Commit Graph

77 Commits

Author SHA1 Message Date
Reda Chouk 6111c60ea6 reject crls with unrecognized critical entry extensions per rfc 5280 section 5.3 2026-04-30 16:58:47 +02:00
JacobBarthelmeh bbf3beef35 fix to free CRL reason extension 2026-03-13 16:17:52 -06:00
Hideki Miyazaki f59b9fd32e fix number in sh 2026-03-06 14:16:36 +09:00
Hideki Miyazaki 5ce86cff62 fix multi-test.sh failure 2026-03-06 10:53:52 +09:00
Hideki Miyazaki 4877c0e579 fix PRB tests failures 2026-03-06 10:51:57 +09:00
Hideki Miyazaki cfb7f35e72 fix lareger(>57 octets) crlnum 2026-03-06 10:51:54 +09:00
Paul Adelsbach ebda79fadb Fix OCSP->CRL fallback 2026-02-26 11:44:50 -08:00
Paul Adelsbach 81ae472e50 Add CRL generation code 2026-02-13 10:54:47 -08:00
Paul Adelsbach 08c1397cc1 Enable 8 combined OCSP and URLs instead of 1 of each 2026-02-04 11:04:46 -08:00
Hideki Miyazaki 08876e278a Fix CRL Number hex string buffer overflow in CRL parser 2026-01-08 17:25:19 +09:00
Anthony Hu 48ebe99372 Validate asn date based on position of Z (#8603) 2025-12-29 16:01:22 -06:00
JacobBarthelmeh 6c74098be5 run renewcerts.sh, gencertbuf.pl, and create_ocsp_test_blobs.py 2025-11-14 14:45:37 -07:00
JacobBarthelmeh 7b5e3e2551 regenerate intermediate and crl certs to update ca-int.pem 2025-06-25 10:00:57 -06:00
JacobBarthelmeh 28184dd8cc update certificates in certs directory 2024-12-18 14:26:15 -07:00
Daniel Pouzzner 1c68da282c portability enhancement: use "#!/usr/bin/env <interpreter>" on all perl scripts and shell scripts that use bash extensions, and use "#!/bin/sh" on the rest. 2024-08-20 13:48:33 -05:00
JacobBarthelmeh b38e20a721 add crl_rsapss.pem to make dist 2024-01-15 15:19:04 -07:00
JacobBarthelmeh cd07e32b13 update crl files and add in compat support for RSA-PSS 2024-01-08 16:38:11 -08:00
JacobBarthelmeh d58acef895 add RSA-PSS CRL test case 2024-01-05 14:47:53 -08:00
Chris Conlon d0aa80eb37 update example/test certs for end of year release 2023-12-13 16:41:59 -07:00
Juliusz Sosinowicz 7baf151c37 CRL verify the entire chain including loaded CA's
- Regen CRL's as most of them are expired
- certs/crl/extra-crls/ca-int-cert-revoked.pem: CRL that revokes certs/intermediate/ca-int-cert.pem signed by certs/ca-cert.pem
- Add CheckCertCRL_ex API to not depend on DecodedCert
- CheckCertCRLList: accept raw serial or hashed version to work with Signers
- Add XELEM_CNT to simplify pre-proc element counting
2023-10-03 11:45:43 +02:00
Juliusz Sosinowicz 57ce894393 CRL refactor
- CheckCertCRLList: check all entries in case a single issuer has multiple CRL's loaded
- test_multiple_crls_same_issuer: testing two different certificates forcing the client to check both CRL's from the same issuer
- CRL_Entry
  - use a lock instead of a mutex to allow multiple threads to access the same list simultaneously
  - add a verifyMutex when doing verification so that we don't have to release the crlLock
- Add allocation and free functions for CRL_Entry
- DupCRL_Entry: simplify copying by copying all static fields in one memcpy
2023-08-28 10:52:36 +02:00
Sean Parkinson a39a04fc88 PEM example: new example for convert between PEM and DER
PEM example converts PEM to DER and DER to PEM.
Supports encrypting DER and writing out as PEM.

Added better support for 40-bit RC2-CBC PBE.
Added AES-128-CBC encryption support with PKCS#5v2.
Fixed handling of iterations to support writing 24-bit values.
Declared enum types for pass to PKCS#8 encryption APIs.

Add more DER and PEM files to certs directory.
Add testing of 'pem' with pem.test script.
2023-07-03 17:20:35 +10:00
Jacob Barthelmeh db03994899 add crl test file to dist 2022-12-21 15:05:30 -07:00
JacobBarthelmeh c6aaa1310e end of year certificate update 2022-12-16 13:32:37 -08:00
jordan 81ed2a60b4 Support ASN1/DER CRLs in LoadCertByIssuer.
This fixes hash based dir lookup of ASN1/DER CRLs in OpenSSL
compatible API. The function wolfSSL_X509_load_crl_file is
called with entry->dir_type, rather than hardcoded filetype.

A new test crl was added, and existing crl 0fdb2da4.r0 was
reorganized to a new dir.

Also, completes the stub wolfSSL_X509_LOOKUP_add_dir. A new
test function test_X509_LOOKUP_add_dir was added to tests/api.c
2022-11-11 15:13:00 -06:00
tim-weller-wolfssl 3bc3ec25b8 Add link of newly created x509 store's certificate manager to self by default 2022-11-09 17:17:30 -06:00
Juliusz Sosinowicz 15d0dd258a Add cert test for UID name component 2022-02-15 14:05:46 +01:00
JacobBarthelmeh c0f8fd5f5d update certificate dates and fix autorenew 2021-12-20 16:04:05 -08:00
David Garske 90d894b9fd Remove execute bit on update pem/der files. 2021-06-16 10:17:20 -07:00
David Garske 6d95188f4b Fixes for expired test certs. Generated using cd certs/test && ./gen-testcerts.sh. 2021-06-15 15:07:34 -07:00
Hideki Miyazaki 44a20c8ce6 add more unit test case for load_crl_file 2021-03-05 08:19:14 +09:00
Jacob Barthelmeh 41e5e547c4 run renewcerts.sh script 2021-02-11 03:12:54 +07:00
Juliusz Sosinowicz fe1f815761 wolfSSL_X509V3_EXT_i2d: NID_ext_key_usage 2020-08-06 13:45:36 +02:00
David Garske 5a5bc34aa5 Added second intermediate CA to testing certs. This creates a chain that looks like: ROOT (www.wolfssl.com) -> INT (wolfSSL Intermediate CA) -> INT2 (wolfSSL Intermediate2 CA) -> PEER (wolfSSL Client Chain / wolfSSL Server Chain). 2020-06-18 08:33:59 -07:00
Juliusz Sosinowicz 9e68de0fb7 Add test certs for ASN_IP_TYPE 2020-05-07 11:52:49 +02:00
David Garske 59a3b4a110 New tests for cert chains, alternate cert chains, trusted peer certs and DH prime cleanup:
* Added ECC and RSA intermediate CA's and server/client chain certificates for testing.
* Enhanced suites test to support expected fail arg `-H exitWithRet` in any test .conf file.
* Added new `test-altchains.conf` for testing with `WOLFSSL_ALT_CERT_CHAINS` defined.
* Added new `test-chains` for testing chains.
* Added new `test-dhprime.conf` for DH prime check tests.
* Added new `test-trustedpeer.conf` for testing `WOLFSSL_TRUST_PEER_CERT`.
* Refactor to add `-2` to disable DH prime check by default (except for new test-dhprime.conf).
* Added ability to run a specific test.conf file using syntax like `./tests/unit.test tests/test-altchains.conf`.
2018-12-21 09:54:55 -08:00
David Garske 3be7eacea9 Added client/server certs and keys for P-384-bit signed by P-384 CA. Fix for broken certs/ecc/genecc.sh script. Added simple P-384 cipher suite test. 2018-10-25 09:21:27 -07:00
kaleb-himes dc942bf9cb Remove unnecessary duplicate revocation 2018-09-20 16:54:35 -06:00
David Garske 427c62e04a Merge pull request #1841 from kaleb-himes/CERT_UPDATE_REFACTOR
Cert update refactor
2018-09-20 14:24:06 -07:00
kaleb-himes 54e04dd312 posix compliance enhancements for portability 2018-09-20 10:30:11 -06:00
kaleb-himes 17ebb0ea49 Update certs to address nightly failure with disable sha enable crl 2018-09-19 15:22:08 -06:00
kaleb-himes 4f6ee556dc Refactor the cert renewal scripts with error handling
Portability updates
2018-09-19 14:47:21 -06:00
David Garske 61056829c5 Added success test cases for domain name match (SNI) in common name and alternate name. 2018-06-13 09:26:54 -07:00
David Garske 8fa1592542 Fix to use SHA256 for the self-signed test certificates. 2018-06-12 16:12:29 -07:00
David Garske 1f16b36402 Fixes for MatchDomainName to properly detect failures:
* Fix `MatchDomainName` to also check for remaining len on success check.
* Enhanced `DNS_entry` to include actual ASN.1 length and use it thoughout (was using XSTRLEN).

Added additional tests for matching on domain name:
* Check for bad common name with embedded null (CN=localhost\0h, Alt=None) - Note: Trouble creating cert with this criteria
* Check for bad alternate name with embedded null (CN=www.nomatch.com, Alt=localhost\0h)
* Check for bad common name (CN=www.nomatch.com, Alt=None)
* Check for bad alternate name (CN=www.nomatch.com, Alt=www.nomatch.com)
* Check for good wildcard common name (CN=*localhost, Alt=None)
* Check for good wildcard alternate name (CN=www.nomatch.com, Alt=*localhost)
2018-06-12 14:15:34 -07:00
Jacob Barthelmeh 1a7d208a60 add crl2.pem to renew certs script 2018-05-29 16:57:30 -06:00
Jacob Barthelmeh e895bacbba update before/after dates with certificates 2018-04-13 09:31:32 -06:00
Jacob Barthelmeh e41f5de556 default generate ed25519 cert with renew and add ecc crls to script 2018-03-09 14:09:34 -07:00
David Garske d7ae1df778 Fix to add keyUsage keyAgreement for the ECC server certificate. Resolves issue with openssl test using "ECDH-ECDSA" cipher suite. 2017-10-20 11:26:15 -07:00
David Garske 024c8725ad Testing improvements for cert gen and TLS cert validation:
* Fixes to support certificate generation (`WOLFSSL_CERT_GEN`) without RSA enabled.
* Added new ECC CA for 384-bit tests.
* Created new server cert chain (ECC CA for 256-bit that signs server-ecc.pem)
* Created new `./certs/ecc/genecc.sh` script for generating all ECC CA's, generated server cert req (CSR), signing with CA and the required CRL.
* Moved the wolfCrypt ECC CA / ECC cert gen test into `ecc_test` as `ecc_test_cert_gen`.
* Refactor duplicate code that saves DER to disk, converts DER to PEM and saves PEM to disk into SaveDerAndPem function.
* Changed `ecc_test_make_pub` and `ecc_test_key_gen` to use XMALLOC for temp buffers (uses heap instead of stack).
* Cleanup to combine all certificate subject information into global `certDefaultName`.
* Updated cert request info to use wolfSSL instead of Yassl.
* Cleanup to combine keyUsage into `certKeyUsage` and `certKeyUsage2`.
* Re-number error codes in rsa_test.
* Moved the certext_test after the ecc_test, since it uses a file generated in `ecc_test_cert_gen`.
2017-10-19 16:17:51 -07:00