* cert, int nameType) if (dName->serialLen != 0) { dName->entryCount++; XMEMCPY(&dName->fullName[idx], WOLFSSL_SERIAL_NUMBER, 14); + dName->serialNid = OBJ_sn2nid((const char *)WOLFSSL_SERIAL_NUMBER); idx += 14; XMEMCPY(&dName->fullName[idx], &cert->source[dName->serialIdx], dName->serialLen); diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 073cbcdbd..8508be543 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -854,7 +854,7 @@ typedef WOLFSSL_ASN1_BIT_STRING ASN1_BIT_STRING; #define NID_stateOrProvinceName 0x08 /* ST */ #define NID_organizationName 0x0a /* O */ #define NID_organizationalUnitName 0x0b /* OU */ - +#define NID_emailAddress 0x30 /* emailAddress */ #define SSL_CTX_set_msg_callback wolfSSL_CTX_set_msg_callback #define SSL_set_msg_callback wolfSSL_set_msg_callback diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 2ab9df2c4..800ee63e1 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -217,6 +217,7 @@ struct WOLFSSL_ASN1_OBJECT { char sName[WOLFSSL_MAX_SNAME]; int type; /* oid */ int grp; /* type of OID, i.e. oidCertPolicyType */ + int nid; unsigned int objSz; unsigned char dynamic; /* if 1 then obj was dynamiclly created, 0 otherwise */ struct d { /* derefrenced */ diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index df0c2d6b4..c6594b57a 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h 
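Review bot: `dName->uidNid = OBJ_sn2nid((const char *)"/UID=");` and the serialNumber assignment in the next hunk look up names that have no row in the sn2nid table introduced in this patch (it covers CN, C, L, ST, O, OU and emailAddress only), so both fields are always NID_undef and the cached-nid shortcut in wolfSSL_OBJ_obj2nid never applies to those attributes. Either add rows for `/UID` and `/serialNumber` (with matching NID_* definitions in wolfssl/openssl/ssl.h), or assign the constants directly and drop the string lookup. GetName continues outside this hunk.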
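Review bot: The new `int nid;` member of WOLFSSL_ASN1_OBJECT has no comment, unlike its neighbours, and its meaning matters because wolfSSL_OBJ_obj2nid now returns it whenever it is positive; `int nid; /* cached NID of obj, NID_undef until resolved */` would record that contract. Whatever constructs these objects must set the field to NID_undef, which the struct change alone does not guarantee.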
@@ -480,16 +480,22 @@ struct DecodedName { int entryCount; int cnIdx; int cnLen; + int cnNid; int snIdx; int snLen; + int snNid; int cIdx; int cLen; + int cNid; int lIdx; int lLen; + int lNid; int stIdx; int stLen; + int stNid; int oIdx; int oLen; + int oNid; int ouIdx; int ouLen; #ifdef WOLFSSL_CERT_EXT @@ -500,12 +506,16 @@ struct DecodedName { int jsIdx; int jsLen; #endif + int ouNid; int emailIdx; int emailLen; + int emailNid; int uidIdx; int uidLen; + int uidNid; int serialIdx; int serialLen; + int serialNid; int dcIdx[DOMAIN_COMPONENT_MAX]; int dcLen[DOMAIN_COMPONENT_MAX]; int dcNum; @@ -898,6 +908,7 @@ WOLFSSL_LOCAL int GetTimeString(byte* date, int format, char* buf, int len); WOLFSSL_LOCAL int ExtractDate(const unsigned char* date, unsigned char format, wolfssl_tm* certTime, int* idx); WOLFSSL_LOCAL int ValidateDate(const byte* date, byte format, int dateType); +WOLFSSL_LOCAL int OBJ_sn2nid(const char *sn); /* ASN.1 helper functions */ #ifdef WOLFSSL_CERT_GEN diff --git a/wolfssl/wolfcrypt/memory.h b/wolfssl/wolfcrypt/memory.h index 94ea1b019..cb2a43b9f 100644 --- a/wolfssl/wolfcrypt/memory.h +++ b/wolfssl/wolfcrypt/memory.h @@ -105,9 +105,8 @@ WOLFSSL_API int wolfSSL_GetAllocators(wolfSSL_Malloc_cb*, /* certificate extensions requires 24k for the SSL struct */ #define WOLFMEM_BUCKETS 64,128,256,512,1024,2432,3456,4544,24576 #else - /* having session certs enabled makes a 21k SSL struct */ - #define WOLFMEM_BUCKETS 64,128,256,512,1024,2432,3456,4544,21920 - /* #define WOLFMEM_BUCKETS 64,128,256,512,1024,2432,3456,4544,23088 */ + /* increase 23k for object member of WOLFSSL_X509_NAME_ENTRY */ + #define WOLFMEM_BUCKETS 64,128,256,512,1024,2432,3456,4544,23088 #endif #endif #ifndef WOLFMEM_DIST
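Review bot: `int ouNid;` is added after the `#ifdef WOLFSSL_CERT_EXT` block rather than directly under `int ouLen;` like every other new Nid field, which breaks the Idx/Len/Nid grouping readers will rely on; move it up next to ouLen. The new fields also carry no comment saying what they hold, e.g. `int cnNid; /* NID of the CN attribute, NID_undef if absent */`, and since GetName assigns them only when the matching Len is non-zero, that "absent" reading holds only if the DecodedName is zeroed before parsing, which this patch does not show. The struct definition starts before this hunk.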